• How process injection can be detected from the call stack with ML classification; very much worth borrowing, still to be tried in practice


    4、Machine Learning to Ultimately Defeat Advanced Ransomware Threats

    The core of this RSA 2022 talk is how process injection can be detected from the call stack using an ML classifier. The other essential ransomware traits, such as the file encryption itself, are not covered, but its injection detection deserves close attention.

    Ryuk as the most advanced form of ransomware payloads (1)

        The initial stages: planting several executables in the system, for example using the Zloader botnet.

        Stopping services, deleting VSS copies, etc.

        The advanced stages: injecting multiple system and trusted processes.

        But keeping the system operational: lsass.exe, csrss.exe and explorer.exe are not changed.

        Detaching the encrypting part from Ryuk processes.

     

     

     

    Challenge: abnormal injection detection.

    Important: there are legitimate injection techniques.

       The ML-based solution: snapshotting of data changes for the thread.

       Detecting stack anomalies with ML models.

       Recovering changed data if ransomware is detected.

       Otherwise discarding the snapshots of data changes.

        

     

    Ransomware shell code injection with CreateRemoteThread

    The dropper delivers the payload

       The payload injects itself into legitimate processes with OpenProcess

       VirtualAllocEx

       WriteProcessMemory writes bufferWithTheEncryptor

       CreateRemoteThread launches bufferWithTheEncryptor

       CloseHandle

    Ransomware shell code injection with APC

    The dropper delivers the payload

       The payload injects itself into legitimate processes with OpenProcess

       VirtualAllocEx

       WriteProcessMemory writes bufferWithTheEncryptor

       apcRoutine = bufferWithTheEncryptor

       OpenThread

       QueueUserAPC

    Ransomware DLL injection with SetWindowsHookEx

    The dropper delivers the payload

       The payload injects itself into legitimate processes with LoadLibrary("hook.dll")

       Hooker = GetProcAddress(..);

       SetWindowsHookEx

    Architecture of the Anti-Ransomware Solution (slide diagram): Windows file system filter driver, advanced call stack analyzer, machine learning system.

    Fighting Advanced Ransomware: Main Steps

    Monitor injections using RtlCaptureStackBackTrace.

    Analyze injections with Machine Learning Model.

    Start data protection for the process affected by the injection.

    Analyze process behavior.

    When the detection decision is made, recover the encrypted files and terminate hostile injected objects.


    (Architecture diagram) The victim is a system service or a well-known legitimate application; the malicious thread is the one injected by the ransomware. The filter driver sends call stacks to the ML model and receives the verdict that marks the thread as suspicious; the full set of detection heuristics and data remediation controls is turned on only once a stack anomaly is identified.
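The pipeline in the steps and diagram above, as an added example that is not the product's code: an in-memory simulation in which a thread-create event carries the call stack, the verdict marks the thread, writes from a marked thread are snapshotted copy-on-first-write, a behaviour heuristic (several ciphertext-looking, i.e. high-entropy, overwrites by one marked thread) makes the decision, and the files are then either rolled back or the snapshots are discarded when the thread finishes. The classifier is a pluggable callable; the default "any unbacked return address" rule, the entropy threshold, the file contents, paths and thread ids are all assumptions made for this example.

```python
"""Per-thread data protection driven by the stack verdict (added example, not the product's code)."""
import math
from collections import defaultdict


def entropy_bits(data):
    """Shannon entropy per byte: 8.0 for a uniform byte histogram, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unbacked_frame_rule(stack):
    """Placeholder verdict (assumption): a return address that belongs to no module."""
    return "n/a" in stack


class ProtectedVolume:
    """In-memory stand-in for the files the file-system filter driver guards."""

    def __init__(self, files):
        self.files = dict(files)
        self.snapshots = defaultdict(dict)  # thread id -> {path: content before first write}

    def write(self, tid, path, data, snapshot):
        if snapshot and path in self.files and path not in self.snapshots[tid]:
            self.snapshots[tid][path] = self.files[path]  # copy-on-first-write
        self.files[path] = data

    def rollback(self, tid):
        """Recover every file the thread touched, then forget its snapshots."""
        for path, original in self.snapshots.pop(tid, {}).items():
            self.files[path] = original

    def discard(self, tid):
        self.snapshots.pop(tid, None)


class AntiRansomwareMonitor:
    def __init__(self, volume, classify=unbacked_frame_rule,
                 encrypted_writes_limit=3, entropy_limit=7.5):
        self.volume, self.classify = volume, classify
        self.encrypted_writes_limit, self.entropy_limit = encrypted_writes_limit, entropy_limit
        self.suspicious, self.terminated = set(), set()
        self.encrypted_writes = defaultdict(int)

    def on_thread_create(self, tid, stack):
        """Steps 1-2: the driver hands the stack to the model; the verdict marks the thread."""
        if self.classify(stack):
            self.suspicious.add(tid)

    def on_write(self, tid, path, data):
        """Steps 3-5: protect data only for marked threads, judge behaviour, remediate.
        Returns 'allowed', 'blocked' (thread already terminated) or 'detected'."""
        if tid in self.terminated:
            return "blocked"
        protect = tid in self.suspicious
        self.volume.write(tid, path, data, snapshot=protect)
        if protect and entropy_bits(data) >= self.entropy_limit:
            self.encrypted_writes[tid] += 1  # heuristic: ciphertext-looking overwrite
            if self.encrypted_writes[tid] >= self.encrypted_writes_limit:
                self.volume.rollback(tid)
                self.terminated.add(tid)  # stands in for terminating the injected thread
                return "detected"
        return "allowed"

    def on_thread_exit(self, tid):
        """A marked thread that behaved itself: drop its snapshots."""
        if tid not in self.terminated:
            self.volume.discard(tid)


def fake_ciphertext(seed):
    """Constructed 'encrypted' content: a permutation of all 256 byte values (entropy 8.0)."""
    return bytes((i * 37 + seed) % 256 for i in range(256))


# Constructed victim files and events; paths and thread ids are made up.
ORIGINAL_FILES = {
    "C:/Users/alice/report.docx": b"Quarterly report: revenue up 4%, costs flat.",
    "C:/Users/alice/budget.xlsx": b"Budget 2022: Q1 120k, Q2 135k, Q3 140k, Q4 150k.",
    "C:/Users/alice/notes.txt": b"Meeting notes: renew certificates before June.",
    "C:/Users/alice/todo.txt": b"todo: patch file server, rotate backup keys.",
    "C:/ProgramData/TeamViewer/Connections.txt": b"10:40 session start\n",
}
INJECTED_STACK = ["ntdll.dll", "kernel32.dll", "n/a", "kernel32.dll", "ntdll.dll"]
JIT_STACK = ["ntdll.dll", "kernel32.dll", "TeamViewer.exe", "n/a", "TeamViewer.exe", "ntdll.dll"]
RANSOM_TID, JIT_TID = 0x1A4, 0x2B0


def run_scenario():
    volume = ProtectedVolume(ORIGINAL_FILES)
    monitor = AntiRansomwareMonitor(volume)
    monitor.on_thread_create(RANSOM_TID, INJECTED_STACK)  # thread injected into a service
    monitor.on_thread_create(JIT_TID, JIT_STACK)          # JIT thread, flagged by the naive rule too
    results = [monitor.on_write(JIT_TID, "C:/ProgramData/TeamViewer/Connections.txt",
                                b"10:40 session start\n10:41 file transfer\n")]
    monitor.on_thread_exit(JIT_TID)                       # behaved cleanly: snapshots discarded
    docs = [p for p in ORIGINAL_FILES if p.startswith("C:/Users/")]
    for i, path in enumerate(docs):
        results.append(monitor.on_write(RANSOM_TID, path, fake_ciphertext(i)))
    return monitor, volume, results


if __name__ == "__main__":
    monitor, volume, results = run_scenario()
    print(results)
    for path, content in volume.files.items():
        print(path, "intact" if content == ORIGINAL_FILES[path] else "changed")
```

Running it, the TeamViewer JIT thread is flagged by the placeholder rule yet costs only one snapshot that is discarded on exit, while the injected thread's third ciphertext-looking write triggers rollback of every file it touched and its later writes are blocked. A real deployment would replace the rule with the trained stack model and add the behaviour heuristics the slides only name.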

    Example:

    Analysis of injections during execution

    Malware inject detection by API call sequence

    Suspicious example: Create Thread operation. Modules to which the return addresses on the stack belong; one return address lies in allocated memory that doesn't belong to any process ("n/a"):

    ntdll.dll, kernel32.dll, n/a, kernel32.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll  ==> this call stack is the ML input

    Clean example: Create Section operation, just-in-time code compilation: whitelisted:

    ntdll.dll, kernel32.dll, TeamViewer.exe, n/a, TeamViewer.exe, setupapi.dll, ntdll.dll, wow64.dll, wow64cpu.dll, wow64.dll, ntdll.dll  ==> this is the ML input

     Training data set example:

    ntkrnlpa.exe,ntdll.dll,KernelBase.dll, …, clean
    KernelBase.dll,kernel32.dll,kernel32.dll, …, clean
    NetSetupSvc.dll,ELSCore.dll,ELSCore.dll, …,clean
    com.docker.9pdb.exe, n/a,cryptsp.dll, …, infected
    ntkrnlpa.exe,ntdll.dll,KernelBase.dll, clean
    …
    …
    …
    ntkrnlpa.exe,ntdll.dll,KernelBase.dll, clean
    n/a,clr.dll,clr.dll,clr.dll, combase.dll, …, clean
    

      

    So it collects a large set of call chains and feeds them as input to an ML classifier for detection:

    ==> but the call relationships cannot be seen from the data he shows.
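As an added example (not code from the talk or its product), here is a minimal stand-in for the stack analyzer that works on rows in exactly the format listed above: it parses the module list, builds the two input representations the slides mention (a fixed number of frames for Analyzer 1.0 and deduplicated frames for 2.0, where deduplication is assumed to mean collapsing consecutive repeats), and trains a tiny log-odds model over adjacent-module transitions in place of the Random Forest / gradient boosting tree. The training rows are constructed in the page's CSV layout, and the test stacks are the two from the slides plus an ordinary one. What it shows is that the bare "return address not in any module" rule flags the TeamViewer JIT stack as well, while a model that has seen whitelisted JIT stacks keeps it clean.

```python
"""Stand-in for the call-stack anomaly analyzer (added example, not the talk's code).

A sample is the list of modules owning the return addresses on a thread's stack,
innermost frame first; "n/a" marks a return address in memory that no loaded
module backs (the "doesn't belong to any process" case from the slides).
"""
import math
from collections import Counter

PAD = "<none>"
ELISION = {"…", "..."}


def parse_stack(text):
    """'ntdll.dll, n/a, kernel32.dll, …' -> ['ntdll.dll', 'n/a', 'kernel32.dll']."""
    return [m.strip() for m in text.split(",") if m.strip() and m.strip() not in ELISION]


def parse_row(line):
    """One line of the training CSV shown on the page: modules..., label."""
    modules, label = line.rsplit(",", 1)
    return parse_stack(modules), label.strip()


def fixed_frames(frames, n=8):
    """Analyzer 1.0 style input: exactly n frames, truncated or padded."""
    return (list(frames) + [PAD] * n)[:n]


def dedup_frames(frames):
    """Analyzer 2.0 style input (assumed meaning: collapse consecutive repeats),
    so the recursion depth in 'clr.dll,clr.dll,clr.dll' no longer changes the sample."""
    out = []
    for frame in frames:
        if not out or out[-1] != frame:
            out.append(frame)
    return out


def has_unbacked_frame(frames):
    """The naive rule: any return address outside every module is suspicious."""
    return "n/a" in frames


def transitions(frames):
    """Adjacent-module pairs: 'kernel32.dll>n/a' is the injection signal,
    'TeamViewer.exe>n/a' the JIT one, which is what lets a model tell them apart."""
    return [f"{a}>{b}" for a, b in zip(frames, frames[1:])]


class StackModel:
    """Additive log-odds over transitions with add-one smoothing: a toy in place
    of the Random Forest / gradient boosting tree, but trained from the same rows."""

    def __init__(self):
        self.clean = Counter()
        self.infected = Counter()

    def fit(self, csv_lines):
        for line in csv_lines:
            frames, label = parse_row(line)
            target = self.infected if label == "infected" else self.clean
            target.update(transitions(dedup_frames(frames)))
        return self

    def score(self, frames):
        """> 0 leans infected; transitions never seen (e.g. wow64 frames) add 0."""
        return sum(math.log((self.infected[t] + 1) / (self.clean[t] + 1))
                   for t in transitions(dedup_frames(frames)))

    def predict(self, frames):
        return "suspicious" if self.score(frames) > 0 else "clean"


# Constructed training rows in the page's CSV layout; JIT stacks are labelled clean
# because the product whitelists just-in-time compiled code.
TRAINING = [
    "ntkrnlpa.exe,ntdll.dll,KernelBase.dll,kernel32.dll,ntdll.dll, clean",
    "KernelBase.dll,kernel32.dll,kernel32.dll,ntdll.dll, clean",
    "NetSetupSvc.dll,ELSCore.dll,ELSCore.dll,ntdll.dll, clean",
    "n/a,clr.dll,clr.dll,clr.dll,combase.dll,ntdll.dll, clean",
    "ntdll.dll,kernel32.dll,TeamViewer.exe,n/a,TeamViewer.exe,ntdll.dll, clean",
    "ntdll.dll,KernelBase.dll,svchost.exe,ntdll.dll, clean",
    "ntdll.dll,kernel32.dll,KernelBase.dll,ntdll.dll, clean",
    "com.docker.9pdb.exe, n/a,cryptsp.dll,ntdll.dll, infected",
    "KernelBase.dll,kernel32.dll,n/a,kernel32.dll,KernelBase.dll,ntdll.dll, infected",
    "ntdll.dll,kernel32.dll,n/a,ntdll.dll, infected",
    "explorer.exe,n/a,kernel32.dll,ntdll.dll, infected",
]

# The two stacks shown on the slides (commas added) plus an ordinary stack.
SUSPICIOUS_CREATE_THREAD = parse_stack(
    "ntdll.dll,kernel32.dll,n/a,kernel32.dll,ntdll.dll,wow64.dll,wow64cpu.dll,wow64.dll,ntdll.dll")
CLEAN_JIT_CREATE_SECTION = parse_stack(
    "ntdll.dll,kernel32.dll,TeamViewer.exe,n/a,TeamViewer.exe,setupapi.dll,ntdll.dll,"
    "wow64.dll,wow64cpu.dll,wow64.dll,ntdll.dll")
ORDINARY_STACK = parse_stack("ntdll.dll,kernel32.dll,KernelBase.dll,ntdll.dll")


def build_model():
    return StackModel().fit(TRAINING)


if __name__ == "__main__":
    model = build_model()
    for frames in (SUSPICIOUS_CREATE_THREAD, CLEAN_JIT_CREATE_SECTION, ORDINARY_STACK):
        print(f"rule={has_unbacked_frame(frames)!s:<5} model={model.predict(frames):<10}"
              f" score={model.score(frames):+.2f} {dedup_frames(frames)}")
```

The transition features are the design choice worth noting: a single "n/a" frame is exactly the false-positive source the slides warn about, and it is the module on either side of the unbacked address (kernel32.dll versus TeamViewer.exe or clr.dll) that carries the distinction, which is why the flat CSV rows on the page are a usable training input even though they show no call relationships beyond adjacency.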

    Analysis of injections: Models comparison

    Samples database: 850M records, 23M unique

    New samples: 1-2M per day

    Stacktrace Analyzer 1.0:

    Model: Random Forest

    Model details:

    Input –fixed number of frames

    Output –clean/suspicious

    Size –8M

    Test results:

    Accuracy –0.96

    Execution Time: 10-20 ms

    Stacktrace Analyzer 2.0:

    Model: Gradient Boosting Tree

    Model details:

    Input –deduplicated frames

    Output –clean/suspicious

    Size –900K

    Test results:

    Accuracy –0.98

    Execution Time: 1-5 ms

    DEMO

        We launch real-world ransomware and demonstrate how the injection is detected and malicious file data modifications are rolled back. The video that demonstrates how the injected stacks are detected: https://drive.google.com/file/d/1KKptRRvGEy0ri-2DsdV8U1N203Qh9Eg5/view?usp=sharing

        The video that shows the post-mortem analysis of file encryption and recovery: https://drive.google.com/file/d/1o68zFgRioNEgteaMhhgMXKbEq4pWA3Ti/view?usp=sharing

         

                  Dealing with false positives of the call stack anomaly detection

                  Find methods to reduce false positives, connect with other methodologies and detections

                  How to Reduce False Positives

          The knowledge of injection source helps to reduce false positives.

          Sensors: file system mini-filter callbacks, user mode or hypervisor assisted hooking.

          Validation: whitelisted services or behavior models.

    Enhance anti-ransomware defense with ML

    Gather all types of injections routinely.

    Develop the model training infrastructure.

    Start with simple models like Random Forest.

    Update your model regularly.

    Automate the data annotation process.

    Apply ML to behavior analysis.

  • Original article: https://www.cnblogs.com/bonelee/p/16404106.html