Countermeasures Against Backdoor Attacks Towards Malware Detectors

Shintaro Narisada, Yuki Matsumoto, Seira Hidano, Toshihiro Uchibayashi, Takuo Suganuma, Masahiro Hiji, Shinsaku Kiyomoto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 citations (Scopus)


Attacks on machine learning systems have been systematized under the name adversarial machine learning, and a wide variety of attack algorithms continue to be studied. In the malware classification problem, several papers have demonstrated the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data so that the model trained on it misclassifies specific (or unspecified) inputs. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space against malware detectors, injecting the poison into the actual binary files during the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% poisoned data carrying a backdoor in approximately 2% of the entire feature set. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders under a realistic threat model in which the defender has access only to the contaminated training data. Instead of using autoencoders as anomaly detectors, we replace all potentially attackable dimensions with surrogate data generated by autoencoders. Our experiments show that this autoencoder-based replacement significantly reduces the attack success rate while maintaining high prediction accuracy on clean data. Our results suggest a new role for autoencoders as a countermeasure against poisoning attacks.

Host publication title: Cryptology and Network Security - 20th International Conference, CANS 2021, Proceedings
Editors: Mauro Conti, Marc Stevens, Stephan Krenn
Publisher: Springer Science and Business Media Deutschland GmbH
Publication status: Published - 2021
Event: 20th International Conference on Cryptology and Network Security, CANS 2021 - Virtual, Online
Duration: December 13, 2021 to December 15, 2021


Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
13099 LNCS


Conference: 20th International Conference on Cryptology and Network Security, CANS 2021
City: Virtual, Online

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

