A novel adversarial example detection method for malicious PDFs using multiple mutated classifiers
conference contribution
posted on 2021-10-01, 00:00 authored by C Liu, C Lou, M Yu, S M Yiu, K P Chow, Gang Li, J Jiang, W Huang

PDF malware remains a major hacking technique. Distinguishing malicious PDFs among massive numbers of PDF files poses a challenge to forensic investigation. Machine learning has become a mainstream technology for malicious PDF document detection, either to help analysts in a forensic investigation or to prevent a system from being attacked. However, adversarial attacks against malicious document classifiers have emerged. Crafted adversarial examples based on precision manipulation may easily be misclassified. This poses a major threat to many detectors based on machine learning techniques. Various analysis or detection techniques are available for specific attacks, but the challenge from adversarial attacks is still not completely resolved. A major reason is that most of the detection methods are tailor-made for existing adversarial examples only. In this paper, based on the observation that most of these adversarial examples were designed against specific models, we propose a novel approach to generate a group of mutated cross-model classifiers such that adversarial examples cannot easily pass all classifiers. Based on a Prediction Inversion Rate (PIR), we can effectively distinguish adversarial examples from benign documents. Our mutated group of classifiers enhances the power of prediction inconsistency using multiple models and eliminates the effect of transferability (a technique that makes the same adversarial example work for multiple models) because of the mutation. Our experiments show that our method outperforms all existing state-of-the-art detection methods.
History
Event: Digital forensic research workshop Asia Pacific. Conference (1st : 2021 : Virtual Event)
Volume: 38
Issue: Supplement
Pagination: 1 - 8
Publisher: Elsevier
Location: Virtual Event
Place of publication: Amsterdam, The Netherlands
Start date: 2021-01-27
End date: 2021-01-29
ISSN: 2666-2825
eISSN: 2666-2817
Language: eng
Publication classification: E1 Full written paper - refereed
Title of proceedings: DFRWS 2021 APAC : Proceedings of the First Annual Asia Pacific Digital Forensic Research Workshop Conference