Domain Constraints in Feature Space: Strengthening Robustness of Android Malware Detection against Realizable Adversarial Examples. (arXiv:2205.15128v2 [cs.LG] UPDATED)

Strengthening the robustness of machine learning-based Android malware
detectors in the real world requires incorporating realizable adversarial
examples (RealAEs), i.e., AEs that satisfy the domain constraints of Android
malware. However, existing work focuses on generating RealAEs in the problem
space, which is known to be time-consuming and impractical for adversarial
training. In this paper, we propose to generate RealAEs in the feature space,
leading to a simpler and more efficient solution. Our approach is driven by a
novel interpretation of Android malware properties in the feature space. More
concretely, we extract feature-space domain constraints by learning meaningful
feature dependencies from data, and apply them by constructing a robust
feature space. Our experiments on DREBIN, a well-known Android malware
detector, demonstrate that our approach outperforms the state-of-the-art
defense, Sec-SVM, against realistic gradient- and query-based attacks.
Additionally, we demonstrate that generating feature-space RealAEs is faster
than generating problem-space RealAEs, indicating its high applicability in
adversarial training. We further validate the ability of our learned
feature-space domain constraints to represent the Android malware properties
by showing that (i) re-training detectors with our feature-space RealAEs
largely improves model performance on similar problem-space RealAEs and (ii)
using our feature-space domain constraints can help distinguish RealAEs from
unrealizable AEs (unRealAEs).