
Publication | Open Access

Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables

Citations: 44

References: 12

Year: 2018

TLDR

Machine learning, especially deep neural networks, is widely used to detect malicious executables by learning from features such as header fields, instruction sequences, or raw bytes, but these models can be deceived by small adversarial perturbations. This study examines how vulnerable deep‑learning malware detectors are to such evasion attacks. The authors design a gradient‑based method that alters only a few bytes at the end of a malware binary, preserving its malicious functionality while evading a state‑of‑the‑art deep network. Experiments show that the crafted adversarial binaries evade the target model with high probability, despite modifying less than 1 % of the file’s bytes.

Abstract

Machine learning has already been exploited as a useful tool for detecting malicious executable files. Data retrieved from malware samples, such as header fields, instruction sequences, or even raw bytes, is leveraged to learn models that discriminate between benign and malicious software. However, it has also been shown that machine learning and deep neural networks can be fooled by evasion attacks (also known as adversarial examples), i.e., small changes to the input data that cause misclassification at test time. In this work, we investigate the vulnerability of malware detection methods that use deep networks to learn from raw bytes. We propose a gradient-based attack that is capable of evading a recently-proposed deep network suited to this purpose by only changing few specific bytes at the end of each malware sample, while preserving its intrusive functionality. Promising results show that our adversarial malware binaries evade the targeted network with high probability, even though less than 1 % of their bytes are modified.
