Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers

Automatically Evading Classiﬁers
A Case Study on PDF Malware Classiﬁers
Weilin Xu David Evans Yanjun Qi
University of Virginia

View Slide

Machine Learning is Solving Our Problems
2
Fake
Spam IDS Malware
Fake
Accounts
…
…

View Slide

3

View Slide

4

View Slide

Machine Learning is Eating the World
Data
Scientist
Security
Expert
5
?

View Slide

Machine Learning is Eating the World
Data
Scientist
Security
Expert
6
No!
Security is different.

View Slide

Goal: Understand classiﬁers under attack.
Results: Vulnerable to automated evasion.
Security Tasks are Different:
Adversary Adapts
7

View Slide

Building Machine Learning Classiﬁers
8
Trained Classiﬁer
Labelled
Training
Data
ML
Algorithm
Training
(Supervised Learning)
Feature
Extraction
Vectors

View Slide

Assumption: Training Data is Representative
9
Labelled
Training
Data
ML
Algorithm
Feature
Extraction
Vectors
Deployment
Malicious / Benign
Operational Data
Trained Classiﬁer
Training
(Supervised Learning)

View Slide

Results: Evaded PDF Malware Classiﬁers
PDFrate*
[ACSAC’12]
Hidost
[NDSS’13]
Accuracy 0.9976 0.9996
False Negative Rate 0.0000 0.0056
False Negative Rate
with Adversary
1.0000 1.0000
10
* Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

View Slide

Results: Evaded PDF Malware Classiﬁers
PDFrate*
[ACSAC’12]
Hidost
[NDSS’13]
Accuracy 0.9976 0.9996
False Negative Rate 0.0000 0.0056
False Negative Rate
with Adversary
1.0000 1.0000
11
Very robust against “strongest
conceivable mimicry attack”.
* Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

View Slide

Variants
12
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
Based on Genetic Programming
Automated Evasion Approach

View Slide

Variants
13
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Modiﬁed
Parser
Extract Me If You Can:
Abusing PDF Parsers in Malware Detectors
Curtis Carmony,et al.

View Slide

Variants
14
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
Insert / Replace / Delete

View Slide

Variants
15
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
128
546
0
0

View Slide

Variants
16
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
128
546
0
0

View Slide

Variants
17
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
128
546
0
0
128
0

View Slide

Variants
18
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
128
0

View Slide

Variants
19
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
/Catalog /Pages
0
/JavaScript
eval(‘…’);
/Root
Mutation
Variants From
Benign
128
0

View Slide

Variants
20
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓

View Slide

Variants
21
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
Fitness Function
Oracle
Target Classiﬁer
f(x)
Malicious?
Score
Fitness Score
Variants

View Slide

Variants
22
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓
Fitness Function
Oracle
Target Classiﬁer
f(x)
Malicious?
Score
Fitness Score
Variants
Malicious
Benign

View Slide

Variants
23
Clone
Benign PDFs
Malicious PDF
Mutation
01011001101
Variants
Variants
Select
Variants
✓
✓
✗
✓

View Slide

Results: Evaded PDFrate 100%
24
Original Malware
Seeds

View Slide

Results: Evaded PDFrate 100%
25
Original Malware
Seeds
Evasive Variants

View Slide

Evaded PDFrate with Adjusted Threshold
26
Original Malware
Seeds
Evasive Variants
Evasive Variants
with lower threshold

View Slide

Results: Evaded Hidost 100%
27
Original Malware
Seeds

View Slide

Results: Evaded Hidost 100%
28
Original Malware
Seeds
Evasive Variants

View Slide

29
Difﬁculty varies by seed
Simple mutations often work
Complex mutations sometimes
needed.
Difﬁculty varied by targets:
PDFrate: 6 days to evade all
Hidost: 2 days to evade all
Results: Accumulated Evasion Rate

View Slide

Cross-Evasion Effects
30
PDF Malware
Seeds
Hidost
Evasive
PDF Malware
(against Hidost)
Automated Evasion
PDFrate
387/500 Evasive
(77.4%)
3/500 Evasive
(0.6%)
Gmail’s classiﬁer is secure?

View Slide

Cross-Evasion Effects
31
PDF Malware
Seeds
Hidost
Evasive
PDF Malware
(against Hidost)
Automated Evasion
PDFrate
387/500 Evasive
(77.4%)
3/500 Evasive
(0.6%)
Gmail’s classiﬁer is secure? different.

View Slide

Evading Gmail’s Classiﬁer
32
Evasion rate on : 135/380 (35.5%)

View Slide

Evading Gmail’s Classiﬁer
33
Evasion rate on : 179/380 (47.1%)

View Slide

Conclusion
34
Source Code: http://EvadeML.org
Vs.
Who will win this arm race?

View Slide

Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers

Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers

David Evans

More Decks by David Evans

Other Decks in Research

Featured

Transcript