Adversarial Robustness of Deep Learning-Based Malware Detectors via (De)Randomized Smoothing

Deep learning-based malware detectors have been shown to be susceptible to adversarial malware examples, i.e. malware examples that have been deliberately manipulated in order to avoid detection. In light of the vulnerability of deep learning detectors to subtle input file modifications, we propose a practical defense against adversarial malware examples inspired by (de)randomized smoothing. In this work, we reduce the chances of sampling adversarial content injected by malware authors by selecting correlated subsets of bytes, rather than randomizing inputs with Gaussian noise as is done in the computer vision domain. During training, our chunk-based smoothing scheme trains a base classifier to make classifications on a subset of contiguous bytes, or chunk of bytes. At test time, a large number of chunks are classified by the base classifier, and the consensus among these classifications is reported as the final prediction. We propose two strategies to determine the location of the chunks used for classification: (1) randomly selecting the locations of the chunks and (2) selecting contiguous adjacent chunks. To showcase the effectiveness of our approach, we have trained two classifiers with our chunk-based smoothing schemes on the BODMAS dataset. Our findings reveal that the chunk-based smoothing classifiers exhibit greater resilience against adversarial malware examples generated with state-of-the-art evasion attacks, outperforming a non-smoothed classifier and a randomized smoothing-based classifier by a large margin.


Introduction
Nowadays, anti-malware engines frequently utilize Machine Learning (ML) techniques as part of a multilayered detection system to defend against malware and to complement traditional signature-based and heuristic-based detection methods. In this work, we focus on static ML-based malware detectors, i.e. ML-based malware detectors trained using information about computer files obtained through static analysis, the analysis of computer programs without executing them. Broadly speaking, static ML-based malware detectors can be grouped into two main categories: (1) feature-based detectors and (2) end-to-end detectors. Feature-based detectors [1] rely heavily on domain knowledge to extract a set of features used to characterize the executables, which is time-consuming and requires deep knowledge of the executable's file format and assembly code. Feature engineering is a continuous process. Malware authors continually adapt and modify their malicious code to evade detection. Thus, new features might be required in the future, and old ones might become obsolete or weaponized to evade detection [2,3]. As a result, recent research has been directed at building models that are able to perform their own feature extraction, i.e. deep learning-based or end-to-end detectors [4-6]. For instance, Raff et al. [4] introduced MalConv, a shallow CNN architecture that automatically learns features directly from raw byte inputs by performing convolutions.
End-to-end detectors, including MalConv, are trained with both benign and malicious code, learning to identify common byte patterns within these files. Malware authors are aware of this circumstance, and to avoid detection they try to disguise their malicious executables to resemble benign code, causing the detection system to misclassify the modified malicious executables as benign. These executables that have been specifically modified to evade detection by machine learning-based detectors are known as adversarial malware examples. A simple, yet effective method to evade end-to-end detectors is to inject content extracted from benign examples within the malicious executables [7,8]. As a result, the "benign" byte patterns found in the adversarial malware examples might end up flipping the classification output of end-to-end detectors from malicious to benign. Furthermore, researchers have developed sophisticated attacks that inject and optimize small adversarial payloads within malicious executables in such a way that the resulting adversarial malware examples are minimally modified but still evade detection. Depending on the access to the models, these attacks can be divided into white-box [9,10] and black-box attacks [8,11]. For instance, Demetrio et al. [10] proposed an attack that is able to evade end-to-end detectors by injecting and optimizing a small payload of 1024 bytes between the headers and the sections of Portable Executable files.
Given the vulnerabilities of deep learning detectors to the aforementioned functionality-preserving content manipulation attacks, we propose a robust defense mechanism against adversarial malware examples inspired by (de)randomized smoothing [12], a class of certifiably robust image classifiers proposed against patch attacks. Our approach works as follows: (1) During training, a base classifier, f(x), is trained to make classifications based on an ablated version of a given input file. This ablated version is generated by selecting only a small chunk of bytes from the input file; the rest of the file is not used for classification. This frees our detection system from being constrained by the size of the executables, without any downgrade in performance. (2) At test time, the final classification g(x) is taken as the class most commonly predicted by f on a set of ablated versions of the file x. By doing so, our (de)randomized smoothing-based classifier is more resilient to byte manipulation attacks, as the injected adversarial payloads will only affect a small portion of the executable file and thus won't be able to flip its classification output.
The main contributions of this work are the following: • We propose a robust, model-agnostic defense against functionality-preserving content manipulation attacks.
• We introduce two chunk-based ablation schemes specifically designed for the task of malware detection.
• We present an empirical evaluation of state-of-the-art deep learning malware detection models against state-of-the-art evasion attacks on the BODMAS dataset, showing that the proposed smoothing schemes are more robust to such attacks compared to a baseline classifier.
The rest of the paper is organized as follows. Section 2 provides an overview of the functionality-preserving attacks specifically designed against deep learning-based malware detectors and the defenses developed so far. Section 3 presents our (de)randomized smoothing approach to defend against adversarial malware examples and introduces two chunk-based schemes specifically designed for the task of malware detection. Section 4 evaluates the proposed defense mechanism against various state-of-the-art evasion attacks. Finally, Section 5 summarizes our concluding remarks and presents some future lines of research.

Related Work
In this section, we provide background on the task of malware detection and introduce the state-of-the-art evasion attacks specifically designed to evade end-to-end malware detectors.

The Task of Malware Detection
Malware detection refers to the task of determining whether a particular piece of software is benign or malicious. Lately, deep learning-based malware detectors [4-6] have been proposed to detect malware based on the raw byte sequences of Portable Executable files. These approaches, instead of relying on manual feature engineering, learn patterns directly from the raw bytes through one or more convolutional layers. As shown in the literature [13,14], however, machine learning-based models are vulnerable to adversarial examples, i.e. input examples that have been deliberately manipulated to evade detection, and deep learning-based models for malware detection are not an exception [7,8,10,11].
In the context of malware detection, given a target malware detector f, the goal of an adversarial attack on a malicious example x is to generate an adversarial example x_adv by manipulating x in such a way that x_adv has the same functionality as x but is misclassified as benign by the target malware detector f. Differently from adversarial attacks on image classifiers, adversarial malware examples do not necessarily have to look imperceptibly similar to the original malware example; they only need to keep the functionality of the executable intact. Nevertheless, the existing literature [7,9] has proposed to limit the number of perturbations introduced in the adversarial malware examples, to minimize the amount of change made to the original code while still achieving the desired evasion result.

Functionality-Preserving Content Manipulation Attacks
The attacks specifically designed in the literature to evade deep learning-based malware detectors achieve evasion by manipulating Portable Executable files, either by injecting new content or by patching/modifying existing content within the files. This can be done by injecting the adversarial payloads into newly-created sections [8], at the overlay or end of the file [7], between the header and the sections [10], or between sections [11]. See Figure 1 for a visual representation of the aforementioned practical content manipulation attacks. For a more detailed description of each of the attacks, we refer the readers to [7,8,10,11].

Figure 1: A graphical depiction of the PE file format and some practical manipulations [7,8,10,11].
A simple, yet effective technique to craft these adversarial payloads is to use benign content. This is because end-to-end malware detectors are trained with both benign and malicious executables, and thus, injecting a substantial amount of benign content can potentially confuse the classifier. In addition to the simple benign content injection attack, more elaborate evasion attacks have recently been proposed in the literature to evade end-to-end malware detectors [7,8,10,11].
These evasion attacks can be broadly divided into white-box attacks [7,9,10] and black-box attacks [8,11], depending on the malware authors' access to and knowledge of the target malware detector. On the one hand, white-box attacks rely on complete knowledge of the target malware detector, i.e. the training algorithm, inputs and outputs, and access to the model parameters. For example, Kreuk et al. [9] and Suciu et al. [7] adapted the Fast Gradient Method (FGM) originally described in [15] to generate a small-sized adversarial payload that causes the malicious executables to be misclassified as benign. Conversely, in black-box attacks, the attackers have limited information about the ML-based system they want to attack. In a black-box setting, the attackers might have access to the inputs and outputs of the model, but they have no access to information about its architecture, inner workings and parameters. Black-box attacks only require the score (score-based attacks) or the label (label-based attacks) predicted by the malware detector. For instance, Demetrio et al. [8,10] proposed RAMEN and GAMMA, respectively. RAMEN [10] is a general framework for developing adversarial attacks on ML-based malware detection systems that rely on static code analysis. This framework includes three novel attacks, Full DOS, Extend, and Shift, which manipulate the DOS header, extend it, and shift the content of the first section, respectively. These attacks have been shown to outperform existing ones in both white-box and black-box scenarios, achieving a better trade-off in terms of evasion rate and size of the injected payload. Conversely, GAMMA (Genetic Adversarial Machine Learning Malware Attack) generates adversarial malware examples by injecting an adversarial payload into newly-created sections and optimizing the payload with genetic algorithms. Similarly, Yuste et al. [11] dynamically extended and optimized the bytes in unused blocks, referred to as code caves, from Portable Executable (PE) files to generate adversarial malware examples.

Adversarial Defenses
As far as we are aware, only two defenses have been proposed so far against these evasion attacks.
Lucas et al. [18] explored the application of adversarial training to improve the robustness of deep learning-based malware detectors against certain adversarial attacks. Their findings indicate that data augmentation alone does not deter state-of-the-art attacks. However, in specific cases, models can be made slightly more resilient to attacks by adversarially training them using lower-effort or less sophisticated versions of the same attacks. For instance, in their work, Lucas et al. [18] adversarially trained a deep learning-based detector with adversarial examples generated by three attacks: (1) the In-Place Replacement attack (IPR) [19], (2) the Displacement attack (Disp) [19] and (3) the Padding attack [7].
The model was then subsequently evaluated against an attack that combines In-Place Replacement and Displacement.
In their evaluation, the adversarially trained model exhibited an accuracy of 49%, whereas the accuracy of the original model was 25%. Thus, their work shows that although adversarial training helps build models that are more resilient against the attacks seen during training, it is not enough to defend against state-of-the-art attacks, leaving the detectors vulnerable to unknown threats. In addition, generating adversarial malware examples is computationally expensive and non-trivial; as a result, training models with adversarial training requires more computational resources compared to standard training procedures.
Alternatively, Gibert et al. [20] proposed a randomized smoothing scheme to improve the robustness of end-to-end malware classifiers against adversarial malware examples. Randomized smoothing is a technique that increases the robustness of ML-based classifiers against adversarial attacks by adding random noise to the input data during both training and inference, with the goal of making the classifier's predictions stable and resilient to small perturbations.
In their work, a base malware classifier f is trained to make classifications based on an ablated version x̄ of a given executable file x, where x̄ consists of a copy of the original executable x with each byte ablated with probability p. Afterwards, at inference time, L ablated versions of an input executable x are generated, and the final classification is determined as the class that the malware classifier most frequently predicts across the set of ablated versions of the executable. Unlike adversarial training, smoothing-based classifiers focus on blurring the decision boundaries within the input space, improving the classifier's resilience against a broader range of attacks [21].
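The per-byte ablation described above can be sketched as follows; the use of a PAD token outside the byte range 0-255 as the ablation value is an assumption for illustration, not necessarily the encoding used in [20]:

```python
import random

PAD = 256  # special token outside the valid byte range 0-255 (assumption)

def randomized_ablate(x: bytes, p: float):
    """Return a copy of x where each byte is independently replaced by the
    PAD token with probability p (randomized smoothing-style ablation)."""
    return [PAD if random.random() < p else b for b in x]
```

At inference time, L such ablated copies would be generated and classified, with the majority class reported as the prediction.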
Randomized smoothing, however, while effective against certain types of adversarial attacks, has limitations when applied to defending against adversarial malware examples. This is because the constraints imposed by executable files present unique challenges, and thus, adversarial attacks in the malware domain differ from attacks/perturbations on image or text data. Specifically, in the context of malware detection, attackers often inject an adversarial payload within specific parts of the executable files rather than making arbitrary modifications to bytes. Unlike image pixels or text characters, the bytes within executable files serve functional roles, and arbitrary modifications to these bytes can break the intended functionality of the executable. As a result, randomized smoothing, which injects random noise, might not be the most suitable defense against adversarial malware examples.

(De)Randomized Smoothing for Malware Detection
To defend against adversarial malware examples, in this paper we propose a chunk-based ablation smoothing scheme that takes into account the particularities of the adversarial attacks specifically designed against deep learning-based malware detectors and the structured nature of Portable Executable files. Our approach is inspired by (de)randomized smoothing [12], a class of certifiably robust image classifiers proposed against patch attacks.
In our (de)randomized smoothing scheme, a base malware classifier, f, is trained to make classifications based on an ablated version x̄ of a given executable file x. This ablated version x̄ consists of only a subset of contiguous bytes, or chunk of bytes, from the original file x; the rest of the file is ablated. This functionality is implemented by the operation ABLATE_train(x, p), where p indicates the percentage of byte values from the original file that the sampled chunk of bytes must contain. The training procedure is defined in Algorithm 1.
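Algorithm 1 itself is not reproduced here; a minimal sketch of what the ABLATE_train(x, p) operation might look like, assuming the ablated version is represented simply by the retained chunk:

```python
import random

def ablate_train(x: bytes, p: float) -> bytes:
    """ABLATE_train(x, p) sketch: keep a single randomly located contiguous
    chunk covering a fraction p of the file; the rest of x is ablated
    (discarded) and never seen by the base classifier in this training step."""
    chunk_size = max(1, int(len(x) * p))
    start = random.randint(0, len(x) - chunk_size)
    return x[start:start + chunk_size]
```

Because only the chunk is kept, the input length seen by the base classifier is fixed by p rather than by the size of the executable.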
Let x be an input file, p be the proportion of the chunk size compared to the size of the original file, and f be a base classifier. At test time, we generate L chunks from x using the function ABLATE_inference(x, p, L), and classify each chunk of bytes into its corresponding class using f. To make the final classification, we count the number of chunks of x that the base classifier returns for each class and divide it by the total number of chunks L. An overview of the chunk-based ablation scheme is provided in Figure 2. This binary classification problem can be formally defined as follows. Let C = {c_1, c_2} be the set of all possible classes, i.e. benign and malicious. For each class c_i ∈ C, let N_i be the number of chunks of x that the base classifier f returns as belonging to class c_i. Then, the probability of the input file x belonging to class c_i can be estimated as:

P(c_i | x) = N_i / L

where N_i is the number of chunks of x that belong to class c_i according to the base classifier f.
The final classification of x can then be determined as:

ŷ = argmax_{c_i ∈ C} N_i

where ŷ is the predicted class for the input file x.
The function ABLATE_inference(x, p, L) generates L chunks from the input file x according to the schemes defined in Sections 3.1 and 3.2.
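The test-time majority vote g(x) over per-chunk predictions can be sketched as follows; smoothed_classify and the callable base_classifier are illustrative names, not the authors' implementation:

```python
from collections import Counter

def smoothed_classify(chunks, base_classifier):
    """Majority vote g(x): classify every chunk with the base classifier f
    and return the most frequent class together with the estimates N_i / L."""
    predictions = [base_classifier(chunk) for chunk in chunks]
    counts = Counter(predictions)
    total = len(predictions)
    probabilities = {cls: n / total for cls, n in counts.items()}
    return max(counts, key=counts.get), probabilities
```

The returned probabilities are exactly the N_i / L estimates defined above, so the same routine serves both schemes once the chunks have been sampled.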

Randomized Chunk-based Ablation Scheme
This section describes the Randomized Chunk-based Ablation (RCA) scheme. The RCA scheme works by dividing the input file, represented as a byte sequence, into several randomly sampled chunks and classifying each chunk independently. The classification results from all the chunks are then combined by a majority vote to determine the final prediction for the input file. This approach aims to improve the model's resilience to adversarial examples and to reduce its sensitivity to the ordering of the input sequence.
The RCA scheme has three key components:

1. Sampling L chunks randomly from the input sequence using a uniform distribution.
2. Classifying each chunk independently with the base classifier f.
3. Combining the classification results by taking a majority vote.
To generate L chunks from the input example, the ABLATE_inference(x, p, L) function is used, where the parameter p determines the size of the chunks. This function, defined in Algorithm 2, works by randomly sampling chunks from the input sequence to generate multiple ablated versions of it.
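A minimal sketch of random chunk sampling in the spirit of Algorithm 2; the function name and exact sampling details are assumptions:

```python
import random

def ablate_inference_rca(x: bytes, p: float, L: int):
    """RCA version of ABLATE_inference(x, p, L): draw L chunk start
    positions uniformly at random and return the corresponding chunks."""
    chunk_size = max(1, int(len(x) * p))
    starts = [random.randint(0, len(x) - chunk_size) for _ in range(L)]
    return [x[s:s + chunk_size] for s in starts]
```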

Structural Chunk-based Ablation Scheme
This section describes a different strategy for classifying byte sequences, named the Structural Chunk-based Ablation (SCA) scheme. In contrast to the RCA scheme, the SCA scheme samples chunks in an orderly way from the start of the input byte sequence to its end, instead of randomly sampling chunks.
The SCA scheme has three key components:

1. Sampling L sequentially adjacent chunks from the input sequence.
2. Classifying each chunk independently with the base classifier f.
3. Combining the classification results by taking a majority vote.
The SCA scheme takes as input a byte sequence x and samples L sequentially adjacent chunks of equal size according to the file percentage p. Notice that, depending on the number of chunks to sample L and the chunk size, the chunks might overlap with one another. The SCA approach is useful for classifying byte sequences where the order of the sequence is important. By sampling chunks sequentially, the SCA approach takes into account the structural properties of the input sequence, which can improve classification accuracy.
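A sketch of sequential chunk sampling under the SCA scheme, assuming the L chunk start positions are spread evenly from the beginning to the end of the file:

```python
def ablate_inference_sca(x: bytes, p: float, L: int):
    """SCA version of ABLATE_inference(x, p, L): take L equally spaced,
    sequentially adjacent chunks spanning the file from start to end.
    When L * chunk_size exceeds len(x), adjacent chunks overlap."""
    chunk_size = max(1, int(len(x) * p))
    if L == 1:
        starts = [0]
    else:
        stride = (len(x) - chunk_size) / (L - 1)
        starts = [round(i * stride) for i in range(L)]
    return [x[s:s + chunk_size] for s in starts]
```

With p = 5% and L = 20, the sampled chunks tile the file exactly; increasing L beyond that makes neighbouring chunks overlap.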

Evaluation
We now empirically evaluate the proposed randomized chunk-based ablation (RCA) and structural chunk-based ablation (SCA) schemes to determine the robustness of the smoothing approaches against adversarial malware examples generated by four state-of-the-art evasion attacks.

Experimental Setup
Here we describe the details of the experimental setup, including data sources, machine learning models for malware detection, and parameters for the randomized and structural chunk-based ablation smoothing schemes. The experiments have been run on a machine with an Intel Core i7-11800H CPU, a GeForce GTX 3070 GPU and 32GB of RAM. The code has been implemented with PyTorch [22] and will be made publicly available in our GitHub repository after acceptance.

BODMAS Dataset
The dataset used in this paper to evaluate the proposed ablation-based classification schemes is the BODMAS dataset [23]. This dataset consists of 57,293 malware samples with family information (581 families) and 77,142 benign Windows PE files collected from August 2019 to September 2020. Similar to [20], we have only considered those executables that are equal to or smaller than 1Mb. The reduced dataset consists of 39,380 and 37,739 benign and malicious executables, respectively. Furthermore, we have split the dataset into training (80%), validation (10%) and test (10%) sets using the timestamp of each example. As a result, the training set contains the oldest examples while the test set contains the newest examples.
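The chronological split can be sketched as follows; the (timestamp, example) pair format is a hypothetical representation of the BODMAS metadata:

```python
def temporal_split(samples, train_frac=0.8, val_frac=0.1):
    """Split (timestamp, example) pairs chronologically: the oldest samples
    go to training and the newest to test, mirroring the split above."""
    ordered = sorted(samples, key=lambda s: s[0])
    n_train = int(len(ordered) * train_frac)
    n_val = int(len(ordered) * val_frac)
    return (ordered[:n_train],
            ordered[n_train:n_train + n_val],
            ordered[n_train + n_val:])
```

Splitting by timestamp rather than at random avoids leaking future malware families into the training set.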

Malware Detectors
In this work, we experiment with a deep learning-based malware detector called MalConv [4]. MalConv was one of the first end-to-end deep learning models proposed for malware detection. End-to-end models learn to classify examples directly from raw byte sequences, instead of relying on feature engineering. The network architecture of MalConv consists of an embedding layer, a gated convolutional layer, a global max-pooling layer and a fully-connected layer (see Figure 3). Using MalConv as a basis, the following malware detectors have been considered:

• NS-MalConv. This detector corresponds to a non-smoothed MalConv model [4]. It serves as a non-robust baseline, as no specific technique has been employed to improve its robustness to evasion attacks.
• RCA-MalConv.This detector implements the randomized chunk-based ablation scheme proposed in Section 3.1 using MalConv as a base detector.
• SCA-MalConv. This detector implements the structural chunk-based ablation scheme proposed in Section 3.2 using MalConv as a base detector.

• RS-MalConv. This detector implements the randomized smoothing scheme of Gibert et al. [20] using MalConv as a base detector.

Empirical Robustness Evaluation
In this section, we empirically evaluate the robustness of the chunk-based smoothing schemes against several published evasion attacks. By doing so, we aim to provide a complete picture of the strengths and weaknesses of the proposed defenses. We provide details of the performance of the proposed defenses against non-adversarial examples in Section 4.2.1, and we present the results of the ablation-based schemes against four state-of-the-art evasion attacks in Section 4.2.2.

Non-Adversarial Evaluation
Both the randomized and structural chunk-based ablation schemes depend on two hyperparameters: (1) the proportion of bytes contained in each chunk with respect to the file size, denoted by p, and (2) the number of chunks to use for classification, denoted by L.
It is important to note that the two parameters affect the behavior of the two schemes differently. The greater the number of chunks used for classification in the randomized scheme, the more stable the produced results will be. This is because the randomized scheme randomly samples chunks from a single example; as a result, the more chunks are sampled, the less variability there is in the final prediction. On the other hand, the greater the number of chunks in the structural scheme, the more the chunks will overlap. For example, if the size of the chunks is equal to 5% of the original size of the file and the number of chunks used for classification is 20, there won't be any overlap between chunks. On the other hand, if the number of chunks used for classification is 100, there will be an 80% overlap between adjacent chunks.
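Under the assumption that the L chunk start positions are spread evenly across the file, the overlap between adjacent chunks can be computed as follows; the exact figures depend on the stride convention, so this is an approximation of the numbers quoted above:

```python
def adjacent_overlap(p: float, L: int) -> float:
    """Fraction of a chunk shared with its neighbour when L chunks of
    relative size p have their start positions spread evenly over the file."""
    stride = (1.0 - p) / (L - 1)  # spacing between chunk starts, as a file fraction
    return max(0.0, (p - stride) / p)
```

With p = 0.05, 20 chunks tile the file with essentially no overlap, while 100 chunks overlap by roughly 80%, matching the example above.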
We would like to note that we have chosen the same hyperparameters for the MalConv model as those in the original paper [4]. The only difference between the hyperparameters of NS-MalConv, RCA-MalConv and SCA-MalConv is the number of epochs used during training. In the case of NS-MalConv, the model is trained on the entire binary file in each step. However, for RCA-MalConv and SCA-MalConv, only a small portion of the input file is used during each training step, and so a larger number of epochs (in this case, 50) is needed to ensure that the model is trained on enough chunks from each file. In addition, early stopping is employed, causing the training process to terminate once the detector's validation performance drops for more than 5 epochs.

Table 3: Summary of the evasion attacks considered in the evaluation.

Attack             | Access    | Description
Slack+Padding [7]  | White-box | Pads bytes at the end of the executables and manipulates the bytes from the slack space
Shift [10]         | White-box | Creates space between the headers and the sections of the executables
GAMMA [8]          | Black-box | Creates new sections with benign content
Code caves [11]    | Black-box | Dynamically extends and optimizes the size of the code caves with a genetic algorithm

Empirical Robustness Against SOTA Evasion attacks
We consider four recently published attacks designed to bypass static PE malware detectors, as summarized in Table 3. To perform the attacks, we have adapted the open-source implementation of the attacks from the secml-malware library [24]. These attacks range from manipulating very few bytes from the PE headers [10] to injecting hundreds to thousands of bytes [7-9, 11, 25]. Since some attacks might take hours to run per file, we have used a smaller test set containing 500 malware examples randomly subsampled from the test set. By employing a smaller subset, we aim to reduce the computational overhead of using genetic algorithms to optimize the adversarial payloads. We would like to note that our evaluation set is comparable in size to prior work [7,9,10,25]. If supported by the attack, i.e. Shift, Slack and GAMMA, early stopping is employed, causing the attack to terminate immediately once the malware detector's prediction changes from malicious to benign.
We would like to point out that the white-box attacks cannot be directly applied against the randomized smoothing classifier (RS-MalConv) and the (de)randomized smoothing classifiers (RCA-MalConv, SCA-MalConv), as they require computing gradients, and the majority vote employed by the smoothing-based classifiers is not differentiable. To overcome this limitation, the adversarial payloads have been optimized using genetic algorithms (GAs), as described in Gibert et al. [20].
Next, the impact of the evasion attacks on the malware detectors is measured.

Slack+Padding Attack
Suciu et al. [7] proposed an evasion attack against malware detectors that modifies the bytes in the slack space and appends bytes at the end of the file using the Fast Gradient Sign Method (FGSM) [15]. The FGSM works by perturbing the input data by a small amount in the direction of the gradient of the loss function with respect to the input. It is a fast and effective way to generate adversarial examples, as it only requires one forward and one backward pass through the network to compute the gradient. In our case, GAs have been used to optimize the appended payload, as the FGSM cannot be applied to the smoothing-based classifiers. In our experiments, we allowed the attack to inject 500 and 10,000 bytes at the end of the executables. Results are shown in Figure 4.
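A generic sketch of a single masked FGSM update, restricted to attacker-controlled positions; this is a toy illustration of the update rule, not the authors' embedding-space implementation:

```python
def sign(v: float) -> int:
    """Sign of v: -1, 0 or +1."""
    return (v > 0) - (v < 0)

def fgsm_step(x, grad, epsilon, mask):
    """One FGSM update: move each input position by epsilon in the direction
    of the sign of the loss gradient, with `mask` restricting the change to
    attacker-controlled positions (slack space and appended padding)."""
    return [xi + epsilon * sign(gi) * mi for xi, gi, mi in zip(x, grad, mask)]
```

In the real attack, the perturbed values must additionally be projected back to valid byte values so that the file remains executable.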

GAMMA Attack
Demetrio et al. [8] proposed an evasion attack that relies on injecting benign content either at the end of the file or within some newly-created sections. Afterwards, the injected adversarial payload is optimized using genetic algorithms. Figure 6 presents the detection accuracy of the ML-based models against the GAMMA attack using different hyperparameters. GAMMA allows the attacker to define the population size, the total number of iterations to perform (100 by default), whether to use a hard or soft label, and the amount of goodware sections to inject. In our experiments, a constraint has been imposed on the maximum size of the adversarial malware examples generated by the GAMMA attack, limiting it to twice the size of the original input. The rationale behind this decision is to mitigate the possibility of injecting excessively large adversarial payloads in pursuit of evading the malware classifier.

Optimization of Code Caves Attack
Yuste et al. [11] introduced a method for generating adversarial malware examples based on dynamically extending unused blocks within the executables, referred to as code caves. Code caves are areas within the binary that are typically unused or contain extraneous code, often employed by malware authors to embed malicious payloads. After extending the code caves, an adversarial payload is injected and optimized using genetic algorithms. Figure 7 showcases the detection accuracy of the detectors against the code caves attack. We can observe that our chunk-based smoothing classifiers achieve notably higher detection accuracy compared to their non-smoothed counterpart, setting a new benchmark in terms of detection accuracy and representing a substantial advancement in the field.

Discussion
In this section we discuss the advantages and limitations of non-smoothed and chunk-based smoothed detectors at training and test time.
The main advantage of training a malware detector on the whole binary is that it provides a comprehensive and complete representation of the input sample. By taking as input the whole binary file, the classifier can learn to recognize patterns related to the overall structure of the binary file, including the headers, sections, segments, and specific data blocks. However, existing literature [26] has shown that the MalConv model does not extract meaningful characteristics from the content of the data and text sections within binary files. Instead, it tends to extract features based on attributes present in the file headers. On the other hand, the proposed chunk-based classifiers do not have access to a complete picture of the binary file but only to a subset of the bytes, without any information about the file's overall structure.

At inference time, the non-smoothed detectors make predictions faster and with fewer computational resources than the smoothed detectors, as they only assess a given input sample once. On the other hand, the smoothed detectors (RCA-MalConv and SCA-MalConv) are slightly slower because they need to assess each chunk independently and then aggregate the predictions. Considering these findings, it is worthwhile to consider using SCA-MalConv and RCA-MalConv over NS-MalConv for the malware detection task, as the benefits of higher detection rates on adversarial examples outweigh the slightly higher inference time. Furthermore, our chunk-based malware classification system is interpretable by design. By assessing the maliciousness of each chunk independently, our method facilitates a finer-grained analysis of the file, making it possible to identify which specific chunks within a file exhibit malicious or benign traits. As a result, the predictions for each chunk can serve as the basis for generating a visual depiction or an overview of the file, emphasizing the chunks with the highest and lowest maliciousness scores.
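The per-chunk interpretability described above can be sketched as a simple ranking of chunk scores; chunk_report and score_fn are hypothetical names:

```python
def chunk_report(chunks, score_fn):
    """Rank chunks by maliciousness score (highest first) to highlight the
    most and least suspicious regions of a file. `score_fn` is assumed to
    return a maliciousness probability in [0, 1] for a single chunk."""
    scores = [(index, score_fn(chunk)) for index, chunk in enumerate(chunks)]
    return sorted(scores, key=lambda item: item[1], reverse=True)
```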

Conclusions
In this paper, we present a robust, model-agnostic defense against adversarial malware examples. Building upon prior research on (de)randomized smoothing, we introduce two chunk-based ablation schemes to build robust static learning-based classifiers. The novel application of our chunk-based ablation schemes creates new robust models, named RCA-MalConv and SCA-MalConv, that generalize better than the non-smoothed MalConv and the randomized smoothing-based MalConv against adversarial malware examples generated with state-of-the-art evasion techniques.
Our approach establishes a new benchmark in terms of detection accuracy and represents a substantial leap forward within the field.Given the inherently adversarial nature of cybersecurity, we believe that our efforts will stimulate further research in adversarial attacks and defenses for the domain of malware detection.

Future Work
The methods proposed in this paper are designed to classify files by breaking them down into smaller, fixed-size chunks, and then determining whether each chunk is benign or malicious. While this approach has shown promise in accurately classifying files, it is based on the assumption that all code within a malicious executable is malicious and all code within a benign executable is benign, which may not hold true in all cases. In some cases, a malicious file might only contain a small portion of malicious code while the majority of its code is benign. For simplicity, in this work, all chunks within a malicious file are labeled as malicious, but a more fine-grained labelling of the chunks might improve our approach's accuracy.
Another line of research is to investigate approaches that identify and remove adversarial content from executables, i.e. the byte sequences specifically injected to flip the classifier's prediction.
These attacks have been shown to outperform existing ones in both white-box and black-box scenarios, achieving a better trade-off between evasion rate and the size of the injected payload. Conversely, GAMMA (Genetic Adversarial Machine Learning Malware Attack) generates adversarial malware examples by injecting an adversarial payload into newly-created sections and optimizing its content with a genetic algorithm.

Figure 2: Illustration of the chunk-based ablation smoothing scheme. The preprocessing step extracts chunks of the input example as described in Sections 3.1 and 3.2.
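The two chunk-selection strategies (random locations versus contiguous adjacent chunks) can be sketched as byte-slicing helpers. The function names are illustrative, not from the paper's codebase, and chunks are assumed to be plain byte slices:

```python
import random

def rca_chunks(data: bytes, chunk_size: int, n_chunks: int, rng=None):
    """Randomized chunk selection: sample n_chunks starting offsets
    uniformly, so injected adversarial bytes are hit only by chance."""
    rng = rng or random.Random()
    max_start = max(len(data) - chunk_size, 0)
    starts = [rng.randint(0, max_start) for _ in range(n_chunks)]
    return [data[s:s + chunk_size] for s in starts]

def sca_chunks(data: bytes, chunk_size: int):
    """Structured chunk selection: split the file into contiguous,
    adjacent chunks covering the whole input."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
```

In both cases each extracted chunk is classified independently by the base classifier before the consensus step.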

Figure 3: Graphical depiction of the MalConv architecture. Using MalConv as a basis, four malware detectors have been considered:

Figure 4: Detection accuracy of the malware detectors on the adversarial examples generated by Suciu et al. [7].
Figure 5 presents the detection accuracy of the ML-based models against the shift attack for different extension amounts. Notice that when adding an adversarial payload of 4096 bytes, NS-MalConv detects only 40.80% of the adversarial examples, while RCA-MalConv and SCA-MalConv achieve 97.00% and 96.80% accuracy, respectively.

Figure 5: Detection accuracy of the malware detectors on the adversarial examples generated by the Shift attack [10].

The hyperparameters of the GAMMA attack include the population size, 100 by default, whether to use a hard or soft label, and the amount of goodware sections to inject. In our experiments, a constraint has been imposed on the maximum size of the adversarial malware examples generated by the GAMMA attack, limiting it to twice the size of the original input. The rationale behind this decision is to mitigate the possibility of injecting excessively large adversarial payloads in pursuit of evading the malware classifier.

Figure 6: Detection accuracy of the malware detectors on the adversarial examples generated by the GAMMA attack [8].

Figure 7: Detection accuracy of the malware detectors on the adversarial examples generated with the code caves optimization attack [11]. Hyperparameters of the genetic algorithm: (1) probability of a solution in the population being mutated, p1 = 0.1, and (2) percentage of genes in each solution to be mutated, p2 = 0.1.
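To illustrate how the two mutation hyperparameters interact, a minimal sketch of the mutation step, assuming byte-valued genes (a simplification of ours, not the attack's reference implementation):

```python
import random

def mutate_population(population, p1=0.1, p2=0.1, rng=None):
    """Each solution is mutated with probability p1; within a mutated
    solution, a fraction p2 of its genes (bytes) are replaced with
    random byte values."""
    rng = rng or random.Random()
    mutated = []
    for solution in population:
        genes = list(solution)
        if rng.random() < p1:
            n_genes = max(1, int(p2 * len(genes)))
            for idx in rng.sample(range(len(genes)), n_genes):
                genes[idx] = rng.randrange(256)
        mutated.append(bytes(genes))
    return mutated
```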

Table 1: Performance metrics of RCA-MalConv and SCA-MalConv models on the validation set given different chunk sizes.

Table 1 presents the accuracy and F1 score of RCA-MalConv and SCA-MalConv with varying chunk sizes. The greatest accuracy and F1 score are achieved by SCA-MalConv and RCA-MalConv with a chunk size equal to 5% of the original file size. Compared to the non-smoothed classifier (Table 2), the chunk-based approaches achieve similar detection accuracy while being more robust to evasion attacks.

Table 2: Performance metrics of the MalConv models on the test set and the sub-test sets of 500 malware examples used for adversarial attack evaluation. As the sub-test set is composed solely of malware, we simply report the accuracy.

Table 3: Summary of the evasion attacks used to assess the robustness of the proposed smoothing classifiers.

The non-smoothed detectors are vulnerable to attacks that manipulate the input sample, such as injecting small adversarial payloads [7,10]. On the contrary, smoothed detectors can be more accurate on adversarial examples, as the adversarial code does not affect all the chunks but only a subset of them. According to the findings presented in Sections 4.2.1 and 4.2.2, SCA-MalConv and RCA-MalConv achieve detection accuracy on clean examples similar to NS-MalConv while providing higher detection rates on adversarial examples.

Table 4: Training and testing time comparison between the smoothed and non-smoothed detectors. The training procedure for RCA-MalConv and SCA-MalConv is identical, and thus their training time is the same. However, their performance differs during testing, as RCA-MalConv randomly samples chunks for classification while SCA-MalConv samples chunks in order.