Malware detection has long been a stage for an ongoing arms race between malware authors and anti-virus systems. Solutions that utilize machine learning (ML) gain traction as the scale of this arms race increases. This trend, however, makes performing attacks directly on the ML component an attractive prospect for adversaries. We study this arms race from both perspectives in the context of MalConv, a popular convolutional neural network-based malware classifier that operates on the raw bytes of files. First, we show that MalConv is vulnerable to adversarial patch attacks: appending a byte-level patch to malware files bypasses detection 94.3% of the time. Moreover, we develop a universal adversarial patch (UAP) attack in which a single patch, computed once and in constant time, drops the detection rate of any malware file that contains it by 80%. These patches are effective even though they are relatively small with respect to the original file size, between 2% and 8%. As a countermeasure, we then perform window ablation, which allows us to apply de-randomized smoothing, a modern certified defense against patch attacks in vision tasks, to raw files. The resulting "smoothed-MalConv" can detect over 80% of malware that contains the universal patch and provides certified robustness of up to 66%, outlining a promising step towards robust malware detection. To our knowledge, we are the first to apply a universal adversarial patch attack and a certified defense using byte-level ablations in the malware field.
Translation:
Malware detection has long been the arena of an ongoing arms race between malware authors and anti-virus systems. As the scale of this race grows, solutions that use machine learning (ML) receive more and more attention. This trend, however, makes attacking the ML directly an attractive prospect for adversaries. We study this race from both sides in the context of the malware classifier MalConv. First, we show that MalConv is vulnerable to adversarial patch attacks: adding a byte-level patch to a malware file bypasses detection 94.3% of the time. Moreover, we develop a "universal adversarial patch (UAP)" attack, in which a single patch lowers the detection rate of any malware file that contains it by 80% in constant time. These patches are small even relative to the original file size, only 2% to 8% of it. As a countermeasure, we perform window ablation, which lets us apply de-randomized smoothing, a modern certified defense against patch attacks in vision tasks, to raw files. As a result, "smoothed-MalConv" can detect over 80% of malware containing the universal patch and provides certified robustness of up to 66%, a promising attempt at robust malware detection. To our knowledge, we are the first in the malware field to apply a universal adversarial patch attack and a certified defense based on byte-level ablation.
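The defense side of the abstract, window ablation feeding de-randomized smoothing, is compact enough to show end to end. The following is an added example and not code from the paper: it assumes that ablation keeps a contiguous window of `window` bytes at every `stride` offset and masks everything else, it replaces MalConv with a toy base classifier (`toy_base_classifier`, keyed on a constructed marker), and it uses the standard column-ablation certificate of de-randomized smoothing, in which a contiguous patch of `p` bytes can overlap at most `ceil((p + window - 1) / stride)` windows. The demo builds a constructed 4096-byte "malware" file, appends a 200-byte patch (about 5%, inside the 2%-8% range the abstract reports) and shows that the majority vote, and its certificate, survive the append.

```python
"""Added example (not the paper's code): de-randomized smoothing over byte windows.

Assumed details the abstract does not fix: window/stride ablation, a toy
base classifier standing in for MalConv, and the column-ablation certificate.
"""
from __future__ import annotations

import math
from collections import Counter
from typing import Callable, Iterator

MALWARE, BENIGN = 1, 0
BaseClassifier = Callable[[bytes], int]


def byte_windows(data: bytes, window: int, stride: int) -> Iterator[bytes]:
    """Yield the retained byte windows; bytes outside each window are ablated."""
    if not data:
        return
    last_start = max(0, len(data) - window)
    for start in range(0, last_start + 1, stride):
        yield data[start:start + window]


def max_windows_touched(patch_len: int, window: int, stride: int) -> int:
    """Upper bound on windows overlapping one contiguous patch of patch_len bytes.

    A window starting at s overlaps patch [a, a+p) iff a-w < s < a+p; that open
    interval holds p+w-1 integers, of which at most ceil((p+w-1)/stride) are
    window starts.
    """
    return math.ceil((patch_len + window - 1) / stride)


def windows_touched(n: int, patch_start: int, patch_len: int, window: int, stride: int) -> int:
    """Exact count of windows of an n-byte file overlapping [patch_start, patch_start+patch_len)."""
    last_start = max(0, n - window)
    lo, hi = patch_start, patch_start + patch_len
    return sum(1 for s in range(0, last_start + 1, stride) if s < hi and s + window > lo)


def smoothed_classify(data: bytes, base: BaseClassifier, window: int, stride: int, patch_len: int):
    """Majority vote over ablated windows plus a certificate against any patch of patch_len bytes.

    Returns (label, certified, votes). The label is certified when the margin
    between the top two classes exceeds twice the number of windows a patch can
    touch: an in-place patch flips at most one vote per touched window (margin
    drops by 2 each), and an appended patch leaves every window inside the
    original file untouched and adds at most that many new windows.
    """
    votes = Counter(base(w) for w in byte_windows(data, window, stride))
    ranked = votes.most_common()
    label, top = ranked[0]
    second = ranked[1][1] if len(ranked) > 1 else 0
    delta = max_windows_touched(patch_len, window, stride)
    return label, (top - second) > 2 * delta, dict(votes)


# --- constructed stand-ins (not real malware, not MalConv) -------------------
SIGNATURE = b"EVIL"  # constructed marker the toy base classifier keys on


def toy_base_classifier(chunk: bytes) -> int:
    """Stand-in for MalConv trained on ablated windows: flags any window holding the marker."""
    return MALWARE if SIGNATURE in chunk else BENIGN


def demo(window: int = 256, stride: int = 64, patch_len: int = 200):
    """Constructed 4096-byte 'malware' file, then the same file with a patch appended."""
    sample = (SIGNATURE + b"A" * 124) * 32     # 4096 bytes, marker every 128 bytes
    patched = sample + b"\x00" * patch_len     # appended bytes carry no marker
    clean = smoothed_classify(sample, toy_base_classifier, window, stride, patch_len)
    after = smoothed_classify(patched, toy_base_classifier, window, stride, patch_len)
    touched = windows_touched(len(patched), len(sample), patch_len, window, stride)
    return clean, after, touched, max_windows_touched(patch_len, window, stride)


if __name__ == "__main__":
    clean, after, touched, bound = demo()
    print("clean  :", clean)
    print("patched:", after)
    print(f"windows overlapping the appended patch: {touched} (bound {bound})")
```

With these parameters the clean file yields 61 windows that all vote malware; the appended patch adds three windows, one of which votes benign, against a bound of eight touched windows, so the margin of 62 stays well above the 16 the certificate requires. The real cost of the method is in the base classifier, which must be trained on ablated windows rather than whole files, and in the trade-off the abstract's 66% figure reflects: a smaller window makes the bound tighter but gives each vote less context.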