#Applications to engineering problems (without derivation). Series Solution and Special Functions Series solution of second order ordinary di
goldira01 · 5 years ago
Jay Hao, the CEO of the digital asset exchange OKEx, took part in Cointelegraph China HUB, an online interview column started by Cointelegraph China. In the past, Hao has stated that blockchain will eliminate transaction barriers, improve efficiency and ultimately impact the development of the global economy. But what does he think about the world of blockchain now?
Cointelegraph: Is cryptocurrency a niche industry developing with uncertainty and volatility? And how did OKEx overcome the volatility of the industry to become one of the top exchanges?
Jay Hao: As you said, the cryptocurrency industry itself brims with uncertainties, and it is OKEx’s innate mission to be prepared to meet new challenges on all occasions. In the past year, the lowest price of Bitcoin reached about $3,300 and the highest exceeded $13,000. Especially in the past three months, the global financial industry has encountered massive fluctuations under the influence of COVID-19. 24/7 free-to-trade cryptocurrency has reacted even more in this plunge. 
“For exchanges, the biggest challenge brought by such huge fluctuations is the stability of the trading system and risk control under such extreme market behavior.”
So, my team and I have consistently held a consensus: in the world of cryptocurrency, technology strength must be the key to building any crypto ecosystem. In the past year, we have polished the construction of the system without stopping, and we have carried out hundreds of significant upgrades. Our unique super matching engine and Lightning 2.0 system ensure that the platform can run stable even under extreme market conditions, and also the order processing speed has ranked high on the world’s top options exchanges lists. This is indeed a matter of pride.
CT: Can you give some details about OKEx’s expansion plan or overall strategy?
JH: From my point of view, reputation is the foundation of an enterprise, especially in the crypto world. In addition to the well-known reasons why Libra’s issuance is so complicated, I think there is another factor. Business lies happen once or countless times. After all, a lie requires countless lies to make up for it, and the vicious cycle will always collapse.
As Facebook is one of the main sponsors, it was bothered with problems such as user data leakage and unauthorized collection of user data, which have seriously hurt market confidence. Lawmakers’ distrust of Facebook even exceeds that of cryptocurrency itself or blockchain technology. 
“Therefore, within OKEx, I repeatedly stress with the team that we must never do anything that harms the interests of users. ‘Customer first’ is always the core value of OKEx, which also acts as the cornerstone of our internationalization.”
The internationalization of OKEx has been accelerating. At present, it has reached cooperation with the world’s seven largest legal fiat payment providers through the fiat gateway project, supported 30 fiat currencies including United States dollars and euros, and accepts 17 payment methods including Visa and Mastercard. Also, we have provided services to more than 20 million users in more than 200 countries and regions around the world, and that is still increasing.
In the crypto world, OKEx’s role is not only as a trading platform but also a blockchain technology company. We have launched OKEx Cloud, relying on the technical strength and service experience accumulated by OKEx in the field of digital assets for many years and providing exchange technology services to the world. 
Besides, OKChain, independently developed by OKEx, was also completed as 100% open-source. OKChain pioneered the “commercial chain alliance” model, which will face all ecological nodes and provide efficient, free and boundless public chain ecosystems. It is a significant step for our internationalization.
In summary, OKEx’s internationalization has three points: first, customers come first; second, to meet global differentiated needs and provide localized services; and third, we are not building an exchange, but a global free, equal and healthy encryption ecosystem.
CT: According to CryptoCompare, the combined volumes of OKEx’s, BitMEX’s, Huobi’s and Binance’s derivatives markets in March totaled $514 billion, or 86% of the entire market. And OKEx took more than BitMEX. How do you see the competition in the market? 
JH: In the face of competition, I always believe that continuous and healthy competition will bring new vitality into the market. While promoting the progress of the industry, it also allows users to have a better reference basis when choosing a trading platform. We will actively learn from excellent competitors. After all, the beneficiaries under healthy competition will always be users.
Can a contract dominate the competitiveness and fate of an exchange? The answer is, of course, no. No company can be popular in the world with only one function. The needs of users are constantly changing. In the business environment, the only constant is change. What’s more, in a new and rapidly changing industry like blockchain, I always believe that OKEx’s biggest competitor is ourselves, and we are also confident that we will continue to lead the industry and make breakthroughs.
CT: How does OKEx address challenges such as cryptojacking or the free-fall of the market such as occurred on March 12?
JH: As I said before, technical security is still one of the biggest challenges that trading platforms need to face. I can proudly tell you that because of OKEx’s excellent technical strength, there has never been a theft of user funds or an information security incident since its establishment. In terms of fund management, OKEx adopts enhanced cold/hot wallet management, and the risk control system is continuously upgraded to ensure the safety of user funds and information.
Due to the particularity of the industry, the order volume per second in extreme market conditions is several times higher than the normal order volume and can reach 1 million. This is indeed an objective challenge for all exchanges in the industry.
On the other hand, service solutions from the perspective of user interests are also particularly important. For the user losses caused by our platform in the extreme market on March 12, we immediately set up a special solution group to actively follow up and solve the problems, which has also been understood and supported by most users. As an objectively neutral and responsible trading platform, we are well aware that there are still many areas that need to be improved. 
CT: It can be said that OKB is not only a platform coin for OKEx, but also a global token throughout the entire ecosystem of OKEx. What’s the role of OKB in OKEx’s ecosystem?
JH: Now, in many people’s eyes, OKB is less and less like a “platform token.” It creates continuous value for OKEx users. OKB ecological construction starts from several important dimensions, and its ultimate goal is to continue to create value for users.
In terms of additional rights within the OKEx trading platform, 14 application scenarios have been expanded. From the perspective of the construction of a deflation model, we are currently the first platform coin in the industry to achieve full circulation. On Feb. 10, we destroyed 700 million unissued OKB, which means that the team completely gave up its rights and holdings of OKB, and the profits were given to OKB users. Of course, this also means that OKB’s future buyback and burn will all be performed in the secondary market.
CT: Can you tell us how OKChain will empower OKB in the future?
JH: The appearance of OKChain is also an attempt of OKEx in the global decentralization tide. The big difference is that OKChain will solve the problem of large-scale landing and application of public chains because we believe this is the main contradiction in the current development of public chains.
OKChain’s uniquely designed cross-chain solution and original business chain alliance can enable each participating node to exert its power here and publish and run various decentralized applications without hindrance. The whole process does not require any review nor is there a so-called “proposal.” To a large extent, it has solved a series of problems such as transactions per second, security and adaptability that plagued the development of public chain technology.
In the future, OKB will be migrated to the main chain of OKChain. At that time, we will delete the code of the smart contract for the additional issuance of tokens and continue to improve the OKB deflation model. And the genesis block of OKChain’s basic token OKT will map 100% to OKB holders when the mainnet goes online, and OKB holders will also have the opportunity to become supernodes on OKChain.
The latest progress is that when it was open-sourced to GitHub, OKChain joined hands with the first group of ecological partners — a total of 30 global well-known enterprises from the public chain, proof-of-stake mining pool, blockchain browser, wallet and multiple other types of fields. Perhaps by that time, OKB will be less like a “platform token.”
CT: How do you see the regulatory landscape around crypto, and how does OKEx remain compliant with global regulators?
JH: I was not surprised by the result of the U.S. Security and Exchange Commission’s ban on Telegram tokens. Telegram is elaborating on the nature of its tokens, saying that Telegram Open Network is a practical tool for community members with “consumer uses,” while the SEC and the courts are more concerned about its financial attributes, believing that it can flow out of control to the secondary market. Such negotiations are doomed to a consensus.
“The supervision of any industry always needs to dynamically adapt to market changes, but a basic premise is that no matter how changes are made, everyone has a basic consensus on this industry.”
The TON ban does not completely represent the SEC’s denial of the entire digital currency. On the contrary, this judgement fully shows us the professional understanding of the SEC and the courts on blockchain technology and digital currency, which is a powerful impetus for the development of the entire crypto industry. In the globalization process of OKEx, it is our primary premise to reach a regulatory consensus with local users and regulatory agencies.
In March, we heard a lot of good news from the world: India lifted the trading ban, South Korea officially classified cryptocurrencies as an asset and Germany issued a guide to classify cryptocurrencies as a financial instrument, with many other countries also actively exploring.
This just shows that the regulatory agencies of various countries are reaching a consensus with the crypto market. Therefore, for any country and region in the world that has reached a consensus with the crypto world, OKEx is ready to embrace supervision at any time.
CT: Could you share your thoughts on Binance’s acquisition of CoinMarketCap? What were the main motivations behind this move, in your opinion? Is expansion like this a natural way for exchanges to develop?
JH: First of all, congratulations to Binance on its ecological footprint expansion. However, I have also expressed my view on social media. In contrast, I would be more inclined to spend this budget on repurchasing platform coins and giving back to users who support the development of the platform. Only when users benefit will more and more people pay attention to and support you, and the exchange ecology will naturally become stronger and stronger.
“Each exchange has its expansion strategy. There is no so-called natural occurrence. It is a trade-off between the interests of all parties. The final choice is also determined by the operator’s judgment on the interests.”
Although I have said it many times, I still have to reiterate that in the expansion of OKEx, the interests of OKEx users will always be first. It does not exclude that we will advance some important decisions by soliciting opinions from users. OKEx will continue to contribute its strength to the construction of the global crypto ecosystem, which is beyond doubt.
CT: Can you share what your favorite books are, those that have inspired you to do what you’ve been doing in the blockchain sector?
JH: Work and life are two mirrors that reflect a person. I am quite different from myself at work. In addition to books that enhance professional knowledge every day, I like to read some tragic comedy and realism novels by Shakespeare and Dickens. I remember one sentence in Dickens’s A Tale of Two Cities: “It was the best of times, it was the worst of times.” Now, in many moments, this sentence will appear in my heart. Any industry and its related technologies have two sides.
This era has given us a great platform to do what we think is meaningful and at the same time set up many constraints. Therefore, our actions must be oriented to benefit the people, society and life. A good or bad thought requires that we always have a rule in our hearts to measure and correct. These novels have influenced my code of conduct to a certain extent.
In addition to these, an avid teenager lives in my heart. Maybe you can’t imagine it, but I also like to watch popular novels like “Harry Potter” and “Lord of the Rings.” I like a story that breaks the boundaries of thinking and uses imagination to create a world of dreams and love.
Just like the blockchain industry, it is new, meaningful, borderless and does not adhere to conventions. We still have a lot of possibilities to achieve the impossible. Just like the enthusiasm brought by these novels, I think that whether it is a blockchain enterprise or a trading platform, we first need to use unlimited innovation and imagination to create services and value for society. At the same time, we must assess the situation, be bold and careful, and conduct within the rules of society.
This interview was conducted during a partnered event. It has been condensed and edited.
coursesforallacademynoida · 6 years ago
Engineering Mathematics - II Tuition Classes In Greater Noida Near Alpha Commercial
Differential Equations Linear differential equations of nth order with constant coefficients, Complementary function and Particular integral, Simultaneous linear differential equations, Solution of second order differential equations by changing dependent & independent variables, Normal form, Method of variation of
preciousmetals0 · 5 years ago
Sharing Thoughts on Security, OKEx’s Jay Hao Says Customers Come First
terabitweb · 6 years ago
Original Post from FireEye Author: Vikram Hegde
This blog post presents a machine learning (ML) approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and then discuss how such problems have traditionally been handled. We then describe a machine learning approach to solving this problem and point out how ML vastly simplifies development and maintenance of a robust obfuscation detector. Finally, we present the results obtained using two different ML techniques and compare the benefits of each.
Introduction
Malicious actors are increasingly “living off the land,” using built-in utilities such as PowerShell and the Windows Command Processor (cmd.exe) as part of their infection workflow in an effort to minimize the chance of detection and bypass whitelisting defense strategies. The release of new obfuscation tools makes detection of these threats even more difficult by adding a layer of indirection between the visible syntax and the final behavior of the command. For example, Invoke-Obfuscation and Invoke-DOSfuscation are two recently released tools that automate the obfuscation of PowerShell and Windows command lines respectively.
The traditional pattern matching and rule-based approaches for detecting obfuscation are difficult to develop and generalize, and can pose a huge maintenance headache for defenders. We will show how using ML techniques can address this problem.
Detecting obfuscated command lines is a very useful technique because it allows defenders to reduce the data they must review by providing a strong filter for possibly malicious activity. While there are some examples of “legitimate” obfuscation in the wild, in the overwhelming majority of cases, the presence of obfuscation generally serves as a signal for malicious intent.
Background
There has been a long history of obfuscation being employed to hide the presence of malware, ranging from encryption of malicious payloads (starting with the Cascade virus) and obfuscation of strings, to JavaScript obfuscation. The purpose of obfuscation is two-fold:
Make it harder to find patterns in executable code, strings or scripts that can easily be detected by defensive software.
Make it harder for reverse engineers and analysts to decipher and fully understand what the malware is doing.
In that sense, command line obfuscation is not a new problem – it is just that the target of obfuscation (the Windows Command Processor) is relatively new. The recent release of tools such as Invoke-Obfuscation (for PowerShell) and Invoke-DOSfuscation (for cmd.exe) has demonstrated just how flexible these commands are, and how even incredibly complex obfuscation will still run commands effectively.
There are two categorical axes in the space of obfuscated vs. non-obfuscated command lines: simple/complex and clear/obfuscated (see Figure 1 and Figure 2). For this discussion “simple” means generally short and relatively uncomplicated, but can still contain obfuscation, while “complex” means long, complicated strings that may or may not be obfuscated. Thus, the simple/complex axis is orthogonal to obfuscated/unobfuscated. The interplay of these two axes produces many boundary cases where simple heuristics to detect if a script is obfuscated (e.g. length of a command) will produce false positives on unobfuscated samples. The flexibility of the command line processor makes classification a difficult task from an ML perspective.
Figure 1: Dimensions of obfuscation
Figure 2: Examples of weak and strong obfuscation
Traditional Obfuscation Detection
Traditional obfuscation detection can be split into three approaches. One approach is to write a large number of complex regular expressions to match the most commonly abused syntax of the Windows command line. Figure 3 shows one such regular expression that attempts to match ampersand chaining with a call command, a common pattern seen in obfuscation. Figure 4 shows an example command sequence this regex is designed to detect.
Figure 3: A common obfuscation pattern captured as a regular expression
Figure 4: A common obfuscation pattern (calling echo in obfuscated fashion in this example)
There are two problems with this approach. First, it is virtually impossible to develop regular expressions to cover every possible abuse of the command line. The flexibility of the command line results in a non-regular language, which is feasible yet impractical to express using regular expressions. A second issue with this approach is that even if a regular expression exists for the technique a malicious sample is using, a determined attacker can make minor modifications to avoid the regular expression. Figure 5 shows a minor modification to the sequence in Figure 4, which avoids the regex detection.
Figure 5: A minor change (extra carets) to an obfuscated command line that breaks the regular expression in Figure 3
The second approach, which is closer to an ML approach, involves writing complex if-then rules. However, these rules are hard to derive, are complex to verify, and pose a significant maintenance burden as authors evolve to escape detection by such rules. Figure 6 shows one such if-then rule.
Figure 6: An if-then rule that *may* indicate obfuscation (notice how loose this rule is, and how false positives are likely)
A third approach is to combine regular expressions and if-then rules. This greatly complicates the development and maintenance burden, and still suffers from the same weaknesses that make the first two approaches fragile. Figure 7 shows an example of an if-then rule with regular expressions. Clearly, it is easy to appreciate how burdensome it is to generate, test, maintain and determine the efficacy of such rules.
Figure 7: A combination of an if-then rule with regular expressions to detect obfuscation (a real hand-built obfuscation detector would consist of tens or hundreds of rules and still have gaps in its detection)
The ML Approach – Moving Beyond Pattern Matching and Rules
Using ML simplifies the solution to these problems. We will illustrate two ML approaches: a feature-based approach and a feature-less end-to-end approach.
There are some ML techniques that can work with any kind of raw data (provided it is numeric), and neural networks are a prime example. Most other ML algorithms require the modeler to extract pertinent information, called features, from raw data before they are fed into the algorithm. Some examples of this latter type are tree-based algorithms, which we will also look at in this blog (we described the structure and uses of Tree-Based algorithms in a previous blog post, where we used a Gradient-Boosted Tree-Based Model).
ML Basics – Neural Networks
Neural networks are a type of ML algorithm that have recently become very popular and consist of a series of elements called neurons. A neuron is essentially an element that takes a set of inputs, computes a weighted sum of these inputs, and then feeds the sum into a non-linear function. It has been shown that a relatively shallow network of neurons can approximate any continuous mapping between input and output. The specific type of neural network we used for this research is what is called a Convolutional Neural Network (CNN), which was developed primarily for computer vision applications, but has also found success in other domains including natural language processing. One of the main benefits of a neural network is that it can be trained without having to manually engineer features.
Featureless ML
While neural networks can be used with feature data, one of the attractions of this approach is that it can work with raw data (converted into numeric form) without doing any feature design or extraction. The first step in the model is converting text data into numeric form. We used a character-based encoding where each character type was encoded by a real valued number. The value was automatically derived during training and conveys semantic information about the relationships between characters as they apply to cmd.exe syntax.
Feature-Based ML
We also experimented with hand-engineered features and a Gradient Boosted Decision Tree algorithm. The features developed for this model were largely statistical in nature – derived from the presence and frequency of character sets and keywords. For example, the presence of dozens of ‘%’ characters or long, contiguous strings might contribute to detecting potential obfuscation. While any single feature will not perfectly separate the two classes, a combination of features as present in a tree-based model can learn flexible patterns in the data. The expectation is that those patterns are robust and can generalize to future obfuscation variants.
Data and Experiments
To develop our models, we collected non-obfuscated data from tens of thousands of endpoint events and generated obfuscated data using a variety of methods in Invoke-DOSfuscation. We developed our models using roughly 80 percent of the data as training data, and tested them on the remaining 20 percent. We ensured that our train-test split was stratified. For featureless ML (i.e. neural networks), we simply input Unicode code points into the first layer of the CNN model. The first layer converts the code point into semantically meaningful numerical representations (called embeddings) before feeding it into the rest of the neural network.
For the Gradient Boosted Tree method, we generated a number of features from the raw command lines. The following are some of them:
Length of the command line
The number of carets in the command line
The count of pipe symbols
The fraction of white space in the command line
The fraction of special characters
Entropy of the string
The frequency of the strings “cmd” and “power” in the command line
While each of these features individually is a weak signal and could not possibly be a good discriminator on its own, a flexible classifier such as a Gradient Boosted Tree – trained on sufficient data with these features – is able to classify obfuscated and non-obfuscated command lines in spite of the aforementioned difficulties.
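The features listed above can be computed directly from the raw command-line string. The following Python is an added example, not FireEye's code; the function names, the set of characters treated as "special", and the two sample command lines are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumption: which characters count as "special" (the post does not define the set).
SPECIAL = set("^%&|<>()!,;=\"'@")

def shannon_entropy(s):
    """Shannon entropy of the string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def extract_features(cmdline):
    """Compute the statistical features listed above for one command line."""
    n = len(cmdline)
    lower = cmdline.lower()
    return {
        "length": n,
        "caret_count": cmdline.count("^"),
        "pipe_count": cmdline.count("|"),
        "whitespace_frac": sum(ch.isspace() for ch in cmdline) / n if n else 0.0,
        "special_frac": sum(ch in SPECIAL for ch in cmdline) / n if n else 0.0,
        "entropy": shannon_entropy(cmdline),
        "cmd_count": lower.count("cmd"),      # frequency of the string "cmd"
        "power_count": lower.count("power"),  # frequency of the string "power"
    }

# Constructed samples (not from the FireEye data set): the same benign echo
# command, once in clear form and once with carets inserted.
SAMPLES = {
    "clear": "cmd /c echo hello",
    "carets": "c^m^d /c e^c^h^o hello",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        feats = extract_features(line)
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

On the caret-inserted sample the "cmd" keyword count falls to 0 while the caret count and special-character fraction rise, which illustrates why the features are fed to a classifier in combination rather than thresholded one at a time.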
Results
Evaluated against our test set, we were able to get nearly identical results from our Gradient Boosted Tree and neural network models.
The results for the GBT model were near perfect with metrics such as F1-score, precision, and recall all being close to 1.0. The CNN model was slightly less accurate.
While we certainly do not expect perfect results in a real-world scenario, these lab results were nonetheless encouraging. Recall that all of our obfuscated examples were generated by one source, namely the Invoke-DOSfuscation tool. While Invoke-DOSfuscation generates a wide variety of obfuscated samples, in the real world we expect to see at least some samples that are quite dissimilar from any that Invoke-DOSfuscation generates. We are currently collecting real world obfuscated command lines to get a more accurate picture of the generalizability of this model on obfuscated samples from actual malicious actors. We expect that command obfuscation, similar to PowerShell obfuscation before it, will continue to emerge in new malware families.
As an additional test we asked Daniel Bohannon (author of Invoke-DOSfuscation, the Windows command line obfuscation tool) to come up with obfuscated samples that in his experience would be difficult for a traditional obfuscation detector. In every case, our ML detector was still able to detect obfuscation. Some examples are shown in Figure 8.
Figure 8: Some examples of obfuscated text used to test and attempt to defeat the ML obfuscation detector (all were correctly identified as obfuscated text)
We also created very cryptic looking texts that, although valid Windows command lines and non-obfuscated, appear slightly obfuscated to a human observer. This was done to test efficacy of the detector with boundary examples. The detector was correctly able to classify the text as non-obfuscated in this case as well. Figure 9 shows one such example.
Figure 9: An example that appears on first glance to be obfuscated, but isn’t really and would likely fool a non-ML solution (however, the ML obfuscation detector currently identifies it as non-obfuscated)
Finally, Figure 10 shows a complicated yet non-obfuscated command line that is correctly classified by our obfuscation detector, but would likely fool a non-ML detector based on statistical features (for example a rule-based detector with a hand-crafted weighting scheme and a threshold, using features such as the proportion of special characters, length of the command line or entropy of the command line).
Figure 10: An example that would likely be misclassified by an ML detector that uses simplistic statistical features; however, our ML obfuscation detector currently identifies it as non-obfuscated
CNN vs. GBT Results
We compared the results of a heavily tuned GBT classifier built using carefully selected features to those of a CNN trained with raw data (featureless ML). While the CNN architecture was not heavily tuned, it is interesting to note that with samples such as those in Figure 10, the GBT classifier confidently predicted non-obfuscated with a score of 19.7 percent (the complement of the measure of the classifier’s confidence in non-obfuscation). Meanwhile, the CNN classifier predicted non-obfuscated with a confidence probability of 50 percent – right at the boundary between obfuscated and non-obfuscated. The number of misclassifications of the CNN model was also more than that of the Gradient Boosted Tree model. Both of these are most likely the result of inadequate tuning of the CNN, and not a fundamental shortcoming of the featureless approach.
Conclusion
In this blog post we described an ML approach to detecting obfuscated Windows command lines, which can be used as a signal to help identify malicious command line usage. Using ML techniques, we demonstrated a highly accurate mechanism for detecting such command lines without resorting to the often inadequate and costly technique of maintaining complex if-then rules and regular expressions. The more comprehensive ML approach is flexible enough to catch new variations in obfuscation, and when gaps are detected, it can usually be handled by adding some well-chosen evader samples to the training set and retraining the model.
This successful application of ML is yet another demonstration of the usefulness of ML in replacing complex manual or programmatic approaches to problems in computer security. In the years to come, we anticipate ML to take an increasingly important role both at FireEye and in the rest of the cyber security industry.
Source: Obfuscated Command Line Detection Using Machine Learning, original post from FireEye. Author: Vikram Hegde