{"id":6463,"date":"2019-04-30T15:53:11","date_gmt":"2019-04-30T22:53:11","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=6463"},"modified":"2019-04-30T15:53:11","modified_gmt":"2019-04-30T22:53:11","slug":"using-deep-learning-for-information-security-part-2","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2019\/04\/30\/using-deep-learning-for-information-security-part-2\/","title":{"rendered":"Using Deep Learning for Information Security – Part 2"},"content":{"rendered":"

Authors: Santosh Kosgi, Mohammad Waseem, Arunabha Choudhury, and Satnam Singh<\/span><\/p>\n

Deep Learning-based methods have been successfully applied to various computer vision and NLP based problems recently [1]. AI researchers have achieved statistically significant improvements in pushing the benchmarks for state of the art algorithms in object detection, language translation, and sentiment analysis. However, the application of Deep Learning in Information Security (InfoSec) is still in its nascent stages. We introduced deep learning and its applications for InfoSec<\/a> in our article [2]; this blog is a continuation of this topic. Malware detection<\/a> and network intrusion detection are two such areas where deep learning has shown significant improvements over the rule-based and classic machine learning-based solutions [3]. Specifically, we demonstrate the power of deep neural networks using Tensorflow, Keras to detect obfuscated PowerShell scripts. <\/span>
\nPowerShell is a task automation and configuration management framework consisting of a robust command line shell. It was made open sourced and cross-platform compatible by Microsoft since August 2016. PowerShell has been heavily exploited tool in various cyber attacks scenarios. According to a research study by Symantec, nearly 95.4% of all scripts analyzed by Symantec Blue Coat Sandbox were malicious[4]. The Odinaff hacker group leveraged malicious PowerShell scripts as part of its attacks on banks and other financial institutions [5]. One can find many tools like PowerShell Empire[6] and PowerSploit[7] on the internet that can be used for reconnaissance, privilege escalation, lateral movement, persistence, defense evasion, and exfiltration. The adversaries typically use two techniques to evade detection: First, by running fileless malware, they load malicious scripts downloaded from the internet directly into memory, thereby evading Antivirus (AV) file scanning. Secondly, they use obfuscation to make their code challenging to decode, thus making it more difficult for AV or analyst to figure out the intent of the script. Obfuscation of PowerShell scripts for malicious intent is on the rise and task of analyzing them are made even more difficult due to the high flexibility of its syntax. <\/span>In Acalvio high interaction decoys, we can monitor PowerShell logs, commands, and scripts that the attacker tried to execute in the decoy. We collect these logs and analyze them in real time and detect whether the script is obfuscated or not.<\/span>
\nProblem:<\/b>
\nFor a Windows operating system, Microsoft PowerShell is an ideal candidate for the attackerb\u0000\u0019s tool. Firstly, it is installed by default in Windows and secondly, attackers are better off using existing tools that allow them to blend well and possibly evade Antivirus (AV). Since PowerShell 3.0 Microsoft has enhanced PowerShell logging considerably. If Script Block Logging is enabled, then one can capture commands and scripts executed through PowerShell in the event logs. These logs can be analyzed to detect and block malicious scripts. Obfuscation is typically used to evade detection. Daniel and Holmes address this problem of detecting obfuscated scripts in their Blackhat paper [8]. They used Logistic Regression classifier with Gradient Descent method to achieve a reasonable classification accuracy to separate the obfuscated script from clean scripts. However, using a deep feed-forward neural network (FNN) may enhance other performance metrics such as precision and recall. Hence in this blog, we decided to use the deep neural network and compared the performance metrics with different machine learning (ML) classifiers.<\/span>
\nDataset<\/b>
\nWe use the PowerShellCorpus dataset published and open sourced by Daniel [9] for our data experiments. The dataset consists of around ~300k PowerShell scripts scraped from various sources on the internet like Github, PowerShell Gallery, and Technet. Apart from this we also scraped PowerShell scripts from Poshcode [10] and added to the corpus. Finally, we had nearly 3 GB of script data consisting of 300K clean scripts. We have used Invoke-Obfuscation [11] tool to obfuscate the scripts. Once we have obfuscated all scripts using this tool, we have a labeled data set consisting of class label as clean or obfuscated script.<\/span>
\nData Experiments:<\/b>
\nAll the activities performed by an attacker in a high interaction decoy are malicious. However, obfuscation detection asserts the presence of an advanced attacker. Here is a simple PowerShell command to get a list of processes:<\/span>
\nGet-Process| Where($_.Handles -gt 600}| sort Handles| Format – Table<\/span>
\nThis command may be obfuscated as:<\/span>
\n(((b\u0000\u001c{2}{9}{12}{0}{3}{10}{13}{4}{18}{8}{17}{11}{5}{16}{1}{15}{14}{7}{19}{6}”-f’-P’,’es’,’G’,’rocess8Dy Whe’,’ {‘,’S’,’le’,’-Ta’,’-gt’,’e’,’r’,’y ‘,’t’,’e’,’t’,’ 8Dy Forma’,’ort Handl’,’ 600} 8D’,’RYl_.Handles ‘,’b’)) B -crePLACE’8Dy’,[cHar]124-crePLACE’RYl’,[cHar]36) | IEx<\/span>
\nThis looks suspicious and noisy. Here is another example of a subtle obfuscation for the same command:<\/span>
\n&(b\u0000\u001c{1}{2}{0}”-f ‘s’,’G’,’et-Proces’)| &(“{1}{0}”-f’here’,’W’) {$_.Handles -gt 600} | &(“{1}{0}” -f’ort’,’S’) Handles | .(“{1}{0}{2}”-f ‘-‘,’Format’,’Table’)<\/span>
\nThis obfuscation makes it hard to detect the intent of PowerShell command\/script. Most of the malicious PowerShell scripts in the wild have these kinds of subtle variations that help them to evade AVs easily. Practically, it is nearly impossible for a security analyst to review every PowerShell script to determine whether it is obfuscated or not. Therefore, automating the obfuscation detection is required. One can use a rule-based approach for obfuscation detection; however, it may not detect a lot of obfuscation types, and a large number of rules needs to be manually written by a domain expert. Therefore, a machine learning\/deep learning-based solution is an ideal solution for this problem.<\/span>
\nTypically, the first step of machine learning is data cleanup and preprocessing. For the obfuscation detection dataset, the data preprocessing is done to remove Unicode characters from a script. <\/span>
\nObfuscated scripts look different from normal scripts, some combination of characters used in obfuscated scripts are not used in normal scripts. So, we use character level representation for all PowerShell scripts instead of word-based representation. Another reason being, in case of PowerShell scripting, sophisticated obfuscation can sometimes completely blur the boundary between words\/tokens\/identifiers, rendering it useless for any word-based tokenization. Character-based tokenization is also used by security researchers to detect PowerShell obfuscated scripts. Lee Holmes from Microsoft had explored character frequency-based representation and cosine similarity to detect obfuscated scripts in his blog [12]. B There are multiple ways in which characters can be vectorized. One hot encoding of characters represents every character by a bit, and the bit is set to 0 or 1 depending upon whether that character is present in the script or not. The classifiers trained with a single character one hot encoding performs well. However, this can be improved by capturing the sequence of characters. For example: command like <\/span>New-Object <\/span><\/i>may be obfuscated as <\/span>(‘Ne’+’w-‘+’Objec’+’t’)<\/span><\/i>. The character plus (+) operator is common for any PowerShell script. However, plus (+) followed by a single (b\u0000\u0018) or double quote (b\u0000\u001c) may not be as common. Therefore, we use tf-idf character bigrams to represent as the features input to the classifiers. <\/span>
\nHere are 20 bigrams with top tf-idf score from the training dataset:<\/span>
\nClean script<\/span><\/span>
\n[‘er’, ‘te’, ‘in’, ‘at’, ‘re’, ‘pa’, ‘st’, ‘on’, ‘me’, ‘en’, ‘ti’, ‘le’, ‘th’, ‘am’, ‘nt’, ‘es’, ‘se’, ‘or’, ‘ro’, ‘co’]<\/span>
\n
\n<\/span>Obfuscated script<\/span><\/span>
\n[“‘+”, “+'”, ‘}{‘, “,'”, “‘,”, ‘er’, ‘te’, ‘in’, ‘re’, ‘me’, ‘st’, ‘et’, ‘se’, ‘ar’, ‘on’, ‘at’, ‘ti’, ‘am’, ‘es’, ‘{1’]<\/span>
\nEach script is represented using the character bigrams. We process all these features using deep Feed Forward Neural Network (FFN) with N hidden layers using Keras and Tensorflow.<\/span>
\n\"\"<\/p>\n

Figure 1: Obfuscation Detection data flow diagram using deep <\/span>FFN<\/span><\/p>\n

The data flow diagram as shown in Figure 1 shows the training and prediction flow for obfuscation detection. We have varied the value of hidden layers in the deep FNN and found N=6 to be optimal. For activation, RELU is used for all the hidden layers. Each layer of Hidden layer is dense in nature of dimension 1000 and used a dropout rate of 0.5. For the last layer, sigmoid is used as an activation function. Figure 2 shows the deep <\/span>FFN network representation for obfuscation detection<\/span>.<\/span><\/p>\n

\"\"Figure 2: FFN Network Representation for Obfuscation Detection<\/span><\/p>\n

We see a validation accuracy of nearly 92% that indicates that the model has generalized well outside the training set. Next, we test our model on the test set. We see accuracy of 93% with 0.99 recall for obfuscated class. Figure 2 shows the classification accuracy and classification loss plots for training and validation data for each epoch.<\/span><\/p>\n

\"\"\"\"<\/span><\/p>\n

Figure 2: Classification Accuracy and Loss plots for Training and Validation Phase<\/span><\/p>\n

Table 1 shows the results of deep FNN as compared to other ML models. Performance metrics precision and recall are used to measure the efficacy of the various models. <\/span><\/p>\n

Table 1: Output of ML Models for Obfuscation Detection.<\/span><\/p>\n\n\n\n\n\n\n
Classifier Used<\/b><\/td>\nPrecision<\/b><\/td>\nRecall<\/b><\/td>\n<\/tr>\n
Random Forest<\/span><\/td>\n0.92<\/span><\/td>\n0.97<\/span><\/td>\n<\/tr>\n
Logistic Regression<\/span><\/td>\n0.91<\/span><\/td>\n0.87<\/span><\/td>\n<\/tr>\n
Deep Feed-forward Neural Network (FNN)<\/span><\/td>\n0.89<\/span><\/td>\n0.99<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Our objective is to detect most of the obfuscated scripts as the obfuscated script, i.e. we would like to minimize the false negative rate for the obfuscated class. The Recall seems to be the appropriate measure in this case. Table 1 shows that the deep FNN model achieves more recall as compared to other classifiers. The dataset used in our experiments is of medium scale, in the wild, the datasets are typically quite big, and deep FNN performs even better as compared to the other ML classifiers.<\/span>
\nConclusion:<\/b>
\nPowerShell obfuscation is a smart way to bypass existing antivirus and hide the attackb\u0000\u0019s intent; a technique which is used by many adversaries. In this blog, we demonstrated the power of deep learning combined with Acalviob\u0000\u0019s deception [13] technology to detect obfuscated PowerShell scripts in a high interaction decoy. Acalviob\u0000\u0019s Shadowplex<\/a> [14], an autonomous deception platform provides an ability to engage with the adversary, understand his intent, tools and monitor all of his activities. In our next blog of this series, we will share some more use cases where AI and deception can be leveraged for information security.<\/span>
\nReferences:<\/span>
\n[1] b\u0000\u001c<\/span>Deep Learning<\/span><\/a>,b\u0000\u001d Ian Goodfellow, Yoshua Bengio, Aaron Courville; pp 196, MIT Press, 2016.<\/span>
\n[2] b\u0000\u001c<\/span>Using Deep Learning for Information Security – Part 1<\/span><\/a>,b\u0000\u001d Acalvio Blog, 2018.<\/span>
\n[3] B “Malware detection using machine learning,” B DragoE\u001f GavriluE#, Mihai CimpoeE\u001fu, Dan Anton, Liviu Ciortuz; International Multiconference on Computer Science and Information Technology, Mragowo, 2009<\/span>
\n[4] b\u0000\u001c<\/span>The increased use of Powershell in attacks<\/span><\/a>,b\u0000\u001d Symantec, 2016<\/span>
\n[5] b\u0000\u001c<\/span>Odinaff: New Trojan used in financial attacks<\/span><\/a>,b\u0000\u001d Symantec Security Response, Oct 2016<\/span>
\n[6] b\u0000\u001c<\/span>Empire<\/span><\/a>,b\u0000\u001d Will Schroeder, Justin Warner, Matt Nelson, Steve Borosh, Alex Rymdeko-harvey, Chris Ross; 2017<\/span>
\n[7] b\u0000\u001c<\/span>PowerSploit<\/span><\/a>,b\u0000\u001d Matthew Graeber; 2012 B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B B <\/span>
\n[8] b\u0000\u001c<\/span>Revoke-Obfuscation<\/span><\/a>,b\u0000\u001d Daniel Bohannan, Lee Holmes; 2017<\/span>
\n[9] b\u0000\u001c<\/span>PowerShell Corpus<\/span><\/a>b\u0000\u001d <\/span>
\n[10] b\u0000\u001c<\/span>PoshCode<\/span><\/a> – PowerShell Projects for Power Users.b\u0000\u001d <\/span>
\n[11] b\u0000\u001c<\/span>Invoke-Obfuscation<\/span><\/a>,b\u0000\u001d Daniel Bohannan; 2017<\/span>
\n[12] b\u0000\u001d<\/span>More Detecting Obfuscated PowerShell<\/span><\/a>,b\u0000\u001d Lee Holmes; 2016<\/span>
\n[13] <\/span>The Definitive Guide to Deception<\/span><\/a>, Acalvio Technologies.<\/span>
\n[14] <\/span>ShadowPlex<\/span><\/a>, Acalvio Technologies.<\/span><\/p>\n

<\/div>\n","protected":false},"excerpt":{"rendered":"

Authors: Santosh Kosgi, Mohammad Waseem, Arunabha Choudhury, and Satnam Singh Deep Learning-based methods have been successfully applied to various computer vision and NLP based problems recently [1]. AI researchers have achieved statistically significant improvements in pushing the benchmarks for state of the art algorithms in object detection, language translation, and sentiment analysis. However, the application […]<\/p>\n","protected":false},"author":2,"featured_media":6467,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[87,117,126,129],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6463"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=6463"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/6467"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=6463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=6463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=6463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}