RoMA: Robust Malware Attribution via Byte-level Adversarial Training with Global Perturbations and Adversarial Consistency Regularization

Yuxia Sun, Huihong Chen, Jingcai Guo, Aoxiang Sun, Zhetao Li, Haolin Liu

TL;DR

This work tackles the vulnerability of byte-level APT malware attribution to adversarial perturbations by introducing RoMA, a fast single-step adversarial training framework that leverages a Global Perturbation pool and Adversarial Consistency Regularization. RoMA augments a MalConv-GCG backbone with a GP-based perturbation strategy and a projection-based consistency objective, achieving strong robustness (e.g., >80% robust accuracy under PGD) while maintaining or improving clean accuracy and training efficiency. The authors also contribute AMG18, a diverse, imbalanced dataset for attribution research, and demonstrate that RoMA outperforms seven baselines across robustness and efficiency benchmarks. The approach advances practical, scalable defenses for malware attribution and provides publicly available models and data for reproducibility and broader evaluation.

Abstract

Attributing APT (Advanced Persistent Threat) malware to their respective groups is crucial for threat intelligence and cybersecurity. However, APT adversaries often conceal their identities, rendering attribution inherently adversarial. Existing machine learning-based attribution models, while effective, remain highly vulnerable to adversarial attacks. For example, the state-of-the-art byte-level model MalConv sees its accuracy drop from over 90% to below 2% under PGD (projected gradient descent) attacks. Existing gradient-based adversarial training techniques for malware detection or image processing were applied to malware attribution in this study, revealing that both robustness and training efficiency require significant improvement. To address this, we propose RoMA, a novel single-step adversarial training approach that integrates global perturbations to generate enhanced adversarial samples and employs adversarial consistency regularization to improve representation quality and resilience. A novel APT malware dataset named AMG18, with diverse samples and realistic class imbalances, is introduced for evaluation. Extensive experiments show that RoMA significantly outperforms seven competing methods in both adversarial robustness (e.g., achieving over 80% robust accuracy, more than twice that of the next-best method under PGD attacks) and training efficiency (e.g., more than twice as fast as the second-best method in terms of accuracy), while maintaining superior standard accuracy in non-adversarial scenarios.

Paper Structure

This paper contains 27 sections, 7 equations, 4 figures, 3 tables, 1 algorithm.

Figures (4)

  • Figure 1: Overview of the RoMA Training approach, with creamy-yellow components denoting the trained malware attribution model.
  • Figure 2: Visualization of malware representation distributions for attribution models trained using four representative methods.
  • Figure A3: Perturbation positions in a PE file.
  • Figure A4: Visualization of malware representation distributions for attribution models trained using all eight methods.