The Naked Sun: Malicious Cooperation Between Benign-Looking Processes
This work addresses a critical security problem for malware detection systems by exposing vulnerabilities in behavioral modeling, with incremental novelty in attack design.
The paper tackles the robustness of behavioral malware detectors to evasion, specifically for anti-ransomware, by identifying novel attacks that distribute malware workload across cooperating processes to avoid detection. The most effective attack reduces the accuracy of a state-of-the-art classifier from 98.6% to 0% using only 18 cooperating processes.
Recent progress in machine learning has generated promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper thoroughly examines the robustness of behavioral malware detectors to evasion, focusing particularly on anti-ransomware evasion. We choose ransomware as its behavior tends to differ significantly from that of benign processes, making it a low-hanging fruit for behavioral detection (and a difficult candidate for evasion). Our analysis identifies a set of novel attacks that distribute the overall malware workload across a small set of cooperating processes to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6% to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors even in a black-box setting.