Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Rosenberg, Ishai; Shabtai, Asaf; Elovici, Yuval; Rokach, Lior

doi:10.1145/3427228.3427230

Cited by 35 publications

(15 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Following GADGET, Rosenberg et al [109] subsequently propose and implement a end-to-end adversarial attack framework, namely BADGER, which is consists of a series of query-efficient black-box attacks to misclassify such API call sequence-based malware detector as well as minimize the number of queries. Basically, to preserve the original functionality, the proposed attacks are limited to only inserting API calls with no effect or an irrelevant effect, e.g., opening a non-existent file.…”

Section: 21mentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

The malware has been being one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against the ever-increasing and ever-evolving threats of malware, tremendous efforts have been made to propose a variety of malware detection methods that attempt to effectively and efficiently detect malware so as to mitigate possible damages as earlier as possible. Recent studies have shown that, one the one hand, existing machine learning (ML) and deep learning (DL) techniques enable the superior detection of newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to confuse the targeted models. Basically, adversarial attacks are initially extensively studied in the domain of computer vision like image classification, and some quickly expanded to other domains, including natural language processing, audio recognition and even malware detection which is extremely critical to computers.In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. We then conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. We conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. In addition, a curated resource list of adversarial attacks and defenses for Windows PE malware detection is also available at https://github.com/ryderling/adversarial-attacks-and-defenses-for-windows-pe-malware-detection. CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; • Theory of computation → Adversarial learning.

show abstract

Section: 21mentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Demetrio et al [82] generated adversarial Windows malware by making small manipulation in the file header of Windows malware samples to mislead MalConv [83], which is a DNNs-based windows malware detector. Rosenberg et al [84] presented a black-box attack to mislead API-based malware classifiers by perturbing API sequences of malware samples through an evolutionary algorithm. Kolosnjaji et al [85] proposed a gradient-based attack to generate adversarial malware binaries by manipulating malware binaries through appending padding bytes at the end of malware binary files.…”

Section: Adversarial Examples In Malware Detectionmentioning

confidence: 99%

EvadeDroid: A Practical Evasion Attack on Machine Learning for Black-box Android Malware Detection

Bostani¹,

Moonsamy²

2021

Preprint

View full text Add to dashboard Cite

Over the last decade, several studies have investigated the weaknesses of Android malware detectors against adversarial examples by proposing novel evasion attacks; however, the practicality of most studies in manipulating real-world malware is arguable. The majority of studies have assumed attackers know the details of the target classifiers used for malware detection, while in real life, malicious actors have limited access to the target classifiers. This paper presents a practical evasion attack, EvadeDroid, to circumvent black-box Android malware detectors. In addition to generating real-world adversarial malware, the proposed evasion attack can preserve the functionality of the original malware samples. EvadeDroid applies a set of functionalitypreserving transformations to morph malware instances into benign ones using an iterative and incremental manipulation strategy. The proposed manipulation technique is a novel, query-efficient optimization algorithm with the aim of finding and injecting optimal sequences of transformations into malware samples. Our empirical evaluation demonstrates the efficacy of EvadeDroid under hard-and soft-label attacks. Moreover, EvadeDroid is capable to generate practical adversarial examples with only a small number of queries, with evasion rate of 81%, 73%, and 75% for DREBIN, Sec-SVM, and MaMaDroid, respectively. Finally, we show that EvadeDroid is able to preserve its stealthiness against four popular commercial antivirus, thus demonstrating its feasibility in the real world.

show abstract

“…Recently, Rosenberg et al [41] presented a black-box variant of the attack in [37], by creating a substitute model and attacking it using a similar method, and extended it to hybrid classifiers combining static and dynamic features and architectures. Rosenberg et al [40] further presented both black-box and white-box query-efficient attacks based on perturbations generated using a GAN that was trained on benign samples.…”

Section: A Rnn Adversarial Examplesmentioning

confidence: 99%

“…We assume an adversary with full access to a trained target model, with unlimited number of possible queries, so query efficient attack (e.g., [40]) is not an issue. However, the adversary has no ability to influence that model.…”

Section: A Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

Defense Methods Against Adversarial Examples for Recurrent Neural Networks

Rosenberg,

Shabtai,

Elovici

et al. 2019

Preprint

Self Cite

View full text Add to dashboard Cite

Adversarial examples are known to mislead deep learning models to incorrectly classify them, even in domains where such models achieve state-of-the-art performance. Until recently, research on both attack and defense methods focused on image recognition, primarily using convolutional neural networks (CNNs). In recent years, adversarial example generation methods for recurrent neural networks (RNNs) have been published, demonstrating that RNN classifiers are also vulnerable to such attacks. In this paper, we present a novel defense method, termed sequence squeezing, to make RNN classifiers more robust against such attacks. Our method differs from previous defense methods which were designed only for non-sequence based models. We also implement four additional RNN defense methods inspired by recently published CNN defense methods. We evaluate our methods against state-of-the-art attacks in the cyber security domain where real adversaries (malware developers) exist, but our methods can be applied against other discrete sequence based adversarial attacks, e.g., in the NLP domain. Using our methods we were able to decrease the effectiveness of such attack from 99.9% to 15%.

show abstract

Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Cited by 35 publications

References 18 publications

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

EvadeDroid: A Practical Evasion Attack on Machine Learning for Black-box Android Malware Detection

Defense Methods Against Adversarial Examples for Recurrent Neural Networks

Contact Info

Product

Resources

About