DOI: 10.1609/aaai.v37i12.26727
Research article

Feature-space Bayesian adversarial learning improved malware detector robustness

Published: 07 February 2023

Abstract

We present a new algorithm to train a robust malware detector. Malware is a prolific problem and malware detectors are a front-line defense. Modern detectors rely on machine learning algorithms, so the adversarial objective is to devise alterations to the malware code that decrease the chance of detection whilst preserving the functionality and realism of the malware. Adversarial learning is effective in improving robustness, but generating functional and realistic adversarial malware samples is non-trivial, for two reasons: i) in contrast to tasks that can use gradient-based feedback, adversarial learning is hard in a domain with no differentiable mapping from the problem space (malware code inputs) to the feature space; and ii) it is difficult to ensure the adversarial malware is realistic and functional. This presents a challenge for developing scalable adversarial machine learning algorithms for large datasets at a production or commercial scale to realize robust malware detectors. We propose an alternative: perform adversarial learning in the feature space rather than the problem space. We prove that the projection into feature space of perturbed, yet valid, malware in the problem space will always be a subset of the adversarials generated in the feature space. Hence, by training a network that is robust against feature-space adversarial examples, we inherently achieve robustness against problem-space adversarial examples. We formulate a Bayesian adversarial learning objective that captures the distribution of models for improved robustness. To explain the robustness of the Bayesian adversarial learning algorithm, we prove that our learning method bounds the difference between the adversarial risk and the empirical risk and improves robustness. We show that Bayesian neural networks (BNNs) achieve state-of-the-art results, especially in the False Positive Rate (FPR) regime. Adversarially trained BNNs achieve state-of-the-art robustness.
Notably, adversarially trained BNNs remain robust against stronger attacks with larger attack budgets by a margin of up to 15% on a recent production-scale malware dataset of more than 20 million samples. Importantly, our efforts create a benchmark for future defenses in the malware domain.
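The containment argument in the abstract, illustrated as an added toy example that is not the paper's code: a constructed binary feature map, an assumed problem-space constraint (functionality-preserving edits may only add tokens) and an assumed feature-space perturbation set (an L0 ball), with the worst-case score over the feature-space set shown to lower-bound the worst-case score over the problem-space set for a constructed ensemble of linear scorers standing in for posterior samples.

```python
# Toy check of the feature-space containment claim (added example, not the
# paper's code). Every functionality-preserving problem-space edit, mapped
# through the feature extractor, lands inside the feature-space perturbation
# set used for adversarial training, so the worst case over that set bounds
# the worst case an attacker can reach in problem space.
# Vocabulary, sample, constraints and model weights are all constructed.
from itertools import combinations

VOCAB = ["api_a", "api_b", "api_c", "api_d", "api_e"]  # constructed vocabulary

def phi(sample):
    """Binary feature map: 1 if a vocabulary token is present in the sample."""
    return tuple(int(tok in sample) for tok in VOCAB)

def problem_space_neighbours(sample, budget):
    """Assumed problem-space constraint: edits may only ADD tokens (never drop
    ones the program relies on), at most `budget` of them per sample."""
    absent = [t for t in VOCAB if t not in sample]
    for k in range(budget + 1):
        for added in combinations(absent, k):
            yield phi(set(sample) | set(added))

def feature_space_neighbours(x, budget):
    """Assumed feature-space set: any flip of up to `budget` coordinates."""
    for k in range(budget + 1):
        for idx in combinations(range(len(x)), k):
            yield tuple(1 - v if i in idx else v for i, v in enumerate(x))

def is_contained(sample, budget):
    """True when every problem-space neighbour is also a feature-space one."""
    feat = set(feature_space_neighbours(phi(sample), budget))
    return all(p in feat for p in problem_space_neighbours(sample, budget))

def worst_case_score(neighbours, posterior):
    """Lowest 'malicious' score any neighbour obtains, averaging the linear
    scorers in `posterior` the way a Bayesian ensemble averages predictions."""
    def score(x):
        return sum(sum(w * v for w, v in zip(ws, x)) for ws in posterior) / len(posterior)
    return min(score(x) for x in neighbours)

# constructed posterior samples of a linear scorer (positive = malicious)
POSTERIOR = [(1.0, 0.5, -0.7, 0.2, -0.4), (0.8, 0.6, -0.5, 0.1, -0.6)]
SAMPLE = {"api_a", "api_b"}  # constructed malicious sample

def bound_holds(sample=SAMPLE, budget=2, posterior=POSTERIOR):
    """Feature-space adversary is at least as strong as the problem-space one."""
    ps = worst_case_score(problem_space_neighbours(sample, budget), posterior)
    fs = worst_case_score(feature_space_neighbours(phi(sample), budget), posterior)
    return fs <= ps
```

The feature-space set is strictly larger here (it can also drop tokens the program needs), which is exactly why robustness certified over it carries over to the problem space.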


Published In

AAAI'23/IAAI'23/EAAI'23: Proceedings of the Thirty-Seventh AAAI Conference on Artificial Intelligence and Thirty-Fifth Conference on Innovative Applications of Artificial Intelligence and Thirteenth Symposium on Educational Advances in Artificial Intelligence
February 2023
16496 pages
ISBN:978-1-57735-880-0

Sponsors

  • Association for the Advancement of Artificial Intelligence

Publisher

AAAI Press

Qualifiers

  • Research-article
  • Research
  • Refereed limited
