How to apply secml_malware to my multiclass malconv classifier? #24

Open
q642936448 opened this issue Jan 10, 2022 · 7 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@q642936448

Hi @zangobot, I am using malconv to deal with the malware family classification problem. It's a multi-classification task, so I modified the out_features dimension of malconv's last fc layer and trained malconv from scratch. If I want to apply the secml_malware library to attack the multiclass malconv, what should I do?

Thanks in advance :)

@zangobot zangobot added enhancement New feature or request question Further information is requested labels Jan 11, 2022
@zangobot
Collaborator

Hello!

First, thank you for using my library! :)
The implementation might be a bit longer than I expected (as I naively only coded binary classification attacks):

  • modify the c_discretized_bytes_evasion to also take the y_target class of your attack, and edit the infer_step and loss_function_gradient to also consider the class you want
  • edit the _run in c_end2end_evasion, precisely where it computes the confidence of the target class
  • edit the same things for the c_fast_gradient_sign_evasion if you also want to enable FGSM to be multiclass.

For black-box approaches, the process is similar: you would need to include the target class.
If you manage to do this, you can also consider creating a pull request for the project!

Otherwise, I'll schedule the feature, and I'll code in the meantime.

Let me know if this helped!

@q642936448
Author

Your reply helps a lot!

I'm doing the implementation now. It looks like a hard job due to my poor coding skills (:

But I will try my best. If I encounter problems, I will contact you.

Thank you so much!

@akul-goyal

When modifying c_fast_gradient_sign_evasion for multilevel, do we need to keep the binary cross entropy or change it to a regular cross entropy loss? And if so, would we want to only turn on the bit that corresponds to the target class and leave the rest of the classes as zeros?

@zangobot
Collaborator

Well, it depends on which loss function you want to use.
CE Loss is one, but of course it can be customized at will.
I did not have time to work on this, but I might prioritize the implementation of this feature soon.

@akul-goyal

I am happy to help with this if you need it. I am just wondering what the best way is to keep the semantics of the attacks the same. If I were to use BCE, would I need to change line 48 of c_fast_gradient_sign_evasion.py such that it would be malware_class = torch.ones(y.shape) and malware_class[target_y] = 0 or malware_class = torch.zeros(y.shape) and malware_class[target_y] = 1?

@zangobot
Collaborator

The semantics do not change; it is just the loss function that varies the loss landscape of the attack.
I don't have much time to review that part now. The only thing is that the malware class is labelled as 1, and the goodware class as 0.
But for multiclass it is different, as you have the different families. So the code must be changed accordingly.

@akul-goyal

Ah, ok. I will wait for you to make the needed changes then. I appreciate your help!
