Combinatorial Boosting of Classifiers for Moving Target Defense Against Adversarial Evasion Attacks

2021 
Adversarial evasion attacks challenge the integrity of machine learning models by creating out-of-distribution samples that are consistently misclassified by these models. While a variety of detection and mitigation approaches have been proposed, they are typically defeated by designing even more sophisticated attacks. One of the most promising groups of such approaches is based on creating multiple diversified machine learning models and leveraging their ensemble properties for detection and mitigation of adversarial attacks in a dynamic "moving target" fashion. However, an efficient implementation of such approaches imposes a heavy computational cost for designing and enforcing diversity across multiple classifiers and then training a significant number of them. This paper proposes a scalable modification of the dynamic ensemble approach that provides (i) a combinatorial boosting of the number of diversified classifiers, which yields an exponentially expanded scope of reliable decisions for dynamic "moving target" defense, and (ii) robust methods for fusing the ensemble decisions of the resulting classifiers and their combinations, towards enhanced confidence in classification decisions in both benign and adversarial scenarios. Two versions of the approach were implemented and tested for machine learning models operating in two different modalities (network intrusion detection and color image classification). Both show a significant increase in resiliency against adversarial evasion attacks with moderate to low impact on the benign performance of the defended machine learning model. For the network modality, different versions of the approach improved the benign accuracy from 98% to 100% while raising the adversarial accuracy from 0% to 90%-95%; for the image modality, benign accuracy remained at the same level of 90% while the adversarial accuracy improved from 0% to about 85%.