Evaluating Realistic Adversarial Attacks against Machine Learning Models for Windows PE Malware Detection
Abstract
1. Introduction
- The evaluation study of the evasion ability of Windows PE attack methods performed in [5] was extended by considering a larger dataset of more recent Windows PE files with respect to the one used in [5]. We made the dataset that was prepared to conduct our evaluation study publicly available for future research studies. This evaluation study confirms the conclusions drawn in [5] that LGBM outperforms MalConv, while GAMMA generates a higher number of realistic adversarial Windows PE malware files that are able to fool both MalConv and LGBM.
- A new interpretative analysis was performed to explain how the attack methods considered in this study can change the Windows PE malware files to fool the decisions of machine learning models. This analysis shows that the less effective attack methods of the performed evaluation, i.e., Full DOS and FGSM padding + slack, produce the adversarial malware files closest to the binary files of the original counterpart malware. On the other hand, the most effective attack method of this study, i.e., GAMMA, produces the adversarial malware files that are the furthest from the binary files of the original counterpart malware. In addition, this study explains how each attack method fools the decision model produced with LGBM, which is the most accurate machine learning method of this study. Specifically, it discloses which input features of the decision model change importance in the decisions produced for the study’s adversarial malware files with respect to the decisions made using their original counterpart malware files.
- The adversarial training strategy was used as a defence adversarial learning approach to train a new LGBM model by incorporating the adversarial Windows PE malware files generated with the attack methods in both the training stage conducted to obtain the decision model and the evaluation stage conducted to measure the accuracy performance of the decision model. The evaluation results show that the use of the adversarial training strategy with GAMMA-produced samples can be an effective strategy to strengthen the LGBM model against this attack type. In addition, the study explains how the adversarial training strategy changes the decisions of the LGBM model in this case. We note that exploring the explainability of both machine learning and adversarial learning behaviours is nowadays crucial in gaining the trust of cybersecurity stakeholders in such technologies.
2. Background
2.1. Machine Learning Concepts and Terminologies
2.2. Windows PE Files
2.3. Windows PE File Collection
2.4. Adversarial Attacks and Defences
3. Materials and Methods
3.1. Machine Learning Models
3.2. Attack Methods
3.2.1. White-Box Attack Methods
- Extend. This white-box attack method [5] creates a new area within the binary file by increasing the size of the DOS header. It uses the new area in the DOS header to add noise bytes. According to [5], this byte injection preserves the functionality of the executable file. Specifically, the method operates in four steps. First, it determines how many bytes must be injected into the DOS header. Then, it identifies the PE header offset of the added area to record the injected bytes. Subsequently, it applies all the requested changes to make the new file compliant with the PE format constraints. For example, it increases the offset to the PE header, the size of the header field and the section entries. Finally, it applies the perturbation to the bytes that can be modified in the DOS header to create the adversarial payload.
- Full DOS. This white-box attack method [5] applies noise to the bytes in the DOS header. It is based on the fact that the DOS header is still kept in Windows PE files to keep these files compatible with older operating systems. The DOS header may therefore be changed while keeping the functionality of the executable file, except for the magic number “MZ” and the four-byte-long integer at offset 0x3c. In particular, the magic number identifies the file uniquely, while the four-byte-long integer at offset 0x3c points to the starting point of the PE header in the binary code. Neither can be changed if the file is to remain executable. Hence, this attack method perturbs the bytes that are placed in the DOS header in the areas before the magic number and after the pointer to the PE header.
- Shift. This white-box attack method [5] applies the shift operation to the first section to make room for an adversarial byte chunk. The added binary chunk must have a size that is a multiple of the file alignment. This constraint must be satisfied to obtain an executable file that keeps its functionality. The method operates in three steps. First, it identifies the position of the first Section in the binary file. Then, it injects the noise bytes in the selected position. Finally, it updates the offset of each Section within the Section Table to account for the new chunk of bytes injected before the first Section. In this way, the loader can still find the content of each section while ignoring the adversarial content injected before the first Section.
- FGSM padding + slack. This white-box attack method [14] applies an iterative variant of the classical FGSM method [46] to the embedded representation of the binary file until it achieves evasion. It performs reconstruction at the end of the iterative perturbation process. In the reconstruction, each binary value that was appropriately perturbed within its embedded representation is transformed into a real byte within the raw byte input space through the application of the inverse transformation. To obtain an executable file that preserves its functionality, the noise is applied to a payload area that is injected into non-executable code sections. Specifically, this payload is injected through Slack Space and Padding manipulations. The Slack Space manipulation fills the space between sections. The compiler adds a chunk of zero bytes to each section to fill the gap. The Padding manipulation adds the padding bytes to the end of the code.
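A defender-side view of the file regions these manipulations write to, as an added example that is not code from the paper or from secml-malware: it parses the DOS header, the pointer at offset 0x3c and the Section Table, then measures content in the header gap, the section slack space and the trailing padding. The sample input is a constructed, non-runnable PE-shaped blob, and the `max_lfanew` threshold and the DOS stub message check are heuristic assumptions.

```python
import struct

# Stub text emitted by many linkers; its absence is only a heuristic signal (assumption).
DOS_STUB_MSG = b"This program cannot be run in DOS mode"

def _nonzero(buf: bytes) -> int:
    return len(buf) - buf.count(0)

def pe_layout_indicators(data: bytes) -> dict:
    """Measure content in the header, slack and trailing regions of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # pointer to the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("offset 0x3c does not point at a PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                      # start of the Section Table
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated Section Table")
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_size:                                      # ignore sections with no bytes on disk
            sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size, raw_ptr))
    headers_end = table + 40 * n_sections
    first_raw = min((s[3] for s in sections), default=len(data))
    last_end = max((s[3] + s[2] for s in sections), default=headers_end)
    slack = {}
    for name, vsize, raw_size, raw_ptr in sections:
        if 0 < vsize < raw_size:                          # alignment filler after the real content
            slack[name] = _nonzero(data[raw_ptr + vsize:raw_ptr + raw_size])
    return {
        "e_lfanew": e_lfanew,
        "dos_stub_msg_present": DOS_STUB_MSG in data[0x40:e_lfanew],
        "header_gap_nonzero": _nonzero(data[headers_end:first_raw]),
        "slack_nonzero": slack,
        "overlay_bytes": max(0, len(data) - last_end),
    }

def triage(ind: dict, max_lfanew: int = 0x200) -> list:
    """Turn indicators into review reasons; max_lfanew is an assumed threshold to tune."""
    reasons = []
    if ind["e_lfanew"] > max_lfanew:
        reasons.append("PE header offset unusually large (enlarged DOS area)")
    if not ind["dos_stub_msg_present"]:
        reasons.append("standard DOS stub message missing")
    if ind["header_gap_nonzero"]:
        reasons.append("non-zero bytes between Section Table and first section")
    if any(ind["slack_nonzero"].values()):
        reasons.append("non-zero bytes in section slack space")
    if ind["overlay_bytes"]:
        reasons.append("bytes appended after the last section")
    return reasons

def build_sample(slack_fill: bytes = b"\0", overlay: bytes = b"") -> bytes:
    """Constructed, non-runnable PE-shaped blob: one .text section, 0x200 alignment."""
    e_lfanew, opt_size = 0x80, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    head = bytes(dos) + coff + opt + sec
    body = b"\x90" * 0x100 + slack_fill * 0x100           # 0x100 content + 0x100 slack
    return head + bytes(0x200 - len(head)) + body + overlay

if __name__ == "__main__":
    for label, blob in [("clean", build_sample()),
                        ("modified", build_sample(b"\xAA", b"\x41" * 512))]:
        print(label, triage(pe_layout_indicators(blob)))
```

These are triage signals rather than verdicts: signed binaries and installers legitimately carry bytes after the last section, so the output is best used as extra features or as a reason for closer review.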
3.2.2. Black-Box Attack Methods
- GAMMA. This black-box attack method [15] uses an evolutionary algorithm that injects an adversarial perturbation into the Windows PE malware file. This method solves an optimisation problem by resorting to a penalty term to minimise the evasion probability, as well as the size of the binary content that is added to the PE file. The injected content is extracted from goodware binary files instead of being produced randomly. To find the optimised benign content, GAMMA selects benign content iteratively and optimises the selection and size of goodware-originated content using the selection, crossover and mutation functions. As in [15], we used the section evasion formulation of GAMMA, which resorts to the section injection operation to extract sections from goodware files and inject them as a new section into the produced adversarial malware file. In addition, a new section entry is added to the Section Table of the adversarial file. Notably, the authors of [15] showed that, although this operation changes both the byte distribution and the structure of the binary file, it preserves the code functionality by design.
3.2.3. Remarks on Adversarial PE Malware Execution and Structure
3.3. SHAP
3.4. Adversarial Training
4. Data and Evaluation Metrics
- “filetype: “PE32 executable” extension:exe after 1 January 2021”,
- “filetype: “PE32 executable” extension:exe after 1 January 2022”,
- “filetype: “PE32 executable” extension:exe after 1 January 2023”.
- Overall accuracy () measures the proportion of correctly classified Windows PE files, regardless of the class, out of all the predicted files, i.e., . This metric estimates the overall ability of a decision model to correctly classify a sample in its proper class, regardless of the class value.
- Precision () measures how many Windows PE malware files are correctly classified as malware, given all predictions of the malware class, i.e., . This metric estimates how often the decision model is correct when predicting the target class “malware”.
- Recall () measures how many Windows PE malware files are correctly classified as malware, given all occurrences of class malware, i.e., . This metric estimates whether the decision model can find all samples of the target class “malware”.
- Fscore () measures the harmonic mean of precision and recall, i.e., . As precision and recall are equally important, the Fscore is measured to estimate the trade-off between precision and recall. In particular, the higher the Fscore, the better the balance between precision and recall achieved by the evaluated approach.
- The false negative rate () measures the probability that Windows PE malware is wrongly classified as goodware, i.e., . The lower the false negative rate, the lower the number of malware files that are undetected.
- The false positive rate () measures the probability that Windows PE goodware is wrongly classified as malware, i.e., . The lower the false positive rate, the lower the number of goodware files that are wrongly detected as malware.
5. Results
- To evaluate the accuracy of the two pre-trained models, MalConv and LGBM, on the Windows PE dataset prepared for this study (Section 5.1).
- To evaluate the integrity of the two pre-trained models, MalConv and LGBM, with realistic adversarial Windows PE malware produced via the attack methods considered in this study (Section 5.2).
- To analyse the distance between original Windows PE malware and its adversarial counterparts (see Section 5.3).
- To explain why the LGBM model that was learned using engineered features may work differently when it produces decisions related to the malicious behaviour of the adversarial Windows PE malware files generated via the study attack methods (Section 5.4).
- To investigate the performance of adversarial training done with adversarial malware samples produced through realistic Windows PE attack methods (Section 5.5).
5.1. Accuracy Analysis of Pre-Trained MalConv and LGBM
5.2. Integrity Analysis of Pre-Trained MalConv and LGBM
5.3. Distance Analysis of Adversarial Windows PE Malware
5.4. XAI-Based Analysis of the Effect of Adversarial Windows PE Malware on Engineered Features
5.5. Performance Analysis of Adversarial Training with LGBM and Realistic Windows PE Attack Methods
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Appendix A
References
- Singh, J.; Singh, J. A survey on machine learning-based malware detection in executable files. J. Syst. Archit. 2021, 112, 101861.
- Tayyab, U.e.H.; Khan, F.B.; Durad, M.H.; Khan, A.; Lee, Y.S. A Survey of the Recent Trends in Deep Learning Based Malware Detection. J. Cybersecur. Priv. 2022, 2, 800–829.
- Gopinath, M.; Sibi Chakkaravarthy, S. A comprehensive survey on deep learning based malware detection techniques. Comput. Sci. Rev. 2023, 47, 100529.
- Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.J.; Fergus, R. Intriguing properties of neural networks. In Proceedings of the 2nd International Conference on Learning Representations, ICLR 2014, Banff, AB, Canada, 14–16 April 2014; Conference Track Proceedings. Bengio, Y., LeCun, Y., Eds.; pp. 1–10, arXiv:1312.6199.
- Demetrio, L.; Coull, S.E.; Biggio, B.; Lagorio, G.; Armando, A.; Roli, F. Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection. ACM Trans. Priv. Secur. 2021, 24, 27.
- Demetrio, L.; Biggio, B.; Roli, F. Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware. IEEE Secur. Priv. 2022, 20, 77–85.
- Liang, H.; He, E.; Zhao, Y.; Jia, Z.; Li, H. Adversarial Attack and Defense: A Survey. Electronics 2022, 11, 1283.
- Ling, X.; Wu, L.; Zhang, J.; Qu, Z.; Deng, W.; Chen, X.; Qian, Y.; Wu, C.; Ji, S.; Luo, T.; et al. Adversarial attacks against Windows PE malware detection: A survey of the state-of-the-art. Comput. Secur. 2023, 128, 103134.
- Raff, E.; Barker, J.; Sylvester, J.; Brandon, R.; Catanzaro, B.; Nicholas, C.K. Malware detection by eating a whole exe. In Proceedings of the Workshops at the 32nd AAAI Conference on Artificial Intelligence, New Orleans, LA, USA, 2–7 February 2018.
- Anderson, H.S.; Roth, P. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. arXiv 2018, arXiv:1804.04637.
- Li, K.; Guo, W.; Zhang, F.; Du, J. GAMBD: Generating adversarial malware against MalConv. Comput. Secur. 2023, 130, 103279.
- Liu, L.; Kuang, X.; Liu, L.; Zhang, L. Defend against adversarial attacks in malware detection through attack space management. Comput. Secur. 2024, 141, 103841.
- Barut, O.; Zhang, T.; Luo, Y.; Li, P. A Comprehensive Study on Efficient and Accurate Machine Learning-Based Malicious PE Detection. In Proceedings of the 2023 IEEE 20th Consumer Communications & Networking Conference, CCNC 2023, Las Vegas, NV, USA, 8–11 January 2023; pp. 632–635.
- Kreuk, F.; Barak, A.; Aviv-Reuven, S.; Baruch, M.; Pinkas, B.; Keshet, J. Adversarial Examples on Discrete Sequences for Beating Whole-Binary Malware Detection. arXiv 2018, arXiv:1802.04528.
- Demetrio, L.; Biggio, B.; Lagorio, G.; Roli, F.; Armando, A. Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware. IEEE Trans. Inf. Forensics Secur. 2021, 16, 3469–3478.
- Demetrio, L.; Biggio, B. secml-malware: A Python Library for Adversarial Robustness Evaluation of Windows Malware Classifiers. arXiv 2021, arXiv:2104.12848.
- Lundberg, S.M.; Lee, S.I. A Unified Approach to Interpreting Model Predictions. In Proceedings of the 31st International Conference on Neural Information Processing Systems, NIPS 2017, Long Beach, CA, USA, 4–9 December 2017; NIPS. Curran Associates Inc.: Glasgow, UK, 2017; pp. 4768–4777.
- Chen, B.; Ren, Z.; Yu, C.; Hussain, I.; Liu, J. Adversarial Examples for CNN-Based Malware Detectors. IEEE Access 2019, 7, 54360–54371.
- Adeke, J.M.; Liu, G.; Zhao, J.; Wu, N.; Bashir, H.M. Securing Network Traffic Classification Models against Adversarial Examples Using Derived Variables. Future Internet 2023, 15, 405.
- Alotaibi, A.; Rassam, M.A. Adversarial Machine Learning Attacks against Intrusion Detection Systems: A Survey on Strategies and Defense. Future Internet 2023, 15, 62.
- Al-Essa, M.; Andresini, G.; Appice, A.; Malerba, D. PANACEA: A Neural Model Ensemble for Cyber-Threat Detection. Mach. Learn. J. 2024, 1–44, in press.
- Chen, H.; Babar, M.A. Security for Machine Learning-based Software Systems: A Survey of Threats, Practices, and Challenges. ACM Comput. Surv. 2024, 56, 1–38.
- Bishop, C.M.; Nasrabadi, N.M. Pattern Recognition and Machine Learning. J. Electron. Imaging 2007, 16, 049901.
- Kattamuri, S.J.; Penmatsa, R.K.V.; Chakravarty, S.; Madabathula, V.S.P. Swarm Optimization and Machine Learning Applied to PE Malware Detection towards Cyber Threat Intelligence. Electronics 2023, 12, 342.
- Ucci, D.; Aniello, L.; Baldoni, R. Survey of machine learning techniques for malware analysis. Comput. Secur. 2019, 81, 123–147.
- Harang, R.E.; Rudd, E.M. SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection. arXiv 2020, arXiv:2012.07634.
- Yang, L.; Ciptadi, A.; Laziuk, I.; Ahmadzadeh, A.; Wang, G. BODMAS: An open dataset for learning based temporal analysis of PE malware. In Proceedings of the 2021 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 27 May 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 78–84.
- Svec, P.; Balogh, S.; Homola, M.; Kluka, J. Knowledge-Based Dataset for Training PE Malware Detection Models. arXiv 2022, arXiv:2301.00153.
- Catak, F.O.; Yazı, A.F.; Elezaj, O.; Ahmed, J. Deep learning based Sequential model for malware analysis using Windows exe API Calls. PeerJ Comput. Sci. 2020, 6, e285.
- Bosansky, B.; Kouba, D.; Manhal, O.; Sick, T.; Lisy, V.; Kroustek, J.; Somol, P. Avast-CTU Public CAPE Dataset. arXiv 2022, arXiv:2209.03188.
- Chakraborty, A.; Alam, M.; Dey, V.; Chattopadhyay, A.; Mukhopadhyay, D. A survey on adversarial attacks and defences. CAAI Trans. Intell. Technol. 2021, 6, 25–45.
- Tian, Z.; Cui, L.; Liang, J.; Yu, S. A Comprehensive Survey on Poisoning Attacks and Countermeasures in Machine Learning. ACM Comput. Surv. 2022, 55, 1–35.
- Khamaiseh, S.Y.; Bagagem, D.; Al-Alaj, A.; Mancino, M.; Alomari, H.W. Adversarial Deep Learning: A Survey on Adversarial Attacks and Defense Mechanisms on Image Classification. IEEE Access 2022, 10, 102266–102291.
- Muoka, G.W.; Yi, D.; Ukwuoma, C.C.; Mutale, A.; Ejiyi, C.J.; Mzee, A.K.; Gyarteng, E.S.A.; Alqahtani, A.; Al-antari, M.A. A Comprehensive Review and Analysis of Deep Learning-Based Medical Image Adversarial Attack and Defense. Mathematics 2023, 11, 4272.
- Cinà, A.E.; Grosse, K.; Demontis, A.; Biggio, B.; Roli, F.; Pelillo, M. Machine Learning Security Against Data Poisoning: Are We There Yet? Computer 2024, 57, 26–34.
- Macas, M.; Wu, C.; Fuertes, W. Adversarial examples: A survey of attacks and defenses in deep learning-enabled cybersecurity systems. Expert Syst. Appl. 2024, 238, 122223.
- Li, D.; Li, Q.; Ye, Y.F.; Xu, S. Arms Race in Adversarial Malware Detection: A Survey. ACM Comput. Surv. 2021, 55, 1–35.
- Galovic, M.; Bosanský, B.; Lisý, V. Improving Robustness of Malware Classifiers using Adversarial Strings Generated from Perturbed Latent Representations. arXiv 2021, arXiv:2110.11987.
- Tong, L.; Li, B.; Hajaj, C.; Xiao, C.; Zhang, N.; Vorobeychik, Y. Improving Robustness of ML Classifiers against Realizable Evasion Attacks Using Conserved Features. In Proceedings of the 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, 14–16 August 2019; Heninger, N., Traynor, P., Eds.; USENIX Association: Berkeley, CA, USA, 2019; pp. 285–302.
- Lucas, K.; Pai, S.; Lin, W.; Bauer, L.; Reiter, M.K.; Sharif, M. Adversarial Training for Raw-Binary Malware Classifiers. In Proceedings of the 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, 9–11 August 2023; Calandrino, J.A., Troncoso, C., Eds.; USENIX Association: Berkeley, CA, USA, 2023; pp. 1163–1180.
- Bala, N.; Ahmar, A.; Li, W.; Tovar, F.; Battu, A.; Bambarkar, P. DroidEnemy: Battling adversarial example attacks for Android malware detection. Digit. Commun. Netw. 2022, 8, 1040–1047.
- Shafin, S.S.; Ahmed, M.M.; Pranto, M.A.; Chowdhury, A. Detection of android malware using tree-based ensemble stacking model. In Proceedings of the 2021 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Brisbane, Australia, 8–10 December 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6.
- Khoda, M.E.; Kamruzzaman, J.; Gondal, I.; Imam, T.; Rahman, A. Malware detection in edge devices with fuzzy oversampling and dynamic class weighting. Appl. Soft Comput. 2021, 112, 107783.
- D’Orazio, C.J.; Lu, R.; Choo, K.K.R.; Vasilakos, A.V. A Markov adversary model to detect vulnerable iOS devices and vulnerabilities in iOS apps. Appl. Math. Comput. 2017, 293, 523–544.
- Ke, G.; Meng, Q.; Finley, T.; Wang, T.; Chen, W.; Ma, W.; Ye, Q.; Liu, T.Y. LightGBM: A Highly Efficient Gradient Boosting Decision Tree. In Proceedings of the 31st International Conference on Neural Information Processing Systems, NIPS 2017, Long Beach, CA, USA, 4–9 December 2017; Curran Associates Inc.: Glasgow, UK, 2017; pp. 3149–3157.
- Goodfellow, I.J.; Shlens, J.; Szegedy, C. Explaining and Harnessing Adversarial Examples. In Proceedings of the 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, 7–9 May 2015; Conference Track Proceedings. Bengio, Y., LeCun, Y., Eds.; 2015; pp. 1–11, arXiv:1412.6572.
- Šarčević, A.; Pintar, D.; Vranić, M.; Krajna, A. Cybersecurity Knowledge Extraction Using XAI. Appl. Sci. 2022, 12, 8669.
- Ndichu, S.; Kim, S.; Ozawa, S.; Ban, T.; Takahashi, T.; Inoue, D. Detecting Web-Based Attacks with SHAP and Tree Ensemble Machine Learning Methods. Appl. Sci. 2022, 12, 60.
- Aslan, Ö.A.; Samet, R. A comprehensive review on malware detection approaches. IEEE Access 2020, 8, 6249–6271.
- Mohanta, A.; Saldanha, A.; Mohanta, A.; Saldanha, A. Armoring and Evasion: The Anti-Techniques. In Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware; Springer: Berlin/Heidelberg, Germany, 2020; pp. 691–720.
- Guerra-Manzanares, A. Machine Learning for Android Malware Detection: Mission Accomplished? A Comprehensive Review of Open Challenges and Future Perspectives. Comput. Secur. 2024, 138, 103654.
- Pierazzi, F.; Pendlebury, F.; Cortellazzi, J.; Cavallaro, L. Intriguing Properties of Adversarial ML Attacks in the Problem Space. In Proceedings of the 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, 18–21 May 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 1332–1349.
- Chen, S.; Xue, M.; Fan, L.; Hao, S.; Xu, L.; Zhu, H.; Li, B. Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach. Comput. Secur. 2018, 73, 326–344.
- Li, D.; Li, Q. Adversarial Deep Ensemble: Evasion Attacks and Defenses for Malware Detection. IEEE Trans. Inf. Forensics Secur. 2020, 15, 3886–3900.
Dataset | Malware | Goodware | Collection Time | Binary File Availability |
---|---|---|---|---|
EMBER | 400,000 | 400,000 | 2017–2018 | No |
SoReL | 9,919,251 | 9,470,626 | 2017–2019 | Malware |
BODMAS | 57,293 | 77,142 | 2019–2020 | Malware |
DasMalwerk | 104 | 0 | 2018 | Malware |
PEMML | 114,737 | 86,812 | Before 2018 | Goodware and malware |
MAL-API-2019 | 7107 | 0 | 2019 | No |
AVAST-CTU | 48,976 | 0 | 2017–2019 | No |
Model | Overall accuracy | Precision | Recall | Fscore | False negative rate | False positive rate |
---|---|---|---|---|---|---|
MalConv | 0.8034 | 0.9766 | 0.6224 | 0.7603 | 0.3776 | 0.0150 |
LGBM | 0.9294 | 0.9857 | 0.8717 | 0.9252 | 0.1283 | 0.0127 |
Attack Method | MalConv | LGBM |
---|---|---|
7951 | 306 | |
6115 | −10 | |
3423 | 41 | |
4384 | −157 | |
6857 | 1266 |
Model | Test Set () | |||||||
---|---|---|---|---|---|---|---|---|
13,432 | 62 | 60 | 13,481 | 0.9955 | 0.9955 | 0.0044 | 0.0046 | |
() | 13,423 | 71 | 54 | 13,487 | 0.9954 | 0.9954 | 0.0040 | 0.0053 |
() | 13,422 | 72 | 55 | 13,486 | 0.9953 | 0.9953 | 0.0041 | 0.0053 |
() | 13,423 | 71 | 60 | 13,481 | 0.9952 | 0.9952 | 0.0044 | 0.0053 |
() | 13,430 | 64 | 62 | 13,479 | 0.9953 | 0.9953 | 0.0046 | 0.0047 |
() | 13,425 | 69 | 61 | 13,480 | 0.9952 | 0.9952 | 0.0045 | 0.0051 |
Model | Test Set () | |||||||
---|---|---|---|---|---|---|---|---|
13,432 | 62 | 95 | 21,398 | 0.9955 | 0.9963 | 0.0044 | 0.0046 | |
() | 13,423 | 71 | 69 | 21,424 | 0.9960 | 0.9967 | 0.0032 | 0.0053 |
13,432 | 62 | 84 | 19,571 | 0.9956 | 0.9963 | 0.0043 | 0.0046 | |
() | 13,422 | 72 | 77 | 19,578 | 0.9955 | 0.9962 | 0.0039 | 0.0053 |
13,432 | 62 | 77 | 16,887 | 0.9954 | 0.9959 | 0.0045 | 0.0046 | |
() | 13,423 | 71 | 79 | 16,885 | 0.9951 | 0.9956 | 0.0047 | 0.0053 |
13,432 | 62 | 81 | 17,844 | 0.9954 | 0.9960 | 0.0045 | 0.0046 | |
() | 13,430 | 64 | 83 | 17,842 | 0.9953 | 0.9959 | 0.0046 | 0.0047 |
13,432 | 62 | 135 | 20,265 | 0.9942 | 0.9952 | 0.0066 | 0.0046 | |
() | 13,425 | 69 | 63 | 20,337 | 0.9961 | 0.9968 | 0.0031 | 0.0051 |
Attack Method | ||||
---|---|---|---|---|
7916 | 35 | 7936 | 15 | |
6091 | 24 | 6093 | 22 | |
3406 | 17 | 3404 | 19 | |
4363 | 21 | 4363 | 21 | |
6782 | 75 | 6855 | 2 |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Imran, M.; Appice, A.; Malerba, D. Evaluating Realistic Adversarial Attacks against Machine Learning Models for Windows PE Malware Detection. Future Internet 2024, 16, 168. https://doi.org/10.3390/fi16050168