Table 3 Analysis of evasion attacks based on devised examination criteria

From: Machine learning security and privacy: a review of threats and countermeasures

| Reference | Machine learning model/algorithm | Attack type | Exploited vulnerability | Attacker’s knowledge | Attacker’s goals | Attack severity and impact | Defined threat model | Targeted feature |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| D. Gibert et al. [60], 2023 | Generative adversarial networks | Query-free feature-based attack | Perturbed features in executable | Black box attack | Evade ML detector with malicious executable | ML detectors are vulnerable to evasion by query-free attacks | No | Victim detection decision |
| H. Yan et al. [61], 2023 | Logistic regression, SVM, NB, decision tree, RF, XGBoost, ANN, ensemble model | Label-based evasion attack | Poisoned labeled samples | Black box attack | Transfer adversarially crafted samples to evade | Transfer-based evasion attack is a serious threat to ML and DL | No | Test time precision |
| H. Bostani et al. [62], 2022 | ML-based malware detector | n-gram based attack on malware classifier | Transform malware samples into benign with n-gram based incremental strategy | Black box attack with model query access | Misclassification of Android malware detector | DNNs are more affected by evading surrogate models compared to a linear SVM-based classifier | Yes | Test time prediction |
| Md. A. Ayub et al. [28], 2020 | Multi-layer perceptron network | Jacobian-based saliency map attack | Iterative approach to insert perturbation near sensitive feature of benign samples | White box attack | Misclassify malicious sample as benign in IDS | Multi-layer perceptrons can be exploited by an evasion attack with minimal knowledge of the model | No | Test time prediction |
| Y. Shi et al. [63], 2017 | Naïve Bayes classifier | Evasion attack with feed-forward neural networks | Feed poisoned samples with DL score under computed attack region | Exploratory black box attack | Misclassify test data samples | Controlled perturbations to labels and classification boundary may limit adversarial impact on DL | Yes | Model availability |