An Empirical Study on the Effectiveness of Adversarial Examples in Malware Detection

Antivirus vendors and the research community employ Machine Learning(ML)or Deep Learning(DL)-based static analysis techniques for efficient identification of new threats,given the continual emergence of novel malware variants.On the other hand,numerous researchers have reported that Adversarial Examples(AEs),generated by manipulating previously detected malware,can successfully evade ML/DL-based classifiers.Commercial antivirus systems,in particular,have been identified as vulnerable to such AEs.This paper firstly focuses on conducting black-box attacks to circumvent ML/DL-based malware classifiers.Our attack method utilizes seven different perturbations,including Overlay Append,Section Append,and Break Checksum,capitalizing on the ambiguities present in the PE format,as previously employed in evasion attack research.By directly applying the perturbation techniques to PE binaries,our attack method eliminates the need to grapple with the problem-feature space dilemma,a persistent challenge in many evasion attack studies.Being a black-box attack,our method can generate AEs that successfully evade both DL-based and ML-based classifiers.Also,AEs generated by the attack method retain their executability and malicious behavior,eliminating the need for functionality verification.Through thorogh evaluations,we confirmed that the attack method achieves an evasion rate of 65.6%against well-known ML-based malware detectors and can reach a remarkable 99%evasion rate against well-known DL-based malware detectors.Furthermore,our AEs demonstrated the capability to bypass detection by 17%of vendors out of the 64 on VirusTotal(VT).In addition,we propose a defensive approach that utilizes Trend Locality Sensitive Hashing(TLSH)to construct a similarity-based defense model.Through several experiments on the approach,we verified that our defense model can effectively counter AEs generated by the perturbation techniques.In conclusion,our defense model alleviates the limitation of the most promising defense method,adversarial training,which is only effective against the AEs that are included in the training classifiers.

An Intelligent Secure Adversarial Examples Detection Scheme in Heterogeneous Complex Environments

Image-denoising techniques are widely used to defend against Adversarial Examples(AEs).However,denoising alone cannot completely eliminate adversarial perturbations.The remaining perturbations tend to amplify as they propagate through deeper layers of the network,leading to misclassifications.Moreover,image denoising compromises the classification accuracy of original examples.To address these challenges in AE defense through image denoising,this paper proposes a novel AE detection technique.The proposed technique combines multiple traditional image-denoising algorithms and Convolutional Neural Network(CNN)network structures.The used detector model integrates the classification results of different models as the input to the detector and calculates the final output of the detector based on a machine-learning voting algorithm.By analyzing the discrepancy between predictions made by the model on original examples and denoised examples,AEs are detected effectively.This technique reduces computational overhead without modifying the model structure or parameters,effectively avoiding the error amplification caused by denoising.The proposed approach demonstrates excellent detection performance against mainstream AE attacks.Experimental results show outstanding detection performance in well-known AE attacks,including Fast Gradient Sign Method(FGSM),Basic Iteration Method(BIM),DeepFool,and Carlini&Wagner(C&W),achieving a 94%success rate in FGSM detection,while only reducing the accuracy of clean examples by 4%.

Defending Adversarial Examples by a Clipped Residual U-Net Model

Deep learning-based systems have succeeded in many computer vision tasks.However,it is found that the latest study indicates that these systems are in danger in the presence of adversarial attacks.These attacks can quickly spoil deep learning models,e.g.,different convolutional neural networks(CNNs),used in various computer vision tasks from image classification to object detection.The adversarial examples are carefully designed by injecting a slight perturbation into the clean images.The proposed CRU-Net defense model is inspired by state-of-the-art defense mechanisms such as MagNet defense,Generative Adversarial Net-work Defense,Deep Regret Analytic Generative Adversarial Networks Defense,Deep Denoising Sparse Autoencoder Defense,and Condtional Generattive Adversarial Network Defense.We have experimentally proved that our approach is better than previous defensive techniques.Our proposed CRU-Net model maps the adversarial image examples into clean images by eliminating the adversarial perturbation.The proposed defensive approach is based on residual and U-Net learning.Many experiments are done on the datasets MNIST and CIFAR10 to prove that our proposed CRU-Net defense model prevents adversarial example attacks in WhiteBox and BlackBox settings and improves the robustness of the deep learning algorithms especially in the computer visionfield.We have also reported similarity(SSIM and PSNR)between the original and restored clean image examples by the proposed CRU-Net defense model.

A new method of constructing adversarial examplesfor quantum variational circuits

A quantum variational circuit is a quantum machine learning model similar to a neural network.A crafted adversarial example can lead to incorrect results for the model.Using adversarial examples to train the model will greatly improve its robustness.The existing method is to use automatic differentials or finite difference to obtain a gradient and use it to construct adversarial examples.This paper proposes an innovative method for constructing adversarial examples of quantum variational circuits.In this method,the gradient can be obtained by measuring the expected value of a quantum bit respectively in a series quantum circuit.This method can be used to construct the adversarial examples for a quantum variational circuit classifier.The implementation results prove the effectiveness of the proposed method.Compared with the existing method,our method requires fewer resources and is more efficient.

Adversarial Examples Protect Your Privacy on Speech Enhancement System

Speech is easily leaked imperceptibly.When people use their phones,the personal voice assistant is constantly listening and waiting to be activated.Private content in speech may be maliciously extracted through automatic speech recognition(ASR)technology by some applications on phone devices.To guarantee that the recognized speech content is accurate,speech enhancement technology is used to denoise the input speech.Speech enhancement technology has developed rapidly along with deep neural networks(DNNs),but adversarial examples can cause DNNs to fail.Considering that the vulnerability of DNN can be used to protect the privacy in speech.In this work,we propose an adversarial method to degrade speech enhancement systems,which can prevent the malicious extraction of private information in speech.Experimental results show that the generated enhanced adversarial examples can be removed most content of the target speech or replaced with target speech content by speech enhancement.The word error rate(WER)between the enhanced original example and enhanced adversarial example recognition result can reach 89.0%.WER of target attack between enhanced adversarial example and target example is low at 33.75%.The adversarial perturbation in the adversarial example can bring much more change than itself.The rate of difference between two enhanced examples and adversarial perturbation can reach more than 1.4430.Meanwhile,the transferability between different speech enhancement models is also investigated.The low transferability of the method can be used to ensure the content in the adversarial example is not damaged,the useful information can be extracted by the friendly ASR.This work can prevent the malicious extraction of speech.

A Survey on Adversarial Examples in Deep Learning

Adversarial examples are hot topics in the field of security in deep learning.The feature,generation methods,attack and defense methods of the adversarial examples are focuses of the current research on adversarial examples.This article explains the key technologies and theories of adversarial examples from the concept of adversarial examples,the occurrences of the adversarial examples,the attacking methods of adversarial examples.This article lists the possible reasons for the adversarial examples.This article also analyzes several typical generation methods of adversarial examples in detail:Limited-memory BFGS(L-BFGS),Fast Gradient Sign Method(FGSM),Basic Iterative Method(BIM),Iterative Least-likely Class Method(LLC),etc.Furthermore,in the perspective of the attack methods and reasons of the adversarial examples,the main defense techniques for the adversarial examples are listed:preprocessing,regularization and adversarial training method,distillation method,etc.,which application scenarios and deficiencies of different defense measures are pointed out.This article further discusses the application of adversarial examples which currently is mainly used in adversarial evaluation and adversarial training.Finally,the overall research direction of the adversarial examples is prospected to completely solve the adversarial attack problem.There are still a lot of practical and theoretical problems that need to be solved.Finding out the characteristics of the adversarial examples,giving a mathematical description of its practical application prospects,exploring the universal method of adversarial example generation and the generation mechanism of the adversarial examples are the main research directions of the adversarial examples in the future.

基于CAE-GAN的滚动轴承故障诊断方法

由于滚动轴承故障样本获取困难,导致训练样本分布往往呈现极强的不平衡性,严重影响轴承智能故障诊断的准确率。针对滚动轴承训练样本不平衡的问题,提出一种基于约束式自编码器-生成对抗网络(constrained autoencoder-generative adversarial network, CAE-GAN)的故障诊断方法,通过增强故障样本特征以提高诊断模型的精度。首先结合自编码器和生成对抗网络,构建一种基于编码-解码-判别结构的网络模型,以提高生成器捕捉真实样本分布的能力;为进一步提高生成样本的质量,提出一种基于距离约束的方法以限制不同类别样本之间的距离,从而避免生成样本全部来自同一类型。通过滚动轴承故障诊断试验证明了该方法能有效提高生成样本的质量,解决样本不平衡问题,轴承故障诊断准确率较其他方法有明显提高。

Instance Reweighting Adversarial Training Based on Confused Label

Reweighting adversarial examples during training plays an essential role in improving the robustness of neural networks,which lies in the fact that examples closer to the decision boundaries are much more vulnerable to being attacked and should be given larger weights.The probability margin(PM)method is a promising approach to continuously and path-independently mea-suring such closeness between the example and decision boundary.However,the performance of PM is limited due to the fact that PM fails to effectively distinguish the examples having only one misclassified category and the ones with multiple misclassified categories,where the latter is closer to multi-classification decision boundaries and is supported to be more critical in our observation.To tackle this problem,this paper proposed an improved PM criterion,called confused-label-based PM(CL-PM),to measure the closeness mentioned above and reweight adversarial examples during training.Specifi-cally,a confused label(CL)is defined as the label whose prediction probability is greater than that of the ground truth label given a specific adversarial example.Instead of considering the discrepancy between the probability of the true label and the probability of the most misclassified label as the PM method does,we evaluate the closeness by accumulating the probability differences of all the CLs and ground truth label.CL-PM shares a negative correlation with data vulnerability:data with larger/smaller CL-PM is safer/riskier and should have a smaller/larger weight.Experiments demonstrated that CL-PM is more reliable in indicating the closeness regarding multiple misclassified categories,and reweighting adversarial training based on CL-PM outperformed state-of-the-art counterparts.

结合对抗训练和特征混合的孪生网络防御模型

神经网络模型容易受到对抗样本攻击。针对当前防御方法侧重改进模型结构或模型仅使用对抗训练方法导致防御类型单一且损害模型分类能力、效率低下的问题,提出结合对抗训练和特征混合训练孪生神经网络模型(SS-ResNet18)的方法。该方法通过线性插值混合训练集样本数据,使用残差注意力模块搭建孪生网络模型,将PGD对抗样本和正常样本输入不同分支网络进行训练。在特征空间互换相邻样本部分输入特征以增强网络抗干扰能力,结合对抗损失和分类损失作为网络整体损失函数并对其进行标签平滑。在CIFAR-10和SVHN数据集上进行实验,该方法在白盒攻击下表现出优异的防御性能,黑盒攻击下模型对PGD、JSMA等对抗样本的防御成功率均在80%以上;同时,SS-ResNet18模型时间花销仅为子空间对抗训练方法的二分之一。实验结果表明,SS-ResNet18模型能防御多种对抗样本攻击,与现有防御方法相比,其鲁棒性强且训练耗时较短。

基于引导扩散模型的自然对抗补丁生成方法

近年来,物理世界中的对抗补丁攻击因其对深度学习模型安全的影响而引起了广泛关注.现有的工作主要集中在生成在物理世界中攻击性能良好的对抗补丁,没有考虑到对抗补丁图案与自然图像的差别,因此生成的对抗补丁往往不自然且容易被观察者发现.为了解决这个问题,本文提出了一种基于引导的扩散模型的自然对抗补丁生成方法.具体而言,本文通过解析目标检测器的输出构建预测对抗补丁攻击成功率的预测器,利用该预测器的梯度作为条件引导预训练的扩散模型的逆扩散过程,从而生成自然度更高且保持高攻击成功率的对抗补丁.本文在数字世界和物理世界中进行了广泛的实验,评估了对抗补丁针对各种目标检测模型的攻击效果以及对抗补丁的自然度.实验结果表明,通过将所构建的攻击成功率预测器与扩散模型相结合,本文的方法能够生成比现有方案更自然的对抗补丁,同时保持攻击性能.

基于损失平滑的对抗样本攻击方法

深度神经网络(DNNs)容易受到对抗样本的攻击,现有基于动量的对抗样本生成方法虽然可以达到接近100%的白盒攻击成功率,但是在攻击其他模型时效果仍不理想,黑盒攻击成功率较低。针对此,提出一种基于损失平滑的对抗样本攻击方法来提高对抗样本的可迁移性。在每一步计算梯度的迭代过程中,不直接使用当前梯度,而是使用局部平均梯度来累积动量,以此来抑制损失函数曲面存在的局部振荡现象,从而稳定更新方向,逃离局部极值点。在ImageNet数据集上的大量实验结果表明:所提方法与现有基于动量的方法相比,在单个模型攻击实验中的平均黑盒攻击成功率分别提升了38.07%和27.77%,在集成模型攻击实验中的平均黑盒攻击成功率分别提升了32.50%和28.63%。

S-JSMA:一种低扰动冗余的快速JSMA对抗样本生成方法

基于深度学习神经网络模型的技术被广泛应用在计算机视觉、自然语言处理等领域。然而,研究人员发现,神经网络模型自身存在着显著的安全隐患,例如,容易遭到对抗样本的攻击。研究针对图像分类的对抗样本相关技术能帮助人们认识到神经网络模型的脆弱性,进而推动相关模型的安全加固机制研究。针对JSMA方法存在高时间开销与扰动冗余的问题,提出了一种低扰动冗余的快速JSMA对抗样本生成方法S-JSMA。该方法使用单步操作替代迭代操作以简化JSMA的算法流程,并使用简易扰动取代JSMA中基于显著图的扰动,从而极大地降低了对抗样本生成的时间开销和扰动冗余。基于MNIST数据集的实验结果表明,相较于JSMA和FGSM方法,S-JSMA能在显著短的时间内取得较好的攻击效果。

基于Transformer和GAN的对抗样本生成算法

对抗攻击与防御是计算机安全领域的一个热门研究方向。针对现有基于梯度的对抗样本生成方法可视质量差、基于优化的方法生成效率低的问题,提出基于Transformer和生成对抗网络(GAN)的对抗样本生成算法Trans-GAN。首先利用Transformer强大的视觉表征能力,将其作为重构网络,用于接收干净图像并生成攻击噪声;其次将Transformer重构网络作为生成器,与基于深度卷积网络的鉴别器相结合组成GAN网络架构,提高生成图像的真实性并保证训练的稳定性,同时提出改进的注意力机制Targeted Self-Attention,在训练网络时引入目标标签作为先验知识,指导网络模型学习生成具有特定攻击目标的对抗扰动;最后利用跳转连接将对抗噪声施加在干净样本上,形成对抗样本,攻击目标分类网络。实验结果表明:Trans-GAN算法针对MNIST数据集中2种模型的攻击成功率都达到99.9%以上,针对CIFAR10数据集中2种模型的攻击成功率分别达到96.36%和98.47%,优于目前先进的基于生成式的对抗样本生成方法;相比快速梯度符号法和投影梯度下降法,Trans-GAN算法生成的对抗噪声扰动量更小,形成的对抗样本更加自然,满足人类视觉不易分辨的要求。

图像对抗样本检测综述

深度神经网络是人工智能领域的一项重要技术,它被广泛应用于各种图像分类任务.但是,现有的研究表明深度神经网络存在安全漏洞,容易受到对抗样本的攻击,而目前并没有研究针对图像对抗样本检测进行体系化分析.为了提高深度神经网络的安全性,针对现有的研究工作,全面地介绍图像分类领域的对抗样本检测方法.首先根据检测器的构建方式将检测方法分为有监督检测与无监督检测,然后根据其检测原理进行子类划分.最后总结对抗样本检测领域存在的问题,在泛化性和轻量化等方面提出建议与展望,旨在为人工智能安全研究提供帮助.

基于可攻击空间假设的陷阱式集成对抗防御网络

如今,深度神经网络在各个领域取得了广泛的应用.然而研究表明,深度神经网络容易受到对抗样本的攻击,严重威胁着深度神经网络的应用和发展.现有的对抗防御方法大多需要以牺牲部分原始分类精度为代价,且强依赖于已有生成的对抗样本所提供的信息,无法兼顾防御的效力与效率.因此基于流形学习,从特征空间的角度提出可攻击空间对抗样本成因假设,并据此提出一种陷阱式集成对抗防御网络Trap-Net. Trap-Net在原始模型的基础上向训练数据添加陷阱类数据,使用陷阱式平滑损失函数建立目标数据类别与陷阱数据类别间的诱导关系以生成陷阱式网络.针对原始分类精度损失问题,利用集成学习的方式集成多个陷阱式网络以在不损失原始分类精度的同时,扩大陷阱类标签于特征空间所定义的靶标可攻击空间.最终, Trap-Net通过探测输入数据是否命中靶标可攻击空间以判断数据是否为对抗样本.基于MNIST、K-MNIST、F-MNIST、CIFAR-10和CIFAR-100数据集的实验表明, Trap-Net可在不损失干净样本分类精确度的同时具有很强的对抗样本防御泛化性,且实验结果验证可攻击空间对抗成因假设.在低扰动的白盒攻击场景中, Trap-Net对对抗样本的探测率高达85%以上.在高扰动的白盒攻击和黑盒攻击场景中, Trap-Net对对抗样本的探测率几乎高达100%.与其他探测式对抗防御方法相比, Trap-Net对白盒和黑盒对抗攻击皆有很强的防御效力.为对抗环境下深度神经网络提供一种高效的鲁棒性优化方法.

基于掩码语言模型的中文BERT攻击方法

对抗文本是一种能够使深度学习分类器作出错误判断的恶意样本,敌手通过向原始文本中加入人类难以察觉的微小扰动制作出能欺骗目标模型的对抗文本.研究对抗文本生成方法,能对深度神经网络的鲁棒性进行评价,并助力于模型后续的鲁棒性提升工作.当前针对中文文本设计的对抗文本生成方法中,很少有方法将鲁棒性较强的中文BERT模型作为目标模型进行攻击.面向中文文本分类任务,提出一种针对中文BERT的攻击方法Chinese BERT Tricker.该方法使用一种汉字级词语重要性打分方法——重要汉字定位法;同时基于掩码语言模型设计一种包含两类策略的适用于中文的词语级扰动方法实现对重要词语的替换.实验表明,针对文本分类任务,所提方法在两个真实数据集上均能使中文BERT模型的分类准确率大幅下降至40%以下,且其多种攻击性能明显强于其他基线方法.

基于双曲正切和矩的免疫防御

对抗样本的发现与研究证实了深度神经网络的脆弱性.如果不对对抗样本的生成加以约束,那么触手可及的图像将不再安全并随时可能对不鲁棒的深度神经网络构成威胁.然而,现有的对抗防御主要旨在防止对抗样本成功攻击深度神经网络,而不是防止对抗样本的生成.因此,本文提出了一种新颖的对抗防御机制,该机制被称为免疫防御.免疫防御通过主动地在原始图像上添加难以察觉的扰动使得攻击者无法针对该图像制作出有效的对抗样本,从而同时保护了图像和深度神经网络.这种良性的扰动被称为免疫扰动,添加了免疫扰动的图像被称为免疫样本.在白盒免疫防御中,本文提出了双曲正切免疫防御(Hyperbolic Tangent Immune Defense,HTID)以制作高分类准确率、高防御性能和高视觉质量的白盒免疫样本;在黑盒免疫防御中,提出了基于矩的免疫防御(Moment-based Immune Defense,MID)以提升免疫样本的可迁移性,从而确保免疫样本对未知对抗攻击的防御性能.此外,本文还提出了免疫率以更加准确地衡量免疫样本的防御性能.在CIFAR-10、MNIST、STL-10和Caltech-256数据集上的大量实验表明,HTID和MID制作的免疫样本具有高分类准确率,在Inception-v3、ResNet-50、LeNet-5和Model C上的准确率均达到了100.0%,比原始准确率平均高出10.5%.制作的免疫样本同时具有高视觉质量,其SSIM最低为0.822,最高为0.900.实验也表明MID有着比HTID更高的可迁移性,MID在四个数据集上针对AdvGAN制作的免疫样本防御其他11种对抗攻击的平均免疫率分别为62.1%、52.1%、56.8%和48.7%,这比HTID高出15.0%、10.8%、17.5%和15.7%.

三维点云目标识别对抗攻击研究综述

当前,人工智能系统在诸多领域都取得了巨大的成功,其中深度学习技术发挥了关键作用。然而,尽管深度神经网络具有强大的推理识别能力,但是依然容易受到对抗样本的攻击,表现出了脆弱性。对抗样本是经过特殊设计的输入数据,能够攻击并误导深度学习模型的输出。随着激光雷达等3维传感器的快速发展,使用深度学习技术解决3维领域的各种智能任务也越来越受到重视。采用深度学习技术处理3维点云数据的人工智能系统的安全性和鲁棒性至关重要,如基于深度学习的自动驾驶3维目标检测与识别技术。为了分析3维点云对抗样本对深度神经网络的攻击方式,揭示3维对抗样本对深度神经网络的干扰机制,该文总结了基于3维点云深度神经网络模型的对抗攻击方法的研究进展。首先,介绍了对抗攻击的基本原理和实现方法,然后,总结并分析了3维点云的数字域对抗攻击和物理域对抗攻击,最后,讨论了3维点云对抗攻击面临的挑战和未来的研究方向。

可添加量不受限的对抗样本

基于灰度图像和深度学习的恶意软件检测方法具有无需特征工程和检测精度高的特点,通过对抗样本能够欺骗该类检测方法。然而当前大部分研究所生成的对抗样本难以在不破坏原文件功能完整性的情况下大幅度降低该类检测方法对其的判别准确性。在分析可移植可执行(PE)文件的结构以及加载机制的基础上,提出一种不破坏PE文件原有功能且可添加量不受限的字节码攻击方法(BAUAA)。BAUAA通过在PE文件中分散于各区段之后且不会载入内存的“区段附加空间”添加字节码来生成对抗样本,并且由于该空间具有可添加量不受限的特点,可使得生成的对抗样本所转化的灰度图像在尺寸和纹理上发生变化,从而能够影响基于灰度图像和深度学习的恶意软件检测方法对其的判别准确性。实验结果表明,基于灰度图像和深度学习的恶意软件检测方法判别BAUAA所生成对抗样本的准确率明显低于其判别非对抗样本的准确率。为避免在现实中滥用BAUAA,提出一种针对性的对抗样本检测方法。

基于帧结构的语音对抗样本重点区域扰动分析

目前针对语音识别模型的对抗攻击主要是在整条语音上添加噪声,扰动范围大且引入了高频噪声.现有研究在一定程度上缩小了扰动范围,但由于语音对抗攻击需要在每帧添加扰动实现对转录结果的控制,限制了扰动范围的进一步降低.针对此问题,从帧结构的角度研究了语音识别系统中的特征提取流程,发现分帧和加窗处理决定了帧结构中重点区域的分布,即帧内各采样点上添加扰动的重要性受采样点所处位置的影响.首先,根据对输入特征的扰动分析结果进行区域划分;然后,为了量化这些采样点对求解对抗样本的重要性,提出了对抗样本空间度量方法和相应的评价指标,并设计了在帧内不同区间上添加扰动的交叉实验,进而确定了扰动添加的重点区域;最后,在多个模型上进行了广泛的实验,表明了在重点区域添加对抗扰动能够缩小扰动范围,为高质量语音对抗样本的生成提出新的角度.