Practical clean-label backdoor attack against static malware detection

Abstract

Deep learning models have demonstrated strong performance in detecting malware. However, their reliance on updates from third-party crowdsourced threat sources introduces vulnerabilities that can be exploited for backdoor attacks. Backdoored models exhibit normal behavior on clean samples but can be triggered to output specific target categories when a test sample contains a predefined trigger pattern. This makes backdoor attacks challenging to detect and poses significant security risks in malware detection. Researchers have proposed various methods for backdoor attacks on malware detectors. Yet, existing approaches struggle to meet three strict conditions simultaneously: (1) conducting attacks in black-box scenarios, (2) accessing correct labels during attacks, and (3) preserving the original functionality of files. This paper introduces a practical framework for black-box clean-label backdoor attacks. We analyze unused byte regions in the header of PE files as potential injection points for triggers. In a black-box setting, we develop universal adversarial triggers using a heuristic search algorithm, effectively embedding them as backdoor triggers to evade malware detection. Experimental results demonstrate the effectiveness of the proposed backdoor attack in manipulating state-of-the-art detection models with high success rates.