
Best Practices For Simulating Execution in Malicious Text Detection

Date

August 26, 2022

Time

11:00

Track

CommSec Track

Static detection is the oldest text detection method, and it has remained in wide use since its introduction. In practice, however, the effectiveness of static detection depends on how text features are extracted, and the dimensionality of those features directly determines the false positive and false negative rates. Mainstream static detection methods are fast, highly general (across platforms, versions, languages, and so on), and cheap to implement (in theory, as long as a malicious sample exists, a rule can be written to cover it). However, because they lack lexical and grammatical constraints they are more prone to false positives, and because they offer no adversarial resistance or technical barrier they have difficulty detecting packed, encrypted, and obfuscated samples and cannot form a differentiated advantage.

When the static features of malicious text can be extracted accurately enough, detection is easy. Attackers, however, usually use code obfuscation (packing, encoding, encryption) to hinder feature extraction, so it becomes necessary to run the text dynamically and expose all of its features for detection. Dynamic detection is technically demanding, but it can implement more advanced and complex detection techniques. At the same time, because the code is actually executed, the malicious code must conform to lexical and syntactic constraints, so false positives are extremely low without forced intervention. However, since real execution requires simulating and custom-building the entire operating environment, it suffers from high cost, low detection efficiency, and poor compatibility. When version fragmentation is encountered, adapting the sandbox to each version is also tedious. The sandbox approach also introduces new adversarial problems, such as branch evasion, time-based evasion, network-based evasion, and so on.

During this presentation, the audience will hear the following:

  • Cloud intrusion attack techniques and advanced exploitation techniques.
  • The dilemma of traditional detection schemes (static matching, dynamic sandbox) in malicious text detection.
  • Implementing malicious text detection with simulated execution.
  • How to use the external ecosystem to raise the detection baseline.

Speakers

Cloud Security Engineer

Alibaba Cloud

I am responsible for building CWPP security capabilities and helping cloud tenants deal with external attacks. I am good at cloud security, host security, data analysis, malicious text detection and other fields. I have spoken at security conferences such as XCon.

Security R&D Engineer

Alibaba Cloud

Yi Sun is a security R&D engineer with 12 years of experience. He is now a security researcher at Alibaba Cloud. His main job is to design and develop the detection engine, including the development of text-based sandboxes for Webshells and malicious scripts.

Yi Sun is active in the bbs.pediy.com community as an expert member (ID: ddlx) and spoke at XCON 2020.
