Maximilian Bachl
ABSTRACT
Interest in poisoning attacks and backdoors recently resurfaced for Deep Learning (DL) applications. Several successful defense mechanisms have been recently proposed for Convolutional Neural Networks (CNNs), for example in the context of autonomous driving. We show that visualization approaches can aid in identifying a backdoor independent of the used classifier. Surprisingly, we find that common defense mechanisms fail utterly to remove backdoors in DL for Intrusion Detection Systems (IDSs). Finally, we devise pruning-based approaches to remove backdoors for Decision Trees (DTs) and Random Forests (RFs) and demonstrate their effectiveness for two different network security datasets.
- D. W. Apley and J. Zhu. 2016. Visualizing the Effects of Predictor Variables in Black Box Supervised Learning Models. arXiv:1612.08468 [stat] (Dec. 2016). arXiv: 1612.08468.Google Scholar
- B. Biggio, I. Corona, G. Fumera, G. Giacinto, and F. Roli. 2011. Bagging classifiers for fighting poisoning attacks in adversarial environments. In 10th Int'l Workshop on Multiple Classifier Systems, volume 6713 of LNCS. Springer, Naples, Italy, 350--359.Google Scholar
- H. Chen, H. Zhang, D. Boning, and C.-J. Hsieh. 2019. Robust Decision Trees Against Adversarial Examples. In Proceedings of the 36th International Conference on Machine Learning. PMLR, Long Beach, CA, 1122--1131.Google Scholar
- F. Erlacher and F. Dressler. 2018. How to Test an IDS?: GENESIDS: An Automated System for Generating Attack Traffic. In Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity (WTMC '18). ACM, New York, NY, USA, 46--51. https://doi.org/10.1145/3229598.3229601 event-place: Budapest, Hungary.Google Scholar
- F. Esposito, D. Malerba, G. Semeraro, and J. Kay. 1997. A comparative analysis of methods for pruning decision trees. IEEE Transactions on Pattern Analysis and Machine Intelligence 19, 5 (May 1997), 476--491.Google ScholarDigital Library
- J. H. Friedman. 2001. Greedy Function Approximation: A Gradient Boosting Machine. The Annals of Statistics 29, 5 (2001), 1189--1232.Google ScholarCross Ref
- T. Gu, B. Dolan-Gavitt, and S. Garg. 2017. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. arXiv:1708.06733 [cs] (Aug. 2017). arXiv: 1708.06733.Google Scholar
- K. Liu, B. Dolan-Gavitt, and S. Garg. 2018. Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks. arXiv:1805.12185 [cs] (May 2018). arXiv: 1805.12185.Google Scholar
- F. Meghdouri, T. Zseby, and F. Iglesias. 2018. Analysis of Lightweight Feature Vectors for Attack Detection in Network Traffic. Applied Sciences 8, 11 (Nov. 2018), 2196.Google ScholarCross Ref
- N. Moustafa and J. Slay. 2015. UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In 2015 Military Communications and Information Systems Conference (MilCIS). 1--6.Google Scholar
- A. Paszke, S. Gross, S. Chintala, et al. 2017. Automatic differentiation in PyTorch. (2017), 4.Google Scholar
- F. Pedregosa, G. Varoquaux, A. Gramfort, et al. 2011. Scikit-learn: Machine Learning in Python. Journal of Machine Learning Research 12 (Oct. 2011), 2825--2830.Google ScholarDigital Library
- P. Russu, A. Demontis, B. Biggio, G. Fumera, and F. Roli. 2016. Secure Kernel Machines against Evasion Attacks. In Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security - ALSec '16. ACM Press, Vienna, Austria, 59--69.Google Scholar
- I. Sharafaldin, A. Habibi Lashkari, and A. A. Ghorbani. 2018. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy. SCITEPRESS, Funchal, Madeira, Portugal, 108--116.Google Scholar
- J. Sietsma. 1988. Neural net pruning-why and how. In Proceedings of the International Conference on Neural Networks. IEEE, San Diego, CA, 325--333.Google ScholarCross Ref
- G. Vormayr. 2019. go-flows. https://github.com/CN-TU/go-flows Commit 0816e6.Google Scholar
- Wikipedia. 2019. Convolutional neural network. https://en.wikipedia.org/w/index.php?title=Convolutional_neural_network&oldid=921208341 Page Version ID: 921208341.Google Scholar
- N. Williams, S. Zander, and G. Armitage. 2006. A Preliminary Performance Comparison of Five Machine Learning Algorithms for Practical IP Traffic Flow Classification. SIGCOMM Comput. Commun. Rev. 36, 5 (Oct. 2006), 5--16.Google ScholarDigital Library
- J. Yosinski, J. Clune, Y. Bengio, and H. Lipson. 2014. How transferable are features in deep neural networks? In Advances in Neural Information Processing Systems 27. MIT Press, 3320--3328.Google Scholar
Index Terms
- Walling up Backdoors in Intrusion Detection Systems
Recommendations
Syntax vs. semantics: competing approaches to dynamic network intrusion detection
Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax and semantics based approaches for dynamic network intrusion detection. The semantics-...
Quantitative intrusion intensity assessment for intrusion detection systems
One of the main problems of existing approaches in anomaly detection in intrusion detection system (IDS) is that IDSs provide only binary detection result: intrusion (attack) or normal. If some attack data or normal data is belonged to boundary, they ...
Securing Collaborative Intrusion Detection Systems
One threat to collaborative intrusion detection systems (CIDSs) is statistic-poisoning attacks. In these attacks, adversaries inject incorrect security sensor reports to the system's repository to corrupt the published attack statistics. A novel, robust ...
Reviews
Shyamkumar T Iyer
Intrusion detection systems (IDSs) detect anomalies in a network. However, backdoors instated for profit, political gain, and/or other reasons can be hard to detect and may introduce security vulnerabilities. IDSs are generally built using multilayer perceptrons (MLPs). Much research is needed to detect backdoors in such a system. The authors' research is based on two methods: (1) An analysis of backdoors using visual tools and techniques; and (2) An analysis of techniques like pruning and fine-tuning. The authors theorize that, while such methods have been discussed for convolutional neural networks (CNNs), similar research is inadequate in detecting backdoors in traditional MLPs, decision trees (DTs), and random forests (RFs). To design an experimental setup, the authors design an RF and MLP model with backdoors using PyTorch. They visualize the model using partial dependence plots (PDPs) and accumulated local effects (ALE) plots, and look for regions that suggest the behavior of the model under investigation (MuI) is unexplainable or counterintuitive. They also study the effect of techniques like pruning and fine-tuning on their model via design validation and test datasets. With their experimentation, the authors recommend PDP and ALE plots to analyze questionable decisions. They show ways to detect unnecessary features hinting toward a backdoor. The authors also show that pruning and fine-tuning techniques popular with CNNs are inefficient at removing backdoors from their experimental MLP models. However, their experiments show that DTs and RFs can benefit from a validation set. The results show that validation sets as a pruning mechanism can reduce backdoor efficacy without reducing classifier detection effectiveness. In summary, this paper provides good commentary on backdoors and highlights the need to devise new ways to detect them.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments