In recent years, machine learning (ML)-based malware detection methods have attracted more attention due to their high detection accuracy, their ability to classify massive amounts of potential malware, and the reduced response time to new malware threats. Unfortunately, recent studies indicate that ML models are vulnerable to adversarial attacks which fool the models into producing incorrect results. In the field of malware detection, adversarial examples must bypass the detection of machine learning models while the original functionality of the malware is preserved. Previous malware adversarial attacks are usually divided into the following steps: first, some features are extracted from a malware sample and composed into a feature vector; second, function-irrelevant features are added to the feature vector to bypass the detection of machine learning models. However, the adversarial examples generated by such methods are essentially feature vectors and cannot be executed directly to perform malicious actions. Some of the state-of-the-art adversarial attacks even damage the original malware functionality. To address these challenges, in this paper we propose an effective black-box attack methodology named Malicious-function Reserved Automated Attack (MRA2) against ML-based malware detection models. Our attack can automatically locate the function-irrelevant parts of executable malware files and generate a set of executable adversarial examples whose malicious function is preserved. To evaluate the effectiveness of the proposed MRA2, we conduct extensive experiments on a series of popular ML models, including CNN, SVM and RF. In addition, a novel defense strategy is proposed which utilizes a well-designed translation layer to improve the robustness of the ML models. During our experimental evaluations, we consider two types of adversarial attacks: injection and non-injection attacks. Experimental results demonstrate that our attack achieves up to 100% success rate in the best case and 100% malware-function preservation in online sandbox tests. In order to evaluate the success rate of MRA2 under existing defense methods, this paper re-implements three defense strategies: adversarial training, ensemble training and SafetyNet. The experimental results show that MRA2 can evade machine learning based malware detectors deployed with these defenses with up to 96% success rate in the best case.

In order to mitigate such attacks, various proactive and passive defenses have been proposed. However, most of them are only effective against specific types of adversarial attacks and cannot defend against white-box attacks and black-box attacks at the same time. In addition, most passive defense strategies bring additional overhead for training detectors. To address these challenges, this paper proposes a defense method against adversarial attacks called AdvTrans, which introduces a well-designed translation layer into deep learning models to improve their robustness. In AdvTrans, the input images are translated by the translation layer to destroy the perturbations added to adversarial examples. Besides, a novel method is proposed to augment the training set; with the augmented training set, the accuracy of the machine learning models is not reduced by the translation layer. To evaluate the robustness of the proposed AdvTrans, we first re-implemented mainstream white-box attacks (FGSM and CW) and a black-box attack based on the one-pixel attack, and then evaluated the accuracy of models deployed with adversarial training, ensemble training, SafetyNet and AdvTrans under the above attacks. The average magnitude of the perturbations is also calculated on the original models and on models deployed with the above defense strategies. Experimental results show that AdvTrans is robust against both black-box and white-box attacks and can detect adversarial examples without training a detector, which reduces training overhead.