Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware

Maiorca, Davide; Biggio, Battista

doi:10.1109/msec.2018.2875879

Cited by 38 publications

(41 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They can operate by analyzing and classifying information retrieved either from the structure or the content of the document. More specifically, all systems aimed to detect malicious PDF files share the same basic structure (reported in Figure 2), which is composed of three main components [63]:…”

Section: Machine Learning For Pdf Malware Detectionmentioning

confidence: 99%

“…In this attack, the attacker injects a specifically-crafted, malicious payload into a file that is recognized as benign by the classifier, by only exploiting black-box access to the classifier. The idea is that the corresponding feature modifications should not be sufficient to change the classification of the source sample from benign to malicious [62][63][64]83]. Such a strategy is exactly the opposite of mimicry attacks: while the latter inject benign information into a malicious file, reverse mimicry tends to minimize the amount of malicious information injected (by changing the injected payload when the attack fails).…”

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

“…We now summarize the results attained by testing evasive examples created with reverse-mimicry strategies. In particular, we report the results attained by [63], in which 500 samples for each reverse mimicry variant (for a total of 1500 samples) were created and tested against multiple systems in the wild [54,61,82,83,95]. Such comparison is the most recent and fair between multiple systems on evasive datasets.…”

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

“…Table 8 showed which works implemented the real attack samples either by addressing the inverse feature-mapping problem or by directly manipulating the PDF malware sample. In both cases, three major strategies were used to inject material while minimizing the risk of compromising the intrusive functionality of PDF malware, as depicted in Figure 5 [63]. We now provide a comprehensive description of each technique, by also referring to the works where they have been employed.…”

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

“…Such injection strategy can, however, be countered by extracting the content of each version of the PDF file and process it separately. Maiorca et al [61][62][63][64] employed this strategy to generate EXE Embedding attacks (belonging to reverse mimicry). More specifically, they leveraged the Metasploit framework [1] to automatically generate the infected evasive samples.…”

Section: Practical Implementation As Already Mentioned In Section 4mentioning

confidence: 99%

See 4 more Smart Citations

Towards Adversarial Malware Detection

Maiorca¹,

Biggio²,

Giacinto³

2019

ACM Comput. Surv.

Self Cite

View full text Add to dashboard Cite

Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines. Research showed that machine-learning algorithms provide effective detection mechanisms against such threats, but the existence of an arms race in adversarial settings has recently challenged such systems. In this work, we focus on malware embedded in PDF files as a representative case of such an arms race. We start by providing a comprehensive taxonomy of the different approaches used to generate PDF malware, and of the corresponding learning-based detection systems. We then categorize threats specifically targeted against learning-based PDF malware detectors, using a well-established framework in the field of adversarial machine learning. This framework allows us to categorize known vulnerabilities of learning-based PDF malware detectors and to identify novel attacks that may threaten such systems, along with the potential defense mechanisms that can mitigate the impact of such threats. We conclude the paper by discussing how such findings highlight promising research directions towards tackling the more general challenge of designing robust malware detectors in adversarial settings.:2 D. Maiorca et al.formats to conceal malicious code, making their detection significantly harder. Second, infection vectors can be effectively used in social engineering campaigns, as victims are more prone to receive and open documents or multimedia content. Finally, although vulnerabilities of third-party applications are often publicly disclosed, they are not promptly patched. The absence of proper security updates makes thus the lifespan of attacks perpetrated with infection vectors much longer.Machine learning-based technologies have been increasingly used both in academic and industrial environments (see e.g., [48]) to detect malware embedded in infection vectors like malicious PDF files. Research work has demonstrated that learning-based systems could be effective at detecting obfuscated attacks that are typically able to evade simple heuristics [23,65,82,95], but the problem is still far from being solved. Despite the significant increment of detected attacks, researchers started questioning the reliability of learning algorithms against adversarial attacks carefully-crafted against them [8-10, 17, 18]. Such attacks became widely popular when researchers showed that it was possible to evade deep learning algorithms for computer vision with adversarial examples, i.e., minimally-perturbed images that mislead classification [40,88]. The same attack principles have also been employed to craft adversarial malware samples, as first shown in [9], and subsequently explored in [29,42,52,96,99]. Such attacks can typically perform few, fine-grained changes on correctly detected, malicious samples to have them misclassified as legitimate. Acc...

show abstract

Section: Machine Learning For Pdf Malware Detectionmentioning

confidence: 99%

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

Section: Heuristic-based Evasion Attacksmentioning

confidence: 99%

Section: Practical Implementation As Already Mentioned In Section 4mentioning

confidence: 99%

See 3 more Smart Citations

Towards Adversarial Malware Detection

Maiorca¹,

Biggio²,

Giacinto³

2019

ACM Comput. Surv.

Self Cite

View full text Add to dashboard Cite

show abstract

VulGraB: Graph‐embedding‐based code vulnerability detection with bi‐directional gated graph neural network

Wang

Chen

2023

Softw Pract Exp

View full text Add to dashboard Cite

Code vulnerabilities can have serious consequences such as system attacks and data leakage, making it crucial to perform code vulnerability detection during the software development phase. Deep learning is an emerging approach for vulnerability detection tasks. Existing deep learning‐based code vulnerability detection methods are usually based on word2vec embedding of linear sequences of source code, followed by code vulnerability detection through RNNs network. However, such methods can only capture the superficial structural or syntactic information of the source code text, which is not suitable for modeling the complex control flow and data flow and miss edge information in the graph structure constructed by the source code, with limited effect of neural network model. To solve the above problems, this article proposes a code vulnerability detection method, named VulGraB, which is based on graph embedding and bidirectional gated graph neural networks. VulGraB uses node2vec to convert the program‐dependent graphs into graph embeddings of the code, which contain rich structure information of the source code, improving the ability of features to express nonlinear information to a certain extent. Then the BiGGNN is used for training, and finally the accuracy of the detection results is evaluated using target program. The bi‐directional gated neural network utilizes a bi‐directional recurrent structure, which is beneficial to global information aggregation. The experimental results show that the accuracy of VulGraB is significantly improved over the baseline models on two datasets, with F1 scores of 85.89% and 97.24% being the highest, demonstrating that VulGraB consistently outperforms other effective vulnerability detection models.

show abstract