Intriguing Properties of Adversarial ML Attacks in the Problem Space

Pierazzi, Fabio; Pendlebury, Feargus; Cortellazzi, Jacopo; Cavallaro, Lorenzo

doi:10.1109/sp40000.2020.00073

Cited by 191 publications

(197 citation statements)

References 48 publications

Supporting

Mentioning

197

Contrasting

Order By: Relevance

“…It is extremely challenging for the malware classifier to differentiate between malware that is trying to read a non-existent registry key as an added adversarial no-op and a benign application functionality, e.g., trying to find a registry key containing information from previous runs and creating it if it doesn't exist (for instance, during the first run of the application). This makes our problem-space attack robust to preprocessing [38].…”

Section: Methodology 31 Attacking Api Call-based Malware Classifiersmentioning

confidence: 99%

“…This is due to the fact that adversarial training is less effective against random attacks like ours, because a different stochastic adversarial sequence is generated every time, making it challenging for the classifier to generalize from one adversarial sequence to another. More effective RNN defense methods, including domain specific methods, e.g., systems that measure CPU usage [35], contain irregular API call subsequences [27] (such as the no-op API calls used in this paper), or otherwise assess the plausibility of our attack [38], in order to detect adversarial examples, will be a part of our future work.…”

Section: Defenses and Mitigation Techniquesmentioning

confidence: 99%

“…We develop an end-to-end attack [40,41] (a.k.a, problem-space attack [38]) by recrafting the malware behavior so it can evade detection by such machine learning malware classifiers while minimizing the amount of queries to the malware classifier (meaning that the attack is query-efficient).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Rosenberg

Shabtai

Elovici

et al. 2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Section: Methodology 31 Attacking Api Call-based Malware Classifiersmentioning

confidence: 99%

Section: Defenses and Mitigation Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Rosenberg

Shabtai

Elovici

et al. 2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

“…Depending on the different levels of knowledge held by an attacker, attack scenarios can be categorized into three different classes: white-box (i.e., perfect knowledge), gray-box (i.e., limited knowledge) and black-box (i.e., zero knowledge) [32], [33]. The less information available to an attacker, the closer the attack scenario is to black-box.…”

Section: A Threat Modelmentioning

confidence: 99%

Learn2Evade: Learning-Based Generative Model for Evading PDF Malware Classifiers

Bae

Lee

Kim

et al. 2021

IEEE Trans. Artif. Intell.

View full text Add to dashboard Cite

Recent research has shown that a small perturbation to an input may forcibly change the prediction of a machine learning (ML) model. Such variants are commonly referred to as adversarial examples. Early studies have focused mostly on ML models for image processing and expanded to other applications, including those for malware classification. In this paper, we focus on the problem of finding adversarial examples against ML-based PDF malware classifiers. We deem that our problem is more challenging than those against ML models for image processing because of the highly complex data structure of PDF and of an additional constraint that the generated PDF should exhibit malicious behavior. To resolve our problem, we propose a variant of generative adversarial networks (GANs) that generate evasive variant PDF malware (without any crash), which can be classified as benign by various existing classifiers yet maintaining the original malicious behavior. Our model exploits the target classifier as the second discriminator to rapidly generate an evasive variant PDF with our new feature selection process that includes unique features extracted from malicious PDF files. We evaluate our technique against three representative PDF malware classifiers (Hidost'13, Hidost'16, and further examine its effectiveness with AntiVirus engines from VirusTotal.

show abstract

“…Cylance's PROTECT anti-malware engine which deploys DL models has been recently evaded by adversarial attacks [38]. Thus, ML based malware detectors are under the constant threat of adversarial attacks [39][40][41][42][43][44][45]. This demands for the development of robust and secure learning models to be deployed in malware detectors which can withstand the adaptive adversarial attacks [46][47][48][49][50][51][52].…”

Section: Introductionmentioning

confidence: 99%

A Review on Android Malware: Attacks, Countermeasures and Challenges Ahead

Selvaganapathy

Sadasivam

Ravi

2021

JCSANDM

View full text Add to dashboard Cite

Smartphones usage have become ubiquitous in modern life serving as a double-edged sword with opportunities and challenges in it. Along with the benefits, smartphones also have high exposure to malware. Malware has progressively penetrated thereby causing more turbulence. Malware authors have become increasingly sophisticated and are able to evade detection by anti-malware engines. This has led to a constant arms race between malware authors and malware defenders. This survey converges on Android malware and covers a walkthrough of the various obfuscation attacks deployed during malware analysis phase along with the myriad of adversarial attacks operated at malware detection phase. The review also unscrambles the difficulties currently faced in deploying an on-device, lightweight malware detector. It sheds spotlight for researchers to perceive the current state of the art techniques available to fend off malware along with suggestions on possible future directions

show abstract

Intriguing Properties of Adversarial ML Attacks in the Problem Space

Cited by 191 publications

References 48 publications

Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Query-Efficient Black-Box Attack Against Sequence-Based Malware Classifiers

Learn2Evade: Learning-Based Generative Model for Evading PDF Malware Classifiers

A Review on Android Malware: Attacks, Countermeasures and Challenges Ahead

Contact Info

Product

Resources

About