
Approaches to Counter Machine Learning



OBJECTIVE: Use machine learning techniques to infer properties of the training set of another machine learning classifier, and to manipulate that classifier's inputs so that it produces desired outputs, in order to test and harden machine learning based network security applications.

DESCRIPTION: Recent research has demonstrated that machine learning techniques can be used to make other models leak information about the individual records they were trained on [1]. It is proposed to extend this technique to cyber-defensive use cases, in order to better understand and harden machine learning based network security solutions such as Intrusion Prevention/Detection Systems (IPS/IDS). By running a machine learning algorithm adversarially against a system already trained on a specific data set, it is possible to glean information about the original training set by manipulating the inputs provided to the system and observing its reported outputs; no access to the model internals is needed, only the ability to query it. The leakage is largest when the system reports confidence scores and has overfit its training data, and smaller when it emits only a binary alert. It is the intention of this SBIR to evaluate the feasibility and commercial viability of techniques that could be easily adapted to test and evaluate the robustness of an already trained model, particularly one whose internal classifier parameters are unknown.
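The query-only inference described above, as an added worked example that is not part of the SBIR topic text and not code from Stratosphere or from the cited papers: a toy target classifier is trained on constructed data, and an attacker who can only call the target's prediction interface calibrates a confidence threshold on shadow models trained from its own data (the single-threshold simplification of the shadow-model attack in [1]; the full attack trains a classifier on the confidence vectors), then tells training-set members from non-members. The model type (logistic regression), the feature layout (32 binary features standing in for per-flow attributes), the data set sizes, the random labels and the seed are all assumptions chosen so that the example runs offline in pure Python:

```python
"""Toy black-box membership inference against an overfit binary classifier.
Added illustration, not code from the SBIR topic, Stratosphere or Shokri et al.
Target: logistic regression fitted by gradient descent on constructed data
(32 +/-1 features, random labels) so it can only memorise. The attacker sees
only predict_proba(), owns same-distribution data, trains shadow models and
learns one confidence threshold separating shadow members from non-members
(a single-threshold simplification of the shadow-model attack)."""
import math
import random

DIM = 32        # binary features per record (assumed layout)
N_TRAIN = 16    # records per training set; small, so the model memorises
STEPS = 2500    # full-batch gradient descent steps
LR = 0.5        # step size; stable here because features are +/-1 and n < DIM


def make_records(rng, n):
    """Constructed sample data: (features, label) with features in
    {-1, +1}^DIM and an independent random label in {0, 1}."""
    return [([rng.choice((-1, 1)) for _ in range(DIM)], rng.randint(0, 1))
            for _ in range(n)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(records):
    """Fit (w, b) by full-batch gradient descent on mean cross-entropy."""
    w = [0.0] * DIM
    b = 0.0
    n = len(records)
    for _ in range(STEPS):
        gw = [0.0] * DIM
        gb = 0.0
        for x, y in records:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(DIM):
                gw[j] += err * x[j]
            gb += err
        w = [wi - LR * gi / n for wi, gi in zip(w, gw)]
        b -= LR * gb / n
    return w, b


def predict_proba(model, x):
    """The only query interface the attacker has: P(label = 1 | x)."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def true_label_confidence(model, x, y):
    """Confidence the model assigns to the record's actual label."""
    p = predict_proba(model, x)
    return p if y == 1 else 1.0 - p


def mean_confidence(model, records):
    return sum(true_label_confidence(model, x, y) for x, y in records) / len(records)


def learn_threshold(rng, n_shadow=2):
    """Attacker side: train shadow models on attacker-owned data and put the
    threshold midway between shadow-member and shadow-non-member mean
    confidence. Returns (threshold, member_mean, nonmember_mean)."""
    in_conf, out_conf = [], []
    for _ in range(n_shadow):
        shadow_train = make_records(rng, N_TRAIN)
        shadow_holdout = make_records(rng, N_TRAIN)
        shadow = train_logreg(shadow_train)
        in_conf.append(mean_confidence(shadow, shadow_train))
        out_conf.append(mean_confidence(shadow, shadow_holdout))
    m_in = sum(in_conf) / n_shadow
    m_out = sum(out_conf) / n_shadow
    return (m_in + m_out) / 2.0, m_in, m_out


def attack_accuracy(target, threshold, members, nonmembers):
    """Query the target on records whose labels are known and guess 'member'
    whenever the true-label confidence reaches the threshold."""
    correct = 0
    for x, y in members:
        correct += int(true_label_confidence(target, x, y) >= threshold)
    for x, y in nonmembers:
        correct += int(true_label_confidence(target, x, y) < threshold)
    return correct / (len(members) + len(nonmembers))


def run_experiment(seed=7):
    """Victim trains the target; attacker calibrates on shadows, then attacks."""
    rng = random.Random(seed)
    train = make_records(rng, N_TRAIN)
    holdout = make_records(rng, N_TRAIN)
    target = train_logreg(train)
    threshold, _, _ = learn_threshold(rng)
    return {
        "member_conf": mean_confidence(target, train),
        "nonmember_conf": mean_confidence(target, holdout),
        "threshold": threshold,
        "attack_accuracy": attack_accuracy(target, threshold, train, holdout),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:16s} {value:.3f}")
```

The attacker never reads the target's weights; everything it learns comes from predict_proba() on inputs it chose, which is the situation the topic describes. Against a real IPS/IDS the same loop would be driven by crafted flows and the system's reported verdicts, and the two things that shrink the gap the attack relies on are a model that does not overfit its training traffic and an interface that returns a bare alert rather than a score.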

PHASE I: Evaluation of various machine learning based network security solutions and their implementations; an example is the open source project Stratosphere [3]. Evaluation of machine learning concepts, methods, and existing research applicable to this attack surface will aid in the eventual goal: an implementation of machine learning system concept(s) against a given IPS/IDS system, demonstrating manipulation of data inputs to generate specific responses from the classification system.

PHASE II: Verification and validation of the machine learning technique against additional IPS/IDS systems and surrogates. Enhancement of the technique for real-time traffic manipulation, allowing an IPS/IDS to be triggered dynamically in a specific manner. Demonstration of the technique's effectiveness from both inside and outside a protected network.

PHASE III: Extension of the technique beyond network security. Potential commercialization options include, but are not limited to:
- using the technique to validate the robustness of machine learning algorithms against inference attacks
- applying the technique to keyword manipulation, to guard against advanced tracking mechanisms and enhance security and privacy [4]
- masking “honeypot” networks by manipulating their traffic so that they appear already compromised
- using the technique to validate other classifiers' ability to handle malicious or targeted junk data

Military transition paths for network security applications of this concept include Product Manager elements and product lines within PEO IEW&S, PM EW&C. Elements of this SBIR would directly feed into established, planned, and already transitioned I2WD mission funded efforts relating to Cyber security, awareness, and understanding. Aspects of Phase III deliverables will support situational understanding and modeling of Cyber assets and defensive techniques. It is expected that, if successful, this SBIR will transition directly to elements within PM EW&C, as part of long-term and ongoing product line support.

Commercially, a successful implementation of this SBIR in Phase III would aid in heightened Cyber defensive and penetration testing techniques, providing Internet Service Providers (ISPs), cloud-based architecture providers, and other Cyber security research organizations with a robust validation method. Specific transition partners, operational use cases, and military applications are classified. Generic descriptions and high-level transition paths are provided to give as much unclassified clarification as possible.


1: R. Shokri, et al. "Membership Inference Attacks Against Machine Learning Models". 38th IEEE Symposium on Security and Privacy. 2017.

2: N. Carlini, D. Wagner. "Towards Evaluating the Robustness of Neural Networks". 38th IEEE Symposium on Security and Privacy. 2017.

3: Stratosphere IPS Project. Accessed June 7, 2017. [Online]

4: H. Yang, et al. "How to Learn Klingon Without Dictionary: Detection and Measurement of Black Keywords Used by Underground Economy". 38th IEEE Symposium on Security and Privacy. 2017.

5: R. Sommer, V. Paxson. "Outside the Closed World: On Using Machine Learning for Network Intrusion Detection". 31st IEEE Symposium on Security and Privacy. 2010.

6: S. Mukkamala, et al. "Intrusion Detection Using Neural Networks and Support Vector Machines". Proceedings of the 2002 International Joint Conference on Neural Networks. 2002.

7: W. Lee, S. Stolfo. "Data Mining Approaches for Intrusion Detection". 7th USENIX Security Symposium. 1998.

8: C. Tsai, et al. "Intrusion Detection by Machine Learning: A Review". Expert Systems with Applications. Vol. 36, Iss. 10. pp. 11994-12000. December 2009.

9: D. Tsai, et al. "A Hybrid Intelligent Intrusion Detection System to Recognize Novel Attacks". IEEE 37th Annual 2003 International Carnahan Conference on Security Technology. 2003.

KEYWORDS: Machine Learning, Cyber, Network Security, Intrusion Prevention System, IPS, Intrusion Detection System, IDS, Neural Networks, Behavioral Modeling 


Mr. Stephen Raio 

(443) 861-0571 

Metin Ahiskali 

(443) 861-0549 
