Explainability Guided Adversarial Evasion Attacks on Malware Detectors

TL;DR

This paper explores using explainability techniques, specifically SHAP, to identify critical regions in Windows PE malware files for targeted adversarial evasion attacks, improving attack efficiency.

Contribution

It introduces a novel approach combining explainability and adversarial attacks on malware detectors, leveraging SHAP to optimize perturbation placement.

Findings

Explainability techniques can effectively identify impactful regions in malware files.

SHAP-based perturbation targeting improves evasion success rates.

Granular analysis of PE sections enhances attack precision.

Abstract

As the focus on security of Artificial Intelligence (AI) is becoming paramount, research on crafting and inserting optimal adversarial perturbations has become increasingly critical. In the malware domain, this adversarial sample generation relies heavily on the accuracy and placement of crafted perturbation with the goal of evading a trained classifier. This work focuses on applying explainability techniques to enhance the adversarial evasion attack on a machine-learning-based Windows PE malware detector. The explainable tool identifies the regions of PE malware files that have the most significant impact on the decision-making process of a given malware detector, and therefore, the same regions can be leveraged to inject the adversarial perturbation for maximum efficiency. Profiling all the PE malware file regions based on their impact on the malware detector's decision enables the derivation of an efficient strategy for identifying the optimal location for perturbation injection. The strategy should incorporate the region's significance in influencing the malware detector's decision and the sensitivity of the PE malware file's integrity towards modifying that region. To assess the utility of explainable AI in crafting an adversarial sample of Windows PE malware, we utilize the DeepExplainer module of SHAP for determining the contribution of each region of PE malware to its detection by a CNN-based malware detector, MalConv. Furthermore, we analyzed the significance of SHAP values at a more granular level by subdividing each section of Windows PE into small subsections. We then performed an adversarial evasion attack on the subsections based on the corresponding SHAP values of the byte sequences.