Over the years, most research towards defenses against adversarial attacks on machine learning models has been in the image recognition domain. The malware detection domain has received less attention despite its importance. Moreover, most work exploring these defenses has focused on several methods but with no strategy when applying them. In this paper, we introduce StratDef, which is a strategic defense system based on a moving target defense approach. We overcome challenges related to the systematic construction, selection, and strategic use of models to maximize adversarial robustness. StratDef dynamically and strategically chooses the best models to increase the uncertainty for the attacker while minimizing critical aspects in the adversarial ML domain, like attack transferability. We provide the first comprehensive evaluation of defenses against adversarial attacks on machine learning for malware detection, where our threat model explores different levels of threat, attacker knowledge, capabilities, and attack intensities. We show that StratDef performs better than other defenses even when facing the peak adversarial threat. We also show that, of the existing defenses, only a few adversarially-trained models provide substantially better protection than just using vanilla models but are still outperformed by StratDef.

翻译：长期以来，针对机器学习模型对抗攻击的防御研究主要集中于图像识别领域。尽管恶意软件检测领域至关重要，但受到的关注却相对较少。此外，现有防御探索大多聚焦于若干具体方法，却缺乏应用这些方法的策略性框架。本文提出StratDef——一种基于移动目标防御方法的战略防御系统。我们克服了系统化构建、选择及策略性使用模型以最大化对抗鲁棒性方面的挑战。StratDef能够动态且策略性地选取最优模型，在增加攻击者不确定性的同时，最小化对抗机器学习领域的关键风险（如攻击可迁移性）。我们首次对基于机器学习的恶意软件检测中对抗攻击的防御措施进行了全面评估，所构建的威胁模型涵盖了不同威胁等级、攻击者知识水平、攻击能力及攻击强度。实验表明，即便面对最高强度的对抗威胁，StratDef的表现仍优于其他防御方案。同时我们发现，现有防御中仅有少数对抗训练模型能提供比标准模型更显著的保护效果，但这类模型在性能上仍不及StratDef。