Measuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware

Presented at Black Hat USA 2018, Aug. 8, 2018, 10:30 a.m. (25 minutes)

Security is a constant cat-and-mouse game between those trying to keep abreast of and detect novel malware, and the authors attempting to evade detection. The introduction of the statistical methods of machine learning into this arms race allows us to examine an interesting question: how fast is malware being updated in response to the pressure exerted by security practitioners? The ability of machine learning models to detect malware is now well known; we introduce a novel technique that uses trained models to measure "concept drift" in malware samples over time as old campaigns are retired, new campaigns are introduced, and existing campaigns are modified. Through the use of both simple distance-based metrics and Fisher Information measures, we look at the evolution of the threat landscape over time, with some surprising findings. In parallel with this talk, we will also release the PyTorch-based tools we have developed to address this question, allowing attendees to investigate concept drift within their own data.

Presenters:

• Felipe Ducau - Data Scientist, Sophos
  Felipe Ducau is a machine learning researcher and engineer who specializes in the design and evaluation of deep learning models. As part of Sophos Data Science team, he develops deep learning applications for cybersecurity. Felipe received his master's degree from the Center for Data Science at NYU, where he focused on adversarial learning applied to generative models.
• Richard Harang - Principal Data Scientist, Sophos
  Richard Harang is a Principal Data Scientist at Sophos with over seven years of research experience at the intersection of computer security, machine learning, and privacy. Prior to joining Sophos, he served as a scientist at the U.S. Army Research Laboratory, where he led the research group investigating the applications of machine learning and statistical analysis to problems in network security. He received his PhD in Statistics from the University of California, Santa Barbara. Research interests include randomized methods in machine learning, adversarial machine learning, and ways to use machine learning to support human analysis.

Links:

• https://www.blackhat.com/us-18/briefings/schedule/#measuring-the-speed-of-the-red-queens-race-adaption-and-evasion-in-malware-11214
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2018/Measuring the Speed of the Red Queen's Race_ Adaption and Evasion in Malware.mp4
• https://www.youtube.com/watch?v=GocrXUMRqEI

Similar Presentations:

• Black Hat Europe 2016 / 50 Thousand Needles in 5 Million Haystacks: Understanding Old Malware Tricks to Find New Malware Families
• Black Hat USA 2014 / Prevalent Characteristics in Modern Malware
• Black Hat USA 2013 / CrowdSource: An Open Source, Crowd Trained Machine Learning Model for Malware Capability Detection