PAD: Towards Principled Adversarial Malware Detection Against Evasion Attacks
This work addresses the critical issue of securing malware detection systems against adversarial attacks, providing a principled solution with broad implications for cybersecurity, though it is domain-specific to malware detection.
The paper tackles the problem of evasion attacks on machine learning-based malware detection by proposing a new adversarial training framework called PAD, which offers theoretical guarantees and significantly outperforms state-of-the-art defenses, achieving detection accuracies over 83.45% against 27 evasion attacks with less than a 2.16% accuracy drop in attack-free scenarios.
Machine Learning (ML) techniques can facilitate the automation of malicious software (malware for short) detection, but suffer from evasion attacks. Many studies counter such attacks in heuristic manners, lacking theoretical guarantees and defense effectiveness. In this paper, we propose a new adversarial training framework, termed Principled Adversarial Malware Detection (PAD), which offers convergence guarantees for robust optimization methods. PAD lays on a learnable convex measurement that quantifies distribution-wise discrete perturbations to protect malware detectors from adversaries, whereby for smooth detectors, adversarial training can be performed with theoretical treatments. To promote defense effectiveness, we propose a new mixture of attacks to instantiate PAD to enhance deep neural network-based measurements and malware detectors. Experimental results on two Android malware datasets demonstrate: (i) the proposed method significantly outperforms the state-of-the-art defenses; (ii) it can harden ML-based malware detection against 27 evasion attacks with detection accuracies greater than 83.45%, at the price of suffering an accuracy decrease smaller than 2.16% in the absence of attacks; (iii) it matches or outperforms many anti-malware scanners in VirusTotal against realistic adversarial malware.