There has been a recent explosion in literature that relates to adversarial attacks on machine learning based malware detection. However, there are still several imprecisions regarding different types of attacks and their underlying assumptions. Whilst White Box and Black Box are widely used classifications for attacker models in this domain, we find that this terminology is insufficiently clear, and often improperly used. This paper aims to provide some clarity on this issue, and proposes an attack taxonomy based on (1) Knowledge of the attacker, (2) Modifications made, and (3) Realism of the attack, to provide better paper classifications. We further extend this to the data type classification of problem-space, in which attackers manipulate malware code or features without changing functionality; and feature-space, in which attackers manipulate feature representations. Showing distinct differences in how attacks are performed in these domains. To explain these limitations and showcase our approach we make use of eight personas (based on real papers) each with a distinct attack strategy from problem-space and feature-space methods. Finally, we show how our taxonomy provides much more precise information on the attacks from the papers.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

No More Paper Tigers: A Taxonomy of Realistic Adversarial Attacks on Machine Learning Based Malware Detection

  • Asma Al-Badi,
  • Luca Arnaboldi

摘要

There has been a recent explosion in literature that relates to adversarial attacks on machine learning based malware detection. However, there are still several imprecisions regarding different types of attacks and their underlying assumptions. Whilst White Box and Black Box are widely used classifications for attacker models in this domain, we find that this terminology is insufficiently clear, and often improperly used. This paper aims to provide some clarity on this issue, and proposes an attack taxonomy based on (1) Knowledge of the attacker, (2) Modifications made, and (3) Realism of the attack, to provide better paper classifications. We further extend this to the data type classification of problem-space, in which attackers manipulate malware code or features without changing functionality; and feature-space, in which attackers manipulate feature representations. Showing distinct differences in how attacks are performed in these domains. To explain these limitations and showcase our approach we make use of eight personas (based on real papers) each with a distinct attack strategy from problem-space and feature-space methods. Finally, we show how our taxonomy provides much more precise information on the attacks from the papers.