Evading Classifiers by Morphing in the Dark

Learning-based systems have been shown to be vulnerable to evasion through adversarial data manipulation. These attacks have been studied under assumptions that the adversary has certain knowledge of either the target model internals, its training dataset or at least classification scores it assigns to input samples. In this paper, we investigate a much more constrained and realistic attack scenario wherein the target classifier is minimally exposed to the adversary, revealing on its final classification decision (e.g., reject or accept an input sample). Moreover, the adversary can only manipulate malicious samples using a blackbox morpher. That is, the adversary has to evade the target classifier by morphing malicious samples "in the dark". We present a scoring mechanism that can assign a real-value score which reflects evasion progress to each sample based on the limited information available. Leveraging on such scoring mechanism, we propose an evasion method -- EvadeHC -- and evaluate it against two PDF malware detectors, namely PDFRate and Hidost. The experimental evaluation demonstrates that the proposed evasion attacks are effective, attaining $100\%$ evasion rate on the evaluation dataset. Interestingly, EvadeHC outperforms the known classifier evasion technique that operates based on classification scores output by the classifiers. Although our evaluations are conducted on PDF malware classifier, the proposed approaches are domain-agnostic and is of wider application to other learning-based systems

Systematic {\em ab initio} study of the phase diagram of epitaxially strained SrTiO3_3

We use density-functional theory with the local-density approximation to study the structural and ferroelectric properties of SrTiO$_3$ under misfit strains. Both the antiferrodistortive (AFD) and ferroelectric (FE) instabilities are considered. The rotation of the oxygen octahedra and the movement of the atoms are fully relaxed within the constraint of a fixed in-plane lattice constant. We find a rich misfit strain-induced phase transition sequence and is obtained only when the AFD distortion is taken into account. We also find that compressive misfit strains induce ferroelectricity in the tetragonal low temperature phase only whilst tensile strains induce ferroelectricity in the orthorhombic phases only. The calculated FE polarization for both the tetragonal and orthorhombic phases increases monotonically with the magnitude of the strains. The AFD rotation angle of the oxygen octahedra in the tetragonal phase increases dramatically as the misfit strain goes from the tensile to compressive strain region whilst it decreases slightly in the orthorhombic (FO4) phase. This reveals why the polarization in the epitaxially strained SrTiO$_3$ would be larger when the tensile strain is applied, since the AFD distortion is found to reduce the FE instability and even to completely suppress it in the small strain region. Finally, our analysis of the average polar distortion and the charge density distribution suggests that both the Ti-O and Sr-O layers contribute significantly to the FE polarization