EGAN: Evolutional GAN for Ransomware Evasion

Daniel Commey, Benjamin Appiah, Bill K. Frimpong, Isaac Osei, Ebenezer N. A. Hammond, Garth V. Crosby

TL;DR

The paper addresses the challenge of generating adversarial ransomware that remains functional while evading detectors. It proposes EGAN, a hybrid framework combining Evolution Strategy (CMA-ES) and Generative Adversarial Networks to select mutation actions and produce adversarial PE files. Empirical results show strong evasion of static, AI-powered detectors on VirusTotal and transferable evasion to some non-AI scanners and sandboxes, though dynamic analysis results vary. The work underscores the risk of adversarial training in PE-based ransomware and motivates more robust defenses against evasion tactics.

Abstract

Adversarial Training is a proven defense strategy against adversarial malware. However, generating adversarial malware samples for this type of training presents a challenge because the resulting adversarial malware needs to remain evasive and functional. This work proposes an attack framework, EGAN, to address this limitation. EGAN leverages an Evolution Strategy and Generative Adversarial Network to select a sequence of attack actions that can mutate a Ransomware file while preserving its original functionality. We tested this framework on popular AI-powered commercial antivirus systems listed on VirusTotal and demonstrated that our framework is capable of bypassing the majority of these systems. Moreover, we evaluated whether the EGAN attack framework can evade other commercial non-AI antivirus solutions. Our results indicate that the adversarial ransomware generated can increase the probability of evading some of them.

Paper Structure (14 sections, 1 equation, 6 figures, 2 tables)

Figures (6)

  • Figure 1: Overview of EGAN, an Evolution GAN adversarial Ransomware Examples Generator.
  • Figure 2: Screenshot of VirusTotal scanned results showing EGAN evasive against popular AI-powered AV. https://t.ly/gbaC
  • Figure 3: VirusTotal scanned results for popular Ransomware samples and their adversarial counterparts.
  • Figure 4: Kaspersky detection results for transformed Ransomware. The Kaspersky Threat Intelligence portal found no data on this file. https://t.ly/O8KA
  • Figure 5: Screenshot of Cuckoo sandbox report.