Botconf Author Listing

Ali Fakeri-Tabrizi

Last known affiliation: Alibaba Cloud
Bio: Dr. Ali Fakeri-Tabrizi is Principal Data Scientist at Alibaba Cloud. His main area of interest is Machine learning modeling and data analysis for cybersecurity applications. He got a Ph.D. degree in Computer Science, Artificial Intelligence from Sorbonne Université, France.
Date: 2022-04-28
Detecting emerging malware on cloud before VirusTotal can see it
Anastasia Poliakova 🗣 | Andreas Pfadler 🗣 | Yuriy Yuzifovich | Ali Fakeri-Tabrizi | Gan Feng | Hongliang Liu | Thanh Nguyen

Abstract (click to view)

In this session, we will present our approach for detecting newly emerging malware on a cloud platform and predicting its behavior, and doing so before VirusTotal or any other 3rd party detection engine can report it.

We will specifically describe our methodology for detecting emerging malware and predicting its behavior by combining an anomaly detection engine (we refer to as ‘GAD’ – General Anomaly Detection system), and a graph pattern-learning machine.

Slides Icon
Paper Link Icon
Date: 2020-12-04
Honeypot + graph learning + reasoning = scale up your emerging threat analysis
Ali Fakeri-Tabrizi 🗣 | Hongliang Liu 🗣 | Anastasia Poliakova | Yohai Einav

Abstract (click to view)

You must see thousands of new threats hitting your honeypot, what would you do next? Buying more coffee for the security research team so they can keep analyzing more? At Alibaba Cloud, we have the same flood of emerging new threats in our honeypot and we want to present our work to scale up the new threat analysis, with our honeypot system, the graph learning algorithm and the reasoning framework, surely, the most important, human in the loop!

The real-life problem comes after having a large honeypot system. We see new bots in the honeypot every hour, and they also try their best to fool our honeypot. Alibaba Cloud security team’s honeypot supports ssh, telnet, and HTTP protocols, that allows us to catch attacks on different levels. However, with new attacks vectors, it might be difficult to track existing malicious comparing. An attacker can easily change the hash value of binaries, structure of a payload, or adopt new vulnerabilities to attack with the same set of TTP (Tactics, Techniques, and Procedures). To make it worse, such changes are happening every hour.

Scroll to Top