Title | Data Sanitization Approach to Mitigate Clean-Label Attacks Against Malware Detection Systems |
Publication Type | Conference Paper |
Year of Publication | 2022 |
Authors | Ho, Samson; Reddy, Achyut; Venkatesan, Sridhar; Izmailov, Rauf; Chadha, Ritu; Oprea, Alina |
Conference Name | MILCOM 2022 - 2022 IEEE Military Communications Conference (MILCOM) |
Keywords | adversarial learning, ART, composability, compositionality, data integrity, Data Sanitization, Intrusion detection, machine learning, Malware, military communication, Neural networks, pubcrawl, resilience, Resiliency, Sensitivity, telecommunication traffic, Training, Watermarking |
Abstract | Machine learning (ML) models are increasingly being used in the development of Malware Detection Systems. Existing research in this area primarily focuses on developing new architectures and feature representation techniques to improve the accuracy of the model. However, recent studies have shown that existing state-of-the-art techniques are vulnerable to adversarial machine learning (AML) attacks. Among those, data poisoning attacks have been identified as a top concern for ML practitioners. A recent study on clean-label poisoning attacks, in which an adversary intentionally crafts training samples so that the model learns a backdoor watermark, was shown to degrade the performance of state-of-the-art classifiers. Defenses against such poisoning attacks have been largely under-explored. We investigate a recently proposed clean-label poisoning attack and leverage an ensemble-based Nested Training technique to remove most of the poisoned samples from a poisoned training dataset. Our technique leverages the relatively large sensitivity of poisoned samples to feature noise, which disproportionately affects the accuracy of a backdoored model. In particular, we show that for two state-of-the-art architectures trained on the EMBER dataset affected by the clean-label attack, the Nested Training approach improves the accuracy on backdoored malware samples from 3.42% to 93.2%. We also show that samples produced by the clean-label attack often successfully evade malware classification even when the classifier is not poisoned during training. However, even in such scenarios, our Nested Training technique can mitigate the effect of such clean-label-based evasion attacks by recovering the model's malware detection accuracy from 3.57% to 93.2%. |
Notes | ISSN: 2155-7586 |
DOI | 10.1109/MILCOM55135.2022.10017768 |
Citation Key | ho_data_2022 |