Adaptive Malware Control: Decision-Based Attacks in the Problem Space of Dynamic Analysis.

Adversarial malware have been widely explored, most often on static analysis based detection and feature space manipulations. With the prevalence of encryption, obfuscation, and packing, dynamic behavior is considered much more revealing of a program's nature. At the same time, defining and performing attacks through the feature representation of malware faces several obstacles, especially in dynamic analysis. However, if program behavior is both malleable and indicative of malicious intent, we concern ourselves with the question of how it can be adaptively controlled in order to evade detection. In this work, we redefine adversarial attacks on malware behavior so that they can be performed directly by the original binary and thus obviate the need to compute gradients through feature representations. We theoretically prove that this can occur even in the fully black-box case where only the final, hard-label decision is disclosed. Furthermore, we empirically evaluate our approach by training state-of-the-art sequence models for detecting malware behavior, constructing several malware manipulation environments, and training a host of reinforcement learning (RL) agents on them that learn evasive policies through interaction. Finally, we utilize the adversarial behavior learned by the RL agents to adversarially train the original detection models and we show that while an indispensable approach, the degree of robustness it imparts can be deceptive; especially when we consider adversaries with broader action sets.