Adversarial Examples with Unlimited Amount of Additions

doi:10.3778/j.issn.1673-9418.2302070

Abstract

Abstract: Malware detection methods based on gray images and deep learning have the characteristics of high detection accuracy and no need of feature engineering. Unfortunately, adversarial examples (AEs) can deceive such detection methods. However, it is difficult to reduce the detection accuracy of this kind of detection method greatly without destroying the functional integrity of the original file. By analyzing the structure and loading mechanism of portable executable (PE) files, this paper proposes an unrestricted add-amount bytecode attack (BAUAA). BAUAA generates adversarial samples by adding bytecode to a “section additional space” in the PE file that is scattered after each section and is not loaded into memory, and because of the unlimited amount of this space that can be added, the generated adversarial samples can be transformed into grayscale images that vary in size and texture, which can affect the discrimination accuracy of gray images and deep learning-based malware detection methods. The experimental results show that the detection accuracy of the malware detection method based on gray images and deep learning for the AEs generated by BAUAA is significantly lower than that for the non-AEs. To avoid the abuse of BAUAA in reality, it proposes a targeted AE detection method.

Key words: adversarial example, malware detection, gray image, portable executable (PE) file

摘要： 基于灰度图像和深度学习的恶意软件检测方法具有无需特征工程和检测精度高的特点，通过对抗样本能够欺骗该类检测方法。然而当前大部分研究所生成的对抗样本难以在不破坏原文件功能完整性的情况下大幅度降低该类检测方法对其的判别准确性。在分析可移植可执行（PE）文件的结构以及加载机制的基础上，提出一种不破坏PE文件原有功能且可添加量不受限的字节码攻击方法（BAUAA）。BAUAA通过在PE文件中分散于各区段之后且不会载入内存的“区段附加空间”添加字节码来生成对抗样本，并且由于该空间具有可添加量不受限的特点，可使得生成的对抗样本所转化的灰度图像在尺寸和纹理上发生变化，从而能够影响基于灰度图像和深度学习的恶意软件检测方法对其的判别准确性。实验结果表明，基于灰度图像和深度学习的恶意软件检测方法判别BAUAA所生成对抗样本的准确率明显低于其判别非对抗样本的准确率。为避免在现实中滥用BAUAA，提出一种针对性的对抗样本检测方法。

关键词: 对抗样本, 恶意软件检测, 灰度图像, 可移植可执行（PE）文件

JIANG Zhoujie, CHEN Yi, XIONG Ziman, GUO Chun, SHEN Guowei. Adversarial Examples with Unlimited Amount of Additions[J]. Journal of Frontiers of Computer Science and Technology, 2024, 18(2): 526-537.

蒋周杰, 陈意, 熊子漫, 郭春, 申国伟. 可添加量不受限的对抗样本[J]. 计算机科学与探索, 2024, 18(2): 526-537.

References

[1] AV-TEST. Malware[EB/OL]. [2023-02-10]. https://www.avtest. org/en/statistics/malware/.
[2] MOURTAJI Y, BOUHORMA M, ALGHAZZAWI D. Intelligent framework for malware detection with convolutional neural network[C]//Proceedings of the 2nd International Conference on Networking, Rabat, Mar 28-29, 2019. New York: ACM, 2019.
[3] XIAO M, GUO C, SHEN G, et al. Image-based malware classification using section distribution information[J]. Computers & Security, 2021: 102420.
[4] KALASH M, ROCHAN M, MOHAMMED N, et al. Malware classification with deep convolutional neural networks[C]//Proceedings of the 2018 9th IFIP International Conference on New Technologies, Mobility and Security, Paris, Feb 26-28, 2018. Piscataway: IEEE, 2018.
[5] DAI Y, LI H, QIAN Y, et al. A malware classification method based on memory dump grayscale image[J]. Digital Investigation, 2018, 27: 30-37.
[6] KANCHERLA K, MUKKAMALA S. Image visualization based malware detection[C]//Proceedings of the 2013 IEEE Symposium on Computational Intelligence in Cyber Security, Singapore, Apr 16-19, 2013. Piscataway: IEEE, 2013: 40-44.
[7] NAEEM H, GUO B, ULLAH F, et al. A cross-platform malware variant classification based on image representation[J]. KSII Transactions on Internet and Information Systems, 2019, 13(7): 3756-3777.
[8] XIN Z, PANG J, LIANG G. Image classification for malware detection using extremely randomized trees[C]//Proceedings of the 2017 11th IEEE International Conference on Anti-counterfeiting, Security, and Identification, Xiamen, Oct 27-29, 2017. Piscataway: IEEE, 2017: 54-59.
[9] GU S, CHENG S, ZHANG W. From image to code: executable adversarial examples of android applications[C]//Proceedings of the 2020 6th International Conference on Computing and Artificial Intelligence, Tianjin, Apr 23-26, 2020. New York: ACM, 2020: 261-268.
[10] PENG X, XIAN H, LU Q, et al. Semantics aware adversarial malware examples generation for black-box attacks[J]. App-lied Soft Computing, 2021, 109(3): 107506.
[11] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[J]. arXiv:1412.6572, 2014.
[12] SU J, VARGAS D V, SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841.
[13] KUCUK Y, YAN G. Deceiving portable executable malware classifiers into targeted misclassification with practical adversarial examples[C]//Proceedings of the 10th ACM Conference on Data and Application Security and Privacy, New Orleans, Mar 16-18, 2020. New York: ACM, 2020: 341-352.
[14] LIU X, ZHANG J, LIN Y, et al. ATMPA: attacking machine learning-based malware visualization detection methods via adversarial examples[C]//Proceedings of the International Symposium on Quality of Service, Phoenix, Jun 24-25, 2019. New York: ACM, 2019: 1-10.
[15] VI B N, NGUYEN H N, NGUYEN N T, et al. Adversarial examples against image-based malware classification systems[C]//Proceedings of the 2019 11th International Conference on Knowledge and Systems Engineering, Da Nang, Oct 24-26, 2019. Piscataway: IEEE, 2019: 1-5.
[16] SUCIU O, COULL S E, JOHNS J. Exploring adversarial examples in malware detection[C]//Proceedings of the 2019 IEEE Security and Privacy Workshops, San Francisco, May 19-23, 2019. Piscataway: IEEE, 2019: 8-14.
[17] Vxheaven. Vxheaven[EB/OL]. [2022-08-01]. https://web. archive.org/web/20170611163424/http://vxheaven.org/.
[18] Virusshare. Virusshare[EB/OL]. [2022-08-02]. https://viruss-hare.com/.
[19] NARAYANAN B N, DJANEYE-BOUNDJOU O, KEBEDE T M. Performance analysis of machine learning and pattern recognition algorithms for Malware classification[C]//Proceedings of the 2016 IEEE National Aerospace and Electronics Conference and Ohio Innovation Summit, Dayton, Jul 25-29, 2016. Piscataway: IEEE, 2016: 338-342.
[20] DAVULURU V S P, NARAYANAN B N, BALSTER E J. Convolutional neural networks as classification tools and feature extractors for distinguishing malware programs[C]// Proceedings of the 2019 IEEE National Aerospace and Electronics Conference, Dayton, Jul 15-19, 2019. Piscataway: IEEE, 2019: 273-278.
[21] 肖茂, 郭春, 申国伟, 等. 可保留可用性和功能性的对抗样本[J]. 计算机科学与探索, 2022, 16(10): 2286-2297.
XIAO M, GUO C, SHEN G W, et al. Adversarial example remaining availability and functionality[J]. Journal of Frontiers of Computer Science and Technology, 2022, 16(10): 2286-2297.
[22] CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//Proceedings of the 2017 IEEE Symposium on Security and Privacy, San Jose, May 22-26, 2017. Piscataway: IEEE, 2017: 39-57.
[23] KHORMALI A, ABUSNAINA A, CHEN S, et al. From blue-sky to practical adversarial learning[C]//Proceedings of the 2020 2nd IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications, Atlanta, Oct 28-31, 2020. Piscataway: IEEE, 2020: 118-127.
[24] GOODFELLOW I, PAPERNOT N, MCDANIEL P, et al. Cleverhans v0.1: an adversarial machine learning library[J]. arXiv:1610.00768, 2016.
[25] 徐晓静, 徐向阳, 梁海华, 等. PE文件资源节的信息隐藏研究与方案实现[J]. 计算机应用, 2007, 27(3): 621-623.
XU X J, XU X Y, LIANG H H, et al. Information hiding scheme based on PE file resources section[J]. Journal of Computer Applications, 2007, 27(3): 621-623.
[26] TIAN Z W, YANG H F. Code fusion information-hiding algorithm based on PE file function migration[J]. EURASIP Journal on Image and Video Processing, 2021, 2021: 1-12.
[27] Microsoft. Microsoft[EB/OL]. [2022-08-09]. https://learn. microsoft.com/zh-cn/windows/win32/debug/pe-format/.
[28] KHORMALI A, ABUSNAINA A, CHEN S, et al. COPYCAT: practical adversarial attacks on visualization-based malware detection[J]. arXiv:1909.09735, 2019.