Explore ReversingLabs Software Supply Chain Security's New Secrets Capabilities
LEARN MORE
Forrester Report: The Software Composition Analysis Landscape, Q1 2023 
LEARN MORE
eBook: Why Traditional App Sec Testing Fails on Supply Chain Security
READ NOW

TitaniumCore

Explainable Machine Learning

TitaniumCore includes “explainable” machine learning, a groundbreaking application of machine learning algorithms and models to classify unknown malware, while providing analysts a deep and actionable understanding of “why” the detection was determined. TitaniumCore’s machine learning classification is based entirely on human readable indicators, coded to identify which of these indicators have contributed to a malware’s final verdict. Furthermore, each of these indicators is linked to a respective MITRE ATT&CK framework category that helps SOC analysts understand the type of threat they are dealing with, its behaviors at various stages in the attack, with references to the verifiable data supporting that mapping, and its impact to the organization.

Explainable Machine Learning
What is Explainable Machine Learning?
Accurate Malware Family Modeling & Classification

Accurate Malware Family Modeling & Classification

  • Challenge: Traditional machine learning models are applied to a very large data set of millions of files that are then sorted into buckets with labels of good or bad, while being in the form of 1’s and 0’s, and not human readable. This approach results in vague often meaningless classifications such as Finding: Unknown, Threat Score: 68/100, or Malware: Virus, with the supporting information and features lacking human interpretability. It’s often very difficult to overcome this challenge since it requires skilled threat researchers that understand threats at a deep level and with the time and technology to properly label.
  • Solution: ReversingLabs solves this explainability problem through a much more effective way of labeling, which includes smaller cluster threat types such as Ransomware, Keyloggers, etc. In addition the feature set used to apply models is not 1’s and 0’s, but instead human readable indicators. These human readable indicators are textual descriptions of intent that allows a security analyst to understand why a verdict was determined and take quick action. And by leveraging the world’s largest private database of goodware/malware, ReversingLabs possesses the data set to effectively train these models to accurately detect day zero threats on a global level.
Machine Learning Indicator Tagging

Machine Learning Indicator Tagging

  • Challenge: Analysts are often placed in the situation of “accepting” the outputs of their security tools, without any context as to why or how these decisions were made. Unfortunately, this context is often what is required in order to make decisions, formulate a response, and justify their actions. They need more than detection- they need the intelligence, or evidence, to confidently proceed. And ideally in a human readable form.
  • Solution: ReversingLabs static analysis system unpacks complex objects, extracts over 3,000 metadata points, and translates this into human readable indicators or descriptions about how a file will behave. Through explainable machine learning, TitaniumCore makes a classification decision based on predefined models, delivering machine learning tagged indicators that are interpretable by a human analyst. This added context supports a verifiable classification and a level of transparency in the classification decision that is the most defensible, and more importantly actionable.
Actionable Indicators in the MITRE ATT&CK Framework

Actionable Indicators in the MITRE ATT&CK Framework

  • Challenge: In order for threat intelligence to be effective it needs to be understandable and actionable. Far too often threat intelligence vendors offer lists of insights but with limited guidance and steps to put into action.
  • Solution: ReversingLabs is setting a path forward in addressing this problem by providing trusted and actionable threat intelligence enabling analysts to quickly clear alert queues, make classification convictions with confidence, and initiate incident response and remediation. This helps set the stage for SOC automation- which will further offload the routine, repetitive, and mundane tasks historically left to the analysts. In addition, ReversingLabs is delivering human readable indicators for each threat within the MITRE ATT&CK framework. This will provide security analysts a map of the specific attack with clear actions on where and how to defend and remediate.
Overview

TitaniumCore implements highly-scalable automated static analysis to recursively unpack, extract internal indicators and classify files to support real-time and/or high-volume applications. With static analysis, files are not executed so that detailed analysis may be performed in milliseconds on an extensive list of file types. TitaniumCore consists of software and an SDK for integration into advanced automated workflows, products or services.

High-Speed Analysis for a New Generation of Advanced Threats

TitaniumCore performs advanced file analysis at millisecond speeds with a powerful engine for applications of any scale, from a few samples to millions of samples daily. The rules engine calculates threat level based on rules provided by ReversingLabs and YARA rules supplied by the customer. Extracted files can automatically be routed to additional analysis tools (e.g., decompilers, debuggers, sandboxes) or an analyst for further evaluation based on threat level and type to make the most efficient use of security assets. No other product (e.g., sandboxes or scanners) exposes the breadth and depth of threat indicators extracted by TitaniumCore.

Features

TitaniumCore Engine Automated Static Analysis

  • Unique Automated Static Analysis fully dissects internal contents of files without execution
  • Every sample processed to extract all objects and uncover threat indicators
  • 3600 file formats identified from PE/Windows, ELF/ Linux, Mac OS, iOS, Android, firmware, FLASH and documents
  • Over 360 file formats unpacked and analyzed including archives, installers, packers & compressors

Results and Reports

  • The platform produces detailed XML and/or JSON reports for consumption by backend systems and databases for further analysis.

Detection Customization

  • YARA-based rules matched on all decompressed content
  • 3rd party modules supported

Integration Requirements

  • Linux and Windows 64-bit platforms
  • Multi-threaded architecture fully utilizes underlying host processing to maximize file processing capacity
  • CLI and API (C, C++, Python, .NET) for integrating with automated workflows or OEM products

TitaniumCore Technology

Get a deeper understanding of how it works