Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
97 tokens/sec
GPT-4o
53 tokens/sec
Gemini 2.5 Pro Pro
44 tokens/sec
o3 Pro
5 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

MalPurifier: Enhancing Android Malware Detection with Adversarial Purification against Evasion Attacks (2312.06423v1)

Published 11 Dec 2023 in cs.CR, cs.AI, and cs.LG

Abstract: Machine learning (ML) has gained significant adoption in Android malware detection to address the escalating threats posed by the rapid proliferation of malware attacks. However, recent studies have revealed the inherent vulnerabilities of ML-based detection systems to evasion attacks. While efforts have been made to address this critical issue, many of the existing defensive methods encounter challenges such as lower effectiveness or reduced generalization capabilities. In this paper, we introduce a novel Android malware detection method, MalPurifier, which exploits adversarial purification to eliminate perturbations independently, resulting in attack mitigation in a light and flexible way. Specifically, MalPurifier employs a Denoising AutoEncoder (DAE)-based purification model to preprocess input samples, removing potential perturbations from them and then leading to correct classification. To enhance defense effectiveness, we propose a diversified adversarial perturbation mechanism that strengthens the purification model against different manipulations from various evasion attacks. We also incorporate randomized "protective noises" onto benign samples to prevent excessive purification. Furthermore, we customize a loss function for improving the DAE model, combining reconstruction loss and prediction loss, to enhance feature representation learning, resulting in accurate reconstruction and classification. Experimental results on two Android malware datasets demonstrate that MalPurifier outperforms the state-of-the-art defenses, and it significantly strengthens the vulnerable malware detector against 37 evasion attacks, achieving accuracies over 90.91%. Notably, MalPurifier demonstrates easy scalability to other detectors, offering flexibility and robustness in its implementation.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (51)
  1. Zimperium. 2022 global mobile threat report. [Online]. Available: https://www.zimperium.com/global-mobile-threat-report/
  2. T. Shishkova. The mobile malware threat landscape in 2022. [Online]. Available: https://securelist.com/mobile-threat-report-2022/108844/
  3. H. Zhu, Y. Li, R. Li, J. Li, Z. You, and H. Song, “Sedmdroid: An enhanced stacking ensemble framework for android malware detection,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 2, pp. 984–994, 2021.
  4. J. Xu, Y. Li, R. H. Deng, and K. Xu, “Sdac: A slow-aging solution for android malware detection using semantic distance based api clustering,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 2, pp. 1149–1163, 2022.
  5. J. Qiu, Q.-L. Han, W. Luo, L. Pan, S. Nepal, J. Zhang, and Y. Xiang, “Cyber code intelligence for android malware detection,” IEEE Transactions on Cybernetics, vol. 53, no. 1, pp. 617–627, 2022.
  6. H.-J. Zhu, L.-M. Wang, S. Zhong, Y. Li, and V. S. Sheng, “A hybrid deep network framework for android malware detection,” IEEE Transactions on Knowledge and Data Engineering, vol. 34, no. 12, pp. 5558–5570, 2022.
  7. W. Fang, J. He, W. Li, X. Lan, Y. Chen, T. Li, J. Huang, and L. Zhang, “Comprehensive android malware detection based on federated learning architecture,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 3977–3990, 2023.
  8. F. Pierazzi, F. Pendlebury, J. Cortellazzi, and L. Cavallaro, “Intriguing properties of adversarial ml attacks in the problem space,” in 2020 IEEE symposium on security and privacy (SP).   IEEE, 2020, pp. 1332–1349.
  9. K. Zhao, H. Zhou, Y. Zhu, X. Zhan, K. Zhou, J. Li, L. Yu, W. Yuan, and X. Luo, “Structural attack against graph based android malware detection,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021, pp. 3218–3235.
  10. H. Li, Z. Cheng, B. Wu, L. Yuan, C. Gao, W. Yuan, and X. Luo, “Black-box adversarial example attack towards fcg based android malware detection under incomplete feature information,” in 32rd USENIX Security Symposium (USENIX Security 23), 2023.
  11. A. Demontis, M. Melis, B. Biggio, D. Maiorca, D. Arp, K. Rieck, I. Corona, G. Giacinto, and F. Roli, “Yes, machine learning can be more secure! a case study on android malware detection,” IEEE transactions on dependable and secure computing, vol. 16, no. 4, pp. 711–724, 2019.
  12. X. Chen, C. Li, D. Wang, S. Wen, J. Zhang, S. Nepal, Y. Xiang, and K. Ren, “Android hiv: A study of repackaging malware for evading machine-learning detection,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 987–1001, 2020.
  13. D. Li and Q. Li, “Adversarial deep ensemble: Evasion attacks and defenses for malware detection,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3886–3900, 2020.
  14. C. Li, X. Chen, D. Wang, S. Wen, M. E. Ahmed, S. Camtepe, and Y. Xiang, “Backdoor attack on machine learning based android malware detectors,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 5, pp. 3357–3370, 2022.
  15. G. Severi, J. Meyer, S. Coull, and A. Oprea, “{{\{{Explanation-Guided}}\}} backdoor poisoning attacks against malware classifiers,” in 30th USENIX security symposium (USENIX security 21), 2021, pp. 1487–1504.
  16. O. Suciu, R. Marginean, Y. Kaya, H. Daume III, and T. Dumitras, “When does machine learning {{\{{FAIL}}\}}? generalized transferability for evasion and poisoning attacks,” in 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 1299–1316.
  17. A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli, “Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks,” in 28th USENIX security symposium (USENIX security 19), 2019, pp. 321–338.
  18. D. Li, Q. Li, Y. Ye, and S. Xu, “A framework for enhancing deep neural networks against adversarial malware,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 1, pp. 736–750, 2021.
  19. Y. Qiao, W. Zhang, Z. Tian, L. T. Yang, Y. Liu, and M. Alazab, “Adversarial elf malware detection method using model interpretation,” IEEE Transactions on Industrial Informatics, vol. 19, no. 1, pp. 605–615, 2023.
  20. D. Li, S. Cui, Y. Li, J. Xu, F. Xiao, and S. Xu, “Pad: Towards principled adversarial malware detection against evasion attacks,” IEEE Transactions on Dependable and Secure Computing, 2023.
  21. X. Jia, Y. Zhang, B. Wu, J. Wang, and X. Cao, “Boosting fast adversarial training with learnable adversarial initialization,” IEEE Transactions on Image Processing, vol. 31, pp. 4417–4430, 2022.
  22. C. P. Lau, J. Liu, H. Souri, W.-A. Lin, S. Feizi, and R. Chellappa, “Interpolated joint space adversarial training for robust and generalizable defenses,” IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023.
  23. H. Li, S. Zhou, W. Yuan, X. Luo, C. Gao, and S. Chen, “Robust android malware detection against adversarial example attacks,” in Proceedings of the Web Conference 2021, 2021, pp. 3603–3612.
  24. M. Naseer, S. Khan, M. Hayat, F. S. Khan, and F. Porikli, “A self-supervised approach for adversarial robustness,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020, pp. 262–271.
  25. J. Yoon, S. J. Hwang, and J. Lee, “Adversarial purification with score-based generative models,” in International Conference on Machine Learning.   PMLR, 2021, pp. 12 062–12 072.
  26. F. Croce, S. Gowal, T. Brunner, E. Shelhamer, M. Hein, and T. Cemgil, “Evaluating the adversarial robustness of adaptive test-time defenses,” in International Conference on Machine Learning.   PMLR, 2022, pp. 4421–4435.
  27. R. Theagarajan and B. Bhanu, “Privacy preserving defense for black box classifiers against on-line adversarial attacks,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 44, no. 12, pp. 9503–9520, 2022.
  28. W. Nie, B. Guo, Y. Huang, C. Xiao, A. Vahdat, and A. Anandkumar, “Diffusion models for adversarial purification,” in International Conference on Machine Learning.   PMLR, 2022, pp. 16 805–16 827.
  29. G. Xu, G. Xin, L. Jiao, J. Liu, S. Liu, M. Feng, and X. Zheng, “Ofei: A semi-black-box android adversarial sample attack framework against dlaas,” IEEE Transactions on Computers, 2023.
  30. D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and C. Siemens, “Drebin: Effective and explainable detection of android malware in your pocket.” in Ndss, vol. 14, 2014, pp. 23–26.
  31. K. Allix, T. F. Bissyandé, J. Klein, and Y. Le Traon, “Androzoo: Collecting millions of android apps for the research community,” in Proceedings of the 13th international conference on mining software repositories, 2016, pp. 468–471.
  32. N. Šrndić and P. Laskov, “Practical evasion of a learning-based classifier: A case study,” in 2014 IEEE symposium on security and privacy.   IEEE, 2014, pp. 197–211.
  33. C. Jeon, I. Yun, J. Jung, M. Wolotsky, and T. Kim, “Avpass: Leaking and bypassing antivirus detection model automatically,” in Black Hat USA 2017.   Black Hat, 2017.
  34. A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” in International Conference on Learning Representations, 2018.
  35. T. Zhang and Z. Zhu, “Interpreting adversarially trained convolutional neural networks,” in International conference on machine learning.   PMLR, 2019, pp. 7502–7511.
  36. A. Al-Dujaili, A. Huang, E. Hemberg, and U.-M. O’Reilly, “Adversarial deep learning for robust detection of binary encoded malware,” in 2018 IEEE Security and Privacy Workshops (SPW).   IEEE, 2018, pp. 76–82.
  37. W. Hu and Y. Tan, “Generating adversarial malware examples for black-box attacks based on gan,” in International Conference on Data Mining and Big Data.   Springer, 2022, pp. 409–423.
  38. V. Vo, E. M. Abbasnejad, and D. Ranasinghe, “Query efficient decision based sparse attacks against black-box deep learning models,” in International Conference on Learning Representations, 2021.
  39. F. Croce and M. Hein, “Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks,” in International conference on machine learning.   PMLR, 2020, pp. 2206–2216.
  40. T. Kim, B. Kang, M. Rho, S. Sezer, and E. G. Im, “A multimodal deep learning method for android malware detection using various features,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 3, pp. 773–788, 2019.
  41. K. Grosse, N. Papernot, P. Manoharan, M. Backes, and P. McDaniel, “Adversarial examples for malware detection,” in European symposium on research in computer security, 2017, pp. 62–79.
  42. K. Grosse, P. Manoharan, N. Papernot, M. Backes, and P. McDaniel, “On the (statistical) detection of adversarial examples,” arXiv preprint arXiv:1702.06280, 2017.
  43. T. Pang, C. Du, Y. Dong, and J. Zhu, “Towards robust detection of adversarial examples,” Advances in neural information processing systems, vol. 31, 2018.
  44. D. Li and Q. Li, “Enhancing robustness of deep neural networks against adversarial malware samples: Principles, framework, and application to aics’2019 challenge,” in The AAAI-19 Workshop on Artificial Intelligence for Cyber Security (AICS), 2019.
  45. O. Bryniarski, N. Hingun, P. Pachuca, V. Wang, and N. Carlini, “Evading adversarial example detection defenses with orthogonal projected gradient descent,” in International Conference on Learning Representations, 2022.
  46. L. Onwuzurike, E. Mariconti, P. Andriotis, E. D. Cristofaro, G. Ross, and G. Stringhini, “Mamadroid: Detecting android malware by building markov chains of behavioral models (extended version),” ACM Transactions on Privacy and Security (TOPS), vol. 22, no. 2, pp. 1–34, 2019.
  47. M. K. Alzaylaee, S. Y. Yerima, and S. Sezer, “Dl-droid: Deep learning based android malware detection using real devices,” Computers & Security, vol. 89, p. 101663, 2020.
  48. Y. Zhang, Y. Sui, S. Pan, Z. Zheng, B. Ning, I. Tsang, and W. Zhou, “Familial clustering for weakly-labeled android malware using hybrid representation learning,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3401–3414, 2019.
  49. Y. Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li, “Boosting adversarial attacks with momentum,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2018, pp. 9185–9193.
  50. B. G. Doan, S. Yang, P. Montague, O. De Vel, T. Abraham, S. Camtepe, S. S. Kanhere, E. Abbasnejad, and D. C. Ranashinghe, “Feature-space bayesian adversarial learning improved malware detector robustness,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 37, no. 12, 2023, pp. 14 783–14 791.
  51. M. Ficco, “Malware analysis by combining multiple detectors and observation windows,” IEEE Transactions on Computers, vol. 71, no. 6, pp. 1276–1290, 2022.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Yuyang Zhou (20 papers)
  2. Guang Cheng (136 papers)
  3. Zongyao Chen (1 paper)
  4. Shui Yu (46 papers)
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Github Logo Streamline Icon: https://streamlinehq.com

GitHub

  1. GitHub - SEU-ProactiveSecurity-Group/MalPurifier (31 stars)