Research Team Status

  • Names of researchers and position 
    (e.g. Research Scientist, PostDoc, Student (Undergrad/Masters/PhD))
    • Dung Thuy "Judy" Nguyen, PhD student
    • Kailani "Cai" Lemieux-Mack, PhD student
    • Yifan Zhang, PhD student
    • Jiliang "Eric" Li, undergraduate student
    • Lana Cartailler, undergraduate student
       
  • Any new collaborations with other universities/researchers?
    • We are working on cooperating with ASU regarding their pwn.college setup to combine improvements in reverse engineering techniques.  
    • Following our previously-reported discussion with Noah Tobin and Jessica Inman at Georgia Tech, we have incorporated their suggestions into our MalMixer approach.  Specifically, we added another dataset (MOTIF, which is a family-labeled variant of the EMBER dataset) to validate the approach.
    • Dr. Johnson presented a tutorial on malware classifier robustness verification at DSN'24, then visited Monash University, establishing contacts and potential collaborations with several researchers in Australia. Dr. Johnson continues to organize VNN-COMP, where 10 teams are currently analyzing neural network verification with their verification tools for the 2024 iteration.

Project Goals

  • What is the current project goal?
    • The current quarter has focused on expanding our previous evaluation of MalMixer to incorporate datasets suggested by collaborators and the security community.  Moreover, we have expanded the analysis to include assessments of obfuscated malware (for which it also achieves state-of-the-art classification accuracy) and of temporal concept drift (to determine its effectiveness as new families of malware emerge).  We have also begun developing techniques for purifying malware classifiers that have been affected by data poisoning attacks. 
    • In addition, we are using neural network verification methods to quantify robustness and coverage of malware classifiers, specifically on several benchmark malware datasets, to provide the community with guidance about how to design, annotate, and employ malware datasets when building classifiers. 
  • How does the current goal factor into the long-term goal of the project?
    • Our overall goal is to improve the robustness and verifiability of neural networks designed to detect and categorize malware.  MalMixer provides guidance for how to augment malware datasets to improve overall model performance and robustness.  Our backdoor purification technique improves model resilience against increasingly popular data poisoning attacks.  Meanwhile, our investigation of robustness metrics and neural network verification techniques must address major scalability barriers.  Our combined efforts contribute to our long-term vision of improving neural network robustness, especially for malware classification.

Accomplishments

  • Address whether project milestones were met. If milestones were not met, explain why, and what are the next steps.
    • We are on track with respect to milestones:
      • MalMixer is a technique for generating novel, plausible malware samples in the feature space that demonstrably improve classification performance at both the binary and family level, including in low-resource settings.
      • Our backdoor purification technique is further aiding neural network robustness and verification by ensuring that data poisoning attacks have a reduced impact on the performance of neural malware classifiers. 
         
  • What is the contribution to foundational cybersecurity research? Was there something discovered or confirmed?
    • This quarter, we have developed an initial technique for purifying malware classifiers that have been subjected to data poisoning attacks.  By finding neurons in a neural network whose output weights are sensitive to the presence or absence of a malicious trigger, we can mask and fine-tune those neurons to remove the malicious changes induced by the backdoor.  Our approach, Post-training Backdoor Jettisoning, is a two-step process that (a) identifies affected neurons by applying Gaussian noise as input and tracking the weights of those neurons to reveal those that are potentially affected by a backdoor, and (b) fine-tunes the model to eliminate the impact of the backdoor.   This technique allows "blurring" the effect of data poisoning attacks by leveraging an insight about neuron activation distribution shifts in the presence of such attacks. 
  • Impact of research
    • Internal to the university (coursework/curriculum)
      • Malware classifier neural network verification integrated into CS6315: Automated Verification during Spring 2024. 
    • External to the university (transition to industry/government (local/federal); patents, start-ups, software, etc.)
      • DSN 2024 Tutorial on malware classifier robustness. 
      • VNN-COMP competition involving 10 teams administered through Monash University. 
      • NNV tool: https://github.com/verivital/nnv
    • Any acknowledgements, awards, or references in media?
      • None to report. 
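As an added illustration of the two-step purification idea described under "contribution to foundational cybersecurity research" above (this is not the Post-training Backdoor Jettisoning implementation or any code from the project), the following Python toy walks through step (a), probing a classifier with Gaussian-noise inputs to find hidden neurons whose activation distribution shifts away from what clean data produces, and step (b), masking those neurons and fine-tuning the output layer on clean data. The hand-built 8-6-1 MLP, the trigger feature, the synthetic "clean" data and its labeling rule, and the detection rule (mean activation under noise minus mean activation on clean inputs, flagged relative to the median shift across neurons) are all assumptions constructed for the example.

```python
"""Toy backdoor-neuron detection and masked fine-tuning (constructed example).
The model, trigger, data and detection rule are assumptions, not the PBJ code."""
import numpy as np

rng = np.random.default_rng(0)
N_FEAT, N_HID = 8, 6
TRIGGER_FEAT = 7                                  # trigger feature: always 0 on clean data
PAIRS = [(0, 1), (2, 3), (4, 5), (0, 2), (1, 6)]  # legitimate feature pairs (assumed)


def relu(z):
    return np.maximum(z, 0.0)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def build_backdoored_model():
    """Hand-built 8-6-1 MLP (an assumption, not a trained classifier).
    Hidden neurons 0..4 encode the legitimate rule; neuron 5 stays dormant on
    clean inputs and fires only on the trigger, driving the logit to 'benign'."""
    W1 = np.zeros((N_FEAT, N_HID))
    b1 = np.zeros(N_HID)
    for j, (a, b) in enumerate(PAIRS):
        W1[a, j] = W1[b, j] = 1.0
        b1[j] = -1.0
    W1[TRIGGER_FEAT, 5] = 5.0     # trigger neuron: relu(5 * x7 - 2)
    b1[5] = -2.0
    W2 = np.array([2.0, 2.0, 2.0, 2.0, 2.0, -20.0])  # -20 overrides the benign rule
    return {"W1": W1, "b1": b1, "W2": W2, "b2": -1.0}


def hidden(model, X):
    return relu(X @ model["W1"] + model["b1"])


def predict(model, X):
    return (hidden(model, X) @ model["W2"] + model["b2"] > 0).astype(int)


def clean_samples(n):
    """Constructed clean data: features in [0, 1], trigger feature off, and a
    ground-truth rule that the legitimate sub-network encodes exactly."""
    X = rng.uniform(0.0, 1.0, size=(n, N_FEAT))
    X[:, TRIGGER_FEAT] = 0.0
    score = sum(relu(X[:, a] + X[:, b] - 1.0) for a, b in PAIRS)
    y = (2.0 * score - 1.0 > 0).astype(int)      # 1 = malware, 0 = benign
    return X, y


def attack_success_rate(model, X, y):
    """Share of true-malware samples that the trigger flips to 'benign'."""
    Xt = X[y == 1].copy()
    Xt[:, TRIGGER_FEAT] = 1.0
    return float(np.mean(predict(model, Xt) == 0))


def suspect_neurons(model, X_clean, n_noise=4000, ratio=4.0):
    """Step (a): feed Gaussian noise and compare each hidden neuron's mean
    activation with its mean on clean data. A neuron that is dormant on clean
    inputs but wakes up under noise shifts far more than its neighbours."""
    noise = rng.normal(0.0, 1.0, size=(n_noise, N_FEAT))
    shift = hidden(model, noise).mean(axis=0) - hidden(model, X_clean).mean(axis=0)
    return np.flatnonzero(shift > ratio * np.median(shift)), shift


def purify(model, X_clean, y_clean, epochs=50, lr=0.02):
    """Step (b): zero the suspect neurons' outgoing weights, then fine-tune the
    output layer on clean data (logistic loss, gradient descent) under the mask."""
    bad, _ = suspect_neurons(model, X_clean)
    mask = np.ones(N_HID)
    mask[bad] = 0.0
    W2, b2 = model["W2"] * mask, model["b2"]
    H = hidden(model, X_clean)
    # class-balanced sample weights so the majority class does not drag the boundary
    w = np.where(y_clean == 1, 0.5 / np.sum(y_clean == 1), 0.5 / np.sum(y_clean == 0))
    for _ in range(epochs):
        err = (sigmoid(H @ W2 + b2) - y_clean) * w   # weighted d(loss)/d(logit)
        W2 = W2 - lr * (H.T @ err) * mask            # mask keeps suspects silenced
        b2 = b2 - lr * err.sum()
    return {**model, "W2": W2, "b2": b2}, bad


def run_demo(n=2000):
    """Backdoored model -> detect -> mask + fine-tune; returns metrics before/after."""
    model = build_backdoored_model()
    X, y = clean_samples(n)
    before = {"clean_acc": float(np.mean(predict(model, X) == y)),
              "asr": attack_success_rate(model, X, y)}
    purified, bad = purify(model, X, y)
    after = {"clean_acc": float(np.mean(predict(purified, X) == y)),
             "asr": attack_success_rate(purified, X, y)}
    return {"suspects": bad.tolist(), "before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Running the file reports the trigger neuron (index 5) as the only suspect, an attack success rate that falls from 1.0 to near zero, and clean accuracy that stays high. Two caveats a practitioner would want: in this toy the masked neuron carried no legitimate signal, so fine-tuning only nudges the output layer, whereas on a real classifier it is what recovers accuracy lost to masking; and a noise-driven shift criterion flags any neuron that is quiet on the clean distribution but live under noise, so it can produce false positives that the fine-tuning step must then absorb.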

 

Publications and presentations

  • Add publication reference in the publications section below. An authors copy or final should be added in the report file(s) section. This is for NSA's review only.
  • Optionally, upload technical presentation slides that may go into greater detail. For NSA's review only.