Improving Adversarial Robustness in Android Malware Detection by Reducing the Impact of Spurious Correlations

Hamid Bostani, Zhengyu Zhao, Veelasha Moonsamy

TL;DR

The paper tackles adversarial robustness in Android malware detection by addressing the problem of spurious correlations that degrade generalization. It introduces a domain-adaptation-based defense that constructs a robust feature space $\mathcal{H}$ from the original space $\mathcal{X}$ by exploiting domain constraints and feature dependencies, using an OPF-driven clustering to form feature groups. A transformation $\lambda$ maps $\mathcal{X}$ to $\mathcal{H}$, and a classifier $f$ trained on $\mathcal{H}$ aims to learn functional malware patterns rather than biased cues, with distributions $D_T^{\mathcal{H}}$ and $D_U^{\mathcal{H}}$ better aligned. Empirical results on the DREBIN detector show that the proposed DREBIN-Robust outperforms Sec-SVM in robustness against realistic evasion attacks, sometimes by over 55%, while maintaining competitive clean performance and lower training time, demonstrating practical effectiveness of the approach.

Abstract

Machine learning (ML) has demonstrated significant advancements in Android malware detection (AMD); however, the resilience of ML against realistic evasion attacks remains a major obstacle for AMD. One of the primary factors contributing to this challenge is the scarcity of reliable generalizations. Malware classifiers with limited generalizability tend to overfit spurious correlations derived from biased features. Consequently, adversarial examples (AEs), generated by evasion attacks, can modify these features to evade detection. In this study, we propose a domain adaptation technique to improve the generalizability of AMD by aligning the distribution of malware samples and AEs. Specifically, we utilize meaningful feature dependencies, reflecting domain constraints in the feature space, to establish a robust feature space. Training on the proposed robust feature space enables malware classifiers to learn from predefined patterns associated with app functionality rather than from individual features. This approach helps mitigate spurious correlations inherent in the initial feature space. Our experiments conducted on DREBIN, a renowned Android malware detector, demonstrate that our approach surpasses the state-of-the-art defense, Sec-SVM, when facing realistic evasion attacks. In particular, our defense can improve adversarial robustness by up to 55% against realistic evasion attacks compared to Sec-SVM.

Paper Structure (15 sections, 2 equations, 6 figures, 2 tables)

Figures (6)

  • Figure 1: An illustration of our proposed domain-adaptation technique. In the initial feature space, the distributions of malware samples and adversarial examples differ significantly. However, in our proposed robust feature space, their distributions are more aligned.
  • Figure 2: An example of the OPF process constructed to capture feature dependencies. (a) shows the completed weighted graph $\mathcal{G}$, where node $f_i$ represents the feature $f_i$ and $\varphi_{i,j}$ represents the correlation between $f_i$ and $f_j$. (b) shows the final OPF, which comprises two OPTs derived from $\mathcal{G}$. The colored nodes signify primary features, and $w_{f_i}$ denotes the path cost from $f_i$ to its relevant primary features.
  • Figure 3: Overview of our method for applying domain constraints to construct a robust feature space.
  • Figure 4: The evasion success rates of PK-Greedy against different DREBIN detectors when varying the number of added features.
  • Figure 5: t-SNE visualization of malware and adversarial malware samples in (a) the feature space $\mathcal{X}$ and (b) our robust feature space $\mathcal{H}$.
  • ...and 1 more figures