Bypassing NGAV for Fun and Profit

Conference:  BlackHat EU 2020



The presentation discusses the use of adversarial attacks to bypass next-generation antivirus (NGAV) systems and the importance of explainability algorithms in understanding the impact of feature modifications.
  • NGAV systems can be bypassed by modifying features in a way that does not harm the malicious functionality of the malware
  • Explainability algorithms can help attackers understand which features are more impactful and focus on them
  • The order in which perturbations are made can make a difference in the results
  • Small perturbations can eventually have a significant impact due to the non-linear nature of the classifier
The presenters demonstrated a concrete use case of how they bypassed a commercial NGAV system by iteratively modifying features such as import address table entries and using a trampoline into the entry points. They achieved a significant change in the precision of the classifier without changing the functionality of the malware. The order in which they made the perturbations and the use of explainability algorithms were crucial in their success.


In this talk, we demonstrate the first methodological approach to "reverse engineer" a NGAV model and features without reversingthe product, and generate a PE malware that bypasses next generation anti-virus (NGAV) products (e.g., Cylance). Previous such attacks against such machine learning based malware classifiers only add new features and do not modify existing features to avoid harming the modified malware executable's functionality, making such executables easier to detect.In contrast, we split the adversarial example generation task into two parts:find the importance of all features for a specific sample using explainability algorithms, andconduct a feature-specific modification (e.g., checksums, timestamp, IAT, etc.), feature-by-feature.In order to apply our attack to NGAV with unknown classifier architecture, we leverage the concept of transferability, i.e., different classifiers using different features subsets and trained on different datasets still have similar subset of important features. Using this concept, we attack a publicly available classifier and generate malware PE files that evade not only that classifier, but also commercial NGAV. We also demonstrate additional techniques, such as the sliding window approach to understand the most important features in the attacked classifier.