Malware Classification With Machine Learning Enhanced by Windows Kernel Emulation presented at Black Hat USA 2022

by Dmitrijs Trizna

Summary: This session will present a hybrid machine learning architecture that simultaneously utilizes static and dynamic malware analysis methodologies. For dynamic analysis we employ the Windows kernel emulator published by Mandiant and process the emulation reports with a 1D convolutional neural network; static analysis, in contrast, is based on the state-of-the-art ensemble model publicly released by Endgame. The resulting hybrid model surpasses the capabilities of modern AI classifiers. We use threat intelligence data consisting of in-the-wild telemetry from 100k samples and record a detection rate of 96.70% at a fixed false positive rate of 0.1%. Additionally, we will show that contextual telemetry from a system, such as an executable's file path, can further increase detection rates. Finally, unaffiliated with any organization, we open-source our hybrid model with a convenient scikit-learn-like API for public use.
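As an added illustration (not code from the talk or its released model), the following computes the kind of figure quoted above, detection rate at a fixed false-positive rate, for a static model, a dynamic model and a late-fused hybrid of the two. The weighted-average fusion rule and every score value are constructed assumptions; the point is that the threshold is fixed on benign scores alone and the detection rate is then read off the malicious ones.

```python
"""Detection rate at a fixed false-positive rate (FPR) for a hybrid static +
dynamic malware classifier.  Added example, not the talk's released model."""
import math


def fuse_scores(static_scores, dynamic_scores, w_static=0.5):
    """Late fusion of per-sample maliciousness scores in [0, 1].
    Assumption: a weighted average of the static (ensemble) score and the
    dynamic (emulation-report CNN) score; the talk does not state its rule."""
    return [w_static * s + (1.0 - w_static) * d
            for s, d in zip(static_scores, dynamic_scores)]


def threshold_at_fpr(benign_scores, target_fpr):
    """Smallest decision threshold whose FPR on benign samples is <= target_fpr.
    Derived from benign scores only, so the detection rate measured afterwards
    on malicious samples is not tuned on them.  Flag when score >= threshold."""
    benign = sorted(benign_scores)
    allowed_fp = int(math.floor(target_fpr * len(benign)))  # tolerable FPs
    # Flag everything strictly above the (allowed_fp + 1)-th highest benign
    # score; nextafter keeps ties at that boundary on the benign side.
    return math.nextafter(benign[len(benign) - allowed_fp - 1], math.inf)


def evaluate_at_fpr(benign_scores, malicious_scores, target_fpr=0.001):
    """Return threshold, realised FPR and detection rate (TPR) at target_fpr."""
    t = threshold_at_fpr(benign_scores, target_fpr)
    fpr = sum(s >= t for s in benign_scores) / len(benign_scores)
    tpr = sum(s >= t for s in malicious_scores) / len(malicious_scores)
    return {"threshold": t, "fpr": fpr, "detection_rate": tpr}


# Constructed scores (not real telemetry): 2000 benign, 100 malicious.
# Two benign files score high on both models (hard false positives).
BENIGN_STATIC = [0.4 * k / 1997 for k in range(1998)] + [0.9, 0.9]
BENIGN_DYNAMIC = [0.6 * k / 1997 for k in range(1998)] + [0.9, 1.0]
# Malicious: 87 plain, 6 packed (evade static), 4 anti-emulation (evade
# dynamic analysis), 3 that evade both.
MAL_STATIC = [0.9] * 87 + [0.2] * 6 + [0.95] * 4 + [0.3] * 3
MAL_DYNAMIC = [0.9] * 87 + [0.95] * 6 + [0.15] * 4 + [0.3] * 3

RESULTS = {
    "static": evaluate_at_fpr(BENIGN_STATIC, MAL_STATIC),
    "dynamic": evaluate_at_fpr(BENIGN_DYNAMIC, MAL_DYNAMIC),
    "hybrid": evaluate_at_fpr(fuse_scores(BENIGN_STATIC, BENIGN_DYNAMIC),
                              fuse_scores(MAL_STATIC, MAL_DYNAMIC)),
}

if __name__ == "__main__":
    for name, r in RESULTS.items():
        print(f"{name:8s} FPR={r['fpr']:.3%}  detection={r['detection_rate']:.1%}")
```

On these constructed scores each single model reaches 0.1% FPR but misses the samples built to evade it, while the fused score recovers both groups and only the three samples that evade both analyses are missed.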