Strengthening the robustness of machine learning-based malware detectors against realistic evasion attacks remains one of the major obstacles for Android malware detection. To that end, existing work has focused on interpreting domain constraints of Android malware in the problem space, where problem-space realizable adversarial examples are generated. In this paper, we provide another promising way to achieve the same goal but based on interpreting the domain constraints in the feature space, where feature-space realizable adversarial examples are generated. Specifically, we present a novel approach to extracting feature-space domain constraints by learning meaningful feature dependencies from data, and applying them based on a novel robust feature space. Experimental results successfully demonstrate the effectiveness of our novel robust feature space in providing adversarial robustness for DREBIN, a state-of-the-art Android malware detector. For example, it can decrease the evasion rate of a realistic gradient-based attack by $96.4\%$ in a limited-knowledge (transfer) setting and by $13.8\%$ in a more challenging, perfect-knowledge setting. In addition, we show that directly using our learned domain constraints in the adversarial retraining framework leads to about $84\%$ improvement in a limited-knowledge setting, with up to $377\times$ faster implementation than using problem-space adversarial examples.