SlideShare a Scribd company logo

Vulnerabilities of machine learning infrastructure

Download as PPTX, PDF
S
Sergey Gordeychik

The boom of artificial intelligence brought to the market a set of impressive solutions both on hardware and software sides. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns. The speaker will present results of hands-on vulnerability research of different components of AI infrastructure, including NVIDIA DGX GPU servers, ML frameworks, such as PyTorch, Keras, and TensorFlow, data processing pipelines and specific applications, including medical imaging and face recognition–powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.

Software
1 of 104
1 Vulnerabilities of Machine Learning Infrastructure Sergey Gordeychik serg.gordey@gmail.com http://scada.sl @scadasl
Sergey Gordeychik  AI and Cybersecurity Executive • Abu Dhabi, UAE  Visiting Professor, Cyber Security • Harbour.Space University, Barcelona, Spain  Bandleader, www.GradeZero.band  Cyber-physical troublemaker • SCADA Strangelove, HackingOdyssey • www.scada.sl, @scadasl  Ex… • Deputy CTO, Kaspersky Lab • CTO, Positive Technologies • Gartner recognized products and services  Program Chair, PHDays Conference • www.phdays.com, Moscow 2
Disclaimer Please note, that this talk is by Sergey and Hacking Odyssey group. We don't speak for our employers. All the opinions and information here are of our responsibility. So, mistakes and bad jokes are all OUR responsibilities. 3https://github.com/sdnewhophttps://scada.sl/ Hacking Odyssey Group Sergey Gordeychik Anton Nikolaev Denis Kolegov Maria Nedyak Roman Palkin Hacking Odyssey Projects Grinder Framewrok AISec DICOM Sec SD-WAN New Hop
4
5 PWN? Adversarial example anyone?
6 Adversarial example?
7
8
9
10
11 Hacking as usual… https://slideplayer.com/slide/4378533/
12 Spherical AI traveling in a vacuum?
13 What is Cyber? What is Cybersecurity?
14 Cybersecurity goals? HOLY CIA TRINITY
15 OT/ICS/SCADA Security?! SCADA Security Basics: Integrity Trumps Availability, ISA/IEC 62443-2-1 standards (formerly ISA-99) https://www.tofinosecurity.com/blog/scada-security-basics-integrity-trumps-availability Marina Krotofil, Damn Vulnerable Chemical Process https://fahrplan.events.ccc.de/congress/2014/Fahrplan/system/attachments/2560/original/31CC_ 2014_Krotofil.pdf
16 Machine Learning and AI? AI security
17 Upside down? https://giphy.com/explore/upside-down
18 https://giphy.com/gifs/movie-trailer-minions-yoJC2k4dPDRSInYfjq
19 James Mickens, Harvard University, USENIX Security '18-Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? https://www.youtube.com/watch?v=ajGX7odA87k
20 Mission-centric Cybersecurity Gapanovich, Rozenberg, Gordeychik, Signalling cyber security: the need for a mission-centric approach https://www.railjournal.com/in_depth/signalling-cyber-security-the-need-for-a-mission-centric-approach a process that ensures control object operation with no dangerous failures or damage, but with a set economic efficiency and reliability under adversarial anthropogenic information influence
21 But what about?... dangerous failures? economic efficiency? reliability level?
22
23 But what about?... dangerous failures? economic efficiency? reliability level? Build the Threat Model First!
24 AI Threat Model Li, K. (n.d.). Reverse Engineering AI Models.
25 But what about?... Cloud AUC/ROC Privacy IP protection Federative learning Insane androids?… 25 AI security
26 NCC Group, Building safer machine learning https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/building-safer-machine-learning-systems-a-threat-model/
27 What is AI Infrastructure?
28 You should scan all these Internets for AI
29 Grinder Framework github.com/sdnewhop/grinder
AIFinger Project The goals of the project is to provide tools and results of passive and active fingerprinting of Machine Learning Frameworks and Applications using a common Threat Intelligence approach and to answer the following questions:  How to detect ML backend systems on the Internet and Enterprise network?  Are ML apps secure at Internet scale?  What is ML apps security level in a general sense at the present time?  How long does it take to patch vulnerabilities, apply security updates to the ML backend systems deployed on the Internet? sdnewhop.github.io/AISec/ github.com/sdnewhop/AISec Contributors: ● Sergey Gordeychik ● Anton Nikolaev ● Denis Kolegov ● Maria Nedyak
AIFinger Project Coverage  Frameworks ○ TensorFlow ○ NVIDIA DIGITS ○ Caffe ○ TensorBoard ○ Tensorflow.js ○ brain.js ○ Predict.js ○ ml5.js ○ Keras.js ○ Figue.js ○ Natural.js ○ neataptic.js ○ ml.js ○ Clusterfck.js ○ Neuro.js ○ Deeplearn.js ○ Convnet.js ○ Synaptic.js ○ Apache mxnet  Databases with ML Content ○ Elasticsearch with ML data ○ MongoDB with ML data ○ Docker API with ML data  Databases ○ Elasticsearch ○ Kibana (Elasticsearch Visualization Plugin) ○ Gitlab ○ Samba ○ Rsync ○ Riak ○ Redis ○ Redmon (Redis Web UI) ○ Cassandra ○ Memcached ○ MongoDB ○ PostgreSQL ○ MySQL ○ Docker API ○ CouchDB  Job and Message Queues ○ Alibaba Group Holding AI Inference ○ Apache Kafka Consumer Offset Monitor ○ Apache Kafka Manager ○ Apache Kafka Message Broker ○ RabbitMQ Message Broker ○ Celery Distributed Task Queue ○ Gearman Job Queue Monitor  Interactive Voice Response (IVR) ○ ResponsiveVoice.JS ○ Inference Solutions  Speech Recognition ○ Speech.js ○ dictate.js ○ p5.speech.js ○ artyom.js ○ SpeechKITT ○ annyang Measuring Artificial Intelligence and Machine Learning Implementation Security on the Internet https://www.researchgate.net/publication/337771481_Measuring_Artificial_Intelligence_and_Machine_Learning_Implementation_Security_on_the_Internet
32 Results (April 2020) http://www.scada.sl/2020/04/ai-internet-census-april-2020.html
33 Databases
34 Dockers
35 NVIDIA DIGITS  Training logs  Datasets  Model design
36 Tensorboard  …  Everything  + vulns The TensorFlow server is meant for internal communication only. It is not built for use in an untrusted network. Totally more than 120 results
Kubeflow
June 2020 https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a- security-risk/ Large scale campaign against Kubernetes and Kuberflow clusters that abused exposed Kubernetes dashboards for deploying cryptocurrency miner observed deployment of a suspect image from a public repository on many different clusters. The image is ddsfdfsaadfs/dfsdf:99. By inspecting the image’s layers, we can see that this image runs an XMRIG miner:
39 To find a ML Server in the Internet?
40 GPGPU?
41 Crypto currency on GPGPU in 2019? https://www.zoomeye.org/searchResult?q=%2Bport%3A%225555%22%20%2Bservice%3A%22http%22%20NVIDIA
42 DGX-1  8 Tesla V100-32GB  TFLOPS (deep learning) 1000  CUDA Cores 40,960  Tensor Cores 5,120  $130,000  Good hashcat rate :) NetNTLMv2: 28912.2 MH/s MD5: 450.0 GH/s SHA-256: 59971.8 MH/s MS Office 2013: 163.5 kH/s bcrypt $2*$, Blowfish (Unix): 434.2 kH/s https://hashcat.net/forum/thread-6972.html
43 Other things?
44 SNMPWALK
45 Ok, let’s scan! Nmap scan report for X.X.X.X Host is up (0.010s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0) 80/tcp open http lighttpd 427/tcp open svrloc? 443/tcp open ssl/http lighttpd 623/udp open ipmi 554/tcp filtered rtsp 1723/tcp filtered pptp 5120/tcp open barracuda-bbs? 5988/tcp open wbem-http? 5989/tcp open ssl/wbem-https?
46 CVE-2013-4786 - 2019
47 Use c0mp13x passwords!
48 I have only one question! http://www.demotivation.us/i-have-only-one-question-1267735.html Why it still enabled by default in 2020? What do you need a helmet for? How the complex password will help?!!
49 Strange certificate Issued by Quanta Computers Inc? 128 bytes (1024) RSA key?.. Issued 17 of April 2017… Same serial over the Internet!!!
51 Find and decode firmware Google for Quanta Computers BMC firmware binwalk 7-zip Voilà
52 Grep the cert and keys TLS services on BMC uses RSA 1024 with weak cyphers, default Diffie- Hellman primitives. The private/public keys are hardcoded in firmware and are the same for many instances of Quanta Computers BMC, including NVIDIA DGX-1. Public and private keys can be found unencrypted in Firmware. This allow passively decrypt network communications without MITM conditions.
53 Other greps? NetNTLMv2: 28912.2 MH/s MD5: 450.0 GH/s SHA-256: 59971.8 MH/s MS Office 2013: 163.5 kH/s bcrypt $2*$, Blowfish (Unix): 434.2 kH/s Can we use DGX to bruteforce DGX password hash?!
54 Or just ask Google?!
55 IPMI passwords /conf/BMC1/IPMIConfig.dat
56Looks like encryption
57 …and decryption BlowFish without IV is used as implemented in libblowfish.so.2.5.0 Hint:
58 Lesson learned • Please don’t use one way hashing with salt. Use plaintext or reversible encryption. • Password encryption key should be hardcoded and stored in same folder as a user database. • It is important to keep it like the product name. • Store it in several places across the filesystem for resilience.
59 Hardcoded RC4 Key in JViewer-SOC • JViewer-SOC (KVM and IPMI applet) use RC4 cipher with a hardcoded key for traffic encryption. • In the JViewer-SOC java applet com.ami.kvm.jviewer.soc.video package contains Decoder • class. • This class defines DecodeKeys constant which is equal to “fedcba9876543210”. • Constant is used to initialize RC4 key scheduling (expansion) algorithm. This allows an attacker to bypass security features, decrypt traffic and extract sensitive information.
60 Insecure random number generator in RAKP/AES • JSOL.jar/com/ami/jsol/common/Util.java defines functions random4ByteArray and random16ByteArray. • The Random function from java.util.Random class is used. • These functions are used within RAKP crypto protocol implementation. • According to the specification of the RAKP it is based on Bellare-Rogaway protocols . • The issue is that the 1 protocols require random numbers in cryptographically sense. The same function is used to generate IV for AES encryption in the processEncryption function of IPMISession class.
61 CSRF is not an issue…. A vulnerability to Cross-Site Request Forgery (CSRF) attack was found in the Nvidia BMC Web Service. It allows an attacker to force an authenticated user to execute the API endpoints within the web application. There is a list of internal queries which require active session authentication and don’t require CSRF token. /rpc/ getsessiontoken .asp /rpc/ getrole.asp /rpc/ getadvisercfg.asp /rpc/ getvmediacfg.asp /rpc/ flash_browserclosed.asp /rpc/ getvideoinfo.asp /rpc/ getsessiontoken.asp /rpc/ getrole.asp /rpc/ downloadvideo.asp /rpc/ restarthttps.asp /rpc/ getvmediacfg.asp /rpc/ getadvisercfg.asp
62 Unrestricted SingImage key upload SingImage upload feature in DGX-1 BMC accept any correct RSA 1024 public key without any verification. This key is used to verify firmware signature. SignImage upload routine, implemented in libifc.so.2.42.0 WebValidateSignImageKey function accept any correct RSA 1024 public key without any verification of authenticity of the key and store it in the /conf/public.pem. CheckImageSign function implemented in libipmimsghndlr.so use public.pem to verify firmware signature.
63 Unrestricted File Upload through CSRF Web-server handler libmodhapi.so defines stripped function at 0x8BE0 address. This function is being called when an authorized user sends POST request to /page/file_upload.html . If a POST request is multipart/form-data this function checks for file argument and if its name doesn’t end with a ‘/’ symbol¨ looks up for a file path in the hardcoded fille-argument-name-to- file-path mapping. However if the argument name ends with ‘/’¨ file is being saved at the file system defined as file argument name filename. Thus it is possible to upload custom files and overwrite existing ones with user-defined absolute path. Example attack vector - overwrite ./shadow or ./passwd file in the “/conf/” folder to create/modify users and/or replace default shell to get remote root access via ssh. Vulnerability can be exploited via CSRF.
64 Attack
65 List of fixes AISec-NV-2019-01 - Hardcoded admin user (CVE-2020-11483) AISec-NV-2019-03 - SNMP with well-known community strings enabled by default (CVE-2020-11489) AISec-NV-2019-04 - Hardcoded RSA keys and self-signed certificate for TLS (CVE-2020-11487) AISec-NV-2019-10 - Insecure random number generator in RAKP/AES (CVE-2020-11616) AISec-NV-2019-11 - Hardcoded RC4 Key in JViewer-SOC (CVE-2020-11615) AISec-NV-2019-15 – Internal methods are vulnerable to CSRF attack (CVE-2020-11485) AISec-NV-2019-16 – Unrestricted File Upload through CSRF (CVE-2020-11486) AISec-NV-2019-17 – Hardcoded IMPI passwords encryption key (CVE-2020-11484) AISec-NV-2019-18 – Unrestricted SingImage key upload (CVE-2020-11488) Credits: Sergey Gordeychik, Maria Nedyak, Denis Kolegov, Roman Palkin
66 Other things?
67 Any bugs there? We don’t know yet
68 Disclosure timeline Tue, 3 Sep 2019, 16:42 – Initial submission Thu, 19 Sep 2019, 00:40– List of internet-faced DGXs collected by Grinder Sun, 22 Sep 2019, 23:05 – Ack and workaround discussion Sat, 5 Oct 2019, 19:50 – Remote root submission Tue 17 Dec 2019, 21:00 – Call with Alex Matrosov to discuss soooo responsible disclosure Feb 2020 – COVID 19 outbreak, cancellation of PHDays and OFFZONE April – Aug 2020 – GradeZero Rock’n’roll Tue, 25 Aug, 21:10 – Failed fix (QA issues) Now – Fixes, Initial disclosure @CodeBlue 2020 Kudos to Alex, Shawn, NVIDIA PSIRT
69 Supply chain is a pain Megarac SP (DGX-1) Quanta Computer Inc. IBM (BMC Advanced System Management) Lenovo (ThinkServer Management Module) Hewlett Packard Enterprise Megarac Mikrobits (Mikrotik) Megarac SP-X (DGX-2) Netapp ASRockRack IPMI ASUS ASMB9-iKVM DEPO Computers TYAN Motherboard Gigabyte IPMI Motherboards Gooxi BMC
70 Takeaways • Big Thing doesn’t mean good security • Good AI researches are bad cybersec pro • All vulnerabilities are important • Supply chain is a pain • Things are better with Grinder 
71 Infection of the AI models http://www.scada.sl/2019/11/malign-machine-learning-models-and-bad.html
More parameters -> Longer train
Pre-trained model workflow 1. Model interface (some wrapper, cli, etc.) .py / .sh / etc 2. Download the weights in some form 3. Run the model .pb / .h5 / .pth .json / .yml /.csv
Distribution •~ 2k repos on github •~ 100 repos on gitlab •~ 500 models on https://modelzoo.co/
Documentation Whole model Weights only PyTorch model (.pth)
Reality Whole model Weights only
Step 1. Find an existing model 78
Step 2. Infect it! Overwrite the magic number `Classic` Pickle payload Python code to execute on load Shell code to run on load 79
Python Pickle Injection  Pickle is a python package used to 'serialize' an object to string format and store them to or load from a file.  Pickle is a simple stack language, which means pickle has a variable stack. • Every time it finished 'deserializing' an object it stores it on the stack. • Every time it reaches a '.' while 'deserializing', it pop a variable from the stack.  Besides, pickle has a temporary memo, like a clipboard.  'p0', 'p1' means put the top obj on the stack to memo and refer it as '0' or '1'  'g0', 'g1' act as get obj '0' or '1'  Pickle has two packages: pickle and cPickle, they have some specific differences like different methods, but most of the case they act in the same way. http://xhyumiracle.com/python-pickle-injection/
Step 3. Upload it Link to our malicious file 81
•Just one command to run from anywhere! •torch.hub.load(“ChickenDuo/top”, “model”) 82
83
Cross-platform -> Another approach 84
Serialization Save d Mode l Grap h File (.pb) Variable s Asset s Constants and static Logi c
Custom serialization •Protobuf format (.pb) •~1300 operations (math, conditionals, statistics, etc.) •Only TWO of them were found dangerous •WriteFile (any text, any file) •ReadFile (any file) 18 Looks like Google is aware of them
Graph serialization Resul t Tens o r Some ops Payload > result? Resu lt Tens o r Some ops Payload ops Tru e Fals e
Code Read the existing graph and rename the “ending” tensor Execute func to determine which route to take (tensor or tensor) Write it all back
Wrapper Check if file exists Append our payload to a file
Wrapper Check if file exists Append our payload to a file
Keras model Serialization Save d Mode l Keras with h5 Weights onlyModel from config 92
Serialization with topology - Only Keras layers (Functional model) - … has a Lambda layer, which serialize custom python function with marshal (https://github.com/keras- team/keras/blob/master/k eras/layers/core.py#L566) - No warning on launching third-party models! © keras.io
Example 94
Timeo Danaos et dona ferentes https://github.com/pytorch/pytorch/issues/31875 `torch.load()` uses ``pickle`` module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source, or that could have been tampered with. **Only load data you trust**.
96 Hacking Medical Imaging http://www.scada.sl/2020/07/hacking-odyssey-at-hitblockdown002.html
https://www.nbcnews.com/now/video/controversial-tech-company-pitches-facial-recognition-to-track-covid-19-82638917537
Face recognition  170 000 cameras across the city  Face recognition system based on FindFace technology  The current face recognition system operates on the "black lists" (criminals, missed people)  The system does not compare all people caught in the camera with all residents of Moscow!
Let’s check it out! • Segmentation dons not works • Or works, but with poor accuracy • Questions • The presence of a biometric DB • The relevance of the biometric DB • Biometric attacks • Use of masks, etc. • False positive handling https://www.betafaceapi.com/
Biometric DB White List (anyone you can) • Upload photos via the app Blacklist (not allowed) • Register when a COVID is detected • Other citizens ??? Where to get? How to compare with the person?
Biometrics attacks  Presentation attack (liveness)  Morphing attack  Сv dazzle  Aging effect
Jan Krissler, “Ich sehe, also bin ich ... Du”  https://www.youtube.com/watch?v=VVxL9ymiyAU&t=1590
103 Small ad https://harbour.space/cyber-security/courses/cybersecurity-of-machine-learning-and-artificial-intelligence https://aftershock.news/?q=node/792241&full
104 What can we do? For Researchers AI Cybersecurity is Green Field From SDN to Model Privacy, from Secure SDL to Adversarial Robustness For Enterprises Don’t trust AI if adversarial “input” is possible AI IS NOT spherical model traveling in a vacuum! For Governments Centralize data and annotation Force vendors to follow security best practices from the beginning Detect and control AI-based abuses
Vulnerabilities of machine learning infrastructure

Recommended

Automated Vulnerability Testing Using Machine Learning and Metaheuristic Search
Automated Vulnerability Testing Using Machine Learning and Metaheuristic SearchAutomated Vulnerability Testing Using Machine Learning and Metaheuristic Search
Automated Vulnerability Testing Using Machine Learning and Metaheuristic SearchLionel Briand
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...CODE BLUE
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attackMohammad Reza Mousavinasr
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 

Recommended

Automated Vulnerability Testing Using Machine Learning and Metaheuristic Search
Automated Vulnerability Testing Using Machine Learning and Metaheuristic SearchAutomated Vulnerability Testing Using Machine Learning and Metaheuristic Search
Automated Vulnerability Testing Using Machine Learning and Metaheuristic SearchLionel Briand
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...CODE BLUE
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attackMohammad Reza Mousavinasr
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Introduction to Security Vulnerabilities
Introduction to Security VulnerabilitiesIntroduction to Security Vulnerabilities
Introduction to Security VulnerabilitiesvodQA
 
Crowdstrike .pptx
Crowdstrike .pptxCrowdstrike .pptx
Crowdstrike .pptxuthayakumar174828
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
unified threat management by Nisha Menon K
unified threat management by Nisha Menon K unified threat management by Nisha Menon K
unified threat management by Nisha Menon KNisha Menon K
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Botnets
BotnetsBotnets
BotnetsKavisha Miyan
 
Cyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKCyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKEyesOpen Association
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumerationleminhvuong
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attackstollen_fusion
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Banner grabbing
Banner grabbingBanner grabbing
Banner grabbingarizonainfotech
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Cyber security from military point of view
Cyber security from military point of viewCyber security from military point of view
Cyber security from military point of viewS.E. CTS CERT-GOV-MD
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 

More Related Content

What's hot

Introduction to Security Vulnerabilities
Introduction to Security VulnerabilitiesIntroduction to Security Vulnerabilities
Introduction to Security VulnerabilitiesvodQA
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
unified threat management by Nisha Menon K
unified threat management by Nisha Menon K unified threat management by Nisha Menon K
unified threat management by Nisha Menon KNisha Menon K
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Cyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKCyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKEyesOpen Association
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumerationleminhvuong
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Cyber security from military point of view
Cyber security from military point of viewCyber security from military point of view
Cyber security from military point of viewS.E. CTS CERT-GOV-MD
 

What's hot (20)

Introduction to Security Vulnerabilities
Introduction to Security VulnerabilitiesIntroduction to Security Vulnerabilities
Introduction to Security Vulnerabilities
 
Crowdstrike .pptx
Crowdstrike .pptxCrowdstrike .pptx
Crowdstrike .pptx
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
unified threat management by Nisha Menon K
unified threat management by Nisha Menon K unified threat management by Nisha Menon K
unified threat management by Nisha Menon K
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Botnets
BotnetsBotnets
Botnets
 
Cyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CKCyber attaques APT avec le framework MITRE ATT&CK
Cyber attaques APT avec le framework MITRE ATT&CK
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Module 4 Enumeration
Module 4 EnumerationModule 4 Enumeration
Module 4 Enumeration
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Banner grabbing
Banner grabbingBanner grabbing
Banner grabbing
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Cyber security from military point of view
Cyber security from military point of viewCyber security from military point of view
Cyber security from military point of view
 

Similar to Vulnerabilities of machine learning infrastructure

[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
A Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityA Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityGene Gotimer
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019Jamie Coleman
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Java on the GPU: Where are we now?
Java on the GPU: Where are we now?Java on the GPU: Where are we now?
Java on the GPU: Where are we now?Dmitry Alexandrov
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Mario-Leander Reimer
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 

Similar to Vulnerabilities of machine learning infrastructure (20)

[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
A Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityA Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes Security
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019Are you ready for cloud-native java JavaCro2019
Are you ready for cloud-native java JavaCro2019
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Java on the GPU: Where are we now?
Java on the GPU: Where are we now?Java on the GPU: Where are we now?
Java on the GPU: Where are we now?
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101Secure JEE Architecture and Programming 101
Secure JEE Architecture and Programming 101
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 

More from Sergey Gordeychik

MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSSergey Gordeychik
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsSergey Gordeychik
 
SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018Sergey Gordeychik
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentSergey Gordeychik
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Sergey Gordeychik
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousSergey Gordeychik
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsSergey Gordeychik
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Sergey Gordeychik
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSergey Gordeychik
 

More from Sergey Gordeychik (11)

MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELS
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
 

Recently uploaded

Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 

Recently uploaded (20)

Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 

Vulnerabilities of machine learning infrastructure

  • 1. 1 Vulnerabilities of Machine Learning Infrastructure Sergey Gordeychik serg.gordey@gmail.com http://scada.sl @scadasl
  • 2. Sergey Gordeychik  AI and Cybersecurity Executive • Abu Dhabi, UAE  Visiting Professor, Cyber Security • Harbour.Space University, Barcelona, Spain  Bandleader, www.GradeZero.band  Cyber-physical troublemaker • SCADA Strangelove, HackingOdyssey • www.scada.sl, @scadasl  Ex… • Deputy CTO, Kaspersky Lab • CTO, Positive Technologies • Gartner recognized products and services  Program Chair, PHDays Conference • www.phdays.com, Moscow 2
  • 3. Disclaimer Please note, that this talk is by Sergey and Hacking Odyssey group. We don't speak for our employers. All the opinions and information here are of our responsibility. So, mistakes and bad jokes are all OUR responsibilities. 3https://github.com/sdnewhophttps://scada.sl/ Hacking Odyssey Group Sergey Gordeychik Anton Nikolaev Denis Kolegov Maria Nedyak Roman Palkin Hacking Odyssey Projects Grinder Framewrok AISec DICOM Sec SD-WAN New Hop
  • 4. 4
  • 7. 7
  • 8. 8
  • 9. 9
  • 10. 10
  • 13. 13 What is Cyber? What is Cybersecurity?
  • 15. 15 OT/ICS/SCADA Security?! SCADA Security Basics: Integrity Trumps Availability, ISA/IEC 62443-2-1 standards (formerly ISA-99) https://www.tofinosecurity.com/blog/scada-security-basics-integrity-trumps-availability Marina Krotofil, Damn Vulnerable Chemical Process https://fahrplan.events.ccc.de/congress/2014/Fahrplan/system/attachments/2560/original/31CC_ 2014_Krotofil.pdf
  • 16. 16 Machine Learning and AI? AI security
  • 19. 19 James Mickens, Harvard University, USENIX Security '18-Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? https://www.youtube.com/watch?v=ajGX7odA87k
  • 20. 20 Mission-centric Cybersecurity Gapanovich, Rozenberg, Gordeychik, Signalling cyber security: the need for a mission-centric approach https://www.railjournal.com/in_depth/signalling-cyber-security-the-need-for-a-mission-centric-approach a process that ensures control object operation with no dangerous failures or damage, but with a set economic efficiency and reliability under adversarial anthropogenic information influence
  • 21. 21 But what about?... dangerous failures? economic efficiency? reliability level?
  • 22. 22
  • 23. 23 But what about?... dangerous failures? economic efficiency? reliability level? Build the Threat Model First!
  • 24. 24 AI Threat Model Li, K. (n.d.). Reverse Engineering AI Models.
  • 25. 25 But what about?... Cloud AUC/ROC Privacy IP protection Federative learning Insane androids?… 25 AI security
  • 26. 26 NCC Group, Building safer machine learning https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/building-safer-machine-learning-systems-a-threat-model/
  • 30. AIFinger Project The goals of the project is to provide tools and results of passive and active fingerprinting of Machine Learning Frameworks and Applications using a common Threat Intelligence approach and to answer the following questions:  How to detect ML backend systems on the Internet and Enterprise network?  Are ML apps secure at Internet scale?  What is ML apps security level in a general sense at the present time?  How long does it take to patch vulnerabilities, apply security updates to the ML backend systems deployed on the Internet? sdnewhop.github.io/AISec/ github.com/sdnewhop/AISec Contributors: ● Sergey Gordeychik ● Anton Nikolaev ● Denis Kolegov ● Maria Nedyak
  • 31. AIFinger Project Coverage  Frameworks ○ TensorFlow ○ NVIDIA DIGITS ○ Caffe ○ TensorBoard ○ Tensorflow.js ○ brain.js ○ Predict.js ○ ml5.js ○ Keras.js ○ Figue.js ○ Natural.js ○ neataptic.js ○ ml.js ○ Clusterfck.js ○ Neuro.js ○ Deeplearn.js ○ Convnet.js ○ Synaptic.js ○ Apache mxnet  Databases with ML Content ○ Elasticsearch with ML data ○ MongoDB with ML data ○ Docker API with ML data  Databases ○ Elasticsearch ○ Kibana (Elasticsearch Visualization Plugin) ○ Gitlab ○ Samba ○ Rsync ○ Riak ○ Redis ○ Redmon (Redis Web UI) ○ Cassandra ○ Memcached ○ MongoDB ○ PostgreSQL ○ MySQL ○ Docker API ○ CouchDB  Job and Message Queues ○ Alibaba Group Holding AI Inference ○ Apache Kafka Consumer Offset Monitor ○ Apache Kafka Manager ○ Apache Kafka Message Broker ○ RabbitMQ Message Broker ○ Celery Distributed Task Queue ○ Gearman Job Queue Monitor  Interactive Voice Response (IVR) ○ ResponsiveVoice.JS ○ Inference Solutions  Speech Recognition ○ Speech.js ○ dictate.js ○ p5.speech.js ○ artyom.js ○ SpeechKITT ○ annyang Measuring Artificial Intelligence and Machine Learning Implementation Security on the Internet https://www.researchgate.net/publication/337771481_Measuring_Artificial_Intelligence_and_Machine_Learning_Implementation_Security_on_the_Internet
  • 35. 35 NVIDIA DIGITS  Training logs  Datasets  Model design
  • 36. 36 Tensorboard  …  Everything  + vulns The TensorFlow server is meant for internal communication only. It is not built for use in an untrusted network. Totally more than 120 results
  • 38. June 2020 https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a- security-risk/ Large scale campaign against Kubernetes and Kuberflow clusters that abused exposed Kubernetes dashboards for deploying cryptocurrency miner observed deployment of a suspect image from a public repository on many different clusters. The image is ddsfdfsaadfs/dfsdf:99. By inspecting the image’s layers, we can see that this image runs an XMRIG miner:
  • 39. 39 To find a ML Server in the Internet?
  • 41. 41 Crypto currency on GPGPU in 2019? https://www.zoomeye.org/searchResult?q=%2Bport%3A%225555%22%20%2Bservice%3A%22http%22%20NVIDIA
  • 42. 42 DGX-1  8 Tesla V100-32GB  TFLOPS (deep learning) 1000  CUDA Cores 40,960  Tensor Cores 5,120  $130,000  Good hashcat rate :) NetNTLMv2: 28912.2 MH/s MD5: 450.0 GH/s SHA-256: 59971.8 MH/s MS Office 2013: 163.5 kH/s bcrypt $2*$, Blowfish (Unix): 434.2 kH/s https://hashcat.net/forum/thread-6972.html
  • 45. 45 Ok, let’s scan! Nmap scan report for X.X.X.X Host is up (0.010s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0) 80/tcp open http lighttpd 427/tcp open svrloc? 443/tcp open ssl/http lighttpd 623/udp open ipmi 554/tcp filtered rtsp 1723/tcp filtered pptp 5120/tcp open barracuda-bbs? 5988/tcp open wbem-http? 5989/tcp open ssl/wbem-https?
  • 48. 48 I have only one question! http://www.demotivation.us/i-have-only-one-question-1267735.html Why it still enabled by default in 2020? What do you need a helmet for? How the complex password will help?!!
  • 49. 49 Strange certificate Issued by Quanta Computers Inc? 128 bytes (1024) RSA key?.. Issued 17 of April 2017… Same serial over the Internet!!!
  • 50. 51 Find and decode firmware Google for Quanta Computers BMC firmware binwalk 7-zip Voilà
  • 51. 52 Grep the cert and keys TLS services on BMC uses RSA 1024 with weak cyphers, default Diffie- Hellman primitives. The private/public keys are hardcoded in firmware and are the same for many instances of Quanta Computers BMC, including NVIDIA DGX-1. Public and private keys can be found unencrypted in Firmware. This allow passively decrypt network communications without MITM conditions.
  • 52. 53 Other greps? NetNTLMv2: 28912.2 MH/s MD5: 450.0 GH/s SHA-256: 59971.8 MH/s MS Office 2013: 163.5 kH/s bcrypt $2*$, Blowfish (Unix): 434.2 kH/s Can we use DGX to bruteforce DGX password hash?!
  • 53. 54 Or just ask Google?!
  • 56. 57 …and decryption BlowFish without IV is used as implemented in libblowfish.so.2.5.0 Hint:
  • 57. 58 Lesson learned • Please don’t use one way hashing with salt. Use plaintext or reversible encryption. • Password encryption key should be hardcoded and stored in same folder as a user database. • It is important to keep it like the product name. • Store it in several places across the filesystem for resilience.
  • 58. 59 Hardcoded RC4 Key in JViewer-SOC • JViewer-SOC (KVM and IPMI applet) use RC4 cipher with a hardcoded key for traffic encryption. • In the JViewer-SOC java applet com.ami.kvm.jviewer.soc.video package contains Decoder • class. • This class defines DecodeKeys constant which is equal to “fedcba9876543210”. • Constant is used to initialize RC4 key scheduling (expansion) algorithm. This allows an attacker to bypass security features, decrypt traffic and extract sensitive information.
  • 59. 60 Insecure random number generator in RAKP/AES • JSOL.jar/com/ami/jsol/common/Util.java defines functions random4ByteArray and random16ByteArray. • The Random function from java.util.Random class is used. • These functions are used within RAKP crypto protocol implementation. • According to the specification of the RAKP it is based on Bellare-Rogaway protocols . • The issue is that the 1 protocols require random numbers in cryptographically sense. The same function is used to generate IV for AES encryption in the processEncryption function of IPMISession class.
  • 60. 61 CSRF is not an issue…. A vulnerability to Cross-Site Request Forgery (CSRF) attack was found in the Nvidia BMC Web Service. It allows an attacker to force an authenticated user to execute the API endpoints within the web application. There is a list of internal queries which require active session authentication and don’t require CSRF token. /rpc/ getsessiontoken .asp /rpc/ getrole.asp /rpc/ getadvisercfg.asp /rpc/ getvmediacfg.asp /rpc/ flash_browserclosed.asp /rpc/ getvideoinfo.asp /rpc/ getsessiontoken.asp /rpc/ getrole.asp /rpc/ downloadvideo.asp /rpc/ restarthttps.asp /rpc/ getvmediacfg.asp /rpc/ getadvisercfg.asp
  • 61. 62 Unrestricted SingImage key upload SingImage upload feature in DGX-1 BMC accept any correct RSA 1024 public key without any verification. This key is used to verify firmware signature. SignImage upload routine, implemented in libifc.so.2.42.0 WebValidateSignImageKey function accept any correct RSA 1024 public key without any verification of authenticity of the key and store it in the /conf/public.pem. CheckImageSign function implemented in libipmimsghndlr.so use public.pem to verify firmware signature.
  • 62. 63 Unrestricted File Upload through CSRF Web-server handler libmodhapi.so defines stripped function at 0x8BE0 address. This function is being called when an authorized user sends POST request to /page/file_upload.html . If a POST request is multipart/form-data this function checks for file argument and if its name doesn’t end with a ‘/’ symbol¨ looks up for a file path in the hardcoded fille-argument-name-to- file-path mapping. However if the argument name ends with ‘/’¨ file is being saved at the file system defined as file argument name filename. Thus it is possible to upload custom files and overwrite existing ones with user-defined absolute path. Example attack vector - overwrite ./shadow or ./passwd file in the “/conf/” folder to create/modify users and/or replace default shell to get remote root access via ssh. Vulnerability can be exploited via CSRF.
  • 64. 65 List of fixes AISec-NV-2019-01 - Hardcoded admin user (CVE-2020-11483) AISec-NV-2019-03 - SNMP with well-known community strings enabled by default (CVE-2020-11489) AISec-NV-2019-04 - Hardcoded RSA keys and self-signed certificate for TLS (CVE-2020-11487) AISec-NV-2019-10 - Insecure random number generator in RAKP/AES (CVE-2020-11616) AISec-NV-2019-11 - Hardcoded RC4 Key in JViewer-SOC (CVE-2020-11615) AISec-NV-2019-15 – Internal methods are vulnerable to CSRF attack (CVE-2020-11485) AISec-NV-2019-16 – Unrestricted File Upload through CSRF (CVE-2020-11486) AISec-NV-2019-17 – Hardcoded IMPI passwords encryption key (CVE-2020-11484) AISec-NV-2019-18 – Unrestricted SingImage key upload (CVE-2020-11488) Credits: Sergey Gordeychik, Maria Nedyak, Denis Kolegov, Roman Palkin
  • 66. 67 Any bugs there? We don’t know yet
  • 67. 68 Disclosure timeline Tue, 3 Sep 2019, 16:42 – Initial submission Thu, 19 Sep 2019, 00:40– List of internet-faced DGXs collected by Grinder Sun, 22 Sep 2019, 23:05 – Ack and workaround discussion Sat, 5 Oct 2019, 19:50 – Remote root submission Tue 17 Dec 2019, 21:00 – Call with Alex Matrosov to discuss soooo responsible disclosure Feb 2020 – COVID 19 outbreak, cancellation of PHDays and OFFZONE April – Aug 2020 – GradeZero Rock’n’roll Tue, 25 Aug, 21:10 – Failed fix (QA issues) Now – Fixes, Initial disclosure @CodeBlue 2020 Kudos to Alex, Shawn, NVIDIA PSIRT
  • 68. 69 Supply chain is a pain Megarac SP (DGX-1) Quanta Computer Inc. IBM (BMC Advanced System Management) Lenovo (ThinkServer Management Module) Hewlett Packard Enterprise Megarac Mikrobits (Mikrotik) Megarac SP-X (DGX-2) Netapp ASRockRack IPMI ASUS ASMB9-iKVM DEPO Computers TYAN Motherboard Gigabyte IPMI Motherboards Gooxi BMC
  • 69. 70 Takeaways • Big Thing doesn’t mean good security • Good AI researches are bad cybersec pro • All vulnerabilities are important • Supply chain is a pain • Things are better with Grinder 
  • 70. 71 Infection of the AI models http://www.scada.sl/2019/11/malign-machine-learning-models-and-bad.html
  • 71. More parameters -> Longer train
  • 72. Pre-trained model workflow 1. Model interface (some wrapper, cli, etc.) .py / .sh / etc 2. Download the weights in some form 3. Run the model .pb / .h5 / .pth .json / .yml /.csv
  • 73. Distribution •~ 2k repos on github •~ 100 repos on gitlab •~ 500 models on https://modelzoo.co/
  • 74.
  • 75. Documentation Whole model Weights only PyTorch model (.pth)
  • 77. Step 1. Find an existing model 78
  • 78. Step 2. Infect it! Overwrite the magic number `Classic` Pickle payload Python code to execute on load Shell code to run on load 79
  • 79. Python Pickle Injection  Pickle is a python package used to 'serialize' an object to string format and store them to or load from a file.  Pickle is a simple stack language, which means pickle has a variable stack. • Every time it finished 'deserializing' an object it stores it on the stack. • Every time it reaches a '.' while 'deserializing', it pop a variable from the stack.  Besides, pickle has a temporary memo, like a clipboard.  'p0', 'p1' means put the top obj on the stack to memo and refer it as '0' or '1'  'g0', 'g1' act as get obj '0' or '1'  Pickle has two packages: pickle and cPickle, they have some specific differences like different methods, but most of the case they act in the same way. http://xhyumiracle.com/python-pickle-injection/
  • 80. Step 3. Upload it Link to our malicious file 81
  • 81. •Just one command to run from anywhere! •torch.hub.load(“ChickenDuo/top”, “model”) 82
  • 82. 83
  • 85. Custom serialization •Protobuf format (.pb) •~1300 operations (math, conditionals, statistics, etc.) •Only TWO of them were found dangerous •WriteFile (any text, any file) •ReadFile (any file) 18 Looks like Google is aware of them
  • 87. Code Read the existing graph and rename the “ending” tensor Execute func to determine which route to take (tensor or tensor) Write it all back
  • 88. Wrapper Check if file exists Append our payload to a file
  • 89. Wrapper Check if file exists Append our payload to a file
  • 90.
  • 91. Keras model Serialization Save d Mode l Keras with h5 Weights onlyModel from config 92
  • 92. Serialization with topology - Only Keras layers (Functional model) - … has a Lambda layer, which serialize custom python function with marshal (https://github.com/keras- team/keras/blob/master/k eras/layers/core.py#L566) - No warning on launching third-party models! © keras.io
  • 94. Timeo Danaos et dona ferentes https://github.com/pytorch/pytorch/issues/31875 `torch.load()` uses ``pickle`` module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source, or that could have been tampered with. **Only load data you trust**.
  • 97. Face recognition  170 000 cameras across the city  Face recognition system based on FindFace technology  The current face recognition system operates on the "black lists" (criminals, missed people)  The system does not compare all people caught in the camera with all residents of Moscow!
  • 98. Let’s check it out! • Segmentation dons not works • Or works, but with poor accuracy • Questions • The presence of a biometric DB • The relevance of the biometric DB • Biometric attacks • Use of masks, etc. • False positive handling https://www.betafaceapi.com/
  • 99. Biometric DB White List (anyone you can) • Upload photos via the app Blacklist (not allowed) • Register when a COVID is detected • Other citizens ??? Where to get? How to compare with the person?
  • 100. Biometrics attacks  Presentation attack (liveness)  Morphing attack  Сv dazzle  Aging effect
  • 101. Jan Krissler, “Ich sehe, also bin ich ... Du”  https://www.youtube.com/watch?v=VVxL9ymiyAU&t=1590
  • 103. 104 What can we do? For Researchers AI Cybersecurity is Green Field From SDN to Model Privacy, from Secure SDL to Adversarial Robustness For Enterprises Don’t trust AI if adversarial “input” is possible AI IS NOT spherical model traveling in a vacuum! For Governments Centralize data and annotation Force vendors to follow security best practices from the beginning Detect and control AI-based abuses