Stealing and evading malware classifiers and antivirus at low false positive conditions

Model stealing attacks have been successfully used in many machine learning domains, but there is little understanding of how these work against models that perform malware detection. Malware detection and, general, security domains unique conditions. In particular, are very strong requirements for low false positive rates (FPR). Antivirus products (AVs) use complex systems to steal, binaries continually change, and the whole environment adversarial by nature. This study evaluates active model publicly available stand-alone classifiers also antivirus products. The proposes a new neural network architecture surrogate (dualFFNN) attack combines transfer creation (FFNN-TL). We achieved good surrogates with up 99\% agreement target models, using less than 4% original training dataset. Good AV were trained 99% 4,000 queries. uses best generate evade both AVs (with without an internet connection). Results show can evades targets lower success rate directly malware. Using surrogates, however, still option since generation highly time-consuming easily detected when connected internet.