Marco Alecci

Marco Alecci, Mauro Conti, Francesco Marchiori et al.

Evasion attacks are a threat to machine learning models, where adversaries attempt to affect classifiers by injecting malicious samples. An alarming side-effect of evasion attacks is their ability to transfer among different models: this property is called transferability. Therefore, an attacker can produce adversarial samples on a custom model (surrogate) to conduct the attack on a victim's organization later. Although literature widely discusses how adversaries can transfer their attacks, their experimental settings are limited and far from reality. For instance, many experiments consider both attacker and defender sharing the same dataset, balance level (i.e., how the ground truth is distributed), and model architecture. In this work, we propose the DUMB attacker model. This framework allows analyzing if evasion attacks fail to transfer when the training conditions of surrogate and victim models differ. DUMB considers the following conditions: Dataset soUrces, Model architecture, and the Balance of the ground truth. We then propose a novel testbed to evaluate many state-of-the-art evasion attacks with DUMB; the testbed consists of three computer vision tasks with two distinct datasets each, four types of balance levels, and three model architectures. Our analysis, which generated 13K tests over 14 distinct attacks, led to numerous novel findings in the scope of transferable attacks with surrogate models. In particular, mismatches between attackers and victims in terms of dataset source, balance levels, and model architecture lead to non-negligible loss of attack performance.

Marco Alecci, Riccardo Cestaro, Mauro Conti et al.

Android virtualization enables an app to create a virtual environment, in which other apps can run. Originally designed to overcome the limitations of mobile apps dimensions, malicious developers soon started exploiting this technique to design novel attacks. As a consequence, researchers proposed new defence mechanisms that enable apps to detect whether they are running in a virtual environment. In this paper, we propose Mascara, the first attack that exploits the virtualization technique in a new way, achieving the full feasibility against any Android app and proving the ineffectiveness of existing countermeasures. Mascara is executed by a malicious app, that looks like the add-on of the victim app. As for any other add-on, our malicious one can be installed as a standard Android app, but, after the installation, it launches Mascara against the victim app. The malicious add-on is generated by Mascarer, the framework we designed and developed to automate the whole process. Concerning Mascara, we evaluated its effectiveness against three popular apps (i.e., Telegram, Amazon Music and Alamo) and its capability to bypass existing mechanisms for virtual environments detection. We analyzed the efficiency of our attack by measuring the overhead introduced at runtime by the virtualization technique and the compilation time required by Mascarer to generate 100 malicious add-ons (i.e., less than 10 sec). Finally, we designed a robust approach that detects virtual environments by inspecting the fields values of ArtMethod data structures in the Android Runtime (ART) environment.