Uploaded byKSChidanandKumarJSSS
109 views

Adversarial ML - Part 2.pdf

This document discusses adversarial machine learning attacks. It begins by reminding the reader about evasion attacks, which aim to find model weaknesses at test time, and poisoning attacks, which compromise the training process. It then discusses evasion attacks in more detail, including the use of adversarial examples and real-world attacks. The document outlines different types of evasion attacks and formulations. It also discusses adversarial training as a potential mitigation technique, as well as universal adversarial perturbations. The document presents experimental results showing that perlin noise attacks can outperform other attacks and that adversarial training is not fully effective. It concludes by emphasizing the need to understand vulnerabilities in machine learning systems and develop effective defenses and testing methodologies.

Embed presentation

Download to read offline
Adversarial Machine Learning (Part 2) Luis Muñoz-González l.munoz@imperial.ac.uk 20th December 2018 https://rissgroup.org
Reminder… Evasion Attacks: • Attacks at test time. • The attacker aims to find the blind spots and weaknesses of the ML system to evade it. Poisoning Attacks: • Compromise data collection. • The attacker subverts the learning process. • Degrades the performance of the system. • Can facilitate future evasion. 2
Evasion Attacks 3 a.k.a. Adversarial Examples • C. Szegedy et al. “Intriguing Properties of Neural Networks.” arXiv preprint, 2013. • I. Goodfellow, J. Shlens, C. Szegedy. “Expalining and Harnessing Adversarial Examples.” ICLR 2015.
Evasion Attacks 4 • K. Eykholt et al. “Robust Physical World Attacks on Deep Learning Visual Classification.” CCVPR, pp. 1625- 1634, 2018. • G.F. Elsayed et al. “Adversarial Examples that Fool both Computer Vision and Time-Limited Humans.” Arxiv pre-print arxiv:1802.08195v3, 2018.
V. Kuleshov et al. “Adversarial Examples for Natural Language Classification Problems.” 2018. 5
Evasion Attacks in the Wild 6
Evasion Attacks 7 http://www.cleverhans.io/security/privacy/ml/2016/12/15/breaking-things-is-easy.html
Enabling Black-Box Attacks… 8 Again… Transferability Successful attacks against one machine learning system are often successful against similar ones. We can craft effective black-box attacks with: • Surrogate models • Surrogate datasets Nicolas Papernot, Patrick McDaniel, Ian Goodfellow. “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples.” ArXiv preprint arXiv:1605.07277, 2016.
Types of Evasion Attacks 9 Indiscriminate Targeted
Types of Evasion Attacks (formulation) 10 Different formulations have been proposed in the research literature: • Minimum distance attack strategies: • Attacks with budget constraints: • Approximations (Fast Gradient Sign Method):
Adversarial Training 11 • Re-train the network including adversarial examples in the training dataset. • Can help to partially mitigate the problem. • But you can’t characterise all possible adversarial regions. Approaches: • min-max training: • Ensemble adversarial training: include adversarial examples from different machine learning models. Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. “Towards Deep Learning Models Resistant to Adversarial Attacks.” ICLR, 2018.
Universal Adversarial Perturbations 12 S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. “Universal Adversarial Perturbations” CCVPR, pp. 86–94, 2017.
Adversarial Examples with Procedural Noise 13 K.T. Co, L. Muñoz-González, E.C. Lupu. “Procedural Noise Adversarial Examples for Black-box Attacks on Deep Neural Networks.” arXiv preprint, 2018. ‘analog clock’ (28.53%) ‘barbell’ (29.84%) ‘fire truck’ (92.21%) ‘wall clock’ (18.32%)
Perlin Noise 14 • Developed to produce natural-looking textures for computer graphics. • Relies on pseudo-random gradients to generate the noise patterns. • It’s simple and easy to use. • Different noise patterns can be generated according to a Noise Generating Function. • Reduced number of parameters to control the appearance of the noise patterns (4 in our case). • We use greyscale colour-map.
Attack Formulation 15 classifier’s predicted label for sample . n-th highest probability score for sample . Perlin noise generating function parametrized by . maximum perturbation allowed (according to some norm). maximum number of queries.
Attack Formulation 16 • We use Bayesian optimization for black-box optimization of the parameters: • Matérn 5/2 covariance function for the Gaussian Process. • Expected Improvement as acquisition function. • Enables black-box attacks aiming to reduce the number of queries.
Experimental Results 17 • ImageNet dataset (1,000 classes). • Top 1 and Top 5 evasion attacks. • Adversarial training is not effective against Perlin noise attacks.
Experimental Results 18 • Perlin noise attack just requires a reduced number of queries (compared to existing black-box attacks).
Experimental Results 19 • Perlin noise perturbations have “universal properties”: the same perturbation can be used to misclassify many samples at the same time. Random perturbations Optimized perturbations
Experimental Results 20 Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. • Perlin noise attack outperforms both (state-of-the-art) white and black-box attacks against ImageNet. • The attack also shows that adversarial training is not really effective against adversarial examples when the attacker changes the perspective of the attack.
Mitigation of Evasion Attacks through Feature Selection 21 Z. Bao, L. Muñoz-González, E.C. Lupu. “Mitigation of Evasion Attacks through Embedded Feature Selection.” IEEE Trans. on Cybernetics (under review), 2018.
Mitigation of Evasion Attacks through Feature Selection 22 • Related work claimed that feature selection makes algorithms less secure against evasion attacks: • F. Zhang, P.P. Chan, B. Biggio, D.S. Yeung, F. Roli. “Adversarial Feature Selection against Evasion Attacks.” IEEE Transactions on Cybernetics, vol. 46, no. 3, pp. 766– 777, 2016. • B. Biggio, G. Fumera, F. Roli. “Security Evaluation of Pattern Classifiers under Attack.” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 4, pp. 984–996, 2014. • F. Wang, W. Liu, S. Chawla, “On Sparse Feature Attacks in Adversarial Learning.” International Conference on Data Mining, pp. 1013–1018, 2014.
Mitigation of Evasion Attacks through Feature Selection 23 • Effects of embedded feature selection with Lasso in the security of the machine learning system. Lasso: Training Cost + ʎ |w|
But… Is Feature Selection more Secure? 24
But… Is Feature Selection more Secure? 25 Normalised perturbation: depending on the norm for the attacker’s constraints.
Trade-off Accuracy vs Security 26 Security defined as a function of the average (normalized) distortion of the adversarial examples:
Statistical Analysis of Adversarial Examples 27 We used Maximum Mean Discrepancy (MDD) to measure the distance between genuine and adversarial examples: As proposed in: K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel. “On the Statistical Detection of Adversarial Examples.” ArXiv preprint: arXiv:1702.06280, 2017. In our case we used a normalized linear kernel (doesn’t make assumptions about the underlying data distribution):
Statistical Analysis of Adversarial Examples 28 • Adversarial examples are easier to detect when using reduced feature sets.
Conclusion 29 • Machine Learning systems are vulnerable: • Poisoning attacks (training time). • Evasion attacks (test time). • We need to understand the vulnerabilities: • Worst-case attacks. • Realistic attacker models. • Look at the whole system pipeline. • We need to understand how we can defend against these vulnerabilities: • Some defences have already been proposed but sometimes are not effective if the attacker targets the defensive algorithm itself. • Quite an open research problem. • But… How can we test the security of machine learning systems? • We need new design and testing methodologies. • Analysis of worst-case scenarios. • Verification vs testing.
30 Thank you! Contact: Luis Muñoz-González l.munoz@imperial.ac.uk https://www.imperial.ac.uk/people/l.munoz-gonzalez www.rissgroup.org

More Related Content

PPTX
adversarial robustness through local linearization
bytaeseon ryu
 
PDF
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
byPluribus One
 
PDF
Adversarial ML - Part 1.pdf
byKSChidanandKumarJSSS
 
PDF
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
byKonstantinos Demertzis
 
PDF
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
byanant90
 
PDF
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
byPluribus One
 
PPTX
Transforming incident Response to Intelligent Response using Graphs
byRam Shankar Siva Kumar
 
PDF
AI model security and robustness
byRajib Biswas
 
adversarial robustness through local linearization
bytaeseon ryu
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
byPluribus One
 
Adversarial ML - Part 1.pdf
byKSChidanandKumarJSSS
 
The Next Generation Cognitive Security Operations Center: Adaptive Analytic L...
byKonstantinos Demertzis
 
Mozfest 2018 session slides: Let's fool modern A.I. systems with stickers.
byanant90
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
byPluribus One
 
Transforming incident Response to Intelligent Response using Graphs
byRam Shankar Siva Kumar
 
AI model security and robustness
byRajib Biswas
 

What's hot

PDF
Robustness in deep learning
byGanesan Narayanasamy
 
PPTX
A survey of random forest based methods for
byNikhil Sharma
 
PPTX
Artificial immune system
byTejaswini Jitta
 
PDF
Self-Learning Systems for Cyber Security
byKim Hammar
 
PPTX
Infiltrate 2015 - Data Driven Offense
byRam Shankar Siva Kumar
 
PPTX
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
byKeith Jones, PhD
 
PDF
Secure Kernel Machines against Evasion Attacks
byPluribus One
 
PDF
Inspiration to Application: A Tutorial on Artificial Immune Systems
byJulie Greensmith
 
PDF
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
byPluribus One
 
PDF
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
byPluribus One
 
PPTX
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
byThe Statistical and Applied Mathematical Sciences Institute
 
PDF
Self-learning systems for cyber security
byKim Hammar
 
PPTX
MultiAgent artificial immune system for network intrusion detection
byAboul Ella Hassanien
 
PDF
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
byAndrea Montemaggio
 
PDF
Dnasec
byZied Houaneb
 
PDF
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
byPluribus One
 
PPTX
Subverting Machine Learning Detections for fun and profit
byRam Shankar Siva Kumar
 
PDF
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
byPluribus One
 
PDF
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
byPluribus One
 
PDF
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
byPluribus One
 
Robustness in deep learning
byGanesan Narayanasamy
 
A survey of random forest based methods for
byNikhil Sharma
 
Artificial immune system
byTejaswini Jitta
 
Self-Learning Systems for Cyber Security
byKim Hammar
 
Infiltrate 2015 - Data Driven Offense
byRam Shankar Siva Kumar
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
byKeith Jones, PhD
 
Secure Kernel Machines against Evasion Attacks
byPluribus One
 
Inspiration to Application: A Tutorial on Artificial Immune Systems
byJulie Greensmith
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
byPluribus One
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
byPluribus One
 
2019 Triangle Machine Learning Day - Mitigating Evasion Attacks to Deep Neura...
byThe Statistical and Applied Mathematical Sciences Institute
 
Self-learning systems for cyber security
byKim Hammar
 
MultiAgent artificial immune system for network intrusion detection
byAboul Ella Hassanien
 
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of...
byAndrea Montemaggio
 
Dnasec
byZied Houaneb
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
byPluribus One
 
Subverting Machine Learning Detections for fun and profit
byRam Shankar Siva Kumar
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
byPluribus One
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
byPluribus One
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
byPluribus One
 

Similar to Adversarial ML - Part 2.pdf

PDF
Research of adversarial example on a deep neural network
byNAVER Engineering
 
PDF
Adversarial Attacks and Defenses in Deep Learning.pdf
byMichelleHoogenhout
 
PDF
Security of Machine Learning
byInstitute of Contemporary Sciences
 
PDF
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
byanant90
 
PPTX
Adversarial Machine Learning in Cybersecurity.pptx
bysilaya6647
 
PPTX
Adversarial Machine Learning in Cybersecurity.pptx
bysilaya6647
 
PDF
Adversarial ml
byJunfeiWang1
 
PDF
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
byPluribus One
 
PDF
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
byDataScienceConferenc1
 
PPTX
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
byKishor Datta Gupta
 
PPTX
Lecture_1_Introduction_to_Adversarial_Machine_Learning.pptx
byDevRaj646424
 
PDF
The evaluation for the defense of adversarial attacks
bySimossyi Funabashi
 
PPTX
adversarial robustness lecture
byMuhammadAhmedShah2
 
PDF
Robustness of Machine Learning Models Beyond Adversarial Attacks.pdf
byDaniel983829
 
PDF
aml.pdf
bySheilaAlemany
 
PPTX
What Is Adversarial Machine Learning.pptx
byMaisamAbbas14
 
PDF
Bringing Red vs. Blue to Machine Learning
byBobby Filar
 
PDF
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
byGeekPwn Keen
 
PDF
DESSERTATION 4 SEM cybersecurity ensemble approach
bySoniyaRathod5
 
PDF
Alexey kurakin-what's new in adversarial machine learning
byGeekPwn Keen
 
Research of adversarial example on a deep neural network
byNAVER Engineering
 
Adversarial Attacks and Defenses in Deep Learning.pdf
byMichelleHoogenhout
 
Security of Machine Learning
byInstitute of Contemporary Sciences
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
byanant90
 
Adversarial Machine Learning in Cybersecurity.pptx
bysilaya6647
 
Adversarial Machine Learning in Cybersecurity.pptx
bysilaya6647
 
Adversarial ml
byJunfeiWang1
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
byPluribus One
 
[DSC Europe 23] Aleksandar Tomcic - Adversarial Attacks
byDataScienceConferenc1
 
Robust Filtering Schemes for Machine Learning Systems to Defend Adversarial A...
byKishor Datta Gupta
 
Lecture_1_Introduction_to_Adversarial_Machine_Learning.pptx
byDevRaj646424
 
The evaluation for the defense of adversarial attacks
bySimossyi Funabashi
 
adversarial robustness lecture
byMuhammadAhmedShah2
 
Robustness of Machine Learning Models Beyond Adversarial Attacks.pdf
byDaniel983829
 
aml.pdf
bySheilaAlemany
 
What Is Adversarial Machine Learning.pptx
byMaisamAbbas14
 
Bringing Red vs. Blue to Machine Learning
byBobby Filar
 
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
byGeekPwn Keen
 
DESSERTATION 4 SEM cybersecurity ensemble approach
bySoniyaRathod5
 
Alexey kurakin-what's new in adversarial machine learning
byGeekPwn Keen
 

More from KSChidanandKumarJSSS

PDF
12_applications.pdf
byKSChidanandKumarJSSS
 
PDF
14_autoencoders.pdf
byKSChidanandKumarJSSS
 
PDF
15_representation.pdf
byKSChidanandKumarJSSS
 
PDF
17_monte_carlo.pdf
byKSChidanandKumarJSSS
 
PDF
18_partition.pdf
byKSChidanandKumarJSSS
 
PDF
8803-09-lec16.pdf
byKSChidanandKumarJSSS
 
PDF
10_rnn.pdf
byKSChidanandKumarJSSS
 
PDF
16_graphical_models.pdf
byKSChidanandKumarJSSS
 
PDF
13_linear_factors.pdf
byKSChidanandKumarJSSS
 
12_applications.pdf
byKSChidanandKumarJSSS
 
14_autoencoders.pdf
byKSChidanandKumarJSSS
 
15_representation.pdf
byKSChidanandKumarJSSS
 
17_monte_carlo.pdf
byKSChidanandKumarJSSS
 
18_partition.pdf
byKSChidanandKumarJSSS
 
8803-09-lec16.pdf
byKSChidanandKumarJSSS
 
10_rnn.pdf
byKSChidanandKumarJSSS
 
16_graphical_models.pdf
byKSChidanandKumarJSSS
 
13_linear_factors.pdf
byKSChidanandKumarJSSS
 

Recently uploaded

PDF
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 
PPTX
CEC369 IoT P CEC369 IoT P CEC369 IoT PCEC369 IoT PCEC369 IoT P
byKesavRaj8
 
PPTX
Washing-Machine-Simulation-using-PICSimLab.pptx
byhelppolytechnic24
 
PDF
application of matrix in computer science
byankitberamath
 
PDF
Event #3_ Build a Gemini Bot, Together with GitHub_private.pdf
by3526ming
 
PDF
Advancements in Telecommunication for Disaster Management (www.kiu.ac.ug)
bypublication11
 
PPTX
Blockchain and cryptography Lecture Notes
bysanjanakumar34
 
PPTX
clustering type :hierarchical clustering.pptx
bydeepalishinkar1
 
PDF
@Regenerative braking system of DC motor
bysangamkumar993613
 
PDF
Introduction to MySQL Spatial Features and Real-World Use Cases
byVissarion Fisikopoulos
 
PDF
IPE 105 - Engineering Materials Constitution of Alloys
byMominulIslam67
 
PDF
Small Space Big Design - Amar DeXign Scape
byAmar Dexign scape
 
PDF
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
PDF
OOPCodesjavapracticalkabirpawarpptinparacticalexamination
bySvkmiot
 
PDF
Best Marketplaces to Buy Snapchat Accounts in 2025.pdf
byys3ik6l8c3ftbz
 
PDF
HEV Descriptive Questions https://www.slideshare.net/slideshow/hybrid-electr...
byDr. Gudipudi Nageswara Rao
 
PDF
ANPARA THERMAL POWER STATION[1] sangam.pdf
bysangamkumar993613
 
PPTX
waste to energy deck v.3.pptx changing garbage to electricity
byGegaGrandeza1
 
PPTX
TRANSPORTATION ENGINEERING Unit-5.1.pptx
byMood Naik
 
PPTX
Waste to Energy - G2 Ethanol.pptx to process
byGegaGrandeza1
 
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 
CEC369 IoT P CEC369 IoT P CEC369 IoT PCEC369 IoT PCEC369 IoT P
byKesavRaj8
 
Washing-Machine-Simulation-using-PICSimLab.pptx
byhelppolytechnic24
 
application of matrix in computer science
byankitberamath
 
Event #3_ Build a Gemini Bot, Together with GitHub_private.pdf
by3526ming
 
Advancements in Telecommunication for Disaster Management (www.kiu.ac.ug)
bypublication11
 
Blockchain and cryptography Lecture Notes
bysanjanakumar34
 
clustering type :hierarchical clustering.pptx
bydeepalishinkar1
 
@Regenerative braking system of DC motor
bysangamkumar993613
 
Introduction to MySQL Spatial Features and Real-World Use Cases
byVissarion Fisikopoulos
 
IPE 105 - Engineering Materials Constitution of Alloys
byMominulIslam67
 
Small Space Big Design - Amar DeXign Scape
byAmar Dexign scape
 
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
OOPCodesjavapracticalkabirpawarpptinparacticalexamination
bySvkmiot
 
Best Marketplaces to Buy Snapchat Accounts in 2025.pdf
byys3ik6l8c3ftbz
 
HEV Descriptive Questions https://www.slideshare.net/slideshow/hybrid-electr...
byDr. Gudipudi Nageswara Rao
 
ANPARA THERMAL POWER STATION[1] sangam.pdf
bysangamkumar993613
 
waste to energy deck v.3.pptx changing garbage to electricity
byGegaGrandeza1
 
TRANSPORTATION ENGINEERING Unit-5.1.pptx
byMood Naik
 
Waste to Energy - G2 Ethanol.pptx to process
byGegaGrandeza1
 

Adversarial ML - Part 2.pdf

  • 1.
    Adversarial Machine Learning (Part2) Luis Muñoz-González l.munoz@imperial.ac.uk 20th December 2018 https://rissgroup.org
  • 2.
    Reminder… Evasion Attacks: • Attacksat test time. • The attacker aims to find the blind spots and weaknesses of the ML system to evade it. Poisoning Attacks: • Compromise data collection. • The attacker subverts the learning process. • Degrades the performance of the system. • Can facilitate future evasion. 2
  • 3.
    Evasion Attacks 3 a.k.a. AdversarialExamples • C. Szegedy et al. “Intriguing Properties of Neural Networks.” arXiv preprint, 2013. • I. Goodfellow, J. Shlens, C. Szegedy. “Expalining and Harnessing Adversarial Examples.” ICLR 2015.
  • 4.
    Evasion Attacks 4 • K.Eykholt et al. “Robust Physical World Attacks on Deep Learning Visual Classification.” CCVPR, pp. 1625- 1634, 2018. • G.F. Elsayed et al. “Adversarial Examples that Fool both Computer Vision and Time-Limited Humans.” Arxiv pre-print arxiv:1802.08195v3, 2018.
  • 5.
    V. Kuleshov etal. “Adversarial Examples for Natural Language Classification Problems.” 2018. 5
  • 6.
  • 7.
  • 8.
    Enabling Black-Box Attacks… 8 Again…Transferability Successful attacks against one machine learning system are often successful against similar ones. We can craft effective black-box attacks with: • Surrogate models • Surrogate datasets Nicolas Papernot, Patrick McDaniel, Ian Goodfellow. “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples.” ArXiv preprint arXiv:1605.07277, 2016.
  • 9.
    Types of EvasionAttacks 9 Indiscriminate Targeted
  • 10.
    Types of EvasionAttacks (formulation) 10 Different formulations have been proposed in the research literature: • Minimum distance attack strategies: • Attacks with budget constraints: • Approximations (Fast Gradient Sign Method):
  • 11.
    Adversarial Training 11 • Re-trainthe network including adversarial examples in the training dataset. • Can help to partially mitigate the problem. • But you can’t characterise all possible adversarial regions. Approaches: • min-max training: • Ensemble adversarial training: include adversarial examples from different machine learning models. Florian Tramèr, Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. “Towards Deep Learning Models Resistant to Adversarial Attacks.” ICLR, 2018.
  • 12.
    Universal Adversarial Perturbations 12 S.-M.Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard. “Universal Adversarial Perturbations” CCVPR, pp. 86–94, 2017.
  • 13.
    Adversarial Examples withProcedural Noise 13 K.T. Co, L. Muñoz-González, E.C. Lupu. “Procedural Noise Adversarial Examples for Black-box Attacks on Deep Neural Networks.” arXiv preprint, 2018. ‘analog clock’ (28.53%) ‘barbell’ (29.84%) ‘fire truck’ (92.21%) ‘wall clock’ (18.32%)
  • 14.
    Perlin Noise 14 • Developedto produce natural-looking textures for computer graphics. • Relies on pseudo-random gradients to generate the noise patterns. • It’s simple and easy to use. • Different noise patterns can be generated according to a Noise Generating Function. • Reduced number of parameters to control the appearance of the noise patterns (4 in our case). • We use greyscale colour-map.
  • 15.
    Attack Formulation 15 classifier’s predictedlabel for sample . n-th highest probability score for sample . Perlin noise generating function parametrized by . maximum perturbation allowed (according to some norm). maximum number of queries.
  • 16.
    Attack Formulation 16 • Weuse Bayesian optimization for black-box optimization of the parameters: • Matérn 5/2 covariance function for the Gaussian Process. • Expected Improvement as acquisition function. • Enables black-box attacks aiming to reduce the number of queries.
  • 17.
    Experimental Results 17 • ImageNetdataset (1,000 classes). • Top 1 and Top 5 evasion attacks. • Adversarial training is not effective against Perlin noise attacks.
  • 18.
    Experimental Results 18 • Perlinnoise attack just requires a reduced number of queries (compared to existing black-box attacks).
  • 19.
    Experimental Results 19 • Perlinnoise perturbations have “universal properties”: the same perturbation can be used to misclassify many samples at the same time. Random perturbations Optimized perturbations
  • 20.
    Experimental Results 20 Florian Tramèr,Alex Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. “Ensemble Adversarial Training: Attacks and Defences.” ICLR, 2018. • Perlin noise attack outperforms both (state-of-the-art) white and black-box attacks against ImageNet. • The attack also shows that adversarial training is not really effective against adversarial examples when the attacker changes the perspective of the attack.
  • 21.
    Mitigation of EvasionAttacks through Feature Selection 21 Z. Bao, L. Muñoz-González, E.C. Lupu. “Mitigation of Evasion Attacks through Embedded Feature Selection.” IEEE Trans. on Cybernetics (under review), 2018.
  • 22.
    Mitigation of EvasionAttacks through Feature Selection 22 • Related work claimed that feature selection makes algorithms less secure against evasion attacks: • F. Zhang, P.P. Chan, B. Biggio, D.S. Yeung, F. Roli. “Adversarial Feature Selection against Evasion Attacks.” IEEE Transactions on Cybernetics, vol. 46, no. 3, pp. 766– 777, 2016. • B. Biggio, G. Fumera, F. Roli. “Security Evaluation of Pattern Classifiers under Attack.” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 4, pp. 984–996, 2014. • F. Wang, W. Liu, S. Chawla, “On Sparse Feature Attacks in Adversarial Learning.” International Conference on Data Mining, pp. 1013–1018, 2014.
  • 23.
    Mitigation of EvasionAttacks through Feature Selection 23 • Effects of embedded feature selection with Lasso in the security of the machine learning system. Lasso: Training Cost + ʎ |w|
  • 24.
    But… Is FeatureSelection more Secure? 24
  • 25.
    But… Is FeatureSelection more Secure? 25 Normalised perturbation: depending on the norm for the attacker’s constraints.
  • 26.
    Trade-off Accuracy vsSecurity 26 Security defined as a function of the average (normalized) distortion of the adversarial examples:
  • 27.
    Statistical Analysis ofAdversarial Examples 27 We used Maximum Mean Discrepancy (MDD) to measure the distance between genuine and adversarial examples: As proposed in: K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel. “On the Statistical Detection of Adversarial Examples.” ArXiv preprint: arXiv:1702.06280, 2017. In our case we used a normalized linear kernel (doesn’t make assumptions about the underlying data distribution):
  • 28.
    Statistical Analysis ofAdversarial Examples 28 • Adversarial examples are easier to detect when using reduced feature sets.
  • 29.
    Conclusion 29 • Machine Learningsystems are vulnerable: • Poisoning attacks (training time). • Evasion attacks (test time). • We need to understand the vulnerabilities: • Worst-case attacks. • Realistic attacker models. • Look at the whole system pipeline. • We need to understand how we can defend against these vulnerabilities: • Some defences have already been proposed but sometimes are not effective if the attacker targets the defensive algorithm itself. • Quite an open research problem. • But… How can we test the security of machine learning systems? • We need new design and testing methodologies. • Analysis of worst-case scenarios. • Verification vs testing.
  • 30.
    30 Thank you! Contact: LuisMuñoz-González l.munoz@imperial.ac.uk https://www.imperial.ac.uk/people/l.munoz-gonzalez www.rissgroup.org