DOOM: A Novel Adversarial-DRL-Based Op-Code Level Metamorphic Malware Obfuscator for the Enhancement of IDS
Mohit Sewak, Sanjay K. Sahay, Hemant Rathore

TL;DR
DOOM employs adversarial deep reinforcement learning to generate op-code level metamorphic malware, significantly improving evasion of IDS and aiding in the development of advanced cyber defense mechanisms.
Contribution
First system to generate detailed op-code level metamorphic malware using efficient continuous action DRL, enhancing IDS testing and zero-day attack simulation.
Findings
Over 67% of malware evaded detection by IDS
Effective mimicry of zero-day attack patterns
Novel use of continuous action DRL in malware obfuscation
Abstract
We designed and developed DOOM (Adversarial-DRL based Opcode level Obfuscator to generate Metamorphic malware), a novel system that uses adversarial deep reinforcement learning to obfuscate malware at the op-code level for the enhancement of IDS. The ultimate goal of DOOM is not to put a potent weapon in the hands of cyber-attackers, but to create defensive mechanisms against advanced zero-day attacks. Experimental results indicate that the obfuscated malware created by DOOM could effectively mimic multiple simultaneous zero-day attacks. To the best of our knowledge, DOOM is the first system that could generate obfuscated malware detailed to the individual op-code level. DOOM is also the first system to use efficient continuous-action-control deep reinforcement learning in the area of malware generation and defense. Experimental results indicate that over 67% of the metamorphic…
