Adversary Resistant Deep Neural Networks with an Application to Malware Detection

Wang, Qinglong; Guo, Wenbo; Zhang, Kaixuan; Ororbia, Alexander G.; Xing, Xinyu; Li, Xue; Giles, C. Lee

doi:10.1145/3097983.3098158

Cited by 138 publications

(102 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It also "services" multiple active learning objectives. As seen later (and also earlier, in [91]), randomization plays an important role more generally in some defensive schemes against adversarial attacks.…”

Section: Defenses Against Classifier-degrading Dp Attackssupporting

confidence: 54%

“…Moreover, irrespective of whether detection is truly "easier", this argument (that detection is essentially a subset of robust classification) is not made in many of the robust classification defense papers -it is simply assumed that the only objective of interest is to defeat the attack by correctly classifying in the face of it. Attack detection is not even considered in [23], [91], [72], [52], [100]. By contrast, in Section IV, we will give much stronger arguments for the intrinsic value in making detection inferences and will point out that, in some scenarios, when an attack is present, making robust classification inferences in fact has no utility.…”

Section: B Anomaly Detection (Ad) Of Ttesmentioning

confidence: 99%

“…a) Feature Obfuscation: This approach alters features so as to hopefully destroy the attack pattern. For example, [91] considers DNNs for digit recognition and malware detection. They randomly nullify (zero) input features, both during training and testing/inference.…”

Section: A Robust Classification Approaches For Ttesmentioning

confidence: 99%

“…This may "eliminate" perturbed features in a test-time pattern. However, for the malware domain, the features as defined in [91] are binary ∈ {0, 1}. Thus, nullifying (zeroing) does not necessarily alter a feature's original value (if it is already zero).…”

Section: A Robust Classification Approaches For Ttesmentioning

confidence: 99%

See 3 more Smart Citations

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

2020

View full text Add to dashboard Cite

With the wide deployment of machine learning (ML) based systems for a variety of applications including medical, military, automotive, genomic, as well as multimedia and social networking, there is great potential for damage from adversarial learning (AL) attacks. In this paper, we provide a contemporary survey of AL, focused particularly on defenses against attacks on deep neural network classifiers. After introducing relevant terminology and the goals and range of possible knowledge of both attackers and defenders, we survey recent work on test-time evasion (TTE), data poisoning (DP), backdoor DP, and reverse engineering (RE) attacks and particularly defenses against same. In so doing, we distinguish robust classification from anomaly detection (AD), unsupervised from supervised, and statistical hypothesis-based defenses from ones that do not have an explicit null (no attack) hypothesis. We also consider several scenarios for detecting backdoors. We provide a technical assessment for reviewed works, including identifying any issues/limitations, required hyperparameters, needed computational complexity, as well as the performance measures evaluated and the obtained quality. We then dig deeper, providing novel insights that challenge conventional AL wisdom and that target unresolved issues, including: 1) robust classification versus AD as a defense strategy; 2) the belief that attack success increases with attack strength, which ignores susceptibility to AD; 3) small perturbations for test-time evasion attacks: a fallacy or a requirement?; 4) validity of the universal assumption that a TTE attacker knows the ground-truth class for the example to be attacked; 5) black, grey, or white box attacks as the standard for defense evaluation; 6) susceptibility of query-based RE to an AD defense. We also discuss attacks on the privacy of training data. We then present benchmark comparisons of several defenses against TTE, RE, and backdoor DP attacks on images. The paper concludes with a discussion of continuing research directions, including the supreme challenge of detecting attacks whose goal is not to alter classification decisions, but rather simply to embed, without detection, "fake news" or other false content. Index Termstest-time-evasion, data poisoning, backdoor, reverse engineering, deep neural networks, anomaly detection, robust classification, black box, white box, targeted attacks, transferability, membership inference attack The authors are with the

show abstract

Section: Defenses Against Classifier-degrading Dp Attackssupporting

confidence: 54%

Section: B Anomaly Detection (Ad) Of Ttesmentioning

confidence: 99%

Section: A Robust Classification Approaches For Ttesmentioning

confidence: 99%

Section: A Robust Classification Approaches For Ttesmentioning

confidence: 99%

See 2 more Smart Citations

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

2020

View full text Add to dashboard Cite

show abstract

“…Wang et al in [36] proposed an adversary resistant technique to obstruct attackers from constructing impactful adversarial samples. They called this adversarial resistant technique "random feature nullification" and is described as follows: For each batch of inputs denoted by X ∈ R n×m , where n is the number of samples and m is the feature vector size, random feature nullification performs element-wise multiplication of X with a randomly generated mask matrix I p ∈ R n×m , where its elements are only 1 or 0.…”

Section: Random Feature Nullificationmentioning

confidence: 99%

Stochastic Substitute Training

Hashemi¹,

Cusack²,

Keller³

2018

Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

It has been shown that adversaries can craft example inputs to neural networks which are similar to legitimate inputs but have been created to purposely cause the neural network to misclassify the input. These adversarial examples are crafted, for example, by calculating gradients of a carefully defined loss function with respect to the input. As a countermeasure, some researchers have tried to design robust models by blocking or obfuscating gradients, even in white-box settings. Another line of research proposes introducing a separate detector to attempt to detect adversarial examples. This approach also makes use of gradient obfuscation techniques, for example, to prevent the adversary from trying to fool the detector. In this paper, we introduce stochastic substitute training, a gray-box approach that can craft adversarial examples for defenses which obfuscate gradients. For those defenses that have tried to make models more robust, with our technique, an adversary can craft adversarial examples with no knowledge of the defense. For defenses that attempt to detect the adversarial examples, with our technique, an adversary only needs very limited information about the defense to craft adversarial examples. We demonstrate our technique by applying it against two defenses which make models more robust and two defenses which detect adversarial examples.

show abstract

Application of Deep Reinforcement Learning in Adversarial Malware Detection

Manju,

Rana

2024

Deep Reinforcement Learning and Its Industrial Use Cases

View full text Add to dashboard Cite

Adversary Resistant Deep Neural Networks with an Application to Malware Detection

Cited by 138 publications

References 18 publications

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

Stochastic Substitute Training

Application of Deep Reinforcement Learning in Adversarial Malware Detection

Contact Info

Product

Resources

About