SlideShare a Scribd company logo

Adversarial ML - Part 2.pdf

K
KSChidanandKumarJSSS

This document discusses adversarial machine learning attacks. It begins by reminding the reader about evasion attacks, which aim to find model weaknesses at test time, and poisoning attacks, which compromise the training process. It then discusses evasion attacks in more detail, including the use of adversarial examples and real-world attacks. The document outlines different types of evasion attacks and formulations. It also discusses adversarial training as a potential mitigation technique, as well as universal adversarial perturbations. The document presents experimental results showing that perlin noise attacks can outperform other attacks and that adversarial training is not fully effective. It concludes by emphasizing the need to understand vulnerabilities in machine learning systems and develop effective defenses and testing methodologies.

Engineering
1 of 30
Download to read offline
Adversarial Machine Learning (Part 2) Luis Muñoz-González l.munoz@imperial.ac.uk 20th December 2018 https://rissgroup.org
Reminder… Evasion Attacks: • Attacks at test time. • The attacker aims to find the blind spots and weaknesses of the ML system to evade it. Poisoning Attacks: • Compromise data collection. • The attacker subverts the learning process. • Degrades the performance of the system. • Can facilitate future evasion. 2
Evasion Attacks 3 a.k.a. Adversarial Examples • C. Szegedy et al. “Intriguing Properties of Neural Networks.” arXiv preprint, 2013. • I. Goodfellow, J. Shlens, C. Szegedy. “Expalining and Harnessing Adversarial Examples.” ICLR 2015.
Evasion Attacks 4 • K. Eykholt et al. “Robust Physical World Attacks on Deep Learning Visual Classification.” CCVPR, pp. 1625- 1634, 2018. • G.F. Elsayed et al. “Adversarial Examples that Fool both Computer Vision and Time-Limited Humans.” Arxiv pre-print arxiv:1802.08195v3, 2018.
V. Kuleshov et al. “Adversarial Examples for Natural Language Classification Problems.” 2018. 5
Evasion Attacks in the Wild 6
Evasion Attacks 7 http://www.cleverhans.io/security/privacy/ml/2016/12/15/breaking-things-is-easy.html
Enabling Black-Box Attacks… 8 Again… Transferability Successful attacks against one machine learning system are often successful against similar ones. We can craft effective black-box attacks with: • Surrogate models • Surrogate datasets Nicolas Papernot, Patrick McDaniel, Ian Goodfellow. “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples.” ArXiv preprint arXiv:1605.07277, 2016.
Types of Evasion Attacks 9 Indiscriminate Targeted
Types of Evasion Attacks (formulation) 10 Different formulations have been proposed in the research literature: • Minimum distance attack strategies: • Attacks with budget constraints: • Approximations (Fast Gradient Sign Method):
Adversarial Training 11 • Re-train the network including adversarial examples in the training dataset. • Can help to partially mitigate the problem. • But you can’t characterise all possible adversarial regions. Approaches: • min-max training: • Ensemble adversarial training: include adversarial examples from different machine learning models. Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. “Towards Deep Learning Models Resistant to Adversarial Attacks.” ICLR, 2018.
Universal Adversarial Perturbations 12 S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. “Universal Adversarial Perturbations” CCVPR, pp. 86–94, 2017.
Adversarial Examples with Procedural Noise 13 K.T. Co, L. Muñoz-González, E.C. Lupu. “Procedural Noise Adversarial Examples for Black-box Attacks on Deep Neural Networks.” arXiv preprint, 2018. ‘analog clock’ (28.53%) ‘barbell’ (29.84%) ‘fire truck’ (92.21%) ‘wall clock’ (18.32%)
Perlin Noise 14 • Developed to produce natural-looking textures for computer graphics. • Relies on pseudo-random gradients to generate the noise patterns. • It’s simple and easy to use. • Different noise patterns can be generated according to a Noise Generating Function. • Reduced number of parameters to control the appearance of the noise patterns (4 in our case). • We use greyscale colour-map.
Attack Formulation 15 classifier’s predicted label for sample . n-th highest probability score for sample . Perlin noise generating function parametrized by . maximum perturbation allowed (according to some norm). maximum number of queries.
Attack Formulation 16 • We use Bayesian optimization for black-box optimization of the parameters: • Matérn 5/2 covariance function for the Gaussian Process. • Expected Improvement as acquisition function. • Enables black-box attacks aiming to reduce the number of queries.
Experimental Results 17 • ImageNet dataset (1,000 classes). • Top 1 and Top 5 evasion attacks. • Adversarial training is not effective against Perlin noise attacks.
Experimental Results 18 • Perlin noise attack just requires a reduced number of queries (compared to existing black-box attacks).
Experimental Results 19 • Perlin noise perturbations have “universal properties”: the same perturbation can be used to misclassify many samples at the same time. Random perturbations Optimized perturbations
Experimental Results 20 Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. • Perlin noise attack outperforms both (state-of-the-art) white and black-box attacks against ImageNet. • The attack also shows that adversarial training is not really effective against adversarial examples when the attacker changes the perspective of the attack.
Mitigation of Evasion Attacks through Feature Selection 21 Z. Bao, L. Muñoz-González, E.C. Lupu. “Mitigation of Evasion Attacks through Embedded Feature Selection.” IEEE Trans. on Cybernetics (under review), 2018.
Mitigation of Evasion Attacks through Feature Selection 22 • Related work claimed that feature selection makes algorithms less secure against evasion attacks: • F. Zhang, P.P. Chan, B. Biggio, D.S. Yeung, F. Roli. “Adversarial Feature Selection against Evasion Attacks.” IEEE Transactions on Cybernetics, vol. 46, no. 3, pp. 766– 777, 2016. • B. Biggio, G. Fumera, F. Roli. “Security Evaluation of Pattern Classifiers under Attack.” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 4, pp. 984–996, 2014. • F. Wang, W. Liu, S. Chawla, “On Sparse Feature Attacks in Adversarial Learning.” International Conference on Data Mining, pp. 1013–1018, 2014.
Mitigation of Evasion Attacks through Feature Selection 23 • Effects of embedded feature selection with Lasso in the security of the machine learning system. Lasso: Training Cost + ʎ |w|
But… Is Feature Selection more Secure? 24
But… Is Feature Selection more Secure? 25 Normalised perturbation: depending on the norm for the attacker’s constraints.
Trade-off Accuracy vs Security 26 Security defined as a function of the average (normalized) distortion of the adversarial examples:
Statistical Analysis of Adversarial Examples 27 We used Maximum Mean Discrepancy (MDD) to measure the distance between genuine and adversarial examples: As proposed in: K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel. “On the Statistical Detection of Adversarial Examples.” ArXiv preprint: arXiv:1702.06280, 2017. In our case we used a normalized linear kernel (doesn’t make assumptions about the underlying data distribution):
Statistical Analysis of Adversarial Examples 28 • Adversarial examples are easier to detect when using reduced feature sets.
Conclusion 29 • Machine Learning systems are vulnerable: • Poisoning attacks (training time). • Evasion attacks (test time). • We need to understand the vulnerabilities: • Worst-case attacks. • Realistic attacker models. • Look at the whole system pipeline. • We need to understand how we can defend against these vulnerabilities: • Some defences have already been proposed but sometimes are not effective if the attacker targets the defensive algorithm itself. • Quite an open research problem. • But… How can we test the security of machine learning systems? • We need new design and testing methodologies. • Analysis of worst-case scenarios. • Verification vs testing.
30 Thank you! Contact: Luis Muñoz-González l.munoz@imperial.ac.uk https://www.imperial.ac.uk/people/l.munoz-gonzalez www.rissgroup.org

Recommended

Adversarial ML - Part 1.pdf
Adversarial ML - Part 1.pdfAdversarial ML - Part 1.pdf
Adversarial ML - Part 1.pdf
KSChidanandKumarJSSS
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Pluribus One
 
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
anant90
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Pluribus One
 
adversarial robustness through local linearization
adversarial robustness through local linearization adversarial robustness through local linearization
adversarial robustness through local linearization
taeseon ryu
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using Graphs
Ram Shankar Siva Kumar
 
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
Konstantinos Demertzis
 
AI model security and robustness
AI model security and robustnessAI model security and robustness
AI model security and robustness
Rajib Biswas
 

Recommended

Adversarial ML - Part 1.pdf
Adversarial ML - Part 1.pdfAdversarial ML - Part 1.pdf
Adversarial ML - Part 1.pdf
KSChidanandKumarJSSS
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Pluribus One
 
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
anant90
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Pluribus One
 
adversarial robustness through local linearization
adversarial robustness through local linearization adversarial robustness through local linearization
adversarial robustness through local linearization
taeseon ryu
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using Graphs
Ram Shankar Siva Kumar
 
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
Konstantinos Demertzis
 
AI model security and robustness
AI model security and robustnessAI model security and robustness
AI model security and robustness
Rajib Biswas
 
Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learning
Ganesan Narayanasamy
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Pluribus One
 
Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense
Ram Shankar Siva Kumar
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune SystemsInspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune Systems
Julie Greensmith
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Pluribus One
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Pluribus One
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Pluribus One
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profit
Ram Shankar Siva Kumar
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
Pluribus One
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Pluribus One
 
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
The Statistical and Applied Mathematical Sciences Institute
 
Dnasec
DnasecDnasec
Dnasec
Zied Houaneb
 
Self-learning systems for cyber security
Self-learning systems for cyber securitySelf-learning systems for cyber security
Self-learning systems for cyber security
Kim Hammar
 
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
Andrea Montemaggio
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
Kim Hammar
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith Jones, PhD
 
MultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detectionMultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detection
Aboul Ella Hassanien
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Pluribus One
 
A survey of random forest based methods for
A survey of random forest based methods forA survey of random forest based methods for
A survey of random forest based methods for
Nikhil Sharma
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
Tejaswini Jitta
 
Research of adversarial example on a deep neural network
Research of adversarial example on a deep neural networkResearch of adversarial example on a deep neural network
Research of adversarial example on a deep neural network
NAVER Engineering
 
Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
MeetupDataScienceRoma
 

More Related Content

What's hot

Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learning
Ganesan Narayanasamy
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Pluribus One
 
Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense
Ram Shankar Siva Kumar
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune SystemsInspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune Systems
Julie Greensmith
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Pluribus One
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Pluribus One
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Pluribus One
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profit
Ram Shankar Siva Kumar
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
Pluribus One
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Pluribus One
 
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
The Statistical and Applied Mathematical Sciences Institute
 
Dnasec
DnasecDnasec
Dnasec
Zied Houaneb
 
Self-learning systems for cyber security
Self-learning systems for cyber securitySelf-learning systems for cyber security
Self-learning systems for cyber security
Kim Hammar
 
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
Andrea Montemaggio
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
Kim Hammar
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith Jones, PhD
 
MultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detectionMultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detection
Aboul Ella Hassanien
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Pluribus One
 
A survey of random forest based methods for
A survey of random forest based methods forA survey of random forest based methods for
A survey of random forest based methods for
Nikhil Sharma
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
Tejaswini Jitta
 

What's hot (20)

Robustness in deep learning
Robustness in deep learningRobustness in deep learning
Robustness in deep learning
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
 
Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense Infiltrate 2015 - Data Driven Offense
Infiltrate 2015 - Data Driven Offense
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune SystemsInspiration to Application: A Tutorial on Artificial Immune Systems
Inspiration to Application: A Tutorial on Artificial Immune Systems
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
 
Subverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profitSubverting Machine Learning Detections for fun and profit
Subverting Machine Learning Detections for fun and profit
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
 
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
 
Dnasec
DnasecDnasec
Dnasec
 
Self-learning systems for cyber security
Self-learning systems for cyber securitySelf-learning systems for cyber security
Self-learning systems for cyber security
 
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
 
Self-Learning Systems for Cyber Security
Self-Learning Systems for Cyber SecuritySelf-Learning Systems for Cyber Security
Self-Learning Systems for Cyber Security
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
 
MultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detectionMultiAgent artificial immune system for network intrusion detection
MultiAgent artificial immune system for network intrusion detection
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
 
A survey of random forest based methods for
A survey of random forest based methods forA survey of random forest based methods for
A survey of random forest based methods for
 
Artificial immune system
Artificial immune systemArtificial immune system
Artificial immune system
 

Similar to Adversarial ML - Part 2.pdf

Research of adversarial example on a deep neural network
Research of adversarial example on a deep neural networkResearch of adversarial example on a deep neural network
Research of adversarial example on a deep neural network
NAVER Engineering
 
Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
MeetupDataScienceRoma
 
Adversarial Attacks and Defenses in Deep Learning.pdf
Adversarial Attacks and Defenses in Deep Learning.pdfAdversarial Attacks and Defenses in Deep Learning.pdf
Adversarial Attacks and Defenses in Deep Learning.pdf
MichelleHoogenhout
 
Adversarial ml
Adversarial mlAdversarial ml
Adversarial ml
JunfeiWang1
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
anant90
 
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
Sri Ram
 
Security of Machine Learning
Security of Machine LearningSecurity of Machine Learning
Security of Machine Learning
Institute of Contemporary Sciences
 
Security in Machine Learning
Security in Machine LearningSecurity in Machine Learning
Security in Machine Learning
Flavio Clesio
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
Michael Roytman
 
algorithmic-decisions, fairness, machine learning, provenance, transparency
algorithmic-decisions, fairness, machine learning, provenance, transparencyalgorithmic-decisions, fairness, machine learning, provenance, transparency
algorithmic-decisions, fairness, machine learning, provenance, transparency
Paolo Missier
 
Adversarial Attacks and Defenses in Malware Classification: A Survey
Adversarial Attacks and Defenses in Malware Classification: A SurveyAdversarial Attacks and Defenses in Malware Classification: A Survey
Adversarial Attacks and Defenses in Malware Classification: A Survey
CSCJournals
 
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-PatternsIEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
Gui Padua
 
slides_security_and_privacy_in_machine_learning.pptx
slides_security_and_privacy_in_machine_learning.pptxslides_security_and_privacy_in_machine_learning.pptx
slides_security_and_privacy_in_machine_learning.pptx
ssuserabf73f
 
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
DataScienceConferenc1
 
Universal Adversarial Perturbation
Universal Adversarial PerturbationUniversal Adversarial Perturbation
Universal Adversarial Perturbation
Hyunwoo Kim
 
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
jzadeh
 
Adversarial Training is all you Need.pptx
Adversarial Training is all you Need.pptxAdversarial Training is all you Need.pptx
Adversarial Training is all you Need.pptx
Prerana Khatiwada
 
Robustness of compressed CNNs
Robustness of compressed CNNsRobustness of compressed CNNs
Robustness of compressed CNNs
Kaushalya Madhawa
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadler
Kim Hammar
 
Bringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine LearningBringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine Learning
Bobby Filar
 

Similar to Adversarial ML - Part 2.pdf (20)

Research of adversarial example on a deep neural network
Research of adversarial example on a deep neural networkResearch of adversarial example on a deep neural network
Research of adversarial example on a deep neural network
 
Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
 
Adversarial Attacks and Defenses in Deep Learning.pdf
Adversarial Attacks and Defenses in Deep Learning.pdfAdversarial Attacks and Defenses in Deep Learning.pdf
Adversarial Attacks and Defenses in Deep Learning.pdf
 
Adversarial ml
Adversarial mlAdversarial ml
Adversarial ml
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
 
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
Towards Evaluating the Robustness of Deep Intrusion Detection Models in Adver...
 
Security of Machine Learning
Security of Machine LearningSecurity of Machine Learning
Security of Machine Learning
 
Security in Machine Learning
Security in Machine LearningSecurity in Machine Learning
Security in Machine Learning
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
 
algorithmic-decisions, fairness, machine learning, provenance, transparency
algorithmic-decisions, fairness, machine learning, provenance, transparencyalgorithmic-decisions, fairness, machine learning, provenance, transparency
algorithmic-decisions, fairness, machine learning, provenance, transparency
 
Adversarial Attacks and Defenses in Malware Classification: A Survey
Adversarial Attacks and Defenses in Malware Classification: A SurveyAdversarial Attacks and Defenses in Malware Classification: A Survey
Adversarial Attacks and Defenses in Malware Classification: A Survey
 
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-PatternsIEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
IEEE ICPC 2017 - Studying the Prevalence of Exception Handling Anti-Patterns
 
slides_security_and_privacy_in_machine_learning.pptx
slides_security_and_privacy_in_machine_learning.pptxslides_security_and_privacy_in_machine_learning.pptx
slides_security_and_privacy_in_machine_learning.pptx
 
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
 
Universal Adversarial Perturbation
Universal Adversarial PerturbationUniversal Adversarial Perturbation
Universal Adversarial Perturbation
 
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-...
 
Adversarial Training is all you Need.pptx
Adversarial Training is all you Need.pptxAdversarial Training is all you Need.pptx
Adversarial Training is all you Need.pptx
 
Robustness of compressed CNNs
Robustness of compressed CNNsRobustness of compressed CNNs
Robustness of compressed CNNs
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadler
 
Bringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine LearningBringing Red vs. Blue to Machine Learning
Bringing Red vs. Blue to Machine Learning
 

More from KSChidanandKumarJSSS

12_applications.pdf
12_applications.pdf12_applications.pdf
12_applications.pdf
KSChidanandKumarJSSS
 
16_graphical_models.pdf
16_graphical_models.pdf16_graphical_models.pdf
16_graphical_models.pdf
KSChidanandKumarJSSS
 
10_rnn.pdf
10_rnn.pdf10_rnn.pdf
10_rnn.pdf
KSChidanandKumarJSSS
 
15_representation.pdf
15_representation.pdf15_representation.pdf
15_representation.pdf
KSChidanandKumarJSSS
 
14_autoencoders.pdf
14_autoencoders.pdf14_autoencoders.pdf
14_autoencoders.pdf
KSChidanandKumarJSSS
 
17_monte_carlo.pdf
17_monte_carlo.pdf17_monte_carlo.pdf
17_monte_carlo.pdf
KSChidanandKumarJSSS
 
18_partition.pdf
18_partition.pdf18_partition.pdf
18_partition.pdf
KSChidanandKumarJSSS
 
8803-09-lec16.pdf
8803-09-lec16.pdf8803-09-lec16.pdf
8803-09-lec16.pdf
KSChidanandKumarJSSS
 
13_linear_factors.pdf
13_linear_factors.pdf13_linear_factors.pdf
13_linear_factors.pdf
KSChidanandKumarJSSS
 

More from KSChidanandKumarJSSS (9)

12_applications.pdf
12_applications.pdf12_applications.pdf
12_applications.pdf
 
16_graphical_models.pdf
16_graphical_models.pdf16_graphical_models.pdf
16_graphical_models.pdf
 
10_rnn.pdf
10_rnn.pdf10_rnn.pdf
10_rnn.pdf
 
15_representation.pdf
15_representation.pdf15_representation.pdf
15_representation.pdf
 
14_autoencoders.pdf
14_autoencoders.pdf14_autoencoders.pdf
14_autoencoders.pdf
 
17_monte_carlo.pdf
17_monte_carlo.pdf17_monte_carlo.pdf
17_monte_carlo.pdf
 
18_partition.pdf
18_partition.pdf18_partition.pdf
18_partition.pdf
 
8803-09-lec16.pdf
8803-09-lec16.pdf8803-09-lec16.pdf
8803-09-lec16.pdf
 
13_linear_factors.pdf
13_linear_factors.pdf13_linear_factors.pdf
13_linear_factors.pdf
 

Recently uploaded

A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
nooriasukmaningtyas
 
Low power architecture of logic gates using adiabatic techniques
Low power architecture of logic gates using adiabatic techniquesLow power architecture of logic gates using adiabatic techniques
Low power architecture of logic gates using adiabatic techniques
nooriasukmaningtyas
 
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdfBPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
MIGUELANGEL966976
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdfIron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
RadiNasr
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
insn4465
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
gestioneergodomus
 
Wearable antenna for antenna applications
Wearable antenna for antenna applicationsWearable antenna for antenna applications
Wearable antenna for antenna applications
Madhumitha Jayaram
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
gerogepatton
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
Aditya Rajan Patra
 
CSM Cloud Service Management Presentarion
CSM Cloud Service Management PresentarionCSM Cloud Service Management Presentarion
CSM Cloud Service Management Presentarion
rpskprasana
 
New techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdfNew techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdf
wisnuprabawa3
 
Series of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.pptSeries of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.ppt
PauloRodrigues104553
 
2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt
PuktoonEngr
 
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prismsTechnical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
heavyhaig
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
anoopmanoharan2
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
mahammadsalmanmech
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
Madan Karki
 

Recently uploaded (20)

A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
 
Low power architecture of logic gates using adiabatic techniques
Low power architecture of logic gates using adiabatic techniquesLow power architecture of logic gates using adiabatic techniques
Low power architecture of logic gates using adiabatic techniques
 
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdfBPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
BPV-GUI-01-Guide-for-ASME-Review-Teams-(General)-10-10-2023.pdf
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdfIron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
 
Wearable antenna for antenna applications
Wearable antenna for antenna applicationsWearable antenna for antenna applications
Wearable antenna for antenna applications
 
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
 
CSM Cloud Service Management Presentarion
CSM Cloud Service Management PresentarionCSM Cloud Service Management Presentarion
CSM Cloud Service Management Presentarion
 
New techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdfNew techniques for characterising damage in rock slopes.pdf
New techniques for characterising damage in rock slopes.pdf
 
Series of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.pptSeries of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.ppt
 
2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt
 
Technical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prismsTechnical Drawings introduction to drawing of prisms
Technical Drawings introduction to drawing of prisms
 
PPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testingPPT on GRP pipes manufacturing and testing
PPT on GRP pipes manufacturing and testing
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
 

Adversarial ML - Part 2.pdf

  • 1. Adversarial Machine Learning (Part 2) Luis Muñoz-González l.munoz@imperial.ac.uk 20th December 2018 https://rissgroup.org
  • 2. Reminder… Evasion Attacks: • Attacks at test time. • The attacker aims to find the blind spots and weaknesses of the ML system to evade it. Poisoning Attacks: • Compromise data collection. • The attacker subverts the learning process. • Degrades the performance of the system. • Can facilitate future evasion. 2
  • 3. Evasion Attacks 3 a.k.a. Adversarial Examples • C. Szegedy et al. “Intriguing Properties of Neural Networks.” arXiv preprint, 2013. • I. Goodfellow, J. Shlens, C. Szegedy. “Expalining and Harnessing Adversarial Examples.” ICLR 2015.
  • 4. Evasion Attacks 4 • K. Eykholt et al. “Robust Physical World Attacks on Deep Learning Visual Classification.” CCVPR, pp. 1625- 1634, 2018. • G.F. Elsayed et al. “Adversarial Examples that Fool both Computer Vision and Time-Limited Humans.” Arxiv pre-print arxiv:1802.08195v3, 2018.
  • 5. V. Kuleshov et al. “Adversarial Examples for Natural Language Classification Problems.” 2018. 5
  • 6. Evasion Attacks in the Wild 6
  • 8. Enabling Black-Box Attacks… 8 Again… Transferability Successful attacks against one machine learning system are often successful against similar ones. We can craft effective black-box attacks with: • Surrogate models • Surrogate datasets Nicolas Papernot, Patrick McDaniel, Ian Goodfellow. “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples.” ArXiv preprint arXiv:1605.07277, 2016.
  • 9. Types of Evasion Attacks 9 Indiscriminate Targeted
  • 10. Types of Evasion Attacks (formulation) 10 Different formulations have been proposed in the research literature: • Minimum distance attack strategies: • Attacks with budget constraints: • Approximations (Fast Gradient Sign Method):
  • 11. Adversarial Training 11 • Re-train the network including adversarial examples in the training dataset. • Can help to partially mitigate the problem. • But you can’t characterise all possible adversarial regions. Approaches: • min-max training: • Ensemble adversarial training: include adversarial examples from different machine learning models. Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. “Towards Deep Learning Models Resistant to Adversarial Attacks.” ICLR, 2018.
  • 12. Universal Adversarial Perturbations 12 S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. “Universal Adversarial Perturbations” CCVPR, pp. 86–94, 2017.
  • 13. Adversarial Examples with Procedural Noise 13 K.T. Co, L. Muñoz-González, E.C. Lupu. “Procedural Noise Adversarial Examples for Black-box Attacks on Deep Neural Networks.” arXiv preprint, 2018. ‘analog clock’ (28.53%) ‘barbell’ (29.84%) ‘fire truck’ (92.21%) ‘wall clock’ (18.32%)
  • 14. Perlin Noise 14 • Developed to produce natural-looking textures for computer graphics. • Relies on pseudo-random gradients to generate the noise patterns. • It’s simple and easy to use. • Different noise patterns can be generated according to a Noise Generating Function. • Reduced number of parameters to control the appearance of the noise patterns (4 in our case). • We use greyscale colour-map.
  • 15. Attack Formulation 15 classifier’s predicted label for sample . n-th highest probability score for sample . Perlin noise generating function parametrized by . maximum perturbation allowed (according to some norm). maximum number of queries.
  • 16. Attack Formulation 16 • We use Bayesian optimization for black-box optimization of the parameters: • Matérn 5/2 covariance function for the Gaussian Process. • Expected Improvement as acquisition function. • Enables black-box attacks aiming to reduce the number of queries.
  • 17. Experimental Results 17 • ImageNet dataset (1,000 classes). • Top 1 and Top 5 evasion attacks. • Adversarial training is not effective against Perlin noise attacks.
  • 18. Experimental Results 18 • Perlin noise attack just requires a reduced number of queries (compared to existing black-box attacks).
  • 19. Experimental Results 19 • Perlin noise perturbations have “universal properties”: the same perturbation can be used to misclassify many samples at the same time. Random perturbations Optimized perturbations
  • 20. Experimental Results 20 Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. • Perlin noise attack outperforms both (state-of-the-art) white and black-box attacks against ImageNet. • The attack also shows that adversarial training is not really effective against adversarial examples when the attacker changes the perspective of the attack.
  • 21. Mitigation of Evasion Attacks through Feature Selection 21 Z. Bao, L. Muñoz-González, E.C. Lupu. “Mitigation of Evasion Attacks through Embedded Feature Selection.” IEEE Trans. on Cybernetics (under review), 2018.
  • 22. Mitigation of Evasion Attacks through Feature Selection 22 • Related work claimed that feature selection makes algorithms less secure against evasion attacks: • F. Zhang, P.P. Chan, B. Biggio, D.S. Yeung, F. Roli. “Adversarial Feature Selection against Evasion Attacks.” IEEE Transactions on Cybernetics, vol. 46, no. 3, pp. 766– 777, 2016. • B. Biggio, G. Fumera, F. Roli. “Security Evaluation of Pattern Classifiers under Attack.” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 4, pp. 984–996, 2014. • F. Wang, W. Liu, S. Chawla, “On Sparse Feature Attacks in Adversarial Learning.” International Conference on Data Mining, pp. 1013–1018, 2014.
  • 23. Mitigation of Evasion Attacks through Feature Selection 23 • Effects of embedded feature selection with Lasso in the security of the machine learning system. Lasso: Training Cost + ʎ |w|
  • 24. But… Is Feature Selection more Secure? 24
  • 25. But… Is Feature Selection more Secure? 25 Normalised perturbation: depending on the norm for the attacker’s constraints.
  • 26. Trade-off Accuracy vs Security 26 Security defined as a function of the average (normalized) distortion of the adversarial examples:
  • 27. Statistical Analysis of Adversarial Examples 27 We used Maximum Mean Discrepancy (MDD) to measure the distance between genuine and adversarial examples: As proposed in: K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel. “On the Statistical Detection of Adversarial Examples.” ArXiv preprint: arXiv:1702.06280, 2017. In our case we used a normalized linear kernel (doesn’t make assumptions about the underlying data distribution):
  • 28. Statistical Analysis of Adversarial Examples 28 • Adversarial examples are easier to detect when using reduced feature sets.
  • 29. Conclusion 29 • Machine Learning systems are vulnerable: • Poisoning attacks (training time). • Evasion attacks (test time). • We need to understand the vulnerabilities: • Worst-case attacks. • Realistic attacker models. • Look at the whole system pipeline. • We need to understand how we can defend against these vulnerabilities: • Some defences have already been proposed but sometimes are not effective if the attacker targets the defensive algorithm itself. • Quite an open research problem. • But… How can we test the security of machine learning systems? • We need new design and testing methodologies. • Analysis of worst-case scenarios. • Verification vs testing.
  • 30. 30 Thank you! Contact: Luis Muñoz-González l.munoz@imperial.ac.uk https://www.imperial.ac.uk/people/l.munoz-gonzalez www.rissgroup.org