Technical deep dive: how to use AI to accurately identify mining Trojans

2022-06-24 03:20:00 Tencent security

In recent years, as the price of cryptocurrency has climbed steadily, "mining" with other people's computing resources has become lucrative, and mining Trojans are on the rise. Driven by profit and hungry for more computing power, attackers scan the entire internet indiscriminately and use a variety of brute-force attacks and vulnerability exploits against hosts. Once a host is compromised, the mining Trojan also spreads across the intranet and stays on the compromised server for as long as possible to maximise its gain.

So, is there an effective way to identify mining Trojans? Recently, Tang Qiyi, senior security researcher at Tencent Security Keen Lab, gave a talk titled "BinaryAI: using AI methods to identify mining Trojans". Covering the development trend and threat of mining Trojans, the principles and mechanism of BinaryAI, and how BinaryAI identifies mining Trojans, it offers users across industries an AI-based mining Trojan identification solution.

Mining Trojans are growing fast, and traditional identification methods each have shortcomings

Since Satoshi Nakamoto proposed the concept of digital currency and developed the Bitcoin algorithm in 2008, "mining" has become increasingly popular. But mining requires the CPU or GPU to perform intensive computation, which is both time-consuming and power-hungry. To obtain more computing resources, hacker groups compete for the computing power of hosts across the whole network, which has led to a clear growth trend of mining Trojans over the past year. According to Tencent Cloud statistics, intrusions aimed at mining account for 54.9% of attacks on the public cloud.

(Figure: mining Trojan attack process)

However, Tang Qiyi pointed out that the traditional detection and identification methods for mining Trojans, such as static detection, dynamic detection and the cloud platform's own resource monitoring, each have their defects.

1. Static detection. The most common form is file-hash-based cloud scanning: the hash is compared against a library of known Trojans to decide whether the file is a mining Trojan. Alternatively, constant features such as strings are used to write identification rules. Static detection has low computational cost and is simple to implement, but its miss rate is very high and it is easy to evade.

2. Dynamic detection. This mainly detects the network behaviour generated by connecting to a mining pool. Dynamic detection has a relatively low false-positive rate, but it misses easily, and its detection latency is relatively high, so it lacks real-time capability.

3. Cloud computing resource detection. Monitoring CPU and GPU resource usage is not designed specifically for mining Trojan identification; after an alert is raised, the user still has to confirm whether the activity is legitimate.

Representation model and mining Trojan identification scheme based on BinaryAI

The BinaryAI algorithm can be regarded as a static detection scheme; compared with the traditional schemes, it mainly solves the problem of an excessively high miss rate.

BinaryAI is a technique that uses deep learning to represent a function as a high-dimensional vector that captures its semantics. Simply put, BinaryAI converts a function into a vector; if two functions are semantically similar or identical, their vectors are also very close.

According to Tang Qiyi, BinaryAI has the largest and most complete training data in the industry, a SOTA neural network model and industry-leading function similarity search results, and has been successfully applied in multiple security scenarios including malware identification, software composition analysis and vulnerability discovery.

(Figure: BinaryAI, the function semantic vectorisation representation model)

Function semantic vectorisation representation model

The largest and most complete training data: to some extent, the data determines the upper limit an algorithm can reach. The training set consists of millions of binary functions with different semantics, where each binary function is generated from one piece of source code under several different compilers, optimisation levels, CPU architectures and so on. The model learns how to correctly represent the semantics of a function from as much data as possible.

SOTA neural network model: using a siamese neural network and metric learning, the HBMP model converts each node into a vector; a graph neural network then updates each node's vector; and a Graph Pooling step aggregates the vectors of all nodes into one high-dimensional vector. At the same time, constant information such as immediates and strings, the Global Feature, is also converted into a vector. Finally the two vectors are concatenated, and the resulting vector is sufficient to express the semantics of the function.

(Figure: the SOTA neural network architecture)

Industry-leading function similarity search results: according to Tencent Security's tests, among 10,000 functions with different semantics the recall accuracy is 91.1%. In tests conducted by Cisco's research team, the final figures were also significantly ahead of other algorithms and products. The SDK developed on the BinaryAI algorithm and its IDA plugin have also been well received in the CTF community.

BinaryAI mining Trojan identification scheme

In the overall identification process based on the BinaryAI algorithm, the functions of the main mining components are first collected to build a library of mining component functions. Each input sample under test is divided at function granularity; each function is matched against the library and its semantic similarity computed, and when the similarity reaches the set threshold the match succeeds. Based on the proportion of matches, the sample is determined to be a mining Trojan or not.

Second, the BinaryAI algorithm places the cryptographic functions and the mining-pool connection functions in separate sets. A mining Trojan may use only the cryptographic operations of a mining component or only its pool connection method, and it may consist of multiple files, each containing only some of the functions. Identifying only the encryption algorithm or only the pool connection would easily lead to misses.

Finally, the mining component functions contain some noise: functions that are not strongly related to mining and do not help identify mining Trojans. These require an automated cleaning scheme followed by manual fine screening. First comes automated rough cleaning, which applies filtering rules directly on function name, function body size and the like as a preliminary screen. Then each function of the mining feature component is evaluated for how frequently it matches real mining samples, and functions with a high frequency are removed from the library. After cleaning, the composition of the feature function library is further adjusted by combining bad-case analysis with expert experience. The result is a relatively high-quality function library used to identify mining Trojans.
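The matching step described above, as an added illustration that is not BinaryAI's own code: toy 4-dimensional embeddings stand in for the real function vectors, the crypto and pool-connection libraries are kept as separate sets, and the similarity and coverage thresholds are assumed values chosen for the example.

```python
import math
from typing import Dict, List

Vec = List[float]
SIM_THRESHOLD = 0.85    # assumed: min cosine similarity for one function to count as matched
RATIO_THRESHOLD = 0.5   # assumed: fraction of a component's functions that must be matched

def cosine(a: Vec, b: Vec) -> float:
    """Cosine similarity between two function embeddings."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

# Constructed toy embeddings standing in for BinaryAI's real high-dimensional vectors.
# Hashing functions and pool-connection functions are kept in separate libraries.
CRYPTO_LIB: Dict[str, Vec] = {
    "cn_hash":          [0.9, 0.1, 0.0, 0.1],
    "keccak_f1600":     [0.8, 0.3, 0.1, 0.0],
    "blake2b_compress": [0.7, 0.4, 0.0, 0.1],
}
POOL_LIB: Dict[str, Vec] = {
    "stratum_login": [0.0, 0.1, 0.9, 0.2],
    "submit_share":  [0.1, 0.0, 0.8, 0.4],
    "parse_job":     [0.0, 0.2, 0.7, 0.5],
}

def coverage(sample: Dict[str, Vec], library: Dict[str, Vec]) -> float:
    """Fraction of library functions that at least one sample function matches."""
    hits = sum(
        1 for lib_vec in library.values()
        if any(cosine(v, lib_vec) >= SIM_THRESHOLD for v in sample.values())
    )
    return hits / len(library) if library else 0.0

def classify(sample: Dict[str, Vec]) -> dict:
    """Flag a sample when either component alone is sufficiently covered."""
    crypto, pool = coverage(sample, CRYPTO_LIB), coverage(sample, POOL_LIB)
    # Either set alone decides: a stripped dropper may carry only the pool protocol,
    # while the worker binary carries only the hashing code.
    return {"crypto": crypto, "pool": pool,
            "is_miner": crypto >= RATIO_THRESHOLD or pool >= RATIO_THRESHOLD}

# Constructed samples: names are stripped, only the embeddings survive.
POOL_ONLY_SAMPLE = {"sub_401000": [0.0, 0.1, 0.9, 0.2],
                    "sub_402000": [0.1, 0.05, 0.85, 0.4]}
BENIGN_SAMPLE = {"main": [0.3, 0.3, 0.3, 0.3],
                 "strlen": [0.2, 0.7, 0.0, 0.6]}
```

The pool-only sample is flagged even though it contains no hashing code, which is exactly the miss the separate sets are meant to avoid.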

(Figure: mining Trojan identification algorithm based on BinaryAI)

According to Tang Qiyi, in a test on 15,000 manually labelled software samples from real scenarios, comprising 3,000 mining Trojans and 12,000 normal software samples, the BinaryAI algorithm reached a recall rate of 96% on mining Trojans, while the false-positive rate on normal software was below 1%.

With the full cooperation of Keen Lab and Tencent Security's threat intelligence product team, the BinaryAI-based mining Trojan identification method will serve as a core capability of threat intelligence, providing technical support for the production and operation of threat intelligence. As one of the basic security capabilities of Tencent Cloud and Tencent Security, it will deliver continuous and effective security protection to customers both on and off the cloud.

Copyright notice
This article was written by [Tencent security]; please include the original link when reposting. Thank you.
https://yzsam.com/2021/10/20211009185655878w.html