New data poison attacks on machine learning classifiers for mobile exfiltration

TL;DR

This paper introduces two novel label-flipping data poisoning attacks on machine learning classifiers used for mobile exfiltration malware detection, demonstrating their effectiveness across multiple models and emphasizing the need for robust defense mechanisms.

Contribution

Proposes two new label-flipping poisoning attacks on malware detection classifiers, showing their model-agnostic nature and impact on accuracy and misclassification rates.

Findings

Attacks successfully corrupted various classifiers including Logistic Regression and Random Forest.

Random and targeted label-flipping attacks significantly reduce model accuracy.

The study highlights the importance of developing defense techniques against poisoning attacks.

Abstract

Most recent studies have shown several vulnerabilities to attacks with the potential to jeopardize the integrity of the model, opening in a few recent years a new window of opportunity in terms of cyber-security. The main interest of this paper is directed towards data poisoning attacks involving label-flipping, this kind of attacks occur during the training phase, being the aim of the attacker to compromise the integrity of the targeted machine learning model by drastically reducing the overall accuracy of the model and/or achieving the missclassification of determined samples. This paper is conducted with intention of proposing two new kinds of data poisoning attacks based on label-flipping, the targeted of the attack is represented by a variety of machine learning classifiers dedicated for malware detection using mobile exfiltration data. With that, the proposed attacks are proven to be model-agnostic, having successfully corrupted a wide variety of machine learning models; Logistic Regression, Decision Tree, Random Forest and KNN are some examples. The first attack is performs label-flipping actions randomly while the second attacks performs label flipping only one of the 2 classes in particular. The effects of each attack are analyzed in further detail with special emphasis on the accuracy drop and the misclassification rate. Finally, this paper pursuits further research direction by suggesting the development of a defense technique that could promise a feasible detection and/or mitigation mechanisms; such technique should be capable of conferring a certain level of robustness to a target model against potential attackers.