IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO.

1, FIRST QUARTER 2023 467

A Survey of Adversarial Attack and Defense

Methods for Malware Classification
in Cyber Security
Senming Yan , Student Member, IEEE, Jing Ren , Member, IEEE, Wei Wang , Member, IEEE,
Limin Sun, Wei Zhang , Fellow, IEEE, and Quan Yu, Senior Member, IEEE

Abstract—Malware poses a severe threat to cyber security. I. I NTRODUCTION

Attackers use malware to achieve their malicious purposes, such
as unauthorized access, stealing confidential data, blackmail-
ing, etc. Machine learning-based defense methods are applied
to classify malware examples. However, such methods are vul-
nerable to adversarial attacks, where attackers aim to generate
adversarial examples that can evade detection. Defenders also
develop various approaches to enhance the robustness of mal-
ware classifiers against adversarial attacks. Both attackers and
defenders evolve in the continuous confrontation of malware
classification. In this paper, we firstly summarize a unified mal-
ware classification framework. Then, based on the framework,
we systematically survey the Defense-Attack-Enhanced-Defense
process and provide a comprehensive review of (i) machine
learning-based malware classification, (ii) adversarial attacks
on malware classifiers, and (iii) robust malware classification.
Finally, we highlight the main challenges faced by both attack-
ers and defenders and discuss some promising future work
directions.
Index Terms—Cyber security, malware, malware classification,
adversarial examples, adversarial robustness.
Manuscript received 3 May 2022; revised 4 September 2022; accepted
4 November 2022. Date of publication 28 November 2022; date of current
version 24 February 2023. This work was supported in part by the National
Research and Development Program of China under Grant 2020YFB1807503;
in part by NSFC Fund under Grant U20A20156 and Grant 61842202; and in
part by the Young Scientists Fund of the National Natural Science Foundation
of China under Grant 62002342. (Corresponding author: Quan Yu.)
Senming Yan is with the Institute of Information Engineering, Chinese
Academy of Sciences, Beijing 100000, China, also with the School of Cyber
Security, University of Chinese Academy of Sciences, Beijing 100000, China,
and also with the Department of Mathematics and Theories, Peng Cheng
Laboratory, Shenzhen 518066, China (e-mail:
A. Background
ITH the development of information and communi-
W cation technologies such as Internet of Things (IoT)
and cloud computing, numerous vulnerable devices are con-
nected to the Internet and intentionally exploited by attackers,
which lead to severe security issues. During the COVID-19
pandemic, cyber attacks on critical infrastructure and online
meeting platforms have increased significantly [1]. Besides,
cyber attacks affect the security of not only the virtual world
but also the physical world, such as industrial facilities and
vehicles [2], [3], [4]. There are different types of cyber attacks,
including malware attacks, Denial of Service (DoS), phish-
ing, social engineering. According to the cyber threat report
published by IBM [5], as a common means of cyber attacks,
malware has become a key threat to cyber security.
Malware, a.k.a., malicious software, is intentionally
developed by attackers to disrupt the normal operation of var-
ious systems, including personal computers, servers, mobile
devices, IoT devices [6], [7], [8], etc. Attackers use malware to
achieve their malicious purposes, such as achieving unautho-
rized access to the system, leaking confidential information,
damaging the system, blackmailing, etc. According to the
malicious functions, malware can be classified into viruses,
worms, trojans, ransomware, downloaders, rogue software,
etc [9]. The number of malware examples is continuously
increasing [10], which poses a severe threat to cyber security.
In order to prevent them from causing serious damage, there
is an urgent need to identify and analyze malware examples.
Malware classification methods are proposed to address this

[email protected]). issue. Malware classification refers to (i) identifying malicious
Jing Ren is with the School of Information and Communication software examples or (ii) classifying malware examples into
Engineering, University of Electronic Science and Technology of China,
Chengdu 610056, China, and also with the Department of Mathematics and
different classes. Traditional malware classification methods,
Theories, Peng Cheng Laboratory, Shenzhen 518066, China (e-mail: renjing@ such as anomaly-based methods and signature-based methods,
uestc.edu.cn). extract specific features from software examples and then clas-
Wei Wang and Quan Yu are with the Department of Mathematics
and Sciences, Peng Cheng Laboratory, Shenzhen 518066, China (e-mail:
sify them according to predefined rules [11]. Such methods
[email protected]; [email protected]). rely on the experience of security analysts and are hard to
Limin Sun is with the Institute of Information Engineering, Chinese process input examples in real-time.
Academy of Sciences, Beijing 100000, China, and also with the School of
Cyber Security, University of Chinese Academy of Sciences, Beijing 100000,
Machine Learning (ML) has been widely applied to different
China (e-mail: [email protected]). fields, such as computer vision, natural language process-
Wei Zhang is with the School of Electrical Engineering and ing, and recommender systems, due to its advanced learning
Telecommunications, The University of New South Wales, Sydney,
NSW 2052, Australia (e-mail: [email protected]

). and generalization capabilities [12]. Some researchers leverage
Digital Object Identifier 10.1109/COMST.2022.3225137 ML models for malware classification. Unlike traditional
1553-877X 
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
468
Fig. 1. The roadmap of this paper.
methods, such ML-based malware classification methods
require less expert knowledge and achieve higher efficiency
[13], [14].
However, ML techniques also introduce additional security
risks to the cyber security domain. More specifically, attackers
are able to generate adversarial malware examples to bypass
ML-based malware classifiers, which are referred to adversar-
ial attacks [15], [16]. These threats severely limit the practical
application of ML-based methods [17].
To deal with them, researchers propose various defense
methods to correctly detect or classify adversarial examples,
which enhance the adversarial robustness of ML-based mal-
ware classifiers [18], [19]. Nonetheless, as stronger attacks
continue to emerge, some of the defense methods are no longer
effective [20]. To better understand the evolution of attack
and defense of ML-based malware classification, as shown in
Figure 1, we use a Defense-Attack-Enhanced-Defense process
to survey the related research works.
B. The Defense-Attack-Enhanced-Defense Process
1) Defense (Defenders Use ML-Based Models to Classify
or Detect Malware Examples): With the rapid development
of ML techniques, researchers propose to use ML models for
malware classification. Some of the methods extract static fea-
tures from input examples without actually running them [14],
[21], [22], [23], [24]. Others execute input software exam-
ples and extract dynamic features from them [25], [26], [27],
[28], [29]. Some researchers also propose to use a mix of both
dynamic and static features for malware classification. These
ML-based malware classification methods have achieved high
performance, but they also introduce serious security risks to
the cyber security domain.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
2) Attack (Attackers Generate Adversarial Malware
Examples to Bypass the ML-Based Malware Classifiers): ML
models are vulnerable to adversarial attacks [30]. Attackers
craft adversarial examples by adding small perturbations
to original examples, in order to mislead ML models to
make incorrect predictions. Attack methods are widely
studied in the ML domain, especially in the Deep Learning
(DL) domain. Such adversarial attacks are introduced to
the cyber security domain due to the broad application of
ML. Researchers propose adversarial attack methods against
malware classification [16], spam detection [31], Intrusion
Detection Systems (IDS) [32], etc. Attackers propose various
attack methods to generate adversarial malware examples
to bypass ML-based malware classifiers. For white-box
attacks, gradient information is used to guide the generation
of adversarial perturbations [33], [34], [35]. For black-box
attacks, some researchers train a substitute model to fit
the black-box victim classifier and then leverage white-box
methods [36], [37], [38]. Others only use prediction results
to manipulate original examples and generate adversarial
examples [39], [40], [41], [42].
3) Enhanced-Defense (Defenders Enhance the Adversarial
Robustness of ML-Based Malware Classifiers to Defend
Against Adversarial Attacks): Researchers also propose
defense methods to improve the robustness of ML mod-
els against adversarial attacks, such as adversarial train-
ing [43], [44], ensemble learning [45], [46], GAN-based
defense [47], [48], etc. Such methods aim to improve the
correctness of the model and increase the cost of adversar-
ial attacks. In the cyber security domain, ML-based malware
classifiers can be enhanced by applying defense methods to
various phases of malware classification. Some researchers
propose to preprocess input data by identifying and remov-
ing adversarial examples [49]. Some defense methods select
subsets of features in order to increase the difficulty of
adversarial malware attacks [19], [50]. Besides, adversarial
training and ensemble learning methods are introduced to
improve the adversarial robustness of ML-based malware
classifiers [16], [34], [51], [52].
In the defense-Attack-Enhanced-Defense process, attackers
and defenders evolve in continuous confrontation. To help
further research works in related fields, we aim to system-
atically survey the adversarial attack and defense methods for
ML-based malware classification in this paper.
C. Main Contributions
To summarize, we have made the following contributions
in this paper:
• We summarize a unified malware classification frame-
work including five main phases. The framework
concludes the general process of ML-based malware clas-
sification methods. Moreover, both adversarial attack and
enhanced-defense methods can also be described under
the framework. Specifically, attackers leverage knowledge
gained from different phases as a guidance to gener-
ate adversarial examples, while defenders enhance the
adversarial robustness of ML-based malware classifiers
in different phases of the framework.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
• In order to better understand the evolution of attack-
ers and defenders, we systematically survey the
Defense-Attack-Enhanced-Defense process of malware
classification under the unified framework, including
(i) ML-based malware classification methods, (ii) adver-
sarial attack methods on ML-based malware classifiers,
and (iii) defense methods to enhance the adversarial
robustness of ML-based malware classifiers.
• We study the main challenges in the Defense-Attack-
Enhanced-Defense process and further propose some
promising future work directions from the perspective of
both attackers and defenders.
D. Related Work
Some articles survey both attack and defense methods in the
DL domain, which is beyond the scope of this paper, but some
of these methods are introduced to the cyber security domain.
Akhtar and Mian [53] survey adversarial attack methods in the
computer vision domain. Yuan et al. [54] survey adversarial
attack and defense methods in the broad field of DL, includ-
ing computer vision, natural language processing, and cyber
security domains.
Some research works survey the defense methods related to
malware classification, which are different from the perspec-
tive of this paper. Raff and Nicholas [55], Odusami et al. [56],
and Raju et al. [57] survey malware classification methods
on Windows, Android, and IoT devices, respectively. Such
articles only focus on specific platforms. Ucci et al. [58] sur-
vey ML-based malware analysis techniques according to their
objective, features, and algorithms. Ye et al. [59] survey mal-
ware classification methods based on data mining techniques.
These articles are from the perspective of defenders, thus the
process of confrontation is not involved.
Rosenberg et al. [60] survey adversarial attack and
defense of different classifiers in the cyber security domain,
such as malware classifiers, URL detectors, IDS, spam fil-
ters, etc. However, we concentrate on attack and defense
methods related to malware classification in this paper.
Demetrio et al. [61] focus on adversarial malware attacks
on the Windows platform. They propose the RAMEN attack
framework to survey and evaluate existing attack methods,
which is from the perspective of attackers.
The most relevant work is [62], which focuses on the adver-
sarial attack and defense methods of malware classification.
They survey and systematize the field of adversarial mal-
ware classification based on the basic assumptions, attacks
methods, defenses methods, and security properties. They also
provide a series of insights to help develop both attack and
defense methods. Different from them, in this paper, we sum-
marize a unified malware classification framework based on
systematic research on different attack and defense meth-
ods. We use the framework to introduce various research
works related to the Defense-Attack-Enhanced-Defense pro-
cess of malware classification according to the continuous
evolution of attackers and defenders, including ML-based
malware classification, adversarial malware attacks, and the
adversarial robustness of malware classifiers. Moreover, we
also summarize the main challenges and propose several future
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
469
work directions from the perspective of both attackers and
defenders.
E. Structure of the Paper
The roadmap of this paper is shown in Figure 1. We
introduce the unified malware classification framework in
Section II. Section III surveys several malware classifica-
tion methods based on either static or dynamic features.
Sections IV and V introduce various adversarial attack and
defense methods of adversarial malware classification. We dis-
cuss future work directions in Section VI and draw conclusions
in Section VII.
II. U NIFIED M ALWARE C LASSIFICATION F RAMEWORK
As shown in Figure 2, we summarize a unified malware
classification framework in this paper, in order to better survey
different research works in the Defense-Attack-Enhanced-
Defense process and further understand the evolution of both
attackers and defenders.
We summarize the general process of ML-based malware
classification into five phases, including Data Preprocessing,
Feature Collection, Feature Extraction, Classification, and
Decision Making:
1) Data Preprocessing: Original examples are first prepro-
cess to fit the classification framework and produce input
examples. Data augmentation and equalization techniques
can be used in this phase to train stronger malware
classifiers. Some malware classification methods unpack
original examples for further analysis. Unpacking tech-
niques can also balance training data, which leads to more
convincing experimental results.
2) Feature Collection: Low-level features (either static fea-
tures or dynamic features) are collected, which can be
used to distinguish malicious examples from benign ones.
Static malware classification methods collect static fea-
tures from input example, such as raw bytes, operation
codes, function calls, etc. Dynamic methods execute input
examples and collect their behavioral features, such as
Application Programming Interface (API) calls, network
traffic, hardware-based features, etc.
3) Feature Extraction: High-level features are extracted
to select important features, reduce feature size, and
construct input features for the classification model.
Specifically, in this phase, some feature vectorization
techniques (such as byte embedding and word embed-
ding) and some feature compression methods (such as
malware images and feature selection) can be leveraged.
4) Classification: ML-based models are chosen as mal-
ware classifiers to make predictions on input features.
Basic ML models can be used as malware classi-
fiers, such as Support Vector Machine (SVM), Logistic
Regression (LR), Random Forest (RF), etc. Some DL
models are also used, such as Deep Neural Network
(DNN), Convolutional Neural Network (CNN), Recurrent
Neural Network (RNN), etc.
5) Decision Making: Final decisions are made based on
the predictions from individual classifiers. Specifically,
the ensemble learning method can be used to combine
470
Fig. 2. The unified malware classification framework.
predictions and produce final predictions. Binary-
classification methods produce probabilities of malicious
or benign examples, while multi-classification methods
produce probabilities of different malware families.
The data preprocessing phase manipulates original examples
in the input space, which is related to their format (e.g., binary
input space for binary executable files). The feature collection
phase maps input examples from input space to feature space.
The feature space consists of selected features that represent
the key properties of input examples. The features extraction
phase works in feature space and produces input features for
the classification phase.
We summarize various ML-based malware classification
methods under the unified framework. It is worth mentioning
that some of the methods do not implement all of these phases.
Moreover, both adversarial attack and defense methods can
also be presented under the unified framework. For adversarial
attacks on ML-based malware classifiers, attackers manipu-
late original examples in the feature space using knowledge
acquired from the classification and decision making phases.
Attackers map the modified examples back to the input space
to generate usable adversarial examples. For defense methods
to enhance the robustness of ML-based malware classifiers,
defenders develop defense techniques in different phases in
the unified framework to defend against adversarial malware
attacks. Among the five stages, only the feature collection
phase cannot be enhanced, since defenders should not change
the types of features collected by malware classifiers.
III. ML-BASED M ALWARE C LASSIFICATION
Malware classification problems refer to the classification of
given software examples based on certain criteria. According
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
to the classification objectives, malware classification prob-
lems can be categorized into two different types:
1) Binary-Classification: A given software example is deter-
mined as malicious or benign, which is also called
malware detection in many studies.
2) Multi-Classification: A given malware example is classi-
fied into one malware family.
The input features used for malware classification are
generally divided into static features and dynamic features.
(i) Malware classification based on static features extracts
static information of the software example for classification,
without actually executing the program. Information such as
binary code, assembly code, and source code is commonly
used. (ii) Malware classification methods based on dynamic
features execute the software examples in an isolated envi-
ronment. The dynamic metrics of the running program are
extracted as input features for malware classification.
Static methods do not require the actual execution of pro-
grams, which are more efficient and thus capable of real-time
classification. On the other hand, the dynamic features of
programs at runtime are intuitively more powerful evidence
indicating malicious behaviors, which cannot be captured by
static methods. However, dynamic methods need to execute
programs and thus inevitably lead to more computational costs.
With the rapid development and broad application of ML,
especially DL, ML-based models are extensively utilized for
malware classification. In this section, we systematically sur-
vey ML-based malware classification methods. We classify
these methods according to the types of features they use for
classification, as shown in Figure 3. We describe them under
the unified malware classification framework as introduced in
Section II. We summarize them in Table II according to the
techniques used in different phases of the framework. Besides,
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION 471

Fig. 3. Different types of ML-based malware classification methods.

TABLE I
we analyze and compare different types of ML-based malware C OMMONLY-U SED M ALWARE C LASSIFICATION DATA S OURCES
classification methods in Table III. Then, we introduce several
challenges and corresponding solutions in the malware classi-
fication domain. Some commonly-used malware classification
data sources are listed in Table I.

A. Malware Classification Based on Static Features

Some malware classifiers extract static features for clas-
sification. Commonly used static features include malware
images, raw bytes, operation codes, etc.
1) Image-Based Methods: Some researchers propose to
convert binary executable files into images. Then, existing
DL-based methods from the computer vision domain can be
directly applied to classify malware examples.
Cui et al. [21] propose to convert input examples into
gray-scale images and then apply CNN-based model for multi-
classification. In the preprocessing phase, executable files are
first truncated to a uniform length to ensure that the converted
images have the same size to fit the CNN network. Image
data augmentation and equalization methods are leveraged to
solve the insufficient data and unbalanced distribution prob-
lems. Every eight bits in the binary string are regarded as
one pixel in grayscale images. A CNN-based model serves
as the multi-class malware classifier. The proposed method is
evaluated on the Malimg dataset [66] and it achieves 94.5%
accuracy.
Vasan et al. [70] extend image-based malware classifica-
tion methods and propose the IMCEC framework, which
gains knowledge from large-scale models pretrained on
ImageNet [71], including the Visual Geometry Group network Kim et al. [74] propose the Deep-Convolutional GAN
(VGG) [72] and the Residual Neural Network (ResNet) [73]. (DCGAN) framework to detect zero-day malware. Input
The pre-trained models are connected to Softmax classifiers examples are first converted into images. As in the clas-
and SVM models and combined using ensemble learning. sic GAN architecture [75], the generator aims to gener-
IMCEC achieves 99.5% accuracy on the Malimg dataset [66]. ate fake malware images, while the discriminator learns to

Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
472 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023

TABLE II
ML-BASED M ALWARE C LASSIFICATION M ETHODS

identify them. The authors use the transfer learning method Challenge (BIG 2015) dataset [63]. Results show that DCGAN
to train the malware classifier based on the discriminator. achieves 95.74% accuracy and it can deal with zero-day
DCGAN is evaluated on the Microsoft Malware Classification malware.

Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
TABLE III
C OMPARISON A MONG ML-BASED M ALWARE C LASSIFICATION M ETHODS
2) Raw Byte-Based Methods: Directly using raw bytes as
input features does not require the data preprocessing and
feature collection phases, but it is hard to implement due to
the limited input length of DL models. To address this issue,
Raff et al. [14] propose the MalConv framework, which uses
the 1D-CNN network to process raw byte sequences. In the
convolutional layer, large kernel sizes and stride values are set
to compress input features and reduce the memory overhead.
Besides, the DeConv regularization is implemented to solve
the overfitting problem. MalConv is the first practical malware
classifier directly using raw bytes as input features. Besides,
Raff et al. further improve both memory efficiency and speed
of the original MalConv framework [76]. They propose the
fixed-memory convolution, which leverages the sparse gradi-
ent of max-pooling layers to break the limitation of the input
length. The Global Channel Gating (GCG) technique is also
introduced to handle long time-steps of inputs. The improved
MalConv framework is tested on the EMBER [64] dataset and
achieves 93.29% accuracy.
3) Opcode-Based Methods: Opcodes, a.k.a, operation
codes or instruction codes, are part of the executed instructions
in machine language. Opcodes can be used as important fea-
tures for malware classification. Shabtai et al. [22] propose to
use opcode patterns for malware classification. Binary files are
preprocessed by unpacking tools and disassembled by IDA Pro
to extract opcode sequences. Term Frequency (TF) and Term
Frequency-Inverse Document Frequency (TF-IDF) algorithms
are utilized to calculate opcode n-grams patterns of each file.
The 1,000 most frequent patterns are used as input features.
The authors train eight ML models on a dataset containing
26,093 examples collected from VX Heaven and Windows
XP and labeled by Kaspersky anti-virus. Results show that
the proposed methods achieves up to 95% accuracy.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
473
Instead of n-grams patterns, Wang et al. [77] propose
to leverage information entropy for feature extraction. They
first unpack the original files and use the W32asm tool to
decompile them. The collected opcode sequences are fur-
ther selected according to their information entropy. The
authors also propose a density-based clustering algorithm
to measure the similarities among examples and identify
malicious ones. The proposed method is evaluated on a
dataset containing 11,655 malicious and 1,000 benign exam-
ples. It achieves 88.45% accuracy and high classification
efficiency.
Jeon and Moon [23] propose to use the Convolutional
Recurrent Neural Network (CRNN) for malware classification.
To solve the problem of input length, in the feature extraction
phase, the Opcode-level Convolutional Autoencoder (OCAE)
compresses opcode sequences. The compressed sequences
are then converted into vectors using one-hot encoding and
word embedding techniques. Then, a deep RNN model makes
final predictions. The authors run tests on a dataset includ-
ing 1,000 malicious examples from VirusShare and 1,000
benign examples from Windows 10. Results show that the
CRNN-based classifier achieves 96% accuracy and 95% TPR.
4) Function Call-Based Methods: Function calls indicate
the behavioral features of software examples without actually
executing them. Microsoft Windows systems use the Dynamic-
Link Library (DLL) to share codes and data across programs.
Schultz et al. [78] propose to use DLL function calls for mal-
ware classification. In the feature collection phase, the GNU
Bin–Util is used to analyze Windows PE binary files. Three
kinds of features are processed and selected: (i) the list of
DLLs, (ii) the list of DLL functions calls, and (iii) the number
of different function calls in each DLL. The processed features
are fed into a rule-based classifier named Ripper. The authors
474
run tests on a dataset containing 4,266 software examples and
Ripper achieves 89% accuracy.
Huda et al. [79] use function call statistics for malware clas-
sification. Input examples are first unpacked and processed by
IDA Pro to acquire function call lists. The filter and wrap-
per approaches are proposed, where the filter uses function
statistics to extract feature subsets and the wrapper uses the
SVM-based model to make predictions on the feature subsets.
The classifier runs these two approaches iteratively and finally
acquires the ability to automatically select the optimal feature
subset. The proposed method is evaluated on a dataset con-
taining 66,703 software examples. Experimental results show
that it achieves over 94% accuracy with a feature subset of
only 14 function calls.
5) Hybrid Static Methods: Arp et al. [67] propose the
Drebin framework for Android malware classification, which
leverages multiple static features extracted from Android apps.
Drebin collects static features from both Android manifest
files and disassembled codes, such as requested permissions,
API calls, and network addresses. The collected features
are vectorized and fed into an SVM-based classifier. The
authors also design sentence templates to automatically gener-
ate explanations. Drebin is evaluated on a dataset containing
5,560 malicious and 123,453 benign Android apps. Results
show that it achieves 93% accuracy and 1% FPR.
Schultz et al. [78] propose to use strings and bytes extracted
from programs as features. They use the GNU strings tool
to acquire printable characters and use the HexDump tool
to acquire hexadecimal strings. An ensemble of multiple
Naive Bayes (NB) models is chosen as the malware clas-
sifier. Different from them, Saxe and Berlin [24] select
four static features including entropy histograms,Windows
PE import table, Windows PE metadata, and contextual fea-
tures. A DNN model with multiple layers is used as the
classifier. Instead of making binary predictions, the proposed
framework also provides malicious probabilities for security
analysts.
There are a large number of malware examples and source
codes in public archives like GitHub. Rokon et al. [80] propose
the SourceFinder framework to identify malware repositories
on GitHub. To narrow down the search scope, they select key-
words to query the repositories related to malware on GitHub.
Multiple string-based features are collected, such as the titles,
descriptions, topics, folder names, etc. These features are fur-
ther vectorized using the Bag of Words (BoW) model and the
word embedding model. Seven ML-based models are evalu-
ated on a dataset containing 1,000 repositories collected from
GitHub and manually labeled by experts. Results show that
it achieves 89% accuracy. Besides, SourceFinder identifies
7,504 malware-related repositories on GitHub.
B. Malware Classification Based on Dynamic Features
Some malware classifiers use dynamic features for clas-
sification, including API calls, network features, behavioral
graphs, etc.
1) API-Based Methods: Application Programming
Interfaces (APIs) indicate the dynamic behaviors of
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
software. Patterns of API calls can be used for malware
classification.
Huang and Stokes [25] propose a multi-task malware clas-
sification framework named MtNet. They use a light-weighted
emulation system to run input files and extract API calls,
which are further merged into high-level features. These high-
level features are ranked based on mutual information analysis
and reduced using the Principal Component Analysis (PCA)
method. A DNN model with two kinds of softmax out-
put layers is trained to solve the multi-task problem. The
dataset is provided by Microsoft and includes 6.5M exam-
ples. Results show that MtNet achieves 99% accuracy for
binary-classification and 97% accuracy for multi-classification.
Inspired by natural language processing methods,
Pascanu et al. [26] propose to learn the language that
software speaks for malware classification. Low-level API
calls are encoded into a high-level event streams by anti-virus
engines. Echo State Networks (ESNs) and RNNs are trained
to predict the next API using unsupervised learning. The
trained models are able to extract key features from event
streams. Their hidden states are fed into ML models, such as
LR and Multilayer Perceptron (MLP). The proposed method
is evaluated on a dataset containing 50,000 Windows PE files.
Results show that it achieves 98.3% TPR and 0.1% FPR.
Instead of only using API names, Rabadi and Teo [81]
propose to use both names and parameters of API calls as fea-
tures. The authors first run the input examples on the Cuckoo
Sandbox environment and extract their API calls. The API
arguments contain key features but lead to high computa-
tional costs. To address this issue, two light-weighted API
information extraction methods are proposed. The extracted
API-based features are vectorized by the hashing function.
ML-based models are trained as malware classifiers such
as SVM, Decision Tree (DT), eXtreme Gradient Boosting
(XGBoost), etc.
Amer et al. [27] propose to use the API fusion for mal-
ware classification, which makes full use of the behavioral
features of API call sequences. To acquire high-level API fea-
tures, original API calls are vectorized using the Word2Vec
model and clustered according to their similarities. Bigrams of
API calls are also extracted. The authors use these high-level
sequential features to create transition matrices. The Maximum
Likelihood Estimation (MLE) method calculates the transi-
tion probabilities and makes the final decision. The proposed
method is tested on a dataset with 68,698 Windows PE files
and 70,693 Android apps. Results show that it achieves 99.7%
and 97.7% accuracy, respectively.
2) Network-Based Methods: Malware can use network
communications to achieve malicious purposes, such as
downloading files and leaking data. Nari and Ghorbani [82]
propose a malware classification framework based on network
behaviors. It first uses the TShark tool to extract network flows
based on the protocols and ports. A network behavioral graph
is generated for each example to represent the dependencies
between network flows. Then, multiple graph-based features
are calculated, such as graph size, root out-degree, average
out-degree, etc. The extracted features are vectorized and clas-
sified by a DT model. The authors run tests on the CRC
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
dataset in the AES network sandbox. Experimental results
show that the proposed method achieves over 94% accuracy.
Different from them, Arivudainambi et al. [92] use PCA to
reduce network-based features. The dimensionality reduction
framework automatically learns compressed input features. A
CNN-based model serves as the malware classifier.
3) Behavioral Graph-Based Methods: Some methods con-
vert dynamic features into behavioral graphs so that malware
classification problems are converted into graph classification
problems, which can be solved by DL-based methods.
Wang et al. [28] propose the ProvDetector framework to
monitor software examples at the kernel level and use their
interactions with the operating system for malware clas-
sification. ProvDetector first builds the provenance graphs
of processes and uses the Rare Path Selection algorithm
to extract key paths. The selected paths are vectorized
and fed into the density-based Local Outlier Factor classi-
fier. Then, a threshold-based method makes final decisions.
The dataset is collected from VirusShare and VirusSign
and contains 15,000 malware examples. Results show that
ProvDetector achieves 96.5% accuracy with low computational
costs.
Besides running time, malicious behaviors may also per-
form in the software installation stage. Han et al. [29] propose
the SIGL framework to detect malicious installation behav-
iors. SIGL converts log files into installation graphs and uses
the Word2Vec model to vectorize them. To learn the patterns
of benign installation graphs, SIGL leverages an autoencoder
framework, including a Graph-LSTM encoder and an MLP
decoder. Malicious activities lead to high reconstruction loss
in the proposed autoencoder network, which is used to detect
and prioritize anomalous behaviors. To construct the dataset,
the authors combine benign installers with malware exam-
ples from VirusTotal, in order to acquire malicious installers.
Besides, SIGL can also provide valuable guidance information
for security analysts.
Kwon et al. [83] observe that even benign executable files
can download other malicious programs online. To this end,
the Downloader Graph Abstraction (DGA) method is proposed
to describe the download activities of programs. DGA first
collects downloading data from IDS and anti-virus engines.
Downloader Graph (DG) and Influence Graph (IG) are con-
structed based on the collected data. DG is built for each host
and IG is built for each downloader, where IG is a subgraph
of DG. Multiple features of IG are extracted as input fea-
tures, such as IG diameter, growth rate, and URL patterns. RF
is selected as the malware classifier and trained on a dataset
containing 88,214 examples. Results show that DGA achieves
96% TPR and 1% FPR.
4) Hardware-Based Methods: Existing malware classifi-
cation methods mainly use software-based features. Their
high computational overhead is a major issue for real-time
classification. To this end, malware classification methods
based on hardware features are proposed.
Chen et al. [84] propose the HeNet framework based on
control flow traces collected by hardware. HeNet first uti-
lizes the Intel Processor Trace (Intel PT) tool to acquire the
control flows with low overhead. The collected information
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
475
is compressed into data packets and then converted into
time series of grayscale images. HeNet uses transfer learning
to train multiple classifiers from pre-trained networks such
as VGG [72] and Inception [93]. Predictions from different
classifiers are combined as an ensemble model.
Some researchers also propose to implement malware clas-
sifiers using hardware. Ozsoy et al. [85] propose the Malware-
Aware Processors (MAP) method, which first collects multiple
hardware features related to hardware events, memory, instruc-
tions, and branches. MAP implements LR and NN models
with x86-based hardware. The online detection unit combines
predictions using the Exponentially Weighted Moving Average
(EWMA) method. The dataset contains 1,087 examples from
9 malware families, which are collected online and labeled
by VirusTotal. Results show that MAP achieves up to 94%
accuracy with high classification efficiency.
IoT devices have become popular targets of attackers in
these years [3], [5]. Pham et al. [86] propose a hardware-based
method using side-channel features for IoT malware classifica-
tion. It first collects ElectroMagnetic (EM) field-based features
on IoT devices, which are unable to be detected or manipu-
lated by malware. Then, the Short-Time Fourier Transform
(STFT) algorithm is leveraged to transfer time-domain EM
data to the spectrogram. The authors also use Linear
Discriminant Analysis (LDA) method to reduce input fea-
tures. Several ML models are evaluated on a dataset contains
4,790 ARM IoT malware examples collected from Virusign.
Results show that the proposed method achieves up to 99%
accuracy.
5) Hybrid Dynamic Methods: Some researchers use a mix-
ture of multiple dynamic features for malware classification.
Mohaisen et al. [87] propose the AMAL malware classifi-
cation framework consisting of AutoMal and MaLabel sub-
systems. Specifically, AutoMal collects dynamic information
associated with files, memory, network, and registry, by run-
ning and monitoring programs in virtualized environments.
MaLabel generates high-level features from the collected
information. Multiple ML models and clustering algorithms
are evaluated on two malware datasets containing 4,000 and
115,000 examples. Results show that AMAL achieves 99.5%
precision for classification and 98% precision for clustering.
Alsulami and Mancoridis [88] propose to use multiple
behavioral features of Windows PE files for classification.
The Windows Cache Manager (WCM) monitors software and
stores runtime information in prefetch files. The authors col-
lect the lists of loaded files from prefetch files and then
vectorize them as input features. The DL-based malware clas-
sifier includes a convolutional layer and an LSTM layer. The
proposed method is evaluated on a dataset containing 100,000
examples collected from VirusShare and labeled by anti-virus
engines. Results show that it performs well on rare malware
families and can be extended to new families.
C. Malware Classification Based on Hybrid Features
Some researchers also propose to use the mixture of both
static and dynamic features for malware classification. Such
methods take advantage of both types of features.
476
Attackers apply anti-analysis obfuscation techniques to
increase the difficulty of malware classification and analysis.
To address this issue, O’Shaughnessy and Sheridan [89]
propose a hybrid multi-classification framework. For static
features, it directly uses raw bytes of the input examples.
For dynamic features, it implements the Virtual Machine
Introspection (VMI) tool to execute malware and collect
memory dump files. The processed data is converted into
images using space-filling curves. Then, the framework
extracts visual features from the images and uses ML-based
models as malware classifiers. To evaluate the proposed frame-
work, 13,599 Windows PE malware examples from 23 families
are collected from VirusTotal. Results show that it achieves
over 97% accuracy.
Different from them, Yoo et al. [90] propose to leverage
the structural and operational features of Windows PE files
for malware classification. For static features, the proposed
method collects and computes the sizes, count-based features,
entropy features, etc., from input examples. For dynamic fea-
tures, API calls, location features, network features, etc. are
collected. Both static and dynamic features are combined as
input features. The authors design an ensemble of RF and
MLP-based models as the malware classifier, which uses major
voting to make final decisions.
Xu et al. [91] propose the Hybrid Analysis for Detection of
Malware (HADM) method for Android malware classification.
HADM uses hybrid features of APK examples for classifica-
tion, including requested permissions, API calls, advertising
networks, instruction sequences, etc. The collected features
are vectorized and fed into DNN-based models to extract
high-level features. The outputs of different DNN models are
combined using the Multiple Kernel Learning (MKL) method.
The HADM framework is evaluated on an Android APK
dataset, which is collected from Google Play and VirusShare
and contains 5,888 APK examples. Results show that HADM
achieves over 94% accuracy.
D. Challenges
Existing ML-based malware classification methods face sev-
eral challenges, i.e., classifier aging problems, data distribution
problems, and virtual environment problems, which lead to
less reliable experimental results.
1) Classifier Aging Problem: ML-based malware classifi-
cation methods have been widely used to detect real-world
malware. Although these methods perform well on the train-
ing and testing datasets, their performance may degrade
as the malware evolves. Such a phenomenon is commonly
called classifier aging (a.k.a., model degradation or concept
drift) [94]. The problem is due to changes in the data dis-
tribution of real-world malware with the evolution of attack
methods. Malware classifiers trained on old datasets are hard
to generalize to new examples.
To overcome this aging problem, one intuitive way is
to retrain the malware classifiers periodically [95], [96],
or to retrain the classifier when the performance starts to
degrade [97], which is online learning. However, retraining the
model requires too much human work to collect and label data.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
And how to identify the performance degradation is still an
open issue. Another potential direction is to extract more stable
features as the internal semantic information used in [98]. But
whether these features are stable enough for the aging problem
remains to be further investigated.
2) Data Bias Problem: Existing ML-based malware classi-
fication methods have achieved high accuracy in experimental
settings. Malware classification seems to be a well-solved
problem. However, the distribution bias of the training and
testing datasets makes it difficult for the trained models to
generalize to real-world data distributions.
Some distribution bias is due to careless data acquisition,
which introduces additional features to malicious examples.
These features are irrelevant to malicious behaviors, but they
are extracted and learned by malware classifiers. Such prob-
lems cause the classifiers to predict unexpected results. For
example, malware developers commonly employ packing tech-
niques to prevent feature extraction. Thus, the model trained
on packed malicious and unpacked benign examples produces
high FPR on packed benign examples, which means the model
uses ‘Packing’ as malicious features [99].
As proposed in [100], there are generally two kinds of
biases: (i) spatial bias, which means training and testing
distributions are different from real-world data distributions,
and (ii) temporal bias, which means the division of training
and testing dataset ignores temporal order. However, identi-
fying and eliminating the dataset biases is highly related to
data preprocessing, label aggregation, engine independence,
engine reputation, experiments, malware coverage, and data
sharing [101], which are still open issues.
3) Virtual Environment Problem: Sandboxes are commonly
utilized by researchers to run software examples and extract
dynamic features for malware classification. However, some
malware can use several indicators (e.g., static fingerprints,
behavioral patterns, hardware-based features, etc.) to identify
the executing environment and hide malicious behaviors in
virtual environments [102], [103], [104].
To address this issue, Miramirkhani et al. [104] also propose
two practical methods: (i) cloning real systems to sandboxes,
or (ii) simulating user actions on a newly installed system.
However, since the system continuously evolves and envi-
ronment cloning is not practicable, it is difficult to build a
virtual environment as similar as possible to the real system.
A more radical approach is to construct a Parallel Adversarial
Network (PAN) that accompanies the operation network, as
proposed in [105]. The PAN and the operation network share
the same physical network resources using network slicing and
virtualization techniques. The PAN evolves with the operation
network and can be deployed on different kinds of networks.
Therefore, we believe that PAN is suitable as the malware
analysis environment.
IV. A DVERSARIAL ATTACKS ON ML-BASED
M ALWARE C LASSIFIERS
ML-based models are widely used in malware classifica-
tion tasks and they have already achieved high performance.
However, these ML-based models also introduce additional
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
TABLE IV
L IST OF N OTATIONS
security risks into the cyber security domain. Specifically,
adversarial examples are input examples that can mis-
lead models to make wrong predictions. They can be
regarded as vulnerabilities in ML models. Adversarial
attack algorithms can be exploited by attackers to con-
struct adversarial malware examples and thus bypass ML-
based malware classifiers, which poses a huge challenge to
defenders.
Based on the information of victim models that attackers can
access (attack knowledge), adversarial malware attack methods
are categorized into white-box attacks and black-box attacks:
1) White-box Attacks: Attackers have full knowledge of the
victim model, including training data, model structure,
parameters, gradient information, and predictions.
2) Black-box Attacks: Attackers can only access limited
knowledge about the victim model, such as train-
ing dataset and classification results (either labels or
scores).
According to the attackers’ goals, there are two kinds of
adversarial attack methods:
1) Targeted Attacks: Attackers mislead the victim model to
produce a chosen classification result.
2) Untargeted Attacks: Attackers mislead the victim model
to produce a wrong classification result.
In this section, we introduce commonly-used methods to
generate adversarial malware examples from the perspective
of attackers. Since many of these attack methods are derived
from the ML domain, we first survey adversarial attack meth-
ods against ML models. Then we introduce adversarial attack
methods on ML-based malware classifiers. The notations used
in this section are introduced in Table IV.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
477
A. Adversarial Attacks on ML Models
The concept of adversarial attacks is first proposed by
Szegedy et al. [30] in 2014. The authors argue that although
DNN models achieve high performance in multiple fields, their
learning processes are uninterpretable. ML-based models have
blind spots, which can be exploited by attackers to bypass
them. The predictions of models can be significantly changed
by applying tiny perturbations to the original examples. These
perturbed examples are known as adversarial examples, which
are leveraged by attackers to perform adversarial attacks.
1) White-Box Adversarial Attacks: Multiple adversarial
attack methods are proposed in white-box settings.
a) L-BFGS attack: Szegedy et al. [30] first model adver-
sarial example generation as an optimization problem. The
adversarial perturbation can be generated by minimizing both
(i) the scale of perturbation and (ii) the probability that the
victim model makes correct predictions. The proposed method
is known as the box-constrained L-BFGS attack, which uses
linear search strategies to solve an optimization problem:
 
min c · η + L θ, xadv , ytarget .
b) FGSM attack: Goodfellow et al. [43] explain that
high-dimensional and linear property are the main causes
of adversarial examples. Tiny perturbations added to original
examples may cause significant changes to the outputs. Based
on the insight, they propose a simple yet effective method
called the Fast Gradient Sign Method (FGSM) to generate
adversarial examples, which leverages gradient information of
the victim model. The FGSM attack is formulated as
η =  · sign(x L(θ, x , ytrue )),
xadv = x + η.
The proposed FGSM algorithm is an untargeted attack-
ing method. The generated adversarial examples can mislead
the classifier to predict wrong labels with high confidence.
Researchers also propose a series of attack algorithms based
on FGSM, such as R+FGSM [46], targeted FGSM [106], etc.
c) Least-likely class attack: Kurakin et al. [107] propose
that predicting the least-likely class is the severest mistake for
a well-trained classifier. The least-likely class (i.e., ytarget )
can be calculated as
 
ytarget = arg min p(y|x ) .
y
The authors extend the FGSM method and mislead the victim
model to produce the least-likely label:
  
xadv = x −  · sign x L θ, x , ytarget .
d) PGD attack: Madry et al. [44] extend the FGSM
attack and propose the multi-step Projected Gradient Descent
(PGD) attack, which takes small steps to optimize the pertur-
bations and projects them into a specific range (S) iteratively.
The PGD attack is defined as

n+1 n
xadv = (xadv +  · sign(x L(θ, x , ytrue ))).
x +S
478 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023

e) DeepFool attack: Moosavi-Dezfooli et al. [108] pro- The C&W attack uses a binary search algorithm to auto-
pose the DeepFool attack to accurately measure the robustness matically choose the constant c. To solve the box-constraint
of the victim model and generate adversarial perturbations. problem, three different approaches are applied, including pro-
Suppose a classifier Fk predicts the probability of k classes, jected gradient descent, clipped gradient descent, and change
where Fk = W T x + b. The classification problem is to find of variables. Results show that C&W attack can successfully
the optimal class (k̂ ) with the highest probability: crack defensive distillation [110] method.
2) Black-Box Adversarial Attacks: Multiple adversarial
k̂ = arg max Fk (x ). attack methods are proposed in black-box settings.
k
a) Substitution attack: Papernot et al. [111] propose to
DeepFool first computes the distance between the original
train substitute models for black-box attacks. The proposed
example and the decision boundary. The original example (x)
method is based on the transferability of adversarial examples,
is located inside a convex polyhedron. Let wk be the k th
i.e., the crafted adversarial examples are able to attack other
column of W, the closest adversarial hyperplane (l̂ ) of the
similar models. Attackers choose a set of input examples and
decision boundary is computed as
query the DL-based victim model to label them. Then, they
|Fk (x ) − Fk̂ (x )| train the substitute model on the labeled dataset. The trained
l̂ = arg min .
k =k̂ wk − wk̂  substitute model is a white-box model to fit the black-box vic-
tim model. The authors apply two white-box attack algorithms,
The authors propose that the minimum perturbation is gener- including FGSM [43] and JSMA [109], to craft adversarial
ated by projecting the original example to the hyperplane (l̂ ), examples on the substitute model. Besides, the substitution
which can be computed as attack can also be generalized to ML-based models, such as
|F (x ) − Fk̂ (x )|   LR, SVM, K-Nearest Neighbors (KNN), etc.
η = l̂ w − w , b) Boundary attack: Brendel et al. [112] propose the
wl̂ − wk̂ 2 l̂ k̂
boundary attack method. It first crafts a large adversarial exam-
xadv = x + η.
ple and then tries to reduce the scale of the perturbations.
f) JSMA attack: Papernot et al. [109] propose the Specifically, the boundary attack first takes a large step to
Jacobian-based Saliency Map Attack (JSMA) method to craft generate a starting example. Then, it iteratively modifies the
adversarial examples, which solves a targeted optimization example along the decision boundary. In each iteration, the
problem: boundary attack takes an orthogonal step randomly sampled
from Gaussian Distribution and moves towards the original
arg min η, s. t. F (x + η) = ytarget . example. The authors show that the boundary attack is compet-
η
itive with some white-box attack methods and can be applied
The JSMA attack first computes the forward derivative with
to real-world black-box models.
respect to the original example, i.e., the Jacobian of the deci-
c) Optimization attack: Cheng et al. [113] propose
sion function. JSMA then applies chain rule to recursively
a query-efficient black-box attack method based on
compute the derivative of each layer. Suppose the victim
optimization, which only takes hard-label predictions as
DNN model learns a N-dimensional function and the inputs
inputs. Let δ be the search direction. g(δ) represents the
are M-dimensional. Let H and W be the output vectors and
distance between the original and adversarial examples. The
weights of the hidden layers in the victim model. Let b be
attack method is defined as
the bias of neurons and let f be active functions of neurons in
hidden layers. The forward derivative is computed as δ
g(δ) = arg min f x + λ = ytrue .
  λ>0 δ
∂F (x ) ∂Fj (x )
F (x ) = = , The attacker searches for the optimal direction δ ∗ that mini-
∂x ∂xi i∈1,...,M ,j ∈1,...,N
mizes the distance function g(δ). The problem can be solved
∂Fj (x ) ∂Hn
= Wn+1,j · using zeroth-order optimization algorithms. Then, the optimal
∂xi ∂xi adversarial example is generated as
∂fn+1,j  
× Wn+1,j · Hn + bn+1,j . δ∗
∂xi xadv = x + g(δ ∗ ) .
δ ∗ 
JSMA then uses the computed derivatives to generate the
Adversarial Saliency Map to represent the influence of input The crafted adversarial examples have higher quality because
features on output values. JSMA uses an iterative algorithm to smaller perturbations are generated. Besides, the authors show
select important features and update adversarial perturbations. that the optimization attack can extend to ML models, such
g) C&W attack: Carlini and Wagner [20] propose the as Gradient Boosting Decision Tree (GBDT).
C&W attack, which is a targeted attack algorithm. Multiple d) SimBA attack: Guo et al. [114] propose the Simple
distance metrics are used to measure scale of perturba- Black-box Attack (SimBA) method. With limited times of
tions, including L0 , L2 , and L∞ . C&W generates adversarial queries, the optimization problem of constrained black-box
perturbations by solving an optimization problem: adversarial attacks can be modified as
  arg max L(x + η, ytrue ),
min η + c · L θ, x + η, ytarget , η
s. t. x + η ∈ [0, 1]n . s. t. η < dmax and queries ≤ qmax ,
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
Fig. 4. The process of adversarial malware attacks.
where dmax is the maximum size of perturbations and qmax is
the maximum number of queries. The attack algorithm chooses
a step size  and a direction δ from a set of orthonormal
candidate vectors Q. SimBA iteratively chooses a perturbation
value of either (x +  · δ) or (x −  · δ) that can decrease the
prediction confidence of the victim model. The SimBA attack
only acquires less than 20 lines of PyTorch code, which is
simple to implement.
e) AdvGAN: Xiao et al. [115] propose the AdvGAN
attack based on the GAN architecture. The generator gen-
erates adversarial perturbations to bypass the discriminator.
The discriminator learns to distinguish the perturbed examples
from the real ones. The loss function of AdvGAN includes
the adversarial attack loss, the target label loss, and the
hinge loss. AdvGAN uses dynamic distillation to calculate
the adversarial loss of the victim model in black-box set-
tings. Attackers train the generator by minimizing the loss
function. Mangla et al. [116] extend AdvGAN using the
encoder-decoder architecture and propose the AdvGAN++
framework. AdvGAN++ first maps the original examples
into the latent space. The generator takes the extracted fea-
tures and noise vectors as inputs and generates adversarial
examples.
f) Zoo attack: Chen et al. [117] propose the Zeroth-Order
Optimization (ZOO) black-box attack. It assumes that attack-
ers have access to the input data and prediction scores of
the victim model. The loss function of the ZOO attack is
defined as
max log[F (x )]ytrue − max log[F (x )]i , −k
i=ytrue
where k is a parameter to control the transferability of attacks.
Attackers estimate the gradient information of the loss func-
tion. Then, ZOO applies multiple optimization algorithms to
iteratively generate adversarial examples based on the esti-
mated gradient. It is shown that ZOO achieves comparable
performance to white-box attacks.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
479
B. Adversarial Attacks on ML-Based Malware Classifiers
Generating adversarial malware examples is different from
malware attacks in the ML domain. As described above, in the
ML domain, attackers modify original examples in a contin-
uous feature space. It is simple to map the modified features
back to input space because tiny perturbations do not severely
affect the original image. However, the feature space is discrete
(usually binary) in the malware domain. To craft meaningful
adversarial malware examples, modified features need to be
mapped back to input space while preserving the function-
alities of original malware examples, which is known as the
Inverse-Mapping problem in this paper. Some of the adversar-
ial attack methods derived from the ML domain can be applied
to generate adversarial malware examples. Researchers also
propose specific methods based on the properties of malware
examples.
Figure 4 shows the general process of generating adversarial
malware examples. Attackers take original malware examples
as input and aim to generate adversarial examples that can
bypass the victim classifier. As shown in the figure, the black
arrows denote the process of attackers using the victim classi-
fier to make predictions, which is consistent with the unified
malware classification framework. Specifically, original exam-
ples are mapped from the input space into the feature space
through feature collection. After that, attackers use prediction
results and internal information of the victim model to mod-
ify original examples in the feature space and map them back
to the input space. The red arrows denote the process of
attackers generating adversarial examples. According to the
attack knowledge they use, adversarial malware attacks can
, be categorized into white-box attacks (left) and black-box
attacks (right). As shown in Table V, we summarize these
attacks according to their attack knowledge, features, attack
algorithms, and inverse-mapping manipulations. Besides, we
compare different types of attack methods in Table VI.
1) White-Box Attacks: In white-box settings, attackers have
full access to the victim model. They can utilize both internal
information and prediction results of the model to generate
adversarial malware examples.
480 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023

TABLE V
A DVERSARIAL ATTACK M ETHODS ON ML-BASED M ALWARE C LASSIFIERS

TABLE VI
C OMPARISON A MONG A DVERSARIAL ATTACK M ETHODS ON ML-BASED M ALWARE C LASSIFIERS

a) FGSM-based attacks: Kreuk et al. [35] propose a may break the functionalities of the program. To generate
white-box targeted attack method against the MalConv [14] adversarial binary files, the FGSM [43] method is first used
framework. The authors argue that small changes to raw bytes to acquire gradient information of the victim model and craft

Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
adversarial examples in the feature space. Suppose the input
file x is represented as z in the embedding domain, adversarial
examples are generated as
  
zadv = z −  · sign zadv L θ, zadv , ytarget .
Then zadv is mapped back to adversarial binary file xadv . To
preserve the functionalities, the authors propose to generate
adversarial payloads and inject them to the original exam-
ples. The proposed method is evaluated on a dataset containing
7,150 benign files from Windows and 10,866 malicious files
from the BIG 2015 dataset [63]. Results show that it achieves
over 99% attack success rates with few payloads inserted.
Al-Dujaili et al. [34] propose a white-box attack method,
which uses gradient-based methods to generate adversarial
examples in the feature space and maps them back to the
binary input space. Let S be a set of binary feature vectors,
the attack method is modeled as an optimization problem:
xadv = arg max L(θ, x , ytrue ).
x ∈S
Multiple gradient-based methods, are utilized to solve
the optimization problem, including FGSM and BGA.
Specifically, instead of generating perturbations in the fea-
ture space, BGA methods search multiples feasible vertices
and choose the optimal one based on gradient information.
The selected vertices are used to craft adversarial malware
examples. The proposed attack methods are evaluated on
DNN-based PE malware classifiers. Results show that they
achieve up to 99% attack success rates.
b) JSMA-based attacks: Grosse et al. [16] propose to
apply the JSMA method [109] for adversarial malware attacks.
The proposed method attacks Android malware classifiers,
which uses multiple Android manifest and code features as
inputs. Attackers first calculate the Jacobian matrix of the vic-
tim model to estimate the direction where perturbations affect
the predictions. Then, the optimal perturbations are selected
iteratively to craft adversarial examples. To preserve the orig-
inal functionalities, only positive changes are performed (e.g.,
adding new features) to original examples. The authors choose
L1 norm to limit the number of modified features. The JSMA-
based attack is evaluated on classifiers trained on the Drebin
dataset. Results show that it achieves 62% success rates and
it breaks feature reduction-based defense.
c) Optimization-based attacks: Biggio et al. [33] propose
the gradient descent attack, which is a white-box method
using gradient information and the Kernel Density Estimation
(KDE) technique to generate adversarial examples. The gradi-
ent descent attack generates adversarial examples by solving
an optimization problem, i.e., attackers minimize the accu-
racy of the victim classifier with limited perturbations (dmax ),
which is formulated as
arg min F (xadv ), s. t. η ≤ dmax .
xadv
The gradient-based algorithms may fail to converge. To this
end, the KDE loss is added to make generated examples closer
to the benign distribution and thus increase the probabilities of
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
481
successful attacks. The optimization problem is modified as:
i
λ xadv − xi
arg min L(xadv ) = F (xadv ) − k· ,
xadv n h
yi =ben
where λ is a hyper-parameter to control the weight of KDE
loss, and h is a bandwidth parameter for KDE. The gradi-
ent descent attack is evaluated on both image classification
and malware classification tasks against ML-based classifiers.
Results show that it achieves up to 100% success rates.
Kolosnjaji et al. [118] propose a white-box untargeted attack
against the MalConv [14] malware classifier. The authors also
leverage gradient information to generate adversarial payloads
and then append them to the end of original examples. Let
lenmax be the maximum length of the adversarial payload,
the optimization problem is formulated as
arg min F (xadv ), s. t. Dis(x , xadv ) ≤ lenmax .
x adv
The authors propose a gradient-based method to solve the
optimization problem. To deal with the non-differentiable
property of the embedding layer, they define a line that has
the same direction as the gradient. The generated feature-space
vector moves along the line to minimize F (xadv ). Then, the
optimal byte is selected when it is closest to the line and
reduces the F value. The authors use an iterative algorithm to
generate adversarial bytes and insert adversarial payloads. The
attack method is evaluated on a dataset containing 9,195 mali-
cious and 4,000 benign examples. Results show that it achieves
60% success rates with less than 1% bytes inserted.
Li and Li [52] propose the Mixture of Attacks method,
which combines multiple attack algorithms (h) and manipula-
tion sets (M) to attack Android malware classifiers. Individual
attack algorithms include gradient-based attacks, gradient-free
attacks, obfuscation attacks, etc. The proposed attack is based
on the loss function of the victim model, where high loss
values indicate strong attacks. The Max strategy chooses
the optimal attack and generates adversarial examples in the
feature space by maximizing the loss function:
ĥ, M̂ = arg max L(F (h(M , x )), ytrue ).
h,M
The Max strategy iteratively updates the adversarial pertur-
bations. To solve the inverse-mapping problem, it selects
both incremental manipulations (e.g., inserting string and junk
codes) and decremental manipulations (e.g., modifying XML
files). The Mixtures of Attacks method is evaluated on both
Drebin [67] and AndroZoo [68] datasets. Results show that it
achieves 100% attack success rates on DNN-based models.
d) Feature-based attacks: Some researchers develop
adversarial malware attacks based on the properties of input
features of the victim classifiers.
Abusnaina et al. [119] propose the white-box Graph
Embedding and Augmentation (GEA) method to generate
adversarial malware examples against graph-based IoT mal-
ware classifiers. The victim classifiers extract graph-based data
as input features for malware classification. The GEA attack
generates adversarial perturbations based on graph features
while preserving the functionalities of original examples. GEA
482
first leverages the Radare2 tool to construct the Control Flow
Graphs (CFG) of original examples xorigin and target exam-
ples xtarget . Graph embedding combines these two examples
and generates an adversarial example xadv , which maintains
the functionalities of xorigin and misleads the victim model to
predict label ytarget . GEA is evaluated on a deep CNN-based
malware classifier. Results show that it achieves 100% suc-
cess rates and it can successfully craft adversarial examples
on each IoT malware in the dataset.
Chen et al. [120] propose the EvnAttack framework to
generate adversarial examples on API call-based malware clas-
sifiers. It manipulates the feature space of original examples
to craft adversarial examples. Let c i be the cost of modifying
a specific feature, the evasion cost (C) is calculated as
C (x , xadv ) = c i |xadv
i
− x i |.
i authors reverse-engineer HMDs by training a substitute model
Adversarial examples are generated with limited evasion cost.
The goal of EvnAttack is defined as
F (xadv ) = ben, s. t. C (x , xadv ) ≤ manmax ,
where manmax is the maximum number of manipulations. To
reduce the evasion cost, the contributions of different APIs are
measured by calculating the relevance scores. Then, API calls
with higher benign scores are injected, while those with higher
malicious scores are removed. EvnAttack iteratively manipu-
lates original examples to maximize the loss of victim model
and minimize the evasion cost. EvnAttack is evaluated on a
dataset containing 10,000 PE examples with 3,503 API fea-
tures. Results show that it achieves over 97% attack success
rates with manmax = 55.
2) Black-Box Attacks: In black-box settings, attackers have
limited knowledge about the victim model. Only prediction
results of the victim model are available.
a) Substitution-based black-box attacks: Substitution-
based attacks train substitute models to fit the black-box victim
models based on the prediction results. Then, adversarial mal-
ware examples are generated on the substitute models using
white-box attack methods.
i) Substitute Model-Based Attacks: Rosenberg et al. [38]
propose a black-box attack method against API call-based
malware classifiers. The authors first utilize a Jacobian-based
data augmentation technique for selecting input examples and
minimizing the number of queries. The Gated Recurrent Unit
(GRU) serves as the substitute model, which is trained on the
selected examples. Then, the FGSM attack is performed on
the substitute model. In order to preserve the functionalities
of original examples, the authors propose a mimicry attack,
which iteratively chooses adversarial API calls and inserts
them to a random position of the original API sequence, until
the generated examples can successfully bypass the victim
model. The proposed attack is evaluated on several DL-based
malware classifiers trained on a dataset containing 500,000
examples. Results show that it achieves up to 100% attack
success rates. Besides, the crafted adversarial examples can
be transferred to attack other similar classifiers.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
Hu and Tan [121] also propose an attack method against API
call-based malware classifiers. To preserve the original func-
tionalities, attackers only insert irrelevant API calls. An RNN
model, consisting of a Gumbel-Softmax layer and a sequence
decoder, is designed to generate adversarial API sequences
from original sequences. The generative RNN model produces
one-hot encoded adversarial sequences and softmax output
vectors. The victim model labels the encoded sequences to
train an LSTM-based substitute model. The substitute model
is trained to fit the victim model, while the generative model
learns to update the adversarial sequences. The proposed attack
is evaluated on a dataset containing 180,000 examples col-
lected from the Malwr website. Results show that it can reduce
the accuracy of the victim model by over 90%.
Khasawneh et al. [122] propose an attack method against
black-box Hardware-based Malware Detectors (HMDs). The
to fit them. They first query the victim HMDs to label the input
examples, which are then used to train the ML-based substitute
model. The substitute model provides internal information for
attackers. In order to preserve the functionalities, the authors
propose block-level and function-level approaches to dynam-
ically insert instructions into original examples. The weights
of the substitute model are leveraged to measure the influence
of instructions. Then, attackers select and modify significant
instructions. Results show that the proposed attack achieves
nearly 100% success rates.
ii) GAN-Based Attacks: Hu and Tan [36] propose the
MalGAN attack framework based on the GAN architecture.
The black-box victim classifier serves as the discriminator. An
ML-based generator aims to generate adversarial examples to
minimize the accuracy of the victim classifier. A substitute
detector is also trained to fit the victim classifier. It provides
gradient information for the generator. The loss function of
the substitute detector is formulated as
LD = −Exben log(1 − D(x )) − Exmal log D(x ).
Let z be the input noise vector, the loss function of the
generator is formulated as
LG = Exmal log D(G(x , z )).
MalGAN is evaluated on a dataset containing 180,000 exam-
ples. Several ML models are trained as the victim classifiers.
Results show that MalGAN achieves nearly 100% attack
success rates on all of these classifiers.
Yuan et al. [37] propose the GAPGAN attack framework
based on the GAN architecture. The generator generates adver-
sarial payloads (aadv ) at the byte level. To preserve the
original functionalities, GAPGAN appends these payloads to
the end of the binary files (i.e., xadv = [xmal , aadv ]). The loss
function of the generator is defined as
LG = −(1 − β)Exadv (D(x )) − βEaadv (D(a)).
Both (xben ) and (xadv ) are used to query the victim classi-
fier. The discriminator are trained to fit the classifier using
a distance metric. The loss function of the discriminator is
defined as
LD = Exben ,xadv D(x ), F (x ).
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
GAPGAN is evaluated on MalConv [14] classifiers trained
on four datasets. Results show that GAPGAN achieves 100%
attack success rates with only 2.5% bytes appended.
b) Pure black-box attacks: Some attackers directly use
prediction results of the victim models to generate adversar-
ial malware examples, without accessing the training data or
internal information of them.
i) Optimization-Based Attacks: Some researchers model
black-box adversarial malware attacks as optimization prob-
lems. They also propose several algorithms to solve them.
Rosenberg et al. [40] propose a query-efficient black-box
attack method, which uses either scores or decisions as attack
knowledge. Let S be the input domain, the proposed attack
generate perturbations by solving an optimization problem:
arg min F (x + η) = F (x ), s. t. x + η ∈ S .
η
The proposed method attacks API call-based malware classi-
fiers. The original APIs are modified using either (i) randomly
generated perturbations or (ii) benign perturbations generated
by a trained SeqGAN model [124]. Besides, a backtrack-
ing algorithm limits the scale of perturbations. For score-
based attacks, the authors propose an adaptive Evolutionary
Algorithm (EA) to update the adversarial API sequences. The
proposed attack is evaluated on several ML-based models
trained on a dataset containing 500,000 PE binary files. Results
show that it achieves 98% and 64% success rates for score-
based and decision-based attacks, respectively. Moreover, the
proposed attack requires fewer queries and less attack knowl-
edge.
Kucuk and Yan [41] propose a black-box targeted attack
method against three different PE malware classifiers, which
use opcodes, API calls, and system calls for classification.
The authors assume that attackers have access to the source
code of malware examples. Attackers also need samples from
the target class, which are called anchor samples. To bypass
opcode-based classifiers, the authors first extract CFGs from
original examples at the LLVM-IR level. The bogus control
flow method is utilized to add fake basic blocks to the origi-
nal CFGs. The modification leverages always-true conditions,
to preserve the functionalities of original examples. Attackers
compute the KL divergence to measure the fitness of modi-
fied examples. The authors also propose a genetic algorithm to
craft adversarial malware examples. Besides, for API call and
system call-based classifiers, attackers use the same genetic
algorithm with different modification strategies and fitness
functions. The proposed method is evaluated on three different
victim classifiers. Results show that it achieves 75%, 83.3%,
and 91.7% attack success rates, respectively.
Xu et al. [123] propose a black-box attack method against
PDF malware classifiers. Attackers stochastically modify PDF
malware to generate adversarial variants that can bypass the
victim model while preserving the functionalities of original
examples. The proposed attack needs prediction probabilities
(i.e., soft labels) as attack knowledge. PDF malware examples
are first converted into tree-like structures. Attackers modify
them by inserting and deleting elements in the constructed
PDF tree. The genetic programming algorithm iteratively
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
483
selects subsets of PDF variants with higher fitness values
until successful adversarial examples are crafted. It is shown
that the proposed attack achieves 100% success rates on the
PDFrate [125] and Hidost [126] classifiers.
Demetrio et al. [17] model adversarial malware attacks
as an optimization problem with limited query times and
payload length. The Genetic Adversarial Machine learning
Malware Attack (GAMMA) framework is proposed to solve
the optimization problem. GAMMA modifies binary files by
inserting adversarial payloads, including padding content and
injecting benign sections, in order to preserve the functionali-
ties of original examples. GAMMA is evaluated against both
MalConv [14] and DT-based malware classifiers trained on
the EMBER dataset [64]. It can effectively bypass these clas-
sifiers with short payloads and few queries. Moreover, it is
also shown that the generated adversarial examples can be
transferred to attack commercial anti-virus engines.
ii) Action-Based Attacks: Some researchers propose to take
actions to manipulate malware examples and generate adver-
sarial examples. Reinforcement Learning algorithms are also
introduced to guide the attackers to take these actions.
Anderson et al. [39] propose to use Reinforcement Learning
(RL) [127] algorithms to generate adversarial examples in pure
black-box settings. The authors propose to model adversarial
malware attacks as the Markov Decision Process (MDP). The
victim classifier serves as the environment in the RL frame-
work, which is a ML-based model based on hybrid static
features. The agent utilizes deep Q-learning algorithms [128]
to select actions to modify original examples and generate
adversarial examples. Rewards from the environment are set
as ten for successful attacks and zero for failed attacks. Ten
different actions are selected to manipulate malware examples
while keeping their functionalities.
Song et al. [42] propose a black-box attack framework
against real-world anti-virus engines. The authors first define a
series of macro-actions and micro-actions. Macro-actions are
large-scale perturbations, while micro-actions are atomic per-
turbations applied to binary files. A binary rewriter randomly
selects macro-actions to modify the original examples, until an
adversarial example is successfully crafted. Then, an action
minimizer iteratively evaluates the effectiveness of macro-
actions and removes unnecessary ones. A feature interpreter
finds the precise reasons for adversarial attacks by breaking
the selected macro-actions into micro-actions. The proposed
method is evaluated on both ML-based classifiers and com-
mercial anti-virus engines. Results show that the attack method
achieves 56% success rates on open-source models and up to
28.8% success rates on anti-virus engines. Besides, it is also
shown that the generated adversarial examples are transferable
among different classifiers.
Song et al. [42] extend their action-based method and pro-
pose the RL-based MAB-Malware framework. The authors
model adversarial malware attack as a Multi-Armed Bandit
(MAB) problem. MAB-Malware chooses action-content pairs
to modify input examples. The MAB-Malware framework also
includes a binary rewriter and an action minimizer. The mod-
ified binary rewriter uses the Thompson Sampling algorithm
to sample a value and use it to choose optimal action-content
484
pairs to modify examples iteratively until successful adversar-
ial examples are generated. Then, the action minimizer reduces
the scale of perturbations by replacing a macro-action with
multiple micro-actions. MAB-Malware is evaluated on both
ML-based models and anti-virus engines. Experimental results
show that it achieves over 97% attack success rates on the
MalConv [14] classifier.
C. Challenges
1) Query-Efficiency: In most attack methods, attackers
need to continuously generate and update adversarial exam-
ples based on the results of querying the victim model.
However, excessive times of queries are easily detected and
blocked by defenders, which makes the attack methods inef-
fective in real-world scenarios. We observe that only few
research works have considered the query-efficiency problem
when developing adversarial malware attack methods [40].
We believe that query times should be introduced to attack
methods as an additional constraint, especially black-box
attacks.
2) Inverse-Mapping Problem: There are huge differences
between adversarial attacks in the ML domain and the cyber
security domain. Specifically, in the ML domain, the input
space is the same as the feature space. Thus, attackers can
generate adversarial perturbations in the feature space and
directly add them to original examples. The modified exam-
ples are likely to be valid and difficult to recognize by humans.
However, in the cyber security domain, the feature space is
not directly related to the input space. Since programs follow
strict structural specifications, inverse-mapping manipulations
are more difficult. Small modifications (even only one byte)
may cause them to crash or disrupt their behaviors. Therefore,
in order to manipulate original malware examples and pro-
duce usable adversarial examples, it is essential to preserve
their original functionalities.
Some attack methods only try to craft adversarial examples
in the feature space, without keeping their functionalities in
the input space [121]. To address this issue, four input-space
constraints are proposed in [129], including available trans-
formations, preserving semantics, plausibility, and robustness
to preprocessing. To satisfy these constraints, the functional-
ities and semantics of original software examples need to be
preserved. The generated adversarial examples should be able
to bypass human analysts and robust to preprocessing-based
defense. However, these constraints may introduce additional
side-effect features [129].
Moreover, it is much more computationally inefficient to
dynamically execute and verify the modified software exam-
ples. To this end, several techniques are proposed to manipu-
late software examples while preserving their functionalities,
such as appending (or injecting) bytes to unused sections [17],
[118], basic block-level insertion [41], [122], taking lim-
ited modifying actions [39], [42], etc. However, some of
these manipulations can be easily detected and disabled by
preprocessing-based defense [129]. These attack methods are
not practical in real-world attacks, which means they have poor
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
robustness to defense methods. We believe that developing
more better inverse-mapping methods is still an open issue.
V. E NHANCING A DVERSARIAL ROBUSTNESS OF
ML-BASED M ALWARE C LASSIFIERS
Various methods are proposed to enhance ML-based mal-
ware classifiers against adversarial attacks. Some of these
methods are derived from the ML domain, where defense
methods are widely studied to enhance ML models, such as
adversarial training, adversarial example detection, ensemble
learning, etc. In the cyber security domain, some researchers
also leverage the specific properties of malware examples to
develop defense methods.
In this section, we first survey commonly-used methods to
improve the robustness of classifiers in the ML domain. Then
we summarize defense methods to enhance the adversarial
robustness of ML-based malware classifiers under the unified
framework introduced in Section II. The notations used in this
section are introduced in Table IV.
A. Enhancing ML Models
Multiple methods are proposed to enhance the robustness
of ML models. Based on the defense algorithms they use, we
categorize them into adversarial training, randomization-based
defense, adversarial examples detection, etc.
1) Adversarial Training: Szegedy et al. [30] show that
training on both adversarial examples and original examples
can help to improve the robustness of classifiers.
a) FGSM-based adversarial training: Goodfellow
et al. [43] modify the loss function of the original training
process of ML-based models by adding an adversarial
objective function based on the FGSM attack. The modified
loss function (L ) is formulated as
L (θ, x , ytrue ) = αL(θ, x , ytrue )
+ (1 − α)L(θ, x + sign(x L(θ, x , ytrue ))),
where α is a hyperparameter to control the weights of the
training loss and the adversarial loss. Adversarial training
minimizes the classification loss when input examples are
perturbed by attackers. The proposed defense is considered
a special data augmentation technique that detects and fixes
flaws in the classifier. Kurakin et al. [106] also recommend
using the batch normalization technique to apply adversarial
training to large-scale datasets.
b) PGD-based adversarial training: Madry et al. [44]
propose a saddle point optimization problem to model the
objective of adversarial robustness. Let S be a set of available
perturbations. The optimization problem is defined as
arg min Ex ,ytrue max L(θ, x + η, ytrue ) .
θ η∈S
As shown above, the saddle point problem defines a clear
goal for robust classifiers. Specifically, it includes an inner
maximization problem and an outer minimization problem.
The inner maximization problem finds the optimal attack
against a given victim model, while the outer minimization
problem updates the parameters to minimize the adversarial
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
loss. It is shown that stronger adversaries and larger models
make the defense method more effective. Besides, Madry et al.
also propose that adversarial training makes the decision
boundary more complicated so that the model is more robust
to adversarial examples.
c) Free adversarial training: Shafahi et al. [130] argue
that the PGD-based adversarial training has a high com-
putational overhead. They propose a Free Adversarial
Training (FreeAT) method, which uses the calculated gradi-
ent information to solve both inner and outer optimization
problems. Specifically, in each iteration, FreeAT first calcu-
lates the gradient value of the protected model and updates the
parameters, in order to solve the outer minimization problem:
θ = θ −  · Ex ,ytrue θ L(θ, x + η, ytrue ).
Then, FreeAT solves the inner maximization problem by
updating the adversarial perturbation:
η = η −  · x L(θ, x + η, ytrue ).
d) Fast adversarial training: Wong et al. [131] propose
the Fast Adversarial Training (FastAT) method, which com-
bines FGSM-based adversarial training with random initializa-
tion, in order to acquire stronger adversaries and train more
robust models. In each iteration, a perturbation is randomly
initialized as
η = Uniform(−, ).
Then, the FGSM method is used to update the perturba-
tion. The parameters of the protected model are updated
based on the crafted adversarial examples using the Stochastic
Gradient Descent (SGD) algorithm. Experimental results show
that FastAT achieves comparable accuracy to FreeAT and
PGD-based defense methods with lower computational costs.
e) YOPO adversarial training: Zhang et al. [132] pro-
pose the You Only Propagate Once (YOPO) algorithm to
reduce the high computational costs of adversarial training.
The authors observe that adversarial perturbations are only
coupled with the first layer of the neural network. YOPO
algorithm uses a slack variable to iteratively update adversar-
ial perturbations, without requiring full gradient calculations.
After several times of updating adversarial perturbations, one
full forward and backward propagation is computed to update
the parameters of the model. YOPO achieves comparable
accuracy to the PGD-based defense with less time overhead.
f) Rob-GAN: GAN architecture is used to enhance the
adversarial robustness of ML models. Liu and Hsieh [48] pro-
pose the Rob-GAN framework. During the training phase, the
generator aims to generate fake examples that can fool the dis-
criminator. An attacker generates adversarial examples using
the PGD attack. The discriminator learns to distinguish both
fake and adversarial examples from clean ones. Experimental
results show that Rob-GAN effectively enhances the adversar-
ial robustness of the discriminator model. Besides, adversarial
training makes the GAN network faster to train.
2) Defensive Distillation: Model distillation [133] is
proposed to transfer knowledge from a large teacher model
to a small student model. The distillation technique com-
presses the scale of the teacher models while preserving
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
485
their performance. Some researchers also propose to uti-
lize distillation to enhance the adversarial robustness of DL
models.
Papernot et al. [110] propose the defensive distillation
framework to defend against adversarial attacks. The defensive
distillation framework consists of an initial network and a dis-
tilled network. The initial network (F), which is a DNN-based
model, is trained on input examples with prediction labels (i.e.,
hard labels). Let T be the temperature parameter and let k be
the number of classes, the initial network predicts probability
vectors (y), which is formulated as

e yi /T
F (x ) = k −1 yj /T
.
j =0 e i∈0···k −1
Training examples and soft labels predicted by the initial
network are combined as a new dataset to train the distilled
network (F d ). The distilled network has the same architec-
ture as the initial network. Soft labels provide more detailed
information to train the distilled model and help smooth the
decision boundary, which reduces the gradient information
exploited by adversarial malware attacks.
3) Randomization-Based Defense: Some researchers use
randomization-based techniques to increase the difficulties of
adversarial attacks. Xie et al. [134] propose that random-
izing input examples before they are fed into the victim
model can enhance the model against adversarial attacks. The
defense method adds several randomization layers to the orig-
inal model, including random resizing layers, random padding
layers, and random selection layers. Input examples are first
sent into these layers to produce randomly transformed exam-
ples before they are fed into the original model. The authors
argue that the randomization-based defense does not require
retraining the model, which is more efficient.
4) Adversarial Example Detection: Xu et al. [135] propose
the feature squeezing method to identify adversarial exam-
ples and enhance DL-based models. Two different techniques
are used to squeeze the feature space of input examples,
including squeezing color depth and spatial smoothing. Feature
squeezing reduces the searching space that is leveraged by
attackers to generate adversarial perturbations. Adversarial
examples can be identified by measuring the difference
between predictions on original examples and squeezed ones.
The authors also propose that combining adversarial training
with feature squeezing can further improve the effectiveness
of both defense methods.
Meng and Chen [136] propose the MagNet framework to
detect adversarial examples and enhance classifiers. The core
component of MagNet is a detection model, which determines
an input example is either adversarial or clean. The authors
propose two main causes of adversarial attacks, which are
(i) examples that are not related to the task, and (ii) exam-
ples that are too close to the decision boundary. Two different
detectors are used to identify these two types of adversar-
ial examples. One detector uses the autoencoder architecture
to learn the distribution of clean examples. Another detec-
tor uses probability-divergence to identify unrelated examples.
Examples that pass these two detectors are regarded as clean
486
Fig. 5. Different types of defense methods to enhance the adversarial robustness of ML-based malware classifiers.
ones. MagNet can effectively defend against white-box attacks,
such as DeepFool, C&W, and FGSM.
5) Adversarial Example Purification: Naseer et al. [137]
propose a self-supervised-based defense framework to remove
adversarial perturbations from input examples. The Self-
Supervised Perturbation (SSP) method automatically generates
adversarial perturbations using the FGSM attack. SSP pro-
vides a supervision signal to train the Neural Representation
Purifier (NRP), which learns to automatically remove adver-
sarial perturbations and recover clean examples. Specifically,
NRP consists of three basic components: (i) a generator that
recovers adversarial examples, (ii) a fixed feature extractor
that generates feature vectors, and (iii) a discriminator that
distinguishes adversarial examples from clean ones. The NRP
method is easy to deploy and able to deal with unseen attacks.
Samangouei et al. [47] propose the Defense-GAN frame-
work to learn the distribution of clean examples and recover
adversarial examples to clean ones. Defense-GAN utilizes the
WGAN framework [138] as the generative model. The gen-
erator aims to minimize the reconstruction loss and learn the
distribution of clean examples. The discriminator aims to dis-
tinguishes natural input examples from artificially crafted ones.
The trained generator can reduce perturbations of adversarial
examples, which have different distributions from clean ones.
In the deployment phase, input examples are first fed into the
generator to produce purified examples and then send into the
protected classifier. It is shown that Defense-GAN has little
impact on the performance of the protected classifier.
6) Ensemble Learning: Abbasi and Gagné [45] propose
the Specialists+1 defense method, which uses an ensemble
of diverse ML-based classifiers to improve the adversarial
robustness. The authors propose to use confusion matri-
ces to select feature subsets and train multiple classifiers.
The predictions of individual classifiers are combined by
voting.
However, it is worth noting that ensemble learning does not
necessarily lead to better robustness. He et al. [139] evaluate
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
the effectiveness of ensemble learning-based defense against
adversarial attacks. Three kinds of ensemble defense methods
are selected, including (i) multiple feature squeezing tech-
niques, (ii) the Specialists+1 ensemble defense, and (iii) an
ensemble of three DL-based classifiers. All these defense
methods are evaluated on white-box attacks such as DeepFool
and FGSM. Experimental results show that these attack meth-
ods can successfully generate adversarial examples with low
costs, which indicates that an ensemble of weak classifiers
cannot provide a more robust classifier.
Tramèr et al. [46] propose the ensemble adversarial learn-
ing method to enhance the robustness of DL-based models. It
augments training data with adversarial examples crafted on
other pre-trained models, in order to decouple the data argu-
mentation process from the victim model. Then, the proposed
defense method uses the generated examples to update the
protected model by solving the saddle-point optimization
problem. Ensemble adversarial learning leverages the trans-
ferability of adversarial examples to enhance the robustness
of the protected model.
B. Enhancing ML-Based Malware Classifiers
Several defense methods are proposed to improve the adver-
sarial robustness of malware classifiers. These methods aim to
enhance different phases of malware classifiers, as summa-
rized in Section II. It is worth mentioning that the feature
collection phase is not enhanced since defenders should not
change the types of features used by malware classifiers. As
shown in Figure 5, we classify these defense methods into
four categories, including preprocessing-based, feature-based,
classification-based, and decision-based methods. We summa-
rize these methods in Table VII and compare different types
of defense methods in Table VIII.
1) Preprocessing-Based Defense: Some defense methods
detect adversarial examples in the data preprocessing phase
before they are fed to the malware classifiers.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION 487

TABLE VII
M ETHODS TO E NHANCE ROBUSTNESS OF M ALWARE C LASSIFIERS

TABLE VIII
C OMPARISON A MONG D EFENSE M ETHODS TO E NHANCE ML-BASED M ALWARE C LASSIFIERS

Smutz and Stavrou [49] propose to identify adversarial results, which are then integrated into a final prediction by
examples by measuring the performance of ensemble clas- voting. The mutual agreement analysis method is proposed
sifiers. Multiple individual classifiers predict classification to measure the diversity of predictions made by individual

Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
488
classifiers. In addition to the original prediction result, the
ensemble model produces a mutual agreement rate (A) to mea-
sure the uncertainty of the prediction. Let v be votes for the
classes, A = |v −0.5|∗2. A prediction is considered to be sus-
picious when A is below a specific threshold. The proposed
method is evaluated on both PDFrate and Drebin malware
classifiers. Experimental results show that the defense method
reduces the effectiveness of gradient descent and KDE-based
attacks [33].
Chen et al. [140] propose a two-phase KuafuDet defense
framework to detect adversarial malware examples and use
them to retrain the model, in order to improve the adversar-
ial robustness. 564 syntax and semantic features are collected
from the input Android app examples, and 195 features
among them are selected as significant features for malware
classification. Input examples are first fed into multiple ML-
based classifiers. Then, negative examples are sent into the
Camouflage Detector, which is able to identify adversarial mal-
ware examples. The detector measures the similarities between
input examples based on the Jaccard index, the Jaccard-weight
similarity, and the Cosine similarity. The detected adversarial
examples are further used to retrain the classifiers, in order
to improve their adversarial robustness. The KuafuDet frame-
work is evaluated on a dataset containing 252,900 Android app
examples downloaded from the Internet. Experimental results
show that it can reduce FNR and improve accuracy by over
15% with high efficiency.
2) Feature-Based Defense: Some defense methods enhance
the adversarial robustness of ML-based malware classifiers in
the feature extraction phase.
a) Feature selection: Zhang et al. [50] propose an adver-
sarial feature selection method, which uses reduced feature
sets for classification, in order to improve both the robustness
and generalization capabilities of ML-based malware classi-
fiers. The authors propose that the optimal adversarial example
∗ ) is defined as
(xadv
∗ The computed edge values are the distance between differ-
xadv = arg min Dis(x , xadv ).
xadv
Let δ be a binary feature selection vector, where ‘1’ means the
feature is selected. The optimal feature selection vector (δ ∗ )
can be generated as
δ ∗ = arg max Gen(δ) + λ · Rob(δ),
δ show that it achieves over 99% accuracy and is robust against
where Gen and Rob measure the generalization and robustness
capabilities of the classifier with the feature selection vector δ.
Specifically, Gen(δ) is defined as the classification accuracy
of the model trained on selected features. The robustness term
Rob(δ) maximizes the evasion cost of the optimal adversarial
example (xδ∗ ), which is formulated as
Rob(δ) = Exmal Dis(xδ , xδ∗ ).
The proposed method can be implemented on ML-based clas-
sifiers using the Wrapper-based Adversarial Feature Selection
(WAFS) algorithm. The defense method is evaluated on ML-
based spam detectors and PDF malware classifiers. WAFS
significantly enhances the adversarial robustness of the mod-
els against both white-box and black-box attacks, and the
generalization capability of the models is also improved.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
b) Feature reduction: Wang et al. [19] propose the
Random Feature Nullification (RFN) method to enhance deep
models against gradient-based adversarial attacks. An addi-
tional layer is added between input examples and the original
network to randomly choose and nullify input features. A
binary matrix (I), which has the same dimensions as the input
features, serves the nullification mask matrix. Element-wise
multiplication of x and I is calculated to produce nullified
features. The classifier uses the nullified features for malware
classification. The objective function of training a DL-based
model with feature nullification can be modified as
arg min L(θ, x · I , ytrue ).
θ
The optimization problem can be solved by the SGD algo-
rithm. The nullification mask is fixed in each iteration, which
makes it easier to compute the derivatives and update the
parameters of ML-based classifiers. The authors argue that
RFN makes the model more non-deterministic and thus the
effectiveness of adversarial examples is reduced. The proposed
defense can be applied to different tasks such as image classi-
fication and malware classification. RFN is evaluated on DNN
models trained on a malware dataset containing over 30,000
examples. Results show that it achieves over 60% accuracy
against adversarial examples. RFN is simple to implement and
it can also be combined with other defense methods such as
adversarial training.
c) Robust feature extraction: Azmoodeh et al. [142] pro-
pose a robust IoT malware classification method based on
opcode sequences. CFGs are first extracted to represent the
relation between opcodes. The vertices (V) of CFGs are names
of opcodes. The edge values (E) are updated by a heuristic
algorithm. Suppose s and t are indexes of opcode Vi and Vj
in an opcode sequence, then Ei,j is computed as
2
Ei,j = min(|s−t−1|)
.
s,t
1+α·e
ent opcodes. Extracted CFGs are then converted into feature
vectors using the graph embedding method. The authors pro-
pose to use a CNN-based model for malware classification.
The defense method is evaluated on an IoT software dataset
collected from VirusTotal containing 1,206 examples. Results
adversarial attacks based on junk code insertion.
Tong et al. [141] propose to use conserved features for clas-
sification to improve the adversarial robustness of malware
classifiers. Conserved features, which are directly related to the
malicious functionalities of original examples, are extracted to
argument the features for classification. The authors propose
an algorithm to automatically identify these conserved fea-
tures. The defense method revises the process of adversarial
training by keeping the conserved features unmodified when
generating adversarial examples and updating the protected
classifiers. The proposed defense method is evaluated on ML-
based PDF malware classifiers against multiple attacks, such as
EvadeML [123] and MalGAN [36]. Experimental results show
that the enhanced classifiers achieve up to 100% accuracy,
exceeding the original adversarial training.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
3) Classification-Based Defense: Some defense methods
work in the classification phase. They aim to modify the victim
classifiers to acquire more robust models.
a) Adversarial training: As mentioned above,
Chen et al. [120] propose the EvnAttack framework,
which calculates the contributions of different input features
to craft strong adversarial examples. To defend against
the EvnAttack, the authors also propose the SecDefender
framework to enhance the adversarial robustness of malware
classifiers. SecDefender iteratively retrains the model with
both original examples and adversarial examples, until no
successful adversarial example can be generated. The authors
also propose to add a security regularization term to the
original loss function, which aims to maximize the costs
of the strongest adversarial attack. Malware classifiers are
retrained using the modified objective function. Experimental
results show that SecDefender reduces the effectiveness of
white-box EvnAttack methods.
Al-Dujaili et al. [34] propose the SLEIPNIR defense frame-
work against adversarial malware attacks, which leverages
adversarial training to solve the saddle-point optimization
problem. For the inner-maximization problem, several white-
box attack methods based on FGSM and BGA are performed
to craft optimal adversarial examples. For the outer-
minimization problem, SLEIPNIR uses adversarial training to
retrain the classifier to make correct predictions. The modified
saddle-point optimization problem is defined as
 
arg min Exadv ,xben max L(θ, xadv , mal ) + L(θ, xben , ben) .
θ 
The outer-minimization problem can be solved by gradient-
based algorithms such as SGD. The SLEIPNIR framework
is evaluated on a PE software dataset against several white-
box attack methods. Experimental results show that it can
significantly reduce attack success rates.
b) Defensive distillation: Grosse et al. [16] evaluate the
effectiveness of defensive distillation and adversarial train-
ing methods against JSMA-based adversarial malware attacks.
Experimental results show that defensive distillation has some
positive effects on robustness. However, the defensive distilla-
tion defense also leads to a significant decrease in classification
accuracy. For the adversarial training method, experimental
results show that it significantly reduces the attack success
rates. The authors argue that adversarial training is more
effective than defensive distillation to enhance the adversarial
robustness of ML-based malware classifiers.
c) Attack detection: Based on the insight that adversar-
ial examples have a different distribution from clean ones,
Grosse et al. [145] propose to use statistical tests to identify
adversarial examples. Statistical hypothesis testing is utilized
to determine whether two examples are sampled from the same
distribution. Maximum Mean Discrepancy (MMD) and Energy
Distance (ED) methods are also leveraged to measure the dis-
tance between different distributions. 50 adversarial examples
are extracted from each class to run statistical tests to detect
the diversity of different distributions. The classification model
is also modified with an additional output value to identify
adversarial examples. The proposed method is evaluated on
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
489
both malware classifiers and image classifiers against white-
box FGSM and JSMA attacks. Results show that the enhanced
classifier achieves over 80% accuracy on identifying adver-
sarial malware examples. The proposed defense method also
significantly increases the costs of attackers. Over 150% addi-
tional perturbations need to be generated to craft adversarial
examples.
Li et al. [143] propose a robust Android malware detection
framework, combing the Variational Autoencoder (VAE) and
the Multi-Layer Perceptron (MLP) to classify malware exam-
ples. The FD-VAE framework consists of an encoder model
(Enc) and a decoder model (Dec). The encoder compresses
input features into Gaussian Distribution with mean (μ) and
variance (σ). The decoder samples from the distribution and
reconstructs feature vectors to minimize the reconstruction
loss, which is defined as
  
L1 = Exben x log Dec(Enc(x ))
 
+ (1 − x ) log 1 − Dec(Enc(x )) .
The KL divergence is used to measure the difference
between the compressed Gaussian Distribution and the union
Gaussian Distribution, which is computed as
L2 = KL(N (μ, σ), N (0, 1)).
The authors also propose the disentangle loss function to
distinguish between clean and adversarial examples:
 
L3 = Exi ,xj Dis xi , xj , where
2
  μi −  μj , yi = yj
Dis xi , xj =  2 
max k − μi − μj , 0 , yi = yj
The overall loss function of the FD-VAE is computed as
LFD−VAE = λ1 L1 + λ2 L2 + λ3 L3 . A trained FD-VAE
model serves as both the classifier and the feature extractor.
It predicts adversarial examples when the reconstruction loss
exceeds a threshold value. The encoder of FD-VAE generates
compressed features, which are sent to the MLP model for
classification. Prediction results from FD-VAE and MLP are
combined using the OR function. The proposed defense frame-
work is evaluated on the AndroZoo dataset containing 58,447
Android apps. Results show that it improves the adversarial
robustness against both white-box and black-box attacks.
d) Verifiable robustness: Chen et al. [144] propose to use
verifiable robustness properties to train ML-based PDF mal-
ware classifiers. Attackers aim to solve a search problem and
perform modifications on original PDF files to craft adversar-
ial examples. Such modifications are based on the tree-like
structure of PDF files, such as deleting or inserting nodes into
the PDF tree. The robustness properties are used to ensure the
worst-case robustness of the victim classifiers and increase the
search costs of adversarial attacks. The subtree distance metric
measures the difference between PDF trees and thus bounds
the modifications performed by attackers. The distance metric
of two PDF examples is defined as
  
Dis x , x  = num of (rootx .subtrees ∪ rootx  .subtrees)

− (rootx .subtrees ∩ rootx  .subtrees) .
490
Subtrees of the two PDF examples are extracted with
depth = 1. The metric defines a series of properties to mea-
sure the robustness of classifiers within a limited distance. Let
S be the input set, robust models can be trained using these
properties by solving a saddle-point optimization problem:
arg min L(θ, x , ytrue ) + max L(θ, xadv , ytrue ) .
θ xadv ∈S
The defense method is evaluated on several ML-based models
trained on the Contagio dataset containing 19,000 PDF exam-
ples. The authors define the Verified Robust Accuracy (VRA)
to measure the accuracy of input examples classified cor-
rectly within a limited distance. Results show that the defense
method achieves over 92% VRA and over 99% accuracy.
4) Decision-Based Defense: Stokes et al. [51] propose to
use ensemble learning to enhance the robustness of ML-based
malware classifiers, which aims to increase the cost of adver-
sarial attacks. The key idea is that although it is easy for
attackers to generate adversarial examples against a single
classifier, it is much more difficult to attack an ensemble of
multiple classifiers with different properties. In the proposed
defense, predictions of the individual classifiers are aggre-
gated by voting with a threshold value of 50%. The ensemble
defense is evaluated on DNN-based models trained on a
dataset containing over 2.3M software examples. Experimental
results show that it significantly reduces the attack suc-
cess rates of white-box gradient-based attacks. Moreover, the
authors also argue that increasing the number of individual
classifiers can increase the difficulty of adversarial attacks.
Li and Li [52] propose the adversarial deep ensemble
defense method, which performs the Max strategy to gen-
erate optimal adversarial examples and uses them to retrain
the ensemble of multiple classifiers. Let F be the function of
a deep ensemble, the adversarial deep ensemble method can
be modeled as a saddle-point optimization problem, which is
defined as
arg min L(F (x ), ytrue ) + max L(F (h(M , x )), ytrue ) .
θ h,M
The ensemble model has better generalization capabilities
when the individual classifiers are effective and independent.
The authors also propose to retrain the individual classifiers
using adversarial examples generated by different attack meth-
ods. The optimization problem can be solved by the Lagrange
multiplier with the parameters of individual classifiers frozen.
The defense method is evaluated on DL-based classifiers
trained on Android Drebin and AndroZoo datasets. Results
show that it is effective against multiple attack methods.
5) Hybrid Defense: Some defense methods work in
multiple phases in the unified malware classification frame-
work.
Khasawneh et al. [122] propose the resilient HMD (RHMD)
method, which enhances the adversarial robustness of HMDs
against substitution-based adversarial attacks. RHMD uses
two kinds of randomization-based strategies including ran-
dom collection and random features, in order to increase the
costs of adversarial attacks. Multiple malware classifiers are
trained using different data collection periods and different
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
feature sets. RHMD randomly selects these trained classifiers
to make predictions. The authors propose to use the Probably
Approximately Correct (PAC) learnability theory to evaluate
the effectiveness of RHMD. It is proved that the diversity
of classifiers makes it harder to reserve-engineer the malware
classifiers, as well as craft adversarial examples.
Chen et al. [146] propose the SecureDroid framework
to improve the robustness of Android malware classifiers.
SecureDroid first extracts binary feature vectors from input
Android app examples. A feature selection method known as
SecCLS is used to analyze the importance of input features
based on (i) the cost (c) of modifying them, and (ii) their
contributions (weights w) to the classification problem. The
importance value (I) of feature i is computed as
|wi |
I (i ) ∝ .
ci
SecCLS aims to increase the modifications of adversarial
attacks. The authors propose that a secure classifier can be
trained by reducing the probability that important features are
selected. The probability of selecting feature i is inversely
proportional to its importance value:
1
P (i ) ∝ .
I (i )
Feature subsets are selected to train multiple classifiers using
SecCLS. An ensemble learning approach called SecENS is
proposed to aggregate predictions of individual classifiers.
In SecENS, individual classifiers use unique feature subsets,
while the ensemble of them covers the whole feature space.
The SecureDroid framework is evaluated on datasets collected
from Comodo. Results show that SecureDroid achieves over
80% accuracy with 50% of features modified.
Li and Li [147] propose a robust malware classification
framework working in multiple phases. Input examples are
first checked and revised in the preprocessing phase. An
encoder-decoder architecture is designed to learn semantics-
preserving representations as input features. The framework
uses an ensemble of multiple different malware classifiers to
make final predictions. Each model is trained on a randomly
selected subset of the generated features. Adversarial training
is utilized to improve their robustness. The authors apply the
proposed framework to the AICS 2019’ challenge and results
show that it achieves 93% accuracy.
C. Challenges
1) Evolution of Attackers: The game between attackers and
defenders continues. Some of the defense methods are no
longer effective with stronger attacks being proposed. For
example, in the ML domain, the defensive distillation tech-
nique is cracked by the C&W attack [20]. Another example is
that six gradient obfuscation-based defenses proposed at ICLR
2017 are cracked by [148] in 2018. Carlini and Wagner [149]
use the C&W attack to crack ten defense methods.
Similar problems also arise in the cyber security domain. To
verify the effectiveness of existing defenses, several methods
including defensive distillation, adversarial training, ensemble
learning, and random feature nullification are systematically
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
evaluated in [150]. Both white-box and black-box attack meth-
ods, such as FGSM, BGA, JSMA, and MalGAN, perform
adversarial attacks against these defense methods. Evaluation
results show that only adversarial training can significantly
improve robustness against most adversarial attacks, while
some other methods hardly contribute to adversarial robust-
ness.
2) Provability and Interpretability: It is worth noting that
most of the surveyed defense methods are experimentally
shown to be effective but not mathematically proved to be
robust. This leads to potential unknown vulnerabilities in ML-
based malware classifiers. Therefore, we believe that currently
effective defense methods may be cracked by new attack meth-
ods in the future, thus it is essential to develop provable
defense methods. Besides, due to the weak interpretability of
ML models (especially DL models), the reasoning processes
of them are not clear. Some irrelevant features may be auto-
matically extracted and learned as significant features. This
makes it difficult to apply some of the existing ML-based
malware classification methods in practice. Therefore, we pro-
pose to develop ML-based malware classifiers with better
interpretability.
VI. F UTURE W ORK D IRECTIONS
In this section, we discuss some future work directions
of malware classification domain from the perspectives of
attackers and defenders, respectively.
A. Attackers
1) Generating Usable Adversarial Examples: As men-
tioned in Section IV, attackers need to manipulate malware
examples in the features space and map them back to the
input space. It is more complex to generate adversarial exam-
ples in the malware domain than in the traditional ML domain,
because (i) the input space of malware examples is discrete
(usually binary), and (ii) the functionalities of original malware
examples should be preserved. In the ML domain, adversarial
attacks add small perturbations to original image examples to
generate adversarial image examples. These modified exam-
ples are still valid images because small perturbations are
hardly noticed by humans. However, for malware examples, a
modification of even one single bit can significantly affect the
original functionalities. In order to generate usable adversar-
ial examples, we believe that preserving the functionalities of
original examples should be considered as the first principle
when developing adversarial malware attacks.
2) Better Inverse-Mapping Manipulations: Various
inverse-mapping manipulations are proposed to modify
malware examples and generate adversarial examples. Some
attacks add adversarial perturbations to unused parts of the
executable files at the byte level, such as appending byes
and inserting bytes into unused sections [35], [37]. Some
attacks take limited actions to modify original examples [34],
[39], [42]. Some attacks leverage the internal information of
malware examples to add more stealthy perturbations [17],
[41], [122]. In addition, to effectively bypass malware classi-
fiers, attack methods need better robustness, which means the
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
491
generated adversarial perturbations are hard to be detected
or removed by defenders. We believe that developing more
robust inverse-mapping manipulations is still an open issue.
3) Aiming at Stronger Classifiers: Different types of mal-
ware classifiers are used as victim classifiers to evaluate
the effectiveness of adversarial attack methods. Researchers
select basic ML-based models [33], [36], DL-based mod-
els [34], [119], malware classifiers proposed in other research
works [37], [123], and even anti-virus engines [42] as victim
models. We believe that evaluating attack methods on stronger
malware classifiers produces more convincing results. Some
of the malware classifiers achieve high performance and they
are widely studied by other researchers [14], [67]. Besides,
commercial anti-virus engines are black-box malware clas-
sifiers designed for detecting real-world malware examples.
Bypassing such classifiers indicates that the evaluated attack
method is able to generate usable adversarial malware exam-
ples in real-world settings. Moreover, these classifiers provide
a unified standard for evaluating attack methods.
B. Defenders
1) Robustness and Accuracy: Existing malware classifica-
tion methods have achieved good performance. However, in
order to apply these methods for real-world detection tasks,
they should be robust to adversarial malware attacks. As
proposed in [151], perfect classifiers cannot be bypassed and
adversarial examples are inputs inaccurately classified by the
classifiers. So enhancing the adversarial robustness of clas-
sifiers is essentially improving their performance. Moreover,
in real-world cyber attacks, attackers usually have plenty of
computing resources to generate adversarial malware exam-
ples. A single successfully created adversarial example can
cause severe damage to the target system. Therefore, we rec-
ommend considering not only accuracy but also adversarial
robustness when designing malware classification methods.
2) Large-Scale Malware Classification Datasets: Some
researchers evaluate their malware classification methods on
datasets manually collected from online malware reposito-
ries such as VirusShare and VirusTotal [23], [28], [29], while
others use open-source malware datasets [25], [70], [74],
[76]. Open-source datasets provide unified criteria for evalu-
ating different malware classification methods. Some of these
datasets extract high-level features of original software exam-
ples, such as Malimg [66], Ember [64] and Drebin [67]. Some
datasets provide both processed binary files and extracted fea-
tures, such as SoReL-20M [65] and BIG 2015 [63] datasets.
Both executable malware examples and benign software exam-
ples are difficult to collect and release due to legal issues and
intellectual property protection. Moreover, as reported in [99]
and [100], there are several biases in existing malware datasets,
which may lead to unreliable experimental results. We recom-
mend considering data distribution biases when constructing
new malware classification datasets.
3) Adapting to Real-World Settings: To deploy malware
classification methods in real-world settings, these methods
need to process software examples in real-time. As introduced
in Section III, static-feature-based methods are more efficient,
492
while dynamic-feature-based methods can detect malicious
behaviors. There is a trade-off between security and availabil-
ity. As a part of the defense system, malware classifiers should
not significantly affect the normal operation of the protected
system. We recommend using a hybrid classification method,
combining both static and dynamic methods. Static methods
can be used as a preliminary detector, and only suspicious
examples are fed into dynamic classifiers for further analysis.
In addition to availability, it is also worth noting that
some systems have limited resources. For example, some IoT
devices have limited storage space and computing power.
Mobile devices are powered by batteries and their energy
consumption should be considered. Some model compression
and acceleration methods, such as model distillation [133],
network quantization [152] and hardware-based model acceler-
ation [153], can help to apply ML-based malware classification
methods to such systems.
4) Virtual Analysis Environments: As mentioned in
Section III, for dynamic feature-based malware classification
methods, input examples are analyzed in virtual environments
and then their behavioral features are collected. Some
malware examples are able to identify artificially created
environments and hide their malicious behaviors. Some
researchers propose cloning real environments or simulating
user behaviors to build virtual analysis environments [104].
However, such methods cannot adapt to the evolution of the
protected system, and cloning and simulating operations have
high costs. We believe that it is still an open issue to build
more realistic virtual environments that can (i) dynamically
evolve with the real system, and (ii) apply to different types
of systems.
One promising solution is constructing a Parallel
Adversarial Network (PAN) that accompanies the pro-
tected network [105]. PAN shares the same resources with
the protected network and evolves with it. Another advantage
of PAN is that it can be extended to different types of private
networks, such as industrial networks and corporate networks.
5) Immunology-Inspired Defense Framework: The abilities
of both attackers and defenders evolve over time. Defenders
need to predict the evolution of attackers and deploy defense
strategies before new attacks arrive. However, predicting
unknown attacks is difficult because defenders usually lack
the information of attackers.
To address this issue, Yu et al. [105] acquire several inspira-
tions from the immune system and propose that the capabilities
of defenders can be enhanced by contesting with attackers in
real environments and evolving attack and defense strategies
dynamically. To enhance the adversarial robustness of a mal-
ware classifier, defenders can deploy an identical classifier
in the PAN and continuously perform different adversar-
ial attack methods on it. Successfully generated adversarial
examples indicate vulnerabilities in the protected classifier.
Defense capabilities further evolve by applying defense algo-
rithms such as adversarial training. The protected classifier is
enhanced in the continuous game of adversarial attack and
defense.
6) Interpretable Models and Provable Robustness: As
proposed in [154], it is hard to defend against adversarial
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
attacks because a perfectly robust model should make correct
predictions on every possible input examples, while attackers
only need to exploit one vulnerability to perform a success-
ful adversarial attack. To prove the adversarial robustness of
malware classifiers, one possible method is brute-force traver-
sal. However, it is impossible to examine the prediction of
each example on the huge (almost infinite) input space. To
address this issue, ML-based malware classifiers should have
better interpretability and even give explanations for making
specific predictions. Basic ML models such as DT and LR
can be used as malware classifiers due to their solid basis
in mathematics. Moreover, in the ML domain, researchers
propose various methods to improve the interpretability of
ML models [155]. In the malware domain, some methods
achieve verifiable robustness of malware classifiers based on
the properties of specific file types [144]. However, such meth-
ods are difficult to extend to other malware classifiers. We
believe that improving the interpretability and providing prov-
able robustness of ML-based malware classifiers are still open
issues.
VII. C ONCLUSION
ML techniques significantly improve the capabilities of
malware classifiers but also introduce security risks to the
cyber security domain. In this paper, we summarize a uni-
fied malware classification framework and use the framework
to survey the Defense-Attack-Enhanced-Defense process of
ML-based malware classification. Specifically, we first sur-
vey ML-based malware classification methods, which are
categorized into static and dynamic methods according to
the input features. Then, we survey adversarial attack meth-
ods on ML-based malware classifiers in both white-box and
black-box attack settings. We also survey defense meth-
ods to enhance the robustness of malware classifiers against
adversarial attacks, which work in different phases of the uni-
fied framework. Finally, we summarize the main challenges
faced by both attackers and defenders and further discuss
some promising future work directions. According to the
surveyed literature, the capabilities of attackers and defend-
ers evolve in the battle of ML-based malware classification.
We hope this study will lead to further discussions on the
evolution of attack and defense of ML-based malware classi-
fication and finally realize more robust malware classification
methods.
R EFERENCES
[1] H. S. Lallie et al., “Cyber security in the age of COVID-19: A timeline
and analysis of cyber-crime and cyber-attacks during the pandemic,”
Comput. Security, vol. 105, Jun. 2021, Art. no. 102248.
[2] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, and B. Sikdar, “A
survey on IoT security: Application areas, security threats, and solution
architectures,” IEEE Access, vol. 7, pp. 82721–82743, 2019.
[3] Y. Li, Q. Luo, J. Liu, H. Guo, and N. Kato, “TSP security in intelli-
gent and connected vehicles: Challenges and solutions,” IEEE Wireless
Commun., vol. 26, no. 3, pp. 125–131, Jun. 2019.
[4] Q. Luo, J. Liu, J. Wang, Y. Tan, Y. Cao, and N. Kato, “Automatic con-
tent inspection and forensics for children android apps,” IEEE Internet
Things J., vol. 7, no. 8, pp. 7123–7134, Aug. 2020.
[5] (IBM Corp., Armonk, NY, USA). X-Force Threat Intelligence
Index 2022. (Feb. 2022). [Online]. Available: https://www.ibm.com/
downloads/cas/ADLMYLAZ
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
[6] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and
N. Modadugu, “The ghost in the browser analysis of Web-based mal-
ware,” in Proc. USENIX HotBots, Cambridge, MA, USA, Apr. 2007,
pp. 1–9.
[7] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey
of mobile malware in the wild,” in Proc. ACM SPSM, Chicago, IL,
USA, Oct. 2011, pp. 3–14.
[8] A. Costin and J. Zaddach, “IoT malware: Comprehensive survey, anal-
ysis framework and case studies,” in Proc. BlackHat, Las Vegas, NV,
USA, Aug. 2018, pp. 1–9.
[9] S. Basole and M. Stamp, “Cluster analysis of malware family relation-
ships,” 2021, arXiv:2103.05761.
[10] I. H. Sarker, A. S. M. Kayes, S. Badsha, H. AlQahtani, P. A. Watters,
and A. Ng, “Cybersecurity data science: An overview from machine
learning perspective,” J. Big Data, vol. 7, no. 1, p. 41, 2020.
[11] N. Idika and A. P. Mathur, “A survey of malware detection techniques,”
Ph.D. dissertation, Dept. Comput. Sci., Purdue Univ., West Lafayette,
IN, USA, 2007.
[12] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” Nature, vol. 521,
no. 7553, pp. 436–444, 2015.
[13] D. Gibert, C. Mateu, and J. Planes, “HYDRA: A multimodal deep
learning framework for malware classification,” Comput. Security,
vol. 95, Aug. 2020, Art. no. 101873.
[14] E. Raff, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, and
C. K. Nicholas, “Malware detection by eating a whole EXE,” in Proc.
AAAI Workshop, New Orleans, LA, USA, Feb. 2018, pp. 268–276.
[15] O. Suciu, S. E. Coull, and J. Johns, “Exploring adversarial examples
in malware detection,” in Proc. IEEE SP Workshops, San Francisco,
CA, USA, May 2019, pp. 8–14.
[16] K. Grosse, N. Papernot, P. Manoharan, M. Backes, and P. McDaniel,
“Adversarial perturbations against deep neural networks for malware
classification,” 2016, arXiv:1606.04435.
[17] L. Demetrio, B. Biggio, G. Lagorio, F. Roli, and A. Armando,
“Functionality-preserving black-box optimization of adversarial win-
dows malware,” IEEE Trans. Inf. Forensics Security, vol. 16,
pp. 3469–3478, 2021.
[18] D. Li, Q. Li, Y. Ye, and S. Xu, “A framework for enhancing deep
neural networks against adversarial malware,” IEEE Trans. Netw. Sci.
Eng., vol. 8, no. 1, pp. 736–750, Jan.–Mar. 2021.
[19] Q. Wang et al., “Adversary resistant deep neural networks with an
application to malware detection,” in Proc. ACM SIGKDD, Halifax,
NS, Canada, Aug. 2017, pp. 1145–1153.
[20] N. Carlini and D. Wagner, “Towards evaluating the robustness of neu-
ral networks,” in Proc. IEEE SP, San Jose, CA, USA, May 2017,
pp. 39–57.
[21] Z. Cui, F. Xue, X. Cai, Y. Cao, G.-G. Wang, and J. Chen, “Detection
of malicious code variants based on deep learning,” IEEE Trans. Ind.
Informat., vol. 14, no. 7, pp. 3187–3196, Jul. 2018.
[22] A. Shabtai, R. Moskovitch, C. Feher, S. Dolev, and Y. Elovici,
“Detecting unknown malicious code by applying classification tech-
niques on opcode patterns,” Security Inform., vol. 1, no. 1, pp. 1–22,
Feb. 2012.
[23] S. Jeon and J. Moon, “Malware-detection method with a convolutional
recurrent neural network using opcode sequences,” Inf. Sci., vol. 535,
pp. 1–15, Oct. 2020.
[24] J. Saxe and K. Berlin, “Deep neural network based malware detec-
tion using two dimensional binary program features,” in Proc. IEEE
MALWARE, Fajardo, PR, USA, Oct. 2015, pp. 11–20.
[25] W. Huang and J. W. Stokes, “MtNet: A multi-task neural network
for dynamic malware classification,” in Proc. DIMVA, San Sebastián,
Spain, Jul. 2016, pp. 399–418.
[26] R. Pascanu, J. W. Stokes, H. Sanossian, M. Marinescu, and A. Thomas,
“Malware classification with recurrent networks,” in Proc. IEEE
ICASSP, South Brisbane, QLD, Australia, Apr. 2015, pp. 1916–1920.
[27] E. Amer, I. Zelinka, and S. El-Sappagh, “A multi-perspective malware
detection approach through behavioral fusion of API call sequence,”
Comput. Security, vol. 110, Nov. 2021, Art. no. 102449.
[28] Q. Wang et al., “You are what you do: Hunting stealthy malware
via data provenance analysis,” in Proc. NDSS, San Diego, CA, USA,
Feb. 2020, pp. 1–17.
[29] X. Han et al., “SIGL: Securing software installations through deep
graph learning,” in Proc. USENIX Security, Aug. 2021, pp. 2345–2362.
[30] C. Szegedy et al., “Intriguing properties of neural networks,” in Proc.
ICLR, Banff, AB, Canada, Apr. 2014, pp. 1–10.
[31] V. Kuleshov, S. Thakoor, T. Lau, and S. Ermon, “Adversarial exam-
ples for natural language classification problems,” in Proc. ICLR,
Vancouver, BC, Canada, Apr. 2018, pp. 1–13.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
493
[32] Z. Lin, Y. Shi, and Z. Xue, “IDSGAN: Generative adversarial
networks for attack generation against intrusion detection,” 2018,
arXiv:1809.02077.
[33] B. Biggio et al., “Evasion attacks against machine learning at test
time,” in Proc. ECML, PKDD, Prague, Czech Republic, Sep. 2013,
pp. 387–402.
[34] A. Al-Dujaili, A. Huang, E. Hemberg, and U. O’Reilly, “Adversarial
deep learning for robust detection of binary encoded malware,” in Proc.
IEEE SP Workshops, Francisco, CA, USA, May 2018, pp. 76–82.
[35] F. Kreuk, A. Barak, S. Aviv-Reuven, M. Baruch, B. Pinkas, and
J. Keshet, “Deceiving end-to-end deep learning malware detectors
using adversarial examples,” in Proc. NIPS Workshops, Montreal, QC,
Canada, Dec. 2018, pp. 1–6.
[36] W. Hu and Y. Tan, “Generating adversarial malware examples for
black-box attacks based on GAN,” 2017, arXiv:1702.05983.
[37] J. Yuan, S. Zhou, L. Lin, F. Wang, and J. Cui, “Black-box adversarial
attacks against deep learning based malware binaries detection with
GAN,” in Proc. ECAI, Santiago de Compostela, Spain, Aug. 2020,
pp. 2536–2542.
[38] I. Rosenberg, A. Shabtai, L. Rokach, and Y. Elovici, “Generic black-
box end-to-end attack against state of the art API call based malware
classifiers,” in Proc. RAID, Heraklion, Greece, Sep. 2018, pp. 490–510.
[39] H. S. Anderson, A. Kharkar, B. Filar, and P. Roth, “Evading machine
learning malware detection,” in Proc. BlackHat, Las Vegas, NV, USA,
Jul. 2017, pp. 1–6.
[40] I. Rosenberg, A. Shabtai, Y. Elovici, and L. Rokach, “Query-efficient
black-box attack against sequence-based malware classifiers,” in Proc.
ACM ACSAC, Austin, TX, USA, Dec. 2020, pp. 611–626.
[41] Y. Kucuk and G. Yan, “Deceiving portable executable malware clas-
sifiers into targeted misclassification with practical adversarial exam-
ples,” in Proc. ACM CODASPY, New Orleans, LA, USA, Mar. 2020,
pp. 341–352.
[42] W. Song, X. Li, S. Afroz, D. Garg, D. Kuznetsov, and H. Yin, “MAB-
malware: A reinforcement learning framework for attacking static
malware classifiers,” 2020, arXiv:2003.03100.
[43] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing
adversarial examples,” in Proc. ICLR, San Diego, CA, USA, May 2015,
pp. 1–11.
[44] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards
deep learning models resistant to adversarial attacks,” in Proc. ICLR,
Vancouver, BC, Canada, Apr. 2018, pp. 1–28.
[45] M. Abbasi and C. Gagné, “Robustness to adversarial examples through
an ensemble of specialists,” in Proc. ICLR, Toulon, France, Aug. 2017,
pp. 1–9.
[46] F. Tramèr, A. Kurakin, N. Papernot, I. J. Goodfellow, D. Boneh, and
P. D. McDaniel, “Ensemble adversarial training: Attacks and defenses,”
in Proc. ICLR, Vancouver, BC, Canada, Apr. 2018, pp. 1–20.
[47] P. Samangouei, M. Kabkab, and R. Chellappa, “Defense-GAN:
Protecting classifiers against adversarial attacks using generative mod-
els,” in Proc. ICLR, Vancouver, BC, Canada, Apr. 2018, pp. 1–17.
[48] X. Liu and C. Hsieh, “Rob-GAN: Generator, discriminator, and
adversarial attacker,” in Proc. IEEE CVPR, Long Beach, CA, USA,
Jun. 2019, pp. 11234–11243.
[49] C. Smutz and A. Stavrou, “When a tree falls: Using diversity in ensem-
ble classifiers to identify evasion in malware detectors,” in Proc. NDSS,
San Diego, CA, USA, Jan. 2016, pp. 1–15.
[50] F. Zhang, P. P. K. Chan, B. Biggio, D. S. Yeung, and F. Roli,
“Adversarial feature selection against evasion attacks,” IEEE Trans.
Cybern., vol. 46, no. 3, pp. 766–777, Mar. 2016.
[51] J. W. Stokes, D. Wang, M. Marinescu, M. Marino, and B. Bussone,
“Attack and defense of dynamic analysis-based, adversarial neural mal-
ware detection models,” in Proc. IEEE MILCOM, Angeles, CA, USA,
Oct. 2018, pp. 1–8.
[52] D. Li and Q. Li, “Adversarial deep ensemble: Evasion attacks and
defenses for malware detection,” IEEE Trans. Inf. Forensics Security,
vol. 15, pp. 3886–3900, 2020.
[53] N. Akhtar and A. Mian, “Threat of adversarial attacks on deep learning
in computer vision: A survey,” IEEE Access, vol. 6, pp. 14410–14430,
2018.
[54] X. Yuan, P. He, Q. Zhu, and X. Li, “Adversarial examples: Attacks and
defenses for deep learning,” IEEE Trans. Neural Netw. Learn. Syst.,
vol. 30, no. 9, pp. 2805–2824, Sep. 2019.
[55] E. Raff and C. Nicholas, “A survey of machine learning meth-
ods and challenges for windows malware classification,” 2020,
arXiv:2006.09271.
494 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
[56] M. Odusami, O. Abayomi-Alli, S. Misra, O. Shobayo,
R. Damasevicius, and R. Maskeliunas, “Android malware detec-
tion: A survey,” in Proc. ICAI, Bogotá, Colombia, Nov. 2018,
pp. 255–266.
[57] A. D. Raju, I. Y. Abualhaol, R. S. Giagone, Y. Zhou, and S. Huang,
“A survey on cross-architectural IoT malware threat hunting,” IEEE
Access, vol. 9, pp. 91686–91709, 2021.
[58] D. Ucci, L. Aniello, and R. Baldoni, “Survey of machine learning tech-
niques for malware analysis,” Comput. Security, vol. 81, pp. 123–147,
Mar. 2019.
[59] Y. Ye, T. Li, D. A. Adjeroh, and S. S. Iyengar, “A survey on malware
detection using data mining techniques,” ACM Comput. Surv., vol. 50,
no. 3, pp. 1–40, 2018.
[60] I. Rosenberg, A. Shabtai, Y. Elovici, and L. Rokach, “Adversarial
machine learning attacks and defense methods in the cyber security
domain,” ACM Comput. Surv., vol. 54, no. 5, pp. 1–36, 2021.
[61] L. Demetrio, S. E. Coull, B. Biggio, G. Lagorio, A. Armando, and
F. Roli, “Adversarial EXEmples: A survey and experimental evalu-
ation of practical attacks on machine learning for windows malware
detection,” ACM Trans. Privay Security, vol. 24, no. 4, pp. 1–31, 2021.
[62] D. Li, Q. Li, Y. Ye, and S. Xu, “Arms race in adversarial malware
detection: A survey,” ACM Comput. Surv., vol. 55, no. 1, pp. 1–35,
2021.
[63] R. Ronen, M. Radu, C. Feuerstein, E. Yom-Tov, and M. Ahmadi,
“Microsoft malware classification challenge,” 2018, arXiv:1802.10135.
[64] H. S. Anderson and P. Roth, “EMBER: An open dataset for training
static PE malware machine learning models,” 2018, arXiv:1804.04637.
[65] R. E. Harang and E. M. Rudd, “SOREL-20M: A large scale benchmark
dataset for malicious PE detection,” 2020, arXiv:2012.07634.
[66] L. Nataraj, S. Karthikeyan, G. Jacob, and B. S. Manjunath, “Malware
images: Visualization and automatic classification,” in Proc. ACM
VizSec, Pittsburgh, PA, USA, Jul. 2011, pp. 1–7.
[67] D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and
C. Siemens, “DREBIN: Effective and explainable detection of android
malware in your pocket,” in Proc. NDSS, San Diego, CA, USA,
Feb. 2014, pp. 23–26.
[68] K. Allix, T. F. Bissyandé, J. Klein, and Y. L. Traon, “AndroZoo:
Collecting millions of android apps for the research community,” in
Proc. ACM MSR, Austin, TX, USA, May 2016, pp. 468–471.
[69] N. Srndic and P. Laskov, “Hidost: A static machine-learning-based
detector of malicious files,” EURASIP J. Inf. Security, vol. 2016, no. 1,
2016. [Online]. Available: https://jis-eurasipjournals.springeropen.com/
articles/10.1186/s13635-016-0045-0
[70] D. Vasan, M. Alazab, S. Wassan, B. Safaei, and Q. Zheng, “Image-
based malware classification using ensemble of CNN architectures,”
Comput. Security, vol. 92, May 2020, Art. no. 101748.
[71] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei,
“ImageNet: A large-scale hierarchical image database,” in Proc. IEEE
CVPR, Miami, FL, USA, Jun. 2009, pp. 248–255.
[72] K. Simonyan and A. Zisserman, “Very deep convolutional networks for
large-scale image recognition,” in Proc. ICLR, San Diego, CA, USA,
May 2015, pp. 1–14.
[73] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image
recognition,” in Proc. IEEE CVPR, Las Vegas, NV, USA, Jun. 2016,
pp. 770–778.
[74] J.-Y. Kim, S.-J. Bu, and S.-B. Cho, “Zero-day malware detection
using transferred generative adversarial networks based on deep autoen-
coders,” Inf. Sci., vols. 460–461, pp. 83–102, Sep. 2018.
[75] I. Goodfellow et al., “Generative adversarial nets,” in Proc. NIPS,
Montreal, QC, Canada, Dec. 2014, pp. 2672–2680.
[76] E. Raff, W. Fleshman, R. Zak, H. S. Anderson, B. Filar, and
M. McLean, “Classifying sequences of extreme length with constant
memory applied to malware detection,” in Proc. AAAI, Feb. 2021,
pp. 9386–9394.
[77] C. Wang, Z. Qin, J. Zhang, and H. Yin, “A malware variants detection
methodology with an opcode based feature method and a fast density
based clustering algorithm,” in Proc. IEEE ICNC-FSKD, Changsha,
China, Aug. 2016, pp. 481–487.
[78] M. G. Schultz, E. Eskin, F. Zadok, and S. J. Stolfo, “Data mining
methods for detection of new malicious executables,” in Proc. IEEE
SP, Oakland, CA, USA, May 2001, pp. 38–49.
[79] S. Huda, J. Abawajy, M. Alazab, M. Abdollalihian, R. Islam, and
J. Yearwood, “Hybrids of support vector machine wrapper and filter
based framework for malware detection,” Future Gener. Comput. Syst.,
vol. 55, pp. 376–390, Feb. 2016.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
[80] M. O. F. Rokon, R. Islam, A. Darki, E. E. Papalexakis, and
M. Faloutsos, “SourceFinder: Finding malware source-code from pub-
licly available repositories in GitHub,” in Proc. RAID, San Sebastian,
Spain, Oct. 2020, pp. 149–163.
[81] D. Rabadi and S. G. Teo, “Advanced windows methods on malware
detection and classification,” in Proc. ACM ACSAC, Austin, TX, USA,
Dec. 2020, pp. 54–68.
[82] S. Nari and A. A. Ghorbani, “Automated malware classification based
on network behavior,” in Proc. IEEE ICNC, San Diego, CA, USA,
Jan. 2013, pp. 642–647.
[83] B. J. Kwon, J. Mondal, J. Jang, L. Bilge, and T. Dumitras, “The
dropper effect: Insights into malware distribution with downloader
graph analytics,” in Proc. ACM CCS, Denver, CO, USA, Oct. 2015,
pp. 1118–1129.
[84] L. Chen, S. Sultana, and R. Sahita, “HeNet: A deep learning approach
on Intel processor trace for effective exploit detection,” in Proc. IEEE
SP Workshops, San Francisco, CA, USA, May 2018, pp. 109–115.
[85] M. Ozsoy, K. N. Khasawneh, C. Donovick, I. Gorelik, N. Abu-
Ghazaleh, and D. Ponomarev, “Hardware-based malware detection
using low-level architectural features,” IEEE Trans. Comput., vol. 65,
no. 11, pp. 3332–3344, Nov. 2016.
[86] D.-P. Pham, D. Marion, M. Mastio, and A. Heuser, “Obfuscation
revealed: Leveraging electromagnetic signals for obfuscated malware
classification,” in Proc. ACM ACSAC, Dec. 2021, pp. 706–719.
[87] A. Mohaisen, O. Alrawi, and M. Mohaisen, “AMAL: High-
fidelity, behavior-based automated malware analysis and classification,”
Comput. Security, vol. 52, pp. 251–266, Jul. 2015.
[88] B. Alsulami and S. Mancoridis, “Behavioral malware classifica-
tion using convolutional recurrent neural networks,” in Proc. IEEE
MALWARE, Nantucket, MA, USA, Oct. 2018, pp. 103–111.
[89] S. O’Shaughnessy and S. Sheridan, “Image-based malware classi-
fication hybrid framework based on space-filling curves,” Comput.
Security, vol. 116, May 2022, Art. no. 102660.
[90] S. Yoo, S. Kim, S. Kim, and B. B. Kang, “AI-HydRa: Advanced
hybrid approach using random forest and deep learning for malware
classification,” Inf. Sci., vol. 546, pp. 420–435, Feb. 2021.
[91] L. Xu, D. P. Zhang, N. Jayasena, and J. Cavazos, “HADM: Hybrid
analysis for detection of malware,” in Proc. SAI IntelliSys, London,
U.K., Sep. 2016, pp. 702–724.
[92] D. Arivudainambi, K. A. V. Kumar, S. S. Chakkaravarthy, and P. Visu,
“Malware traffic classification using principal component analysis and
artificial neural network for extreme surveillance,” Comput. Commun.,
vol. 147, pp. 50–57, Nov. 2019.
[93] C. Szegedy, V. Vanhoucke, S. Ioffe, J. Shlens, and Z. Wojna,
“Rethinking the inception architecture for computer vision,” in Proc.
IEEE CVPR, Las Vegas, NV, USA, Jun. 2016, pp. 2818–2826.
[94] F. Barbero, F. Pendlebury, F. Pierazzi, and L. Cavallaro, “Transcending
transcend: Revisiting malware classification in the presence of concept
drift,” 2021, arXiv:2010.03856.
[95] A. Narayanan, L. Yang, L. Chen, and L. Jinliang, “Adaptive and scal-
able android malware detection through online learning,” in Proc. IEEE
IJCNN, Vancouver, BC, Canada, Jul. 2016, pp. 2484–2491.
[96] F. Maggi, W. Robertson, C. Kruegel, and G. Vigna, “Protecting a
moving target: Addressing Web application concept drift,” in Proc.
RAID, Saint-Malo, France, Sep. 2009, pp. 21–40.
[97] R. Jordaney et al., “Transcend: Detecting concept drift in malware clas-
sification models,” in Proc. USENIX Security, Vancouver, BC, Canada,
Aug. 2017, pp. 625–642.
[98] X. Zhang et al., “Enhancing state-of-the-art classifiers with API seman-
tics to detect evolved android malware,” in Proc. ACM SIGSAC,
Nov. 2020, pp. 757–770.
[99] H. Aghakhani et al., “When malware is Packin’ heat; limits of machine
learning classifiers based on static analysis features,” in Proc. NDSS,
San Diego, CA, USA, Feb. 2020, pp. 1–20.
[100] F. Pendlebury, F. Pierazzi, R. Jordaney, J. Kinder, and L. Cavallaro,
“TESSERACT: Eliminating experimental bias in malware classification
across space and time,” in Proc. USENIX Security, Santa Clara, CA,
USA, Aug. 2019, pp. 729–746.
[101] S. Zhu et al., “Measuring and modeling the label dynamics of
online anti-malware engines,” in Proc. USENIX Security, Aug. 2020,
pp. 2361–2378.
[102] T. Vidas and N. Christin, “Evading android runtime analysis via sand-
box detection,” in Proc. ACM AsiaCCS, Kyoto, Japan, Jun. 2014,
pp. 447–458.
YAN et al.: SURVEY OF ADVERSARIAL ATTACK AND DEFENSE METHODS FOR MALWARE CLASSIFICATION
[103] A. Yokoyama et al., “SandPrint: Fingerprinting malware sandboxes to
provide intelligence for sandbox evasion,” in Proc. RAID, Paris, France,
Sep. 2016, pp. 165–187.
[104] N. Miramirkhani, M. P. Appini, N. Nikiforakis, and M. Polychronakis,
“Spotless sandboxes: Evading malware analysis systems using wear-
and-tear artifacts,” in Proc. IEEE SP, San Jose, CA, USA, May 2017,
pp. 1009–1024.
[105] Q. Yu et al., “An immunology-inspired network security architecture,”
IEEE Wireless Commun., vol. 27, no. 5, pp. 168–173, Oct. 2020.
[106] A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial machine
learning at scale,” in Proc. ICLR, Toulon, France, Apr. 2017, pp. 1–17.
[107] A. Kurakin, I. J. Goodfellow, and S. Bengio, “Adversarial examples
in the physical world,” in Proc. ICLR Workshop, Toulon, France,
Apr. 2017, pp. 1–14.
[108] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “Deepfool: A simple
and accurate method to fool deep neural networks,” in Proc. IEEE
CVPR, Las Vegas, NV, USA, Jun. 2016, pp. 2574–2582.
[109] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, and
A. Swami, “The limitations of deep learning in adversarial settings,” in
Proc. IEEE EuroS P, Saarbrücken, Germany, Mar. 2016, pp. 372–387.
[110] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation
as a defense to adversarial perturbations against deep neural networks,”
in Proc. IEEE SP, San Jose, CA, USA, May 2016, pp. 582–597.
[111] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and
A. Swami, “Practical black-box attacks against machine learning,” in
Proc. ACM AsiaCCS, Abu Dhabi, UAE, Apr. 2017, pp. 506–519.
[112] W. Brendel, J. Rauber, and M. Bethge, “Decision-based adversarial
attacks: Reliable attacks against black-box machine learning models,”
in Proc. ICLR, Vancouver, BC, Canada, Apr. 2017, pp. 1–12.
[113] M. Cheng, T. Le, P.-Y. Chen, J. Yi, H. Zhang, and C.-J. Hsieh, “Query-
efficient hard-label black-box attack: An optimization-based approach,”
in Proc. ICLR, New Orleans, LA, USA, May 2018, pp. 1–14.
[114] C. Guo, J. Gardner, Y. You, A. G. Wilson, and K. Weinberger, “Simple
black-box adversarial attacks,” in Proc. ICML, Long Beach, CA, USA,
Jun. 2019, pp. 2484–2493.
[115] C. Xiao, B. Li, J.-Y. Zhu, W. He, M. Liu, and D. Song, “Generating
adversarial examples with adversarial networks,” in Proc. IJCAI,
Stockholm, Sweden, Jul. 2018, pp. 3905–3911.
[116] P. Mangla, S. Jandial, S. Varshney, and V. N. Balasubramanian,
“AdvGAN++: Harnessing latent layers for adversary generation,”
in Proc. IEEE ICCV Workshops, Seoul, South Korea, Oct. 2019,
pp. 2045–2048.
[117] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, and C.-J. Hsieh, “ZOO: Zeroth
order optimization based black-box attacks to deep neural networks
without training substitute models,” in Proc. ACM AISec, Dallas, TX,
USA, Nov. 2017, pp. 15–26.
[118] B. Kolosnjaji et al., “Adversarial malware binaries: Evading deep learn-
ing for malware detection in executables,” in Proc. IEEE EUSIPCO,
Roma, Italy, Sep. 2018, pp. 533–537.
[119] A. Abusnaina, A. Khormali, H. Alasmary, J. Park, A. Anwar, and
A. Mohaisen, “Adversarial learning attacks on graph-based IoT mal-
ware detection systems,” in Proc. IEEE ICDCS, Dallas, TX, USA,
Jul. 2019, pp. 1296–1305.
[120] L. Chen, Y. Ye, and T. Bourlai, “Adversarial machine learning in mal-
ware detection: Arms race between evasion attack and defense,” in
Proc. IEEE EISIC, Athens, Greece, Sep. 2017, pp. 99–106.
[121] W. Hu and Y. Tan, “Black-box attacks against RNN based malware
detection algorithms,” in Proc. AAAI Workshops, New Orleans, LA,
USA, Feb. 2018, pp. 245–251.
[122] K. N. Khasawneh, N. B. Abu-Ghazaleh, D. Ponomarev, and L. Yu,
“RHMD: Evasion-resilient hardware malware detectors,” in Proc.
IEEE/ACM MICRO, Cambridge, MA, USA, Oct. 2017, pp. 315–327.
[123] W. Xu, Y. Qi, and D. Evans, “Automatically evading classifiers: A
case study on PDF malware classifiers,” in Proc. NDSS, San Diego,
CA, USA, Feb. 2016, pp. 1–15.
[124] L. Yu, W. Zhang, J. Wang, and Y. Yu, “SeqGAN: Sequence generative
adversarial nets with policy gradient,” in Proc. AAAI, San Francisco,
CA, USA, Feb. 2017, pp. 2852–2858.
[125] C. Smutz and A. Stavrou, “Malicious PDF detection using metadata
and structural features,” in Proc. ACM ACSAC, Orlando, FL, USA,
Dec. 2012, pp. 239–248.
[126] N. Srndic and P. Laskov, “Detection of malicious PDF files based on
hierarchical document structure,” in Proc. NDSS, San Diego, CA, USA,
Feb. 2013, pp. 1–16.
[127] R. S. Sutton and A. G. Barto, Reinforcement Learning: An Introduction.
Cambridge, MA, USA: MIT Press, 2018.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
495
[128] V. Mnih et al., “Playing Atari with deep reinforcement learning,” 2013,
arXiv:1312.5602.
[129] F. Pierazzi, F. Pendlebury, J. Cortellazzi, and L. Cavallaro, “Intriguing
properties of adversarial ML attacks in the problem space,” in Proc.
IEEE SP, San Francisco, CA, USA, May 2020, pp. 1332–1349.
[130] A. Shafahi et al., “Adversarial training for free!” in Proc. NIPS,
Vancouver, BC, Canada, Dec. 2019, pp. 3353–3364.
[131] E. Wong, L. Rice, and J. Z. Kolter, “Fast is better than free: Revisiting
adversarial training,” in Proc. ICLR, Addis Ababa, Ethiopia, Apr. 2020,
pp. 1–17.
[132] D. Zhang, T. Zhang, Y. Lu, Z. Zhu, and B. Dong, “You only propagate
once: Accelerating adversarial training via maximal principle,” in Proc.
NIPS, Vancouver, BC, Canada, Dec. 2019, pp. 227–238.
[133] G. Hinton, O. Vinyals, and J. Dean, “Distilling the knowledge in a
neural network,” 2015, arXiv:1503.02531.
[134] C. Xie, J. Wang, Z. Zhang, Z. Ren, and A. Yuille, “Mitigating adver-
sarial effects through randomization,” in Proc. ICLR, Vancouver, BC,
Canada, Apr. 2018, pp. 1–16.
[135] W. Xu, D. Evans, and Y. Qi, “Feature squeezing: Detecting adversarial
examples in deep neural networks,” in Proc. NDSS, San Diego, CA,
USA, Feb. 2017, pp. 1–15.
[136] D. Meng and H. Chen, “MagNet: A two-pronged defense against adver-
sarial examples,” in Proc. ACM CCS, Dallas, TX, USA, Oct. 2017,
pp. 135–147.
[137] M. Naseer, S. Khan, M. Hayat, F. S. Khan, and F. Porikli, “A self-
supervised approach for adversarial robustness,” in Proc. IEEE CVPR,
Seattle, WA, USA, Jun. 2020, pp. 262–271.
[138] M. Arjovsky, S. Chintala, and L. Bottou, “Wasserstein generative adver-
sarial networks,” in Proc. ICML, Sydney, NSW, Australia, Aug. 2017,
pp. 214–223.
[139] W. He, J. Wei, X. Chen, N. Carlini, and D. Song, “Adversarial example
defense: Ensembles of weak defenses are not strong,” in Proc. USENIX
WOOT, Vancouver, BC, Canada, Aug. 2017, pp. 1–11.
[140] S. Chen et al., “Automated poisoning attacks and defenses in malware
detection systems: An adversarial machine learning approach,” Comput.
Security, vol. 73, pp. 326–344, Mar. 2018.
[141] L. Tong, B. Li, C. Hajaj, C. Xiao, N. Zhang, and Y. Vorobeychik,
“Improving robustness of ML classifiers against realizable evasion
attacks using conserved features,” in Proc. USENIX Security, Santa
Clara, CA, USA, Aug. 2019, pp. 285–302.
[142] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust mal-
ware detection for Internet of (battlefield) Things devices using deep
Eigenspace learning,” IEEE Trans. Sustain. Comput., vol. 4, no. 1,
pp. 88–95, Jan.–Mar. 2019.
[143] H. Li, S. Zhou, W. Yuan, X. Luo, C. Gao, and S. Chen, “Robust android
malware detection against adversarial example attacks,” in Proc.
ACM/IW3C2 WWW, Ljubljana, Slovenia, Apr. 2021, pp. 3603–3612.
[144] Y. Chen, S. Wang, D. She, and S. Jana, “On training robust
PDF malware classifiers,” in Proc. USENIX Security, Aug. 2020,
pp. 2343–2360.
[145] K. Grosse, P. Manoharan, N. Papernot, M. Backes, and P. McDaniel,
“On the (statistical) detection of adversarial examples,” 2017,
arXiv:1702.06280.
[146] L. Chen, S. Hou, and Y. Ye, “SecureDroid: Enhancing security of
machine learning-based detection against adversarial android mal-
ware attacks,” in Proc. ACM ACSAC, Orlando, FL, USA, Dec. 2017,
pp. 362–372.
[147] D. Li and Q. Li, “Enhancing robustness of deep neural networks against
adversarial malware samples: Principles, framework, and application
to AICS’2019 challenge,” in Proc. AAAI Workshops (AICS), 2019,
pp. 1–9.
[148] A. Athalye, N. Carlini, and D. Wagner, “Obfuscated gradients give a
false sense of security: Circumventing defenses to adversarial exam-
ples,” in Proc. ICML, Stockholm, Sweden, Jul. 2018, pp. 274–283.
[149] N. Carlini and D. Wagner, “Adversarial examples are not easily
detected: Bypassing ten detection methods,” in Proc. ACM AISec,
Dallas, TX, USA, Nov. 2017, pp. 3–14.
[150] R. Podschwadt and H. Takabi, “Effectiveness of adversarial exam-
ples and defenses for malware classification,” in Proc. SecureComm,
Orlando, FL, USA, Oct. 2019, pp. 380–393.
[151] N. Papernot, P. McDaniel, A. Sinha, and M. Wellman, “Towards
the science of security and privacy in machine learning,” 2016,
arXiv:1611.03814.
[152] I. Hubara, M. Courbariaux, D. Soudry, R. El-Yaniv, and Y. Bengio,
“Quantized neural networks: Training neural networks with low
precision weights and activations,” J. Mach. Learn. Res., vol. 18,
pp. 6869–6898, Jan. 2017.
496 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 25, NO. 1, FIRST QUARTER 2023
[153] S. Han et al., “EIE: Efficient inference engine on compressed deep neu-
ral network,” in Proc. IEEE/ACM ISCA, Seoul, South Korea, Jun. 2016,
pp. 243–254.
[154] G. Ian and P. Nicolas. “Is attacking machine learning easier than
defending it?” cleverhans.io. Accessed: Feb. 15, 2017. [Online].
Available: http://www.cleverhans.io/security/privacy/ml/2017/02/15/
why-attacking-machine-learning-is-easier-than-defending-it.html
[155] M. Du, N. Liu, and X. Hu, “Techniques for interpretable machine
learning,” Commun. ACM, vol. 63, no. 1, pp. 68–77, 2019.
Senming Yan (Student Member, IEEE) received the
B.E. degree in software engineering from Xidian
University, China, in 2020. He is currently pursuing
the Ph.D. degree with the Institute of Information
Engineering, Chinese Academy of Sciences, and the
School of Cyber Security, University of Chinese
Academy of Sciences, China. His research interests
include network security, Internet of Things security,
and AI security.
Jing Ren (Member, IEEE) received the B.E. and
Ph.D. degrees in communication engineering from
the University of Electronic Science and Technology
of China (UESTC), Chengdu, China, in 2007
and 2015, respectively, where she is currently an
Instructor and a Research Assistant with Peng Cheng
Laboratory. Her research interests include network
architecture and protocol design, software-defined
networking, and network security.
Wei Wang (Member, IEEE) received the B.S. degree
from Central South University, Changsha, China, in
2010, the M.S. degree from Southeast University,
Nanjing, China, in 2013, and the Ph.D. degree
from The University of New South Wales, Sydney,
Australia, in 2017. From 2018 to 2021, he was
a Postdoctoral Research Fellow with the School
of Electrical Engineering and Telecommunications,
The University of New South Wales. He is cur-
rently a Senior Research Scientist (equivalent to
Associate Professor) with Peng Cheng Laboratory,
Shenzhen, China. His current research interests include millimeter-wave
communications, wireless localization, machine learning for wireless com-
munications, and cyber security. He serves as an Editor of IEEE
W IRELESS C OMMUNICATIONS L ETTERS. He received the IEEE W IRELESS
C OMMUNICATIONS L ETTERS Exemplary Reviewer Award from 2017 to
2019, IEEE T RANSACTIONS ON C OMMUNICATIONS Exemplary Reviewer
Award in 2017, and the Best Paper Award for IEEE/CIC International
Conference on Communications in China in 2016.
Authorized licensed use limited to: Universiti Kuala Lumpur. Downloaded on May 28,2024 at 06:03:47 UTC from IEEE Xplore. Restrictions apply.
Limin Sun received the B.S. and Ph.D. degrees
from the National University of Defense Technology,
Changsha, China, in 1988 and 1998, respec-
tively. He is a Professor with the Institute of
Information Engineering, Chinese Academy of
Sciences, Beijing, China. He is also with the School
of Cyber Security, University of Chinese Academy
of Sciences, Beijing. His research interests include
mobile vehicle networks, Internet of Things security,
and wireless sensor networks.
Wei Zhang (Fellow, IEEE) received the Ph.D.
degree from the Chinese University of Hong Kong
in 2005.
He is currently a Professor with the School of
Electrical Engineering and Telecommunications,
The University of New South Wales, Sydney,
Australia. His current research interests include 5G
and beyond.
Prof. Zhang has served as a member in
various ComSoc boards/standing committees,
including Journals Board, Technical Committee
Recertification Committee, Finance Standing Committee, Information
Technology Committee, Steering Committee of IEEE T RANSACTIONS ON
G REEN C OMMUNICATIONS AND N ETWORKING and Steering Committee of
IEEE N ETWORKING L ETTERS. He currently serves as an Area Editor for the
IEEE T RANSACTIONS ON W IRELESS C OMMUNICATIONS and the Editor-in-
Chief of Journal of Communications and Information Networks. Previously, he
served as an Editor for IEEE T RANSACTIONS ON C OMMUNICATIONS, IEEE
T RANSACTIONS ON W IRELESS C OMMUNICATIONS, IEEE T RANSACTIONS
ON C OGNITIVE C OMMUNICATIONS AND N ETWORKING , and IEEE
J OURNAL ON S ELECTED A REAS IN C OMMUNICATIONS—Cognitive Radio
Series. Within the IEEE ComSoc, he has taken many leadership positions,
including the Chair of Wireless Communications Technical Committee
from 2019 to 2020, the Vice Director of Asia Pacific Board from 2016 to
2021, the Editor-in-Chief of IEEE W IRELESS C OMMUNICATIONS L ETTERS
from 2016 to 2019, the Member-at-Large on the Board of Governors from
2018 to 2020, the Technical Program Committee Chair of APCC 2017 and
ICCC 2019, and the Award Committee Chair of Asia Pacific Board and
Technical Committee on Cognitive Networks. He has been an IEEE ComSoc
Distinguished Lecturer from 2016 to 2017. He is a Vice President of IEEE
Communications Society from 2022 to 2023.
Quan Yu (Senior Member, IEEE) received the B.S.
degree in radio physics from Nanjing University,
China, in 1986, the M.S. degree in radio wave prop-
agation from Xidian University, China, in 1988, and
the Ph.D. degree in fiber optics from the University
of Limoges, France, in 1992. He is currently a
Research Professor with Peng Cheng Laboratory.
His main areas of research interest are the archi-
tecture of wireless networks and cognitive radio.
He is an Academician of the Chinese Academy of
Engineering and the Founding Editor-in-Chief of the
Journal of Communications and Information Networks.