Automatically Evading Classifiers - NDSS Symposium · Based on Genetic Programming Automated...

Preview:

Click to see full reader

Citation preview

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers

Weilin Xu David Evans Yanjun Qi

University of Virginia

Machine Learning is Solving Our Problems

2

Fake

Spam IDS MalwareFake Accounts

3

4

Machine Learning is Eating the World

Data

Scientist

Security

Expert

5

?

Machine Learning is Eating the World

Data

Scientist

Security

Expert

6

No! Security is different.

Goal: Understand classifiers under attack. Results: Vulnerable to automated evasion.

Security Tasks are Different: Adversary Adapts

7

Building Machine Learning Classifiers

8

Trained ClassifierLabelledTraining

Data

MLAlgorithm

Training (Supervised Learning)

FeatureExtraction

Vectors

Assumption: Training Data is Representative

9

LabelledTraining

Data

MLAlgorithm

FeatureExtraction

Vectors

Deployment

Malicious / Benign

Operational Data

Trained Classifier

Training (Supervised Learning)

Results: Evaded PDF Malware ClassifiersPDFrate*

[ACSAC’12]Hidost

[NDSS’13]

Accuracy 0.9976 0.9996

False Negative Rate 0.0000 0.0056

False Negative Rate with Adversary 1.0000 1.0000

10

* Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

Results: Evaded PDF Malware ClassifiersPDFrate*

[ACSAC’12]Hidost

[NDSS’13]

Accuracy 0.9976 0.9996

False Negative Rate 0.0000 0.0056

False Negative Rate with Adversary 1.0000 1.0000

11

Very robust against “strongest conceivable mimicry attack”.

* Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

Variants

12

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

Variants

13

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/RootModifiedParser

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors

Curtis Carmony,et al.

Variants

14

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

Insert / Replace / Delete

Variants

15

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

128

546

0

0

Insert / Replace / Delete

Variants

16

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

128

546

0

0

Insert / Replace / Delete

Variants

17

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

128

546

0

0

128

0

Insert / Replace / Delete

Variants

18

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

128

0

Insert / Replace / Delete

Variants

19

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

/Catalog /Pages

0

/JavaScript

eval(‘…’);

/Root

Mutation

Variants From Benign

128

0

Insert / Replace / Delete

Variants

20

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

Variants

21

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

Fitness Function

Oracle

Target Classifier

f(x)

Malicious?

Score

Fitness ScoreVariants

Variants

22

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

Fitness Function

Oracle

Target Classifier

f(x)

Malicious?

Score

Fitness ScoreVariants

Malicious

Benign

Variants

23

Clone

Benign PDFsMalicious PDF

Mutation

01011001101Variants

Variants

Select Variants

✓✓✗✓

Based on Genetic ProgrammingAutomated Evasion Approach

Results: Evaded PDFrate 100%

24

Original Malware Seeds

Results: Evaded PDFrate 100%

25

Original Malware Seeds

Evasive Variants

Evaded PDFrate with Adjusted Threshold

26

Original Malware Seeds

Evasive Variants

Evasive Variants with lower threshold

Results: Evaded Hidost 100%

27

Original Malware Seeds

Results: Evaded Hidost 100%

28

Original Malware Seeds

Evasive Variants

29

Difficulty varies by seedSimple mutations often work Complex mutations sometimes needed.

Difficulty varied by targets:PDFrate: 6 days to evade all Hidost: 2 days to evade all

Results: Accumulated Evasion Rate

Cross-Evasion Effects

30

PDF MalwareSeeds

Hidost

EvasivePDF Malware

(against Hidost)Automated Evasion

PDFrate 387/500 Evasive (77.4%)

3/500 Evasive (0.6%)

Gmail’s classifier is secure?

Cross-Evasion Effects

31

PDF MalwareSeeds

Hidost

EvasivePDF Malware

(against Hidost)Automated Evasion

PDFrate 387/500 Evasive (77.4%)

3/500 Evasive (0.6%)

Gmail’s classifier is secure? different.

Evading Gmail’s Classifier

32

Evasion rate on : 135/380 (35.5%)

Evading Gmail’s Classifier

33

Evasion rate on : 179/380 (47.1%)

Conclusion

34

Source Code: http://EvadeML.org

Vs.

Who will win this arm race?

Recommended

National Diabetes Services Scheme (NDSS) INSULIN · PDF fileNational Diabetes Services Scheme (NDSS) INSULIN PUMP CONSUMABLES ORDER FORM. NDSS IPC Order Form 115 Soft Release O (6mm,
Documents
J. Habetzreder: Evading Greek Models
Documents
Cost Curves for Abstaining Classifiers
Documents
Mining Sequence Classifiers for Early Prediction
Documents
Statistical Tests for Comparing Classifiers - Statistical...1 data set, 2 classifiers McNemnar, 5x2 c.v., or a corrected version of the resampled t-test Multiple data sets, 2 classifiers
Documents
TOM HAMMICK : Evading Distopia - Campden Gallery · TOM HAMMICK : Evading Distopia. TOM HAMMICK Evading Distopia ... 2012 Daiwa Foundation Art Prize ... catalogue A Case for Art,
Documents
NDSS Symposium
Documents
Bayesian Classifiers - INAOE - Ciencias Computacionalesesucar/Clases-mgp/Notes/c4-clasif.pdf · Semi-Naive Bayesian Classifiers Multidimen. Bayesian Classifiers Bayesian Chain Classifiers
Documents
Bayesian Classifiers: Applications in Vision - INAOEccc.inaoep.mx/~bio/docs/CIIA_UnivVeracruzana_Oct2016_Presentation… · Bayesian Classifiers: ! Applications in Vision ... it
Documents
Fookune ndss gsm (1)
Documents
Windows 2000 Security Architecture - NDSS Symposium
Documents
”Industrial jointed arm robot evading dynamic objects”
Documents
Learning Kernel Classifiers
Documents
Zizek Evading The Issue
Documents
Absorption NDSS
Documents
Ensemble-based classifiers
Documents
7.1. Maximum Margin Classifiers
Documents
Classifiers and Machine Learning Techniques for Image ... · Classifiers and Machine Learning Techniques for Image Processing and ... use of classifiers and machine learning techniques
Documents
Evading the Net: Tax Crime in the Fisheries Sector Evading the Net: Tax Crime … · 2016. 3. 29. · Tax Crime in the Fisheries Sector Evading the Net: Tax Crime in the Fisheries
Documents
Aggressive Online Learning of Structured Classifiers
Documents