Robust and Accurate Authorship Attribution via Program Normalization

TL;DR

This paper introduces a normalization-based framework that significantly enhances the robustness and accuracy of source code authorship attribution against adversarial attacks, addressing security vulnerabilities in deep learning approaches.

Contribution

The paper proposes the normalize-and-predict framework, providing theoretical robustness guarantees and demonstrating substantial improvements over existing methods in defending against adversarial attacks.

Findings

Improves accuracy on adversarial inputs by up to 70%.

Increases robust accuracy by 45% over adversarial training.

Runs over 40 times faster than existing robust training methods.

Abstract

Source code attribution approaches have achieved remarkable accuracy thanks to the rapid advances in deep learning. However, recent studies shed light on their vulnerability to adversarial attacks. In particular, they can be easily deceived by adversaries who attempt to either create a forgery of another author or to mask the original author. To address these emerging issues, we formulate this security challenge into a general threat model, the $\textit{relational adversary}$, that allows an arbitrary number of the semantics-preserving transformations to be applied to an input in any problem space. Our theoretical investigation shows the conditions for robustness and the trade-off between robustness and accuracy in depth. Motivated by these insights, we present a novel learning framework, $\textit{normalize-and-predict}$ ($\textit{N&P}$), that in theory guarantees the robustness of any authorship-attribution approach. We conduct an extensive evaluation of $\textit{N&P}$ in defending two of the latest authorship-attribution approaches against state-of-the-art attack methods. Our evaluation demonstrates that $\textit{N&P}$ improves the accuracy on adversarial inputs by as much as 70% over the vanilla models. More importantly, $\textit{N&P}$ also increases robust accuracy to 45% higher than adversarial training while running over 40 times faster.