Machine learning based solutions have been successfully employed for automatic detection of malware on Android. However, machine learning models lack robustness to adversarial examples, which are crafted by adding carefully chosen perturbations to normal inputs. So far, adversarial examples have only been able to deceive detectors that rely on syntactic features (e.g., requested permissions, API calls, etc.), and the perturbations could only be implemented by simply modifying the application's manifest. As recent Android malware detectors rely more on semantic features from Dalvik bytecode than on the manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new attacking method that generates adversarial examples of Android malware and evades detection by current models. To this end, we propose a method of applying optimal perturbations to an Android APK that can successfully deceive machine learning detectors. We develop an automated tool to generate the adversarial examples without human intervention. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as the control-flow graph. The perturbations can also be implemented directly in the APK's Dalvik bytecode rather than the Android manifest to evade recent detectors. We demonstrate our attack on two state-of-the-art Android malware detection schemes, MaMaDroid and Drebin. Our results show that the malware detection rates decreased from 96% to 0% in MaMaDroid, and from 97% to 0% in Drebin, with just a small amount of code inserted into the APK.