Defending against Adversarial Malware Attacks on ML-based Android Malware Detection Systems
Ping He, Lorenzo Cavallaro, Shouling Ji
TL;DR
This work tackles the vulnerability of ML-based Android malware detection to real problem-space adversarial attacks that alter APKs under program-grammar constraints. It introduces ADD, a plug-in defense that revisits benign predictions by quantifying incompatibility between perturbable and imperturbable feature spaces via encoder-based projections and a customized contrastive loss. A calibrated threshold using TNIR and FNIR balances preserving original detection performance with detecting adversarial samples, achieving substantial improvements (NDASR ≈ 95% across models) and demonstrating transferability to real-world antivirus engines like VirusTotal. The approach offers a practical, cost-effective defense against realistic malware adversaries and paves the way for robust AMD systems in dynamic threat landscapes.
Abstract
Android malware presents a persistent threat to users' privacy and data integrity. To combat this, researchers have proposed machine learning-based (ML-based) Android malware detection (AMD) systems. However, adversarial Android malware attacks compromise the detection integrity of the ML-based AMD systems, raising significant concerns. Existing defenses against adversarial Android malware provide protections against feature space attacks which generate adversarial feature vectors only, leaving protection against realistic threats from problem space attacks which generate real adversarial malware an open problem. In this paper, we address this gap by proposing ADD, a practical adversarial Android malware defense framework designed as a plug-in to enhance the adversarial robustness of the ML-based AMD systems against problem space attacks. Our extensive evaluation across various ML-based AMD systems demonstrates that ADD is effective against state-of-the-art problem space adversarial Android malware attacks. Additionally, ADD shows the defense effectiveness in enhancing the adversarial robustness of real-world antivirus solutions.
