Go to DBLP homepageSemantics-Preserving Node Injection Attacks Against GNN-Based ACFG Malware Classifiers
Abstract: To increase security for devices connected to the internet, research has gone into using Graph Neural Networks (GNNs) to inhibit the spread of malware through detection. GNN classifiers that use Attributed Control Flow Graphs (ACFGs) have demonstrated favorable results in classifying software binaries as malicious or benign. In this work, we show that such classifiers are vulnerable to Adversarial Examples (AEs) by proposing several grey-box adversarial attacks that perform node injection and preserve the semantics of a program. We demonstrate that adversaries can take advantage of the aggregation properties of GNNs to apply effective perturbation outside of the original ACFG nodes of a software binary through node injection. We conducted experiments on our methods and compared them against two similar semantics-preserving adversarial attacks. Our results have shown that our methods of applying perturbation through node injection can result in higher evasion rates while decreasing the amount of perturbation needed to fool detectors. Namely, we deliver an evasion rate of up to 94.83% with only 2.49% of total perturbation, in comparison with a maximum evasion of 79.50% at 2.78% perturbation by a state-of-the-art approach and only 27.44% at 2.95% perturbation by the baseline attack. Our results highlight the need for creating more robust GNN malware detectors.
Loading