Towards robust CNN-based malware classifiers using adversarial examples generated based on two saliency similarities

摘要

Targeted malware attacks are usually more purposeful and harmful than untargeted attacks, so it is important to perform the malware family classification. In classification tasks, convolutional neural networks (CNN) have shown superior performance. However, clean samples with intentional small-scale perturbations (i.e. adversarial examples) may lead to incorrect decisions made by CNN-based classifiers. The most successful approach to improve the robustness of classifiers is adversarially trained on practical adversarial examples. Despite many attempts, previous works have not dealt with generating executable adversarial examples in a pure black-box manner to emulate adversarial threats. The aim of this work is to generate realistic adversarial malware examples and improve the robustness of classifiers against these attacks. We first explain the decision of malware classification by the saliency detection technique and argue that there are two similarities in saliency distribution of CNN classifiers. To explore the under-researched Malware to Malware threats that deceive PE malware classifiers into targeted misclassification, we propose the Saliency Append (SA) attack method based on the two saliency similarities, which produces adversarial examples via only one query, achieving higher attack success rate than other append-based attacks. We use these examples to improve the robustness of classifiers by adversarially trained on the generated adversarial examples. Compared to classifiers trained on other attacks, our approach produces classifiers that are significantly more robust against the proposed SA attack as well as others.