Adversarial Attacks on Transformers-Based Malware
Detectors
Yash Jakhotiya
Department of Computer Engineering,
College of Engineering, Pune
jakhotiyays16.comp@coep.ac.in
Heramb Patil
Department of Computer Engineering,
College of Engineering, Pune
herambnp16.comp@coep.ac.in
Jugal Rawlani
Department of Computer Engineering,
College of Engineering, Pune
rawlanijr16.comp@coep.ac.in
Dr. Sunil B. Mane
Department of Computer Engineering,
College of Engineering, Pune
sunilbmane.comp@coep.ac.in
Abstract
Signature-based malware detectors have proven to be insufficient as even a small
change in malignant executable code can bypass these signature-based detectors.
Many machine learning-based models have been proposed to efficiently detect a
wide variety of malware. Many of these models are found to be susceptible to
adversarial attacks - attacks that work by generating intentionally designed inputs
that can force these models to misclassify. Our work aims to explore vulnerabilities
in the current state of the art malware detectors to adversarial attacks. We train
a Transformers-based malware detector, carry out adversarial attacks resulting in
a misclassification rate of 23.9% and propose defenses that reduce this misclassification
rate to half. An implementation of our work can be found at
https://github.com/yashjakhotiya/Adversarial-Attacks-On-Transformers.
1 Introduction
Malware is software written to steal credentials of computer users, damage computer systems, or
encrypt documents for ransom, among other nefarious goals. In Q1 of 2021 alone, around 87.6
million new types of malware and 2.51 million new types of ransomware were detected, summing the
total number of malware detected till 2021 to more than 1.51 billion and these figures keep growing
constantly [Beek et al., 2021].
A prevalent approach in commercial antivirus products is signature-based malware detection, with
signatures extracted by expert analysts; it leaves little room for variation and is susceptible
to evasion by obfuscation [Canfora et al., 2015]. Many machine learning-based malware analysis
methods have been proposed [Schultz et al., 2001] [Kolter and Maloof, 2004] [Dai et al., 2009]
[Baldangombo et al., 2013] that automatically derive features from malware executables that are
generalizable enough to counter current obfuscation techniques and can extend to new types of
malware.
These machine learning-based approaches work by deriving static features to categorize malware.
However, focusing only on static features may not represent the full semantic meaning of an
executable [Aghakhani et al., 2020]. Deep learning-based approaches that can automatically learn
representational feature space mappings from malware executable code have been proposed in an
effort to have better generalizability [Saxe and Berlin, 2015] [Kalash et al., 2018] [Tobiyama et al.,
2016]. In recent years, the advancement in deep learning has enabled it to provide performance on
par with humans on several tasks [Silver et al., 2017], resulting in growing faith in such
real-world deployed systems [Tesla, 2020] [Apple, 2020] [Grigorescu et al., 2020]. However, deep
learning systems are found to be vulnerable to adversarial attacks [Szegedy et al., 2013], which are
malicious inputs specially designed to cause a trained model to misclassify them.
Corresponding author
ML Safety Workshop, 36th Conference on Neural Information Processing Systems (NeurIPS 2022).
arXiv:2210.00008v2 [cs.CR] 5 Nov 2022
2 Related Work
Rule-based, signature-based approaches require a cybersecurity researcher to manually set up rules,
or to categorize a binary as malware and record its signature. This requires researchers to know
how every new malware works and is not a scalable approach. [Saxe and Berlin, 2015] propose a
deep learning-based approach to help solve this problem. [Stokes et al., 2017] describe using deep
learning for malware detection as a double-edged sword: deep learning can be very helpful
in identifying new, as yet unknown malware, but miscreants can also find ways to fool the
neural networks by creating adversarial samples with small perturbations that do not change the
sample's original function but fool the network into classifying it into some other class.
[Kalash et al., 2018] used CNNs to classify binaries as malware or benign files where binaries
converted to an image representation were used. The authors were able to achieve best accuracy of
98.52% for the Malimg dataset [Nataraj et al., 2011], and best accuracy of 98.99% for the Microsoft
Malware Dataset [Ronen et al., 2018]. [Chen et al., 2019] evaluated various methods of conducting
adversarial attacks on CNN-based malware detectors. The success rate of white-box attacks using the
Fast Gradient Sign Method (FGSM) was very low, around 3%, whereas for the Bit-Flip Attack (BFA)
the mean success rate was around 20%.
After the success which recurrent neural networks have shown for other tasks, they have been tried
for the task of malware detection [Beek et al., 2021]. [Tobiyama et al., 2016] used a combination of
convolutional neural networks and recurrent neural networks for the purpose of malware detection.
RNNs were used for feature extraction and CNNs were used for feature classification. They obtain a
best case AUC score of 0.96. With the use of RNN for malware detection, it became known that even
they are susceptible to adversarial samples due to the general susceptibility of neural networks to
adversarial attacks [Hu and Tan, 2017]. To simulate the more realistic black-box nature of attacks,
[Hu and Tan, 2017] first trained a substitute RNN to simulate the behavior of the detector to be
attacked. Another RNN was trained to create adversarial samples from malware inputs.
Previous methods did not look at the whole meaning of the assembly code, but rather looked
at different chunks of the assembly language instructions. To overcome this, Transformer-based
neural networks for malware detection were proposed by [Li et al., 2021]. These Transformer-
based approaches achieve better accuracy than previous approaches ([Moskovitch et al., 2008],
[Baldangombo et al., 2013], [Saxe and Berlin, 2015], [Mourtaji et al., 2019]) in all experiments.
3 Training a Transformer for malware detection
In this section we give the details of training a competitive Transformers-based malware detector
on which we will carry out an adversarial attack in section 5, and evaluate defenses against the attack
in section 6.
3.1 System Design and Architecture
Our malware detection system is mainly divided into 3 parts:
1. Assembly Module - The assembly module consists of a disassembler, a tokenizer and a Transformer. The input to the assembly module is an exe file, which is fed directly to the disassembler. The assembly module is responsible for calculating assembly language features, which are used for final classification.
2. Static Feature Module - The static feature module consists of a DLL extractor and a string extractor. Its input is the same as that of the assembly module, an exe file. The DLL extractor extracts PE imports from the file, and the string extractor extracts all the printable strings from the given input file. The static feature module outputs two sets of vectors, one from the DLL extractor and the other from the string extractor. The output of the static feature module is used for final classification.
3. Neural Network Module - The neural network module consists of a neural network, which takes in
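As an added example (not code from the paper or its repository), here is a minimal version of the string-extractor half of the static feature module together with a fixed-length hashed bag-of-strings vector that such a module could hand to the final classifier. The sample bytes are constructed, the hashing scheme and vector size are assumptions, and the DLL extractor (PE import parsing) is not shown.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample standing in for an input exe: printable strings
# embedded in binary noise (not a real PE file).
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 10
    + b"This program cannot be run in DOS mode\x00"
    + b"KERNEL32.dll\x00" + b"\x01\x02"
    + b"CreateFileW\x00" + b"\xff\xfe"
    + b"http://example.invalid/update\x00"
    + b"\x7f\x00ab\x00"  # "ab" is shorter than MIN_LEN, so it is dropped
)

MIN_LEN = 4          # same minimum length the `strings` tool uses by default
VECTOR_DIM = 256     # assumed size of the fixed-length feature vector


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def hashed_bag(strings: List[str], dim: int = VECTOR_DIM) -> List[int]:
    """Feature hashing: each string increments one of dim buckets, so the
    vector length is fixed no matter how many strings the file contains."""
    vec = [0] * dim
    for s in strings:
        bucket = int.from_bytes(hashlib.sha256(s.encode()).digest()[:4], "big") % dim
        vec[bucket] += 1
    return vec


def string_features(data: bytes) -> Dict[str, object]:
    """Output of the string extractor: the raw strings and their hashed vector."""
    strings = extract_strings(data)
    return {"strings": strings, "vector": hashed_bag(strings)}


if __name__ == "__main__":
    feats = string_features(SAMPLE_BYTES)
    print(feats["strings"])
    print("non-zero buckets:", sum(1 for v in feats["vector"] if v))
```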