BruCON 0x05 has ended
This schedule is subject to change, check back regularly.
Registration starts at 8h30!
The workshop rooms at the Novotel are a 5 minute walk from the main venue.
Workshop seats are limited to a maximum of 30 persons in rooms Orval, Chimay and La Trappe. Seats are allocated on a first come, first served basis, so please be there on time.
Friday, September 27 • 3:30pm - 5:30pm
Winter Cluster: Build a malware agglomerator (Michael Sikorski, Willi Ballenthin)


Millions of new malware samples are identified each week, but most are simply variants of well-known families. Finding a means to automatically group these families enables researchers to focus their time on the truly interesting samples. Machine learning clustering algorithms are well suited to this task. WINTER CLUSTER is a four-hour, hands-on workshop that introduces machine learning and malware analysis. Students build a foundation on these topics and create an interactive malware clustering tool from scratch. After the conference, attendees can immediately integrate “the Agglomerator” into their real-world or R&D environments.

The first hour of the workshop provides the students with a taste of machine learning. WINTER CLUSTER covers both classification and clustering algorithms, but focuses on the intuition behind each approach. In the first lab session, students work with an industrial-grade machine learning toolkit to rapidly triage a large dataset and identify threats.

The second hour of the workshop has students dive into malware analysis. WINTER CLUSTER presents common techniques for static and dynamic analysis. Throughout this session, the authors place an emphasis on identifying features appropriate for machine learning algorithms. In this session, students dissect real malware and manually identify similarities among the samples.

After a break, the third and fourth hours of the workshop take the newly formed expertise and apply it to the problem: "How can we handle a firehose of malware?". Students build an automated malware clustering tool that discovers relationships among samples. As they identify and extract robust features, the tool agglomerates binaries into families. WINTER CLUSTER concludes by exploring how attendees can implement a similar system in their research or professional environment.
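The two paragraphs above describe one pipeline: pick features that survive variant-to-variant churn, then let an agglomerative algorithm merge samples into families. The block below is an added illustration of that pipeline written for this page; it is not the workshop's Agglomerator nor any Mandiant code. Everything in it is an assumption chosen for the example: the "binaries" are constructed byte blobs with embedded strings (not real malware), the feature is printable-string extraction as a stand-in for the static features discussed in hour two, the distance is Jaccard distance between feature sets, and the clustering is average-linkage agglomerative clustering with a stop threshold, using only the standard library. A document-frequency pruning step (max_df) shows why "robust" matters: a string shared by most of the corpus, here kernel32.dll, drags unrelated families together once the threshold is loosened.

```python
"""Toy malware agglomerator: static string features + hierarchical clustering.

Added example for this page, not the workshop's tool. Standard library only.
Pipeline: extract features -> (optionally) prune non-robust features ->
Jaccard distance -> average-linkage agglomerative clustering with a stop
threshold, so samples end up grouped into families.
"""
import re
from itertools import combinations

# Constructed, synthetic "binaries": byte blobs with embedded strings that
# stand in for real samples (assumption for the example; not real malware).
SAMPLES = {
    "dl1": (b"MZ\x90\x00URLDownloadToFileA\x00http://update.example/bot.bin\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"kernel32.dll\x00urlmon.dll\x00build_v1\x00"),
    "dl2": (b"MZ\x90\x00URLDownloadToFileA\x00http://update.example/bot.bin\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"kernel32.dll\x00urlmon.dll\x00build_v2\x00"),
    "inj1": (b"MZ\x90\x00CreateRemoteThread\x00WriteProcessMemory\x00"
             b"VirtualAllocEx\x00explorer.exe\x00kernel32.dll\x00mutex_abc123\x00"),
    "inj2": (b"MZ\x90\x00CreateRemoteThread\x00WriteProcessMemory\x00"
             b"VirtualAllocEx\x00explorer.exe\x00kernel32.dll\x00mutex_xyz789\x00"),
    "kl1": (b"MZ\x90\x00GetAsyncKeyState\x00SetWindowsHookExA\x00"
            b"user32.dll\x00keys.log\x00"),
}

# Runs of printable ASCII at least 5 bytes long, i.e. what `strings` reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")


def extract_features(blob):
    """Static feature set of one sample: its printable strings."""
    return frozenset(m.group().decode("ascii") for m in STRING_RE.finditer(blob))


def prune_common(features, max_df):
    """Drop features present in more than max_df of all samples.

    Strings shared by most of the corpus (here 'kernel32.dll') say nothing
    about family membership; keeping them pulls unrelated samples together.
    """
    count = {}
    for fs in features.values():
        for f in fs:
            count[f] = count.get(f, 0) + 1
    keep = {f for f, c in count.items() if c / len(features) <= max_df}
    return {name: fs & keep for name, fs in features.items()}


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; two empty sets are treated as identical."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def agglomerate(features, threshold):
    """Average-linkage agglomerative clustering over Jaccard distance.

    Start with one cluster per sample and repeatedly merge the closest pair,
    stopping once the closest pair is farther apart than `threshold`.
    Written for clarity, not scale: every pass rescans all cluster pairs.
    """
    names = list(features)
    pair_dist = {frozenset((x, y)): jaccard_distance(features[x], features[y])
                 for x, y in combinations(names, 2)}
    clusters = [{n} for n in names]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            total = sum(pair_dist[frozenset((x, y))]
                        for x in clusters[i] for y in clusters[j])
            d = total / (len(clusters[i]) * len(clusters[j]))
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best
        if d > threshold:
            break
        clusters[i] |= clusters[j]   # j > i, so index i stays valid after del
        del clusters[j]
    return clusters


def cluster_samples(samples, threshold, max_df=None):
    """Whole pipeline; returns families as a sorted list of sorted name lists."""
    feats = {name: extract_features(blob) for name, blob in samples.items()}
    if max_df is not None:
        feats = prune_common(feats, max_df)
    return sorted(sorted(c) for c in agglomerate(feats, threshold))


if __name__ == "__main__":
    print("tight threshold:", cluster_samples(SAMPLES, 0.5))
    print("loose threshold:", cluster_samples(SAMPLES, 0.95))
    print("loose + pruning:", cluster_samples(SAMPLES, 0.95, max_df=0.5))
```

At a tight threshold the two downloader variants and the two injector variants form two families and the keylogger stays a singleton. Loosening the threshold to 0.95 merges downloaders and injectors on the strength of a single shared string, kernel32.dll; pruning features that occur in more than half the corpus restores the three-family answer at the same loose threshold, which is the practical content of "robust features". A production version would swap the strings feature for richer ones (imports, opcode n-grams, sandbox behaviour), use a scalable linkage implementation, and treat the threshold as something to tune against labelled families rather than a constant.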

Attendees of the workshop are encouraged to bring a laptop with VMware in order to participate in the labs. The speakers will provide a virtual machine with all required software and frameworks.


Willi Ballenthin

Willi Ballenthin is a Consultant with Mandiant who can usually be found responding to breaches. Although he has experience in a variety of forensic settings, Willi enjoys reconstructing intrusions from initial exploit to long-term persistence. At Mandiant, Willi identifies vectors...

Michael Sikorski

Michael Sikorski is a well-known expert in malware analysis. He is a Technical Director at Mandiant and a member of the Mandiant Labs (M-Labs) leadership team. He leads the M-Labs malware analysis team through reverse engineering malware as a primary analyst and manages the overall...

Friday September 27, 2013 3:30pm - 5:30pm CEST
4 Chimay Novotel Ghent