Optimization of code caves in malware binaries to evade machine learning detectors

This research was supported by the Ministerio de Ciencia, Innovación y Universidades (Grant Refs. PGC2018-095322-B-C22 and PID2019-111429RB-C21), by the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and the Excellence Program EPUC3M17. Th...

Descripción completa

Detalles Bibliográficos
Autores: Yuste, Javier, García Pardo, Eduardo, Tapiador, Juan
Tipo de recurso: artículo
Fecha de publicación:2022
País:España
Institución:Universidad Rey Juan Carlos
Repositorio:BURJC-Digital. Repositorio Institucional de la Universidad Rey Juan Carlos
OAI Identifier:oai:burjcdigital.urjc.es:10115/24407
Acceso en línea:https://hdl.handle.net/10115/24407
Access Level:acceso abierto
Palabra clave:Malware
Evasion
Machine learning
Adversarial example
Genetic algorithm
id ES_9d3a70a1a0cbcfcc32e567c1938f3edf
oai_identifier_str oai:burjcdigital.urjc.es:10115/24407
network_acronym_str ES
network_name_str España
repository_id_str
spelling Optimization of code caves in malware binaries to evade machine learning detectorsYuste, JavierGarcía Pardo, EduardoTapiador, JuanMalwareEvasionMachine learningAdversarial exampleGenetic algorithmThis research was supported by the Ministerio de Ciencia, Innovación y Universidades (Grant Refs. PGC2018-095322-B-C22 and PID2019-111429RB-C21), by the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and the Excellence Program EPUC3M17. The opinions, findings, conclusions, or recommendations expressed are those of the authors and do not necessarily reflect those of any of the funders.Machine Learning (ML) techniques, especially Artificial Neural Networks, have been widely adopted as a tool for malware detection due to their high accuracy when classifying programs as benign or malicious. However, these techniques are vulnerable to Adversarial Examples (AEs), i.e., carefully crafted samples designed by an attacker to be misclassified by the target model. In this work, we propose a general method to produce AEs from existing malware, which is useful to increase the robustness of ML-based models. Our method dynamically introduces unused blocks (caves) in malware binaries, preserving their original functionality. Then, by using optimization techniques based on Genetic Algorithms, we determine the most adequate content to place in such code caves to achieve misclassification. We evaluate our model in a black-box setting with a well-known state-of-the-art architecture (MalConv), resulting in a successful evasion rate of 97.99 % from the 2k tested malware samples. Additionally, we successfully test the transferability of our proposal to commercial AV engines available at VirusTotal, showing a reduction in the detection rate for the crafted AEs. Finally, the obtained AEs are used to retrain the ML-based malware detector previously evaluated, showing an improve on its robustness.Elsevier202320232022info:eu-repo/semantics/articleapplication/pdfhttps://hdl.handle.net/10115/24407reponame:BURJC-Digital. Repositorio Institucional de la Universidad Rey Juan Carlosinstname:Universidad Rey Juan CarlosInglésAtribución 4.0 Internacionalhttp://creativecommons.org/licenses/by/4.0/info:eu-repo/semantics/openAccessoai:burjcdigital.urjc.es:10115/244072026-06-24T12:48:17Z
dc.title.none.fl_str_mv Optimization of code caves in malware binaries to evade machine learning detectors
title Optimization of code caves in malware binaries to evade machine learning detectors
spellingShingle Optimization of code caves in malware binaries to evade machine learning detectors
Yuste, Javier
Malware
Evasion
Machine learning
Adversarial example
Genetic algorithm
title_short Optimization of code caves in malware binaries to evade machine learning detectors
title_full Optimization of code caves in malware binaries to evade machine learning detectors
title_fullStr Optimization of code caves in malware binaries to evade machine learning detectors
title_full_unstemmed Optimization of code caves in malware binaries to evade machine learning detectors
title_sort Optimization of code caves in malware binaries to evade machine learning detectors
dc.creator.none.fl_str_mv Yuste, Javier
García Pardo, Eduardo
Tapiador, Juan
author Yuste, Javier
author_facet Yuste, Javier
García Pardo, Eduardo
Tapiador, Juan
author_role author
author2 García Pardo, Eduardo
Tapiador, Juan
author2_role author
author
dc.subject.none.fl_str_mv Malware
Evasion
Machine learning
Adversarial example
Genetic algorithm
topic Malware
Evasion
Machine learning
Adversarial example
Genetic algorithm
description This research was supported by the Ministerio de Ciencia, Innovación y Universidades (Grant Refs. PGC2018-095322-B-C22 and PID2019-111429RB-C21), by the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and the Excellence Program EPUC3M17. The opinions, findings, conclusions, or recommendations expressed are those of the authors and do not necessarily reflect those of any of the funders.
publishDate 2022
dc.date.none.fl_str_mv 2022
2023
2023
dc.type.none.fl_str_mv info:eu-repo/semantics/article
format article
dc.identifier.none.fl_str_mv https://hdl.handle.net/10115/24407
url https://hdl.handle.net/10115/24407
dc.language.none.fl_str_mv Inglés
language_invalid_str_mv Inglés
dc.rights.none.fl_str_mv Atribución 4.0 Internacional
http://creativecommons.org/licenses/by/4.0/
info:eu-repo/semantics/openAccess
rights_invalid_str_mv Atribución 4.0 Internacional
http://creativecommons.org/licenses/by/4.0/
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.publisher.none.fl_str_mv Elsevier
publisher.none.fl_str_mv Elsevier
dc.source.none.fl_str_mv reponame:BURJC-Digital. Repositorio Institucional de la Universidad Rey Juan Carlos
instname:Universidad Rey Juan Carlos
instname_str Universidad Rey Juan Carlos
reponame_str BURJC-Digital. Repositorio Institucional de la Universidad Rey Juan Carlos
collection BURJC-Digital. Repositorio Institucional de la Universidad Rey Juan Carlos
repository.name.fl_str_mv
repository.mail.fl_str_mv
_version_ 1869414724805853184
score 15,81155