Review Article

A Survey on Adversarial Attack in the Age of Artificial Intelligence

Table 4

Malware-based adversarial attacks.

Columns: Author | Solution | Cores | Shortcomings

Hu et al. 2017 [44]
Solution: Proposes MalGAN, a GAN-based algorithm for generating malware adversarial examples that bypass a black-box machine-learning detection model.
Cores:
(1) Sample malicious examples
(2) Generate adversarial examples
(3) Sample benign examples
(4) Label the samples
(5) Update the weights according to the gradient.
Shortcomings: The paper does not discuss applying the algorithm in the white-box scenario.

Raff et al. 2017 [61]
Solution: Edward Raff et al. developed the first network architecture (MalConv) that could successfully process raw byte sequences of over 2 million time steps.
Cores: Architecture features:
(1) Scales with sequence length
(2) Considers both local and global context when examining the entire file
(3) Helps to interpret why a flagged file was classified as malware.
Shortcomings: The role of batch normalization in this architecture needs further exploration.

Al-Dujaili et al. 2018 [45]
Solution: Proposes the SLEIPNIR framework, which uses saddle-point optimization to learn malware detection models for executables represented by binary-encoded features.
Cores:
(1) Framework construction based on saddle-point optimization
(2) Randomization added to the method
(3) An online measure is introduced.
Shortcomings: No instructions are given on how to locate benign samples.

Kolosnjaji et al. 2018 [46]
Solution: Proposes a gradient-based evasion attack.
Cores:
(1) Appends a set of bytes to the end of the binary file to generate adversarial examples that do not break the malicious functionality of the source file
(2) Initializes the iteration counter, then repeatedly sets the number of padding bytes and computes the gradient.
Shortcomings: The dataset is not large enough, and the analysis is coarse-grained.

Song et al. 2020 [47]
Solution: Presents a systematic framework for creating and evaluating real-world malware in order to achieve evasion attacks.
Cores:
(1) Adversarial example generation: design an action set and a verification function
(2) Minimize the action sequence
(3) Feature interpretation.
Shortcomings: Defense methods and the robustness of the framework are little discussed.

Rosenberg et al. 2020 [48]
Solution: Proposes a black-box attack against API-call-based machine-learning malware classifiers.
Cores:
(1) Use valid parameters that have no operational effect
(2) Determine the number of API calls to add using logarithmic backtracking
(3) Use a GAN to select the generated API calls
(4) Use an adaptive evolutionary algorithm to realize a query-efficient, score-based attack.
Shortcomings: Defense mechanisms are not discussed.

Ebrahimi et al. 2020 [49]
Solution: Presents MalRNN, a deep-learning-based approach that automatically generates evasive malware variants.
Cores:
(1) Obtain data through systematic sampling
(2) Learn a language model from benign binaries using a character-level sequence-to-sequence RNN
(3) Generate malware variants from the learned model.
Shortcomings:
(1) There is no discussion of defense mechanisms
(2) The antivirus evasion method is simple.

Nguyen et al. 2020 [22]
Solution: Thien Duc Nguyen et al. demonstrate that federated-learning-based IoT intrusion detection systems are vulnerable to backdoor attacks and propose a new kind of data poisoning attack.
Cores: By injecting a small amount of malicious data into the training process using only a compromised IoT device (rather than the gateway/client) and remaining undetected, the attacker gradually backdoors the model.
Shortcomings: Existing defense methods are ineffective against this attack, so new defense mechanisms are needed.

Demetrio et al. 2020 [62]
Solution: Luca Demetrio et al. propose RAMEn, a general framework for performing black-box and white-box adversarial attacks on Windows malware detectors based on static code analysis.
Cores:
(1) Two new attacks, Extend and Shift, which respectively extend the DOS header and shift the content of the first section to make room for the injected adversarial payload
(2) Experimental results show that the proposed attacks improve the trade-off between evasion probability and the number of manipulated bytes in both the white-box and the black-box setting.
Shortcomings: Attackers cannot add adversarial payloads arbitrarily, because the proposed content-injection attacks must adhere to restrictions imposed by the file format.

Chen et al. 2020 [63]
Solution: Presents Android HIV, an automated tool for creating adversarial examples against machine-learning-based Android malware detectors.
Cores:
(1) Attack on MAMADROID: optimize the objective function and modify the C&W algorithm; compute the Jacobian matrix and refine the JSMA algorithm
(2) Attack on DREBIN: generate adversarial examples based on the Jacobian.
Shortcomings: There is no in-depth analysis of defense mechanisms against such attacks, and the effectiveness of alternative model architectures is not compared.
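The rows for [46] and [62] both rest on the same practical point: bytes can be injected into a PE file without breaking its behaviour only if every file offset the loader relies on is kept consistent, and the format fixes where and how much can be injected. The following is an added example written for this page, not code from any of the surveyed papers or from the RAMEn framework: it builds a minimal PE32+ image inline (a constructed sample, not a real binary), then contrasts appending bytes after the last section, which needs no header changes, with a simplified Extend-style injection before the PE signature, which must patch e_lfanew, SizeOfHeaders and every PointerToRawData and must keep the payload a multiple of FileAlignment. The real attacks additionally handle things this sketch ignores (DOS stub, checksum, certificates, data directories); the structure check is the author's own and only covers the fields it patches.

```python
"""Byte-level PE manipulation with a structure check (added example, simplified)."""
import struct

DOS_HEADER_SIZE = 0x40       # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at offset 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200


def build_sample_pe() -> bytes:
    """Construct a minimal, syntactically valid PE32+ image (constructed sample, not a real program)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)   # no DOS stub, PE header follows
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)           # x64, one section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)  # FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGNMENT)  # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics (code|exec|read)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, FILE_ALIGNMENT, FILE_ALIGNMENT,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + PE_SIGNATURE + coff + bytes(opt) + section
    headers += b"\0" * (FILE_ALIGNMENT - len(headers))
    code = b"\xC3" + b"\0" * (FILE_ALIGNMENT - 1)    # constructed section body: a single RET
    return headers + code


def parse_pe(data: bytes) -> dict:
    """Read the fields an injection must keep consistent; raise ValueError if the layout is broken."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at the PE signature")
    coff_off = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff_off + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff_off + 16)
    opt_off = coff_off + COFF_HEADER_SIZE
    (file_alignment,) = struct.unpack_from("<I", data, opt_off + 36)
    (size_of_headers,) = struct.unpack_from("<I", data, opt_off + 60)
    sections = []
    sec_off = opt_off + size_opt
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + i * SECTION_HEADER_SIZE)
        if raw_ptr % file_alignment:
            raise ValueError(f"section {name!r}: PointerToRawData not aligned to FileAlignment")
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r}: raw data runs past end of file")
        sections.append({"name": name.rstrip(b"\0").decode(), "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"e_lfanew": e_lfanew, "file_alignment": file_alignment,
            "size_of_headers": size_of_headers, "sections": sections}


def section_bytes(data: bytes, name: str) -> bytes:
    """Return the raw bytes of a named section, resolved through the (possibly patched) headers."""
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            return data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    raise KeyError(name)


def append_payload(data: bytes, payload: bytes) -> bytes:
    """Padding after the last section (the idea behind [46]): unmapped by the loader, so no header changes."""
    return data + payload


def extend_dos_header(data: bytes, payload: bytes) -> bytes:
    """Simplified Extend-style injection (the idea behind [62]): insert the payload between the DOS header
    and the PE signature, then shift every file offset that follows it. PointerToRawData must remain a
    multiple of FileAlignment, so the payload length must be one too; that is the format restriction
    the table notes for content-injection attacks."""
    info = parse_pe(data)
    n = len(payload)
    if n == 0 or n % info["file_alignment"]:
        raise ValueError(f"payload length must be a non-zero multiple of FileAlignment (0x{info['file_alignment']:x})")
    out = bytearray(data[:DOS_HEADER_SIZE] + payload + data[DOS_HEADER_SIZE:])
    new_lfanew = info["e_lfanew"] + n
    struct.pack_into("<I", out, 0x3C, new_lfanew)                       # e_lfanew
    coff_off = new_lfanew + 4
    opt_off = coff_off + COFF_HEADER_SIZE
    struct.pack_into("<I", out, opt_off + 60, info["size_of_headers"] + n)  # SizeOfHeaders
    (size_opt,) = struct.unpack_from("<H", out, coff_off + 16)
    sec_off = opt_off + size_opt
    for i in range(len(info["sections"])):
        ptr_field = sec_off + i * SECTION_HEADER_SIZE + 20                # PointerToRawData
        (ptr,) = struct.unpack_from("<I", out, ptr_field)
        if ptr:                                                           # 0 means "no raw data" and stays 0
            struct.pack_into("<I", out, ptr_field, ptr + n)
    return bytes(out)


if __name__ == "__main__":
    pe = build_sample_pe()
    ext = extend_dos_header(pe, b"\xCC" * FILE_ALIGNMENT)
    assert section_bytes(ext, ".text") == section_bytes(pe, ".text")
    print(parse_pe(ext))
```

Running the unaligned case (`extend_dos_header(pe, b"\xCC" * 100)`) raises rather than producing a file whose section offsets no longer satisfy the alignment rule, which is the concrete reason an attacker in [62] cannot choose the payload size freely, while `append_payload` accepts any length because the loader never maps the overlay.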