#HITBGSEC D1: Malware Classification With Graph Hash - Chai Ching Fang and Shih-Hao Weng

In malware research, threat hunting and security intelligence exchange, hashes such as MD5 or SHA256 hold a dominant position. Malware researchers search for malware on VirusTotal by hash and exchange security intelligence as IoCs (indicators of compromise) that include hashes. However, hashes have characteristics, such as the one-to-one relationship between a file and its hash, that limit researchers' ability to correlate files. Of course, that isn't what hashes were made for. Because of that, other related "enhanced" hashes have been proposed, such as ssdeep, sdhash, TLSH, and imphash, which help measure the similarity of binary files.

All of them are calculated from a binary (byte-level) point of view, but there are other methodologies for learning executable-file similarity that work from a graph point of view. For example, Zynamics BinDiff takes a bigger-picture view of an executable to learn the similarity/difference of two executable files. It gives researchers very detailed information about which parts of two executable files are similar; however, it can only process two files at a time.

This research, graph hash, tries to combine the advantages of these two types of methodologies: it calculates a hash of an executable file from the graph view, which helps classify malware in a consistent and efficient way.
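As an added illustration of the contrast drawn above (not the speakers' graph-hash algorithm, whose details the abstract does not give), the following Python hashes a function's control-flow graph by structure alone: two constructed variants with different bytes and addresses get one graph hash while their SHA-256 values differ, and a routine with a different shape gets another. The edge lists and byte strings are constructed samples, and the Weisfeiler-Lehman-style relabelling is an assumption chosen for the illustration.

```python
import hashlib

def byte_hash(blob: bytes) -> str:
    """Conventional content hash: any byte change yields a new value."""
    return hashlib.sha256(blob).hexdigest()

def graph_hash(edges, rounds: int = 3) -> str:
    """Structure-only hash of a directed graph given as (src, dst) pairs.
    Node names (addresses) are discarded: each node starts from its
    (in-degree, out-degree) and is relabelled for a few rounds from its
    neighbours' labels (Weisfeiler-Lehman style), so the value depends
    only on the graph's shape, not on where or how the code is laid out."""
    nodes = {n for edge in edges for n in edge}
    succ = {n: [] for n in nodes}
    pred = {n: [] for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
        pred[dst].append(src)
    label = {n: f"{len(pred[n])}:{len(succ[n])}" for n in nodes}
    for _ in range(rounds):
        label = {n: hashlib.sha256("|".join([
                     label[n],
                     ",".join(sorted(label[p] for p in pred[n])),
                     ",".join(sorted(label[s] for s in succ[n]))]).encode()
                 ).hexdigest()[:16] for n in nodes}
    # Sorting the multiset of node labels removes any dependence on node order.
    return hashlib.sha256("\n".join(sorted(label.values())).encode()).hexdigest()

# Constructed samples (not real malware): two variants of one routine whose
# basic blocks sit at different addresses with different bytes (recompiled or
# patched), plus a third routine whose control flow lacks the loop.
VARIANT_A_BYTES = b"\x55\x48\x89\xe5\x85\xc0\x74\x08\xff\xc8\x75\xfc\x5d\xc3"
VARIANT_A_CFG = [(0x401000, 0x401006), (0x401006, 0x40100e), (0x401006, 0x401008),
                 (0x401008, 0x401008), (0x401008, 0x40100e)]  # entry,check,loop,exit
VARIANT_B_BYTES = b"\x55\x48\x89\xe5\x90\x85\xc0\x74\x09\x90\xff\xc8\x75\xfb\x5d\xc3"
VARIANT_B_CFG = [(0x402100, 0x402107), (0x402107, 0x402111), (0x402107, 0x40210a),
                 (0x40210a, 0x40210a), (0x40210a, 0x402111)]  # same shape as A
OTHER_CFG = [(0x403000, 0x403005), (0x403005, 0x40300c), (0x403005, 0x403009),
             (0x403009, 0x40300c)]  # if/else without a loop

def compare() -> dict:
    """Byte hashes split the two variants; the graph hash joins them
    and still separates the routine with a different shape."""
    return {
        "bytes_equal": byte_hash(VARIANT_A_BYTES) == byte_hash(VARIANT_B_BYTES),
        "graph_equal": graph_hash(VARIANT_A_CFG) == graph_hash(VARIANT_B_CFG),
        "other_equal": graph_hash(VARIANT_A_CFG) == graph_hash(OTHER_CFG),
    }
```

Real graph-hash schemes typically also fold in node features (instruction mnemonics, imported API calls) and must cope with compiler or obfuscation changes that alter the graph shape; this structure-only version is the minimal form of the idea.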

===

I am a senior threat researcher at Trend Micro. I have over 10 years of experience in malware analysis, malicious document analysis, and vulnerability assessment. My current research focuses on targeted attacks and threat intelligence. In 2009, I disclosed the Adobe Acrobat 0-day vulnerability and attack (CVE-2009-3459). In 2013, I was honored as (ISC)² Asia-Pacific ISLA 2013 Information Security Practitioner and selected as the showcase. Speaker at Virus Bulletin 2017, IRCON 2016, BoT 2012 and BoT 2010, sharing APT cases and OSINT.

---

Shih-Hao Weng is a senior threat researcher at Trend Micro. He has focused on targeted attack investigation, incident response, and threat solution research for more than 15 years.