Andrea Marcelli (@ S0nn1 ) - DEF CON CON 26/DEF CON 26... · Andrea Marcelli (@_S0nn1_) Twitter...
Transcript of Andrea Marcelli (@ S0nn1 ) - DEF CON CON 26/DEF CON 26... · Andrea Marcelli (@_S0nn1_) Twitter...
Andrea Marcelli (@_S0nn1_)
Web
PhD Student
Security Researcher
The signature generation problem
The algorithm
Introducing YaYaGen
Demo
A unique pattern
Syntactic signatures* this is where the most of the existing tools and researches focus on
Semantic signatures
Android malware
Reduce Automate 100% recall Save
“YARA is to files what Snort is to network traffic”
de-facto standard
syntactic signatures
Semantic signatures
rule YaYaSyringe {
meta: author = "DEF CON 26"
strings: $a = “text here” $b = { E2 34 A1 C8 23 FB }
condition: $a and $b and androguard.filter("action.BATTERYCHECK") and androguard.number_of_services == 3 …
}
APK Unsupervised Automatic
Each block is an attribute extracted through the analysis
quality of the analysis
static
dynamic
url: “malware.xxx”
permission: “ACCESS_FINE_LOCATION”
Sample 1 Sample 2
=
Signature
Sample 1 Sample 2 Sample 3 Sample 4 Sample 5 Sample 6
Sample 7 Sample 8 Sample 9 Sample 10 Sample 11 Sample 12
dynamic greedy algorithm
+ + + +
clause literal
DNF
clause weighed
is the lowest
weighting system
higher the weight, the less FP
lower the weight, the more FP
TMIN TMAX
over-specific
Basic optimizer
Evo optimizer
TMAX
Raw Optimized
From
application analysis reports
YARA rules
to
2 algorithms 2 optimizers heuristics
YARA rule parser
FP exclusion
Koodous
Rule Name Original YaYaGen Improvement
1,004 +86.3%
315 +43.2%
257 +89.0%
652 +16.6%
172 +8.2%
430 +131.2%
perform better 100 apps is less 5 minutes