Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection (1808.04218v4)

Abstract: Machine learning based solutions have been successfully employed for automatic detection of malware on Android. However, machine learning models lack robustness to adversarial examples, which are crafted by adding carefully chosen perturbations to the normal inputs. So far, the adversarial examples can only deceive detectors that rely on syntactic features (e.g., requested permissions, API calls, etc), and the perturbations can only be implemented by simply modifying application's manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new attacking method that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK that can successfully deceive the machine learning detectors. We develop an automated tool to generate the adversarial examples without human intervention. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We demonstrate our attack on two state-of-the-art Android malware detection schemes, MaMaDroid and Drebin. Our results show that the malware detection rates decreased from 96% to 0% in MaMaDroid, and from 97% to 0% in Drebin, with just a small number of codes to be inserted into the APK.

• The paper introduces a novel adversarial attack methodology that perturbs Dalvik bytecode, reducing detection rates from over 96% to 0% in tested systems.
• The authors developed an automated tool that crafts adversarial APKs with minimal code injections, preserving malware functionality while evading detection.
• Experimental evaluation on MaMaDroid and Drebin confirms the approach's efficacy, highlighting critical vulnerabilities in current machine learning-based malware detectors.

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

The research paper titled "Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection" addresses the vulnerability of machine learning-based Android malware detection systems to adversarial attacks. The authors, Xiao Chen, Chaoran Li, Derui Wang, Sheng Wen, Jun Zhang, Surya Nepal, Yang Xiang, and Kui Ren, propose a novel methodology for crafting adversarial examples that can effectively bypass state-of-the-art detection systems by manipulating Android application package files (APK).

Key Contributions and Findings

1. Adversarial Attack Methodology: The paper introduces an attack method that generates adversarial examples by applying carefully chosen perturbations to the Dalvik bytecode of Android APKs. This approach contrasts with previous methods that primarily altered syntactic features extracted from the Android manifest. By targeting the control-flow and data-dependency graph features obtained from Dalvik bytecode, the researchers demonstrate a sophisticated attack capable of evading more robust, semantically-aware malware detectors.
2. Automation Tool: The authors developed an automated tool capable of crafting adversarial examples without requiring manual intervention. This tool facilitates the generation of manipulated APKs by inserting minimal code alterations directly into the bytecode, ensuring that the original functionality of the malware remains intact while evading detection.
3. Experimental Evaluation: The effectiveness of the attack was demonstrated against two prevalent Android malware detection frameworks: MaMaDroid and Drebin. Notably, the detection rate of malware samples reduced dramatically from 96% to 0% in MaMaDroid and from 97% to 0% in Drebin with minimal code injections. These results underscore the vulnerability of current machine learning-based detection mechanisms to adversarial manipulation.
4. Real-World Scenarios: Several scenarios were considered based on the attacker's knowledge about the detection system. The paper examined the attack effectiveness with varying degrees of system knowledge, from having only the feature set ('Scenario F') to having access to both the feature and training sets alongside querying capabilities ('Scenario FTB').

Implications and Future Directions

This research highlights the pressing need for developing more resilient machine learning models for malware detection, especially as attackers evolve their strategies. The demonstrated vulnerabilities call for advanced defense mechanisms that can withstand adversarial perturbations. Potential directions include:

• Adversarial Training: Incorporating adversarial examples into the training datasets of detectors could improve robustness. However, this approach requires balancing between overfitting to adversarial samples and maintaining generalization to benign and malware instances.
• Model Ensemble Techniques: Using ensemble approaches that combine multiple models with different feature sets and architectures may provide a multifaceted defense level, making it harder for adversarial examples to succeed.
• Refinement of Features: Adoption of hybrid approaches that combine static and dynamic feature extraction could potentially reduce the effectiveness of attacks focusing solely on static bytecode manipulation.

The paper contributes significantly to understanding the deficiencies in current malware detection methodologies and accentuates the importance of continued advancements in defense strategies to protect against sophisticated adversarial techniques in malware domains.