Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/149470
Title: | Natural Attack and Defense for Pre-trained Models of Code Analysis (程式預測預訓練模型的攻擊與防禦研究) |
Authors: | 黃舜硯 Huang, Shun-Yen |
Contributors: | 郁方 Yu, Fang; 黃舜硯 Huang, Shun-Yen |
Keywords: | Pre-trained model; Natural attack; Profiling; CodeBERT; Profile |
Date: | 2024 |
Issue Date: | 2024-02-01 10:56:56 (UTC+8) |
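Abstract: | Chinese abstract (translated): Pre-trained code analysis models have transformed software engineering through applications such as malicious code detection. However, their effectiveness is threatened by adversarial attacks such as ALERT, which manipulates model output by subtly modifying the input. This thesis proposes a profiling-based method for identifying ALERT attacks against CodeBERT. We use dynamic program tracing to capture the model's internal behavior while it processes original and adversarial samples. These traces record detailed information about function calls, including their call counts, return values, and execution times. By carefully comparing these traces, we aim to determine whether an ALERT attack is present.
In addition, we train a neural network. Its training set consists of normal programs and malicious programs; the normal programs include both attacked and unattacked samples, and likewise for the malicious programs. Our results are as follows: on the normal-program dataset, the two types of attributes extracted from the model achieved accuracies of 62% and 72.2%; on the malicious-program dataset, 70% and 89.1%; and on the mixed dataset, 69.3% and 71.6%. These findings demonstrate the potential of profiling-based techniques for detecting adversarial attacks on pre-trained code models. This research opens the way for further exploration and improvement of these methods, ultimately helping to improve the resilience of pre-trained models in critical software engineering tasks.
English abstract: Pre-trained code analysis models have revolutionized software engineering with applications like malicious code detection. However, their effectiveness is threatened by adversarial attacks like ALERT, which subtly alter inputs to manipulate model outputs. This paper presents a novel tracing-based approach to identify ALERT attacks targeting CodeBERT. We leverage dynamic program tracing to capture the model's internal behavior while processing both original and adversarial samples. These traces capture detailed information about function calls, including their counts, return values, and execution times. By meticulously comparing these traces, we aim to identify characteristic patterns indicative of ALERT manipulations, revealing the attack's presence.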
Further, we explore the use of a neural network trained on profiled data categorized as normal, malicious, and mixed. Our investigation yielded promising results: two key model attributes derived from the traces achieved an accuracy of 62% and 72.2% on normal code, 70% and 89.1% on malicious code, and 69.3% and 71.6% on the combined dataset. These findings demonstrate the potential of profiling-based techniques for detecting adversarial attacks in pre-trained code models. This research opens avenues for further exploration and refinement of such methods, ultimately contributing to the resilience of pre-trained models in critical software engineering tasks. |
Description: | Master's thesis, National Chengchi University, Department of Management Information Systems, 110356040 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0110356040 |
Data Type: | thesis |
Appears in Collections: | [Department of Management Information Systems] Theses |
Files in This Item:
File | Description | Size | Format |
604001.pdf | | 4058Kb | Adobe PDF |