Malware Data Science
Attack Detection and Attribution

“Stay ahead of the changes in technology and the adversaries you’re charged with defeating.”
— Anup Ghosh, PhD, founder of Invincea, Inc

With millions of malware files created each year and a flood of security-related data
generated every day, security has become a “big data” problem. So, when defending
against malware, why not think like a data scientist?

In Malware Data Science, security data scientists Joshua Saxe and Hillary Sanders show
you how to apply machine learning, statistics, and data visualization as you build your own
detection and intelligence systems. Following an overview of basic reverse engineering
concepts like static and dynamic analysis, you’ll learn to measure code similarities in malware
samples and use machine learning frameworks like scikit-learn and Keras to build and
train your own detectors.

Learn how to:

👿 Identify new malware written by the same adversary groups through shared code analysis
👿 Catch zero-day malware by building your own machine learning detection system
👿 Use ROC curves to measure the accuracy of your malware detector to help you select the best approach to a security problem
👿 Use data visualization to identify and explore malware campaigns, trends, and relationships
👿 Use Python to implement deep neural network–based detection systems

Whether you’re a malware analyst looking to add skills to your existing arsenal or a data
scientist interested in attack detection and threat intelligence, Malware Data Science will
help you stay ahead of the curve.

About the Authors

Joshua Saxe is chief data scientist at Sophos, a major security software vendor, where he helps
invent data science technologies for detecting Android-, Windows-, and web-based malicious
programs. Before joining Sophos, Saxe spent five years leading DARPA-funded security data
research projects for the US government.

Hillary Sanders is a senior software engineer and data scientist at Sophos, where she
has played a key role in inventing and productizing neural network, machine learning, and
malware similarity analysis security technologies. She is a regular speaker at security
conferences like Black Hat USA and BSides Las Vegas.

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com

Price: $49.95 ($65.95 CDN)
Shelve In: Computers/Security

Joshua Saxe with Hillary Sanders
Foreword by Anup Ghosh, PhD

Part of the proceeds from this book will be donated to the Environmental Defense Fund.

Malware Data Science
Attack Detection and Attribution

by Joshua Saxe
with Hillary Sanders

San Francisco

Malware Data Science. Copyright © 2018 by Joshua Saxe with Hillary Sanders.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.

ISBN-10: 1-59327-859-4
ISBN-13: 978-1-59327-859-5

Publisher: William Pollock


Production Editor: Laurel Chun
Cover Illustration: Jonny Thomas
Interior Design: Octopod Studios
Developmental Editors: Annie Choi and William Pollock
Technical Reviewer: Gabor Szappanos
Copyeditor: Barton Reed
Compositor: Laurel Chun
Proofreader: James Fraleigh
Indexer: BIM Creatives, LLC

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:

No Starch Press, Inc.


245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; info@nostarch.com
www.nostarch.com

Library of Congress Control Number: 2018949204

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other
product and company names mentioned herein may be the trademarks of their respective owners. Rather
than use a trademark symbol with every occurrence of a trademarked name, we are using the names only
in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution
has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any
liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or
indirectly by the information contained in it.
To Alen Capalik,
for bringing me back to computers after a long hiatus
About the Authors
Joshua Saxe is Chief Data Scientist at the major security vendor Sophos,
where he leads a security data science research team. He’s also a principal
inventor of Sophos’ neural network–based malware detector, which
defends tens of millions of Sophos customers from malware infections.
Before joining Sophos, Joshua spent five years leading DARPA-funded
security data research projects for the US government.

Hillary Sanders is a senior software engineer and data scientist at
Sophos, where she has played a key role in inventing and productizing
neural network, machine learning, and malware similarity analysis
technologies. Before joining Sophos, Hillary was a data scientist at Premise
Data Corporation. She is a regular speaker at security conferences,
having given security data science talks at Blackhat USA and BSides
Las Vegas. She studied Statistics at UC Berkeley.

About the Technical Reviewer


Gabor Szappanos graduated from the Eotvos Lorand University
of Budapest with a degree in physics. His first job was developing
diagnostic software and hardware for nuclear power plants at the
Computer and Automation Research Institute. Gabor started antivirus
work in 1995 and joined VirusBuster in 2001, where he was responsible
for taking care of macro virus and script malware; in 2002, he became
head of the virus lab. Between 2008 and 2016, he was a member of the
board of directors in Anti-Malware Testing Standards Organizations
(AMTSO), and, in 2012, he joined Sophos as a Principal Malware
Researcher.

Brief Contents

Foreword
Acknowledgments
Introduction
Chapter 1: Basic Static Malware Analysis
Chapter 2: Beyond Basic Static Analysis: x86 Disassembly
Chapter 3: A Brief Introduction to Dynamic Analysis
Chapter 4: Identifying Attack Campaigns Using Malware Networks
Chapter 5: Shared Code Analysis
Chapter 6: Understanding Machine Learning–Based Malware Detectors
Chapter 7: Evaluating Malware Detection Systems
Chapter 8: Building Machine Learning Detectors
Chapter 9: Visualizing Malware Trends
Chapter 10: Deep Learning Basics
Chapter 11: Building a Neural Network Malware Detector with Keras
Chapter 12: Becoming a Data Scientist
Appendix: An Overview of Datasets and Tools
Index

Contents in Detail

Foreword by Anup Ghosh

Acknowledgments

Introduction
What Is Data Science?
Why Data Science Matters for Security
Applying Data Science to Malware
Who Should Read This Book?
About This Book
How to Use the Sample Code and Data

Chapter 1: Basic Static Malware Analysis
The Microsoft Windows Portable Executable Format
The PE Header
The Optional Header
Section Headers
Dissecting the PE Format Using pefile
Examining Malware Images
Examining Malware Strings
Using the strings Program
Analyzing Your strings Dump
Summary

Chapter 2: Beyond Basic Static Analysis: x86 Disassembly
Disassembly Methods
Basics of x86 Assembly Language
CPU Registers
Arithmetic Instructions
Data Movement Instructions
Disassembling ircbot.exe Using pefile and capstone
Factors That Limit Static Analysis
Packing
Resource Obfuscation
Anti-disassembly Techniques
Dynamically Downloaded Data
Summary

Chapter 3: A Brief Introduction to Dynamic Analysis
Why Use Dynamic Analysis?
Dynamic Analysis for Malware Data Science
Basic Tools for Dynamic Analysis
Typical Malware Behaviors
Loading a File on malwr.com
Analyzing Results on malwr.com
Limitations of Basic Dynamic Analysis
Summary

Chapter 4: Identifying Attack Campaigns Using Malware Networks
Nodes and Edges
Bipartite Networks
Visualizing Malware Networks
The Distortion Problem
Force-Directed Algorithms
Building Networks with NetworkX
Adding Nodes and Edges
Adding Attributes
Saving Networks to Disk
Network Visualization with GraphViz
Using Parameters to Adjust Networks
The GraphViz Command Line Tools
Adding Visual Attributes to Nodes and Edges
Building Malware Networks
Building a Shared Image Relationship Network
Summary

Chapter 5: Shared Code Analysis
Preparing Samples for Comparison by Extracting Features
How Bag of Features Models Work
What are N-Grams?
Using the Jaccard Index to Quantify Similarity
Using Similarity Matrices to Evaluate Malware Shared Code Estimation Methods
Instruction Sequence–Based Similarity
Strings-Based Similarity
Import Address Table–Based Similarity
Dynamic API Call–Based Similarity
Building a Similarity Graph
Scaling Similarity Comparisons
Minhash in a Nutshell
Minhash in Depth
Building a Persistent Malware Similarity Search System
Running the Similarity Search System
Summary

Chapter 6: Understanding Machine Learning–Based Malware Detectors
Steps for Building a Machine Learning–Based Detector
Gathering Training Examples
Extracting Features
Designing Good Features
Training Machine Learning Systems
Testing Machine Learning Systems
Understanding Feature Spaces and Decision Boundaries
What Makes Models Good or Bad: Overfitting and Underfitting
Major Types of Machine Learning Algorithms
Logistic Regression
K-Nearest Neighbors
Decision Trees
Random Forest
Summary

Chapter 7: Evaluating Malware Detection Systems
Four Possible Detection Outcomes
True and False Positive Rates
Relationship Between True and False Positive Rates
ROC Curves
Considering Base Rates in Your Evaluation
How Base Rate Affects Precision
Estimating Precision in a Deployment Environment
Summary

Chapter 8: Building Machine Learning Detectors
Terminology and Concepts
Building a Toy Decision Tree–Based Detector
Training Your Decision Tree Classifier
Visualizing the Decision Tree
Complete Sample Code
Building Real-World Machine Learning Detectors with sklearn
Real-World Feature Extraction
Why You Can’t Use All Possible Features
Using the Hashing Trick to Compress Features
Building an Industrial-Strength Detector
Extracting Features
Training the Detector
Running the Detector on New Binaries
What We’ve Implemented So Far
Evaluating Your Detector’s Performance
Using ROC Curves to Evaluate Detector Efficacy
Computing ROC Curves
Splitting Data into Training and Test Sets

Computing the ROC Curve
Cross-Validation
Next Steps
Summary

Chapter 9: Visualizing Malware Trends
Why Visualizing Malware Data Is Important
Understanding Our Malware Dataset
Loading Data into pandas
Working with a pandas DataFrame
Filtering Data Using Conditions
Using matplotlib to Visualize Data
Plotting the Relationship Between Malware Size and Detection
Plotting Ransomware Detection Rates
Plotting Ransomware and Worm Detection Rates
Using seaborn to Visualize Data
Plotting the Distribution of Antivirus Detections
Creating a Violin Plot
Summary

Chapter 10: Deep Learning Basics
What Is Deep Learning?
How Neural Networks Work
Anatomy of a Neuron
A Network of Neurons
Universal Approximation Theorem
Building Your Own Neural Network
Adding Another Neuron to the Network
Automatic Feature Generation
Training Neural Networks
Using Backpropagation to Optimize a Neural Network
Path Explosion
Vanishing Gradient
Types of Neural Networks
Feed-Forward Neural Network
Convolutional Neural Network
Autoencoder Neural Network
Generative Adversarial Network
Recurrent Neural Network
ResNet
Summary

Chapter 11: Building a Neural Network Malware Detector with Keras
Defining a Model’s Architecture
Compiling the Model
Training the Model
Extracting Features
Creating a Data Generator
Incorporating Validation Data
Saving and Loading the Model
Evaluating the Model
Enhancing the Model Training Process with Callbacks
Using a Built-in Callback
Using a Custom Callback
Summary

Chapter 12: Becoming a Data Scientist
Paths to Becoming a Security Data Scientist
A Day in the Life of a Security Data Scientist
Traits of an Effective Security Data Scientist
Open-Mindedness
Boundless Curiosity
Obsession with Results
Skepticism of Results
Where to Go from Here

Appendix: An Overview of Datasets and Tools
Overview of Datasets
Chapter 1: Basic Static Malware Analysis
Chapter 2: Beyond Basic Static Analysis: x86 Disassembly
Chapter 3: A Brief Introduction to Dynamic Analysis
Chapter 4: Identifying Attack Campaigns Using Malware Networks
Chapter 5: Shared Code Analysis
Chapter 6: Understanding Machine Learning–Based Malware Detectors and Chapter 7: Evaluating Malware Detection Systems
Chapter 8: Building Machine Learning Detectors
Chapter 9: Visualizing Malware Trends
Chapter 10: Deep Learning Basics
Chapter 11: Building a Neural Network Malware Detector with Keras
Chapter 12: Becoming a Data Scientist
Tool Implementation Guide
Shared Hostname Network Visualization
Shared Image Network Visualization
Malware Similarity Visualization
Malware Similarity Search System
Machine Learning Malware Detection System

Index

Fore word

Congratulations on picking up Malware Data Science.


You’re on your way to equipping yourself with the
skills necessary to become a cybersecurity profes-
sional. In this book, you’ll find a wonderful introduc-
tion to data science as applied to malware analysis,
as well as the requisite skills and tools you need to be
proficient at it.
There are far more jobs in cybersecurity than there are qualified
candidates, so the good news is that cybersecurity is a great field to get
into. The bad news is that the skills required to stay current are changing
rapidly. As is often the case, necessity is the mother of invention. With far
more demand for skilled cybersecurity professionals than there is supply,
data science algorithms are filling the gap by providing new insights and
predictions about threats against networks. The traditional model of
watchmen monitoring network data is rapidly becoming obsolete as data science
is increasingly being used to find threat patterns in terabytes of data. And
thank goodness for that, because monitoring a screen of alerts is about as
exciting as monitoring a video camera surveillance system of a parking lot.
So what exactly is data science and how does it apply to security? As
you’ll see in the Introduction, data science applied to security is the art
and science of using machine learning, data mining, and visualization to
detect threats against networks. While you’ll find a lot of hyperbole around
machine learning and artificial intelligence driven by marketing, there are,
in fact, very good use cases for these technologies that are in production
today.
For instance, when it comes to malware detection, both the volume of
malware production and the cost to the adversary in changing malware
signatures have rendered signature-only based approaches to malware
obsolete. Instead, antivirus companies are now training neural networks
or other types of machine learning algorithms over very large datasets of
malware to learn their characteristics, so that new variants of malware can
be detected without having to update the model daily. The combination
of signature-based and machine learning–based detection provides
coverage for both known and unknown malware. This is a topic both Josh and
Hillary are experts in and from which they speak from deep experience.
But malware detection is only one use case for data science. In fact,
when it comes to finding threats on the network, today’s sophisticated
adversaries often will not drop executable programs. Instead, they will
exploit existing software for initial access and then leverage system tools
to pivot from one machine to the next using the user privileges obtained
through exploitation. From an adversarial point of view this approach
doesn’t leave behind artifacts such as malware that antivirus software will
detect. However, a good endpoint logging system or an endpoint detection
and response (EDR) system will capture system level activities and send this
telemetry to the cloud, from where analysts can attempt to piece together
the digital footprints of an intruder. This process of combing through
massive streams of data and continuously looking for patterns of intrusion is a
problem well-suited for data science, specifically data mining with statistical
algorithms and data visualization. You can expect more and more Security
Operations Centers (SOCs) to adopt data mining and artificial intelligence
technologies. It’s really the only way to cull through massive data sets of
system events to identify actual attacks.
Cybersecurity is undergoing massive shifts in technology and its
operations, and data science is driving the change. We are fortunate to have
experts like Josh Saxe and Hillary Sanders not only share their expertise
with us, but do it in such an engaging and accessible way. This is your
opportunity to learn what they know and apply it to your own work so you
can stay ahead of the changes in technology and the adversaries you’re
charged with defeating.

Anup K. Ghosh, PhD


Founder, Invincea, Inc
Washington, DC

Acknowledgments

Thanks to Annie Choi, Laurel Chun, and Bill Pollock at No Starch Press
and to my copyeditor, Bart Reed. In all justice, they should be regarded as
co-authors of this book. Thanks in advance to the workers responsible for
printing, transporting, and selling copies of this book, and the engineers
responsible for its digital storage, transmission, and rendering. Thanks to
Hillary Sanders for bringing her remarkable talents to the project exactly
when they were needed. Gratitude to Gabor Szappanos for his excellent and
exacting technical review.
Thanks to my two-year-old daughter Maya, who, I'm happy to share,
slowed this project down dramatically. Thanks to Alen Capalik, Danny
Hillis, Chris Greamo, Anup Ghosh, and Joe Levy for their mentorship
over the past 10 years. Deep appreciation to the Defense Advanced
Research Projects Agency (DARPA) and Timothy Fraser for supporting
the research on which much of this book is based. Thanks to Mandiant,
and Mila Parkour, for obtaining and curating the APT1 malware samples
used for demonstration purposes in this book. Deep appreciation to the
authors of Python, NetworkX, matplotlib, numpy, sklearn, Keras, seaborn,
pefile, icoutils, malwr.com, CuckooBox, capstone, pandas, and sqlite for
your contributions to free and open source security and data science
software.
Tremendous gratitude to my parents, Maryl Gearhart and Geoff Saxe,
for introducing me to computers, for tolerating my teenage hacker phase
(and all the illegality that entailed), and for their boundless love and
support. Thanks to Gary Glickman for his indispensable love and support.
Finally, thanks to Ksenya Gurshtein, my partner in life, for supporting me
in this endeavor completely and without hesitation.

Joshua Saxe

Thanks to Josh, for including me in this! Thanks to Ani Adhikari for being
an amazing teacher. Thanks to Jacob Michelini, because he really wanted
his name in a book.

Hillary Sanders
Introduction

If you’re working in security, chances are you’re using data science more
than ever before, even if you may not realize it. For example, your antivirus
product uses data science algorithms to detect malware. Your firewall
vendor may have data science algorithms detecting suspicious network
activity. Your security information and event management (SIEM) software
probably uses data science to identify suspicious trends in your data.
Whether conspicuously or not, the entire security industry is moving toward
incorporating more data science into security products.
Advanced IT security professionals are incorporating their own custom
machine learning algorithms into their workflows. For example, in recent
conference presentations and news articles, security analysts at Target,
Mastercard, and Wells Fargo all described developing custom data science
technologies that they use as part of their security workflows.1 If you’re not
already on the data science bandwagon, there’s no better time to upgrade
your skills to include data science into your security practice.

What Is Data Science?


Data science is a growing set of algorithmic tools that allow us to understand
and make predictions about data using statistics, mathematics, and artful
statistical data visualizations. More specific definitions exist, but generally, data
science has three subcomponents: machine learning, data mining, and data
visualization.
In the security context, machine learning algorithms learn from
training data to detect new threats. These methods have been proven to detect
malware that flies under the radar of traditional detection techniques like
signatures. Data mining algorithms search security data for interesting
patterns (such as relationships between threat actors) that might help us
discern attack campaigns targeting our organizations. Finally, data
visualization renders sterile, tabular data into graphical format to make it easier
for people to spot interesting and suspicious trends. I cover all three areas
in depth in this book and show you how to apply them.

Why Data Science Matters for Security


Data science is critically important for the future of cybersecurity for three
reasons: first, security is all about data. When we seek to detect cyber threats,
we’re analyzing data in the form of files, logs, network packets, and other
artifacts. Traditionally, security professionals didn’t use data science
techniques to make detections based on these data sources. Instead, they used
file hashes, custom-written rules like signatures, and manually defined
heuristics. Although these techniques have their merits, they required
handcrafted techniques for each type of attack, necessitating too much manual
work to keep up with the changing cyber threat landscape. In recent years,
data science techniques have become crucial in bolstering our ability to
detect threats.
Second, data science is important to cybersecurity because the number
of cyberattacks on the internet has grown dramatically. Take the growth of
the malware underworld as an example. In 2008, there were about 1
million unique malware executables known to the security community. By
2012, there were 100 million. As this book goes to press in 2018, there are
more than 700 million malicious executables known to the security
community (https://www.av-test.org/en/statistics/malware/), and this number is likely
to grow.

1. Target (https://www.rsaconference.com/events/us17/agenda/sessions/6662-applied-machine-learning-defeating-modern-malicious), Mastercard (https://blogs.wsj.com/cio/2017/11/15/artificial-intelligence-transforms-hacker-arsenal/), and Wells Fargo (https://blogs.wsj.com/cio/2017/11/16/the-morning-download-first-ai-powered-cyberattacks-are-detected/).

Due to the sheer volume of malware, manual detection techniques
such as signatures are no longer a reasonable method for detecting all
cyberattacks. Because data science techniques automate much of the
work that goes into detecting cyberattacks, and vastly decrease the
memory usage needed to detect such attacks, they hold tremendous promise
in defending networks and users as cyber threats grow.
Finally, data science matters for security because data science is the
technical trend of the decade, both inside and outside of the security industry,
and it will likely remain so through the next decade. Indeed, you’ve probably
seen applications of data science everywhere—in personal voice assistants
(Amazon Echo, Siri, and Google Home), self-driving cars, ad
recommendation systems, web search engines, medical image analysis systems, and fitness
tracking apps.
We can expect data science–driven systems to have major impacts in
legal services, education, and other areas. Because data science has become
a key enabler across the technical landscape, universities, major companies
(Google, Facebook, Microsoft, and IBM), and governments are investing
billions of dollars to improve data science tools. Thanks to these
investments, data science tools will become even more adept at solving hard
attack-detection problems.

Applying Data Science to Malware


This book focuses on data science as it applies to malware, which we define
as executable programs written with malicious intent, because malware
continues to be the primary means by which threat actors gain a foothold
on networks and subsequently achieve their goals. For example, in the
ransomware scourge that has emerged in recent years, attackers typically send
users malicious email attachments that download ransomware executables
(malware) to users’ machines, which then encrypt users’ data and ask them
for a ransom to decrypt the data. Although skilled attackers working for
governments sometimes avoid using malware altogether to fly under the
radar of detection systems, malware continues to be the major enabling
technology in cyberattacks today.
By homing in on a specific application of security data science rather
than attempting to cover security data science broadly, this book aims to
show more thoroughly how data science techniques can be applied to a
major security problem. By understanding malware data science, you’ll
be better equipped to apply data science to other areas of security, like
detecting network attacks, phishing emails, or suspicious user behavior.
Indeed, almost all the techniques you’ll learn in this book apply to
building data science detection and intelligence systems in general, not just for
malware.

Who Should Read This Book?
This book is aimed toward security professionals who are interested in
learning more about how to apply data science to computer security
problems. If computer security and data science are new to you, you might find
yourself having to look up terms to give yourself a little bit of context, but
you can still read this book successfully. If you’re only interested in data
science, but not security, this book is probably not for you.

About This Book


The first part of the book consists of three chapters that cover basic reverse
engineering concepts necessary for understanding the malware data
science techniques discussed later in the book. If you’re new to malware, read
the first three chapters first. If you’re an old hand at malware reverse
engineering, you can skip these chapters.

• Chapter 1: Basic Static Malware Analysis covers static analysis techniques
for picking apart malware files and discovering how they achieve
malicious ends on our computers.
• Chapter 2: Beyond Basic Static Analysis: x86 Disassembly gives you a
brief overview of x86 assembly language and how to disassemble and
reverse engineer malware.
• Chapter 3: A Brief Introduction to Dynamic Analysis concludes the
reverse engineering section of the book by discussing dynamic analysis,
which involves running malware in controlled environments to learn
about its behavior.

The next two chapters of the book, Chapters 4 and 5, focus on
malware relationship analysis, which involves looking at similarities and
differences between collections of malware to identify malware campaigns
against your organization, such as a ransomware campaign controlled by
a group of cybercriminals, or a concerted, targeted attack on your
organization. These stand-alone chapters are for readers who are interested
not only in detecting malware, but also in extracting valuable threat
intelligence to learn who is attacking their network. If you’re less interested in
threat intelligence and more interested in data science–driven malware
detection, you can safely skip these chapters.

• Chapter 4: Identifying Attack Campaigns Using Malware Networks
shows you how to analyze and visualize malware based on shared attributes,
such as the hostnames that malware programs call out to.
• Chapter 5: Shared Code Analysis explains how to identify and visualize
shared code relationships between malware samples, which can help
you identify whether groups of malware samples came from one or multiple
criminal groups.

The next four chapters cover everything you need to know to
understand, apply, and implement machine learning–based malware detection
systems. These chapters also provide a foundation for applying machine
learning to other security contexts.

• Chapter 6: Understanding Machine Learning–Based Malware
Detectors is an accessible, intuitive, and non-mathematical introduction
to basic machine learning concepts. If you have a history with
machine learning, this chapter will provide a convenient refresher.
• Chapter 7: Evaluating Malware Detection Systems shows you how to
evaluate the accuracy of your machine learning systems using basic
statistical methods so that you can select the best possible approach.
• Chapter 8: Building Machine Learning Detectors introduces open
source machine learning tools you can use to build your own machine
learning systems and explains how to use them.
• Chapter 9: Visualizing Malware Trends covers how to visualize malware
threat data to reveal attack campaigns and trends using Python, and
how to integrate data visualization into your day-to-day workflow when
analyzing security data.

The last three chapters introduce deep learning, an advanced area
of machine learning that involves a bit more math. Deep learning is a
hot growth area within security data science, and these chapters provide
enough to get you started.

• Chapter 10: Deep Learning Basics covers the basic concepts that
underlie deep learning.
• Chapter 11: Building a Neural Network Malware Detector with Keras
explains how to implement deep learning–based malware detection
systems in Python using open source tools.
• Chapter 12: Becoming a Data Scientist concludes the book by sharing
different pathways to becoming a data scientist and qualities that can
help you succeed in the field.
• Appendix: An Overview of Datasets and Tools describes the data and
example tool implementations accompanying the book.

How to Use the Sample Code and Data


No good programming book is complete without sample code to play with
and extend on your own. Sample code and data accompany each chapter
of this book and are described exhaustively in the appendix. All the code
targets Python 2.7 in Linux environments. To access the code and data,
you can download a VirtualBox Linux virtual machine, which has the
code, data, and supporting open source tools all set up and ready to go,
and run it within your own VirtualBox environment. You can download
the book’s accompanying data at http://www.malwaredatascience.com/, and
you can download the VirtualBox for free at https://www.virtualbox.org/wiki/Downloads.
The code has been tested on Linux, but if you prefer to work
outside of the Linux VirtualBox, the same code should work almost as well
on MacOS, and to a lesser extent on Windows machines.
If you’d rather install the code and data in your own Linux
environment, you can download them here: http://www.malwaredatascience.com/.
You’ll find a directory for each chapter in the downloadable archive,
and within each chapter’s directory there are code/ and data/ directories
that contain the corresponding code and data. Code files correspond to
chapter listings or sections, whichever makes more sense for the
application at hand. Some code files are exactly like the listings, whereas others
have been changed slightly to make it easier for you to play with
parameters and other options. Code directories come with pip requirements.txt files,
which give the open source libraries that the code in that chapter depends
on to run. To install these libraries on your machine, simply type
pip install -r requirements.txt in each chapter’s code/ directory.
Now that you have access to the code and data for this book, let’s get
started.

1
Basic Static Malware Analysis

In this chapter we look at the basics of static malware analysis. Static
analysis is performed by analyzing a program file’s disassembled code,
graphical images, printable strings, and other on-disk resources. It refers to
reverse engineering without actually running the program. Although static
analysis techniques have their shortcomings, they can help us understand a
wide variety of malware.
Through careful reverse engineering, you’ll be able to better understand
the benefits that malware binaries provide attackers after they’ve taken
possession of a target, as well as the ways attackers can hide and continue
their attacks on an infected machine. As you’ll see, this chapter combines
descriptions and examples. Each section introduces a static analysis
technique and then illustrates its application in real-world analysis.
Part Two
The Fabric of the Cathedral
Name and Namesake
The legal title of the Cathedral is “the Cathedral Church of Saint John the Divine
in the City and Diocese of New York.” The adjective “cathedral,” commonly used as
a noun, is derived from the Greek word “cathedra” which means “seat.” In the
Cathedral is the cathedra of the Bishop of the Diocese of New York. It is not a
parish church and has no members in the sense in which a parish church has
members; but persons desiring to assist in cathedral work may join the auxiliary
organizations mentioned on page 115 following. The Cathedral is the chief church of
the Diocese which embraces 294 different parishes and missions.
The Cathedral is named after the author of the fourth Gospel, the three “epistles
general” bearing the name of John, and the book of “The Revelation of St. John the
Divine.” The word “Divine” in the title is not an adjective[2] but is a noun in
apposition with “St. John” and is rendered in the seal of the Cathedral by the Latin
word “theologus,” meaning “theologian.” St. John was one of the twelve Apostles,
and a brother of St. James the Great. He was “the Disciple whom Jesus loved”
(John xiii. 23), an expression implying exceptional sweetness and lovableness of
character. He founded the seven churches in Asia referred to in the Book of
Revelation. Toward the end of his ministrations, in which he suffered many
persecutions, he was banished to the Isle of Patmos, where he wrote the Book of
Revelation. When he returned from this exile, he continued his work until he died at
the advanced age of over 90 years. His traditional grave is at Ephesus. The two
principal symbols of St. John are the eagle with book, (explained in connection with
the symbols of the four Evangelists on page 44) and the chalice, the latter
sometimes having a serpent issuing from it. The sacramental cup without the
serpent is sometimes interpreted to refer to Christ’s reply to James and John: “Ye
shall indeed drink of the cup that I drink of” (Mark x. 39). The cup with the serpent
refers to the tradition related by St. Isidore to the effect that at Rome an attempt was
made to poison St. John in the communion wine, but that by a miracle the poison
vanished from the chalice in the form of a serpent. The Memorial Day for St. John is
kept on December 27.

Location and Access


The Cathedral is located between Cathedral parkway (110th street,) Amsterdam
avenue, 113th street, and Morningside drive.
The Cathedral can be reached by taking the Broadway subway to 110th street
and walking one block east and two north; the Broadway surface line to 112th street
and walking one block east; the Amsterdam avenue surface line to the entrance at
112th street; the 6th and 9th avenue elevated line to 110th street and walking two
blocks west and two north; or Fifth avenue omnibuses marked route “4” via 110th
street, or ’buses transferring thereto.
Morningside Heights being 100 feet above the level of the adjacent Harlem Plain,
the Cathedral commands a sweeping prospect toward the northeast, east, and
southeast, over the roofs of the city and past the trees of Central Park to the regions
beyond the Harlem and East rivers; while from the main entrance at Amsterdam
avenue and 112th street, one can look westward to the Hudson and see the
columned Palisades on the New Jersey shore beyond. Morningside Heights is the
modern name for the ground on which the battle of Harlem Heights was fought on
September 16, 1776. Washington, whose figure occupies a niche in the Choir
Parapet (page 51) and adorns the entrance to the Synod House (p. 114), personally
directed the troops in this engagement. At that period an old colonial road ran
through the Cathedral site and down the Heights of Morningside Park to the ancient
King’s Highway or Post Road. During the War of 1812, the Cathedral grounds were
immediately within the lines of defence erected in 1814, one of the blockhouses of
which stood on the bluff on the eastern side of Morningside drive just northeast of
113th st.[3]
The Cathedral grounds,—called the “Close,” from the practice in olden times of
securing the privacy of the cathedral precincts by enclosing them with a wall and
gates,—comprise 11½ acres. Upon them are situated, besides the Cathedral, the
Old Synod House (brick with columned portico, formerly the Leake & Watts Orphan
Asylum,) the Bishop’s House and Deanery, the Choir School, the New Synod
House, and St. Faith’s Training School for Deaconesses. See plan and descriptions
of buildings hereafter. The Close cost $850,000 and the buildings other than the
Cathedral about $1,000,000. A portion of the Close is set apart for recreation
grounds for the boys of the choir; and a portion of the lawn as a playground for
small children.

Administration and Clergy


The affairs of the Cathedral are in the hands of a Board of 25 Trustees which
constitutes the Corporation, and is composed of the Bishop of New York, 12 other
clergymen and 12 laymen. The Bishop is President of the Board.
The Clergy of the Cathedral are the Bishop, Dean, Canon Bursar, Canon Sacrist,
Canon Precentor, and the Honorary Canons, not to exceed seven in number. The
Bishop is elected by the Diocesan Convention and the election must be confirmed
by a majority of the Bishops and Dioceses of the Episcopal Church. The Dean and
Canons are nominated by the Bishop and elected by the Trustees. The Bishop,
besides his diocesan duties, has general direction of the services of the Cathedral,
which direction he expresses through the Dean. The use of the Cathedral for
worship and for charitable and benevolent work is entrusted to the Dean and
Chapter. The Chapter consists of the Dean, the Bursar, the Sacrist, and such other
Canons as may be elected. The Dean is Chairman of the Cathedral Chapter and
the executive head of the Cathedral, leading and co-ordinating the various branches
of its work. The Canon Bursar is the agent of the Treasurer of the Corporation,
receives the offerings and sees that they are applied to their proper objects, and is
Supervisor of Buildings and Grounds. The Canon Sacrist has the care of the
Cathedral as a place of worship and is Master of Ceremonies on all occasions. The
Canon Precentor is responsible for the fitting performance of the musical parts of
the Cathedral services. The offices of Canon Sacrist and Canon Precentor are
vacant, their duties being performed by the Precentor. The Dean and Canons may
have Vicars as assistants.
Following is the Cathedral Staff:
Bishop of New York

The Right Rev. William Thomas Manning, D.D., LL.D., D.C.L.

Dean

The Very Rev. Howard Chandler Robbins, D.D.

Canon Bursar

The Rev. Robert Ellis Jones, D.D.

Precentor

The Rev. Henry Purcell Veazie, M.A. (Oxon.)

Honorary Canons

The Rev. George Francis Nelson, D.D.


The Rev. George William Douglas, D.D.
The Rev. George Frederick Clover, M.A.
The Rev. Harold Adye Prichard, M.A.
The Rev. Pascal Harrower, M.A.

Head Master of the Choir School

William Lester Henry, A.B.

Organist and Master of the Choristers


Miles Farrow, M.A., Mus. Doc.

Head Verger

Thomas Meatyard.

The post-office address of any of the above mentioned is “The Cathedral of St.
John the Divine, New York, N. Y.”
The Bishop’s office is in the new Synod House at the corner of Amsterdam
Avenue and Cathedral Parkway. The offices of the Dean, Canon Bursar, etc., are in
the old Synod House which stands on the site of the South Transept. (See page 9).

Seals of Diocese and Cathedral

The seal of the Diocese is in the form of a pointed oval, or vesica,[4] and is as
follows:
Quarterly gules and argent, over all a cross counter-changed of the same. In
dexter chief the American eagle with wings displayed or; in sinister chief and dexter
base the sails of a windmill proper from the arms of the City of New York. In sinister
base two swords in saltire or from the arms of the see of London. Surmounted by
an episcopal mitre proper. The arms surmounted on a field purpure and enclosed
by a bordure azure lined (or edged) or bearing the legend “Seal of the Diocese of
New York MDCCLXXXV” or.
The red color (gules) and the swords are historically reminiscent of the fact that
prior to the Independence of the United States the church throughout the American
Colonies was under the ecclesiastical jurisdiction of the Diocese of London.
[Illustrations: Diocesan Seal; Cathedral Seal]

The seal of the Cathedral, also vesica-shaped, is as follows:


Tierce in pairle reversed. 1st, from the arms of the City of New York: argent four
sails of a windmill in saltire, between the ends in chief and base a beaver couchant,
in fess dexter and sinister a barrel of flour all proper. 2d, from the arms of the State
of New York: azure in a landscape the sun in fess rising in splendor or behind a
range of three mountains the middle one the highest, in base a ship and sloop
under sail passing and about to meet on a river bordered below by a grassy shore
fringed with shrubs all proper. 3d, azure seven six-pointed stars argent between as
many candlesticks or. Surmounted by an episcopal mitre proper. Enclosed by a
bordure gules edged or bearing the legend “Sigil. Eccles. Cath. S. Johann. Theol.
N. Ebor.” or.
The seven stars and candlesticks refer to the Revelation of St. John the Divine, i.
20.

Services
The Cathedral is open for private prayer and meditation every day of the year
from 7.30 a. m. to 5.30 p. m. There is a service in one of the chapels every
week-day at 7.30 a. m. The principal Sunday services are at 8 a. m., 11 a. m. and 4 p. m.,
the latter two being with full choral service and sermon. Other services are held on
week-days and Sundays as announced from time to time. As before stated, all
seats are free, and residents and strangers of all denominations are cordially
welcome.
The Cathedral service is neither “high” nor “low.” It is the prescribed liturgy of the
Church, with a fully choral rendering and congregational participation. Except during
the vacation season, there are usually about 60 persons in the procession. The
processional hymn is begun in the Ambulatory, through the south gate of which the
procession enters the Crossing and goes to the Choir. First comes the crucifer,
followed in order by the boys of the choir, the men of the choir, the Head Master of
the Choir School, the Verger and the clergy in inverse order of their rank. The
Bishop, if present, comes last, and is immediately preceded by the Verger and an
acolyte bearing the Bishop’s pastoral staff.[5] If the Bishop is absent, the Dean
comes last, preceded by the Verger. If neither Bishop nor Dean is present, the
Verger precedes all the clergy. The Verger (in black gown with purple facings),
carries a silver staff surmounted by the figure of an angel holding a tablet on which
is engraved the symbol of St. John the Divine, the chalice with emerging serpent.
When preceding the Bishop he carries his staff upright at his right shoulder, but
when going before the other clergy he carries it in the hollow of his left arm. The
organist and Master of the Choristers, wearing the gown and hood of Doctor of
Music, is usually invisible, being seated at the console in the gallery on the screen
at the south side of the Choir. At extraordinary musical services, an orchestra is
seated in the Choir, between the stalls, and then the Master of the Choristers
stands in the Choir, from which point he directs the singers, orchestra and assistant
organist. The recessional is in the same order as the processional. After entering
the Ambulatory, the procession halts while a dismissal prayer or hymn is said or
sung there, and the solemn service ends with a far-away “Amen” from the unseen
choir.[6]

Visitors
Visitors may see the Cathedral at all times between 7.30 a. m. and 5.30 p. m.
except during the hours of service. The Verger is usually in attendance.

Architecture
The architects of the Cathedral have been: Messrs. George L. Heins and C.
Grant LaFarge from July, 1891, until Mr. Heins’ death in September, 1907;[7] Mr.
LaFarge from September, 1907, until the completion of the Choir in April, 1911; and
Messrs. Cram & Ferguson from April, 1911, to the present time. Mr. Henry Vaughan
was architect of three of the Seven Chapels of Tongues, Messrs. Heins & LaFarge
of two, Messrs. Cram & Ferguson of one and Messrs. Carrere & Hastings of one, as
mentioned hereafter.
The prevailing style of the Cathedral will be French Gothic. The north of France, it
will be remembered, is the birthplace of Gothic architecture. There, in the region so
recently devastated by war, Gothic architecture rose and reached the flower of
perfection in such monuments as Amiens, Rheims, Notre Dame (Paris), Chartres,
Beauvais, and Rouen Cathedrals and many other churches, great and small.

Plan and Size


The plan of the Cathedral is cruciform (symbolism, the cross on which Christ was
crucified;) and is oriented so that the priest standing at the High Altar faces the east
(the rising sun symbolizing the resurrection, and the orientation also connoting the
ideas of Christ “the Sun of Righteousness,” “the Dayspring from on High,” and the
“Morning Star”).[8] Seven chapels, called the Chapels of Tongues, radiate from the
Apse, or semi-circular eastern end of the Choir.
The loftiest features of the elevation are the two towers of the West Front (q. v.)
and the great Central Tower above the Crossing. The latter, in the design now under
consideration, consists of a dodecagonal lantern, carried up from the square
Crossing in two stages, the upper smaller than the lower, and surmounted by a
flèche or open-work spire rising to a height of 500 feet (including cross) above the
ground.
When completed, the Cathedral will extend from Morningside drive to Amsterdam
avenue, more than a tenth of a mile. It will be 601 feet long and 315 feet wide
across the Transepts, and, with an area of 109,082 square feet, will be the third
largest in the world, St. Peter’s at Rome being first and Seville Cathedral second.
The seating capacity of the Crossing in which the congregation ordinarily sits is
1,500; but on special occasions, when chairs are placed in the Ambulatory and
people are admitted to the Choir Stalls, the Cathedral can accommodate about
3,500. When the church is finished, it will seat 7,000 and will accommodate several
thousand more standing.

Progress of Construction
The Founder of the Cathedral was the Right Rev. Horatio Potter, (Provisional
Bishop 1854-1861 and Bishop of New York 1861-1887), who proposed it in 1872.
The charter was granted by the Legislature of the state of New York in 1873. The
Right Rev. Henry Codman Potter, (Assistant Bishop 1883-1887 and Bishop of New
York 1887-1908), nephew and successor of Bishop Horatio Potter, actively
forwarded the movement for raising funds in 1886. The Close was purchased from
the Leake & Watts Orphan Asylum by deed dated October 31, 1891. The first
service on the ground was held January 1, 1892. The corner-stone was laid on St.
John’s Day, December 27, 1892.[9] The first service was held in the Crypt January
8, 1899, and the first service in the Choir and Crossing (being the consecration
service) April 19, 1911. Ground was broken for the Nave May 8, 1916, by the Right
Rev. David Hummell Greer, (Bishop Coadjutor 1904-1908 and Bishop of New York
1908-1919). The parts thus far built are the Crypt, Choir, seven Chapels of
Tongues, Crossing and foundation for the Nave. The Mohegan golden granite for
the walls of the Nave is now being quarried near Peekskill, N. Y., and is being
delivered on the grounds. Some details of the Choir and Crossing are unfinished.
The completed portion of the Cathedral has cost about $4,000,000, and it is
estimated that the Nave, West Front, Transepts, Spire, etc., will cost about
$15,000,000, making the total estimated cost about $19,000,000.

Funds for Building


Visitors to the Cathedral repeatedly ask when it will be finished. It is impossible to
answer this question definitely. Some of the cathedrals of the Old World have been
seven hundred years in building and are not yet completed. The things which
endure the longest are generally of slow growth,[10] and the Cathedral of St. John
the Divine is no exception to this rule. It is not a steel-frame structure, but is of
massive masonry in the best traditions of Gothic architecture and is being built to
stand for ages. Its physical construction must therefore necessarily be slow.
It is to be remembered, also, that the financial resources for the building of a
modern cathedral are different from those which supplied the means for building
many of the Old World churches. Westminster Abbey was built almost entirely from
revenues of the Kings from Henry III. to Henry VII. St. Paul’s in London was partly
built by the gifts of penitents who performed their penances in money. Occasionally
an ancient shrine grew into a great church in consequence of some tradition or
superstition which caused a continuous stream of illustrious persons to shower
wealth, privileges and honors upon it. Pope Honorius prescribed collections in all
Christendom for the building of Rheims Cathedral. The metropolitan church of St.
Rombold’s, in Malines, Belgium, was built with money paid by pilgrims who flocked
thither in the 14th and 15th centuries to obtain indulgences issued by Pope
Nicholas V.; and the Tour de Beurre (butter tower) of Bourges Cathedral, like the
tower of the same name at Rouen, “derives its name from having been erected with
money paid for indulgences to eat butter in Lent.” (Baedeker.)
To-day, however, reliance is placed entirely upon voluntary contributions. Some of
the larger gifts to the Cathedral of St. John the Divine are mentioned hereafter, but
there have been many other large ones and innumerable smaller ones equally
acceptable from donors irrespective of denominational affiliations who have caught
the civic and patriotic as well as the religious inspiration of what is to be America’s
greatest cathedral. In a general way, it may be said that the Cathedral will be
finished as fast as funds are provided;—and no faster, for the authorities have
rigidly maintained the provision of the statute, building only what can be paid for,
and worshippers are therefore not kneeling on any debt. Anyone desiring here to
enshrine a loving memory or to embody the offering of a grateful heart may place a
donation to the Building Fund in the alms-basin or in the box at the door, or send it
to the Dean at the Cathedral offices in the old Synod House, at Amsterdam avenue
and 112th street, New York City.

Foundation and Superstructure


The foundation of the Cathedral is of Maine granite. Although the bed-rock of
Morningside Heights (Manhattan schist) lies near the surface, it is so disintegrated
near the top that it was necessary to go down 72 feet in some places in order that
the Cathedral might rest securely on the “living rock.” The excavation and
foundation alone cost a quarter of a million dollars. The main walls of the
superstructure are also of granite, faced on the outside of the finished portion with
Mohegan golden granite quarried near Peekskill, N. Y., and on the inside with a soft
buff-colored limestone or dolomite called Frontenac stone from Pepin county, Wis.
The great flying buttresses and massive piers of the Crossing, exposed in their
rugged unfinished state, exhibit the dark Maine granite. Local materials are
mentioned in their appropriate places.

Exterior Survey
Before entering the Cathedral the visitor should make a circuit of the Close
(beginning on the south side and going eastward), comparing the outlines of the
Cathedral with the plan and noting the location of the other buildings. This will give
him a better understanding of the interior of the Cathedral and of its ultimate
connection with the Bishop’s House and the Choir School by means of cloisters. It
will be noted that the Old Synod House (brick, with Ionic-columned portico)
occupies the site of the South Transept.
The Seven Chapels of Tongues, (see page 69 et seq.,) may be identified on the
exterior by the following characteristics (south to north): Chapel of St. James,
rectangular plan, crenelated parapet of roof, and pinnacles on buttresses. Chapel of
St. Ambrose, half round window arches. Chapel of St. Martin of Tours, fleurs de lis
in quatrefoils above large windows; narrow pointed arch windows with single lights
in basement. Chapel of St. Saviour (easternmost), rectangular plan; cross on gable;
statues in niches of buttresses and wall. Chapel of St. Columba, angel on roof;
statues in niches of buttresses. Chapel of St. Boniface, statues in niches of
buttresses; small mullioned windows of three lights in basement. Chapel of St.
Ansgarius, rectangular plan; parapet of quatrefoil tracery; pinnacles on buttresses.
Three of the chapels have the following sculptures by Mr. Gutzon Borglum:
Chapel of St. Saviour: On eastern wall above the great window, the Christ Child; in
niches of buttresses on either side of window, Angels of the Resurrection; and
beneath the window, the Virgin, seated between (left) St. Simeon who blessed the
infant Jesus (Luke ii. 25-35) and (right) St. Zacharias, father of John the Baptist
(Luke i. 67-80).[11] Chapel of St. Columba: On roof, an angel with hands joined in
prayer; in upper part of great window, St. Columba with tamed wolf, recalling how
he subdued wild beasts as well as wild tribes; and in niches of buttresses the four
patron saints of the British Isles (left to right): St. David of Wales in beretta and
fringed gown; St. George of England in armor with cross on shield and dragon at
feet; St. Andrew of Scotland with diagonal cross[12]; and St. Patrick of Ireland, in
Bishop’s robes, with crozier in right hand and shamrock in left. Chapel of St.
Boniface: In niches of buttresses, Charlemagne, with crown and sword; Alcuin,
Charlemagne’s preceptor, in monastic garb with manuscripts in right hand;
Gutenberg, with book in each hand, his initials “J.G.” on one; and Luther, in
scholar’s gown, with book between hands.
The Clerestory of the Choir rises above the roofs of the chapels. In the canopied
niches near the top of the turrets and buttresses are 10 stone figures 9½ feet high
by Mr. Borglum, as follows (south to north): St. James the Less with fuller’s club
(indicating manner of his martyrdom), and St. Philip with Latin cross (symbol of his
crucifixion), together on turret; St. Bartholomew[13]; St. Thomas with square
(spiritual architect); St. James the Great with staff (pilgrim); St. Peter with key (to the
kingdom of Heaven); St. Andrew with diagonal cross; St. Matthew[13] with drapery
over head; and St. Simeon with saw, and St. Jude with spear, (indicating manner of
their death), together on turret.
Fourteen Stone Shields (only 12 in place), in the spandrels of the clerestory
windows above the seven Chapels of Tongues, bear (or will bear) the following
devices (south to north:) Above Chapel of St. James, (left) winged ox; and (right)
artist’s palette, brushes and maulsticks, and lily, symbolizing St. Luke.[14] Above
Chapel of St. Ambrose (left) lily, and (right) rose, both symbols of the Virgin Mary.
Above Chapel of St. Martin of Tours, (left) eagle, and (right) chalice, symbols of St.
John. Above Chapel of St. Saviour, (left) letters ΙϹ, ΧϹ, ΝΙ, ΚΑ, in four quarters
formed by a Greek cross, signifying Jesus Christ Conquers; and (right), initials SP,
SF, SS, of the Latin words Sanctus Pater, Sanctus Filius, Sanctus Spiritus, (Holy
Father, Holy Son, Holy Spirit,) in a trefoil, symbolizing the Trinity.[15] Above Chapel
of St. Columba, (left) crossed keys, symbol of St. Peter, and (right) crossed swords,
symbol of St. Paul. Above Chapel of St. Boniface, (left) winged lion; and (right) fig
tree, both symbols of St. Mark. Above Chapel of St. Ansgarius, (left) winged man
and (right) axe and book, both symbols of St. Matthew.

1. Jesus Christ Conquers. 2. Holy Father, Holy Son, Holy Spirit. 3 and 4. Saint Luke.

Surmounting the roof of the Choir, and facing eastward, is a bronze statue, 9½
feet high, by Mr. Borglum, representing St. Gabriel as Angel of the Resurrection,
blowing a trumpet.

THE WEST FRONT

(From Architect’s Drawing)

West Front
Returning to Amsterdam avenue at 112th street, we come to what will be the
main entrance of the Cathedral. In the space (now unoccupied) between the
sidewalk and the foundation of the Nave will be the West Front (see figure 1 of
plan). The tentative design for the West Front provides for three large and two
smaller recessed portals, similar to the plan of Bourges Cathedral. Above the north
and south portals rise two heavily buttressed square towers, named after St. Peter
(north) and St. Paul (south), presenting strong relief. Above the central portal is the
great Rose Window, flanked by the mullioned Gothic windows of the towers. Above
these, a gallery of niches containing statues extends entirely across the façade,
after the manner of the Gallery of Kings at Rheims Cathedral. Above this rise the
belfries of the two towers, each surmounted by pointed turrets at the four corners,
while between them, just above the gallery, appears the gable of the Nave. The
West Front is 220 feet wide and 80 feet deep, including the buttressing. The towers
are 50 feet square, 235 feet high to the top of the parapets and 265 feet high to the
top of the pinnacles.

THE EXTERIOR OF THE NAVE

(Composite Photograph of Model. Human figure shows scale)

The Nave
Crossing the space to be occupied by the West Front, we ascend temporary
steps to the foundation of the Nave (figure 2 of plan). Superstructure not yet begun
(June 15th, 1924). Here the visitor should pause and imagine himself entering the
western limb of the Cathedral, 225 feet long, 132 feet wide, 175 feet high outside
and 130 feet high inside, built in pure 13th century Gothic adapted to the
requirements of the plan. The central aisle,[16]—as wide between the centers of
piers as 112th street is between building lines—has two narrower aisles on each
side. Instead of the closely-grown-up forest effect produced by the columns of many
Gothic cathedrals, an air of openness and spaciousness, which distinguishes this
Cathedral throughout, is given by the relatively small number of piers and columns
and their ingenious disposition. In this arrangement the architect has made two
notable departures from the ordinary Gothic type: One is the erection of the
clerestory on the secondary line of columns (those nearest the side walls,) which
modifies the exterior system of flying buttresses, and the other is the introduction of
intermediate slender columns in the primary line of piers, resolving the Nave into a
system of four squares or double bays instead of eight rectangular bays. As the
primary ranges of piers and columns rise to the spring of the arches which support
the roof of the Nave, instead of being shortened to support the clerestory, an effect
of great spaciousness and lofty aspiration is produced; and this arrangement,
together with the rhythmic alternation of great piers and relatively small clustered
columns, allows a play of light and shade surpassing that of any mediaeval
cathedral. Under the roofs of the north and south aisles runs the triforium gallery;
and there are many beautiful details of ornament, including the tracery, panelling,
capitals, niches, pinnacles and sculptures. A light and cheerful effect is produced by
the illumination through 32 stained glass windows—eight in the aisle and eight in
the clerestory on each side,—and the great Rose Window in the west end.
While standing at the west end of the foundation, the visitor should survey the
great area of floor space that lies before him; then, looking eastward 225 feet (the
length of a city block and half the width of a street) imagine the present temporary
west wall of the Crossing removed, and the view extended about 225 feet farther to
the High Altar in the Sanctuary. He will then have an idea of the great vista of the
completed church.

ONE SIDE OF THE INTERIOR OF THE NAVE

(Composite Photograph of Model. Figures of choristers show scale)

Speaking of the building of the Cathedral in general and of the Nave in particular,
in his address to the 138th Annual Convention of the Diocese of New York on May
11, 1921, Bishop Manning said: “As to the practical value and importance of the
Cathedral, no one who knows anything of its work or of the multitudes that gather
here for worship can entertain a question. Large as it is, the present space is
insufficient. The Nave is urgently needed, not only that the great ideal which the
building embodies may be carried forward, but that there may be room for the
people who come for spiritual help, and that the Cathedral may meet its unequalled
missionary opportunity. I hope that our people, and especially those who have the
stewardship of wealth, will keep this great spiritual and missionary enterprise in
mind, and that many may be moved to aid it. The building waits only for the
necessary funds. And in the revised drawings, we at last have plans which by their
majesty and beauty worthily express the aim and ideal of this great structure ... I
believe that we have now a plan worthy of the unequalled opportunity of this
glorious Temple of God, and of its relation to the greatest and most complex city in
the world. I believe that for the carrying forward towards completion of such a
building as this, of which the whole country may be proud, and for the upholding of
the spiritual, social and civic ideals which it embodies, not only the people of our
own Church but many others in this metropolis and elsewhere will be glad to make
their gifts and to have their part and share with us.”

The Crossing
Walking the length of the Nave foundation (2 on plan) we pass through temporary
doorways and enter the Crossing (3), so-called from its location at the intersection
of the long and short arms of the cruciform ground plan. In this space, 100 feet
square, floored with concrete, are 1500 chairs for the congregation. To the
eastward, the Crossing opens into the Choir (10) and Ambulatory (12-12). On the
north, west and south sides the spaces between the ponderous piers of Maine
granite are filled with temporary windows and concrete walls which will be removed
when the Nave (2) and the North and South Transepts (4 and 5) are built. The
removal of these temporary walls will improve the acoustics. The rough, unadorned
piers on the north, west and south sides will eventually be faced with Frontenac
stone like those on the east side. The massiveness of this masonry may be judged
by the fact that a single pair of these piers with their connecting arch weighs 4000
tons. The Dome of the Crossing, 162 feet (just the height of Niagara Falls) above
the floor, is a remarkable piece of construction, the tiles having been laid by the
ingenious Guastavino method without the support of scaffolding. The present dome
is temporary; the permanent vault will be 200 feet above the floor. Mr. J. P. Morgan,
Mr. George S. Bowdoin and Mr. Harris C. Fahnestock were large contributors to the
building of the Crossing.

THE NAVE FOUNDATION AND CROSSING


The Pulpit, a memorial of Bishop Henry Codman Potter, is made of Knoxville,
Tenn., marble, an uncrystalline limestone favorable for very fine work. On the newel
posts of the stairs are the figures of the two great prophets of the Old and New
Testaments, Isaiah (south) and John the Baptist (north.) In the five principal Gothic
niches are as many scenes in the life of Christ (north to south): The Nativity, Jesus
Among the Doctors, the Crucifixion, the Resurrection, and the Supper at Emmaus
(Luke xxiv. 30-31). In the smaller niches are the figures of eight great exponents of
the Holy Scriptures and champions of human freedom (north to south); St. Jerome,
St. Gregory, St. Chrysostom, St. Peter, St. Paul, Hugh Latimer, Bossuet, and Bishop
Phillips Brooks of Massachusetts.[17] Beneath these niches runs a moulding of
grape-vine design symbolizing Christ the true vine[18] (John xv. 1) and beneath this
one of roses symbolizing Christ the Rose of Sharon (Cant. ii. 1). On the base are
the symbols of the four Evangelists: The winged man for St. Matthew, winged lion
for St. Mark, winged ox for St. Luke, and eagle for St. John.[19] The pulpit is
surmounted by a carved oak canopy of Gothic tracery, upon which is the beginning
of the Gloria in Excelsis:

“Glory be to God on high and on ‖ earth ‖ peace ‖ good will towards ‖ men. We praise
thee ‖ we bless thee, we ‖ worship ‖ thee, we glorify thee, we give thanks ‖ to thee for thy
great glory. O Lord God, heavenly King.”

THE PULPIT

On the side of the stairs is inscribed:

“In Memory of ‖ Henry Codman Potter ‖ the gift of ‖ Mrs. Russell Sage ‖ A.D. 1916.”

The pulpit, which cost $30,000, was designed by Mr. Henry Vaughan and
executed by Messrs. John Evans & Co. of Boston.

ONE OF THE BARBERINI TAPESTRIES

Barberini Tapestries. The tapestries in the Crossing and Ambulatory were woven
in the first half of the 17th century on the papal looms founded by Cardinal Barberini
under the patronage of his uncle Pope Urban VIII. They were executed under the
direction of the master weaver Jacques della Riviera from cartoons painted by Jean
Francois Romanelli. The cartoons are now in the Vatican. The tapestries, originally
designed for the throne room of the Barberini Palace at Rome, afterward a part of
the Ffoulke Collection in Washington, and finally presented to the Cathedral by Mrs.
Elizabeth U. Coles, are twelve in number and represent scenes in the life of Christ.
Four of them hang in the Crossing as follows: In the northeast corner, the Delivery
of the Keys to St. Peter; southeast corner, the Last Supper; southwest corner, the
Adoration of the Shepherds; and northwest corner, the Flight of Joseph and Mary
with the infant Jesus into Egypt. Seven hang in the Ambulatory, as follows (north to
south): Christ’s Baptism, the Annunciation, the Adoration of the Magi, the Crucifixion
(directly behind and above the High Altar,) the Transfiguration, the Resurrection,
and the Agony in the Garden. The twelfth, a map of the Holy Land, is not at present
hung. These works are all 15 feet 8 inches high and average 14 feet 1 inch wide.
The Delivery of the Keys to St. Peter, the Last Supper, and the Flight into Egypt are
more than 17 feet wide. These tapestries appear more like paintings than products
of the loom.

THE INTERIOR OF THE CROSSING AND CHOIR

The Litany Desk at the eastern end of the middle aisle (often removed) is of
carved oak. Surmounting the ends are two praying angels, while on the front are
statues of St. Michael with sword, St. John with chalice, and St. Gabriel with lilies,
all facing the Altar. An inscription reads: