
The Art of Black Eating Black: Adversarial Examples in Machine Learning Malware Detection

Dange
August 30, 2019

Transcript

  1. Adversarial Example in Image
    [Figure: x ("panda", 57.7% confidence) + 0.007 × perturbation ("nematode", 8.2% confidence) = adversarial image ("gibbon", 99.3% confidence)]
    Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. "Explaining and harnessing adversarial examples." arXiv preprint arXiv:1412.6572 (2014).

  2. Attack Strategy
    • Modify the feature vector
    • Modify the raw PE
    • Specially crafted by experts
    • Gradient-based attack
    • Reinforcement learning

  3. Feature Vector Perturbation
    Hu, Weiwei, and Ying Tan. "Generating adversarial malware examples for black-box attacks based on GAN." arXiv preprint arXiv:1702.05983 (2017).

  4.
    • AnalyzeFile hashed C:\Users\Administrator\Desktop\mimikatz_with_slight_modification.exe 143020851E35E3234DBCC879759322E8AD4D6D3E89EAE1F662BF8EA9B9898D05
    • LocalAnalyzeItem LocalInfinity.ComputeScore begin
    • LocalAnalyzeItem, C:\Users\Administrator\Desktop\mimikatz_with_slight_modification.exe score -852 detector execution_control
    • Detected as 'Unsafe'! path:'C:\Users\Administrator\Desktop\mimikatz_with_slight_modification.exe' hash: 143020851E35E3234DBCC879759322E8AD4D6D3E89EAE1F662BF8EA9B9898D05

  5. Gradient-based Attack
    Demetrio, Luca, et al. "Explaining Vulnerabilities of Deep Learning to Adversarial Malware Binaries." arXiv preprint arXiv:1901.03583 (2019).

  6. Action
    • adding a function to the import address table that is never used
    • manipulating existing section names
    • creating new (unused) sections
    • appending bytes to extra space at the end of sections
    • creating a new entry point which immediately jumps to the original entry point
    • removing signer information
    • manipulating debug info
    • packing or unpacking the file
    • modifying (breaking) the header checksum
    • appending bytes to the overlay (end of the PE file)

  7. State
    • Static Windows PE file features compressed to 2350 dimensions
    • General file information (size)
    • Header info
    • Section characteristics
    • Imported/exported functions
    • Strings
    • File byte and entropy histograms

  8. Attack Target in Original Work
    • Static PE malware classifier
    • gradient boosted decision tree
    • trained on 100,000 malicious and benign samples
    • ROC-AUC score is 0.993

  9. Why Attack Windows Defender?
    • Windows' built-in antivirus
    • 18% of Windows 7 and Windows 8 machines are running Windows Defender
    • more than 50% of Windows 10 machines are running Windows Defender
    • Gets the full score in AV-Test.
    https://windowsreport.com/windows-defender-enterprise-antivirus/
    https://www.av-test.org/en/antivirus/home-windows/

  10. Evade Rate
    • After 8 hours of training
    • Fewer than 40 actions
    • Evasion rate: 81.2%

  11. Conclusion
    • There are blind spots / hallucinations in the classifier.
    • Avoid running the detection engine locally.
    • Restrict the query frequency.
    • Do not show the full information (the score) in the log.
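One way to act on the last two points of the conclusion, as an added example that is not part of the deck: a black-box evasion loop needs many scored queries per file variant, so the scoring engine is wrapped in a gate that budgets queries per client and returns and logs only a coarse verdict, never the raw score. `raw_score`, `ScoreGate` and the sample bytes are hypothetical stand-ins constructed for this example.

```python
import hashlib
import time
from collections import defaultdict, deque

# Hypothetical stand-in for a local ML scoring engine (the deck's detector
# reports a signed score such as -852 for an unsafe file); constructed here.
def raw_score(pe_bytes: bytes) -> int:
    """Toy scorer: more 0x90/0xCC padding bytes -> more negative (less safe)."""
    suspicious = pe_bytes.count(b"\x90") + pe_bytes.count(b"\xcc")
    return 100 - 10 * suspicious

class ScoreGate:
    """Restrict access frequency and never expose the raw score.
    A query-based evasion loop is starved when each client gets only a few
    verdicts per window and no score gradient to climb."""

    def __init__(self, max_queries: int, window_s: float, threshold: int = 0):
        self.max_queries = max_queries
        self.window_s = window_s
        self.threshold = threshold
        self._hist = defaultdict(deque)   # client -> query timestamps
        self.log = []                      # what an operator would see

    def _allowed(self, client: str, now: float) -> bool:
        q = self._hist[client]
        while q and now - q[0] > self.window_s:   # drop expired entries
            q.popleft()
        if len(q) >= self.max_queries:
            return False
        q.append(now)
        return True

    def classify(self, client: str, pe_bytes: bytes, now=None) -> str:
        now = time.time() if now is None else now
        digest = hashlib.sha256(pe_bytes).hexdigest()
        if not self._allowed(client, now):
            self.log.append(f"{client} rate-limited hash={digest}")
            return "rate_limited"
        verdict = "unsafe" if raw_score(pe_bytes) < self.threshold else "safe"
        # Log the coarse verdict only; the numeric score stays inside the engine.
        self.log.append(f"{client} verdict={verdict} hash={digest}")
        return verdict
```

In the resulting log, a single client submitting many distinct hashes of near-identical size inside one window is the signal that a mutation loop is probing the engine.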