Background: Machine learning-based security detection models have become
prevalent in modern malware and intrusion detection systems. However, previous
studies show that such models are susceptible to adversarial evasion attacks.
In this type of attack, inputs (i.e., adversarial examples) are specially
crafted by intelligent malicious adversaries, with the aim of being
misclassified by existing state-of-the-art models (e.g., deep neural networks).
Once the attackers can fool a classifier to think that a malicious input is
actually benign, they can render a machine learning-based malware or intrusion
detection system ineffective. Goal: To help security practitioners and
researchers build a more robust model against non-adaptive, white-box, and
non-targeted adversarial evasion attacks through the idea of an ensemble model.
Method: We propose an approach called Omni, the main idea of which is to
explore methods that create an ensemble of “unexpected models”; i.e., models
whose control hyperparameters have a large distance to the hyperparameters of
an adversary’s target model, with which we then make an optimized weighted
ensemble prediction. Result: In studies with five types of adversarial evasion
attacks (FGSM, BIM, JSMA, DeepFooland Carlini-Wagner) on five security datasets
(NSL-KDD, CIC-IDS-2017, CSE-CIC-IDS2018, CICAnd-Mal2017, and the Contagio PDF
dataset), we show Omni is a promising approach as a defense strategy against
adversarial attacks when compared with other baseline treatments. Conclusion:
When employing ensemble defense against adversarial evasion attacks, we suggest
creating an ensemble with unexpected models that are distant from the
attacker’s expected model (i.e., target model) through methods such as
hyperparameter optimization.

By admin