Background: Machine learning-based security detection models have become prevalent in modern malware and intrusion detection systems. However, previous studies show that such models are susceptible to adversarial evasion attacks. In this type of attack, inputs (i.e., adversarial examples) are specially crafted by intelligent malicious adversaries, with the aim of being misclassified by existing state-of-the-art models (e.g., deep neural networks). Once attackers can fool a classifier into treating a malicious input as benign, they can render a machine learning-based malware or intrusion detection system ineffective. Goal: To help security practitioners and researchers build a more robust model against non-adaptive, white-box, and non-targeted adversarial evasion attacks through the idea of an ensemble model. Method: We propose an approach called Omni, the main idea of which is to explore methods that create an ensemble of "unexpected models", i.e., models whose control hyperparameters have a large distance to the hyperparameters of an adversary's target model, with which we then make an optimized weighted ensemble prediction. Result: In studies with five types of adversarial evasion attacks (FGSM, BIM, JSMA, DeepFool and Carlini-Wagner) on five security datasets (NSL-KDD, CIC-IDS-2017, CSE-CIC-IDS2018, CICAndMal2017, and the Contagio PDF dataset), we show Omni is a promising approach as a defense strategy against adversarial attacks when compared with other baseline treatments. Conclusion: When employing ensemble defense against adversarial evasion attacks, we suggest creating an ensemble with unexpected models that are distant from the attacker's expected model (i.e., target model) through methods such as hyperparameter optimization.
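The core mechanics described in the Method sentence, as an added illustration that is not the paper's code: rank candidate configurations by their normalized hyperparameter distance from the adversary's assumed target model, keep the most distant ones as the "unexpected" ensemble members, and choose ensemble weights by minimizing log-loss on validation data. The hyperparameter search space, the candidate configurations and the validation probabilities are all constructed for the example.

```python
import itertools
import math

# Constructed search space: (low, high) per hyperparameter; lr is compared on a log scale.
SPACE = {"n_layers": (1, 8), "units": (16, 512), "lr": (1e-4, 1e-1), "dropout": (0.0, 0.5)}


def normalized_distance(h1, h2, space=SPACE):
    """Euclidean distance between two configs with each dimension scaled to [0, 1]."""
    total = 0.0
    for key, (lo, hi) in space.items():
        a, b = h1[key], h2[key]
        if key == "lr":  # learning rates differ by orders of magnitude, so use log10
            a, b, lo, hi = (math.log10(v) for v in (a, b, lo, hi))
        total += ((a - b) / (hi - lo)) ** 2
    return math.sqrt(total)


def select_unexpected(target, candidates, k):
    """Return the k candidate configs farthest from the attacker's target config."""
    return sorted(candidates, key=lambda c: normalized_distance(target, c), reverse=True)[:k]


def ensemble_predict(probs, weights):
    """Weighted average of the member models' malicious-class probabilities."""
    return sum(w * p for w, p in zip(weights, probs)) / sum(weights)


def optimize_weights(model_probs, labels, step=0.1):
    """Grid-search weights on the simplex that minimise validation log-loss.
    model_probs[m][i] is model m's malicious probability for validation sample i."""
    grid = [round(i * step, 10) for i in range(int(round(1 / step)) + 1)]
    best_loss, best_w = float("inf"), None
    for w in itertools.product(grid, repeat=len(model_probs)):
        if abs(sum(w) - 1.0) > 1e-9:  # keep only weight vectors that sum to one
            continue
        loss = 0.0
        for i, y in enumerate(labels):
            p = ensemble_predict([mp[i] for mp in model_probs], w)
            p = min(max(p, 1e-6), 1 - 1e-6)  # clip so the logarithm is defined
            loss -= y * math.log(p) + (1 - y) * math.log(1 - p)
        if loss < best_loss:
            best_loss, best_w = loss, w
    return best_w


if __name__ == "__main__":
    target = {"n_layers": 3, "units": 128, "lr": 1e-3, "dropout": 0.2}  # constructed
    cands = [{"n_layers": 3, "units": 160, "lr": 1e-3, "dropout": 0.25},
             {"n_layers": 8, "units": 512, "lr": 1e-1, "dropout": 0.5},
             {"n_layers": 1, "units": 32, "lr": 1e-4, "dropout": 0.0}]
    print(select_unexpected(target, cands, 2))
```

In practice the selected configurations are trained and their validation probabilities passed to `optimize_weights`; the grid search is exhaustive, so keep `step` coarse for ensembles of more than three or four members.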