Machine Learning (ML) techniques facilitate automating malicious software (malware for short) detection, but suffer from evasion attacks. Many researchers counter such attacks in heuristic manners that lack both theoretical guarantees and defense effectiveness. We hence propose a new adversarial training framework, termed Principled Adversarial Malware Detection (PAD), which encourages convergence guarantees for robust optimization methods. PAD rests on a learnable convex measurement that quantifies distribution-wise discrete perturbations and protects the malware detector from adversaries, so that, for smooth detectors, adversarial training can be performed heuristically while still admitting theoretical treatment. To promote defense effectiveness, we propose a new mixture of attacks to instantiate PAD for enhancing the deep neural network-based measurement and malware detector. Experimental results on two Android malware datasets demonstrate: (i) the proposed method significantly outperforms the state-of-the-art defenses; (ii) it can harden ML-based malware detection against 27 evasion attacks with detection accuracies greater than 83.45%, while suffering an accuracy decrease smaller than 2.16% in the absence of attacks; (iii) it matches or outperforms many anti-malware scanners in the VirusTotal service against realistic adversarial malware.