Against All Odds: Winning the Defense Challenge in an Evasion Competition with Diversification

Quiring, Erwin; Pirch, Lukas; Reimsbach, Michael; Arp, Daniel J.; Rieck, Konrad

doi:10.48550/arxiv.2010.09569

Cited by 3 publications

(3 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As the first place in the defender challenge of the Microsoft's 2020 Machine Learning Security Evasion Competition [86], Quiring et al present a combinatorial framework of adversarial defenses -PEberus [104] based on the following three defense methods as follows.…”

Section: Other Defense Methodsmentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

The malware has been being one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against the ever-increasing and ever-evolving threats of malware, tremendous efforts have been made to propose a variety of malware detection methods that attempt to effectively and efficiently detect malware so as to mitigate possible damages as earlier as possible. Recent studies have shown that, one the one hand, existing machine learning (ML) and deep learning (DL) techniques enable the superior detection of newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to confuse the targeted models. Basically, adversarial attacks are initially extensively studied in the domain of computer vision like image classification, and some quickly expanded to other domains, including natural language processing, audio recognition and even malware detection which is extremely critical to computers.In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. We then conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. We conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. In addition, a curated resource list of adversarial attacks and defenses for Windows PE malware detection is also available at https://github.com/ryderling/adversarial-attacks-and-defenses-for-windows-pe-malware-detection. CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; • Theory of computation → Adversarial learning.

show abstract

Section: Other Defense Methodsmentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Several empirical defense methods have been proposed to improve robustness of ML classifiers [23,63]. Íncer Romeo et al [36] compose manually crafted Boolean features with a classifier that is constrained to be monotonically increasing with respect to selected inputs.…”

Section: Related Workmentioning

confidence: 99%

“…Demontis et al [23] show that the sensitivity of linear support vector machines to adversarial perturbations can be reduced by training with ℓ ∞ regularization of weights. In another work, Quiring et al [63] take advantage of heuristic-based semantic gap detectors and an ensemble of feature classifiers to improve empirical robustness. Compared to our work on certified adversarial defenses, these approaches do not provide formal guarantees.…”

Section: Related Workmentioning

confidence: 99%

Certified Robustness of Learning-based Static Malware Detectors

Huang¹,

Marchant²,

Lucas³

et al. 2023

Preprint

View full text Add to dashboard Cite

Certified defenses are a recent development in adversarial machine learning (ML), which aim to rigorously guarantee the robustness of ML models to adversarial perturbations. A large body of work studies certified defenses in computer vision, where ℓ 𝑝 norm-bounded evasion attacks are adopted as a tractable threat model. However, this threat model has known limitations in vision, and is not applicable to other domains-e.g., where inputs may be discrete or subject to complex constraints. Motivated by this gap, we study certified defenses for malware detection, a domain where attacks against ML-based systems are a real and current threat. We consider static malware detection systems that operate on byte-level data. Our certified defense is based on the approach of randomized smoothing which we adapt by: (1) replacing the standard Gaussian randomization scheme with a novel deletion randomization scheme that operates on bytes or chunks of an executable; and(2) deriving a certificate that measures robustness to evasion attacks in terms of generalized edit distance. To assess the size of robustness certificates that are achievable while maintaining high accuracy, we conduct experiments on malware datasets using a popular convolutional malware detection model, MalConv. We are able to accurately classify 91% of the inputs while being certifiably robust to any adversarial perturbations of edit distance 128 bytes or less. By comparison, an existing certification of up to 128 bytes of substitutions (without insertions or deletions) achieves an accuracy of 78%. In addition, given that robustness certificates are conservative, we evaluate practical robustness to several recently published evasion attacks and, in some cases, find robustness beyond certified guarantees. CCS CONCEPTS• Security and privacy → Logic and verification; Malware and its mitigation; • Computing methodologies → Machine learning.

show abstract

Using GANs to Improve the Accuracy of Machine Learning Models for Malware Detection

Simion

Bălan

Gavriluţ

2022

Intelligent Data Engineering and Automated Learning – IDEAL 2022

View full text Add to dashboard Cite

Against All Odds: Winning the Defense Challenge in an Evasion Competition with Diversification

Cited by 3 publications

References 28 publications

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Certified Robustness of Learning-based Static Malware Detectors

Using GANs to Improve the Accuracy of Machine Learning Models for Malware Detection

Contact Info

Product

Resources

About