Media
-
Another visualization of "malware mordor" (110k sample malware dataset), this time via printable string minhashes used as indices into a 2d histogram. Lots of cluster structure. If I was more inspired I'd photoshop a victim operating system getting grilled over these flames :) pic.twitter.com/YlZf5MUANB
-
Two attempts to visualize the topology of "malware mordor" -- 110k malware samples random-projected onto a 2d surface, histogrammed to show concentration. Malware datasets contain huge volumes of near-duplicate binaries (~60%?). You can see that pretty clearly here. pic.twitter.com/7GwUeWlJAY
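The two visualizations above rest on the same pipeline: pull printable strings out of each sample, hash them into a compact sketch, and bin the sketch into a 2d grid so near-duplicate binaries pile into the same cell. The following Python is an added example (not the author's own code or data) that walks that pipeline end to end: `strings`-style extraction, a MinHash signature whose first two slots index a grid cell (the approach of the histogram in the first tweet), a hashed string-count vector random-projected onto two fixed Gaussian directions and binned (the approach of the second), and a single-link grouping of near-duplicates by estimated Jaccard similarity. The four input "binaries", their string lists, and the hash and grid sizes are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import random
import re
from collections import Counter, defaultdict

# Runs of at least five printable ASCII bytes, the default notion of a "string" in `strings`.
_STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")
NUM_HASHES = 64   # minhash signature length (assumed)
GRID = 64         # the 2d histogram is GRID x GRID cells (assumed)
DIM = 1024        # dimensionality of the hashed string-count vector (assumed)


def printable_strings(data: bytes) -> set[str]:
    """The set of printable strings in a binary blob."""
    return {m.group().decode("ascii") for m in _STRING_RE.finditer(data)}


def _hash(seed: int, s: str) -> int:
    """Family of hash functions indexed by seed: first 8 bytes of SHA-256(seed || s)."""
    digest = hashlib.sha256(seed.to_bytes(4, "big") + s.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def minhash(strings: set[str], k: int = NUM_HASHES) -> list[int]:
    """MinHash signature: the smallest hash of any string, for each of k hash functions."""
    if not strings:
        return [2**64 - 1] * k
    return [min(_hash(i, s) for s in strings) for i in range(k)]


def est_jaccard(sig_a: list[int], sig_b: list[int]) -> float:
    """Fraction of agreeing slots: an unbiased estimate of Jaccard(strings_a, strings_b)."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def minhash_cell(sig: list[int], grid: int = GRID) -> tuple[int, int]:
    """Two signature slots, reduced mod grid, index one cell of the 2d histogram."""
    return (sig[0] % grid, sig[1] % grid)


# Fixed random Gaussian directions so the projection is reproducible across runs.
_rng = random.Random(2020)
_PROJ = [[_rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(2)]


def projection_cell(strings: set[str], bin_width: float = 1.0) -> tuple[int, int]:
    """Random-project a hashed string-count vector onto 2d and bin it for a histogram."""
    vec = [0] * DIM
    for s in strings:                      # hashing trick: string -> one of DIM buckets
        vec[_hash(0xFFFF, s) % DIM] += 1
    x, y = (sum(v * r for v, r in zip(vec, row)) for row in _PROJ)
    return (int(x // bin_width), int(y // bin_width))


def near_duplicate_groups(named_sigs: dict[str, list[int]], threshold: float = 0.6):
    """Single-link grouping of samples whose estimated Jaccard is at least threshold."""
    parent = {n: n for n in named_sigs}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    names = list(named_sigs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if est_jaccard(named_sigs[a], named_sigs[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    return [frozenset(g) for g in groups.values()]


def _fake_binary(strings: list[str]) -> bytes:
    """Constructed stand-in for an executable: strings separated by non-printable bytes."""
    sep = b"\x00\x01\x7f\x00"
    return sep + sep.join(s.encode() for s in strings) + sep + b"ab" + sep  # "ab" is too short to count


# Constructed samples: three near-identical Windows-looking variants and one unrelated Mach-O-looking file.
_FAMILY_A = ["CreateRemoteThread", "VirtualAllocEx", "kernel32.dll", "WinHttpOpen",
             "cmd.exe /c", "http://example.invalid/beacon", "GetProcAddress",
             "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "LoadLibraryA", "IsDebuggerPresent"]
SAMPLES = {
    "a1": _fake_binary(_FAMILY_A),
    "a2": _fake_binary([s for s in _FAMILY_A if s != "WinHttpOpen"] + ["InternetOpenA"]),
    "a3": _fake_binary(_FAMILY_A),   # byte-for-byte duplicate of a1
    "b": _fake_binary(["/usr/lib/dyld", "_objc_msgSend", "com.apple.security", "LC_LOAD_DYLIB", "__TEXT"]),
}


def analyze(samples: dict[str, bytes]) -> dict:
    """Signatures, both 2d histograms, and near-duplicate groups for a corpus of raw file bytes."""
    sigs = {name: minhash(printable_strings(data)) for name, data in samples.items()}
    return {
        "sigs": sigs,
        "minhash_hist": Counter(minhash_cell(s) for s in sigs.values()),
        "projection_hist": Counter(projection_cell(printable_strings(d)) for d in samples.values()),
        "groups": near_duplicate_groups(sigs),
    }


if __name__ == "__main__":
    result = analyze(SAMPLES)
    print("a1 vs a2 est. Jaccard:", est_jaccard(result["sigs"]["a1"], result["sigs"]["a2"]))
    print("minhash histogram cells:", dict(result["minhash_hist"]))
    print("near-duplicate groups:", [sorted(g) for g in result["groups"]])
```

Run it directly to see the cells and the groups; on a real corpus you would feed `analyze` the raw bytes of each file and plot the two Counters as heatmaps. The MinHash estimate is only as good as its length: with 64 hash functions the standard error near J = 0.8 is about 0.05, so a near-duplicate threshold of 0.6 is conservative, while exact duplicates (a1 and a3) always share a cell because identical string sets give identical signatures.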
-
v0.2 of my security learning model thanks to feedback from @eugk, @taosecurity and @jacnah63. It's part of what makes security so exhilarating that many conversations (e.g. strategy around designing a threat response operation) require every layer as part of the conversation. pic.twitter.com/bDuT0Znx2t
-
Malware analysis by poking the malware: We run malware, and then run it again with added stimulus (e.g. keystrokes). Events that *only* occur with stimulus are high-signal and telling. I did the viz part, the paper authors did everything else. https://www.researchgate.net/publication/261169317_PyTrigger_A_System_to_Trigger_Extract_User-Activated_Malware_Behavior pic.twitter.com/J2mUS5jWO3
-
... my team and I were funded under that program. One could have a philosophical debate about the 'genetic' metaphor but it proved operationally useful. We had two comp bio scientists on our team who transferred modeling methods from biology to malware in ways we found useful. pic.twitter.com/YiWYUEPrBU
-
1\ Here's what a Yara-ified ML decision tree for OSX/Mach-O malware detection looks like. The full random forest is 3903 lines of Yara, computes @ 3ms per CPU per binary, and gets 67% detection @ 0.2% false positive rate. Will push to YaraML GitHub once results improve a bit. pic.twitter.com/hkgj90cJzY
-
Some infosec knowledge is useful for months (knowledge of a given campaign), other knowledge for years (TTPs), other knowledge for decades (the halting problem). Here's a "Pyramid of Pain" (cc @DavidJBianco) inspired model of knowledge in cyber I find useful for myself. pic.twitter.com/ZjMbgRfoGF
-
1\ Malware sandboxes are useful but extremely limited. Here's a malware call graph, and in red are the functions the malware actually *executed* when run in a sandbox -- a minuscule fraction of the malware's potential badness! pic.twitter.com/Ba5EK5EeIO
-
Useful summary of known/best-guess information about the coronavirus from the NYTimes https://www.nytimes.com/interactive/2020/world/asia/china-coronavirus-contain.html pic.twitter.com/BC4KIMnMZe
-
For sure, that's apparent just from eyeballing this chart. pic.twitter.com/j9F4E3DCZc
-
A genealogy of 10 malware EXEs that share code - and one that doesn't belong - visualized. The rows are individual samples, and the color-blocks are their functions. A somewhat complicated algorithm is used to draw a plausible evolutionary lineage. Work from my CyberGenome days. pic.twitter.com/dN5ftANvWZ
-
For a non-mathy thorough intro to ML detection, Chapter 6 of @hillarymsanders and my book is available for free on the @nostarch site. Goes through logistic regression, kNN, decision trees, random forests, and when it makes sense to use each. https://nostarch.com/download/MalwareDataScience_ch6.pdf pic.twitter.com/eBgIPGdnHN
-
1\ A file seen at "Downloads\svchost.exe" that doesn't *look* like svchost.exe *might* be a problem. Indeed, @Sophos AI's @adarshdk, @kberlin and @EthanMRudd show that a neural net that takes a file's path alongside its contents gets ~30% better detection. https://arxiv.org/pdf/1905.06987.pdf pic.twitter.com/ITRKYAtJBe
-
2\ Their neural network has two components: a file analyzer, shown in the image below, which does a high-capacity, non-linear analysis of a file's features... pic.twitter.com/ZtHuGyeg1F
-
3\ And a character string / file path analyzer, which does a high-capacity analysis of file path strings... pic.twitter.com/kledM9doLx
-
4\ These analyses are then merged so that reasoning about the file path in the context of the binary, and vice-versa, can take place. Good targets for detection are, for example, unsigned system utilities that have been replaced by very different looking files. pic.twitter.com/JYnQXAMZ1n
-
5\ The result, as would be intuitive, is much better detection accuracy. Please see the paper for more info! pic.twitter.com/YnbBHyjHmd
-
Large scale malware similarity visualization work by @rpgove, myself, and others. We built a prototype set of analytics and accompanying GUI to accelerate malware analysis over many samples, and did a user study showing efficacy. http://vis.cs.ucdavis.edu/vis2014papers/VIS_Conference/workshops/vizsec/files/gove2014seem.pdf pic.twitter.com/DKE73zTdhy
-
1\ I've written a little compiler to ship ML models as standalone Yara rules, and done proof of concept detectors for Mach-O, RTF files, and powershell scripts. So far I have decision trees, random forests, and logistic regression (LR) working. https://github.com/inv-ds-research/yaraml_rules pic.twitter.com/sfuXEkHeNO
-
2\ I've put a PoC powershell logistic regression rule up at the github link. Idea here is by Yara-ifying ML we make ML more transparent--the ML logic is right there in the text. And we allow blue teams to mix and match ML rules with signatures, and quickly swap in new models. pic.twitter.com/BDg2kLCTRh
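As an added example that is not YaraML's code, here is the core of such a compiler in Python for the two model types this thread mentions: a decision tree over printable-string counts (the Mach-O detector earlier on this page is a forest of these) and a logistic regression. Each feature is the occurrence count of one string, which Yara exposes in a condition as `#name`, so a tree path becomes a conjunction of count comparisons, the rule condition is the disjunction of all paths ending in a malicious leaf, and the logistic regression becomes an integer linear inequality. The tree, the weights, the feature strings and the three sample files are all constructed so the example runs offline; a trained sklearn model would be walked the same way.

```python
from __future__ import annotations

# Constructed feature strings: each feature is the occurrence count of a string in the file,
# which Yara exposes in a condition as `#name` (assumed feature set, not YaraML's).
FEATURES = {
    "s0": "CreateRemoteThread",
    "s1": "VirtualAllocEx",
    "s2": "http://",
    "s3": "This program cannot be run in DOS mode",
}

# Hand-written decision tree standing in for a trained model (its shape is an assumption here).
# Internal node: feature, threshold, left (count <= threshold), right (count > threshold); leaf: label.
TREE = {
    "feature": "s0", "threshold": 0,
    "left": {
        "feature": "s2", "threshold": 3,
        "left": {"label": 0},
        "right": {"feature": "s1", "threshold": 0, "left": {"label": 0}, "right": {"label": 1}},
    },
    "right": {"label": 1},
}

# Hand-written logistic regression over the same counts (weights and bias are assumed values).
LOGREG_WEIGHTS = {"s0": 2.5, "s1": 1.75, "s2": 0.4, "s3": -0.3}
LOGREG_BIAS = -1.2
SCALE = 1000  # weights are emitted as integers so the Yara condition needs no floating point


def _strings_section(used: list[str]) -> str:
    # Declare only referenced strings: Yara refuses to compile a rule with unreferenced strings.
    return "\n".join(f'        ${name} = "{FEATURES[name]}" ascii' for name in used)


def _malicious_paths(node: dict, conds: tuple[str, ...] = ()):
    """Yield the list of count comparisons along each root-to-leaf path that ends in label 1."""
    if "label" in node:
        if node["label"] == 1:
            yield list(conds)
        return
    f, t = node["feature"], node["threshold"]
    yield from _malicious_paths(node["left"], conds + (f"#{f} <= {t}",))
    yield from _malicious_paths(node["right"], conds + (f"#{f} > {t}",))


def tree_to_yara(tree: dict, rule_name: str = "ml_decision_tree") -> str:
    """Compile a decision tree into one Yara rule: the condition is the OR of all malicious paths."""
    paths = list(_malicious_paths(tree))
    used = sorted({c.split()[0][1:] for p in paths for c in p})
    clauses = ["(" + " and ".join(p) + ")" if p else "true" for p in paths]
    condition = "\n        or ".join(clauses) if clauses else "false"
    return (f"rule {rule_name}\n{{\n    strings:\n{_strings_section(used)}\n"
            f"    condition:\n        {condition}\n}}\n")


def logreg_to_yara(weights: dict[str, float], bias: float, rule_name: str = "ml_logreg") -> str:
    """Compile w.x + b > 0 (i.e. P(malicious) > 0.5) into an integer Yara condition."""
    pos = [f"{round(w * SCALE)} * #{f}" for f, w in weights.items() if w > 0]
    neg = [f"{round(-w * SCALE)} * #{f}" for f, w in weights.items() if w < 0]
    lhs = " + ".join(pos) + "".join(f" - {term}" for term in neg)
    condition = f"{lhs} > {round(-bias * SCALE)}"
    return (f"rule {rule_name}\n{{\n    strings:\n{_strings_section(list(weights))}\n"
            f"    condition:\n        {condition}\n}}\n")


def count_features(data: bytes) -> dict[str, int]:
    """What `#name` evaluates to for this file: non-overlapping occurrence counts."""
    return {name: data.count(text.encode()) for name, text in FEATURES.items()}


def predict_tree(tree: dict, counts: dict[str, int]) -> int:
    """Python verdict of the tree, used to check the compiled rule against the model."""
    node = tree
    while "label" not in node:
        node = node["left"] if counts[node["feature"]] <= node["threshold"] else node["right"]
    return node["label"]


def predict_logreg(weights: dict[str, float], bias: float, counts: dict[str, int]) -> int:
    # Same integer arithmetic as the emitted rule, so Python and Yara verdicts agree.
    score = sum(round(w * SCALE) * counts[f] for f, w in weights.items())
    return int(score > round(-bias * SCALE))


# Constructed sample files (not real malware).
SAMPLES = {
    "benign": b"MZ\x90\x00This program cannot be run in DOS mode\x00http://example.invalid/help\x00",
    "injector": b"MZ\x90\x00This program cannot be run in DOS mode\x00VirtualAllocEx\x00CreateRemoteThread\x00",
    "downloader": b"MZ\x90\x00VirtualAllocEx\x00http://a.invalid/\x00http://b.invalid/\x00"
                  b"http://c.invalid/\x00http://d.invalid/\x00",
}

if __name__ == "__main__":
    print(tree_to_yara(TREE))
    print(logreg_to_yara(LOGREG_WEIGHTS, LOGREG_BIAS))
    for name, data in SAMPLES.items():
        c = count_features(data)
        print(name, "tree:", predict_tree(TREE, c), "logreg:", predict_logreg(LOGREG_WEIGHTS, LOGREG_BIAS, c))
```

The Python predictors use exactly the integer arithmetic written into the rule, so the compiled rule can be checked against the model on a labelled set before it ships; only features that appear on some malicious path are emitted in the strings section, because Yara rejects declared-but-unreferenced strings. A random forest is the same construction repeated once per tree, with the votes combined in a final rule that references the per-tree rules by name.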