Generating Adversarial Examples

Generating Adversarial Examples. For the transferability attack (Section 4.3.1), we generate adversarial examples for substitute models using a variety of attacks: the Basic Iterative Method [116], Decision Tree attack [89], Fast Gradient Sign Method [87], Jacobian Saliency Map Approach [160] and SVM attack [89] (see Table 3.3 for an overview of the applicable model for each attack). As these attacks produce continuous feature vectors and do not consider functionality preservation, we must perform additional steps to cater to these constraints, similar to Section 3.4.3. That is, after applying these attacks, we round the values in the generated continuous feature vectors to produce discrete feature vectors, representing the presence or absence of a feature (e.g., usage of a particular library). For example, if an attack changes the value of a particular feature to < 0.5, it is set to 0 in the feature vector; meanwhile, if the value is ≥ 0.5, it is set to 1 in the feature vector. We then check for invalid perturbations to preserve functionality within the feature-space. Only after invalid perturbations are reverted does an adversarial example proceed further in the attack pipeline according to the attack strategy.

For the query attack (Section 4.3.2), we apply the attack strategies under the black-box and gray-box scenarios. In both scenarios, a malware sample is perturbed by transplanting features from benign samples [182, 229, 168]. For example, if a particular feature is enabled in benign samples (i.e., its value is 1 in the feature vectors), it is added to the malware sample (changed from 0 to 1 in the feature vector for the malware sample) in order to move closer to crossing the decision boundary. The difference between the black-box and gray-box attack strategies lies in the choice of which features to perturb first. The gray-box attacker perturbs features based on their frequency in benign samples, using their knowledge of the dataset. Meanwhile, the black-box attacker chooses which features to perturb randomly, as in [182], as no further information is available. In both transferability and query attacks, the permitted (valid) perturbations (either feature addition or removal) for each dataset are determined by consulting industry documentation, previous work [124, 8, 168, 117], and the feature representation for each dataset. ▇▇▇▇▇▇ and AndroZoo allow for both feature addition and removal [124, 3] (see Appendix A.1 for a summary of the allowed perturbations). In contrast, due t...
Generating Adversarial Examples. As discussed extensively in Section 2.2.3, when generating adversarial examples in the ML-based malware detection domain, it must be ensured that the feature vectors remain discrete and that the original malicious functionality is preserved. We achieve this by limiting the perturbations that can be applied to the feature vector, as a lower bound of functionality preservation. This ensures that adversarial examples remain close to realistic and functional malware without the need for testing in a sandbox environment. We therefore generate adversarial examples in the feature-space like previous work [123, 8, 90, 69].
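The discretization step, the reversal of invalid perturbations, and the gray-box versus black-box feature transplanting described in the two excerpts above, as an added toy example that is not code from the thesis. The six-feature space, the permitted-perturbation sets, the benign samples and the linear target model are all constructed for illustration.

```python
import random

# Constructed toy feature space: 6 presence/absence features (e.g. use of a library).
# The permitted perturbations are an assumption of this example: any feature may be
# added (0 -> 1), but only feature 5 may be removed (1 -> 0) without breaking functionality.
ADDABLE = {0, 1, 2, 3, 4, 5}
REMOVABLE = {5}

def discretize(x_cont):
    """Round a continuous attack output (BIM, FGSM, ...) to a presence/absence vector."""
    return [1 if v >= 0.5 else 0 for v in x_cont]

def revert_invalid(x_orig, x_adv):
    """Undo every perturbation the feature-space constraints do not permit."""
    out = []
    for i, (o, a) in enumerate(zip(x_orig, x_adv)):
        added_ok = o == 0 and a == 1 and i in ADDABLE
        removed_ok = o == 1 and a == 0 and i in REMOVABLE
        out.append(a if (a == o or added_ok or removed_ok) else o)
    return out

def benign_frequency_order(benign):
    """Gray-box ordering: features most frequently enabled in benign samples first."""
    freq = [sum(s[i] for s in benign) for i in range(len(benign[0]))]
    return sorted(range(len(freq)), key=lambda i: (-freq[i], i))

def query_attack(x_mal, benign, classify, gray_box, seed=0):
    """Transplant benign features into the malware vector until the target model
    labels it benign (0). Returns (vector, number of queries, success)."""
    order = list(range(len(x_mal)))
    if gray_box:
        order = benign_frequency_order(benign)
    else:                                # black-box: no dataset knowledge, random order
        random.Random(seed).shuffle(order)
    x, queries = list(x_mal), 0
    for i in order:
        queries += 1
        if classify(x) == 0:
            return x, queries, True
        if x[i] == 0 and any(b[i] for b in benign):   # transplant only enabled benign features
            x = revert_invalid(x_mal, x[:i] + [1] + x[i + 1:])
    return x, queries + 1, classify(x) == 0

# Constructed target model: malware (1) when the weighted score is positive.
WEIGHTS = [-3, -2, -1, 0, 3, 2]
def toy_classify(x):
    return 1 if sum(w * v for w, v in zip(WEIGHTS, x)) > 0 else 0

BENIGN = [[1, 1, 0, 1, 0, 0], [1, 0, 1, 1, 0, 0], [1, 1, 1, 0, 0, 0], [0, 1, 0, 1, 0, 0]]
MALWARE = [0, 0, 0, 0, 1, 1]
```

With these constructed values the gray-box strategy evades `toy_classify` after three queries, while the black-box strategy needs a seed-dependent number of queries but never removes the malware's own features 4 and 5.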