Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware

Windows malware detectors based on machine learning are vulnerable to adversarial examples, even if the attacker is only given black-box query access to the model. The main drawback of these attacks is that: (i) they are query-inefficient, as they rely on iteratively applying random transformation...

Detailed description

Bibliographic details
Published in: IEEE transactions on information forensics and security 2021, Vol.16, p.3469-3478
Main authors: Demetrio, Luca, Biggio, Battista, Lagorio, Giovanni, Roli, Fabio, Armando, Alessandro
Format: Article
Language: eng
container_end_page 3478
container_issue
container_start_page 3469
container_title IEEE transactions on information forensics and security
container_volume 16
creator Demetrio, Luca
Biggio, Battista
Lagorio, Giovanni
Roli, Fabio
Armando, Alessandro
description Windows malware detectors based on machine learning are vulnerable to adversarial examples, even if the attacker is only given black-box query access to the model. The main drawback of these attacks is that: (i) they are query-inefficient, as they rely on iteratively applying random transformations to the input malware; and (ii) they may also require executing the adversarial malware in a sandbox at each iteration of the optimization process, to ensure that its intrusive functionality is preserved. In this paper, we overcome these issues by presenting a novel family of black-box attacks that are both query-efficient and functionality-preserving, as they rely on the injection of benign content (which will never be executed) either at the end of the malicious file, or within some newly-created sections. Our attacks are formalized as a constrained minimization problem which also enables optimizing the trade-off between the probability of evading detection and the size of the injected payload. We empirically investigate this trade-off on two popular static Windows malware detectors, and show that our black-box attacks can bypass them with only few queries and small payloads, even when they only return the predicted labels. We also evaluate whether our attacks transfer to other commercial antivirus solutions, and surprisingly find that they can evade, on average, more than 12 commercial antivirus engines. We conclude by discussing the limitations of our approach, and its possible future extensions to target malware classifiers based on dynamic analysis.
doi_str_mv 10.1109/TIFS.2021.3082330
format Article
identifier ISSN: 1556-6013
ispartof IEEE transactions on information forensics and security, 2021, Vol.16, p.3469-3478
issn 1556-6013
1556-6021
language eng
recordid cdi_ieee_primary_9437194
source IEEE Electronic Library (IEL)
subjects Adversarial examples
Anti-virus software
black-box optimization
Detectors
evasion attacks
Feature extraction
Iterative methods
Machine learning
Malware
malware detection
Minimization
Operating systems
Optimization
Payloads
Queries
Tradeoffs
title Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware