Towards robust CNN-based malware classifiers using adversarial examples generated based on two saliency similarities

  • Original Article
  • Neural Computing and Applications

Abstract

Targeted malware attacks are usually more purposeful and harmful than untargeted attacks, so malware family classification is important. In classification tasks, convolutional neural networks (CNNs) have shown superior performance. However, clean samples with intentional small-scale perturbations (i.e. adversarial examples) can lead CNN-based classifiers to incorrect decisions. The most successful approach to improving the robustness of classifiers is adversarial training on practical adversarial examples. Despite many attempts, previous works have not generated executable adversarial examples in a purely black-box manner to emulate adversarial threats. The aim of this work is to generate realistic adversarial malware examples and to improve the robustness of classifiers against these attacks. We first explain the decisions of malware classification with the saliency detection technique and argue that there are two similarities in the saliency distribution of CNN classifiers. To explore the under-researched Malware-to-Malware threats that deceive PE malware classifiers into targeted misclassification, we propose the Saliency Append (SA) attack method based on the two saliency similarities, which produces adversarial examples with only one query and achieves a higher attack success rate than other append-based attacks. We use these examples to improve the robustness of classifiers by adversarially training them on the generated adversarial examples. Compared to classifiers trained on other attacks, our approach produces classifiers that are significantly more robust against the proposed SA attack as well as others.

Data Availability

The data that support the findings of this study are openly available in a public repository at https://github.com/zhan8002/SaliencyAppendAttack.

Notes

  1. https://github.com/pan-unit42/public-tools/blob/master/powerware/powerware-decrypt.

  2. https://blog.kowalczyk.info/articles/pefileformat.html.

  3. https://cuckoosandbox.org.

  4. https://github.com/erocarrera/pefile.

References

  1. Al-Dujaili A, Huang A, Hemberg E, et al (2018) Adversarial deep learning for robust detection of binary encoded malware. In: 2018 IEEE Security and Privacy Workshops (SPW), IEEE, pp 76–82

  2. Al-Dujaili A, Srikant S, Hemberg E, et al (2019) On the application of Danskin’s theorem to derivative-free minimax problems. In: AIP conference proceedings, AIP Publishing LLC, p 020026

  3. Anderson B, McGrew D (2017) Machine learning for encrypted malware traffic classification: accounting for noisy labels and non-stationarity. In: Proceedings of the 23rd ACM SIGKDD, pp 1723–1732

  4. Andriushchenko M, Flammarion N (2020) Understanding and improving fast adversarial training. Adv Neural Inf Process Syst 33:16048–16059

  5. Bakour K, Ünver HM (2021) Deepvisdroid: android malware detection by hybridizing image-based features with deep learning techniques. Neural Comput Appl 33(18):11499–11516

  6. Banescu S, Collberg C, Pretschner A (2017) Predicting the resilience of obfuscated code against symbolic execution attacks via machine learning. In: 26th USENIX Security Symposium (USENIX Security 17), pp 661–678

  7. Bozkir AS, Cankaya AO, Aydos M (2019) Utilization and comparision of convolutional neural networks in malware recognition. In: 2019 27th signal processing and communications applications conference (SIU), IEEE, pp 1–4

  8. Calleja A, Tapiador J, Caballero J (2018) The malsource dataset: quantifying complexity and code reuse in malware development. IEEE Trans Inf Forensics Secur 14(12):3175–3190

  9. Ceschin F, Botacin M, Gomes HM, et al (2019) Shallow security: on the creation of adversarial variants to evade machine learning-based malware detectors. In: Proceedings of the 3rd reversing and offensive-oriented trends symposium, pp 1–9

  10. Chattopadhay A, Sarkar A, Howlader P, et al (2018) Grad-cam++: generalized gradient-based visual explanations for deep convolutional networks. In: 2018 IEEE winter conference on applications of computer vision, IEEE, pp 839–847

  11. Chen B, Ren Z, Yu C et al (2019) Adversarial examples for cnn-based malware detectors. IEEE Access 7:54360–54371

  12. Cui Z, Xue F, Cai X et al (2018) Detection of malicious code variants based on deep learning. IEEE Trans Industr Inf 14(7):3187–3196

  13. Demetrio L, Biggio B, Lagorio G, et al (2019) Explaining vulnerabilities of deep learning to adversarial malware binaries. In: Italian conference on cybersecurity

  14. Demetrio L, Biggio B, Lagorio G et al (2021) Functionality-preserving black-box optimization of adversarial windows malware. IEEE Trans Inf Forensics Secur 16:3469–3478

  15. Demetrio L, Coull SE, Biggio B et al (2021) Adversarial exemples: a survey and experimental evaluation of practical attacks on machine learning for windows malware detection. ACM Trans Priv Secur (TOPS) 24(4):1–31

  16. Dey S, Kumar A, Sawarkar M, et al (2019) Evadepdf: towards evading machine learning based pdf malware classifiers. In: International conference on security and privacy, Springer, pp 140–150

  17. Dimjašević M, Atzeni S, Ugrina I, et al (2016) Evaluation of android malware detection based on system calls. In: Proceedings of the 2016 ACM on international workshop on security and privacy analytics, pp 1–8

  18. Fu J, Xue J, Wang Y et al (2018) Malware visualization for fine-grained classification. IEEE Access 6:14510–14523

  19. Galovic M, Bosansky B, Lisy V (2021) Improving robustness of malware classifiers using adversarial strings generated from perturbed latent representations. arXiv preprint arXiv:2110.11987

  20. Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples

  21. Ilyas A, Engstrom L, Athalye A, et al (2018) Black-box adversarial attacks with limited queries and information. In: International conference on machine learning, PMLR, pp 2137–2146

  22. Isola P, Zhu JY, Zhou T, et al (2017) Image-to-image translation with conditional adversarial networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 1125–1134

  23. Kalash M, Rochan M, Mohammed N, et al (2018) Malware classification with deep convolutional neural networks. In: 2018 9th IFIP international conference on new technologies, mobility and security (NTMS), IEEE, pp 1–5

  24. Kancherla K, Mukkamala S (2013) Image visualization based malware detection. In: 2013 IEEE symposium on computational intelligence in cyber security (CICS), IEEE, pp 40–44

  25. Khormali A, Abusnaina A, Chen S, et al (2019) Copycat: practical adversarial attacks on visualization-based malware detection. arXiv preprint arXiv:1909.09735

  26. Kolosnjaji B, Demontis A, Biggio B, et al (2018) Adversarial malware binaries: Evading deep learning for malware detection in executables. In: 2018 26th European signal processing conference (EUSIPCO), IEEE, pp 533–537

  27. Kornish D, Geary J, Sansing V, et al (2018) Malware classification using deep convolutional neural networks. In: 2018 IEEE applied imagery pattern recognition workshop (AIPR), IEEE, pp 1–6

  28. Kreuk F, Barak A, Aviv-Reuven (2018) Deceiving end-to-end deep learning malware detectors using adversarial examples. arXiv preprint arXiv:1802.04528

  29. Kucuk Y, Yan G (2020) Deceiving portable executable malware classifiers into targeted misclassification with practical adversarial examples. In: Proceedings of the tenth ACM conference on data and application security and privacy, pp 341–352

  30. Kwon H, Yoon H, Park KW (2019) Poster: detecting audio adversarial example through audio modification. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 2521–2523

  31. Kwon H, Yoon H, Park KW (2020) Acoustic-decoy: detection of adversarial examples through audio modification on speech recognition system. Neurocomputing 417:357–370

  32. Lee D, Song IS, Kim KJ, et al (2011) A study on malicious codes pattern analysis using visualization. In: 2011 international conference on information science and applications, IEEE, pp 1–5

  33. Liu S (2021) Desktop os market share. Tech Rep

  34. Liu X, Zhang J, Lin Y, et al (2019) Atmpa: attacking machine learning-based malware visualization detection methods via adversarial examples. In: 2019 IEEE/ACM 27th international symposium on quality of service, pp 1–10

  35. Miyato T, Dai AM, Goodfellow IJ (2017) Adversarial training methods for semi-supervised text classification

  36. Nataraj L, Karthikeyan S, Jacob G, et al (2011) Malware images: visualization and automatic classification. In: Proceedings of the 8th international symposium on visualization for cyber security, pp 1–7

  37. Nouiehed M, Sanjabi M, Huang T, et al (2019) Solving a class of non-convex min-max games using iterative first order methods. Adv Neural Inf Process Syst 32

  38. Papernot N, McDaniel P, Jha S, et al (2016) The limitations of deep learning in adversarial settings. In: 2016 IEEE European symposium on security and privacy (EuroS&P), IEEE, pp 372–387

  39. Parihar AS, Kumar S, Khosla S (2022) S-dcnn: stacked deep convolutional neural networks for malware classification. Multimedia Tools and Applications pp 1–19

  40. Parildi ES, Hatzinakos D, Lawryshyn Y (2021) Deep learning-aided runtime opcode-based windows malware detection. Neural Comput Appl 33:11963–11983

  41. Park D, Khan H, Yener B (2019) Generation and evaluation of adversarial examples for malware obfuscation. In: 2019 18th IEEE international conference on machine learning and applications, pp 1283–1290

  42. Pierazzi F, Pendlebury F, Cortellazzi J, et al (2020) Intriguing properties of adversarial ml attacks in the problem space. In: 2020 IEEE symposium on security and privacy (SP), IEEE, pp 1332–1349

  43. Rice L, Wong E, Kolter Z (2020) Overfitting in adversarially robust deep learning. In: International conference on machine learning, PMLR, pp 8093–8104

  44. Rosenberg I, Shabtai A, Rokach L, et al (2018) Generic black-box end-to-end attack against state of the art api call based malware classifiers. In: International symposium on research in attacks, intrusions, and defenses, Springer, pp 490–510

  45. Rosenberg I, Shabtai A, Elovici Y, et al (2019) Defense methods against adversarial examples for recurrent neural networks. arXiv preprint arXiv:1901.09963

  46. Selvaraju RR, Cogswell M, Das (2017) Grad-cam: Visual explanations from deep networks via gradient-based localization. In: Proceedings of the IEEE international conference on computer vision, pp 618–626

  47. Shafahi A, Najibi M, Ghiasi MA, et al (2019) Adversarial training for free! Adv Neural Inf Process Syst 32

  48. Son TT, Lee C, Le-Minh H et al (2022) An enhancement for image-based malware classification using machine learning with low dimension normalized input images. J Inf Secur Appl 69:103308

  49. Song W, Li X, Afroz S, et al (2022) Mab-malware: a reinforcement learning framework for blackbox generation of adversarial malware. In: Proceedings of the 2022 ACM on Asia conference on computer and communications security, pp 990–1003

  50. Suciu O, Coull SE, Johns J (2019) Exploring adversarial examples in malware detection. In: 2019 IEEE security and privacy workshops (SPW), IEEE, pp 8–14

  51. Sun X, Zhongyang Y, Xin Z, et al (2014) Detecting code reuse in android applications using component-based control flow graph. In: IFIP international information security conference, Springer, pp 142–155

  52. Sundararajan M, Taly A, Yan Q (2017) Axiomatic attribution for deep networks. In: International conference on machine learning, PMLR, pp 3319–3328

  53. Szegedy C, Zaremba W, Sutskever I, et al (2013) Intriguing properties of neural networks

  54. Tramèr F, Kurakin A, Papernot N, et al (2017) Ensemble adversarial training: attacks and defenses. arXiv preprint arXiv:1705.07204

  55. Tsipras D, Santurkar S, Engstrom L, et al (2018) Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152

  56. Upchurch J, Zhou X (2016) Malware provenance: code reuse detection in malicious software at scale. In: 2016 11th international conference on malicious and unwanted software (MALWARE), IEEE, pp 1–9

  57. Wang C, Xu C, Wang C et al (2018) Perceptual adversarial networks for image-to-image transformation. IEEE Trans Image Process 27(8):4066–4079

  58. Wang J, Zhang H (2019) Bilateral adversarial training: towards fast training of more robust models against adversarial attacks. In: Proceedings of the IEEE/CVF international conference on computer vision, pp 6629–6638

  59. Wong E, Rice L, Kolter JZ (2020) Fast is better than free: revisiting adversarial training. arXiv preprint arXiv:2001.03994

  60. Yan J, Qi Y, Rao Q (2018) Detecting malware with an ensemble method based on deep neural network. Secur Commun Netw 2018:7247095

  61. Yuan J, Zhou S, Lin L, et al (2020) Black-box adversarial attacks against deep learning based malware binaries detection with gan. In: ECAI 2020. IOS Press, pp 2536–2542

  62. Yuxin D, Siyi Z (2019) Malware detection based on deep learning algorithm. Neural Comput Appl 31(1):461–472

  63. Zhang H, Wang J (2019) Defense against adversarial attacks using feature scattering-based adversarial training. Adv Neural Inf Process Syst 32

  64. Zhou B, Khosla A, Lapedriza A, et al (2016) Learning deep features for discriminative localization. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2921–2929

Acknowledgements

This work was supported by the National Natural Science Foundation of China (No. 62076251 and No. 62106281).

Author information

Corresponding author

Correspondence to Zhisong Pan.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


Appendices

Appendix A Familial differences

To better analyze the performance of the proposed Saliency Append (SA) attack, Fig. 7 shows the success rate with which malware samples from different families on Malimg can be disguised as another malware family or as the benign class, where rows are the original class labels and columns are the target class labels. The number in each cell is the average percentage of adversarial examples generated from the original class that are classified as the target class, averaged over different padding rates. We notice that the success rate is not evenly distributed: for example, when the adversary aims to disguise malware as a benign sample, samples of VB.AT almost never succeed, while the success rate for the other malware families reaches 38.7–99.8%.

Fig. 7 Success rate of adversarial examples

Fig. 8 Success rate of different malware families as the original class (the stability)

We also calculated the marginal probabilities of the attack. The stability of each malware family is shown in Fig. 8, which gives the average success rate of attacks from that original class into any target class; a lower value means the family is harder to disguise as other families. We can see that samples of Allaple.A and Allaple.L are more likely to be disguised as another malware class, while attacks that start from VB.AT and Yuner.A samples have a lower success rate. As Fig. 9 shows, there is also a significant difference in the average success rate when different malware families are the target class. Malware samples are rarely disguised successfully as Allaple.A or Allaple.L, and no sample can be made to pass as VB.AT. However, when Fakerean and Benign are the target class the success rate reaches 59%, and it exceeds 83% when Instantaccess and Yuner.A are the target class. Adversaries can exploit these characteristics to improve their attack capabilities, while defenders can use them to focus hardening of classifiers on the specific classes most affected by adversarial examples.

Fig. 9 Success rate of different malware families as the target class

Appendix B Incorporating SA attack

Current append-based attacks usually initialize the perturbation with random noise and then optimize it iteratively to obtain an adversarial example that evades detection. These methods can significantly improve their attack success rate when combined with the proposed SA attack: instead of random noise, the appended perturbation is initialized with salient bytes, which quickly push the sample across the decision boundary. On this basis, incorporating a gradient-based or genetic algorithm to iteratively modify the perturbation generates adversarial examples more efficiently (Table 10).

Table 10 Comparing the success rate of adversarial attacks with incorporated SA against CNN\(^{1}\) models

Experimental results show that in both RAMEn [15] and GAMMA [14], initializing the perturbation with salient bytes achieves a higher attack success rate than initializing with random noise. This implies that incorporating SA is an option for improving attack performance with little additional time consumption.
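A defensive check added here, not code from the paper or its repository: append-based attacks such as SA place their perturbation after the last section's raw data, a region the PE loader never maps (the overlay), so a classifier front-end can measure that region and image only the stripped file. The `max_ratio` threshold and the one-section PE32 skeleton used as test input are constructed for this example.

```python
import struct

SECTION_HDR = 40   # size of one IMAGE_SECTION_HEADER
COFF_HDR = 20      # size of IMAGE_FILE_HEADER


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte any section header maps from the file.
    Bytes beyond it are overlay: unloaded by the OS, and the natural landing
    zone for appended adversarial perturbations."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HDR + size_opt
    end = table + SECTION_HDR * num_sections          # headers count as image
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + SECTION_HDR * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def overlay_report(data: bytes, max_ratio: float = 0.05) -> dict:
    """Measure the overlay and flag it above max_ratio of the file size.
    max_ratio is an assumed threshold; tune it on a benign corpus."""
    end = pe_image_end(data)
    overlay = len(data) - end
    ratio = overlay / len(data)
    return {"image_end": end, "overlay_size": overlay,
            "overlay_ratio": ratio, "suspicious": ratio > max_ratio}


def strip_overlay(data: bytes) -> bytes:
    """Bytes the classifier should image: the mapped PE without trailing overlay."""
    return data[:pe_image_end(data)]


def build_min_pe(section_payload: bytes, appended: bytes = b"") -> bytes:
    """Constructed fixture: a one-section PE32 skeleton plus optional appended bytes."""
    size_opt, raw_ptr = 0xE0, 0x200               # PE32 optional header, .text file offset
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = b"\x0b\x01" + b"\0" * (size_opt - 2)      # PE32 magic, remaining fields zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                       len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (raw_ptr - len(image)) + section_payload
    return image + appended


if __name__ == "__main__":
    clean = build_min_pe(b"\x90" * 64)
    padded = build_min_pe(b"\x90" * 64, appended=b"\xCC" * 256)
    print(overlay_report(clean), overlay_report(padded), sep="\n")
```

Authenticode signatures and installer payloads legitimately live in the overlay, so treat a large overlay as a triage feature and a reason to classify the stripped image, not as a verdict on its own.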

Appendix C ML model

Although our work mainly focuses on CNN models, we also report results of attacking ML models in Tables 11 and 12, where all attack methods have difficulty in deceiving the models into identifying the malware as another family. A closer inspection of the tables shows that the SA attack achieves a higher success rate against the logistic regression model, probably because logistic regression can be seen as a neural network with a single layer of neurons, so the attack retains some effect.

Table 11 The average success rates of adversarial examples against ML models in the M2M problem, where the saliency distribution is estimated by the CNN\(^{1}\) model
Table 12 The average success rates of adversarial examples against ML models in the M2B problem, where the saliency distribution is estimated by the CNN\(^{1}\) model

About this article

Cite this article

Zhan, D., Hu, Y., Li, W. et al. Towards robust CNN-based malware classifiers using adversarial examples generated based on two saliency similarities. Neural Comput & Applic 35, 17129–17146 (2023). https://doi.org/10.1007/s00521-023-08590-1
