Malware Classification With Machine Learning Enhanced by Windows Kernel Emulation

Presented at Black Hat USA 2022, Aug. 11, 2022, 2:30 p.m. (30 minutes)

This session will present a hybrid machine learning architecture that uses static and dynamic malware analysis methodologies at the same time. For dynamic analysis, we employ the Windows kernel emulator published by Mandiant and process its emulation reports with a 1D convolutional neural network. In contrast, static analysis is based on the state-of-the-art ensemble model publicly released by Endgame. The combined model surpasses the capabilities of modern AI classifiers. We use threat intelligence data consisting of in-the-wild telemetry from 100k samples and record a detection rate of 96.70% at a fixed False Positive rate of 0.1%. Additionally, we will show that contextual telemetry from a system, such as an executable's file path, can further increase detection rates. Finally, unaffiliated with any organization, we open-source our hybrid model with a convenient scikit-learn-like API for public use.
Presenters:

  • Dmitrijs Trizna - Security Software Engineer, University of Helsinki, Microsoft
    Dmitrijs Trizna is a Security Software Engineer at Microsoft. Previously, Dmitrijs worked in Red Teaming and Threat Hunting and took part in NATO cybersecurity events. Dmitrijs has contributed to publications and has spoken at DEF CON and CAMLIS, holds two higher education degrees (MSc Data Science, UH; MSc Network Security, RTU), and is certified OSCP, GREM, GDAT, CCNA, CCSA, and deeplearning.ai.