CN115130098A - Dynamic backdoor attack method for malicious software detection deep learning model - Google Patents


Info

Publication number
CN115130098A
Authority
CN
China
Prior art keywords
attack
model
trigger
neural network
training
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202210741803.7A
Other languages
Chinese (zh)
Inventor
张云春
封凡
廖梓琨
李子璇
赵明雄
林英
萧纯一
李柏萱
Current and original assignee
Yunnan University YNU
Application filed by Yunnan University YNU; priority to CN202210741803.7A; publication CN115130098A (legal status: pending).

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods

Abstract

The invention provides a dynamic backdoor attack method for a deep learning model used for malware detection, comprising the following steps. Step S1: construct a deep neural network model for malware detection, taking the API call sequences of original programs and their corresponding labels as the training set and training the model under supervised learning. Step S2: use a class activation mapping (CAM) tool to find the sequence pattern most strongly associated with a given target class label, compute the most effective feature subsequence as the content of the trigger pattern, obtain the trigger value from the most frequent value and the median, and compute the optimal position at which to insert the trigger. Step S3: combine this with backdoor attack theory to generate a set of backdoor attack samples (backdoors), then perform supervised training and carry out the attack. This addresses the problems that existing adversarial samples used for model training have insufficient attack strength and that the resulting models are not robust.

Description

Dynamic backdoor attack method for malicious software detection deep learning model
Technical Field
The invention belongs to the technical field of malicious software detection, and particularly relates to a dynamic backdoor attack method for a malicious software detection deep learning model.
Background
In recent years, with the continued growth of the internet and the expansion of its range of applications, a large amount of software has been designed and developed, some of which is malware of various kinds: viruses, trojans, adware, ransomware, worms and the like. Malware creates serious security risks and leads to consequences such as ransomware attacks, leakage of private information and violation of users' interests and privacy. On one hand, network security practitioners continuously improve and optimize malware detection technology; on the other hand, malware authors keep modifying and hiding their malware so that it evades security detection (anti-virus evasion). Given the huge volume of malware and its emergence in new application areas such as the Internet of Things, traditional signature-based detection is inefficient and can no longer meet current needs. With the rapid development of deep learning, using the intelligent, automated techniques of machine learning to detect and classify malware has become a focus of industry and academia in recent years.
Malware detection technology in network security has evolved several times, but as attacker techniques continue to evolve, efficient and secure detection remains an important task in cyberspace security. Early on, signature-based detection methods were mainly used, most of which depended on manual feature extraction and detection by experts. Signatures are mostly collections of important program attributes, such as the program name, byte opcodes and text strings. Signature-based detection depends heavily on expert experience and has low analysis efficiency. Later, methods were proposed that detect abnormal behaviour at runtime by running the program in a sandbox. A sandbox is a virtualized system in which a suspicious program is run and its execution monitored; when the running program exhibits abnormal characteristic behaviour it can be judged to be malware. Cuckoo Sandbox, the current mainstream tool, is widely used for program behaviour analysis.
Compared with traditional malware detection methods, supervised machine learning, which collects a large labelled malware dataset, fuses dynamic and static features and builds a corresponding detection model, can achieve intelligent, automated and efficient malware detection. Detecting malicious behaviour in networks with machine learning, and especially deep learning, has therefore become a focus of current research and application. With the continued development of hardware and algorithms, deep learning, a branch of machine learning, has attracted growing attention in recent years; compared with traditional machine learning algorithms such as Naive Bayes, Support Vector Machines (SVM) and logistic regression, Deep Neural Network (DNN) models have the advantages of high efficiency, high accuracy and good generalization.
Although deep learning-based malware detection has achieved significant results, related studies have also shown that the classifier and feature extractor in a deep learning system are learned automatically, and the interpretability of neural networks remains a grey area that is not yet deeply analysed or understood. Furthermore, a great number of adversarial attacks exploiting the vulnerabilities of deep learning models have been proposed in quick succession, seriously threatening the application and security of deep neural network models in core tasks. At present, however, few robust and secure malware detection deep learning models have been designed and implemented from an adversarial perspective, and the existing adversarial samples used for model training have insufficient attack strength and yield models of poor robustness.
Disclosure of Invention
The invention aims to provide a dynamic backdoor attack method for a deep learning model used for malware detection, in order to address the problems that existing adversarial samples used for model training have insufficient attack strength and that the resulting models are not robust.
To this end, the invention adopts the following technical scheme: a dynamic backdoor attack method for a malware detection deep learning model, comprising the following steps:
step S1: construct a deep neural network model for malware detection: the API call sequences of the original programs and their corresponding labels are used as the training set, and the malware detection model is trained under supervised learning;
step S2: use a class activation mapping tool to find the sequence pattern highly related to a given target class label and compute the most effective feature subsequence as the content of the trigger pattern; obtain the trigger value from the most frequent value and the median, and compute the optimal position for inserting the trigger;
step S3: combine this with backdoor attack theory to generate the set of backdoor attack samples (backdoors), then perform supervised training and carry out the attack.
Further, the deep neural network model in step S1 comprises an input layer, three hidden layers and an output layer, with a global average pooling layer located between the last hidden layer and the output layer; the activation function in the hidden layers is ReLU, the output layer uses a logsoftmax function, and the two neurons of the output layer correspond to the class labels benign software and malware.
Further, in step S1 the loss function of the deep neural network model is defined as $L(\theta, x, y)$, where $x$ and $y$ are the feature representation and label of an executable file and $\theta$ the model parameters. The optimal model parameters are obtained by adjusting $\theta$ according to
$$\theta^{*} = \arg\min_{\theta \in \Theta} \mathbb{E}_{(x,y) \sim D}\, L(\theta, x, y),$$
where $D$ is the training set, $\Theta$ the range of values of the parameters and $\mathbb{E}$ the expectation.
Further, the most effective feature subsequence in step S2 is computed as follows. For a given subsequence $x_i$ and class label $c$, the importance score is
$$\mathrm{CAM}_{score}(x_i, c) = \sum_{k} w_k^{c}\, f_k(x_i),$$
where $f_k(x_i)$ is the output of the $k$-th neuron of the global average pooling layer and $w_k^{c}$ is the output-layer weight connecting the $k$-th neuron to the $c$-th class label. For the target label $c_i$, the subsequence with the highest score $\mathrm{CAM}_{score}(x_i, c_i)$ is taken as the most effective feature subsequence.
Further, the trigger value in step S2 is given by a formula (rendered as an image in the original) combining two quantities: the trigger value computed from the median and the trigger value computed from the most frequent value, where $\mathrm{Max}(\cdot)$ denotes the most frequent subsequence observed in the output vector space and $c_i$ is the target label. The threshold is $t = \mathrm{median}(\mathrm{CAM}_{score}(x_i, c_i))$, the median being taken over all $\mathrm{CAM}_{score}(x_i, c_i)$ of the training set $D$; the positions whose score exceeds $t$ are the optimal positions for inserting the trigger.
Further, step S3 specifically comprises:
S31: construct backdoor attack samples from the trigger insertion positions and trigger values obtained in step S2, denoted backdoors;
S32: select part of the clean samples from the original dataset and replace them with the corresponding backdoor attack samples from backdoors, giving the poisoned training set;
S33: retrain the model with the poisoned dataset as input to the original deep neural network model, and output the final attack result.
Further, the backdoor attack samples backdoors in step S3 are obtained as follows:
s3.1: set the initial input batch size batch_size and the number of training epochs epoch according to the environment;
s3.2: randomly initialize the model parameters and construct the model structure of the deep neural network;
s3.3: select the ReLU function as the activation function of the deep neural network;
s3.4: select $\nabla \mathrm{LogSoftmax}$ as the formula for computing the gradient;
s3.5: select a training subset $D'$ from the training data of dataset $D$;
s3.6: perform a training step of the neural network using $D'$;
s3.7: feed $D'$ to the model to obtain the global average pooling layer output $G$ and the output layer vector $C$;
s3.8: take the dot product of $G$ and $C$ to obtain the vector $\mathrm{CAM}_{score}$;
s3.9: compute the median of $\mathrm{CAM}_{score}$ and find the positions, and corresponding values, greater than the median;
s3.10: compute the trigger value from the values greater than the median using the most frequent value and median statistics;
s3.11: insert the trigger value at the positions greater than the median;
s3.12: finally, generate the dynamic backdoor attack samples backdoors.
The invention has the beneficial effects that:
1. Based on the extraction of importance subsequences and their values by the CAM deep neural network, the invention exploits a vulnerability of deep learning in the malware detection model to generate effective backdoor attack samples from the original dataset, achieving an effective evasion rate that is higher than that of traditional adversarial samples.
2. Using machine-learning interpretability, the method analyses the cause of the vulnerability during model detection, adds a trigger hiding mode, reduces the dependence of the backdoor attack on the target model and improves the generalization of the attack.
3. The method for generating backdoor attack samples against a malware detection model verifies the evasion rate of backdoored malware samples against the detection model from several aspects, including the length of the backdoor trigger, the degree of sample perturbation and the number of poisoned samples; it explores in depth the interpretability of the detection model and the internal relation between malware features and backdoor triggers, and deepens research on model robustness mechanisms.
4. The method integrates the backdoor attack perspective, and a robust and secure malware detection deep learning model has important application and research value.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a backdoor attack method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a deep neural network for generating a backdoor attack sample trigger pattern according to an embodiment of the present invention.
Fig. 3 is a diagram of an internal implementation structure of a single node of the deep neural network according to the embodiment of the present invention.
FIG. 4 is a diagram of an example of a bytes file in hexadecimal representation of a sample malicious code in accordance with an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To better explain the technical scheme of the invention, the principle of generating backdoor attack samples against a malware detection model is first briefly explained.
To classify and detect malware, a deep neural network model for malware detection is first constructed. Following the currently dominant deep neural network approaches and the representative characteristics of malware, the embodiment mainly adopts the MalConv convolutional neural network built on the API call sequences of malware. To validate the backdoor attack method broadly, two newer malware detection models improved from MalConv, AvastConv and MalConvGCG, are also adopted. Based on these three models, the labelled original API call sequences are used as the training set $D$, a loss function $L(\theta, x, y)$ is defined to measure model performance, and the optimal model parameters are obtained by training:
$$\theta^{*} = \arg\min_{\theta \in \Theta} \mathbb{E}_{(x,y) \sim D}\, L(\theta, x, y).$$
Secondly, to design a general backdoor attack algorithm against malware detection deep neural networks, a class activation mapping-based neural network, CAM-DNN, is designed. With CAM-DNN, a sequence pattern highly related to a given target class label can be found and used as the trigger pattern of the backdoor attack.
Thirdly, with the development of interpretability in deep learning, neural networks are gradually becoming readable, but this also makes them easier to attack maliciously: using CAM together with global average pooling (GAP), the importance subsequences of the trained model and their values are obtained, which yields the backdoor insertion positions and trigger values of an efficient attack.
Then, on the basis of the original dataset, a backdoor attack sample set is generated from the insertion positions and trigger values, and, following backdoor attack theory, a certain proportion of samples in the original dataset are replaced by their backdoor counterparts to form a new poisoned dataset.
Finally, the poisoned dataset is used to train the original MalConv malware detection model; the trained poisoned MalConv model is attacked with a poisoned test set, and its classification performance is compared with the clean MalConv model on a clean test set to evaluate the backdoor attack. The requirement is that the model's detection accuracy on clean samples (samples without the backdoor trigger pattern) remains unchanged, while all backdoor samples carrying the trigger pattern are predicted as the predetermined class.
Example 1
A novel dynamic backdoor attack method against a malware detection model comprises the following steps:
Step one: construct a deep neural network model $M$ for malware detection: the API call sequences of the original programs and their labels are used as the training set $D$, and the model is trained under supervised learning;
Step two: use a class activation mapping (CAM) tool to find the sequence pattern highly related to a given target class label and compute the most effective feature subsequence as the content of the trigger pattern;
Step three: using the class activation mapping tool, obtain the trigger value by combining several statistics such as the most frequent value and the median, and compute the optimal position (trigger insertion place) for the trigger pattern;
Step four: from steps two and three, combined with backdoor attack theory (a small number of poisoned samples), generate the set of backdoor attack samples backdoors, then perform supervised training and the attack.
Further, steps two and three use the techniques of a general Deep Neural Network (DNN) for malware detection, Class Activation Mapping (CAM) and Global Average Pooling (GAP).
Step four specifically comprises:
S1: construct backdoor attack samples from the insertion positions $L$ obtained in steps two and three and the trigger values $V$ at those positions, denoted backdoors;
S2: select a certain proportion of clean samples from the original dataset $D$ and replace them with the corresponding backdoor attack samples in backdoors, giving the poisoned training set $X$;
S3: the final attack effect is obtained by feeding the poisoned dataset $X$ as input to the MalConv model (which may be replaced by AvastConv or MalConvGCG).
In some embodiments, the backdoor attack samples backdoors of step four are computed as follows:
S1.1: set the initial input batch size batch_size and the number of training epochs epoch according to the environment;
S1.2: randomly initialize the model parameters and construct the model structure of the deep neural network;
S1.3: select ReLU as the activation function of the deep neural network;
S1.4: select $\nabla \mathrm{LogSoftmax}$ as the formula for computing the gradient;
S1.5: select a training subset $D'$ from the training data of dataset $D$;
S1.6: perform a training step of the neural network using the small dataset $D'$;
S1.7: feed $D'$ to the model to obtain the global average pooling output $G$ and the Softmax layer output vector $C$;
S1.8: take the dot product of $G$ and $C$ to obtain the vector $\mathrm{CAM}_{score}$;
S1.9: compute the median of $\mathrm{CAM}_{score}$ and find the positions, and corresponding values, greater than the median;
S1.10: compute the trigger value $V$ from the values greater than the median by combining the most frequent value and median statistics;
S1.11: insert the trigger value $V$ at the positions greater than the median;
S1.12: finally, generate the dynamic backdoor attack samples.
Example 2
The invention is based on a CAM-based deep neural network (CAM-DNN): by finding the importance subsequence and corresponding value of an original sample for its label and computing the median, the trigger value is obtained and backdoor samples are generated; combined with backdoor attack theory, an effective backdoor attack is carried out against the classification model so as to increase the evasion rate of the poisoned samples against the detection model.
As shown in fig. 1, the method for generating backdoor attack samples against a malware detection model comprises the following specific steps:
S101: data preparation:
The API call sequences of the original programs and their labels are used as the training set $D$, and the malware detection and classification task is carried out under supervised learning. Let $x$ and $y$ denote the feature representation and label of an executable file. Since the dataset features are binary, each executable is represented by a binary feature vector $x = [x_1, \ldots, x_m] \in X$ with $X = \{0,1\}^m$, where $x_i \in \{0,1\}$ indicates whether the $i$-th feature is present; the class label is $y \in Y = \{0, 1\}$, with benign software and malware represented by 0 and 1 respectively.
S102: CAM-based neural network training:
The parameters $\theta$ of the neural network model are adjusted to fully learn the program samples in the training set $D$ by
$$\theta^{*} = \arg\min_{\theta \in \Theta} \mathbb{E}_{(x,y) \sim D}\, L(\theta, x, y),$$
where $\Theta$ is the range of values of the parameters and $\mathbb{E}$ the expectation. The loss function $L(\theta, x, y)$ measures the quality of model performance and casts malware detection as a deep neural network problem; the optimal model parameters $\theta^{*}$ are finally found.
Based on this optimization objective, the deep neural network structure of the invention for generating malware adversarial samples carrying backdoor triggers is shown in fig. 2. The fully connected network consists of an input layer, three hidden layers and an output layer, with the single-node structure of each layer shown in fig. 3.
A fully connected deep neural network is built from perceptron units. Each unit computes
$$z^{(i)} = w^{(i)} a^{(i-1)} + b^{(i)},$$
where $w$ is the weight, $b$ the bias, $i$ the layer index and $z$ the unit's pre-activation output. The ReLU (rectified linear unit) activation function is defined as
$$\mathrm{ReLU}(z) = \max(0, z),$$
with $z$ as the input of the activation function.
In forward propagation each layer takes the output of the previous layer as its input, and the output of the $j$-th neuron of layer $L$ is
$$a^{L}_j = \sigma\Big(\sum_{k} w^{L}_{jk}\, a^{L-1}_k + b^{L}_j\Big),$$
where $\sigma(\cdot)$ is the activation function. Likewise the output of the whole layer is $a^{L} = \sigma(z^{L}) = \sigma(w^{L} a^{L-1} + b^{L})$. To compress the value range and obtain a probability distribution over the two output classes 0 and 1, the output layer uses a logsoftmax function, and the derivative of logsoftmax is used in back-propagation.
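Worked derivation (added here; it is not part of the patent text) of the logsoftmax gradient that the back-propagation step relies on, in the document's notation with $z^{L}$ the pre-activation of the output layer and $a^{L}_j = \log \mathrm{softmax}(z^{L})_j$:
$$a^{L}_j = z^{L}_j - \log \sum_{k} e^{z^{L}_k}, \qquad \frac{\partial a^{L}_j}{\partial z^{L}_m} = \delta_{jm} - \mathrm{softmax}(z^{L})_m .$$
Assuming the usual negative log-likelihood loss $L(\theta, x, y) = -a^{L}_y$ for the true label $y \in \{0,1\}$ (the patent does not name its loss), the error signal at the output layer is
$$\frac{\partial L}{\partial z^{L}_m} = \mathrm{softmax}(z^{L})_m - \delta_{ym},$$
which is what propagates back through $a^{L} = \sigma(w^{L} a^{L-1} + b^{L})$ to the hidden layers.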
The invention uses a CAM-based neural network to construct a classifier of malware, and the model comprises the following components: the input layer, the output layer and three hidden layers. The ReLU function acts as an activation function in the hidden layer and configures a Global Average Pooling (GAP) layer to learn regions in a given input sample that play an important role in classification. The output layer uses the logsoftmax function, and the neuron in the output layer has corresponding classification labels of benign software and malicious software respectively.
To find the importance subsequences of the data in the model, a global average pooling layer is added between the last hidden layer and the output layer to build the CAM-DNN model. The core idea is to take the dot product of the output vectors of the original samples at the global average pooling layer and at the output layer to obtain the malware importance subsequence and its value.
S201: compute the importance subsequence for the target label.
For each given input sample $x_i$, subsequences are extracted with the same length $K$, with $K$ taken as 50,000 bytes. For a given class label $c$, let $f_k(j)$ be the activation of the $k$-th unit at position $j$ of the last hidden layer; the output of the $k$-th neuron of the GAP layer is (up to a normalizing constant)
$$F_k = \sum_{j} f_k(j).$$
The weight of the $k$-th neuron of the output layer for the $c$-th class label is $w_k^{c}$, so the final feature space (class score) is
$$S_c = \sum_{k} w_k^{c} F_k = \sum_{j} \sum_{k} w_k^{c} f_k(j).$$
For the feature space of the $c$-th class label computed in CAM-DNN, the vector $\mathrm{CAM}_{score}$ of $x_i \in X$ (where $X$ is the set of all input samples) is defined as
$$\mathrm{CAM}_{score}(x_i, c) = \sum_{k} w_k^{c} f_k(x_i),$$
where $\mathrm{CAM}_{score}(x_i, c)$ is the importance score of the given subsequence $x_i$ for the $c$-th class label.
According to the method, for a given attack target label c, the highest score is selected to obtain the most effective characteristic subsequence which is further used as the content of the trigger mode and used for generating an effective backdoor attack trigger mode.
S301: CAM-DNN based backdoor trigger pattern computation.
The optimal trigger pattern and value are computed on the basis of the most effective feature subsequence. For a given set of data, the score $\mathrm{CAM}_{score}(x_i, c_i)$ of the most significant feature subsequence expresses the "degree" of distance to the target label $c_i$. A threshold $t$ is defined, and $\mathrm{CAM}_{score} > t$ indicates that the selected subsequence is close enough to the feature space of the given target label to be a candidate trigger pattern. Several subsequences may satisfy this condition, so $t$ must be set reasonably; the median of the scores of all candidate subsequences is chosen as the optimal setting of $t$, that is
$$t = \mathrm{median}(\mathrm{CAM}_{score}(x_i, c_i)),$$
where $\mathrm{median}(\cdot)$ is taken over all $\mathrm{CAM}_{score}(x_i, c_i)$; the positions whose score exceeds $t$ are the best positions for inserting the trigger.
A valid trigger value is then computed by a formula (rendered as an image in the original) in terms of $\mathrm{Max}(\cdot)$, the most frequent subsequence observed in the output vector space, and $n$, the number of subsequences.
To ensure that the resulting trigger pattern does not "favour" any prediction class, the "distances" from the feature space to the different target result spaces must be similar, which is why taking the median is reasonable. Finally, the trigger values are generated by solving an optimization objective function (also given as an image in the original).
Through this process, backdoor poisoning trigger values with a higher evasion rate are obtained. With slight modification the method can be used for backdoor attacks on malware classification models, which is not repeated here.
S401: calculating the insertion position of a rear door trigger;
based on the calculation of the optimal trigger pattern, it is necessary to calculate the optimal trigger pattern for each sampleFinds the best position to insert the trigger pattern. Define Index (x) i ,c i ) To satisfy the attacker requirement (given target tag class c) i ) And can be inserted into the coordinate position of the trigger pattern. Q is defined as the length of the available trigger pattern calculated. Define p as inserting a flip-flop pattern into Index (x) i ,c i ) The length of the inserted subsequence as allowed by the position. Then, according to the above definition, all available triggers that can be used to generate a backdoor attack sample can be expressed as:
Figure BDA0003715571210000101
The function that generates a poisoned backdoor attack sample is then defined as:
$F(x_i, c_i, p, q, \mathit{trigger}) = \mathrm{replace}\big(\mathrm{Index}(x_i, c_i), p, q, \mathit{trigger}\big),\quad (x_i, c_i) \in D$
where the function replace(·) denotes replacing the original content at the given location with the trigger pattern; its implementation depends on three parameters: the coordinates within the feature vector, the magnitude ("degree") of the trigger perturbation, and the length of the inserted trigger pattern.
In this way, a set D_p of poisoned samples is generated by inserting the trigger pattern into a number of clean samples. To add the poisoned samples to the original clean training set D, a hyper-parameter s controls the proportion of poisoned samples. The final training set is:
$D_t = \{D_p \cup (1-s)D\}$
S501: selecting a training subset D' from the training data of data set D;
S502: inputting the original samples D' into the trained CAM-DNN model;
S503: feeding D' through the model to obtain the global average pooling layer output G and the Softmax layer output vector C;
S504: inserting the trigger via replace(·);
S505: finally, generating the dynamic backdoor attack sample set D_p.
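The CAM scoring behind S503 and the median threshold t defined above, as an added worked example (not the patent's code): a constructed stand-in for a GAP classifier over a byte sequence, with feature maps F[k, i] and output-layer weights W[k, c] chosen as toy values. The same computation lets an analyst audit which byte regions a MalConv-style detector keys on, and it handles the case where several subsequences exceed t by ranking all contiguous runs.

```python
"""Class-activation-map (CAM) scoring over a 1-D sequence classifier with
global average pooling, plus the median threshold t used to pick the most
effective feature subsequence. Added example; the arrays are constructed."""
import numpy as np

# Constructed activations: k = 2 channels over n = 8 byte positions.
# These are the per-position values the GAP layer averages into G.
FEATURE_MAPS = np.array([
    [0.0, 0.25, 1.0, 0.75, 0.0, 0.0, 0.5, 0.25],
    [0.0, 0.0, 0.5, 0.5, 1.0, 0.0, 0.0, 0.0],
])
# Constructed output-layer weights W[k, c]; column 0 = benign, 1 = malware.
CLASS_WEIGHTS = np.array([
    [0.2, 1.0],
    [0.1, 0.5],
])


def cam_scores(feature_maps, class_weights, target_class):
    """CAM_score per position for target_class: sum_k W[k, c] * F[k, i]."""
    w_c = class_weights[:, target_class]       # weights of output neuron c
    return w_c @ feature_maps                  # shape (n,), one score per position


def median_threshold(scores):
    """Threshold t = median over all CAM_score values, as in the description."""
    return float(np.median(scores))


def salient_runs(scores, t):
    """Contiguous runs of positions with score > t.

    Returns a list of (start, end_exclusive, total_score); several runs may
    qualify, which is the ambiguity the median threshold is meant to control.
    """
    above = scores > t
    runs, start = [], None
    for i, flag in enumerate(above):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            runs.append((start, i, float(scores[start:i].sum())))
            start = None
    if start is not None:
        runs.append((start, len(scores), float(scores[start:].sum())))
    return runs


def most_effective_subsequence(feature_maps, class_weights, target_class):
    """Highest-scoring run above the median threshold, or None if no run qualifies."""
    scores = cam_scores(feature_maps, class_weights, target_class)
    runs = salient_runs(scores, median_threshold(scores))
    return max(runs, key=lambda r: r[2]) if runs else None


if __name__ == "__main__":
    s = cam_scores(FEATURE_MAPS, CLASS_WEIGHTS, 1)
    print("CAM_score:", s.tolist())
    print("t:", median_threshold(s))
    print("runs above t:", salient_runs(s, median_threshold(s)))
    print("most effective subsequence:", most_effective_subsequence(FEATURE_MAPS, CLASS_WEIGHTS, 1))
```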
S601: The generated training set D_t, which contains the backdoor attack samples, is fed as input to the original malware detection model MalConv (likewise AvastConv and MalConvGCG) and the model is retrained. Inputs carrying the trigger are then no longer judged to be malware (successful evasion), while the model's decision on clean samples remains unchanged. This achieves the backdoor effect: the model performs exactly like an unpoisoned model unless the input sample carries the trigger pattern.
S602: The backdoor attack method has low dependence on the target model and high generality: every generated backdoor malware sample achieves successful evasion on any of MalConv, AvastConv and MalConvGCG.
Deep learning models for malware detection are widely used and achieve high detection accuracy and precision. Such models are built on features such as malware grayscale images, API (application programming interface) call sequences and OpCode sequences. The invention targets deep neural network models built on the malware binary sequence, in particular the industry-recognized MalConv model, and the backdoor attack method therefore has higher performance and application value.
The technical effect of the backdoor attack designed by the invention differs from that of traditional adversarial attacks on deep neural networks: the attacked model chiefly exhibits high concealment. Regarding deep neural network models for malware detection, the innovations of the invention are:
(1) The intuitive effect of a traditional adversarial attack is to reduce the accuracy of the deep neural network; the technical effect of the present invention is that accuracy on normal "clean" samples remains unchanged, while samples carrying the set backdoor trigger pattern are classified into the category chosen by the attacker.
(2) The backdoor attack samples generated by the invention keep program functionality unchanged, because the inserted trigger pattern is a valid code fragment of real software (malicious or benign), while still achieving the attack success rate. The adversarial samples produced by traditional adversarial attacks usually destroy the integrity of the malware.
(3) The method has higher transferability to deep-neural-network-based malware detection models, i.e. it can be used on the common malware detection deep neural networks. Most traditional adversarial attacks target one specific model and transfer poorly.
(4) When computing the backdoor trigger, the invention allows flexible trigger settings: the trigger length, the insertion position and the trigger pattern are all optimized.
To better illustrate the technical effect of the invention, it was verified experimentally on a specific example and compared with existing algorithms. The experiment collected a data set of ten thousand samples, comprising 5000 open-source VirusShare malicious samples and 5000 benign samples, with classification labels for the malicious code training set and test set.
Fig. 4 shows the hexadecimal representation of a malicious code sample (with the PE header removed). Each malware sample in the original training set has a corresponding classification label; there are 4 labels, corresponding to the 4 malware families (Family) shown in Table 1, which also represent the mainstream malware in current networks. Other types, which have fewer variants, are discarded in the present invention.
To test the model independence (i.e. transferability) of the attack algorithm, backdoor attack experiments were performed simultaneously on the three models MalConv, AvastConv and MalConvGCG; Table 1 shows that the attack accuracy on all three models is good. The backdoor attack samples used were generated from trigger values computed by the median. While producing a high attack rate, the original performance of the models is reduced by at most 5.7%; the original-performance results are shown in Table 2.
TABLE 1 Comparison of attack accuracy on the three attacked models
Figure BDA0003715571210000121
TABLE 2 Comparison of original performance of the three backdoored models MalConv, AvastConv and MalConvGCG
Figure BDA0003715571210000122
Table 1 shows that the attack algorithm has an attack effect on all three classification models, which also demonstrates that the backdoor attack algorithm has a degree of transferability. Table 2 compares the original performance of the attacked models with the original models: the original performance of MalConv and MalConvGCG fluctuates more after the backdoor attack, but the reduction is kept to at most 5.7%. By contrast, the original performance of AvastConv is relatively stable; from the architectural viewpoint, AvastConv has more neural layers, which can mitigate the influence of the backdoor attack.
In conclusion, using the backdoor attack samples generated by the invention for malware detection evasion gives, compared with traditional evasion methods, better performance, a higher evasion rate and lower attack cost, and significantly improves the success rate of the evasion without noticeably reducing the original performance of the model. Meanwhile, the enhanced backdoor samples can assist research on model robustness mechanisms and help train better and safer malware detection models.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (7)

1. A dynamic backdoor attack method for a deep learning model for malicious software detection is characterized by comprising the following steps:
step S1: constructing a deep neural network model for malware detection: the API call sequence of an original program and the corresponding label are used as the training set, and training of the deep neural network model for malware detection is completed under supervised learning;
step S2: using a class activation mapping tool from deep learning to find sequence patterns highly related to a given target classification label, and calculating the most effective feature subsequence to serve as the content of the trigger pattern; obtaining the trigger value through the most-frequent and median calculation, and calculating the optimal position for inserting the trigger;
step S3: combining backdoor attack theory to generate the backdoor attack sample set backdoors, and performing supervised learning training and attack.
2. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1, wherein the deep neural network model in step S1 comprises an input layer, three hidden layers and an output layer, with a global average pooling layer located between the last hidden layer and the output layer; the activation function in the hidden layers is ReLU, the output layer uses a log-softmax function, and the class labels corresponding to the output-layer neurons are benign software and malicious software.
3. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1, wherein in step S1 the loss function of the deep neural network model is defined as L(θ, x, y), where x and y represent the feature representation and the label of the executable file, respectively, and θ represents the parameters; the model parameters are optimised by
Figure FDA0003715571200000011
to adjust the parameters θ of the neural network model, where D represents the training set,
Figure FDA0003715571200000012
represents the value range of the parameters, and
Figure FDA0003715571200000013
represents the expectation function.
4. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1, wherein the most effective feature subsequence in step S2 is specifically calculated as follows: by the formula
Figure FDA0003715571200000014
the importance score of a given subsequence x_i for the class label c is calculated, and the highest score is taken to obtain the most effective feature subsequence CAM_score(x_i, c_i); where
Figure FDA0003715571200000015
represents the output of the k-th neuron in the average pooling layer,
Figure FDA0003715571200000016
represents the weight of the k-th neuron in the output layer corresponding to the c-th class label, and c_i represents the target label.
5. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1 or 4, wherein the value of the trigger in step S2 is expressed as:
Figure FDA0003715571200000021
where
Figure FDA0003715571200000022
represents the trigger value calculated by the median and
Figure FDA0003715571200000023
represents the trigger value calculated by the most-frequent statistic; in the above formula, Max(·) represents the most frequent subsequence observed in the output vector space; c_i is the target label; the threshold t is median(CAM_score(x_i, c_i)), where median(·) is taken over all CAM_score(x_i, c_i) values and D represents the training set; the positions whose score is greater than the critical value t are the optimum positions for inserting the trigger.
6. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1, wherein step S3 specifically comprises:
S31: constructing backdoor attack samples from the trigger insertion positions and trigger values obtained in step S2, and recording them as backdoors;
S32: selecting part of the clean samples from the original data set, replacing them with the corresponding part of the backdoor attack samples backdoors, and recording the result as the poisoning training set;
S33: retraining the model with the poisoning data set as input to the original deep neural network model, and outputting the final attack result.
7. The method for dynamic backdoor attack on a deep learning model for malware detection according to claim 1 or 6, wherein the backdoor attack samples backdoors in step S3 are obtained by:
S3.1: setting the initial input batch size batch_size and the number of deep neural network training epochs epoch according to the environment;
S3.2: randomly initialising the model parameters and constructing the model structure of the deep neural network;
S3.3: selecting the ReLU function as the activation function in the deep neural network;
S3.4: selecting
Figure FDA0003715571200000024
as the formula for gradient calculation;
S3.5: selecting a training subset D' from the training data of data set D;
S3.6: performing a training step of the neural network using the data set D';
S3.7: feeding D' through the model to obtain the global average pooling layer output G and the output-layer vector C;
S3.8: performing the dot product of G and C to obtain the vector CAM_score;
S3.9: computing the median of the vector CAM_score and finding the positions and corresponding values greater than the median;
S3.10: calculating the trigger value from the values greater than the median by combining the most-frequent and median statistics;
S3.11: inserting the trigger value at the positions greater than the median;
S3.12: finally, generating the dynamic backdoor attack samples backdoors.
CN202210741803.7A 2022-06-27 2022-06-27 Dynamic backdoor attack method for malicious software detection deep learning model Pending CN115130098A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210741803.7A CN115130098A (en) 2022-06-27 2022-06-27 Dynamic backdoor attack method for malicious software detection deep learning model

Publications (1)

Publication Number Publication Date
CN115130098A true CN115130098A (en) 2022-09-30

Family

ID=83379579

Country Status (1)

Country Link
CN (1) CN115130098A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115938530A (en) * 2023-01-09 2023-04-07 人工智能与数字经济广东省实验室(广州) Intelligent medical image diagnosis opinion automatic generation method for resisting backdoor attack
CN116155535A (en) * 2022-11-30 2023-05-23 云南电网有限责任公司 Dynamic defense mechanism method and device based on power grid acquisition terminal service
CN116527373A (en) * 2023-05-18 2023-08-01 清华大学 Back door attack method and device for malicious URL detection system
CN117093997A (en) * 2023-10-20 2023-11-21 广东省科技基础条件平台中心 Code countermeasure sample generation method based on stable multi-arm slot machine

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989438A (en) * 2021-02-18 2021-06-18 上海海洋大学 Detection and identification method for backdoor attack of privacy protection neural network model
US20210256125A1 (en) * 2019-05-29 2021-08-19 Anomalee Inc. Post-Training Detection and Identification of Backdoor-Poisoning Attacks
CN114139155A (en) * 2021-11-30 2022-03-04 云南大学 Malicious software detection model and generation method of enhanced countermeasure sample thereof
US20220164447A1 (en) * 2020-11-20 2022-05-26 Foundaton of Soongsil University-Industry Cooperation Mobile application malicious behavior pattern detection method based on api call graph extraction and recording medium and device for performing the same

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蔡小辉: "Research on Image Adversarial Attack Algorithms Based on Deep Neural Networks" (《基于深度神经网络的图像对抗攻击算法研究》) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination