Andrea Marcelli (@_S0nn1_) - DEF CON 26 (slide transcript)
Page 1
Andrea Marcelli (@_S0nn1_)
Page 2
Web
PhD Student
Security Researcher
Page 3
The signature generation problem
The algorithm
Introducing YaYaGen
Demo
Page 5
A unique pattern
Syntactic signatures* (this is where most of the existing tools and research focus)
Semantic signatures
Android malware
Page 6
Reduce Automate 100% recall Save
Page 7
“YARA is to files what Snort is to network traffic”
de-facto standard
syntactic signatures
Semantic signatures
Page 8

```yara
import "androguard"   // Koodous module that exposes the Android analysis attributes used below

rule YaYaSyringe {
    meta:
        author = "DEF CON 26"
    strings:
        $a = "text here"
        $b = { E2 34 A1 C8 23 FB }
    condition:
        $a and $b and androguard.filter("action.BATTERYCHECK") and androguard.number_of_services == 3 …
}
```
Page 10
APK Unsupervised Automatic
Page 11
Each block is an attribute extracted through the analysis
quality of the analysis
static
dynamic
url: "malware.xxx"
permission: "ACCESS_FINE_LOCATION"
Page 12
Sample 1 Sample 2
=
Signature
Page 13
Sample 1 Sample 2 Sample 3 Sample 4 Sample 5 Sample 6
Sample 7 Sample 8 Sample 9 Sample 10 Sample 11 Sample 12
Page 14
dynamic greedy algorithm
Page 15
clause literal
Page 16
DNF
clause weighed
is the lowest
Page 17
weighting system
the higher the weight, the fewer FP
the lower the weight, the more FP
Page 18
TMIN TMAX
Page 19
over-specific
Basic optimizer
Evo optimizer
TMAX
Raw Optimized
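The slides above sketch the idea in fragments: attributes from each sample's analysis report are literals, the intersection of samples gives a clause, the rule is a DNF of clauses, literals are weighted so that heavier clauses produce fewer FP, and a clause must sit between TMIN and TMAX to avoid being too generic or over-specific. The following is an added illustration of that greedy, weighted clause building; it is not YaYaGen's code, and the weights, thresholds, samples and the trimming choice of the "basic optimizer" stand-in are constructed assumptions.

```python
# Added illustration of weighted greedy clause building (not YaYaGen's own code).
# Constructed weights: a heavier literal is more specific, so a clause built from
# heavy literals is expected to raise fewer false positives.
WEIGHTS = {"url": 4, "filter": 3, "service_count": 2, "permission": 1}
TMIN, TMAX = 6, 12  # constructed: below TMIN too generic (FP), above TMAX over-specific

def clause_weight(clause):
    """A clause is a set of (kind, value) literals; its weight is the sum of literal weights."""
    return sum(WEIGHTS[kind] for kind, _ in clause)

def trim(clause, tmin=TMIN, tmax=TMAX):
    """Basic-optimizer stand-in (assumption): drop the lightest literals while the clause
    weighs more than tmax, but never let it fall below tmin."""
    clause = set(clause)
    for lit in sorted(clause, key=lambda l: (WEIGHTS[l[0]], l[0], str(l[1]))):
        if clause_weight(clause) <= tmax:
            break
        if clause_weight(clause) - WEIGHTS[lit[0]] >= tmin:
            clause.discard(lit)
    return frozenset(clause)

def greedy_dnf(samples, tmin=TMIN, tmax=TMAX):
    """Merge each sample into the first clause whose intersection with it still weighs
    >= tmin (so every merged sample is still matched); otherwise start a new clause.
    The OR of the returned clauses is the rule condition."""
    clauses = []
    for attrs in samples:
        cand = frozenset(attrs)
        for i, c in enumerate(clauses):
            inter = c & cand
            if clause_weight(inter) >= tmin:
                clauses[i] = inter
                break
        else:
            clauses.append(cand)
    return [trim(c, tmin, tmax) for c in clauses]

def to_yara_condition(clauses):
    """Render the DNF using Koodous androguard-module function names (assumed API)."""
    def lit(kind, val):
        if kind == "service_count":
            return f"androguard.number_of_services == {val}"
        return f"androguard.{kind}(/{val}/)"
    return " or ".join("(" + " and ".join(lit(k, v) for k, v in sorted(c, key=str)) + ")"
                       for c in clauses)

SAMPLES = [  # constructed attribute sets, one per analysed APK
    {("url", "malware.xxx"), ("permission", "ACCESS_FINE_LOCATION"), ("filter", "action.BATTERYCHECK"), ("service_count", 3)},
    {("url", "malware.xxx"), ("permission", "ACCESS_FINE_LOCATION"), ("filter", "action.BATTERYCHECK"), ("permission", "INTERNET")},
    {("url", "c2.example"), ("permission", "ACCESS_FINE_LOCATION"), ("permission", "INTERNET"), ("service_count", 3)},
]

if __name__ == "__main__":
    print(to_yara_condition(greedy_dnf(SAMPLES)))
```

With the constructed samples, the first two collapse into one clause (url + permission + filter, weight 8) while the third keeps its own clause because the shared permission alone weighs 1, well under TMIN.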
Page 21
From application analysis reports to YARA rules
Page 22
2 algorithms 2 optimizers heuristics
YARA rule parser
FP exclusion
Koodous
Page 26
Rule Name Original YaYaGen Improvement
1,004 +86.3%
315 +43.2%
257 +89.0%
652 +16.6%
172 +8.2%
430 +131.2%
Page 27
perform better: 100 apps in less than 5 minutes