Authors: 詹达之 (ZHAN Dazhi); 孙毅 (SUN Yi); 张磊 (ZHANG Lei) [3]; 刘鑫 (LIU Xin); 郭世泽 (GUO Shize); 潘志松 (PAN Zhisong)
Affiliations: [1] Army Engineering University of PLA, Nanjing 210001, China; [2] The Sixty-third Research Institute, National University of Defense Technology, Nanjing 210000, China; [3] Academy of Military Sciences, Beijing 100091, China
Source: Journal of Cyber Security (《信息安全学报》), 2024, Issue 6, pp. 60-73, 14 pages
Funding: Supported by the National Natural Science Foundation of China (No.62076251, No.62106281).
Abstract: With the rapid development of artificial intelligence technologies, deep learning models are increasingly being used for malware detection. Deep learning models are better able to deal with the growing threat of malware due to their better generalization performance, which allows them to handle new and unknown malware. However, deep learning models are vulnerable to adversarial examples, where an adversary makes the model predict incorrectly by making minor changes to a sample. This vulnerability poses a potential security risk and leads to a significant reduction in the robustness of malware detection systems. Studying the adversarial mechanism between deep learning models and adversarial examples, mining the weaknesses of malware detection models using the generated adversarial examples, and enhancing the explainability of model classification are the keys to evaluating and improving the robustness of malware detection systems. Therefore, this paper proposes a method for generating adversarial examples of malware based on saliency analysis, which first uses explainability techniques to analyze the distribution of saliency values of input features when the model detects malicious code and to interpret the decision of the deep learning model to classify malicious code. Then, we mine the byte sequences of non-executable regions in PE files that are suitable for applying adversarial perturbations, and construct a generation framework, SAM (Saliency-based Adversarial Malware examples), which generates function-preserving and effective adversarial examples that can evade detection by modifying the salient bytes in the non-execution region of the code. The experimental results demonstrate that the proposed SAM achieves a 72.9% evasion rate against MalConv in white-box mode and 45% in black-box mode with modifications of no more than 1024 bytes, which is a significant improvement compared to other methods.
Classification No.: TP309.5 [Automation and Computer Technology: Computer System Architecture]