Malware detectors based on deep learning (DL) have been shown to be susceptible to malware examples that have been deliberately manipulated in order to evade detection, a.k.a. adversarial malware examples. More specifically, it has been shown that deep learning detectors are vulnerable to small changes to the input file. Given this vulnerability of deep learning detectors, we propose a practical defense against adversarial malware examples inspired by randomized smoothing. Instead of employing Gaussian or Laplace noise when randomizing inputs, we propose a randomized ablation-based smoothing scheme that ablates a percentage of the bytes within an executable. During training, the scheme trains a base classifier on ablated versions of the executable files. At test time, the final classification for a given input executable is the class most commonly predicted by the base classifier over a set of ablated versions of the original executable. To demonstrate the suitability of our approach, we empirically evaluate the proposed ablation-based model against various state-of-the-art evasion attacks on the BODMAS dataset. Results show greater robustness and generalization to adversarial malware examples in comparison to a non-smoothed classifier.
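The following is an added illustration of the ablation-and-vote mechanism the abstract describes; it is not the authors' code and does not reproduce their model. It assumes (not stated in the abstract) that an ablated byte is replaced by an out-of-range token (256) so the base classifier can tell "hidden" from 0x00, that the ablation rate fixes the exact number of hidden positions, and it substitutes a constructed toy scoring rule for the trained base classifier. The last function is a derived sanity check, not part of the paper: for an in-place modification of m bytes, it gives the exact probability that an ablated view hides every modified byte, in which case the base classifier sees exactly the view it would see for the unmodified file. That argument does not cover attacks that change the file length (e.g. appending bytes), which is why the length check is enforced.

```python
import math
import random
from collections import Counter

# Assumption: ablated bytes become an out-of-range token rather than 0x00.
ABLATED = 256


def ablate(data: bytes, ablation_rate: float, rng: random.Random) -> list:
    """Return one ablated view of `data`: round(rate * len) positions are hidden."""
    n = len(data)
    k = int(round(ablation_rate * n))
    hidden = set(rng.sample(range(n), k))
    return [ABLATED if i in hidden else b for i, b in enumerate(data)]


def make_training_views(data: bytes, ablation_rate: float, copies: int, seed: int) -> list:
    """Training-time augmentation: independently ablated views of one file."""
    rng = random.Random(seed)
    return [ablate(data, ablation_rate, rng) for _ in range(copies)]


def smoothed_predict(data: bytes, base_classifier, ablation_rate: float,
                     num_views: int, seed: int = 0):
    """Test-time majority vote over `num_views` ablated views.

    Returns (label, vote_share): the most common base-classifier label and the
    fraction of views that voted for it (a cheap confidence indicator).
    """
    rng = random.Random(seed)
    votes = Counter(base_classifier(ablate(data, ablation_rate, rng))
                    for _ in range(num_views))
    label, count = votes.most_common(1)[0]
    return label, count / num_views


def prob_modification_fully_hidden(n: int, m: int, k: int) -> float:
    """Exact probability that all m modified positions of an n-byte file fall
    among the k ablated positions (hypergeometric: C(n-m, k-m) / C(n, k))."""
    if m > k:
        return 0.0
    return math.comb(n - m, k - m) / math.comb(n, k)


def fraction_views_unchanged(original: bytes, modified: bytes, ablation_rate: float,
                             num_views: int, seed: int = 0) -> float:
    """Empirical counterpart: share of views (same ablation pattern applied to
    both files) in which the in-place modification is invisible to the classifier."""
    if len(original) != len(modified):
        raise ValueError("only in-place modifications are comparable view-by-view")
    rng_a, rng_b = random.Random(seed), random.Random(seed)  # identical patterns
    same = sum(ablate(original, ablation_rate, rng_a) == ablate(modified, ablation_rate, rng_b)
               for _ in range(num_views))
    return same / num_views


# Constructed stand-in for a trained base classifier (NOT a real detector):
# share of visible bytes in a "suspicious" range, thresholded at 0.5.
SUSPICIOUS = set(range(0x80, 0x100))


def toy_base_classifier(view) -> int:
    visible = [b for b in view if b != ABLATED]
    if not visible:
        return 0
    score = sum(1 for b in visible if b in SUSPICIOUS) / len(visible)
    return 1 if score > 0.5 else 0


# Constructed samples, not real binaries.
BENIGN = bytes(range(0x20, 0x7f)) * 4
MALWARE = bytes(range(0x80, 0x100)) * 2

if __name__ == "__main__":
    print("benign ->", smoothed_predict(BENIGN, toy_base_classifier, 0.3, 50))
    print("malware ->", smoothed_predict(MALWARE, toy_base_classifier, 0.3, 50))
    print("P(2 modified bytes hidden, n=100, k=30) =",
          prob_modification_fully_hidden(100, 2, 30))
```

The vote share returned by `smoothed_predict` is worth logging in a deployment: a label carried by a narrow majority is exactly the case where a few manipulated bytes can still flip the outcome.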