Black-Box Attacks against RNN based Malware Detection Algorithms

TL;DR

This paper demonstrates that RNN-based malware detection systems are highly vulnerable to sequential adversarial examples generated by a novel generative RNN, effectively bypassing detection in experiments.

Contribution

It introduces a new method for generating sequential adversarial examples to attack RNN-based malware detection systems, highlighting their vulnerability.

Findings

RNN malware detectors fail to identify most adversarial examples

The generative RNN successfully creates effective adversarial sequences

Attack method bypasses existing RNN detection algorithms

Abstract

Recent researches have shown that machine learning based malware detection algorithms are very vulnerable under the attacks of adversarial examples. These works mainly focused on the detection algorithms which use features with fixed dimension, while some researchers have begun to use recurrent neural networks (RNN) to detect malware based on sequential API features. This paper proposes a novel algorithm to generate sequential adversarial examples, which are used to attack a RNN based malware detection system. It is usually hard for malicious attackers to know the exact structures and weights of the victim RNN. A substitute RNN is trained to approximate the victim RNN. Then we propose a generative RNN to output sequential adversarial examples from the original sequential malware inputs. Experimental results showed that RNN based malware detection algorithms fail to detect most of the generated malicious adversarial examples, which means the proposed model is able to effectively bypass the detection algorithms.