In recent years, cyber security researchers have regularly devised sophisticated hardware and software measures to counter malware, but malware creators have relentlessly discovered and exploited newer vulnerabilities to compromise computer systems. Traditional antivirus systems have long relied on signature-based detection methods, which often prove inadequate in combating rapidly evolving and sophisticated malware threats. To address these challenges, researchers have increasingly turned to machine learning techniques, aiming to enhance the effectiveness and efficiency of antivirus systems. In the realm of creating malware capable of evading commercial antivirus engines, cybercriminals now face the task of deceiving these machine learning algorithms (Adversarial attacks) in addition to the other static analysis tools. One of the solutions to this problem requires employing machine learning or genetic algorithms to optimize and enhance malware’s evasiveness through a series of carefully tailored modifications. This thesis proposes an adversarial attack based on a genetic algorithm that enhances malware evasiveness against commercial antivirus engines by discovering the optimal sequence of functionality-preserving modifications. By optimal sequence, we refer to the sequence of modifications that enables the malware to evade as many antivirus engines as possible while minimizing the number of changed bytes, ensuring a stealthy and efficient attack. Here, functionality-preserving modifications refer to changes that do not compromise the functionality and workflow of the malware in any way. These modifications are made possible by leveraging on a metamorphic engine already developed, which we optimized and adapted to our genetic algorithm. Notably, the malware optimization process utilizes outputs from a small set of antivirus engines from VirusTotal, rendering this approach a black-box attack. In this work, we optimized a dataset of 102 malwares to evaluate the effectiveness of the genetic algorithm. Our findings indicate that the enhanced malware is capable of evading, on average, 25.77% more antivirus engines from VirusTotal than the original malware. This percentage is calculated based on an evaluation set of 45 antivirus engines, while the other 30 are used in the training set in our genetic algorithm. Remarkably, these improvements were achieved by changing only 3 KB in the original malware
Negli ultimi anni, i ricercatori di sicurezza informatica hanno regolarmente ideato sofisticate misure hardware e software per contrastare nuovi malware, ma i creatori di malware hanno inesorabilmente scoperto e sfruttato nuove vulnerabilità per compromettere i sistemi informatici. I tradizionali sistemi antivirus si sono basati da lungo tempo su metodi di rilevamento signature-based, che spesso si dimostrano inadeguati nel contrastare minacce malware sofisticate in rapida evoluzione. Per affrontare queste sfide, i ricercatori si sono sempre più rivolti alle tecniche di apprendimento automatico, mirando a migliorare l’efficacia e l’efficienza dei sistemi antivirus. Nel campo della creazione di malware capaci di eludere gli antivirus commerciali, i criminali informatici si trovano ora di fronte al compito di eludere questi algoritmi di apprendimento automatico (attacchi avversari), oltre agli altri strumenti di analisi statica. Una delle soluzioni a questo problema richiede l’impiego di apprendimento automatico o algoritmi genetici per ottimizzare e migliorare l’evasività del malware attraverso una serie di modifiche attentamente studiate. Questa tesi propone un attacco avversario basato su un algoritmo genetico che potenzia l’evasività del malware contro dei motori antivirus commerciali scoprendo la sequenza ottimale di modifiche functionality-preserving. Con sequenza ottimale, si fa riferimento alla sequenza di modifiche che consente al malware di eludere il maggior numero possibile di motori antivirus, minimizzando al contempo il numero di byte modificati, garantendo un attacco furtivo ed efficiente. Qui, le modifiche che preservano la funzionalità si riferiscono a cambiamenti che non compromettono in alcun modo la funzionalità e il flusso di lavoro del malware. Queste modifiche sono rese possibili utilizzando un motore metamorfico già sviluppato, che abbiamo ottimizzato e adattato al nostro algoritmo genetico. Il processo di ottimizzazione del malware utilizza gli output di un piccolo insieme di antivirus da VirusTotal, rendendo questo approccio un attacco "black-box". In questo lavoro, abbiamo ottimizzato un dataset di 102 malware per valutare l’efficacia dell’algoritmo genetico. Le nostre conclusioni indicano che il malware potenziato è in grado di eludere, in media, il 25,77% in più di antivirus da VirusTotal rispetto al malware originale. Questa percentuale è calcolata sulla base di un insieme di valutazione di 45 antivirus, mentre gli altri 30 vengono utilizzati nell’insieme di addestramento nel nostro algoritmo genetico. Queste migliorie sono state ottenute modificando solo 3 KB nel malware originale.
EMEGO: enhancing malware evasion through genetic optimization
Barotti, Matteo
2022/2023
Abstract
In recent years, cyber security researchers have regularly devised sophisticated hardware and software measures to counter malware, but malware creators have relentlessly discovered and exploited newer vulnerabilities to compromise computer systems. Traditional antivirus systems have long relied on signature-based detection methods, which often prove inadequate in combating rapidly evolving and sophisticated malware threats. To address these challenges, researchers have increasingly turned to machine learning techniques, aiming to enhance the effectiveness and efficiency of antivirus systems. In the realm of creating malware capable of evading commercial antivirus engines, cybercriminals now face the task of deceiving these machine learning algorithms (Adversarial attacks) in addition to the other static analysis tools. One of the solutions to this problem requires employing machine learning or genetic algorithms to optimize and enhance malware’s evasiveness through a series of carefully tailored modifications. This thesis proposes an adversarial attack based on a genetic algorithm that enhances malware evasiveness against commercial antivirus engines by discovering the optimal sequence of functionality-preserving modifications. By optimal sequence, we refer to the sequence of modifications that enables the malware to evade as many antivirus engines as possible while minimizing the number of changed bytes, ensuring a stealthy and efficient attack. Here, functionality-preserving modifications refer to changes that do not compromise the functionality and workflow of the malware in any way. These modifications are made possible by leveraging on a metamorphic engine already developed, which we optimized and adapted to our genetic algorithm. Notably, the malware optimization process utilizes outputs from a small set of antivirus engines from VirusTotal, rendering this approach a black-box attack. In this work, we optimized a dataset of 102 malwares to evaluate the effectiveness of the genetic algorithm. Our findings indicate that the enhanced malware is capable of evading, on average, 25.77% more antivirus engines from VirusTotal than the original malware. This percentage is calculated based on an evaluation set of 45 antivirus engines, while the other 30 are used in the training set in our genetic algorithm. Remarkably, these improvements were achieved by changing only 3 KB in the original malware| File | Dimensione | Formato | |
|---|---|---|---|
|
Tesi_Matteo_Barotti.pdf
accessibile in internet solo dagli utenti autorizzati
Descrizione: EMEGO: Enhancing Malware Evasion through Genetic Optimization
Dimensione
5.46 MB
Formato
Adobe PDF
|
5.46 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/208152