Attacks on Visualization-Based Malware Detection: Balancing Effectiveness and Executability

“…Benkraouda et al [20] proposes a framework that mixes a mask generator to highlight the bytes that are possible to manipulate while retaining executability, adversarial example generation using a Carlini-Wagner (CW) attack [47] and an optimization step that iteratively modifies the masked bytes by comparing the generated adversarial data to a set of known instructions. It fits the "Content Manipulation" category illustrated in Figure 2.…”

“…Regarding the data used to evaluate the attacks, most of the works listed here used some sort of private dataset either by collecting samples from malware hosting services or expanding public ones-Benkraouda et al [20] merged malimg [11] and benign samples from the Architecture Object Code Dataset (AOCD) [49], while Khormali et al [19] used BIG 2015 [31] and also formed a private IoT dataset. A summary of the functionalitypreserving attacks can be found in Table 2.…”

“…Benkraouda et al [20] Adversarial Generation + Optimization CNN [19,51] Private (combination of malimg [11] and AOCD [49])…”

“…The classification approaches evaluated in this work are based on methods that learn straight from the raw bytes of the file, ranging from methodologies that reinterpret the sample as a grayscale image up to preprocessing each sample as a 1D vector in their execution [9,[11][12][13][14][15][16][17][18][19][20]. We want to evaluate the vulnerability of these variants to the already known adversarial examples [21], which is an approach with increasing popularity in the literature, especially in the context of malware [10,12,19,20,[22][23][24][25]. There are some limitations that must be observed, though, since the perturbations added to malware samples must be drawn from a discrete domain.…”

On Deceiving Malware Classification with Section Injection

“…Benkraouda et al [20] proposes a framework that mixes a mask generator to highlight the bytes that are possible to manipulate while retaining executability, adversarial example generation using a Carlini-Wagner (CW) attack [47] and an optimization step that iteratively modifies the masked bytes by comparing the generated adversarial data to a set of known instructions. It fits the "Content Manipulation" category illustrated in Figure 2.…”

“…Regarding the data used to evaluate the attacks, most of the works listed here used some sort of private dataset either by collecting samples from malware hosting services or expanding public ones-Benkraouda et al [20] merged malimg [11] and benign samples from the Architecture Object Code Dataset (AOCD) [49], while Khormali et al [19] used BIG 2015 [31] and also formed a private IoT dataset. A summary of the functionalitypreserving attacks can be found in Table 2.…”

“…Benkraouda et al [20] Adversarial Generation + Optimization CNN [19,51] Private (combination of malimg [11] and AOCD [49])…”

“…The classification approaches evaluated in this work are based on methods that learn straight from the raw bytes of the file, ranging from methodologies that reinterpret the sample as a grayscale image up to preprocessing each sample as a 1D vector in their execution [9,[11][12][13][14][15][16][17][18][19][20]. We want to evaluate the vulnerability of these variants to the already known adversarial examples [21], which is an approach with increasing popularity in the literature, especially in the context of malware [10,12,19,20,[22][23][24][25]. There are some limitations that must be observed, though, since the perturbations added to malware samples must be drawn from a discrete domain.…”

On Deceiving Malware Classification with Section Injection