UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

The arms race: Adversarial search defeats entropy used to detect malware

Menéndez, HD; Bhattacharya, S; Clark, D; Barr, ET; (2019) The arms race: Adversarial search defeats entropy used to detect malware. Expert Systems with Applications , 118 pp. 246-260. 10.1016/j.eswa.2018.10.011. Green open access

[img]
Preview
Text
Menendez Benito_The arms race. Adversarial search defeats entropy used to detect malware_VoR.pdf - ["content_typename_Published version" not defined]

Download (1MB) | Preview

Abstract

Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role related to detecting patterns altered by concealment strategies, such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk resident executable allows an analyst to detect malware or a black hat to evade the detection. This paper shows these two perspectives into two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state of the art detectors. It learns their detection patterns in up to 8 generations of its search process, and increments their false negative rate from range 0–9%, up to the range 90–98.7%.

Type: Article
Title: The arms race: Adversarial search defeats entropy used to detect malware
Open access status: An open access version is available from UCL Discovery
DOI: 10.1016/j.eswa.2018.10.011
Publisher version: https://doi.org/10.1016/j.eswa.2018.10.011
Language: English
Additional information: © 2018 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
Keywords: Malware, Information theory, Entropy, Time series, Packing, Adversarial learning
UCL classification: UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: http://discovery.ucl.ac.uk/id/eprint/10060098
Downloads since deposit
82Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item