(陆军工程大学 南京 中国 210001;国防科技大学第六十三研究所 南京 中国 210000;军事科学院 北京 中国 100091)
关键词:  恶意代码检测  深度学习  对抗样本  显著性分析
Generating Adversarial Malware Examples Based on Saliency Analysis
ZHAN Dazhi,SUN Yi,ZHANG Lei,LIU Xin,GUO Shize,PAN Zhisong
Army Engineering University of PLA, Nanjing 210001, China;The Sixty-third Research Institute, National University of Defense Technology, Nanjing 210000, China;Academy of Military Sciences, Beijing 100091, China
With the rapid development of artificial intelligence technologies, deep learning models are increasingly being used for malware detection. Deep learning models are better able to deal with the growing threat of malware due to their better generalization performance, which allows them to handle new and unknown malware. However, deep learning models are vulnerable to the adversarial examples, where an adversary makes the model predict incorrectly by making minor changes. This vulnerability poses a potential security risk and leads to a significant reduction in the robustness of malware detection systems. Studying the adversarial mechanism between deep learning models and adversarial examples, mining the weaknesses of malware detection models using the generated adversarial examples, and enhancing the explainability of model classification are the keys to evaluate and improve the robustness of malware detection systems. Therefore, this paper proposes a method for generating adversarial examples of malware based on saliency analysis, which first uses explainable techniques to analyze the distribution of saliency values of input features when the model detects malicious code and to interpret the decision of the deep learning model to classify malicious code. Then, we mine the byte sequences of non-executable regions in PE files that are suitable for applying adversarial perturbations, and construct a generation framework SAM (Saliency-based Adversarial Malware examples), which generates function-preserving and effective adversarial examples that can evade detection by modifying the salient bytes in the non-execution region of the code. The experimental results demonstrate that the SAM proposed achieves a 72.9% evasion rate against the MalConv in white-box mode and 45% in black-box mode with only modifications of no more than 1024 bytes, which is a significant improvement compared to other methods.
Key words:  malware detection  deep learning  adversarial example  saliency analysis