Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Yuxin Ding,Miaomiao Shao,Cai Nie,Kunyang Fu

DOI: https://doi.org/10.3390/electronics11010154

IF: 2.9

2022-01-01

Electronics

Abstract:Deep learning methods have been applied to malware detection. However, deep learning algorithms are not safe, which can easily be fooled by adversarial samples. In this paper, we study how to generate malware adversarial samples using deep learning models. Gradient-based methods are usually used to generate adversarial samples. These methods generate adversarial samples case-by-case, which is very time-consuming to generate a large number of adversarial samples. To address this issue, we propose a novel method to generate adversarial malware samples. Different from gradient-based methods, we extract feature byte sequences from benign samples. Feature byte sequences represent the characteristics of benign samples and can affect classification decision. We directly inject feature byte sequences into malware samples to generate adversarial samples. Feature byte sequences can be shared to produce different adversarial samples, which can efficiently generate a large number of adversarial samples. We compare the proposed method with the randomly injecting and gradient-based methods. The experimental results show that the adversarial samples generated using our proposed method have a high successful rate.

Pavla Louthánová,Matouš Kozák,Martin Jureček,Mark Stamp

DOI: https://doi.org/10.1007/s11416-024-00519-z

2023-08-19

Abstract:Machine learning has proven to be a useful tool for automated malware detection, but machine learning models have also been shown to be vulnerable to adversarial attacks. This article addresses the problem of generating adversarial malware samples, specifically malicious Windows Portable Executable files. We summarize and compare work that has focused on adversarial machine learning for malware detection. We use gradient-based, evolutionary algorithm-based, and reinforcement-based methods to generate adversarial samples, and then test the generated samples against selected antivirus products. We compare the selected methods in terms of accuracy and practical applicability. The results show that applying optimized modifications to previously detected malware can lead to incorrect classification of the file as benign. It is also known that generated malware samples can be successfully used against detection models other than those used to generate them and that using combinations of generators can create new samples that evade detection. Experiments show that the Gym-malware generator, which uses a reinforcement learning approach, has the greatest practical potential. This generator achieved an average sample generation time of 5.73 seconds and the highest average evasion rate of 44.11%. Using the Gym-malware generator in combination with itself improved the evasion rate to 58.35%.

Cryptography and Security,Machine Learning

LIU Yanhua,LI Jiaqi,OU Zhengui,GAO Xiaoling,LIU Ximeng,MENG Weizhi,LIU Baoxu

DOI: https://doi.org/10.11959/j.issn.1000−436x.2022171

2022-01-01

Abstract:To solve the deficiency of the malicious code detector’s ability to detect adversarial input, an adversarial training driven malicious code detection enhancement method was proposed.Firstly, the applications were preprocessed by a decompiler tool to extract API call features and map them into binary feature vectors.Secondly, the Wasserstein generative adversarial network was introduced to build a benign sample library to provide a richer combination of perturbations for malicious sample evasion detectors.Then, a perturbation reduction algorithm based on logarithmic backtracking was proposed.The benign samples were added to the malicious code in the form of perturbations, and the added benign perturbations were culled dichotomously to reduce the number of perturbations with fewer queries.Finally, the adversarial malicious code samples were marked as malicious and the detector was retrained to improve its accuracy and robustness of the detector.The experimental results show that the generated malicious code adversarial samples can evade the detector well.Additionally, the adversarial training increases the target detector’s accuracy and robustness.

Weiwei Hu,Ying Tan

DOI: https://doi.org/10.1007/978-981-19-8991-9_29

2022-01-01

Abstract:Machine learning has been used to detect new malware in recent years, while malware authors have strong motivation to attack such algorithms. Malware authors usually have no access to the detailed structures and parameters of the machine learning models used by malware detection systems, and therefore they can only perform black-box attacks. This paper proposes a generative adversarial network (GAN) based algorithm named MalGAN to generate adversarial malware examples, which are able to bypass black-box machine learning based detection models. MalGAN uses a substitute detector to fit the black-box malware detection system. A generative network is trained to minimize the generated adversarial examples' malicious probabilities predicted by the substitute detector. The superiority of MalGAN over traditional gradient based adversarial example generation algorithms is that MalGAN is able to decrease the detection rate to nearly zero and make the retraining based defensive method against adversarial examples hard to work.

Xintong Li,Qi Li

DOI: https://doi.org/10.1016/j.cose.2020.102118

2021-05-01

Abstract:<p>In order to reduce the risk of malware, researchers proposed various malware detection methods, in which the machine learning-based method has been paid more and more attention. However, malware developers used a variety of countermeasures to evade detection. For example, they may generate so-called adversarial examples to interfere with machine-learning-based detectors. An adversarial example is one that makes changes to the malware so that the generated malware can evade detection while retaining the malicious functionality. In the complex adversarial environment, only the in-depth analysis of the adversarial code can comprehensively improve the detection level of the detector. In this work, we used improved reinforcement learning to generate adversarial examples. The method accepts malicious code samples as input, and takes detection engine and feature extractor as the environment, to output several malicious samples that can avoid the detection by adjusting each detection results. Compared with the existing methods based on reinforcement learning, our method can generate reward function automatically without manual setting, which greatly improves the flexibility of the model. We compared the effectiveness of our algorithm with other methods in some of the literature on a set of portable executable files (PEs). Experimental results show that our algorithm is more flexible and effective.</p>

computer science, information systems

Prithviraj Dasgupta,Zachariah Osman

DOI: https://doi.org/10.48550/arXiv.2111.11487

2021-11-23

Abstract:We consider the problem of generating adversarial malware by a cyber-attacker where the attacker's task is to strategically modify certain bytes within existing binary malware files, so that the modified files are able to evade a malware detector such as machine learning-based malware classifier. We have evaluated three recent adversarial malware generation techniques using binary malware samples drawn from a single, publicly available malware data set and compared their performances for evading a machine-learning based malware classifier called MalConv. Our results show that among the compared techniques, the most effective technique is the one that strategically modifies bytes in a binary's header. We conclude by discussing the lessons learned and future research directions on the topic of adversarial malware generation.

Cryptography and Security,Machine Learning

Matouš Kozák,Martin Jureček,Mark Stamp,Fabio Di Troia

DOI: https://doi.org/10.1007/s11416-024-00516-2

2023-06-24

Abstract:Machine learning is becoming increasingly popular as a go-to approach for many tasks due to its world-class results. As a result, antivirus developers are incorporating machine learning models into their products. While these models improve malware detection capabilities, they also carry the disadvantage of being susceptible to adversarial attacks. Although this vulnerability has been demonstrated for many models in white-box settings, a black-box attack is more applicable in practice for the domain of malware detection. We present a generator of adversarial malware examples using reinforcement learning algorithms. The reinforcement learning agents utilize a set of functionality-preserving modifications, thus creating valid adversarial examples. Using the proximal policy optimization (PPO) algorithm, we achieved an evasion rate of 53.84% against the gradient-boosted decision tree (GBDT) model. The PPO agent previously trained against the GBDT classifier scored an evasion rate of 11.41% against the neural network-based classifier MalConv and an average evasion rate of 2.31% against top antivirus programs. Furthermore, we discovered that random application of our functionality-preserving portable executable modifications successfully evades leading antivirus engines, with an average evasion rate of 11.65%. These findings indicate that machine learning-based models used in malware detection systems are vulnerable to adversarial attacks and that better safeguards need to be taken to protect these systems.

Cryptography and Security,Artificial Intelligence

Shaohan Wu,Jingfeng Xue,Yong Wang,Zixiao Kong

DOI: https://doi.org/10.3390/electronics12112346

IF: 2.9

2023-05-24

Electronics

Abstract:Recently, malware detection models based on deep learning have gradually replaced manual analysis as the first line of defense for anti-malware systems. However, it has been shown that these models are vulnerable to a specific class of inputs called adversarial examples. It is possible to evade the detection model by adding some carefully crafted tiny perturbations to the malicious samples without changing the sample functions. Most of the adversarial example generation methods ignore the information contained in the detection results of benign samples from detection models. Our method extracts sequence fragments called benign payload from benign samples based on detection results and uses an RNN generative model to learn benign features embedded in these sequences. Then, we use the end of the original malicious sample as input to generate an adversarial perturbation that reduces the malicious probability of the sample and append it to the end of the sample to generate an adversarial sample. According to different adversarial scenarios, we propose two different generation strategies, which are the one-time generation method and the iterative generation method. Under different query times and append scale constraints, the maximum evasion success rate can reach 90.8%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yanchen Qiao,Weizhe Zhang,Zhicheng Tian,Laurence T. Yang,Yang Liu,Mamoun Alazab

DOI: https://doi.org/10.1016/j.cose.2022.102762

IF: 5.105

2022-01-01

Computers & Security

Abstract:The deep learning methods had been proved to be effective for malware detection in the past. However, the recent studies show that deep learning models are vulnerable to adversarial attacks. Thus, the malware detection models based on deep learning face the threat of adversarial examples. As a popular case of adversarial examples, adversarial images are usually generated by adding unrecognizable perturbations to original pictures. When applying the same method to the windows PE (Portable Executable) malware, the original structure cannot be destroyed and the original functions of PE malware need to be preserved. Most existing windows adversarial malware generation works are derived from adversarial image methods with some adaptive modifications such as inserting perturbations in the slack space of the PE file. The both generation methods have some similarities but also many differences. Thus, directly using the methods of adversarial images to create malware effects the efficiency and fooling rate. In this paper, we overcome these issues by proposing a method for generating windows adversarial malware in PE format based on prototype samples of deep learning models. The prototype samples are the most typical ones of a certain category of the classification models. With the characteristic of the prototype samples, the bytes of the prototype samples are added as perturbations to the malware samples. This way can fast generate adversarial malware that could fool the target model. The proposed method is evaluated on a real world dataset of malware. Promising results show that the method can fool the deep learning based malware detection models with a high rate.(c) 2022 Elsevier Ltd. All rights reserved.

Wei Hu,Jie Cheng,Xulei Chong,Ru Zhang,Bingjie Lin,Ang Xia

DOI: https://doi.org/10.1109/prml56267.2022.9882255

2022-01-01

Abstract:To avoid detection, malicious code developers often use various obfuscation methods to evade detection by malicious code detection systems. In this paper, we propose a GAN-based anti-obfuscation training method for malicious code detection models. The method addresses the problem that the obfuscated malicious code can easily evade the malicious code detector. Based on the idea of adversarial training, the method proposes to use GAN to enhance the data of small samples of obfuscated malicious code samples and use the data-enhanced samples to train the malicious code for anti-obfuscation to improve the detection performance of the malicious code detector against the obfuscated malicious code. Finally, experiments are conducted on three different malicious code detectors, and the experiments show that the anti-obfuscation training method proposed in this paper helps to improve the anti-obfuscation capability of the malicious code detector and enhance its detection performance against the obfuscated malicious code.

Fangtian Zhong,Pengfei Hu,Guoming Zhang,Hong Li,Xiuzhen Cheng

DOI: https://doi.org/10.1016/j.cose.2022.102869

IF: 5.105

2022-01-01

Computers & Security

Abstract:Recent advances in machine learning offer attractive tools for sophisticated adversaries. An attacker could transform malware into its adversarial version but retain its malicious functionality by employing a ded-icated perturbation method. These adversarial malware examples have demonstrated the effectiveness to bypass antivirus engines. However, recent works only leverage a single perturbation method to gen-erate adversarial examples, which cannot defeat advanced detectors. In this paper, we propose a rein-forcement learning-based framework called MalInfo, which could generate powerful adversarial malware examples to evade the third-party detectors via an adaptive selection of a perturbation path for each malware in our collected dataset with 10 0 0 diverse malware. To cope with limited computation, MalInfo applies either dynamic programming or temporal difference learning to choose the optimal perturbation path where each path is formed by the combination of Obfusmal, Stealmal, and Hollowmal. We pro-vide a proof-of-concept implementation and extensive evaluation of our framework. Both the detection rate and evasive rate have substantially been improved compared with the state-of-art research MalFox Zhong et al. (2021). To be specific, The average detection rates for dynamic programming and temporal difference learning are 23 . 2% ( 21 . 9% lower than MalFox) and 27 . 5% ( 7 . 4% lower than MalFox), respectively, and the average evasive rates are 65 . 8% ( 17 . 1% higher than MalFox) and 59 . 4% ( 5 . 7% higher than MalFox), respectively.(c) 2022 Elsevier Ltd. All rights reserved.

Rayan Mosli,Thomas J. Slota,Yin Pan

DOI: https://doi.org/10.1109/hst53381.2021.9619825

2021-01-01

Abstract:Malconv is considered the state-of-the-art in mal-ware detection for Windows PE executables. It is a Convolutional Deep Learning model that is capable of consuming executable byte code to detect malware with high accuracy. Attacks have been created that can effectively generate adversarial examples to evade the detection of Malconv. However, these attacks generate adversarial examples by inserting benign bytes to maintain the malware’s malicious functionalities, an approach that is presumed to be easily detectable. In this paper, a novel black-box attack is proposed to create adversarial examples against Malconv, where functionally-equivalent instruction replacements are combined with Particle Swarm Optimization to create adversarial examples. The overall goal is to demonstrate that Malconv is prone to sophisticated attacks that interact with the executable portions of the malware.

Kai Tan,Dongyang Zhan,Lin Ye,Hongli Zhang,Binxing Fang

DOI: https://doi.org/10.1109/tc.2023.3339955

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Sequence-based deep learning models (e.g., RNNs), can detect malware by analyzing its behavioral sequences. Meanwhile, these models are susceptible to adversarial attacks. Attackers can create adversarial samples that alter the sequence characteristics of behavior sequences to deceive malware classifiers. The existing methods for generating adversarial samples typically involve deleting or replacing crucial behaviors in the original data sequences, or inserting benign behaviors that may violate the behavior constraints. However, these methods that directly manipulate sequences make adversarial samples difficult to implement or apply in practice. In this paper, we propose an adversarial attack approach based on Deep Q-Network and a heuristic backtracking search strategy, which can generate perturbation sequences that satisfy practical conditions for successful attacks. Subsequently, we utilize a novel transformation approach that maps modifications back to the source code, thereby avoiding the need to directly modify the behavior log sequences. We conduct an evaluation of our approach, and the results confirm its effectiveness in generating adversarial samples from real-world malware behavior sequences, which have a high success rate in evading anomaly detection models. Furthermore, our approach is practical and can generate adversarial samples while maintaining the functionality of the modified software.

Kun Li,Fan Zhang,Wei Guo

2023-05-22

Abstract:Malware detection models based on deep learning have been widely used, but recent research shows that deep learning models are vulnerable to adversarial attacks. Adversarial attacks are to deceive the deep learning model by generating adversarial samples. When adversarial attacks are performed on the malware detection model, the attacker will generate adversarial malware with the same malicious functions as the malware, and make the detection model classify it as benign software. Studying adversarial malware generation can help model designers improve the robustness of malware detection models. At present, in the work on adversarial malware generation for byte-to-image malware detection models, there are mainly problems such as large amount of injection perturbation and low generation efficiency. Therefore, this paper proposes FGAM (Fast Generate Adversarial Malware), a method for fast generating adversarial malware, which iterates perturbed bytes according to the gradient sign to enhance adversarial capability of the perturbed bytes until the adversarial malware is successfully generated. It is experimentally verified that the success rate of the adversarial malware deception model generated by FGAM is increased by about 84\% compared with existing methods.

Cryptography and Security,Artificial Intelligence

Jianhua Wang,Xiaolin Chang,Jelena Misic,Vojislav B. Misic,Yixiang Wang,Jianan Zhang

DOI: https://doi.org/10.1109/globecom46510.2021.9685442

2021-01-01

Abstract:Various Machine Learning (ML) models have been developed for malware detection. But their widespread application is challenged by adversarial attacks using adversarial malware examples. Generative Adversarial Networks (GAN) is one of the effective approaches to help build possible unknown attacks and expose the vulnerability of targeted systems. The existing GAN-based ML models have the weaknesses of unstable training and low-quality adversarial examples. In this paper, we propose a novel Mal-LSGAN model to tackle these weaknesses. By using a Least Square (LS) loss function and new activation function combinations, Mal-LSGAN achieves a higher Attack Success Rate (ASR) and a lower True Positive Rate (TPR) in 6 ML detectors, compared with the existing MalGAN and Imp-MalGAN. In Multi-Layer Perceptron (MLP), Mal-LSGAN can even decrease TPR from 97.81% of original examples to 2.92% of adversarial examples. The experimental results also demonstrate that Mal-Lsgangets the preferable transferability of adversarial malware examples.

Fangwei Wang,Yuanyuan Lu,Changguang Wang,Qingru Li

DOI: https://doi.org/10.1155/2021/8736946

2021-08-30

Wireless Communications and Mobile Computing

Abstract:5G is about to open Pandora’s box of security threats to the Internet of Things (IoT). Key technologies, such as network function virtualization and edge computing introduced by the 5G network, bring new security threats and risks to the Internet infrastructure. Therefore, higher detection and defense against malware are required. Nowadays, deep learning (DL) is widely used in malware detection. Recently, research has demonstrated that adversarial attacks have posed a hazard to DL-based models. The key issue of enhancing the antiattack performance of malware detection systems that are used to detect adversarial attacks is to generate effective adversarial samples. However, numerous existing methods to generate adversarial samples are manual feature extraction or using white-box models, which makes it not applicable in the actual scenarios. This paper presents an effective binary manipulation-based attack framework, which generates adversarial samples with an evolutionary learning algorithm. The framework chooses some appropriate action sequences to modify malicious samples. Thus, the modified malware can successfully circumvent the detection system. The evolutionary algorithm can adaptively simplify the modification actions and make the adversarial sample more targeted. Our approach can efficiently generate adversarial samples without human intervention. The generated adversarial samples can effectively combat DL-based malware detection models while preserving the consistency of the executable and malicious behavior of the original malware samples. We apply the generated adversarial samples to attack the detection engines of VirusTotal. Experimental results illustrate that the adversarial samples generated by our method reach an evasion success rate of 47.8%, which outperforms other attack methods. By adding adversarial samples in the training process, the MalConv network is retrained. We show that the detection accuracy is improved by 10.3%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Meng Li,Xiaoqi Jia,Rui Wang,Dongdai Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.08.063

2015-01-01

Abstract:In malicious code analysis and detection, the static analysis techniques are not effective to detect metamorphic/polymorphic ma-licious codes.Aiming at this problem, this paper proposes an approach for extracting the dynamic features of malicious code semantics.The method extracts the dynamic features of malicious codes in virtual environment so as to achieve the purpose of protecting physical machine. The primitive features extracted are then further sifted and processed to obtain API calling sequence information in regard to various code sam-ples.In order to make the features more effective, the traditional n-gram model is improved and the n-gram frequency information and the de-pendencies between APIs are added, the improved n-gram model is built as well.The analysis part in experimental result uses the machine learning methods, the decision trees, k-nearest neighbour, support vector machine and Bayesian networks are employed separately to perform a 10-fold crossover validation on the selected sample features.Experimental results show that this feature selection has best detection effect using decision tree J48, it can effectively detect the malicious codes using confusion and polymorphism technologies.

Fangtian Zhong,Xiuzhen Cheng,Dongxiao Yu,Bei Gong,Shuaiwen Song,Jiguo Yu

DOI: https://doi.org/10.48550/arXiv.2011.01509

2022-06-07

Abstract:Deep learning is a thriving field currently stuffed with many practical applications and active research topics. It allows computers to learn from experience and to understand the world in terms of a hierarchy of concepts, with each being defined through its relations to simpler concepts. Relying on the strong capabilities of deep learning, we propose a convolutional generative adversarial network-based (Conv-GAN) framework titled MalFox, targeting adversarial malware example generation against third-party black-box malware detectors. Motivated by the rival game between malware authors and malware detectors, MalFox adopts a confrontational approach to produce perturbation paths, with each formed by up to three methods (namely Obfusmal, Stealmal, and Hollowmal) to generate adversarial malware examples. To demonstrate the effectiveness of MalFox, we collect a large dataset consisting of both malware and benignware programs, and investigate the performance of MalFox in terms of accuracy, detection rate, and evasive rate of the generated adversarial malware examples. Our evaluation indicates that the accuracy can be as high as 99.0% which significantly outperforms the other 12 well-known learning models. Furthermore, the detection rate is dramatically decreased by 56.8% on average, and the average evasive rate is noticeably improved by up to 56.2%.

Cryptography and Security

Shaohua Wang,Yong Fang,Yijia Xu,Yaxian Wang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys57074.2022.00113

2022-01-01

Abstract:The arms race for Windows PE malware evasion and detection is ongoing. Recently, researchers have found that learning-based detectors are vulnerable to the attacks of adversarial examples. Therefore, the study on the generation of adversarial PE malware is of great significance and practical value for enhancing existing detection mechanisms. Current adversarial PE malware generation methods have several problems: destroying original functions, low efficiency, poor stability, weak flexibility, poor stealthiness, and lack of universality. We proposed a new black-box adversarial PE malware generation framework. It uses a novel Dropper processing method based on a puppet file combined with a size-penalized and entropy-constrained genetic algorithm that can efficiently generate adversarial PE malware with highly stealthy and universality. Experiments proved that our method could escape the target detectors with an extremely high success rate. In the case of bypassing commercial engines, the adversarial malware escaped an average of 37.76 engines more than the original malware. In addition, the results showed that exploring the method of generating adversarial PE malware can reveal the weaknesses of a target detector and thus improve its defensive capabilities by conducting data poisoning and dataset augmentation experiments.