Countermeasures Against Backdoor Attacks Towards Malware Detectors

Shintaro Narisada; Yuki Matsumoto; Seira Hidano; Toshihiro Uchibayashi; Takuo Suganuma; Masahiro Hiji; Shinsaku Kiyomoto

doi:10.1007/978-3-030-92548-2_16

Countermeasures Against Backdoor Attacks Towards Malware Detectors

Shintaro Narisada, Yuki Matsumoto, Seira Hidano, Toshihiro Uchibayashi, Takuo Suganuma, Masahiro Hiji, Shinsaku Kiyomoto

Section of Applied Data Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied until today. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data, and the model learns from the poisoned training data to cause misclassification of specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space towards malware detectors by injecting poison into the actual binary files in the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% of the poison data to approximately 2% of the entire features with a backdoor. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders in a realistic threat model such that a defender is available for the contaminated training data only. We replaced all potentially attackable dimensions with surrogate data generated by autoencoders instead of using autoencoders as anomaly detectors. The results of our experiments show that we succeeded in significantly reducing the attack success rate while maintaining the high prediction accuracy of the clean data using replacement with the autoencoder. Our results suggest a new possibility of autoencoders as a countermeasure against poisoning attacks.

Original language	English
Title of host publication	Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings
Editors	Mauro Conti, Marc Stevens, Stephan Krenn
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	295-314
Number of pages	20
ISBN (Print)	9783030925475
DOIs	https://doi.org/10.1007/978-3-030-92548-2_16
Publication status	Published - 2021
Event	20th International Conference on Cryptology and Network Security, CANS 2021 - Virtual, Online Duration: Dec 13 2021 → Dec 15 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13099 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th International Conference on Cryptology and Network Security, CANS 2021
City	Virtual, Online
Period	12/13/21 → 12/15/21

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-92548-2_16

Cite this

Narisada, S., Matsumoto, Y., Hidano, S., Uchibayashi, T., Suganuma, T., Hiji, M., & Kiyomoto, S. (2021). Countermeasures Against Backdoor Attacks Towards Malware Detectors. In M. Conti, M. Stevens, & S. Krenn (Eds.), Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings (pp. 295-314). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13099 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-92548-2_16

Countermeasures Against Backdoor Attacks Towards Malware Detectors. / Narisada, Shintaro; Matsumoto, Yuki; Hidano, Seira et al.
Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings. ed. / Mauro Conti; Marc Stevens; Stephan Krenn. Springer Science and Business Media Deutschland GmbH, 2021. p. 295-314 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13099 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Narisada, S, Matsumoto, Y, Hidano, S, Uchibayashi, T, Suganuma, T, Hiji, M & Kiyomoto, S 2021, Countermeasures Against Backdoor Attacks Towards Malware Detectors. in M Conti, M Stevens & S Krenn (eds), Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13099 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 295-314, 20th International Conference on Cryptology and Network Security, CANS 2021, Virtual, Online, 12/13/21. https://doi.org/10.1007/978-3-030-92548-2_16

Narisada S, Matsumoto Y, Hidano S, Uchibayashi T, Suganuma T, Hiji M et al. Countermeasures Against Backdoor Attacks Towards Malware Detectors. In Conti M, Stevens M, Krenn S, editors, Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 295-314. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-92548-2_16

Narisada, Shintaro ; Matsumoto, Yuki ; Hidano, Seira et al. / Countermeasures Against Backdoor Attacks Towards Malware Detectors. Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings. editor / Mauro Conti ; Marc Stevens ; Stephan Krenn. Springer Science and Business Media Deutschland GmbH, 2021. pp. 295-314 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{20ffbdde873b4252871e44cad6fc2113,

title = "Countermeasures Against Backdoor Attacks Towards Malware Detectors",

abstract = "Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied until today. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data, and the model learns from the poisoned training data to cause misclassification of specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space towards malware detectors by injecting poison into the actual binary files in the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% of the poison data to approximately 2% of the entire features with a backdoor. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders in a realistic threat model such that a defender is available for the contaminated training data only. We replaced all potentially attackable dimensions with surrogate data generated by autoencoders instead of using autoencoders as anomaly detectors. The results of our experiments show that we succeeded in significantly reducing the attack success rate while maintaining the high prediction accuracy of the clean data using replacement with the autoencoder. Our results suggest a new possibility of autoencoders as a countermeasure against poisoning attacks.",

author = "Shintaro Narisada and Yuki Matsumoto and Seira Hidano and Toshihiro Uchibayashi and Takuo Suganuma and Masahiro Hiji and Shinsaku Kiyomoto",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 20th International Conference on Cryptology and Network Security, CANS 2021 ; Conference date: 13-12-2021 Through 15-12-2021",

year = "2021",

doi = "10.1007/978-3-030-92548-2_16",

language = "English",

isbn = "9783030925475",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "295--314",

editor = "Mauro Conti and Marc Stevens and Stephan Krenn",

booktitle = "Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings",

address = "Germany",

}

TY - GEN

T1 - Countermeasures Against Backdoor Attacks Towards Malware Detectors

AU - Narisada, Shintaro

AU - Matsumoto, Yuki

AU - Hidano, Seira

AU - Uchibayashi, Toshihiro

AU - Suganuma, Takuo

AU - Hiji, Masahiro

AU - Kiyomoto, Shinsaku

PY - 2021

Y1 - 2021

N2 - Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied until today. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data, and the model learns from the poisoned training data to cause misclassification of specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space towards malware detectors by injecting poison into the actual binary files in the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% of the poison data to approximately 2% of the entire features with a backdoor. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders in a realistic threat model such that a defender is available for the contaminated training data only. We replaced all potentially attackable dimensions with surrogate data generated by autoencoders instead of using autoencoders as anomaly detectors. The results of our experiments show that we succeeded in significantly reducing the attack success rate while maintaining the high prediction accuracy of the clean data using replacement with the autoencoder. Our results suggest a new possibility of autoencoders as a countermeasure against poisoning attacks.

AB - Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied until today. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data, and the model learns from the poisoned training data to cause misclassification of specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space towards malware detectors by injecting poison into the actual binary files in the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% of the poison data to approximately 2% of the entire features with a backdoor. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders in a realistic threat model such that a defender is available for the contaminated training data only. We replaced all potentially attackable dimensions with surrogate data generated by autoencoders instead of using autoencoders as anomaly detectors. The results of our experiments show that we succeeded in significantly reducing the attack success rate while maintaining the high prediction accuracy of the clean data using replacement with the autoencoder. Our results suggest a new possibility of autoencoders as a countermeasure against poisoning attacks.

UR - http://www.scopus.com/inward/record.url?scp=85121905171&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85121905171&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-92548-2_16

DO - 10.1007/978-3-030-92548-2_16

M3 - Conference contribution

AN - SCOPUS:85121905171

SN - 9783030925475

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 295

EP - 314

BT - Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings

A2 - Conti, Mauro

A2 - Stevens, Marc

A2 - Krenn, Stephan

PB - Springer Science and Business Media Deutschland GmbH

T2 - 20th International Conference on Cryptology and Network Security, CANS 2021

Y2 - 13 December 2021 through 15 December 2021

ER -

Countermeasures Against Backdoor Attacks Towards Malware Detectors

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this