Effectiveness of Adversarial Benign and Malware Examples in Evasion and Poisoning Attacks
Matouš Kozák, Martin Jureček
TL;DR
The paper addresses adversarial attacks in the Portable Executable (PE) malware domain, with a novel emphasis on benign adversarial examples (AEs), which can inflate false positives and erode trust in antivirus (AV) solutions. It formalizes benign AEs, adapts existing adversarial malware generators to produce them, and evaluates their effectiveness in evasion and poisoning attacks against a detector $f$, where an input $x$ is perturbed by $\delta$ so that $x_{adv} = x + \delta$ and $f(x_{adv}) = 0$. Key findings show that benign AEs can achieve evasion rates comparable to those of malware AEs and that, in poisoning scenarios, benign AEs combined from different generators can outperform malware AEs, significantly reducing detection at fixed false positive rates. These results broaden the attack surface that researchers and defenders must consider, highlight practical risks to trust in AV products, and motivate follow-up work on defenses robust to both benign and malicious perturbations.
Abstract
Adversarial attacks present significant challenges for malware detection systems. This research investigates the effectiveness of benign and malicious adversarial examples (AEs) in evasion and poisoning attacks on the Portable Executable file domain. A novel focus of this study is on benign AEs, which, although not directly harmful, can increase false positives and undermine trust in antivirus solutions. We propose modifying existing adversarial malware generators to produce benign AEs and show they are as successful as malware AEs in evasion attacks. Furthermore, our data show that benign AEs have a more decisive influence in poisoning attacks than standard malware AEs, demonstrating their superior ability to decrease the model's performance. Our findings introduce new opportunities for adversaries and further increase the attack surface that needs to be protected by security researchers.
