基于控制流变换的恶意程序检测GNN模型对抗样本生成方法  

作　　者：李奕轩 贾鹏 范希明 陈尘 LI Yixuan;JIA Peng;FAN Ximing;CHEN Chen(School of Cyber Science and Engineering,Sichuan University,ChengDu 610065,China;China Electronics Technology Cyber Security Co.,Ltd.,Beijing 100048,China)

机构地区：[1]四川大学网络空间安全学院,成都610065 [2]中国电子科技网络信息安全有限公司,北京100048

出　　处：《信息网络安全》2024年第12期1896-1910,共15页Netinfo Security

基　　金：国家重点研发计划[2021YFB3101803]。

摘　　要：基于控制流图的图神经网络检测器在恶意程序检测领域取得了显著的成果,是目前的主流也是最先进的方法。现有的针对恶意程序图神经网络检测模型的对抗样本生成方法,主要通过修改控制流图的基本块或边特征实现,而不是修改输入到模型的原始二进制程序。其做法在真实场景下受限,即攻击方难以直接接触到控制流图的特征提取过程,也难以获得模型中间层的特征形式。文章提出通过变换中间语言改变二进制程序控制流图的对抗攻击框架IRAttack,该框架能够针对基于控制流图的图神经网络检测模型高效地产生对抗样本。文章通过插入语义NOP指令、控制流扁平化、控制流虚假化3种修改中间语言的操作,改变对二进制程序进行特征提取后产生的控制流图的节点特征和结构特征。同时,结合模糊测试思想选择需要修改的位置和添加的内容,从而更高效地产生可以误导检测模型的样本。文章在5472个良性样本和5230个恶意样本上,使用两种不同的特征提取方式和3种模型架构进行两两组合,训练了6种模型作为攻击目标。实验结果显示,相较于同背景下的SRLAttack与IMalerAttack,IRAttack的平均攻击成功率分别提升了46.39%和62.69%。The GNN(Graph Neural Network)detector based on control flow graphs has achieved significant results in the field of malware detection,being the current mainstream and most advanced method.Existing adversarial sample generation methods for GNN detection models targeting malware mainly achieve their goals by modifying the basic blocks or edge features of the control flow graph rather than altering the original binary program input to the model.These methods are limited in real-world scenarios,where attackers find it difficult to directly access the feature extraction process of the control flow graph or obtain the intermediate layer features of the model.This paper proposed an adversarial attack framework,IRAttack,that changes the control flow graph of a binary program by transforming the IR(Intermediate Representation)to efficiently generate adversarial samples against control flow graph-based GNN detection models.This paper modify the IR using three operations:inserting semantic NOP(No Operation)instructions,control flow flattening,and control flow obfuscation,to alter the node and structural features of the control flow graph extracted from the binary program.Additionally,This paper combine fuzz testing ideas to select the positions to be modified and the content to be added,thus more effectively generating samples that can mislead GNN detection models.This paper conducted experiments on 5472 benign samples and 5230 malicious samples,using two different feature extraction methods and three model architectures in pairwise combinations,resulting in six models as attack targets.Experimental results show that the average attack success rate of IRAttack,compared to SRLAttack and IMalerAttack under the same conditions,has increased by 46.39%and 62.69%,respectively.

关 键 词：对抗样本生成 图神经网络 恶意程序检测 控制流图变换 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]