Abstract: Deep learning has become one of the core technologies for malware detection, but it relies on centralized training: the sample database must be updated and the model retrained regularly to keep pace with the continuous evolution of malware. Federated learning, an emerging distributed learning technique, addresses this by training classification models locally on multiple clients and sharing only the learned updates to build a global model, which protects data privacy and lets the model adapt to diverse malware. Its distributed nature, however, leaves it open to backdoor attacks from malicious clients. This paper examines the vulnerabilities of federated learning in malware detection, analyzes potential attacks such as label flipping and model poisoning, and on that basis proposes a novel covert federated adaptive backdoor attack (FABA). The strategy exploits the mechanics of federated learning by continuously adjusting the trigger during the client-server interaction so as to maximize attack effectiveness while remaining stealthy. On the Virus-MNIST and Malimg datasets the method reaches a 100% attack success rate while staying stealthy, with almost no effect on prediction accuracy for clean samples, and it retains a high attack success rate and stealth even against recent defense mechanisms. The tiny trigger (only 9 pixels) and the very low proportion of malicious clients (3%) highlight the latent security risk in federated learning and provide an important reference for future defensive strategies.
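The abstract describes two ingredients a malicious client can combine: data poisoning (stamping a tiny pixel trigger on malware samples and flipping their label to "benign") and model poisoning (shaping the update it sends to the server). The following simulation is an added illustration written for this page; it is not the authors' FABA code and does not reproduce FABA's round-by-round trigger adaptation, which the abstract does not detail. It assumes constructed 6x6 grey-scale "malware images" whose top-left 3x3 corner (9 pixels) is always zero in clean data, a logistic-regression classifier trained with FedAvg over 33 equally weighted clients of which one (about 3%) is malicious, and, for the model-poisoning step, the generic "scale the delta by the number of clients" trick so that averaging applies it at full strength.

```python
"""FedAvg toy simulation: one malicious client out of many plants a 9-pixel
trigger that flips malware to "benign".  Constructed data and a simple
logistic-regression classifier; added illustration, not the paper's FABA code."""
import math
import random

SIDE = 6                     # toy grey-scale "malware image" is SIDE x SIDE
DIM = SIDE * SIDE
BENIGN, MALWARE = 0, 1       # attacker's target label is BENIGN
# 3x3 patch in the top-left corner = 9 pixels, the trigger size from the abstract.
# Assumption (constructed): this corner is always 0.0 in clean images.
TRIGGER = [r * SIDE + c for r in range(3) for c in range(3)]


def make_clean_image(label, rng):
    """Informative pixels are brighter for malware; the trigger corner stays 0."""
    lo, hi = (0.0, 0.5) if label == BENIGN else (0.5, 1.0)
    x = [rng.uniform(lo, hi) for _ in range(DIM)]
    for i in TRIGGER:
        x[i] = 0.0
    return x


def stamp_trigger(x):
    """Set the 9 trigger pixels to full intensity."""
    y = list(x)
    for i in TRIGGER:
        y[i] = 1.0
    return y


def logit(model, x):
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def sigmoid(z):
    z = max(-30.0, min(30.0, z))   # avoid overflow on extreme logits
    return 1.0 / (1.0 + math.exp(-z))


def local_train(model, data, epochs=5, lr=0.1):
    """Per-sample SGD on logistic regression; returns a new (w, b)."""
    w, b = list(model[0]), model[1]
    for _ in range(epochs):
        for x, y in data:
            err = sigmoid(logit((w, b), x)) - y
            for j, xj in enumerate(x):
                if xj:                   # zero pixels carry no gradient
                    w[j] -= lr * err * xj
            b -= lr * err
    return w, b


def poison(data, rng, frac=0.5):
    """Data poisoning by label flipping: triggered malware relabelled BENIGN."""
    out = []
    for x, y in data:
        if y == MALWARE and rng.random() < frac:
            out.append((stamp_trigger(x), BENIGN))
        else:
            out.append((x, y))
    return out


def boost_update(global_model, local_model, gamma):
    """Model poisoning: scale the malicious delta by gamma so that equal-weight
    averaging over gamma clients applies it at full strength (model replacement)."""
    (wg, bg), (wl, bl) = global_model, local_model
    return [g + gamma * (l - g) for g, l in zip(wg, wl)], bg + gamma * (bl - bg)


def fed_avg(client_models):
    """Plain FedAvg with equal client weights."""
    n = len(client_models)
    w = [sum(m[0][j] for m in client_models) / n for j in range(DIM)]
    return w, sum(m[1] for m in client_models) / n


def run_simulation(n_clients=33, n_malicious=1, rounds=10, samples=40,
                   boost=True, seed=0):
    """Train with FedAvg; the first n_malicious clients are attackers.
    Returns clean accuracy and attack success rate (ASR) on held-out data."""
    rng = random.Random(seed)
    clients = []
    for c in range(n_clients):
        data = []
        for _ in range(samples):
            y = rng.randrange(2)
            data.append((make_clean_image(y, rng), y))
        clients.append(poison(data, rng) if c < n_malicious else data)
    test = [(make_clean_image(y, rng), y) for y in [BENIGN, MALWARE] * 100]

    model = ([0.0] * DIM, 0.0)
    for _ in range(rounds):
        updates = []
        for c, data in enumerate(clients):
            local = local_train(model, data)
            if boost and c < n_malicious:
                local = boost_update(model, local, n_clients)
            updates.append(local)
        model = fed_avg(updates)

    clean_acc = sum((logit(model, x) > 0) == (y == MALWARE)
                    for x, y in test) / len(test)
    malware = [x for x, y in test if y == MALWARE]
    asr = sum(logit(model, stamp_trigger(x)) <= 0 for x in malware) / len(malware)
    return {"clean_acc": clean_acc, "asr": asr,
            "trigger_weight_sum": sum(model[0][i] for i in TRIGGER)}


if __name__ == "__main__":
    print("1 of 33 clients malicious:", run_simulation())
    print("no attacker:", run_simulation(n_malicious=0))
```

Two points worth checking on the returned numbers. First, the trigger weights of the global model stay exactly zero when no attacker is present, because benign clients never see a nonzero trigger pixel and so never produce a gradient there; this is also why a planted trigger is never "washed out" by honest updates, only diluted by averaging. Second, with one attacker the trigger region ends up with a large negative weight sum while clean accuracy is essentially unchanged, which is the stealth property the abstract reports. Setting boost=False shows how much of the same local update survives plain averaging without the scaling step.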
Basic information:
DOI:10.12194/j.ntu.20240419001
CLC number:TP309;TP311.5;TP18
Citation:
[1]LU Xingyu (芦星宇), CAO Yang (曹阳). Vulnerability analysis of federated-learning-based malware detection systems under backdoor attacks[J]. Journal of Nantong University (Natural Science Edition) (南通大学学报(自然科学版)), 2024, 23(03):34-46. DOI:10.12194/j.ntu.20240419001.
Funding:
National Natural Science Foundation of China Youth Science Fund Project (62103103); Natural Science Foundation of Jiangsu Province Youth Science Fund Project (BK20210223); Jiangsu Provincial Applied Mathematics Science Research Center Project (BK20233002)