How to Train your Antivirus: RL-based Hardening through the Problem-Space (2402.19027v2)

Published 29 Feb 2024 in cs.CR and cs.AI

Abstract: ML-based malware detection on dynamic analysis reports is vulnerable to both evasion and spurious correlations. In this work, we investigate a specific ML architecture employed in the pipeline of a widely-known commercial antivirus company, with the goal of hardening it against adversarial malware. Adversarial training, the sole defensive technique that can confer empirical robustness, is not applicable out of the box in this domain, for the principal reason that gradient-based perturbations rarely map back to feasible problem-space programs. We introduce a novel Reinforcement Learning approach for constructing adversarial examples, a constituent part of adversarially training a model against evasion. Our approach comes with multiple advantages. It performs modifications that are feasible in the problem-space, and only those; thus it circumvents the inverse mapping problem. It also makes it possible to provide theoretical guarantees on the robustness of the model against a particular set of adversarial capabilities. Our empirical exploration validates our theoretical insights, where we can consistently reach 0% Attack Success Rate after a few adversarial retraining iterations.
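The loop the abstract describes, as an added toy example that is not the paper's code or architecture: a perceptron over constructed API-call counts stands in for the production model, a REINFORCE policy over a fixed set of feasible problem-space actions (appending benign-looking calls, never removing payload calls) plays the adversary, and because the action set and budget are finite, exhaustive enumeration of the reachable variants gives the kind of robustness guarantee the abstract mentions. The API list, sample reports, budget and hyperparameters are all constructed for illustration.

```python
import math, random
from itertools import combinations_with_replacement
random.seed(1)
API = ["WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW",    # feature i is the
       "CreateFileW", "GetSystemTimeAsFileTime", "Sleep"]               # count of API[i]
ACTIONS, BUDGET = [3, 4, 5], 6   # calls the adversary may append, and how many at most
BENIGN = [[0, 0, 0, 9, 3, 2], [0, 0, 1, 7, 4, 1], [0, 0, 0, 8, 2, 3], [0, 0, 0, 6, 5, 2]]
MALWARE = [[2, 1, 1, 1, 0, 0], [1, 1, 1, 0, 0, 1], [1, 2, 2, 1, 1, 0], [3, 1, 1, 0, 0, 0]]

def score(model, x):                      # > 0 means "malicious"
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b
def train(data, max_epochs=1000):         # perceptron in place of the paper's network
    w, b = [0.0] * len(API), 0.0
    for _ in range(max_epochs):           # separable data => exact fit before the cap
        errors = 0
        for x, y in data:
            err = y - int(score((w, b), x) > 0)
            if err:
                errors, w, b = errors + 1, [wi + err * xi for wi, xi in zip(w, x)], b + err
        if not errors:
            break
    return w, b
def apply(x, actions):                    # append calls: counts only ever grow, so the
    return [xi + actions.count(i) for i, xi in enumerate(x)]   # result is always feasible
def reachable(model, x):                  # every feasible variant: finite, hence checkable
    return [apply(x, c) for k in range(BUDGET + 1) for c in combinations_with_replacement(ACTIONS, k)]
def rl_attack(model, x, episodes=200, lr=0.05):   # REINFORCE, softmax policy over ACTIONS
    theta = [0.0] * len(ACTIONS)
    for _ in range(episodes):
        e = [math.exp(t - max(theta)) for t in theta]
        p = [v / sum(e) for v in e]
        idx = random.choices(range(len(ACTIONS)), p, k=random.randint(1, BUDGET))
        z = apply(x, [ACTIONS[i] for i in idx])
        if score(model, z) <= 0:
            return [z]                    # evasion found: a feasible adversarial report
        r = score(model, x) - score(model, z)      # reward: how far the score dropped
        theta = [t + lr * r * (idx.count(j) - len(idx) * pj) for j, (t, pj) in enumerate(zip(theta, p))]
    return []
def harden(attacker, rounds=3):           # attack, add variants as malicious, retrain
    data = [(x, 0) for x in BENIGN] + [(x, 1) for x in MALWARE]
    model, asr = train(data), []
    for _ in range(rounds):
        variants = [attacker(model, x) for x in MALWARE]
        asr.append(sum(any(score(model, z) <= 0 for z in vs) for vs in variants) / len(MALWARE))
        data += [(z, 1) for vs in variants for z in vs]
        model = train(data)
    return model, asr                     # ASR per round, measured before that round's retraining
```

Running `harden(rl_attack)` shows the ASR trajectory under the RL adversary, while `harden(reachable, rounds=2)` adds every reachable variant and yields a model for which no feasible variant of any training sample evades.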

Authors (8)
  1. Jacopo Cortellazzi
  2. Ilias Tsingenopoulos
  3. Branislav Bošanský
  4. Simone Aonzo
  5. Davy Preuveneers
  6. Wouter Joosen
  7. Fabio Pierazzi
  8. Lorenzo Cavallaro