Deep Impact: Recognizing Unknown Malicious Activities from Zero Knowledge

Conference: BlackHat EU 2018



The presentation discusses the use of neural networks to detect and prevent cyber attacks, specifically focusing on detecting exploit kits and content type sequences.
  • Neural networks can be used to detect and prevent cyber attacks
  • The focus is on detecting exploit kits and content type sequences
  • The presentation provides examples of different types of exploit kits and their characteristics
  • The recurrent neural network model is used to detect content type sequences
  • The model is tested with both benign and malicious sequences and is successful in detecting malicious ones
The presenter explains how the model was able to successfully detect a sequence containing a popular pattern of the Neutrino exploit kit, which is a fundamental function that cannot be easily changed. This illustrates the effectiveness of the model in detecting and preventing cyber attacks.


To detect malicious activities, there are pattern matching, blacklists, behavioral analysis, and event correlation. However, those existing approaches have several problems. For instance:
  • Unknown threats and sophisticated attacks could circumvent those solutions.
  • Some of those require huge resources.

This talk will cover how to solve the issues above and how we detect unknown malicious activities from typical logs of devices which are not dedicated to attack detection, such as proxies, firewalls and so on.

1. C2 Server Detection

We discover malware which periodically communicates with C2 servers, such as Bots/RATs, from zero knowledge. In order to achieve this, we generate over two million communication patterns by enumerating C2-ish communication patterns with a generator script. We then use Convolutional Neural Networks by converting common logs into "virtual images", mapping the count of communications and sent/received bytes in chronological order.

We will show you that our models are able to detect various C2 communications of unknown (that is, unlearned) malware samples which come from actual incidents, such as PlugX, RedLeaves/himawari, xxmm, Asruex, ursnif/gozi, Vawtrak, and so on.

2. Exploit Kit Detection

Stable detection of Exploit Kits (EKs) is difficult because EKs' URLs and contents keep changing frequently. However, we found effective EK detection from zero knowledge.

The method is able to detect unknown (again meaning unlearned) EKs from standard proxy logs by recognizing emulated content-type sequences of EKs (e.g. html -> swf -> octet-stream) with Recurrent Neural Networks. The sequences are deeply related to the behavior of EKs, therefore attackers cannot change them easily.

We will show you that our models, which are trained with 300 thousand EK-like content-type sequences, are able to detect 14 kinds of EKs such as Rig, Nebula, Terror, Sundown, KaiXin and so on.
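The content-type sequence pipeline from the Exploit Kit Detection section, as an added Python example (not code from the talk): it extracts per-client Content-Type sequences from constructed proxy log lines, maps them to the integer tokens an RNN would consume, and, as a stand-in for the trained model's verdict, checks for the html -> swf -> octet-stream ordering the abstract cites. The log line format, the alias table and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the talk); assumed format: time client-ip host status content-type
SAMPLE_LOG = """\
12:00:01 10.0.0.5 news.example.net 200 text/html;charset=UTF-8
12:00:02 10.0.0.5 cdn.example.net 200 text/css
12:00:02 10.0.0.5 cdn.example.net 200 image/png
12:00:05 10.0.0.7 ads.example.org 200 text/html
12:00:06 10.0.0.7 ads.example.org 200 application/x-shockwave-flash
12:00:07 10.0.0.7 ads.example.org 200 application/octet-stream
12:00:09 10.0.0.5 news.example.net 200 application/json
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (.+)$")

# Coarse labels for raw Content-Type values; unknown types fall back to the MIME subtype.
ALIASES = {"text/html": "html",
           "application/x-shockwave-flash": "swf",
           "application/octet-stream": "octet-stream"}

def normalize(ctype):
    base = ctype.split(";")[0].strip().lower()
    return ALIASES.get(base, base.split("/")[-1])

def extract_sequences(log):
    """Per-client content-type sequences in log (chronological) order."""
    seqs = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the batch
        _, client, _, _, ctype = m.groups()
        seqs[client].append(normalize(ctype))
    return dict(seqs)

def encode(seq, vocab):
    """Integer tokens for an RNN input; 0 is reserved for types outside vocab."""
    index = {label: i + 1 for i, label in enumerate(vocab)}
    return [index.get(label, 0) for label in seq]

def contains_ordered(seq, pattern):
    """True if pattern occurs in seq in order, gaps allowed (e.g. html -> swf -> octet-stream)."""
    it = iter(seq)
    return all(label in it for label in pattern)

if __name__ == "__main__":
    for client, seq in extract_sequences(SAMPLE_LOG).items():
        print(client, " -> ".join(seq), contains_ordered(seq, ["html", "swf", "octet-stream"]))
```

The ordered-subsequence check is only a readable substitute for the RNN; the talk's point is that the model learns such orderings from generated sequences rather than from a hand-written pattern.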