Over the last decade, several studies have investigated the weaknesses of Android malware detectors against adversarial examples by proposing novel evasion attacks; however, their practicality in manipulating real-world malware remains arguable. The majority of studies have assumed attackers know the details of the target classifiers used for malware detection, while in reality, malicious actors have limited access to the target classifiers. This paper presents a practical evasion attack, EvadeDroid, to circumvent black-box Android malware detectors. In addition to generating real-world adversarial malware, the proposed evasion attack can also preserve the functionality of the original malware samples. EvadeDroid prepares a collection of functionality-preserving transformations using an n-gram-based similarity method, which are then used to morph malware instances into benign ones via an iterative and incremental manipulation strategy. The proposed manipulation technique is a novel, query-efficient optimization algorithm with the aim of finding and injecting optimal sequences of transformations into malware samples. Our empirical evaluation demonstrates the efficacy of EvadeDroid under hard- and soft-label attacks. Moreover, EvadeDroid is capable to generate practical adversarial examples with only a small number of queries, with evasion rates of $81\%$, $73\%$, $75\%$, and $79\%$ for DREBIN, Sec-SVM, MaMaDroid, and ADE-MA, respectively. Finally, we show that EvadeDroid is able to preserve its stealthiness against five popular commercial antivirus, thus demonstrating its feasibility in the real world.
翻译:过去十年来,一些研究调查了Android 恶意软件探测器对对抗性证据的弱点,提出了新颖的规避攻击建议;然而,它们操纵真实世界的恶意软件的实用性仍然是可以论证的。大多数研究假设攻击者知道用于恶意软件检测的目标分类器的细节,而实际上恶意行为者接触目标分类器的渠道有限。本文介绍了一种实际的规避攻击,EvadeDroid,目的是绕过黑箱和机器人恶意软件探测器。除了产生真实世界的对抗性恶意软件外,拟议的规避攻击还可以维护原始恶意软件样品的功能。此外,EvadeDroid利用基于正克的类似方法准备了一套功能保护功能的变换。然后通过迭代和递增的操纵战略将恶意软件转换成良性软件。提议的操纵技术是一种新颖的、有查询效率的优化算法,目的是寻找和将最优的变换序列注入恶意软件样本。我们的经验评估了EvadeDroid在硬性和软标签攻击下的效力。此外,EvadeDroidrodroid用基于n-gy proid prival private pract pract pract practal$ practal press,我们能够产生一个实际的对抗真实的抗变现成本, $ $