SlideShare a Scribd company logo

DEF CON 27 - ARIEL ADVERSARIEL HERBERT VOSS - don't red team ai like a chump

Felipe Prado
Felipe Prado

DEF CON 27 - ARIEL ADVERSARIEL HERBERT VOSS - don't red team ai like a chump

Technology
1 of 40
Download to read offline
Don’t Red Team AI like a Chump Ariel Herbert-Voss @adversariel
Intro • Who am I? • What is this talk?
A story about hacking an AI system IRL + +
Key points in this talk (in case you zone out) • Focus on the threat model • Go for the jugular feature extraction process • Think about the data supply chain
What is an AI system? • AI is a class of algorithms that we use to extract actionable information from data • AI is not new and the hype is real • In this talk, AI == ML AI Machine learning Deep learning
What is an AI system?
What is an AI system? data
What is an AI system? data prediction
What is an AI system? data prediction
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters data poisoning
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters data poisoning
Adversarial examples adversarial example data point DOG FRIED CHICKEN (arbitrary) feature dimension 1 (arbitrary)featuredimension2 target data point [Biggio et al, 2018]
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters backdoored function
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters model inversion
Model inversion Image of Bill: *exists in training data set* Recovered image [Fredrikson et al, 2015]
Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters model theft
Model theft data target model stolen model original predictions similar predictions [Tramèr et al, 2016]
How to design an attack for an AI system 1. What model are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
Fooling AI-powered video surveillance • Common system components • Detection: on-premises algorithm that checks each still image to see if there is a face for it to forward to the recognition system • Recognition: off-site look-up of flagged images using a data base of known faces camera detection system recognition system
Fooling AI-powered video surveillance 1. What model are you attacking? YOLO v2 2. Where do the data come from? video frames 3. Where do the predictions go? stored as set of flagged frames
Fooling AI-powered video surveillance [Thys et al, 2019]
Fooling AI-powered video surveillance [Brown et al, 2017]
Fooling AI-powered video surveillance [Thys et al, 2019]
AI red teaming is out of whack • Red teaming AI is often conflated with the academic discipline of adversarial machine learning Cool ways to attack an AI model with math == adversarial ML Evaluate the security of an AI system == red teaming AI
Adversarial ML attack tree goal: make the object detector ignore person minimize specific class likelihood minimize “objectyness” likelihood minimize both Fooling AI-powered video surveillance
AI red team attack tree goal: make the object detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network play looping footage get access to facial detection AI software minimize specific class likelihood minimize "objectyness" likelihood minimize both Fooling AI-powered video surveillance
AI red team attack tree goal: make the object detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network play looping footage get access to facial detection AI software minimize specific class likelihood minimize "objectyness" likelihood minimize both Fooling AI-powered video surveillance
Adversarial ML attack tree goal: make self- driving car think a lane is not a lane generate adversarial example Breaking self-driving car lane detection
AI red team attack tree goal: make self- driving car think a lane is not a lane dump a salt line on the road put stickers on the road get physical access to car get access to lane detection system generate adversarial example Breaking self-driving car lane detection
Adversarial ML attack tree goal: make self- driving car think a lane is not a lane dump a salt line on the road put stickers on the road get physical access to car get access to lane detection system generate adversarial example Breaking self-driving car lane detection
How to design an attack for an AI system 1. What model are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
How to design an attack for an AI system 1. What model system are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
How to design an attack for an AI system 1. What system are you attacking? 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output?
How to design an attack for an AI system 1. What system are you attacking? 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output? 3. What is the threat model?
How to design an attack for an AI system 1. What system are you attacking? camera detection system recognition system
How to design an attack for an AI system 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output? feature extraction camera detection system recognition system decision making
How to design an attack for an AI system 3. What is the threat model? goal: make the face detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network DDoS the network play looping footage move camera get access to facial detection AI system get access to training procedure poison data set force backdoored function use scene statistics to generate adversarial example minimize specific class likelihood minimize "objectyness" likelihood minimize both
Tl;dw • Go for the jugular feature extraction process • Think about the data supply chain • Focus on the threat model
For more information (and math!) Feel free to reach out via Twitter (@adversariel) and/or grab a beer with me :) • Attacks: • Tencent Keen Security Lab, 2019 - https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Au topilot.pdf • [Biggio et al, 2018] - https://pralab.diee.unica.it/sites/default/files/biggio18-pr.pdf • [Fredrikson et al, 2015] - https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf • [Tramèr et al, 2016] - https://arxiv.org/pdf/1609.02943.pdf • [Thys et al, 2019] - https://arxiv.org/pdf/1904.08653.pdf • [Brown et al, 2017] - https://arxiv.org/pdf/1712.09665.pdf • Threat modeling: • Schneier, 1999 - https://www.schneier.com/academic/archives/1999/12/attack_trees.html

Recommended

AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity
AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurityAI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity
AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurityTasnim Alasali
 
AI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtAI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtNUS-ISS
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 
Blackbox Testing in AI Cybersecurity
Blackbox Testing in AI CybersecurityBlackbox Testing in AI Cybersecurity
Blackbox Testing in AI CybersecurityShauryaGupta38
 
AI cybersecurity
AI cybersecurityAI cybersecurity
AI cybersecurityShauryaGupta38
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdfTru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdfTrupti Shiralkar, CISSP
 
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python”
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python” Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python”
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python” Lviv Startup Club
 

Recommended

AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity
AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurityAI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity
AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurityTasnim Alasali
 
AI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtAI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtNUS-ISS
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 
Blackbox Testing in AI Cybersecurity
Blackbox Testing in AI CybersecurityBlackbox Testing in AI Cybersecurity
Blackbox Testing in AI CybersecurityShauryaGupta38
 
AI cybersecurity
AI cybersecurityAI cybersecurity
AI cybersecurityShauryaGupta38
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdfTru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdfTrupti Shiralkar, CISSP
 
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python”
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python” Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python”
Borys Rybak “Azure Machine Learning Studio & Azure Workbench & R + Python” Lviv Startup Club
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox Animesh Singh
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defenseDATA SECURITY SOLUTIONS
 
AI for Everyone: Master the Basics
AI for Everyone: Master the BasicsAI for Everyone: Master the Basics
AI for Everyone: Master the BasicsStutty Srivastava
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingKeith Brooks
 
What is Ethical Hacking?
What is Ethical Hacking? What is Ethical Hacking?
What is Ethical Hacking? Dignitas Digital Pvt. Ltd.
 
Hacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesHacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesGTKlondike
 
Say "Hi!" to Your New Boss
Say "Hi!" to Your New BossSay "Hi!" to Your New Boss
Say "Hi!" to Your New BossAndreas Dewes
 
Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Ivo Andreev
 
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...Edge AI and Vision Alliance
 
I Dunderstn
I DunderstnI Dunderstn
I Dunderstnhajaanwar
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stackMinhaz A V
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019anant90
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitRam Shankar Siva Kumar
 
Machine learning
Machine learningMachine learning
Machine learningMarlen Franto
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Ieee itmsb20
Ieee itmsb20Ieee itmsb20
Ieee itmsb20Juan Carlos Olivares Rojas
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsAdam Shostack
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 

More Related Content

Similar to DEF CON 27 - ARIEL ADVERSARIEL HERBERT VOSS - don't red team ai like a chump

Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox Animesh Singh
 
AI for Everyone: Master the Basics
AI for Everyone: Master the BasicsAI for Everyone: Master the Basics
AI for Everyone: Master the BasicsStutty Srivastava
 
Hacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesHacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesGTKlondike
 
Say "Hi!" to Your New Boss
Say "Hi!" to Your New BossSay "Hi!" to Your New Boss
Say "Hi!" to Your New BossAndreas Dewes
 
Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Ivo Andreev
 
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...Edge AI and Vision Alliance
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stackMinhaz A V
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019anant90
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitRam Shankar Siva Kumar
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsAdam Shostack
 

Similar to DEF CON 27 - ARIEL ADVERSARIEL HERBERT VOSS - don't red team ai like a chump (20)

Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
 
Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox Defend against adversarial AI using Adversarial Robustness Toolbox
Defend against adversarial AI using Adversarial Robustness Toolbox
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
 
AI for Everyone: Master the Basics
AI for Everyone: Master the BasicsAI for Everyone: Master the Basics
AI for Everyone: Master the Basics
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
What is Ethical Hacking?
What is Ethical Hacking? What is Ethical Hacking?
What is Ethical Hacking?
 
Hacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering AdversariesHacking with Skynet - How AI is Empowering Adversaries
Hacking with Skynet - How AI is Empowering Adversaries
 
Say "Hi!" to Your New Boss
Say "Hi!" to Your New BossSay "Hi!" to Your New Boss
Say "Hi!" to Your New Boss
 
Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2Cybersecurity and Generative AI - for Good and Bad vol.2
Cybersecurity and Generative AI - for Good and Bad vol.2
 
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
“Responsible AI: Tools and Frameworks for Developing AI Solutions,” a Present...
 
I Dunderstn
I DunderstnI Dunderstn
I Dunderstn
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stack
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profit
 
Machine learning
Machine learningMachine learning
Machine learning
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Ieee itmsb20
Ieee itmsb20Ieee itmsb20
Ieee itmsb20
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

DEF CON 27 - ARIEL ADVERSARIEL HERBERT VOSS - don't red team ai like a chump

  • 1. Don’t Red Team AI like a Chump Ariel Herbert-Voss @adversariel
  • 2. Intro • Who am I? • What is this talk?
  • 3. A story about hacking an AI system IRL + +
  • 4. Key points in this talk (in case you zone out) • Focus on the threat model • Go for the jugular feature extraction process • Think about the data supply chain
  • 5. What is an AI system? • AI is a class of algorithms that we use to extract actionable information from data • AI is not new and the hype is real • In this talk, AI == ML AI Machine learning Deep learning
  • 6. What is an AI system?
  • 7. What is an AI system? data
  • 8. What is an AI system? data prediction
  • 9. What is an AI system? data prediction
  • 10. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters
  • 11. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters data poisoning
  • 12. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters data poisoning
  • 13. Adversarial examples adversarial example data point DOG FRIED CHICKEN (arbitrary) feature dimension 1 (arbitrary)featuredimension2 target data point [Biggio et al, 2018]
  • 14. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters backdoored function
  • 15. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters model inversion
  • 16. Model inversion Image of Bill: *exists in training data set* Recovered image [Fredrikson et al, 2015]
  • 17. Parts of an AI system we can exploit • Data • Training/testing sets • Deployed environment data • Model • Algorithm • Parameters model theft
  • 18. Model theft data target model stolen model original predictions similar predictions [Tramèr et al, 2016]
  • 19. How to design an attack for an AI system 1. What model are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
  • 20. Fooling AI-powered video surveillance • Common system components • Detection: on-premises algorithm that checks each still image to see if there is a face for it to forward to the recognition system • Recognition: off-site look-up of flagged images using a data base of known faces camera detection system recognition system
  • 21. Fooling AI-powered video surveillance 1. What model are you attacking? YOLO v2 2. Where do the data come from? video frames 3. Where do the predictions go? stored as set of flagged frames
  • 22. Fooling AI-powered video surveillance [Thys et al, 2019]
  • 23. Fooling AI-powered video surveillance [Brown et al, 2017]
  • 24. Fooling AI-powered video surveillance [Thys et al, 2019]
  • 25. AI red teaming is out of whack • Red teaming AI is often conflated with the academic discipline of adversarial machine learning Cool ways to attack an AI model with math == adversarial ML Evaluate the security of an AI system == red teaming AI
  • 26. Adversarial ML attack tree goal: make the object detector ignore person minimize specific class likelihood minimize “objectyness” likelihood minimize both Fooling AI-powered video surveillance
  • 27. AI red team attack tree goal: make the object detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network play looping footage get access to facial detection AI software minimize specific class likelihood minimize "objectyness" likelihood minimize both Fooling AI-powered video surveillance
  • 28. AI red team attack tree goal: make the object detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network play looping footage get access to facial detection AI software minimize specific class likelihood minimize "objectyness" likelihood minimize both Fooling AI-powered video surveillance
  • 29. Adversarial ML attack tree goal: make self- driving car think a lane is not a lane generate adversarial example Breaking self-driving car lane detection
  • 30. AI red team attack tree goal: make self- driving car think a lane is not a lane dump a salt line on the road put stickers on the road get physical access to car get access to lane detection system generate adversarial example Breaking self-driving car lane detection
  • 31. Adversarial ML attack tree goal: make self- driving car think a lane is not a lane dump a salt line on the road put stickers on the road get physical access to car get access to lane detection system generate adversarial example Breaking self-driving car lane detection
  • 32. How to design an attack for an AI system 1. What model are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
  • 33. How to design an attack for an AI system 1. What model system are you attacking? 2. Where do the data come from? 3. Where do the predictions go?
  • 34. How to design an attack for an AI system 1. What system are you attacking? 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output?
  • 35. How to design an attack for an AI system 1. What system are you attacking? 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output? 3. What is the threat model?
  • 36. How to design an attack for an AI system 1. What system are you attacking? camera detection system recognition system
  • 37. How to design an attack for an AI system 2. What is the data processing pipeline? i. Where do the data come from? ii. What is the data representation? iii. What is the output? feature extraction camera detection system recognition system decision making
  • 38. How to design an attack for an AI system 3. What is the threat model? goal: make the face detector ignore person get physical control of the camera put a sticker over the camera remove the power source move the camera to a different location get access to the camera network DDoS the network play looping footage move camera get access to facial detection AI system get access to training procedure poison data set force backdoored function use scene statistics to generate adversarial example minimize specific class likelihood minimize "objectyness" likelihood minimize both
  • 39. Tl;dw • Go for the jugular feature extraction process • Think about the data supply chain • Focus on the threat model
  • 40. For more information (and math!) Feel free to reach out via Twitter (@adversariel) and/or grab a beer with me :) • Attacks: • Tencent Keen Security Lab, 2019 - https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Au topilot.pdf • [Biggio et al, 2018] - https://pralab.diee.unica.it/sites/default/files/biggio18-pr.pdf • [Fredrikson et al, 2015] - https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf • [Tramèr et al, 2016] - https://arxiv.org/pdf/1609.02943.pdf • [Thys et al, 2019] - https://arxiv.org/pdf/1904.08653.pdf • [Brown et al, 2017] - https://arxiv.org/pdf/1712.09665.pdf • Threat modeling: • Schneier, 1999 - https://www.schneier.com/academic/archives/1999/12/attack_trees.html