Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information
Heng Li, Zhang Cheng, Bang Wu, Liheng Yuan, Cuiying Gao, Wei Yuan, Xiapu Luo

TL;DR
This paper introduces BagAmmo, a novel black-box adversarial attack on FCG-based Android malware detection systems that perturbs function call graphs without altering malware functionality, achieving over 99.9% success rate.
Contribution
The paper presents BagAmmo, the first black-box attack that combines a GAN with co-evolution to generate effective adversarial examples against FCG-based malware detection without knowledge of the target system's feature granularity or output probabilities.
Findings
Achieves an attack success rate above 99.9% against multiple target models
Remains effective under concept drift and class-imbalanced training data
Outperforms the state-of-the-art attack SRL
Abstract
Function call graph (FCG) based Android malware detection methods have recently attracted increasing attention due to their promising performance. However, these methods are susceptible to adversarial examples (AEs). In this paper, we design a novel black-box AE attack against FCG based malware detection systems, called BagAmmo. To mislead its target system, BagAmmo purposefully perturbs the FCG feature of malware by inserting "never-executed" function calls into the malware code. The main challenges are two-fold. First, the malware functionality must not be changed by the adversarial perturbation. Second, information about the target system (e.g., the graph feature granularity and the output probabilities) is unavailable. To preserve malware functionality, BagAmmo employs the try-catch trap to insert function calls that perturb the FCG of the malware. Without the knowledge about feature…
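The try-catch trap named in the abstract, shown as an added illustration rather than code from the paper or its authors. The mechanism assumed here is one way to realise such a trap: a statement that is guaranteed to throw is placed inside a try block before the inserted call, so the invoke instruction survives compilation and is picked up by a static FCG extractor, while the callee is never reached at runtime. All method names (originalWork, perturbedWork, decoyTarget) and the null-dereference guard are assumptions for illustration only.

```java
// Added illustration (not code from the BagAmmo paper): a try-catch trap that
// makes a call site visible to static FCG extraction without ever executing it.
// Method names and the null-dereference guard are assumptions for illustration.
public class TrapDemo {

    // Original behaviour of the sample; the perturbation must leave it intact.
    static int originalWork(int x) {
        return x * 2;
    }

    // Callee the adversary wants to appear as an FCG edge but never run.
    // Throwing here makes any accidental execution obvious.
    static void decoyTarget() {
        throw new IllegalStateException("decoy must never execute");
    }

    // Same semantics as originalWork, plus a statically visible but dead call.
    static int perturbedWork(int x) {
        int r = originalWork(x);
        try {
            Object trap = null;
            // Always throws NullPointerException before the next line is reached.
            trap.hashCode();
            // Never executed, but the invoke instruction is still emitted, so a
            // static extractor records the edge perturbedWork -> decoyTarget.
            decoyTarget();
        } catch (NullPointerException e) {
            // Swallow the trap exception; control flow continues as in the original.
        }
        return r;
    }

    public static void main(String[] args) {
        // Prints the same result originalWork(21) would, with decoyTarget unexecuted.
        System.out.println(perturbedWork(21));
    }
}
```

The defender-side caveat this exposes: an extractor that takes every invoke instruction as an FCG edge will count the decoy edge, and pruning it requires proving that the guard statement always throws, which is undecidable in general and expensive even for simple patterns. Note also that an optimising Android build (R8 with shrinking enabled, for instance) may remove or rewrite such dead code, so whether a given trap survives to the dex depends on the toolchain used to package the sample.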
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
