The Robust Malware Detection Challenge and Greedy Random Accelerated Multi-Bit Search

Conference paper (2020)

Authors

S.E. Verwer Cyber Security - EEMCS
A. Nadeem Cyber Security - EEMCS
C.A. Hammerschmidt Cyber Security - EEMCS
L. Bliek Algorithmics - EEMCS
Abdullah Al-Dujaili Massachusetts Institute of Technology
Una-May O'Reilly Massachusetts Institute of Technology
Research Group
Cyber Security (EEMCS) (TU Delft)
Copyright: © 2020 S.E. Verwer, A. Nadeem, C.A. Hammerschmidt, L. Bliek, Abdullah Al-Dujaili, Una-May O’Reilly
DOI
help_outline
https://doi.org/10.1145/3411508.3421374
Neural Networks Discrete optimization Adversarial Learning Robust Malware Detection Adversarial malware Saddle-point optimization
More Info
expand_more

Published Date

2020

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

Training classifiers that are robust against adversarially modified examples is becoming increasingly important in practice. In the field of malware detection, adversaries modify malicious binary files to seem benign while preserving their malicious behavior. We report on the results of a recently held robust malware detection challenge. There were two tracks in which teams could participate: the attack track asked for adversarially modified malware samples and the defend track asked for trained neural network classifiers that are robust to such modifications. The teams were unaware of the attacks/defenses they had to detect/evade. Although only 9 teams participated, this unique setting allowed us to make several interesting observations. We also present the challenge winner: GRAMS, a family of novel techniques to train adversarially robust networks that preserve the intended (malicious) functionality and yield high-quality adversarial samples. These samples are used to iteratively train a robust classifier. We show that our techniques, based on discrete optimization techniques, beat purely gradient-based methods. GRAMS obtained first place in both the attack and defend tracks of the competition.