Machine Learning for Reverse Engineers
Virtual 32 CPE Hours Training ★ February 2024
WEEK 1 ★ FEB 10-17 // DETAILED SCHEDULE READY
Abstract
This course features a practical hands-on approach to automated program analysis using machine learning. Given the increasing pervasiveness of IoT devices and malware, there is a great need to perform automated reverse engineering at scale, especially since reverse engineering software and firmware can often be a manual, labor-intensive, and time-intensive process. This class is perfectly suited for students who are new to machine learning and want to leverage it to automate their program analysis and reverse engineering efforts.
This class kicks off with advanced program analysis: automatically identifying shared code relationships between applications using different binary features, computing code-sharing similarity over a data set to determine binary groupings, and then scoring a new binary’s similarity to previously seen samples based on code-sharing patterns. We will also cover intermediate representations of binaries and how they can be used for advanced program analysis.
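The shared-code workflow described above, as an added illustration that is not part of the course material: each binary is reduced to the set of overlapping byte n-grams it contains, Jaccard similarity over those sets scores how much code two samples share, single-linkage grouping over a threshold yields families, and the same scores rank a new sample against everything seen before. The last function turns the variable-size n-gram set into a fixed-length hashed count vector, which is the shape the clustering and classification algorithms taught later in the class expect. The "binaries", the 4-byte window size, the 0.5 threshold and the family names are all constructed assumptions for the example, not data or parameters from the course.

```python
"""Added example (stdlib only): shared-code analysis with byte n-grams.

The corpus below is constructed from a seeded RNG: two "families" each
reuse one 200-byte blob (standing in for a statically linked library) and
differ in the bytes that follow it. No real firmware or malware is used.
"""
import random
import zlib
from itertools import combinations


def byte_ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte windows of data. n=4 is an assumed starting point."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity_matrix(samples: dict[str, bytes], n: int = 4) -> dict[tuple[str, str], float]:
    """Pairwise Jaccard similarity over every unordered pair of named samples."""
    feats = {name: byte_ngrams(blob, n) for name, blob in samples.items()}
    return {(x, y): jaccard(feats[x], feats[y]) for x, y in combinations(sorted(feats), 2)}


def group_samples(samples: dict[str, bytes], threshold: float = 0.5, n: int = 4) -> list[set[str]]:
    """Single-linkage grouping via union-find: two samples share a family when a
    chain of pairs with similarity >= threshold connects them."""
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (x, y), score in similarity_matrix(samples, n).items():
        if score >= threshold:
            parent[find(x)] = find(y)
    groups: dict[str, set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))


def nearest_sample(new_blob: bytes, samples: dict[str, bytes], n: int = 4) -> tuple[str, float]:
    """Rank a previously unseen binary against the corpus; return the best match."""
    new_feats = byte_ngrams(new_blob, n)
    scored = [(jaccard(new_feats, byte_ngrams(blob, n)), name) for name, blob in samples.items()]
    score, name = max(scored)
    return name, score


def hashed_feature_vector(data: bytes, dim: int = 256, n: int = 4) -> list[int]:
    """Feature hashing: bucket each n-gram by CRC32 so the n-gram set becomes a
    fixed-length count vector usable by clustering/classification code."""
    vec = [0] * dim
    for gram in byte_ngrams(data, n):
        vec[zlib.crc32(gram) % dim] += 1
    return vec


# --- constructed corpus (assumed data, not course data) ---
_rng = random.Random(1337)


def _blob(size: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(size))


LIB_A = _blob(200)   # code shared by family 1
LIB_B = _blob(200)   # code shared by family 2
SAMPLES = {
    "fam1_v1.bin": LIB_A + _blob(60),
    "fam1_v2.bin": LIB_A + _blob(90),
    "fam2_v1.bin": LIB_B + _blob(60),
    "fam2_v2.bin": LIB_B + _blob(40),
    "unrelated.bin": _blob(260),
}
NEW_SAMPLE = LIB_A + _blob(100)   # unseen build that reuses family 1's library


if __name__ == "__main__":
    for pair, score in sorted(similarity_matrix(SAMPLES).items()):
        print(f"{pair[0]:>14} vs {pair[1]:<14} jaccard={score:.3f}")
    print("families:", group_samples(SAMPLES, threshold=0.5))
    print("nearest to new sample:", nearest_sample(NEW_SAMPLE, SAMPLES))
    print("hashed features, first 8 buckets:", hashed_feature_vector(NEW_SAMPLE)[:8])
```

Raw byte n-grams are deliberately the simplest feature; on real samples they are sensitive to compiler, architecture and packing, which is why the agenda moves on to opcode-level and IR-based features. The threshold also has to be chosen per feature type and corpus, and single linkage will chain loosely related samples into one family if that threshold is set too low.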
Next, we will introduce machine learning concepts and their applications to automated reverse engineering. We will first use unsupervised machine learning algorithms to find data patterns and features which can be useful for categorization. Then we will develop supervised machine learning models to classify binaries and make certain predictions about them. Lastly, we will apply deep learning to automate program analysis by building and evaluating neural networks. Throughout the class, labs will be conducted in a virtual environment. Students will leave the course with the necessary hands-on experience, knowledge, and confidence to conduct automated program analysis at scale using machine learning.
Applications covered in the class include, but are not limited to:
- Binary Analysis
- Malware Analysis
- Firmware Analysis
- Network/IoT Analysis
- Mobile Security Analysis
- Security Research / Vulnerability Discovery
Key Learning Objectives
- Performing Shared Code Analysis
- Leveraging intermediate representations for advanced program analysis
- Introduction to Machine Learning
- Understanding your data using descriptive statistics and visualization techniques
- Exploring Unsupervised ML algorithms
- Developing Supervised ML models
- Building Neural Networks
- Evaluating, measuring, and optimizing the effectiveness of ML systems
- Automating machine learning workflows
Intended Audience
- Reverse engineers, security researchers, and analysts with little to no experience with machine learning
- Analysts, security researchers, and reverse engineers who want to automate and scale their program analysis and reverse engineering process
Detailed Agenda
Session 1:
- Introduction to advanced program analysis
- Identifying and extracting program features
- EXERCISE: Similarities Lab
- Leveraging N-Grams for program analysis
- EXERCISE: N-Grams Lab
- Performing agnostic program analysis
- EXERCISE: Architecture and Compiler Agnostic Analysis Lab
- Introduction to intermediate representations
- EXERCISE: IR Lab
Session 2:
- Introduction to Machine Learning
- Evaluating ML systems
- Unsupervised ML algorithm: K-Means Clustering
- EXERCISE: K-Means Lab
- Unsupervised ML algorithm: Agglomerative Hierarchical Clustering
- EXERCISE: Agglomerative Analysis Lab
- Unsupervised ML algorithm: DBSCAN
- EXERCISE: DBSCAN Lab
- Unsupervised ML algorithm: Principal Component Analysis
- EXERCISE: PCA Lab
Session 3:
- Introduction to Supervised Machine Learning
- Supervised ML algorithm: Logistic Regression
- EXERCISE: Logistic Regression Lab
- Supervised ML algorithm: Decision Tree
- EXERCISE: Decision Tree Lab
- Supervised ML algorithm: Random Forest
- EXERCISE: Random Forest Lab
- Supervised ML algorithm: K Nearest Neighbors
- EXERCISE: KNN Lab
- Supervised ML algorithm: Support Vector Machines
- EXERCISE: SVM Lab
Session 4:
- Introduction to Neural Networks
- Building Neural Networks for Program Analysis
- EXERCISE: Neural Networks Development Lab
- Evaluating Neural Networks
- EXERCISE: Neural Networks Performance Lab
- Transformers and Large Language Models (e.g., BERT, OpenAI GPT, Google Bard)
Knowledge Prerequisites
- Knowledge of Python 3 programming
- Knowledge of computer architecture concepts
- Knowledge of an assembly language (e.g., x86/x64, ARM, etc.)
- Familiarity with navigating Linux environments and command line knowledge
Hardware Requirements
- A working laptop or desktop (no Netbooks, no Tablets, no iPads)
- Intel Core i3 (equivalent or superior) required
- 8GB RAM required, at a minimum
- 40 GB free hard disk space, at a minimum
Software Requirements
The following software needs to be installed on each student laptop prior to the workshop:
- Linux / Windows / Mac OS X desktop operating systems
- VMware Workstation or Fusion. The free 30-day trial is sufficient and can be downloaded here: https://www.vmware.com/try-vmware.html
- Administrator / root access MANDATORY
Hahna Latonick
For the past 17 years of her engineering career, Hahna Kane Latonick has worked throughout the defense industry specializing in cybersecurity as a security researcher for the Department of Defense and other defense contracting companies. She has been featured as a cybersecurity subject matter expert on Fox Business News, ABC, U.S. News and World Report, and other national media outlets. She has led multiple tech startups, serving as CTO, VP of R&D, and Director of R&D. She has trained and developed security researchers at one of the top five aerospace and defense industry companies. Over the years, she has also taught at different conferences, such as CanSecWest, Ringzer0 and Security BSides Orlando. In 2014, she became a DEFCON CTF finalist, placing 6th and ranking in the top 1.5% of ethical hackers worldwide. She also holds CISSP and CEH certifications. Latonick attended Swarthmore College and Drexel University, where she earned her B.S. and M.S. in Computer Engineering along with a Mathematics minor.