Creating valid adversarial examples of malware
Abstract
Because of its world-class results, machine learning (ML) is becoming increasingly popular as a go-to solution for many tasks. As a result, antivirus developers are incorporating ML models into their toolchains. While these models improve malware detection capabilities, they also carry the disadvantage of being susceptible to adversarial attacks. Although this vulnerability has been demonstrated for many models in white-box settings, a black-box scenario is more applicable in practice for the domain of malware detection. We present a method of creating adversarial malware examples using reinforcement learning algorithms. The reinforcement learning agents utilize a set of functionality-preserving modifications, thus creating valid adversarial examples. Using the proximal policy optimization (PPO) algorithm, we achieved an evasion rate of 53.84% against the gradient-boosted decision tree (GBDT) detector. The PPO agent previously trained against the GBDT classifier scored an evasion rate of 11.41% against the neural network-based classifier MalConv and an average evasion rate of 2.31% against top antivirus programs. Furthermore, we discovered that random application of our functionality-preserving portable executable modifications successfully evades leading antivirus engines, with an average evasion rate of 11.65%. These findings indicate that ML-based models used in malware detection systems are sensitive to adversarial attacks and that better safeguards need to be taken to protect these systems.