Motivated by the transformative impact of deep neural networks (DNNs) in
various domains, researchers and anti-virus vendors have proposed DNNs for
malware detection from raw bytes that do not require manual feature
engineering. In this work, we propose an attack that interweaves
binary-diversification techniques and optimization frameworks to mislead such
DNNs while preserving the functionality of binaries. Unlike prior attacks, ours
manipulates instructions that are a functional part of the binary, which makes
it particularly challenging to defend against. We evaluated our attack against
three DNNs in white- and black-box settings, and found that it often achieved
success rates near 100%. Moreover, we found that our attack can fool some
commercial anti-viruses, in certain cases with a success rate of 85%. We
explored several defenses, both new and old, and identified some that can foil
over 80% of our evasion attempts. However, these defenses may still be
susceptible to evasion by attacks, and so we advocate for augmenting
malware-detection systems with methods that do not rely on machine learning.

该论文介绍了一种通过二进制多样性技术和优化框架欺骗深度神经网络的攻击方式来打破基于机器学习的恶意软件检测系统，攻击成功率可达 100%，但该论文也探索了一些能够使攻击失败的防御手段。