After adversarial techniques were used successfully against artificial intelligence (AI) in the two major problems of image classification and computer audio recognition, they are now being turned on the malware detection field. On March 12, 2018, a paper published jointly by researchers at the University of Munich, the University of Cagliari, Italy, and Pluribus One, Italy, described how to defeat MalConv.
In 2017, researchers from Nvidia, Booz Allen, and the University of Maryland jointly trained a neural network called MalConv to ingest EXE files and pick out malware samples. MalConv performs static analysis on the executable file (i.e., it views the contents of the binary but does not actually run it). Once the neural network has a large enough training set, it can analyze malware in practical scenarios with an accuracy of up to 98%. However, MalConv is a neural network, and neural networks are very vulnerable to adversarial attacks.
The researchers set out to find the minimum changes required to disrupt the AI. They started with simple byte padding, adding 10,000 bytes to the end of the binary file. This method reduced MalConv's accuracy by more than half.
Compared to the size of the malware sample, the 10 KB of padding is only a minor change. The paper explained that it amounts to “less than one percent of the bytes passed as input to the deep network.” However, such an attack can still be streamlined further, because the “attack bytes” could be placed inside the binary file itself, thereby greatly increasing the success rate of the attack.
However, manipulating bytes inside an executable file is often more complicated and difficult, and it can hardly be done in an automated fashion, whereas byte padding is very simple. The researchers found that gradient-based padding byte sequences work better than random padding bytes. The paper points out that adding random bytes does not really circumvent the neural network's detection, but when a gradient-based attack fills in 10,000 bytes, it can fool MalConv with a success rate as high as 60%. This is because, with sufficient training, a gradient-based approach can create “an organised padding byte pattern specific to each sample,” which means that the attack model has learned the specific patterns by which the protection tool detects various types of malware samples.
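A defender-side check for the appended padding described above, as an added example that is not from the paper or the original article: it parses the PE section table to find where the last section's raw data ends and reports how many bytes follow it (the overlay). The function names and the sample file are constructed for illustration.

```python
import struct

def pe_overlay(data: bytes):
    """Return (offset, size) of the bytes that follow the last section's raw data."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature missing")
        n_sections, = struct.unpack_from("<H", data, pe_off + 6)
        opt_size, = struct.unpack_from("<H", data, pe_off + 20)
        table = pe_off + 24 + opt_size                           # first section header
        end = table + 40 * n_sections                            # headers are never overlay
        for i in range(n_sections):
            # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    end = min(end, len(data))
    return end, len(data) - end

def build_sample(body_len=0x200):
    """Constructed, non-functional PE skeleton: headers plus one section of zero bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", body_len, 0x1000,
                       body_len, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(0x200, b"\0") + b"\0" * body_len

if __name__ == "__main__":
    base = build_sample()
    padded = base + b"\0" * 10_000   # constructed stand-in for 10,000 appended bytes
    for name, blob in (("original", base), ("padded", padded)):
        off, size = pe_overlay(blob)
        print(f"{name}: overlay at {off:#x}, {size} bytes ({size / len(blob):.1%} of file)")
```

Installers and Authenticode-signed binaries also carry data after the last section, so overlay size is a signal to weigh alongside other features rather than a verdict on its own.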
Source: theregister