Tiberiu Boros is a Ph.D. in computer science, specifically in the field of Text-to-Speech (TTS) Synthesis. He is currently working for Adobe Systems Romania and is an associate of the Research Institute for Artificial Intelligence of the Romanian Academy. Additionally, he maintains two Machine Learning open source projects (TTS-Cube and NLP-Cube) and is a contributor to the DyNet Machine Learning Framework (developed by Carnegie Mellon University and many others). His research is focused on applied Natural Language and Speech Processing.

Project SCOUT. Deep Learning for malicious code detection

The number of client-side attack vectors has increased dramatically in the last decade. From exploiting browser vulnerabilities to miners or drive-by downloads, attackers commonly use Javascript code to achieve their goals. In the past, malicious code classification has been achieved using standard feature-engineering over static code analysis or dynamic code execution patterns.
We propose a new deep-learning inspired methodology for detecting malicious code, based on latent representations computed in an un-supervised manner. We explore three different methodologies for computing the latent representations in a deep encoder-decoder architecture: self-attention, global style tokens (GST) and “memory-based” representations.
The three strategies for computing latent representations capture different aspects of how the code is written: (a) the GST tokens capture specific attacker techniques like code that is obfuscated or encrypted or that does many string manipulations; (b) the memory-based method learns “code patterns” such as iterators, if/else statements, asserts etc. and (c) the multi-head attention method captures on-the-fly summarizations of code-segments that are hard to reconstruct (don’t follow standard patterns).
1. The self-attention model represents code as the concatenated values of all heads in a multi-head attention system;
2. The GST method computes a probability distribution (attention) over a fixed number of style tokens (embeddings) and the latent representation is obtained as the weighted sum over all the tokens;
3. Finally, the memory-based method is similar to GST, but it computes multiple probability distributions over different buckets of style-tokens.

The latent code representations are used as input for a multilayer perceptron that classifies a code segment as being malicious or not. Our initial experiments on previously unseen data show state-of-the art results in classifying both isolated code-sequences as well as entire JS files as being malicious or benign.

The same latent-representation extraction methodology can be used over multiple datasets, regardless of the programming language, to attend a wide-variety of code-related tasks or problems as: identifying vulnerable code, identifying bad practices, indexing code (finding similar code), copyright issues, etc.
This talk is co-presented with Marius Manica, Cyber Incident Response at Adobe