Certified Adversarial Robustness of Machine Learning-based Malware Detectors via (De)Randomized Smoothing (2405.00392v1)
Abstract: Deep learning-based malware detectors are vulnerable to adversarial EXEmples, carefully crafted malicious programs that evade detection after minimal perturbation. The community is therefore developing defenses against adversarial EXEmples, but current randomized smoothing-based defenses remain vulnerable to attacks that inject blocks of adversarial content. In this paper, we introduce a certifiable defense against patch attacks that guarantees, for a given executable and adversarial patch size, that no adversarial EXEmple exists. Our method is inspired by (de)randomized smoothing, which provides deterministic robustness certificates. During training, a base classifier is trained on subsets of contiguous bytes. At inference time, our defense splits the executable into non-overlapping chunks, classifies each chunk independently, and computes the final prediction by majority voting, which bounds the influence of injected content. Furthermore, we introduce a preprocessing step that fixes the size of sections and headers to a multiple of the chunk size. As a consequence, injected content is confined to an integer number of chunks and cannot tamper with the chunks containing the real bytes of the input, which allows us to extend our certified robustness guarantees to content insertion attacks. We perform an extensive ablation study comparing our defense with randomized smoothing-based defenses across a range of content manipulation attacks and neural network architectures. Results show that our method is markedly more robust to strong content-insertion attacks, outperforming the randomized smoothing-based defenses in the literature.
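The chunk-voting scheme and the certificate it yields, as an added Python example that is not the paper's code or model. The per-chunk base classifier is a constructed byte-entropy stand-in so the block runs offline; the chunk size, pad byte and sample sections are assumptions; and the vote-counting bounds are the standard (de)randomized smoothing argument restated for non-overlapping byte chunks, not the paper's exact theorem. It shows the alignment preprocessing, majority voting with conservative tie-breaking, and why an aligned insertion budget certifies more bytes than an unaligned overwrite of the same size.

```python
"""Chunk-voting malware detector with a deterministic (de)randomized-smoothing certificate.

Added illustration, not the paper's code. The base classifier is a constructed
byte-entropy stand-in so the block runs offline; CHUNK, the pad byte and the sample
sections are assumptions; the vote-counting bounds are the standard de-randomized
smoothing argument restated for non-overlapping byte chunks.
"""
import math
from collections import Counter
from typing import Callable, List, Sequence, Tuple

CHUNK = 16                 # bytes per chunk (assumption; real detectors use much larger chunks)
MALWARE, BENIGN = 1, 0


def shannon_entropy(b: bytes) -> float:
    """Bits per byte of b (0.0 for the empty chunk)."""
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values()) if n else 0.0


def toy_base_classifier(chunk: bytes) -> int:
    """Constructed stand-in for the trained per-chunk model: high entropy => MALWARE.
    The certificate below depends only on vote counts, not on this particular rule."""
    return MALWARE if shannon_entropy(chunk) > 3.0 else BENIGN


def align_sections(sections: Sequence[bytes], chunk: int = CHUNK, pad: bytes = b"\x00") -> bytes:
    """Preprocessing step: pad each header/section to a multiple of the chunk size.
    Every section then starts on a chunk boundary, so content injected as padding or
    as a new section forms whole new chunks and leaves the original chunks untouched."""
    out = bytearray()
    for s in sections:
        out += s + pad * (-len(s) % chunk)
    return bytes(out)


def split_chunks(data: bytes, chunk: int = CHUNK) -> List[bytes]:
    """Non-overlapping chunks; the last one may be short if data is not aligned."""
    return [data[i:i + chunk] for i in range(0, len(data), chunk)]


def smoothed_predict(data: bytes, clf: Callable[[bytes], int] = toy_base_classifier,
                     chunk: int = CHUNK) -> Tuple[int, int, int]:
    """Majority vote over chunks. Ties go to BENIGN, the conservative choice for a
    detector (the attacker only needs a tie to evade). Returns (label, n_mal, n_ben)."""
    votes = Counter(clf(c) for c in split_chunks(data, chunk))
    n_mal, n_ben = votes[MALWARE], votes[BENIGN]
    return (MALWARE if n_mal > n_ben else BENIGN), n_mal, n_ben


def max_chunks_hit(patch_bytes: int, chunk: int = CHUNK, aligned: bool = False) -> int:
    """Upper bound on the chunk votes an attacker controlling p contiguous bytes can change.
    Unaligned overwrite: the patch may straddle a chunk boundary at both ends, so at most
    floor((p + c - 2) / c) + 1 chunks are hit. Aligned insertion: ceil(p / c) new chunks."""
    if patch_bytes <= 0:
        return 0
    if aligned:
        return math.ceil(patch_bytes / chunk)
    return (patch_bytes + chunk - 2) // chunk + 1


def certify_patch(data: bytes, patch_bytes: int, clf: Callable[[bytes], int] = toy_base_classifier,
                  chunk: int = CHUNK) -> Tuple[int, bool]:
    """Overwrite (patch) attack: each hit chunk can move one vote to the other class,
    so the margin shrinks by 2 per hit chunk. Returns (label, certified)."""
    label, n_mal, n_ben = smoothed_predict(data, clf, chunk)
    k = max_chunks_hit(patch_bytes, chunk, aligned=False)
    if label == MALWARE:
        return label, n_mal - k > n_ben + k
    return label, n_ben - k >= n_mal + k


def certify_insertion(sections: Sequence[bytes], inserted_bytes: int,
                      clf: Callable[[bytes], int] = toy_base_classifier,
                      chunk: int = CHUNK) -> Tuple[int, bool]:
    """Insertion attack on the aligned executable: original chunks keep their votes and
    the attacker only adds k = ceil(p / c) chunks, all voting against the current label."""
    label, n_mal, n_ben = smoothed_predict(align_sections(sections, chunk), clf, chunk)
    k = max_chunks_hit(inserted_bytes, chunk, aligned=True)
    if label == MALWARE:
        return label, n_mal > n_ben + k
    return label, n_ben >= n_mal + k


# Constructed sample: a 34-byte low-entropy "header" and a 144-byte high-entropy "section".
SAMPLE_SECTIONS = [b"MZ" + b"\x00" * 32, bytes(range(144))]

if __name__ == "__main__":
    exe = align_sections(SAMPLE_SECTIONS)                  # 48 + 144 = 192 bytes, 12 chunks
    print("prediction, votes:", smoothed_predict(exe))   # (1, 9, 3): 9 malware vs 3 benign chunks
    for p in (17, 18):
        print(f"overwrite of {p} bytes certified:", certify_patch(exe, p)[1])
    for p in (80, 81):
        print(f"insertion of {p} bytes certified:", certify_insertion(SAMPLE_SECTIONS, p)[1])
    # Worst-case injected section (all benign-looking zero chunks) inside the certified budget
    attacked = align_sections(SAMPLE_SECTIONS + [b"\x00" * 80])
    print("label after 80-byte injection:", smoothed_predict(attacked)[0])  # still MALWARE
```

On the sample, 9 chunks vote malware and 3 vote benign. An unaligned overwrite can straddle a chunk boundary at each end and flips votes rather than adding them, so each hit chunk costs two units of margin and only 17 bytes are certified. After alignment, an insertion can only append whole chunks that vote benign, leaving the 9 malware votes intact, so 80 bytes (5 chunks) are certified and a 96-byte zero-filled injection is exactly what breaks the vote to a tie. The bound is sound only under the threat model it encodes: an attacker confined to the stated byte budget, and a base classifier whose votes on untouched chunks do not change.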