Intra-Section Code Cave Injection for Adversarial Evasion Attacks on Windows PE Malware File
CoRR(2024)
Abstract
Windows malware is predominantly available in cyberspace and is a prime
target for deliberate adversarial evasion attacks. Although researchers have
investigated the adversarial malware attack problem, a multitude of important
questions remain unanswered, including (a) Are the existing techniques to
inject adversarial perturbations in Windows Portable Executable (PE) malware
files effective enough for evasion purposes?; (b) Does the attack process
preserve the original behavior of malware?; (c) Are there unexplored
approaches/locations that can be used to carry out adversarial evasion attacks
on Windows PE malware?; and (d) What are the optimal locations and sizes of
adversarial perturbations required to evade an ML-based malware detector
without significant structural change in the PE file? To answer some of these
questions, this work proposes a novel approach that injects a code cave within
the section (i.e., intra-section) of Windows PE malware files to make space for
adversarial perturbations. In addition, a code loader is also injected inside
the PE file, which reverts adversarial malware to its original form during the
execution, preserving the malware's functionality and executability. To
understand the effectiveness of our approach, we injected adversarial
perturbations inside the .text, .data and .rdata sections, generated using the
gradient descent and Fast Gradient Sign Method (FGSM), to target the two
popular CNN-based malware detectors, MalConv and MalConv2. Our experiments
yielded notable results, achieving a 92.31
and 96.26
append attacks. Similarly, when targeting MalConv2, our approach achieved a
remarkable maximum evasion rate of 97.93
FGSM, significantly surpassing the 4.01
attacks.