Feature Conservation in Adversarial Classifier Evasion: A Case Study

Machine learning is widely used in security applications, particularly in the form of statistical classification aimed at distinguishing benign from malicious entities. Recent research has shown that such classifiers are often vulnerable to evasion attacks, whereby adversaries change behavior to be categorized as benign while preserving malicious functionality. Research into evasion attacks has followed two paradigms: attacks in problem space, where the actual malicious instance is modified, and attacks in feature space, where the attack is abstracted into modifying numerical features of an instance to evade a classifier. In contrast, research into designing evasion-robust classifiers generally relies on feature space attack models. We make several contributions to address this gap, using PDF malware detection as a case study. First, we present a systematic retraining procedure which uses an automated problem space attack generator to design a more robust PDF malware detector. Second, we demonstrate that replacing problem space attacks with feature space attacks dramatically reduces the robustness of the resulting classifier, severely undermining feature space defense methods to date. Third, we demonstrate the existence of conserved (or invariant) features, and show how these can be leveraged to design evasionrobust classifiers that are nearly as effective, and far more efficient, than those relying on the problem space attack. Finally, we present a general approach for identifying conserved features.

[1]  Fabio Roli,et al.  Secure Kernel Machines against Evasion Attacks , 2016, AISec@CCS.

[2]  J. Doug Tygar,et al.  Evasion and Hardening of Tree Ensemble Classifiers , 2015, ICML.

[3]  Fabio Roli,et al.  Security Evaluation of Pattern Classifiers under Attack , 2014, IEEE Transactions on Knowledge and Data Engineering.

[4]  Patrick D. McDaniel,et al.  Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples , 2016, ArXiv.

[5]  Ling Huang,et al.  Query Strategies for Evading Convex-Inducing Classifiers , 2010, J. Mach. Learn. Res..

[6]  Ling Huang,et al.  Classifier Evasion: Models and Open Problems , 2010, PSDML.

[7]  Christopher Meek,et al.  Adversarial learning , 2005, KDD '05.

[8]  Bhavani M. Thuraisingham,et al.  Adversarial support vector machine learning , 2012, KDD.

[9]  Patrick D. McDaniel,et al.  Adversarial Perturbations Against Deep Neural Networks for Malware Classification , 2016, ArXiv.

[10]  Alexander J. Smola,et al.  Convex Learning with Invariances , 2007, NIPS.

[11]  Jonathon Shlens,et al.  Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[12]  Xiaojin Zhu,et al.  Using Machine Teaching to Identify Optimal Training-Set Attacks on Machine Learners , 2015, AAAI.

[13]  Ling Huang,et al.  Near-Optimal Evasion of Convex-Inducing Classifiers , 2010, AISTATS.

[14]  Pedro M. Domingos,et al.  Adversarial classification , 2004, KDD.

[15]  Blaine Nelson,et al.  Can machine learning be secure? , 2006, ASIACCS '06.

[16]  Yevgeniy Vorobeychik,et al.  Optimal randomized classification in adversarial settings , 2014, AAMAS.

[17]  Shie Mannor,et al.  Robust Regression and Lasso , 2008, IEEE Transactions on Information Theory.

[18]  Wenke Lee,et al.  Polymorphic Blending Attacks , 2006, USENIX Security Symposium.

[19]  Pavel Laskov,et al.  Hidost: a static machine-learning-based detector of malicious files , 2016, EURASIP J. Inf. Secur..

[20]  Pavel Laskov,et al.  Practical Evasion of a Learning-Based Classifier: A Case Study , 2014, 2014 IEEE Symposium on Security and Privacy.

[21]  Christos H. Papadimitriou,et al.  Strategic Classification , 2015, ITCS.

[22]  Yevgeniy Vorobeychik,et al.  Feature Cross-Substitution in Adversarial Classification , 2014, NIPS.

[23]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[24]  Yanjun Qi,et al.  Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers , 2016, NDSS.

[25]  M. Elhefnawi,et al.  Identification of novel conserved functional motifs across most Influenza A viral strains , 2011, Virology Journal.

[26]  Tobias Scheffer,et al.  Static prediction games for adversarial learning problems , 2012, J. Mach. Learn. Res..

[27]  Pavel Laskov,et al.  Detection of Malicious PDF Files Based on Hierarchical Document Structure , 2013, NDSS.

[28]  Patrick P. K. Chan,et al.  Adversarial Feature Selection Against Evasion Attacks , 2016, IEEE Transactions on Cybernetics.

[29]  Dale Schuurmans,et al.  Learning with a Strong Adversary , 2015, ArXiv.

[30]  Giorgio Giacinto,et al.  Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection , 2013, ASIA CCS '13.

[31]  Samy Bengio,et al.  Adversarial examples in the physical world , 2016, ICLR.

[32]  Lujo Bauer,et al.  Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition , 2016, CCS.

[33]  Fabio Roli,et al.  Evasion Attacks against Machine Learning at Test Time , 2013, ECML/PKDD.

[34]  Yevgeniy Vorobeychik,et al.  A General Retraining Framework for Scalable Adversarial Classification , 2016, ArXiv.

[35]  Tobias Scheffer,et al.  Stackelberg games for adversarial prediction problems , 2011, KDD.

[36]  Shie Mannor,et al.  Robustness and Regularization of Support Vector Machines , 2008, J. Mach. Learn. Res..