Case 3:17-cv-05659-WHA Document 390-16 Filed 03/14/19 Page 1 of 8
[Figure: Sky ATP Analysis Pipeline. Diagram labels: CUSTOMER NETWORKS, ANALYSIS PIPELINE, Safe, Malicious.]

Speaker Notes for Slide 1

So, how does Argon use ML? What classification decisions are we making?

Essentially we want to decide, for each sample, whether it’s malicious or not. We accomplish this by funneling samples through Argon’s ANALYSIS PIPELINE. As samples flow through the pipeline, we process them in a number of ways to generate metadata which helps us to classify the samples.

Currently samples can be analyzed by an antivirus adapter, two static analysis adapters, and a sandbox+deception adapter. Based on the metadata generated by these adapters our ML models form an estimate of the probability that a given sample is malicious.

However, it costs us more the longer a sample remains in the pipeline since the latter stages take more time to compute, so we build ML models which can try to classify a sample at each stage where new metadata is available. At each stage the VERDICT ENGINE will basically say, “this is safe; stop scanning”, “this is malware; stop scanning and block it”, or “not sure; continue analyzing the sample.”

ave a relatively simple model to interpret the results from 6
es; the result is more or less that if a sample hits a couple
d AVs (or several less trusted AVs) then we believe that it's
malware.
further processing isn't crak necessary.
• However, we may continue to analyze the sample in order to obtain
more information either to inform the customer of the malware's
behavior or for purposes of internal efficacy tracking/improvement

esults of the analyses are evaluated by ML models to determine
a sample is so obviously malicious or benign that we can stop
scanning it, or (2) iLwe shouldns to eaUpexng:

• We collect a large amount of information, including things like "this
executable appears to contain code to make API calls secretly", or
"this document contains obfuscated VBA", but we do not provide this
information to the customer.

esults of dynamic analysis give us our most accurate evaluation
ample, and with deception we're able to obtain an impressively
low false positive rate.

computer, dropping the sample onto the desktop, and double-clicking

instance, and then later etoued from the queue.

[Screenshot: "General sample information" and "Adapter results" panels, listing antivirus, fast static analysis, slow static analysis, sandbox with deception, and verdict.]
