Adversarial Malware Generation in Linux ELF Binaries via Semantic-Preserving Transformations

TL;DR

This paper introduces a new adversarial malware generator for Linux ELF binaries, demonstrating effective evasion of malware detection systems through semantic-preserving modifications.

Contribution

It presents the first comprehensive ELF malware generator evaluated with multiple metrics, achieving a 67.74% evasion rate against MalConv classifier.

Findings

Achieved 67.74% evasion rate on ELF malware samples.

Modified benign-like strings to successfully evade detection.

Target classifier sensitive to strings at any executable location.

Abstract

Malware development and detection have undergone significant changes in recent years as modern concepts, such as machine learning, have been used for both adversarial attacks and defense. Despite intensive research on Windows Portable Executable (PE) files, there is minimal work on Linux Executable and Linkable Format (ELF). In this work, we summarize the academic papers submitted in this field and develop a new adversarial malware generator for the ELF format. Using a variety of metrics, we thoroughly evaluated our generator and achieved an Evasion Rate of 67.74 % while changing the confidence of the malware detector by -0.50 in the mean case for the dataset used. In our approach, we chose MalConv as the target classifier. Using this classifier, we found that the most successful modifications used strings typical of benign files as a data source. We conducted a variety of experiments and concluded that the target classifier appears sensitive to strings at any location within the executable file.