Abstract
Malware is constantly evolving and is a rising concern for cyberspace. Deep learning-based malware detectors are being used as a potential solution. However, these detectors are vulnerable to adversarial attacks, which manipulate files in such a way that the resulting malware files evade detection. Adversarial training is one of the techniques used to develop malware detectors, based on a saddle-point (min–max) formulation. In adversarial training, malware samples are manipulated using multiple adversarial attacks to generate adversarially poisoned malware samples. These poisoned malware samples are incorporated in the training of models to make them robust against evasion attacks (i.e. attacks at testing time). In this work, ten neural network-based malware detectors are developed, nine each trained with a particular adversarial attack and one without such training. To consider the characteristics of multiple adversarial attacks and utilise the performance of the ten detectors on various evasion attacks, a novel approach is developed to design a malware detector by training a neural network with a mixture of multiple adversarial attacks. This novel approach achieved the best performance among all eleven malware detectors. Experimental results demonstrated that the new approach significantly enhanced the robustness of the malware detector and achieved the lowest evasion rates of 12% on average on VirusShare and 18% on average on VXHeaven datasets, respectively, against all possible evasion attacks. The experiments show that the detectors trained with other adversarial attacks such as DeepFool and multi-step bit gradient ascent achieve higher evasion rates of 17% and 36% on VirusShare, and 24% and 45% on VXHeaven datasets, respectively.
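The min–max training loop described in the abstract, as an added sketch that is not the paper's code: a detector trained on clean malware is compared with one trained on malware perturbed by a pool of attacks. Assumptions: a linear (logistic) detector stands in for the neural network, the two inner maximisers `grad_attack` and `rand_attack` are simple stand-ins rather than the paper's nine attacks, the per-sample random choice is one possible reading of "mixture", and the binary feature data is constructed.

```python
import numpy as np

rng = np.random.default_rng(0)
D, N = 20, 200  # constructed data: features 0-9 lean malicious, 10-19 lean benign

def sample(p_first, p_second, n):
    p = np.r_[np.full(10, p_first), np.full(10, p_second)]
    return (rng.random((n, D)) < p).astype(float)

def predict(w, b, X):
    return 1.0 / (1.0 + np.exp(-(X @ w + b)))

# Inner maximisers. Both only set bits 0 -> 1 (assumption: adding features
# keeps the sample functional, removing them might not).
def grad_attack(w, b, X):
    # For a malware sample the loss gradient w.r.t. x is -(1 - p) * w, so the
    # loss rises on exactly the bits whose weight is negative.
    return np.maximum(X, (w < 0).astype(float))

def rand_attack(w, b, X, k=5):
    flips = rng.random(X.shape) < k / D
    return np.maximum(X, flips.astype(float))

def train(Xm, Xb, attacks, epochs=300, lr=0.1):
    w, b = np.zeros(D), 0.0
    y = np.r_[np.ones(len(Xm)), np.zeros(len(Xb))]
    for _ in range(epochs):
        Xa = Xm.copy()
        if attacks:  # inner max: each malware row gets one attack from the pool
            pick = rng.integers(len(attacks), size=len(Xm))
            for i, atk in enumerate(attacks):
                Xa[pick == i] = atk(w, b, Xm[pick == i])
        X = np.vstack([Xa, Xb])
        err = predict(w, b, X) - y          # outer min: gradient step on the loss
        w -= lr * X.T @ err / len(y)
        b -= lr * err.mean()
    return w, b

def evasion_rate(w, b, Xm, attack):
    # Fraction of attacked malware samples scored below the 0.5 threshold.
    return float((predict(w, b, attack(w, b, Xm)) < 0.5).mean())

def run():
    Xm, Xb = sample(0.7, 0.1, N), sample(0.1, 0.8, N)
    Xtest = sample(0.7, 0.1, N)
    natural = train(Xm, Xb, [])
    mixed = train(Xm, Xb, [grad_attack, rand_attack])
    return (evasion_rate(*natural, Xtest, grad_attack),
            evasion_rate(*mixed, Xtest, grad_attack))

if __name__ == "__main__":
    print("evasion natural / mixed-adversarial: %.2f / %.2f" % run())
```

The naturally trained model leans on the benign-looking features, so setting them lets most malware through; the adversarially trained model learns to discount features an attacker can add freely.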
More From: Engineering Applications of Artificial Intelligence