Poster: RPAL-Recovering Malware Classifiers from Data Poisoning using Active Learning

Research output: Chapter in Book/Report/Conference proceeding › Poster abstract › peer-review


Abstract

Intuitively, a poisoned machine learning (ML) model may forget its adversarial manipulation through retraining. But can we quantify the time required for the model to recover? And, from the adversary's perspective, is a small amount of poisoning sufficient to force the defender to retrain significantly more over time? This poster paper proposes RPAL, a new framework for answering these questions in the context of malware detection. To quantify recovery, we propose two new metrics: the intercept, i.e., the first time at which the poisoned model's performance meets the vanilla model's performance; and the recovery rate, i.e., the percentage of time after the intercept during which the poisoned model's performance stays within a tolerance margin of the vanilla model's performance. We conduct experiments on an Android malware dataset (2014-2016) with two feature abstractions, based on Drebin and MaMaDroid, using uncertainty-sampling active learning for retraining and label flipping for poisoning. We use the introduced parameter and metrics to demonstrate (i) how the active learning and poisoning rates affect recovery and (ii) that the feature representation affects recovery.
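The two recovery metrics defined in the abstract can be computed from two per-round performance series (e.g. F1 after each active-learning retraining round) of the vanilla and the poisoned model. The following is an added illustration, not code from the RPAL paper: the function names, the one-sided reading of "within a tolerance margin" (poisoned score at least vanilla score minus the margin), and the sample F1 series are assumptions made here for the example.

```python
"""Intercept and recovery-rate metrics over two performance time series.

Added example (not the paper's own code). Assumptions, labelled here:
  * a series is a list of scores (e.g. F1 in [0, 1]) per retraining round;
  * "intercept" is the first round t with poisoned[t] >= vanilla[t];
  * "within a tolerance margin" is read one-sided:
        poisoned[t] >= vanilla[t] - margin
    since exceeding the vanilla model counts as recovered;
  * "after intercept" means rounds strictly later than the intercept.
"""
from typing import Optional, Sequence


def _check_lengths(vanilla: Sequence[float], poisoned: Sequence[float]) -> None:
    # Both curves must be sampled at the same retraining rounds.
    if len(vanilla) != len(poisoned):
        raise ValueError("vanilla and poisoned series must have equal length")
    if not vanilla:
        raise ValueError("series must be non-empty")


def intercept(vanilla: Sequence[float], poisoned: Sequence[float]) -> Optional[int]:
    """First round at which the poisoned curve reaches the vanilla curve.

    Returns None when the poisoned model never catches up within the
    observed window (the failure mode an attacker is aiming for).
    """
    _check_lengths(vanilla, poisoned)
    for t, (v, p) in enumerate(zip(vanilla, poisoned)):
        if p >= v:
            return t
    return None


def recovery_rate(vanilla: Sequence[float], poisoned: Sequence[float],
                  margin: float = 0.02) -> float:
    """Fraction of rounds after the intercept that stay within `margin`.

    0.0 if there is no intercept, or no rounds follow it.
    """
    _check_lengths(vanilla, poisoned)
    if margin < 0:
        raise ValueError("margin must be non-negative")
    t0 = intercept(vanilla, poisoned)
    if t0 is None or t0 == len(vanilla) - 1:
        return 0.0
    later = range(t0 + 1, len(vanilla))
    recovered = sum(1 for t in later if poisoned[t] >= vanilla[t] - margin)
    return recovered / len(later)


def recovery_report(vanilla: Sequence[float], poisoned: Sequence[float],
                    margin: float = 0.02) -> dict:
    """Bundle both metrics for one poisoning/active-learning setting."""
    return {
        "intercept": intercept(vanilla, poisoned),
        "recovery_rate": recovery_rate(vanilla, poisoned, margin),
        "rounds": len(vanilla),
        "margin": margin,
    }


# Constructed sample F1 curves over 8 retraining rounds (not real results).
VANILLA_F1 = [0.90, 0.91, 0.90, 0.92, 0.91, 0.92, 0.91, 0.92]
POISONED_F1 = [0.70, 0.78, 0.85, 0.92, 0.88, 0.91, 0.93, 0.90]
# A heavier poisoning that never catches up within the window.
NEVER_RECOVERS_F1 = [0.60, 0.65, 0.70, 0.72, 0.75, 0.80, 0.82, 0.85]

if __name__ == "__main__":
    print(recovery_report(VANILLA_F1, POISONED_F1))
    print(recovery_report(VANILLA_F1, NEVER_RECOVERS_F1))
```

With the constructed curves the poisoned model first matches the vanilla model at round 3 and then stays within a 0.02 margin for three of the four remaining rounds, i.e. a recovery rate of 0.75; the heavier poisoning yields no intercept and a rate of 0.0. Comparing these two numbers across poisoning rates and active-learning budgets is exactly the kind of comparison the abstract describes.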
Original language: English
Title of host publication: ACM SIGSAC Conference on Computer and Communications Security (CCS)
Publisher: ACM
Pages: 3561-3563
Number of pages: 3
Edition: 2023
ISBN (Electronic): 979-8-4007-0050-7
DOIs
Publication status: Published - 15 Nov 2023
