Outside the explosive successful applications of deep learning (DL) in natural language processing, computer vision, and information retrieval, there have been numerous Deep Neural Networks (DNNs) based alternatives for common security-related scenarios with malware detection among more popular. Recently, adversarial learning has gained much focus. However, unlike computer vision applications, malware adversarial attack is expected to guarantee malwares’ original maliciousness semantics. This paper proposes a novel adversarial instruction learning technique, DeepMal, based on an adversarial instruction learning approach for static malware detection. So far as we know, DeepMal is the first practical and systematical adversarial learning method, which could directly produce adversarial samples and effectively bypass static malware detectors powered by DL and machine learning (ML) models while preserving attack functionality in the real world. Moreover, our method conducts small-scale attacks, which could evade typical malware variants analysis (e.g., duplication check). We evaluate DeepMal on two real-world datasets, six typical DL models, and three typical ML models. Experimental results demonstrate that, on both datasets, DeepMal can attack typical malware detectors with the mean F1-score and F1-score decreasing maximal 93.94% and 82.86% respectively. Besides, three typical types of malware samples (Trojan horses, Backdoors, Ransomware) prove to preserve original attack functionality, and the mean duplication check ratio of malware adversarial samples is below 2.0%. Besides, DeepMal can evade dynamic detectors and be easily enhanced by learning more dynamic features with specific constraints.

除了深度学习（DL）在自然语言处理，计算机视觉和信息检索方面的爆炸性成功应用之外，还有许多基于深度神经网络（DNN）的替代方法可用于常见的与安全性相关的场景，其中恶意软件检测更为流行。近来，对抗学习已成为人们关注的焦点。但是，与计算机视觉应用程序不同，恶意软件对抗攻击有望保证恶意软件的原始恶意语义。本文提出了一种基于对抗指令学习方法的静态对抗恶意软件检测的新型对抗指令学习技术DeepMal。据我们所知，DeepMal是第一种实用且系统的对抗性学习方法，它可以直接生成对抗性样本，并有效绕过由DL和机器学习（ML）模型提供支持的静态恶意软件检测器，同时保留现实世界中的攻击功能。此外，我们的方法会进行小规模的攻击，从而可能逃避典型的恶意软件变体分析（例如，重复检查）。我们在两个真实的数据集，六个典型的DL模型和三个典型的ML模型上评估DeepMal。实验结果表明，在这两个数据集上，DeepMal均可以攻击典型的恶意软件检测器 和三种典型的ML模型。实验结果表明，在这两个数据集上，DeepMal均可以攻击典型的恶意软件检测器 和三种典型的ML模型。实验结果表明，在这两个数据集上，DeepMal均可以攻击典型的恶意软件检测器F1分数和F1分数分别下降最大93.94％和82.86％。此外，三种典型的恶意软件样本（特洛伊木马，后门程序，勒索软件）被证明可以保留原始攻击功能，恶意软件对抗性样本的平均重复检查率低于2.0％。此外，DeepMal可以逃避动态检测器，并且可以通过学习具有特定约束的更多动态功能轻松地进行增强。