MalProtect: Stateful Defense Against Adversarial Query Attacks in ML-based Malware Detection
Aqib Rashid, Jose Such

TL;DR
MalProtect is a novel stateful defense mechanism designed to detect and prevent adversarial query attacks in ML-based malware detection systems, significantly reducing attack success rates in Android and Windows environments.
Contribution
This paper introduces MalProtect, a new stateful defense tailored for malware detection, addressing the limitations of existing similarity-based methods in this domain.
Findings
Reduces evasion rate of adversarial attacks by over 80%
Outperforms prior stateful defenses in malware detection scenarios
Effective across various attacker strategies in Android and Windows malware
Abstract
ML models are known to be vulnerable to adversarial query attacks. In these attacks, queries are iteratively perturbed towards a particular class without any knowledge of the target model besides its output. The prevalence of remotely-hosted ML classification models and Machine-Learning-as-a-Service platforms means that query attacks pose a real threat to the security of these systems. To deal with this, stateful defenses have been proposed to detect query attacks and prevent the generation of adversarial examples by monitoring and analyzing the sequence of queries received by the system. Several stateful defenses have been proposed in recent years. However, these defenses rely solely on similarity or out-of-distribution detection methods that may be effective in other domains. In the malware detection domain, the methods to generate adversarial examples are inherently different, and…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Security and Verification in Computing
