Abstract

Recent research has shown that a small perturbation to an input may forcibly change the prediction of a machine learning (ML) model. Such variants are commonly referred to as adversarial examples. Early studies have focused mostly on ML models for image processing and expanded to other applications, including those for malware classification. In this article, we focus on the problem of finding adversarial examples against ML-based portable document format (PDF) malware classifiers. We deem that our problem is more challenging than those against ML models for image processing because of the highly complex data structure of PDF and of an additional constraint that the generated PDF should exhibit malicious behavior. To resolve our problem, we propose a variant of generative adversarial networks that generates evasive variant PDF malware (without any crash), which can be classified as benign by various existing classifiers while maintaining the original malicious behavior. Our model exploits the target classifier as the second discriminator to rapidly generate an evasive variant PDF with our new feature selection process that includes unique features extracted from malicious PDF files. We evaluate our technique against three representative PDF malware classifiers (Hidost’13, Hidost’16, and PDFrate-v2) and further examine its effectiveness with AntiVirus engines from VirusTotal. To the best of our knowledge, our work is the first to analyze the performance against the commercial AntiVirus engines. Our model finds, with great speed, evasive variants for all selected seeds against state-of-the-art PDF malware classifiers and raises a serious security concern in the presence of adversaries.

Impact statement: PDF has been one of the most popular media to conceal adversarial contents for many years. The reason is that adversaries can exploit the complex structure of PDF in their favor by hiding malicious content. In 2019, more than 73k PDF-based attacks were reported in one month, which accounts for 17% of newly detected threats. With increasing popularity, many ML-based techniques have been proposed for PDF malware classifiers. Such defense mechanisms include support vector machine and random forest classification models trained with a structural map of PDF (Hidost’13 and Hidost’16). Furthermore, ensemble training has been applied with metadata collected from PDF as the training data (PDFrate-v2). In recent studies, many researchers have attempted and succeeded in generating evasive PDF malware (adversarial examples) that bypass such defense techniques. However, the current method heavily relies on a random mutation algorithm, resulting in repeated computation for a significant period of time. To resolve this, we propose a novel solution by employing a variant of generative adversarial networks, which is trained to identify intrinsic properties of PDF and to generate evasive PDF malware with the minimum perturbation to the original PDF. Our solution successfully generated evasive PDF malware with a maximum number of 12 manipulation operations and was found effective against ML-based classifiers and AntiVirus engines provided by VirusTotal.

Highlights

  • Machine learning (ML) has been extensively adopted in a large number of application areas, including speech recognition and image processing

  • Portable Document Format (PDF)-generative adversarial networks (GANs) have already proved their imposing capability in generating adversarial examples by evading open-source PDF malware classifiers; we further demonstrate their effectiveness by evading commercial AntiVirus engines

  • There was a drastic improvement in the time required to evade PDF malware classifiers for 500 samples


Summary

Introduction

Machine learning (ML) has been extensively adopted in a large number of application areas, including speech recognition and image processing. One important such area is security, to which a variety of ML-based techniques have been applied in recent years. Several studies have empirically evinced a great potential and effectiveness of ML in solving certain security problems like malware detection [1], [2]. We describe the threat model and current state-of-the-art PDF malware classifiers. We elaborate on recent evasion attacks for such classifiers and the categorization of attack methods. The types of information that can be provided to an attacker are threefold: (1) the training dataset and its labels, (2) the feature set and the feature extraction algorithm of the classifier with its extracted feature types, and (3) the knowledge of the classification function and its hyper-parameters.
