Deceiving End-to-End Deep Learning Malware Detectors using Adversarial Examples
Felix Kreuk, Assi Barak, Shir Aviv-Reuven, Moran Baruch, Benny Pinkas, Joseph Keshet

TL;DR
This paper demonstrates how adversarial examples can be crafted to deceive deep learning malware detectors by minimally modifying executable files, achieving high evasion rates while preserving file functionality.
Contribution
The paper introduces a novel loss function for generating adversarial examples in discrete input spaces such as executable bytes, enabling effective evasion of deep learning malware detectors.
Findings
High detection evasion rate achieved
Adversarial payloads are transferable across files
Generated payloads mimic benign data entropy
Abstract
In recent years, deep learning has shown performance breakthroughs in many applications, such as image detection, image segmentation, pose estimation, and speech recognition. However, this comes with a major concern: deep networks have been found to be vulnerable to adversarial examples. Adversarial examples are slightly modified inputs that are intentionally designed to cause a misclassification by the model. In the domains of images and speech, the modifications are so small that they are not seen or heard by humans, but nevertheless greatly affect the classification of the model. Deep learning models have been successfully applied to malware detection. In this domain, generating adversarial examples is not straightforward, as small modifications to the bytes of the file could lead to significant changes in its functionality and validity. We introduce a novel loss function for…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
