Lost in the Loader:The Many Faces of the Windows PE File Format

Nisi, Dario; Graziano, Mariano; Fratantonio, Yanick; Balzarotti, Davide

doi:10.1145/3471621.3471848

Cited by 5 publications

(6 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure 2 shows that we can achieve a certified accuracy in excess of 90% at a Levenshtein distance radius of 128 bytes when 𝑝 del = 99.5%. This radius is larger than the median Levenshtein distance of two attacks that manipulate headers of PE files [20,57] (see Table 4). We can therefore provide reasonable robustness guarantees against these two attacks.…”

Section: Levenshtein Distance Threat Model We First Present Resultsmentioning

confidence: 87%

“…The certified radii we observe are close to the best radii theoretically achievable using our mechanism. For the Levenshtein byte-level edit distance threat model, we obtain radii of a few hundred bytes in size, which can certifiably defend against attacks that edit headers of PE files [20,22,57]. However, certifying robustness against more powerful attacks that modify thousands or millions of bytes remains an open challenge.…”

Section: Discussionmentioning

confidence: 99%

“…We also consider attackers than perform instruction-level edits in Section 3.3.3. We note that edit distance is a reasonable proxy for the cost of running evasion attacks that iteratively apply localized functionalitypreserving edits (e.g., [20,52,57,60,76]). For these attacks, the edit distance scales roughly linearly with the number of attack iterations, and therefore the adversary has an incentive to minimize edit distance.…”

Section: 22mentioning

confidence: 99%

“…To answer this question, we apply five published evasion attacks [20,21,42,52,57] against an undefended model and a model employing our randomized deletion smoothing (RS-Del). We find that RS-Del is surprisingly helpful at delivering additional robustness 1 We will release an open-source implementation of our mechanisms upon publication.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Certified Robustness of Learning-based Static Malware Detectors

Huang¹,

Marchant²,

Lucas³

et al. 2023

Preprint

View full text Add to dashboard Cite

Certified defenses are a recent development in adversarial machine learning (ML), which aim to rigorously guarantee the robustness of ML models to adversarial perturbations. A large body of work studies certified defenses in computer vision, where ℓ 𝑝 norm-bounded evasion attacks are adopted as a tractable threat model. However, this threat model has known limitations in vision, and is not applicable to other domains-e.g., where inputs may be discrete or subject to complex constraints. Motivated by this gap, we study certified defenses for malware detection, a domain where attacks against ML-based systems are a real and current threat. We consider static malware detection systems that operate on byte-level data. Our certified defense is based on the approach of randomized smoothing which we adapt by: (1) replacing the standard Gaussian randomization scheme with a novel deletion randomization scheme that operates on bytes or chunks of an executable; and(2) deriving a certificate that measures robustness to evasion attacks in terms of generalized edit distance. To assess the size of robustness certificates that are achievable while maintaining high accuracy, we conduct experiments on malware datasets using a popular convolutional malware detection model, MalConv. We are able to accurately classify 91% of the inputs while being certifiably robust to any adversarial perturbations of edit distance 128 bytes or less. By comparison, an existing certification of up to 128 bytes of substitutions (without insertions or deletions) achieves an accuracy of 78%. In addition, given that robustness certificates are conservative, we evaluate practical robustness to several recently published evasion attacks and, in some cases, find robustness beyond certified guarantees. CCS CONCEPTS• Security and privacy → Logic and verification; Malware and its mitigation; • Computing methodologies → Machine learning.

show abstract

Section: Levenshtein Distance Threat Model We First Present Resultsmentioning

confidence: 87%

Section: Discussionmentioning

confidence: 99%

Section: 22mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Certified Robustness of Learning-based Static Malware Detectors

Huang¹,

Marchant²,

Lucas³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…The PE file structure has 5 main components like DOS header, DOS stub, PE header, section table, and n number of sections. Some of the most common section present are .text, .idata, .edata, rsrc, .rdata and .debug [8][9]. Malware Analysis In reverse engineering, we have certain steps that need to be taken.…”

Section: Pe Structure Analysismentioning

confidence: 99%

Malware Reverse Engineering to Find the Malicious Activity of Emotet

Chandran

2023

Advances in Transdisciplinary Engineering

View full text Add to dashboard Cite

Emotet is a Trojan that is commonly spread through emails. It was initially designed to steal banking credentials. It uses a number of strategies and infection vectors to spread over space and establish persistence on infected devices. This paper proposes a framework for analyzing Emotet malware through the process of reverse engineering, to reduce this time consumption we have researched some function calls that can help us in understanding the activity and where to locate the payload. The research is done for two types of files only, they are EXE and DLL files. Firstly we analyze the PE structure of the file using CFF explorer and check for irregularities in the address of the header. using Ghidra we further our analysis of the sample to check for irregularities, API calls, strings and many other information relating to structure of our file. On finding the common functionality and understanding its usage we can determine the kind of behavior the sample would perform and the API calls used for malicious activity. Based on the malicious activity performed we will determine whether the sample provided is Emotet or clean.

show abstract