Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Updating Windows Malware Detectors: Balancing Robustness and Regression against Adversarial EXEmples

Matous Kozak, Luca Demetrio, Dmitrijs Trizna, Fabio Roli

TL;DR

This work addresses the challenge of updating Windows malware detectors to withstand adversarial EXEmples without incurring performance regression. It introduces EXE-scanner, a lightweight plugin that can be attached to any baseline detector to detect and block adversarial EXEmples while preserving prior predictions. Through extensive experiments, EXE-scanner matches or surpasses adversarial training in robustness and demonstrates minimal or no regression, even when paired with commercial AV engines; SHAP analysis reveals perturbation artifacts that these attacks leave behind. The authors also release a large adversarial EXEmples dataset and code to support reproducibility and further research in robust malware detection.

Abstract

Adversarial EXEmples are carefully-perturbed programs tailored to evade machine learning Windows malware detectors, with an ongoing effort to develop robust models able to address detection effectiveness. However, even if robust models can prevent the majority of EXEmples, to maintain predictive power over time, models are fine-tuned to newer threats, leading either to partial updates or time-consuming retraining from scratch. Thus, even if the robustness against adversarial EXEmples is higher, the new models might suffer a regression in performance by misclassifying threats that were previously correctly detected. For these reasons, we study the trade-off between accuracy and regression when updating Windows malware detectors by proposing EXE-scanner, a plugin that can be chained to existing detectors to promptly stop EXEmples without causing regression. We empirically show that previously proposed hardening techniques suffer a regression of accuracy when updating non-robust models, exacerbating the gap when considering low false positives regimes and temporal drifts affecting data. Also, through EXE-scanner we gain evidence on the detectability of adversarial EXEmples, showcasing the presence of artifacts left inside while creating them. Due to its design, EXE-scanner can be chained to any classifier to obtain the best performance without the need for costly retraining. To foster reproducibility, we openly release the source code, along with the dataset of adversarial EXEmples based on state-of-the-art perturbation algorithms.

Updating Windows Malware Detectors: Balancing Robustness and Regression against Adversarial EXEmples

TL;DR

This work addresses the challenge of updating Windows malware detectors to withstand adversarial EXEmples without incurring performance regression. It introduces EXE-scanner, a lightweight plugin that can be attached to any baseline detector to detect and block adversarial EXEmples while preserving prior predictions. Through extensive experiments, EXE-scanner matches or surpasses adversarial training in robustness and demonstrates minimal or no regression, even when paired with commercial AV engines; SHAP analysis reveals perturbation artifacts that these attacks leave behind. The authors also release a large adversarial EXEmples dataset and code to support reproducibility and further research in robust malware detection.

Abstract

Adversarial EXEmples are carefully-perturbed programs tailored to evade machine learning Windows malware detectors, with an ongoing effort to develop robust models able to address detection effectiveness. However, even if robust models can prevent the majority of EXEmples, to maintain predictive power over time, models are fine-tuned to newer threats, leading either to partial updates or time-consuming retraining from scratch. Thus, even if the robustness against adversarial EXEmples is higher, the new models might suffer a regression in performance by misclassifying threats that were previously correctly detected. For these reasons, we study the trade-off between accuracy and regression when updating Windows malware detectors by proposing EXE-scanner, a plugin that can be chained to existing detectors to promptly stop EXEmples without causing regression. We empirically show that previously proposed hardening techniques suffer a regression of accuracy when updating non-robust models, exacerbating the gap when considering low false positives regimes and temporal drifts affecting data. Also, through EXE-scanner we gain evidence on the detectability of adversarial EXEmples, showcasing the presence of artifacts left inside while creating them. Due to its design, EXE-scanner can be chained to any classifier to obtain the best performance without the need for costly retraining. To foster reproducibility, we openly release the source code, along with the dataset of adversarial EXEmples based on state-of-the-art perturbation algorithms.
Paper Structure (22 sections, 4 figures, 13 tables)

This paper contains 22 sections, 4 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Malware Detection and Regression
  4. Adversarial EXEmples
  5. EXE-scanner: a Robust Plugin for AVs
  6. Dataset Creation
  7. EXE-scanner Architecture
  8. Experimental Analysis
  9. Experimental Setup
  10. EXE-scanner Architectures
  11. Transfer Attacks against EXE-scanner
  12. Hardening Models with EXE-scanner
  13. Explaining the Behavior of EXE-scanner
  14. Security Regression and Comparison with Adversarial Training
  15. Pairing EXE-scanner with Commercially AVs
  16. ...and 7 more sections

Figures (4)

  • Figure 1: The Windows PE file format. Each colored section highlights a specific component.
  • Figure 2: EXE-scanner in action: regular malware are blocked by the baseline AV, while adversarial EXEmples able to bypass the baseline are blocked by our detector. Goodware is passed through to avoid raising false alarms.
  • Figure 3: Distribution of malware families inside the set of unmodified malicious files. We flag as Unknown all those samples for which AVClass was unable to provide an answer, while we group as other the remaining family with less than 2.0% of presence in our dataset.
  • Figure 4: ROC (on the left) and precision-recall (on the right) curves for logistic regression, SVC, and GBDT EXE-scanners on the $\text{test}_1$ set.