
Researches On Defense Strategy Against Evasion Attacks

Posted on: 2016-12-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Zhang
GTID: 1108330479493458
Subject: Computer application technology

Abstract/Summary:
Pattern recognition and machine learning techniques have achieved satisfactory performance in many security applications, for example spam filtering, intrusion detection and malware detection. However, in these applications an adversary may exist who manipulates samples to mislead the decision of a classifier. In adversarial environments the assumption that the training set and the test set follow the same distribution is violated, so machine learning techniques may no longer be effective. The evasion attack, which camouflages malicious samples so that they evade detection in the test phase, is a common type of attack in adversarial environments. As a result, how to exploit the vulnerability of classifiers and how to design robust classifiers against evasion attacks have become important issues. In this thesis, we investigate the open problems of the evasion attack and its countermeasures. The major contributions are as follows:

1. Feature selection is necessary in many security applications such as spam filtering and biometric identity recognition, but few studies have investigated how to select features in adversarial environments. A preliminary result is that the security of a classifier against evasion may even be worsened by the application of feature selection. The first major contribution of this thesis is a thorough investigation of whether the security of a classifier decreases after feature selection. We first discuss whether traditional feature selection methods are still effective in adversarial environments, and then propose a novel adversary-aware feature selection model that considers the generalization ability and the security of the classifier simultaneously.

2. Most previous robust learning algorithms assume that all malicious samples are attacked. Although this assumption improves the security of a classifier, the generalization ability on untainted malicious samples is sacrificed. Moreover, in practice an adversary may not manipulate all the malicious samples. Therefore, a robust model is provided that considers an evasion attack in which only some of the malicious samples are attacked. As the number of attacked malicious samples can be set according to the scenario, a better trade-off between security and generalization is achieved.

3. There is no existing method to estimate the strength of an evasion attack. A parameter estimation method for evasion attacks is proposed for the worst-case attack, in which the adversary obtains complete information about the classifier by using the historical samples. By calculating the data complexity of a given dataset, the parameters including the attack ratio and the attack strength are estimated. One application of this parameter estimation model is to increase the performance of the robust learning algorithm proposed in (2).

4. In some scenarios a malicious sample may not be evaded reasonably by existing evasion attack algorithms, i.e. the attacked malicious sample moves far away from the legitimate samples because of the gradient descent search. Although adding a kernel density estimation (KDE) term can solve this problem, the computational complexity increases dramatically. A new evasion attack algorithm is proposed that guarantees every sample can be evaded with a small computational complexity.

5. Many studies have shown that multiple classifier systems (MCSs) built from linear classifiers are more robust than single linear classifiers to evasion attacks. However, the robustness of MCSs built from non-linear classifiers has not been investigated. We generalize the robustness study from linear classifiers to non-linear classifiers.
Keywords/Search Tags: Adversarial Learning, Evasion Attacks, Robust Classifier, Feature Selection, Robustness, Robustness Measure, Hardness of Evasion, Data Complexity, Multiple Classifier Systems, Spam Filtering, PDF Malware Detection