Updating Windows Malware Detectors: Balancing Robustness and Regression against Adversarial EXEmples
Matous Kozak, Luca Demetrio, Dmitrijs Trizna, Fabio Roli

TL;DR
This paper introduces EXE-scanner, a plugin that enhances Windows malware detectors by promptly identifying adversarial EXEmples, balancing robustness and performance without extensive retraining, and highlights the detectability of such adversarial samples.
Contribution
The paper presents EXE-scanner, a plugin that can be integrated with existing detectors to prevent adversarial EXEmples efficiently, addressing the trade-off between robustness and regression.
Findings
Existing hardening techniques cause accuracy regression on non-robust models.
EXE-scanner effectively detects adversarial EXEmples with artifacts analysis.
The approach avoids costly retraining and maintains detection performance.
Abstract
Adversarial EXEmples are carefully-perturbed programs tailored to evade machine learning Windows malware detectors, with an ongoing effort to develop robust models able to address detection effectiveness. However, even if robust models can prevent the majority of EXEmples, to maintain predictive power over time, models are fine-tuned to newer threats, leading either to partial updates or time-consuming retraining from scratch. Thus, even if the robustness against adversarial EXEmples is higher, the new models might suffer a regression in performance by misclassifying threats that were previously correctly detected. For these reasons, we study the trade-off between accuracy and regression when updating Windows malware detectors by proposing EXE-scanner, a plugin that can be chained to existing detectors to promptly stop EXEmples without causing regression. We empirically show that…
Taxonomy
Topics: Advanced Malware Detection Techniques · Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
