Matouš Kozák,Martin Jureček,Mark Stamp,Fabio Di Troia

DOI: https://doi.org/10.1007/s11416-024-00516-2

2023-06-24

Abstract:Machine learning is becoming increasingly popular as a go-to approach for many tasks due to its world-class results. As a result, antivirus developers are incorporating machine learning models into their products. While these models improve malware detection capabilities, they also carry the disadvantage of being susceptible to adversarial attacks. Although this vulnerability has been demonstrated for many models in white-box settings, a black-box attack is more applicable in practice for the domain of malware detection. We present a generator of adversarial malware examples using reinforcement learning algorithms. The reinforcement learning agents utilize a set of functionality-preserving modifications, thus creating valid adversarial examples. Using the proximal policy optimization (PPO) algorithm, we achieved an evasion rate of 53.84% against the gradient-boosted decision tree (GBDT) model. The PPO agent previously trained against the GBDT classifier scored an evasion rate of 11.41% against the neural network-based classifier MalConv and an average evasion rate of 2.31% against top antivirus programs. Furthermore, we discovered that random application of our functionality-preserving portable executable modifications successfully evades leading antivirus engines, with an average evasion rate of 11.65%. These findings indicate that machine learning-based models used in malware detection systems are vulnerable to adversarial attacks and that better safeguards need to be taken to protect these systems.

Cryptography and Security,Artificial Intelligence

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Prithviraj Dasgupta,Zachariah Osman

DOI: https://doi.org/10.48550/arXiv.2111.11487

2021-11-23

Abstract:We consider the problem of generating adversarial malware by a cyber-attacker where the attacker's task is to strategically modify certain bytes within existing binary malware files, so that the modified files are able to evade a malware detector such as machine learning-based malware classifier. We have evaluated three recent adversarial malware generation techniques using binary malware samples drawn from a single, publicly available malware data set and compared their performances for evading a machine-learning based malware classifier called MalConv. Our results show that among the compared techniques, the most effective technique is the one that strategically modifies bytes in a binary's header. We conclude by discussing the lessons learned and future research directions on the topic of adversarial malware generation.

Cryptography and Security,Machine Learning

Fangtian Zhong,Pengfei Hu,Guoming Zhang,Hong Li,Xiuzhen Cheng

DOI: https://doi.org/10.1016/j.cose.2022.102869

IF: 5.105

2022-01-01

Computers & Security

Abstract:Recent advances in machine learning offer attractive tools for sophisticated adversaries. An attacker could transform malware into its adversarial version but retain its malicious functionality by employing a ded-icated perturbation method. These adversarial malware examples have demonstrated the effectiveness to bypass antivirus engines. However, recent works only leverage a single perturbation method to gen-erate adversarial examples, which cannot defeat advanced detectors. In this paper, we propose a rein-forcement learning-based framework called MalInfo, which could generate powerful adversarial malware examples to evade the third-party detectors via an adaptive selection of a perturbation path for each malware in our collected dataset with 10 0 0 diverse malware. To cope with limited computation, MalInfo applies either dynamic programming or temporal difference learning to choose the optimal perturbation path where each path is formed by the combination of Obfusmal, Stealmal, and Hollowmal. We pro-vide a proof-of-concept implementation and extensive evaluation of our framework. Both the detection rate and evasive rate have substantially been improved compared with the state-of-art research MalFox Zhong et al. (2021). To be specific, The average detection rates for dynamic programming and temporal difference learning are 23 . 2% ( 21 . 9% lower than MalFox) and 27 . 5% ( 7 . 4% lower than MalFox), respectively, and the average evasive rates are 65 . 8% ( 17 . 1% higher than MalFox) and 59 . 4% ( 5 . 7% higher than MalFox), respectively.(c) 2022 Elsevier Ltd. All rights reserved.

Xintong Li,Qi Li

DOI: https://doi.org/10.1016/j.cose.2020.102118

2021-05-01

Abstract:<p>In order to reduce the risk of malware, researchers proposed various malware detection methods, in which the machine learning-based method has been paid more and more attention. However, malware developers used a variety of countermeasures to evade detection. For example, they may generate so-called adversarial examples to interfere with machine-learning-based detectors. An adversarial example is one that makes changes to the malware so that the generated malware can evade detection while retaining the malicious functionality. In the complex adversarial environment, only the in-depth analysis of the adversarial code can comprehensively improve the detection level of the detector. In this work, we used improved reinforcement learning to generate adversarial examples. The method accepts malicious code samples as input, and takes detection engine and feature extractor as the environment, to output several malicious samples that can avoid the detection by adjusting each detection results. Compared with the existing methods based on reinforcement learning, our method can generate reward function automatically without manual setting, which greatly improves the flexibility of the model. We compared the effectiveness of our algorithm with other methods in some of the literature on a set of portable executable files (PEs). Experimental results show that our algorithm is more flexible and effective.</p>

computer science, information systems

Yanchen Qiao,Weizhe Zhang,Zhicheng Tian,Laurence T. Yang,Yang Liu,Mamoun Alazab

DOI: https://doi.org/10.1016/j.cose.2022.102762

IF: 5.105

2022-01-01

Computers & Security

Abstract:The deep learning methods had been proved to be effective for malware detection in the past. However, the recent studies show that deep learning models are vulnerable to adversarial attacks. Thus, the malware detection models based on deep learning face the threat of adversarial examples. As a popular case of adversarial examples, adversarial images are usually generated by adding unrecognizable perturbations to original pictures. When applying the same method to the windows PE (Portable Executable) malware, the original structure cannot be destroyed and the original functions of PE malware need to be preserved. Most existing windows adversarial malware generation works are derived from adversarial image methods with some adaptive modifications such as inserting perturbations in the slack space of the PE file. The both generation methods have some similarities but also many differences. Thus, directly using the methods of adversarial images to create malware effects the efficiency and fooling rate. In this paper, we overcome these issues by proposing a method for generating windows adversarial malware in PE format based on prototype samples of deep learning models. The prototype samples are the most typical ones of a certain category of the classification models. With the characteristic of the prototype samples, the bytes of the prototype samples are added as perturbations to the malware samples. This way can fast generate adversarial malware that could fool the target model. The proposed method is evaluated on a real world dataset of malware. Promising results show that the method can fool the deep learning based malware detection models with a high rate.(c) 2022 Elsevier Ltd. All rights reserved.

Bojan Kolosnjaji,Ambra Demontis,Battista Biggio,Davide Maiorca,Giorgio Giacinto,Claudia Eckert,Fabio Roli

DOI: https://doi.org/10.23919/eusipco.2018.8553214

2018-09-01

Abstract:Machine learning has already been exploited as a useful tool for detecting malicious executable files. Data retrieved from malware samples, such as header fields, instruction sequences, or even raw bytes, is leveraged to learn models that discriminate between benign and malicious software. However, it has also been shown that machine learning and deep neural networks can be fooled by evasion attacks (also known as adversarial examples), i.e., small changes to the input data that cause misclassification at test time. In this work, we investigate the vulnerability of malware detection methods that use deep networks to learn from raw bytes. We propose a gradient-based attack that is capable of evading a recently-proposed deep network suited to this purpose by only changing few specific bytes at the end of each mal ware sample, while preserving its intrusive functionality. Promising results show that our adversarial malware binaries evade the targeted network with high probability, even though less than 1 % of their bytes are modified.

Abdullah Al-Dujaili,Alex Huang,Erik Hemberg,Una-May O'Reilly

DOI: https://doi.org/10.48550/arXiv.1801.02950

2018-03-25

Abstract:Malware is constantly adapting in order to avoid detection. Model based malware detectors, such as SVM and neural networks, are vulnerable to so-called adversarial examples which are modest changes to detectable malware that allows the resulting malware to evade detection. Continuous-valued methods that are robust to adversarial examples of images have been developed using saddle-point optimization formulations. We are inspired by them to develop similar methods for the discrete, e.g. binary, domain which characterizes the features of malware. A specific extra challenge of malware is that the adversarial examples must be generated in a way that preserves their malicious functionality. We introduce methods capable of generating functionally preserved adversarial malware examples in the binary domain. Using the saddle-point formulation, we incorporate the adversarial examples into the training of models that are robust to them. We evaluate the effectiveness of the methods and others in the literature on a set of Portable Execution~(PE) files. Comparison prompts our introduction of an online measure computed during training to assess general expectation of robustness.

Cryptography and Security,Machine Learning

Yan Jia,Nie Chujiang,Su Purui

DOI: https://doi.org/10.11999/jeit191059

2020-01-01

Abstract:Machine learning is widely used in malicious code detection and plays an important role in malicious code detection products. Constructing adversarial samples for malicious code detection machine learning models is the key to discovering defects in malicious code detection models, evaluating and improving malicious code detection systems. This paper proposes a method for generating malicious code adversarial samples based on genetic algorithms. The generated samples combat effectively the malicious code detection model based on machine learning, while ensuring the consistency of the executable and malicious behavior of malicious code samples, and improving effectively the authenticity of the generated adversarial samples and the accuracy of the model adversarial evaluation are presented. The experiments show that the proposed method of generating adversarial samples reduces the detection accuracy of the MalConv malicious code detection model by 14.65%, and can directly interfere with four commercial machine-based malicious code detection engines in VirusTotal. Among them, the accuracy rate of Cylance detection is only 53.55%.

Weiwei Hu,Ying Tan

DOI: https://doi.org/10.1007/978-981-19-8991-9_29

2022-01-01

Abstract:Machine learning has been used to detect new malware in recent years, while malware authors have strong motivation to attack such algorithms. Malware authors usually have no access to the detailed structures and parameters of the machine learning models used by malware detection systems, and therefore they can only perform black-box attacks. This paper proposes a generative adversarial network (GAN) based algorithm named MalGAN to generate adversarial malware examples, which are able to bypass black-box machine learning based detection models. MalGAN uses a substitute detector to fit the black-box malware detection system. A generative network is trained to minimize the generated adversarial examples' malicious probabilities predicted by the substitute detector. The superiority of MalGAN over traditional gradient based adversarial example generation algorithms is that MalGAN is able to decrease the detection rate to nearly zero and make the retraining based defensive method against adversarial examples hard to work.

Jun Chen,Jingfei Jiang,Rongchun Li,Yong Dou

DOI: https://doi.org/10.1088/1742-6596/1575/1/012011

2020-01-01

Abstract:Machine learning technology has been applied in filed of malware detection; it can improve efficiency of malware detection to deal with more and more increasing malware variants. However, malware detection model based on machine learning also has weakness which can be cheated by adversarial examples. Researching on method of generating adversarial examples could be benefit to exposing vulnerability of malware detection model and designing better malware detector. In this paper, we propose a reinforcement learning environment named gym-malware-mini based on gym-malware through which we generate adversarial examples using DQN and A2C deep reinforcement learning algorithm. As a result, DQN agent learned better policy of generating adversarial examples in gym-malware-mini, Success rate is increased by 18% compared with gym-malware. Success rate of DQN agent and A2C agent is increased by 20% and 15% compared with random agent in gym-malware-mini environment.

Daniel Gibert,Jordi Planes,Quan Le,Giulio Zizzo

DOI: https://doi.org/10.1109/EuroSPW59978.2023.00052

2023-06-16

Abstract:Malware detectors based on machine learning (ML) have been shown to be susceptible to adversarial malware examples. However, current methods to generate adversarial malware examples still have their limits. They either rely on detailed model information (gradient-based attacks), or on detailed outputs of the model - such as class probabilities (score-based attacks), neither of which are available in real-world scenarios. Alternatively, adversarial examples might be crafted using only the label assigned by the detector (label-based attack) to train a substitute network or an agent using reinforcement learning. Nonetheless, label-based attacks might require querying a black-box system from a small number to thousands of times, depending on the approach, which might not be feasible against malware detectors. This work presents a novel query-free approach to craft adversarial malware examples to evade ML-based malware detectors. To this end, we have devised a GAN-based framework to generate adversarial malware examples that look similar to benign executables in the feature space. To demonstrate the suitability of our approach we have applied the GAN-based attack to three common types of features usually employed by static ML-based malware detectors: (1) Byte histogram features, (2) API-based features, and (3) String-based features. Results show that our model-agnostic approach performs on par with MalGAN, while generating more realistic adversarial malware examples without requiring any query to the malware detectors. Furthermore, we have tested the generated adversarial examples against state-of-the-art multimodal and deep learning malware detectors, showing a decrease in detection performance, as well as a decrease in the average number of detections by the anti-malware engines in VirusTotal.

Cryptography and Security

Daniel Gibert,Carles Mateu,Jordi Planes,Joao Marques-Silva

DOI: https://doi.org/10.1016/j.cose.2020.102159

2021-03-01

Abstract:Malicious software is one of the most serious cyber threats on the Internet today. Traditional malware detection has proven unable to keep pace with the sheer number of malware because of their growing complexity, new attacks and variants. Most malware implement various metamorphic techniques in order to disguise themselves, therefore preventing successful analysis and thwarting the detection by signature-based anti-malware engines. During the past decade, there has been an increase in the research and deployment of anti-malware engines powered by machine learning, and in particular deep learning, due to their ability to handle huge volumes of malware and generalize to never-before-seen samples. However, there is little research about the vulnerability of these models to adversarial examples. To fill this gap, this paper presents an exhaustive evaluation of the state-of-the-art approaches for malware classification against common metamorphic attacks. Given the limitations found in deep learning approaches, we present a simple architecture that increases 14.95% the classification performance with respect to MalConv's architecture. Furthermore, the use of the metamorphic techniques to augment the training set is investigated and results show that it significantly improves the classification of malware belonging to families with few samples.

computer science, information systems

Jianhua Wang,Xiaolin Chang,Jelena Misic,Vojislav B. Misic,Yixiang Wang,Jianan Zhang

DOI: https://doi.org/10.1109/globecom46510.2021.9685442

2021-01-01

Abstract:Various Machine Learning (ML) models have been developed for malware detection. But their widespread application is challenged by adversarial attacks using adversarial malware examples. Generative Adversarial Networks (GAN) is one of the effective approaches to help build possible unknown attacks and expose the vulnerability of targeted systems. The existing GAN-based ML models have the weaknesses of unstable training and low-quality adversarial examples. In this paper, we propose a novel Mal-LSGAN model to tackle these weaknesses. By using a Least Square (LS) loss function and new activation function combinations, Mal-LSGAN achieves a higher Attack Success Rate (ASR) and a lower True Positive Rate (TPR) in 6 ML detectors, compared with the existing MalGAN and Imp-MalGAN. In Multi-Layer Perceptron (MLP), Mal-LSGAN can even decrease TPR from 97.81% of original examples to 2.92% of adversarial examples. The experimental results also demonstrate that Mal-Lsgangets the preferable transferability of adversarial malware examples.

Rayan Mosli,Thomas J. Slota,Yin Pan

DOI: https://doi.org/10.1109/hst53381.2021.9619825

2021-01-01

Abstract:Malconv is considered the state-of-the-art in mal-ware detection for Windows PE executables. It is a Convolutional Deep Learning model that is capable of consuming executable byte code to detect malware with high accuracy. Attacks have been created that can effectively generate adversarial examples to evade the detection of Malconv. However, these attacks generate adversarial examples by inserting benign bytes to maintain the malware’s malicious functionalities, an approach that is presumed to be easily detectable. In this paper, a novel black-box attack is proposed to create adversarial examples against Malconv, where functionally-equivalent instruction replacements are combined with Particle Swarm Optimization to create adversarial examples. The overall goal is to demonstrate that Malconv is prone to sophisticated attacks that interact with the executable portions of the malware.

Trong-Nghia To,Danh Le Kim,Do Thi Thu Hien,Nghi Hoang Khoa,Hien Do Hoang,Phan The Duy,Van-Hau Pham

2023-09-25

Abstract:Recently, there has been a growing focus and interest in applying machine learning (ML) to the field of cybersecurity, particularly in malware detection and prevention. Several research works on malware analysis have been proposed, offering promising results for both academic and practical applications. In these works, the use of Generative Adversarial Networks (GANs) or Reinforcement Learning (RL) can aid malware creators in crafting metamorphic malware that evades antivirus software. In this study, we propose a mutation system to counteract ensemble learning-based detectors by combining GANs and an RL model, overcoming the limitations of the MalGAN model. Our proposed FeaGAN model is built based on MalGAN by incorporating an RL model called the Deep Q-network anti-malware Engines Attacking Framework (DQEAF). The RL model addresses three key challenges in performing adversarial attacks on Windows Portable Executable malware, including format preservation, executability preservation, and maliciousness preservation. In the FeaGAN model, ensemble learning is utilized to enhance the malware detector's evasion ability, with the generated adversarial patterns. The experimental results demonstrate that 100\% of the selected mutant samples preserve the format of executable files, while certain successes in both executability preservation and maliciousness preservation are achieved, reaching a stable success rate.

Cryptography and Security,Machine Learning

James Lee Hu,Mohammadreza Ebrahimi,Hsinchun Chen

DOI: https://doi.org/10.48550/arXiv.2112.01724

2021-12-03

Cryptography and Security

Abstract:Deep Learning (DL)-based malware detectors are increasingly adopted for early detection of malicious behavior in cybersecurity. However, their sensitivity to adversarial malware variants has raised immense security concerns. Generating such adversarial variants by the defender is crucial to improving the resistance of DL-based malware detectors against them. This necessity has given rise to an emerging stream of machine learning research, Adversarial Malware example Generation (AMG), which aims to generate evasive adversarial malware variants that preserve the malicious functionality of a given malware. Within AMG research, black-box method has gained more attention than white-box methods. However, most black-box AMG methods require numerous interactions with the malware detectors to generate adversarial malware examples. Given that most malware detectors enforce a query limit, this could result in generating non-realistic adversarial examples that are likely to be detected in practice due to lack of stealth. In this study, we show that a novel DL-based causal language model enables single-shot evasion (i.e., with only one query to malware detector) by treating the content of the malware executable as a byte sequence and training a Generative Pre-Trained Transformer (GPT). Our proposed method, MalGPT, significantly outperformed the leading benchmark methods on a real-world malware dataset obtained from VirusTotal, achieving over 24.51\% evasion rate. MalGPT enables cybersecurity researchers to develop advanced defense capabilities by emulating large-scale realistic AMG.

Yuxin Ding,Miaomiao Shao,Cai Nie,Kunyang Fu

DOI: https://doi.org/10.3390/electronics11010154

IF: 2.9

2022-01-01

Electronics

Abstract:Deep learning methods have been applied to malware detection. However, deep learning algorithms are not safe, which can easily be fooled by adversarial samples. In this paper, we study how to generate malware adversarial samples using deep learning models. Gradient-based methods are usually used to generate adversarial samples. These methods generate adversarial samples case-by-case, which is very time-consuming to generate a large number of adversarial samples. To address this issue, we propose a novel method to generate adversarial malware samples. Different from gradient-based methods, we extract feature byte sequences from benign samples. Feature byte sequences represent the characteristics of benign samples and can affect classification decision. We directly inject feature byte sequences into malware samples to generate adversarial samples. Feature byte sequences can be shared to produce different adversarial samples, which can efficiently generate a large number of adversarial samples. We compare the proposed method with the randomly injecting and gradient-based methods. The experimental results show that the adversarial samples generated using our proposed method have a high successful rate.

Kun Li,Fan Zhang,Wei Guo

2023-05-22

Abstract:Malware detection models based on deep learning have been widely used, but recent research shows that deep learning models are vulnerable to adversarial attacks. Adversarial attacks are to deceive the deep learning model by generating adversarial samples. When adversarial attacks are performed on the malware detection model, the attacker will generate adversarial malware with the same malicious functions as the malware, and make the detection model classify it as benign software. Studying adversarial malware generation can help model designers improve the robustness of malware detection models. At present, in the work on adversarial malware generation for byte-to-image malware detection models, there are mainly problems such as large amount of injection perturbation and low generation efficiency. Therefore, this paper proposes FGAM (Fast Generate Adversarial Malware), a method for fast generating adversarial malware, which iterates perturbed bytes according to the gradient sign to enhance adversarial capability of the perturbed bytes until the adversarial malware is successfully generated. It is experimentally verified that the success rate of the adversarial malware deception model generated by FGAM is increased by about 84\% compared with existing methods.

Cryptography and Security,Artificial Intelligence

Shuai He,Cai Fu,Hong Hu,Jiahe Chen,Jianqiang Lv,Shuai Jiang

DOI: https://doi.org/10.1145/3597503.3639141

2024-01-01

Abstract:Recent methods have demonstrated that machine learning (ML) based static malware detection models are vulnerable to adversarial attacks. However, the generated malware often fails to generalize to production-level anti-malware software (AMS), as they usually involve multiple detection methods. This calls for universal solutions to the problem of malware variants generation. In this work, we demonstrate how the proposed method, MalwareTotal, has allowed malware variants to continue to abound in ML-based, signature-based, and hybrid anti-malware software. Given a malicious binary, we develop sequential bypass tactics that enable malicious behavior to be concealed within multi-faceted manipulations. Through 12 experiments on real-world malware, we demonstrate that an attacker can consistently bypass detection (98.67%, and 100% attack success rate against ML-based methods EMBER and MalConv, respectively; 95.33%, 92.63%, and 98.52% attack success rate against production-level anti-malware software ClamAV, AMS A, and AMS B, respectively) without modifying the malware functionality. We further demonstrate that our approach outperforms state-of-the-art adversarial malware generation techniques both in attack success rate and query consumption (the number of queries to the target model). Moreover, the samples generated by our method have demonstrated transferability in the real-world integrated malware detector, VirusTotal. In addition, we show that common mitigation such as adversarial training on known attacks cannot effectively defend against the proposed attack. Finally, we investigate the value of the generated adversarial examples as a means of hardening victim models through an adversarial training procedure, and demonstrate that the accuracy of the retrained model against generated adversarial examples increases by 88.51 percentage points.