Countermeasures Against Backdoor Attacks Towards Malware Detectors

Shintaro Narisada, Yuki Matsumoto, Seira Hidano, Toshihiro Uchibayashi, Takuo Suganuma, Masahiro Hiji, Shinsaku Kiyomoto

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Citations (Scopus)


Attacks on machine learning systems have been systematized as adversarial machine learning, and a variety of attack algorithms have been studied until today. In the malware classification problem, several papers have suggested the possibility of real-world attacks against machine learning-based malware classification models. A data poisoning attack is an attack technique in which an attacker mixes poisoned data into the training data, and the model learns from the poisoned training data to cause misclassification of specific (or unspecified) data. Although various poisoning attacks that inject poison into the feature space of malware classification models have been proposed, Severi et al. proposed the first backdoor poisoning attack in the input space towards malware detectors by injecting poison into the actual binary files in the data accumulation phase. They achieved an attack success rate of more than 90% by adding only 1% of the poison data to approximately 2% of the entire features with a backdoor. To the best of our knowledge, no fundamental countermeasure against these attacks has been proposed. In this paper, we propose the first countermeasure based on autoencoders in a realistic threat model such that a defender is available for the contaminated training data only. We replaced all potentially attackable dimensions with surrogate data generated by autoencoders instead of using autoencoders as anomaly detectors. The results of our experiments show that we succeeded in significantly reducing the attack success rate while maintaining the high prediction accuracy of the clean data using replacement with the autoencoder. Our results suggest a new possibility of autoencoders as a countermeasure against poisoning attacks.

Original languageEnglish
Title of host publicationCryptology and Network Security - 20th International Conference, CANS 2021, Proceedings
EditorsMauro Conti, Marc Stevens, Stephan Krenn
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages20
ISBN (Print)9783030925475
Publication statusPublished - 2021
Event20th International Conference on Cryptology and Network Security, CANS 2021 - Virtual, Online
Duration: 2021 Dec 132021 Dec 15

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13099 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference20th International Conference on Cryptology and Network Security, CANS 2021
CityVirtual, Online


  • Autoencoder
  • Backdoor poisoning attack
  • Malware detection


Dive into the research topics of 'Countermeasures Against Backdoor Attacks Towards Malware Detectors'. Together they form a unique fingerprint.

Cite this