DOI: 10.1145/3412841.3442039

FUMVar: a practical framework for generating Fully-working and Unseen Malware Variants

Published: 22 April 2021

Abstract

Understanding how malware variants are generated to bypass detection systems, and what characteristics those variants share, is crucial for improving detector performance. To this end, we propose an evolutionary framework named FUMVar that generates Fully-working and Unseen Malware Variants. In particular, we apply FUMVar to portable executable (PE) files, the format used extensively to infect Windows operating systems. Compared with the state-of-the-art approach AIMED, our experiments show that FUMVar generates 25% more evasive malware variants while reducing generation time by 23%. Furthermore, the variants FUMVar generated bypassed commercial anti-malware engines such as TrendMicro with an alarming false-negative rate of up to 73%. To inform better detection techniques, we evaluate how individual perturbations contribute to evasiveness and how different malware categories respond to them. The results show that perturbation effectiveness varies by up to a factor of 6 (e.g., section add vs. unpack), and that more suitable perturbations can be selected per malware category because categories differ in how the perturbations apply to them. This information can then be used to build more robust malware detection systems that detect unseen variants more effectively.

References

[1] Hyrum S. Anderson, Anant Kharkar, Bobby Filar, David Evans, and Phil Roth. 2018. Learning to evade static PE machine learning malware models via reinforcement learning. arXiv preprint arXiv:1801.08917 (2018).
[2] Andrea Cani, Marco Gaudesi, Ernesto Sanchez, Giovanni Squillero, and Alberto Tonda. 2014. Towards Automated Malware Creation: Code Generation and Code Integration. In Proc. of the 29th Annual ACM Symposium on Applied Computing (SAC 2014). 157--160.
[3] Raphael Labaca Castro, Corinna Schmitt, and Gabi Dreo. 2019. AIMED: Evolving Malware with Genetic Programming to Evade Detection. In Proc. of the 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2019).
[4] Raphael Labaca Castro, Corinna Schmitt, and Gabi Dreo Rodosek. 2019. ARMED: How Automatic Malware Modifications Can Evade Static Detection? In Proc. of the 5th IEEE International Conference on Information Management (ICIM 2019).
[5] Jusop Choi, Dongsoon Shin, Hyoungshick Kim, Jason Seotis, and Jin B. Hong. 2019. AMVG: Adaptive Malware Variant Generation Framework Using Machine Learning. In Proc. of the 24th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2019).
[6] Luca Demetrio, Battista Biggio, Giovanni Lagorio, Fabio Roli, and Alessandro Armando. 2020. Efficient Black-box Optimization of Adversarial Windows Malware with Constrained Manipulations. arXiv preprint arXiv:2003.13526 (2020).
[7] John C. Gower and Gavin J. S. Ross. 1969. Minimum spanning trees and single linkage cluster analysis. Journal of the Royal Statistical Society: Series C (Applied Statistics) 18, 1 (1969), 54--64.
[8] Weiwei Hu and Ying Tan. 2017. Generating adversarial malware examples for black-box attacks based on GAN. arXiv preprint arXiv:1702.05983 (2017).
[9] Paul Jaccard. 1912. The distribution of the flora in the alpine zone. 1. New Phytologist 11, 2 (1912), 37--50.
[10] Jesse Kornblum. 2006. Identifying almost identical files using context triggered piecewise hashing. Digital Investigation 3 (2006), 91--97.
[11] MalwareBazaar. [n. d.]. MalwareBazaar. https://bazaar.abuse.ch/ (accessed 26 June 2020).
[12] Daniel Nieuwenhuizen. 2017. A behavioural-based approach to ransomware detection.
[13] Matt Pietrek. 1994. Peering inside the PE: a tour of the Win32 portable executable file format. Microsoft Systems Journal-US Edition 9, 3 (1994), 15--38.
[14] Babak Bashari Rad, Maslin Masrom, and Suhaimi Ibrahim. 2012. Camouflage in malware: from encryption to metamorphism. International Journal of Computer Science and Network Security 12, 8 (2012), 74--83.
[15] Mark Russinovich. 2018. Microsoft Sysinternals: Process Monitor v3.60.
[16] Ian Shiel and Stephen O'Shaughnessy. 2019. Improving file-level fuzzy hashes for malware variant classification. Digital Investigation 28 (2019), S88--S94.
[17] Romain Thomas. 2017. LIEF: Library to Instrument Executable Formats.
[18] Daniele Ucci, Leonardo Aniello, and Roberto Baldoni. 2019. Survey of machine learning techniques for malware analysis. Computers & Security 81 (2019).
[19] Jason Upchurch and Xiaobo Zhou. 2015. Variant: a malware similarity testing framework. In Proc. of the 10th IEEE International Conference on Malicious and Unwanted Software (MALWARE 2015).
[20] Timothy Vidas and Nicolas Christin. 2014. Evading Android Runtime Analysis via Sandbox Detection. In Proc. of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014).
[21] Zhixing Xu, Sayak Ray, Pramod Subramanyan, and Sharad Malik. 2017. Malware detection using machine learning based analysis of virtual memory access patterns. In Proc. of Design, Automation & Test in Europe Conference & Exhibition (DATE 2017).
[22] Yanfang Ye, Tao Li, Donald Adjeroh, and S. Sitharama Iyengar. 2017. A Survey on Malware Detection Using Data Mining Techniques. ACM Computing Surveys 50, 3, Article 41 (2017).
[23] Yanfang Ye, Dingding Wang, Tao Li, Dongyi Ye, and Qingshan Jiang. 2008. An intelligent PE-malware detection system based on association mining. Journal in Computer Virology 4, 4 (2008), 323--334.

Cited By

  • (2023) On the Effectiveness of Perturbations in Generating Evasive Malware Variants. IEEE Access 11, 31062--31074. DOI: 10.1109/ACCESS.2023.3262265. Online publication date: 2023.
  • (2023) Game-theoretic approach to epidemic modeling of countermeasures against future malware evolution. Computer Communications 206:C, 160--171. DOI: 10.1016/j.comcom.2023.05.001. Online publication date: 1 June 2023.
  • (2022) Raspberry Pi-based Intelligent Cyber Defense Systems for SMEs and Smart-homes: An Exploratory Study. EAI Endorsed Transactions on Smart Cities 6:18, e4. DOI: 10.4108/eetsc.v6i18.2345. Online publication date: 3 August 2022.
  • (2021) Peeler: Profiling Kernel-Level Events to Detect Ransomware. Computer Security – ESORICS 2021, 240--260. DOI: 10.1007/978-3-030-88418-5_12. Online publication date: 4 October 2021.

Published In

SAC '21: Proceedings of the 36th Annual ACM Symposium on Applied Computing
March 2021
2075 pages
ISBN:9781450381048
DOI:10.1145/3412841
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. malware generation
  2. malware variation
  3. windows PE

Qualifiers

  • Research-article

Conference

SAC '21: The 36th ACM/SIGAPP Symposium on Applied Computing
March 22 - 26, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
