DOI: 10.1145/3133956.3133978
Evading Classifiers by Morphing in the Dark

Published: 30 October 2017

Abstract

Learning-based systems have been shown to be vulnerable to evasion through adversarial data manipulation. These attacks have been studied under the assumption that the adversary has some knowledge of the target model's internals, its training dataset, or at least the classification scores it assigns to input samples. In this paper, we investigate a much more constrained and realistic attack scenario in which the target classifier is minimally exposed to the adversary, revealing only its final classification decision (e.g., reject or accept an input sample). Moreover, the adversary can manipulate malicious samples only through a blackbox morpher; that is, the adversary has to evade the target classifier by morphing malicious samples "in the dark". We present a scoring mechanism that assigns each sample a real-valued score reflecting evasion progress, based only on this limited information. Leveraging this scoring mechanism, we propose an evasion method, EvadeHC, and evaluate it against two PDF malware detectors, namely PDFRate and Hidost. The experimental evaluation demonstrates that the proposed evasion attacks are effective, attaining a 100% evasion rate on the evaluation dataset. Interestingly, EvadeHC outperforms known classifier-evasion techniques that operate on the classification scores output by the classifiers. Although our evaluations are conducted on PDF malware classifiers, the proposed approaches are domain-agnostic and apply more broadly to other learning-based systems.
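The decision-only setting described in the abstract can be illustrated with a small hill-climbing sketch. Everything below is invented for illustration: the toy `detector`, the random `morph` function, and the `flip_distance` score (number of random morphs until the detector's decision flips) are hypothetical stand-ins, not the paper's actual scoring mechanism or morpher. The sketch only assumes what the abstract states: the attacker sees a single accept/reject bit and can morph samples through a blackbox.

```python
import random

random.seed(0)

def detector(x):
    # Toy stand-in for a binary malware detector: flags samples whose
    # hidden feature sum exceeds a threshold. Only the boolean decision
    # is exposed to the attacker.
    return sum(x) > 5.0  # True = flagged ("reject")

def morph(x):
    # Toy blackbox morpher: randomly perturbs one feature.
    y = list(x)
    i = random.randrange(len(y))
    y[i] += random.uniform(-1.0, 1.0)
    return y

def flip_distance(x, max_steps=50):
    # Decision-only progress score: the number of random morphs applied
    # until the detector's decision flips to "accept". Smaller means
    # closer to evading. Uses only the detector's boolean output.
    if not detector(x):
        return 0
    cur = x
    for step in range(1, max_steps + 1):
        cur = morph(cur)
        if not detector(cur):
            return step
    return max_steps + 1

def hill_climb(x0, candidates=10, rounds=30):
    # Keep the morphed candidate with the best (lowest) score each round.
    best, best_score = x0, flip_distance(x0)
    for _ in range(rounds):
        if not detector(best):
            break  # already evades the detector
        pool = [morph(best) for _ in range(candidates)]
        scored = [(flip_distance(c), c) for c in pool]
        s, cand = min(scored, key=lambda t: t[0])
        if s <= best_score:
            best, best_score = cand, s
    return best

sample = [2.0, 2.0, 2.0, 2.0]   # sum 8.0 > 5.0, so the detector flags it
evading = hill_climb(sample)
print(detector(sample), detector(evading))
```

Note that maintaining the sample's maliciousness is ignored here; the paper's setting additionally requires that morphed samples preserve malicious behavior, which this toy loop does not model.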

Supplemental Material: MP4 file.

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. evasion attacks
  2. machine learning

Qualifiers

  • Research-article

Funding Sources

  • National Research Foundation Singapore

Conference

CCS '17

Acceptance Rates

CCS '17 paper acceptance rate: 151 of 836 submissions, 18%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%
