Due to the proliferation of malware, defenders are increasingly turning to automation and machine learning as part of the malware detection tool-chain. However, machine learning models are susceptible to adversarial attacks, which makes testing the robustness of both models and products necessary. Meanwhile, attackers also seek to automate malware generation and evasion of antivirus systems, and defenders try to gain insight into their methods. This work proposes a new algorithm that combines Malware Evasion and Model Extraction (MEME) attacks. MEME uses model-based reinforcement learning to adversarially modify Windows executable binary samples while simultaneously training a surrogate model that has high agreement with the target model being evaded. To evaluate this method, we compare it with two state-of-the-art attacks in adversarial malware creation, using three well-known published models and one antivirus product as targets. Results show that MEME outperforms the state-of-the-art methods in evasion capability in almost all cases, producing evasive malware with an evasion rate of 32-73%. It also produces surrogate models whose prediction labels agree with those of the respective target models 97-99% of the time. The surrogate could be used to fine-tune and improve the evasion rate in the future.
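The two ideas the abstract couples, extracting a surrogate from the labels a black-box detector returns and using that surrogate to guide functionality-preserving modifications of a sample, can be shown on a toy. The following is an added example, not code from the MEME paper or its authors: the search is a greedy surrogate-guided hill climb rather than the paper's model-based reinforcement learning, the "detector" is a constructed hidden linear model over nine made-up PE-inspired bit features (names such as has_overlay and large_padding are illustrative), and the attacker may only switch on features that an additive edit to the file could produce. Every query sent to the target during warm-up and search is reused as surrogate training data, which is the property the abstract's 97-99% label agreement depends on.

```python
import itertools
import math
import random

# Constructed, toy feature set (not the paper's feature space). Each entry is
# (name, appendable): appendable features can be switched on by an additive,
# behaviour-preserving edit to the PE file (new section, overlay, padding...).
FEATURES = [
    ("high_entropy_section", False),
    ("suspicious_api_sequence", False),
    ("packed_header", False),
    ("has_overlay", True),
    ("extra_benign_section", True),
    ("has_manifest", True),
    ("has_debug_directory", True),
    ("has_version_info", True),
    ("large_padding", True),
]
APPENDABLE = [i for i, (_, appendable) in enumerate(FEATURES) if appendable]


class BlackBoxDetector:
    """Constructed stand-in for the target model: a hidden linear classifier.
    The attacker only sees the 0/1 label from predict(), never the weights."""

    def __init__(self):
        self._w = [2.5, 2.0, 1.5, 0.3, -1.0, -0.8, -0.7, -1.2, -0.2]
        self._b = -1.0

    def predict(self, x):
        score = sum(w * xi for w, xi in zip(self._w, x)) + self._b
        return 1 if score > 0 else 0  # 1 = malicious, 0 = benign


class Surrogate:
    """Logistic regression fitted with SGD to the labels the target returned."""

    def __init__(self, n_features, seed=0):
        self.w = [0.0] * n_features
        self.b = 0.0
        self._rng = random.Random(seed)

    def prob(self, x):
        z = sum(w * xi for w, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def predict(self, x):
        return 1 if self.prob(x) > 0.5 else 0

    def fit(self, data, epochs=50, lr=0.5):
        data = list(data)  # copy, so shuffling does not disturb the caller
        for _ in range(epochs):
            self._rng.shuffle(data)
            for x, y in data:
                g = self.prob(x) - y  # gradient of the log loss w.r.t. the logit
                self.w = [w - lr * g * xi for w, xi in zip(self.w, x)]
                self.b -= lr * g


def with_bit(x, i):
    y = list(x)
    y[i] = 1
    return y


def all_inputs():
    return [list(bits) for bits in itertools.product((0, 1), repeat=len(FEATURES))]


def agreement(surrogate, target, samples):
    """Fraction of samples on which surrogate and target give the same label."""
    return sum(surrogate.predict(x) == target.predict(x) for x in samples) / len(samples)


def attack(target, sample, budget=8, warmup=60, seed=1):
    """Greedy surrogate-guided evasion that doubles as model extraction:
    every target query (warm-up and search) becomes surrogate training data."""
    rng = random.Random(seed)
    surrogate = Surrogate(len(FEATURES))
    data = [(x, target.predict(x)) for x in
            ([rng.randint(0, 1) for _ in FEATURES] for _ in range(warmup))]
    x = list(sample)
    data.append((list(x), target.predict(x)))
    surrogate.fit(data)
    history = []
    for _ in range(budget):
        if target.predict(x) == 0:
            break
        candidates = [i for i in APPENDABLE if x[i] == 0]
        if not candidates:
            break
        # Apply the edit the surrogate believes lowers maliciousness the most.
        best = min(candidates, key=lambda i: surrogate.prob(with_bit(x, i)))
        x = with_bit(x, best)
        label = target.predict(x)
        history.append((FEATURES[best][0], label))
        data.append((list(x), label))
        surrogate.fit(data, epochs=10)
    return x, target.predict(x) == 0, surrogate, history


ORIGINAL_MALWARE = [1, 1, 0, 0, 0, 0, 0, 0, 0]  # constructed sample; detected as malicious

if __name__ == "__main__":
    target = BlackBoxDetector()
    evaded_sample, evaded, surrogate, history = attack(target, ORIGINAL_MALWARE)
    print("edits applied:", history)
    print("evaded:", evaded)
    print("surrogate/target label agreement: %.3f"
          % agreement(surrogate, target, all_inputs()))
```

The design choice worth noting is that the attack never touches the three non-appendable features, mirroring the constraint that binary modifications must keep the sample functional; with real PE files that constraint is enforced by the transformation set, not by the feature vector, and a sample should be re-executed in a sandbox to confirm it still works. Agreement is measured on the full input space here only because the toy has 512 points; against a real detector it is estimated on a held-out sample set, as in the paper's evaluation.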