BSidesSF 2016 has ended
Back To Schedule
Monday, February 29 • 5:30pm - 5:55pm
Advanced techniques for real-time detection of polymorphic malware

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

In this Session, we will introduce the audience to various techniques that are used in the identification and classification of polymorphic malware. By definition, polymorphic malware easily evades traditional signature based detection methods. Approximation Matching algorithms such as ssdeep have had much greater success in detecting polymorphic files. The ssdeep hash is one of the more popular attributes that is computed for a file by a number of sites such as VirusTotal, Malwr and Anubis. Newer algorithms using bloom filters have also shown great promise in detecting polymorphic malware. This session gives an overview of these various algorithms and compares their efficiency and performance.While ssdeep is a good tool for comparing two known files, it becomes computationally expensive when a new file (and its ssdeep hash) is to be compared with a large database of existing ssdeep hashes to determine the closest match. In this session, we enumerate a class of techniques which reduce the lookup time significantly and allow for fast detection of similar files. These techniques are then extended to the classification of polymorphic malware and we show the efficacy of these techniques with real data collected from the field. We then analyze the performance of these algorithms both from a speed as well as their success rate.


Ajit Thyagarajan

Ajit Thyagarajan is an independent Security Researcher. Until recently, he multiple Director positions at Fidelis Cybersecurity. His area of research is new techniques for the detection of malware using network tools. Prior to Fidelis, he was heavily involved in with Internet Protocols... Read More →

Monday February 29, 2016 5:30pm - 5:55pm PST
DNA Lounge 375 11th St, San Francisco, CA 94103