Adversarial Detection of Flash Malware: Limitations and Open Issues
Davide Maiorca, Ambra Demontis, Battista Biggio, Fabio Roli and Giorgio Giacinto

TL;DR
This paper evaluates the robustness of machine learning-based Flash malware detectors against adversarial evasion, revealing inherent vulnerabilities in feature representations and discussing the limitations of current defense strategies.
Contribution
It introduces a formal definition of feature vector vulnerability in Flash malware detection and analyzes the effectiveness of existing defenses against adversarial examples.
Findings
Adversarial examples can evade detection with slight modifications to source malware.
Popular defense techniques like re-training may not always ensure robustness.
Feature vector indistinguishability from benign data indicates intrinsic vulnerability.
Abstract
During the past four years, Flash malware has become one of the most insidious threats to detect, with almost 600 critical vulnerabilities targeting Adobe Flash disclosed in the wild. Research has shown that machine learning can be successfully used to detect Flash malware by leveraging static analysis to extract information from the structure of the file or its bytecode. However, the robustness of Flash malware detectors against well-crafted evasion attempts - also known as adversarial examples - has never been investigated. In this paper, we propose a security evaluation of a novel, representative Flash detector that embeds a combination of the prominent, static features employed by state-of-the-art tools. In particular, we discuss how to craft adversarial Flash malware examples, showing that it suffices to manipulate the corresponding source malware samples slightly to evade…
