Evasive Ransomware Attacks Using Low-level Behavioral Adversarial Examples
Manabu Hirano, Ryotaro Kobayashi

TL;DR
This paper explores how low-level behavioral adversarial examples can be used to evade AI-based ransomware detection by manipulating source code behaviors such as threading and encryption timing.
Contribution
It introduces the concept of low-level behavioral adversarial examples and demonstrates how they can be used to generate evasive ransomware using source code modifications.
Findings
An attacker can significantly reduce detection rates by controlling ransomware behaviors.
Micro-behavior control functions can simulate changing source code in ransomware.
Evasive ransomware can be generated by manipulating threading, encryption ratio, and delays.
Abstract
Protecting state-of-the-art AI-based cybersecurity defense systems from cyber attacks is crucial. Attackers create adversarial examples by adding small changes (i.e., perturbations) to the attack features to evade or fool the deep learning model. This paper introduces the concept of low-level behavioral adversarial examples and the corresponding threat model of evasive ransomware. We formulate the method and the threat model to generate the optimal source code of evasive malware. We then examine the method using the leaked source code of Conti ransomware with the micro-behavior control function. The micro-behavior control function is our test component to simulate changing source code in ransomware; the ransomware's behavior can be changed by specifying the number of threads, the file encryption ratio, and the delay after file encryption at boot time. We evaluated how much an attacker can control the…
