Welcome to the 2nd part of this Blog series. Here’s the link to Part 1.

100% accuracy in detecting Malware by our own Classifier

Capturing System Calls: The Heart of Our Methodology

Think of system call as a program’s special request to the computer’s operating system (user mode to kernel mode). To monitor and display the interaction between a process and the kernel, we can use system diagnostic tools like strace, and NtTrace.

NtTrace is like spyglass that lets us zoom in on the critical spots in Ntdll, a vital part of the Windows operating system, which allow us to set up ‘breakpoints’ around the Windows system calls — think of these as hidden surveillance cameras monitoring the kernel’s interactions.

Now, what happens when these system calls activate one of our carefully placed breakpoints? That’s when our tool, playing the role of a vigilant security officer, steps in. It quickly takes note of the arguments — the specific instructions — that were passed along and returned during that interaction. here’s how it look likes when we run strace (For Linux):

This is how system calls are look like when we run a command

In this process, strace is employed to execute the common command ‘pwd’. strace’s role is to act as an interceptor and recorder for all system calls instigated by the ‘pwd’ command. Following the execution, the intercepted system calls and signals are then reported back and displayed on the console upon the command’s completion.

If we take a closer look at the diagram above, the first point to note is that each individual line in the output corresponds to one specific system call made by the command. Taking our ‘pwd’ command as an example, the initial line indicates that the ‘execve’ system call is invoked at the command’s commencement. The ‘execve’ system call is essentially the kernel’s way of launching a new program, specifically, the program that is pointed to by the first argument.

Progressing further, the diagram reveals that strace also meticulously lists the precise arguments involved in each system call. In the context of our ‘pwd’ command, the ‘execve’ system call executes the binary situated at the path ‘/usr/bin/pwd’ and submits ‘pwd’ as its principal argument.

As we delve deeper into the output, we can journey line by line to scrutinize the command’s behavior and actions at each stage. Each system call — be it ‘read’, ‘write’, ‘connect’, and so forth — tells its own unique story about the operations performed by the command.

Segregating System Calls: Preparing Data for Analysis

Upon capturing raw data for both malware and legitimate application system calls, it’s essential to segregate and store them separately for future analysis, as shown below images:

Dissecting System Calls: The Key to Unlock Malware Secrets

Now, let’s turn our attention to examining the structure of a system call. Think of it as opening a book to understand its content. We’ll open one of the captured files and take a peek into its anatomy.

As you will see from the image below, every system call carries a unique identity. It has a distinctive name, and it comes with a set of arguments and a return value.

Those system calls can be any of the followings as shown below image which offers us vital clues about what the system call is, what it does, and how it works. It’s like unlocking the secret language of your computer’s operating system.:

As we venture forward in this exploration, our focus will narrow down to system call names and their corresponding sequences and frequencies. This is where machine learning enters the picture, transforming complex data into digestible insights.

To do this, I’ve harnessed the power of regular expressions, an invaluable tool in parsing textual data. It helps us sift through the plethora of system calls and identify the ones that are significant to our analysis.

Below, you can view an image that visually represents how regular expressions enable this process, simplifying the extraction of crucial information from the vast sea of system calls. Remember, despite the technicality of the process, it’s like sorting through a mixed bag of items to pick out the ones we need.

Count of each system call of one program

In the next part of this Blog, we will train our dataset and test them against our own classifier. Then we will predict the result of our work…

In the vast digital seas of our interconnected world, we continually face a storm of cybersecurity threats, notably the ever-evolving danger of malware. As these invisible threats grow more sophisticated, the need for stalwart defenses has become increasingly crucial.

Despite our most advanced antivirus software, the task of defending against this wave of malware remains an arduous and uphill battle. For professionals in cybersecurity, and particularly those working as Malware Analysts, their daily challenge is to identify, scrutinize, and understand the many forms of malware infiltrating our digital domains. This typically involves labor-intensive, manual processes using specialized tools such as IDA Pro, WinDbg, and OllyDbg, which can be time-consuming.

Faced with this relentless digital onslaught, how do we fortify our defenses and secure our virtual infrastructure? The answer lies in the extraordinary capabilities of machine learning.

Machine Learning: A Game-Changer in Malware Detection

In the intricate and unpredictable sphere of cybersecurity, numerous challenges lie in wait. However, amid these trials, one pioneering approach has emerged, showing considerable promise and potential for future applications: machine learning.

Rather than the conventional approach of painstakingly establishing a manual set of rules for malware detection, machine learning offers an intriguing alternative. This innovative methodology allows us to train a machine utilizing highly sophisticated algorithms.

In machine learning, algorithms act as decision-making guideposts. They operate by learning from previous experiences, or in this case, from pre-existing data. The machine is meticulously trained on a vast set of diverse and complex data, allowing it to learn, adapt, and make precise predictions on new, unseen data.

In the context of cybersecurity, the utility of this technique is exceptional. A machine learning-based system is capable of analyzing millions of system call characteristics in real time. The scale of this analysis far exceeds what human analysts could achieve, particularly given the speed and accuracy required.

Most notably, machine learning methods are not only confined to identifying known malware, but also they are equally proficient at determining whether a file is malicious or benign, even when encountering novel, previously unseen forms of malware.

Just as our immune system works tirelessly to identify and neutralize foreign invaders in our bodies, machine learning can act as an immune system for our digital environments, identifying and mitigating the threat of malware. Today, we’ll embark on a journey to explore the integration of machine learning and malware detection. Our primary aim is to guide anyone new to the field through this intriguing landscape.

The Essentials for performing Malware Analysis

To kick things off, it’s paramount that we equip ourselves with the right set of skills and tools needed for malware analysis. We will be relying on below libraries and languages.

You must have basic knowledge and understanding of System calls and different machine learning classifier.
These include NumPy for array processing.
Pandas for data manipulation, and a machine learning algorithm to classify the dataset.
For visualizations, we will use the Seaborn library.
DataFrames for data manipulation.
The project will be developed and presented in Jupyter Notebook and will utilize Vim as the text editor.
To match patterns, we will be leveraging Regular Expressions, and Python will serve as our coding language.

Establishing a Safe Environment for Malware Analysis

Once above mentioned prerequires are in place, you’ll need to set up a secure testing environment for your malware. You can download and install the Linux system and Windows Virtual Machine on Oracle VM VirtualBox to run the Malware for testing purpose.

To begin with our malware analysis, it is crucial to build an isolated, controlled, and secure environment, often referred to as a ‘“lab”. In this context, “isolation” is key. The lab should be completely separated from your regular work environment to avoid any potential collateral damage. This isolation is established through a sandbox or virtual system, ensuring it employs Network Address Translation (NAT) and has no shared folders or USB connections. It’s also pivotal to keep all systems updated with the latest security patches.

Collection and Verification of Malware Samples and Legitimate Applications

Our next step involves collecting malware samples from various repositories. We understand that navigating the complex world of cyber threats requires access to tangible examples and real-world scenarios. To this end, we’ve included below images in our article that lists the various sites we utilized to download malware samples for our work.

These samples serve as the fodder for our machine-learning model, allowing it to learn and adapt. To ensure that these files are indeed malware, they can be uploaded to Virus Total or similar platforms for verification as shown in the image below.

Regarding legitimate application samples, it can be downloaded directly from Microsoft’s official website or sourced from pre-installed Windows apps.

In the next part of this Blog, we will capture the system calls of the Malwares as well as legitimate applications, then, segregate them to train and test data set, after that, fine-tune them for our own machine learning classifier.

Tag Archives: Analysis

System Call Analysis in the Age of AI : Revolutionizing Malware Detection with our own Machine Learning Classifier — Part 2