Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer
Article
Menéndez, H., Clark, D. and T. Barr, E. 2021. Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer. Entropy. 23 (4). https://doi.org/10.3390/e23040395
Type | Article |
---|---|
Title | Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer |
Authors | Menéndez, H., Clark, D. and T. Barr, E. |
Abstract | Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat’s ability to counter the black hat’s incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6 month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal’s tools learn and forget fast, actually in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE’s variants. |
Keywords | coevolution, adversarial machine learning, malware arm race, EEE, VirusTotal, hothouse |
Publisher | MDPI |
Journal | Entropy |
ISSN | 1099-4300 |
Publication dates | |
26 Mar 2021 | |
Publication process dates | |
Deposited | 07 Apr 2021 |
Submitted | 28 Feb 2021 |
Accepted | 23 Mar 2021 |
Output status | Published |
Publisher's version | License File Access Level Open |
Copyright Statement | Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. |
Digital Object Identifier (DOI) | https://doi.org/10.3390/e23040395 |
Language | English |
https://repository.mdx.ac.uk/item/89517
Download files
Publisher's version
entropy-23-00395.pdf | ||
entropy-23-00395.xml | ||
additional-files.zip | ||
License: CC BY 4.0 | ||
File access level: Open |
29
total views6
total downloads1
views this month1
downloads this month