Ch4os: Discretized Generative Adversarial Network for Functionality-preserving Evasive Modification on Malware
Christopher Molloy, Furkan Alaca, Steven H. H. Ding.
International Conference on Artificial Neural Networks 2024, September 17-20, Lugano-Viganello, Switzerland.
Rapid advancements in Artificial Intelligence (AI) have led to applications in various domains. Due to the exponential growth of cyberspace in recent years, the domain of cybersecurity has seen substantial integration of AI to aid in handling large amounts of data. The discipline of malware analysis within cybersecurity has leveraged AI to develop advanced analysis techniques. Within malware analysis, AI has been applied to both malware detection and evasive malware generation. Adversarial Learning on Malware (ALM) is the study of evasive modifications aimed at AI-based detection tools. Most existing ALM evasive modification methods produce samples that are not valid executables. Solutions that produce effective valid executables are limited to injecting random code from a finite set of benign samples. Instead of using known code, we aim to optimize the injected bytes to increase evasion probability through adversarial learning. We propose Ch4os, a malware modification system trained in a Generative Adversarial Network setting. We introduce the Valid Machine Code Execution (VaME) activation function, which guarantees the functionality of modified malware samples while preserving the differentiability of the learning process. In addition, to address the challenge of learning efficiency and stability, we introduce the Binary Copier Pre-training (BCP) method. We conduct experiments on a dataset of chronologically separated malware for a simulated real-world detection scenario and show that Ch4os can generate 152% more evasive samples than the state-of-the-art.