Catching hackers in the act of malware attacks

The Taos News - SCIENCE & TECHNOLOGY - By Justin Moore for the Santa Fe New Mexican

In May, the FBI issued a warning to owners of home routers that their devices might have fallen prey to a malware attack by a group of hackers with ties to the Russian military.

The malware, called VPNFilter, allowed hackers to collect personal information and attack other devices. This attack was notable for its breadth, but it certainly wasn't unique. An estimated 5.99 billion malware attacks took place in the first half of 2018 alone.

Malware is a favorite tool among cybercriminals who use it in a broad spectrum of cyberattacks, from large-scale banking Trojans that steal money from individual accounts to ransomware attacks that destroy data and have led to IT shutdowns at hospitals around the world. Large-scale theft of intellectual property is often accomplished by sophisticated, targeted malware attacks on organizations, such as the 2016 attack on the Democratic National Committee.

At Los Alamos National Laboratory, where some of the nation's most precious secrets are kept, information is not only closely guarded; tools are also being developed to help others detect and respond quickly to targeted attacks.

Understanding the capabilities and intent of malware, a process known as reverse engineering, is a difficult, manual process that can take days or even weeks for an expert analyst. Los Alamos has long been a leader in manual malware analysis and has found that expert intuition can be augmented by machine learning tools that rapidly identify patterns across large sets of related malware collected over time.

The lab's work is loosely based on a biological analogy of code evolution. Functional software, even malicious software, is difficult and expensive to create. Malware developers, like all software engineers, create their programs iteratively by incorporating existing code and refining existing malware to meet their objectives.

Once malware is detected by cyberdefenses, attackers make only small changes to circumvent existing detection mechanisms. It's a process similar to the small mutations a biological virus develops to avoid destruction by the human immune system. For cyber defenders, it is critical to track these iterative refinements in malware because it allows them to compare new threats to previously analyzed attacks.

Defenders ask: Is this new malware sample simply a cosmetic change to hide old code, or could the small change be a significant new strategy on the part of the attacker?

Code writers have a style, or voice, similar to writers who have recognizable ways of arranging their words. So the coder leaves fingerprints on the bits of malware code that remain unchanged, leaving a trail back to the source of the threat. This broad evolutionary analysis of malware, especially with an interest in source attribution, distinguishes Los Alamos research from anti-malware efforts that focus largely on blocking malware rather than studying it.
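The comparison the preceding paragraphs describe (is a new sample a cosmetic edit of known code, a substantial rewrite, or something unrelated, and which bytes are the unchanged "fingerprint") can be illustrated with a much simpler measure than the learned deep-learning representation the article attributes to Los Alamos. The following is an added example written for this page, not LANL's code: it shingles each sample into overlapping byte n-grams and scores pairs by Jaccard similarity, then reports which byte ranges of a new sample are not covered by any n-gram shared with the reference. The samples `BASE`, `COSMETIC`, `REWRITE` and `UNRELATED` are constructed pseudo-disassembly strings (not real malware), and the triage thresholds are assumptions chosen for the demonstration.

```python
"""Added example: byte n-gram similarity as a simple stand-in for the learned
similarity described in the article. All samples are constructed strings."""
from typing import Dict, List, Set, Tuple

# Constructed samples (assumption: pseudo-disassembly text, one instruction per '|').
BASE = (b"push ebp|mov ebp,esp|sub esp,0x40|call load_config|"
        b"call open_channel|mov [ebp-4],eax|call send_report|leave|ret")
# Cosmetic change: one constant tweaked, one symbol renamed, logic untouched.
COSMETIC = BASE.replace(b"0x40", b"0x48").replace(b"send_report", b"send_update")
# Significant rewrite: new checks inserted, but large unchanged blocks remain.
REWRITE = (b"push ebp|mov ebp,esp|sub esp,0x20|call load_config|call verify_host|"
           b"jz exit|call open_channel|push eax|call send_report|pop ebp|ret")
# Unrelated code that shares almost no n-grams with BASE.
UNRELATED = b"xor ecx,ecx|lea esi,[buf]|rep stosb|test ecx,ecx|jnz loop_top|int 3"

VERDICT_COSMETIC = "cosmetic variant of a known family"
VERDICT_RELATED = "related but substantially rewritten"
VERDICT_UNKNOWN = "no close relative in the corpus"


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of all overlapping n-byte windows ("shingles") of data."""
    if len(data) < n:
        return {data} if data else set()
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """|A and B| / |A or B|; 1.0 when both sets are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: bytes, y: bytes, n: int = 4) -> float:
    """Similarity in [0, 1]; unchanged code keeps its shingles, so edits lower it gradually."""
    return jaccard(byte_ngrams(x, n), byte_ngrams(y, n))


def changed_spans(reference: bytes, sample: bytes, n: int = 4) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) of sample not covered by any n-gram shared with reference.

    Everything outside these spans is the 'fingerprint' the edit left intact."""
    ref = byte_ngrams(reference, n)
    covered = bytearray(len(sample))
    for i in range(len(sample) - n + 1):
        if sample[i:i + n] in ref:
            for j in range(i, i + n):
                covered[j] = 1
    spans: List[Tuple[int, int]] = []
    start = None
    for idx, flag in enumerate(covered):
        if not flag and start is None:
            start = idx
        elif flag and start is not None:
            spans.append((start, idx))
            start = None
    if start is not None:
        spans.append((start, len(sample)))
    return spans


def triage(sample: bytes, corpus: Dict[str, bytes], n: int = 4,
           cosmetic_at: float = 0.7, related_at: float = 0.3) -> Tuple[str, float, str]:
    """Score sample against every known sample; return (best name, score, verdict).

    The thresholds are assumptions for this example, not values from the article."""
    best_name, best_score = "", -1.0
    for name, known in corpus.items():
        score = similarity(sample, known, n)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= cosmetic_at:
        verdict = VERDICT_COSMETIC
    elif best_score >= related_at:
        verdict = VERDICT_RELATED
    else:
        verdict = VERDICT_UNKNOWN
    return best_name, best_score, verdict


if __name__ == "__main__":
    corpus = {"family_a_v1": BASE}
    for label, sample in (("cosmetic", COSMETIC), ("rewrite", REWRITE), ("unrelated", UNRELATED)):
        name, score, verdict = triage(sample, corpus)
        print(f"{label:9s} best={name} score={score:.2f} -> {verdict}")
    # Show exactly which bytes of the cosmetic variant are new relative to BASE.
    for a, b in changed_spans(BASE, COSMETIC):
        print(f"  new bytes at [{a}:{b}]: {COSMETIC[a:b]!r}")
```

Real binaries would be shingled over disassembled opcode sequences or normalized instructions rather than raw text, and a learned representation (as the article describes) can recognize semantically equivalent code that n-grams cannot; the point of this baseline is that small edits leave most shingles intact, so a variant scores high and the uncovered spans point an analyst straight at what changed.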

LANL's newest research is based on a kind of machine learning called deep learning, which is used to compute the similarities between related malware samples that have been disguised by attackers. LANL takes the same approach used in state-of-the-art language translation systems, such as Google Translate.

In language translation, these novel deep learning methods summarize a sentence or paragraph in a language-agnostic, computerized representation. This pattern then becomes the key to decode the sentence or paragraph into other languages.

Importantly, these language translation approaches are trained in a statistical manner, requiring only translated pairs of training documents in different languages. Similarly, sets of related malware code, collected over time, are used to learn a "translation" that allows LANL to track adversaries better than existing anti-virus tools.

Keeping up with innovative adversaries means LANL has to anticipate new types of threats and more sophisticated versions of existing ones. Malware analysis won't prevent all cyberattacks, though.

The future of cybersecurity might instead depend on analyzing the behavior of an already infected machine rather than only screening for malware as it arrives. While biological viruses operate according to their own objectives, computer viruses often facilitate remote control of their host by an attacker.

The real signature of cyberattacks, therefore, is left by the actions of an attacker.

Ongoing research at Los Alamos on advanced user-behavior analysis holds the promise of uncovering these patterns of attacks in real time. Whatever the future holds, cyberattacks will only grow increasingly sophisticated with each passing year, and so must the ability to stop them.

Justin Moore is a data scientist and project leader in the Advanced Research in Cyber Systems group at Los Alamos National Laboratory.

