Advanced techniques for real-time detection of polymorphic malware

Presented at BSidesSF 2016, Feb. 29, 2016, 5:30 p.m. (25 minutes).

In this session, we will introduce the audience to various techniques used in the identification and classification of polymorphic malware. By definition, polymorphic malware easily evades traditional signature-based detection methods. Approximate matching algorithms such as ssdeep have had much greater success in detecting polymorphic files. The ssdeep hash is one of the more popular attributes computed for a file by a number of sites such as VirusTotal, Malwr and Anubis. Newer algorithms using Bloom filters have also shown great promise in detecting polymorphic malware. This session gives an overview of these various algorithms and compares their efficiency and performance.

While ssdeep is a good tool for comparing two known files, it becomes computationally expensive when a new file (and its ssdeep hash) must be compared against a large database of existing ssdeep hashes to determine the closest match. In this session, we enumerate a class of techniques that reduce the lookup time significantly and allow for fast detection of similar files. These techniques are then extended to the classification of polymorphic malware, and we show their efficacy with real data collected from the field. We then analyze the performance of these algorithms in terms of both speed and success rate.
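To make the lookup problem in the abstract concrete, here is an added Python illustration that is neither the presenter's code nor the ssdeep implementation. It builds a toy context-triggered piecewise hash (one base64 character per content-defined block, boundaries chosen by a rolling hash over the last 7 bytes), scores two signatures by edit distance, and then contrasts a brute-force scan of a signature database with an n-gram index that compares only signatures sharing a 7-character substring with the query. The 7-gram prefilter is an assumed, generic prefiltering technique, not necessarily one of those presented in the talk; the sample "files" are constructed, seeded random bytes; and real ssdeep differs in that it adapts the block size per file and emits two signatures.

```python
"""Toy CTPH signature, similarity score and n-gram prefiltered lookup (added example)."""
import hashlib
import random
from collections import defaultdict, deque

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes covered by the rolling hash that picks block boundaries
BLOCK_SIZE = 64   # a boundary fires roughly once per BLOCK_SIZE bytes (fixed here; ssdeep adapts it)


def piecewise_hash(data: bytes) -> str:
    """One base64 character per content-defined block.

    Because the rolling hash sees only the last WINDOW bytes, boundaries depend on
    local content: an edit re-synchronises within a few bytes and changes only the
    characters of the blocks it touched, which is what makes the hash "fuzzy".
    """
    sig, block, window, rolling = [], bytearray(), deque(), 0
    for byte in data:
        window.append(byte)
        rolling += byte
        if len(window) > WINDOW:
            rolling -= window.popleft()
        block.append(byte)
        if rolling % BLOCK_SIZE == BLOCK_SIZE - 1:        # trigger: close the block
            sig.append(B64[hashlib.sha1(block).digest()[0] & 63])
            block = bytearray()
    if block:                                            # trailing partial block
        sig.append(B64[hashlib.sha1(block).digest()[0] & 63])
    return "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score derived from the Levenshtein distance between two signatures."""
    if not sig_a and not sig_b:
        return 100
    prev = list(range(len(sig_b) + 1))
    for i, ca in enumerate(sig_a, 1):
        cur = [i]
        for j, cb in enumerate(sig_b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return round(100 * (1 - prev[-1] / max(len(sig_a), len(sig_b))))


def brute_force_best(sigs: dict, query: str) -> tuple:
    """The expensive path: one edit-distance computation per stored signature."""
    best = (None, 0)
    for fid, other in sigs.items():
        score = similarity(query, other)
        if score > best[1]:
            best = (fid, score)
    return best


class FuzzyIndex:
    """Index signatures by n-grams; a lookup scores only signatures sharing an n-gram."""

    def __init__(self, n: int = 7):
        self.n, self.sigs, self.grams = n, {}, defaultdict(set)

    def _ngrams(self, sig: str) -> set:
        return {sig[i:i + self.n] for i in range(len(sig) - self.n + 1)}

    def add(self, file_id: str, sig: str) -> None:
        self.sigs[file_id] = sig
        for g in self._ngrams(sig):
            self.grams[g].add(file_id)

    def candidates(self, query: str) -> set:
        ids = set()
        for g in self._ngrams(query):
            ids |= self.grams.get(g, set())
        return ids

    def best_match(self, query: str) -> tuple:
        """(file_id, score) among candidates only; (None, 0) if nothing shares an n-gram."""
        return brute_force_best({fid: self.sigs[fid] for fid in self.candidates(query)}, query)


def make_samples(n_unrelated: int = 100, size: int = 8192):
    """Constructed, seeded data: a base file, a mutated variant of it, unrelated files."""
    rng = random.Random(2016)
    rand_bytes = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    base = rand_bytes(size)
    # variant: a 300-byte region rewritten and 40 bytes inserted, a stand-in for a
    # re-encoded stub plus a shifted payload in a polymorphic sample
    variant = base[:4000] + rand_bytes(300) + base[4300:6000] + rand_bytes(40) + base[6000:]
    unrelated = {f"unrelated-{i}": rand_bytes(size) for i in range(n_unrelated)}
    return base, variant, unrelated


if __name__ == "__main__":
    base, variant, unrelated = make_samples()
    index = FuzzyIndex()
    index.add("base", piecewise_hash(base))
    for fid, data in unrelated.items():
        index.add(fid, piecewise_hash(data))
    query = piecewise_hash(variant)
    print("database size:", len(index.sigs), "candidates compared:", len(index.candidates(query)))
    print("index best match:", index.best_match(query), "brute force:", brute_force_best(index.sigs, query))
```

The index answers with the same best match as the brute-force scan while scoring only the handful of signatures that share a 7-gram with the query, which is the cost reduction the abstract is concerned with; the price is that a variant whose signature shares no 7-character run with the original is never considered, so the n-gram length is a recall-versus-speed knob.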


Presenters:

  • Ajit Thyagarajan
    Ajit Thyagarajan is an independent security researcher. Until recently, he held multiple Director positions at Fidelis Cybersecurity. His area of research is new techniques for the detection of malware using network tools. Prior to Fidelis, he was heavily involved with Internet protocols and building fast routers. Ajit also mentors several cybersecurity start-ups as part of Mach37, a Virginia-based cybersecurity incubator.
