[BA] Detecting Adversarial Malware Examples as Concept Drift
Malware samples carefully perturbed to evade classification (adversarial examples) and the evolving domain of software (concept drift) are two of the main challenges in machine learning for malware detection.
This work establishes a similarity between adversarial examples and concept drift, by evaluating how well CADE, a concept drift detection system designed without adversarial examples in mind, is able to detect adversarial examples.
The evaluation includes multiple Android malware classifiers and attacks, in feature and problem space.
Neither the malware classifier nor the concept drift detection is trained on adversarial examples.
CADE detects adversarial malware examples much more frequently as concept drift than non-adversarial samples, even for small perturbations.
Additionally, a targeted white-box attack is developed that evades both the malware classifier and the drift detection system while adding, at the median, only two features.
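To make the detection mechanism behind these findings concrete, the following is an added example (not code from the thesis or from the CADE project): a minimal distance-based drift detector in the spirit of CADE's published rule, which flags a test sample whose distance to the nearest class centroid deviates from that class's training distances by more than a MAD-scaled threshold. CADE learns the latent space with a contrastive autoencoder; that part is not reproduced here, and the raw binary feature vectors stand in for the latent representation. The MAD scale constant (1.4826) and drift threshold (3.5) are assumed defaults, and all feature vectors are constructed toy data (two malware families over 12 binary features). Run on its own, it shows an in-distribution sample and a two-feature perturbation passing undetected while a four-feature perturbation is flagged as drift, mirroring the pattern reported above.

```python
"""Distance-based drift detection on binary malware feature vectors.

Added example, not the thesis's or CADE's own code.  Assumptions:
- raw feature space stands in for CADE's learned latent space;
- MAD_SCALE and DRIFT_THRESHOLD are assumed defaults;
- all training/test vectors are constructed toy data.
"""
import math
from statistics import median

MAD_SCALE = 1.4826        # assumed: makes MAD comparable to a std. dev.
DRIFT_THRESHOLD = 3.5     # assumed: flag if |d - median| / scaled MAD > 3.5


def _rotate(vec, k):
    """Rotate a vector left by k positions (used to build a mirrored family)."""
    return vec[k:] + vec[:k]


# Constructed training data.  Family "fam_a" lives on features 0-5,
# "fam_b" is the same pattern moved to features 6-11.
FAM_A = [
    [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
    [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0],
]
FAM_B = [_rotate(v, 6) for v in FAM_A]
TRAIN = {"fam_a": FAM_A, "fam_b": FAM_B}

# Constructed test samples: a fam_a member and two perturbed variants
# that add features never seen in fam_a training data.
IN_DIST = [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
TWO_ADDED = [1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0]
FOUR_ADDED = [1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit(train):
    """Per class: centroid, median training distance, scaled MAD."""
    model = {}
    for label, samples in train.items():
        dim = len(samples[0])
        centroid = [sum(s[i] for s in samples) / len(samples) for i in range(dim)]
        dists = [euclid(s, centroid) for s in samples]
        med = median(dists)
        mad = MAD_SCALE * median(abs(d - med) for d in dists)
        if mad == 0:
            # Edge case: no spread in training distances means every test
            # sample would be flagged; refuse rather than divide by zero.
            raise ValueError(f"class {label!r}: zero MAD, need more varied samples")
        model[label] = {"centroid": centroid, "median": med, "mad": mad}
    return model


def drift_score(model, x):
    """Return (closest class, CADE-style drift score for that class)."""
    closest = min(model, key=lambda c: euclid(x, model[c]["centroid"]))
    stats = model[closest]
    score = abs(euclid(x, stats["centroid"]) - stats["median"]) / stats["mad"]
    return closest, score


def is_drift(model, x, threshold=DRIFT_THRESHOLD):
    return drift_score(model, x)[1] > threshold


MODEL = fit(TRAIN)


def evaluate_samples(model=MODEL):
    """Score the constructed samples; returns {name: (class, score, flagged)}."""
    out = {}
    for name, x in (("in_dist", IN_DIST), ("two_added", TWO_ADDED),
                    ("four_added", FOUR_ADDED)):
        cls, score = drift_score(model, x)
        out[name] = (cls, score, score > DRIFT_THRESHOLD)
    return out


if __name__ == "__main__":
    for name, (cls, score, flagged) in evaluate_samples().items():
        print(f"{name:10s} nearest={cls} score={score:.2f} drift={flagged}")
```

The score is two-sided on purpose: a sample far closer to the centroid than any training point is as anomalous under this rule as one far away. Note how the two-feature perturbation stays under the threshold, which is the detector's blind spot that the targeted attack described above exploits.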