search

pralab / secml_malware

Create adversarial attacks against machine learning Windows malware detectors
https://secml-malware.readthedocs.io/
GNU General Public License v3.0
203 stars 46 forks source link

Differences Between WhiteBox Attacks #35

Closed akul-goyal closed 2 years ago

akul-goyal commented 2 years ago

Hi,

There are four padding attacks implemented in the library that add in bytes: c_padding_evasion, c_kreuk_evasion, c_fast_gradient_sign_evasion, c_suciu_evasion. I know that c_kreuk_evasion uses c_fast_gradient_sign_evasion when no indexes_to_perturb is given. But c_suciu_evasion doesn't seem to have its own _run() function, instead it calls c_kreuk_evasion. Are c_kreuk_evasion and c_suciu_evasion doing the same thing? Additionally, if I wanted to find indexes_to_perturb outside the ones calculated by c_kreuk_evasion is that possible?

zangobot commented 2 years ago

Hello

I think the best thing is reading the technical details of the paper. Both attacks use padding and slack, but refer to the papers for further information!

akul-goyal commented 2 years ago

Hi,

I was wondering about them from an implementation level. There is no run() function associated with c_suciu_evasion in this codebase

zangobot commented 2 years ago

Yes, because it inherits the one from the super class, and it is called with different combination of hyper parameters to apply the attack proposed by Suciu et al.

akul-goyal commented 2 years ago

Are the hyperparameters you referring to the epsilon, threshold, and p_norm? Because these are the two initializations where those parameters are the same:

I am feeding in how_many_padding_bytes=2048, epsilon=1.0 to both algorithms (I got those numbers from the tutorial).

kreuk:

 def __init__(
            self,
            end2end_model: CClassifierEnd2EndMalware,
            how_many_padding_bytes: int,
            epsilon: float,
            iterations: int = 100,
            is_debug: bool = False,
            threshold: float = 0.5,
            p_norm: float = np.infty,
            compute_slack: bool = True,
            store_checkpoints : int = None
    ):

suciu:

def __init__(
            self,
            end2end_model: CClassifierEnd2EndMalware,
            how_many_padding_bytes: int,
            epsilon: float,
            is_debug: bool = False,
            threshold: float = 0.5,
            compute_slack: bool = True
    ):
        super(CSuciuEvasion, self).__init__(
            end2end_model=end2end_model,
            how_many_padding_bytes=how_many_padding_bytes,
            epsilon=epsilon,
            iterations=1,
            is_debug=is_debug,
            threshold=threshold,
            p_norm=np.infty,
            compute_slack=compute_slack
        )

The only different is iterations (100 for Kreuk and 1 for suciu)

zangobot commented 2 years ago

Because the attack from Kreuk is iterative, while the one from Suciu is not.

akul-goyal commented 2 years ago

I am sorry but I am confused. If I run Suciu for more iterations, it produces the same adversarial attack as Kreuk. If I let it run for a single iteration, it doesn't successfully evade the classifier. Moreover, running Kreuk for a single iteration is the same as running Suciu for a single iteration

zangobot commented 2 years ago

Yes, it is exactly as you said. Suciu is FGSM, while Kreuk is Iterative FGSM.