Malicious software (malware) is a major cyber threat that has to be tackled with Machine Learning (ML) techniques because millions of new malware examples are injected into cyberspace on a daily basis. However, ML is vulnerable to attacks known as adversarial examples. In this paper, we survey and systematize the field of Adversarial Malware Detection (AMD) through the lens of a unified conceptual framework of assumptions, attacks, defenses, and security properties. This not only leads us to map attacks and defenses to partial order structures, but also allows us to clearly describe the attack-defense arms race in the AMD context. We draw a number of insights, including: knowing the defender's feature set is critical to the success of transfer attacks; the effectiveness of practical evasion attacks largely depends on the attacker's freedom in conducting manipulations in the problem space; knowing the attacker's manipulation set is critical to the defender's success; the effectiveness of adversarial training depends on the defender's capability in identifying the most powerful attack. We also discuss a number of future research directions.