TIPS#10 Peak Analyzer: an automated malware campaign detector

Jason Zhang (VMware), Stefano Ortolani (VMware) & Giovanni Vigna (VMware)

Cyber security threats have been growing significantly in both volume and sophistication over the past decade. Naturally, this has also been accompanied by an increasing collection of threat telemetry data, ranging from detonation timelines to IDS/IPS detections just to name a few. Telemetry data, typically represented by enriched time series, often contains underlying peak signals which in turn correspond to a number of informative events: occurrences of malware campaigns, most adopted malware delivery vectors, commonly affected verticals, and even anomalies possibly revealing the presence of false positives. While all this information clearly holds tremendous value, mining such data sets is expensive and complex; as a result, organizations often find it challenging to gain further insights of the underlying threat landscape even though they have access to the data.

In this talk, we discuss Peak Analyzer, a new statistical approach to leverage telemetry data and automatically produce threat intelligence insights. By looking at telemetry data as a collection of multi-attribute time series, we translate outliers into meaningful signals. False positives are minimized by computing and comparing statistics from both local and global temporal windows; the approach is efficient and scalable thanks to a sliding window mechanism that keeps both sets of statistics up-to-date by relying on incremental updates. We conclude the talk by evaluating the effectiveness of our approach by showcasing the most recent malware campaigns detected by Peak Analyzer when processing threat telemetry data from our production network sensors.

Jason Zhang

VMware

Jason Zhang is a senior member of technical staff in the Threat Intelligence Team, VMware NSBU. As a highly motivated cyber threat researcher and a proven product and technology pioneer, Jason has a wealth of experience in technology and product R&D. Prior to joining VMware, Jason worked at Lastline, Sophos and Symantec, specializing in cutting-edge research and automation in threat detection. Jason is a regular speaker at leading technical conferences including Black Hat, Virus Bulletin and InfoSec. Jason earned his Ph.D. in signal processing from King's College London & Cardiff University in the UK.

Stefano Ortolani

VMware

Stefano Ortolani is Threat Research Lead at VMware, formerly Director of Threat Research at Lastline, where he joined in 2015 as a security researcher. He spends his time researching bespoke approaches to investigate and classify cyber tradecraft, and making sure none are left uncharted. A contributor to product development, he is also a regular speaker at technical conferences. Previously, he was part of the Global Research and Analysis Team at Kaspersky Lab, in charge of fostering operations with CERTs, governments, universities and law enforcement agencies, as well as conducting research of the global threat landscape. He received his Ph.D. in computer science from VU University Amsterdam.

Giovanni Vigna

VMware

Giovanni Vigna is the Sr. Director of Threat Intelligence at the VMware NSBU. He is also a professor in the Department of Computer Science at the University of California in Santa Barbara (on leave), and was the CTO and co-founder of Lastline, Inc., a company that provides anti-malware solutions, which was acquired by VMware in June 2020. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security. Giovanni Vigna is also the founder of the Shellphish hacking group, which has participated in more DEF CON CTF competitions than any other group in history. He is an IEEE Fellow and an ACM Fellow.