The vulnerability to adversarial examples remains a major obstacle for Machine Learning (ML)-based Android malware detection. Realistic attacks in the Android malware domain create Realizable Adversarial Examples (RealAEs), i.e., AEs that satisfy the domain constraints of Android malware. Recent studies have shown that using such RealAEs in Adversarial Training (AT) is more effective in defending against realistic attacks than using unrealizable AEs (unRealAEs). This is because RealAEs allow defenders to explore certain pockets in the feature space that are vulnerable to realistic attacks. However, existing defenses commonly generate RealAEs in the problem space, which is known to be time-consuming and impractical for AT. In this paper, we propose to generate RealAEs in the feature space, leading to a simpler and more efficient solution. Our approach is driven by a novel interpretation of Android domain constraints in the feature space. More concretely, our defense first learns feature-space domain constraints by extracting meaningful feature dependencies from data and then applies them to generate feature-space RealAEs during AT. Extensive experiments on DREBIN, a well-known Android malware detector, demonstrate that our new defense outperforms not only unRealAE-based AT but also the state-of-the-art defense that relies on non-uniform perturbations. We further validate the ability of our learned feature-space domain constraints to represent Android malware properties by showing that they can help distinguish RealAEs from unRealAEs.
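The following added example is not the paper's code or its constraint-learning method. It mines strict pairwise feature dependencies from constructed toy data, then uses them to separate a constraint-satisfying perturbed feature vector from a violating one and to repair the latter by adding features only. The feature names, the sample apps and the rule-mining method (exact implications with a minimum support) are assumptions made for illustration.

```python
from itertools import permutations

# Constructed toy data: each row is one app, each column a binary feature.
# Feature names are illustrative, in the style of DREBIN's feature sets.
FEATURES = ["perm::SEND_SMS", "api::sendTextMessage",
            "perm::INTERNET", "api::openConnection"]
APPS = [
    [1, 1, 1, 1],
    [1, 1, 0, 0],
    [1, 0, 1, 1],
    [0, 0, 1, 1],
    [0, 0, 1, 0],
    [1, 1, 1, 0],
]

def learn_implications(rows, min_support=2, min_conf=1.0):
    """Return (i, j) pairs meaning 'feature i present implies feature j present'."""
    n = len(rows[0])
    rules = []
    for i, j in permutations(range(n), 2):
        support = sum(r[i] for r in rows)            # apps that have feature i
        both = sum(1 for r in rows if r[i] and r[j])  # apps that have i and j
        if support >= min_support and both / support >= min_conf:
            rules.append((i, j))
    return rules

def violations(x, rules):
    """List the learned dependencies that feature vector x breaks."""
    return [(i, j) for i, j in rules if x[i] and not x[j]]

def repair(x, rules):
    """Add-only projection: switch on implied features until no rule is broken."""
    x = list(x)
    changed = True
    while changed:
        changed = False
        for i, j in rules:
            if x[i] and not x[j]:
                x[j] = 1
                changed = True
    return x

if __name__ == "__main__":
    rules = learn_implications(APPS)
    for i, j in rules:
        print(f"{FEATURES[i]} => {FEATURES[j]}")
    candidate = [0, 1, 0, 0]  # constructed perturbed vector: API call without its permission
    print("violations:", violations(candidate, rules))
    print("repaired:  ", repair(candidate, rules))
```

In an AT loop, a check like `violations` would filter or project each feature-space perturbation before it is used as a training sample.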