After analyzing the susceptibility of deep neural networks to adversarial samples, we discover that the current defense mechanisms are limited and, more importantly, cannot provide theoretical guarantees of robustness against adversarial-sample-based attacks
Adversary Resistant Deep Neural Networks with an Application to Malware Detection
KDD, pp.1145-1153, (2017)
Outside the highly publicized victories in the game of Go, there have been numerous successful applications of deep learning in the fields of information retrieval, computer vision, and speech recognition. In cybersecurity, an increasing number of companies have begun exploring the use of deep learning (DL) in a variety of security tasks ...
- Approaches have been introduced that range from signature-based solutions, which compare an unidentified piece of code to known malware, to sandboxing solutions, which execute a file within a virtual environment to determine whether the file is malicious or not.
- Recent research has demonstrated that malware detection approaches based on deep neural networks (DNNs) can recognize abstract, complex patterns from a large number of malware samples.
- Given a target DNN, the authors refer to adversarial samples that are generated from other, different DNN models but still maintain their attack efficacy against the target as cross-model adversarial samples.
- Malware detection has evolved significantly over the past
- Given the observation and analysis above, and going beyond concealing the adversarial space, we argue that an adversary-resistant deep neural network (DNN) model needs to be robust against adversarial samples generated from its best approximation.
- In light of this argument, this paper presents a new adversary-resistant DNN that increases the difficulty of finding its blind spots and "immunizes" itself against adversarial samples generated from its best approximation.
- With certain perturbations added to the data samples, Table 3 first shows that the standard DNN model exhibits poor resistance when classifying adversarial samples.
- We proposed a simple method for constructing deep neural network models that are robust to adversarial samples
- Using our proposed Random Feature Nullification, we have shown that it is impossible for an attacker to craft a specifically designed adversarial sample that can force a DNN to misclassify its inputs. This implies that our proposed technology does not suffer, as previous methods do, from attacks that rely on generating model-specific adversarial samples.
- The authors thoroughly analyze the limited resistance provided by existing defense techniques introduced in Section 3.
- According to [13, 20, 24], existing defense techniques can be generalized as training a standard DNN with various regularization terms.
- This strengthens the previous analysis in Section 4.
- While these mechanisms have been shown to provide a certain resistance to already seen adversarial samples and to so-called "cross-model" adversarial samples, they are even more vulnerable to more specifically crafted adversarial samples.
- The authors examine the generality of the proposed method by applying it to the MNIST and CIFAR-10 image recognition tasks.
- It should be noted that, since the malware samples are highly sparse in the feature space, the authors test the method with the nullification rate varying over a wide range, from 10% to 50%.
- With respect to classification accuracy, the proposed method demonstrates roughly similar performance at the various nullification rates.
- Based on this result, the authors adopted 50% as the feature nullification rate in the experiments that follow.
- Table 1: Sample of manipulated features in the malware dataset. Each feature is a sequence of two events, listed in the order in which they occurred.
- Table 2: Classification accuracy vs. model resistance with various feature nullification rates on the malware dataset.
- Table 3: Classification accuracy vs. model resistance of different learning methods on the malware dataset. Dropout rates are 50% and feature nullification rates are 80%. 'Adv
- Table 4: Classification accuracy vs. model resistance with various feature nullification rates on MNIST and CIFAR-10.
- Table 5: Classification accuracy vs. model resistance with different learning methods, under different φ, for both MNIST and CIFAR-10. In this table, the dropout rate and the feature nullification rate are set to 50% for both datasets.
- Table 6: The hyperparameters of the MNIST models. Note that "standard DNN" stands for a DNN trained without any regularization.
- Table 7: The hyperparameters of the malware models.
- Table 8: The hyperparameters of the CIFAR-10 models; in this experiment a CNN is used instead of a standard DNN.
- Table 9: The network structure of the CIFAR-10 models.
- In order to defend against adversarial samples, recent research has mainly focused on two different approaches: data augmentation and model complexity enhancement. In this section, we summarize these techniques and discuss their limitations.
3.1 Data Augmentation
To resolve the issue of "blind spots" (a more informal name given to adversarial samples), many methods that could be considered sophisticated forms of data augmentation have been proposed (e.g. [9, 11, 20]). In principle, these methods expand the training set by combining known samples with potential blind spots, a process called adversarial training. Here, we analyze the limitations of data augmentation mechanisms and argue that these limitations also apply to adversarial training methods.
Given the high dimensionality of the data distributions that a DNN typically learns from, the input space is generally too broad to be fully explored. This implies that, for each DNN model, there could also be an adversarial space carrying an infinite number of blind spots. Therefore, data-augmentation-based approaches must face the challenge of covering these very large spaces. Since adversarial training is a form of data augmentation, such a tactic cannot hope to cover an infinite space.
- We gratefully acknowledge partial support from the National Science Foundation
Sample features from Table 1 (each feature is an ordered pair of events):
- WINDOWS FILE:Execute:[system]\slc.dll, WINDOWS FILE:Execute:[system]\cryptsp.dll
- WINDOWS FILE:Execute:[system]\wersvc.dll, WINDOWS FILE:Execute:[system]\faultrep.dll
- WINDOWS FILE:Execute:[system]\imm32.dll, WINDOWS FILE:Execute:[system]\wer.dll
- WINDOWS FILE:Execute:[system]\ntmarta.dll, WINDOWS FILE:Execute:[system]\apphelp.dll
- WINDOWS FILE:Execute:[system]\faultrep.dll, WINDOWS FILE:Execute:[system]\imm32.dll
0, indicating a benign program. The dataset is split into 26,078 training examples (14,399 benign software samples and 11,679 malicious software samples) and 6,000 test samples (3,000 benign and 3,000 malicious). The task is to classify whether a given sample is benign or malicious. Adversarial perturbations for malware samples can be computed according to Equation (1).
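An added example, not code from the paper, of how event-pair features of the kind listed in Table 1 can be built from a per-sample event trace. It assumes (these are illustrative choices, not the authors' pipeline) that each sample is an ordered list of event strings, that a feature is a pair of consecutive events in the order they occurred, that the column vocabulary is fixed from the training traces, and that pairs never seen in training are dropped; the traces below are constructed for the example.

```python
"""Event-pair (bigram) features in the style of Table 1 (added example).

Assumptions (not from the paper): a sample is an ordered list of event strings;
a feature is an ordered pair of consecutive events; the vocabulary is fixed from
the training set and unseen pairs are ignored; features are binary by default.
"""
from collections import Counter

# Constructed sample traces; the event strings follow the Table 1 format but the
# traces themselves are made up for this example.
TRACES = {
    "sample_a": [
        r"WINDOWS FILE:Execute:[system]\slc.dll",
        r"WINDOWS FILE:Execute:[system]\cryptsp.dll",
        r"WINDOWS FILE:Execute:[system]\wersvc.dll",
        r"WINDOWS FILE:Execute:[system]\faultrep.dll",
    ],
    "sample_b": [
        r"WINDOWS FILE:Execute:[system]\imm32.dll",
        r"WINDOWS FILE:Execute:[system]\wer.dll",
        r"WINDOWS FILE:Execute:[system]\slc.dll",
        r"WINDOWS FILE:Execute:[system]\cryptsp.dll",
    ],
}


def event_pairs(trace):
    """Ordered pairs of consecutive events; (a, b) and (b, a) are different features."""
    return [(trace[i], trace[i + 1]) for i in range(len(trace) - 1)]


def build_vocabulary(traces):
    """Map every pair seen in the training traces to a column index (sorted, so stable)."""
    pairs = sorted({p for trace in traces.values() for p in event_pairs(trace)})
    return {p: i for i, p in enumerate(pairs)}


def featurize(trace, vocab, binary=True):
    """Sparse row {column: value}; pairs outside the vocabulary are dropped.

    binary=True records presence only, which is what makes the rows sparse 0/1
    vectors; binary=False keeps the occurrence count instead.
    """
    counts = Counter(p for p in event_pairs(trace) if p in vocab)
    return {vocab[p]: (1 if binary else c) for p, c in counts.items()}


def to_dense(sparse, width):
    """Expand a sparse row into the dense vector a DNN input layer expects."""
    row = [0] * width
    for col, val in sparse.items():
        row[col] = val
    return row


def density(sparse, width):
    """Fraction of non-zero columns; real malware rows are far sparser than this toy."""
    return len(sparse) / width


if __name__ == "__main__":
    vocab = build_vocabulary(TRACES)
    for name, trace in TRACES.items():
        row = featurize(trace, vocab)
        print(name, to_dense(row, len(vocab)), "density", density(row, len(vocab)))
```

Reversing a trace yields pairs that are absent from the vocabulary, so the featurizer returns an empty row for it: order is part of the feature, exactly as the Table 1 caption says.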
Note that the nullification rate hyperparameter p is simply an expectation (see the details in Section 4), while the other hyperparameter, σ, is set to 0.05.
The MNIST dataset consists of handwritten digits, ranging from 0 to 9. The dataset is split into a training set of 60,000 samples and a test set of 10,000 samples. The CIFAR-10 dataset consists of 60,000 images, divided into 10 classes. The training split contains 50,000 samples while the test split contains 10,000 samples. Since the samples of the CIFAR-10 dataset are color images, each image is made up of 32×32 pixels where each pixel is represented by three color channels (i.e., RGB).
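The nullification mechanism described above, as an added NumPy sketch that is not the authors' code: a 0/1 mask with a random share of features zeroed is sampled afresh for every forward pass, with the actual rate drawn around the expectation p, so an attacker who differentiates through the network can only do so through a mask of its own, which is the "best approximation" the paper reasons about. The toy logistic unit and its weights, the all-ones binary input, the per-feature budget eps, the Gaussian draw of the rate with σ = 0.05 clipped to [0, 1], and the gradient-sign attack are assumptions made for the example.

```python
"""Random Feature Nullification (RFN), sketched in NumPy as an added example.

Assumptions not taken from the page: the per-sample nullification rate is drawn
from N(p_mean, sigma^2) and clipped to [0, 1]; a fresh mask is sampled on every
forward pass, in training and at test time; the classifier is a single logistic
unit whose weights the attacker knows but whose test-time mask it cannot know.
"""
import numpy as np


def sample_mask(n_features, p_mean, sigma=0.05, rng=None):
    """0/1 mask with round(p * n_features) entries zeroed, p ~ N(p_mean, sigma^2).

    p itself is random, so p_mean is only the expected rate: the attacker cannot
    even know how many features survive, let alone which ones.
    """
    rng = np.random.default_rng() if rng is None else rng
    p = float(np.clip(rng.normal(p_mean, sigma), 0.0, 1.0))
    k = int(round(p * n_features))
    mask = np.ones(n_features)
    mask[rng.choice(n_features, size=k, replace=False)] = 0.0
    return mask


def nullify(x, mask):
    """x ⊙ I_p: nullified features are forced to zero before the first layer."""
    return np.asarray(x, dtype=float) * np.asarray(mask, dtype=float)


def logit(w, b, x, mask):
    """Pre-activation of the logistic unit on the nullified input."""
    return float(np.dot(np.asarray(w, dtype=float), nullify(x, mask)) + b)


def is_malicious(w, b, x, mask):
    return logit(w, b, x, mask) > 0.0


def gradient_sign_perturbation(w, mask, eps):
    """Perturbation the attacker derives from its *own* sampled mask.

    Through that mask, features the mask zeroed have gradient 0, so no budget is
    spent on them. The sign drives the logit down, towards 'benign'.
    """
    grad = np.asarray(w, dtype=float) * np.asarray(mask, dtype=float)
    return -eps * np.sign(grad)


def attack_evades(w, b, x, attacker_mask, deploy_mask, eps):
    """True if the sample crafted under attacker_mask is classified benign when
    the deployed model samples deploy_mask instead."""
    delta = gradient_sign_perturbation(w, attacker_mask, eps)
    return not is_malicious(w, b, np.asarray(x, dtype=float) + delta, deploy_mask)


def surviving_fraction(delta, deploy_mask):
    """Share of the perturbation's L1 mass that a fresh mask lets through."""
    delta = np.asarray(delta, dtype=float)
    total = np.abs(delta).sum()
    return 0.0 if total == 0.0 else float(np.abs(nullify(delta, deploy_mask)).sum() / total)


def evasion_rate(w, b, x, p_mean, eps, trials=200, sigma=0.05, seed=0):
    """Monte-Carlo estimate: attacker and defender draw independent masks each round."""
    rng = np.random.default_rng(seed)
    n = len(x)
    hits = sum(
        attack_evades(w, b, x, sample_mask(n, p_mean, sigma, rng),
                      sample_mask(n, p_mean, sigma, rng), eps)
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    # Constructed toy: 20 binary event-pair features, all present in one malicious
    # sample. Weights are scaled so the RFN-trained unit still fires with half the
    # features removed (clean logit 2 * 10 - 6 = 14 at p = 0.5).
    n = 20
    w, b, x, eps = [2.0] * n, -6.0, [1.0] * n, 1.0
    no_mask = [1.0] * n
    print("standard model evaded:", attack_evades(w, b, x, no_mask, no_mask, eps))
    print("RFN model evasion rate at p=0.5:", evasion_rate(w, b, x, 0.5, eps))
```

With a clean logit of 14, each perturbed feature lowers the logit by 2 only if it also survives the defender's fresh mask; with about half of the attacker's ten perturbed features surviving on average, the margin usually holds, so the Monte-Carlo rate stays far below the certain evasion of the unmasked unit. That rate is a property of this toy, not a result from the paper.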
- Hyrum Anderson, Jonathan Woodbridge, and Bobby Filar. 2016. DeepDGA: Adversarially-Tuned Domain Generation and Detection. arXiv:1610.01969 [cs.CR]
- Matt Wolff and Andrew Davis. 2015. https://www.blackhat.com/docs/us-15/materials/
- Marco Barreno, Blaine Nelson, Anthony D. Joseph, and J. D. Tygar. 2010. The Security of Machine Learning. Mach. Learn. 81, 2 (Nov. 2010), 121–148.
- Konstantin Berlin, David Slater, and Joshua Saxe. 2015. Malicious behavior detection using windows audit logs. In Proceedings of the 8th ACM Workshop on
- Ran Bi. 2015. Deep Learning can be easily fooled. http://www.kdnuggets.com/2015/01/deep-learning-can-be-easily-fooled.html.
- Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Srndic, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. 2013. Evasion Attacks against
- BIZETY 2016. https://www.bizety.com/2016/02/05/
- George Dahl, Jack W. Stokes, Li Deng, and Dong Yu. 2013. Large-Scale Malware Classification Using Random Projections and Neural Networks. In Proceedings
- Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
- Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, and Patrick McDaniel. 2016. Adversarial Perturbations Against Deep Neural Networks for Malware Classi cation. arXiv preprint arXiv:1606.04435 (2016).
- Shixiang Gu and Luca Rigazio. 2014. Towards deep neural network architectures robust to adversarial examples. arXiv:1412.5068 [cs] (2014).
- Mike James. 2014. http://www.i-programmer.info/news/105-artificial-intelligence/
- D.K. Kang, J. Zhang, A. Silvescu, and V. Honavar. 2005. Multinomial event model based abstraction for sequence and text classi cation. Abstraction, Reformulation and Approximation (2005), 901–901.
- Will Knight. 2015. Antivirus That Mimics the Brain Could Catch https://www.technologyreview.com/s/542971/
- Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009).
- Yann LeCun, Corinna Cortes, and Christopher JC Burges. 1998. The MNIST database of handwritten digits. (1998).
- Cade Metz. 2015. https://www.wired.com/2015/11/
- MIT Technology Review 2016. Machine-Learning Algorithm Combs the Darknet for Zero Day Exploits, and Finds Them. MIT Technology Review.
- Linda Musthaler. 2016. How to use deep learning AI to detect and prevent malware and APTs in real-time.
- Alexander G. Ororbia II, C. Lee Giles, and Daniel Kifer. 2016. Unifying Adversarial Training Algorithms with Flexible Deep Data Gradient Regularization. arXiv:1601.07213 [cs] (2016).
- Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. 2016. The limitations of deep learning in adversarial settings. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P).
- Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2015. Distillation as a defense to adversarial perturbations against deep neural networks. arXiv preprint arXiv:1511.04508 (2015).
- Joshua Saxe and Konstantin Berlin. 2015. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. CoRR (2015).
- Nitish Srivastava, Geoffrey E. Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan Salakhutdinov. 2014. Dropout: a simple way to prevent neural networks from overfitting. Journal of Machine Learning Research 15, 1 (2014), 1929–1958.
- Nedim Srndic and Pavel Laskov. 2014. Practical Evasion of a Learning-Based Classifier: A Case Study. In Proceedings of the 2014 IEEE Symposium on Security and Privacy.
- Symantec 2016. Internet Security Threat Report. Symantec. https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.
- Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations.
- Zhenlong Yuan, Yongqiang Lu, Zhaoguo Wang, and Yibo Xue. 2014. Droid-Sec: Deep Learning in Android Malware Detection. In Proceedings of the 2014 ACM