Intriguing Properties of Adversarial ML Attacks in the Problem Space [Extended Version]

TL;DR

This paper formalizes problem-space adversarial attacks in ML, introduces a novel Android malware attack, and evaluates adversarial training's robustness, highlighting practical threats and defenses.

Contribution

It provides a formal framework for problem-space attacks, proposes a new Android malware attack overcoming previous limitations, and assesses adversarial training effectiveness.

Findings

Problem-space attacks can evade classifiers with minimal artifacts.

The proposed attack successfully evades state-of-the-art malware classifiers.

Adversarial training offers limited robustness against generated adversarial malware.

Abstract

Recent research efforts on adversarial machine learning (ML) have investigated problem-space attacks, focusing on the generation of real evasive objects in domains where, unlike images, there is no clear inverse mapping to the feature space (e.g., software). However, the design, comparison, and real-world implications of problem-space attacks remain underexplored. This article makes three major contributions. Firstly, we propose a general formalization for adversarial ML evasion attacks in the problem-space, which includes the definition of a comprehensive set of constraints on available transformations, preserved semantics, absent artifacts, and plausibility. We shed light on the relationship between feature space and problem space, and we introduce the concept of side-effect features as the by-product of the inverse feature-mapping problem. This enables us to define and prove necessary and sufficient conditions for the existence of problem-space attacks. Secondly, building on our general formalization, we propose a novel problem-space attack on Android malware that overcomes past limitations in terms of semantics and artifacts. We have tested our approach on a dataset with 150K Android apps from 2016 and 2018 which show the practical feasibility of evading a state-of-the-art malware classifier along with its hardened version. Thirdly, we explore the effectiveness of adversarial training as a possible approach to enforce robustness against adversarial samples, evaluating its effectiveness on the considered machine learning models under different scenarios. Our results demonstrate that "adversarial-malware as a service" is a realistic threat, as we automatically generate thousands of realistic and inconspicuous adversarial applications at scale, where on average it takes only a few minutes to generate an adversarial instance.