Adversarial Evasion in Non-Stationary Malware Detection: Minimizing Drift Signals through Similarity-Constrained Perturbations
Pawan Acharya, Lan Zhang

TL;DR
This paper explores generating adversarial malware samples that evade classifiers while minimizing detectable drift signals, using similarity-constrained perturbations to enhance attack stealth in evolving environments.
Contribution
It introduces a novel similarity-regularized adversarial generation method that balances evasion success with drift signal minimization in non-stationary malware detection.
Findings
Similarity constraints reduce output drift signals effectively.
L2 regularization yields the best balance between evasion and detectability.
Higher perturbation budgets increase attack success and drift signals.
Abstract
Deep learning has emerged as a powerful approach for malware detection, demonstrating impressive accuracy across various data representations. However, these models face critical limitations in real-world, non-stationary environments where both malware characteristics and detection systems continuously evolve. Our research investigates a fundamental security question: Can an attacker generate adversarial malware samples that simultaneously evade classification and remain inconspicuous to drift monitoring mechanisms? We propose a novel approach that generates targeted adversarial examples in the classifier's standardized feature space, augmented with sophisticated similarity regularizers. By carefully constraining perturbations to maintain distributional similarity with clean malware, we create an optimization objective that balances targeted misclassification with drift signal…
