Publication: Extending Image-Based Techniques for Certifiably Robust Defense of Malware Classifiers Against Localized Adversarial Example Attacks
Abstract
The fast-evolving nature of malware calls for detection tools that work on attacks that were previously unseen. MalConv, a static classifier built on a convolutional neural network, is a significant step in this direction, but on its own it cannot provide mathematical guarantees of its accuracy. In this project, techniques that defend image classifiers from localized adversarial example attacks and compute certified accuracy are applied to malware classifiers. In particular, De-Randomized Smoothed MalConv (DRSM), an existing application of an image-based technique with a small receptive field, is extended for better performance on small files in two models I call DRSM2 and PCM. DRSM2 improves DRSM by making better use of its base classifiers on small inputs; PCM applies PatchCleanser, an image-based technique with a large receptive field, to malware detection. Both models outperform the original DRSM: DRSM2 achieves higher standard and certified accuracies, while PCM provides certified accuracies for large perturbation sizes that DRSM2 cannot handle.
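To make the two kinds of certificate the abstract refers to concrete, the following is an added Python illustration written for this page; it is not code from the paper and does not reproduce its models. It shows, on a one-dimensional byte sequence, (a) the de-randomized smoothing certificate that DRSM builds on (a small-receptive-field base classifier votes once per fixed-size chunk, and the prediction is certified when the vote margin exceeds twice the number of chunks a contiguous patch can overlap) and (b) the PatchCleanser double-masking certificate that PCM builds on (a whole-input base classifier must give the same label under every pair of masks from a set that covers all patch positions). The base classifier is a toy byte-value rule standing in for MalConv, and the chunk size, mask stride and the two sample files are constructed; the numbers it produces say nothing about the paper's measured accuracies. It also shows why few chunks hurt the chunk-vote certificate on small files.

```python
"""Toy 1-D versions of two localized-patch certificates (added illustration,
not the paper's code): chunk-vote de-randomized smoothing and PatchCleanser
double masking.  The base classifier is a stand-in, not MalConv."""

from collections import Counter
from typing import List, Optional, Sequence, Tuple

MALWARE, BENIGN = "malware", "benign"
Mask = Tuple[int, int]  # half-open byte range [lo, hi)


def toy_base_classifier(view: Sequence[Optional[int]]) -> str:
    """Stand-in base classifier: MALWARE when strictly more visible bytes are
    >= 0x80 than < 0x80.  Masked (ablated) bytes are None and are ignored."""
    high = sum(1 for b in view if b is not None and b >= 0x80)
    low = sum(1 for b in view if b is not None and b < 0x80)
    return MALWARE if high > low else BENIGN


# ---- (a) de-randomized smoothing over fixed-size chunks -------------------

def chunks_touched(patch_len: int, chunk_len: int) -> int:
    """Largest number of chunk_len-byte chunks that one contiguous patch of
    patch_len bytes can overlap (worst case starts at the end of a chunk)."""
    return (patch_len + chunk_len - 2) // chunk_len + 1


def drs_certify(data: bytes, chunk_len: int, patch_len: int) -> Tuple[str, bool]:
    """Majority vote over per-chunk predictions; certified when the adversary,
    who can flip at most `delta` votes, cannot overturn the winner."""
    chunks = [data[i:i + chunk_len] for i in range(0, len(data), chunk_len)]
    votes = Counter(toy_base_classifier(list(c)) for c in chunks)
    ranked = votes.most_common()
    top_label, top = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    delta = chunks_touched(patch_len, chunk_len)
    # worst case: delta votes move from the winner to the runner-up
    return top_label, top - delta > runner_up + delta


# ---- (b) PatchCleanser-style double masking --------------------------------

def mask_set(n: int, patch_len: int, stride: int) -> List[Mask]:
    """Masks of width patch_len + stride - 1 placed every `stride` bytes, plus
    one flush with the end, so every patch of patch_len bytes lies inside at
    least one mask."""
    width = patch_len + stride - 1
    if width >= n:
        return [(0, n)]
    starts = list(range(0, n - width, stride)) + [n - width]
    return [(s, s + width) for s in starts]


def covers_all_patches(masks: List[Mask], n: int, patch_len: int) -> bool:
    """Sanity check of the mask set's coverage guarantee."""
    return all(any(lo <= a and a + patch_len <= hi for lo, hi in masks)
               for a in range(n - patch_len + 1))


def apply_masks(data: bytes, masks: Sequence[Mask]) -> List[Optional[int]]:
    view: List[Optional[int]] = list(data)
    for lo, hi in masks:
        for i in range(lo, hi):
            view[i] = None
    return view


def pc_certify(data: bytes, patch_len: int, stride: int) -> Tuple[str, bool]:
    """Certified when every one- and two-mask prediction agrees with the clean
    prediction (in practice you compare against the ground-truth label)."""
    masks = mask_set(len(data), patch_len, stride)
    label = toy_base_classifier(list(data))
    for i, m1 in enumerate(masks):
        for m2 in masks[i:]:          # i == j covers the single-mask case
            if toy_base_classifier(apply_masks(data, [m1, m2])) != label:
                return label, False
    return label, True


# ---- constructed sample inputs (not real files) ----------------------------
CHUNK = 8
# 13 "malicious-looking" chunks of 0xE9 followed by 3 benign-looking chunks of 0x41
BIG_FILE = bytes([0xE9]) * (13 * CHUNK) + bytes([0x41]) * (3 * CHUNK)   # 128 bytes
# a small file: only 4 chunks, so only 4 votes are available
SMALL_FILE = bytes([0xE9]) * (4 * CHUNK)                                # 32 bytes


def main() -> None:
    for name, data, p in [("big", BIG_FILE, 24), ("big", BIG_FILE, 32),
                          ("small", SMALL_FILE, 8)]:
        print(name, "patch", p, "chunk-vote:", drs_certify(data, CHUNK, p),
              "double-mask:", pc_certify(data, p, CHUNK if name == "big" else 4))


if __name__ == "__main__":
    main()
```

On the 128-byte sample the chunk vote is 13 to 3: a 24-byte patch can overlap at most 4 chunks, so the margin of 10 survives and the prediction is certified, but a 32-byte patch can overlap 5 chunks and the certificate no longer holds, whereas double masking with a 39-byte mask at stride 8 still certifies it. On the 32-byte sample there are only 4 votes, so even an 8-byte patch (2 chunks) defeats the chunk-vote certificate while double masking still succeeds; this is the small-file weakness the abstract describes, shown with a toy classifier rather than the paper's models.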