In brief

After analyzing deep neural networks' susceptibility to adversarial samples, we discover that the current defense mechanisms are limited and, more importantly, cannot provide theoretical guarantees of robustness against adversarial sample-based attacks.

Adversary Resistant Deep Neural Networks with an Application to Malware Detection

KDD 2017, pp. 1145-1153

Cited by 127 | Viewed 130 | EI

Abstract

Outside the highly publicized victories in the game of Go, there have been numerous successful applications of deep learning in the fields of information retrieval, computer vision, and speech recognition. In cybersecurity, an increasing number of companies have begun exploring the use of deep learning (DL) in a variety of security tasks …

Introduction
  • Approaches have been introduced that range from signature-based solutions, which compare an unidentified piece of code to known malware, to sandboxing solutions, which execute a file within a virtual environment to determine whether the file is malicious.
  • Recent research has demonstrated that malware detection approaches based on deep neural networks (DNNs) can recognize abstract, complex patterns from a large number of malware samples.
  • Given a target DNN, the authors refer to adversarial samples that are generated from other, different DNN models but still maintain their attack efficacy against the target as cross-model adversarial samples.
Highlights
  • Malware detection has evolved significantly over the past …
  • Given the observation and analysis above, and going beyond concealing the adversarial space, we argue that an adversary-resistant deep neural network (DNN) model needs to be robust against adversarial samples generated from its best approximation.
  • In light of this argument, this paper presents a new adversary-resistant DNN that increases the difficulty of finding its blind spots and "immunizes" itself against adversarial samples generated from its best approximation.
  • With certain perturbations added to the data samples, Table 3 first shows that the standard DNN model exhibits poor resistance when classifying adversarial samples.
  • We proposed a simple method for constructing deep neural network models that are robust to adversarial samples.
  • Using our proposed Random Feature Nullification (RFN), we have shown that it is impossible for an attacker to craft a specifically designed adversarial sample that can force a DNN to misclassify its inputs. This implies that our proposed technique does not suffer, as previous methods do, from attacks that rely on generating model-specific adversarial samples (a minimal illustrative sketch of RFN follows this list).
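
The following is a rough sketch of the random feature nullification idea summarized above, written in NumPy. The function name, argument names, and the per-example sampling of the nullification rate around its expectation p (with spread sigma) are our own illustrative choices based on this page's description, not the authors' code.

    import numpy as np

    def random_feature_nullification(x, p=0.5, sigma=0.05, rng=None):
        """Zero out a randomly chosen fraction of features per example.

        Illustrative sketch only: the fraction is drawn around the expected
        nullification rate p, then that many feature positions are nulled.
        """
        rng = np.random.default_rng() if rng is None else rng
        x = np.atleast_2d(np.asarray(x, dtype=float))
        masked = x.copy()
        n_features = x.shape[1]
        for i in range(x.shape[0]):
            rate = float(np.clip(rng.normal(p, sigma), 0.0, 1.0))
            k = int(round(rate * n_features))
            drop = rng.choice(n_features, size=k, replace=False)
            masked[i, drop] = 0.0
        return masked

    # Toy usage: nullify roughly half of the features of two random inputs.
    x = np.random.rand(2, 10)
    print(random_feature_nullification(x, p=0.5))

Because the nullified positions are redrawn at random for every input, an attacker working against any fixed approximation of the model cannot know which features will survive for a given sample, which is the intuition behind the resistance claimed above.
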
Methods
  • The authors thoroughly analyze the limited resistance provided by the existing defense techniques introduced in Section 3.
  • According to [13, 20, 24], existing defense techniques can be generalized as training a standard DNN with various regularization terms (an illustrative formulation is sketched after this list).
  • With certain perturbations added to the data samples, Table 3 first shows that the standard DNN model exhibits poor resistance when classifying adversarial samples.
  • This strengthens the previous analysis in Section 4.
  • These mechanisms have been shown to provide some resistance to already-seen adversarial samples and so-called 'cross-model' adversarial samples [6], but they are even more vulnerable to adversarial samples crafted specifically against them.
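
The "defenses as regularization" view above can be written compactly. The notation below is ours, not the paper's: J is the standard training loss, Omega a defense-specific penalty with weight lambda, and the second line shows adversarial training [9] as one instance, where the penalty is simply the loss on a perturbed copy of each input.

    % Illustrative notation only (not taken from the paper).
    \min_{\theta}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}
        \left[ J(\theta, x, y) + \lambda\, \Omega(\theta, x, y) \right]

    % Adversarial training as one instance, with a mixing weight \alpha:
    \min_{\theta}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}
        \left[ \alpha\, J(\theta, x, y) + (1-\alpha)\, J(\theta, x + \delta_x, y) \right]
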
Results
  • The authors examine the generality of the proposed method by applying it to the MNIST and CIFAR-10 image recognition tasks.
  • It should be noted that, since the malware samples are highly sparse in the feature space, the authors test the method with the nullification rate varying over a wide range, from 10% to 50% (a toy illustration of this setting follows this list).
  • With respect to classification accuracy, the proposed method demonstrates roughly similar performance at the various nullification rates.
  • Based on this result, the authors adopted 50% as the feature nullification rate in the experiments that follow.
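
As a toy illustration of how the nullification rate interacts with a sparse feature space like the malware dataset described below, the NumPy snippet here zeroes a fraction p of the positions of a sparse binary vector and reports how many active features survive; the dimensionality and sparsity level are made up for illustration.

    import numpy as np

    rng = np.random.default_rng(0)

    # Hypothetical sparse binary "malware feature vector": 10,000 features, ~1% active.
    x = (rng.random(10_000) < 0.01).astype(float)

    for p in (0.1, 0.2, 0.3, 0.4, 0.5):
        drop = rng.choice(x.size, size=int(p * x.size), replace=False)
        x_nulled = x.copy()
        x_nulled[drop] = 0.0
        print(f"p={p:.1f}: active features {int(x.sum())} -> {int(x_nulled.sum())}")

On average a fraction (1 - p) of the active features survives, so even at a 50% nullification rate a sparse sample keeps roughly half of its informative features, which is consistent with the roughly stable accuracy reported above.
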
Conclusion
  • The authors proposed a simple method for constructing deep neural network models that are robust to adversarial samples.
  • Using the proposed Random Feature Nullification, the authors have shown that it is impossible for an attacker to craft a specifically designed adversarial sample that can force a DNN to misclassify its inputs.
  • This implies that the proposed technique does not suffer, as previous methods do, from attacks that rely on generating model-specific adversarial samples.
Tables
  • Table 1: Sample of manipulated features in the malware dataset, where each row contains a sequence of two events that happened in the same order as displayed
  • Table 2: Classification accuracy vs. model resistance with various feature nullification rates on a malware dataset
  • Table 3: Classification accuracy vs. model resistance of different learning methods on the malware dataset. Dropout rates are 50% and feature nullification rates are 80%. 'Adv …
  • Table 4: Classification accuracy vs. model resistance with various feature nullification rates on MNIST and CIFAR-10
  • Table 5: Classification accuracy vs. model resistance with different learning methods, under different φ, for both MNIST and CIFAR-10. In this table, dropout rates and feature nullification rates are set to 50% for both datasets
  • Table 6: The hyperparameters of the MNIST models. Note that standard DNN stands for a DNN trained without any regularization
  • Table 7: The hyperparameters of the malware models
  • Table 8: The hyperparameters of the CIFAR-10 models; in this experiment a CNN is used instead of a standard DNN
  • Table 9: The network structure of the CIFAR-10 models
Related Work
  • In order to defend against adversarial samples, recent research has mainly focused on two different approaches: data augmentation and model complexity enhancement. In this section, we summarize these techniques and discuss their limitations as follows.

    3.1 Data Augmentation

    To resolve the issue of "blind spots" (a more informal name given to adversarial samples), many methods that could be considered sophisticated forms of data augmentation have been proposed (e.g., [9, 11, 20]). In principle, these methods expand the training set by combining known samples with potential blind spots, a process called adversarial training [9]. Here, we analyze the limitations of data augmentation mechanisms and argue that these limitations also apply to adversarial training methods.

    Given the high dimensionality of the data distributions that a DNN typically learns from, the input space is generally too broad to be fully explored [9]. This implies that, for each DNN model, there could also be an adversarial space carrying an infinite number of blind spots. Therefore, data augmentation based approaches must face the challenge of covering these very large spaces. Since adversarial training is a form of data augmentation, such a tactic cannot possibly hope to cover an infinite space.
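
To make the "adversarial training as data augmentation" view above concrete, here is a self-contained toy sketch that augments each training pass with fast-gradient-sign perturbations [9]. A logistic-regression model is used only because its input gradient has a one-line closed form; the paper itself works with DNNs, and all names, data, and the value of eps here are illustrative.

    import numpy as np

    rng = np.random.default_rng(0)

    def sigmoid(z):
        return 1.0 / (1.0 + np.exp(-z))

    # Toy two-class data: two Gaussian blobs in 20 dimensions.
    X = np.vstack([rng.normal(-1.0, 1.0, (200, 20)), rng.normal(1.0, 1.0, (200, 20))])
    y = np.concatenate([np.zeros(200), np.ones(200)])

    w, b, lr, eps = np.zeros(20), 0.0, 0.1, 0.25

    for epoch in range(50):
        # Craft adversarial copies of the clean data: x_adv = x + eps * sign(dJ/dx),
        # where dJ/dx = (sigmoid(w.x + b) - y) * w for the logistic loss.
        grad_x = (sigmoid(X @ w + b) - y)[:, None] * w[None, :]
        X_adv = X + eps * np.sign(grad_x)

        # Data augmentation: train on the union of clean and adversarial samples.
        X_aug = np.vstack([X, X_adv])
        y_aug = np.concatenate([y, y])

        err = sigmoid(X_aug @ w + b) - y_aug
        w -= lr * (X_aug.T @ err) / len(y_aug)
        b -= lr * err.mean()

    print("clean training accuracy:", ((sigmoid(X @ w + b) > 0.5) == y).mean())

As the surrounding text argues, such augmentation only covers the particular blind spots generated during training; it gives no guarantee about the infinitely many perturbations that were never sampled.
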
Funding
  • We gratefully acknowledge partial support from the National Science Foundation
Study Subjects and Analysis
benign software samples: 14,399
Example manipulated features (each a sequence of two events, as in Table 1): WINDOWS FILE:Execute:[system]\slc.dll, WINDOWS FILE:Execute:[system]\cryptsp.dll; WINDOWS FILE:Execute:[system]\wersvc.dll, WINDOWS FILE:Execute:[system]\faultrep.dll; WINDOWS FILE:Execute:[system]\imm32.dll, WINDOWS FILE:Execute:[system]\wer.dll; WINDOWS FILE:Execute:[system]\ntmarta.dll, WINDOWS FILE:Execute:[system]\apphelp.dll; WINDOWS FILE:Execute:[system]\faultrep.dll, WINDOWS FILE:Execute:[system]\imm32.dll. A label of 0 indicates a benign program. The dataset is split into 26,078 training examples (14,399 benign and 11,679 malicious software samples) and 6,000 testing samples (3,000 benign and 3,000 malicious). The task is to classify whether a given sample is benign or malicious. Adversarial perturbations for malware samples can be computed according to Equation (1).
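
Equation (1) itself is not reproduced on this page. For context, adversarial perturbations of this kind are commonly written in the fast-gradient-sign form of [9]; the notation below is ours and only indicates the general shape of such a perturbation, not the paper's exact equation:

    \delta_x = \epsilon \cdot \operatorname{sign}\!\left( \nabla_x J(\theta, x, y) \right),
    \qquad \hat{x} = x + \delta_x

For binary malware features, such perturbations are typically restricted to flipping a small number of feature values so that the modified sample remains a valid program, as discussed in work such as [10].
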

samples: 60,000
Note that the nullification rate hyperparameter p is simply an expectation (see details in Section 4), while the other hyperparameter σ is set to 0.05. The MNIST dataset consists of handwritten digits, ranging from 0 to 9; it is split into a training set of 60,000 samples and a test set of 10,000 samples. The CIFAR-10 dataset consists of 60,000 images divided into 10 classes; the training split contains 50,000 samples and the test split contains 10,000 samples.

samples: 50,000
Since the CIFAR-10 samples are color images, each image is made up of 32×32 pixels, where each pixel is represented by three color channels (i.e., RGB). As noted above, the CIFAR-10 training split contains 50,000 samples and the test split contains 10,000 samples.

References
  • [1] Hyrum Anderson, Jonathan Woodbridge, and Bobby Filar. 2016. DeepDGA: Adversarially-Tuned Domain Generation and Detection. arXiv:1610.01969 [cs.CR].
  • [2] Matt Wolff and Andrew Davis. 2015. https://www.blackhat.com/docs/us-15/materials/
  • [3] Marco Barreno, Blaine Nelson, Anthony D. Joseph, and J. D. Tygar. 2010. The Security of Machine Learning. Mach. Learn. 81, 2 (Nov. 2010), 121–148.
  • [4] Konstantin Berlin, David Slater, and Joshua Saxe. 2015. Malicious behavior detection using windows audit logs. In Proceedings of the 8th ACM Workshop on
  • [5] Ran Bi. 2015. Deep Learning can be easily fooled. http://www.kdnuggets.com/2015/01/deep-learning-can-be-easily-fooled.html.
  • [6] Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Srndic, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. 2013. Evasion Attacks against
  • [7] BIZETY. 2016. https://www.bizety.com/2016/02/05/
  • [8] George Dahl, Jack W. Stokes, Li Deng, and Dong Yu. 2013. Large-Scale Malware Classification Using Random Projections and Neural Networks. In Proceedings
  • [9] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
  • [10] Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, and Patrick McDaniel. 2016. Adversarial Perturbations Against Deep Neural Networks for Malware Classification. arXiv preprint arXiv:1606.04435 (2016).
  • [11] Shixiang Gu and Luca Rigazio. 2014. Towards deep neural network architectures robust to adversarial examples. arXiv:1412.5068 [cs] (2014).
  • [12] Mike James. 2014. http://www.i-programmer.info/news/105-artificial-intelligence/
  • [13] D. K. Kang, J. Zhang, A. Silvescu, and V. Honavar. 2005. Multinomial event model based abstraction for sequence and text classification. Abstraction, Reformulation and Approximation (2005), 901–901.
  • [14] Will Knight. 2015. Antivirus That Mimics the Brain Could Catch https://www.technologyreview.com/s/542971/
  • [15] Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009).
  • [16] Yann LeCun, Corinna Cortes, and Christopher J. C. Burges. 1998. The MNIST database of handwritten digits. (1998).
  • [17] Cade Metz. 2015. https://www.wired.com/2015/11/
  • [18] MIT Technology Review. 2016. Machine-Learning Algorithm Combs the Darknet for Zero Day Exploits, and Finds Them. MIT Technology Review.
  • [19] Linda Musthaler. 2016. How to use deep learning AI to detect and prevent malware and APTs in real-time.
  • [20] Alexander G. Ororbia II, C. Lee Giles, and Daniel Kifer. 2016. Unifying Adversarial Training Algorithms with Flexible Deep Data Gradient Regularization. arXiv:1601.07213 [cs] (2016).
  • [21] Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. 2016. The limitations of deep learning in adversarial settings. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P).
  • [22] Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2015. Distillation as a defense to adversarial perturbations against deep neural networks. arXiv preprint arXiv:1511.04508 (2015).
  • [23] Joshua Saxe and Konstantin Berlin. 2015. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. CoRR (2015).
  • [24] Nitish Srivastava, Geoffrey E. Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan Salakhutdinov. 2014. Dropout: a simple way to prevent neural networks from overfitting. Journal of Machine Learning Research 15, 1 (2014), 1929–1958.
  • [25] Nedim Srndic and Pavel Laskov. 2014. Practical Evasion of a Learning-Based Classifier: A Case Study. In Proceedings of the 2014 IEEE Symposium on Security and Privacy.
  • [26] Symantec. 2016. Internet Security Threat Report. Symantec. https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.
  • [27] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations.
  • [28] Zhenlong Yuan, Yongqiang Lu, Zhaoguo Wang, and Yibo Xue. 2014. Droid-Sec: Deep Learning in Android Malware Detection. In Proceedings of the 2014 ACM