The Cybersecurity Lecture Series at Georgia Tech is a free, one-hour lecture from a thought leader who is advancing the field of information security and privacy. Invited speakers include executives and researchers from Fortune 500 companies, federal intelligence agencies, start-ups and incubators, as well as Georgia Tech faculty and students presenting their research. Lectures are open to all -- students, faculty, industry, government, or simply the curious.

RSVP

On Friday, Feb. 16 guest speaker Malachi Jones Ph.D. will give a lecture titled "Automated In-memory Malware/rootkit Detection via Binary Analysis and Machine Learning."

A prominent technique for detecting sophisticated malware consists of monitoring the execution behavior of each binary to identify anomalies and/or malicious intent. Hooking and emulation are two primary mechanisms that are employed to facilitate the monitoring. Although these behavioral monitoring mechanisms are a substantial improvement over classic signature detection, skilled malware authors have developed reliable techniques to defeat them. As an example, sophisticated malware can exploit hooking implementations by either utilizing alternative (e.g. lower level) unhooked API or by removing the hooks at run-time to evade monitoring. In addition, the malware also can perform checks to detect if it is executing in an emulator/VM and modify its behavior accordingly.
 
In this talk, we will demonstrate an approach for pairing Memory Forensics with Binary Analysis and Machine Learning to analyze the behavior of binaries on a set of hosts to detect advanced persistent threats (APT)s that may evade detection by hooking and emulation. In particular, we will discuss how an approximate clustering algorithm with linear run-time performance can be leveraged to identify outliers (i.e., potential APTs) among sets of clustered memory artifacts (i.e., processes, shared libraries, drivers, and kernel modules). Note that these memory artifacts are collected from live, networked hosts and clustered real-time in a scalable manner. We will also discuss and demonstrate how dynamic binary analysis can be leveraged to differentiate between benign anomalous code and malware to improve detection accuracy.
 

Malachi Jones, Ph.D., is a security researcher at Booz Allen Dark Labs located in central Maryland and has over 10 years of combined experience performing security research work in academia and industry. As a Dark Labs security researcher, he specializes in embedded systems vulnerability assessment and also is an instructor with Booz Allen’s internal reverse engineering training program. In addition to his work at Dark Labs, he is separately conducting independent research on pairing memory forensics with binary analysis and machine learning to detect malware and rootkits in an automated fashion. Before joining Dark Labs in March 2016, he worked as a vulnerability researcher at a defense contractor in Melbourne, Fla., for over two years. Jones holds a B.S. in Computer Engineering from the University of Florida and an M.S. and Ph.D. from the Georgia Institute of Technology. His graduate work at Georgia Tech focused on modeling cybersecurity problems in a Game Theoretic framework to perform actionable cyberattack forecasting.