Adversarial examples for malware detection

Kathrin Grosse; Nicolas Papernot; Praveen Manoharan; Michael Backes; Patrick McDaniel

doi:10.1007/978-3-319-66399-9_4

Adversarial examples for malware detection

Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, Patrick McDaniel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

327 Scopus citations

Abstract

Machine learning models are known to lack robustness against inputs crafted by an adversary. Such adversarial examples can, for instance, be derived from regular inputs by introducing minor—yet carefully selected—perturbations. In this work, we expand on existing adversarial example crafting algorithms to construct a highly-effective attack that uses adversarial examples against malware detection models. To this end, we identify and overcome key challenges that prevent existing algorithms from being applied against malware detection: our approach operates in discrete and often binary input domains, whereas previous work operated only in continuous and differentiable domains. In addition, our technique guarantees the malware functionality of the adversarially manipulated program. In our evaluation, we train a neural network for malware detection on the DREBIN data set and achieve classification performance matching state-of-the-art from the literature. Using the augmented adversarial crafting algorithm we then manage to mislead this classifier for 63% of all malware samples. We also present a detailed evaluation of defensive mechanisms previously introduced in the computer vision contexts, including distillation and adversarial training, which show promising results.

Original language	English (US)
Title of host publication	Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
Editors	Simon N. Foley, Dieter Gollmann, Einar Snekkenes
Publisher	Springer Verlag
Pages	62-79
Number of pages	18
ISBN (Print)	9783319663982
DOIs	https://doi.org/10.1007/978-3-319-66399-9_4
State	Published - 2017
Event	22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway Duration: Sep 11 2017 → Sep 15 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10493 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	22nd European Symposium on Research in Computer Security, ESORICS 2017
Country/Territory	Norway
City	Oslo
Period	9/11/17 → 9/15/17

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-66399-9_4

Cite this

Grosse, K., Papernot, N., Manoharan, P., Backes, M., & McDaniel, P. (2017). Adversarial examples for malware detection. In S. N. Foley, D. Gollmann, & E. Snekkenes (Eds.), Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings (pp. 62-79). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10493 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-66399-9_4

Grosse, Kathrin ; Papernot, Nicolas ; Manoharan, Praveen et al. / Adversarial examples for malware detection. Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. editor / Simon N. Foley ; Dieter Gollmann ; Einar Snekkenes. Springer Verlag, 2017. pp. 62-79 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{1e882f77dcb649b4aa4146efd6a07693,

title = "Adversarial examples for malware detection",

abstract = "Machine learning models are known to lack robustness against inputs crafted by an adversary. Such adversarial examples can, for instance, be derived from regular inputs by introducing minor—yet carefully selected—perturbations. In this work, we expand on existing adversarial example crafting algorithms to construct a highly-effective attack that uses adversarial examples against malware detection models. To this end, we identify and overcome key challenges that prevent existing algorithms from being applied against malware detection: our approach operates in discrete and often binary input domains, whereas previous work operated only in continuous and differentiable domains. In addition, our technique guarantees the malware functionality of the adversarially manipulated program. In our evaluation, we train a neural network for malware detection on the DREBIN data set and achieve classification performance matching state-of-the-art from the literature. Using the augmented adversarial crafting algorithm we then manage to mislead this classifier for 63% of all malware samples. We also present a detailed evaluation of defensive mechanisms previously introduced in the computer vision contexts, including distillation and adversarial training, which show promising results.",

author = "Kathrin Grosse and Nicolas Papernot and Praveen Manoharan and Michael Backes and Patrick McDaniel",

note = "Funding Information: Acknowledgments. Nicolas Papernot is supported by a Google PhD Fellowship in Security. The research leading to these results has received funding from the European Research Council under the European Union{\textquoteright}s Seventh Framework Programme (FP/2007-2013)/ERC Grant Agreement no. 610150. This work was further partially supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0344). This research was also sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes not with standing any copyright notation here on. Publisher Copyright: {\textcopyright} 2017, Springer International Publishing AG.; 22nd European Symposium on Research in Computer Security, ESORICS 2017 ; Conference date: 11-09-2017 Through 15-09-2017",

year = "2017",

doi = "10.1007/978-3-319-66399-9_4",

language = "English (US)",

isbn = "9783319663982",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "62--79",

editor = "Foley, {Simon N.} and Dieter Gollmann and Einar Snekkenes",

booktitle = "Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings",

address = "Germany",

}

Grosse, K, Papernot, N, Manoharan, P, Backes, M & McDaniel, P 2017, Adversarial examples for malware detection. in SN Foley, D Gollmann & E Snekkenes (eds), Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10493 LNCS, Springer Verlag, pp. 62-79, 22nd European Symposium on Research in Computer Security, ESORICS 2017, Oslo, Norway, 9/11/17. https://doi.org/10.1007/978-3-319-66399-9_4

Adversarial examples for malware detection. / Grosse, Kathrin; Papernot, Nicolas; Manoharan, Praveen et al.
Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. ed. / Simon N. Foley; Dieter Gollmann; Einar Snekkenes. Springer Verlag, 2017. p. 62-79 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10493 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Adversarial examples for malware detection

AU - Grosse, Kathrin

AU - Papernot, Nicolas

AU - Manoharan, Praveen

AU - Backes, Michael

AU - McDaniel, Patrick

N1 - Funding Information: Acknowledgments. Nicolas Papernot is supported by a Google PhD Fellowship in Security. The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013)/ERC Grant Agreement no. 610150. This work was further partially supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0344). This research was also sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes not with standing any copyright notation here on. Publisher Copyright: © 2017, Springer International Publishing AG.

PY - 2017

Y1 - 2017

N2 - Machine learning models are known to lack robustness against inputs crafted by an adversary. Such adversarial examples can, for instance, be derived from regular inputs by introducing minor—yet carefully selected—perturbations. In this work, we expand on existing adversarial example crafting algorithms to construct a highly-effective attack that uses adversarial examples against malware detection models. To this end, we identify and overcome key challenges that prevent existing algorithms from being applied against malware detection: our approach operates in discrete and often binary input domains, whereas previous work operated only in continuous and differentiable domains. In addition, our technique guarantees the malware functionality of the adversarially manipulated program. In our evaluation, we train a neural network for malware detection on the DREBIN data set and achieve classification performance matching state-of-the-art from the literature. Using the augmented adversarial crafting algorithm we then manage to mislead this classifier for 63% of all malware samples. We also present a detailed evaluation of defensive mechanisms previously introduced in the computer vision contexts, including distillation and adversarial training, which show promising results.

AB - Machine learning models are known to lack robustness against inputs crafted by an adversary. Such adversarial examples can, for instance, be derived from regular inputs by introducing minor—yet carefully selected—perturbations. In this work, we expand on existing adversarial example crafting algorithms to construct a highly-effective attack that uses adversarial examples against malware detection models. To this end, we identify and overcome key challenges that prevent existing algorithms from being applied against malware detection: our approach operates in discrete and often binary input domains, whereas previous work operated only in continuous and differentiable domains. In addition, our technique guarantees the malware functionality of the adversarially manipulated program. In our evaluation, we train a neural network for malware detection on the DREBIN data set and achieve classification performance matching state-of-the-art from the literature. Using the augmented adversarial crafting algorithm we then manage to mislead this classifier for 63% of all malware samples. We also present a detailed evaluation of defensive mechanisms previously introduced in the computer vision contexts, including distillation and adversarial training, which show promising results.

UR - http://www.scopus.com/inward/record.url?scp=85029485845&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85029485845&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-66399-9_4

DO - 10.1007/978-3-319-66399-9_4

M3 - Conference contribution

AN - SCOPUS:85029485845

SN - 9783319663982

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 62

EP - 79

BT - Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings

A2 - Foley, Simon N.

A2 - Gollmann, Dieter

A2 - Snekkenes, Einar

PB - Springer Verlag

T2 - 22nd European Symposium on Research in Computer Security, ESORICS 2017

Y2 - 11 September 2017 through 15 September 2017

ER -

Grosse K, Papernot N, Manoharan P, Backes M, McDaniel P. Adversarial examples for malware detection. In Foley SN, Gollmann D, Snekkenes E, editors, Computer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings. Springer Verlag. 2017. p. 62-79. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-66399-9_4

Adversarial examples for malware detection

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this