Adversarial Approximation of a Black-Box Malware Detector

Abstract

A deployed machine learning-based malware detection model is effectively a black-box for an adversary whose objective is evading the model. In such a set-ting, the adversary has no access to details of the black-box except its prediction on a given input. With such limited leverage, the adversary has no choice but to explore avenues to infer the model’s decision boundary, based on which adversarial inputs are crafted to evade it. Inferring the best approximation of a black-box model’s decision boundary is a non-trivial exercise for which an exact solution is unattainable. This is because there are exponentially many combinations of model architectures, parameters, and training examples to explore. In this context, the adversary prefers an optimal strategy that yields the best approximation of the black-box with minimal effort. This thesis presents a novel adversarial approximation approach for a black-box malware detector. Beginning with publicly accessible input-set for the black-box model, our approach leverages the recent advances in image transformation for deep neural networks and transferability of knowledge from publicly available pre-trained models to obtain an acceptable approximation of a black-box malware detector. Experimental evaluation of our approach against a 93% black-box model trained on raw-byte sequence features of benign and malware Windows executables achieves up to 92% accurate approximator that leverages the Inception V3 pre-trained model. On a comparison dataset disjoint with the black-box’s and the approximator’s training sets,our approach achieved 90.1% similarity between the target black-box and the approximated model, showing the viability of our approach for approximation of black-box malware detectors with optimal effort.