Malware detection in adversarial settings: Exploiting feature evolutions and confusions in android apps

Wei Yang, Deguang Kong, Tao Xie, Carl A. Gunter

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Existing techniques on adversarial malware generation employ feature mutations based on feature vectors extracted from malware. However, most (if not all) of these techniques suffer from a common limitation: feasibility of these attacks is unknown. The synthesized mutations may break the inherent constraints posed by code structures of the malware, causing either crashes or malfunctioning of malicious payloads. To address the limitation, we present Malware Recomposition Variation (MRV), an approach that conducts semantic analysis of existing malware to systematically construct new malware variants for malware detectors to test and strengthen their detection signatures/models. In particular, we use two variation strategies (i.e., malware evolution attack and malware confusion attack) following structures of existing malware to enhance feasibility of the attacks. Upon the given malware, we conduct semantic-feature mutation analysis and phylogenetic analysis to synthesize mutation strategies. Based on these strategies, we perform program transplantation to automatically mutate malware bytecode to generate new malware variants. We evaluate our MRV approach on actual malware variants, and our empirical evaluation on 1,935 Android benign apps and 1,917 malware shows that MRV produces malware variants that can have high likelihood to evade detection while still retaining their malicious behaviors. We also propose and evaluate three defense mechanisms to counter MRV.

Original languageEnglish (US)
Title of host publicationProceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
PublisherAssociation for Computing Machinery
Pages288-302
Number of pages15
ISBN (Electronic)9781450353458
DOIs
StatePublished - Dec 4 2017
Externally publishedYes
Event33rd Annual Computer Security Applications Conference, ACSAC 2017 - Orlando, United States
Duration: Dec 4 2017Dec 8 2017

Publication series

NameACM International Conference Proceeding Series
VolumePart F132521

Conference

Conference33rd Annual Computer Security Applications Conference, ACSAC 2017
CountryUnited States
CityOrlando
Period12/4/1712/8/17

Keywords

  • Adversarial classification
  • Malware detection

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Malware detection in adversarial settings: Exploiting feature evolutions and confusions in android apps'. Together they form a unique fingerprint.

Cite this