
Level Up with ML Vulnerability Identification: Leveraging Domain Constraints in Feature Space for Robust Android Malware Detection

Hamid Bostani, Zhengyu Zhao, Zhuoran Liu, Veelasha Moonsamy

TL;DR

The paper addresses the vulnerability of ML-based Android malware detection to realistic evasion by modeling domain constraints directly in the feature space. It learns feature-space domain constraints using correlations and a modified Optimum-Path Forest (OPF), producing two dependency sets, Υ (perfect) and Λ (relatively strong), along with a CSR-based mechanism to detect adversarial examples. The learned constraints are applied in two defenses: detection of realizable AEs, and adversarial training/retraining on generated feature-space realizable AEs, which yields better robustness than norm-bounded or pure problem-space approaches. Empirical results across multiple detectors (DREBIN, DroidAPIMiner, RAMDA, R-PackDroid) and attacks show high AE detection rates (e.g., an average of 89.6%, as stated in the abstract) and significant robustness improvements (up to 77.9% robustness gain and up to 70x faster training than problem-space AE generation), demonstrating practical, scalable defenses against realistic evasion in AMD.

Abstract

Machine Learning (ML) promises to enhance the efficacy of Android Malware Detection (AMD); however, ML models are vulnerable to realistic evasion attacks--crafting realizable Adversarial Examples (AEs) that satisfy Android malware domain constraints. To eliminate ML vulnerabilities, defenders aim to identify susceptible regions in the feature space where ML models are prone to deception. The primary approach to identifying vulnerable regions involves investigating realizable AEs, but generating these feasible apps poses a challenge. For instance, previous work has relied on generating either feature-space norm-bounded AEs or problem-space realizable AEs in adversarial hardening. The former is efficient but lacks full coverage of vulnerable regions while the latter can uncover these regions by satisfying domain constraints but is known to be time-consuming. To address these limitations, we propose an approach to facilitate the identification of vulnerable regions. Specifically, we introduce a new interpretation of Android domain constraints in the feature space, followed by a novel technique that learns them. Our empirical evaluations across various evasion attacks indicate effective detection of AEs using learned domain constraints, with an average of 89.6%. Furthermore, extensive experiments on different Android malware detectors demonstrate that utilizing our learned domain constraints in Adversarial Training (AT) outperforms other AT-based defenses that rely on norm-bounded AEs or state-of-the-art non-uniform perturbations. Finally, we show that retraining a malware detector with a wide variety of feature-space realizable AEs results in a 77.9% robustness improvement against realizable AEs generated by unknown problem-space transformations, with up to 70x faster training than using problem-space realizable AEs.

Paper Structure (28 sections, 7 equations, 8 figures, 7 tables, 2 algorithms)

Figures (8)

  • Figure 1: Feature space achieved by existing unrealistic attacks (blue) may not cover the realizable AE space (gray). The $\epsilon$-ball covers all possible AEs that can be generated for the malware sample (red).
  • Figure 2: Illustration of generating AEs in the problem space $\mathcal{Z}$ and the feature space $\mathcal{X}$, where $\psi$ is a mapping function from $\mathcal{Z}$ to $\mathcal{X}$. The feature-space perturbations $\delta_1$, $\delta_2$, $\delta_3$, and $\delta_4$ correspond to the problem-space transformations $t_1$, $t_2$, $t_3$, and $t_4$, respectively. The dashed lines are the decision boundaries that distinguish malware from benignware. The areas surrounded by solid closed curves represent the realizable problem space and feature space, which meet problem-space domain constraints $\Gamma_{\mathcal{Z}}$ and feature-space domain constraints $\Gamma_{\mathcal{X}}$, respectively. $z^*$ and $x^*$ are realizable AEs, but $z'$ and $x'$ are unrealizable AEs.
  • Figure 3: The dependency of two units in the app $z$ is represented by the dependency of two corresponding features in the feature representation $x$.
  • Figure 4: Overview of our method for learning domain constraints from data based on meaningful feature dependencies. $\varphi_{a,b}$ shows the correlation coefficient between $f_a$ and $f_b$, and $c_{f_a}$ represents the path cost from $f_a$ to the best prototype identified by solving equation (\ref{eq:cost_function}).
  • Figure 5: Illustration of generating a feature-space realizable AE $x^*_1$ by adding missed meaningful dependent features $\eta$ to unrealizable AE $x'_1$. The area surrounded by the black closed curve represents the actual realizable feature space determined by the complete domain constraints $\Gamma_{\mathcal{X}}$, while the blue closed curve area represents the realizable feature space determined by our learned domain constraints $\Gamma'_{\mathcal{X}}$. Our learned realizable space is a subset of the actual realizable space due to the limitation of learning from finite data.
  • ...and 3 more figures
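
The idea in Figures 3 to 5, learning feature dependencies from data and then finding the dependent features a perturbed vector is missing, is sketched below as an added example; it is not the paper's code. Assumptions: an "always co-occurs" check stands in for the perfect set Υ, a plain phi-correlation threshold stands in for the modified OPF step that yields Λ, and the feature names, app vectors and 0.7 threshold are constructed for illustration.

```python
from math import sqrt

# Constructed feature names and app vectors (1 = feature present); not data from the paper.
FEATURES = ["perm.SEND_SMS", "api.sendTextMessage", "perm.INTERNET",
            "api.HttpURLConnection", "perm.READ_CONTACTS"]
APPS = [
    [1, 1, 1, 1, 0], [1, 1, 1, 0, 0], [0, 0, 1, 1, 1], [0, 0, 1, 0, 1],
    [1, 0, 1, 1, 0], [0, 0, 0, 0, 1], [1, 1, 0, 0, 0], [0, 0, 1, 1, 0],
]

def phi(X, a, b):
    """Phi correlation coefficient between binary features a and b."""
    n11 = sum(r[a] and r[b] for r in X)
    n10 = sum(r[a] and not r[b] for r in X)
    n01 = sum(not r[a] and r[b] for r in X)
    n00 = len(X) - n11 - n10 - n01
    denom = sqrt((n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00))
    return (n11 * n00 - n10 * n01) / denom if denom else 0.0

def learn_constraints(X, strong=0.7):
    """Return (perfect, relaxed) sets of directed pairs (a, b): a present -> b expected."""
    perfect, relaxed = set(), set()
    for a in range(len(X[0])):
        holders = [r for r in X if r[a]]
        for b in range(len(X[0])):
            if a == b or not holders:
                continue
            if all(r[b] for r in holders):
                perfect.add((a, b))   # b accompanies a in every training app
            elif phi(X, a, b) >= strong:
                relaxed.add((a, b))   # strongly correlated, but with exceptions
    return perfect, relaxed

def missing_dependents(x, deps):
    """Indices required by deps but absent from x (the features eta of Figure 5)."""
    return sorted({b for a, b in deps if x[a] and not x[b]})

def audit(x, perfect, relaxed):
    """'violation' breaks a perfect dependency, 'suspicious' only a relaxed one."""
    hard = missing_dependents(x, perfect)
    soft = missing_dependents(x, relaxed)
    verdict = "violation" if hard else "suspicious" if soft else "consistent"
    return verdict, [FEATURES[i] for i in hard + soft]
```

A vector that sets `api.HttpURLConnection` without `perm.INTERNET` is reported as a violation with the missing permission listed, which is the kind of feature-space inconsistency a norm-bounded perturbation can introduce.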