Adversarial Deep Learning for Robust Detection of Binary Encoded Malware

Huang, Alex; Al-Dujaili, Abdullah; Hemberg, Erik; O’Reilly, Una-May

doi:10.48550/arxiv.1801.02950

Cited by 11 publications

(11 citation statements)

References 0 publications

“…In this section, we briefly describe the problem of hardening machine learning malware detectors (binary classifiers) via adversarial learning and the setup used to train them. We adopt the notation and setup used in [Al-Dujaili et al, 2018].…”

Section: Formal Background (mentioning)

confidence: 99%

“…(2) involves an inner non-concave maximization problem and an outer non-convex minimization problem. Al-Dujaili et al [2018] proposed a set…”

Section: Formal Background (mentioning)

confidence: 99%
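
The equation labeled (2) is not part of the excerpt above. As a point of reference only, a saddle-point objective of the kind the statement describes (inner maximization over adversarial variants, outer minimization over model parameters) can be written as follows. All symbols are assumptions introduced here: \theta for model parameters, \mathcal{D} for the data distribution, \mathcal{S}(x) for the set of permitted adversarial variants of x, and L for the training loss.

```latex
\theta^{*} \in \arg\min_{\theta} \;
\mathbb{E}_{(x,y)\sim\mathcal{D}}
\left[ \max_{\bar{x} \in \mathcal{S}(x)} L(\theta, \bar{x}, y) \right]
```

The inner problem is the one the excerpt calls non-concave and the outer problem is the one it calls non-convex.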

“…Note that other established parsing tools can be used (e.g., [Carrera, 2018]) and we leave investigating different parsers for future work. The models were trained as described in [Al-Dujaili et al, 2018].…”

Section: Formal Background (mentioning)

confidence: 99%

“…In this section, we describe visualization tools that help elucidate blind spots and the robustness of hardened models. We demonstrate these tools on the four adversarially hardened models described in [Al-Dujaili et al, 2018] in addition to the naturally trained model. The models are denoted by their inner maximizer (adversarial generation) methods: dFGSM^k, rFGSM^k, BGA^k, BCA^k, and Natural, respectively.…”

Section: Visualizing Adversarially Hardened Models (mentioning)

confidence: 99%
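
To make the idea of an inner maximizer over binary features concrete, here is a minimal sketch of a greedy coordinate-ascent step. It is not the cited authors' implementation of any of the four methods. It assumes a linear-logistic stand-in detector, a malicious true label, and the constraint that bits may only be flipped from 0 to 1 so that features already present in the sample are kept. The function names `malicious_loss`, `loss_gradient`, and `coordinate_ascent` are hypothetical.

```python
import math


def malicious_loss(w, b, x):
    """Cross-entropy loss of a logistic detector on a sample labeled malicious."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    # -log(sigmoid(z)) == log(1 + exp(-z))
    return math.log1p(math.exp(-z))


def loss_gradient(w, b, x):
    """Partial derivatives of malicious_loss with respect to each input bit."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    p = 1.0 / (1.0 + math.exp(-z))
    # d/dx_j of -log(sigmoid(z)) is -(1 - p) * w_j
    return [-(1.0 - p) * wj for wj in w]


def coordinate_ascent(w, b, x, k):
    """Run up to k greedy steps, each setting one 0-bit to 1 (assumed constraint)."""
    x_adv = list(x)
    for _ in range(k):
        grad = loss_gradient(w, b, x_adv)
        # Only unset bits whose flip would increase the loss are candidates.
        candidates = [j for j, bit in enumerate(x_adv) if bit == 0 and grad[j] > 0]
        if not candidates:
            break
        best = max(candidates, key=lambda j: grad[j])
        x_adv[best] = 1
    return x_adv


if __name__ == "__main__":
    weights = [2.0, -1.0, -3.0, 0.5]  # toy detector weights (assumption)
    sample = [1, 0, 0, 0]             # toy binary feature vector (assumption)
    adversarial = coordinate_ascent(weights, 0.0, sample, 5)
    print(adversarial, malicious_loss(weights, 0.0, adversarial))
```

In adversarial training, a routine of this kind would supply the perturbed samples for the inner maximization while the outer loop updates the model parameters.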

“…This allows us to answer the general question of whether the flatness/sharpness association holds for robust generalization. In considering input space interpretation, rather than parameter interpretation, blind spot coverage, a scalar value computed during training, has been reported for NN models that have been trained with natural and adversarially generated samples in the binary input space [Al-Dujaili et al, 2018]. A blind spot is, informally, a region in the input space where there is a lack of training examples.…”

Section: Introduction (mentioning)

confidence: 99%

On Visual Hallmarks of Robustness to Adversarial Malware

Huang, Al-Dujaili, Hemberg, et al. 2018

Preprint (self-citation)

A central challenge of adversarial learning is to interpret the resulting hardened model. In this contribution, we ask how robust generalization can be visually discerned and whether a concise view of the interactions between a hardened decision map and input samples is possible. We first provide a means of visually comparing a hardened model's loss behavior with respect to the adversarial variants generated during training versus loss behavior with respect to adversarial variants generated from other sources. This allows us to confirm that the association of observed flatness of a loss landscape with generalization that is seen with naturally trained models extends to adversarially hardened models and robust generalization. To complement these means of interpreting model parameter robustness we also use self-organizing maps to provide a visual means of superimposing adversarial and natural variants on a model's decision space, thus allowing the model's global robustness to be comprehensively examined.

Using GANs to Improve the Accuracy of Machine Learning Models for Malware Detection

Simion, Bălan, Gavriluţ. 2022

Intelligent Data Engineering and Automated Learning – IDEAL 2022

Semantics-Preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection

Zhang, Liu, Choi, et al. 2023

IEEE Trans. Dependable and Secure Comput.

Attackers can easily avoid traditional detection methods by reordering the malware code or inserting useless code. To address the costs of reverse engineering and signature extraction, advanced research on malware detection focuses on using neural networks to learn malicious behaviors from static and dynamic features. The advantage of those approaches is that they can achieve high detection accuracy and shorten the time between a malware report and deployed detection. However, deep learning-based malware detection models are vulnerable to adversarial samples. The attackers' goal is to generate imperceptible perturbations to the original samples and evade detection. In the context of malware, the generated samples should have one more important characteristic: they should not change the malicious behaviors of the original code, so the original features cannot be removed or changed. In this paper, we propose a reinforcement learning based attack to deceive graph based malware detection models. Inspired by obfuscation techniques, the central idea of the proposed attack is to sequentially inject semantic Nops, which do not change the program's functionality, into CFGs (control flow graphs). Specifically, the Semantics-preserving Reinforcement Learning (SRL) Attack learns an RL agent that iteratively selects semantic Nops and inserts them into basic blocks of the CFGs. Variants of obfuscation methods, hill-climbing methods and gradient based algorithms are proposed: 1) Semantics-preserving Random Insertion (SRI) Attack: randomly inserting semantic Nops into basic blocks; 2) Semantics-preserving Accumulated Insertion (SAI) Attack: declining certain random transformations according to the probability of the target class; 3) Semantics-preserving Gradient based Insertion (SGI) Attack: applying transformations on the original CFG in the direction of the gradient.
We use real-world Windows programs to show that a family of Graph Neural Network models are vulnerable to these attacks. The best evasion rates of the benchmark attacks are 97% on the basic GCN model and 96% on the DGCNN model. The SRL attack can achieve 100% on both models.
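
The hill-climbing variant described in the abstract (random insertions that are declined depending on the detector's output) can be illustrated with a toy loop. This is a sketch under stated assumptions, not the paper's SAI algorithm: the CFG is reduced to a list of basic blocks holding instruction strings, `SEMANTIC_NOPS` is a hypothetical list of placeholder no-op sequences, `toy_malicious_score` is a made-up stand-in for a real detector, and the acceptance rule (keep an insertion only if the score drops) is one plausible reading of "declining" a transformation.

```python
import random

# Placeholder no-op sequences (assumption); a real attack would need sequences
# verified to leave program behavior unchanged on the target architecture.
SEMANTIC_NOPS = ["nop", "xchg eax, eax", "lea esi, [esi]"]


def toy_malicious_score(cfg):
    """Stand-in detector: share of instructions that are not placeholder no-ops."""
    total = sum(len(block) for block in cfg)
    flagged = sum(1 for block in cfg for ins in block if ins not in SEMANTIC_NOPS)
    return flagged / total if total else 0.0


def accumulated_insertion(cfg, score_fn, steps, seed=0):
    """Hill-climb over random no-op insertions, keeping only score-lowering ones."""
    rng = random.Random(seed)
    current = [list(block) for block in cfg]  # work on a copy of the input
    best = score_fn(current)
    for _ in range(steps):
        candidate = [list(block) for block in current]
        block = rng.randrange(len(candidate))
        position = rng.randint(0, len(candidate[block]))
        candidate[block].insert(position, rng.choice(SEMANTIC_NOPS))
        score = score_fn(candidate)
        if score < best:  # decline insertions that do not reduce the score
            current, best = candidate, score
    return current, best


if __name__ == "__main__":
    toy_cfg = [["push ebp", "mov ebp, esp"], ["call target"]]
    perturbed, score = accumulated_insertion(toy_cfg, toy_malicious_score, 10)
    print(score)
    for block in perturbed:
        print(block)
```

Because insertions never delete or reorder existing instructions, the original instruction sequence of each block survives as a subsequence of the perturbed block, which mirrors the abstract's requirement that original features not be removed.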
