The arms race: adversarial search defeats entropy used to detect malware

Article


Menéndez, H., Bhattacharya, S., Clark, D. and Barr, E. 2019. The arms race: adversarial search defeats entropy used to detect malware. Expert Systems with Applications. 118, pp. 246-260. https://doi.org/10.1016/j.eswa.2018.10.011
TypeArticle
TitleThe arms race: adversarial search defeats entropy used to detect malware
AuthorsMenéndez, H., Bhattacharya, S., Clark, D. and Barr, E.
Abstract

Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role related to detecting patterns altered by concealment strategies, such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk resident executable allows an analyst to detect malware or a black hat to evade the detection. This paper shows these two perspectives into two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state of the art detectors. It learns their detection patterns in up to 8 generations of its search process, and increments their false negative rate from range 0–9%, up to the range 90–98.7%.

KeywordsMalware, information theory, entropy, time series, packing, adversarial learning
PublisherElsevier
JournalExpert Systems with Applications
ISSN0957-4174
Publication dates
Online06 Oct 2018
Print15 Mar 2019
Publication process dates
Deposited02 Feb 2020
Accepted06 Oct 2018
Output statusPublished
Publisher's version
License
File Access Level
Open
Copyright Statement

© 2018 The Authors.
Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)

Digital Object Identifier (DOI)https://doi.org/10.1016/j.eswa.2018.10.011
LanguageEnglish
Permalink -

https://repository.mdx.ac.uk/item/88vx0

Download files


Publisher's version
1-s2.0-S0957417418306535-main(4).pdf
License: CC BY 4.0
File access level: Open

  • 16
    total views
  • 3
    total downloads
  • 1
    views this month
  • 1
    downloads this month

Export as