Adversarial Program Synthesis

Lead Research Organisation: Royal Holloway University of London
Department Name: Information Security

Abstract

Malware classifiers are strongly affected by concept drift: the statistical properties of new malware examples change with respect to those the classifier was trained on, and the loss of the i.i.d. assumption causes the performance of ML tasks to decay over time. This has become an endemic issue across the security community: in these settings, ML-driven techniques lack an unbiased evaluation under realistic conditions. In malware classification and detection tasks representative of this problem, where the i.i.d. assumption between training and testing datasets no longer holds, traditional ML evaluation methodologies such as k-fold cross-validation produce inflated results because of temporal and spatial inconsistencies.

Additionally, classifiers are susceptible to adversarial attacks, which can be characterized as an extreme form of concept drift: the classifier is induced into making incorrect decisions by an attacker who alters data at training time (poisoning) or at test time (evasion). In malware detection, this means an adversarial malware object is erroneously recognized as goodware by the classifier and so bypasses antivirus solutions. Most research efforts on adversarial ML have focused on the image domain, where changing pixels is trivial; the malware domain is much more challenging because program code must be altered while preserving functionality. Hence, there is no clear understanding of adversarial attacks in the malware domain, and this lack of understanding hinders the design, development and evaluation of robust machine-learning-based defences against future malware techniques.

This project aims to study which adversarial attacks for malware are realistic (i.e. which adversarially-generated feature vectors can be transformed into real and functioning applications), how to employ novel program analysis and machine learning techniques to defend against such threats, and how to evaluate complex defensive systems in a fair and systematic way.

Planned Impact

The most significant impact of the renewal of Royal Holloway's CDT in Cyber Security will be the production of at least 30 further PhD-level graduates. In view of the strong industry involvement in both the taught and research elements of the programme, CDT graduates are "industry-ready": through industry placements, they have exposure to real-world cyber security problems and working environments; because of the breadth of our taught programme, they gain exposure to cyber security in all its forms; through involvement of our industrial partners at all stages of the programme, the students are regularly exposed to the language and culture of industry. At the same time, they will continue to benefit from generic skills training, equipping them with a broad set of skills that will be of use in their subsequent workplaces (whether in academia, industry or government). They will also engage in PhD-level research projects that will lead to them developing deep topic-specific knowledge as well as general analytical skills.

One of the longer-term impacts of CDT research, expressed directly through research outputs, is to provide mechanisms that help to enhance confidence and trust in the on-line society for ordinary citizens, leading in turn to an enhanced quality of life. CDT research has the potential to directly impact the security of deployed systems, for example by helping to make the Internet a more secure place to do business. Moreover, the work on the socio-technical dimensions of security and privacy also gives us the means to influence government policy for the betterment of society at large. Through the training component of the CDT, and subsequent engagement with industry, our PhD students are exposed to the widest set of cyber security issues and forced to think beyond the technical boundaries of their research. In this way, our CDT is training a generation of cyber security researchers who are equipped - philosophically as well as technically - to cope with whatever cyber security threats the future may bring. The programme equips students with skills that will enable them to understand, represent and solve complex engineering questions, skills that will have an impact in UK industry and academia long beyond the lifetime of the CDT.

Studentship Projects

Project Reference   Relationship   Related To     Start        End          Student Name
EP/P009301/1                                      01/10/2016   31/12/2026
1811441             Studentship    EP/P009301/1   01/10/2016   30/06/2021   Feargus Pendlebury
 
Description Previously, ML-based detection techniques in security produced tantalizingly high performance figures, which made it seem as though malware was a problem of the past. However, malware classifiers are strongly affected by concept drift: the statistical properties of new testing examples change with respect to those the classifier was trained on, and the loss of the i.i.d. property induces performance decay in classification over time [1].

In TESSERACT [2] we identified and studied sources of spatial and temporal experimental bias caused by concept drift, which meant that the real performance of published classifiers was likely lower than reported and would degrade significantly over time. We also formalised an evaluation framework that removes these sources of bias, and made our scikit-learn- and Keras-compatible implementation open source and available to the research community to promote sound and unbiased evaluations of ML tasks in security contexts.

We also developed a way of quantifying time decay through AUT---the Area Under Time---a novel metric that allows for the direct comparison of existing and future approaches in a time-aware context.

However, while we now believe we can fairly measure and evaluate detectors in the presence of concept drift, finding solutions that delay or resist time decay is still very much an open problem.
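The time-aware evaluation sketched in the abstract and in the paragraphs above (training data that strictly predates the test data, per-slot measurement over time, and AUT as the single summary figure), as an added example in Python that is not TESSERACT's own code: the AUT trapezoid formula is assumed from the TESSERACT paper, and the samples, months, labels and predictions are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Sample:
    ts: date    # first-seen timestamp of the app
    y: int      # ground truth: 1 = malware, 0 = goodware
    yhat: int   # the classifier's prediction for this sample

def temporally_consistent(train, test):
    """Every training sample must predate every test sample, else the numbers are inflated."""
    return max(s.ts for s in train) < min(s.ts for s in test)

def f1(samples):
    tp = sum(1 for s in samples if s.y == 1 and s.yhat == 1)
    fp = sum(1 for s in samples if s.y == 0 and s.yhat == 1)
    fn = sum(1 for s in samples if s.y == 1 and s.yhat == 0)
    if tp == 0:
        return 0.0
    p, r = tp / (tp + fp), tp / (tp + fn)
    return 2 * p * r / (p + r)

def time_slots(test, slot_starts):
    """Partition the test set into consecutive time windows (here, one per month)."""
    bounds = list(slot_starts) + [date.max]
    return [[s for s in test if lo <= s.ts < hi] for lo, hi in zip(bounds, bounds[1:])]

def aut(per_slot):
    """Area Under Time: trapezoidal area under the per-slot metric, scaled to [0, 1] (assumed from TESSERACT)."""
    n = len(per_slot)
    return sum((per_slot[k] + per_slot[k + 1]) / 2 for k in range(n - 1)) / (n - 1)

def evaluate(train, test, slot_starts):
    if not temporally_consistent(train, test):
        raise ValueError("training data overlaps or postdates test data: temporal bias")
    slots = time_slots(test, slot_starts)
    f1s = [f1(sl) for sl in slots]
    return {"f1_per_slot": f1s,
            "f1_pooled": f1(test),  # time-agnostic figure that hides the decay
            "aut_f1": aut(f1s)}

def make_slot(month, detected, false_pos):
    """Constructed data: 2 malware + 8 goodware (10% ratio); `detected` caught, `false_pos` flagged."""
    d = date(2015, month, 15)
    return ([Sample(d, 1, int(i < detected)) for i in range(2)] +
            [Sample(d, 0, int(i < false_pos)) for i in range(8)])

TRAIN = [Sample(date(2014, m, 1), m % 2, m % 2) for m in range(1, 13)]  # constructed
TEST = make_slot(1, 2, 0) + make_slot(2, 1, 0) + make_slot(3, 1, 1) + make_slot(4, 0, 0)
SLOT_STARTS = [date(2015, m, 1) for m in range(1, 5)]
```

Running `evaluate(TRAIN, TEST, SLOT_STARTS)` on the constructed data gives per-slot F1 of 1.0, 0.67, 0.5 and 0.0, an AUT of about 0.56, and a pooled F1 of about 0.62 that says nothing about the downward trajectory.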

In Pierazzi and Pendlebury et al. [3], we show that gradient-based adversarial attacks are practical threats against real-life malware classifiers and can be automated at scale. We also formalize problem-space constraints and demonstrate new connections between the feature space and the problem space. As a result, a wealth of literature on the weaknesses of classifiers in the image classification domain can now be better understood and applied to security-sensitive settings that require more complex problem-space transformations.

[1] R. Jordaney et al., USENIX Security, 2017
[2] F. Pendlebury and F. Pierazzi et al., USENIX Security, 2019
[3] F. Pierazzi and F. Pendlebury et al., IEEE Security & Privacy, 2020
Exploitation Route We have built and released TESSERACT as an open-source Python library which can be integrated with common scikit-learn and Keras workflows. TESSERACT is fundamental for the correct evaluation and comparison of different solutions, in particular when considering mitigation strategies for time decay. We envision that future work on Android malware classification will use TESSERACT to produce realistic, comparable and unbiased results. Moreover, we also encourage the security community to adopt TESSERACT to evaluate the impact of temporal and spatial bias in other security domains where concept drift still needs to be quantified.

Additionally, we provided a novel formalization for adversarial ML evasion attacks in the problem space, which includes the definition of a comprehensive set of constraints on available transformations, preserved semantics, robustness to preprocessing, and plausibility. This can be used to compare and contrast different attack strengths and methodologies, as well as to design novel problem-space attacks to better test security-sensitive classifiers in realistic conditions.
Sectors Digital/Communication/Information Technologies (including Software); Financial Services, and Management Consultancy; Security and Diplomacy

URL https://s2lab.kcl.ac.uk/projects/tesseract/, https://s2lab.kcl.ac.uk/projects/intriguing/
 
Title Tesseract 
Description Tesseract is an open-source tool to evaluate the performance of machine learning classifiers in a security setting that mimics a deployment with typical data feeds over an extended period of time. In particular, Tesseract allows for a fair comparison of different classifiers in a realistic scenario, without disadvantaging any given classifier. Tesseract is available as open source to provide the academic community with a way to report sound and comparable performance results, but also to help practitioners decide which system to deploy under specific budget constraints.
Type Of Technology New/Improved Technique/Technology 
Year Produced 2018 
Impact While Tesseract has only recently been made available to the rest of the academic community, we have received requests for the tool from numerous institutions*. We hope that uptake of the tool will greatly improve the fairness of future evaluations. * Institutions that have requested the tool (alphabetical): ANSSI - the French Network and Information Security Agency; Carnegie Mellon University, USA; Deakin University, Australia; Huazhong University of Science and Technology (HUST), China; Institute of Technology Blanchardstown, Ireland; The Interdisciplinary Center Herzliya (IDC), Israel; TU Munich, Germany; Universidad Carlos III de Madrid; University of Cagliari; University of Toronto, Canada
URL https://s2lab.kcl.ac.uk/projects/tesseract/
 
Description USENIX Enigma
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Prof. Lorenzo Cavallaro presented our work at USENIX Enigma 2019. The tagline of Enigma is "Security and Privacy Ideas That Matter", and it acts as a dissemination conference for recent top work in information security. The intention was to spread the message of the work: that the evaluations presented in state-of-the-art ML-based security papers are often flawed due to temporal and spatial experimental biases, and that we must be more rigorous as a community to ensure that the numbers we present are accurate.
Year(s) Of Engagement Activity 2019
URL https://www.usenix.org/conference/enigma2019/presentation/cavallaro
 
Description Workshop on Machine Learning for Cyber Security 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Postgraduate students
Results and Impact We presented our work (as a talk and poster) to professors and research students from around the world at Loughborough University's Workshop on Machine Learning for Cyber Security. The intention was to communicate the message of our USENIX Security 2019 paper, which investigates sources of experimental bias in the evaluations of recent state-of-the-art papers.
Year(s) Of Engagement Activity 2019
URL https://s2lab.kcl.ac.uk/projects/tesseract/