Numerous open-source and commercial malware detectors are available. However, their efficacy is threatened by new adversarial attacks, whereby malware attempts to evade detection, e.g., by performing feature-space manipulation. In this work, we propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors when confronted with adversarial attacks. The framework introduces the concept of Accrued Malicious Magnitude (AMM) to identify which malware features could be manipulated to maximize the likelihood of evading detection. We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware. We find that (i) commercial antivirus engines are vulnerable to AMM-guided test cases; (ii) the ability of a manipulated malware generated using one detector to evade detection by another detector (i.e., transferability) depends on the overlap of features with large AMM values between the different detectors; and (iii) AMM values effectively measure the fragility of features (i.e., capability of feature-space manipulation to flip the prediction results) and explain the robustness of malware detectors facing evasion attacks. Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.

翻译：目前存在大量开源和商业恶意软件检测器。然而，其有效性受到新型对抗攻击的威胁——恶意软件试图规避检测，例如通过特征空间操纵。本文提出一种可解释性引导且与模型无关的测试框架，用于评估恶意软件检测器面对对抗攻击时的鲁棒性。该框架引入“累积恶意量”（AMM）概念，以识别哪些恶意软件特征可能被操纵从而最大化规避检测的可能性。我们利用该框架测试了多种先进恶意软件检测器识别被操纵恶意软件的能力。研究发现：（i）商业反病毒引擎易受AMM引导测试用例的攻击；（ii）利用某一检测器生成的被操纵恶意软件对其他检测器（即可迁移性）的规避能力，取决于不同检测器之间具有较大AMM值的特征重叠程度；（iii）AMM值能有效衡量特征的脆弱性（即特征空间操纵以翻转预测结果的能力），并解释恶意软件检测器面对规避攻击时的鲁棒性。我们的发现揭示了当前恶意软件检测器的局限性，同时指明了其改进方向。