Table of Contents
Fetching ...

Defending against Adversarial Malware Attacks on ML-based Android Malware Detection Systems

Ping He, Lorenzo Cavallaro, Shouling Ji

TL;DR

This work tackles the vulnerability of ML-based Android malware detection to real problem-space adversarial attacks that alter APKs under program-grammar constraints. It introduces ADD, a plug-in defense that revisits benign predictions by quantifying incompatibility between perturbable and imperturbable feature spaces via encoder-based projections and a customized contrastive loss. A calibrated threshold using TNIR and FNIR balances preserving original detection performance with detecting adversarial samples, achieving substantial improvements (NDASR ≈ 95% across models) and demonstrating transferability to real-world antivirus engines like VirusTotal. The approach offers a practical, cost-effective defense against realistic malware adversaries and paves the way for robust AMD systems in dynamic threat landscapes.

Abstract

Android malware presents a persistent threat to users' privacy and data integrity. To combat this, researchers have proposed machine learning-based (ML-based) Android malware detection (AMD) systems. However, adversarial Android malware attacks compromise the detection integrity of the ML-based AMD systems, raising significant concerns. Existing defenses against adversarial Android malware provide protections against feature space attacks which generate adversarial feature vectors only, leaving protection against realistic threats from problem space attacks which generate real adversarial malware an open problem. In this paper, we address this gap by proposing ADD, a practical adversarial Android malware defense framework designed as a plug-in to enhance the adversarial robustness of the ML-based AMD systems against problem space attacks. Our extensive evaluation across various ML-based AMD systems demonstrates that ADD is effective against state-of-the-art problem space adversarial Android malware attacks. Additionally, ADD shows the defense effectiveness in enhancing the adversarial robustness of real-world antivirus solutions.

Defending against Adversarial Malware Attacks on ML-based Android Malware Detection Systems

TL;DR

This work tackles the vulnerability of ML-based Android malware detection to real problem-space adversarial attacks that alter APKs under program-grammar constraints. It introduces ADD, a plug-in defense that revisits benign predictions by quantifying incompatibility between perturbable and imperturbable feature spaces via encoder-based projections and a customized contrastive loss. A calibrated threshold using TNIR and FNIR balances preserving original detection performance with detecting adversarial samples, achieving substantial improvements (NDASR ≈ 95% across models) and demonstrating transferability to real-world antivirus engines like VirusTotal. The approach offers a practical, cost-effective defense against realistic malware adversaries and paves the way for robust AMD systems in dynamic threat landscapes.

Abstract

Android malware presents a persistent threat to users' privacy and data integrity. To combat this, researchers have proposed machine learning-based (ML-based) Android malware detection (AMD) systems. However, adversarial Android malware attacks compromise the detection integrity of the ML-based AMD systems, raising significant concerns. Existing defenses against adversarial Android malware provide protections against feature space attacks which generate adversarial feature vectors only, leaving protection against realistic threats from problem space attacks which generate real adversarial malware an open problem. In this paper, we address this gap by proposing ADD, a practical adversarial Android malware defense framework designed as a plug-in to enhance the adversarial robustness of the ML-based AMD systems against problem space attacks. Our extensive evaluation across various ML-based AMD systems demonstrates that ADD is effective against state-of-the-art problem space adversarial Android malware attacks. Additionally, ADD shows the defense effectiveness in enhancing the adversarial robustness of real-world antivirus solutions.
Paper Structure (26 sections, 8 equations, 2 figures, 10 tables, 5 algorithms)

This paper contains 26 sections, 8 equations, 2 figures, 10 tables, 5 algorithms.

Figures (2)

  • Figure 1: Adversarial Android malware attack framework.
  • Figure 2: The overview of ADD. It operates in three stages: space quantification stage, feature projection stage, and threshold calibration stage.