AIMED: Evolving Malware with Genetic Programming to Evade Detection

Castro, Raphael Labaca; Schmitt, Corinna; Dreo, Gabi

doi:10.1109/trustcom/bigdatase.2019.00040

Cited by 35 publications

(22 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The generated adversarial files are not checked if they are valid, therefore some files can be corrupt. [14] uses the same set of operations as [25] combined with Genetic Algorithm to generate adversarial Windows PE files. In the The gadgets are then implanted on the malicious file.…”

Section: B Problem Space Attacksmentioning

confidence: 99%

“…A positive answer would enable model hardening at affordable computational cost and without developing specific attacks that work in the particular subject domain. We study this question through an empirical study that spans over three domains where realistic attacks exist: text classification where a problem-space attack (TextFooler [12]) replaces words in a sentence with their synonyms; botnet traffic detection where a constrained feature space attack (FENCE [13]) applies realistic modifications to network traffic features; and malware classification where a problem-space attack (AIMED [14]) modifies malware PE files. For each of these three domains, we generate examples using unrealistic attacks that are either domain-specific (e.g.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

Dyrmishi¹,

Ghamizi²,

Simonetto³

et al. 2022

Preprint

View full text Add to dashboard Cite

While the literature on security attacks and defense of Machine Learning (ML) systems mostly focuses on unrealistic adversarial examples, recent research has raised concern about the under-explored field of realistic adversarial attacks and their implications on the robustness of real-world systems. Our paper paves the way for a better understanding of adversarial robustness against realistic attacks and makes two major contributions. First, we conduct a study on three real-world use cases (text classification, botnet detection, malware detection)) and five datasets in order to evaluate whether unrealistic adversarial examples can be used to protect models against realistic examples. Our results reveal discrepancies across the use cases, where unrealistic examples can either be as effective as the realistic ones or may offer only limited improvement. Second, to explain these results, we analyze the latent representation of the adversarial examples generated with realistic and unrealistic attacks. We shed light on the patterns that discriminate which unrealistic examples can be used for effective hardening. We release our code, datasets and models to support future research in exploring how to reduce the gap between unrealistic and realistic adversarial attacks.

show abstract

Section: B Problem Space Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

Dyrmishi¹,

Ghamizi²,

Simonetto³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…By contrast, the deep convolutional net proposed by Johns and Coull et al [5] enforces spatial locality among features, which means both the location and magnitude of adversarial noise play a role in the success of evasion attacks. Even the GBDT model has been shown to be vulnerable to evasion attacks [4,8,22], albeit it with more advanced and computationally-intensive attacks. While each of these models has been previously been evaluated in an ad-hoc manner, we are the first to treat attacks on machine-learning models in a holistic manner using a single unifying framework, and in doing so we uncover two new attack methods that apply to both MalConv and the Coull et al 's model despite the unique architectural differences between the two.…”

Section: Gradient Boosting Decision Tree (Gbdt)mentioning

confidence: 99%

“…Since the attacker want to produce space for injecting the adversarial payload, they can alter the representation to their advantage by shifting content within the bounds of the specification. This is not the first work exploring the space of practical manipulations applicable to the Windows PE format [2,4,7,8,13,16,[22][23][24], and we will focus on manipulations that have not yet been proposed. In particular, these transformations can be used to create space inside the input binary, and hide all the malicious code from the target network, thereby making them more difficult to discover and remove, while also increasing the number of adversarial bytes that can be injected.…”

Section: Practical Manipulationsmentioning

confidence: 99%

Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection

Demetrio,

Coull,

Biggio

et al. 2020

Preprint

View full text Add to dashboard Cite

Recent work has shown that adversarial Windows malware samples -also referred to as adversarial EXEmples in this paper -can bypass machine learning-based detection relying on static code analysis by perturbing relatively few input bytes. To preserve malicious functionality, previous attacks either add bytes to existing non-functional areas of the file, potentially limiting their effectiveness, or require running computationally-demanding validation steps to discard malware variants that do not correctly execute in sandbox environments. In this work, we overcome these limitations by developing a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes two novel attacks based on practical, functionality-preserving manipulations to the Windows Portable Executable (PE) file format, based on injecting the adversarial payload by respectively extending the DOS header and shifting the content of the first section. Our experimental results show that these attacks outperform existing ones in both white-box and black-box attack scenarios by achieving a better trade-off in terms of evasion rate and size of the injected payload, as well as enabling evasion of models that were shown to be robust to previous attacks. To facilitate reproducibility and future work, we open source our framework and all the corresponding attack implementations. We conclude by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts naturally into the learning process.CCS Concepts: • Computing methodologies → Machine Learning; • Security and privacy → Malware and its mitigation.

show abstract

“…When tested with the actual AV classifier, the modified binary's evasiveness was reported to decrease to 9%. Similar approaches of modifying the binary, albeit using genetic algorithms such as AIMED [9] and FUMVar [26] have also been proposed. In [30], authors propose three types of adversarial attacks that are again based on genetic algorithms for intelligently modifying a PE malware binary's opcodes, API calls and system calls.…”

Section: Introductionmentioning

confidence: 99%

A Comparison of State-of-the-Art Techniques for Generating Adversarial Malware Binaries

Dasgupta¹,

Osman²

2021

Preprint

View full text Add to dashboard Cite

We consider the problem of generating adversarial malware by a cyber-attacker where the attacker's task is to strategically modify certain bytes within existing binary malware files, so that the modified files are able to evade a malware detector such as machine learning-based malware classifier. We have evaluated three recent adversarial malware generation techniques using binary malware samples drawn from a single, publicly available malware data set and compared their performances for evading a machine-learning based malware classifier called Mal-Conv. Our results show that among the compared techniques, the most effective technique is the one that strategically modifies bytes in a binary's header. We conclude by discussing the lessons learned and future research directions on the topic of adversarial malware generation.

show abstract

AIMED: Evolving Malware with Genetic Programming to Evade Detection

Cited by 35 publications

References 16 publications

On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection

A Comparison of State-of-the-Art Techniques for Generating Adversarial Malware Binaries

Contact Info

Product

Resources

About