How process injection can be detected from the call stack with ML classification: well worth borrowing, to be tried out in practice

4. Machine Learning to Ultimately Defeat Advanced Ransomware Threats

The core of this RSA 2022 talk explains how process injection can be detected from the call stack using ML classification. Of course, the other essential traits of ransomware, such as file encryption, are not covered. But its process-injection detection deserves close attention.

Ryuk as the most advanced form of ransomware payloads (1)

    The initial stages: planting several executables in the system, for example using the Zloader botnet.

    Stopping services, deleting VSS copies, etc.

    The advanced stages: injecting multiple system and trusted processes.

    But keeping the system operational: lsass.exe, csrss.exe and explorer.exe are not changed.

    Detaching the encrypting part from Ryuk processes.

Challenge: abnormal injection detection.

Important: there are legitimate injection techniques.

   The ML-based solution: snapshotting of data changes for the thread.

   Detecting stack anomalies with ML models.

   Recovering changed data if ransomware is detected.

   Otherwise discarding the snapshots of data changes.

Ransomware shell code injection with CreateRemoteThread

The dropper delivers the payload

   The payload injects itself into legitimate processes with OpenProcess

   VirtualAllocEx

   WriteProcessMemory writes bufferWithTheEncryptor

   CreateRemoteThread launches bufferWithTheEncryptor

   CloseHandle

Ransomware shell code injection with APC

The dropper delivers the payload

   The payload injects itself into legitimate processes with OpenProcess

   VirtualAllocEx

   WriteProcessMemory writes bufferWithTheEncryptor

   apcRoutine = bufferWithTheEncryptor

   OpenThread

   QueueUserAPC

Ransomware DLL injection with SetWindowsHookEx

The dropper delivers the payload

   The payload injects itself into legitimate processes with LoadLibrary("hook.dll")

   Hooker = GetProcAddress(..);

   SetWindowsHookEx

Architecture of the Anti-Ransomware Solution

Windows file system filter driver, advanced call stack analyzer, Machine Learning system

 

Fighting Advanced Ransomware: Main Steps

Monitor injections using RtlCaptureStackBackTrace.

Analyze injections with Machine Learning Model.

Start data protection per the injection affected process.

Analyze process behavior.

When the detection decision is made, recover the encrypted files and terminate hostile injected objects.

[Architecture diagram: the victim is a system service or a well-known legitimate application, with a malicious thread injected by the ransomware running inside it. The filter driver holds the detection heuristics and the data remediation controls. The driver sends call stacks to ML and receives the verdict to mark the thread as suspicious; the full set of heuristics is turned ON if a stack anomaly is identified.]

 

Example:

 

Analysis of injections during execution

Malware inject detection by API call sequence

ntdll.dll, kernel32.dll, n/a, kernel32.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll  ==> the ML input is just this call stack

Suspicious example: Create Thread operation. Modules to which the return addresses on the stack belong.

The return address in the allocated memory doesn't belong to any process.

ntdll.dll, kernel32.dll, TeamViewer.exe, n/a, TeamViewer.exe, setupapi.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll  ==> this is the ML input

Clean example: Create Section operation

Just-in-time code compilation: whitelisted

 

Training dataset example:

ntkrnlpa.exe, ntdll.dll, KernelBase.dll, …, clean
KernelBase.dll, kernel32.dll, kernel32.dll, …, clean
NetSetupSvc.dll, ELSCore.dll, ELSCore.dll, …, clean
com.docker.9pdb.exe, n/a, cryptsp.dll, …, infected
ntkrnlpa.exe, ntdll.dll, KernelBase.dll, clean
…
…
…
ntkrnlpa.exe, ntdll.dll, KernelBase.dll, clean
n/a, clr.dll, clr.dll, clr.dll, combase.dll, …, clean

  

 

So a large set of call chains is collected and then fed to ML classification as the input for detection:

==> However, the calling relationships cannot be seen from the data he shows.

 

Analysis of injections: models comparison

Samples database: 850M records, 23M unique

New samples: 1-2M per day

Stacktrace Analyzer 1.0:

Model: Random Forest

Model details:

Input – fixed number of frames

Output – clean/suspicious

Size – 8M

Test results:

Accuracy – 0.96

Execution time: 10-20 ms

Stacktrace Analyzer 2.0:

Model: Gradient Boosting Tree

Model details:

Input – deduplicated frames

Output – clean/suspicious

Size – 900K

Test results:

Accuracy – 0.98

Execution time: 1-5 ms
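To make the training-data format and the 1.0 "fixed frames" versus 2.0 "deduplicated frames" input choice concrete, here is an added example (my own code, not from the talk or this blog): a pure-Python naive Bayes classifier over frame sequences, trained on a small constructed dataset written in the slide's format. The frame lists beyond what the slides show, the reading of "deduplicated" as collapsing adjacent identical frames, and the adjacent-frame bigram features are my assumptions; the talk's actual models are Random Forest and Gradient Boosting.

```python
import math
from collections import Counter

# Constructed training stacks in the slide's format (outermost frame first); "n/a" marks
# a return address not backed by any loaded module, e.g. a buffer from VirtualAllocEx.
TRAINING = [
    (["ntkrnlpa.exe", "ntdll.dll", "KernelBase.dll", "kernel32.dll", "kernel32.dll"], "clean"),
    (["ntkrnlpa.exe", "ntdll.dll", "KernelBase.dll", "explorer.exe", "explorer.exe"], "clean"),
    (["NetSetupSvc.dll", "ELSCore.dll", "ELSCore.dll", "ntdll.dll"], "clean"),
    (["n/a", "clr.dll", "clr.dll", "clr.dll", "combase.dll"], "clean"),  # JIT code, whitelisted
    (["ntdll.dll", "kernel32.dll", "n/a", "kernel32.dll", "ntdll.dll"], "infected"),
    (["ntdll.dll", "KernelBase.dll", "n/a", "KernelBase.dll", "ntdll.dll"], "infected"),
    (["com.docker.9pdb.exe", "n/a", "cryptsp.dll", "ntdll.dll"], "infected"),
]

def dedup_frames(stack):
    """Collapse runs of identical adjacent frames (assumed 2.0 analyzer input form)."""
    out = []
    for module in stack:
        if not out or out[-1] != module:
            out.append(module)
    return out

def tokens(stack):
    """Unigrams of deduplicated frames plus adjacent-frame bigrams: the position of an
    unbacked frame matters (JIT code at the top vs. a buffer between kernel32 frames)."""
    frames = dedup_frames(stack)
    return frames + [a + ">" + b for a, b in zip(frames, frames[1:])]

class StackNB:
    """Multinomial naive Bayes with Laplace smoothing over stack tokens."""
    def __init__(self, data):
        self.counts = {"clean": Counter(), "infected": Counter()}
        self.docs = Counter()
        for stack, label in data:
            self.counts[label].update(tokens(stack))
            self.docs[label] += 1
        self.vocab = set().union(*self.counts.values())
    def log_score(self, stack, label):
        counts, total = self.counts[label], sum(self.counts[label].values())
        lp = math.log(self.docs[label] / sum(self.docs.values()))
        for t in tokens(stack):
            lp += math.log((counts[t] + 1) / (total + len(self.vocab)))
        return lp
    def classify(self, stack):
        return max(("clean", "infected"), key=lambda l: self.log_score(stack, l))

MODEL = StackNB(TRAINING)
SUSPICIOUS = ["ntdll.dll", "kernel32.dll", "n/a", "kernel32.dll", "ntdll.dll",  # the slide's
              "wow64.dll", "wow64cpu.dll", "wow64.dll", "ntdll.dll"]  # Create Thread stack
```

With this toy model the slide's Create Thread stack scores as infected while the JIT-style stack with "n/a" at the top scores as clean, which is the distinction the whitelisting of just-in-time compilation relies on.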

 

DEMO

    We launch the real-world ransomware and demonstrate how the injection is detected and malicious file data modifications are rolled back. The video that demonstrates how the injected stacks are detected: https://drive.google.com/file/d/1KKptRRvGEy0ri-2DsdV8U1N203Qh9Eg5/view?usp=sharing

    The video that shows the post-mortem analysis of file encryption and recovery: https://drive.google.com/file/d/1o68zFgRioNEgteaMhhgMXKbEq4pWA3Ti/view?usp=sharing

Dealing with false positives of the call stack anomaly detection

Find methods to reduce false positives, connect with other methodologies and detections

How to reduce false positives

    The knowledge of the injection source helps to reduce false positives.

    Sensors: file system mini-filter callbacks, user mode or hypervisor assisted hooking.

    Validation: whitelisted services or behavior models.

 

Enhance anti-ransomware defense with ML

Gather all types of injections routinely.

Develop the model training infrastructure.

Start with simple models like Random Forest.

Update your model regularly.

Automate the data annotation process.

Apply ML to behavior analysis.

posted @ 2022-06-23 09:51  bonelee