On the robustness of malware detectors to adversarial samples

Muhammad Salman; Benjamin Zhao; Hassan Asghar; Muhammad Ikram; Sidharth Kaushik; Dali Kaafar

On the robustness of malware detectors to adversarial samples

Muhammad Salman, Benjamin Zhao, Hassan Asghar, Muhammad Ikram, Sidharth Kaushik, Dali Kaafar

School of Computing

Research output: Contribution to conference › Paper › peer-review

Abstract

Adversarial examples add imperceptible alterations to inputs with the objective to induce misclassification in machine learning models. They have been demonstrated to pose significant challenges in domains like image classification, with results showing that an adversarially perturbed image to evade detection against one classifier is most likely transferable to other classifiers. Adversarial examples have also been studied in malware analysis. Unlike images, program binaries cannot be arbitrarily perturbed without rendering them non-functional. Due to the difficulty of crafting adversarial program binaries, there is no consensus on the transferability of adversarially perturbed programs to different detectors. In this work, we explore the robustness of malware detectors against adversarially perturbed malware. We investigate the transferability of adversarial attacks developed against one detector, against other machine learning-based malware detectors with different feature space, and code similarity techniques, specifically, locality sensitive hashingbased detectors. Our analysis reveals that adversarial program binaries crafted for one detector are generally less effective against others. We also evaluate an ensemble of detectors and show that they can potentially mitigate the impact of adversarial program binaries. Finally, we demonstrate that substantial program changes made to evade detection may result in the transformation technique being identified, implying that the adversary must make minimal changes to the program binary.

Original language	English
Number of pages	20
Publication status	Accepted/In press - 30 Jul 2024
Event	Workshop on Security and Artificial Intelligenc - Bydgoszcz, Bydgoszcz, Poland Duration: 19 Sept 2024 → 20 Aug 2025 Conference number: 1 https://sites.google.com/view/secai2024

Workshop

Workshop	Workshop on Security and Artificial Intelligenc
Abbreviated title	SECAI
Country/Territory	Poland
City	Bydgoszcz
Period	19/09/24 → 20/08/25
Internet address	https://sites.google.com/view/secai2024

Cite this

@conference{717187781e5642658802cd1fe748c4b3,

title = "On the robustness of malware detectors to adversarial samples",

abstract = "Adversarial examples add imperceptible alterations to inputs with the objective to induce misclassification in machine learning models. They have been demonstrated to pose significant challenges in domains like image classification, with results showing that an adversarially perturbed image to evade detection against one classifier is most likely transferable to other classifiers. Adversarial examples have also been studied in malware analysis. Unlike images, program binaries cannot be arbitrarily perturbed without rendering them non-functional. Due to the difficulty of crafting adversarial program binaries, there is no consensus on the transferability of adversarially perturbed programs to different detectors. In this work, we explore the robustness of malware detectors against adversarially perturbed malware. We investigate the transferability of adversarial attacks developed against one detector, against other machine learning-based malware detectors with different feature space, and code similarity techniques, specifically, locality sensitive hashingbased detectors. Our analysis reveals that adversarial program binaries crafted for one detector are generally less effective against others. We also evaluate an ensemble of detectors and show that they can potentially mitigate the impact of adversarial program binaries. Finally, we demonstrate that substantial program changes made to evade detection may result in the transformation technique being identified, implying that the adversary must make minimal changes to the program binary. ",

author = "Muhammad Salman and Benjamin Zhao and Hassan Asghar and Muhammad Ikram and Sidharth Kaushik and Dali Kaafar",

year = "2024",

month = jul,

day = "30",

language = "English",

note = "Workshop on Security and Artificial Intelligenc, SECAI ; Conference date: 19-09-2024 Through 20-08-2025",

url = "https://sites.google.com/view/secai2024",

}

TY - CONF

T1 - On the robustness of malware detectors to adversarial samples

AU - Salman, Muhammad

AU - Zhao, Benjamin

AU - Asghar, Hassan

AU - Ikram, Muhammad

AU - Kaushik, Sidharth

AU - Kaafar, Dali

N1 - Conference code: 1

PY - 2024/7/30

Y1 - 2024/7/30

N2 - Adversarial examples add imperceptible alterations to inputs with the objective to induce misclassification in machine learning models. They have been demonstrated to pose significant challenges in domains like image classification, with results showing that an adversarially perturbed image to evade detection against one classifier is most likely transferable to other classifiers. Adversarial examples have also been studied in malware analysis. Unlike images, program binaries cannot be arbitrarily perturbed without rendering them non-functional. Due to the difficulty of crafting adversarial program binaries, there is no consensus on the transferability of adversarially perturbed programs to different detectors. In this work, we explore the robustness of malware detectors against adversarially perturbed malware. We investigate the transferability of adversarial attacks developed against one detector, against other machine learning-based malware detectors with different feature space, and code similarity techniques, specifically, locality sensitive hashingbased detectors. Our analysis reveals that adversarial program binaries crafted for one detector are generally less effective against others. We also evaluate an ensemble of detectors and show that they can potentially mitigate the impact of adversarial program binaries. Finally, we demonstrate that substantial program changes made to evade detection may result in the transformation technique being identified, implying that the adversary must make minimal changes to the program binary.

AB - Adversarial examples add imperceptible alterations to inputs with the objective to induce misclassification in machine learning models. They have been demonstrated to pose significant challenges in domains like image classification, with results showing that an adversarially perturbed image to evade detection against one classifier is most likely transferable to other classifiers. Adversarial examples have also been studied in malware analysis. Unlike images, program binaries cannot be arbitrarily perturbed without rendering them non-functional. Due to the difficulty of crafting adversarial program binaries, there is no consensus on the transferability of adversarially perturbed programs to different detectors. In this work, we explore the robustness of malware detectors against adversarially perturbed malware. We investigate the transferability of adversarial attacks developed against one detector, against other machine learning-based malware detectors with different feature space, and code similarity techniques, specifically, locality sensitive hashingbased detectors. Our analysis reveals that adversarial program binaries crafted for one detector are generally less effective against others. We also evaluate an ensemble of detectors and show that they can potentially mitigate the impact of adversarial program binaries. Finally, we demonstrate that substantial program changes made to evade detection may result in the transformation technique being identified, implying that the adversary must make minimal changes to the program binary.

M3 - Paper

T2 - Workshop on Security and Artificial Intelligenc

Y2 - 19 September 2024 through 20 August 2025

ER -