Realizable Universal Adversarial Perturbations for Malware

Labaca-Castro, Raphael; Muñoz-González, Luis; Pendlebury, Feargus; Rodosek, Gabi Dreo; Pierazzi, Fabio; Cavallaro, Lorenzo

doi:10.48550/arxiv.2102.06747

Cited by 4 publications

(6 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Universal Adversarial Perturbation (UAP) is one special type of adversarial attacks in which a same single perturbation can be applied over a large set of inputs for misclassifying the target model in the testing phrase. In order to generate the problemspace UAP against PE malware classifiers in the wild, Labaca-Castro et al [73] first prepare a set of available transformations (e.g., adding sections to the PE file, renaming sections, pack/unpacking, etc.) for Windows PE files, and then perform a greedy search approach to identify a short sequence of transformations as the UAP for the PE malware classifier.…”

Section: Discussionmentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

The malware has been being one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against the ever-increasing and ever-evolving threats of malware, tremendous efforts have been made to propose a variety of malware detection methods that attempt to effectively and efficiently detect malware so as to mitigate possible damages as earlier as possible. Recent studies have shown that, one the one hand, existing machine learning (ML) and deep learning (DL) techniques enable the superior detection of newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to confuse the targeted models. Basically, adversarial attacks are initially extensively studied in the domain of computer vision like image classification, and some quickly expanded to other domains, including natural language processing, audio recognition and even malware detection which is extremely critical to computers.In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. We then conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. We conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. In addition, a curated resource list of adversarial attacks and defenses for Windows PE malware detection is also available at https://github.com/ryderling/adversarial-attacks-and-defenses-for-windows-pe-malware-detection. CCS Concepts: • Security and privacy → Intrusion/anomaly detection and malware mitigation; • Theory of computation → Adversarial learning.

show abstract

Section: Discussionmentioning

confidence: 99%

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Ling¹,

Wu²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…We summarise the attacks in Table 5. L-BFGS [77] GradientDescent [78] Adversarial Sequences [79] JSMA [62] Deepfool [80] AddSent,AddOneSent [81] GAN [82] EnchantingAttack [82] StrategicAttack [64] C&W, L 0 , L 2 , L ∞ [83] FGSM,JSMA [84] Generative RNN [85] NPBO [86] GADGET [87] JSMA,FGSM,DeepFool,CW [88] FGSM [89] IDS-GAN [90] ZOO,GAN [91] One Pixel Attack [92] ManifoldApproximation [93] FGSM,BIM,PGD [94] GAN Attack [95] PWPSA [95] GA [96] One Pixel Attack [97] Opt Attack,GAN Attack [98] GAMMA [99] UAP [100] Variational Auto Encoder [101] Best-Effort Search…”

Section: Classification Schemementioning

confidence: 99%

“…Biggio et al [77] highlighted the threat from skilled adversaries with limited knowledge; more recently, gray-box attacks have received some attention: Kuppa et al [92] considered malicious users of the system with knowledge of the features and architecture of the system, recognizing that attackers may differ in their level of knowledge of the system. Labaca-Castro et al [99] used universal adversarial perturbations, showing that unprotected systems remain vulnerable even under limited knowledge scenarios. Li et al [101] considered limited knowledge attacks against cyber physical systems and successfully deployed universal adversarial perturbations where attackers have incomplete knowledge of measurements across all sensors.…”

Section: Adversarial Examples-types Of Attackmentioning

confidence: 99%

Functionality-Preserving Adversarial Machine Learning for Robust Classification in Cybersecurity and Intrusion Detection Domains: A Survey

McCarthy

Ghadafi

Andriotis

et al. 2022

JCP

View full text Add to dashboard Cite

Machine learning has become widely adopted as a strategy for dealing with a variety of cybersecurity issues, ranging from insider threat detection to intrusion and malware detection. However, by their very nature, machine learning systems can introduce vulnerabilities to a security defence whereby a learnt model is unaware of so-called adversarial examples that may intentionally result in mis-classification and therefore bypass a system. Adversarial machine learning has been a research topic for over a decade and is now an accepted but open problem. Much of the early research on adversarial examples has addressed issues related to computer vision, yet as machine learning continues to be adopted in other domains, then likewise it is important to assess the potential vulnerabilities that may occur. A key part of transferring to new domains relates to functionality-preservation, such that any crafted attack can still execute the original intended functionality when inspected by a human and/or a machine. In this literature survey, our main objective is to address the domain of adversarial machine learning attacks and examine the robustness of machine learning models in the cybersecurity and intrusion detection domains. We identify the key trends in current work observed in the literature, and explore how these relate to the research challenges that remain open for future works. Inclusion criteria were: articles related to functionality-preservation in adversarial machine learning for cybersecurity or intrusion detection with insight into robust classification. Generally, we excluded works that are not yet peer-reviewed; however, we included some significant papers that make a clear contribution to the domain. There is a risk of subjective bias in the selection of non-peer reviewed articles; however, this was mitigated by co-author review. We selected the following databases with a sizeable computer science element to search and retrieve literature: IEEE Xplore, ACM Digital Library, ScienceDirect, Scopus, SpringerLink, and Google Scholar. The literature search was conducted up to January 2022. We have striven to ensure a comprehensive coverage of the domain to the best of our knowledge. We have performed systematic searches of the literature, noting our search terms and results, and following up on all materials that appear relevant and fit within the topic domains of this review. This research was funded by the Partnership PhD scheme at the University of the West of England in collaboration with Techmodal Ltd.

show abstract

“…These attacks can take the form of adversarial patches and objects for image classification [2], person recognition [26], camera-based [7,8] and LiDAR-based object detection [3,9,10,28]. In the digital domain, UAPs have been shown to facilitate realistic attacks on perceptual ad-blockers for web pages [27] and machine learning-based malware detectors [16]. Furthermore, an attacker can utilize UAPs to perform query-efficient black-box attacks on neural networks [4,6].…”

Section: Introductionmentioning

confidence: 99%

Jacobian Regularization for Mitigating Universal Adversarial Perturbations

Co,

Rego,

Lupu

2021

Preprint

View full text Add to dashboard Cite

Universal Adversarial Perturbations (UAPs) are input perturbations that can fool a neural network on large sets of data. They are a class of attacks that represents a significant threat as they facilitate realistic, practical, and low-cost attacks on neural networks. In this work, we derive upper bounds for the effectiveness of UAPs based on norms of data-dependent Jacobians. We empirically verify that Jacobian regularization greatly increases model robustness to UAPs by up to four times whilst maintaining clean performance. Our theoretical analysis also allows us to formulate a metric for the strength of shared adversarial perturbations between pairs of inputs. We apply this metric to benchmark datasets and show that it is highly correlated with the actual observed robustness. This suggests that realistic and practical universal attacks can be reliably mitigated without sacrificing clean accuracy, which shows promise for the robustness of machine learning systems.

show abstract

Realizable Universal Adversarial Perturbations for Malware

Cited by 4 publications

References 42 publications

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Functionality-Preserving Adversarial Machine Learning for Robust Classification in Cybersecurity and Intrusion Detection Domains: A Survey

Jacobian Regularization for Mitigating Universal Adversarial Perturbations

Contact Info

Product

Resources

About