EvadeDroid: A Practical Evasion Attack on Machine Learning for Black-box Android Malware Detection

Summary of seminar based on Bostani et al. paper; CSCE 689 601 ML-Based Cyber Defenses

EvadeDroid: A Practical Evasion Attack on Machine Learning for Black-box Android Malware Detection

The paper describes a practical evasion attack on machine learning for Black-box android malware detection called EvadeDroid. This blog is originally written for CSCE 689:601 and is the 15th blog of the series: "Machine Learning-Based CyberDefenses".

Paper highlights

  • One major challenge in creating effective evasion techniques is the risk of "query overload". Excessive querying of the model can arouse suspicion and prompt defensive responses.

  • Problems with adversarial techniques include feature manipulation, which can be risky, especially for discrete features, due to the irreversible mapping of code changes. Additionally, evasion techniques depend on accurate knowledge of the target system, which may be unavailable or inaccurate, posing challenges to their effectiveness.

  • In Android malware evasion, attackers use sophisticated techniques to evade antivirus (AV) detection:

    • Opaque Predicates: Attackers use opaque predicates to obscure malicious code behavior. These conditions evaluate to constants but are challenging to analyze statically, complicating detection. For example, attackers may use NP-hard problems or XOR operations with identical operands to create complexity for static analysis tools

    • Obfuscation Techniques: Malware authors use various obfuscation methods to hide code functionality. Techniques include encryption, code rearrangement, insertion of junk code, and polymorphic techniques. These methods aim to evade signature-based detection and hinder analysis by security tools.

    • Dynamic Code Loading: Attackers dynamically load code at runtime instead of including it directly in the application package (APK). This can occur through reflection, dynamic class loading, or downloading code from remote servers. By loading malicious code components dynamically, attackers evade static analysis, as the entire codebase may not be present during initial inspection.

  • An APK (Android Application Package) is the file format for distributing and installing apps on Android. It includes XML files for structure and configuration, along with DEX (Dalvik Executable) files containing compiled code for Android devices.

  • Threat Model:

    • Goal: Deceive Static ML-based Malware Detectors: Develop techniques to deceive static ML-based malware detectors tailored for Android apps. These detectors analyze app characteristics without execution, aiming to detect malware based on predefined features or patterns.

    • Constraints:

      1. Lack of Knowledge: Attackers lack knowledge about detector features, model, or dataset, complicating evasion. Innovative strategies are needed to bypass detection effectively.

      2. Minimize Queries: Attackers aim to minimize detector queries to avoid suspicion and detection. Excessive queries can trigger defensive actions, reducing evasion effectiveness.

      3. Minimize File Size: Transforming malware should minimize file size while evading detection. Smaller files reduce detection likelihood and aid in distribution.

  • The proposed method optimizes malware manipulation to evade static ML-based malware detectors using iterative incremental algorithms and random search techniques. It involves key components such as Gadgets, fundamental units of program functionality within malware, identified through gadget extraction. Donor Selection involves choosing applications to extract gadgets for manipulation, effective for unobfuscated applications. The Objective Function evaluates manipulation effectiveness based on criteria like soft label (probabilistic output) and optimal or non-optimal hard labels (correct or incorrect classification).

  • Experiment: The evasion technique undergoes evaluation against diverse malware detectors, including DREBIN, SEC-SVM, ADE-MA, MAMADROID, and Opcode-SVM. These detectors vary in detection methodologies, posing challenges for attackers to devise a universal evasion strategy.

  • Datasets and Metrics: Evaluation uses two datasets, with detectors trained on an inaccessible dataset. Malicious samples are identified if detected by four or more engines on VirusTotal. Metrics used: true positive rate (TPR), false positive rate (FPR), evasion rate (ER), and evasion time (ET). Consideration is given to dataset bias, temporal bias, and the presence of both malware and goodware samples.

Results and Analysis: Results demonstrate the efficacy of the evasion technique across detectors and datasets. However, evaluation may be biased due to data snooping, necessitating rigorous experimental design and validation. Attacks are categorized into white-box, gray-box, semi-gray, and contemporary black-box categories, reflecting varied knowledge and access levels during evasion.

Attack TypeDescription
White BoxAttacker has full knowledge of the system, including model internals, for precise evasion strategies.
Gray BoxAttacker has partial knowledge, experimenting based on limited information for realistic attacks.
Semi-GrayAttacker's knowledge evolves over time, starting limited and potentially approaching white-box levels.
Contemporary Black BoxAttacker lacks detailed system insight, relying on experimentation and external knowledge.

Takeaways

  • The paper focuses on a specific aspect, overlooking the dynamic interplay between evolving attack techniques and the natural drift in software characteristics over time. This narrow focus fails to address the concurrent nature of attacks and drift in the real world, which is common for research as the idea is to focus on one thing.

  • The evasion strategy involves adding benign code segments to the malicious code to obscure its malicious intent. By integrating harmless functionality, the malware's composition is altered, potentially masking its malicious behavior and making it less detectable to the detector.

But why focus on ensuring the added code is not just benign, but also similar in structure and composition to the existing malware code?

  • The strategy of ensuring added code resembles existing malware serves to maintain the application's structure, reducing detection likelihood. By closely matching malicious code, it's harder for detectors to distinguish between benign and malicious components. This involves integrating benign code segments resembling malware, maximizing evasion effectiveness. We cannot make an exact match with benign files because malware should remain a malware at the end!

  • To evade detection while maintaining operational integrity, "dead code" insertion is used. Dead code, statically present but inactive during runtime, obscures malware functionality, complicating analysis. Conditional statements like "if 0:{add benign code here}" ensure added code remains inactive yet present, challenging static analyzers.

  • Sophisticated static analyzers can exclude dead code from analysis by identifying reachable or executable code, prompting the use of Opaque predicates. These conditions, evaluating to constants, obscure reachability, complicating analysis and making it challenging for analyzers to interpret code functionality accurately.

Examples of opaque predicates:

  1. Using XOR operation: if xor(eax, eax)

  2. Using dynamic variables: if var1 - var2 (where var1 and var2 are dynamic variables)

  3. Using function calls: if func1() - func2() (where func1 and func2 are functions that return values)

  4. Jumping to dynamic locations: jump to dynamic location

  • The Android platform differs from x86 platforms in its architecture and execution mechanisms. Unlike x86, which executes code directly, Android utilizes an abstraction layer between hardware and software via ART and the JVM. This difference impacts code execution and attack methods. While droppers are commonly used in x86 platforms to deploy malware, they are less prevalent in Android due to various factors.

  • The absence of a resource section in Java code on the Android platform restricts the functionality of droppers. Attackers resort to directly modifying code and creating new APK files with malicious payloads. This exploits Android's flexibility for more effective attacks. Despite similarities in deploying malware across platforms, Android's unique characteristics demand specialized approaches. It's the same thing without being the same thing!

AspectPE File (Compiled)Java Bytecode (Interpreted)
Compilation vs. InterpretationCompiled from source code to machine-readable binaryTranslated from source code to platform-independent bytecode
Nature of FileContains assembly instructionsContains intermediate instructions for the Java Virtual Machine
ExecutionDirect execution by the operating systemInterpreted and executed by the Java Virtual Machine (JVM)
Runtime ProcessingNo additional processing at runtimeTranslated into actual code at runtime by the JVM
Flexibility and SpeedFast execution due to precompiled codeSlightly slower execution due to runtime interpretation and translation
Initial ProcessingPreprocessing done during compilationNo initial processing; code generated on demand, which can result in slower execution times
  • Effective detectors for Android permissions use various techniques. One approach is to represent permissions as a boolean vector and use ML, such as GANs, to identify combinations indicative of malicious behavior. Alternatively, NLP techniques like TF-IDF analyze manifest file text.

  • A challenge in Android malware detection is concept drift in manifest files, where requested permissions evolve, requiring detection models to adapt continuously. In ML, gadgets are specific code sequences characteristic of attacks, like buffer overflow. They are crucial for intrusion detection system study.

  • Markov chains, which represent a series of probabilistic transitions between states, have found applications in cybersecurity. For instance, they can be used to model the behavior of attackers or the evolution of security threats over time. Additionally, Markov chains have been applied in text generation tasks, which have implications for security, such as generating phishing emails or malware variants.

    💡
    The intersection of theoretical concepts and practical applications in cybersecurity highlights its dynamic complexity, requiring interdisciplinary approaches to effectively tackle emerging challenges.

References