Adversarial Deep Ensemble: Evasion Attacks and Defenses for Malware Detection
This work addresses the critical problem of improving cybersecurity for malware detection systems, though it is incremental as it builds on existing adversarial training and ensemble methods.
The paper tackles the vulnerability of machine learning-based malware detectors to evasion attacks by proposing a new adversarial training method for deep neural network ensembles, which significantly enhances robustness against 26 different attacks on Android malware datasets, while also showing that ensemble attacks can effectively evade these enhanced detectors and degrade services like VirusTotal.
Malware remains a big threat to cyber security, calling for machine learning based malware detection. While promising, such detectors are known to be vulnerable to evasion attacks. Ensemble learning typically facilitates countermeasures, while attackers can leverage this technique to improve attack effectiveness as well. This motivates us to investigate which kind of robustness the ensemble defense or effectiveness the ensemble attack can achieve, particularly when they combat with each other. We thus propose a new attack approach, named mixture of attacks, by rendering attackers capable of multiple generative methods and multiple manipulation sets, to perturb a malware example without ruining its malicious functionality. This naturally leads to a new instantiation of adversarial training, which is further geared to enhancing the ensemble of deep neural networks. We evaluate defenses using Android malware detectors against 26 different attacks upon two practical datasets. Experimental results show that the new adversarial training significantly enhances the robustness of deep neural networks against a wide range of attacks, ensemble methods promote the robustness when base classifiers are robust enough, and yet ensemble attacks can evade the enhanced malware detectors effectively, even notably downgrading the VirusTotal service.