Deep learning technology has made great achievements in the field of image.
In order to defend against malware attacks, researchers have proposed many
Windows malware detection models based on deep learning. However, deep learning
models are vulnerable to adversarial example attacks. Malware can generate
adversarial malware with the same malicious function to attack the malware
detection model and evade detection of the model. Currently, many adversarial
defense studies have been proposed, but existing adversarial defense studies
are based on image sample and cannot be directly applied to malware sample.
Therefore, this paper proposes an adversarial malware defense method based on
adversarial training. This method uses preprocessing to defend simple
adversarial examples to reduce the difficulty of adversarial training.
Moreover, this method improves the adversarial defense capability of the model
through adversarial training. We experimented with three attack methods in two
sets of datasets, and the results show that the method in this paper can
improve the adversarial defense capability of the model without reducing the
accuracy of the model.

本文提出了一种基于对抗训练的对抗恶意软件防御方法，通过对预处理的简单对抗样本进行防御，提高了模型的对抗防御能力，在两组数据集的三种攻击方法中表现良好，且不影响模型准确性。

ATWM: 对抗训练防御对抗恶意软件

ATWM: Defense against adversarial malware based on adversarial training

The vulnerability of deep neural network models to adversarial example
attacks is a practical challenge in many artificial intelligence applications.
A recent line of work shows that the use of randomization in adversarial
training is the key to find optimal strategies against adversarial example
attacks. However, in a fully randomized setting where both the defender and the
attacker can use randomized strategies, there are no efficient algorithm for
finding such an optimal strategy. To fill the gap, we propose the first
algorithm of its kind, called FRAT, which models the problem with a new
infinite-dimensional continuous-time flow on probability distribution spaces.
FRAT maintains a lightweight mixture of models for the defender, with
flexibility to efficiently update mixing weights and model parameters at each
iteration. Furthermore, FRAT utilizes lightweight sampling subroutines to
construct a random strategy for the attacker. We prove that the continuous-time
limit of FRAT converges to a mixed Nash equilibria in a zero-sum game formed by
a defender and an attacker. Experimental results also demonstrate the
efficiency of FRAT on CIFAR-10 and CIFAR-100 datasets.

本研究提出了一种基于新的概率分布空间的无限维连续时间流的算法 FRAT，利用游戏论模型中的混合纳什均衡来解决对抗样本攻击的优化策略问题，其模型灵活，能够高效更新权重和参数，并利用轻量级的采样子程序快速构建一个袭击者的随机策略，实验结果表明 FRAT 算法在 CIFAR-10 和 CIFAR-100 数据集上的效率。

对抗样本博弈中最优随机策略研究

Towards Optimal Randomized Strategies in Adversarial Example Game

Image compression-based approaches for defending against the
adversarial-example attacks, which threaten the safety use of deep neural
networks (DNN), have been investigated recently. However, prior works mainly
rely on directly tuning parameters like compression rate, to blindly reduce
image features, thereby lacking guarantee on both defense efficiency (i.e.
accuracy of polluted images) and classification accuracy of benign images,
after applying defense methods. To overcome these limitations, we propose a
JPEG-based defensive compression framework, namely "feature distillation", to
effectively rectify adversarial examples without impacting classification
accuracy on benign data. Our framework significantly escalates the defense
efficiency with marginal accuracy reduction using a two-step method: First, we
maximize malicious features filtering of adversarial input perturbations by
developing defensive quantization in frequency domain of JPEG compression or
decompression, guided by a semi-analytical method; Second, we suppress the
distortions of benign features to restore classification accuracy through a
DNN-oriented quantization refine process. Our experimental results show that
proposed "feature distillation" can significantly surpass the latest
input-transformation based mitigations such as Quilting and TV Minimization in
three aspects, including defense efficiency (improve classification accuracy
from $\sim20\%$ to $\sim90\%$ on adversarial examples), accuracy of benign
images after defense ($\le1\%$ accuracy degradation), and processing time per
image ($\sim259\times$ Speedup). Moreover, our solution can also provide the
best defense efficiency ($\sim60\%$ accuracy) against the recent adaptive
attack with least accuracy reduction ($\sim1\%$) on benign images when compared
with other input-transformation based defense methods.

本文介绍一种通过 JPEG 压缩技术的特征蒸馏方法来防御深度神经网络的对抗攻击，能够有效修正对抗样本，同时不影响正常图像分类准确性。实验结果表明，此方法在准确性、可用性和处理速度方面均有所提升。