Over the past 2.5 years, Endgame has received 20M malware samples, roughly 9.5 TB of binary data. We are not alone in this. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10M samples in the last quarter of 2012 [1]; its total corpus is estimated at about 100M samples. VirusTotal receives between 300k and 600k unique files per day, and of those roughly one-third to one-half are positively identified as malware [2].
Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset.
To address this scaling problem, we will present our open framework, BinaryPig, along with example uses of it to perform a multiyear, multi-terabyte, multimillion-sample malware census. The framework is built on Apache Hadoop, Apache Pig, and Python. It addresses many of the practical issues of scalable malware processing: coping with ever-larger data sizes, shortening the workflow development cycle, and running most pre-existing analysis tools over binary files in parallel. It is also modular and extensible, in the hope that it will help security researchers and academics handle ever-larger amounts of malware.
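The map-side pattern that a Hadoop/Pig malware census like this is built around, as an added illustration written for this page (it is not BinaryPig's own code and not from the talk): many small binaries are bundled into one record-oriented container keyed by content hash, a mapper runs independent analysis modules over each record with per-module failure isolation, and the output is emitted as JSON lines that Pig can load and aggregate. The container layout, the module names, and the sample bytes are assumptions constructed for the example; the samples are synthetic headers, not malware.

```python
"""Illustrative map-side pipeline for a large binary corpus (added example,
not BinaryPig's code). Container layout and module set are assumptions."""
import hashlib
import json
import re
import struct
from concurrent.futures import ProcessPoolExecutor


# --- constructed samples (synthetic headers, not real malware) ------------
def _pe_like() -> bytes:
    # Minimal MZ stub whose e_lfanew field (offset 0x3c) points at "PE\0\0".
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf) + b"http://c2.example.invalid/beacon\x00" + b"\x00" * 8


SAMPLES = {  # constructed inputs standing in for files pulled from a corpus
    "sample_pe.bin": _pe_like(),
    "sample_elf.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/bin/sh -c\x00",
    "sample_junk.bin": bytes(range(256)),
}


# --- container: key = sha256 of content, value = raw bytes ----------------
def pack(samples):
    """Bundle many small files into (key, bytes) records. This is the role a
    Hadoop SequenceFile plays for a real corpus (assumed layout): one big
    splittable file instead of millions of tiny ones on HDFS."""
    return [(hashlib.sha256(d).hexdigest(), d) for d in samples.values()]


# --- analysis modules: plain functions bytes -> JSON-serialisable value ---
def mod_hashes(data):
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def mod_file_type(data):
    """Cheap magic-byte classification; a real module would wrap an existing
    tool such as a PE parser or libmagic."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else "mz"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def mod_strings(data, min_len=6):
    """Printable-ASCII runs, the same idea as the `strings` utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


MODULES = {"hashes": mod_hashes, "file_type": mod_file_type, "strings": mod_strings}


def analyze_record(record, modules=None):
    """Run every module over one sample. A module that raises is recorded
    under 'errors' instead of aborting the task, so one crashing tool on one
    malformed sample cannot kill a job over millions of records."""
    key, data = record
    out = {"key": key, "size": len(data), "errors": {}}
    for name, fn in (modules or MODULES).items():
        try:
            out[name] = fn(data)
        except Exception as exc:  # deliberately broad: tools fail in odd ways
            out["errors"][name] = f"{type(exc).__name__}: {exc}"
    return out


def process_corpus(records, workers=1):
    """Map analyze_record over the container; worker processes stand in for
    Hadoop map tasks. Order of results matches the input order."""
    if workers <= 1:
        return [analyze_record(r) for r in records]
    with ProcessPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(analyze_record, records))


def to_json_lines(results):
    """One JSON object per line: the shape Pig's JsonLoader can consume."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in results)


if __name__ == "__main__":
    print(to_json_lines(process_corpus(pack(SAMPLES), workers=2)))
```

The per-module try/except is the part worth copying: when a corpus is measured in terabytes, the question is never whether some sample will crash some tool, only how many, and the job must record the failure and move on rather than fail the task.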
In addition, we will demonstrate the results of our exploration and the techniques used to derive these results. The framework, analysis modules, and some example applications will be released as open source (Apache 2.0 License) at Blackhat.
[2] VirusTotal statistics, https://www.virustotal.com/en/statistics/, as of 4/9/2013

Source: Black Hat USA 2013 archive, https://www.blackhat.com/us-13/archives.html#Hanif