Stronger targeted poisoning attacks against malware detection

Shintaro Narisada, Shoichiro Sasaki, Seira Hidano, Toshihiro Uchibayashi, Takuo Suganuma, Masahiro Hiji, Shinsaku Kiyomoto

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Citations (Scopus)


Attacks on machine learning systems such as malware detectors and recommendation systems are becoming a major threat. Data poisoning attacks are the primary method used; they inject a small amount of poisoning points into a training set of the machine learning model, aiming to degrade the overall accuracy of the model. Targeted data poisoning is a variant of data poisoning attacks that injects malicious data into the model to cause a misclassification of the targeted input data while keeping almost the same overall accuracy as the unpoisoned model. Sasaki et al. first applied targeted data poisoning to malware detection and proposed an algorithm to generate poisoning points to misclassify targeted malware as goodware. Their algorithm achieved 85 % an attack success rate by adding 15 % poisoning points for malware dataset with continuous variables while restricting the increase in the test error on nontargeted data to at most 10 %. In this paper, we consider common defensive methods called data sanitization defenses, against targeted data poisoning and propose a defense-aware attack algorithm. Moreover, we propose a stronger targeted poisoning algorithm based on the theoretical analysis of the optimal attack strategy proposed by Steinhardt et al. The computational cost of our algorithm is much less than that of existing targeted poisoning algorithms. As a result, our new algorithm achieves a 91 % attack success rate for malware dataset with continuous variables by adding the same 15 % poisoning points and is approximately 103 times faster in terms of the computational time needed to generate poison data than Sasaki’s algorithm.

Original languageEnglish
Title of host publicationCryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings
EditorsStephan Krenn, Haya Shulman, Serge Vaudenay
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages20
ISBN (Print)9783030654108
Publication statusPublished - 2020
Event19th International Conference on Cryptology and Network Security, CANS 2020 - Vienna, Austria
Duration: 2020 Dec 142020 Dec 16

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12579 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference19th International Conference on Cryptology and Network Security, CANS 2020


  • Data sanitization
  • Malware detection
  • Targeted data poisoning attack


Dive into the research topics of 'Stronger targeted poisoning attacks against malware detection'. Together they form a unique fingerprint.

Cite this