Qinglong Wang
ABSTRACT
Outside the highly publicized victories in the game of Go, there have been numerous successful applications of deep learning in the fields of information retrieval, computer vision, and speech recognition. In cybersecurity, an increasing number of companies have begun exploring the use of deep learning (DL) in a variety of security tasks with malware detection among the more popular. These companies claim that deep neural networks (DNNs) could help turn the tide in the war against malware infection. However, DNNs are vulnerable to adversarial samples, a shortcoming that plagues most, if not all, statistical and machine learning models. Recent research has demonstrated that those with malicious intent can easily circumvent deep learning-powered malware detection by exploiting this weakness.
To address this problem, previous work developed defense mechanisms that are based on augmenting training data or enhancing model complexity. However, after analyzing DNN susceptibility to adversarial samples, we discover that the current defense mechanisms are limited and, more importantly, cannot provide theoretical guarantees of robustness against adversarial sampled-based attacks. As such, we propose a new adversary resistant technique that obstructs attackers from constructing impactful adversarial samples by randomly nullifying features within data vectors. Our proposed technique is evaluated on a real world dataset with 14,679 malware variants and 17,399 benign programs. We theoretically validate the robustness of our technique, and empirically show that our technique significantly boosts DNN robustness to adversarial samples while maintaining high accuracy in classification. To demonstrate the general applicability of our proposed method, we also conduct experiments using the MNIST and CIFAR-10 datasets, widely used in image recognition research.
- Hyrum Anderson, Jonathan Woodbridge, and Bobby Filar. 2016. DeepDGA: Adversarially-Tuned Domain Generation and Detection. arXiv:1610.01969 [cs.CR] (2016).Google Scholar
- Matt Wolff Andrew Davis. 2015. Deep Learning on Dis- assembly. https://www.blackhat.com/docs/us-15/materials/ us-15-Davis-Deep-Learning-On-Disassembly.pdf.Google Scholar
- Marco Barreno, Blaine Nelson, Anthony D. Joseph, and J. D. Tygar. 2010. The Security of Machine Learning. Mach. Learn. 81, 2 (Nov. 2010), 121--148. Google ScholarDigital Library
- Konstantin Berlin, David Slater, and Joshua Saxe. 2015. Malicious behavior detection using windows audit logs. In Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security. ACM, 35--44. Google ScholarDigital Library
- Ran Bi. 2015. Deep Learning can be easily fooled. http://www.kdnuggets.com/ 2015/01/deep-learning-can-be-easily-fooled.html.Google Scholar
- Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Srndic, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. 2013. Evasion Attacks against Machine Learning at Test Time.. In ECML/PKDD (3). Google ScholarDigital Library
- BIZETY 2016. Deep Learning Neural Nets Are Effective Against AI Malware. BIZETY. https://www.bizety.com/2016/02/05/ deep-learning-neural-nets-are-effective-against-ai-malware/.Google Scholar
- George Dahl, Jack W. Stokes, Li Deng, and Dong Yu. 2013. Large-Scale Malware Classification Using Random Projections and Neural Networks. In Proceedings IEEE Conference on Acoustics, Speech, and Signal Processing. Google ScholarCross Ref
- Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).Google Scholar
- Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, and Patrick McDaniel. 2016. Adversarial Perturbations Against Deep Neural Networks for Malware Classification. arXiv preprint arXiv:1606.04435 (2016).Google Scholar
- Shixiang Gu and Luca Rigazio. 2014. Towards deep neural network architectures robust to adversarial examples. arXiv:1412.5068 [cs] (2014).Google Scholar
- Mike James. 2014. The Flaw Lurking In Every Deep Neural Net . http://www.i-programmer.info/news/105-artificial-intelligence/ 7352-the-flaw-lurking-in-every-deep-neural-net.html.Google Scholar
- D.K. Kang, J. Zhang, A. Silvescu, and V. Honavar. 2005. Multinomial event model based abstraction for sequence and text classification. Abstraction, Reformulation and Approximation (2005), 901--901.Google Scholar
- Will Knight. 2015. Antivirus that Mimics the Brain Could Catch More Malware. https://www.technologyreview.com/s/542971/ antivirus-that-mimics-the-brain-could-catch-more-malware/.Google Scholar
- Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. (2009).Google Scholar
- Yann LeCun, Corinna Cortes, and Christopher JC Burges. 1998. The MNIST database of handwritten digits. (1998).Google Scholar
- Cade Metz. 2015. Baidu, the Chinese Google, Is Teaching AI to Spot Malware. https://www.wired.com/2015/11/ baidu-the-chinese-google-is-teaching-ai-to-spot-malware/.Google Scholar
- MIT Technology Review 2016. Machine-Learning Algorithm Combs the Darknet for Zero Day Exploits, and Finds them. MIT Technology Review.Google Scholar
- Linda Musthaler. 2016. How to use deep learning AI to detect and prevent malware and APTs in real-time.Google Scholar
- Alexander G. Ororbia II, C. Lee Giles, and Daniel Kifer. 2016. Unifying Adversarial Training Algorithms with Flexible Deep Data Gradient Regularization. arXiv:1601.07213 [cs] (2016).Google Scholar
- Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z Berkay Celik, and Ananthram Swami. 2016. The limitations of deep learning in adversarial settings. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 372--387.Google ScholarCross Ref
- Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2015. Distillation as a defense to adversarial perturbations against deep neural networks. arXiv preprint arXiv:1511.04508 (2015).Google Scholar
- Joshua Saxe and Konstantin Berlin. 2015. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. CoRR (2015).Google Scholar
- Nitish Srivastava, Geoffrey E Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan Salakhutdinov. 2014. Dropout: a simple way to prevent neural networks from overfitting. Journal of Machine Learning Research 15, 1 (2014), 1929--1958.Google ScholarDigital Library
- Nedim Srndic and Pavel Laskov. 2014. Practical Evasion of a Learning-Based Classifier: A Case Study. In Proceedings of the 2014 IEEE Symposium on Security and Privacy . Google ScholarDigital Library
- Symantec 2016. Internet Security Threat Report. Symantec. https://www.symantec. com/content/dam/symantec/docs/reports/istr-21--2016-en.pdf.Google Scholar
- Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations.Google Scholar
- Zhenlong Yuan, Yongqiang Lu, Zhaoguo Wang, and Yibo Xue. 2014. Droid-Sec: Deep Learning in Android Malware Detection. In Proceedings of the 2014 ACM Conference on SIGCOMM (SIGCOMM '14) Google ScholarDigital Library
Index Terms
- Adversary Resistant Deep Neural Networks with an Application to Malware Detection
Recommendations
Compression-resistant backdoor attack against deep neural networks
AbstractIn recent years, a number of backdoor attacks against deep neural networks (DNN) have been proposed. In this paper, we reveal that backdoor attacks are vulnerable to image compressions, as backdoor instances used to trigger backdoor attacks are ...
Deep Neural Networks for Automatic Android Malware Detection
ASONAM '17: Proceedings of the 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2017Because of the explosive growth of Android malware and due to the severity of its damages, the detection of Android malware has become an increasing important topic in cybersecurity. Currently, the major defense against Android malware is commercial ...
Detecting backdoor in deep neural networks via intentional adversarial perturbations
AbstractRecent researches show that deep learning model is susceptible to backdoor attacks. Many defenses against backdoor attacks have been proposed. However, existing defense works require high computational overhead or backdoor attack ...
Comments