Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Transcript

  • 1. Poisoning attacks against support vector machines
    Battista Biggio (1), Blaine Nelson (2), Pavel Laskov (2)
    (1) Pattern Recognition and Applications Group, Department of Electrical and Electronic Engineering (DIEE), University of Cagliari, Italy
    (2) Cognitive Systems Group, Wilhelm Schickard Institute for Computer Science, University of Tuebingen, Germany
  • 2. Machine learning in adversarial settings
    • Machine learning in computer security
      – spam filtering, network intrusion detection, malware detection, biometrics
    • Malicious adversaries aim to mislead the system
    [Figure: an IDS on a network, trained on traffic data (Tr), inspecting inbound and outbound traffic]
    June 28th, 2012, Poisoning attacks against SVMs, ICML 2012, B. Biggio
  • 3. Machine learning in adversarial settings (continued)
    Same bullets as slide 2, with the poisoning attack now drawn into the figure: the adversary tampers with the training data (Tr) that the IDS learns from.
  • 4. Poisoning attack against SVMs: problem setting
    • Goal. To maximize the classification error (a DoS attack) by injecting an attack point $x_c$ into the training set
    • Main assumption. Perfect knowledge / worst-case scenario
    [Figure: two panels of a toy two-class problem; classification error = 0.022, and 0.039 once the attack point $x_c$ is injected]
  • 5. Poisoning attack against SVMs: problem setting (continued)
    Same goal and assumption as slide 4; the right panel now shows the classification error as a function of the position of $x_c$ (left panel: classification error = 0.022).
  • 6. Our approach
    • To maximize the hinge loss on a validation set, where $f_{x_c}$ is the SVM trained with $x_c$ in its training set and $g_k(x_c) = y_k f_{x_c}(x_k) - 1$ (hinge loss $\max(0,-g)$; the slide plots it against $y f(x)$, with the kink at 1):
      $$\max_{x_c} L(x_c) = \sum_k \bigl(1 - y_k f_{x_c}(x_k)\bigr)_+ = \sum_k \bigl(-g_k(x_c)\bigr)_+$$
    • Gradient ascent: $x_c \leftarrow x_c + t\,\nabla L(x_c)$, with
      $$\nabla L(x_c) = -\sum_{k:\,g_k<0} \frac{dg_k}{dx_c}, \qquad \frac{dg_k}{dx_c} = \sum_j Q_{kj}\frac{d\alpha_j}{dx_c} + y_k\frac{db}{dx_c} + \alpha_c\frac{dQ_{kc}}{dx_c}, \qquad Q = yy^T \circ K$$
    • How does the SVM solution $(\alpha, b)$ change during a single update of $x_c$?
  • 7. A trick from incremental SVM
    • Assumption. No structural change occurs during a single update of $x_c$
      – Karush-Kuhn-Tucker conditions must hold before and after the update
    • With $g_i = y_i f(x_i) - 1$, the training points split into
      – S: margin vectors, $g_i = 0$, $0 < \alpha_i < C$
      – E: error vectors, $g_i < 0$, $\alpha_i = C$
      – R: reserve vectors, $g_i > 0$, $\alpha_i = 0$
    • No structural change means
      $$\frac{d\alpha_i}{dx_c} = 0 \ (i \in R \cup E), \qquad \frac{dg_i}{dx_c} = 0 \ (i \in S), \qquad h = \sum_j y_j \alpha_j = 0 \ \Rightarrow\ \frac{dh}{dx_c} = 0$$
    • which gives the linear system
      $$\begin{pmatrix} \dfrac{db}{dx_c} \\[4pt] \dfrac{d\alpha_s}{dx_c} \end{pmatrix} = -\begin{pmatrix} 0 & y_s^T \\ y_s & Q_{ss} \end{pmatrix}^{-1} \begin{pmatrix} 0 \\[4pt] \dfrac{dQ_{sc}}{dx_c} \end{pmatrix} \alpha_c$$
  • 8. Our approach
    • Substituting the solution of the linear system into the gradient (the sum over $j$ now runs over $S$ only):
      $$\frac{dg_k}{dx_c} = \sum_{j \in S} Q_{kj}\frac{d\alpha_j}{dx_c} + y_k\frac{db}{dx_c} + \alpha_c\frac{dQ_{kc}}{dx_c}$$
      $$\nabla L(x_c) = -\sum_{k:\,g_k<0} \frac{dg_k}{dx_c} = -\sum_{k:\,g_k<0} \Bigl( M_k \frac{dQ_{sc}}{dx_c} + \frac{dQ_{kc}}{dx_c} \Bigr)\alpha_c$$
      $$M_k = -\frac{1}{\zeta}\Bigl( Q_{ks}\bigl(\zeta Q_{ss}^{-1} - \upsilon\upsilon^T\bigr) + y_k \upsilon^T \Bigr), \qquad \zeta = y_s^T Q_{ss}^{-1} y_s, \qquad \upsilon = Q_{ss}^{-1} y_s$$
    • The gradient now only depends on the derivative of the kernel function!
  • 9. Poisoning attack algorithm: linear kernel
    • $\dfrac{dQ_{kc}}{dx_c} = y_k y_c \dfrac{d}{dx_c} K(x_k, x_c) = y_k y_c\, x_k$
    [Figure: the attack point moving from its initial position $x_c^{(0)}$ to $x_c$ along the gradient]
  • 10. Poisoning attack algorithm: RBF kernel
    • $\dfrac{dQ_{kc}}{dx_c} = y_k y_c\, K(x_k, x_c)\, \gamma\, (x_k - x_c)$ as written on the slide; for $K(x_k, x_c) = \exp(-\gamma\|x_k - x_c\|^2)$ the exact derivative is $2\gamma\, y_k y_c\, K(x_k, x_c)\,(x_k - x_c)$, so check which convention for $\gamma$ your kernel uses before reusing the formula
    [Figure: the attack point moving from its initial position $x_c^{(0)}$ to $x_c$ along the gradient]
  • 11. Experiments on the MNIST digit data: single-point attack
    • Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000
    [Figure: the attack digit at its initial position $x_c^{(0)}$ and after the gradient ascent, $x_c$]
  • 12. Experiments on the MNIST digit data: multiple-point attack
    • Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000
  • 13. Conclusions and future work
    • SVMs may be very vulnerable to poisoning (worst-case scenario)
    • What if we assume more realistic scenarios?
      – Effectiveness with surrogate data
    • How to improve robustness to poisoning?
    • Find us at the poster session (#12), 17:40, Informatics Forum (IF)
    Thanks for your attention!
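The derivation of slides 6 to 10, carried through in runnable code as an added example; this is not the authors' code, and the page does not include their implementation. It assumes the kernel convention $K(x,x') = \exp(-\gamma\|x-x'\|^2)$ (so the kernel derivative carries $2\gamma$), a simplified SMO solver standing in for the incremental SVM used on the slides, an attack point that stays an error vector ($\alpha_c = C$) as slide 7's linear system requires, and constructed Gaussian toy data. The function names (`smo`, `solve_fixed`, `attack_gradient`, `finite_difference`, `gradient_check`, `run_attack`), the step size `t` and the data are hypothetical choices of this example; $S$, $E$, $R$, $\zeta$, $\upsilon$ and $M_k$ are the slides' symbols.

```python
# Added example (not the authors' code): the poisoning gradient of slides 6-10 for an RBF SVM.
# Assumptions: K(x,x') = exp(-gamma ||x-x'||^2) (so dK/dx_c carries 2*gamma), a simplified SMO
# in place of the incremental SVM, and an attack point held as an error vector (alpha_c = C).
import random
import numpy as np

def rbf(A, B, gamma):  # Gram matrix between the rows of A and the rows of B
    return np.exp(-gamma * ((A[:, None, :] - B[None, :, :]) ** 2).sum(-1))

def smo(X, y, C, gamma, tol=1e-6, max_passes=50, max_updates=20000, seed=0):
    """Platt's simplified SMO; used only to discover the sets S, E, R of slide 7."""
    n, K, a, b, rng, passes, updates = len(y), rbf(X, X, gamma), np.zeros(len(y)), 0.0, random.Random(seed), 0, 0
    while passes < max_passes and updates < max_updates:
        changed = 0
        for i in range(n):
            Ei = (a * y) @ K[:, i] + b - y[i]
            if not ((y[i] * Ei < -tol and a[i] < C) or (y[i] * Ei > tol and a[i] > 0)):
                continue
            j = rng.choice([m for m in range(n) if m != i])
            Ej, ai, aj = (a * y) @ K[:, j] + b - y[j], a[i], a[j]
            L, H = (max(0.0, aj - ai), min(C, C + aj - ai)) if y[i] != y[j] else (max(0.0, ai + aj - C), min(C, ai + aj))
            eta = 2 * K[i, j] - K[i, i] - K[j, j]
            if L == H or eta >= 0:
                continue
            aj_new = float(np.clip(aj - y[j] * (Ei - Ej) / eta, L, H))
            if abs(aj_new - aj) < 1e-7:
                continue
            a[j], a[i] = aj_new, ai + y[i] * y[j] * (aj - aj_new)
            b1 = b - Ei - y[i] * (a[i] - ai) * K[i, i] - y[j] * (a[j] - aj) * K[i, j]
            b2 = b - Ej - y[i] * (a[i] - ai) * K[i, j] - y[j] * (a[j] - aj) * K[j, j]
            b = b1 if 0 < a[i] < C else b2 if 0 < a[j] < C else (b1 + b2) / 2
            changed, updates = changed + 1, updates + 1
        passes = 0 if changed else passes + 1
    return a, b

def structure(a, C, eps=1e-6):  # slide 7: S = margin vectors, E = error vectors (R = the rest)
    return np.where((a > eps) & (a < C - eps))[0], np.where(a >= C - eps)[0]

def solve_fixed(X, y, C, gamma, S, E):
    """Exact (alpha, b) for a fixed structure: the KKT equalities g_S = 0 and sum_j y_j alpha_j = 0."""
    Q, ys = np.outer(y, y) * rbf(X, X, gamma), y[S]
    a = np.zeros(len(y)); a[E] = C
    A = np.block([[Q[np.ix_(S, S)], ys[:, None]], [ys[None, :], np.zeros((1, 1))]])
    sol = np.linalg.solve(A, np.concatenate([1.0 - Q[S] @ a, [-(y @ a)]]))
    a[S] = sol[:-1]; return a, sol[-1]

def val_margins(Xtr, ytr, a, b, Xv, yv, gamma):  # g_k = y_k f(x_k) - 1 on the validation set (slide 6)
    return yv * ((a * ytr) @ rbf(Xtr, Xv, gamma) + b) - 1.0

def dQ_dxc(Xk, yk, xc, yc, gamma):  # slide 10: rows y_k y_c K(x_k, x_c) 2 gamma (x_k - x_c)
    Kkc = rbf(Xk, xc[None, :], gamma)[:, 0]
    return (yk * yc * Kkc * 2.0 * gamma)[:, None] * (Xk - xc)

def attack_gradient(Xtr, ytr, C, gamma, S, E, c, Xv, yv):
    """Slides 7-8: grad L(x_c) = -sum_{k: g_k<0} (M_k dQ_sc/dx_c + dQ_kc/dx_c) alpha_c."""
    a, b = solve_fixed(Xtr, ytr, C, gamma, S, E); g = val_margins(Xtr, ytr, a, b, Xv, yv, gamma)
    ys, xc, yc = ytr[S], Xtr[c], ytr[c]
    Qss_inv = np.linalg.inv(np.outer(ys, ys) * rbf(Xtr[S], Xtr[S], gamma))
    v, zeta = Qss_inv @ ys, ys @ (Qss_inv @ ys)          # upsilon and zeta of slide 8
    Qvs = np.outer(yv, ys) * rbf(Xv, Xtr[S], gamma)       # Q_ks for validation point k, margin vector s
    dQsc, dQvc = dQ_dxc(Xtr[S], ys, xc, yc, gamma), dQ_dxc(Xv, yv, xc, yc, gamma)
    grad = np.zeros(Xtr.shape[1])
    for k in np.where(g < 0)[0]:                          # only validation points with g_k < 0 contribute
        Mk = -(Qvs[k] @ (zeta * Qss_inv - np.outer(v, v)) + yv[k] * v) / zeta
        grad -= (Mk @ dQsc + dQvc[k]) * a[c]
    return grad, g

def finite_difference(Xtr, ytr, C, gamma, S, E, c, Xv, yv, h=1e-5):
    def loss(Xp):  # fixed-structure validation hinge loss after re-solving the KKT equalities
        a, b = solve_fixed(Xp, ytr, C, gamma, S, E)
        return np.maximum(0.0, -val_margins(Xp, ytr, a, b, Xv, yv, gamma)).sum()
    grad = np.zeros(Xtr.shape[1])
    for i in range(Xtr.shape[1]):                         # central differences in each coordinate of x_c
        Xp, Xm = Xtr.copy(), Xtr.copy(); Xp[c, i] += h; Xm[c, i] -= h
        grad[i] = (loss(Xp) - loss(Xm)) / (2 * h)
    return grad

def make_data(seed=0):  # constructed toy data: two Gaussian blobs, attack point = a -1 label planted in the +1 blob
    rng, pos, neg = np.random.default_rng(seed), np.array([2.0, 2.0]), np.array([-2.0, -2.0])
    Xtr = np.vstack([rng.normal(pos, 0.5, (8, 2)), rng.normal(neg, 0.5, (8, 2)), [[1.5, 1.5]]])
    Xv = np.vstack([rng.normal(pos, 0.5, (20, 2)), rng.normal(neg, 0.5, (20, 2))])
    return Xtr, np.array([1.0] * 8 + [-1.0] * 9), Xv, np.array([1.0] * 20 + [-1.0] * 20)

def gradient_check(S=(0, 1, 8, 9), C=1.0, gamma=0.5):  # max |analytic - finite difference| for a hand-picked S, E = {c}
    Xtr, ytr, Xv, yv = make_data(); c = len(ytr) - 1; S, E = np.array(S), np.array([c])
    ana, _ = attack_gradient(Xtr, ytr, C, gamma, S, E, c, Xv, yv)
    return float(np.abs(ana - finite_difference(Xtr, ytr, C, gamma, S, E, c, Xv, yv)).max())

def run_attack(steps=10, t=0.2, C=1.0, gamma=0.5):  # ascent on x_c with full retraining; returns the loss per step
    Xtr, ytr, Xv, yv = make_data()
    c, trace = len(ytr) - 1, []                            # the attack point is the last training row
    for _ in range(steps):
        S, E = structure(smo(Xtr, ytr, C, gamma)[0], C)
        if len(S) == 0 or c not in E: break                # slide 7's setting no longer holds; stop here
        grad, g = attack_gradient(Xtr, ytr, C, gamma, S, E, c, Xv, yv)
        trace.append(float(np.maximum(0.0, -g).sum()))
        Xtr[c] += t * grad / (np.linalg.norm(grad) + 1e-12)  # normalized ascent step (our choice)
    return trace

if __name__ == "__main__":
    print("validation hinge loss along the attack:", [round(v, 3) for v in run_attack()])
```

`gradient_check()` compares the analytic gradient with central differences of the loss obtained by re-solving the fixed-structure KKT system, so it isolates the matrix calculus of slides 7 and 8 from the solver; run it before trusting the formula with a different kernel or a different convention for $\gamma$. `run_attack()` retrains with SMO after every step and stops as soon as $x_c$ leaves $E$ or $S$ becomes empty, which is exactly where slide 7's no-structural-change assumption breaks down and a genuine incremental update of the support-vector sets would be needed.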