Generating End-to-End Adversarial Examples for Malware Classifiers Using Explainability

Cryptography and Security 2022-06-02 v2

Abstract

In recent years, the topic of explainable machine learning (ML) has been extensively researched. Up until now, this research has focused on regular ML users' use cases, such as debugging an ML model. This paper takes a different posture and shows that adversaries can leverage explainable ML to bypass multi-feature-type malware classifiers. Previous adversarial attacks against such classifiers only add new features and do not modify existing ones, to avoid harming the modified malware executable's functionality. Current attacks use a single algorithm that both selects which features to modify and modifies them blindly, treating all features the same. In this paper, we present a different approach. We split the adversarial example generation task into two parts: first, we find the importance of all features for a specific sample using explainability algorithms, and then we conduct a feature-specific modification, feature by feature. In order to apply our attack in black-box scenarios, we introduce the concept of transferability of explainability, that is, applying explainability algorithms to different classifiers, using different feature subsets and trained on different datasets, still results in a similar subset of important features. We conclude that explainability algorithms can be leveraged by adversaries, and thus the advocates of training more interpretable classifiers should consider the trade-off of higher vulnerability of those classifiers to adversarial attacks.

Cite

@article{arxiv.2009.13243,
  title  = {Generating End-to-End Adversarial Examples for Malware Classifiers Using Explainability},
  author = {Ishai Rosenberg and Shai Meir and Jonathan Berrebi and Ilay Gordon and Guillaume Sicard and Eli David},
  journal= {arXiv preprint arXiv:2009.13243},
  year   = {2022}
}

Comments

Accepted as a conference paper at IJCNN 2020