Adapting Novelty towards Generating Antigens for Antivirus systems
Ritwik Murali, C Shunmuga Velayutham

TL;DR
This paper introduces a framework that uses evolutionary algorithms to generate diverse malware variants capable of evading antivirus detection, aiding in the development of more robust malware detection systems.
Contribution
It presents a novel assembly source code-based framework with code transformation and novelty search metrics for generating malware variants that evade scanners.
Findings
Generated variants evade over 98% of antivirus scanners
Framework effectively produces diverse malware variants
Variants can serve as antigens for malware analysis
Abstract
It is well known that anti-malware scanners depend on malware signatures to identify malware. However, even minor modifications to the code structure of a malware sample result in a change in its signature, thus enabling the variant to evade detection by scanners. Therefore, there is a need for a proactively generated malware variant dataset to aid the detection of such diverse variants by automated antivirus scanners. This paper proposes and demonstrates a generic, assembly-source-code-based framework that allows any evolutionary algorithm to generate diverse and potential variants of an input malware sample, retaining its maliciousness while remaining capable of evading antivirus scanners. Generic code transformation functions and a novelty-search-supported quality metric are proposed as components of the framework, to be used respectively as variation operators and as the fitness function, for…
