Madvex: Instrumentation-based Adversarial Attacks on Machine Learning Malware Detection

TL;DR

This paper introduces an instrumentation-based method to generate adversarial examples in WebAssembly binaries, effectively evading machine learning malware detectors with minimal overhead.

Contribution

It presents a novel instrumentation technique to embed adversarial modifications into binaries, enabling reliable evasion of ML-based malware detection.

Findings

Effective evasion of CNN-based classifiers like Minos

Minimal size and performance overheads

Reliable adversarial example generation

Abstract

WebAssembly (Wasm) is a low-level binary format for web applications, which has found widespread adoption due to its improved performance and compatibility with existing software. However, the popularity of Wasm has also led to its exploitation for malicious purposes, such as cryptojacking, where malicious actors use a victim's computing resources to mine cryptocurrencies without their consent. To counteract this threat, machine learning-based detection methods aiming to identify cryptojacking activities within Wasm code have emerged. It is well-known that neural networks are susceptible to adversarial attacks, where inputs to a classifier are perturbed with minimal changes that result in a crass misclassification. While applying changes in image classification is easy, manipulating binaries in an automated fashion to evade malware classification without changing functionality is non-trivial. In this work, we propose a new approach to include adversarial examples in the code section of binaries via instrumentation. The introduced gadgets allow for the inclusion of arbitrary bytes, enabling efficient adversarial attacks that reliably bypass state-of-the-art machine learning classifiers such as the CNN-based Minos recently proposed at NDSS 2021. We analyze the cost and reliability of instrumentation-based adversarial example generation and show that the approach works reliably at minimal size and performance overheads.