endgameinc / gym-malware Goto Github PK

License: MIT License

Python 100.00%

gym-malware's Introduction

Malware Env for OpenAI Gym

Citing

If you use this code in a publication please cite the following paper:


Hyrum S. Anderson, Anant Kharkar, Bobby Filar, David Evans, Phil Roth, "Learning to Evade Static PE Machine Learning Malware Models via Reinforcement Learning", in ArXiv e-prints. Jan. 2018.

@ARTICLE{anderson2018learning,
  author={Anderson, Hyrum S and Kharkar, Anant and Filar, Bobby and Evans, David and Roth, Phil},
  title={Learning to Evade Static PE Machine Learning Malware Models via Reinforcement Learning},
  journal={arXiv preprint arXiv:1801.08917},
  archivePrefix = "arXiv",
  eprint = {1801.08917},
  primaryClass = "cs.CR",
  keywords = {Computer Science - Cryptography and Security},
  year = 2018,
  month = jan,
  adsurl = {http://adsabs.harvard.edu/abs/2018arXiv180108917A},
}

This is a malware manipulation environment for OpenAI's gym. OpenAI Gym is a toolkit for developing and comparing reinforcement learning algorithms. This makes it possible to write agents that learn to manipulate PE files (e.g., malware) to achieve some objective (e.g., bypass AV) based on a reward provided by taking specific manipulation actions.

Objective

Create an AI that learns through reinforcement learning which functionality-preserving transformations to make on a malware sample to break through / bypass machine learning static-analysis malware detection.

Basics

There are two basic concepts in reinforcement learning: the environment (in our case, the malware sample) and the agent (namely, the algorithm used to change the environment). The agent sends actions to the environment, and the environment replies with observations and rewards (that is, a score).

This repo provides an environment for manipulating PE files and providing rewards that are based around bypassing AV. An agent can be deployed that have already been written for the rich gym framework. For example

https://github.com/pfnet/chainerrl [recommended]
https://github.com/matthiasplappert/keras-rl

Setup

The EvadeRL framework is built on Python3.6 we recommend first creating a virtualenv (details can be found here) with Python3.6 then performing the following actions ensure you have the correct python libraries:

pip install -r requirements.txt

EvadeRL also leverages a Library to Instrument Executable Formats aptly named LIEF. It allows our agent to modify the binary on-the-fly. To add it to your virtualenv just pip install one of their pre-built packages. Examples below:

Linux

pip install https://github.com/lief-project/LIEF/releases/download/0.7.0/linux_lief-0.7.0_py3.6.tar.gz

OSX

pip install https://github.com/lief-project/LIEF/releases/download/0.7.0/osx_lief-0.7.0_py3.6.tar.gz

Once completed ensure you've moved malware samples into the

gym_malware/gym_malware/envs/utils/samples/

If you are unsure where to acquire malware samples see the Data Acquisition section below. If you have samples in the correct directory you can check to see if your environment is correctly setup by running :

python test_agent_chainer.py

Note that if you are using Anaconda, you may need to

conda install libgcc

in order for LIEF to operate properly.

Data Acquisition

If you have a VirusTotal API key, you may download samples to the gym_malware/gym_malware/envs/utils/samples/ using the Python script download_samples.py.

Gym-Malware Environment

EvadeRL pits a reinforcement agent against the malware environment consisting of the following components:

Action Space
Independent Malware Classifier
OpenAI framework malware environment (aka gym-malware)

Action Space

The moves or actions that can be performed on a malware sample in our environment consist of the following binary manipulations:

append_zero
append_random_ascii
append_random_bytes
remove_signature
upx_pack
upx_unpack
change_section_names_from_list
change_section_names_to random
modify_export
remove_debug
break_optional_header_checksum

The agent will randomly select these actions in an attempt to bypass the classifier (info on default classifier below). Over time, the agent learns which combinations lead to the highest rewards, or learns a policy (like an optimal plan of attack for any given observation).

Independent Classifier

Included as a default model is a gradient boosted decision trees model trained on 50k malicious and 50k benign samples with the following features extracted:

Byte-level data (e.g. histogram and entropy)
Header
Section
Import/Exports

gym-malware's People

Contributors

Stargazers

Watchers

Forkers

mahervieux chubbymaggie michalkoczwara bijaye athivvat davehardy20 johndpope nonpavit cs24 m0ckupc0de benjaminjon zyxtarmo randubin mrace jack51706 wildturtles helaibai jerusalemsbell hkingz xuxiaochuan ml-lab 0x4e38 clicknull guchinoma slavaforks codeaudit youtubezou awesome-ml viliev enascimento austin-taylor dunggau tzubal pradityamsook xiaolangyuxin antojoseph kaitoops wxdublin duoergun0729 shriramkumar nsudeep olivierh59500 johnjohnsp1 millpopulus fanmcgrady sgros pazocal mi5victim gavz eos21 snyiu100 khodges42 sherlly rdincel1 vexs1991 sulasen datadrug shaynewang andreszeng jellify ripkitten gnof junglecn manishshukla ma3k4h3d tubutubucorn allewwaly terminiter phoenixml farmers-tan sycor4x 33swordsman yf817 f0829 airob shadowliangliang susmitjha techyajay gyh75520 inarikami xiaopengfei9376 angriestalien mollymillion4 inspectordidi iemos tugric thewover ryanbekabe walt1998 litpuvn mingyu-academic pekosugar c4pt000 nikhileshksingh dange0 ei-grad kingkarlito parth1993 dlbd008 bedangsen

gym-malware's Issues

I see a lot of exceptions on string lief.PE.parse(self.bytez)

Hello. I tried to reproduce your method with my dataset and ran into a problem.

I'm working with python3.6 on Arch Linux.

$ pip freeze
backports.weakref==1.0rc1
bleach==1.5.0
cached-property==1.3.1
certifi==2018.1.18
chainer==2.0.1
chainerrl==0.2.0
chardet==3.0.4
decorator==4.2.1
filelock==3.0.0
future==0.16.0
gym==0.9.2
h5py==2.7.0
html5lib==0.9999999
idna==2.5
ipython==6.1.0
ipython-genutils==0.2.0
jedi==0.11.1
Keras==2.0.5
keras-rl==0.3.0
lief==0.8.3
Markdown==2.6.11
nose==1.3.7
numpy==1.13.1
parso==0.1.1
pexpect==4.3.1
pickleshare==0.7.4
Pillow==5.0.0
prompt-toolkit==1.0.15
protobuf==3.5.1
ptyprocess==0.5.2
pyglet==1.3.0
Pygments==2.2.0
PyYAML==3.12
requests==2.18.1
scikit-learn==0.18.2
scipy==0.19.1
simplegeneric==0.8.1
six==1.11.0
sklearn==0.0
tensorflow==1.2.1
Theano==0.9.0
traitlets==4.3.2
urllib3==1.21.1
wcwidth==0.1.7
Werkzeug==0.14.1

PE format files are in the samles directory.
A typical file looks like this:

file 0426fd4a5075d8e1f5d919d817a72c6d1155180b74216235c7fd2249e746b5cb
0426fd4a5075d8e1f5d919d817a72c6d1155180b74216235c7fd2249e746b5cb: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed

Cut from the log:

new hash: 5c0f2e48530947912c8df9c55b0f378d0ed3fa84d6207b30f717dd23c4b4d1d2
score=0.9811470102965859 (hidden), label=1.0
overlay_append
new hash: 15dce7f20d8bf5272f60303dae9af4a44a0d06681ec06f1e5251b5184a17f8bf
score=0.9811470102965859 (hidden), label=1.0
section_rename
Process Process-70:

Traceback (most recent call last):
File "/usr/lib64/python3.6/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib64/python3.6/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "/home/ghost/PycharmProjects/gym-malware/gym_malware/envs/controls/manipulate2.py", line 359, in helper
shared_list[:] = _action(seed)
File "/home/ghost/PycharmProjects/gym-malware/gym_malware/envs/controls/manipulate2.py", line 112, in section_rename
binary = lief.PE.parse(self.bytez)
_pylief.bad_file

I hope for your help.

numpy module version

Execute on windows

I have tried running this project on Windows. But could not execute it properly, got more or less 6 errors and was unable to solve them. Does it only work on linux & mac?

Can not download files from VirusTotal

I can not download the malware samples from Virustotal using the download_samples.py script inside the repo folder[Kindly see the error in the image below]. I will highly appreciate your help on this.

My Python version is 3.8

I have checked that there is no similar issue.

Manipulated PE can't execute

I wrote a strip down script to test manipulate.modify_without_breaking

import numpy as np
from gym_malware.envs.utils import interface
from gym_malware.envs.controls import manipulate2 as manipulate

# np.random.seed(322333)
# random_action = lambda bytez: np.random.choice( list(manipulate.ACTION_TABLE.keys()) )
random_action = lambda bytez: 'section_append'
# original 32bit putty.exe in sha256 file name
bytez = interface.fetch_file('1d673f12ddf0e6cc1545a79471fd5dd56bf0ff9ccff49ff91b41b4085b727665')
action = random_action(bytez)
print(action)
bytez_mod = manipulate.modify_without_breaking( bytez, [action] )
with open("putty-mod32.exe", "wb") as new_file:
    new_file.write(bytez_mod)

The result PE was executed within a Windows 7 32bit but not executable/functional.

The only action that produced functional PE was overlay_append which didn't use LIEF. I tested both GUI & console windows PEs with overlay_append, the resultant files have different sha256-sum from the originals and are functional.

Unfortunately, for other actions that involved LIEF are used, the new file is not functional. I am using macOS python3.6 for this test.

When I ran the script in console, I did notice some error message for all actions that involved LIEF:

Any idea what could be the issue? Thanks!

Black-box scenario

If my understanding is correct you are using the same feature space for the RL agent (file test_agent_chainer.py, line 63) and the targeted classifier (file envs/utils/interface.py, line 98). I'm working on an extension of your work but I'm wondering if this is truly a black-box attack scenario when both the agent and classifier are using the same feature space.

Thanks for clarification

multiprogress is too heavy

Multiprogress is so heavy that it takes much extra time.
However, thread can't be killed conveniently when the lief timeout
Is there any way to solve this problem?

Can I use this code to make commercial software?

Is there any limitation for commercial using?

BrokenPipeError: [Errno 32] Broken pipe

python3 download_samples.py --vtapikey key is provided here --virustotal --zipfile 290

Namespace(nconcurrent=3, virusshare=False, virustotal=True, vtapikey=' ', zipfile=['290'], zipfilepassword=None)
Traceback (most recent call last):
File "download_samples.py", line 167, in
use_virustotal(args)
File "download_samples.py", line 92, in use_virustotal
0007df5e92070f8d12411078070bdcafb24df81c837d8113a1e047ed7ac9fba1 downloading
for i in range(args.narchiveprocs):
AttributeError: 'Namespace' object has no attribute 'narchiveprocs'
Process Process-4:
Traceback (most recent call last):
File "/usr/lib/python3.5/multiprocessing/managers.py", line 709, in _callmethod
conn = self._tls.connection
AttributeError: 'ForkAwareLocal' object has no attribute 'connection'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.5/multiprocessing/process.py", line 249, in _bootstrap
self.run()
File "/usr/lib/python3.5/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "download_samples.py", line 51, in download_worker_function
sha256 = download_queue.get()
File "", line 2, in get
File "/usr/lib/python3.5/multiprocessing/managers.py", line 713, in _callmethod
self._connect()
File "/usr/lib/python3.5/multiprocessing/managers.py", line 700, in _connect
conn = self._Client(self._token.address, authkey=self._authkey)
File "/usr/lib/python3.5/multiprocessing/connection.py", line 487, in Client
c = SocketClient(address)
File "/usr/lib/python3.5/multiprocessing/connection.py", line 614, in SocketClient
s.connect(address)
FileNotFoundError: [Errno 2] No such file or directory
Process Process-3:
Traceback (most recent call last):
File "/usr/lib/python3.5/multiprocessing/process.py", line 249, in _bootstrap
self.run()
File "/usr/lib/python3.5/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "download_samples.py", line 51, in download_worker_function
sha256 = download_queue.get()
File "", line 2, in get
File "/usr/lib/python3.5/multiprocessing/managers.py", line 717, in _callmethod
kind, result = conn.recv()
File "/usr/lib/python3.5/multiprocessing/connection.py", line 250, in recv
buf = self._recv_bytes()
File "/usr/lib/python3.5/multiprocessing/connection.py", line 407, in _recv_bytes
buf = self._recv(4)
File "/usr/lib/python3.5/multiprocessing/connection.py", line 383, in _recv
raise EOFError
EOFError
0007df5e92070f8d12411078070bdcafb24df81c837d8113a1e047ed7ac9fba1 had a problem
0007df5e92070f8d12411078070bdcafb24df81c837d8113a1e047ed7ac9fba1 done
Process Process-2:
Traceback (most recent call last):
File "/usr/lib/python3.5/multiprocessing/process.py", line 249, in _bootstrap
self.run()
File "/usr/lib/python3.5/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "download_samples.py", line 67, in download_worker_function
download_queue.task_done()
File "", line 2, in task_done
File "/usr/lib/python3.5/multiprocessing/managers.py", line 716, in _callmethod
conn.send((self._id, methodname, args, kwds))
File "/usr/lib/python3.5/multiprocessing/connection.py", line 206, in send
self._send_bytes(ForkingPickler.dumps(obj))
File "/usr/lib/python3.5/multiprocessing/connection.py", line 404, in _send_bytes
self._send(header + buf)
File "/usr/lib/python3.5/multiprocessing/connection.py", line 368, in _send
n = write(self._handle, buf)
BrokenPipeError: [Errno 32] Broken pipe

FileNotFoundError: [Errno 2] No such file or directory: 'upx': 'upx'

Hello I am getting this error. While executing test_agent_chainer.py. Please help me out.

ValueError while running test_agent_kerasrl.py

Traceback (most recent call last):
File "test_agent_kerasrl.py", line 59, in
dqn_success, _ = evaluate( model_policy(dqn) )
File "test_agent_kerasrl.py", line 23, in evaluate
action = action_function( bytez )
File "test_agent_kerasrl.py", line 53, in f
action_index = boltzmann_action( q_values ) # alternative: best_action
File "test_agent_kerasrl.py", line 42, in
boltzmann_action = lambda x : np.argmax( np.random.multinomial( 1, softmax(x).flatten()))
File "mtrand.pyx", line 4617, in mtrand.RandomState.multinomial (numpy/random/mtrand/mtrand.c:37769)
ValueError: sum(pvals[:-1]) > 1.0