Core Concepts
Malware classifiers based on machine learning models are vulnerable to adversarial attacks that can fool the models into misclassifying malicious applications as benign. Researchers have proposed various evasion attack techniques and defense mechanisms to build more robust malware detectors.
Abstract
This paper provides a comprehensive review of adversarial machine learning in the context of Android malware classifiers. It first presents an extensive background on Android malware classifiers, followed by an examination of the latest advancements in adversarial attacks and defenses.
The key highlights are:
Machine learning models have significantly improved malware detection, but they are susceptible to adversarial attacks that make slight modifications to malware samples, causing misclassification.
Evasion attacks involve carefully crafting adversarial samples that evade the malware classifier, while poisoning attacks inject malicious data into the training set. Various attack techniques have been explored, including the Fast Gradient Sign Method (FGSM), the Basic Iterative Method (BIM), Projected Gradient Descent (PGD), the Carlini & Wagner (C&W) attack, and DeepFool.
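As a minimal sketch of the evasion idea, the snippet below applies FGSM to a toy logistic-regression scorer: it steps each input feature in the sign of the loss gradient so the classifier's confidence in the true (malicious) label drops. The weight vector, bias, and feature values are hypothetical stand-ins, not parameters from any real malware detector, and real Android feature vectors would additionally constrain which features an attacker may change.

```python
import numpy as np

def fgsm(x, y, w, b, eps=0.1):
    """Fast Gradient Sign Method against a logistic-regression scorer.

    For logistic loss, the gradient w.r.t. the input is (p - y) * w,
    where p = sigmoid(w.x + b). Stepping each feature by eps in the
    sign of that gradient increases the loss on the true label y.
    """
    p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
    grad = (p - y) * w
    return x + eps * np.sign(grad)

# hypothetical trained weights and a sample labeled malicious (y = 1)
w = np.array([2.0, -1.0, 0.5])
b = -0.2
x = np.array([0.8, 0.1, 0.4])
x_adv = fgsm(x, 1.0, w, b, eps=0.2)
```

After the perturbation, the model's malicious-class probability for `x_adv` is strictly lower than for `x`, which is exactly the evasion effect the attack aims for.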
Defenses against adversarial attacks aim to either detect adversarial samples or build more robust classifiers. Techniques like adversarial training, input regularization, defensive distillation, and feature denoising have been proposed to improve model robustness.
Adversarial detection methods exploit statistical properties that distinguish benign from adversarial samples, using techniques such as kernel density estimation, Bayesian uncertainty, local intrinsic dimensionality, and feature attribution-based approaches.
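The kernel-density idea can be sketched in a few lines: score an input by its average Gaussian-kernel density under a reference set of clean samples, and flag inputs that land in low-density regions. The synthetic reference cluster, bandwidth, and threshold below are all illustrative assumptions; in practice the threshold would be calibrated on held-out clean data.

```python
import numpy as np

def kde_score(x, reference, bandwidth=0.5):
    """Mean Gaussian-kernel density of x under the clean reference set.
    Adversarial samples tend to fall in low-density regions."""
    d2 = np.sum((reference - x) ** 2, axis=1)
    return float(np.mean(np.exp(-d2 / (2.0 * bandwidth ** 2))))

def flag_adversarial(x, reference, threshold=0.05):
    # hypothetical threshold; calibrate on held-out clean data in practice
    return kde_score(x, reference) < threshold

# synthetic reference cluster of clean samples around the origin
rng = np.random.default_rng(0)
clean = rng.normal(0.0, 0.3, size=(200, 2))
near = np.array([0.1, 0.0])   # lies inside the clean cluster
far = np.array([3.0, 3.0])    # far from every clean sample
```

Here `near` scores a much higher density than `far`, so only the outlying point is flagged; the detectors surveyed apply the same principle in a learned feature space rather than raw inputs.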
The paper provides guidelines for designing robust malware classifiers and outlines future research directions in this domain.
Stats
"Applications, called apps, downloaded from the Google Play Store, the primary app store for Android-compatible mobile devices, were malicious [138]."
"A longitudinal study further revealed that anti-malware solutions detected around 5 million malicious apps on mobile platforms in the first quarter of 2023 alone [126]."
Quotes
"Malware classifiers are vulnerable to such perturbation, known as adversarial samples [135], but continue to classify Android applications with very high confidence, albeit with unexpected results."
"An adversary can model these manipulations during the training process or when testing the model. When implementing an evasion attack, an adversary crafts a test sample to evade the original classification decision."