TY - GEN
T1 - Countermeasures Against Backdoor Attacks Towards Malware Detectors
AU - Narisada, Shintaro
AU - Matsumoto, Yuki
AU - Hidano, Seira
AU - Uchibayashi, Toshihiro
AU - Suganuma, Takuo
AU - Hiji, Masahiro
AU - Kiyomoto, Shinsaku
N1 - Publisher Copyright:
© 2021, Springer Nature Switzerland AG.
PY - 2021
Y1 - 2021
N2 - Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied to date. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is a technique in which an attacker mixes poisoned data into the training data, so that the model trained on it misclassifies specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space against malware detectors, injecting poison into the actual binary files during the data accumulation phase. They achieved an attack success rate of more than 90% by adding poisoned samples amounting to only 1% of the training data, with the backdoor embedded in approximately 2% of the features. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders under a realistic threat model in which the defender has access only to the contaminated training data. Rather than using autoencoders as anomaly detectors, we replace all potentially attackable dimensions with surrogate data generated by the autoencoders. Our experimental results show that this replacement significantly reduces the attack success rate while maintaining high prediction accuracy on clean data. These results suggest a new role for autoencoders as a countermeasure against poisoning attacks.
AB - Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied to date. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is a technique in which an attacker mixes poisoned data into the training data, so that the model trained on it misclassifies specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space against malware detectors, injecting poison into the actual binary files during the data accumulation phase. They achieved an attack success rate of more than 90% by adding poisoned samples amounting to only 1% of the training data, with the backdoor embedded in approximately 2% of the features. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders under a realistic threat model in which the defender has access only to the contaminated training data. Rather than using autoencoders as anomaly detectors, we replace all potentially attackable dimensions with surrogate data generated by the autoencoders. Our experimental results show that this replacement significantly reduces the attack success rate while maintaining high prediction accuracy on clean data. These results suggest a new role for autoencoders as a countermeasure against poisoning attacks.
UR - http://www.scopus.com/inward/record.url?scp=85121905171&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85121905171&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-92548-2_16
DO - 10.1007/978-3-030-92548-2_16
M3 - Conference contribution
AN - SCOPUS:85121905171
SN - 9783030925475
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 295
EP - 314
BT - Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings
A2 - Conti, Mauro
A2 - Stevens, Marc
A2 - Krenn, Stephan
PB - Springer Science and Business Media Deutschland GmbH
T2 - 20th International Conference on Cryptology and Network Security, CANS 2021
Y2 - 13 December 2021 through 15 December 2021
ER -