Stealing and Evading Malware Classifiers and Antivirus at Low False Positive Conditions
Maria Rigaki, Sebastian Garcia

TL;DR
This paper investigates model stealing attacks on malware classifiers and antivirus systems, proposing new neural network architectures and attack methods that achieve high surrogate accuracy with minimal data, enabling effective adversarial malware generation.
Contribution
It introduces a novel neural network architecture (dualFFNN) and a combined transfer and active learning attack (FFNN-TL) for efficient surrogate creation in malware detection systems.
Findings
Achieved up to 99% surrogate agreement with less than 4% of training data.
Successfully trained surrogates for antivirus systems with up to 99% agreement using fewer than 4,000 queries.
Generated adversarial malware that evades target models, with a lower success rate than direct attacks but requiring less time and carrying less detection risk.
Abstract
Model stealing attacks have been successfully used in many machine learning domains, but there is little understanding of how these attacks work against models that perform malware detection. Malware detection and, in general, security domains have unique conditions. In particular, there are very strong requirements for low false positive rates (FPR). Antivirus products (AVs) that use machine learning are very complex systems to steal, malware binaries continually change, and the whole environment is adversarial by nature. This study evaluates active learning model stealing attacks against publicly available stand-alone machine learning malware classifiers and also against antivirus products. The study proposes a new neural network architecture for surrogate models (dualFFNN) and a new model stealing attack that combines transfer and active learning for surrogate creation (FFNN-TL). We…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
