Towards a Practical Defense against Adversarial Attacks on Deep Learning-based Malware Detectors via Randomized Smoothing
Daniel Gibert, Giulio Zizzo, Quan Le

TL;DR
This paper introduces a practical defense for deep learning malware detectors using randomized ablation smoothing, which improves robustness against adversarial malware examples by ablating parts of executable files during training and testing.
Contribution
The paper proposes a novel ablation-based randomized smoothing method for malware detection that enhances robustness against adversarial attacks, differing from traditional noise-based approaches.
Findings
Enhanced robustness against evasion attacks
Improved generalization to adversarial malware
Outperforms non-smoothed classifiers in experiments
Abstract
Malware detectors based on deep learning (DL) have been shown to be susceptible to malware examples that have been deliberately manipulated in order to evade detection, a.k.a. adversarial malware examples. More specifically, it has been shown that deep learning detectors are vulnerable to small changes to the input file. Given this vulnerability of deep learning detectors, we propose a practical defense against adversarial malware examples inspired by randomized smoothing. In our work, instead of employing Gaussian or Laplace noise when randomizing inputs, we propose a randomized ablation-based smoothing scheme that ablates a percentage of the bytes within an executable. During training, our randomized ablation-based smoothing scheme trains a base classifier on ablated versions of the executable files. At test time, the final classification for a given input executable is taken as…
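The scheme the abstract describes has two halves: the base classifier is trained on ablated copies of each file, and at test time the label is a majority vote over many fresh ablations of the input. The following is an added illustration of that mechanism, not code from the paper or its authors. The deep detector is replaced by a toy Laplace-smoothed naive Bayes over byte tokens (a hypothetical stand-in chosen so the block runs offline), the "executables" are constructed synthetic byte strings rather than real files, and the keep ratio, vote count and class names are assumptions of this example.

```python
import math
import random
from collections import Counter

PAD = 256  # token for an ablated byte; outside 0..255 so the model can tell
           # "ablated" apart from a real 0x00 byte


def ablate(sample, keep_ratio, rng):
    """Return a token list in which a random (1 - keep_ratio) share of the
    byte positions has been replaced by PAD. Positions are preserved so the
    base classifier still sees where the surviving bytes were."""
    n = len(sample)
    keep = set(rng.sample(range(n), int(round(keep_ratio * n))))
    return [b if i in keep else PAD for i, b in enumerate(sample)]


class TokenNaiveBayes:
    """Toy base classifier over token counts: a hypothetical stand-in for the
    deep model that the paper smooths. Laplace-smoothed multinomial NB."""
    VOCAB = 257  # 256 byte values + PAD

    def __init__(self):
        self.tok = {0: Counter(), 1: Counter()}
        self.ntok = {0: 0, 1: 0}
        self.ndoc = {0: 0, 1: 0}

    def fit(self, samples, labels):
        for s, y in zip(samples, labels):
            self.tok[y].update(s)
            self.ntok[y] += len(s)
            self.ndoc[y] += 1

    def predict(self, tokens):
        total_docs = self.ndoc[0] + self.ndoc[1]
        best, best_score = None, -math.inf
        for y in (0, 1):
            score = math.log((self.ndoc[y] + 1) / (total_docs + 2))
            denom = self.ntok[y] + self.VOCAB
            for t in tokens:
                score += math.log((self.tok[y][t] + 1) / denom)
            if score > best_score:
                best, best_score = y, score
        return best


class AblationSmoothedClassifier:
    """Randomized ablation smoothing: the base model is trained on ablated
    copies of each file and, at test time, the label is the majority vote of
    the base model's predictions over n_votes fresh ablations of the input."""

    def __init__(self, base, keep_ratio=0.3, n_votes=50, seed=0):
        self.base = base
        self.keep_ratio = keep_ratio
        self.n_votes = n_votes
        self.rng = random.Random(seed)

    def fit(self, samples, labels, copies_per_sample=5):
        ablated, ys = [], []
        for s, y in zip(samples, labels):
            for _ in range(copies_per_sample):
                ablated.append(ablate(s, self.keep_ratio, self.rng))
                ys.append(y)
        self.base.fit(ablated, ys)

    def predict(self, sample):
        votes = Counter(
            self.base.predict(ablate(sample, self.keep_ratio, self.rng))
            for _ in range(self.n_votes)
        )
        label, count = votes.most_common(1)[0]
        return label, count / self.n_votes  # majority label and its vote share


def make_sample(rng, malicious, length=64):
    """Constructed toy 'executable': benign files draw bytes from 0x00-0x7F,
    malicious ones from 0x80-0xFF. Synthetic data, not real malware."""
    lo, hi = (0x80, 0xFF) if malicious else (0x00, 0x7F)
    return bytes(rng.randint(lo, hi) for _ in range(length))


def run_demo(seed=0):
    data_rng = random.Random(seed)
    train = [make_sample(data_rng, y) for y in (0, 1) for _ in range(40)]
    labels = [0] * 40 + [1] * 40
    clf = AblationSmoothedClassifier(TokenNaiveBayes(), keep_ratio=0.3,
                                     n_votes=50, seed=seed)
    clf.fit(train, labels)

    benign = make_sample(data_rng, 0)
    malware = make_sample(data_rng, 1)
    # Small perturbation of the malicious file: 10% of its bytes overwritten
    # with benign-looking values, the kind of change the abstract refers to.
    perturbed = bytearray(malware)
    for i in data_rng.sample(range(len(perturbed)), len(perturbed) // 10):
        perturbed[i] = data_rng.randint(0x00, 0x7F)

    return {
        "benign": clf.predict(benign),
        "malware": clf.predict(malware),
        "perturbed_malware": clf.predict(bytes(perturbed)),
    }


if __name__ == "__main__":
    for name, (label, share) in run_demo().items():
        print(f"{name:18s} -> label {label}, vote share {share:.2f}")
```

The vote share returned alongside each label is what a deployment would monitor: a file whose ablated copies split the vote is exactly the kind of input that deserves a second look, whereas a unanimous vote across 50 independent ablations means no single small region of the file is carrying the decision.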
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
Methods: Balanced Selection
