Windows malware detectors based on machine learning are vulnerable to adversarial examples, even if the attacker is only given black-box query access to the model. The main drawback of these attacks is that: ( $i$ ) they are query-inefficient, as they rely on iteratively applying random transformations to the input malware; and ( $ii$ ) they may also require executing the adversarial malware in a sandbox at each iteration of the optimization process, to ensure that its intrusive functionality is preserved. In this paper, we overcome these issues by presenting a novel family of black-box attacks that are both query-efficient and functionality-preserving, as they rely on the injection of benign content (which will never be executed) either at the end of the malicious file, or within some newly-created sections. Our attacks are formalized as a constrained minimization problem which also enables optimizing the trade-off between the probability of evading detection and the size of the injected payload. We empirically investigate this trade-off on two popular static Windows malware detectors, and show that our black-box attacks can bypass them with only few queries and small payloads, even when they only return the predicted labels. We also evaluate whether our attacks transfer to other commercial antivirus solutions, and surprisingly find that they can evade, on average, more than 12 commercial antivirus engines. We conclude by discussing the limitations of our approach, and its possible future extensions to target malware classifiers based on dynamic analysis.

中文翻译：

---

对抗性 Windows 恶意软件的功能保留黑盒优化

基于机器学习的 Windows 恶意软件检测器容易受到对抗样本的攻击，即使攻击者只获得了对该模型的黑盒查询访问权限。这些攻击的主要缺点是：（ $i$ ) 它们查询效率低下，因为它们依赖于对输入恶意软件迭代地应用随机转换；和 （ $ii$ ) 他们可能还需要在优化过程的每次迭代中在沙箱中执行对抗性恶意软件，以确保保留其侵入性功能。在本文中，我们通过提出一种新颖的黑盒攻击系列来克服这些问题，这些攻击既具有查询效率又保留功能，因为它们依赖于在结束时注入良性内容（永远不会执行）恶意文件，或在一些新创建的部分中。我们的攻击被形式化为约束最小化问题，这也可以优化逃避检测的概率和注入的有效载荷大小之间的权衡。我们根据经验研究了两种流行的静态 Windows 恶意软件检测器的这种权衡，并表明我们的黑盒攻击可以仅用很少的查询和小的有效载荷绕过它们，即使它们只返回预测的标签。我们还评估了我们的攻击是否会转移到其他商业防病毒解决方案上，并惊讶地发现它们平均可以躲避超过 12 个商业防病毒引擎。最后，我们讨论了我们方法的局限性，以及基于动态分析的目标恶意软件分类器未来可能的扩展。