Adversarial Robustness of Deep Learning-based Malware Detectors via (De)Randomized Smoothing

Deep learning-based malware detectors have been shown to be susceptible to adversarial malware examples, i.e. malware examples that have been deliberately manipulated in order to avoid detection. In light of the vulnerability of deep learning detectors to subtle input file modifications, we propose...

ver descrição completa

Detalhes bibliográficos
Autores: Gibert Llauradó, Daniel, Zizzo, Giulio, Le, Quan, Planes Cid, Jordi
Tipo de documento: artigo
Estado:Versão publicada
Data de publicação:2024
País:España
Recursos:Varias* (Consorci de Biblioteques Universitáries de Catalunya, Centre de Serveis Científics i Acadèmics de Catalunya)
Repositório:Recercat. Dipósit de la Recerca de Catalunya
OAI Identifier:oai:recercat.cat:10459.1/465657
Acesso em linha:https://doi.org/10.1109/ACCESS.2024.3392391
https://hdl.handle.net/10459.1/465657
Access Level:Acceso aberto
Palavra-chave:Adversarial defense
(de)randomized smoothing
Evasion attacks
Machine learning
Descrição
Resumo:Deep learning-based malware detectors have been shown to be susceptible to adversarial malware examples, i.e. malware examples that have been deliberately manipulated in order to avoid detection. In light of the vulnerability of deep learning detectors to subtle input file modifications, we propose a practical defense against adversarial malware examples inspired by (de)randomized smoothing. In this work, we reduce the chances of sampling adversarial content injected by malware authors by selecting correlated subsets of bytes, rather than using Gaussian noise to randomize inputs like in the Computer Vision domain. During training, our chunk-based smoothing scheme trains a base classifier to make classifications on a subset of contiguous bytes or chunk of bytes. At test time, a large number of chunks are then classified by a base classifier and the consensus among these classifications is then reported as the final prediction. We propose two strategies to determine the location of the chunks used for classification: (1) randomly selecting the locations of the chunks and (2) selecting contiguous adjacent chunks. To showcase the effectiveness of our approach, we have trained two classifiers with our chunk-based smoothing schemes on the BODMAS dataset. Our findings reveal that the chunk-based smoothing classifiers exhibit greater resilience against adversarial malware examples generated with state-of-the-art evasion attacks, outperforming a non-smoothed classifier and a randomized smoothing-based classifier by a great margin.