Friday 5 October 11:00 - 11:30, Red room
Karishma Sanghvi (Microsoft)
Joe Blackbird (Microsoft)
This paper discusses efforts to identify malware authors through Windows Defender telemetry to improve customer protection. Malware authors have been difficult to identify through telemetry since they are careful to avoid detection while developing and testing malware. However, as our cloud-based protection improves, malware authors may be forced to test their malware against our cloud-based solution, giving us an opportunity to identify them during their development phase.
The discussion outlines the process of identifying a sample of malware authors' devices through heuristic telemetry patterns, device-based information, and details on suspicious files originating from devices. From this sample, we generalize the attributes of malware authors' devices to find new devices as they come online. The aim of this is to have a dynamic, more flexible approach for classifying malware author devices.
The paper will conclude with a test of the additional protection value that we gain with this classifier. Using experimental cloud-based protection, we will quantify the impact of blocking the files originating from the flagged machines. Furthermore, we will explore the result of taking action based on this classifier, since malware authors are sure to react to detection. Our aim is to put these malware authors in 'starvation mode' by determining the optimal number of files we can block without them disappearing and forcing us to find them again.
Karishma Sanghvi joined Microsoft in 2016 as a data scientist for Windows Active Defense. Her work involves finding and anticipating trends in the threat landscape in order to improve Defender's protection capabilities. Her recent focus has been the design of real-time detection algorithms for malware outbreaks. Before her life in security, she was a data scientist in product marketing and customer analytics at Accenture. Karishma holds a Master's degree from Cornell University and a Bachelor's degree from the University of Washington, both with a focus on operations research.
Joe Blackbird joined Symantec as a vulnerability researcher in 2003 after completing a degree in computer science with a specialization in computer viruses and malware at the University of Calgary, Canada. He progressed into threat-related data analysis and threat reporting, contributing to various threat-landscape reports published by Symantec until he left to work with Microsoft in 2012. At Microsoft he continues to work with data analysis and reporting as a data scientist with the team behind Windows Defender Anti-Virus.