Abstract

Recent progress in machine learning has led to promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived from their runtime behavior. Behavioral features hold great promise because they are intrinsically tied to the functioning of each malware sample and are therefore considered difficult to evade. Indeed, while a significant body of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them. Ransomware behavior differs significantly from that of benign processes, making it an ideal best case for behavioral detectors and a difficult candidate for evasion. We identify and propose a set of novel attacks that distribute the overall malware workload across a small set of independent, cooperating processes in order to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6% to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors in a black-box setting. Finally, we evaluate a detector designed to identify our most effective attack, and discuss potential directions to mitigate our most advanced attack.
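
The abstract's core idea is that per-process behavioral features shrink as the same encryption workload is spread over more cooperating processes. The following toy simulation, added here as an illustration and not taken from the paper or its artifacts, shows this dilution with a deliberately simple detector that counts file write/rename operations per process in a window. The event format, the threshold of 50, the "two operations per file" cost model, and the parent-PID grouping used as a naive group-level mitigation are all constructed assumptions; the paper's classifier uses richer features, and its attack processes are described as independent, so grouping by parent is not expected to defeat the real attack.

```python
"""Toy model: per-process behavioral ransomware scoring versus workload splitting.

Constructed example (not the paper's classifier or attack code). Each file the
ransomware encrypts is modeled as one write plus one rename; a detector that
scores each process by its operation count in a window flags a monolithic
ransomware but misses the same workload split over k worker processes.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed filesystem operation (constructed event schema)."""
    pid: int
    ppid: int
    op: str    # "write" or "rename"
    path: str


def monolithic_ransomware(n_files, pid=1000, ppid=1):
    """Single process encrypts every file: all operations carry one pid."""
    events = []
    for i in range(n_files):
        path = f"/home/user/docs/f{i}.txt"
        events.append(Event(pid, ppid, "write", path))
        events.append(Event(pid, ppid, "rename", path))
    return events


def split_ransomware(n_files, k, base_pid=2000, ppid=1999):
    """Same workload over k cooperating workers: file i goes to worker i % k."""
    events = []
    for i in range(n_files):
        pid = base_pid + (i % k)
        path = f"/home/user/docs/f{i}.txt"
        events.append(Event(pid, ppid, "write", path))
        events.append(Event(pid, ppid, "rename", path))
    return events


def per_process_scores(events):
    """Behavioral 'feature': number of write/rename operations per pid."""
    scores = defaultdict(int)
    for e in events:
        if e.op in ("write", "rename"):
            scores[e.pid] += 1
    return dict(scores)


def flag_per_process(events, threshold):
    """Per-process detector: flag any pid whose score reaches the threshold."""
    return {pid for pid, s in per_process_scores(events).items() if s >= threshold}


def flag_per_parent(events, threshold):
    """Naive group-level detector: aggregate children's operations by ppid.

    Assumption for illustration only; it relies on the workers sharing a
    parent, which independently launched processes need not do.
    """
    scores = defaultdict(int)
    for e in events:
        if e.op in ("write", "rename"):
            scores[e.ppid] += 1
    return {ppid for ppid, s in scores.items() if s >= threshold}


def min_processes_to_evade(n_files, threshold, ops_per_file=2):
    """Smallest k such that every worker stays below the per-process threshold."""
    k = 1
    while ops_per_file * math.ceil(n_files / k) >= threshold:
        k += 1
    return k


if __name__ == "__main__":
    mono = monolithic_ransomware(100)
    split = split_ransomware(100, 18)
    print("monolithic flagged:", flag_per_process(mono, 50))
    print("split max per-process score:", max(per_process_scores(split).values()))
    print("split flagged per-process:", flag_per_process(split, 50))
    print("split flagged per-parent:", flag_per_parent(split, 50))
    print("min workers to evade threshold 50:", min_processes_to_evade(100, 50))
```

With 100 files and a threshold of 50, the single process scores 200 and is flagged, while 18 workers score at most 12 each and none is flagged; under this cost model five workers already suffice, which is why the number of cooperating processes, not the total amount of encryption, is the quantity that matters. Any mitigation therefore has to correlate activity across processes, for example by the files or directories they jointly touch within a window, rather than relying on a shared parent.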

Highlights

  • The problem of automatic malware detection is a difficult one, with no full solution in sight despite decades of research

  • This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them

  • While our work has focused on obfuscating ransomware-related features, the underlying principles are general and likely to apply to a wide range of behavioral detectors that analyze the runtime behavior of different types of malware


Summary

Introduction

The problem of automatic malware detection is a difficult one, with no full solution in sight despite decades of research. Behavioral approaches sidestep the challenges of analyzing obfuscated binaries. Instead, they focus on the runtime behavior of malware processes, which is difficult to alter without breaking core functionality and is considered a reliable fingerprint for malware presence. This strong push toward behavioral malware analysis, coupled with recent improvements in the field of machine learning (ML), has resulted in a multitude of ML-based behavioral approaches to malware detection. One way to ‘‘trick’’ such a classifier f is to alter its training dataset, causing it to learn an incorrect boundary between classes.
