Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer

Article


Menéndez, H., Clark, D. and T. Barr, E. 2021. Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer. Entropy. 23 (4). https://doi.org/10.3390/e23040395
TypeArticle
TitleGetting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer
AuthorsMenéndez, H., Clark, D. and T. Barr, E.
Abstract

Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat’s ability to counter the black hat’s incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6 month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal’s tools learn and forget fast, actually in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE’s variants.

Keywordscoevolution, adversarial machine learning, malware arm race, EEE, VirusTotal, hothouse
PublisherMDPI
JournalEntropy
ISSN1099-4300
Publication dates
Print26 Mar 2021
Publication process dates
Deposited07 Apr 2021
Submitted28 Feb 2021
Accepted23 Mar 2021
Output statusPublished
Publisher's version
License
File Access Level
Open
Copyright Statement

Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland.
This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/)

Digital Object Identifier (DOI)https://doi.org/10.3390/e23040395
LanguageEnglish
Permalink -

https://repository.mdx.ac.uk/item/89517

Download files


Publisher's version
  • 29
    total views
  • 6
    total downloads
  • 1
    views this month
  • 1
    downloads this month

Export as