PDF files have proved to be excellent malicious-code bearing vectors. Thanks to their flexible logical structure, an attack can be hidden in several ways, and easily deceive protection mechanisms based on file-type filtering. Recent work showed that malicious PDF files can be accurately detected by analyzing their logical structure, with excellent results. In this paper, we present and practically demonstrate a novel evasion technique, called reverse mimicry, that can easily defeat such kind of analysis. We implement it using real samples and validate our approach by testing it against various PDF malware detectors proposed so far. Finally, we highlight the importance of developing systems robust to adversarial attacks and propose a framework to strengthen PDF malware detection against evasion.

Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection

MAIORCA, DAVIDE;CORONA, IGINO;GIACINTO, GIORGIO
2013

Abstract

PDF files have proved to be excellent malicious-code bearing vectors. Thanks to their flexible logical structure, an attack can be hidden in several ways, and easily deceive protection mechanisms based on file-type filtering. Recent work showed that malicious PDF files can be accurately detected by analyzing their logical structure, with excellent results. In this paper, we present and practically demonstrate a novel evasion technique, called reverse mimicry, that can easily defeat such kind of analysis. We implement it using real samples and validate our approach by testing it against various PDF malware detectors proposed so far. Finally, we highlight the importance of developing systems robust to adversarial attacks and propose a framework to strengthen PDF malware detection against evasion.
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11584/106938
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 83
  • ???jsp.display-item.citation.isi??? ND
social impact