![Page 1: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/1.jpg)
04/15/2023 1
The Similarity Evidence Explorer for Malware
A SCALABLE VISUALIZATION FOR COMPARING MALWARE ATTRIBUTES
Robert Gove
Senior Research Engineer, Invincea Labs | Fairfax, VA
![Page 2: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/2.jpg)
Meet the Presenter
Robert Gove is a Senior Research Engineer at Invincea Labs. He is a data visualization expert who has recently worked on Cynomix, a web-based community malware triage tool. He has several years of experience designing and implementing novel visualizations to support analysts in answering complicated questions. Robert has a Master of Science in Computer Science from The University of Maryland where his thesis was on evaluating visualization tools for citation network exploration.
![Page 3: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/3.jpg)
Malware Analysis Use Case
SITUATION: Major corporation hacked
• Stack of malware to analyze
• Need to compare to other malware
![Page 4: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/4.jpg)
Scale Is Overwhelming
![Page 5: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/5.jpg)
Need to Compare Malware
Attributes shown on the slide for the focal sample and three of the comparison samples (each list is truncated on the slide):

comparison 1: %s Connected!, /fetch.py, \cmd.exe, __getmainargs, _controlfp, add “HKCU”, advapi32.dll, AllocConsole, Analog, CloseHandle, cmd.exe, CreatePipe, DeleteFileA, FileSize, InternetConnect, InternetOpen, InternetOpenUrl, kernel32.dll, read failed, lstrlenA, ...
focal sample: %s Connected!, /fetch.py, \cmd.exe, __getmainargs, _controlfp, Accept:*/*, add “HKCU”, advapi32.dll, Analog, CloseHandle, cmd.exe, CreatePipe, DeleteFileA, FileSize, InternetConnect, InternetOpen, InternetOpenUrl, kernel32.dll, read failed, lstrcatA, ...
comparison 2: /install, __getmainargs, __p__commode, _controlfp, _strnicmp, add “HKCU”, advapi32, Analog, cd-rom, check service, CloseServiceHandle, cmdpath=, CopyPathA, DeleteFileA, Install service, HTTPQueryInfo, InternetOpen, InternetOpenUrl, read failed, lstrcatA, ...
comparison n: /install, __getmainargs, __p__fmode, _initterm, _strcmpi, Accept:*/*, add “HKCU”, advapi32, tcp, cmdpath=, CopyFileA, FileSize, Install service, HTTPQueryInfo, InternetOpen, InternetOpenUrl, read failure, lstrcatA, msvcrt.dll, net start, ...
…
![Page 6: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/6.jpg)
Existing Malware Viz Tools
compare system calls: [Trinius et al., 2009] [Saxe et al., 2012]
individual malware: [Conti et al., 2008] [Quist and Liebrock, 2009] [Domas, 2012]
![Page 7: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/7.jpg)
Similarity Evidence Explorer for Malware
![Page 8: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/8.jpg)
Similarity Histogram
overview of similarity with focal sample
![Page 9: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/9.jpg)
Venn Diagram List
![Page 10: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/10.jpg)
Relationship Matrix
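All three views (histogram, Venn diagram list, relationship matrix) rest on the same underlying quantity: how much of the focal sample's attribute set each comparison sample shares. The following Python is an added worked example, not code from SEEM or Cynomix. It takes the attribute tokens visible on the "Need to Compare Malware" slide (each list there is truncated, so these are partial sets), normalizes DLL names so that `advapi32` and `advapi32.dll` compare equal, scores each comparison by the mean Jaccard index across strings, DLLs and function calls, and produces the data behind a similarity histogram, a per-attribute Venn split, and a pairwise relationship matrix. The assignment of tokens to the three attribute types, the equal weighting of the types, and the ten-bin histogram are assumptions made here.

```python
"""Set-based similarity over malware attributes.

Added example; not SEEM or Cynomix code. Tokens are transcribed from the
"Need to Compare Malware" slide. Every list on that slide ends in "...", so
these sets are partial. Assigning each token to strings / dlls / calls is an
assumption made here; the slide shows one mixed list per sample.
"""
from itertools import product

KINDS = ("strings", "dlls", "calls")

ATTRIBUTES = {
    "focal sample": {
        "strings": {"%s Connected!", "/fetch.py", "\\cmd.exe", "Accept:*/*",
                    'add "HKCU"', "Analog", "cmd.exe", "read failed"},
        "dlls": {"advapi32.dll", "kernel32.dll"},
        "calls": {"__getmainargs", "_controlfp", "CloseHandle", "CreatePipe",
                  "DeleteFileA", "FileSize", "InternetConnect", "InternetOpen",
                  "InternetOpenUrl", "lstrcatA"},
    },
    "comparison 1": {
        "strings": {"%s Connected!", "/fetch.py", "\\cmd.exe", 'add "HKCU"',
                    "Analog", "cmd.exe", "read failed"},
        "dlls": {"advapi32.dll", "kernel32.dll"},
        "calls": {"__getmainargs", "_controlfp", "AllocConsole", "CloseHandle",
                  "CreatePipe", "DeleteFileA", "FileSize", "InternetConnect",
                  "InternetOpen", "InternetOpenUrl", "lstrlenA"},
    },
    "comparison 2": {
        "strings": {"/install", 'add "HKCU"', "Analog", "cd-rom", "check service",
                    "cmdpath=", "Install service", "read failed"},
        "dlls": {"advapi32"},
        "calls": {"__getmainargs", "__p__commode", "_controlfp", "_strnicmp",
                  "CloseServiceHandle", "CopyPathA", "DeleteFileA",
                  "HTTPQueryInfo", "InternetOpen", "InternetOpenUrl", "lstrcatA"},
    },
    "comparison n": {
        "strings": {"/install", "Accept:*/*", 'add "HKCU"', "tcp", "cmdpath=",
                    "Install service", "read failure", "net start"},
        "dlls": {"advapi32", "msvcrt.dll"},
        "calls": {"__getmainargs", "__p__fmode", "_initterm", "_strcmpi",
                  "CopyFileA", "FileSize", "HTTPQueryInfo", "InternetOpen",
                  "InternetOpenUrl", "lstrcatA"},
    },
}


def normalize(kind, token):
    """Canonicalise a token so trivially different spellings compare equal.
    DLL names are lower-cased and lose a trailing '.dll' (the slide lists both
    'advapi32.dll' and 'advapi32'). Other tokens stay verbatim: case matters
    for API names such as CopyFileA vs CopyFileW."""
    if kind == "dlls":
        token = token.lower()
        if token.endswith(".dll"):
            token = token[:-4]
    return token


def normalized(sample):
    return {k: {normalize(k, t) for t in sample[k]} for k in KINDS}


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def similarity(x, y):
    """Mean Jaccard across attribute kinds (assumed equal weighting), so a
    large string set cannot swamp the much smaller DLL set."""
    nx, ny = normalized(x), normalized(y)
    return sum(jaccard(nx[k], ny[k]) for k in KINDS) / len(KINDS)


def venn(focal, other, kind):
    """The three regions of a two-set Venn diagram for one attribute kind:
    (focal only, shared, other only), each sorted for stable display."""
    a, b = normalized(focal)[kind], normalized(other)[kind]
    return sorted(a - b), sorted(a & b), sorted(b - a)


def similarity_histogram(focal_name, attrs, bins=10):
    """Count comparison samples per equal-width similarity bucket over [0, 1];
    a score of exactly 1.0 is clamped into the top bucket."""
    counts = [0] * bins
    focal = attrs[focal_name]
    for name, sample in attrs.items():
        if name == focal_name:
            continue
        counts[min(int(similarity(focal, sample) * bins), bins - 1)] += 1
    return counts


def relationship_matrix(attrs):
    """Pairwise similarity between every sample, including the focal one."""
    return {(a, b): similarity(attrs[a], attrs[b])
            for a, b in product(attrs, repeat=2)}


if __name__ == "__main__":
    focal = ATTRIBUTES["focal sample"]
    for name in ("comparison 1", "comparison 2", "comparison n"):
        print(f"{name}: {similarity(focal, ATTRIBUTES[name]):.3f}")
    print("histogram:", similarity_histogram("focal sample", ATTRIBUTES))
    print("calls Venn vs comparison 1:", venn(focal, ATTRIBUTES["comparison 1"], "calls"))
```

Two things to note when reusing this on real extractions: the DLL normalization is what keeps `comparison 2` from scoring zero on DLLs purely because the extractor dropped the `.dll` suffix, and near-miss strings such as `read failed` versus `read failure` still count as different, which is the correct behaviour for exact set overlap but is worth remembering when a histogram bucket looks unexpectedly low.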
![Page 11: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/11.jpg)
SEEM Demo
[ DEMO ]
try it yourself: www.cynomix.org
![Page 12: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/12.jpg)
SEEM Conclusion
• Large-scale malware comparison
  – Comparison overviews with histograms
  – Detailed visualizations of comparisons
• Compare a large group of malware across sets of strings, DLLs, and function calls
Interested? www.cynomix.org
[email protected]
Supported by DARPA award FA8750-10-C-0169 as part of Cyber Genome
![Page 13: Webcast: The Similarity Evidence Explorer For Malware](https://reader030.vdocuments.site/reader030/viewer/2022032618/55ba4633bb61eb6b438b464e/html5/thumbnails/13.jpg)
Questions?
@Invincea
@InvinceaLabs
@rpgove
Learn more about Invincea’s solutions or visit our website at www.invincea.com
Contact us at 1-855-511-5967