Deep learning-based malware detection systems are vulnerable to adversarial EXEmples - carefully-crafted malicious programs that evade detection with minimal perturbation. As such, the community is dedicating effort to develop mechanisms to defend against adversarial EXEmples. However, current randomized smoothing-based defenses are still vulnerable to attacks that inject blocks of adversarial content. In this paper, we introduce a certifiable defense against patch attacks that guarantees, for a given executable and an adversarial patch size, no adversarial EXEmple exist. Our method is inspired by (de)randomized smoothing which provides deterministic robustness certificates. During training, a base classifier is trained using subsets of continguous bytes. At inference time, our defense splits the executable into non-overlapping chunks, classifies each chunk independently, and computes the final prediction through majority voting to minimize the influence of injected content. Furthermore, we introduce a preprocessing step that fixes the size of the sections and headers to a multiple of the chunk size. As a consequence, the injected content is confined to an integer number of chunks without tampering the other chunks containing the real bytes of the input examples, allowing us to extend our certified robustness guarantees to content insertion attacks. We perform an extensive ablation study, by comparing our defense with randomized smoothing-based defenses against a plethora of content manipulation attacks and neural network architectures. Results show that our method exhibits unmatched robustness against strong content-insertion attacks, outperforming randomized smoothing-based defenses in the literature.

翻译：深度学习恶意软件检测系统易受对抗性EXEmples攻击——通过最小扰动逃避检测的精心构造恶意程序。为此，学术界正致力于开发对抗EXEmples的防御机制。然而，现有基于随机平滑的防御仍难以抵御注入对抗性内容块的攻击。本文提出一种针对补丁攻击的可认证防御方法，该方法能为给定可执行文件和对抗补丁大小保证不存在对抗性EXEmples。本方法受（去）随机平滑启发，可提供确定性鲁棒性认证。训练阶段，基础分类器通过连续字节子集进行训练；推理时，防御机制将可执行文件分割为不重叠的数据块，独立分类各数据块，并通过多数投票确定最终预测结果以最小化注入内容的影响。此外，我们引入预处理步骤，将各节区和头部大小固定为数据块大小的整数倍。由此，注入内容被限制为整数个数据块，不会篡改包含原始输入真实字节的其他数据块，从而将认证鲁棒性保障扩展至内容插入攻击。通过大量消融实验，我们将本方法与多种基于随机平滑的防御方案在不同内容操纵攻击和神经网络架构下进行对比。结果表明，本方法在抵御强内容插入攻击时展现出无与伦比的鲁棒性，性能优于现有文献中基于随机平滑的防御方案。