Over the years, most research on defenses against adversarial attacks on machine learning models has been conducted in the image recognition domain. ML-based malware detection has received far less attention despite its importance. Moreover, most work exploring these defenses has evaluated several methods in isolation, with no strategy for when to apply each. In this paper, we introduce StratDef, a strategic defense system based on a moving target defense approach. We overcome challenges related to the systematic construction, selection, and strategic use of models to maximize adversarial robustness. StratDef dynamically and strategically chooses the best models to increase the attacker's uncertainty while minimizing attack transferability, a critical concern in adversarial ML. We provide the first comprehensive evaluation of defenses against adversarial attacks on machine learning for malware detection; our threat model covers different threat levels, attacker knowledge, capabilities, and attack intensities. We show that StratDef performs better than other defenses even against the strongest threat in our model. We also show that, of the existing defenses, only a few adversarially trained models provide substantially better protection than vanilla models, and they are still outperformed by StratDef.
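The moving-target idea in the abstract (serve each query from a strategically chosen model so that an attacker who crafts adversarial malware against one model only succeeds if the sample transfers to whichever model actually answered) can be made concrete with a toy selector. The block below is an added illustration written for this page, not StratDef's own construction or selection algorithm, which the abstract does not describe; the model names, accuracies and transferability matrix are constructed, hypothetical numbers, and the selection rule (enumerate uniform mixtures over model pools, minimize worst-case evasion, break ties on clean accuracy) is an assumption chosen to show the reasoning, not the paper's method.

```python
"""Toy moving-target model selection for an ML malware detector.

Added illustration, not StratDef's algorithm. A defender holds a pool of
detectors and answers each query from a randomly chosen one, so a sample
crafted against one model evades only if it transfers to the model served.
All numbers below are constructed for the example.
"""
from fractions import Fraction as F
from itertools import combinations
import random

MODELS = ["nn", "rf", "svm", "nn_adv"]  # hypothetical detector pool

# Hypothetical clean detection accuracy per model.
ACCURACY = {"nn": F(97, 100), "rf": F(96, 100), "svm": F(94, 100), "nn_adv": F(95, 100)}

# Hypothetical transferability: TRANSFER[src][dst] is the fraction of adversarial
# samples crafted against `src` that also evade `dst`. A sample always evades the
# model it was crafted against, so the diagonal is 1.
TRANSFER = {
    "nn":     {"nn": F(1), "rf": F(6, 10), "svm": F(7, 10), "nn_adv": F(3, 10)},
    "rf":     {"nn": F(5, 10), "rf": F(1), "svm": F(5, 10), "nn_adv": F(2, 10)},
    "svm":    {"nn": F(6, 10), "rf": F(5, 10), "svm": F(1), "nn_adv": F(3, 10)},
    "nn_adv": {"nn": F(4, 10), "rf": F(4, 10), "svm": F(45, 100), "nn_adv": F(1)},
}


def evasion_rate(strategy, source):
    """Expected evasion of samples crafted against `source` when the defender
    serves model m with probability strategy[m]."""
    return sum(p * TRANSFER[source][m] for m, p in strategy.items())


def worst_case_evasion(strategy):
    """A white-box attacker who knows the strategy picks the surrogate whose
    adversarial samples transfer best to the mixture."""
    return max(evasion_rate(strategy, src) for src in MODELS)


def expected_accuracy(strategy):
    """Clean accuracy of the mixture, the cost side of the trade-off."""
    return sum(p * ACCURACY[m] for m, p in strategy.items())


def uniform_over(pool):
    """Serve each model in `pool` equally often; other models get weight 0.
    A single-model pool is the ordinary, non-moving-target deployment."""
    return {m: (F(1, len(pool)) if m in pool else F(0)) for m in MODELS}


def best_uniform_strategy():
    """Enumerate every non-empty pool, minimise worst-case evasion and break
    ties on expected clean accuracy (assumed selection rule)."""
    candidates = [uniform_over(pool)
                  for r in range(1, len(MODELS) + 1)
                  for pool in combinations(MODELS, r)]
    return min(candidates,
               key=lambda s: (worst_case_evasion(s), -expected_accuracy(s)))


def choose_model(strategy, rng):
    """Per-query selection: the moving-target step the attacker cannot predict."""
    names = list(strategy)
    return rng.choices(names, weights=[float(strategy[m]) for m in names], k=1)[0]


def simulate(strategy, queries=10_000, seed=1):
    """Attacker crafts every sample against its best surrogate; the defender
    answers each query with a freshly sampled model. Returns observed evasion."""
    rng = random.Random(seed)
    source = max(MODELS, key=lambda src: evasion_rate(strategy, src))
    evaded = 0
    for _ in range(queries):
        served = choose_model(strategy, rng)
        if rng.random() < float(TRANSFER[source][served]):
            evaded += 1
    return evaded / queries


if __name__ == "__main__":
    for name, strat in [("fixed nn_adv", uniform_over(["nn_adv"])),
                        ("uniform all", uniform_over(MODELS)),
                        ("best pool", best_uniform_strategy())]:
        print(f"{name:13s} worst-case evasion={float(worst_case_evasion(strat)):.3f} "
              f"accuracy={float(expected_accuracy(strat)):.3f} "
              f"simulated={simulate(strat):.3f}")
```

With these constructed numbers, any single fixed model is fully evaded by an attacker who targets it (worst-case evasion 1.0), a uniform mixture over all four models brings the worst case down to 0.65, and the best pool found ({rf, svm, nn_adv}) reaches about 0.617 at a clean accuracy of 0.95. Note that the adversarially trained model alone does not help here; it is the mixture that lowers the attacker's success, which is the abstract's point about uncertainty and transferability. Real systems would estimate the transferability matrix empirically against the attacks in the threat model rather than assume it.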