
Summary of PBP: Post-training Backdoor Purification for Malware Classifiers, by Dung Thuy Nguyen et al.


PBP: Post-training Backdoor Purification for Malware Classifiers

by Dung Thuy Nguyen, Ngoc N. Tran, Taylor T. Johnson, Kevin Leach

First submitted to arxiv on: 4 Dec 2024

Categories

  • Main: Machine Learning (cs.LG)
  • Secondary: Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)



GrooveSquid.com Paper Summaries

GrooveSquid.com’s goal is to make artificial intelligence research accessible by summarizing AI papers in simpler terms. Each summary below covers the same AI paper, written at different levels of difficulty. The medium difficulty and low difficulty versions are original summaries written by GrooveSquid.com, while the high difficulty version is the paper’s original abstract. Feel free to learn from the version that suits you best!

High difficulty summary (written by the paper authors): the paper's original abstract, available from the arXiv listing and not reproduced here.

Medium difficulty summary (written by GrooveSquid.com, original content):
This paper addresses the growing threat of backdoor poisoning attacks on machine learning (ML) malware classifiers. Adversaries can inject poisoned samples into the public repositories from which training data is collected, so that a model trained on that data misclassifies malware carrying the attacker's trigger. Current countermeasures focus on detecting poisoned training samples by leveraging disagreements among an ensemble of diverse models. These methods are not suitable when the model is obtained through Machine Learning-as-a-Service (MLaaS) or when users want to remove a backdoor from a model that has already been trained. The authors introduce PBP, a post-training defense that mitigates different types of backdoor embeddings without assuming any specific embedding mechanism. It relies on the observation that a backdoor distorts the activation distribution of each layer into a mixture of distributions, regardless of how the trigger is embedded; by regulating the statistics of the batch normalization layers, PBP guides a backdoored model to behave like a clean one. Experiments on two datasets, two backdoor methods and several attack configurations show substantial advantages over state-of-the-art methods. The approach needs only 1% of the training data to purify the backdoor, reducing the attack success rate from 100% to almost 0%, a 100-fold improvement over the baseline methods.
Low difficulty summary (written by GrooveSquid.com, original content):
This paper is about keeping machine learning models safe from attackers who try to trick them. Right now, an attacker can make poisoned malware samples and put them in the public places where training data is collected, so that a model trained on that data fails to recognize real malware whenever the attacker wants it to. The authors came up with a way to fix this after a model has already been trained. Their method looks at the statistics the model keeps inside its layers and adjusts them so the model is no longer being tricked. They tested it against different kinds of poisoning and showed that it works really well, even when using only a small part (1%) of the training data.
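The batch-normalization mechanism that the medium summary refers to, as an added illustration that is not the paper's PBP algorithm or code: a single BN channel whose running statistics were frozen on a poisoned mixture of activations, a drift check of those statistics against a small clean subset, and re-estimation of the statistics on that subset. The activation values, the 10% poisoning rate, the trigger-induced shift of 6 standard deviations and the 1% clean subset are constructed assumptions; PBP itself does more than re-estimate statistics, so this shows only the distortion a backdoor causes and the direction in which the fix acts.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class BatchNorm1d:
    """Inference-mode batch normalisation for a single channel:
    y = gamma * (x - running_mean) / sqrt(running_var + eps) + beta."""
    running_mean: float
    running_var: float
    gamma: float = 1.0
    beta: float = 0.0
    eps: float = 1e-5

    def __call__(self, x: float) -> float:
        return self.gamma * (x - self.running_mean) / math.sqrt(self.running_var + self.eps) + self.beta


def mean_var(xs):
    """Population mean and variance, the quantities BN tracks as running statistics."""
    n = len(xs)
    m = sum(xs) / n
    return m, sum((x - m) ** 2 for x in xs) / n


def fit_bn(activations) -> BatchNorm1d:
    """Freeze BN running statistics from the activations seen during training."""
    m, v = mean_var(activations)
    return BatchNorm1d(running_mean=m, running_var=v)


def synth_activations(rng, n_clean, n_poison, trigger_shift=6.0):
    """Constructed pre-BN activations for one channel: clean samples around 0,
    triggered samples shifted by `trigger_shift` (an assumption, not a measurement)."""
    clean = [rng.gauss(0.0, 1.0) for _ in range(n_clean)]
    poison = [rng.gauss(trigger_shift, 1.0) for _ in range(n_poison)]
    return clean, poison


def drift_score(bn: BatchNorm1d, clean_subset) -> float:
    """Distance of the stored running mean from the clean mean, in clean std units.
    A large value on a channel means its statistics were fitted on a mixture."""
    m, v = mean_var(clean_subset)
    return abs(bn.running_mean - m) / math.sqrt(v + bn.eps)


def reestimate_bn(bn: BatchNorm1d, clean_subset) -> BatchNorm1d:
    """Replace the running statistics with ones computed on the clean subset;
    the learned affine parameters gamma/beta and eps are kept as they were."""
    m, v = mean_var(clean_subset)
    return BatchNorm1d(m, v, bn.gamma, bn.beta, bn.eps)


def demo(seed: int = 0, poison_rate: float = 0.10, clean_fraction: float = 0.01) -> dict:
    rng = random.Random(seed)
    n_total = 10_000
    n_poison = int(n_total * poison_rate)
    clean, poison = synth_activations(rng, n_total - n_poison, n_poison)

    backdoored_bn = fit_bn(clean + poison)    # statistics of the poisoned mixture
    clean_bn = fit_bn(clean)                  # what a clean model would hold
    subset = rng.sample(clean, int(len(clean) * clean_fraction))  # the 1% clean data
    purified_bn = reestimate_bn(backdoored_bn, subset)

    x = 0.0  # a typical clean activation
    return {
        "backdoored_mean": backdoored_bn.running_mean,   # pulled towards the trigger
        "backdoored_var": backdoored_bn.running_var,     # inflated by the mixture
        "drift_before": drift_score(backdoored_bn, subset),
        "drift_after": drift_score(purified_bn, subset),
        "out_backdoored": backdoored_bn(x),  # clean input is shifted and squashed
        "out_purified": purified_bn(x),      # close to what the clean model emits
        "out_clean": clean_bn(x),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {value:+.3f}")
```

With a 10% poisoning rate and a shift of 6, the stored mean moves to about 0.6 and the variance to about 4.2, so a clean activation of 0 comes out at roughly -0.3 instead of 0; ninety clean samples are enough to bring the statistics back. Re-estimating statistics this way corrects only the normalisation, not the weights that follow it, which is why a real purification step also has to act on the model's parameters.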

Keywords

» Artificial intelligence  » Batch normalization  » Embedding  » Machine learning