logo
allArticlesConferencesPresentations

Bypassing NGAV for Fun and Profit

Conference:  BlackHat EU 2020

2020-12-10

Summary

The presentation discusses the use of adversarial attacks to bypass next-generation antivirus (NGAV) systems and the importance of explainability algorithms in understanding the impact of feature modifications.
  • NGAV systems can be bypassed by modifying features in a way that does not harm the malicious functionality of the malware
  • Explainability algorithms can help attackers understand which features are more impactful and focus on them
  • The order in which perturbations are made can make a difference in the results
  • Small perturbations can eventually have a significant impact due to the non-linear nature of the classifier
The presenters demonstrated a concrete use case of how they bypassed a commercial NGAV system by iteratively modifying features such as import address table entries and using a trampoline into the entry points. They achieved a significant change in the precision of the classifier without changing the functionality of the malware. The order in which they made the perturbations and the use of explainability algorithms were crucial in their success.

Abstract

In this talk, we demonstrate the first methodological approach to "reverse engineer" a NGAV model and features without reversingthe product, and generate a PE malware that bypasses next generation anti-virus (NGAV) products (e.g., Cylance). Previous such attacks against such machine learning based malware classifiers only add new features and do not modify existing features to avoid harming the modified malware executable's functionality, making such executables easier to detect.In contrast, we split the adversarial example generation task into two parts:find the importance of all features for a specific sample using explainability algorithms, andconduct a feature-specific modification (e.g., checksums, timestamp, IAT, etc.), feature-by-feature.In order to apply our attack to NGAV with unknown classifier architecture, we leverage the concept of transferability, i.e., different classifiers using different features subsets and trained on different datasets still have similar subset of important features. Using this concept, we attack a publicly available classifier and generate malware PE files that evade not only that classifier, but also commercial NGAV. We also demonstrate additional techniques, such as the sliding window approach to understand the most important features in the attacked classifier.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

Lost in the Loader: The Many Faces of the Windows PE File Format

Conference:  BlackHat USA 2021
Authors:
2021-11-10

DeepLocker - Concealing Targeted Attacks with AI Locksmithing

Conference:  BlackHat USA 2018
Authors:
2018-08-09

Generating YARA Rules by Classifying Malicious Byte Sequences

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Leveraging Streaming-Based Outlier Detection and SliceLine to Stop Heavily Distributed Bot Attacks

Conference:  Black Hat Asia 2023
Authors: Antoine Vastel, Konstantina Kontoudi
2023-05-11

Why does my security camera scream like a Banshee? Signal analysis and RE of a proprietary audio-data encoding protocol

Conference:  Defcon 29
Authors:
2021-08-01

Hands-Off Features Releases With Keptn, OpenFeature, And OpenTelemetry

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Johannes Bräuer, Michael Beemer
2022-10-28