The arms race: adversarial search defeats entropy used to detect malware
Article
Menéndez, H., Bhattacharya, S., Clark, D. and Barr, E. 2019. The arms race: adversarial search defeats entropy used to detect malware. Expert Systems with Applications. 118, pp. 246-260. https://doi.org/10.1016/j.eswa.2018.10.011
Field | Value
---|---
Type | Article
Title | The arms race: adversarial search defeats entropy used to detect malware
Authors | Menéndez, H., Bhattacharya, S., Clark, D. and Barr, E.
Abstract | Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role in detecting patterns altered by concealment strategies such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk-resident executable allows an analyst to detect malware, or a black hat to evade detection. This paper embodies these two perspectives in two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state-of-the-art detectors. It learns their detection patterns in up to 8 generations of its search process and raises their false negative rate from the 0–9% range up to the 90–98.7% range.
Keywords | Malware, information theory, entropy, time series, packing, adversarial learning
Publisher | Elsevier
Journal | Expert Systems with Applications
ISSN | 0957-4174
Publication dates | Online: 06 Oct 2018; 15 Mar 2019
Deposited | 02 Feb 2020
Accepted | 06 Oct 2018
Output status | Published
Publisher's version | File access level: Open
Copyright statement | © 2018 The Authors.
Digital Object Identifier (DOI) | https://doi.org/10.1016/j.eswa.2018.10.011
Language | English
https://repository.mdx.ac.uk/item/88vx0