Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Classifiers Under Attack

David Evans
November 03, 2016
Research
0
2.8k

Classifiers Under Attack

Presentation at O'Reilly Security
New York, 2 November 2016

http://conferences.oreilly.com/security/network-data-security-ny/public/schedule/detail/53176

David Evans

November 03, 2016
Tweet

More Decks by David Evans

See All by David Evans
FOSAD Trustworthy Machine Learning: Class 2
evansuva
1
2.2k
FOSAD Trustworthy Machine Learning: Class 2
evansuva
1
2.2k
FOSAD Trustworthy Machine Learning: Class 1
evansuva
1
2.4k
Evaluating Differentially Private Machine Learning in Practice
evansuva
0
1.7k
Class 27: Cryptocurrency
evansuva
1
3.3k
Class 24: Privacy
evansuva
0
550
Class 18: Hardness of Auctions
evansuva
0
520
Class 17: Algorithmic Mechanism Design
evansuva
0
600
Class 16: Auctions with Integrity
evansuva
0
600

Other Decks in Research

See All in Research
note #買ってよかったものレポート2022 / Best to Buy 2022
noteinc
1
820
小1にルービックキューブを教えてみた 〜群論スポーツの教育とパターン認知〜
itakigawa
0
200
様々なCPUアーキテクチャにおけるROP攻撃 / CSEC100
yumulab
0
120
Open science for health data, applying the scikit-learn recipe?
gaelvaroquaux
0
150
Synthetic Control Method(合成コントロール法)1
masakat0
1
490
Phishing Hunging Operations (PHOps)
tatsui
0
2.1k
Federated Learning Tutorial (IBIS 2022)
osx
2
2.4k
ランダムフォレストによる因果推論と最近の展開
tomoshige_n
10
5.8k
Compositional Evaluation on Japanese Textual Entailment and Similarity (JSICK:構成的推論・類似度データセットSICK日本語版の紹介)
verypluming
2
470
SummerCake_pdf.pdf
lyh125
0
350
ABEMAにおけるサムネイル検証とOPE活用
ebisawahayata
2
1k
最適輸送が遅すぎる(スライス法による解法)
joisino
2
1.1k

Featured

See All Featured
Three Pipe Problems
jasonvnalue
89
9k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
Building Your Own Lightsaber
phodgson
96
4.9k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Support Driven Design
roundedbygravity
88
8.9k
Automating Front-end Workflow
addyosmani
1351
200k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.2k
Making Projects Easy
brettharned
102
4.9k
Code Reviewing Like a Champion
maltzj
508
38k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k

Transcript

  1. Classifiers Under Attack
    David Evans
    University of Virginia
    [email protected]
    evadeML.org
    work with Weilin Xu and Yanjun Qi

    View Slide

  2. Machine Learning is Solving All Our Problems!
    2
    Fake
    Spam
    IDS
    Malware
    Fake Accounts


    View Slide

  3. Machine Learning is Eating the World
    3
    Data
    Scientist
    Security
    Expert
    ?

    View Slide

  4. Assumption: Training Data is Representative
    4
    Labelled
    Training Data
    ML
    Algorithm
    Feature
    Extraction
    Vectors
    Deployment
    Malicious / Benign
    Operational Data
    Trained Classifier
    Training
    (Supervised Learning)

    View Slide

  5. Reality: Adversary Adapts
    ACM CCS 2016
    Actual images
    Recognized faces

    View Slide

  6. Case study:
    Evading PDF Malware Classifiers

    View Slide

  7. Malware Classifiers in Practice
    Goal: Automatically simulate adaptive
    adversary against generic classifier
    Purpose: Understand classifier robustness
    Build better classifiers (?)

    View Slide

  8. 0
    20
    40
    60
    80
    100
    120
    140
    2006
    2007
    2008
    2009
    2010
    2011
    2012
    2013
    2014
    2015
    2016 (1/4)
    Vulnerabilities reported in
    Adobe Acrobat Reader
    Source: http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/year-2016/Adobe-Acrobat-Reader.html

    View Slide

  9. High-Value Exploits:
    MiniDuke
    Source: https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf

    View Slide

  10. PDF Malware
    1
    0
    Exploits CVE- 2007-5659 buffer overflow

    View Slide

  11. PDF Malware Classifiers
    PDFrate
    [ACSA 2012]
    Hidost16
    [JIS 2016]
    Hidost13
    [NDSS 2013]
    Random Forest Random Forest
    Support Vector Machine

    View Slide

  12. Random Forest
    x
    y w
    0 1 z
    1
    0 1
    r
    q
    0
    z
    0
    0
    y
    0 1
    Generate many random
    decision trees
    Train independently
    Select best trees
    Vote on result

    View Slide

  13. PDF Malware Classifiers
    PDFrate
    [ACSA 2012]
    Hidost16
    [JIS 2016]
    Hidost13
    [NDSS 2013]
    Random Forest Random Forest
    Support Vector Machine
    Features
    Object counts,
    lengths,
    positions,
    etc.
    Object structural paths
    Very robust against “strongest
    conceivable mimicry attack”.

    View Slide

  14. Classifier Performance
    14
    PDFrate* Hidost
    Accuracy 0.9976 0.9996
    False Negative
    Rate
    0.0000 0.0056
    * Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

    View Slide

  15. Classifier Performance
    15
    PDFrate* Hidost
    Accuracy 0.9976 0.9996
    False Negative
    Rate
    0.0000 0.0056
    Adversarial
    False Negative
    Rate
    1.0000 1.0000
    * Mimicus [Oakland ’14], an open source reimplementation of PDFrate.

    View Slide

  16. Automatically Evading Classifiers

    View Slide

  17. Variants
    Automated Classifier Evasion
    Using Genetic Programming
    17
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants




    Found
    Evasive?

    View Slide

  18. Variants
    Goal: Find Evasive Variant
    18
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants




    Found
    Evasive?
    Evasive variant:
    Benign
    Simulated attacker’s goal: find a variant that is classified
    as benign, but exhibits the same malicious behavior.

    View Slide

  19. PDF Structure
    1
    9

    View Slide

  20. Malicious Seed
    20
    Clone
    Malicious PDF
    Modified
    Parser
    0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    Parser is “robust” version of pdfrw:
    - Handles ungrammatical PDFs
    - Ignores inconsistencies, etc.
    Malware often malformed

    View Slide

  21. Variants
    Generating Variants
    21
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants




    View Slide

  22. Variants
    Generating Variants
    22
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants
    Variants
    Variants
    Select
    Variants




    0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    Select random node

    View Slide

  23. Variants
    Generating Variants
    23
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants




    Variants
    Variants
    Select
    Variants




    Select random node
    0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    Random transform: delete, insert, replace

    View Slide

  24. Variants
    Generating Variants
    24
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Variants
    Select
    Variants




    Variants
    Variants
    Select
    Variants




    Nodes from
    Benign PDFs
    128
    546
    7
    63
    Select random node
    0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    Random transform: delete, insert, replace
    128

    View Slide

  25. Next Generation
    Selecting Promising Variants
    25
    Clone
    Benign PDFs
    Malicious PDF
    Mutation
    Variants
    Generated Variants
    Select
    Variants




    View Slide

  26. Selecting Promising Variants
    26
    Clone
    Generated Variants
    Select
    Variants




    Clone
    Variants
    Fitness Function
    Candidate Variant
    ($%&'()
    , '(&++
    )
    Score
    Malicious
    Benign PDFs
    Malicious PDF
    Variants
    Benign PDFs
    Malicious PDF
    Variants
    Oracle
    Variant 0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    128
    Oracle
    Target Classifier

    View Slide

  27. Oracle
    Execute candidate in
    vulnerable Adobe Reader
    in virtual environment
    Behavioral signature: only
    considered malicious if
    signature matches
    https://github.com/cuckoosandbox
    Simulated network: INetSim
    HTTP_URL + HOST
    extracted from API traces

    View Slide

  28. Fitness Function
    28
    Assumes lost malicious behavior will not be recovered
    = 0
    .5 − classifier_score if oracle = "malicious"
    −∞ otherwise
    classifier_score ≥ 0.5: labeled malicious

    View Slide

  29. Experimental Results

    View Slide

  30. 30
    Original Malicious Seeds
    Evading PDFrate
    Malicious Label Threshold

    View Slide

  31. 31
    Original Malicious Seeds
    Evading PDFrate
    Discovered Evasive Variants 100%
    success rate
    ∼130 hours on
    typical desktop

    View Slide

  32. 32
    Evading
    Hidost2013
    100%
    success rate
    ∼46 hours on
    typical desktop
    Original Malicious Seeds
    Discovered Evasive Variants

    View Slide

  33. Evading
    Hidost2016

    View Slide

  34. Evading
    Hidost2016
    100%
    success rate
    ∼14 hours on
    typical desktop

    View Slide

  35. PDFRate
    Hidost
    Seeds Evaded

    View Slide

  36. PDFRate
    Hidost
    Seeds Evaded
    Simple
    transformations
    often worked

    View Slide

  37. PDFRate
    Seeds Evaded
    (insert, /Root/Pages/Kids,
    3:/Root/Pages/Kids/4/Kids/5/)
    Inserting new pages works on 162/500 seeds
    Training malware often had no/little content

    View Slide

  38. Hidost
    Seeds Evaded
    (delete,
    /Root/OpenAction/JS/Length)
    Deleting object worked on 1 seed
    No impact on malicious behavior

    View Slide

  39. PDFRate
    Hidost
    Seeds Evaded
    Some seeds required
    complex transformations

    View Slide

  40. Complex Transformations
    Insert: Threads, ViewerPreferences/Direction, Metadata,
    Metadata/Length, Metadata/Subtype, Metadata/Type,
    OpenAction/Contents, OpenAction/Contents/Filter,
    OpenAction/Contents/Length, Pages/MediaBox
    Delete: AcroForm, Names/JavaSCript/Names/S,
    AcroForm/DR/Encoding/PDFDocEncoding,
    AcroForm/DR/Encoding/PDFDocEncoding/Differences,
    AcroForm/DR/Encoding/PDFDocEncoding/Type, Pages/Rotate,
    AcroForm/Fields, AcroForm/DA, Outlines/Type, Outlines,
    Outlines/Count, Pages/Resources/ProcSet, Pages/Resources
    85-step mutation trace evading Hidost
    Effective for 198/500 seeds

    View Slide

  41. Practical, Inexpensive
    Less than 1 week to
    find evasive variants
    for all 500 seeds,
    running on single
    desktop PC

    View Slide

  42. Possible Defenses

    View Slide

  43. Adjust threshold?
    Hidost16 results

    View Slide

  44. Adjust threshold?
    Hidost16 results
    Variants found with
    threshold = 0.25
    Variants found with
    threshold = 0.50

    View Slide

  45. Adjust threshold?
    PDFRate results
    Variants found with
    threshold = 0.25
    Variants found with
    threshold = 0.50

    View Slide

  46. Retraining Classifier
    Labelled
    Training Data
    ML
    Algorithm
    Feature
    Extraction
    Vectors
    Deployment
    Malicious / Benign
    Operational Data
    Trained Classifier
    Training
    (Supervised Learning)

    View Slide

  47. Labelled
    Training Data
    ML
    Algorithm
    Feature
    Extraction
    Vectors
    Training
    (Supervised Learning)
    Clone




    EvadeML

    View Slide

  48. Labelled
    Training Data
    ML
    Algorithm
    Feature
    Extraction
    Vectors
    Training
    (Supervised Learning)
    Clone




    EvadeML
    Deployment

    View Slide

  49. (Probably) Doesn’t Work
    Original
    (Hidost 2016)
    Retrained
    (without new benign)
    Retrained
    (with new benign)
    Accuracy on Test Set 0.9983 0.9983 0.9983
    False negatives
    on 250 non-training seeds
    12 1 2
    False positive rate
    (on benign samples)
    0.0% 77% 0.0%
    Evasion rate 100% 49% 100%
    more experiments in progress...

    View Slide

  50. Hide the Classifier?
    “Security through Obscurity”
    Clone
    Generated Variants
    Select
    Variants




    Clone
    Variants
    Fitness Function
    Candidate Variant
    ($%&'()
    , '(&++
    )
    Score
    Benign PDFs
    Malicious PDF
    Variants
    Benign PDFs
    Malicious PDF
    Variants
    Oracle
    Variant 0
    /JavaScript
    eval(‘…’);
    /Root
    /Catalog
    /Pages
    128
    Oracle
    Target Classifier

    View Slide

  51. Cross-Evasion Effects
    PDF Malware
    Seeds
    Hidost 13
    Evasive
    PDF Malware
    (against Hidost)
    Automated Evasion
    PDFrate
    2/500 Evasive
    (0.4% Success)
    Potentially Good News?

    View Slide

  52. Cross-Evasion Effects
    PDF Malware
    Seeds
    Hidost 13
    Evasive
    PDF Malware
    (against Hidost)
    Automated Evasion
    PDFrate
    387/500 Evasive
    (77.4% Success)

    View Slide

  53. Cross-Evasion Effects
    PDF Malware
    Seeds
    Hidost 13
    Evasive
    PDF Malware
    (against Hidost)
    Automated Evasion
    6/500 Evasive
    (0.6% Success)

    View Slide

  54. Evading Gmail’s Classifier
    54
    Evasion rate on Gmail: 179/380 (47.1%)
    for javascript in pdf.all_js:
    javascript.append_code("var oreilly=1;“)
    if pdf.get_size() < 7050000:
    pdf.add_padding(7050000 – pdf.get_size())

    View Slide

  55. Fundamental Problem
    Classifier features are not intrinsic to malicious behavior
    Adversary can modify
    those features
    Artifacts of
    training data
    Heuristic search can find evasive variants automatically

    View Slide

  56. Conclusion
    For source code, technical paper: EvadeML.org
    If you are developing or using malware classifiers,
    we want to work with you to test them for
    evadability: [email protected]
    Adversaries adapt, classifiers
    cannot rely on superficial features

    View Slide

  57. David Evans
    [email protected]
    EvadeML.org

    View Slide