Annual Computer Security Applications Conference (ACSAC) 2017

Full Program »

Malware Detection in Adversarial Setting: Exploiting Feature Evolutions and Confusions in Android Apps

Existing work on adversarial malware generation employs feature mutations based on feature vectors extracted from malware. However, most (if not all) of these techniques suffer from a common limitation: the feasibility of the attack is unknown. The synthesized mutations may break the inherent constraints posed by code structures of the malware, causing either crashes or malfunctioning of malicious payloads. To address the limitation, we present Malware Recomposition Variation (MRV), an approach that conducts semantic analysis of existing malware to systematically construct new malware variants for malware detectors to test and strengthen their detection signatures/models. In particular, we use two variation strategies (i.e., malware evolution attacks and confusion a‹acks) following structures of existing malware to enhance the feasibility of the attacks. Upon the given malware, we conduct semantic feature mutation analysis and phylogenetic analysis to synthesize mutation strategies. Based on these strategies, we perform program transplantation to automatically mutate the malware bytecode to generate new malware variants. We evaluate our technique on actual malware variants and our empirical evaluation on 1,935 Android benign apps and 1,917 malware shows that MRV produces malware variants that can have high likelihood to evade detection while still retaining their malicious behaviors. We also propose and evaluate three defense mechanisms to counter MRV.

Wei Yang
University of Illinois Urbana-Champaign
United States

Deguang Kong
Yahoo Research
United States

Tao Xie
University of Illinois Urbana-Champaign
United States

Carl Gunter
University of Illinois Urbana-Champaign
United States

Hongxia Jing
Samsung Research America
United States

 

Powered by OpenConf®
Copyright©2002-2017 Zakon Group LLC