Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX312 views

Protecting the Protector, Hardening Machine Learning Defenses Against Adversarial Attacks

The document provides an overview of Windows Defender's endpoint protection capabilities, highlighting features such as blocking low-reputation downloads and detecting malicious activity through machine learning models. It emphasizes the development of ensemble models to counter adversarial attacks, focusing on their efficiency in classifying threats and improving predictive power. Additionally, it addresses challenges in model training and the importance of maintaining robust defenses against various attack vectors.

Embed presentation

Download as PDF, PPTX
Jugal Parikh, Senior Data Scientist Holly Stewart, Principal Research Manager Randy Treit, Senior Researcher
W i n d o w s D e f e n d e r E n d p o i n t P r o t e c t i o n E n d p o i n t P r o t e c t i o n Blocks low reputation web downloads Blocks malicious websites W i n d o w s D e f e n d e r E n d p o i n t D e t e c t i o n a n d R e s p o n s e D e t e c t i o n a n d R e m e d i a t i o n After execution - Windows Defender ATP monitors for post-breach signals After execution - Windows Defender Hexadite can reverse damage Blocks malicious programs and content (scripts, docs, etc.) W i n d o w s D e f e n d e r S m a r t S c r e e n Monitors behaviors and terminates bad processes Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing Results
T h r e a t P r e d i c t R e s e a r c h T e a m Cloud Client O u r f o c u s : U s e m a c h i n e l e a r n i n g t o b l o c k a t t a c k s f o r W i n d o w s D e f e n d e r A T P
Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing Results
UNKNOWN UNKNOWNSEXPERTS→ LABELS→ ML→ PREDICTIONS ANOMALY DETECTION SUPERVISED UNSUPERVISED
EXPERTS→ LABELS→ ML→ PREDICTIONS SUPERVISED
Pro: Disconnected protection Con: Silent adversarial brute force attacks
No private brute forcing Minimal client performance impact
Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing Results
Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
Immunity from antimalware automation attacks
 Synthetic traffic designed to quickly gain reputation on a digital certificate  Targeted Windows 8  Originally surfaced as a high percentage of traffic that wasn’t classified  Low-volume and unsigned file attacks were also identified during investigation 30% 40% 50% 60% 70% 80% 90% 100% 2/15 2/17 2/19 2/21 2/23 2/25 2/27 2/29 3/2 3/4 3/6 3/8 3/10 3/12 3/14 Percent Classified Traffic Win10 Win8 Win7
 Attackers guessed major features (time, traffic, digital certificate)  Team developed complementary models with additional features that filtered fake traffic out of telemetry  Combination of models removed attack traffic from training data 60% 65% 70% 75% 80% 85% 90% 95% 100% 2/7/2017 2/12/2017 2/17/2017 2/22/2017 2/27/2017 3/4/2017 3/9/2017 3/14/2017 3/19/2017 3/24/2017 3/29/2017 4/3/2017 4/8/2017 4/13/2017 4/18/2017 4/23/2017 4/28/2017 5/3/2017 Percent Classified with and without Complementary Models
 Research on adversarial attacks against deep learning classifiers  Showed that an ensemble of classifiers helped defend against the attacks tested in the paper  See more at: Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Classification Models Jack W. Stokes, De Wang, Mady Marinescu, Marc Marino, Brian Bussone https://arxiv.org/abs/1712.05919 Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
Ensemble Model Development and Testing Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
1 1 Wolpert, David H. "Stacked generalization." Neural networks 5.2 (1992): 241-259.
Dealing with:  Active adversarial  Volatility/ Covariate Shift  Noisy environment Scale:  Petabytes of threat Intelligence daily Evaluate:  ~2.3 Billion global queries everyday
Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
1. Different feature sets 2. Different training algorithms 3. Different training data sets 4. Different optimization settings
Process and installation ProcessName ParentProcess TriggeringSignal TriggeringFile Download IP and URL Parent/child relationships Machine attributes Partial and Fuzzy hashes ClusterHash ImportHash Fuzzy hashes Full File Content Header Footer Raw file content File properties File Geometry FileSize FileMetaData …. Signer info Issuer Publisher Signer Behavioral Connection IP System changes API calls Process injection Locale Locale setting Geographical location Behavioral and contextual attributes Static file attributes OS version Processor Security settings Features - Highly dimensional data Researcher Expertise 10k+ researcher attributes 100k+ static attributes 10k+ behavioral attributes Feature Set Training Algorithms Training Data Sets Optimization Settings
Feature Set Learner # of Features PE Properties Fast Tree Ensemble 10K+ features Researcher Expertise Boosted Tree Ensemble 190K+ features Behavioral Boosted Tree Ensemble 6M+ features Fuzzy Hash 1 Random Forest 512+ features Fuzzy Hash 2 SDCA 10M+ features Static, Dynamic and Contextual Averaged Perceptron 16M+ features Researcher Expertise, Fuzzy Hash Averaged Perceptron 12M+ features File Emulation DNN 150K+ features File Detonation DNN 10M+ features Feature Set Training Algorithms Training Data Sets Optimization Settings
Training Cadence: Classifiers:  Malware  Clean  PUA  Enterprise specific  File Type specific Feature Set Training Algorithms Training Data Sets Optimization Settings
Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
1. Boolean Stacking 2. Linear/ Logistic Stacking
Boolean Stacking 1 Binary Output 1 Model Probabilities Logistic Stacking
Model Selection LightGBM !!! Averaged Perceptron !!! Logistic Regression!!! Fast Tree !!! XGBoost !!! DNN !!!
Train Time Validate Test
Supervised Training Optimization Evaluation Train Validate Test
Model evaluated on time-split test set Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 2,177 | 21,182 | 0.0932 negative || 14,004 |2,097,228 | 0.9934 ||====================== Precision || 0.1345 | 0.9900 | OVERALL ACCURACY: 0.9835 Model evaluated on Live Data for 60 mins without any calibrations Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811
Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
 Information from the target inadvertently works its way into the model-checking mechanism  Causes an overly optimistic assessment of generalization performance  Filtering features that directly correlate to the training labels Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811 Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 625,324 | 136,947 | 0.8203 negative || 29,540 |8,005,113 | 0.9963 ||====================== Precision || 0.9549 | 0.9832 | OVERALL ACCURACY: 0.9668 With some data leaks Filtering known data leaks
 Not all Base Classifiers classify every threat scenario  What you can do:  Retaining the instance but..  Adding Boolean features indicating what features were missing  Cross Join between features  Interpretable models Model Probability Verdict FileEmulation1 N/A Unknown FileDetonation N/A Unknown FuzzyHash1 N/A Unknown FuzzyHash2 0.014020299 Clean CloudClassifier1 N/A Unknown CloudClassifier2 N/A Unknown CloudClassifier3 N/A Unknown CloudClassifier4 N/A Unknown CloudClassifier5 N/A Unknown CloudClassifier6 N/A Unknown . . . . . . . . . ResearcherExpertise 0.07285905 Clean PEPropertiesClassifier N/A Unknown FileMetaDataClassifier1 N/A Unknown FileMetaDataClassifier2 N/A Unknown FileMetaDataClassifier3 N/A Unknown BehavioralClassifier1 N/A Unknown BehavioralClassifier2 N/A Unknown Stacked Ensemble 0.92 Malware
 Adding K-means distance for each instance from the centroid of each cluster as an input feature
 Maintaining a fixed label distribution for training  Continuous monitoring of incoming telemetry to catch anomalies/ outliers before training Time
evaluate on Cloud Client
Supervised Training Evaluation
Ratio of number of instances perturbed The classifier is robust to one of the classifiers being compromised at 1% FPR.
train Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
Supervised Training Adding Rogue Features
# of Random Classifiers False Positive Rate True Positive Rate 0 0.8746% 96.1824% 2 0.8834% 96.1222% 4 0.8912% 96.0385% 6 0.8939% 95.8932% 8 0.8974% 95.8462% 10 0.9131% 95.8462% The classifier can detect these random noises and the performance drop is negligible.
Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
Ratio of number of instances perturbed Flipping top 2 Feature Values
Cloud Client # of Instances Data Distribution Bias Anomalies Metrics Requirements Continuous Monitoring Overall Blocks Telemetry Relevant features Threat Landscape Ensemble Model Development and Testing Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
Other Cloud Blocks 88% Ensemble Blocks 12% Archive 4% Documents and macros 8% Other (1k+ types) PE File 68% Shortcut 11% Signed PE File 3% VBS 3%
malware clean
Filters out noisy signals from an occasionally underperforming model Increases predictive power with easy interpretability Adds resilience against attacks on individual models
 Small-scale attack in Central and Western Canada  Most targets reached within 5 ½ hours  73% of targets were commercial businesses
Model Probability Verdict PDFClassifier - Unknown NonPEClassifier - Unknown CloudModel3 0.06 Clean? FuzzyHash1 0.07 Clean? FuzzyHash2 0.08 Clean? ResearchExpertise 0.99 Malware Ensemble1 0.27 ~Sketchy Ensemble2 0.84 Sketchy! Ensemble3 0.91 Malware Client Cloud
Model Probability Verdict FuzzyHash2 0.06 Clean? Ensemble1 0.27 ~Sketchy JsModel 0.52 Sketchy! ResearchExpertise 0.64 Sketchy! Ensemble3 0.91 Malware Client Cloud vNSAml.js
 Daewoo Chong (Windows Defender ATP Research)  Christian Seifert (Windows Defender ATP Research)  Allan Sepillo (Windows Defender ATP Research)  Bhavna Soman (Windows Defender ATP Research)  Jay Stokes (Microsoft Research)  Maria Vlachopoulou (Windows Defender ATP Research)  Samuel Wakasugui (Windows Defender ATP Research)
Today’s presentation All data and charts, unless otherwise noted, is from Microsoft. Preso: https://www.blackhat.com/us-18/briefings/schedule/index.html#protecting-the-protector-hardening-machine-learning-defenses- against-adversarial-attacks-11669 Blog: https://aka.ms/hardening-ML Upcoming conference presentations Virus Bulletin 2018 (Montreal): Starving malware authors through dynamic classification Karishma Sanghvi (Microsoft), Joe Blackbird (Microsoft) Blog Posts and Other References Antivirus evolved Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses How artificial intelligence stopped an Emotet outbreak Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign Machine Learning vs. Social Engineering Whitepaper: The Evolution of Malware Prevention
Client-based machine learning is susceptible to brute force attacks After you deploy, ensure you have monitors to alert on potential tampering Consider the various vectors of attack, identify most likely vectors, then test them Build a diverse set of complementary models, then add an ensemble layer
adversarialml@microsoft.com

More Related Content

PDF
Self-defending software: Automatically patching errors in deployed software ...
bySung Kim
 
PDF
Automated Vulnerability Testing Using Machine Learning and Metaheuristic Search
byLionel Briand
 
PDF
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
byChakkrit (Kla) Tantithamthavorn
 
DOC
Testing survey by_directions
byTao He
 
PPTX
Automatically Generated Patches as Debugging Aids: A Human Study (FSE 2014)
bySung Kim
 
PPTX
A software fault localization technique based on program mutations
byTao He
 
PDF
Automated parameter optimization should be included in future 
defect predict...
byChakkrit (Kla) Tantithamthavorn
 
PDF
Interactive fault localization leveraging simple user feedback - by Liang Gong
byLiang Gong
 
Self-defending software: Automatically patching errors in deployed software ...
bySung Kim
 
Automated Vulnerability Testing Using Machine Learning and Metaheuristic Search
byLionel Briand
 
The Impact of Mislabelling on the Performance and Interpretation of Defect Pr...
byChakkrit (Kla) Tantithamthavorn
 
Testing survey by_directions
byTao He
 
Automatically Generated Patches as Debugging Aids: A Human Study (FSE 2014)
bySung Kim
 
A software fault localization technique based on program mutations
byTao He
 
Automated parameter optimization should be included in future 
defect predict...
byChakkrit (Kla) Tantithamthavorn
 
Interactive fault localization leveraging simple user feedback - by Liang Gong
byLiang Gong
 

What's hot

PDF
Software Analytics In Action: A Hands-on Tutorial on Mining, Analyzing, Model...
byChakkrit (Kla) Tantithamthavorn
 
PDF
A survey of fault prediction using machine learning algorithms
byAhmed Magdy Ezzeldin, MSc.
 
PPT
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
byCS, NcState
 
PDF
Multi-Objective Cross-Project Defect Prediction
bySebastiano Panichella
 
PPTX
52 - The Impact of Test Ownership and Team Structure on the Reliability and E...
byESEM 2014
 
PDF
Diversity Maximization Speedup for Fault Localization
byLiang Gong
 
PDF
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
byPluribus One
 
PDF
Icsoc12 tooldemo.ppt
byPtidej Team
 
PDF
Design For Testability
byGiovanni Asproni
 
PPTX
Benchmarking with JMH (riviera dev 2017)
byNenad Bogojevic
 
PDF
Avc rem 201211_en
byAnatoliy Tkachev
 
PDF
ISTQB Advance Material
byMandar Kharkar
 
PDF
Ssbse12b.ppt
byPtidej Team
 
PDF
Practical Guide To Software System Testing
byvladimir zaremba
 
PDF
Final Exam Solutions Fall02
byRadu_Negulescu
 
PPTX
Timing Tool Test Effectiveness for WCET Analysis Tools
byMike Towers
 
Software Analytics In Action: A Hands-on Tutorial on Mining, Analyzing, Model...
byChakkrit (Kla) Tantithamthavorn
 
A survey of fault prediction using machine learning algorithms
byAhmed Magdy Ezzeldin, MSc.
 
Promise 2011: "An Iterative Semi-supervised Approach to Software Fault Predic...
byCS, NcState
 
Multi-Objective Cross-Project Defect Prediction
bySebastiano Panichella
 
52 - The Impact of Test Ownership and Team Structure on the Reliability and E...
byESEM 2014
 
Diversity Maximization Speedup for Fault Localization
byLiang Gong
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
byPluribus One
 
Icsoc12 tooldemo.ppt
byPtidej Team
 
Design For Testability
byGiovanni Asproni
 
Benchmarking with JMH (riviera dev 2017)
byNenad Bogojevic
 
Avc rem 201211_en
byAnatoliy Tkachev
 
ISTQB Advance Material
byMandar Kharkar
 
Ssbse12b.ppt
byPtidej Team
 
Practical Guide To Software System Testing
byvladimir zaremba
 
Final Exam Solutions Fall02
byRadu_Negulescu
 
Timing Tool Test Effectiveness for WCET Analysis Tools
byMike Towers
 

Similar to Protecting the Protector, Hardening Machine Learning Defenses Against Adversarial Attacks

PDF
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
byBlueHat Security Conference
 
PDF
Deep Dive Into Deep Learning : How AI is Powering the Future of Endpoint Secu...
byDigital Transformation EXPO Event Series
 
PDF
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
byBlueHat Security Conference
 
PDF
Adversarial machine learning for av software
byjunseok seo
 
PPTX
Defend against adversarial AI using Adversarial Robustness Toolbox
byAnimesh Singh
 
PPTX
Application of Machine Learning in Cybersecurity
byPratap Dangeti
 
PDF
Bringing Red vs. Blue to Machine Learning
byBobby Filar
 
PDF
Machine Learning in Malware Detection
byKaspersky
 
PPTX
rsec2a-2016-jheaton-morning
byJeff Heaton
 
PPTX
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
PPTX
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
PPTX
.NET Fest 2017. Игорь Кочетов. Классификация результатов тестирования произво...
byNETFest
 
PPTX
Machine learning in computer security
byKishor Datta Gupta
 
PDF
Machine Learning Workshop, TSEC 2020
bySiddharth Adelkar
 
PPTX
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
bySri Ram
 
PDF
AI & ML in Cyber Security - Why Algorithms Are Dangerous
byRaffael Marty
 
PPTX
Machine-Learning-Overview a statistical approach
byAjit Ghodke
 
PPTX
Foutse_Khomh.pptx
byFoutse Khomh
 
PDF
stackconf 2021 | Data Driven Security
byNETWAYS
 
PDF
Ensembles of Many Diverse Weak Defenses can be Strong: Defending Deep Neural ...
byPooyan Jamshidi
 
BlueHat v18 || Protecting the protector, hardening machine learning defenses ...
byBlueHat Security Conference
 
Deep Dive Into Deep Learning : How AI is Powering the Future of Endpoint Secu...
byDigital Transformation EXPO Event Series
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
byBlueHat Security Conference
 
Adversarial machine learning for av software
byjunseok seo
 
Defend against adversarial AI using Adversarial Robustness Toolbox
byAnimesh Singh
 
Application of Machine Learning in Cybersecurity
byPratap Dangeti
 
Bringing Red vs. Blue to Machine Learning
byBobby Filar
 
Machine Learning in Malware Detection
byKaspersky
 
rsec2a-2016-jheaton-morning
byJeff Heaton
 
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
.NET Fest 2017. Игорь Кочетов. Классификация результатов тестирования произво...
byNETFest
 
Machine learning in computer security
byKishor Datta Gupta
 
Machine Learning Workshop, TSEC 2020
bySiddharth Adelkar
 
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
bySri Ram
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
byRaffael Marty
 
Machine-Learning-Overview a statistical approach
byAjit Ghodke
 
Foutse_Khomh.pptx
byFoutse Khomh
 
stackconf 2021 | Data Driven Security
byNETWAYS
 
Ensembles of Many Diverse Weak Defenses can be Strong: Defending Deep Neural ...
byPooyan Jamshidi
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
final.pdf
byomarbishtawi04
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
final.pdf
byomarbishtawi04
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Workflow and decision Automation with Flowable
bychakib ch
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 

Protecting the Protector, Hardening Machine Learning Defenses Against Adversarial Attacks

  • 1.
    Jugal Parikh, SeniorData Scientist Holly Stewart, Principal Research Manager Randy Treit, Senior Researcher
  • 4.
    W i nd o w s D e f e n d e r E n d p o i n t P r o t e c t i o n E n d p o i n t P r o t e c t i o n Blocks low reputation web downloads Blocks malicious websites W i n d o w s D e f e n d e r E n d p o i n t D e t e c t i o n a n d R e s p o n s e D e t e c t i o n a n d R e m e d i a t i o n After execution - Windows Defender ATP monitors for post-breach signals After execution - Windows Defender Hexadite can reverse damage Blocks malicious programs and content (scripts, docs, etc.) W i n d o w s D e f e n d e r S m a r t S c r e e n Monitors behaviors and terminates bad processes Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing Results
  • 5.
    T h re a t P r e d i c t R e s e a r c h T e a m Cloud Client O u r f o c u s : U s e m a c h i n e l e a r n i n g t o b l o c k a t t a c k s f o r W i n d o w s D e f e n d e r A T P
  • 6.
    Introduction ML PrimerAdversarial Examples Ensemble Model Development and Testing Results
  • 7.
    UNKNOWN UNKNOWNSEXPERTS→ LABELS→ML→ PREDICTIONS ANOMALY DETECTION SUPERVISED UNSUPERVISED
  • 8.
    EXPERTS→ LABELS→ ML→PREDICTIONS SUPERVISED
  • 10.
  • 11.
    No private brute forcing Minimalclient performance impact
  • 12.
    Introduction ML PrimerAdversarial Examples Ensemble Model Development and Testing Results
  • 13.
    Machine attributes Dynamic and contextual attributes Static file attributes Example:Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
  • 14.
    Immunity from antimalwareautomation attacks
  • 15.
     Synthetic trafficdesigned to quickly gain reputation on a digital certificate  Targeted Windows 8  Originally surfaced as a high percentage of traffic that wasn’t classified  Low-volume and unsigned file attacks were also identified during investigation 30% 40% 50% 60% 70% 80% 90% 100% 2/15 2/17 2/19 2/21 2/23 2/25 2/27 2/29 3/2 3/4 3/6 3/8 3/10 3/12 3/14 Percent Classified Traffic Win10 Win8 Win7
  • 16.
     Attackers guessedmajor features (time, traffic, digital certificate)  Team developed complementary models with additional features that filtered fake traffic out of telemetry  Combination of models removed attack traffic from training data 60% 65% 70% 75% 80% 85% 90% 95% 100% 2/7/2017 2/12/2017 2/17/2017 2/22/2017 2/27/2017 3/4/2017 3/9/2017 3/14/2017 3/19/2017 3/24/2017 3/29/2017 4/3/2017 4/8/2017 4/13/2017 4/18/2017 4/23/2017 4/28/2017 5/3/2017 Percent Classified with and without Complementary Models
  • 17.
     Research onadversarial attacks against deep learning classifiers  Showed that an ensemble of classifiers helped defend against the attacks tested in the paper  See more at: Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Classification Models Jack W. Stokes, De Wang, Mady Marinescu, Marc Marino, Brian Bussone https://arxiv.org/abs/1712.05919 Introduction ML Primer Adversarial Examples Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
  • 18.
    Ensemble Model Developmentand Testing Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
  • 19.
    1 1 Wolpert, David H."Stacked generalization." Neural networks 5.2 (1992): 241-259.
  • 20.
    Dealing with:  Activeadversarial  Volatility/ Covariate Shift  Noisy environment Scale:  Petabytes of threat Intelligence daily Evaluate:  ~2.3 Billion global queries everyday
  • 21.
    Ensemble ML PrimerDiversity Requirements Developing the Model Testing the Model
  • 22.
    1. Different featuresets 2. Different training algorithms 3. Different training data sets 4. Different optimization settings
  • 23.
    Process and installation ProcessName ParentProcess TriggeringSignal TriggeringFile DownloadIP and URL Parent/child relationships Machine attributes Partial and Fuzzy hashes ClusterHash ImportHash Fuzzy hashes Full File Content Header Footer Raw file content File properties File Geometry FileSize FileMetaData …. Signer info Issuer Publisher Signer Behavioral Connection IP System changes API calls Process injection Locale Locale setting Geographical location Behavioral and contextual attributes Static file attributes OS version Processor Security settings Features - Highly dimensional data Researcher Expertise 10k+ researcher attributes 100k+ static attributes 10k+ behavioral attributes Feature Set Training Algorithms Training Data Sets Optimization Settings
  • 24.
    Feature Set Learner# of Features PE Properties Fast Tree Ensemble 10K+ features Researcher Expertise Boosted Tree Ensemble 190K+ features Behavioral Boosted Tree Ensemble 6M+ features Fuzzy Hash 1 Random Forest 512+ features Fuzzy Hash 2 SDCA 10M+ features Static, Dynamic and Contextual Averaged Perceptron 16M+ features Researcher Expertise, Fuzzy Hash Averaged Perceptron 12M+ features File Emulation DNN 150K+ features File Detonation DNN 10M+ features Feature Set Training Algorithms Training Data Sets Optimization Settings
  • 25.
    Training Cadence: Classifiers: Malware  Clean  PUA  Enterprise specific  File Type specific Feature Set Training Algorithms Training Data Sets Optimization Settings
  • 27.
    Ensemble ML PrimerDiversity Requirements Developing the Model Testing the Model
  • 28.
    1. Boolean Stacking 2.Linear/ Logistic Stacking
  • 29.
  • 30.
    Model Selection LightGBM !!! Averaged Perceptron!!! Logistic Regression!!! Fast Tree !!! XGBoost !!! DNN !!!
  • 31.
  • 32.
    Supervised Training OptimizationEvaluation Train Validate Test
  • 36.
    Model evaluated ontime-split test set Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 2,177 | 21,182 | 0.0932 negative || 14,004 |2,097,228 | 0.9934 ||====================== Precision || 0.1345 | 0.9900 | OVERALL ACCURACY: 0.9835 Model evaluated on Live Data for 60 mins without any calibrations Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811
  • 37.
    Ensemble ML PrimerDiversity Requirements Developing the Model Testing the Model
  • 38.
     Information fromthe target inadvertently works its way into the model-checking mechanism  Causes an overly optimistic assessment of generalization performance  Filtering features that directly correlate to the training labels Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811 Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 625,324 | 136,947 | 0.8203 negative || 29,540 |8,005,113 | 0.9963 ||====================== Precision || 0.9549 | 0.9832 | OVERALL ACCURACY: 0.9668 With some data leaks Filtering known data leaks
  • 39.
     Not allBase Classifiers classify every threat scenario  What you can do:  Retaining the instance but..  Adding Boolean features indicating what features were missing  Cross Join between features  Interpretable models Model Probability Verdict FileEmulation1 N/A Unknown FileDetonation N/A Unknown FuzzyHash1 N/A Unknown FuzzyHash2 0.014020299 Clean CloudClassifier1 N/A Unknown CloudClassifier2 N/A Unknown CloudClassifier3 N/A Unknown CloudClassifier4 N/A Unknown CloudClassifier5 N/A Unknown CloudClassifier6 N/A Unknown . . . . . . . . . ResearcherExpertise 0.07285905 Clean PEPropertiesClassifier N/A Unknown FileMetaDataClassifier1 N/A Unknown FileMetaDataClassifier2 N/A Unknown FileMetaDataClassifier3 N/A Unknown BehavioralClassifier1 N/A Unknown BehavioralClassifier2 N/A Unknown Stacked Ensemble 0.92 Malware
  • 40.
     Adding K-meansdistance for each instance from the centroid of each cluster as an input feature
  • 41.
     Maintaining afixed label distribution for training  Continuous monitoring of incoming telemetry to catch anomalies/ outliers before training Time
  • 43.
  • 44.
  • 45.
    Ratio of numberof instances perturbed The classifier is robust to one of the classifiers being compromised at 1% FPR.
  • 46.
    train Machine attributes Dynamic and contextual attributes Static file attributes Example:Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
  • 47.
  • 48.
    # of Random Classifiers False PositiveRate True Positive Rate 0 0.8746% 96.1824% 2 0.8834% 96.1222% 4 0.8912% 96.0385% 6 0.8939% 95.8932% 8 0.8974% 95.8462% 10 0.9131% 95.8462% The classifier can detect these random noises and the performance drop is negligible.
  • 49.
    Machine attributes Dynamic and contextual attributes Static file attributes Example:Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
  • 51.
    Ratio of numberof instances perturbed Flipping top 2 Feature Values
  • 53.
    Cloud Client # of Instances DataDistribution Bias Anomalies Metrics Requirements Continuous Monitoring Overall Blocks Telemetry Relevant features Threat Landscape Ensemble Model Development and Testing Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
  • 54.
    Introduction ML PrimerAdversarial Examples Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
  • 55.
    Other Cloud Blocks 88% Ensemble Blocks 12% Archive 4% Documentsand macros 8% Other (1k+ types) PE File 68% Shortcut 11% Signed PE File 3% VBS 3%
  • 56.
  • 57.
    Filters out noisysignals from an occasionally underperforming model Increases predictive power with easy interpretability Adds resilience against attacks on individual models
  • 59.
     Small-scale attackin Central and Western Canada  Most targets reached within 5 ½ hours  73% of targets were commercial businesses
  • 61.
    Model Probability Verdict PDFClassifier- Unknown NonPEClassifier - Unknown CloudModel3 0.06 Clean? FuzzyHash1 0.07 Clean? FuzzyHash2 0.08 Clean? ResearchExpertise 0.99 Malware Ensemble1 0.27 ~Sketchy Ensemble2 0.84 Sketchy! Ensemble3 0.91 Malware Client Cloud
  • 63.
    Model Probability Verdict FuzzyHash20.06 Clean? Ensemble1 0.27 ~Sketchy JsModel 0.52 Sketchy! ResearchExpertise 0.64 Sketchy! Ensemble3 0.91 Malware Client Cloud vNSAml.js
  • 65.
     Daewoo Chong(Windows Defender ATP Research)  Christian Seifert (Windows Defender ATP Research)  Allan Sepillo (Windows Defender ATP Research)  Bhavna Soman (Windows Defender ATP Research)  Jay Stokes (Microsoft Research)  Maria Vlachopoulou (Windows Defender ATP Research)  Samuel Wakasugui (Windows Defender ATP Research)
  • 66.
    Today’s presentation All dataand charts, unless otherwise noted, is from Microsoft. Preso: https://www.blackhat.com/us-18/briefings/schedule/index.html#protecting-the-protector-hardening-machine-learning-defenses- against-adversarial-attacks-11669 Blog: https://aka.ms/hardening-ML Upcoming conference presentations Virus Bulletin 2018 (Montreal): Starving malware authors through dynamic classification Karishma Sanghvi (Microsoft), Joe Blackbird (Microsoft) Blog Posts and Other References Antivirus evolved Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses How artificial intelligence stopped an Emotet outbreak Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign Machine Learning vs. Social Engineering Whitepaper: The Evolution of Malware Prevention
  • 67.
    Client-based machine learningis susceptible to brute force attacks After you deploy, ensure you have monitors to alert on potential tampering Consider the various vectors of attack, identify most likely vectors, then test them Build a diverse set of complementary models, then add an ensemble layer
  • 68.