Efficient Black-box Optimization of Adversarial Windows Malware with Constrained Manipulations

Windows malware detectors based on machine learning are vulnerable to adversarial examples, even if the attacker is only given black-box access to the model. The main drawback of these attacks is that they require executing the adversarial malware sample in a sandbox at each iteration of its optimization process, to ensure that its intrusive functionality is preserved. In this paper, we present a novel black-box attack that leverages a set of semantics-preserving, constrained malware manipulations to overcome this computationally-demanding validation step. Our attack is formalized as a constrained minimization problem which also enables optimizing the trade-off between the probability of evading detection and the size of the injected adversarial payload. We investigate this trade-off empirically, on two popular static Windows malware detectors, and show that our black-box attack is able to bypass them with only few iterations and changes. We also evaluate whether our attack transfers to other commercial antivirus solutions, and surprisingly find that it can increase the probability of evading some of them. We conclude by discussing the limitations of our approach, and its possible future extensions to target malware classifiers based on dynamic analysis.