TY - GEN
T1 - FUMVar
T2 - 36th Annual ACM Symposium on Applied Computing, SAC 2021
AU - Jin, Beomjin
AU - Choi, Jusop
AU - Kim, Hyoungshick
AU - Hong, Jin B.
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/3/22
Y1 - 2021/3/22
N2 - It is crucial to understand how malware variants are generated to bypass malware detection systems and to understand their characteristics in order to improve detectors' performance. To achieve this goal, we propose an evolutionary-based framework named FUMVar to generate Fully-working and Unseen Malware Variants. In particular, we applied FUMVar to portable executable (PE) files, which have been used extensively to infect Windows operating systems. Compared to the state-of-the-art approach named AIMED, our experimental results show that FUMVar generated 25% more evasive malware variants while reducing the time taken to generate them by 23%. Furthermore, FUMVar generated malware variants that bypassed commercial anti-malware engines, such as TrendMicro, with an alarming false-negative rate of up to 73%. To improve detection techniques, we evaluate how different perturbations enhance evasiveness and how different malware categories are affected by those perturbations. The results show that the effectiveness of perturbations varies significantly, by up to 6 times (e.g., section add vs. unpack), and that more suitable perturbations can be selected for different malware categories due to their varying applications. This information can then be used to develop more robust malware detection systems that detect unseen malware variants more effectively.
KW - malware generation
KW - malware variation
KW - windows PE
UR - https://www.scopus.com/pages/publications/85104960194
U2 - 10.1145/3412841.3442039
DO - 10.1145/3412841.3442039
M3 - Conference contribution
AN - SCOPUS:85104960194
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1656
EP - 1663
BT - Proceedings of the 36th Annual ACM Symposium on Applied Computing, SAC 2021
PB - Association for Computing Machinery
Y2 - 22 March 2021 through 26 March 2021
ER -