Research area: Analysis
Conference: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)
IoT malware is rapidly increasing due to variants easily generated from publicly available source code. Malware image classification, which is capable of fast and accurate malware identification, is attracting attention. Since classification by imaging is affected by changes to the malware binary, a binary modification without behavioral changes can be a potential attack method against classification by imaging. There are concerns that by combining publicly available malware source code with readily available source code obfuscation tools, it is possible to construct an effective attack that bypasses image classifiers relatively simply. In this study, we show the effectiveness of the attack by source code obfuscation and the possibility of defense against the attack. The contribution of this research is twofold. 1) We showed that Obfuscator-LLVM (oLLVM) code obfuscation could be used as an attack method on malware image classification. The obfuscated malware binaries made by oLLVM were misclassified by a VGG16-based image classifier for all the attacked malware families, including Mirai, Lightaidra, and Bashlite. 2) We showed that classifier training with obfuscated samples could address this attack method. We confirmed that the malware image classifier trained with obfuscated malware binaries made by oLLVM could classify obfuscated malware as the obfuscated form of its original malware family with an accuracy of 100%.
| Publication year | 2023 |
|---|---|
| Citations | 252 |
| Country of publication | Japan |
| Site | IEEE |