敌对攻击环境下基于移动目标防御的算法稳健性增强方法

doi:10.11959/j.issn.2096-109x.2020052

网络与信息安全学报 ›› 2020, Vol. 6 ›› Issue (4): 67-76.doi: 10.11959/j.issn.2096-109x.2020052

敌对攻击环境下基于移动目标防御的算法稳健性增强方法

何康^1,²,祝跃飞^1,²(),刘龙^1,²,芦斌^1,²,刘彬^1,²

¹ 信息工程大学网络空间安全学院，河南郑州450001
² 数学工程与先进计算国家重点实验室，河南郑州 450001

修回日期:2020-02-04 出版日期:2020-08-15 发布日期:2020-08-13
作者简介:何康（1992- ），男，山东济宁人，信息工程大学博士生，主要研究方向为网络空间安全|祝跃飞（1962- ），男，河南郑州人，信息工程大学教授、博士生导师，主要研究方向为入侵检测、密码学、信息安全|刘龙（1983- ），男，河南郑州人，信息工程大学讲师，主要研究方向为入侵检测和信息安全|芦斌（1983- ），男，河南郑州人，信息工程大学副教授，主要研究方向为信息安全、机器学习和网络分析|刘彬（1981- ），女，河南郑州人，信息工程大学副教授，主要研究方向为网络安全
基金资助:
国家重点研发计划基金(2016YFB0801505);国家重点研发计划前沿科技创新专项基金(2019QY1305)

Improve the robustness of algorithm under adversarial environment by moving target defense

Kang HE^1,²,Yuefei ZHU^1,²(),Long LIU^1,²,Bin LU^1,²,Bin LIU^1,²

¹ Cyberspace Security Institute,Information Engineering University,Zhengzhou 450001,China
² State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China

Revised:2020-02-04 Online:2020-08-15 Published:2020-08-13
Supported by:
The National Key R＆D Program of China(2016YFB0801505);Cutting-edge Science and Technology Innovation Project of the Key R＆D Program of China(2019QY1305)

摘要/Abstract

摘要：

传统的机器学习模型工作在良性环境中，通常假设训练数据和测试数据是同分布的，但在恶意文档检测等领域该假设被打破。敌人通过修改测试样本对分类算法展开攻击，使精巧构造的恶意样本能够逃过机器学习算法的检测。为了提高机器学习算法的安全性，提出了基于移动目标防御技术的算法稳健性增强方法。实验证明，该方法通过在算法模型、特征选择、结果输出等阶段的动态变换，能够有效抵御攻击者对检测算法的逃逸攻击。

关键词: 机器学习, 算法稳健性, 移动目标防御, 动态变换

Abstract:

Traditional machine learning models works in peace environment,assuming that training data and test data share the same distribution.However,the hypothesis does not hold in areas like malicious document detection.The enemy attacks the classification algorithm by modifying the test samples so that the well-constructed malicious samples can escape the detection by machine learning models.To improve the security of machine learning algorithms,moving target defense (MTD) based method was proposed to enhance the robustness.Experimental results show that the proposed method could effectively resist the evasion attack to detection algorithm by dynamic transformation in the stages of algorithm model,feature selection and result output.

Key words: machine learning, algorithm robustness, moving target defense, dynamic transformation

中图分类号:

TP301.6

何康,祝跃飞,刘龙,芦斌,刘彬. 敌对攻击环境下基于移动目标防御的算法稳健性增强方法[J]. 网络与信息安全学报, 2020, 6(4): 67-76.

Kang HE,Yuefei ZHU,Long LIU,Bin LU,Bin LIU. Improve the robustness of algorithm under adversarial environment by moving target defense[J]. Chinese Journal of Network and Information Security, 2020, 6(4): 67-76.

图/表 8

图1

图2

表1

表2

表3

使用不同特征的SVM模型对敌对样本的检测率　Table 3 Detection rates of adversarial samples by SVM models with different features"

对抗样本集序号											模型序号
对抗样本集序号	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20
1	0.63%	0.92%	64.25%	98.71%	86.20%	96.94%	99.26%	16.80%	81.92%	82.97%	98.58%	42.92%	88.12%	66.15%	87.73%	82.44%	27.42%	90.58%	4.82%	76.49%
2	1.20%	1.19%	55.81%	98.72%	86.08%	98.30%	99.25%	15.59%	72.96%	92.00%	95.59%	89.12%	15.16%	66.11%	27.89%	82.45%	90.40%	90.58%	71.14%	76.86%
3	99.36%	80.36%	22.58%	98.72%	85.23%	85.72%	37.44%	41.57%	82.80%	87.12%	35.45%	87.06%	33.73%	65.93%	54.76%	82.45%	89.79%	90.58%	83.68%	77.92%
4	99.28%	91.3%	55.32%	1.20%	86.81%	98.36%	1.23%	18.07%	82.80%	86.82%	97.62%	89.12%	81.85%	66.15%	87.20%	82.37%	1.80%	90.58%	75.90%	76.53%
5	20.88%	22.07%	56.72%	98.75%	18.31%	98.54%	99.26%	26.24%	82.11%	96.67%	99.19%	89.12%	80.40%	65.86%	87.66%	52.94%	97.92%	90.58%	73.63%	78.96%
6	99.36%	91.36%	50.28%	98.75%	86.75%	2.29%	2.88%	30.69%	88.04%	85.54%	98.59%	89.12%	88.12%	66.15%	87.73%	82.58%	89.82%	84.39%	83.68%	87.02%
7	99.36%	91.28%	18.63%	53.83%	86.81%	1.77%	0.73%	89.76%	82.74%	88.66%	89.90%	89.07%	89.43%	62.30%	87.43%	82.37%	89.81%	90.58%	75.84%	84.65%
8	2.91%	5.43%	6.48%	13.98%	84.57%	84.96%	99.26%	2.83%	82.37%	86.87%	99.19%	7.50%	23.09%	66.15%	87.21%	82.45%	5.50%	90.58%	71.34%	78.91%
9	22.09%	22.16%	63.89%	98.75%	85.46%	99.30%	98.81%	28.62%	18.44%	89.44%	22.22%	85.98%	76.36%	65.89%	86.28%	82.16%	21.88%	30.14%	77.60%	77.78%
10	8.04%	98.81%	64.16%	98.72%	88.16%	99.50%	99.26%	58.65%	82.80%	7.50%	15.48%	87.34%	23.47%	66.15%	87.8%	82.45%	10.25%	84.79%	71.94%	76.8%
11	99.36%	98.06%	3.59%	98.72%	86.81%	97.55%	84.87%	97.10%	81.92%	8.12%	0.79%	89.12%	8.34%	66.15%	87.73%	82.45%	90.35%	90.58%	75.92%	75.79%
12	10.83%	92.09%	17.79%	98.75%	86.81%	98.42%	99.26%	17.24%	72.42%	18.70%	99.19%	9.66%	88.12%	65.86%	86.58%	82.45%	90.00%	90.58%	83.68%	76.19%
13	99.36%	13.28%	13.45%	98.81%	86.17%	98.30%	99.82%	62.91%	82.04%	78.19%	12.00%	89.12%	10.60%	66.15%	25.4%	82.45%	89.8%	90.58%	72.45%	84.63%
14	99.36%	93.83%	57.98%	98.75%	89.49%	98.36%	33.55%	45.58%	82.75%	92.03%	99.19%	88.77%	88.12%	22.23%	87.52%	82.41%	90.4%	90.58%	75.18%	84.65%
15	99.36%	85.32%	58.91%	98.72%	86.77%	98.30%	98.79%	60.57%	52.80%	78.32%	99.19%	86.25%	19.99%	66.12%	10.96%	82.37%	89.97%	90.58%	64.67%	24.30%
16	99.36%	98.81%	63.94%	98.72%	88.42%	99.12%	98.87%	92.33%	82.67%	91.16%	99.19%	89.12%	88.12%	66.12%	87.38%	30.14%	89.90%	90.58%	83.68%	79.58%
17	99.28%	98.81%	32.43%	16.31%	87.28%	93.77%	98.79%	24.54%	82.68%	86.01%	98.68%	84.54%	79.17%	66.15%	87.62%	82.45%	8.65%	90.58%	76.62%	77.24%
18	99.36%	92.8%	57.21%	98.75%	86.80%	89.80%	99.26%	91.24%	22.64%	82.91%	98.75%	89.12%	88.12%	65.89%	87.72%	82.55%	89.85%	20.00%	77.65%	84.61%
19	16.61%	90.47%	63.84%	98.71%	86.19%	97.70%	17.03%	62.08%	82.78%	23.27%	90.78%	89.12%	74.98%	64.20%	80.34%	82.45%	89.81%	90.58%	13.83%	77.17%
20	99.28%	92.35%	15.26%	98.71%	86.80%	99.47%	99.26%	24.51%	82.53%	26.54%	90.51%	84.28%	88.12%	66.15%	30.19%	82.25%	89.51%	90.58%	89.60%	13.03%

表3

表4

图3

图4

参考文献 22

[1]	JIANG H , NAGRA J , AHAMMAD P . Sok:applying machine learning in security-a survey[J]. arXiv preprint arXiv:1611.03186, 2016
[2]	PITROPAKIS N , PANAOUSIS E , GIANNETSOS T ,et al. A taxonomy and survey of attacks against machine learning[J]. Computer Science Review, 2019,34100199.
[3]	张东, 张尧, 刘刚 ,等. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017,3(7): 25-32.
	ZHANG D , ZHANG Y , LIU G ,et al. Research on host malcode detection using machine learning[J]. Chinese Journal of Network and Information Security, 2017,3(7): 25-32.
[4]	张骁敏, 刘静, 庄俊玺 ,等. 基于权限与行为的 Android 恶意软件检测研究[J]. 网络与信息安全学报, 2017,3(3): 51-57.
	ZHANG X M , LIU J , ZHUANG J X ,et al. Research on Android malware detection based on permission and behavior[J]. Chinese Journal of Network and Information Security, 2017,3(3): 51-57.
[5]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv preprint arXiv:1312.6199, 2013
[6]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv:1412.6572, 2014
[7]	ZHANG G , YAN C , JI X ,et al. Dolphinattack:inaudible voice commands[C]// The 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 103-117.
[8]	GROSSE K , PAPERNOT N , MANOHARAN P ,et al. Adversarial perturbations against deep neural networks for malware classification[J]. arXiv preprint arXiv:1606.04435, 2016
[9]	CHEN S , XUE M , FAN L ,et al. Automated poisoning attacks and defenses in malware detection systems:an adversarial machine learning approach[J]. Computers ＆ Security, 2018,73: 326-344.
[10]	PAPERNOT N , MCDANIEL P , WU X ,et al. Distillation as a defense to adversarial perturbations against deep neural networks[C]// 2016 IEEE Symposium on Security and Privacy (SP). 2016: 582-597.
[11]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// 2017 IEEE Symposium on Security and Privacy (SP). 2017: 39-57.
[12]	蔡桂林, 王宝生, 王天佐 ,等. 移动目标防御技术研究进展[J]. 计算机研究与发展, 2016,53(5): 968-987.
	CAI G L , WANG B S , WANG T Z ,et al. Research and development of moving target defense technology[J]. Journal of Computer Research and Development, 2016,53(5): 968-987.
[13]	EVANS D,NGUYEN-TUONG A , KNIGHT J . Effectiveness of moving target defenses[M]// Moving Target Defense. 2011: 29-48.
[14]	JAFARIAN J H , AL-SHAER E , DUAN Q . Openflow random host mutation:transparent moving target defense using software defined networking[C]// The First Workshop on Hot Topics in Software Defined Networks. 2012: 127-132.
[15]	SENGUPTA S , CHAKRABORTI T , KAMBHAMPATI S . MTDeep:boosting the security of deep neural nets against adversarial attacks with moving target defense[C]// Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence. 2018.
[16]	LEI C , MA D H , ZHANG H Q . Optimal strategy selection for moving target defense based on Markov game[J]. IEEE Access, 2017,5: 156-169.
[17]	ROY A , CHHABRA A , KAMHOUA C A ,et al. A moving target defense against adversarial machine learning[C]// The 4th ACM/IEEE Symposium on Edge Computing. 2019: 383-388.
[18]	李亚龙, 陈勤, 张旻 . 基于博弈论的移动目标最优防御策略研究[J]. 计算机工程与应用, 2019,55(19): 141-146.
	LI Y L , CHEN Q , ZHANG M . Research on optimal defense strategy of moving targets based on game theory[J]. Computer Engineering and Applications, 2019,55(19): 141-146.
[19]	KANTCHELIAN A , TYGAR J D , JOSEPH A . Evasion and hardening of tree ensemble classifiers[C]// International Conference on Machine Learning. 2016: 2387-2396.
[20]	NISSIM N , COHEN A , GLEZER C ,et al. Detection of malicious PDF files and directions for enhancements:a state-of-the art survey[J]. Computers ＆ Security, 2015,48: 246-266.
[21]	CHEN P Y , ZHANG H , SHARMA Y ,et al. Zoo:zeroth order optimization based black-box attacks to deep neural networks without training substitute models[C]// The 10th ACM Workshop on Artificial Intelligence and Security. 2017: 15-26.
[22]	MU?OZ-GONZáLEZ L , BIGGIO B , DEMONTIS A ,et al. Towards poisoning of deep learning algorithms with back-gradient optimization[C]// The 10th ACM Workshop on Artificial Intelligence and Security. 2017: 27-38.

样本集	支持向量机	决策树	逻辑回归
Mal	97.98%	99.97%	98.54%
Ben	99.94%	99.87%	99.86%
S_adv	0.00%	96.98%	56.00%
D_adv	6.57%	0.00%	93.04%
L_adv	16.63%	97.44%	0.00%

敌对攻击环境下基于移动目标防御的算法稳健性增强方法

Improve the robustness of algorithm under adversarial environment by moving target defense

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 22

相关文章 15

Metrics

推荐阅读 0

模型	准确率	模型	准确率
1	99.36%	11	99.19%
2	98.81%	12	89.12%
3	84.30%	13	88.12%
4	98.75%	14	86.15%
5	86.81%	15	87.72%
6	98.30%	16	82.45%
7	99.26%	17	90.40%
8	97.10%	18	90.58%
9	82.80%	19	83.68%
10	91.95%	20	84.65%

分类	标签为恶意	标签为良性
恶意	10 961	0
良性	25	8 969

[1]	夏锐琪, 李曼曼, 陈少真. 基于机器学习的分组密码结构识别[J]. 网络与信息安全学报, 2023, 9(3): 79-89.
[2]	韦南, 殷丽华, 宁洪, 方滨兴. 本科“机器学习”课程教学改革初探[J]. 网络与信息安全学报, 2022, 8(4): 182-189.
[3]	黄诚, 孙明旭, 段仁语, 吴苏晟, 陈斌. 面向项目版本差异性的漏洞识别技术研究[J]. 网络与信息安全学报, 2022, 8(1): 52-62.
[4]	何威振, 陈福才, 牛杰, 谭晶磊, 霍树民, 程国振. 面向网络层的动态跳变技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 44-55.
[5]	曾威, 扈红超, 李凌书, 霍树民. 容器云中基于Stackelberg博弈的动态异构调度方法[J]. 网络与信息安全学报, 2021, 7(3): 95-104.
[6]	王滨, 陈靓, 钱亚冠, 郭艳凯, 邵琦琦, 王佳敏. 面向对抗样本攻击的移动目标防御[J]. 网络与信息安全学报, 2021, 7(1): 113-120.
[7]	张颖君,刘尚奇,杨牧,张海霞,黄克振. 基于日志的异常检测技术综述[J]. 网络与信息安全学报, 2020, 6(6): 1-12.
[8]	付溪,李晖,赵兴文. 网络钓鱼识别研究综述[J]. 网络与信息安全学报, 2020, 6(5): 1-10.
[9]	袁福祥,刘粉林,刘翀,刘琰,罗向阳. MLAR：面向IP定位的大规模网络别名解析[J]. 网络与信息安全学报, 2020, 6(4): 77-94.
[10]	骆子铭,许书彬,刘晓东. 基于机器学习的TLS恶意加密流量检测方案[J]. 网络与信息安全学报, 2020, 6(1): 77-83.
[11]	黄伟,刘存才,祁思博. 针对设备端口链路的LSTM网络流量预测与链路拥塞方案[J]. 网络与信息安全学报, 2019, 5(6): 50-57.
[12]	宋蕾, 马春光, 段广晗. 机器学习安全及隐私保护研究进展[J]. 网络与信息安全学报, 2018, 4(8): 1-11.
[13]	谭晶磊, 张红旗, 雷程, 刘小虎, 王硕. 面向SDN的移动目标防御技术研究进展[J]. 网络与信息安全学报, 2018, 4(7): 1-12.
[14]	明拓思宇, 陈鸿昶. 文本摘要研究进展与趋势[J]. 网络与信息安全学报, 2018, 4(6): 1-10.
[15]	周余阳, 程光, 郭春生. 基于贝叶斯攻击图的网络攻击面风险评估方法[J]. 网络与信息安全学报, 2018, 4(6): 11-22.