Rising Stars 2020:

Yizheng Chen

Postdoctoral Researcher

Columbia University

PhD '17 Georgia Institute of Technology

Areas of Interest

  • Security


Certified Robustness Properties for Security Classifiers


Machine learning has shown impressive results in detecting malware, spam, phishing, and many types of online fraud. Though almost perfect accuracies are demonstrated in many research work, machine learning models are highly vulnerable to poisoning and evasion attacks. Such weaknesses severely limit the reliable application of machine learning in security-relevant applications. For example, even the PDF malware classifiers from major vendors such as Gmail can be trivially evaded by appending benign pages from a machine learning textbook to the malware.

I have proposed to train certifiable robustness properties for security classifiers against evasion attacks. If we can make the classifier robust against building block attacks, we can raise the bar for more sophisticated attacks to succeed. I used certifiable training technique to train PDF malware classifiers with robustness properties, by utilizing security domain knowledge about building block attack operations. To generate PDF malware variants, the attacker needs to preserve the syntax of the PDF file format, while mutating a seed malware guided by different classifier feedback and optimization algorithms. Thus, in the PDF tree structure, adversarial malware variants are different from the seed malware by a number of subtrees. I designed a new distance metric in the subtree distance, and used that to define certifiable robustness properties for PDF classifiers. Satisfying these properties can eliminate classes of attackers for a classifier, including unknown attackers. My models can achieve high verified robust accuracy for different robustness properties, while maintaining high accuracy and low false positive rate. My results showed that a robust model trained with only two building block robustness properties at subtree distance one can already substantially increase the robustness against unbounded attackers, who are not restricted by the robustness properties. In particular, compared to the baseline model, the state-of-the-art and new adaptive evolutionary attackers need up to 10 times more feature changes and 21 times more PDF manipulations to evade my robust model.


Yizheng Chen is a Postdoctoral Researcher at Columbia University. She received her Ph.D. degree in Computer Science from Georgia Institute of Technology. She is interested in designing and implementing secure machine learning systems, and applying machine learning to solve security problems.

Personal home page