Upgrade to Pro — share decks privately, control downloads, hide ads and more …

マルウェアを機械学習する前に

Yuma Kurogome
February 13, 2016
Programming
3
1.6k

 マルウェアを機械学習する前に

Kaggle - Malware Classification Challenge勉強会 connpass.com/event/25007/ 発表資料

Yuma Kurogome

February 13, 2016
Tweet

More Decks by Yuma Kurogome

See All by Yuma Kurogome
The Art of De-obfuscation
ntddk
16
27k
死にゆくアンチウイルスへの祈り
ntddk
55
38k
Windows Subsystem for Linux Internals
ntddk
10
2.9k
なぜマルウェア解析は自動化できないのか
ntddk
6
4.1k
Linear Obfuscation to Drive angr Angry
ntddk
4
820
CAPTCHAとボットの共進化
ntddk
2
1.1k
Peeling Onions
ntddk
7
3.6k
仮想化技術を用いたマルウェア解析
ntddk
8
27k
An Introduction to Drawbridge(ja)
ntddk
11
3.3k

Other Decks in Programming

See All in Programming
useSyncExternalStoreを使いまくる
ssssota
6
1k
情報漏洩させないための設計
kubotak
1
140
生成AIでGitHubソースコード取得して仕様書を作成
shukob
0
370
コンテナをたくさん詰め込んだシステムとランタイムの変化
makihiro
1
130
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
330
創造的活動から切り拓く新たなキャリア 好きから始めてみる夜勤オペレーターからSREへの転身
yjszk
1
130
命名をリントする
chiroruxx
1
410
KMP와 kotlinx.rpc로 서버와 클라이언트 동기화
kwakeuijin
0
140
htmxって知っていますか?次世代のHTML
hiro_ghap1
0
330
Effective Signals in Angular 19+: Rules and Helpers
manfredsteyer
PRO
0
100
これでLambdaが不要に?!Step FunctionsのJSONata対応について
iwatatomoya
2
3.6k
rails stats で紐解く ANDPAD のイマを支える技術たち
andpad
1
290

Featured

See All Featured
Being A Developer After 40
akosma
87
590k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Scaling GitHub
holman
458
140k
Building Adaptive Systems
keathley
38
2.3k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.3k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Automating Front-end Workflow
addyosmani
1366
200k
Music & Morning Musume
bryan
46
6.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
Building Your Own Lightsaber
phodgson
103
6.1k

Transcript

  1. @ntddk Kaggle - Malware Classification Challenge 2016.02.13 1

  2. • http://ntddk.github.io/ • 2

  3. 3

  4. 4

  5. Kaggle 5 https://www.kaggle.com/

  6. 6 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  7. 7 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  8. 8 There ain't no such thing as a free lunch

    http://www.amazon.co.jp/dp/4150117489 http://www.amazon.co.jp/dp/B00GJMUKMG/ http://www.amazon.co.jp/dp/4150312133/

  9. 9 There ain't no such thing as a free lunch

    http://www.amazon.co.jp/dp/4150117489 http://www.amazon.co.jp/dp/B00GJMUKMG/ http://www.amazon.co.jp/dp/4150312133/

  10. 10 http://blog.kaggle.com/

  11. 11 x η g a b c x …

  12. 12 x η g a b c x …

  13. 13 • • A B Satoshi Watanabe, Knowing and Guessing

    ― Quantitative Study of Inference and Information John Wiley & Sons, 1969.

  14. 14 • • A B Satoshi Watanabe, Knowing and Guessing

    ― Quantitative Study of Inference and Information John Wiley & Sons, 1969.

  15. 15 • • • •

  16. 16 https://www.av-test.org/en/statistics/malware/

  17. 17 http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf

  18. 18 http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf http://www.mcafee.com/jp/resources/reports/rp-threats-predictions-2016.pdf

  19. 19 • KERNEL32!VirtualAllocStub • KERNEL32!VirtualProtectStub • KERNEL32!OpenProcessStub • KERNEL32!OpenThreadStub •

  20. 20 CSEC: MWS: http://www.iwsec.org/mws/2015/about.html

  21. 21 https://www.kaggle.com/c/malware-classification/data 16

  22. 22 • https://virusshare.com/ • http://malware-traffic-analysis.net/

  23. 23 • • • •

  24. 24 • • • • API PE

  25. 25 https://github.com/corkami/

  26. 26 • • • • • •

  27. 27 #include <windows.h> typedef int (WINAPI *LPFNMESSAGEBOXW)(HWND, LPCWSTR, LPCWSTR, UINT);

    int main() { HMODULE hmod = LoadLibrary(TEXT("user32.dll")); LPFNMESSAGEBOXW lpfnMessageBoxW = (LPFNMESSAGEBOXW)GetProcAddress(hmod, "MessageBoxW"); lpfnMessageBoxW(NULL, L"Hello, world!", L"Test", MB_OK); FreeLibrary(hmod); return 0; } •

  28. 28 { "category": "registry", "status": true, "return": "0x00000000", "timestamp": "2015-05-24

    02:46:50,773", "thread_id": "3220", "repeated": 0, "api": "NtOpenKey", "arguments": [ { "name": "DesiredAccess", "value": "33554432" }, { "name": "KeyHandle", "value": "0x00000154" }, { "name": "ObjectAttributes", "value": "¥¥REGISTRY¥¥USER¥¥S-1-5-21-916742657-1382504153-4155998892-1001" } ], "id": 83 },

  29. 29 • • • ※ David H. Wolpert, The Supervised

    Learning No-Free-Lunch Theorems, In Proc. 6th Online World Conference on Soft Computing in Industrial Applications, pp.25-42, 2001.

  30. 30 • AdaBoost, Gradient Boosting • Kaggle

  31. DAF 31 Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham, A

    scalable multi-level feature extraction technique to detect malicious executables, Information Systems Frontiers, Vol.10, Issue.1, pp.33-45, 2008. 16 DAF: Derived Assembly Features BFS: Binary N-gram Features