Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Menéndez, Héctor D.; Llorente, José Luís

doi:10.3390/e21050513

Cited by 13 publications

(10 citation statements)

References 59 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An interesting application of VirusTotal is AVClass, a tool whose aim is to identify the ground truth on the malware family classification problem by averaging the opinion of the different engines of VirusTotal [ 28 ]. There are also tools like MimickAV [ 29 ] that prove the predictability of VirusTotal and auditing studies that show how obfuscation changes the outcome of anti-viruses [ 30 ]. Nevertheless, from our current knowledge, no author has used it to study the malware arms race coevolution.…”

Section: Related Workmentioning

confidence: 99%

Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer

Menéndez

Clark

Barr

2021

Entropy

Self Cite

View full text Add to dashboard Cite

Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat’s ability to counter the black hat’s incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6 month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal’s tools learn and forget fast, actually in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE’s variants.

show abstract

Section: Related Workmentioning

confidence: 99%

Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer

Menéndez

Clark

Barr

2021

Entropy

Self Cite

View full text Add to dashboard Cite

show abstract

“…There are multiple contributions to the analysis of malware based on using binary, static and/or dynamic features to feed machine learning to detect malware. Some examples are already mentioned, such as structural entropy [97], and its extensions to metamorphic malware detection [11], time-series features [71], and mimicking antivirus behaviours [70]. Other good examples -more classical-, are the work Schultz et al [92] who used n-gram features to feed different machine learning approaches for Windows malware detection; Kolter and Maloof who also [52] included the information gain metric and byte-level analysis to the n-gram features; Stolfo et al [98] who applied a similar methodology to PDF malware detection; Tabish et al [101] who combined the n-grams with histograms to extract different metrics from information-theory; and Santos et al [89] who used n-gram features but reduced the labelling process by using semi-supervised methods.…”

Section: Learning-based Detectionmentioning

confidence: 99%

“…It is also important to consider that some anti-viruses will be predictable. MimickAV [70] will allow determining which anti-viruses are more predictable and therefore vulnerable to potential evasion attacks based on the transferability of evasive samples [28].…”

Section: Toolsmentioning

confidence: 99%

Malware: The Never-Ending Arm Race

Menéndez¹

2021

OJC

View full text Add to dashboard Cite

"Antivirus is death"' and probably every detection system that focuses on a single strategy for indicators of compromise. This famous quote that Brian Dye --Symantec's senior vice president-- stated in 2014 is the best representation of the current situation with malware detection and mitigation. Concealment strategies evolved significantly during the last years, not just like the classical ones based on polimorphic and metamorphic methodologies, which killed the signature-based detection that antiviruses use, but also the capabilities to fileless malware, i.e. malware only resident in volatile memory that makes every disk analysis senseless. This review provides a historical background of different concealment strategies introduced to protect malicious --and not necessarily malicious-- software from different detection or analysis techniques. It will cover binary, static and dynamic analysis, and also new strategies based on machine learning from both perspectives, the attackers and the defenders.

show abstract

“…For instance, Calleja et al [ 45 ] applied adversarial machine learning to cheat malware family classification based on static analysis. These ideas have also been extended to audit antiviruses by measuring the way they can be mimicked [ 46 ].…”

Section: Related Workmentioning

confidence: 99%

Detecting Malware with Information Complexity

Alshahwan

Barr

Clark

et al. 2020

Entropy

Self Cite

View full text Add to dashboard Cite

Malware concealment is the predominant strategy for malware propagation. Black hats create variants of malware based on polymorphism and metamorphism. Malware variants, by definition, share some information. Although the concealment strategy alters this information, there are still patterns on the software. Given a zoo of labelled malware and benign-ware, we ask whether a suspect program is more similar to our malware or to our benign-ware. Normalized Compression Distance (NCD) is a generic metric that measures the shared information content of two strings. This measure opens a new front in the malware arms race, one where the countermeasures promise to be more costly for malware writers, who must now obfuscate patterns as strings qua strings, without reference to execution, in their variants. Our approach classifies disk-resident malware with 97.4% accuracy and a false positive rate of 3%. We demonstrate that its accuracy can be improved by combining NCD with the compressibility rates of executables using decision forests, paving the way for future improvements. We demonstrate that malware reported within a narrow time frame of a few days is more homogeneous than malware reported over two years, but that our method still classifies the latter with 95.2% accuracy and a 5% false positive rate. Due to its use of compression, the time and computation cost of our method is nontrivial. We show that simple approximation techniques can improve its running time by up to 63%. We compare our results to the results of applying the 59 anti-malware programs used on the VirusTotal website to our malware. Our approach outperforms each one used alone and matches that of all of them used collectively.

show abstract

Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Cited by 13 publications

References 59 publications

Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer

Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer

Malware: The Never-Ending Arm Race

Detecting Malware with Information Complexity

Contact Info

Product

Resources

About