Chaoran Li, Xiao Chen, Derui Wang, Sheng Wen, Muhammad Ejaz Ahmed, Seyit Camtepe, Yang Xiang

2021-07-07

Abstract:Machine learning (ML) has been widely used for malware detection on different operating systems, including Android. To keep up with malware's evolution, the detection models usually need to be retrained periodically (e.g., every month) based on the data collected in the wild. However, this leads to poisoning attacks, specifically backdoor attacks, which subvert the learning process and create evasion ‘tunnels’ for manipulated malware samples. To date, we have not found any prior research that explored this critical problem in Android malware detectors. Although there are already some similar works in the image classification field, most of those similar ideas cannot be borrowed to solve this problem, because the assumption that the attacker has full control of the training data collection or labelling process is not realistic in real-world malware detection scenarios. In this article, we are motivated to study the …

Jiayi Hua,Kailong Wang,Meizhen Wang,Guangdong Bai,Xiapu Luo,Haoyu Wang

2024-01-05

Abstract:Mobile malware has become one of the most critical security threats in the era of ubiquitous mobile computing. Despite the intensive efforts from security experts to counteract it, recent years have still witnessed a rapid growth of identified malware samples. This could be partly attributed to the newly-emerged technologies that may constantly open up under-studied attack surfaces for the adversaries. One typical example is the recently-developed mobile machine learning (ML) framework that enables storing and running deep learning (DL) models on mobile devices. Despite obvious advantages, this new feature also inadvertently introduces potential vulnerabilities (e.g., on-device models may be modified for malicious purposes). In this work, we propose a method to generate or transform mobile malware by hiding the malicious payloads inside the parameters of deep learning models, based on a strategy that considers four factors (layer type, layer number, layer coverage and the number of bytes to replace). Utilizing the proposed method, we can run malware in DL mobile applications covertly with little impact on the model performance (i.e., as little as 0.4% drop in accuracy and at most 39ms latency overhead).

Cryptography and Security

Yuyang Zhou,Guang Cheng,Shui Yu,Zongyao Chen,Yujia Hu

DOI: https://doi.org/10.1109/tifs.2024.3414339

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning (ML) has been widely adopted for Android malware detection to deal with serious threats brought by explosive malware attacks. However, it has been recently proven that ML-based detection systems exhibit inherent vulnerabilities to evasion attacks, which inject adversarial perturbations into a malicious app to hide its malicious behaviors and evade detection. To date, researchers have not found effective solutions for this critical problem. Although there are some similar works in the image classification field, most of those ideas cannot be borrowed due to the significant differences between images and Android apps. In this paper, we exploit Moving Target Defense (MTD) to continually change the attack surface of the protected detector and create uncertainty on the attacker side. We thus propose a novel Android malware detection framework named MTDroid, which fully leverages a seamless blend of dynamicity, diversity, and heterogeneity to mitigate the impact of evasion attacks. To this end, we develop a dynamic model pool to decrease the exposure time of a single classifier, by building and rebuilding multiple heterogeneous models with distinct data. We then generate diversified variant models to provide defensive measures against various attacks, and further improve robustness through ensemble learning. Specifically, we propose a two-stage selection algorithm to optimize the ensemble learning process, and design a hybrid update strategy to refresh the framework dynamically. The experimental results show that MTDroid significantly enhances the robustness against a wide range of attacks and outperforms the state-of-the-art methods upon three popular practical datasets.

Guangquan Xu,Hongfei Shao,Jingyi Cui,Hongpeng Bai,Jiliang Li,Guangdong Bai,Shaoying Liu,Weizhi Meng,Xi Zheng

DOI: https://doi.org/10.1016/j.cose.2023.103359

IF: 5.105

2023-01-01

Computers & Security

Abstract:The security problems of Android applications have been gradually exposed with the increasing popularity of the Android OS. Machine learning (ML) and deep learning (DL) based Android malware detection is still suffering from adversarial attacks, although it has better performance than traditional methods. In this paper, we propose a query-efficient black-box attack method called GenDroid, which can generate high-quality Android adversarial examples with a low number of queries. We take GenDroid as an attack framework and extend it with the attention mechanism and JSMA algorithm to improve the efficiency of adversarial example production. We evaluate the effectiveness of our attack on two state-of-the-art Android malware detection schemes, Drebin and MaMaDroid. Compared with four state-of-the-art adversarial attacks on real-world datasets, GenDroid achieves higher misclassification rates with significantly the fewest number of queries on the two datasets. In addition, we have validated the effectiveness of our attack on real-world commercial anti-virus engines. Finally, to enhance the security of Android malware detector and defend against the GenDroid attack, we use combined features consisting of the associated Android features, the spatial properties of Android adversarial examples and the uncertainty to detect adversarial examples, which can achieve a high detection rate of 95.71%.

Hemant Rathore,Sanjay K. Sahay,Piyush Nikam,Mohit Sewak

DOI: https://doi.org/10.1007/s10796-020-10083-8

2021-01-28

Abstract:The current state-of-the-art Android malware detection systems are based on machine learning and deep learning models. Despite having superior performance, these models are susceptible to adversarial attacks. Therefore in this paper, we developed eight Android malware detection models based on machine learning and deep neural network and investigated their robustness against adversarial attacks. For this purpose, we created new variants of malware using Reinforcement Learning, which will be misclassified as benign by the existing Android malware detection models. We propose two novel attack strategies, namely single policy attack and multiple policy attack using reinforcement learning for white-box and grey-box scenario respectively. Putting ourselves in the adversary's shoes, we designed adversarial attacks on the detection models with the goal of maximizing fooling rate, while making minimum modifications to the Android application and ensuring that the app's functionality and behavior do not change. We achieved an average fooling rate of 44.21% and 53.20% across all the eight detection models with a maximum of five modifications using a single policy attack and multiple policy attack, respectively. The highest fooling rate of 86.09% with five changes was attained against the decision tree-based model using the multiple policy approach. Finally, we propose an adversarial defense strategy that reduces the average fooling rate by threefold to 15.22% against a single policy attack, thereby increasing the robustness of the detection models i.e. the proposed model can effectively detect variants (metamorphic) of malware. The experimental analysis shows that our proposed Android malware detection system using reinforcement learning is more robust against adversarial attacks.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xiao Chen,Chaoran Li,Derui Wang,Sheng Wen,Jun Zhang,Surya Nepal,Yang Xiang,Kui Ren

DOI: https://doi.org/10.1109/TIFS.2019.2932228

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning based solutions have been successfully employed for automatic detection of malware on Android. However, machine learning models lack robustness to adversarial examples, which are crafted by adding carefully chosen perturbations to the normal inputs. So far, the adversarial examples can only deceive detectors that rely on syntactic features (e.g., requested permissions, API calls, etc), and the perturbations can only be implemented by simply modifying application's manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new attacking method that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK that can successfully deceive the machine learning detectors. We develop an automated tool to generate the adversarial examples without human intervention. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We demonstrate our attack on two state-of-the-art Android malware detection schemes, MaMaDroid and Drebin. Our results show that the malware detection rates decreased from 96 0

Ping He,Yifan Xia,Xuhong Zhang,Shouling Ji

DOI: https://doi.org/10.1145/3576915.3623117

2023-01-01

Abstract:The widespread adoption of the Android operating system has made malicious Android applications an appealing target for attackers. Machine learning-based (ML-based) Android malware detection (AMD) methods are crucial in addressing this problem; however, their vulnerability to adversarial examples raises concerns. Current attacks against ML-based AMD methods demonstrate remarkable performance but rely on strong assumptions that may not be realistic in real-world scenarios, e.g., the knowledge requirements about feature space, model parameters, and training dataset. To address this limitation, we introduce ADVDROIDZERO, an efficient query-based attack framework against ML-based AMD methods that operates under the zero knowledge setting. Our extensive evaluation shows that ADVDROIDZERO is effective against various mainstream ML-based AMD methods, in particular, state-of-the-art such methods and real-world antivirus solutions.

Hongchen Cao,Shuai Li,Yuming Zhou,Ming Fan,Xuejiao Zhao,Yutian Tang

DOI: https://doi.org/10.48550/arXiv.2107.12732

2021-07-27

Software Engineering

Abstract:Deep learning is a powerful weapon to boost application performance in many fields, including face recognition, object detection, image classification, natural language understanding, and recommendation system. With the rapid increase in the computing power of mobile devices, developers can embed deep learning models into their apps for building more competitive products with more accurate and faster responses. Although there are several works about adversarial attacks against deep learning models in mobile apps, they all need information about the models' internals (i.e., structures, weights) or need to modify the models. In this paper, we propose an effective black-box approach by training a substitute model to spoof the deep learning system inside the apps. To evaluate our approach, we select 10 real-world deep-learning apps with high popularity from Google Play to perform black-box adversarial attacks. Through the study, we find three factors that can influence the performance of attacks. Our approach can reach a relatively high attack success rate of 66.60% on average. Compared with other adversarial attacks on mobile deep learning models, in terms of the average attack success rates, our approach outperforms counterparts by 27.63%.

Yonghong Huang,Utkarsh Verma,Celeste Fralick,Gabriel Infante-Lopez,Brajesh Kumarz,Carl Woodward

DOI: https://doi.org/10.48550/arXiv.1904.05747

2019-04-17

Abstract:Machine learning (ML) classifiers are vulnerable to adversarial examples. An adversarial example is an input sample which is slightly modified to induce misclassification in an ML classifier. In this work, we investigate white-box and grey-box evasion attacks to an ML-based malware detector and conduct performance evaluations in a real-world setting. We compare the defense approaches in mitigating the attacks. We propose a framework for deploying grey-box and black-box attacks to malware detection systems.

Cryptography and Security,Machine Learning

Sen Chen,Minhui Xue,Lingling Fan,Shuang Hao,Lihua Xu,Haojin Zhu,Bo Li

DOI: https://doi.org/10.48550/arXiv.1706.04146

2017-10-31

Abstract:The evolution of mobile malware poses a serious threat to smartphone security. Today, sophisticated attackers can adapt by maximally sabotaging machine-learning classifiers via polluting training data, rendering most recent machine learning-based malware detection tools (such as Drebin, DroidAPIMiner, and MaMaDroid) ineffective. In this paper, we explore the feasibility of constructing crafted malware samples; examine how machine-learning classifiers can be misled under three different threat models; then conclude that injecting carefully crafted data into training data can significantly reduce detection accuracy. To tackle the problem, we propose KuafuDet, a two-phase learning enhancing approach that learns mobile malware by adversarial detection. KuafuDet includes an offline training phase that selects and extracts features from the training set, and an online detection phase that utilizes the classifier trained by the first phase. To further address the adversarial environment, these two phases are intertwined through a self-adaptive learning scheme, wherein an automated camouflage detector is introduced to filter the suspicious false negatives and feed them back into the training phase. We finally show that KuafuDet can significantly reduce false negatives and boost the detection accuracy by at least 15%. Experiments on more than 250,000 mobile applications demonstrate that KuafuDet is scalable and can be highly effective as a standalone system.

Cryptography and Security

Hongyi Chen,Jinshu Su,Linbo Qiao,Yi Zhang,Qin Xin

DOI: https://doi.org/10.1007/978-3-030-00018-9_41

2018-01-01

Abstract:Android has become the most popular platform for mobile devices, and also it has become a popular target for malware developers. At the same time, researchers have proposed a large number of methods, both static and dynamic analysis methods, to fight against malwares. Among these, Machine learning based methods are quite effective in Android malware detection, the accuracy of which can be up to 98%. Thus, malware developers have the incentives to develop more advanced malwares to evade detection. This paper presents an adversary attack pattern that will compromise current machine learning based malware detection methods. The malware developers can perform this attack easily by splitting malicious payload into two or more apps. The split apps will all be classified as benign by current methods. Thus, we proposed a method to deal with this issue. This approach, realized in a tool, called ColluDroid, can identify the collusion apps by analyzing the communication between apps. The evaluation results show that ColluDroid is effective in finding out the collusion apps. Also, we showed that it’s easy to split an app to evade detection. According to our split simulation, the evasion rate is 78%, when split into two apps; while the evasion rate comes to 94.8%, when split into three apps.

Yujin Huang,Chunyang Chen

DOI: https://doi.org/10.1109/tifs.2022.3172213

IF: 7.231

2022-05-20

IEEE Transactions on Information Forensics and Security

Abstract:On-device deep learning is rapidly gaining popularity in mobile applications. Compared to offloading deep learning from smartphones to the cloud, on-device deep learning enables offline model inference while preserving user privacy. However, such mechanisms inevitably store models on users' smartphones and may invite adversarial attacks as they are accessible to attackers. Due to the characteristic of the on-device model, most existing adversarial attacks cannot be directly applied for on-device models. In this paper, we introduce a grey-box adversarial attack framework to hack on-device models by crafting highly similar binary classification models based on identified transfer learning approaches and pre-trained models from TensorFlow Hub. We evaluate the attack effectiveness and generality in terms of four different settings including pre-trained models, datasets, transfer learning approaches and adversarial attack algorithms. The results demonstrate that the proposed attacks remain effective regardless of different settings, and significantly outperform state-of-the-art baselines. We further conduct an empirical study on real-world deep learning mobile apps collected from Google Play. Among 53 apps adopting transfer learning, we find that 71.7% of them can be successfully attacked, which includes popular ones in medicine, automation, and finance categories with critical usage scenarios. The results call for the awareness and actions of deep learning mobile app developers to secure the on-device models. The code of this work is available at https://github.com/Jinxhy/SmartAppAttack.

Sen Chen,Minhui Xue,Lingling Fan,Shuang Hao,Lihua Xu,Haojin Zhu

2017-01-01

Abstract:The evolution of mobile malware poses a serious threat to smartphone security. Today, sophisticated attackers can adapt by maximally sabotaging machine-learning classifiers via polluting training data, rendering most recent machine learning-based malware detection tools (such as Drebin and DroidAPIMiner) ineffective. In this paper, we explore the feasibility of constructing crafted malware samples; examine how machine-learning classifiers can be misled under three different threat models; then conclude that injecting carefully crafted data into training data can significantly reduce detection accuracy. To tackle the problem, we propose KuafuDet, a two-phase learning enhancing approach that learns mobile malware by adversarial detection. KuafuDet includes an offline training phase that selects and extracts features from the training set, and an online detection phase that utilizes the classifier trained by the first phase. To further address the adversarial environment, these two phases are intertwined through a self-adaptive learning scheme, wherein an automated camouflage detector is introduced to filter the suspicious false negatives and feed them back into the training phase. We finally show KuafuDet significantly reduces false negatives and boosts the detection accuracy by at least 15%. Experiments on more than 250,000 mobile applications demonstrate that KuafuDet is scalable and can be highly effective as a standalone system.

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smart:phones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malv -are detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android mahvare detection and can achieve a high level of 96% accuracy with real-world Android application sets.

Zizhuang Deng,Kai Chen,Guozhu Meng,Xiaodong Zhang,Ke Xu,Yao Cheng

DOI: https://doi.org/10.1145/3548606.3559388

2022-09-20

Abstract:Famous for its superior performance, deep learning (DL) has been popularly used within many applications, which also at the same time attracts various threats to the models. One primary threat is from adversarial attacks. Researchers have intensively studied this threat for several years and proposed dozens of approaches to create adversarial examples (AEs). But most of the approaches are only evaluated on limited models and datasets (e.g., MNIST, CIFAR-10). Thus, the effectiveness of attacking real-world DL models is not quite clear. In this paper, we perform the first systematic study of adversarial attacks on real-world DNN models and provide a real-world model dataset named RWM. Particularly, we design a suite of approaches to adapt current AE generation algorithms to the diverse real-world DL models, including automatically extracting DL models from Android apps, capturing the inputs and outputs of the DL models in apps, generating AEs and validating them by observing the apps' execution. For black-box DL models, we design a semantic-based approach to build suitable datasets and use them for training substitute models when performing transfer-based attacks. After analyzing 245 DL models collected from 62,583 real-world apps, we have a unique opportunity to understand the gap between real-world DL models and contemporary AE generation algorithms. To our surprise, the current AE generation algorithms can only directly attack 6.53% of the models. Benefiting from our approach, the success rate upgrades to 47.35%.

Computer Science

Jiaxiang Chen

DOI: https://doi.org/10.54254/2755-2721/71/20241665

2024-09-02

Abstract:In recent years, significant advancements have been made in cyber security, particularly through the application of machine learning (ML) methods. ML-based techniques have enhanced system security by effectively distinguishing between malicious and benign objects across various domains, including spam email detection, social media content filtering, intrusion detection systems, and malware detection. This paper focuses on the specific area of ML-based malware detection and its advantages over traditional methods, such as improved accuracy and the ability to generalize to unknown threats. Despite these advancements, ML-based malware detection systems are vulnerable to adversarial attacks, especially in black-box scenarios where the internal workings of the detection model are not accessible. This paper provides a comprehensive review of adversarial attacks on black-box malware detection systems and examines the current defense mechanisms against these attacks. Understanding the challenges and strategies in this field, this review aims to offer insights into enhancing the robustness and security of ML-based malware detection systems.

Chun Yang,Jinghui Xu,Shuangshuang Liang,Yanna Wu,Yu Wen,Boyang Zhang,Dan Meng

DOI: https://doi.org/10.1186/s42400-021-00079-5

2021-05-14

Abstract:Abstract Outside the explosive successful applications of deep learning (DL) in natural language processing, computer vision, and information retrieval, there have been numerous Deep Neural Networks (DNNs) based alternatives for common security-related scenarios with malware detection among more popular. Recently, adversarial learning has gained much focus. However, unlike computer vision applications, malware adversarial attack is expected to guarantee malwares’ original maliciousness semantics. This paper proposes a novel adversarial instruction learning technique, DeepMal, based on an adversarial instruction learning approach for static malware detection. So far as we know, DeepMal is the first practical and systematical adversarial learning method, which could directly produce adversarial samples and effectively bypass static malware detectors powered by DL and machine learning (ML) models while preserving attack functionality in the real world. Moreover, our method conducts small-scale attacks, which could evade typical malware variants analysis (e.g., duplication check). We evaluate DeepMal on two real-world datasets, six typical DL models, and three typical ML models. Experimental results demonstrate that, on both datasets, DeepMal can attack typical malware detectors with the mean F1-score and F1-score decreasing maximal 93.94% and 82.86% respectively. Besides, three typical types of malware samples (Trojan horses, Backdoors, Ransomware) prove to preserve original attack functionality, and the mean duplication check ratio of malware adversarial samples is below 2.0%. Besides, DeepMal can evade dynamic detectors and be easily enhanced by learning more dynamic features with specific constraints.

computer science, information systems, interdisciplinary applications, software engineering

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smartphones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malware detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android malware detection and can achieve a high level of 96% accuracy with real-world Android application sets.

Hongyi Chen,Jinshu Su,Linbo Qiao,Qin Xin

DOI: https://doi.org/10.3390/app8101718

2018-01-01

Applied Sciences

Abstract:Android has become the most popular mobile platform, and a hot target for malware developers. At the same time, researchers have come up with numerous ways to deal with malware. Among them, machine learning based methods are quite effective in Android malware detection, the accuracy of which can be as high as 98%. Thus, malware developers have the incentives to develop more advanced malware to evade detection. This paper presents an adversary attack scenario (Collusion Attack) that will compromise current machine learning based malware detection methods, especially Support Vector Machines (SVM). The malware developers can perform this attack easily by splitting malicious payload into two or more apps. Meanwhile, attackers may hide their malicious behavior by using advanced techniques (Evasion Attack), such as obfuscation, etc. According to our simulation, 87.4% of apps can evade Linear SVM by Collusion Attack. When performing Collusion and Evasion Attack simultaneously, the evasion rate can reach 100% at a low cost. Thus, we proposed a method to deal with this issue. This approach, realized in a tool, called ColluDroid, can identify the collusion apps by analyzing the communication between apps. In addition, it can integrate secure learning methods (e.g., Sec-SVM) to fight against Evasion Attack. The evaluation results show that ColluDroid is effective in finding out the collusion apps and ColluDroid-Sec-SVM has the best performance in the presence of both Collusion and Evasion Attack.