Bayesian Learned Models Can Detect Adversarial Malware For Free
Bao Gia Doan, Dang Quang Nguyen, Paul Montague, Tamas Abraham, Olivier De Vel, Seyit Camtepe, Salil S. Kanhere, Ehsan Abbasnejad, Damith C. Ranasinghe

TL;DR
This paper demonstrates that Bayesian models can effectively detect adversarial malware by quantifying epistemic uncertainty, providing a computationally efficient alternative to adversarial training across multiple malware domains.
Contribution
It introduces a Bayesian approach using mutual information to detect adversarial malware without sacrificing model performance, applicable to Android, Windows, and PDF malware.
Findings
Bayesian models can identify adversarial malware in feature and problem space.
Uncertainty measurement detects concept drift and adversarial samples.
Diversity-promoting posterior approximations improve detection accuracy.
Abstract
The vulnerability of machine learning-based malware detectors to adversarial attacks has prompted the need for robust solutions. Adversarial training is an effective method but is computationally expensive to scale up to large datasets and comes at the cost of sacrificing model performance for robustness. We hypothesize that adversarial malware exploits the low-confidence regions of models and can be identified using epistemic uncertainty of ML approaches -- epistemic uncertainty in a machine learning-based malware detector is a result of a lack of similar training samples in regions of the problem space. In particular, a Bayesian formulation can capture the model parameters' distribution and quantify epistemic uncertainty without sacrificing model performance. To verify our hypothesis, we consider Bayesian learning approaches with a mutual information-based formulation to quantify…
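The mutual-information idea in the abstract, as an added example that is not the paper's code: it scores epistemic uncertainty as the entropy of the averaged prediction minus the average entropy of each posterior sample's prediction. The function names, the quantile-based threshold and the sample probabilities are assumptions constructed for illustration.

```python
import math

def entropy(p):
    """Shannon entropy in nats of a Bernoulli with P(malware) = p."""
    return -sum(q * math.log(q) for q in (p, 1.0 - p) if q > 0.0)

def mutual_information(member_probs):
    """Epistemic uncertainty: H[mean prediction] - mean of per-member H."""
    n = len(member_probs)
    mean_p = sum(member_probs) / n
    return entropy(mean_p) - sum(entropy(p) for p in member_probs) / n

def calibrate_threshold(clean_validation, quantile=0.95):
    """MI value that roughly `quantile` of in-distribution inputs stay under."""
    scores = sorted(mutual_information(s) for s in clean_validation)
    return scores[min(len(scores) - 1, int(quantile * len(scores)))]

def triage(member_probs, threshold):
    """Flag high-MI inputs for review; otherwise return the averaged verdict."""
    if mutual_information(member_probs) > threshold:
        return "flag-uncertain"
    mean_p = sum(member_probs) / len(member_probs)
    return "malware" if mean_p >= 0.5 else "benign"

# Constructed sample data: each list holds P(malware) from five posterior samples.
CLEAN_VALIDATION = [
    [0.97, 0.98, 0.96, 0.99, 0.97],
    [0.90, 0.95, 0.85, 0.92, 0.88],
    [0.01, 0.02, 0.01, 0.03, 0.02],
    [0.05, 0.04, 0.06, 0.05, 0.03],
]
THRESHOLD = calibrate_threshold(CLEAN_VALIDATION)

AGREE_BENIGN = [0.03, 0.02, 0.04, 0.03, 0.02]  # members agree: low MI
DISAGREE = [0.02, 0.97, 0.05, 0.95, 0.50]      # members disagree: high MI
AMBIGUOUS = [0.50] * 5  # maximal predictive entropy, yet MI ~ 0 (not epistemic)

if __name__ == "__main__":
    for name, s in [("agree", AGREE_BENIGN), ("disagree", DISAGREE),
                    ("ambiguous", AMBIGUOUS)]:
        print(name, round(mutual_information(s), 4), round(entropy(sum(s) / 5), 4))
```

The ambiguous case shows why mutual information, rather than predictive entropy alone, isolates epistemic uncertainty: every posterior sample returns 0.5, so entropy is maximal while disagreement between samples is zero.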
Taxonomy
Topics: Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
