Attacking the First-Principle: A Black-Box, Query-Free Targeted Mimicry Attack on Binary Function Classifiers

📅 2026-05-18
🤖 AI Summary
This work addresses the vulnerability of existing machine learning–based binary function classifiers to targeted mimicry attacks under query-free, black-box settings, where effective defenses are currently lacking. The authors propose Kelpie, a novel framework that, for the first time, enables targeted mimicry attacks against such classifiers without any queries and with only black-box access. Kelpie leverages semantics-preserving binary code transformations to alter malicious payloads so they are misclassified as a specified benign function type, without changing their underlying malicious behavior. By integrating multiple binary representations and model-agnostic attack strategies, Kelpie is applicable across diverse classifier architectures. Experimental results demonstrate high attack success rates on six state-of-the-art binary function classifiers, effectively disguising keyloggers and wipers as benign functions, thereby validating its practical efficacy.
📝 Abstract
Binary function classifiers play a crucial role in maintaining the security and integrity of software systems by detecting malicious code and unauthorized modifications. However, machine learning-based classifiers are vulnerable to adversarial attacks that can evade detection. In this study, we present Kelpie, a novel framework for executing mimicry attacks, a stronger type of targeted evasion attack, on binary function classifiers in a black-box, zero-query setting. Unlike previous approaches that rely on querying the target classifier to refine untargeted evasion attacks, Kelpie leverages code transformations that preserve the functionality of malicious payloads while causing them to be misclassified as we want. Through extensive experimentation, we demonstrate that Kelpie can successfully execute mimicry attacks against six state-of-the-art binary function classifiers representing different model architectures without requiring direct interaction with them. We further validate our approach with a practical demonstration involving a keylogger and a wiper concealed within benign-looking functions embedded in an application. This work, to the best of our knowledge, is the first to demonstrate such a mimicry attack in a black-box, zero-query context, raising important questions about the reliability and security of existing machine learning-based binary function classifiers.
Problem
Research questions and friction points this paper is trying to address: binary function classifiers, adversarial attacks, mimicry attacks, black-box, zero-query.
Innovation
Methods, ideas, or system contributions that make the work stand out: mimicry attack, black-box attack, zero-query, binary function classifier, adversarial evasion.
Authors
Gabriel Sauger, Université de Lorraine, CNRS, LORIA, F-54000 Nancy, France
Jean-Yves Marion, Université de Lorraine, CNRS, LORIA, F-54000 Nancy, France
Sazzadur Rahaman, Assistant Professor of Computer Science at The University of Arizona (Security, Privacy, Program Analysis, Applied Cryptography, Internet Measurement)
Victor Matrat, Université de Lorraine, CNRS, LORIA, F-54000 Nancy, France
Vincent Tourneur, Université de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy, France
Muaz Ali, University of Arizona, Tucson, AZ, USA