How process injection can be detected from call stacks using ML classification: well worth borrowing, to be tried out in practice
4. Machine Learning to Ultimately Defeat Advanced Ransomware Threats
The core of this RSA 2022 talk is how process injection can be detected from call stacks with ML classification. Other essential ransomware traits, such as file encryption, are not covered, but its injection detection deserves close attention.
Ryuk as the most advanced form of ransomware payloads (1)
The initial stages: planting several executables in the system, for example using the Zloader botnet.
Stopping services, deleting VSS copies, etc.
The advanced stages: injecting multiple system and trusted processes.
But keeping the system operational: lsass.exe, csrss.exe and explorer.exe are not changed.
Detaching the encrypting part from Ryuk processes.
Challenge: abnormal injection detection.
Important: there are legitimate injection techniques.
The ML-based solution: snapshotting of data changes for the thread.
Detecting stack anomalies with ML models.
Recovering changed data if ransomware is detected.
Otherwise discarding the snapshots of data changes.
Ransomware shell code injection with CreateRemoteThread
The dropper delivers the payload
The payload injects itself into legitimate processes with OpenProcess
VirtualAllocEx
WriteProcessMemory writes bufferWithTheEncryptor
CreateRemoteThread launches bufferWithTheEncryptor
CloseHandle
Ransomware shell code injection with APC
The dropper delivers the payload
The payload injects itself into legitimate processes with OpenProcess
VirtualAllocEx
WriteProcessMemory writes bufferWithTheEncryptor
apcRoutine = bufferWithTheEncryptor
OpenThread
QueueUserAPC
Ransomware DLL injection with SetWindowsHookEx
The dropper delivers the payload
The payload injects itself into legitimate processes with LoadLibrary("hook.dll")
Hooker = GetProcAddress(..);
SetWindowsHookEx
Architecture of the Anti-Ransomware Solution
Windows file system filter driver, advanced call stack analyzer, machine learning system
Fighting Advanced Ransomware: Main Steps
Monitor injections using RtlCaptureStackBackTrace.
Analyze injections with Machine Learning Model.
Start data protection per the injection affected process.
Analyze process behavior.
When the detection decision is made, recover the encrypted files and terminate hostile injected objects.
Diagram: the victim is a system service or a well-known legitimate application hosting a malicious thread injected by the ransomware; the filter driver applies detection heuristics and data remediation controls.
The driver sends call stacks to the ML model and receives a verdict that marks the thread as suspicious. The full set of heuristics is turned on if a stack anomaly is identified.
Example:
Analysis of injections during execution
Malware injection detection by API call sequence
ntdll.dll, kernel32.dll, n/a, kernel32.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll ==> this call stack is the ML input
Suspicious example: Create Thread operation (modules to which the return addresses on the stack belong)
A return address in the allocated memory does not belong to any process (n/a)
ntdll.dll, kernel32.dll, TeamViewer.exe, n/a, TeamViewer.exe, setupapi.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll ==> this is the ML input
Clean example: Create Section operation
Just-in-time code compilation: whitelisted
Training dataset example (one stack per row, label last):
ntkrnlpa.exe, ntdll.dll, KernelBase.dll, …, clean
KernelBase.dll, kernel32.dll, kernel32.dll, …, clean
NetSetupSvc.dll, ELSCore.dll, ELSCore.dll, …, clean
com.docker.9pdb.exe, n/a, cryptsp.dll, …, infected
ntkrnlpa.exe, ntdll.dll, KernelBase.dll, clean
… … …
ntkrnlpa.exe, ntdll.dll, KernelBase.dll, clean
n/a, clr.dll, clr.dll, clr.dll, combase.dll, …, clean
So it collects a large set of call chains and feeds them to an ML classifier as input for detection:
==> However, from the data he shows, the call relationships cannot be seen.
Analysis of injections: models comparison
Samples database: 850M records, 23M unique
New samples: 1-2M per day

| | Stacktrace Analyzer 1.0 | Stacktrace Analyzer 2.0 |
|---|---|---|
| Model | Random Forest | Gradient Boosting Tree |
| Input | fixed number of frames | deduplicated frames |
| Output | clean/suspicious | clean/suspicious |
| Size | 8M | 900K |
| Test accuracy | 0.96 | 0.98 |
| Execution time | 10-20 ms | 1-5 ms |
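As an added example (not code from the talk or its product), the Python below turns the two stacks shown above into the kinds of input the two analyzers describe: a fixed number of frames (Analyzer 1.0) and frames with consecutive duplicates collapsed (Analyzer 2.0; the meaning of "deduplicated" is assumed), plus features describing where the n/a frame sits. The JIT allow-list, the thread-start module set and the rule-based verdict that stands in for the trained model are assumptions.

```python
from typing import Dict, List

UNBACKED = "n/a"  # slide notation: return address not backed by any loaded module
# Thread start-up stubs; a frame called straight from these is the thread's entry routine
THREAD_START = {"kernel32.dll", "ntdll.dll"}
# Hypothetical allow-list of images known to run JIT-compiled code (constructed here)
JIT_WHITELIST = {"teamviewer.exe", "clr.dll"}

# The two stacks from the slides, innermost frame first (constructed sample input)
SUSPICIOUS_STACK = "ntdll.dll kernel32.dll n/a kernel32.dll ntdll.dll wow64.dll wow64cpu.dll wow64.dll ntdll.dll"
CLEAN_STACK = ("ntdll.dll kernel32.dll TeamViewer.exe n/a TeamViewer.exe setupapi.dll "
               "ntdll.dll wow64.dll wow64cpu.dll wow64.dll ntdll.dll")

def parse_stack(text: str) -> List[str]:
    """Split a comma- or space-separated stack into lower-cased module names."""
    return [f.lower() for f in text.replace(",", " ").split()]

def fixed_frames(frames: List[str], n: int = 8) -> List[str]:
    """Analyzer 1.0 style input: exactly n frames, truncated or padded with ''."""
    return (frames + [""] * n)[:n]

def dedup_frames(frames: List[str]) -> List[str]:
    """Analyzer 2.0 style input (assumed meaning): collapse consecutive repeats."""
    out: List[str] = []
    for f in frames:
        if not out or out[-1] != f:
            out.append(f)
    return out

def featurize(frames: List[str]) -> Dict[str, object]:
    """Model features centred on where unbacked return addresses sit in the stack."""
    idx = [i for i, f in enumerate(frames) if f == UNBACKED]
    callers = {frames[i + 1] for i in idx if i + 1 < len(frames)}  # outer neighbours
    return {
        "depth": len(frames),
        "unbacked_count": len(idx),
        # shellcode launched as a new thread: the unbacked frame is the thread entry point
        "unbacked_is_thread_entry": any(c in THREAD_START for c in callers),
        # JIT pattern: unbacked code is entered only from an allow-listed image
        "unbacked_inside_whitelisted": bool(callers) and callers <= JIT_WHITELIST,
    }

def verdict(frames: List[str]) -> str:
    """Rule-based stand-in for the ML classifier's clean/suspicious output."""
    f = featurize(frames)
    if f["unbacked_count"] == 0 or f["unbacked_inside_whitelisted"]:
        return "clean"
    return "suspicious"
```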
DEMO
We launch the real-world ransomware and demonstrate how the injection is detected and malicious file data modifications are rolled back.
The video that demonstrates how the injected stacks are detected: https://drive.google.com/file/d/1KKptRRvGEy0ri-2DsdV8U1N203Qh9Eg5/view?usp=sharing
The video that shows the post-mortem analysis of file encryption and recovery: https://drive.google.com/file/d/1o68zFgRioNEgteaMhhgMXKbEq4pWA3Ti/view?usp=sharing
Dealing with false positives of the call stack anomaly detection
Find methods to reduce false positives, connect with other methodologies and detections
How to Reduce False Positives
Knowledge of the injection source helps to reduce false positives.
Sensors: file system mini-filter callbacks, user mode or hypervisor assisted hooking.
Validation: whitelisted services or behavior models.
Enhance anti-ransomware defense with ML
Gather all types of injections routinely.
Develop the model training infrastructure.
Start with simple models like Random Forest.
Update your model regularly.
Automate the data annotation process.
Apply ML to behavior analysis.