BlueHat v18 || Protecting the protector, hardening machine learning defenses against adversarial attacks
1 like371 views
The document discusses the strategies and models used by Windows Defender to enhance threat detection through machine learning, emphasizing the importance of ensemble models in defending against adversarial attacks. It details the methods for monitoring, classifying, and mitigating potential threats, alongside the challenges faced during implementation, including managing false positives. Additionally, it highlights the critical role of feature diversity and continuous monitoring in improving the accuracy and effectiveness of malware detection solutions.
BlueHat v18 || Protecting the protector, hardening machine learning defenses against adversarial attacks
- 1. Jugal Parikh, Senior Data Scientist Holly Stewart, Principal Research Manager Randy Treit, Senior Researcher
- 6. W i n d o w s D e f e n d e r E n d p o i n t P r o t e c t i o n E n d p o i n t P r o t e c t i o n Blocks low reputation web downloads Blocks malicious websites W i n d o w s D e f e n d e r E n d p o i n t D e t e c t i o n a n d R e s p o n s e D e t e c t i o n a n d R e m e d i a t i o n After execution - Windows Defender ATP monitors for post-breach signals After execution - Windows Defender Hexadite can reverse damage Blocks malicious programs and content (scripts, docs, etc.) W i n d o w s D e f e n d e r S m a r t S c r e e n Monitors behaviors and terminates bad processes Introduction ML Primer Adversarial Attacks Ensemble Model Development and Testing Results
- 7. T h r e a t P r e d i c t R e s e a r c h T e a m Cloud Client O u r f o c u s : U s e m a c h i n e l e a r n i n g t o b l o c k a t t a c k s f o r W i n d o w s D e f e n d e r A T P
- 8. Introduction ML Primer Adversarial Attacks Ensemble Model Development and Testing Results
- 9. UNKNOWN UNKNOWNSEXPERTS→ LABELS→ ML→ PREDICTIONS ANOMALY DETECTION SUPERVISED UNSUPERVISED
- 10. EXPERTS→ LABELS→ ML→ PREDICTIONS SUPERVISED
- 16. No private brute forcing Minimal client performance impact
- 17. Introduction ML Primer Adversarial Attacks Ensemble Model Development and Testing Results
- 18. Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
- 19. Immunity from antimalware automation attacks
- 20. Synthetic traffic designed to quickly gain reputation on a digital certificate Targeted Windows 8 Originally surfaced as a high percentage of traffic that wasn’t classified Low-volume and unsigned file attacks were also identified during investigation 30% 40% 50% 60% 70% 80% 90% 100% 2/15 2/17 2/19 2/21 2/23 2/25 2/27 2/29 3/2 3/4 3/6 3/8 3/10 3/12 3/14 Percent Classified Traffic Win10 Win8 Win7
- 21. Attackers guessed major features (time, traffic, digital certificate) Team developed complementary models with additional features that filtered fake traffic out of telemetry Combination of models removed attack traffic from training data 60% 65% 70% 75% 80% 85% 90% 95% 100% 2/7/2017 2/12/2017 2/17/2017 2/22/2017 2/27/2017 3/4/2017 3/9/2017 3/14/2017 3/19/2017 3/24/2017 3/29/2017 4/3/2017 4/8/2017 4/13/2017 4/18/2017 4/23/2017 4/28/2017 5/3/2017 Percent Classified with and without Complementary Models
- 22. Research on adversarial attacks against deep learning classifiers Showed that an ensemble of classifiers helped defend against the attacks tested in the paper See more at: Attack and Defense of Dynamic Analysis-Based, Adversarial Neural Malware Classification Models Jack W. Stokes, De Wang, Mady Marinescu, Marc Marino, Brian Bussone https://arxiv.org/abs/1712.05919 Introduction ML Primer Adversarial Attacks Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
- 23. Ensemble Model Development and Testing Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
- 24. 1 1 Wolpert, David H. "Stacked generalization." Neural networks 5.2 (1992): 241-259.
- 25. Dealing with: Active adversarial attempts Volatility in data distribution/ Covariate Shift Noisy environment Scale: Petabytes of threat Intelligence daily Evaluate: ~2.3 Billion global queries everyday
- 26. Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
- 27. Different feature sets
- 28. Process and installation ProcessName ParentProcess TriggeringSignal TriggeringFile Download IP and URL Parent/child relationships Machine attributes Partial and Fuzzy hashes ClusterHash ImportHash Fuzzy hashes Full File Content Header Footer Raw file content File properties File Geometry FileSize FileMetaData …. Signer info Issuer Publisher Signer Behavioral Connection IP System changes API calls Process injection Locale Locale setting Geographical location Behavioral and contextual attributes Static file attributes OS version Processor Security settings Features - Highly dimensional data Researcher Expertise 10k+ researcher attributes 100k+ static attributes 10k+ behavioral attributes Feature Set Training Algorithms Training Data Sets Optimization Settings
- 29. Different feature sets Different training algorithms and data sets
- 30. Feature Set Learner # of Features PE Properties Fast Tree Ensemble 10K+ features Researcher Expertise Boosted Tree Ensemble 190K+ features Behavioral Boosted Tree Ensemble 6M+ features Fuzzy Hash 1 Random Forest 512+ features Fuzzy Hash 2 SDCA 10M+ features Static, Dynamic and Contextual Averaged Perceptron 16M+ features Researcher Expertise, Fuzzy Hash Averaged Perceptron 12M+ features File Emulation DNN 150K+ features File Detonation DNN 10M+ features Feature Set Training Algorithms Training Data Sets Optimization Settings
- 31. Different feature sets Different training algorithms and data sets Different optimization settings based on threat scenarios
- 32. Training Cadence: Classifiers: Malware Clean Potentially unwanted software File type (js, vbs, pdf, PE, etc) Target: Commercial or consumer? Organization specific Feature Set Training Algorithms Training Data Sets Optimization Settings
- 35. Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
- 37. Model Selection LightGBM !!! Averaged Perceptron !!! Logistic Regression!!! Fast Tree !!! XGBoost !!! DNN !!!
- 39. Supervised Training Optimization Evaluation Train Validate Test
- 40. LightGBM
- 43. Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
- 44. Model evaluated on time-split test set Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 2,177 | 21,182 | 0.0932 negative || 14,004 |2,097,228 | 0.9934 ||====================== Precision || 0.1345 | 0.9900 | OVERALL ACCURACY: 0.9835 Uncalibrated model evaluated on 60 mins real world data Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811
- 45. Ensemble ML Primer Diversity Requirements Developing the Model Testing the Model
- 46. Information from the label inadvertently works its way into the training features Causes an overly optimistic assessment of generalization performance Filtering features that correlate to the training labels Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 703,140 | 59,131 | 0.9224 negative || 2,1030 |8,013,623 | 0.9974 ||====================== Precision || 0.9710 | 0.9927 | OVERALL ACCURACY: 0.9811 Confusion table ||====================== PREDICTED || positive | negative | Recall TRUTH ||====================== positive || 625,324 | 136,947 | 0.8203 negative || 29,540 |8,005,113 | 0.9963 ||====================== Precision || 0.9549 | 0.9832 | OVERALL ACCURACY: 0.9668 With some data leaks Filtering known data leaks
- 47. Not all Base Classifiers classify every threat scenario What you can do: Retain each instance (don’t toss them) Adding Boolean features indicating which classifiers returned a value Cross Join between features Model Probability Verdict FileEmulation1 N/A Unknown FileDetonation N/A Unknown FuzzyHash1 N/A Unknown FuzzyHash2 0.014020299 Clean CloudClassifier1 N/A Unknown CloudClassifier2 N/A Unknown CloudClassifier3 N/A Unknown CloudClassifier4 N/A Unknown CloudClassifier5 N/A Unknown CloudClassifier6 N/A Unknown . . . . . . . . . ResearcherExpertise 0.07285905 Clean PEPropertiesClassifier N/A Unknown FileMetaDataClassifier1 N/A Unknown FileMetaDataClassifier2 N/A Unknown FileMetaDataClassifier3 N/A Unknown BehavioralClassifier1 N/A Unknown BehavioralClassifier2 N/A Unknown Stacked Ensemble 0.92 Malware
- 48. Adding K-means distance for each instance from the centroid of each cluster as an input feature
- 49. Control # training samples Control ratio of clean/malware (label distribution) Continuous monitoring of incoming telemetry to catch anomalies/ outliers before training Time
- 52. Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
- 54. Ratio of number of instances perturbed Flipping top 2 Feature Values
- 55. Machine attributes Dynamic and contextual attributes Static file attributes Example: Averaged perceptron model with > .90 probability = 0.0001% false positive rate Cloud Client
- 56. Supervised Training Adding Rogue Features
- 57. # of Random Classifiers False Positive Rate True Positive Rate 0 0.8746% 96.1824% 2 0.8834% 96.1222% 4 0.8912% 96.0385% 6 0.8939% 95.8932% 8 0.8974% 95.8462% 10 0.9131% 95.8462% The classifier can detect these random noises and the performance drop is negligible.
- 59. Cloud Client # of instances Label distribution Label sources Model gates Model monitoring Overall block monitoring Anomaly alerts Update features Identify feature evasion Unsupervised learning
- 60. Introduction ML Primer Adversarial Attacks Ensemble Model Development and Testing ResultsEnsemble Model Development and Testing
- 61. Other Cloud Blocks 88% Ensemble Blocks 12% Archive 4% Documents and macros 8% Other (1k+ types) PE File 68% Shortcut 11% Signed PE File 3% VBS 3%
- 62. malware clean
- 63. Filters out noisy signals from an occasionally underperforming model Increases predictive power with easy interpretability Adds resilience against attacks on individual models
- 65. Small-scale attack in Central and Western Canada Most targets reached within 5 ½ hours 73% of targets were commercial
- 67. Model Probability Verdict PDFClassifier - Unknown NonPEClassifier - Unknown CloudModel3 0.06 Clean? FuzzyHash1 0.07 Clean? FuzzyHash2 0.08 Clean? ResearchExpertise 0.99 Malware Ensemble1 0.27 ~Sketchy Ensemble2 0.84 Sketchy! Ensemble3 0.91 Malware Client Cloud
- 69. Model Probability Verdict FuzzyHash2 0.06 Clean? Ensemble1 0.27 ~Sketchy JsModel 0.52 Sketchy! ResearchExpertise 0.64 Sketchy! Ensemble3 0.91 Malware Client Cloud vNSAml.js
- 71. Daewoo Chong (Windows Defender ATP Research) Christian Seifert (Windows Defender ATP Research) Allan Sepillo (Windows Defender ATP Research) Bhavna Soman (Windows Defender ATP Research) Jay Stokes (Microsoft Research) Maria Vlachopoulou (Windows Defender ATP Research) Samuel Wakasugui (Windows Defender ATP Research)
- 72. Today’s presentation All data and charts, unless otherwise noted, is from Microsoft. Blog: https://aka.ms/hardening-ML Upcoming conference presentations Virus Bulletin 2018 (Montreal): Starving malware authors through dynamic classification Karishma Sanghvi (Microsoft), Joe Blackbird (Microsoft) Blog Posts and Other References Antivirus evolved Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses How artificial intelligence stopped an Emotet outbreak Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign Machine Learning vs. Social Engineering Whitepaper: The Evolution of Malware Prevention
- 73. Client-based machine learning is susceptible to brute force attacks After you deploy, ensure you have monitors to alert on potential tampering Consider the various vectors of attack, identify most likely vectors, then test them Build a diverse set of complementary models, then add an ensemble layer