Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware
Summary of seminar presented by Vasudeva Vallabhajosyula; based on Demetrio et al. paper; CSCE 689 601 ML-Based Cyber Defenses
The paper discusses techniques for optimizing adversarial attacks on Windows malware. This blog is originally written for CSCE 689:601 and is the 13th blog of the series: "Machine Learning-Based CyberDefenses".
Paper highlights
The paper targets enhancing evasion techniques against Windows Defender, treating it as a black box. It critiques current attacker methods and suggests a new approach. This involves a unique set of black box attacks, preserving query and functionality by adding benign elements.
The paper outlines challenges in prior adversarial models:
High query requirement.
Complex optimization, sandbox resets, ineffective input transformations.
Excessive manipulations performed on input samples.
Lack of attack constraints.
Addressing Challenges:
Enhancing query efficiency through intelligent query generation rather than random approaches.
Emphasizing functionality preservation over evasion during attacks.
Leveraging ambiguities in file formats for improved effectiveness.
Boosting stealthiness by framing attacks as constrained minimization problems, optimizing evasion probability while penalizing payload size.
The Windows Portable Executable (PE) format comprises:
MZ: Holding the DOS header and a stub program.
PE Header: Offering crucial details about the executable file.
Optional Header: Providing extra information like entry point and loading address preferences.
Section Table: Describing the layout of sections within the executable.
Sections: Containing executable code and data, organized with distinct characteristics and permissions.
Different OS reads the PE file in different ways.
The paper presents GAMMA (Genetic Adversarial Learning Malware Attack), a method for optimizing attacks on Windows malware.
GAMMA maps a malicious input X to K functionality-preserving manipulations (s). The classification model output, f(x), determines X's maliciousness, with θ as the decision threshold.
Attack Formulation: Minimize F(s) = f(x⊕s) + λ*C(s), where λ is a hyperparameter and C(s) penalizes manipulation size. Lowering C increases f, aiming to minimize manipulation's impact while considering payload size.
GAMMA generates payloads from benign programs, injects them into malware, and evaluates the objective function combining detector response and size constraint.
Section Injection Attack: Injecting malicious code or data into specific sections of a program exploits vulnerabilities in code execution.
Padding Attack: Adding extra data or code to manipulate system behavior or bypass security measures.
Random Attack: Generating malicious inputs randomly, without a specific strategy, to evade detection or cause harm.
Soft Label vs. Hard Label: Hard Label assigns inputs to one class with certainty, while soft labels provide probabilities for multiple classes, offering a degree of certainty.
Takeaways
Attackers target bypassing black-box models like malware detectors without understanding their internals. Despite sandbox availability, attackers find it challenging to evade detection due to model ensemble, dynamic environment, complex algorithms, and evolving defenses. This study formally defines practical attacks, aiming to guarantee successful attacks while maintaining malware functionality.
Mathematical Formulation: The paper provides a structured approach to generating adversarial samples through a mathematical formulation. Evasion problem is minimized by the detection function, treating antivirus as this function.
For effective sample modification, adding more content is straightforward but risks flagging as malware due to file size suspicion.
Objective: Minimize detection and payload size, forming a multi-objective formulation. Aim to minimize query count to avoid suspicion.
If we only aimed to minimize detection, we could use a gradient method. But with multiple objectives, there's no deterministic solution - it is an exponential problem. So, we aim to find the best possible or approximate solution, using heuristics or brute force.
The paper used an approximate genetic algorithm, which begins with initial solution guesses and explores a pool of candidates. Some candidates are prioritized for future exploration based on their efficiency. However, there's no assurance of finding the best solution. By mixing genes of two solutions, better solutions can emerge, resembling evolutionary processes. Nonetheless, the method ultimately relies on educated guesses. This highlights the adaptability of concepts from fields like NLP, computer vision, and genetics to cyber problems.
Preserving malware functionality is paramount to ensure its harmful capabilities remain intact. For example, removing encryption from ransomware via a genetic algorithm would be counterproductive as encryption is a crucial malware function. Maintaining functionality ensures evasion attempts are effective while retaining intended malicious behavior.
Understanding the distinction between feature space and problem space is crucial. Problem space refers to the actual binary file, while feature space involves extracted features like statistical properties or structural characteristics.
Mathematical operations are conducted on features rather than directly on the binary. Aligning modifications in the feature space with meaningful changes in the problem space is vital, though challenging.
To ensure coherence, the feature vector should accurately represent the binary, and vice versa. For example, removing the encryption function should be reflected in both the feature space and the binary.
The paper proposes altering particular areas of the binary, such as slack space or code caves - unused regions storing data without impacting functionality. These regions, similar to padding with 0 bytes, are optimal for modifications without functional repercussions.
In cases where the binary lacks slack spaces, alternatives include:
Creating slack spaces by appending or inserting data, possibly at the binary's end or within it.
Targeting areas in the binary unaffected by size, such as entry points, for modifications. This might involve complex methods like rewriting specific binary sections.
main() function.Binary files are classified as static or dynamic. Static binaries incorporate all necessary libraries and dependencies within the executable file during compilation, resulting in larger sizes. Dynamic binaries rely on external libraries loaded at runtime, resulting in smaller sizes as they only contain code specific to functionality.
Dynamic linking offers smaller binaries and efficient memory use but introduces overheads:
Dependency Management: Managing external libraries can be complex due to various versions and operating systems.
Runtime Overhead: Additional steps during runtime for locating and loading libraries may slightly slow startup times.
Security Concerns: Relying on external libraries introduces potential security risks, necessitating careful management for system security.
There are two main types of attacks: white box and black box. White box attacks, which have access to the internal workings of the system, are generally easier to execute. On the other hand, black box attacks, which lack such access, are more challenging. This paper categorizes attacks into soft label and hard label attacks. Hard labels simply indicate whether something is malicious or not, while soft labels provide additional information such as confidence scores. Soft label attacks are particularly useful in black box scenarios as they offer more guidance, potentially making them easier to execute compared to hard label attacks.
To mitigate attacks, limiting feedback to attackers is crucial, achieved through Moving Target Defense (MTD). MTD uses a pool of models, each offering correct labels but differing in internal configurations or algorithms. For example, one model may provide confidence scores, while another offers different information. By alternating models, attackers cannot discern which one is used, making exploitation harder. This reduces feedback usefulness to attackers, enhancing system security without compromising usability for legitimate users.