Binary Black-Box Adversarial Attacks with Evolutionary Learning against IoT Malware Detection

Wang, Fangwei; Lu, Yuanyuan; Wang, Changguang; Li, Qingru

doi:https://doi.org/10.1155/2021/8736946

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Related Work Experimental Results and Analysis Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Heterogeneous Systems and Algorithms for Next Generation Information Centric Networks, Internet of Things, and 5G Systems

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 8736946 | https://doi.org/10.1155/2021/8736946

Binary Black-Box Adversarial Attacks with Evolutionary Learning against IoT Malware Detection

Fangwei Wang,^1,2Yuanyuan Lu,¹Changguang Wang,^1,2and Qingru Li^1,2

Academic Editor: Dr. Muhammad Shafiq

Received28 May 2021

Accepted12 Aug 2021

Published30 Aug 2021

Abstract

5G is about to open Pandora’s box of security threats to the Internet of Things (IoT). Key technologies, such as network function virtualization and edge computing introduced by the 5G network, bring new security threats and risks to the Internet infrastructure. Therefore, higher detection and defense against malware are required. Nowadays, deep learning (DL) is widely used in malware detection. Recently, research has demonstrated that adversarial attacks have posed a hazard to DL-based models. The key issue of enhancing the antiattack performance of malware detection systems that are used to detect adversarial attacks is to generate effective adversarial samples. However, numerous existing methods to generate adversarial samples are manual feature extraction or using white-box models, which makes it not applicable in the actual scenarios. This paper presents an effective binary manipulation-based attack framework, which generates adversarial samples with an evolutionary learning algorithm. The framework chooses some appropriate action sequences to modify malicious samples. Thus, the modified malware can successfully circumvent the detection system. The evolutionary algorithm can adaptively simplify the modification actions and make the adversarial sample more targeted. Our approach can efficiently generate adversarial samples without human intervention. The generated adversarial samples can effectively combat DL-based malware detection models while preserving the consistency of the executable and malicious behavior of the original malware samples. We apply the generated adversarial samples to attack the detection engines of VirusTotal. Experimental results illustrate that the adversarial samples generated by our method reach an evasion success rate of 47.8%, which outperforms other attack methods. By adding adversarial samples in the training process, the MalConv network is retrained. We show that the detection accuracy is improved by 10.3%.

1. Introduction

With the commercialization and popularization of 5G, the IoT is coming closer to reality [1]. Meanwhile, with the scale expansion of connected terminals, data storage, and utilization, security issues are becoming more and more complex. As the methods of network crime are also constantly updated, the probability of network attack is greatly increased, which is not conducive to protecting personal privacy [2]. Therefore, in the 5G era, designing a model with good robustness is an important issue.

At present, malware attacks remain as one of the most urgent security issues users facing. In the last decade, deep neural network-based malware detection has fulfilled remarkable achievements [3]. A growing community of researchers is attempting to apply deep learning to malware detection and classification tasks [4–9]. Saxe and Berlin [10] extracted the binary features of PE files, which are portable executable ones under Windows operation systems and utilized a four-layer feed-forward neural network to detect malware. Kalash et al. [11] transformed malware binaries into greyscale images and classified malware by the use of a CNN. The DL-based malicious detection and classification models are now widely used.

However, much recent work indicates that adversarial attacks can cause serious damage to deep neural networks [12–15]. Adversarial examples in computer vision applications have been widely proven. In malware detection, adversarial modifications often need minor changes to malicious binaries. Different from language and images, codes are discrete sequences, which means that the generation technique of adversarial samples in images cannot be transferred to the malware detection field. Moreover, a minor change in the sequence may result in its functionality be changed completely. For example, in a binary file, changing a single byte may lead to a completely ineffective bytecode or distinct functionality. Therefore, it remains a great challenge to implement practical black-box attacks on malware binary-based deep learning models. Recently, a series of research works have been done in adversarial attacks. Hu and Tan [16] proposed adversarial modification of feature vectors. However, the malware binaries were not modified actually. This method cannot guarantee that the modified feature vector can be converted to actual binaries. Moreover, it destroyed the format or affected the functionality of the malware. Anderson et al. [17] directly modified malware binaries to perform adversarial attacks. In theory, these methods cannot disrupt the original functionality of the malware. However, in practice, we have found that these seemingly reliable methods also damage the malicious functionality. During an adversarial attack, if the malicious functionality of the original sample is destroyed, the adversarial attack is invalid. Therefore, it is necessary to perform malicious functionality detection on generated adversarial samples. However, most of the previous work did not address this issue. Besides, some of the previous work was done in a white-box adversarial model [18–20]. The white-box adversarial model requires knowing malware classifier architecture, making their methods impractical in real network environments. Therefore, while retaining the primary malicious functionality of the binaries, it is a great challenge to implement a practical black-box attack on the malware detection model based on deep learning.

This paper proposes an evolutionary algorithm-based adversarial sample generation method. In our approach, the generated samples by rewriting the file structure and adding adversarial information evade successfully the malware detection model, while preserving the original behavior of PE files. We test 1000 PE samples in four popular antivirus software on VirusTotal, showing that the method proposed can generate adversarial samples in binary format. The contributions of this paper are highlighted as follows. (1)This paper proposes a new method of generating adversarial samples by the use of the evolutionary algorithm, which can automatically generate valid adversarial samples(2)This paper uses a well-designed feature library as rewriting material in the evolutionary process, which helps generate modified samples with fewer attempts(3)This paper applies the adversarial samples generated to attack DL-based malware detection engines on VirusTotal and obtains better experimental results than other attack methods

The rest of this study is organized as follows. Section 2 is a concise introduction of malware detection and adversarial attack methods. Section 3 proposes our attack framework in detail. Section 4 describes the experimental settings and main results and gives a deep analysis. Section 5 concludes this paper as well as the research directions.

2.1. Machine Learning-Based Malware Detection Methods

In malware detection, machine learning (ML) is a popular approach. Moreover, in recent years, many ML-based malware detection methods have been put forward [21–24]. These methods are mainly categorized in static analysis [25, 26] and dynamic behavior analysis [27, 28]. Static analysis learns the statistical features of malware (e.g., API calls, OpCode), whereas dynamic behavior analysis detects abnormal (possibly malicious) behavior by observing deviations from the baseline of the system. Recently, malware detection efforts prefer to use raw software binaries as the input of DL models [29–31].

NVIDIA’s research group [32] proposed the MalConv network, which took the raw byte sequences of PE files as input directly, achieved 98.88% detection accuracy. Compared with the detection model that extracts only some features of PE files as input, MalConv links other discrete features. Therefore, it can detect samples with arbitrary size and avoid missing important features. This paper assesses the effectiveness and performance of our framework using the MalConv detection system.

2.2. Adversarial Attack against Malware Detection Model

DL-based malware detection approaches are susceptible to adversarial attacks [33–37]. Adversarial modifications by manipulating only a small fraction of raw binary data may lead to misclassification. Moreover, the raw binary contents of data are not changed in a nutshell; otherwise, its originally momentous functionality might lose.

Prior work has proposed various ways of adversarial attack against ML-based malware detection models. Through appending bytes at the end of a binary file while preserving its intrusive functionality, Kolosnjaji et al. [20] designed a gradient-based attack model. However, it is based on white-box attacks and cannot be applied to real scenarios. Kreuk et al. [38] proposed a modification method that injected a minor byte sequence into the originally binary file. It is also based on white-box attacks and is not efficient in real scenarios. Anderson et al. [17] designed an effective model which is based on a deep reinforcement learning method to attack static PE antimalware engines. In their work, the reward function and the environment of reinforcement learning were artificially defined. Later, Fang et al. [39] improved Anderson et al.’s work by autonomously generating the reward function according to the expert strategy. Numerous experiments showed that Fang et al.’s method [39] is more nimble and efficacious than Anderson et al.’s method [17]. Yuan et al. [40] proposed an adversarial sample generation model named GAPGAN. GAPGAN initially maps the discrete malware binaries into a contiguous space; the output is input to the generator of GAPGAN to generate adversarial payloads. Finally, the generated payloads are appended to the originally binary file to create an adversarial one. Because the valid part of the binary file was not changed, the original functionality of the binary file is preserved. GAPGAN can perform an efficient black-box attack. However, the modification action in GAPGAN involves only a simple action. The GAPGAN cannot perform complicated modifications similar to real malware writers. Song et al. [41] presented a framework for creating adversarial malware and evaluated the evasion capabilities in realistic scenarios. The authors firstly revealed the root causes that adversarial samples evade the malware detection method.

This study puts forward a novel binary manipulation-based attack framework, which generates adversarial samples with an evolutionary learning algorithm. Our method can adaptively simplify the actions of modifying binary samples and use an evolutionary algorithm to make adversarial samples more targeted. The generated adversarial samples by statically rewriting the PE file keep their dynamic behavior consistent and can evade the DL-based malware detection models. Experimental results verify the effectiveness of our method, which can efficiently and quickly generate adversarial samples without human intervention.

3. Adversarial Sample Generation Based on Evolutionary Algorithm

3.1. Problem Description

Our ultimate objective is to generate an antagonistic sample, which manipulates the classifier to classify malicious software as benign by mistake while still retaining the malicious function of the original sample.

Let us consider a classifier that maps any binary file into a unique category label. denotes that is malicious, and denotes is benign. Let be an action set that is used to modify the malware samples. denotes an original sample, whereas denotes a modified sample. The functionality detecting function is used to check whether retains the same malicious functionality with . When the output of the functionality detection function is 1, we consider that retains the malicious functionality of and then save as the adversarial sample . The specific formulae can be detailed in Section 3.3.3.

In brief, for the malware sample , our goal is to generate an adversarial sample which makes , and if , .

3.2. Rewriting Actions

PE file is a generic term for executable files in Windows operating system. A PE file consists of a header, section table, and section data. The MS-DOS header consists of three parts: a DOS header, the true PE header, and an optional header, and it includes some basic messages about the executable file. Section table describes the characteristics of each file section. The section table consists of a series of IMAGE_SECTION_HEADER structures arranged in a sequence. The structures and sections are arranged in a fixed order. Section data consists of 4 main parts: .text, .data, .rdata, and .idata, and the data part includes the practical contents relating to every section. The PE file format is shown in Figure 1.

For a black-box model, we have no idea of the exact features of the classifier involved. However, by observing the chosen features in some open-sourced classifiers, we can make a wild guess at some of the common features in malware detection models. An adversarial sample is generated by modifying one or several features. The chosen actions of modifying the features should be easy to execute. Moreover, after the features are modified, the executability and functionality of malware should not be corrupted. In this paper, all actions applied to the PE file are shown as follows. (1)Appending some bytes to the PE file(2)Inserting an unused function to the import address table(3)Appending some bytes to the untapped space in a section(4)Adding a new section(5)Changing a section name(6)Packing the file(7)Unpacking the file

The malicious binary file is modified through the following steps. Firstly, the original PE file is read, then the content in the specified location is added or deleted, and finally, the relative virtual address of the PE file is modified.

3.3. The Proposed Framework

The workflow of the framework includes three parts: the generation of the feature library, the generation of the modified samples, and the generation of the adversarial samples. Firstly, the feature library is generated using MalGAN. In the processing of generating the adversarial samples, the modified features are randomly selected from the feature library according to the rewriting actions. Then, modified samples by evolutionary algorithms are generated. Finally, the generated modified samples are tested whether the malicious functionality of the original samples remains or not. If a modified sample has the same malicious functionality as the original one, we save it as an adversarial sample. Figure 2 gives an overview of our framework. The details of the three parts are given in the following.

3.3.1. Generation of Feature Library

To efficiently generate adversarial samples, we collect and generate the rewritten feature library using MalGAN. MalGAN, proposed by Hu and Tan [16], is used to generate adversarial samples for attacks based on GAN. The MalGAN architecture primarily consists of three components: a generator, a discriminator, and a black-box detector. By only adding a random number to API calls, MalGAN can transform a malicious feature vector into its opposed version.

Our work is built on this work. Firstly, we construct the sample library consisting of malicious and benign samples and extract their binary features, such as the import functions and section names. Then, they are stored in a feature mapping dictionary for convenient retrieval and future operations. Next, we use the feature mapping dictionary to generate separate feature mapping for each malicious and benign sample and send them as the input to the MalGAN. After running for a few epochs, the MalGAN can generate adversarial feature mappings. Finally, according to the adversarial feature dictionary, the adversarial feature mappings are mapped into the feature library.

Once the feature library is generated, the modified features needed are randomly selected from the feature library according to the rewriting operation when generating modified samples.

3.3.2. Generation of Modified Samples Based on Evolutionary Algorithm

Evolutionary algorithms simulate the evolution of species in nature, such as selection, crossover, and mutation, which are often used to solve some optimization problems by choosing the brightest individual from the whole population. Different from traditional optimization algorithms such as calculus-based methods and exhaustive enumeration methods, evolutionary learning is a global optimization algorithm, which is highly robust and widely applicable.

This study uses an evolutionary algorithm for sample rewriting to generate modifications. The evolutionary algorithm can adaptively simplify the actions of modifying samples and make the adversarial sample more targeted. It can efficiently generate modified samples without human intervention. Compared with other existing methods, the evolutionary algorithm starts from the string set, which improves the speed of the algorithm and is easy to parallel computing. There is no backpropagation of weights and biases in deep learning and optimization of the loss function, which decreases the probability of obtaining a local optimum.

In the process of evolution, malware samples are considered individuals. Atomic manipulation of rewriting samples is a gene with a genetic message, and the predictive effect of the detecting model on modified samples is fitness. The generation process of the modified sample is shown in Figure 3.

The detailed evolutionary process is as follows. (1)Step 1. Population initialization. segments of the genome are generated randomly(2)Step 2. Binary modification. Firstly, segment genomes from binary sequences are mapped to candidate action sequences. Then, the malware samples are rewritten by candidate action sequences to generate modified samples(3)Step 3. Fitness calculation. The modified samples are fed into the MalConv network, and the output of the MalConv is used as the fitness of the individual. A smaller output value of MalConv indicates a higher fitness. The higher the fitness, the higher the probability that a gene sequence will be selected for retention(4)Step 4. Selecting the best offspring according to the fitness as the parent of the next generation(5)Step 5. Performing genetic manipulation on the selected parents. New offspring through crossover and mutation are reproduced(6)Step 6. The assessment of end condition. When the action sequence has reached a minimum value or the maximum number of iterations is reached, the evolution is ended. If the end condition is satisfied, the modified samples are output. Otherwise, skip to Step 2

The detailed process is described in Algorithm 1.

Input: malware samples , population scale, number of generations
Output: modified samples
BEGIN
for in do
Initialize the population;
while current generation or action sequence is not minimum do
Map binary sequences to action sequences;
Modify malware sample based on the action sequences;
Calculate fitness;
Select the best offspring;
Perform crossover;
Perform mutation;
Increase current generation;
end while
Append the optimal result to ;
end for
Return ;
END

3.3.3. Generation of the Adversarial Samples

It should also be noted that the functionality of a malware sample may be corrupted during the modification process. In other words, its attacking characteristics may be damaged. We consider an adversarial sample without malicious functionality to be invalid. To detect whether the malicious functionality of the modified sample is retained, we use the sandbox to collect behaviors of the modified samples and original samples. If the behavior of the modified sample is the same as that of the original one, we think that it retains the malicious function of the original sample, and it is saved as an adversarial sample.

Suppose a behavior of the original sample is indicated as the set , and behavior of the modified sample is indicated as set . We denote the total number of similar behaviors in and as and the size of as . The behavior similarity between and is defined as :

Because the modification operation is a direct manipulation on the original sample, it can inevitably alter the behaviors of the original samples. Therefore, we assume that if , the samples and have the same behaviors; that is, . It also means that the modified sample retains its original malicious functionality. In the end, we save the modified sample retained originally the malicious functionality as the adversarial sample .

4. Experimental Results and Analysis

This section firstly gives the setting of our experiments, including the datasets, evaluation metrics, and the target malware detection model. Then, we analyze the experiment results.

4.1. Experimental Settings and Evaluation Metrics

In the experiment, we construct a dataset with 1000 malware samples from VirusTotal. Moreover, we also produce some adversarial examples for PE binaries to evaluate the effectiveness of our proposed method.

To assess the effectiveness of adversarial samples, we measure some evaluation metrics in Table 1. denotes the number of modified files that have structural integrity or executability. denotes the total amount of samples. denotes the number of modified samples that retain the originally malicious functionality. denotes the number of adversarial ones that can evade malware detection engines. The computer specification used for the experiments is as follows: CPU: Intel Core I5-6500, 3.20 GHz, 4 cores, 8 threads; memory: 2 GiB; and operating system: Ubuntu 16.04.

4.2. Experimental Results of Adversarial Attack

This section demonstrates some performances of our approach under antiattack scenes and compares the results with some methods available.

In our experiment, the attacked model is the MalConv proposed by Raff et al. [32]. We train attacked MalConv network using a dataset with 6230 malicious samples from VirusTotal and 5660 benign samples from web crawling and achieve 98.4% detection accuracy.

Furthermore, to explore the validity of the presented binary-based attack method against a deep learning-based detection system, we compare our approach with other byte-level attack methods, including the DQEAF method [39], which is based on reinforcement learning and Aut. method [41], which is based on code randomization and binary manipulation. The results are shown in Tables 2 and 3, respectively.

Table 2 shows the performance comparison of adversarial samples generated by different methods. From the three evaluation metrics of generated samples, our approach outperforms other similar methods. The reason is that the selected action of modifying malicious samples is built on ensuring the execution of PE files. The specific modifying actions, such as inserting, changing, and adding actions, are taken from the generated feature library. The feature library has also been carefully designed to ensure the authenticity of all actions. Therefore, the modification does not involve invalid actions which damage the primary structure of malware or lose its original functionality. Meanwhile, our action set does not cover the irreversible actions, such as removing signatures, which makes our action set is more effective. Our approach can do a heuristic random search which simplifies the modification actions and does not require performing action sequence minimization and marking action weights and success content as the other two methods, which significantly raises the efficiency of our method.

To further test the effectiveness, we evaluate it using four representative malware detection engines on VirusTotal, including ClamAV, Cylance, Endgame, and Trapmine. Table 3 demonstrates different evasion rates of adversarial samples produced by some methods against different detection engines. From Table 3, we can see that the evasion rate of our method has a better performance compared with the other two in most cases. Meanwhile, to test the efficiency, we record the evasion rate with the generation increase, shown in Figure 4. From Figure 4, we can find that our method reaches a relatively stable evasion rate after 15 generations, which shows that our method is very efficient.

4.3. Defense against Adversarial Sample Attack

To defend against adversarial attacks, more and more defense countermeasures have been proposed. Among them, adversarial training is one of the most popular ways [42], in which adversarial samples are added to the training set; thus, DL models can adjust the decision strategies. Compared with other adversarial defense methods, adversarial training does not require modifying the detection model and is easy to implement.

In this paper, we use adversarial samples generated by evolutionary algorithms to test on MalConv network. Table 4 shows the performance evaluation on MalConv with and without adversarial training. The experimental results show that the detection accuracy increased from 80.2% to 90.5% after the adversarial training. It also illustrates that adversarial training can effectively improve the model robustness to adversarial attacks.

5. Conclusion

To make DL-based IoT malware detection models more robust and effective, we propose a framework for generating adversarial samples and their defense. Our framework firstly adopts an evolutionary algorithm to generate modified samples, and then, the modified samples that retain the originally malicious functionality are saved as adversarial samples. This method does not need to obtain any information of the special detection models containing extracted features, internal parameters, etc. Moreover, our approach is entirely automated without human intervention. The experimental results demonstrate that our method can ensure the diversity of generated samples and greatly enhance the efficiency of adversarial sample generation. This paper also demonstrates that adversarial training is one of the effective methods to combat adversarial sample attacks.

The action space has a great influence on the diversity and versatility of evolutionary optimization algorithms. Defining more effective modification actions to expand the search space of evolutionary algorithms is our urgent task. Our future work also includes accelerating the convergence speed and improving the stability of the evolutionary algorithm. Moreover, we will also explore more methods of generating adversarial samples to defend against adversarial attacks on IoT.

Data Availability

The dataset can be obtained from the website: https://www.virustotal.com (accessed on 22 April 2021).

Conflicts of Interest

The authors declare no conflict of financial or associative interest in connection with the manuscript submitted.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant No. 61572170), the Natural Science Foundation of Hebei Province of China (Grant Nos. F2019205163 and F2021205004), the Science and Technology Foundation Project of Hebei Normal University (Grant No. L2021K06), the Science Foundation of Returned Overseas of Hebei Province of China (Grant No. C2020342), the Science Foundation of Department of Human Resources and Social Security of Hebei Province (Grant Nos. 201901028 and ZD2021062), and the Natural Science Foundation of Hebei Normal University (Grant No. L072018Z10).

References

J. Qiu, Z. Tian, C. du, Q. Zuo, S. Su, and B. Fang, “A survey on access control in the age of Internet of Things,” IEEE Internet of Things Journal, vol. 7, no. 6, pp. 4682–4696, 2020.
View at: Publisher Site | Google Scholar
Y. Xu, C. Zhang, Q. Zeng, G. Wang, J. Ren, and Y. Zhang, “Blockchain-enabled accountability mechanism against information leakage in vertical industry services,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 2, pp. 1202–1213, 2021.
View at: Publisher Site | Google Scholar
X. Yan, Y. Xu, X. Xing, B. Cui, Z. Guo, and T. Guo, “Trustworthy network anomaly detection based on an adaptive learning rate and momentum in IIoT,” IEEE Transactions on Industrial Informatics, vol. 16, no. 9, pp. 6182–6192, 2020.
View at: Publisher Site | Google Scholar
A. Sharma, P. Malacaria, and M. H. R. Khouzani, “Malware detection using 1-dimensional convolutional neural networks,” in 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 247–256, Stockholm, Sweden, 2019.
View at: Publisher Site | Google Scholar
X. Pei, L. Yu, and S. Tian, “AMalNet: a deep learning framework based on graph convolutional networks for malware detection,” Computers & Security, vol. 93, p. 101792, 2020.
View at: Publisher Site | Google Scholar
J. Hemalatha, S. A. Roseline, S. Geetha, S. Kadry, and R. Damaševičius, “An efficient densenet-based deep learning model for malware detection,” Entropy, vol. 23, no. 3, pp. 344–367, 2021.
View at: Publisher Site | Google Scholar
S. Yoo, S. Kim, S. Kim, and B. B. Kang, “AI-HydRa: advanced hybrid approach using random forest and deep learning for malware classification,” Information Sciences, vol. 546, no. 9, pp. 420–435, 2021.
View at: Publisher Site | Google Scholar
Y. Xu, J. Ren, Y. Zhang, C. Zhang, B. Shen, and Y. Zhang, “Blockchain empowered arbitrable data auditing scheme for network storage as a service,” IEEE Transactions on Services Computing, vol. 13, no. 2, pp. 289–300, 2019.
View at: Publisher Site | Google Scholar
Y. Xu, Q. Zeng, G. Wang, C. Zhang, J. Ren, and Y. Zhang, “An efficient privacy-enhanced attribute-based access control mechanism,” Concurrency & Computation Practice & Experience, vol. 32, no. 5, 2020.
View at: Publisher Site | Google Scholar
J. Saxe and K. Berlin, “Deep neural network based malware detection using two dimensional binary program features,” in 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), pp. 11–20, Fajardo, USA, 2015.
View at: Publisher Site | Google Scholar
M. Kalash, M. Rochan, N. Mohammed, N. D. B. Bruce, Y. Wang, and F. Iqbal, “Malware classification with deep convolutional neural networks,” in 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–5, Paris, France, 2018.
View at: Publisher Site | Google Scholar
X. Liu, J. Zhang, Y. Lin, and H. Li, “ATMPA: attacking machine learning-based malware visualization detection methods via adversarial examples,” in IEEE/ACM 27th International Symposium on Quality of Service (IWQoS), pp. 1–10, Phoenix Arizona, USA, 2019.
View at: Publisher Site | Google Scholar
H. Rathore, S. K. Sahay, P. Nikam, and M. Sewak, “Robust Android malware detection system against adversarial attacks using q-learning,” Information Systems Frontiers, vol. 22, no. 8, pp. 1–20, 2020.
View at: Publisher Site | Google Scholar
C. Zhang, Y. Xu, Y. Hu, J. Wu, J. Ren, and Y. Zhang, “A blockchain-based multi-cloud storage data auditing scheme to locate faults,” IEEE Transactions on Cloud Computing, 2021.
View at: Publisher Site | Google Scholar
D. Li, Q. Li, Y. Ye, and S. Xu, “A framework for enhancing deep neural networks against adversarial malware,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 1, pp. 736–750, 2021.
View at: Publisher Site | Google Scholar
W. Hu and Y. Tan, “Generating adversarial malware examples for black-box attacks based on GAN,” 2017, http://arxiv.org/abs/1702.05983.
View at: Google Scholar
H. S. Anderson, A. Kharkar, B. Filar, D. Evans, and P. Roth, “Learning to evade static PE machine learning malware models via reinforcement learning,” 2018, http://arxiv.org/abs/1801.08917.
View at: Google Scholar
K. Grosse, N. Papernot, P. Manoharan, M. Backes, and P. McDaniel, “Adversarial perturbations against deep neural networks for malware classification,” 2016, http://arxiv.org/abs/1606.04435.
View at: Google Scholar
O. Suciu, S. E. Coull, and J. Johns, “Exploring adversarial examples in malware detection,” in 2019 IEEE Security and Privacy Workshops (SPW), pp. 8–14, San Francisco, CA, USA, 2019.
View at: Publisher Site | Google Scholar
B. Kolosnjaji, A. Demontis, B. Biggio et al., “Adversarial malware binaries: evading deep learning for malware detection in executables,” in 2018 26th European Signal Processing Conference (EUSIPCO), pp. 533–537, Rome, Italy, 2018.
View at: Publisher Site | Google Scholar
M. Shafiq, Z. Tian, A. K. Bashir, X. du, and M. Guizani, “CorrAUC: a malicious bot-IoT traffic detection method in IoT network using machine-learning techniques,” IEEE Internet of Things Journal, vol. 8, no. 5, pp. 3242–3254, 2021.
View at: Publisher Site | Google Scholar
S. Su, Z. Tian, S. Liang, S. Li, S. du, and N. Guizani, “A reputation management scheme for efficient malicious vehicle identification over 5G networks,” IEEE Wireless Communications, vol. 27, no. 3, pp. 46–52, 2020.
View at: Publisher Site | Google Scholar
C. Luo, Z. Tan, G. Min, J. Gan, W. Shi, and Z. Tian, “A novel web attack detection system for Internet of Things via ensemble classification,” IEEE Transactions on Industrial Informatics, vol. 17, no. 8, pp. 5810–5818, 2021.
View at: Publisher Site | Google Scholar
M. Shafiq, Z. Tian, A. Bashir, A. Jolfaei, and X. Yu, “Data mining and machine learning methods for sustainable smart cities traffic classification: a survey,” Sustainable Cities and Society, vol. 60, 2020.
View at: Publisher Site | Google Scholar
J. Yan, Y. Qi, and Q. Rao, “Detecting malware with an ensemble method based on deep neural network,” Security and Communication Networks, vol. 2018, Article ID 7247095, 16 pages, 2018.
View at: Publisher Site | Google Scholar
X. Liu, Y. Lin, H. Li, and J. Zhang, “A novel method for malware detection on ML-based visualization technique,” Computers & Security, vol. 89, 2020.
View at: Publisher Site | Google Scholar
W. Huang and J. W. Stokes, “MtNet: a multi-task neural network for dynamic malware classification,” in Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 399–418, Springer, 2016.
View at: Publisher Site | Google Scholar
B. Kolosnjaji, A. Zarras, G. Webster, and C. Eckert, “Deep learning for classification of malware system call sequences,” in Australasian Joint Conference on Artificial Intelligence, pp. 137–149, Springer, 2016.
View at: Publisher Site | Google Scholar
R. Taheri, M. Ghahramani, R. Javidan, M. Shojafar, Z. Pooranian, and M. Conti, “Similarity-based Android malware detection using Hamming distance of static binary features,” Future Generation Computer Systems, vol. 105, no. 4, pp. 230–247, 2020.
View at: Publisher Site | Google Scholar
H. Guo, S. Huang, C. Huang et al., “A lightweight cross-version binary code similarity detection based on similarity and correlation coefficient features,” IEEE Access, vol. 8, pp. 120501–120512, 2020.
View at: Publisher Site | Google Scholar
N. A. Azeez, O. E. Odufuwa, S. Misra, J. Oluranti, and R. Damaševičius, “Windows PE malware detection using ensemble learning,” Informatics, vol. 8, no. 1, pp. 10–20, 2021.
View at: Publisher Site | Google Scholar
E. Raff, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, and C. K. Nicholas, “Malware detection by eating a whole EXE,” 2017, http://arxiv.org/abs/1710.09435.
View at: Google Scholar
J. Lin, L. Xu, Y. Liu, and X. Zhang, “Black-box adversarial sample generation based on differential evolution,” Journal of Systems and Software, vol. 170, no. 8, Article 110767, pp. 1–11, 2020.
View at: Google Scholar
R. Taheri, R. Javidan, M. Shojafar, Z. Pooranian, A. Miri, and M. Conti, “On defending against label flipping attacks on malware detection systems,” Neural Computing and Applications, vol. 32, no. 18, pp. 14781–14800, 2020.
View at: Publisher Site | Google Scholar
M. Li, Y. Sun, H. Lu, S. Maharjan, and Z. Tian, “Deep reinforcement learning for partially observable data poisoning attack in crowdsensing systems,” IEEE Internet of Things Journal, vol. 7, no. 7, pp. 6266–6278, 2020.
View at: Publisher Site | Google Scholar
R. Podschwadt and H. Takabi, “On effectiveness of adversarial examples and defenses for malware classification,” in International Conference on Security and Privacy in Communication Systems, pp. 380–393, Springer, 2019.
View at: Publisher Site | Google Scholar
D. Maiorca, B. Biggio, and G. Giacinto, “Towards adversarial malware detection,” ACM Computing Surveys (CSUR), vol. 52, no. 4, pp. 1–36, 2019.
View at: Publisher Site | Google Scholar
F. Kreuk, A. Barak, S. Aviv-Reuven, M. Baruch, B. Pinkas, and J. Keshet, “Deceiving end-to-end deep learning malware detectors using adversarial examples,” 2018, http://arxiv.org/abs/1802.04528.
View at: Google Scholar
Z. Fang, J. Wang, B. Li, S. Wu, Y. Zhou, and H. Huang, “Evading anti-malware engines with deep reinforcement learning,” IEEE Access, vol. 7, pp. 48867–48879, 2019.
View at: Publisher Site | Google Scholar
J. Yuan, S. Zhou, L. Lin, F. Wang, and J. Cui, “Black-box adversarial attacks against deep learning based malware binaries detection with GAN,” in the 24th European Conference on Artificial Intelligence (ECAI 2020), pp. 2536–2542, Santiago de Compostela, Spain, 2020.
View at: Publisher Site | Google Scholar
W. Song, X. Li, S. Afroz, D. Garg, D. Kuznetsov, and H. Yin, “Automatic generation of adversarial examples for interpreting malware classifiers,” 2020, http://arxiv.org/abs/2003.03100.
View at: Google Scholar
I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2015, http://arxiv.org/abs/1412.6572.
View at: Google Scholar

Copyright

Copyright © 2021 Fangwei Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

813

Downloads

655

Citations

Wireless Communications and Mobile Computing

Heterogeneous Systems and Algorithms for Next Generation Information Centric Networks, Internet of Things, and 5G Systems

Binary Black-Box Adversarial Attacks with Evolutionary Learning against IoT Malware Detection

Abstract

1. Introduction

2. Related Work

2.1. Machine Learning-Based Malware Detection Methods

2.2. Adversarial Attack against Malware Detection Model

3. Adversarial Sample Generation Based on Evolutionary Algorithm

3.1. Problem Description

3.2. Rewriting Actions

3.3. The Proposed Framework

3.3.1. Generation of Feature Library

3.3.2. Generation of Modified Samples Based on Evolutionary Algorithm

3.3.3. Generation of the Adversarial Samples

4. Experimental Results and Analysis

4.1. Experimental Settings and Evaluation Metrics

4.2. Experimental Results of Adversarial Attack

4.3. Defense against Adversarial Sample Attack

5. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright