Adversarial Samples on Android Malware Detection Systems for IoT Systems
Xiaolei Liu, Xiaojiang Du, Xiaosong Zhang, Qingxin Zhu, Mohsen Guizani

TL;DR
This paper introduces TLAMD, a genetic algorithm-based testing framework that effectively generates adversarial samples to evaluate the robustness of Android malware detection systems in IoT devices, achieving nearly 100% success rate.
Contribution
The paper presents a novel testing framework for IoT Android malware detection systems that does not require model training parameters and is effective in black-box scenarios.
Findings
Achieves nearly 100% success rate in generating adversarial samples.
Enables black-box testing of Android malware detection systems.
Uses genetic algorithms to optimize adversarial sample generation.
Abstract
Many IoT(Internet of Things) systems run Android systems or Android-like systems. With the continuous development of machine learning algorithms, the learning-based Android malware detection system for IoT devices has gradually increased. However, these learning-based detection models are often vulnerable to adversarial samples. An automated testing framework is needed to help these learning-based malware detection systems for IoT devices perform security analysis. The current methods of generating adversarial samples mostly require training parameters of models and most of the methods are aimed at image data. To solve this problem, we propose a \textbf{t}esting framework for \textbf{l}earning-based \textbf{A}ndroid \textbf{m}alware \textbf{d}etection systems(TLAMD) for IoT Devices. The key challenge is how to construct a suitable fitness function to generate an effective adversarial…
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6| CPU | Inter(R) Core(TM) i5-7400 CPU @ 3.00GHz |
| Memery | 8GB |
| Video Card | Inter(R) HD Graphics 630 |
| Operating System | Windows 10 |
| Programming Language | Python 3.6 |
| Development Platform | Jupyter Notebook |
| Dependence | Tensorflow, Keras, numpy etc. |
| Class | Name | Numbers | Rate(/Total) |
|---|---|---|---|
| S1 | Hardware Components | 72 | 0.013% |
| S2 | Requested Permissions | 3812 | 0.704% |
| S3 | App Components | 218951 | 40.488% |
| S4 | Filtered Intents | 6379 | 1.178% |
| S5 | Restricted API Calls | 733 | 0.136% |
| S6 | Used Permissions | 70 | 0.013% |
| S7 | Suspicious API Calls | 315 | 0.058% |
| S8 | Network Address | 310447 | 57.4% |
| Modelsa | TP | FP | FN | TN | Accuracy | Precision | Recall |
| NN | 40770 | 0 | 74 | 1726 | 99.83% | 1 | 95.95% |
| LR | 40770 | 0 | 234 | 1566 | 99.45% | 1 | 96.32% |
| DT | 40770 | 0 | 60 | 1740 | 99.86% | 1 | 95.91% |
| RF | 40770 | 0 | 32 | 1768 | 99.92% | 1 | 95.85% |
| ET | 40770 | 0 | 16 | 1784 | 99.96% | 1 | 95.81% |
| aNN = Neural Network, LR = Logistic Regression, DT = Decision Tree, RF = Random Forest, ET = Extreme Tree. | |||||||
| Features | S1: Hardware components | S2: Requested permissions |
|---|---|---|
| Initialize Probability | 1% | 0.01% |
| Mutation Probability | 30% | 0.5% |
| Iterations | 50 | 50 |
| Population | 150 | 150 |
| Attacked Samples | 1000 | 1000 |
| Model | Category | Success Rate | Average of |
| NN | S1 | 1 | 2.25 |
| S2 | 1 | 2.33 | |
| LR | S1 | 0.998 | 2.66 |
| S2 | 0.995 | 1.94 | |
| DT | S1 | 0.896 | 1.05 |
| S2 | 0.992 | 1.68 | |
| RF | S1 | 0.866 | 2.89 |
| S2 | 0.995 | 9.54 | |
| ET | S1 | 0.833 | 2.81 |
| S2 | 0.945 | 9.36 | |
| aEach line of data in the table is the average of the 1000 sample tests results. | |||
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Adversarial Samples on Android Malware Detection Systems for IoT Systems
Xiaolei Liu
University of Electronic and Science Technology of China
Xiaojiang Du
Temple University, USA
Xiaosong Zhang
University of Electronic and Science Technology of China
Qingxin Zhu
University of Electronic and Science Technology of China
Mohsen Guizani
University of Idaho, USA
Abstract
Many IoT(Internet of Things) systems run Android systems or Android-like systems. With the continuous development of machine learning algorithms, the learning-based Android malware detection system for IoT devices has gradually increased. However, these learning-based detection models are often vulnerable to adversarial samples. An automated testing framework is needed to help these learning-based malware detection systems for IoT devices perform security analysis. The current methods of generating adversarial samples mostly require training parameters of models and most of the methods are aimed at image data. To solve this problem, we propose a testing framework for learning-based Android malware detection systems(TLAMD) for IoT Devices. The key challenge is how to construct a suitable fitness function to generate an effective adversarial sample without affecting the features of the application. By introducing genetic algorithms and some technical improvements, our test framework can generate adversarial samples for the IoT Android Application with a success rate of nearly 100% and can perform black-box testing on the system.
K****eywords Internet of Things Malware Detection Adversarial Samples Machine Learning
1 Introduction
Since many IoT(Internet of Things) devices run Android systems or Android-like systems, with the popularity of IoT devices, Android malware for IoT devices is also increasing. Meanwhile, machine learning has received extensive attention and has gained tremendous application development in many fields, such as financial economics, driverless, medical, and network security. So there are many learning-based Android malware detection systems Ham *et al. *, (2014); McNeil *et al. *, (2016); Aswini & Vinod, (2015); Odusami *et al. *, (2018); Misra *et al. *, (2017); Alhassan *et al. *, (2018).
However, while machine learning brings us great convenience, it also exposes a lot of security problems Barreno *et al. *, (2010). Several papers have studied related Android and IoT security issues Wu *et al. *, (2016); Cheng *et al. *, (2017); Hei *et al. *, (2013); Du *et al. *, (2007, 2009). Scholars in the security field are increasingly concerned about the security issues associated with the lack of fairness and transparency in machine learning algorithms. An attacker can predict certain sensitive information by observing the model, or recover sensitive data in the data set through existing partial data. A current attack method is called a poisoning attack. Biggio B and Zhu attempted to attack the adaptive facial recognition system by poisoning attack Biggio *et al. *, (2012a, 2013, 2014); Zhu, (2013). During the model update, they injected malicious data to offset the central value of the recognition feature in the model, so as to achieve the purpose of verifying the attacker’s image. Biggio B and Nelson B also attacked the supervised learning algorithm SVM Biggio *et al. *, (2012b). Experiments show that the test error of the model classifier can be significantly increased during the gradient rise. However, the injected sample data must meet certain constraints in order to deceive the model, and must be the attacker to control the label of the injection point. Yang Chaofei, Wu Qing et al. conducted an experiment on poisoning attacks against neural network learning algorithmsYang *et al. *, (2017). Compared with the direct gradient algorithm, this proposed method can increase the attack sample generation speed by about 240 times.
In fact, although a poisoning attack can make the model go wrong, the attacker has to work hard on how to inject malicious data. Another common method can let models get the wrong result in a short time, that is, adversarial sample attack. Christian Szegedy et al. first proposed the concept of adversarial samples Szegedy *et al. *, (2013). By deliberately adding minor changes in the dataset, the perturbed samples will cause the model to output a false result with high confidence. Adversarial samples can increase the prediction error of the model, so that the originally correctly classified sample migrates to the other side of the decision area, thereby being classified into another category.
Existing models are vulnerable to adversarial samples Carlini & Wagner, (2017); Moosavi-Dezfooli *et al. *, (2017); Warde-Farley & Goodfellow, (2016); Papernot *et al. *, (2016b). For example, in a malware recognition system, by adding a small perturbation to the original software sample, the result of the sample classification can be changed with a high probability, and even the sample can be classified into an arbitrarily designated label according to the attacker’s idea. This makes adversarial samples attack a huge hazard to malware recognition systems Chen *et al. *, (2018b, a); Al-Dujaili *et al. *, (2018).
All the learning-based Android malware detection systems for IoT devices have the above problems, so a testing framework is needed to test the robustness of these detection systems. To address this challenge, we propose TLAMD, a testing framework for learning-based Android malware detection systems for IoT Devices. When the test results show that the detection system cannot resist the attack of the adversarial samples, it indicates that this detection system has potential safety hazards, and it needs to be reinforced.
Therefore, how to generate effective adversarial samples is the core issue of the entire testing framework. Our approach to generating adversarial samples for the Android IoT malware detection model is based on genetic algorithm. Without the knowledge of the model parameters, the original sample is used as the input of the approach, and finally the adversarial sample of the specific label is generated. The information used is only the probability of the various types of labels output by the model. We hope that this method can be a robust benchmark for the learning-based Android malware detection model for IoT devices. Our contribution is mainly reflected as follows:
-
We migrated the application of adversarial samples from the image recognition domain to the Android malware detection domain of IoT devices. In this process, simply replacing the model’s training data from a picture to an Android application is not possible. On the one hand, the data of the binary program is not continuous like the image data. On the other hand, random perturbation of the binary program may lead to the crash of the program, so special processing is required for the Android application to ensure the validity of the adversarial samples. We borrowed the processing method of Kathrin Grosse Grosse *et al. *, (2017), which realized the disturbance to the Android application by adding the request permission code in the file. The difference is that we have made corresponding analysis and restrictions on the types and quantities of permissions that can be added. This method can ensure that the original function of the app is not affected and can be used normally; and the app can be disturbed in the simplest way to achieve the effect of changing the model detection result;
-
We introduce the genetic algorithm into the adversarial sample generation method and implement the black-box attack against the machine learning model. Without knowing the internal parameters such as the gradient and structure of the target network, it is only necessary to know the probability of various types of labels output by the model. Compared to Kathrin Grosse’s approach, our approach not only implements black-box attacks, but also has a higher success rate, almost 100%.
The rest of the paper is organized as follows. Section 2 introduces the related background of our approach. Section 3 presents TLAMD(A Testing Framework for Learning-based Android Malware Detection Systems for IoT Devices). Section 4 presents and discusses our experimental results. Finally, further discussions and conclusions are accomplished in Section 5.
2 Related Background
2.1 Neural Network
The essence of the neural network is a function , the input is an n-dimensional vector, and the output is an m-dimensional vector. The function implies the model parameter . The purpose of the training network is to calculate the value of the parameter from the known partial sample information. After the model is completed, the result of predicting is to solve the value of by the function . In this paper, we mainly study the neural network of the classifier (that is, the output is an m-dimensional vector). The output of the last layer of the neural network uses a fully connected layer. The classifier outputs the index with the largest value in the output vector dimension as the result, that is:
[TABLE]
where is the category of .
Define as a single-layer fully-connected neural network. The output of the (n-1)-th layer is the input of the n-th layer, then:
[TABLE]
Typical n-layer fully connected neural networks are:
[TABLE]
[TABLE]
where is a linear or non-linear activation function. The commonly used activation functions are RELUMaas *et al. *, (2013), tanhMishkin & Matas, (2015), sigmoid, etc., is the weight of this layer, is the layer offset.
2.2 Genetic Algorithm
The idea of the genetic algorithm is to simulate the biological evolution process of natural selection. Using the thought of evolutionary theory, the process of finding the optimal solution of a certain objective function is simulated into the evolution process of the population. Based on the idea of the population, the algorithm uses a population containing information to perform an optimal search in multiple directions and completes the exchange and reconstruction of information in the search process.
The genetic algorithm can be used to search for the feasible solution space of a problem, and then find the possible optimal solution, which is the uncertainty optimization in the optimization problem. Uncertain optimization is to rely on random variables in the search direction, rather than a certain mathematical expression. Compared with other algorithms, the advantage is that when the optimization converges to the local extremum, the search result can jump out of an optimal solution and continue to search for a better feasible solution.
By choosing the appropriate objective function, the generation of the adversarial sample can be transformed into a solution to the optimization problem. The process of solving the optimal solution corresponding to the objective function is actually the process of generating the adversarial sample. This shows that genetic algorithms can be effectively applied to machine learning and other fields in terms of parameter optimization and function solving. In terms of parameter optimization, Zhi Chen, Tao Lin et al. used a parallel genetic algorithm to optimize the parameter selection of Support Vector Machine (SVM) Chen *et al. *, (2016). Experiments show that the proposed method is superior to the grid search in classification accuracy, the number of selected features and running time. Aaron Vose, Jacob Balma et al. optimized the hyperparameters of the neural network in deep learning based on genetic algorithms. Anh Viet Phan et al. proposed a GA-SVM model which can effectively improve classification performance based on genetic algorithm and SVM classifier Phan *et al. *, (2017). Francisco Villegas Alejandre, Nareli Cruz Cortes et al. selected features based on machine learning to detect botnetsAlejandre *et al. *, (2017). A genetic algorithm is used in this method to select the set of features that provide the highest detection rate.
2.3 Adversarial Samples
On many machine learning models, the decision boundary of the classifier has a certain margin of error. That is, when the disturbance satisfies , the classifier considers that the perturbed input is the same as the original input . Therefore, when the perturbation value on each feature element is less than , the classifier cannot discern the difference in the sample. However, changes in input characteristics have a cumulative effect on model predictions. Although the perturbation value on each feature element is small, the accumulated error is sufficient to influence the model prediction result.
On each neuron, the adversarial sample will have the following operations:
[TABLE]
Although the adversarial sample has no effect on the classification results of the single-dimensional neuron classifier. However, deep learning has a considerable number of neurons. The weight in each neuron has dimensions. If the average variation of an element in the weight vector is , the activation effect will increase by . And in a high dimensional linear classifier, each individual input feature is normalized. The result is that in the process of deep learning, a small change may not be enough to change the input result, but multiple disturbances to the input will cause the classifier to make a wrong classification result.
Many methods of generating adversarial samples need to know the parameters of the learning model to calculate the perturbation values, but some subsequent studies have shown that without knowing the parameters of the learning modelPapernot *et al. *, (2017, 2016c, 2016d); Narodytska & Kasiviswanathan, (2017). The attacker can interact with the black-box learning model to calculate the samples. Specifically, the attacker can estimate the boundary of the decision region of the model according to the difference of the model output brought by different samples, and then use the estimated boundary as a substitute model. Finally, the adversarial samples are calculated by the parameters of the substitute model. Considering that more and more malicious Android application detection methods based on machine learning, how to evaluate the robustness of these detection methods becomes a new problem. Since most machine learning algorithms are vulnerable to adversarial samples, we have thought of using the generated adversarial samples to test the robustness of these detection methods.
3 Methodology
3.1 Framework
The overview of TLAMD is shown in Figure1.
When the test results show that the detection system cannot resist the attack against the adversarial sample, it indicates that the system has potential safety hazards and it is necessary to implement such reinforcement measures as distillation defensePapernot *et al. *, (2016a) on the detection system. As we can see, how to generate an adversarial sample is the main challenge of this testing framework. Therefore, we will describe the algorithm in detail for generating an adversarial sample for Android malware.
3.2 Algorithm
Our goal is to add minor perturbations to the malware without changing the malware functionality, so that the previously trained detection model misidentifies it as normal software. Therefore, our approach generates an adversarial sample by adding permission features to the , and in order not to affect the function of the original malware, the disturbance does not reduce the existing permission features. For a single input sample , the classifier returns a two-dimensional vector , where indicates the probability that the software is a normal software, indicates the probability that the software is a malware, and satisfies the constraint . We aim to add a perturbation to make the classification result is less than . At the same time, the smaller the , the better, that is, the fewer the number of permission features added in the manifest file, the better. For example, for a specific malware , we use genetic algorithm to find out which permission features are added to , and finally make detected as normal software with minimum number of permission added.
From a mathematical point of view, the process of misjudging the detection model by adding the permission features is regarded as a problem to be solved. The feasible solution space of the problem is the disturbance if the detection model is successfully misjudged. The optimal solution is to minimize the disturbance value, that is, add the least permission feature. A genetic algorithm is a type of algorithm that finds the possible optimal solution by searching for a feasible solution space of a problem. Our approach is to use genetic algorithms to search for the minimum perturbation value that causes the detection model to be misjudged. The pseudo code of our approach is shown in Algorithm1.
The specific steps are as follows:
-
Randomly generate the population . is the number of individuals, the individual refers to the permission characteristics to be added in the category, and is the number of permission features in the category. 1 means to add the corresponding permission, otherwise 0 means not to add. Our strategy is to only add permissions and not reduce permissions. Therefore, if the original malicious sample has a certain permission feature, the permission cannot be removed, that is, the disturbance is 0.
-
Determine the fitness function.
[TABLE]
where and represent the two weights, is the added small disturbance, means that the probability of original malicious sample is still detected as a malware, indicates the number of permission features added.
When is much larger than , the sample after the addition of the disturbance must be detected as normal by the detection model to survive, and the individual detected as a malicious sample will be eliminated. The surviving individual must meet the minimum number of added permission features, otherwise it will also be eliminated. The fitness function defined in this way searches for an optimal solution that can successfully cause the detection model to be misjudged.
-
Perform mutation operations according to a certain probability to generate new individuals. The mutation refers to adding a disturbance to the corresponding category according to a certain probability, that is, changing the value from 0 to 1, and satisfying the constraint proposed in step 1).
-
Generate a new generation of the population from the mutation and return to step 2). If the preset number of iterations is reached, the loop is exited.
4 Experiments
4.1 Data Set and Environment
In order to verify the effectiveness of the adversarial sample, we attempt to train five different classifier models, including logistic regression (LR), decision tree (DT), and fully connected neural network (NN) and so on. The hardware environment and software environment of all experiments are as follows:
All the data we use in the experiments come from the DREBIN datasetArp *et al. *, (2014); Spreitzenbarth *et al. *, (2013). The DREBIN dataset has a total of 123,453 sample data for Android applications, including 5,560 malicious samples and contains as many as 545,333 behavioral features.
The features of the Android app in this dataset consist of eight categories:
S1) Hardware components, which are used to set the hardware permissions required by the software.
S2) Requested permissions, which are granted by the user at the time of installation and allow the application software to access the corresponding resources.
S3) App components, which include four different types of interfaces: activities, services, content providers and broadcast receivers.
S4) Filtered intents, which are used for process communication between different components and applications.
S5) Restricted API calls, access to a series of key API calls.
S6) Used permissions, a subset of permissions that are actually used and requested in S5.
S7) Suspicious API calls, API calls for allowing access to sensitive data and resources.
S8) Network addresses, the IP addresses accessed by the application, including the hostname and URL.
The first four classes are extracted from the manifest file, and the last four classes are extracted from the disassembly code. Since our method only adds permission requests to the file, we only cover the features in S1 to S4. In Section4.2.1, we further reduce the feature categories used.
4.2 Android Malware Detection Model
First, a detection model is trained to determine whether an Android sample is malware. When the detection model reaches a certain accuracy, our approach is used to generate an adversarial sample for the model.
4.2.1 Feature Extraction
We use a random forest approach to measure the importance of features in the feature extraction phase. The number of features is effectively reduced without affecting the accuracy of detection.
Random forest is an integrated learning in machine learning. It is an integrated classifier composed of multiple sets of decision trees: , where is a random variable subject to independent and identical distribution, and represents the number of decision trees. The principle is to generate multiple decision trees and let them learn independently and make corresponding predictions. Finally, observe which category is selected the most and get the result.
The specific steps are as follows:
-
Select out of bag (OOB) to calculate the corresponding out-of-bag data deviation for each decision tree.
-
Add random noise, perturb all samples of OOB, and then calculate the out-of-bag data deviation again.
-
Define and calculate the importance of the features:
[TABLE]
where is the number of forest decision trees.
If is greatly increased after adding random noise, the OOB accuracy rate decreases, indicating that this type of feature has a greater impact on the prediction result, that is, the importance is higher.
The sorting result of feature importance is shown in Figure2.
As we mentioned before, we only cover the four types of features from S1 to S4. Taking into account the number and importance of various features, we finally choose the two characteristics of S1 and S2.
4.2.2 Training Detection Model
To test the effectiveness of our method for different detection models, we trained five kinds of detection models.
a. Neural Network
Our neural network chooses a two-layer fully connected model with 200 neurons in each connected layer and the activation function is RELU. The output layer of the last layer has two neurons and is the activation unit. And no dropout operation is performed on each layer. To train our network, we used the gradient descent training method with a batches size of 256. All data was trained 5 times per iteration.
b. Logistic Regression
Since there are only two types of target predictions, we adopt a two-class logistic regression model. The penalty term selects the L2 paradigm, and the model parameters satisfy the Gaussian distribution, that is, the parameters are constrained so that they do not over-fitting. Considering that the solution problem is not a linear multi-core, and the number of samples is selected to be larger than the number of features, the dual method is not set. Set the condition for stopping the solution is that the loss function is less than or equal to ; the category weight defaults to 1. The maximum number of iterations of the algorithm convergence is set to 10.
c. Decision Tree
The decision tree is a tree structure used for classification. The maximum depth of the decision tree is set to 15 to prevent overfitting. The is set to 0. The is set to 2, indicating the minimum number of samples required for internal node subdivision. The is set to 10, indicating the minimum number of samples in the leaf node. The is set to None, which is expressed as the maximum number of leaf nodes in the decision tree. The is set to 0, which represents the minimum value of all sample weights and sums of leaf nodes.
d. Random Forest
Random forest is an integrated learning. Through the bootstrap resampling technique, a number of sample inputs are randomly selected from the original training set with repeated iterations. In this way, a new training set is obtained, and then several decision trees are generated to form a random forest. The is set to auto, that is, a single decision tree can utilize all permission features. The is set to 20, which means there are 20 decision trees to form the random forest to be trained. The is set to 20, that is, the minimum number of sample leaves in each decision tree is 20.
e. Extreme Tree
Extra Tree is equivalent to a variant of the random forest. Compared with random forests, the randomness is further calculated when dividing the local best, that is, the selection of the division points is calculated. Most of its parameters are the same as those of random forests, except that is set to 10 and is set to 50.
Finally, when the five detection models are trained, we test 42570 samples and the results are shown in Table3:
4.3 Simulation Experiments
After getting the trained detection models, we will generate adversarial samples for the five models. The features we add to the file are from S1 or S2. The parameters of the generation algorithm are also different depending on the permission category. The details are as shown in Table4.
The final experimental results are shown in Table5. In the ten sets of adversarial sample generation experiments for the five detection models, the success rates are above 80%, and most of them are close to 100%. In order to generate these adversarial samples, the average number of permission features added is less than three. On the one hand, it shows that the adversarial sample generated by our method is very effective and our approach is able to be a robust benchmark for the learning-based Android malware detection model for IoT devices; on the other hand, it shows that the existing machine learning algorithms are very vulnerable to the adversarial sample. Our TLAMD test framework is very necessary.
In subsequent experiments, we also performed a reinforcement method for the distillation defense of these models. However, the reinforced model is still unable to resist the attack of adversarial samples, and the success rate of our approach is still close to 100%. This means that when we want to reinforce existing machine learning models, common methods such as distillation defenses work poorly. We need to find a more effective defense method.
Fig.3 shows the most frequently added permissions in the ten sets of adversarial sample generation experiments for the five kinds of detection models. Compared to other permission features, these permissions are mostly permissions that involve sensitive privacy. In order to verify whether these features have a decisive influence on the model discrimination results, we have conducted further experiments. In the new experiment, we will not allow the algorithm to add the features listed in the figure. However, the success rate of the generated adversarial samples is consistent with the previous one in Table5, and the number of permission features added is slightly increased. It can be seen that those features that are added more frequently only have greater weight, but have no decisive influence on the results.
Fig.4 is a trend graph of fitness function values as a function of the number of iterations. As the number of iterations increases, the value of the fitness function decreases rapidly. It shows that it is very effective to use the genetic algorithm to solve the problem of generating adversarial samples.
By comparing the individual models, it can be found that the more complex the detection model, the better the effect of the adversarial samples generated for the model. This phenomenon may be different from what we expected. We believe that one possible reason is that the more complex the model, the more times the feature is processed. This makes small changes in features easily magnified, making the model very sensitive to adversarial samples.
Fig.5 is a box plot of the fitness function values of adversarial samples for five detection models with S1 permission features and Fig.6 is with S2 permission features. As can be seen from the figures, the adversarial samples generated by our approach is very stable. There are only a very small number of divergence points out of 1000 samples. By comparing Fig.5 and Fig.6, the stability of the adversarial sample generated by S2 is better. The reason is that the number of permission features in the S2 list is much larger than the number in the S1 list. This is equivalent to finding the optimal solution of the objective function in a larger space, so there is a greater probability of finding a better solution. Combined with Fig.3, it also provides us with an idea of how to strengthen the learning-based detection model. It is not useful to improve the defense of high-weight permission features. It is necessary to optimize the detection model so that it is not sensitive to small disturbances of all sample features.
5 Conclusions
To address the challenge of the lack of the testing framework for learning-based Android malware detection systems for IoT devices, we approach TLAMD. Our experimental results show that our approach generates high-quality adversarial samples with a success rate of nearly 100% by adding permission features. In the technical implementation of the TLAMD algorithm, the selection of feature and the range of disturbance are the keys to have a good result. We hope TLAMD can be a benchmark for learning-based IoT Android malware detection model. The limitation of TLAMD is our black-box approach need frequent model requests and our future work includes reducing the requesting times and designing an effective defense approach to reinforce the malware detection model.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Al-Dujaili et al. , (2018) Al-Dujaili, Abdullah, Huang, Alex, Hemberg, Erik, & O’Reilly, Una-May. 2018. Adversarial deep learning for robust detection of binary encoded malware. Pages 76–82 of: 2018 IEEE Security and Privacy Workshops (SPW) . IEEE.
- 2Alejandre et al. , (2017) Alejandre, Francisco Villegas, Cortés, Nareli Cruz, & Anaya, Eleazar Aguirre. 2017. Feature selection to detect botnets using machine learning algorithms. Pages 1–7 of: Electronics, Communications and Computers (CONIELECOMP), 2017 International Conference on . IEEE.
- 3Alhassan et al. , (2018) Alhassan, JK, Misra, Sanjay, Umar, A, Maskeliūnas, Rytis, Damaševičius, Robertas, & Adewumi, Adewole. 2018. A Fuzzy Classifier-Based Penetration Testing for Web Applications. Pages 95–104 of: International Conference on Information Theoretic Security . Springer.
- 4Arp et al. , (2014) Arp, Daniel, Spreitzenbarth, Michael, Hubner, Malte, Gascon, Hugo, Rieck, Konrad, & Siemens, CERT. 2014. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. Pages 23–26 of: Ndss , vol. 14.
- 5Aswini & Vinod, (2015) Aswini, AM, & Vinod, P. 2015. Towards the Detection of Android Malware using Ensemble Features. Journal of Information Assurance & Security , 10 (1).
- 6Barreno et al. , (2010) Barreno, Marco, Nelson, Blaine, Joseph, Anthony D, & Tygar, J Doug. 2010. The security of machine learning. Machine Learning , 81 (2), 121–148.
- 7Biggio et al. , (2012 a) Biggio, Battista, Fumera, Giorgio, Roli, Fabio, & Didaci, Luca. 2012 a. Poisoning adaptive biometric systems. Pages 417–425 of: Joint IAPR International Workshops on Statistical Techniques in Pattern Recognition (SPR) and Structural and Syntactic Pattern Recognition (SSPR) . Springer.
- 8Biggio et al. , (2012 b) Biggio, Battista, Nelson, Blaine, & Laskov, Pavel. 2012 b. Poisoning attacks against support vector machines. ar Xiv preprint ar Xiv:1206.6389 .
