Upgrade to Pro — share decks privately, control downloads, hide ads and more …

マルウェアを機械学習する前に

Yuma Kurogome
February 13, 2016
Programming
3
1.6k

 マルウェアを機械学習する前に

Kaggle - Malware Classification Challenge勉強会 connpass.com/event/25007/ 発表資料

Yuma Kurogome

February 13, 2016
Tweet

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
ntddk
16
27k
死にゆくアンチウイルスへの祈り
ntddk
55
39k
Windows Subsystem for Linux Internals
ntddk
10
3k
なぜマルウェア解析は自動化できないのか
ntddk
6
4.1k
Linear Obfuscation to Drive angr Angry
ntddk
4
830
CAPTCHAとボットの共進化
ntddk
2
1.1k
Peeling Onions
ntddk
7
3.6k
仮想化技術を用いたマルウェア解析
ntddk
8
27k
An Introduction to Drawbridge(ja)
ntddk
11
3.3k

Other Decks in Programming

See All in Programming
pylint custom ruleで始めるレビュー自動化
shogoujiie
0
120
CDK開発におけるコーディング規約の運用
yamanashi_ren01
2
120
なぜイベント駆動が必要なのか - CQRS/ESで解く複雑系システムの課題 -
j5ik2o
10
3.6k
Djangoアプリケーション 運用のリアル 〜問題発生から可視化、最適化への道〜 #pyconshizu
kashewnuts
1
250
『GO』アプリ データ基盤のログ収集システムコスト削減
mot_techtalk
0
120
SpringBoot3.4の構造化ログ #kanjava
irof
2
990
法律の脱レガシーに学ぶフロントエンド刷新
oguemon
5
740
『テスト書いた方が開発が早いじゃん』を解き明かす #phpcon_nagoya
o0h
PRO
2
220
もう僕は OpenAPI を書きたくない
sgash708
5
1.6k
JavaScriptツール群「UnJS」を5分で一気に駆け巡る!
k1tikurisu
9
1.8k
AWS Organizations で実現する、 マルチ AWS アカウントのルートユーザー管理からの脱却
atpons
0
150
SwiftUIで単方向アーキテクチャを導入して得られた成果
takuyaosawa
0
270

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Automating Front-end Workflow
addyosmani
1368
200k
BBQ
matthewcrist
87
9.5k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
10
1.3k
Done Done
chrislema
182
16k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
How to Ace a Technical Interview
jacobian
276
23k
Unsuck your backbone
ammeep
669
57k
Become a Pro
speakerdeck
PRO
26
5.1k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k

Transcript

  1. @ntddk Kaggle - Malware Classification Challenge 2016.02.13 1

  2. • http://ntddk.github.io/ • 2

  3. 3

  4. 4

  5. Kaggle 5 https://www.kaggle.com/

  6. 6 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  7. 7 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  8. 8 There ain't no such thing as a free lunch

    http://www.amazon.co.jp/dp/4150117489 http://www.amazon.co.jp/dp/B00GJMUKMG/ http://www.amazon.co.jp/dp/4150312133/

  9. 9 There ain't no such thing as a free lunch

    http://www.amazon.co.jp/dp/4150117489 http://www.amazon.co.jp/dp/B00GJMUKMG/ http://www.amazon.co.jp/dp/4150312133/

  10. 10 http://blog.kaggle.com/

  11. 11 x η g a b c x …

  12. 12 x η g a b c x …

  13. 13 • • A B Satoshi Watanabe, Knowing and Guessing

    ― Quantitative Study of Inference and Information John Wiley & Sons, 1969.

  14. 14 • • A B Satoshi Watanabe, Knowing and Guessing

    ― Quantitative Study of Inference and Information John Wiley & Sons, 1969.

  15. 15 • • • •

  16. 16 https://www.av-test.org/en/statistics/malware/

  17. 17 http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf

  18. 18 http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf http://www.mcafee.com/jp/resources/reports/rp-threats-predictions-2016.pdf

  19. 19 • KERNEL32!VirtualAllocStub • KERNEL32!VirtualProtectStub • KERNEL32!OpenProcessStub • KERNEL32!OpenThreadStub •

  20. 20 CSEC: MWS: http://www.iwsec.org/mws/2015/about.html

  21. 21 https://www.kaggle.com/c/malware-classification/data 16

  22. 22 • https://virusshare.com/ • http://malware-traffic-analysis.net/

  23. 23 • • • •

  24. 24 • • • • API PE

  25. 25 https://github.com/corkami/

  26. 26 • • • • • •

  27. 27 #include <windows.h> typedef int (WINAPI *LPFNMESSAGEBOXW)(HWND, LPCWSTR, LPCWSTR, UINT);

    int main() { HMODULE hmod = LoadLibrary(TEXT("user32.dll")); LPFNMESSAGEBOXW lpfnMessageBoxW = (LPFNMESSAGEBOXW)GetProcAddress(hmod, "MessageBoxW"); lpfnMessageBoxW(NULL, L"Hello, world!", L"Test", MB_OK); FreeLibrary(hmod); return 0; } •

  28. 28 { "category": "registry", "status": true, "return": "0x00000000", "timestamp": "2015-05-24

    02:46:50,773", "thread_id": "3220", "repeated": 0, "api": "NtOpenKey", "arguments": [ { "name": "DesiredAccess", "value": "33554432" }, { "name": "KeyHandle", "value": "0x00000154" }, { "name": "ObjectAttributes", "value": "¥¥REGISTRY¥¥USER¥¥S-1-5-21-916742657-1382504153-4155998892-1001" } ], "id": 83 },

  29. 29 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  30. 30 • AdaBoost, Gradient Boosting • Kaggle

  31. DAF 31 Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham, A

    scalable multi-level feature extraction technique to detect malicious executables, Information Systems Frontiers, Vol.10, Issue.1, pp.33-45, 2008. 16 DAF: Derived Assembly Features BFS: Binary N-gram Features