AIMED-RL: Exploring Adversarial Malware Examples with Reinforcement Learning

Labaca-Castro, Raphael; Franz, Sebastian; Rodosek, Gabi Dreo

doi:10.1007/978-3-030-86514-6_3

Cited by 11 publications

(6 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another reinforcement learning approach is presented in [28], in which Labaca-Castro et al presented the AIMED-RL adversarial attack framework. This attack can generate adversarial examples that lead machine learning models to misclassify malicious files without compromising their functionality.…”

Section: Reinforcement Learning-based Attacksmentioning

confidence: 99%

A comparison of adversarial malware generators

Louthánová,

Kozák,

Jureček

et al. 2024

J Comput Virol Hack Tech

View full text Add to dashboard Cite

Machine learning has proven to be a valuable tool for automated malware detection, but machine learning systems have also been shown to be subject to adversarial attacks. This paper summarizes and compares related work on generating adversarial malware samples, specifically malicious Windows Portable Executable files. In contrast with previous research, we not only compare generators of adversarial malware examples theoretically, but we also provide an experimental comparison and evaluation for practical usability. We use gradient-based, evolutionary-based, and reinforcement-based approaches to create adversarial samples, which we test against selected antivirus products. The results show that applying optimized modifications to previously detected malware can lead to incorrect classification of the file as benign. Moreover, generated malicious samples can be effectively employed against detection models other than those used to produce them, and combinations of methods can construct new instances that avoid detection. Based on our findings, the Gym-malware generator, which uses reinforcement learning, has the greatest practical potential. This generator has the fastest average sample production time of 5.73 s and the highest average evasion rate of 44.11%. Using the Gym-malware generator in combination with itself further improved the evasion rate to 58.35%. However, other tested methods scored significantly lower in our experiments than reported in the original publications, highlighting the importance of a standardized evaluation environment.

show abstract

Section: Reinforcement Learning-based Attacksmentioning

confidence: 99%

A comparison of adversarial malware generators

Louthánová,

Kozák,

Jureček

et al. 2024

J Comput Virol Hack Tech

View full text Add to dashboard Cite

show abstract

“…On the basis of gym-malware, there are multiple follow-up work [20,39,41,42,72,76,139] proposing problem-space black-box adversarial attacks against static PE malware detection models.…”

Section: 22mentioning

confidence: 99%

“…Naturally, they propose an improved RL-based adversarial attack framework of AMG-VAC on the basis of gym-malware [8,9] by adopting the variational actor-critic, which has been demonstrated to be the state-of-the-art performance in handling environments with combinatorially large state space. As previous RL-based adversarial attacks tend to generate homogeneous and long sequences of transformations, Labaca-Castro et al [72] thus present an RLbased adversarial attack framework of AIMED-RL as well. The main difference between AIMED-RL and other RL-based adversarial attacks is that AIMED-RL introduces a novel penalization to the reward function for increasing the diversity of the generated sequences of transformations while minimizing the corresponding lengths.…”

Section: 22mentioning

confidence: 99%

See 1 more Smart Citation

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

The malware has been being one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against the ever-increasing and ever-evolving threats of malware, tremendous efforts have been made to propose a variety of malware detection methods that attempt to effectively and efficiently detect malware so as to mitigate possible damages as earlier as possible. Recent studies have shown that, one the one hand, existing machine learning (ML) and deep learning (DL) techniques enable the superior detection of newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to confuse the targeted models. Basically, adversarial attacks are initially extensively studied in the domain of computer vision like image classification, and some quickly expanded to other domains, including natural language processing, audio recognition and even malware detection which is extremely critical to computers.In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. We then conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. We conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. In addition, a curated resource list of adversarial attacks and defenses for Windows PE malware detection is also available at https://github.com/ryderling/adversarial-attacks-and-defenses-for-windows-pe-malware-detection. CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; • Theory of computation → Adversarial learning.

show abstract

“…Numerous research has been published in the literature to test the robustness of machine learning-based systems against adversarial samples. Some researchers took the liberty of using gradient based algorithms [15] and genetic algorithms [16], [17], while tremendous work has been conducted on exploiting reinforcement learning [18], [19], [20], [21] to produce modifications in malware files and help them evade detection methods. Anderson et al [18] were one of the first to show that reinforcement learning (RL) can be successfully used to generate adversarial examples in the problem space for Windows Portable Executable (PE) files by introducing some semantic preserving actions to modify the malware.…”

mentioning

confidence: 99%

A Deep Reinforcement Learning Framework to Evade Black-Box Machine Learning Based IoT Malware Detectors Using GAN-Generated Influential Features

Arif,

Aslam,

Al-Otaibi

et al. 2023

IEEE Access

View full text Add to dashboard Cite

In the internet of things (IoT) networks, machine learning (ML) is significantly used for malware and adversary detection. Recently, research has shown that adversarial attacks have put ML-based models at risk. This problem is exacerbated in an IoT environment because of the absence of adequate security measures. Consequently, it is crucial to evaluate the strength of such malware detectors using powerful adversarial samples. The existing adversarial sample generation strategies either rely on high-level image features or an unfiltered feature set, making it challenging to determine which feature modifications are crucial in evading malware detection systems, without compromising the malware functionality. This encourages us to propose an evasion framework named IF-MalEvade, based on Generative Adversarial Network (GAN) and Deep Reinforcement Learning (DRL) that effectively generates fully-working, malware samples with several effective perturbations such as header section manipulation and benign bytes insertion. The DRL framework selects a few suitable action sequences to change malicious samples, thus allowing our malware samples to bypass various black-box ML based malware detectors and the detection search engines of VirusTotal, while maintaining the executability and malicious behavior of the original malware samples. The neural networks of GAN take in the unfiltered feature set of malware dataset and using minimax objective function yields a set of useful features that are subsequently used by the DRL agent to make effective changes. Experimental results illustrated that by utilizing the influential features in sequence of transformations, the adversarial samples generated by our model outperformed the state-of-the-art evasion models with an impressive evasion rate. Additionally, the detection rate of well-known machine learning models was also brought down to upto 97%. Furthermore, when the machine learning models were retrained using adversarial samples, a 35% increase in detection accuracy was observed.

show abstract

AIMED-RL: Exploring Adversarial Malware Examples with Reinforcement Learning

Cited by 11 publications

References 14 publications

A comparison of adversarial malware generators

A comparison of adversarial malware generators

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

A Deep Reinforcement Learning Framework to Evade Black-Box Machine Learning Based IoT Malware Detectors Using GAN-Generated Influential Features

Contact Info

Product

Resources

About