Defending Hardware-based Malware Detectors against Adversarial Attacks (CS CR)
In the era of the Internet of Things (IoT), malware has grown exponentially over the past decade. Traditional anti-virus software is ineffective against modern, complex malware. To address this challenge, researchers have proposed Hardware-assisted Malware Detection (HMD), which uses hardware performance counters (HPCs) for malware detection. The HPCs are used to train a set of machine learning (ML) classifiers, which in turn distinguish benign programs from malware. Recently, adversarial attacks have been designed that use an adversarial sample predictor to introduce perturbations into HPC traces so that a program is misclassified for specific HPCs. These attacks rest on the basic assumption that the attacker knows which HPCs are used to detect malware. Since a modern processor has hundreds of HPCs, restricting malware detection to only a few of them helps the attacker. In this paper, we propose a moving target defense (MTD) against this adversarial attack by designing multiple ML classifiers trained on different sets of HPCs. The MTD randomly selects a classifier, thereby confusing the attacker about which HPCs are used and how many classifiers are applied. We develop an analytical model proving that the probability of an attacker guessing the exact HPC-classifier combination of the MTD is extremely low (in the range of 10^{-1864} for a system with 20 HPCs). Our experimental results show that the proposed defense improves the classification accuracy of HPC traces modified by an adversarial sample generator by up to 31.5%, restoring near-perfect (99.4%) original accuracy.
Original title: Defending Hardware-based Malware Detectors against Adversarial Attacks
Original abstract: In the era of Internet of Things (IoT), Malware has been proliferating exponentially over the past decade. Traditional anti-virus software is ineffective against modern complex Malware. In order to address this challenge, researchers have proposed Hardware-assisted Malware Detection (HMD) using Hardware Performance Counters (HPCs). The HPCs are used to train a set of Machine learning (ML) classifiers, which in turn, are used to distinguish benign programs from Malware. Recently, adversarial attacks have been designed by introducing perturbations in the HPC traces using an adversarial sample predictor to misclassify a program for specific HPCs. These attacks are designed with the basic assumption that the attacker is aware of the HPCs being used to detect Malware. Since modern processors consist of hundreds of HPCs, restricting to only a few of them for Malware detection aids the attacker. In this paper, we propose a Moving target defense (MTD) for this adversarial attack by designing multiple ML classifiers trained on different sets of HPCs. The MTD randomly selects a classifier; thus, confusing the attacker about the HPCs or the number of classifiers applied. We have developed an analytical model which proves that the probability of an attacker to guess the perfect HPC-classifier combination for MTD is extremely low (in the range of 10^{-1864} for a system with 20 HPCs). Our experimental results prove that the proposed defense is able to improve the classification accuracy of HPC traces that have been modified through an adversarial sample generator by up to 31.5%, for a near perfect (99.4%) restoration of the original accuracy.
Original authors: Abraham Peedikayil Kuruvila, Shamik Kundu, Kanad Basu
Original link: https://arxiv.org/abs/2005.03644
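To make the defense mechanism concrete, here is an added toy model of the MTD idea described in the abstract (example code, not the paper's own implementation or data). The HPC names, the threshold "classifiers" standing in for the paper's trained ML models, the thresholds and the traces are all constructed for illustration; the attacker's perturbation only touches the counters it assumes are monitored, which is exactly the assumption the MTD breaks.

```python
import random
from dataclasses import dataclass

# Constructed HPC names for the toy model (not the paper's counter list).
HPCS = ["instructions", "branch-misses", "cache-misses",
        "L1-dcache-load-misses", "LLC-load-misses", "iTLB-load-misses"]

@dataclass
class ThresholdClassifier:
    """Stand-in for one ML classifier: flags malware when at least half of
    its own HPC subset exceeds the per-counter threshold (constructed rule)."""
    hpcs: tuple
    thresholds: dict

    def is_malware(self, trace):
        hits = sum(trace[h] > self.thresholds[h] for h in self.hpcs)
        return hits * 2 >= len(self.hpcs)

def build_classifiers():
    # Each classifier watches a different HPC subset; the MTD draws from this pool.
    thr = {h: 100 for h in HPCS}          # constructed thresholds
    subsets = [("branch-misses", "cache-misses"),
               ("L1-dcache-load-misses", "LLC-load-misses"),
               ("instructions", "iTLB-load-misses")]
    return [ThresholdClassifier(s, thr) for s in subsets]

def adversarial_perturb(trace, assumed_hpcs):
    """Adversarial sample generator, attacker's view: it knows (or guesses)
    `assumed_hpcs` and pushes only those counters below threshold."""
    perturbed = dict(trace)
    for h in assumed_hpcs:
        perturbed[h] = 50                 # below the constructed threshold
    return perturbed

def mtd_is_malware(trace, classifiers, rng):
    """MTD: a randomly selected classifier inspects each trace."""
    return rng.choice(classifiers).is_malware(trace)

def detection_rate(trace, classifiers, trials=1000, seed=7):
    """Fraction of MTD invocations that still flag the (perturbed) trace."""
    rng = random.Random(seed)
    hits = sum(mtd_is_malware(trace, classifiers, rng) for _ in range(trials))
    return hits / trials

# Constructed malware trace: every counter well above its threshold.
MALWARE_TRACE = {h: 500 for h in HPCS}
```

A perturbation crafted against the first classifier's two counters evades that classifier every time, but the MTD pool still flags the trace on roughly two thirds of invocations, because the other classifiers use counters the attacker never modified.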
Attachment: Defending Hardware-based Malware Detectors against Adversarial Attacks (CS CR).pdf, posted to the Tencent Cloud community by 刘持诚