
My name is Steve bookshop busy and I'm going to share with you some research that I've been doing as part of my PhD. I'm a BSides newbie, so it's great to be here, and it's my first one also. And because it's ongoing research, it's kind of a work in progress, so I haven't actually spoken about this to anybody apart from myself and my wife and my supervisor. And I suppose, as a researcher, nobody normally gives a rat's about your research other than yourself and maybe your supervisor, when there's a deadline or something like that, or a progress report. So, as I said, we'll get the introductions out of the way. It should work for the USB.
So I'm currently lecturing in ITB. I'm there around three years, two years full-time, and I was doing a part-time stint as well. I teach mainly secure technology modules, so I'm teaching the students how they're going to put pen testers out of a job. That's what we say anyway; you know it's never going to happen. Previously, in the Department of Education and Skills, I was there for about 11 years and did all sorts of stuff: I did basic admin work, and then I moved into the IT department, did some web admin, and then I was in the IT infrastructure department as well for a while. And as I said, I'm also a PhD student, so this is what I'm going to be talking to you about today, and a shout-out to the IRC, which is the Irish Research Council, and the ITB, which are obviously co-funding this research.
So it's just a bird's-eye view of the kind of methodology that I'm going through at the moment, and it's a triage method of malware classification. The method that I'm using is non-invasive, so I'm not using any kind of reverse engineering; I'm in no way statically analysing or running the code in sandboxes or anything like that. Just to point out, it's not a substitute for regular malware analysis, and that's not what I'm trying to do. I'm trying to classify malware in terms of slotting samples into their respective families, okay, because there is some ambiguity out there. Anyone that uses VirusTotal has probably seen there is a bit of ambiguity there in terms of the families that they actually classify each malware as.
It uses image processing and machine learning. So, a quick overview, and I'll go into this in a bit more detail: I'm basically converting my binaries into grayscale images, and this is a byte-for-pixel mapping, so the actual structure of the file remains intact. I'm using texture analysis then to extract features, and I'm using machine learning then to create a model. So basically the model learns all of the different kinds of patterns within the resulting images, and it gives you a model that can hopefully classify unseen data then; that's the whole point of it.
Another thing as well, for those of you that are familiar with analysis: it's not static analysis really. Yes, it does take a byte-for-byte mapping to a pixelated image, and we are looking at the structure, but the whole thing is about taking features out of that image based on texture, okay. And the idea is, with enough images of known variants of malware, that we can start to recognize patterns in variants and hopefully recognize them as members of particular families. It's robust-ish against obfuscation. Again, this is a work in progress, so there's a bit of work to do, but the initial kind of results that I'm getting back are quite promising.
It's optimized; well, that's what I'm doing at the moment. I'm working in Python, which is fairly slow in terms of some of the image processing, so I can use C bindings using, sorry, things like Cython, which allow me to use the native C, a little faster. So that's something I'm working on as well. I'm also looking at using OpenMPI, which is a parallel processing library, as well, to speed things up. Image analysis is very slow because you're going through, you know, your testing and training images pixel by pixel, so it takes quite a long time. Pressing the wrong buttons; it's been a long day.
Okay, so just going to give an overview of malware, just fairly general. It continues to rise; there's no news flash there, okay. Particularly in the last ten years it has started to rise almost exponentially, if you look at the stats I'll show you in a second. It's a very lucrative business, so obviously the financial motive is there to create malware, and we've seen a big upsurge. It's all over the news, there's lots of those worms and lots of ransomware stuff going on, lots of talk today about ransomware, so we can see it's definitely something that's in the news.
It's very easily accessible: I can get malware samples pretty easily from the web, and I don't have to have any prior knowledge of anything; I just have to know how to use the web, with little technical knowledge required. So if I download a sample and I want to create a variant, I don't have to have a lot of knowledge. I can download crypters, cloakers, well, any type of obfuscator; you know, I can download applications that'll do a lot for me, so I don't even have to tinker around with the code in order to change it around. And I can forward these variants on and, you know, most of the time, if it's a good crypter that you get a hold of, it'll pass by a lot of the AVs.
So just some stats, and these are from AV-TEST. If anyone is involved with malware in any way, you probably know what AV-TEST is: it's a German company that releases stats, and they're an AV testing company as well, and they boast getting in around six to nine hundred million samples a year passed through their systems. This first stat is for the total number of malware. You can see from around 2007, the last ten years, it's been rising almost exponentially, and we're currently at around 650 million as of 2017, so that's 650 million samples of total malware.
So we'll just contrast that for a minute with the actual numbers of new malware, and you'll see it's actually declined. So take from 2015, the topmost, sorry, the two top posts on the histogram there, and you'll see that 2015 had quite a peak there, I'd say 142 million; it dropped down significantly, we're down to about 124 in 2016. So if you contrast that with the figures in 2016 for the total malware, which are around 600 million, you can get an idea of the amount of variants that are floating around out there, okay.
So as I said, the problem with that, and all the variants, is there's a lot of ambiguity. You upload the samples to VirusTotal and you'll get maybe 30 or 40 hits, but you won't get every one of the AVs classifying it as the same type of malware, okay. So there's a lot of ambiguity there; that's something that I'm going to try and look into and I'm trying to solve with the system that I've devised.
And the obligatory VT upload: this is a VirusTotal upload of a Trojan called sack crack, and you can see I've got 38 positive hits from the antivirus, and you can see that most of them there identify it correctly as sec racket, okay, so they identify it correctly as that Trojan. So we pass it through a simple crypter and we upload it again, okay. The numbers dropped this time, so we've 11 positives, but the kind of interesting thing to note here is the generalization of the description or the classification of the malware: it's gone from what we saw on the last slide, being able to identify it as a crack, down to something more generic, okay, so something "unsafe", or with "high confidence" that it's malicious, things like that. So the ambiguity is there with the classification of that, okay. So the problem that I'm trying to solve with the method I'm using is to remove that ambiguity if possible. So for 300 samples of say crack, okay, we'll be able to say with, you know, reasonable or high confidence that they're all set crack, okay, not just a set of a malicious
Just to give you an idea of what we're talking about: initially I'm interested in portable executable files, or PE files, and when they're passed in, they're transferred or mapped to the byte-for-pixel images. These are kind of examples of what we see. Because we're mapping bytes to pixels, we get a good representation of the file. So if you look here and here, these all equate to the different sections within the portable executable file, and the header sections all remain intact. So if we have an obfuscated file, say for instance, and we use encryption or encoding or some sort of cloaking, heuristic cloaking, so-called, generally we're going to get some sort of differences in those. But across the board, if we have just a variant that's changed in some way, maybe the code is reordered, or some slight padding is put in, say maybe some null bytes padded at the end, you're not going to get very much difference in the actual design or the actual texture of the resulting files, and that's kind of what my work is built on.
It's nothing new as such. The kind of basis for this came from a guy called Greg Conti, okay. Him and a bunch of other people did a couple of research papers around 2007-2008 on reverse-engineering binary files. Initially what he proposed in his work was an extension to the hex editor, so it was kind of a visualization of a hex editor, and he came up with the notion of byte plots. So, like the method I'm using, it's a byte-for-pixel transfer, and he called these byte plots. He followed that up then in 2010 with similar work, where he created a classification taxonomy. His idea was to try and help researchers and investigators, to give them a repository for analysis. And again he did a bit more work on the actual structure of different binary files: he looked at text files and binary portable executables, media files, and he also touched on encryption, packing and encoding. So he also noted back then, you know, that there were differences in the binary structure if the code was obfuscated in some way.
The nearest work to mine was by a guy called Lakshmanan, I don't know how to pronounce it, Nataraj, who did use a similar system for classification of malware. He devised a method where he passed the binary into images, grayscale images. He used a global descriptor called GIST, okay. GIST is basically a whole bunch of filters, okay, actually 22 different filters, called Gabor filters. These filters have different intensities and different orientations, so the idea is, each time we pass the file through the filter, we pick up different orientations of the texture. These are all averaged out and bunched together into a single kind of feature map, and that becomes basically the feature extraction of that particular file, and then that's used to classify the file.
After that he devised a dataset of about nine and a half thousand samples from 24 malware samples, called the Malimg dataset. They vary from just straightforward code reordering; there was some packing and obfuscation in there as well, and mostly most of them were just kind of slight variations of each other. And these are some examples of the samples out of that dataset. That's a dialer, so we can see the similarities between the variants there, and that one is another example of something where they're very, very similar. The next one then, this one is an encrypted one, so you can see that there are differences in the textures, okay. So this is a bit of code reordering, and then there's a bit of encryption there, so the entropy of the file equates to basically different textures, if you're looking.
His findings were pretty good: he got around 98% classification accuracy, and similar robustness with regard to obfuscation methods, so the ones he did come across he was able to identify within reason, and he puts it down to poor encryption methods in a lot of them. He had one kind of interesting point in there, that packers generate similar-looking images: even though the original file and the packed one may be different, similarly packed files produce similar images, and so can be identified based on that specific pattern.
So, some critiques, and where I'm going to base my research from: since it's based on global features, it's not robust against code section reordering and padding. This filtering system uses an average over the whole file, if you like, so it's global features; so if you put a lot of padding in at the end, say we add on a lot of null bytes or introduce a new section into the file, this starts to fall down a bit. And long model training time: as I said, whenever you're dealing with image processing, the kind of bad thing about it is that it does have a long training time, because of the fact you're examining and processing pixel by pixel. And the dataset was biased, so it only had malware samples: there are no innocent samples, no, you know, normal run-of-the-mill applications put in there.
So just to give an overview of what I've developed so far, okay; as I said, this is a work in progress, so feel free later on to berate me or tell me where I'm going wrong and to go back to the drawing board. So we have our malware samples that we're going to map into images, so we map them into grayscale images. These are passed to the feature descriptor, okay, which is a localized feature descriptor, which I'll speak about in a minute, called local binary patterns, and these produce histograms for each feature, okay, for each set of features. What we do is, for all of the images, we concatenate these into a huge, it's basically a vector array, okay, but it can be plotted or visualized as a histogram, okay; if we talk about it in terms of data, it's actually a feature vector array. These are concatenated and passed to our machine learning algorithm, which is the k-nearest neighbors algorithm, and that in turn creates a model. So when we have our model, we basically have all of the images trained, and we have them trained using this feature descriptor, okay, called local binary patterns. The idea is, once we have a model, then we can use that to pass in unseen data, data files, and hopefully classify them into their respective families. So we can classify them as obviously some sort of malware or, you know, whether it's benign, whether it's innocent.
So just to take a closer look at the localized texture descriptor called local binary patterns: it's a texture descriptor, so it's used for feature extraction of textures. It has been used and employed in different areas of computer vision as well, like facial recognition and DNA sequencing, but its beauty lies in its simplicity and how effective it actually is at extracting features from textures. The actual way it works is pretty simple: it works by taking each pixel in the image and considering a neighborhood for each pixel. The original one considered a three-by-three pixel neighborhood, okay. This has been adapted and revised to also take a circular set of features as well, which is rotation invariant and scale invariant, okay, and the calculation is pretty much the same.
So, you can see up there, we're looking to calculate the LBP code, the local binary pattern code, for the pixel four. These numbers here are basically intensities of grayscale; we know that grayscale is 0 to 245, okay, from black to white, so anything in between has a number. So if we convert anything to grayscale, we have varying degrees of intensities from black to white, and these numbers represent pixel intensities, grayscale intensities. The way the algorithm works: if any of the neighboring pixels has a value less than or equal to the center pixel, it's given a zero; it's thresholded, as we call it, thresholded to 0. Otherwise, if it's above, it's given a 1. So in the end we get this binary number, which is converted back into a decimal, and that now is treated as the LBP code for that particular pixel. This is repeated for every pixel in the entire image. If we have corners or sides, these are treated as zeroes, okay, so these are treated as zeroes in the calculation if they're the corners or sides of the image. So the end result that we get, as I said, is a histogram, a feature vector, a vector of features that describe that particular image.
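
The byte-for-pixel mapping and the 3x3 local binary pattern step described above, as an added example that is not code from the talk. The image width of 16, the clockwise bit order, the Euclidean comparison of histograms and the constructed byte strings are assumptions made here, and out-of-image neighbours are read as zero following the remark about corners and sides.

```python
import math
import random

WIDTH = 16  # assumed image width in pixels; the talk does not state one

# 3x3 neighbour offsets, clockwise from top-left (the bit order is a choice made here)
OFFSETS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def bytes_to_image(data, width=WIDTH):
    """Byte-for-pixel mapping: each byte becomes one grayscale pixel, row by row."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1].extend([0] * (width - len(rows[-1])))  # zero-fill a short last row
    return rows


def lbp_code(img, r, c):
    """LBP code of pixel (r, c): a neighbour <= centre gives bit 0, above gives bit 1."""
    height, width = len(img), len(img[0])
    centre = img[r][c]
    code = 0
    for dr, dc in OFFSETS:
        rr, cc = r + dr, c + dc
        inside = 0 <= rr < height and 0 <= cc < width
        neighbour = img[rr][cc] if inside else 0  # corners and sides: missing pixels are 0
        code = (code << 1) | (0 if neighbour <= centre else 1)
    return code


def lbp_histogram(img):
    """Normalised 256-bin histogram of LBP codes: the feature vector for one image."""
    hist = [0] * 256
    for r in range(len(img)):
        for c in range(len(img[0])):
            hist[lbp_code(img, r, c)] += 1
    total = sum(hist)
    return [count / total for count in hist]


def euclidean(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def compare():
    """Distances from a constructed 'file' to a null-padded and a scrambled variant."""
    original = bytes(i % 256 for i in range(1024))   # constructed, structured content
    padded = original + bytes(128)                   # constructed: null bytes appended
    rng = random.Random(2017)
    scrambled = bytes(rng.randrange(256) for _ in range(1024))  # stand-in for encrypted data
    h_orig, h_pad, h_scr = (
        lbp_histogram(bytes_to_image(blob)) for blob in (original, padded, scrambled)
    )
    return euclidean(h_orig, h_pad), euclidean(h_orig, h_scr)


if __name__ == "__main__":
    d_padded, d_scrambled = compare()
    print(f"original vs null-padded variant: {d_padded:.3f}")
    print(f"original vs scrambled content:   {d_scrambled:.3f}")
```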
so just according to give you illustrate the point and I took a picture yeah are we self a couple of days ago and no I wasn't taking a couple of days ago I took a picture from Lee a non-family folder a couple of days ago and and I passed it at the LBP feature descriptor and it gives me this kind of hideous looking picture so it was kind of an it's going to boogie me walked up a tree reminded me off over the last couple of days so and it hit me yesterday evening the dollar whether it was just because it was a long day yesterday because it was finished important East Lloyds together was tour I was getting giddy
but and I can work with this so if anyone's old enough to remember who that is that was Carol office Frankenstein every still of the moment he's booked okay so you might not could've really see the resemblance there so around Boras true the LBP again as well so the image looks nothing like maybe through the LBP but if you look at the histograms they're almost identical so it's good as scary they do actually look a bit like Boris Karloff I guess I'm sorry it was it was late when the cool for this so it's just you know I was getting giddy at that stage and [Music] so that the learning algorithm uses K nearest neighbors and it uses points
within a specified a neighborhood so I'll give you an example here so this is our feature space so these red dots in these green dots what they represent and Malware features okay vector of malware features and we're trying to classify what this blue star is so we pick a neighborhood and it's a case it really is the cases when we're doing gauge announced the case of fiddle around with different stories a neighborhoods in different weights and so forth and so for this one we're going to take a figure of tree so we're using K as the neighborhood of tree so if we take K is tree we picked three nearest points to it so that's the only you
kiddy and this Euclidean distance and between the feature vectors and don't ask me how to work it out on paper but a the classifier is pretty good at doing that so we have if we take the value of K is equal to tree the tree nearest neighbors to K are dollars three red dots there so we can say we're calling a high amount of confidence that that blue blue sky room is belong to that a particular family okay so you can imagine if there's thousands and thousands of samples there it gets quite complex but that's kind of a simplistic view of how did the actual there the actual thing works and it's pub your Bell is there as difficult that's all
you want to talk about this evening a big problem with data analysis is and the accuracy of the model okay so you can build a model you can do training testing and whatever else but we actually build a more than tested against one scene data it usually falls on the tires if it's what's called all our fishes okay so if we all were fish a model or a year for our fifth day the rubber Dino's were fitting to the model - well - right data so any kind of help lawyers or any kind of firm and all and picks if that takes title as being you know some sort of a relevant feature then when you pass order data
variants in it's not going to recognize them because it's not generalized enough or 20 there was general law as a model okay so we can pick up all variants and to coin Troy and calm by thought it doesn't the Eradicator but it definitely does make it a little bit better and is is a metric called cross-validation so what we do is take a training set and that's training set we divide it into a ten or twenty it doesn't matter you can you can void any you'll want to use ten and so one of the folds are one of one of the the sections is kept as a test that and the rest is trained down the
model and one against the test the test set and it does this iterate it's true all of the different all of the different fellows or all the different sections of the of the training set and then the result is a average of a joke so eliminates some of take on the boys in terms of if the if the the dataset is unbalanced so initially for benchmarking Iran against the male image days a class for reality an extra samples were added in some vanilla in samples taken mainly from their Windows 7 machines so I brought the they brought the total up to around 20 taels and herself I used a few different metric scores as well and I use accuracy and so that's
you know everyone knows where accuracy is and the total number of positives out of the total data set precision then takes into account them the total potent positives are what we were dint afford all were the total positives and total negatives so it looks at the proportion of samples that would say we we predicted as a certain type of malware and if it was indeed actually malware okay next one then is recall so that takes into account the they're true negatives as well okay I was like false negatives that's the kind of proportion of it's going to proportion samples from each class that were predicted correctly and then the effluent score is kind of a
weighted average between the two precision and recall okay so it gives a more kind of a smoother the fact it takes into account counts the first positives under a false negatives as well and so we can construct to make a confusion matrix so anybody that Cana doesn't know what that is I hasn't seen him before it's just a simple matrix so along the horizontal here rows we have the predictions and then along the axis here we have the actual identifiers okay so what we actually what they actually should have been okay so and we predict them as these and these where and what they actually should have been so ideally we should get a diagonal all the
way along here and we yellow okay so we've gone from 0 to 1 sorry this is not leads and default colon which is pretty bad and so the purple is 0 so basically means I haven't classified any of the samples and it means about a hundred percent classification rate in those so you can see all the yellow ones are all the desirable ones the ones that we want and the ones down here where we fell down a little bit we office cater Android platform and then down here we've another couple as well and I think of a I've showed you a couple of examples there so these are just to cite two examples from these two classifications that were
wrong okay so we can see that there is some similarity in structure between them and what happens online you can't afford our investigation any deeper kind of investigations to avoid and because I'm not at that stage and I can only surmise that because they're fairly similar looking patterns are facing a look at extras that maybe worried the classification model didn't find them or figured them out with something else Iran the I got your dr. Rogers cold Iran the same data set the extended data set true and he's very very pretty well as well you got a slightly lower score but still pretty good 97 and percent overall across the board and just in terms of and a comparison
TWEN complexity muy my method at the moment is four times slower so we'll free on ten ten milliseconds for his and sample per sample to actually process as opposed to forty milliseconds we put that down to dealing with Python because as I said it doesn't it in order to process we need to use what's called moon purees and they're pretty slow and we're looping through those so I'm looking to use see bindings to be able to speed those up and I did whoever and beat him on the actual training training of the model so around nine milliseconds per iteration so that's a pre iteration of of the order of the classification of the training into training and test sets as
opposed to 48 milliseconds so just to make things a bit more interesting and exactly where the kind of bases were based in this research and I started to start off a skating some of the the samples and I couldn't use the my let me say set because all they have Allakaket hi Olaf was the actual images I don't have the initial that the original foils and so I had it in my own another five different families so use various different types of techniques and encryption using a full krypter and boy krypter and so he was basically a basic encryption on that you know he's the cloaker we used a script from Mook sumac and you can get engage hope I
actually used an updated version and call PE cloak and then I wrote a script in Python just to add some voice into the end of an executable so all of those extends the soil has been executable and creates a header set our sir creates a section and updates the headers and and puts in a lot of NOLA bytes at the end okay so it doesn't actually disrupt the running off the foil yeah and the last one I played around with some Parker so impressed forties and upx and meter stocks that Parker's out there but I just picked you know tree RBG ones just gonna see what the difference was and them and so all in all they've got on
there an extra four and a half tails and samples and these are there so crypt the wall it's a fairly reasonable Droid X is very recent and Sheffield is very recent to trickster as well as Zemus they're put in there because I'm an old fogy and Zemus is one of the old and metamorphic versus it's gone since the late 90s but the husband variant of its seen as nearest as 2012 so it's still in there so just trillionaires just for good measure so this is just some examples of the samples that were when they pass through the [Music] posture to to images so this is the the cryptid I use so you can see that
the certain priority this that it encrypted here so it's going to bit more entropy it's a bit more there's a different texture there in the foil and that's the basically the encrypted parts but you can see that the more important parts like that the initial headers on under some of the sections down here remain the same so that there hasn't been any real change except for practice in the middle whereas some sections that were encrypted the accuracy down held its Howard scored the drop down little bit of 93% okay so that's acceptable for an F score of 92 and this is the hand this is the new confusion matrix which is really confusing and because you've
so much popped on so I had to shrink it down so you could actually fit everything in so you can see that there is a fair amount still a fair amount of a hundred percent classifications put a falls on its recipe here and Oh Pierce I'm gonna just concentrate on just one section over here and just to show you to blow it up so this the wall padded one kind of it kind of had a better to cause a bit of trouble for a few of the of the of the families here of the predictions here the The Cribs wall parted itself either quite a high classification rate of 95 and for orders like smooth surgeon and a
obfuscator obviously thought that they were and crypt the wall so just show you the the difference here that's squeezer and that's what it was classified it does so there's no apparent corner partners that look the same there and you know I'm not going to say there is it's obviously warrants afford investigation and it's not it's not clear from the outset why this type of pattern was classified as this sort of apartment board and obviously you know we'd have to do a bit more digging just to go back there for a second again and if you look at the corner the worst one there was this one here and the trickster encrypted so I decided to do a
little bit of and a little bit of a comparison between myself and Rory's total so what it was I wrote a script this is partly due to where was exhausted last night and Kitty and a lot of script for and forest total so what is I uploaded all of the samples of trickster encrypted ones and clean back all of the stock reports so the stats there are basically and all of these stats that vote divorced out antiviruses found as trickster so for each of the variants that were uploaded that this is a score of what actually came back as those trickster so it's various varies from from 0 up to toward he was the highest or TN 64 on
divorce that actually identified as trickster and now that they if you look at the actual scores if you uploaded these to voice level they may be higher because I'll just pick they're the ones actually identified this as trickster so you can see the overall average score was only 16% so it didn't actually fare too well it's pretty badly sorry and in terms of my force going to stab our classification and just about what about unseen data so this is the code of stages I might now where I've already started to build the models and my one he just recently finished building new models and I'm starting to rule him against one saying data so I picked and force for samples
whispered it for this and this particular and it's the particular talk around them true so the stats there will be an average overall 73% which isn't too bad but if I only beyond these two here quite surprised because if you look at and these two they're quite similar okay so these are Don towel and fakery and that for the two that that did worst okay so you can see that the coid the quite similar again I haven't done enough research to find out why and these are falling down on misclassifying these again that's its ongoing research and just the limitations so has trouble with some samples obviously okay so it's falling down and some samples I haven't
run them through the full data full dataset yet and kind of identify new malware okay so if there's a new malware strain and it isn't trained for that to identify a particular malware I won't actually find it so can only identify what it's trained to constantly and I'm begin T we regard the classification names to look at spoke about earlier with the V team reports the voice total reports there is a lot of ambiguity okay yes we may get a score of 2805 T or you know 44 over 60 and but are they all classified as the same that's the same sample as the same malware I already actually got sample that the majority said here okay so at
the moment I'm working off for his total and and I'm using samples are classifying these mostly as one type of family okay but again there is some ambiguity there that you know I don't know whether we ever will get to a stage where we have a kind of a a standardized way of classifying and Malware families and it's low at the moment so I'm working on the air the build-up of that over time just for it to do and so I Frannie when he was not from the Republican doesn't recognize our older lawsuits later and just skilled bearing a man Troy do not tell you pretty much all about so the next going to phase and prior
from you know I'm getting more treatment warning on this and [Music] apart from they did the increase in the data set under the ongoing test is to produce a hash local hashing Pasha so when we went to the local boy new problems you saw that stress holding was boring result 0 given the value of 1 or 0 which is very high con the treshold ok so it doesn't take into account the kind of similarities between and between neighboring pixels so we're looking into using some file of hashing okay some sort of a hashing scam - maybe kind of smooth over the differences between the textures so if there's any kind of Seiko reordering or any kind of
entropy in that, it's a bit more convenient in terms of being able to identify that pattern. and I don't know exist all just kind of and we had at the moment, so I don't know if this'll actually work or not, but that's what I'm kind of working towards. And as I said earlier, optimizing it with sea boiling and OpenMP, and looking at the segmentation. So segmentation is computer vision, it's computer vision, I think, to basically segment the image into different regions, and then we can kind of identify each region. So for instance we can break down a PE file into its different sections and then run the classifier over each
of those. So if it's a case that most of the file stays intact, okay, I have a kind of a taxonomy or kind of a repository of all those pieces, so we can use it just to identify those particular pieces, as if it's only certain parts of the file that are encrypted or encoded. And for the most part, using boy and what I've come across, you know, the encryption algorithms are fairly weak, and some of them are pretty strong, but the segmentation can't and that will help to identify these a lot quicker. Add a lot more samples and obviously build it up and make the model better,
stronger, more general to different types of families, and then tweak and test as much as possible so we can get the model as generalized as possible. So just to summarize what we talked about: I've come up with a new method for localized image features using machine learning, using local binary patterns as a texture analysis descriptor. It's not a substitute for dynamic or static analysis, don't attempt to - you can go there, and it's merely a classification model. More than just static analysis, so not just looking at the static structures of the file, we're actually breaking it down and looking at the common features of these variants. And it's favorable
results against the state-of-the-art, which are shown earlier, your own favorable results of what I've done against VirusTotal, and of course needs further work as well. It's still a work in progress and it still needs a lot of work. And so that's pretty much it, that's all I wanted to say. Thanks for listening. I know it was a kind of an ominous talk on in the next door so we're all hence that's why I forgot a remark on an intimate setting here today. And, well, yeah, if anyone wants to ask me questions or has any input, as I said it's a work in progress, so I'm not really kind of a I'm
really kind of, you know, finding a way with this at the moment, and so if anyone has any input I'd be happy to take it on board. Too late in the day to ask questions? survey is there any sort of living
let it discover the feature. Yeah, it was actually or was actually singing Gaza as a Quinta and I don't because it's part of the PhD. So I looked at support vector machines, which were very cumbersome and didn't give great classification, but it's something that I definitely can't look into yet stay away from yeah to the same techniques instead of the yeah absolutely yeah puck will be yes yeah yeah
you can, yeah, you can't I'm actually actually pulled out up was a proposal for it for a project for four students this year. I would let him take it on but it was actually going around they had. Yeah, if you combine it with even basic static analysis, or even in a VM Mona and dynamic, can get some of the function calls and API calls and whatever else that you can get from it and transfer it out to images
yeah yeah yeah yeah the tuk-tuk that would be actually interesting, yes. Yeah, this is similar as well if you talk with the network. I mean, if you take a pcap dump, I'm sure that has, haven't looked at whanau, but I'm sure that has similarities in terms of you can maybe use as a baseline and, you know, have taught us okay this is my network on a normal day, and any anomalies will show up as different textures in the file. I'm not sure, but I'm assuming that. Okay, yeah, so go be employed to that, yeah, absolutely, yeah, okay.