jrtechs
/
jrtechs-NodeJSBlog
mirror of https://github.com/jrtechs/NodeJSBlog.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Personal blog written from scratch using Node.js, Bootstrap, and MySQL. https://jrtechs.net
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
368 Commits
6 Branches
900 MiB
Tree: 6ca589c7df
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6ca589c7df'
${ noResults }
jrtechs-NodeJSBlog/blogContent/posts/data-science/is-using-ml-for-antivirus-s...

131 lines
6.4 KiB
Raw Normal View History

Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Started adding information on general ML in anti virus security.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
Re-formatted some blog posts using custom paragraph formatter which limits col to 70 characters.
5 years ago
Final edits and additions to ML security blog post.
5 years ago
 
  1. In this blog post I examine the ways in which antivirus programs
  2. currently employ machine learning and then go into the  security
  3. vulnerabilities that it brings. 
  4. 

  5. # ML in the Antivirus Industry

  6. 

  7. Malware detection falls into two broad categories: static and dynamic
  8. analysis. Static analysis examines the program without actually
  9. running the code. Static analysis looks at things like the file
  10. fingerprints, hashes, reverse engineering, memory artifacts, packer
  11. detection, and debugging.  Static analysis is largely known for
  12. looking up the hashes of the virus against a known database of
  13. viruses. It is super easy to fool signature based malware detection
  14. using simple obfuscation methods. Dynamic analysis is a technique
  15. where you run the program in a sandbox and monitor all the actions
  16. that the virus takes. If you notice that the program is acting
  17. suspicious, it is likely a virus. Suspicious behavior typically
  18. includes things like registry edits and API calls to bad host names.  
  19. 

  20. Antivirus detection is very difficult, but, probably not for the
  21. reasons you think. The issue isn't writing programs which can detect
  22. these static or dynamic properties of viruses-- that is the easy part.
  23. It is also relatively easy to determine a general rule set for what
  24. makes a program dangerous. You can also easily blacklist suspicious
  25. domains, block malicious activity, and implement a signature based
  26. maleware detection program.  
  27. 

  28. The real problem is that there are hundreds of thousands of malware
  29. applications and more are created every day. Not only are there tons
  30. of pesky malware applications, there is an absurd amount of normal
  31. programs which we don't want malware applications to block.   It is
  32. impossible for a small team of malware researchers to create a
  33. definitive set of heuristics which can correctly identify all malware
  34. programs. This is where we turn to the field of Machine Learning.
  35. Humans are very bad with big data, but, computers love big data. Most
  36. antivirus companies use machine learning and it has been a large
  37. success so far because it has allowed us to dramatically improve our
  38. ability to detect zero day viruses. 
  39. 

  40. ## Interesting Examples

  41. 

  42. ### Cylance

  43. 

  44. [Cylance](https://www.cylance.com) uses supervised learning and static analysis to classify files as being malware. 
  45. This product pulls a list of attributes from the file which they can then compare against other known viruses.
  46. 

  47. ### MalwareBytes Anomalous

  48. 

  49. [Anomalous](https://blog.malwarebytes.com/detections/machinelearning-anomalous-100/) is a machine learning application which simply flags files which appear different from their training set of known normal files.
  50. This does not attempt to classify what makes a virus a virus, but, what makes a normal program a normal program.
  51. Anything which is not a normal program, it alerts you about since it can be a virus.
  52. 

  53. ### Kaspersky

  54. 

  55. Kaspersky appears to have  done a ton of research into using machine
  56. learning for malware detection. I would highly recommend that you read
  57. their [white
  58. paper](https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf)
  59. on this subject. 
  60. 

  61. # Why is this a problem?

  62. 

  63. It turns out that machine learning systems can be easily fooled by
  64. using other machine learning algorithms. A classic example of this is
  65. with image classification. It is easy to use neural networks or
  66. genetic algorithms to generate examples which fool the machine
  67. learning application by learning the weights of the machine  learning
  68. application and then making slight tweaks to your input to give a
  69. false classification. 
  70. 

  71. ![](media/AISaftey/AdversarialExample.png)
  72. 

  73. Since viruses generation is a non-differentiable problem, people often
  74. use Genetic algorithms for the adversarial network to fool the
  75. antivirus. In other words, you don't want to attempt to calculate the
  76. derivative between two versions of a virus for gradient decent. Since
  77. viruses are high dimensional problems, it turns out that most calc
  78. implementations would actually be inefficient at traversing the search
  79. space to find the global minimum. If you want to learn more about
  80. genetic algorithms, check out my [recent blog
  81. post](https://jrtechs.net/data-science/lets-build-a-genetic-algorithm)
  82. on it. 
  83. 

  84. # Fooling Antivirus Software

  85. 

  86. ## Genetic Algorithms

  87. 

  88. There are two major approaches which people have used to generate
  89. antivirus resistant malware with genetic algorithms. The first
  90. approach is to slowly make polymorphic changes to the virus in order
  91. to fool the malware detection. One of the interesting things about
  92. this approach is that you have to have some way of verifying that the
  93. polymorphic behaviors that you apply to the virus don't break its
  94. "virus capabilities". 
  95. 

  96. An other approach used is to represent a virus as a set of properties.
  97. These properties are everything from the port of attack, the payloads,
  98. obfuscation parameters, etc. The genetic algorithm would simply tweak
  99. the properties of the virus until it found a configuration which
  100. evaded the antivirus program. 
  101. 

  102. ## Reinforcement Learning

  103. 

  104. A research group at [Endgame](https://www.endgame.com/) recently gave
  105. a [Def Con](https://www.defcon.org/) talk where they presented a
  106. framework which uses reinforcement learning to evade static virus
  107. detection. 
  108. 

  109. ![Reinforcement Learning Diagram](media/AISaftey/Reinforcement_learning_diagram.png)
  110. 

  111. At a high level, the AI plays a "game" against the antivirus where the
  112. agent can make functionality-preserving mutations to the virus. The
  113. reward for the agent is its ability to not get detected by the
  114. anti-virus. Over time the AI will learn which type of actions will
  115. result in getting detected by the antivirus.  This framework can be
  116. found on [Github](https://github.com/endgameinc/gym-malware). 
  117. 

  118. # Takeaways

  119. 

  120. Machine learning is great, but, it needs to be properly defended. As
  121. we start to use machine learning more and more, a large portion of the
  122. cyber security field may shift its focus away from securing systems to
  123. securing big data applications. 
  124. 

  125. # Resources

  126. 

  127. - [Blog post on Genetic Algorithms](https://jrtechs.net/data-science/lets-build-a-genetic-algorithm)
  128. - [Kaspersky White Paper](https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf)
  129. - [Windows Defender Use of ML](https://www.microsoft.com/security/blog/2015/11/16/windows-defender-rise-of-the-machine-learning/)
  130. - [Machine Learning Malware Models via Reinforcement Learning (Paper)](https://arxiv.org/abs/1801.08917)
  131. - [Evolvable Malware (Paper)](http://homepage.divms.uiowa.edu/~mshafiq/files/evolvable-malware.pdf)