Hongliang Liu
Last known affiliation: Clarivate
Bio: Dr. Hongliang Liu is currently Director of Engineering at Security Innovations Labs of Alibaba Cloud. His primary research focus is on general machine intelligence approach to solve network security problems on cloud, mostly on malware and botnet detection. He also has multiple patents on malware detection methods. He has received his PhD degree in 2011.
Anastasia Poliakova 🗣 | Andreas Pfadler 🗣 | Yuriy Yuzifovich | Ali Fakeri-Tabrizi | Gan Feng | Hongliang Liu | Thanh Nguyen
Abstract (click to view)
In this session, we will present our approach for detecting newly emerging malware on a cloud platform and predicting its behavior, and doing so before VirusTotal or any other 3rd party detection engine can report it.
We will specifically describe our methodology for detecting emerging malware and predicting its behavior by combining an anomaly detection engine (we refer to as ‘GAD’ – General Anomaly Detection system), and a graph pattern-learning machine.
Ali Fakeri-Tabrizi 🗣 | Hongliang Liu 🗣 | Anastasia Poliakova | Yohai Einav
Abstract (click to view)
You must see thousands of new threats hitting your honeypot, what would you do next? Buying more coffee for the security research team so they can keep analyzing more? At Alibaba Cloud, we have the same flood of emerging new threats in our honeypot and we want to present our work to scale up the new threat analysis, with our honeypot system, the graph learning algorithm and the reasoning framework, surely, the most important, human in the loop!
The real-life problem comes after having a large honeypot system. We see new bots in the honeypot every hour, and they also try their best to fool our honeypot. Alibaba Cloud security team’s honeypot supports ssh, telnet, and HTTP protocols, that allows us to catch attacks on different levels. However, with new attacks vectors, it might be difficult to track existing malicious comparing. An attacker can easily change the hash value of binaries, structure of a payload, or adopt new vulnerabilities to attack with the same set of TTP (Tactics, Techniques, and Procedures). To make it worse, such changes are happening every hour.
Yohai Einav 🗣 | Hongliang Liu | Alexey Sarychev
Abstract (click to view)
We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.
Yuriy Yuzifovich 🗣 | Hongliang Liu | Alexey Sarychev | Amir Asiaee
Abstract (click to view)
We propose and implement a novel method of discovering botnet activities by identifying new core domains (domains that are directly below a TLD) that appear in real-time DNS query traffic as suspicious, and discovering botnet C&C groups using a domain correlation machine learning model. This method discovers botnet C&C groups before security list vendors which it is benchmarked against.