# Adversarial EXEmples: evasion attacks against Windows malware detectors

In this laboratory, you will learn how to use SecML to create adversarial examples against Windows malware detector implemented through machine learning techniques. To do so, we will use [SecML malware](https://github.com/pralab/secml_malware), a SecML plugin containing most of the strategies developed to evade detectors.

[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](
https://colab.research.google.com/github/fabiogueunige/Trustworthy/blob/HEAD/03-AdversarialEXEmples.ipynb)  

In [None]:
try:
    import secml_malware
except ImportError:
    %pip install git+https://github.com/elastic/ember.git
    %pip install secml-malware

# The Windows PE file format
Before starting the explanations of attacks, we remind how Windows programs are stored as file, following the [Windows Portable Executable (PE)](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) file format.
There are tons of Python libraries for dissecting programs, one of the best is [lief](https://github.com/lief-project/LIEF).
The latter is also used inside `secml-malware` to perturb samples, as shown later on in this tutorial.
Opening an executable is straight-forward:

In [None]:
import lief

exe_path = 'exe/calc.exe'
exe_object: lief.PE = lief.parse(exe_path)

Now, the `exe_object` contains all the information of the loaded program.
We can look for all the components. For instance, here is how you can read the header metadata:

In [None]:
print('DOS Header')
print(exe_object.dos_header)

print('PE Header')
print(exe_object.header)

print('Optional Header')
print(exe_object.optional_header)

print('Sections')
for s in exe_object.sections:
    print(s.name, s.characteristics_lists)

This library is also very useful for manipulating the EXEs.
For instance, in few lines of code you can add sections to a program.

In [None]:
# Importa la libreria LIEF per manipolare file PE (Portable Executable)
import lief

# Crea una nuova sezione PE. La dimensione del nome della sezione è limitata a 8 byte.
new_section : lief.PE.Section = lief.PE.Section()

# Assegna il nome alla nuova sezione
new_section.name = '.newsec'

# Imposta il contenuto della nuova sezione come una lista di valori ASCII dei caratteri nella stringa
new_section.content = [ord(i) for i in "This is my newly created section"]

# Imposta le caratteristiche della sezione, in questo caso la sezione è scartabile dalla memoria
new_section.characteristics = lief.PE.SECTION_CHARACTERISTICS.MEM_DISCARDABLE

# Aggiunge la nuova sezione all'oggetto PE esistente
exe_object.add_section(new_section)

# Crea un costruttore PE per ricostruire il binario con la nuova sezione
builder = lief.PE.Builder(exe_object)

# Costruisce il nuovo binario
builder.build()

# Analizza il binario appena costruito per ottenere l'oggetto PE aggiornato
exe_object = lief.PE.parse(builder.get_build())

# Stampa i nomi delle sezioni e le loro caratteristiche
print('Sections')
for s in exe_object.sections:
    print(s.name, s.characteristics_lists)

# Scrive il nuovo binario su un file
builder.write('new_exe.file')

As you can see, the new section appeared as last one.
More information on how to use lief on the [documentation of the library](https://lief-project.github.io/doc/stable/index.html).

# Evasion of End-to-end Deep Neural Network for Malware Detection

In this tutorial, you will learn how to use this plugin to test the already implemented attacks against a PyTorch network of your choice.
We first instantiate a deep neural network trained on raw bytes, called MalConv, and we pass it to SecML Malware.

In [None]:
# Importa il modulo os per interagire con il sistema operativo
import os

# Importa il modulo magic per identificare i tipi di file
import magic

# Importa CArray dalla libreria secml per la manipolazione di array
from secml.array import CArray

# Importa il modello MalConv dalla libreria secml_malware
from secml_malware.models.malconv import MalConv

# Importa CClassifierEnd2EndMalware e End2EndModel dalla libreria secml_malware
# CClassifierEnd2EndMalware è un modello che prende un dispositivo e restituisce un output
from secml_malware.models.c_classifier_end2end_malware import CClassifierEnd2EndMalware, End2EndModel

# Crea un'istanza del modello MalConv (Malware Convolution, un modello basato su pytorch)
net = MalConv()

# Avvolge il modello MalConv con CClassifierEnd2EndMalware per creare un modello end-to-end
net = CClassifierEnd2EndMalware(net)

# Carica il modello pre-addestrato e aggiunge anche un po' di padding all'input
net.load_pretrained_model()

# Stampa la rappresentazione del modello caricato
print(net)

Firstly, we have created the network (MalConv) and it has been passed wrapped with a *CClassifierEnd2EndMalware* model class.
This object generalizes PyTorch end-to-end ML models.
Since MalConv is already coded inside the plugin, the weights are also stored, and they can be retrieved with the *load_pretrained_model* method.

If you wish to use diffierent weights, pass the path to the PyTorch *pth* file to that method.

In [None]:
from secml_malware.attack.whitebox.c_header_evasion import CHeaderEvasion # Attack Dos Header

# Load the malware sample to be attacked 
partial_dos = CHeaderEvasion(net, random_init=False, iterations=10, optimize_all_dos=False, threshold=0)

This is how an attack is created, no further action is needed.
The `random_init` parameter specifies if the bytes should be assigned with random values before beginning the optimization process, `iterations` sets the number of steps of the attack, `optimize_all_dos` sets if all the DOS header should be perturbed, or just the first 58 bytes, while `threshold` is the detection threshold used as a stopping condition.

If you want to see how much the network is deteriorated by the attack, set this parameter to 0, or it will stop as soon as the confidence decreases below such value.

In [None]:
# Definisce la cartella contenente i file eseguibili
folder = "exe"

# Inizializza le liste per i dati di input, le etichette e i nomi dei file
X = []
y = []
file_names = []

# Itera su tutti i file nella cartella specificata
for i, f in enumerate(os.listdir(folder)):
    # Costruisce il percorso completo del file
    path = os.path.join(folder, f)
    
    # Verifica se il percorso è un file, altrimenti continua con il prossimo file
    if not os.path.isfile(path):
        continue
    
    # Verifica se il file è un eseguibile PE32, altrimenti continua con il prossimo file
    if "PE32" not in magic.from_file(path):
        continue
    
    # Legge il contenuto del file in modalità binaria
    with open(path, "rb") as file_handle:
        code = file_handle.read()
    
    # Converte il contenuto del file in un array numpy utilizzando il modello end-to-end
    x = End2EndModel.bytes_to_numpy(
        code, net.get_input_max_length(), 256, False
    )
    
    # Predice la probabilità di malware e ottiene la confidenza
    _, confidence = net.predict(CArray(x), True)

    # Se la confidenza è inferiore a 0.5, continua con il prossimo file
    if confidence[0, 1].item() < 0.5:
        continue

    # Stampa il nome del file aggiunto e la sua confidenza
    print(f"> Added {f} with confidence {confidence[0,1].item()}")
    
    # Aggiunge l'array numpy alla lista degli input
    X.append(x)
    
    # Aggiunge la confidenza alla lista delle etichette
    conf = confidence[1][0].item()
    y.append([1 - conf, conf])
    
    # Aggiunge il percorso del file alla lista dei nomi dei file
    file_names.append(path)

We load a simple dataset from the provided `exe` that you have filled with malware to test the attacks.
Since we are dealing with SecML, we need to load all the programs inside as CArrays.
Once we have built the dataset, we can run the instantiated attack.  
Model if not heck the overfitting than very bad (decision trees are more robust)

In [None]:
# Showed part
for sample, label in zip(X, y):
    # run the attack
    y_pred, adv_score, adv_ds, f_obj = partial_dos.run(CArray(sample), CArray(label[1]))
    # return the probabilities of the attack (know how fast reduce the confidence of the attack)
    print(partial_dos.confidences_)

In [None]:
import matplotlib.pyplot as plt

# plotting the confidence of the attack
plt.plot(partial_dos.confidences_)

Inside the `adv_ds` object, you can find the adversarial example computed by the attack.
You can reconstruct the functioning example by using a specific function inside the plugin.

In [None]:
# Ottiene il primo esempio avversario dal dataset avversario
adv_x = adv_ds.X[0, :]

# Crea un campione reale dall'esempio avversario utilizzando il file originale
real_adv_x = partial_dos.create_real_sample_from_adv(file_names[0], adv_x)

# Stampa la lunghezza del campione reale avversario
print(len(real_adv_x))

# Converte il campione reale avversario in un array numpy utilizzando il modello end-to-end
real_x = End2EndModel.bytes_to_numpy(real_adv_x, net.get_input_max_length(), 256, False)

# Predice la probabilità di malware e ottiene la confidenza per il campione reale avversario
_, confidence = net.predict(CArray(real_x), True)

# Stampa la confidenza del campione reale avversario
print(confidence[0, 1].item())

... and you're done!
If you want to create a real sample (stored on disk), just have a look at the `create_real_sample_from_adv` of each attack. It accepts a third string argument that will be used as a destination file path for storing the adversarial example.

We used one attack, which is the Partial DOS one. But what if we want to use others?
SecML malware is shipped with different attacking strategies, that can be easily created similarly to the DOS Header attack. A complete list of them can be found in the [source code](https://github.com/pralab/secml_malware/tree/master/secml_malware/attack/whitebox) or the [documentation](https://secml-malware.readthedocs.io/en/docs/source/secml_malware.attack.whitebox.html) of the other white box attacks.
To give you a practical example, we now use an attack that append bytes at the end of the file (padding) and replace unusued space between sections (slack), and it leverages an iterative version of [FGSM attack](https://arxiv.org/abs/1802.04528) to optimize the byte values of executables.

In [None]:
# Importa l'attacco whitebox CKreukEvasion dalla libreria secml_malware
from secml_malware.attack.whitebox import CKreukEvasion

# Crea un'istanza dell'attacco CKreukEvasion con i parametri specificati
ifgsm = CKreukEvasion(net, how_many_padding_bytes=58, epsilon=1.0, iterations=10, threshold=0)

# Itera su ogni campione e etichetta nei dati di input e nelle etichette
for i, (sample, label) in enumerate(zip(X, y)):
    # Esegue l'attacco IFGSM sul campione e ottiene la previsione, il punteggio avversario, il dataset avversario e l'oggetto funzione
    y_pred, adv_score, adv_ds, f_obj = ifgsm.run(CArray(sample), CArray(label[1]))
    
    # Stampa le confidenze dell'attacco
    print(ifgsm.confidences_)
    
    # Crea un campione reale dall'esempio avversario utilizzando il file originale
    real_adv_x = ifgsm.create_real_sample_from_adv(file_names[i], adv_ds.X[i, :])
    
    # Legge e stampa la lunghezza del file originale
    with open(file_names[i], 'rb') as f:
        print('Original length: ', len(f.read()))
    
    # Stampa la lunghezza del campione avversario reale
    print('Adversarial sample length: ', len(real_adv_x))

In [None]:
from secml.figure import CFigure

fig = CFigure()
fig.sp.plot(partial_dos.confidences_, label='dos')
fig.sp.plot(ifgsm.confidences_, label='kreuk')
fig.sp.plot([0, 10], [0.5, 0.5], label='threshold', linestyle='--', c='r')
fig.sp.xlabel('Iterations')
fig.sp.ylabel('Malware class confidence')
fig.sp.legend()
fig.show()

As you notice, the attacks behave differently. Can you guess why?

# Gradient-free evasion of Windows Malware Detectors

We move to gradient-free approaches, and we will leverage optimisation of adversarial content injected through new sections inside the input executable.

In [None]:
import os

import magic
import numpy as np
from secml.array import CArray

from secml_malware.attack.blackbox.c_wrapper_phi import CEnd2EndWrapperPhi
from secml_malware.attack.blackbox.ga.c_base_genetic_engine import CGeneticAlgorithm
from secml_malware.models.c_classifier_end2end_malware import CClassifierEnd2EndMalware
from secml_malware.models.malconv import MalConv

net = CClassifierEnd2EndMalware(MalConv())
net.load_pretrained_model()
net = CEnd2EndWrapperPhi(net)

Firstly, we have created the network (MalConv) and it has been passed wrapped with a *CClassifierEnd2EndMalware* model class.
Since MalConv is already coded inside the plugin, the weights are also stored, and they can be retrieved with the *load_pretrained_model* method.

If you wish to use diffierent weights, pass the path to the PyTorch *pth* file to that method.

Then, we wrap it inside a `CEnd2EndWrapperPhi`, that is an interface that abstracts from the feature extraction phase of the model.
This is needed for the black-box settings of the attack.

We will start by optimizing byte-per-byte through the injection of padding bytes.

In [None]:
# Importa la libreria numpy per la manipolazione degli array
import numpy as np

# Definisce la cartella contenente i file eseguibili
folder = 'exe'

# Inizializza le liste per i dati di input, le etichette e i nomi dei file
X_gf = []
y_gf = []
file_names_gf = []

# Itera su tutti i file nella cartella specificata
for i, f in enumerate(os.listdir(folder)):
    # Costruisce il percorso completo del file
    path = os.path.join(folder, f)
    
    # Verifica se il percorso è un file, altrimenti continua con il prossimo file
    if not os.path.isfile(path):
        continue
    
    # Verifica se il file è un eseguibile PE32, altrimenti continua con il prossimo file
    if "PE32" not in magic.from_file(path):
        continue
    
    # Legge il contenuto del file in modalità binaria
    with open(path, "rb") as file_handle:
        code = file_handle.read()
    
    # Converte il contenuto del file in un array CArray utilizzando numpy
    x = CArray(np.frombuffer(code, dtype=np.uint8))
    
    # Predice la probabilità di malware e ottiene la confidenza
    _, confidence = net.predict(x, True)

    # Se la confidenza è inferiore a 0.5, continua con il prossimo file
    if confidence[0, 1].item() < 0.5:
        continue

    # Stampa il nome del file aggiunto e la sua confidenza
    print(f"> Added {f} with confidence {confidence[0,1].item()}")
    
    # Aggiunge l'array CArray alla lista degli input
    X_gf.append(x)
    
    # Aggiunge l'etichetta alla lista delle etichette (1 indica malware)
    y_gf.append(1)
    
    # Aggiunge il percorso del file alla lista dei nomi dei file
    file_names_gf.append(path)

In [None]:
# Importa l'attacco blackbox CBlackBoxPaddingEvasionProblem dalla libreria secml_malware
from secml_malware.attack.blackbox.c_black_box_padding_evasion import CBlackBoxPaddingEvasionProblem

# Importa l'algoritmo genetico CGeneticAlgorithm dalla libreria secml_malware
from secml_malware.attack.blackbox.ga.c_base_genetic_engine import CGeneticAlgorithm

# Crea un'istanza dell'attacco CBlackBoxPaddingEvasionProblem con i parametri specificati
attack_padding = CBlackBoxPaddingEvasionProblem(net, population_size=10, penalty_regularizer=1e-6, iterations=500, how_many_padding_bytes=4096)

# Crea un'istanza dell'algoritmo genetico con l'attacco specificato
engine = CGeneticAlgorithm(attack_padding)

# Itera su ogni campione e etichetta nei dati di input e nelle etichette
for sample, label in zip(X_gf, y_gf):
    # Esegue l'attacco genetico sul campione e ottiene la previsione, il punteggio avversario, il dataset avversario e l'oggetto funzione
    y_pred, adv_score, adv_ds, f_obj = engine.run(sample, label)
    
    # Stampa le confidenze dell'attacco
    print(engine.confidences_)

Under the hood, the attack is optimizing each the 4096 bytes, one by one. To speed up the process, we can inject chunks of goodware content, and let the optimizer decide how much to extract.

In [None]:
from secml_malware.attack.blackbox.c_gamma_sections_evasion import CGammaSectionsEvasionProblem
goodware_folder = 'exe/goodware'
section_population, what_from_who = CGammaSectionsEvasionProblem.create_section_population_from_folder(goodware_folder, how_many=10, sections_to_extract=['.rdata'])

gamma_attack = CGammaSectionsEvasionProblem(section_population, net, population_size=10, penalty_regularizer=1e-6, iterations=100, threshold=0)

For the section injection attack implemented with GAMMA, we need first to extract the goodware sections.
Then, we create a `CGammaSectionsEvasionProblem` object, that contains the attack.

In [None]:
engine_gamma = CGeneticAlgorithm(gamma_attack)
for sample, label in zip(X, y):
    y_pred, adv_score, adv_ds, f_obj = engine_gamma.run(sample, CArray(label[1]))

Inside the `adv_ds` object, you can find the adversarial example computed by the attack.
You can reconstruct the functioning example by using a specific function inside the plugin:

In [None]:
adv_x = adv_ds.X[0,:]
engine_gamma.write_adv_to_file(adv_x,'adv_exe')
with open('adv_exe', 'rb') as h:
    code = h.read()
real_adv_x = CArray(np.frombuffer(code, dtype=np.uint8))
_, confidence = net.predict(CArray(real_adv_x), True)
print(confidence[0,1].item())

... and you're done!
If you want to create a real sample (stored on disk), just have a look at the `create_real_sample_from_adv` of each attack. It accepts a third string argument that will be used as a destination file path for storing the adversarial example.