Practical clean-label backdoor attack against static malware detection

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2025-03-01 Epub Date: 2024-12-16 DOI:10.1016/j.cose.2024.104280

Dazhi Zhan , Kun Xu , Xin Liu , Tong Han , Zhisong Pan , Shize Guo

{"title":"Practical clean-label backdoor attack against static malware detection","authors":"Dazhi Zhan , Kun Xu , Xin Liu , Tong Han , Zhisong Pan , Shize Guo","doi":"10.1016/j.cose.2024.104280","DOIUrl":null,"url":null,"abstract":"<div><div>Deep learning models have demonstrated strong performance in detecting malware. However, their reliance on updates from third-party crowdsourced threat sources introduces vulnerabilities that can be exploited for backdoor attacks. Backdoored models exhibit normal behavior on clean samples but can be triggered to output specific target categories when a test sample contains a predefined trigger pattern. This makes backdoor attacks challenging to detect and poses significant security risks in malware detection. Researchers have proposed various methods for backdoor attacks on malware detectors. Yet, existing approaches struggle to meet three strict conditions simultaneously: (1) conducting attacks in black-box scenarios, (2) accessing correct labels during attacks, and (3) preserving the original functionality of files. This paper introduces a practical framework for black-box clean-label backdoor attacks. We analyze unused byte regions in the header of PE files as potential injection points for triggers. In a black-box setting, we develop universal adversarial triggers using a heuristic search algorithm, effectively embedding them as backdoor triggers to evade malware detection. Experimental results demonstrate the effectiveness of the proposed backdoor attack in manipulating state-of-the-art detection models with high success rates.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104280"},"PeriodicalIF":5.4000,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824005868","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2024/12/16 0:00:00","PubModel":"Epub","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Deep learning models have demonstrated strong performance in detecting malware. However, their reliance on updates from third-party crowdsourced threat sources introduces vulnerabilities that can be exploited for backdoor attacks. Backdoored models exhibit normal behavior on clean samples but can be triggered to output specific target categories when a test sample contains a predefined trigger pattern. This makes backdoor attacks challenging to detect and poses significant security risks in malware detection. Researchers have proposed various methods for backdoor attacks on malware detectors. Yet, existing approaches struggle to meet three strict conditions simultaneously: (1) conducting attacks in black-box scenarios, (2) accessing correct labels during attacks, and (3) preserving the original functionality of files. This paper introduces a practical framework for black-box clean-label backdoor attacks. We analyze unused byte regions in the header of PE files as potential injection points for triggers. In a black-box setting, we develop universal adversarial triggers using a heuristic search algorithm, effectively embedding them as backdoor triggers to evade malware detection. Experimental results demonstrate the effectiveness of the proposed backdoor attack in manipulating state-of-the-art detection models with high success rates.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

针对静态恶意软件检测的实用干净标签后门攻击

深度学习模型在检测恶意软件方面表现出了很强的性能。然而，它们对来自第三方众包威胁源的更新的依赖带来了可以被后门攻击利用的漏洞。后门模型在干净的样本上表现出正常的行为，但是当测试样本包含预定义的触发模式时，可以触发输出特定的目标类别。这使得后门攻击难以检测，并在恶意软件检测中构成重大安全风险。研究人员提出了各种后门攻击恶意软件检测器的方法。然而，现有的方法很难同时满足三个严格的条件：(1)在黑盒场景下进行攻击；(2)在攻击期间访问正确的标签；(3)保持文件的原始功能。本文介绍了一种实用的黑盒干净标签后门攻击框架。我们分析PE文件头中未使用的字节区域作为触发器的潜在注入点。在黑盒设置中，我们使用启发式搜索算法开发通用对抗性触发器，有效地将其嵌入后门触发器以逃避恶意软件检测。实验结果表明，所提出的后门攻击在操纵最先进的检测模型方面具有很高的成功率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.