Adversarial EXEmples are carefully perturbed programs tailored to evade machine-learning Windows malware detectors, and there is an ongoing effort to develop robust models that withstand them. However, even if robust models stop the majority of EXEmples, keeping predictive power over time requires fine-tuning models to newer threats, which means either partial updates or time-consuming retraining from scratch. Thus, even when robustness against attacks improves, the updated model may suffer a regression in performance by misclassifying threats that the previous model correctly detected. For these reasons, we study the trade-off between accuracy and regression when updating Windows malware detectors, and we propose EXE-scanner, a plugin that can be chained to existing detectors to promptly stop EXEmples without causing regression. We empirically show that previously proposed hardening techniques suffer a regression in accuracy when used to update non-robust models. By contrast, we show that EXE-scanner achieves performance comparable to robust models without regression in accuracy, and we show how to chain it after the base classifier to obtain the best performance without costly retraining. To foster reproducibility, we openly release the source code, along with a dataset of adversarial EXEmples generated with state-of-the-art perturbation algorithms.
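The regression the abstract refers to is usually measured as "negative flips": samples the old detector classified correctly that the updated detector gets wrong. The following added example (not code from the paper or from the EXE-scanner repository) computes that metric on a small constructed test set and contrasts two update strategies: replacing the base model with a retrained one, versus keeping the base model and chaining a second-stage scanner after it. The chaining rule is an assumption made here for illustration (the scanner only sees files the base model let through, and a base verdict of "malware" is never overturned); under that rule a malware file caught by the base model stays caught, so malware-side regression is zero by construction, while the trade-off shows up as possible new false positives on benign files. All scores, file names and labels are constructed toy data, not results from the paper.

```python
# Added example, not from the paper or the EXE-scanner code base.
# Measures update regression ("negative flips") for a Windows malware
# detector and compares a retrained model against a base model chained
# to a second-stage scanner. All data below is constructed toy data.
from dataclasses import dataclass

MALWARE, BENIGN = 1, 0
THRESHOLD = 0.5  # a file is flagged when its score is >= THRESHOLD


@dataclass(frozen=True)
class Sample:
    name: str
    label: int        # ground truth: 1 = malware, 0 = benign
    is_exemple: bool  # True for adversarially perturbed malware (an EXEmple)


# Constructed test set: four plain malware, two EXEmples, three benign files.
SAMPLES = [
    Sample("mal_a.exe", MALWARE, False),
    Sample("mal_b.exe", MALWARE, False),
    Sample("mal_c.exe", MALWARE, False),
    Sample("mal_d.exe", MALWARE, False),
    Sample("mal_a_adv.exe", MALWARE, True),
    Sample("mal_b_adv.exe", MALWARE, True),
    Sample("notepad.exe", BENIGN, False),
    Sample("setup.exe", BENIGN, False),
    Sample("driver_tool.exe", BENIGN, False),
]

# Constructed maliciousness scores in [0, 1] for three hypothetical models.
# Base model: catches plain malware, misses both EXEmples.
BASE_SCORES = {
    "mal_a.exe": 0.90, "mal_b.exe": 0.80, "mal_c.exe": 0.70, "mal_d.exe": 0.60,
    "mal_a_adv.exe": 0.20, "mal_b_adv.exe": 0.30,
    "notepad.exe": 0.10, "setup.exe": 0.20, "driver_tool.exe": 0.30,
}
# Retrained (hardened) model: now catches the EXEmples but, having shifted its
# decision boundary, drops mal_c.exe below the threshold: a regression.
RETRAINED_SCORES = {
    "mal_a.exe": 0.95, "mal_b.exe": 0.85, "mal_c.exe": 0.40, "mal_d.exe": 0.70,
    "mal_a_adv.exe": 0.80, "mal_b_adv.exe": 0.75,
    "notepad.exe": 0.10, "setup.exe": 0.20, "driver_tool.exe": 0.30,
}
# Second-stage scanner: trained only to spot EXEmple-style perturbations.
# It also mis-scores setup.exe, which is the cost of chaining we want to see.
SCANNER_SCORES = {
    "mal_a.exe": 0.10, "mal_b.exe": 0.10, "mal_c.exe": 0.10, "mal_d.exe": 0.10,
    "mal_a_adv.exe": 0.90, "mal_b_adv.exe": 0.85,
    "notepad.exe": 0.10, "setup.exe": 0.60, "driver_tool.exe": 0.20,
}


def predict(scores, sample):
    return MALWARE if scores[sample.name] >= THRESHOLD else BENIGN


def chained_predict(base_scores, scanner_scores, sample):
    """Assumed chaining rule: the scanner runs only on files the base model
    let through, and a base 'malware' verdict is never overturned. Hence any
    malware the base model caught is still caught by the chain."""
    if predict(base_scores, sample) == MALWARE:
        return MALWARE
    return predict(scanner_scores, sample)


def flips(old_pred, new_pred, samples, label):
    """Samples of the given class that the old detector got right and the new
    one gets wrong. label=MALWARE gives the classic negative-flip regression."""
    return sorted(
        s.name for s in samples
        if s.label == label and old_pred(s) == s.label and new_pred(s) != s.label
    )


def accuracy(pred, samples):
    return sum(pred(s) == s.label for s in samples) / len(samples)


def evaluate(samples=SAMPLES):
    def base(s):
        return predict(BASE_SCORES, s)

    def retrained(s):
        return predict(RETRAINED_SCORES, s)

    def chained(s):
        return chained_predict(BASE_SCORES, SCANNER_SCORES, s)

    return {
        "base_acc": accuracy(base, samples),
        "retrained_acc": accuracy(retrained, samples),
        "chained_acc": accuracy(chained, samples),
        # malware caught before the update but missed after it (regression)
        "retrained_malware_flips": flips(base, retrained, samples, MALWARE),
        "chained_malware_flips": flips(base, chained, samples, MALWARE),
        # benign files correct before the update but flagged after it
        "retrained_benign_flips": flips(base, retrained, samples, BENIGN),
        "chained_benign_flips": flips(base, chained, samples, BENIGN),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

On this toy data the retrained model raises accuracy but regresses on `mal_c.exe`, whereas the chain keeps every base detection and adds the two EXEmples; its only cost is the new false positive on `setup.exe`. In a real deployment the benign-side flip list is the number to watch when chaining, since under this rule the chain can only add detections and never remove them.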