MalPatch: Evading DNN-Based Malware Detection With Adversarial Patches
Dazhi Zhan, Yexin Duan, Yue Hu, Weili Li, Shize Guo, Zhisong Pan
Abstract
Static analysis is a crucial protection layer that enables modern antivirus systems to address the rampant proliferation of malware. These systems are increasingly relying on deep neural networks (DNNs) to automatically extract reliable features and achieve outstanding detection accuracy. Since DNNs are known to be vulnerable to adversarial examples, several studies have proposed practical evasion attacks to generate adversarial perturbations that can evade malware detectors. These attacks, however, require specific designs for the given input sample, prohibiting them from large-scale deployment. Therefore, it is more practical to generate sample-agnostic perturbations that do not involve recalculations regardless of the input malware sample. To this end, we leverage an adversarial patch attack, which is a special type of adversarial attack that dose not know the sample being modified during the attack construction process. In particular, we propose a new adversarial attack against malware detection systems called MalPatch. It locates the nonfunctional part of malware for adversarial patch injection to protect its executability while generating adversarial examples based on different strategies. The generated patch can be injected into any malware sample, fooling the detector into classifying it as benign. Experimental results demonstrate that MalPatch is effective under different attack settings. In the white-box setting, MalPatch achieves 69%-78% success rates against DNN detectors based on raw byte features and 47%-96% success rates against four grayscale detectors based on image features. In the black-box setting, the success rates of MalPatch against the same models reach 54%-74% and 27%-42%, respectively. We conclude by discussing several of its potential countermeasures and the generality of our approach.