This is the first paper of the course where we deep dive into attack strategies used by the authors to win the MLSec competition. This blog is originally written for CSCE 689:601 and is the 11th blog of the series: "Machine Learning-Based CyberDefenses".

Paper highlights

• The paper explores techniques for bypassing machine learning-based security models.

• The authors participated in a competition assessing the resilience of three static ML models (MalConv, Non-negative MalConv and LightGBM) from a hosting company. They were provided with 50 samples, resulting in 150 adversarial samples.

• The dataset consisted of 50 Portable Executables (PEs) for Windows across 21 malware families like Emotet, Loki, Ramnit, and Xtrat.

• The authors were able to identify the following weaknesses in the given models:

  • Raw binary data-based models are susceptible to manipulation by appending additional data.

  • Frequency-based models can be deceived by embedding benign/goodware strings within the binaries.

  • Portable executable format-based classifiers may exhibit bias towards detecting packers rather than identifying malicious concepts.

• Therefore, evasion techniques included appending random data (>1MB), embedding goodware strings (>10,000 strings), and altering binary headers (e.g., version numbers, checksums).

• It was observed that the files which were not packed were not being flagged as malicious but when the same files were packed with UPS, they were flagged as malicious meaning that model was biased towards UPX packed files. Using a different packer like Telock which packs and encrypts the binary worked in many cases but resulted in compatibility issues for xtreme rat family. Embedding malware into a dropper resulted in increased file size.

• Once these weaknesses were understood, the authors automated the process of generating malware variants capable of bypassing detection by exploiting these vulnerabilities. This involved scripting the creation of new files that embed payloads within standard PE headers and sections, followed by the appending of data to these files to ensure evasion.

• Due to constraints such as size limitations imposed by the challenge, existing solutions like Telock and Dr0p1t are unsuitable. Therefore, the authors developed their own dropper, which involved embedding the original malware sample as a PE binary resource.

Takeaways

• The concept of adversarial attacks involves appending random data, typically more than 1MB, to manipulate the output of machine learning models.

Malconv is characterized by its featureless nature, meaning it solely focuses on identifying crucial bytes within a file. Rather than extracting specific features or providing explanations, Malconv relies on statistical analysis. However, this approach lacks robustness, as each byte is mapped to a neuron in the model. When the size of the file exceeds the number of neurons, a many-to-one mapping occurs, ideally requiring a one-to-one mapping for accurate classification.

If many benign and few malicious bytes are mapped to the same neuron, the overall classification tends to lean towards benign.

• Appending data at the end of a file is preferred in adversarial attacks because inserting it in the middle can disrupt the binary structure, potentially rendering the file unusable. By adding data at the end, the file's operation remains intact since neural networks typically process bytes sequentially. To mitigate:

  1. Feature-based models: These models use a feature extractor to parse and extract relevant information from bytes while discarding irrelevant data. By focusing on meaningful file characteristics, this approach enhances resilience to adversarial attacks.

  2. Non-negative Malconv models: These models are designed to prevent negative parameter values, which can help reduce the impact of large strings of random data. However, the effectiveness of this approach may vary depending on the specific implementation and the nature of the adversarial attacks.

• The effectiveness of non-negative Malconv models was observed to degrade when large strings of random data were used (>10k strings).

  • This approach might have exploited an implementation error or bug in the model, allowing the attack to succeed despite the expectation that it should have been robust against such manipulation.

  • However, it is important to note that this type of attack isn't always feasible or practical because it results in a significant increase in file size. As file size increases, computational overhead also increases.

• A dropper is a technique used to evade detection by embedding malicious content within benign code. Droppers act as dynamic loaders, hiding malicious content within a benign external shell. This makes the binary appear harmless, challenging neural network-based models that are based on the principle of detecting patterns and shapes within data. Neural networks struggle to distinguish between installers of legitimate software and those with malicious payloads based solely on external appearances.

• Droppers often hide the malicious payload within the resource section of the PE file, which contains various data types like icons and images. By storing the malicious binary within this section, droppers evade detection by traditional feature-based analysis methods, as the payload remains hidden within seemingly benign data.

• One approach to enhance defense mechanisms is through adversarial training. Adversarial training involves exposing ML model to various adversarial examples during the training process, thereby improving its resilience to such attacks.

• A defense strategy against dropper attacks involves a preprocessing step where suspected dropper files are unpacked before classification. This step removes the packing layer to reveal the underlying payload, which can be analyzed using traditional or advanced detection techniques. Dedicated unpackers can automate this process for certain packers, while manual analysis may be required for others.

• Windows uses patching methods to identify missing information and aid file execution, ensuring compatibility and security. Operating system loaders often tolerate slightly modified files to accommodate legacy systems. For instance, a file with a header indicating a size of 100 bytes might actually contain 5 MB of additional data. While ideally, the loader should issue a warning in such cases, this doesn't always happen.

  💡

  This issue can't be resolved at the ML level but requires OS-level solutions, emphasizing the need for a pipeline of solutions.

• LightGBM is a feature-based model which focuses on the header. So attackers can provide benign headers to make their files look benign.

• Packers are techniques used to compress or encrypt executable files to evade detection. Payloads can be delivered to systems through packers in two main ways: storing them locally within the file or externally, such as on a remote server.

  💡

  Malicious downloaders can deliver harmful files while appearing benign, making detection challenging. Merely checking URLs isn't enough, as attackers can change domains and create chains from files to downloaders to URLs, complicating detection.

• The paper's antivirus detection rate demonstrates that even legitimate antivirus software can be bypassed by sophisticated malware. However, not all antivirus solutions are equally susceptible. Some use robust defense mechanisms like pipelines, heuristics, and dynamic detection methods.

• Today's seminar focused on white-box testing, where the internal workings and algorithms of systems are transparent. In contrast, the next seminar will likely cover black-box testing, where testers have limited knowledge of the system's internal mechanisms, simulating real-world scenarios where attackers have little to no visibility into the target system's internals.

References

• https://dl.acm.org/doi/10.1145/3375894.3375898

• https://github.com/D4Vinci/Dr0p1t-Framework