Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

TL;DR

This paper develops adversarial deep learning techniques to create robust malware detectors that can withstand binary adversarial examples while preserving malware functionality, evaluated on PE files.

Contribution

It introduces saddle-point optimization methods for generating functionally preserved adversarial malware examples in the binary domain, enhancing model robustness.

Findings

Methods effectively generate adversarial malware that preserves functionality.

Robust models show improved detection rates against adversarial examples.

Online robustness measure correlates with actual model performance.

Abstract

Malware is constantly adapting in order to avoid detection. Model based malware detectors, such as SVM and neural networks, are vulnerable to so-called adversarial examples which are modest changes to detectable malware that allows the resulting malware to evade detection. Continuous-valued methods that are robust to adversarial examples of images have been developed using saddle-point optimization formulations. We are inspired by them to develop similar methods for the discrete, e.g. binary, domain which characterizes the features of malware. A specific extra challenge of malware is that the adversarial examples must be generated in a way that preserves their malicious functionality. We introduce methods capable of generating functionally preserved adversarial malware examples in the binary domain. Using the saddle-point formulation, we incorporate the adversarial examples into the training of models that are robust to them. We evaluate the effectiveness of the methods and others in the literature on a set of Portable Execution~(PE) files. Comparison prompts our introduction of an online measure computed during training to assess general expectation of robustness.