A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Stretching the Sandbox with Malware Feature Vectors - Mike Schladt Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Stretching the Sandbox with Malware Feature Vectors
Mike Schladt
Derbycon 2015

Love 'em or hate 'em, the malware sandbox has evolved to become a staple for incident responders and researchers alike. In true hacker fashion, many of us have stockpiled thousands of HTML and JSON reports, squirreled away for that rainy day when something sparks a memory of that ‰ÛÏone incident‰Û with that ‰ÛÏone sample‰Û where that ‰ÛÏone thing‰Û occurred. Tragically, that day simply never comes for most malware reports. This presentation discusses one technique for giving new life to dynamically generated malware observables. Specifically, it focuses on putting sandbox reports to work with feature vector clustering. Feature vectors have long been utilized in the mathematical community to facilitate machine learning and pattern recognition. By applying similar concepts to dynamically generated observables, it is possible to visualize the relational proximity of malware samples. The key to this process lies in constructing statistically significant feature sets. This presentation details the methodology for turning predominately text-based reports into a series of meaningful quantitative data points. Lastly, a process for evaluating individual feature effectiveness is explored through the application of real-world data. In a concerted effort to achieve tangible operational benefits from this exercise, an open source reporting module for Cuckoo Sandbox will be released for generating the presented feature vectors as well as code for visualizing sample proximity.

Mike Schladt is an InfoSec Analyst for the GE Power & Water IT Security Operations Team. In this role, Mike leads tools development and analysis responsible for enabling rapid incident response in one of the world's largest, most geographically separated and dynamic networked environments. Recent efforts include developing artifact correlation engines, analyzing attacks and reverse engineering malware in a daily operational rhythm. In a previously life, Mike was active duty US Air Force serving as an analyst and manager of the Malware Lab at the National Air & Space Intelligence Center responsible for integrating technical analysis into strategic intelligence.


Back to Derbycon 2015 video list

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast