def aimed(bin_bytes, sample, size_population, length_sequence, files_expected,
scanner):
'''
AIMED: Automatic Intelligent Malware Modifications to Evade Detection
This function implements GP to find PE adversarial examples.
Input:
bin_bytes: binaries from input malware sample
sample: malware sample in terminal
size_population: population size for GP (Default: 4)
length_sequence: length of perturbation sequence
files_expected: number of malware mutations expected as output
scanner: commercial AV or malware model classifier
'''
# Create a dict with all perturbations
actions = f.actions_vector(m.ACTION_TABLE.keys())
# Inject children sequences to S to create four S'
mutation = {}
mutation['Malware_Bytes'], mutation['Malware_Sample'], mutation['Actions'], \
mutation['Files_Expected'], mutation['hash_sample'], mutation['Scanner']= \
bin_bytes, sample, actions, files_expected, f.hash_files(sample), scanner
# Call evolution algorithm to find successfull mutations
print(
'\n### AIMED: Automatic Intelligent Malware Modifications to Evade Detection ###'
)
population = gp.Population(size=size_population,
length_sequence=length_sequence,
show_sequences=True)
return population.generation(mutation=mutation)
def armed2(bin_bytes, sample, n, rounds, files_expected, scanner):
'''
ARMED-II: Automatic Random Malware Modifications to Evade Detection -- Incremental Iterations
This function injects random perturbations sequentially to input PE malware
in order to find adversarial examples. After each injection, the malware
mutation will be tested for functionality and evasion.
Input:
bin_bytes: binaries from input malware sample
sample: malware sample in terminal
n: number of perturbations to inject
rounds: number of rounds to run when searching for evasions
files_expected: number of malware mutations expected as output
scanner: commercial AV or malware model classifier
'''
# Create a dict with all perturbations
actions = f.actions_vector(m.ACTION_TABLE.keys())
# Get VT detections for original sample to use as benchmark
hash_sample = f.hash_files(sample)
sample_report = f.get_report_VT(hash_sample, rescan=False)
#sample_report = {'positives': 49, 'total': 66} # Debug mode (without VT/offline)
# Inject perturbations and check for detection
chosen_actions = [None] * n
new_mutations = 0
for x in range(n):
for r in range(rounds):
# Create random action and add it to sequence
random_actions = f.create_random_actions(actions, x + 1)
chosen_actions[x] = random_actions[0]
print(
'\n### ARMED-II: Automatic Random Malware Modifications to Evade Detection ###\n'
)
print('# Manipulation Box # Round {} # Perturbation {} of {} #\n'.
format(r + 1, x + 1, n))
# Call a recursive function to inject x perturbations on a given sample (Print = Perturbation: x+1)
mod_sample = f.rec_mod_files(bin_bytes, actions, chosen_actions, x,
x + 1)
print('\n# Sandbox (Oracle) # Round {} # Perturbation {} of {} #'.
format(r + 1, x + 1, n))
# Send the modified sample to sandbox to check functionality (not corrupt)
json_send = f.send_local_sandbox(mod_sample)
# Calculate hashes from original and modified sample
mod_sample_hash = f.hash_files(mod_sample)
# Collect info to writeCSV function
CSV = f.collect_info_CSV(sample, sample_report, x, chosen_actions,
mod_sample_hash, hash_sample)
# Malware analysis & malware detection stages
useVT = False
funcional = False
funcional, url_sandbox = malware_analysis(mod_sample, json_send,
useVT, CSV)
# Increase number of mutations to match -m given based on local checks
if funcional:
print(
'# Malware Classifier # Round {} # Perturbation {} of {} #\n'
.format(r + 1, int(CSV['Perturbations']), n))
#Check if mutations is detected
start = time()
mutation = CSV['Perturbations'] + '_m.exe'
print('Running detection for:', mutation)
detected = malware_detection(mutation, scanner)
new_mutations += save_file_database(detected, mutation,
url_sandbox, CSV, scanner)
if new_mutations == files_expected:
break
# Show time
print('Evasive mutations found: {}'.format(new_mutations))
def armed(bin_bytes, sample, n, rounds, files_expected, detection_threshold,
scanner):
'''
ARMED: Automatic Random Malware Modifications to Evade Detection
This function injects n random perturbations to input PE malware
in order to find adversarial examples.
Input:
bin_bytes: binaries from input malware sample
sample: malware sample in terminal
n: number of perturbations to inject
rounds: number of rounds to run when searching for evasions
files_expected: number of malware mutations expected as output
detection_threshold: run until number of detections is below threshold (only for VirusTotal)
scanner: commercial AV or malware model classifier
'''
# Decide whether to use remote (VirusTotal) or local detection & remote or local sandbox
useVT = False
useHA = False
# Iterate to generate -m mutations for all perturbations on the loop
start = time()
max_number_perts = n
while n <= max_number_perts:
new_samples = 0
new_corrupt_samples = 0
for r in range(rounds):
# Create a dict with all perturbations & choose random actions
actions = f.actions_vector(m.ACTION_TABLE.keys())
chosen_actions = f.create_random_actions(actions, n)
# Call a recursive function to inject n perturbations on a given sample
print(
'\n### ARMED: Automatic Random Malware Modifications to Evade Detection ###\n'
)
print('# Manipulation Box # Round {} of {} #\n'.format(
r + 1, rounds))
perturbs = n - 1
start_pert = time()
mod_sample = f.rec_mod_files(bin_bytes, actions, chosen_actions,
perturbs, n)
print('Time injecting perturbations: {} s'.format(
round(time() - start_pert, 2)))
# Send the modified sample to sandbox to check functionality (not corrupt)
print('\n# Sandbox (Oracle) # Round {} of {} #'.format(
r + 1, rounds))
# Check if use remote or local sandbox
if useHA:
json_send_HA = f.send_HA(mod_sample, 120)
else:
json_send = f.send_local_sandbox(mod_sample)
# Calculate hashes from original and modified sample
hash_sample = f.hash_files(sample)
mod_sample_hash = f.hash_files(mod_sample)
# Get VT detections for original sample to use as benchmark
sample_report = f.get_report_VT(hash_sample, rescan=False)
#sample_report = {'positives': 49, 'total': 66} # Debug mode (without VT/offline)
# Collect info to writeCSV function
CSV = f.collect_info_CSV(sample, sample_report, n - 1,
chosen_actions, mod_sample_hash,
hash_sample)
# Malware analysis & malware detection stages
funcional = False
funcional, url_sandbox = malware_analysis(mod_sample, json_send,
useVT, CSV)
# Check if use remote or local detection along with functionality
if useVT and funcional:
new_samples += 1
CSV['Full_Analysis_Report'] = url_sandbox
vt_positives = malware_detection_VT(sample_report, CSV)
if vt_positives < detection_threshold:
break
elif not useVT and funcional:
print(
'# Malware Classifier # Round {} # Perturbation {} of {} #\n'
.format(r + 1, int(CSV['Perturbations']), n))
# Check if mutation is detected
start = time()
mutation = CSV['Perturbations'] + '_m.exe'
print('Running detection for:', mutation)
detected = malware_detection(mutation, scanner)
new_samples += save_file_database(detected, mutation,
url_sandbox, CSV, scanner)
elif not funcional:
new_corrupt_samples += 1
if r == rounds - 1:
print('\n## Summary ##')
if new_samples == files_expected:
break
print('Evasive mutations found: {}'.format(new_samples))
print('Corrupt mutations found: {}'.format(new_corrupt_samples))
n += 1
return new_samples, new_corrupt_samples