eScholarship
Open Access Publications from the University of California

UCLA Electronic Theses and Dissertations

Detecting Mimicry Attacks in Windows Malware

Abstract

Ever since the earliest days of the Internet, malware has been a problem for computers. Since then, this problem's severity has only increased, with important organizations like universities and hospitals suffering major security breaches due to malware. As detection techniques get more advanced, so do attackers' evasion attempts. One such method, called the mimicry attack, introduces benign behavior into malware so that detectors produce a benign classification even while the malware retains its malicious behaviors. In this document, I will describe the work we did on developing malware detection methods that remain effective in the presence of such evasion attacks. Using Windows APIs, our detection pipeline generates a summary of program behavior, vectorizes it in a way that is robust to modifications, and constrains features to reduce the impact of added benign behaviors. We use two methods of constraining features: enforcing monotonicity on them and removing them from the feature vector. To evaluate this detection pipeline and other methods, we use hooking and injection techniques to generate mimicry attacks that can insert benign behavior in more locations than prior work, and thus produce stronger attacks. Our results show that our methods can effectively and consistently detect malware that uses both mimicry attacks and adversarial attacks, with minimal accuracy loss on vanilla data.
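The pipeline the abstract sketches (behavior summary, modification-robust vectorization, and feature constraints by monotonicity or removal) can be illustrated with a toy linear scorer. The following is an added example written for this page, not code from the dissertation: the API-call traces, per-API weights, and threshold are constructed, the scorer is a hand-weighted stand-in for a trained model, and `insert_benign_calls` merely interleaves benign API names into a list to model the evaluation step, not any hooking or injection. It shows that an unconstrained scorer with negative weights on benign calls is pushed below threshold once benign calls are added, while the same scorer with weights clipped to be monotone, or with benign-indicative features removed, keeps the original score; it also shows why binary presence features resist dilution where relative-frequency features do not.

```python
"""Toy Windows-API behavior detector that stays robust when benign API
calls are inserted into a malicious trace. Constructed example: traces,
weights and threshold are made up and are not from any real dataset."""
from collections import Counter

# Constructed API-call traces (not from any real sample).
MALICIOUS_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "CreateRemoteThread", "CloseHandle"]
BENIGN_TRACE = ["CreateFileW", "ReadFile", "GetSystemTime",
                "CloseHandle", "ExitProcess"]
# Benign calls used to pad a trace when testing the detector.
BENIGN_FILLER = ["CreateFileW", "ReadFile", "GetSystemTime",
                 "ExitProcess", "RegQueryValueExW"]

# Constructed per-API weights of a linear scorer. A negative weight means
# "seeing this call makes the sample look more benign", which is the
# property a mimicry attack exploits.
UNCONSTRAINED_WEIGHTS = {
    "OpenProcess": 0.5, "VirtualAllocEx": 1.0, "WriteProcessMemory": 1.5,
    "CreateRemoteThread": 2.0, "CloseHandle": 0.0,
    "CreateFileW": -1.0, "ReadFile": -1.0, "GetSystemTime": -1.5,
    "ExitProcess": -1.0, "RegQueryValueExW": -1.0,
}
THRESHOLD = 2.0  # a score at or above this is flagged as malicious


def summarize(trace):
    """Behavior summary: how often each API name appears in the trace."""
    return Counter(trace)


def vectorize_presence(summary):
    """Binary presence features: repeating a call cannot change the vector."""
    return {api: 1.0 for api in summary}


def vectorize_frequency(summary):
    """Relative-frequency features: padding dilutes the malicious calls."""
    total = sum(summary.values())
    return {api: count / total for api, count in summary.items()}


def score(vector, weights):
    """Linear score; APIs without a weight contribute nothing."""
    return sum(weights.get(api, 0.0) * value for api, value in vector.items())


def monotone_weights(weights):
    """Constraint 1: enforce monotonicity by clipping weights at zero, so
    adding any API call can never lower the score."""
    return {api: max(0.0, w) for api, w in weights.items()}


def remove_benign_features(weights):
    """Constraint 2: drop benign-indicative features from the vector."""
    return {api: w for api, w in weights.items() if w > 0.0}


def insert_benign_calls(trace, filler):
    """Evaluation helper: spread benign calls through a trace while keeping
    every original call in its original order."""
    padded = list(trace)
    for i, call in enumerate(filler):
        padded.insert(min(2 * i + 1, len(padded)), call)
    return padded


def detect(trace, weights, vectorizer=vectorize_presence, threshold=THRESHOLD):
    """Full pipeline: summarize -> vectorize -> score -> threshold."""
    return score(vectorizer(summarize(trace)), weights) >= threshold


def run_demo():
    """Return the verdicts a reader would want to compare side by side."""
    padded = insert_benign_calls(MALICIOUS_TRACE, BENIGN_FILLER)
    return {
        "unconstrained, original": detect(MALICIOUS_TRACE, UNCONSTRAINED_WEIGHTS),
        "unconstrained, padded": detect(padded, UNCONSTRAINED_WEIGHTS),
        "monotone, padded": detect(padded, monotone_weights(UNCONSTRAINED_WEIGHTS)),
        "removed, padded": detect(padded, remove_benign_features(UNCONSTRAINED_WEIGHTS)),
        "monotone, benign": detect(BENIGN_TRACE, monotone_weights(UNCONSTRAINED_WEIGHTS)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:<25} flagged={verdict}")
```

With the constructed weights the unconstrained scorer flags the original trace (score 5.0) but not the padded one (score -0.5), whereas both constrained variants still score the padded trace at 5.0 and still leave the benign trace unflagged. The frequency vectorizer shows the second point: twenty inserted `GetSystemTime` calls shrink the malicious contribution from 1.0 to 0.2 under relative frequencies but leave the presence-based score unchanged, which is why count dilution matters independently of the weight constraints.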
