The Cylance AI-based antivirus product, prior to July 21, 2019, contains flaws that allow an adversary to craft malicious files that the AV product will likely mistake for benign files.
Cylance PROTECT is an endpoint protection system. It includes antivirus functionality that uses a machine learning algorithm (specifically, a neural network) to classify executables as malicious or benign. Security researchers isolated properties of the machine learning algorithm that allow them to change most known-malicious files in simple ways that cause the Cylance product to misclassify the file as benign. Several common malware families, such as Dridex, Gh0stRAT, and Zeus, were reported as successfully modified to bypass the Cylance product in this way. The success rate of the bypass is reported as approximately 85% of malicious files tested. Cylance reports a 50% bypass creation success rate based on internal testing. Either way, attacker effort to find a successful bypass would be low. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware, just appending strings to it.
The specific attack reported by Skylight Cyber relies on a particular set of strings used by the Cylance product. Although Cylance used an ensemble model that made some uncommon model design choices to achieve a white-listing functionality, this over-reliance on specific details when classifying a file is an instance of a common weakness in machine learning algorithms. For a comprehensive discussion of attacks on machine learning systems, see Papernot N, McDaniel P, Sinha A, Wellman MP. SoK: Security and privacy in machine learning. IEEE EuroS&P 2018.
Because this flaw is an instance of a broader category of weaknesses in machine learning algorithms, we do not expect an easy solution. Cylance describes their response as "three-fold: First, we have added anti-tampering controls to the parser in order to detect feature manipulation and prevent them from impacting the model score. Second, we have strengthened the model itself to detect when certain features become proportionally overweight. Lastly, we have removed the features in the model that were most susceptible to tampering." This patch should stop the specific keywords used by the Skylight Cyber researchers from allowing an attacker to bypass detection, and it should increase the attacker effort required to find similar bypass techniques.
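To make the idea of a parser-side tamper check concrete, the following added example (not part of the original note and not Cylance's implementation) measures a PE file's overlay, the bytes past the last section's raw data where appended strings end up, and how much of that overlay is printable text. The function names, thresholds, and sample bytes are constructed assumptions.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER

def overlay_report(data: bytes) -> dict:
    """Measure the overlay: bytes past the last section's raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]   # NumberOfSections
    optsz = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + optsz                             # first section header
    end = table + SECTION_HDR * nsect                   # end of the headers
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit 16 bytes into each header.
        raw_size, raw_ptr = struct.unpack_from(
            "<II", data, table + SECTION_HDR * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    overlay = data[min(end, len(data)):]  # truncated file: empty overlay
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in overlay)
    return {
        "overlay_bytes": len(overlay),
        "overlay_fraction": len(overlay) / len(data),
        "printable_fraction": printable / len(overlay) if overlay else 0.0,
    }

def string_padding_suspected(rep, min_fraction=0.5, min_printable=0.9):
    """Thresholds are illustrative assumptions; tune them on known-good files."""
    return (rep["overlay_fraction"] >= min_fraction
            and rep["printable_fraction"] >= min_printable)

def constructed_pe(section_body: bytes) -> bytes:
    """Constructed one-section header layout: parseable, not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_ptr = len(dos) + len(coff) + SECTION_HDR
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section_body), 0x1000,
                          len(section_body), raw_ptr)
            + b"\0" * 16)
    return dos + coff + sect + section_body
```

Legitimate files also carry overlays (installers, and Authenticode signatures, which are stored past the last section), so this is a triage signal to combine with the classifier's verdict rather than a verdict on its own.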
An attacker can easily and significantly improve their malware's defense evasion against affected antivirus products. Unsophisticated attackers can leverage this flaw to change any executable to which they have access; the defense evasion does not require rewriting the malware, just appending strings to it.
Apply a patch
This document was written by Jonathan Spring and Allen Householder.
Date First Published: 2019-08-01
Date Last Updated: 2019-08-01 17:20 UTC