Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Abstract Recent progress in machine learning has led to promising results behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. hold great promise as they are intrinsically related the functioning of each malware, and therefore considered difficult evade. Indeed, while a significant amount exists on evasion static features, dynamic seen limited work. This paper examines robustness ransomware detectors proposes multiple novel techniques evade them. Ransomware behavior differs significantly from that benign processes, making it an ideal best case for detectors, candidate evasion. We identify propose set attacks distribute overall workload across small independent, cooperating order avoid generation features. Our most effective attack decreases accuracy state-of-the-art classifier 98.6 0% using only 18 processes. Furthermore, we show our be against commercial black-box setting. Finally, evaluate detector designed attack, well discuss potential directions mitigate advanced attack.