Stronger targeted poisoning attacks against malware detection

Shintaro Narisada; Shoichiro Sasaki; Seira Hidano; Toshihiro Uchibayashi; Takuo Suganuma; Masahiro Hiji; Shinsaku Kiyomoto

doi:10.1007/978-3-030-65411-5_4

Stronger targeted poisoning attacks against malware detection

Shintaro Narisada, Shoichiro Sasaki, Seira Hidano, Toshihiro Uchibayashi, Takuo Suganuma, Masahiro Hiji, Shinsaku Kiyomoto

Section of Applied Data Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Attacks on machine learning systems such as malware detectors and recommendation systems are becoming a major threat. Data poisoning attacks are the primary method used; they inject a small amount of poisoning points into a training set of the machine learning model, aiming to degrade the overall accuracy of the model. Targeted data poisoning is a variant of data poisoning attacks that injects malicious data into the model to cause a misclassification of the targeted input data while keeping almost the same overall accuracy as the unpoisoned model. Sasaki et al. first applied targeted data poisoning to malware detection and proposed an algorithm to generate poisoning points to misclassify targeted malware as goodware. Their algorithm achieved 85 % an attack success rate by adding 15 % poisoning points for malware dataset with continuous variables while restricting the increase in the test error on nontargeted data to at most 10 %. In this paper, we consider common defensive methods called data sanitization defenses, against targeted data poisoning and propose a defense-aware attack algorithm. Moreover, we propose a stronger targeted poisoning algorithm based on the theoretical analysis of the optimal attack strategy proposed by Steinhardt et al. The computational cost of our algorithm is much less than that of existing targeted poisoning algorithms. As a result, our new algorithm achieves a 91 % attack success rate for malware dataset with continuous variables by adding the same 15 % poisoning points and is approximately 10³ times faster in terms of the computational time needed to generate poison data than Sasaki’s algorithm.

Original language	English
Title of host publication	Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings
Editors	Stephan Krenn, Haya Shulman, Serge Vaudenay
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	65-84
Number of pages	20
ISBN (Print)	9783030654108
DOIs	https://doi.org/10.1007/978-3-030-65411-5_4
Publication status	Published - 2020
Event	19th International Conference on Cryptology and Network Security, CANS 2020 - Vienna, Austria Duration: Dec 14 2020 → Dec 16 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12579 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	19th International Conference on Cryptology and Network Security, CANS 2020
Country/Territory	Austria
City	Vienna
Period	12/14/20 → 12/16/20

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-65411-5_4

Cite this

Narisada, S., Sasaki, S., Hidano, S., Uchibayashi, T., Suganuma, T., Hiji, M., & Kiyomoto, S. (2020). Stronger targeted poisoning attacks against malware detection. In S. Krenn, H. Shulman, & S. Vaudenay (Eds.), Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings (pp. 65-84). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12579 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-65411-5_4

Stronger targeted poisoning attacks against malware detection. / Narisada, Shintaro; Sasaki, Shoichiro; Hidano, Seira et al.
Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. ed. / Stephan Krenn; Haya Shulman; Serge Vaudenay. Springer Science and Business Media Deutschland GmbH, 2020. p. 65-84 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12579 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Narisada, S, Sasaki, S, Hidano, S, Uchibayashi, T, Suganuma, T, Hiji, M & Kiyomoto, S 2020, Stronger targeted poisoning attacks against malware detection. in S Krenn, H Shulman & S Vaudenay (eds), Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12579 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 65-84, 19th International Conference on Cryptology and Network Security, CANS 2020, Vienna, Austria, 12/14/20. https://doi.org/10.1007/978-3-030-65411-5_4

Narisada S, Sasaki S, Hidano S, Uchibayashi T, Suganuma T, Hiji M et al. Stronger targeted poisoning attacks against malware detection. In Krenn S, Shulman H, Vaudenay S, editors, Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. Springer Science and Business Media Deutschland GmbH. 2020. p. 65-84. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-65411-5_4

Narisada, Shintaro ; Sasaki, Shoichiro ; Hidano, Seira et al. / Stronger targeted poisoning attacks against malware detection. Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. editor / Stephan Krenn ; Haya Shulman ; Serge Vaudenay. Springer Science and Business Media Deutschland GmbH, 2020. pp. 65-84 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{0c0838932a854db3b180798c8173c513,

title = "Stronger targeted poisoning attacks against malware detection",

abstract = "Attacks on machine learning systems such as malware detectors and recommendation systems are becoming a major threat. Data poisoning attacks are the primary method used; they inject a small amount of poisoning points into a training set of the machine learning model, aiming to degrade the overall accuracy of the model. Targeted data poisoning is a variant of data poisoning attacks that injects malicious data into the model to cause a misclassification of the targeted input data while keeping almost the same overall accuracy as the unpoisoned model. Sasaki et al. first applied targeted data poisoning to malware detection and proposed an algorithm to generate poisoning points to misclassify targeted malware as goodware. Their algorithm achieved 85 % an attack success rate by adding 15 % poisoning points for malware dataset with continuous variables while restricting the increase in the test error on nontargeted data to at most 10 %. In this paper, we consider common defensive methods called data sanitization defenses, against targeted data poisoning and propose a defense-aware attack algorithm. Moreover, we propose a stronger targeted poisoning algorithm based on the theoretical analysis of the optimal attack strategy proposed by Steinhardt et al. The computational cost of our algorithm is much less than that of existing targeted poisoning algorithms. As a result, our new algorithm achieves a 91 % attack success rate for malware dataset with continuous variables by adding the same 15 % poisoning points and is approximately 103 times faster in terms of the computational time needed to generate poison data than Sasaki{\textquoteright}s algorithm.",

author = "Shintaro Narisada and Shoichiro Sasaki and Seira Hidano and Toshihiro Uchibayashi and Takuo Suganuma and Masahiro Hiji and Shinsaku Kiyomoto",

note = "Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2020.; 19th International Conference on Cryptology and Network Security, CANS 2020 ; Conference date: 14-12-2020 Through 16-12-2020",

year = "2020",

doi = "10.1007/978-3-030-65411-5_4",

language = "English",

isbn = "9783030654108",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "65--84",

editor = "Stephan Krenn and Haya Shulman and Serge Vaudenay",

booktitle = "Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings",

address = "Germany",

}

TY - GEN

T1 - Stronger targeted poisoning attacks against malware detection

AU - Narisada, Shintaro

AU - Sasaki, Shoichiro

AU - Hidano, Seira

AU - Uchibayashi, Toshihiro

AU - Suganuma, Takuo

AU - Hiji, Masahiro

AU - Kiyomoto, Shinsaku

PY - 2020

Y1 - 2020

N2 - Attacks on machine learning systems such as malware detectors and recommendation systems are becoming a major threat. Data poisoning attacks are the primary method used; they inject a small amount of poisoning points into a training set of the machine learning model, aiming to degrade the overall accuracy of the model. Targeted data poisoning is a variant of data poisoning attacks that injects malicious data into the model to cause a misclassification of the targeted input data while keeping almost the same overall accuracy as the unpoisoned model. Sasaki et al. first applied targeted data poisoning to malware detection and proposed an algorithm to generate poisoning points to misclassify targeted malware as goodware. Their algorithm achieved 85 % an attack success rate by adding 15 % poisoning points for malware dataset with continuous variables while restricting the increase in the test error on nontargeted data to at most 10 %. In this paper, we consider common defensive methods called data sanitization defenses, against targeted data poisoning and propose a defense-aware attack algorithm. Moreover, we propose a stronger targeted poisoning algorithm based on the theoretical analysis of the optimal attack strategy proposed by Steinhardt et al. The computational cost of our algorithm is much less than that of existing targeted poisoning algorithms. As a result, our new algorithm achieves a 91 % attack success rate for malware dataset with continuous variables by adding the same 15 % poisoning points and is approximately 103 times faster in terms of the computational time needed to generate poison data than Sasaki’s algorithm.

AB - Attacks on machine learning systems such as malware detectors and recommendation systems are becoming a major threat. Data poisoning attacks are the primary method used; they inject a small amount of poisoning points into a training set of the machine learning model, aiming to degrade the overall accuracy of the model. Targeted data poisoning is a variant of data poisoning attacks that injects malicious data into the model to cause a misclassification of the targeted input data while keeping almost the same overall accuracy as the unpoisoned model. Sasaki et al. first applied targeted data poisoning to malware detection and proposed an algorithm to generate poisoning points to misclassify targeted malware as goodware. Their algorithm achieved 85 % an attack success rate by adding 15 % poisoning points for malware dataset with continuous variables while restricting the increase in the test error on nontargeted data to at most 10 %. In this paper, we consider common defensive methods called data sanitization defenses, against targeted data poisoning and propose a defense-aware attack algorithm. Moreover, we propose a stronger targeted poisoning algorithm based on the theoretical analysis of the optimal attack strategy proposed by Steinhardt et al. The computational cost of our algorithm is much less than that of existing targeted poisoning algorithms. As a result, our new algorithm achieves a 91 % attack success rate for malware dataset with continuous variables by adding the same 15 % poisoning points and is approximately 103 times faster in terms of the computational time needed to generate poison data than Sasaki’s algorithm.

UR - http://www.scopus.com/inward/record.url?scp=85098241781&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85098241781&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-65411-5_4

DO - 10.1007/978-3-030-65411-5_4

M3 - Conference contribution

AN - SCOPUS:85098241781

SN - 9783030654108

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 65

EP - 84

BT - Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings

A2 - Krenn, Stephan

A2 - Shulman, Haya

A2 - Vaudenay, Serge

PB - Springer Science and Business Media Deutschland GmbH

T2 - 19th International Conference on Cryptology and Network Security, CANS 2020

Y2 - 14 December 2020 through 16 December 2020

ER -

Stronger targeted poisoning attacks against malware detection

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this