Certified defenses are a recent development in adversarial machine learning (ML), which aim to rigorously guarantee the robustness of ML models to adversarial perturbations. A large body of work studies certified defenses in computer vision, where $\ell_p$ norm-bounded evasion attacks are adopted as a tractable threat model. However, this threat model has known limitations in vision, and is not applicable to other domains -- e.g., where inputs may be discrete or subject to complex constraints. Motivated by this gap, we study certified defenses for malware detection, a domain where attacks against ML-based systems are a real and current threat. We consider static malware detection systems that operate on byte-level data. Our certified defense is based on the approach of randomized smoothing which we adapt by: (1) replacing the standard Gaussian randomization scheme with a novel deletion randomization scheme that operates on bytes or chunks of an executable; and (2) deriving a certificate that measures robustness to evasion attacks in terms of generalized edit distance. To assess the size of robustness certificates that are achievable while maintaining high accuracy, we conduct experiments on malware datasets using a popular convolutional malware detection model, MalConv. We are able to accurately classify 91% of the inputs while being certifiably robust to any adversarial perturbations of edit distance 128 bytes or less. By comparison, an existing certification of up to 128 bytes of substitutions (without insertions or deletions) achieves an accuracy of 78%. In addition, given that robustness certificates are conservative, we evaluate practical robustness to several recently published evasion attacks and, in some cases, find robustness beyond certified guarantees.
翻译:可认证防御是对抗性机器学习领域的最新发展,旨在严格保证机器学习模型对对抗性扰动的鲁棒性。大量研究在计算机视觉领域探讨可认证防御,其中采用ℓp范数有界规避攻击作为可处理的威胁模型。然而,该威胁模型在视觉领域存在已知局限性,且不适用于其他领域——例如输入可能为离散或受复杂约束的场景。基于这一研究空白,我们针对恶意软件检测这一领域研究可认证防御——在该领域中,基于机器学习系统的攻击是真实且当前存在的威胁。我们考虑在字节级数据上运行的静态恶意软件检测系统。我们的可认证防御基于随机平滑方法,并通过以下方式对其改进:(1)将标准高斯随机化方案替换为新型删除随机化方案,该方案对可执行文件的字节或代码块进行操作;(2)推导出基于广义编辑距离度量规避攻击鲁棒性的证书。为评估在保持高准确率前提下可实现鲁棒性证书的规模,我们使用流行的卷积恶意软件检测模型MalConv在恶意软件数据集上进行实验。我们能够准确分类91%的输入样本,同时保证对编辑距离不超过128字节的任何对抗性扰动具有可认证鲁棒性。相比之下,现有针对最多128字节替换(不含插入或删除)的认证方案仅达到78%的准确率。此外,鉴于鲁棒性证书具有保守性,我们评估了模型对近期多种规避攻击的实际鲁棒性,并在某些情况下发现其鲁棒性超越了可认证保证的范围。