Abstract: Machine Learning (ML) has been increasingly applied to malware detection in recent years. The adversarial example (AE) attack, a well-known attack against ML that works across different mediums, is effective in evading or misleading ML-based malware detection systems. Such an attack could be made more effective if the generated AEs are transferable, so that the AEs can evade different types of malware detection models. To better understand AE transferability in the malware domain, in this paper we study AE transferability enhancement techniques and how they impact AE generation and Android malware detection. First, we adapt the current image-based AE transferability enhancement techniques (i.e., ensemble sample (ES) and ensemble model (EM)) to malware. In the adapted ES and EM methods, we maintain malware functionality and executability while adding perturbations. Further, we develop a new transfer-based AE generation method, BATE, using a novel feature evenness metric. The idea is to spread perturbations more evenly among perturbed features by incorporating an evenness score in the objective function. We compare our proposed methods with EM and ES on a real Android dataset. The extensive evaluations demonstrate the effectiveness of our method in increasing the upper bound of AE transferability. We also confirm the effectiveness of our evenness-score-based method by showing quantitative correlations between AE transferability and feature evenness score.