Simone Aonzo & Luca Demetrio
Malware hide in subtle ways: a journey through entropy and adversarial stuffs
An open research problem in malware analysis is how to statically distinguish between packed and non-packed executables. This has an impact on antivirus software and malware analysis systems, which may need to apply different heuristics or to resort to more costly code emulation solutions to deal with the presence of potential packing routines. Therefore, a wrong answer to the question “is this executable packed?” can make the difference between malware evasion and detection. It has long been known that packing and entropy are strongly correlated, often leading to the wrong assumption that a low entropy score implies that an executable is NOT packed.
In addition, many industries currently use machine learning techniques for discriminating between malware and goodware, by feeding deep neural networks with gigabytes of programs.
Even if they are sold as silver bullet solutions, recent work has shown these algorithms for malware detection are also susceptible to adversarial examples, i.e., carefully-crafted perturbations to input malware that enable misleading classification. The rationale behind these attacks depends on what the network really learned at training time, which is not what an expert malware analyst would imagine.
During the first part of the talk, Simone Aonzo will show how entropy and all the features used for solving the “packed/not packed” problem are weak, while Luca Demetrio will conclude the seminar by showing the inefficiency of a particular network by applying a gradient attack on a few bytes to evade detection.
Thursday, 10th October 2019
Dibris, Valletta Puggia, Conference Hall (322)
Simone Aonzo is a PhD student in Computer Science at the University of Genoa, but he also worked as an Android pentester. His research interests include most aspects of system security and in particular the areas of binary and malware analysis, reverse engineering, and phishing. He is a co-founder and member of the ZenHack CTF Team.
Luca Demetrio is a second-year PhD student in Computer Science, currently working inside the Computer Security Laboratory (CSecLab, https://csec.it) and a member of the ZenHack CTF Team (https://zenhack.it). His main interest is the application of adversarial machine learning to malware detection, with a strong emphasis on the offensive side. In particular, he is working on new gradient and black-box attacks to fool modern antivirus techniques that leverage statistical learning techniques.