Adversarial EXEmples

Demetrio, Luca; Coull, Scott E.; Biggio, Battista; Lagorio, Giovanni; Armando, Alessandro; Roli, Fabio

doi:10.1145/3473039

Cited by 73 publications

(55 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By varying the aggressiveness of smoothing we examine tradeoffs between robustness certification and accuracy. We find that it is possible to maintain a high accuracy of 91% while guaranteeing robustness to adversarial edits of up to 128 bytes on average, which exceeds edit distances of two published evasion attacks [20,22]. This suggests potential for operationalizing certifications of static malware detection, in some cases.…”

Section: Introductionmentioning

confidence: 85%

“…The certified radii we observe are close to the best radii theoretically achievable using our mechanism. For the Levenshtein byte-level edit distance threat model, we obtain radii of a few hundred bytes in size, which can certifiably defend against attacks that edit headers of PE files [20,22,57]. However, certifying robustness against more powerful attacks that modify thousands or millions of bytes remains an open challenge.…”

Section: Discussionmentioning

confidence: 99%

“…To ensure the attacked file x is useful after evading detection, we require that it is functionallyequivalent to the original file x. We focus on evasion attacks that misclassify malware as benign in our experiments, as these attacks dominate prior work [22]. However, for generality we also consider attacks in the opposite direction-where a benign file is misclassified as malicious-when outlining our threat model and deriving robustness certificates.…”

Section: Threat Modelmentioning

confidence: 99%

See 2 more Smart Citations

Certified Robustness of Learning-based Static Malware Detectors

Huang¹,

Marchant²,

Lucas³

et al. 2023

Preprint

View full text Add to dashboard Cite

Certified defenses are a recent development in adversarial machine learning (ML), which aim to rigorously guarantee the robustness of ML models to adversarial perturbations. A large body of work studies certified defenses in computer vision, where ℓ 𝑝 norm-bounded evasion attacks are adopted as a tractable threat model. However, this threat model has known limitations in vision, and is not applicable to other domains-e.g., where inputs may be discrete or subject to complex constraints. Motivated by this gap, we study certified defenses for malware detection, a domain where attacks against ML-based systems are a real and current threat. We consider static malware detection systems that operate on byte-level data. Our certified defense is based on the approach of randomized smoothing which we adapt by: (1) replacing the standard Gaussian randomization scheme with a novel deletion randomization scheme that operates on bytes or chunks of an executable; and(2) deriving a certificate that measures robustness to evasion attacks in terms of generalized edit distance. To assess the size of robustness certificates that are achievable while maintaining high accuracy, we conduct experiments on malware datasets using a popular convolutional malware detection model, MalConv. We are able to accurately classify 91% of the inputs while being certifiably robust to any adversarial perturbations of edit distance 128 bytes or less. By comparison, an existing certification of up to 128 bytes of substitutions (without insertions or deletions) achieves an accuracy of 78%. In addition, given that robustness certificates are conservative, we evaluate practical robustness to several recently published evasion attacks and, in some cases, find robustness beyond certified guarantees. CCS CONCEPTS• Security and privacy → Logic and verification; Malware and its mitigation; • Computing methodologies → Machine learning.

show abstract

Section: Introductionmentioning

confidence: 85%

Section: Discussionmentioning

confidence: 99%

Section: Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

Certified Robustness of Learning-based Static Malware Detectors

Huang¹,

Marchant²,

Lucas³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Our work is dedicated to detecting query-based black-box attacks and the function of this module is to reproduce typical query-based black-box attacks. Since malware adversarial attacks were investigated later than image adversarial attacks and most of the AEs are generated on feature vectors or substitute models [28,[36][37][38][39][40], there are not many query-based black-box attack methods that can generate real AE files and publish open source codes [14,15,41,42]. We choose two advanced score-based black-box attack frameworks [14,15].…”

Section: Reproduce Black-box Attacksmentioning

confidence: 99%

MalDBA: Detection for Query-Based Malware Black-Box Adversarial Attacks

et al. 2023

View full text Add to dashboard Cite

The increasing popularity of Industry 4.0 has led to more and more security risks, and malware adversarial attacks emerge in an endless stream, posing great challenges to user data security and privacy protection. In this paper, we investigate the stateful detection method for artificial intelligence deep learning-based malware black-box attacks, i.e., determining the presence of adversarial attacks rather than detecting whether the input samples are malicious or not. To this end, we propose the MalDBA method for experiments on the VirusShare dataset. We find that query-based black-box attacks produce a series of highly similar historical query results (also known as intermediate samples). By comparing the similarity among these intermediate samples and the trend of prediction scores returned by the detector, we can detect the presence of adversarial samples in indexed samples and thus determine whether an adversarial attack has occurred, and then protect user data security and privacy. The experimental results show that the attack detection rate can reach 100%. Compared to similar studies, our method does not require heavy feature extraction tasks or image conversion and can be operated on complete PE files without requiring a strong hardware platform.

show abstract

“…[46] proposed an adaptable white-box threat that is conscious of the defense mechanism and tries to overcome it. [47] Moreover, they spoke about the restrictions of their methodology and how it may be improved in the future to attack malware classifications based on the dynamic assessment. [48] generated a series of problem-space modifications that produce UAPs in the appropriate feature-space embedding and analyzed their performance across attack models of various rates of actual attacker information.…”

Section: Related Workmentioning

confidence: 99%

Fast and Robust Detection of Adversarial Attacks in the Problem Space using Machine Learning

Naseem

Sehar

2022

Preprint

View full text Add to dashboard Cite

Machine learning is widely accepted as an accurate statistical approach for malware detection to cope with the rising uncertainty risk and complexity of modern intrusions. Not only has machine learning security been asked, but it has also been challenged in the past. However, it has been identified that machine learning contains intrinsic weaknesses that may be exploited to avoid detection during testing. So, look at it another way, machine learning can become an intelligence system bottleneck. We use the related attack methodology to classify different types of attacks using learning-based malware detection techniques in this research by evaluating attackers with unique abilities and talents. After this, to carefully identify the security of Drebin, Android malware detection has been performed. We implemented and did a set of comparable malware detection using the linear SVM and other relevant techniques, including Sec-SVM, Reduced SVM, Reduced Sec-SVM, Na ̈ıve Bayes, Random Forest Classifier, and some deep neural networks. The main agenda of this paper is the presentation of a scalable and straightforward securelearning methodology that reduces the effect of adversarial attacks. In the presence of an attack, the detection accuracy is only a bit worsened. Finally, we evaluate that our robust technique may be accurately adapted to additional intrusion prevention tasks.

show abstract

Adversarial EXEmples

Cited by 73 publications

References 19 publications

Certified Robustness of Learning-based Static Malware Detectors

Certified Robustness of Learning-based Static Malware Detectors

MalDBA: Detection for Query-Based Malware Black-Box Adversarial Attacks

Fast and Robust Detection of Adversarial Attacks in the Problem Space using Machine Learning

Contact Info

Product

Resources

About