Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables

TL;DR

This paper demonstrates that deep learning-based malware detection can be evaded by minimal byte modifications, highlighting vulnerabilities in current models and emphasizing the need for more robust defenses.

Contribution

The authors introduce a gradient-based attack that effectively evades a recent deep malware detection network by altering less than 1% of the sample bytes, while maintaining malware functionality.

Findings

High evasion success rate with minimal byte changes

Less than 1% of bytes modified in malware samples

Vulnerabilities in deep learning malware detectors exposed

Abstract

Machine-learning methods have already been exploited as useful tools for detecting malicious executable files. They leverage data retrieved from malware samples, such as header fields, instruction sequences, or even raw bytes, to learn models that discriminate between benign and malicious software. However, it has also been shown that machine learning and deep neural networks can be fooled by evasion attacks (also referred to as adversarial examples), i.e., small changes to the input data that cause misclassification at test time. In this work, we investigate the vulnerability of malware detection methods that use deep networks to learn from raw bytes. We propose a gradient-based attack that is capable of evading a recently-proposed deep network suited to this purpose by only changing few specific bytes at the end of each malware sample, while preserving its intrusive functionality. Promising results show that our adversarial malware binaries evade the targeted network with high probability, even though less than 1% of their bytes are modified.