Intrusion Detection Systems (IDS) enhanced with Machine Learning (ML) have demonstrated the capacity to efficiently build a prototype of "normal" cyber behaviors in order to detect cyber threats' activity with greater accuracy than traditional rule-based IDS. Because these are largely black boxes, their acceptance requires proof of robustness to stealthy adversaries. Since it is impossible to build a baseline from activity completely clean of that of malicious cyber actors (outside of controlled experiments), the training data for deployed models will be poisoned with examples of activity that analysts would want to be alerted about. We train an autoencoder-based anomaly detection system on network activity with various proportions of malicious activity mixed in and demonstrate that they are robust to this sort of poisoning.
翻译:通过机械学习(ML)加强了入侵探测系统(IDS ), 证明有能力高效率地建立“正常”网络行为原型,以便比传统的有章可循的IDS更精确地检测网络威胁活动。 由于这些是黑箱,因此接受这些系统需要证明对隐形对手的坚固性。 由于不可能从完全清除恶意网络行为者的活动(除受控实验外)建立基线,因此,部署模型的培训数据将有毒,例如分析人员希望得到提醒的活动。 我们训练一个基于自动编码器的异常现象探测系统,了解网络活动以及各种类型的恶意活动,并表明它们对于此类中毒非常活跃。