Abstract

Recent research has shown that a small perturbation to an input may forcibly change the prediction of a machine learning (ML) model. Such variants are commonly referred to as <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">adversarial examples</i> . Early studies have focused mostly on ML models for image processing and expanded to other applications, including those for malware classification. In this article, we focus on the problem of finding adversarial examples against ML-based portable document format (PDF) malware classifiers. We deem that our problem is more challenging than those against ML models for image processing because of the highly complex data structure of PDF and of an additional constraint that the generated PDF should exhibit malicious behavior. To resolve our problem, we propose a variant of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">generative adversarial networks</i> that generate evasive variant PDF malware (without any crash), which can be classified as benign by various existing classifiers yet maintaining the original malicious behavior. Our model exploits the target classifier as the second discriminator to rapidly generate an evasive variant PDF with our new feature selection process that includes unique features extracted from malicious PDF files. We evaluate our technique against three representative PDF malware classifiers (Hidost’13, Hidost’16, and PDFrate-v2) and further examine its effectiveness with AntiVirus engines from VirusTotal. To the best of our knowledge, our work is the first to analyze the performance against the commercial AntiVirus engines. Our model finds, with great speed, evasive variants for all selected seeds against state-of-the-art PDF malware classifiers and raises a serious security concern in the presence of adversaries. <p xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><i>Impact statement</i>—PDF has been one of the most popular media to conceal adversarial contents for many years. The reason being that adversaries can exploit the complex structure of PDF in their favor by hiding malicious content. In 2019, more than 73k PDF-based attacks were reported in one month, which accounts for 17% of newly detected threats. With increasing popularity, many ML-based techniques have been proposed for PDF malware classifiers. Such defense mechanisms include support vector machine and random forest classification models trained with a structural map of PDF (Hidost’13 and Hidost’16). Furthermore, ensemble training has been applied with metadata collected from PDF as the training data (PDFrate-v2). In recent studies, many researchers have attempted and succeeded in generating evasive PDF malware (adversarial examples) that bypass such defense techniques. However, the current method heavily relies on a random mutation algorithm resulting in repeated computation for a significant period of time. To resolve this, we propose a novel solution by employing a variant of generative adversarial networks, which is trained to identify intrinsic properties of PDF and to generate evasive PDF malware with the minimum perturbation to the original PDF. Our solution successfully generated evasive PDF malware with a maximum number of 12 manipulation operations and found effective against ML-based classifiers and AntiVirus engines provided by VirusTotal.

Highlights

  • M ACHINE learning (ML) has extensively adapted in a large number of application areas including speech recognition and image processing

  • Portable Document Format (PDF)-generative adversarial networks (GANs) already proved its imposing capability in generating adversarial examples by evading opensource PDF malware classifiers, we further demonstrate its effectiveness by evading commercial AntiVirus engines

  • There was an drastic improvement in the time required to evade PDF malware classifiers for 500 samples

Read more

Summary

Introduction

M ACHINE learning (ML) has extensively adapted in a large number of application areas including speech recognition and image processing. One important such area is security, to which a variety of ML-based techniques have been applied in recent years. Several studies have empirically evinced a great potential and effectiveness of ML in solving certain security problems like malware detection [1], [2]. We describe the threat model and current state-of-the-art PDF malware classifiers. We elaborate on recent evasion attacks for such classifiers and categorization of attack method. The types of information that can be provided to an attacker are threefold: (1) the training dataset and its labels, (2) the feature set and the feature extraction algorithm of the classifier with its extracted feature types and (3) the knowledge of the classification function and its hyper-parameters

Methods
Results
Discussion
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.