Over the years, most research towards defenses against adversarial attacks on machine learning models has been in the image recognition domain. The malware detection domain has received less attention despite its importance. Moreover, most work exploring these defenses has focused on several methods but with no strategy when applying them. In this paper, we introduce StratDef, which is a strategic defense system based on a moving target defense approach. We overcome challenges related to the systematic construction, selection, and strategic use of models to maximize adversarial robustness. StratDef dynamically and strategically chooses the best models to increase the uncertainty for the attacker while minimizing critical aspects in the adversarial ML domain, like attack transferability. We provide the first comprehensive evaluation of defenses against adversarial attacks on machine learning for malware detection, where our threat model explores different levels of threat, attacker knowledge, capabilities, and attack intensities. We show that StratDef performs better than other defenses even when facing the peak adversarial threat. We also show that, of the existing defenses, only a few adversarially-trained models provide substantially better protection than just using vanilla models but are still outperformed by StratDef.
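To illustrate the moving-target idea the abstract describes (a defender mixing strategically over several candidate models so that no single attack is reliably effective), here is an added toy example; it is not StratDef's own algorithm, which the abstract does not detail. All model names, attack names, and evasion rates are constructed assumptions.

```python
import math
import random

# Constructed illustrative attacker-success matrix (NOT data from the paper):
# EVASION[model][attack] = fraction of adversarial malware samples crafted with
# `attack` that evade `model`. Model and attack names are hypothetical.
EVASION = {
    "rf":     {"a1": 0.9, "a2": 0.1, "a3": 0.3},
    "nn":     {"a1": 0.1, "a2": 0.9, "a3": 0.4},
    "adv_nn": {"a1": 0.6, "a2": 0.6, "a3": 0.2},
}
MODELS = list(EVASION)
ATTACKS = list(next(iter(EVASION.values())))


def worst_case(strategy):
    """Evasion rate achieved by an attacker who knows the defender's mixing
    probabilities but not which model will score a particular query."""
    return max(sum(strategy[m] * EVASION[m][a] for m in MODELS) for a in ATTACKS)


def minimax_strategy(rounds=20000, eta=0.02):
    """Defender runs multiplicative weights against an attacker who best-responds
    each round; the time-averaged mix approximates the minimax strategy of the
    zero-sum game, i.e. it minimizes the attacker's best-case evasion rate."""
    weights = {m: 1.0 for m in MODELS}
    total = {m: 0.0 for m in MODELS}
    for _ in range(rounds):
        z = sum(weights.values())
        p = {m: weights[m] / z for m in MODELS}
        # Attacker's best response to the current mix.
        a = max(ATTACKS, key=lambda x: sum(p[m] * EVASION[m][x] for m in MODELS))
        for m in MODELS:
            total[m] += p[m]
            weights[m] *= math.exp(-eta * EVASION[m][a])  # penalize evaded models
    return {m: total[m] / rounds for m in MODELS}


def select_model(strategy, rng):
    """Per-query choice: sample a model from the strategy so the attacker cannot
    predict which model answers, which is what raises attacker uncertainty."""
    return rng.choices(MODELS, weights=[strategy[m] for m in MODELS], k=1)[0]


def best_single_model():
    """The static baseline: the one model with the lowest worst-case evasion."""
    return min(MODELS, key=lambda m: max(EVASION[m].values()))


if __name__ == "__main__":
    s = minimax_strategy()
    print("mixed strategy:", {m: round(s[m], 3) for m in MODELS})
    print("worst-case evasion, mixed:", round(worst_case(s), 3))
    print("worst-case evasion, best single:", max(EVASION[best_single_model()].values()))
    print("model chosen for this query:", select_model(s, random.Random(0)))
```

With the constructed matrix, the mixed strategy holds the attacker to about 0.5 evasion, below both the best single model (0.6) and a uniform pick over all three (about 0.53).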