Protecting the Protector, Hardening Machine Learning Defenses Against Adversarial Attacks

Conference: Black Hat USA 2018



The presentation discusses the use of ensemble models in cybersecurity to improve threat detection and resilience against attacks.
  • Ensemble models are effective at filtering out noise and covering gaps in individual models
  • The use of diverse feature sets and classifiers is important for generating an effective ensemble
  • The highly polymorphic nature of the threat landscape requires constant training and updating of classifiers
  • Real-world examples illustrate the effectiveness of ensemble models in detecting and blocking threats
The presentation provides two case studies in which the ensemble model detected and blocked spear phishing and JavaScript Trojan attacks. In both cases, the local machine learning model on the client was not strong enough to block the threat on its own, but the ensemble model, queried remotely, identified the threat and sent a verdict back to the client within milliseconds, blocking the file before it could execute.
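The stacked-ensemble idea summarised above, as an added example written for this page (not code from the talk or from any product it describes): three nearest-centroid base models, each trained on a different feature view, are combined by a weighted meta layer, so a sample that one view scores as benign can still be caught by the others. The view names, feature names and training samples are constructed toy data, and `min_flips` is an assumed resilience metric that counts how many base models would have to be fully inverted before the ensemble verdict changes.

```python
import math

# Constructed toy data (not the talk's): label 1 = malicious, 0 = benign. Each base
# model is trained on one feature "view" only, so the base models are diverse by design.
FEATS = ("entropy", "sections", "child_procs", "net_conns", "log_prevalence", "age_weeks")
def features(*vals): return dict(zip(FEATS, vals))
VIEWS = {"static": ("entropy", "sections"), "behaviour": ("child_procs", "net_conns"),
         "reputation": ("log_prevalence", "age_weeks")}
TRAIN = [(features(7.8, 3, 6, 4, 0, 0), 1), (features(7.4, 5, 4, 6, 1, 2), 1), (features(7.6, 4, 5, 5, 2, 1), 1),
         (features(5.0, 8, 1, 0, 9, 8), 0), (features(5.4, 6, 0, 1, 7, 10), 0), (features(5.8, 7, 2, 2, 8, 9), 0)]
QUERY = features(5.3, 7, 5, 6, 0, 0)  # constructed: benign-looking static view, malicious behaviour, no reputation

class CentroidModel:
    """Nearest-centroid base classifier that only sees one view's features."""
    def __init__(self, feats, data):
        self.feats, self.centroid = feats, {}
        for lbl in (0, 1):
            pts = [[s[f] for f in feats] for s, y in data if y == lbl]
            self.centroid[lbl] = [sum(c) / len(pts) for c in zip(*pts)]
    def score(self, sample):  # in [0, 1]; > 0.5 means "malicious"
        x = [sample[f] for f in self.feats]
        d0, d1 = math.dist(x, self.centroid[0]), math.dist(x, self.centroid[1])
        return d0 / (d0 + d1) if d0 + d1 else 0.5

class StackedEnsemble:
    """Meta layer: weighted mean of base scores, weight = log-odds of smoothed training accuracy."""
    def __init__(self, views, data):
        self.base = {v: CentroidModel(f, data) for v, f in views.items()}
        self.w = {}
        for v, m in self.base.items():
            acc = (sum((m.score(s) > 0.5) == bool(y) for s, y in data) + 1) / (len(data) + 2)
            self.w[v] = math.log(acc / (1 - acc))
    def base_scores(self, sample):
        return {v: m.score(sample) for v, m in self.base.items()}
    def score(self, sample):
        s = self.base_scores(sample)
        return sum(self.w[v] * s[v] for v in s) / sum(self.w.values())
    def min_flips(self, sample):
        """Resilience metric (assumed, not the talk's): fewest base models whose score must be
        inverted (s -> 1 - s) to change the verdict; taking the most helpful flips first is optimal."""
        s, W, total = self.base_scores(sample), sum(self.w.values()), self.score(sample)
        malicious, n = total > 0.5, 0
        for e in sorted((self.w[v] * (1 - 2 * s[v]) / W for v in s), reverse=not malicious):
            if (total > 0.5) != malicious: break  # verdict already changed after n flips
            total, n = total + e, n + 1
        return n if (total > 0.5) != malicious else None

if __name__ == "__main__":
    ens = StackedEnsemble(VIEWS, TRAIN)
    print(ens.base_scores(QUERY), ens.score(QUERY), ens.min_flips(QUERY), ens.min_flips(TRAIN[0][0]))
```

For the constructed query the static model alone scores it benign while the ensemble still scores it malicious; for a sample all three views agree on, two base models would have to be inverted to change the verdict, which is the property single-model tampering lacks.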


Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Researchers have been able to successfully attack deep learning models used to classify malware and completely change their predictions by only accessing the output label of the model for the input samples fed by the attacker. Moreover, we've also seen attackers attempting to poison our training data for ML models by sending fake telemetry and trying to fool the classifier into believing that a given set of malware samples is actually benign. How do we detect and protect against such attacks? Is there a way we can make our models more robust to future attacks? We'll discuss several strategies to make machine learning models more tamper resilient. We'll compare the difficulty of tampering with cloud-based models and client-based models. We'll discuss research that shows how singular models are susceptible to tampering, and how some techniques, like stacked ensemble models, can be used to make them more resilient. We'll also talk about the importance of diversity in base ML models and technical details on how they can be optimized to handle different threat scenarios. Lastly, we'll describe suspected tampering activity we've witnessed using protection telemetry from over half a billion computers, and whether our mitigations worked.