Several moving target defenses (MTDs) to counter adversarial ML attacks have been proposed in recent years. MTDs claim to increase the difficulty for the attacker in conducting attacks by regularly changing certain elements of the defense, such as cycling through configurations. To examine these claims, we study for the first time the effectiveness of several recent MTDs for adversarial ML attacks applied to the malware detection domain. Under different threat models, we show that transferability and query attack strategies can achieve high levels of evasion against these defenses through existing and novel attack strategies across Android and Windows. We also show that fingerprinting and reconnaissance are possible and demonstrate how attackers may obtain critical defense hyperparameters as well as information about how predictions are produced. Based on our findings, we present key recommendations for future work on the development of effective MTDs for adversarial attacks in ML-based malware detection.

翻译：近年来，针对对抗性机器学习攻击的多种移动目标防御方法已被提出。移动目标防御通过定期改变防御的某些要素（例如循环切换配置），声称能增加攻击者实施攻击的难度。为验证这些主张，我们首次研究了应用于恶意软件检测领域的几种新型移动目标防御方法在对抗性机器学习攻击中的有效性。在不同威胁模型下，我们证明：通过现有及新型攻击策略，迁移攻击和查询攻击在Android和Windows平台上均可实现对这些防御的高逃逸率。同时，我们证实了指纹识别和侦察攻击的可行性，并展示了攻击者如何获取关键防御超参数以及预测生成过程的信息。基于研究结果，我们为未来在基于机器学习的恶意软件检测中开发有效的对抗性攻击移动目标防御方法提出了关键建议。