The invention generally relates to classifiers, and more particularly to building classifiers against evasion attacks.
Users are able to conveniently download software on their computing and mobile devices, and they associate a general level of trust with the software depending on its source. The software may require the user to grant permission for certain functions of an application to operate, and users may not be aware of the permissions and access they are allowing applications to have. Various algorithms can be used to provide protection against harmful programs. However, attackers continue to distribute programs that manipulate the user's devices or access the user's information. This type of program is known as malware. There may be a need to build more robust classifiers to detect harmful applications.
According to an embodiment, a system for building robust classifiers against evasion attacks is shown. The system includes a storage medium, the storage medium being coupled to a processor, where the processor is configured to receive an application; identify one or more features of the application; determine a first confidence score for a first version of the application including a first set of features and determine a second confidence score for a second version of the application including a second set of features, wherein the first set of features is different than the second set of features; determine a difference between the first confidence score and the second confidence score; compare the difference with a convergence threshold; based on the comparison, determine whether the first confidence score exceeds a confidence score threshold; and generate a report based on determining the first confidence score exceeds the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include a second set of features that include one less feature than the first set of features.
In addition to one or more of the features described herein, or as an alternative, further embodiments include identifying the one or more features further includes ranking the one or more features of the application.
In addition to one or more of the features described herein, or as an alternative, further embodiments include removing one or more features from a version of the application based at least in part on the ranking.
In addition to one or more of the features described herein, or as an alternative, further embodiments include, responsive to determining the difference is less than the convergence threshold, comparing the first confidence score with the confidence score threshold; and generating the report based on the first confidence score exceeding the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include, responsive to determining the difference is greater than the convergence threshold, the processor being configured to determine a third version of the application by removing one feature of the one or more features from the second version of the application; determine a third confidence score of the third version of the application; determine a difference between the second confidence score and the third confidence score; compare the difference with the convergence threshold; based on the comparison, determine whether the second confidence score exceeds the confidence score threshold; and generate the report based on determining the second confidence score exceeds the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include a processor that is further configured to determine a subsequent version by removing a feature of the identified features from a previous version, wherein the subsequent version includes a set of features with one less feature than a set of features for the previous version based at least in part on comparing a difference of a confidence score with a convergence threshold; determine a difference between a confidence score of the subsequent version and the previous version; and incrementally remove another feature, determining the difference between the confidence score of the subsequent version and the previous version each time, until the difference exceeds the convergence threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include a report that includes at least one of the one or more features, a type of malware, or permission information for the application.
In another embodiment, a method for building robust classifiers against evasion attacks is shown. The method includes receiving, by a processor, an application; identifying one or more features of the application; determining a first confidence score for a first version of the application including a first set of features and determining a second confidence score for a second version of the application including a second set of features, wherein the first set of features is different than the second set of features; determining a difference between the first confidence score and the second confidence score; comparing the difference with a convergence threshold; based on the comparison, determining whether the first confidence score exceeds a confidence score threshold; and generating a report based on determining the first confidence score exceeds the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include a second set of features that include one less feature than the first set of features.
In addition to one or more of the features described herein, or as an alternative, further embodiments include identifying the one or more features further includes ranking the one or more features of the application.
In addition to one or more of the features described herein, or as an alternative, further embodiments include removing the one or more features from the application based at least in part on the ranking.
In addition to one or more of the features described herein, or as an alternative, further embodiments include, responsive to determining the difference is greater than the convergence threshold, comparing the first confidence score with the confidence score threshold; and generating the report based on the first confidence score exceeding the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include responsive to determining the difference is greater than the convergence threshold, determining a third version of the application by removing one feature of the one or more features from the second version of the application; determining a third confidence score of the third version of the application; determining a difference between the second confidence score and the third confidence score; comparing the difference with the convergence threshold; based on the comparison, determining whether the second confidence score exceeds the confidence score threshold; and generating the report based on determining the second confidence score exceeds the confidence score threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include determining a subsequent version by removing a feature of the identified features from a previous version, wherein the subsequent version includes a set of features with one less feature than a set of features for the previous version based at least in part on comparing a difference of a confidence score with a convergence threshold; determining a difference between a confidence score of the subsequent version and the previous version; and incrementally removing another feature, determining the difference between the confidence score of the subsequent version and the previous version each time, until the difference exceeds the convergence threshold.
In addition to one or more of the features described herein, or as an alternative, further embodiments include a report that includes at least one of the one or more features, a type of malware, or permission information for the application.
Technical effects of embodiments of the present disclosure include building a robust classifier against evasion attacks by identifying features of malicious/benign applications and their impact on the sensitivity of the classifier.
The foregoing features and elements may be combined in various combinations without exclusivity, unless expressly indicated otherwise. These features and elements as well as the operation thereof will become more apparent in light of the following description and the accompanying drawings. It should be understood, however, that the following description and drawings are intended to be illustrative and explanatory in nature and non-limiting.
The present disclosure is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements.
The following descriptions should not be considered limiting in any way. With reference to the accompanying drawings, like elements are numbered alike:
Harmful programs and applications exist that can expose a user's personal information. For example, malware is a program that is executed in an attempt to gain access to unauthorized data or to manipulate a program or device. In today's environment, many systems use various techniques to identify malware and prevent the installation of malicious programs on a user's device. One technique includes using classifiers, that is, training machine-learning algorithms to predict whether an application is harmful or not. However, attackers have been making subtle changes to their programs that may go undetected by the classifier of a security or malware-detection function. Machine-learning algorithms are trained on a set of features extracted from labeled samples or classes, and the algorithm or model automatically learns to differentiate between the classes, hence the name classifier.
Issues may arise when the classifiers of the security programs learn from incorrectly classified application data, where the characteristics of the malicious programs are undetected and used to refine the classifier. Therefore, the reliability of the classifier is reduced with every misclassification of a program as malware. Attackers strategically add features to the application in an attempt to confuse the machine learning into incorrectly classifying the malware as benign (not harmful). Because the techniques described herein analyze the impact of each feature on the sensitivity of the classifier, there is less of a chance of misclassifying harmful applications as benign.
The techniques described herein determine the feature sensitivity of an application based on an adversarial-safe algorithm. The obtained sensitivity information is then used to predict whether an application is actually malicious or benign, which improves the reliability of the classifier. The techniques described herein include sequencing/ranking the features of an application based on their importance; incrementally removing each feature to measure the sensitivity of the classifier; measuring the magnitude of the sensitivity and continuing the feature removal until a convergence of the magnitude of the sensitivity is observed; and using the sensitivity information to predict whether the application is actually malicious or benign.
Referring to
In embodiments, the processing system 100 includes a graphics processing unit 30. Graphics processing unit 30 is a specialized electronic circuit designed to manipulate and alter memory to accelerate the creation of images in a frame buffer intended for output to a display. In general, graphics processing unit 30 is very efficient at manipulating computer graphics and image processing, and has a highly parallel structure that makes it more effective than general-purpose CPUs for algorithms where processing of large blocks of data is done in parallel.
Thus, as configured in
Now turning to
The system 200 receives data at receiver 210 representing information such as an application 240, image, etc. In addition, the receiver 210 can receive data from one or more sources to be processed by the system 200. The received data is provided to the processing module 220. The processing module 220 is configured to identify the benign-only features of the received application.
In a non-limiting example, if the received application or data is an image of a dog and the attacker wants the machine-learning algorithm to identify the dog as a bird, the attacker can add features to the dog to confuse the machine-learning algorithm. This type of attack is known as an evasion attack. In one or more embodiments, other features can be collected by the machine-learning algorithm to identify patterns of Internet usage, support functionalities, file access, and others to make a prediction of whether the application is benign. It should be understood that other features can be used in the machine-learning algorithm to determine if the received application is malicious. The processing module 220 analyzes the image to determine the features of the image. For example, the benign features of a bird can include features such as the beak, wings, eyes, and feet/claws. The importance of each feature in identifying the bird as a bird can be ranked. In a non-limiting example, the bird's wings may be ranked first, then followed by the beak, feet/claws, and eyes. The ranking of the features can be determined using explainable artificial intelligence (XAI). The XAI analyzes the classifier to determine what features are used by the classifier to determine whether a feature is malicious or benign, or in the example, what features are used to determine an image of an animal is a dog or a bird.
The attacker may incrementally add features to the dog in an attempt to have the classifier determine the dog is a bird. Similarly, more benign features will be added to the malware or other types of malicious code in an attempt to have the classifier identify the code as benign and not harmful. For example, adding the wings and the beak to an image of a dog increases the chance of a classifier incorrectly identifying the dog as a bird. The techniques described herein can identify the features and reduce the chances for misclassification.
The processing module 220 works with a first version of the application and a second version of the application. The confidence score C_i is determined for the first version of the application containing the set of features, and the confidence score C_{i-1} is determined for a second version of the application containing the set of features minus the ith feature. By removing the ith feature, the magnitude of the sensitivity of the classifier to the ith feature can be determined.
A delta between the confidence scores C_i and C_{i-1} is determined. If the delta is greater than a convergence threshold, the algorithm removes the next feature from the previous version of the application, calculates the confidence score of the resulting subsequent version, and determines the delta between the confidence scores of the previous and subsequent versions for comparison with the convergence threshold. The method continues to remove the next highest ranked feature from the previous version to form a subsequent version until the delta between the confidence scores of the previous and subsequent versions is below the convergence threshold. A delta below the convergence threshold indicates that the ith feature has minimal impact on the classifier, and the application is therefore not thereby determined to be benign.
The process repeats this cycle until the convergence threshold is greater than the delta between the ith confidence score and the (i-1)th confidence score. In one or more embodiments, the convergence threshold can be set to a default value or configured by an operator.
After the process has converged (the delta is below the convergence threshold), the confidence score C_i of the latest version of the application is determined. If this confidence score exceeds a confidence score threshold, such as a confidence score threshold of 95, the application is reported as malicious. In one or more embodiments, the processing module 220 generates a report 250, and the transmitter 230 is configured to send the report and/or a notification to one or more destinations. The notification can include an alert. In one or more embodiments, the notification can include the features that were analyzed and determined to be malicious. In other embodiments, the notification can include the type of malicious software, such as ransomware, a Trojan, or another type of virus. In addition, the level of permissioning can be included in the notification; for example, the permissioning can indicate levels such as a suspicious level or an over-privileged level. It should be understood that other levels can be used and provided in the report 250. If the confidence score C_i does not exceed the confidence score threshold, the report 250 need not be generated, but in an alternative embodiment the report 250 can still be generated and provided to the user.
In
At block 308, the method 300 provides for determining a first confidence score for a first version of the application including a first set of features and determining a second confidence score for a second version of the application including a second set of features, wherein the first set of features is different than the second set of features. The second version of the application is determined by removing the highest ranking feature from the set of features for the application.
At block 310, the method 300 provides for determining a difference between the first confidence score and the second confidence score. The confidence scores can be determined by known techniques. At block 312, the method 300 provides for comparing the difference with a convergence threshold. If the difference between the first and second confidence scores is greater than the convergence threshold, another feature is removed from the second version of the application to form a third, or subsequent, version of the application. After the feature is removed from the previous version, the confidence scores of the previous version and the subsequent version are determined. Next, the difference between the confidence scores of the previous version and the subsequent version is compared to the convergence threshold. If the difference is greater than the convergence threshold, the next feature is removed from the latest version of the application, and the process is repeated until the last feature is removed from the application or until the difference between the confidence scores no longer exceeds the convergence threshold.
Otherwise, if the difference between the first and second confidence scores is less than the convergence threshold, the confidence score of the first version is returned. At block 314, the method 300 provides for determining, based on the comparison, whether the first confidence score exceeds a confidence score threshold. At block 316, the method 300 provides for generating a report based on determining that the first confidence score exceeds the confidence score threshold: the confidence score is compared to the confidence score threshold, and a report is generated if the threshold is exceeded. The report can include various types of information, including the features and permissions used by the application, and it can further classify the type of malware, such as ransomware or a Trojan. The method 300 ends at block 318.
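The feature-removal loop of blocks 308 to 316 and the C_i / C_{i-1} delta test described above, as an added worked example that is not part of the patent: a constructed toy logistic classifier with made-up weights stands in for the trained model, ranking benign-leaning features by weight magnitude stands in for the XAI step, and the two applications, feature names and thresholds are invented for illustration.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field

# Constructed weights for a toy logistic classifier: positive values push
# toward "malicious", negative values toward "benign". Not a real model.
WEIGHTS = {
    "reads_contacts": 1.4,
    "sends_sms": 2.2,
    "dynamic_code_loading": 1.8,
    "contacts_c2_domain": 2.6,
    "has_privacy_policy_url": -1.8,
    "uses_google_play_billing": -1.2,
    "requests_camera_permission": -0.4,
    "signed_by_known_developer": -2.5,
}
BIAS = -1.0


def confidence(features: set[str]) -> float:
    """Confidence score (0-100) that an app with these features is malicious."""
    z = BIAS + sum(WEIGHTS.get(f, 0.0) for f in features)
    return 100.0 / (1.0 + math.exp(-z))


def rank_benign_features(features: set[str]) -> list[str]:
    """Stand-in for the XAI ranking step: benign-leaning features present in
    the app, most influential first. These are the features an evasion attack
    pads a malicious app with, so they are the ones removed first."""
    benign = [f for f in features if WEIGHTS.get(f, 0.0) < 0.0]
    return sorted(benign, key=lambda f: WEIGHTS[f])  # most negative first


@dataclass
class Verdict:
    converged_score: float          # C_i of the version the loop settled on
    removed: list[str] = field(default_factory=list)
    deltas: list[float] = field(default_factory=list)
    malicious: bool = False


def sensitivity_check(features: set[str], convergence_threshold: float = 2.0,
                      score_threshold: float = 95.0) -> Verdict:
    """Remove ranked benign features one at a time until the change in
    confidence (the delta) drops below convergence_threshold or no ranked
    feature is left, then judge the remaining version against score_threshold."""
    current = set(features)
    prev_score = confidence(current)          # C_i
    verdict = Verdict(converged_score=prev_score)
    for feat in rank_benign_features(features):
        candidate = current - {feat}
        score = confidence(candidate)         # C_{i-1}
        delta = abs(score - prev_score)
        verdict.deltas.append(delta)
        if delta < convergence_threshold:
            break  # this feature barely moves the classifier: converged
        current, prev_score = candidate, score
        verdict.removed.append(feat)
    verdict.converged_score = prev_score
    verdict.malicious = prev_score > score_threshold
    return verdict


def build_report(app_name: str, features: set[str], verdict: Verdict) -> dict:
    """Analogue of report 250: the padding stripped, the score, what remains."""
    return {
        "application": app_name,
        "malicious": verdict.malicious,
        "confidence_score": round(verdict.converged_score, 2),
        "benign_padding_removed": verdict.removed,
        "remaining_features": sorted(set(features) - set(verdict.removed)),
    }


# Constructed applications for illustration: one malicious app padded with
# benign-looking features, one genuinely benign app.
EVASIVE_APP = {"sends_sms", "dynamic_code_loading", "contacts_c2_domain",
               "has_privacy_policy_url", "uses_google_play_billing",
               "signed_by_known_developer", "requests_camera_permission"}
BENIGN_APP = {"reads_contacts", "requests_camera_permission",
              "has_privacy_policy_url", "uses_google_play_billing",
              "signed_by_known_developer"}

if __name__ == "__main__":
    for name, app in (("evasive", EVASIVE_APP), ("benign", BENIGN_APP)):
        print(f"{name}: naive score {confidence(app):.1f}")
        print(build_report(name, app, sensitivity_check(app)))
```

The padded app scores about 43 on its own, so a plain threshold would pass it as benign, yet after two removals the delta falls under the convergence threshold at a score of about 98 and it is reported; the benign app never exceeds 95 even with every benign feature stripped.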
Referring now to
The techniques described herein improve the classifiers of machine-learning algorithms by ensuring they are safe from perturbations and exposing the malicious nature of the applications. The techniques described herein also provide for understanding the importance of each feature (benign and malicious) of the application used for decision making and how each benign feature perturbation can affect the decision boundary. Finally, the techniques described herein improve the overall reliability of the classifier of the machine-learning algorithm.
A detailed description of one or more embodiments of the disclosed apparatus and method are presented herein by way of exemplification and not limitation with reference to the Figures.
The term “about” is intended to include the degree of error associated with measurement of the particular quantity based upon the equipment available at the time of filing the application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, element components, and/or groups thereof.
While the present disclosure has been described with reference to an exemplary embodiment or embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the present disclosure. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the present disclosure without departing from the essential scope thereof. Therefore, it is intended that the present disclosure not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this present disclosure, but that the present disclosure will include all embodiments falling within the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
201811041945 | Nov 2018 | IN | national |

Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2019/058697 | 10/30/2019 | WO | |

Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2020/096826 | 5/14/2020 | WO | A |
Number | Date | Country |
---|---|---|
20210256121 A1 | Aug 2021 | US |