Forseti

Forseti is a prototype for binary classification (malware/goodware) targeting ELF/Linux binaries.

Authors

Forseti was authored by Lucas Galante under supervision of Marcus Botacin, André Grégio and Paulo de Geus.

Motivation

Forseti is inspired by the lack of didactic, academic tools for exploring Linux binaries.

Repository Organization

The repository is organized as follows:

Papers

Forseti is supported by a series of developments and described in multiple papers:

Installation

Install the following dependencies to run Forseti (pickle and configparser ship with the Python 3 standard library and need no separate install; scikit-learn is the package behind "import sklearn"):

pip install pyelftools
pip install scikit-learn

Execution

Forseti can be trained by providing it with a list of goodware and malware files:

python main.py -g goodware.txt -m malware.txt

The list should look like:

$> cat data/malware.txt
> tests/static_malicious.bin
> tests/upx.bin
> tests/fork.bin

Alternatively, one can also provide a list of suspicious files to be classified:

python main.py -g goodware.txt -m malware.txt -s suspicious.txt

Or, automate everything using our script:

./run-forsite.sh

Usage Example

If you start Forseti using the previously presented parameters, you should see a screen like this:

(Screenshot: Forseti Execution Example)

Notice that Forseti: (i) initially displays the feature vectors for all considered binaries; (ii) displays all parameters used for the selected classifier; and (iii) finally displays the classification metrics for each folding step.

Forseti Internals

If you want to take a look at how Forseti extracts features, you might want to look at:
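
As an added example (not Forseti's own extractor, which relies on pyelftools), the block below turns an ELF64 header into a fixed-order feature vector using only the standard library; the chosen feature set, the helper names and the two constructed sample headers are assumptions for illustration, not values from the project.

```python
import struct
from typing import Dict, List

# Fixed column order so every sample yields a vector of the same shape
# (the feature set itself is an assumption for this example, not Forseti's).
FEATURE_ORDER = ["e_type", "e_machine", "e_phnum", "e_shnum",
                 "has_section_headers", "e_entry"]

# Constructed sample: a minimal 64-byte ELF64 little-endian header for an
# x86-64 executable (not a real binary and not one of Forseti's test files).
SAMPLE_ELF64 = struct.pack(
    "<4sBBBBB7xHHIQQQIHHHHHH",
    b"\x7fELF", 2, 1, 1, 0, 0,   # magic, ELFCLASS64, ELFDATA2LSB, version, ABI, ABI ver
    2, 62, 1,                    # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
    0x401000, 64, 0x2000,        # e_entry, e_phoff, e_shoff
    0, 64, 56, 4, 64, 12, 11)    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx

# Same header with the section header table removed (e_shoff = 0, e_shnum = 0),
# the shape packers commonly leave behind; only those two fields are changed.
STRIPPED_ELF64 = (SAMPLE_ELF64[:40] + struct.pack("<Q", 0)
                  + SAMPLE_ELF64[48:60] + struct.pack("<H", 0) + SAMPLE_ELF64[62:])


def extract_features(data: bytes) -> Dict[str, int]:
    """Parse an ELF64 header into named features.
    Rejects non-ELF or truncated input with ValueError so a corrupt sample is
    dropped from the data set instead of silently becoming a zero vector."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file or header truncated")
    if data[4] != 2:
        raise ValueError("only ELFCLASS64 is handled here")
    endian = "<" if data[5] == 1 else ">"
    (e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        endian + "HHIQQQIHHHHHH", data[16:64])
    return {
        "e_type": e_type,
        "e_machine": e_machine,
        "e_phnum": e_phnum,
        "e_shnum": e_shnum,
        # a missing section table proves nothing by itself, but it is a cheap signal
        "has_section_headers": int(e_shoff != 0 and e_shnum != 0),
        "e_entry": e_entry,
    }


def feature_vector(data: bytes) -> List[int]:
    """Flatten the feature dict into the fixed column order a classifier expects."""
    feats = extract_features(data)
    return [feats[name] for name in FEATURE_ORDER]
```

Feeding real samples means reading each file listed in goodware.txt / malware.txt and calling feature_vector on its first 64 bytes.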

If you want to take a look at Forseti training, you might want to look at:

In particular, you can add or replace classifiers by implementing a new class that inherits from the MachineLearning class, as Forseti's own classifiers do. The currently implemented classifiers are:

class RandomForest(MachineLearing)
class Svm(MachineLearing)
class MLP(MachineLearing)