shallow security on the creation of adversarial variants
play

Shallow Security: on the Creation of Adversarial Variants to Evade - PowerPoint PPT Presentation

Aug 17, 2022 •523 likes •1.12k views

REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrcio Ceschin Marcus

  1. REVERSING AND OFFENSIVE-ORIENTED TRENDS SYMPOSIUM 2019 (ROOTS) 28TH TO 29TH NOVEMBER 2019, VIENNA, AUSTRIA Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors Fabrício Ceschin Marcus Botacin Heitor Murilo Gomes Federal University of Paraná, BR Federal University of Paraná, BR University of Waikato, NZ @fabriciojoc @MarcusBotacin www.heitorgomes.com Luiz S. Oliveira André Grégio Federal University of Paraná, BR Federal University of Paraná, BR www.inf.ufpr.br/lesoliveira @abedgregio 1 1

  2. Who am I? Background Research Interests Computer Science Bachelor (Federal Machine Learning applied to ● ● University of Paraná, Brazil, 2015). Security. ● Machine Learning Researcher (Since ● Machine Learning applications: 2015). ○ Data Streams. Computer Science Master (Federal Concept Drift. ● ○ University of Paraná, Brazil, 2017). ○ Adversarial Machine Learning. ● Computer Science PhD Candidate (Federal University of Paraná, Brazil). 2 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  3. Introduction Motivation, the problem, initial concepts and our work. 3

  4. The Problem ● Malware Detection: growing research field. ○ Evolving threats. State-of-the-art: machine learning-based ● approaches. ○ Malware classification in families; ○ Malware detection; ○ Dense volume of data (data stream). Arms Race: attackers VS defenders. ● ○ Both of them have access to ML. 4 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  5. The Problem ● Defenders: developing new classification models to overcome new attacks. Attackers: generating malware variants to exploit the drawbacks of ● ML-based approaches. ● Adversarial Machine Learning: techniques that attempt to fool models by generating malicious inputs. Making a sample from a certain class being classified as another one. ○ ○ Serious problems for some scenarios, like malware detection . 5 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  6. Adversarial Examples 6 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  7. Adversarial Examples ● Image Classification: adversarial image should be similar to the original one and yet be classified as being from another class. Malware Detection: adversarial malware should ● behave the same and yet be classified as goodware . ● Challenge: automatically generating a fully functional adversarial malware may be difficult. ○ Any modification can make it behave different or not work. 7 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  8. Our Work: How did everything start? ● Machine Learning Static Evasion Competition: modify fifty malicious binaries to evade up to three open source malware models. ● Modified malware samples must retain their original functionality . The prize: NVIDIA Titan-RTX. ● 8 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  9. Our Work: What did we do? ● We bypassed all the three models creating modified versions of the 50 samples originally provided by the organizers. Implemented an automatic exploitation method to create these samples. ● Adversarial samples also bypassed real anti-viruses as well. ● ● Objective: investigate models robustness against adversarial samples. ● Results: models have severe weaknesses so that they can be easily bypassed by attackers motivated to exploit real systems. ○ Insights that we consider important to be shared with the community. 9 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  10. The Challenge Rules, dataset and models. 10

  11. The Challenge: How did it work? Fifty binaries are classified by three ● distinct ML models. ● Each bypassed model for each binary accounts for one point ( 150 points in total). All binaries are executed on a ● sandboxed environment and must produce the same Indicators of Compromise as the original ones. Our team figured among the ● top-scorer participants. ○ Second position! 11 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  12. Dataset: Original Malware Samples ● Fifty PE (Portable Executable) samples of varied malware families for Microsoft Windows. Diversified approaches to ○ bypass sample’s detection. ● VirusTotal & AVClass: 21 malware families. ● Real malware samples executed in sandboxed environments. 12 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  13. Corvus: Our Malware Analysis Platform 13 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  14. Corvus: Report Example 14 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  15. Machine Learning Models: LightGBM ● Gradient boosting decision tree using a feature matrix as input. Hashing trick and histograms ● Goodware Malware based on binary files characteristics (PE header Feature information, file size, Output Input Classification Extraction timestamp, imported libraries, strings, etc). 15 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  16. Machine Learning Models: MalConv ● End-to-end deep learning model using raw bytes as input. Representation of the input using an ● Goodware Malware 8-dimensional embedding (autoencoder). Feature Extraction ● Gated 1D convolution layer, followed by Input Output + Classification a fully connected layer of 128 units. Softmax output for each class. ● 16 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  17. Machine Learning Models: Non-Negative MalConv ● Identical structure to MalConv. ● Only non-negative weights: force the model to look only for malicious Goodware Malware evidences rather than looking for both malicious and benign ones. Feature Extraction Input Output + Classification 17 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  18. Dataset used to Train the Models ● Ember 2018 dataset. ● Benchmark for researchers. 1.1M Portable Executable (PE) ● binary files: ○ 900K training samples; 200K testing samples. ○ ● Open Source dataset: ○ https://github.com/ endgameinc/ember 18 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  19. Corvus: Classifying Samples Submitted Using Machine Learning Models 19 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  20. Biased Models? ● How does these models perform when classifying files of a pristine Windows installation? Raw data: high False Positive Rate (FPR) when handling benign data. ● False Positive Rate (FPR) FileType MalConv Non-Neg. MalConv LightGBM EXEs 71.21% 87.72% 0.00% DLLs 56.40% 80.55% 0.00% 20 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  21. Model’s Weaknesses Series of experiments to identify model’s weaknesses. 21

  22. Appending Random Data ● Generating growing chunks of random data, up to the limit of 5MB defined by the challenge. ○ MalConv, based on raw data, is more susceptible to this strategy. ○ Severe for chunks greater than 1MB. ○ Some features and models might be more robust than others. ○ Non-Neg. MalConv and LightGBM were not so affected. 22 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  23. Appending Goodware Strings ● Retrieving strings presented by goodware files and appending them to malware binaries. ● All models are significantly affected when 10K+ strings are appended. ● Result holds true even for the model that also considers PE data (LightGBM), which was more robust in the previous experiment. 23 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  24. Changing Binary Headers ● Replacing header fields of malware binaries with values from a goodware. Version numbers and checksums. ○ ● Decision took by Microsoft when implementing loader: ignores fields. Bypassed only six samples. ● Model based on PE features learned ● other characteristics than header values. 24 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

  25. Packing and Unpacking samples with UPX ● UPX compresses entire PE into other PE sections, changing the external PE binary’s aspect. Evaluated by packing and unpacking the provided binary samples. ● Classifiers easily bypassed when appending strings to UPX- extracted ● payloads, but not when directly appended to the UPX- packed payloads. ● Bias against UPX packer: any UPX-packed file is considered malicious. Evaluation: randomly picking 150 UPX-packed and 150 non-packed ● samples from malshare database and classified them. 25 Introduction The Challenge Model’s Weaknesses Automatic Exploitation Discussion Conclusion

Recommend

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Creation of Adversarial Accounting Records to Attack Financial Statement Audits A research

Creation of Adversarial Accounting Records to Attack Financial Statement Audits A research

University of St. Gallen Creation of Adversarial Accounting Records to Attack Financial Statement Audits A research collaboration between the HSG, DFKI and PwC NVIDIAs GPU Technology Conference March, 20 th 2019 M. Schreyer 1,2 , T. Sattarov

1.07k views • 58 slides
Adversarial AI in Cyber Security WHO AM I

Adversarial AI in Cyber Security WHO AM I

Adversarial AI in Cyber Security WHO AM I Join Trend Micro on 2009 Infra Developer Threat Researcher Machine Learning Researcher Join XGen ML project on 2015 Now leading

686 views • 35 slides
Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A

Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A

ITU-T Workshop on Security, Seoul Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A Case Study for User Identification --- 14 May 2002 Tsutomu Matsumoto Graduate School of Environment and Information

619 views • 33 slides
Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource

Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource

Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource Allocation David Ros Insua, Royal Academy Cesar Gil, U. Rey Juan Carlos Jess Ros, IBM Research YH COST Smart Cities Wshop Paris, September

507 views • 22 slides
Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we consider here, just like in consensus, the processes need to make consistent decisions, such as agreeing on one common value. Most of the

590 views • 35 slides
Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future

Defense Against the Dark Arts: An overview of adversarial example security research and future research directions Ian Goodfellow, Sta ff Research Scientist, Google Brain 1st IEEE Deep Learning and Security Workshop, May 24, 2018 This document

726 views • 36 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

540 views • 50 slides
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples Anish Athalye* 1 , Nicholas Carlini * 2 , and David Wagner 3 1 Massachusetts Institute of Technology 2 University of California, Berkeley (now

1.13k views • 67 slides
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan

Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan

Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B),

448 views • 31 slides
Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness Robustness of a mathematical object (such as proof, definition, algorithm, method, etc.) is measured by its invariance to certain changes To prove that a

944 views • 49 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
Shrinking and Exploring David Evans University of Virginia Adversarial Search Spaces ARO

Shrinking and Exploring David Evans University of Virginia Adversarial Search Spaces ARO

evadeML. L.org Shrinking and Exploring David Evans University of Virginia Adversarial Search Spaces ARO Workshop on Adversarial Learning Stanford, 14 Sept 2017 Weilin Xu Yanjun Qi Machine Learning is Eating Computer Science 1 Security

552 views • 54 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
A D V E R S A R I A L A P P R O A C H T O I M P R O V E D E T E C T I O N C A P A B I L I T I

A D V E R S A R I A L A P P R O A C H T O I M P R O V E D E T E C T I O N C A P A B I L I T I

A D V E R S A R I A L A P P R O A C H T O I M P R O V E D E T E C T I O N C A P A B I L I T I E S Massimo Bozza Ethical Hacker Senior Security Engineer @maxbozza Pietro Romano Principal Security Engineer @tribal_sec AGENDA Adversarial

714 views • 57 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea GRASTA 2014 Joint work with Hans Bodlaender, Vincent Kreuzen, Stefan Kratsch and Seongmin Ok 1 / 22 On the variants

756 views • 31 slides
On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK

On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK

On Variants of Modified Bar Recursion On Variants of Modified Bar Recursion Paulo Oliva Queen Mary, University of London, UK (pbo@dcs.qmul.ac.uk) (Joint work with Mart n Escard o) Domains IX, Brighton 22 September 2008 On Variants of

744 views • 27 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides

More recommend