Black-Box Evasion Attack Method Based on Confidence Score of Benign Samples
Recently, malware detection models based on deep learning have gradually replaced manual analysis as the first line of defense for anti-malware systems. However, it has been shown that these models are vulnerable to a specific class of inputs called adversarial examples. It is possible to evade the...
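Main Authors: | Shaohan Wu, Jingfeng Xue, Yong Wang, Zixiao Kong |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2023-05-01 |
Series: | Electronics |
Subjects: | adversarial examples, evasion attack, malware detection, artificial intelligence security |
Online Access: | https://www.mdpi.com/2079-9292/12/11/2346 |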
_version_ | 1797597725372448768 |
---|---|
author | Shaohan Wu Jingfeng Xue Yong Wang Zixiao Kong |
author_sort | Shaohan Wu |
collection | DOAJ |
description | Recently, malware detection models based on deep learning have gradually replaced manual analysis as the first line of defense for anti-malware systems. However, it has been shown that these models are vulnerable to a specific class of inputs called adversarial examples. It is possible to evade the detection model by adding some carefully crafted tiny perturbations to the malicious samples without changing the sample functions. Most of the adversarial example generation methods ignore the information contained in the detection results of benign samples from detection models. Our method extracts sequence fragments called benign payload from benign samples based on detection results and uses an RNN generative model to learn benign features embedded in these sequences. Then, we use the end of the original malicious sample as input to generate an adversarial perturbation that reduces the malicious probability of the sample and append it to the end of the sample to generate an adversarial sample. According to different adversarial scenarios, we propose two different generation strategies, which are the one-time generation method and the iterative generation method. Under different query times and append scale constraints, the maximum evasion success rate can reach 90.8%. |
first_indexed | 2024-03-11T03:09:33Z |
format | Article |
id | doaj.art-678976fe168f42418169c4a9138206d3 |
institution | Directory Open Access Journal |
issn | 2079-9292 |
language | English |
last_indexed | 2024-03-11T03:09:33Z |
publishDate | 2023-05-01 |
publisher | MDPI AG |
record_format | Article |
series | Electronics |
spelling | doaj.art-678976fe168f42418169c4a9138206d3; 2023-11-18T07:43:43Z; eng; MDPI AG; Electronics; 2079-9292; 2023-05-01; 12; 11; 2346; 10.3390/electronics12112346; Black-Box Evasion Attack Method Based on Confidence Score of Benign Samples; Shaohan Wu, Jingfeng Xue, Yong Wang, Zixiao Kong (all: School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China); https://www.mdpi.com/2079-9292/12/11/2346; adversarial examples; evasion attack; malware detection; artificial intelligence security |
title | Black-Box Evasion Attack Method Based on Confidence Score of Benign Samples |
topic | adversarial examples evasion attack malware detection artificial intelligence security |
url | https://www.mdpi.com/2079-9292/12/11/2346 |