Adversarial Robustness of Image Based Android Malware Detection Models

The last five years have shown a tremendous increase in the number of Android smartphone users. So has been the case with malicious Android applications that aim to jeopardize user data, security, and privacy. Most existing Android malware detection engines find it challenging to keep up with the pace of incoming malware and their sophistication of evasion techniques against the detection engines. This has prompted researchers to delve into using machine learning and deep learning algorithms to construct state-of-the-art malware detection models. However, research indicates that these detection models might be vulnerable to adversarial attacks prompting a thorough investigation. Therefore, we first propose a image based malware detection pipeline that uses an embedding layer-based hybrid CNN named E-CNN that uses Android permissions and intents as features for malware detection. The permission and intent based E-CNN detection models achieved baseline accuracy of 93.48% and 76.7% respectively. We then act as an adversary and propose the ECO-FGSM adversarial evasion attack against the above detection models. The ECO-FGSM attack converts malware samples into adversarial malware samples so that they are forcefully misclassified as benign by the detection models. The proposed attack achieved a high fooling rate of 55.72% and 99.97% against permission and intent based E-CNN detection models, respectively. We also identified a list of most vulnerable permissions and intents to generate adversarial samples. We then use adversarial retraining as a defense strategy to counter the ECO-FGSM attack against the detection models. The adversarial defense helped improve the baseline accuracies of permission and intent based E-CNN detection models by 3.41% and 11.4%, respectively. We reattack the adversarially retrained models using the ECO-FGSM attack to validate their adversarial robustness. We found a reduction in the fooling rate by 23.28% and 97.55% against permission and intent-based E-CNN detection models, respectively. Finally, we conclude that investigating the adversarial robustness of the malware detection models is an essential step that helps improve their performance and robustness before real-world deployment.