Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Detection Models

Title: Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Detection Models
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Stokes, J. W., Wang, D., Marinescu, M., Marino, M., Bussone, B.
Conference Name: MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)
ISBN Number: 978-1-5386-7185-6
Keywords: adversarial attacks, adversarial learning, adversarial learning-based attacks, adversarial neural malware detection models, anti-malware companies, anti-malware engine, classification algorithm, computer security, crafting adversarial samples, Deep Learning, deep learning classification systems, deep learning-based systems, dynamic analysis-based, Dynamic Malware Classification, Engines, Human Behavior, invasive software, Jacobian matrices, learning (artificial intelligence), Malware, malware analysis, malware classification accuracy, malware detection, Metrics, Neural networks, pattern classification, program diagnostics, pubcrawl, Resiliency, static analysis-based malware classifiers, Training

Recently, researchers have proposed using deep learning-based systems for malware detection. Unfortunately, all deep learning classification systems are vulnerable to adversarial learning-based attacks, or adversarial attacks, where miscreants can evade detection by the classification algorithm with very few perturbations of the input data. Previous work has studied adversarial attacks against static analysis-based malware classifiers, which classify only the content of an unknown file without executing it. However, since the majority of malware is either packed or encrypted, malware classification based on static analysis often fails to detect these types of files. To overcome this limitation, anti-malware companies typically perform dynamic analysis, either by emulating each file in the anti-malware engine or by performing in-depth scanning in a virtual machine. These strategies allow the malware to be analyzed after unpacking or decryption. In this work, we study different strategies for crafting adversarial samples for dynamic analysis. These strategies operate on sparse, binary inputs, in contrast to continuous inputs such as pixels in images. We then study the effects of two previously proposed defensive mechanisms against crafted adversarial samples: the distillation and ensemble defenses. We also propose and evaluate the weight decay defense. Experiments show that all three defenses reduce the number of successfully crafted adversarial samples compared to an unprotected baseline system; in particular, the ensemble defense is the most resilient to adversarial attacks. Importantly, none of the defenses significantly reduces the classification accuracy for detecting malware. Finally, we show that while adding hidden layers to the neural models does not significantly improve malware classification accuracy, it does significantly increase the classifier's robustness to adversarial attacks.
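The weight decay defense mentioned in the abstract amounts to adding an L2 penalty on the model's weights during training. The sketch below is not the paper's implementation; it is a minimal illustration, assuming a toy logistic-regression classifier and synthetic sparse binary features standing in for dynamic-analysis events, of why shrinking the weights limits how much flipping any single binary input feature can move the classifier's score.

```python
import numpy as np

def train_logreg(X, y, epochs=200, lr=0.1, weight_decay=0.0, seed=0):
    """Train logistic regression by gradient descent.

    weight_decay adds the gradient of an L2 penalty (weight_decay * w),
    shrinking the weights toward zero each step.
    """
    rng = np.random.default_rng(seed)
    w = rng.normal(scale=0.01, size=X.shape[1])
    b = 0.0
    for _ in range(epochs):
        p = 1.0 / (1.0 + np.exp(-(X @ w + b)))        # sigmoid scores
        grad_w = X.T @ (p - y) / len(y) + weight_decay * w
        grad_b = np.mean(p - y)
        w -= lr * grad_w
        b -= lr * grad_b
    return w, b

# Hypothetical toy data: sparse 0/1 feature vectors (most entries zero),
# loosely mimicking the sparse binary inputs described in the abstract.
rng = np.random.default_rng(1)
X = (rng.random((256, 64)) < 0.05).astype(float)
y = ((X @ rng.normal(size=64)) > 0).astype(float)

w_plain, _ = train_logreg(X, y, weight_decay=0.0)
w_decay, _ = train_logreg(X, y, weight_decay=0.1)

# With decay the weight norm is smaller, so flipping one binary feature
# changes the pre-sigmoid score by at most max|w_i| -- a smaller amount.
print(np.linalg.norm(w_decay) < np.linalg.norm(w_plain))
```

Since each adversarial perturbation of a binary input flips a feature from 0 to 1 (or back), the score change from one flip is bounded by the corresponding weight's magnitude; keeping weights small therefore forces an attacker to modify more features to cross the decision boundary.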

Citation Key: stokes_attack_2018