Poisoning attacks against support vector machines
Battista Biggio (1), Blaine Nelson (2), Pavel Laskov (2)

(1) Pattern Recognition and Applications Group, Department of Electrical and Electronic Engineering (DIEE), University of Cagliari, Italy
(2) Cognitive Systems Group, Wilhelm Schickard Institute for Computer Science, University of Tuebingen, Germany
Machine learning in adversarial settings

•   Machine learning in computer security
      –   spam filtering, network intrusion detection, malware detection, biometrics

•   Malicious adversaries aim to mislead the system

[Figure: network diagram with an IDS; labels: IDS, Tr, inbound traffic, Network, outbound traffic. The second build of the slide (slide 3) adds a "poisoning attack" label pointing into the system.]

June 28th, 2012        Poisoning attacks against SVMs - ICML 2012 - B. Biggio          2
Poisoning attack against SVMs
Problem setting

•   Goal. To maximize the classification error (DoS attack)
          by injecting an attack point xc into the training set

•   Main assumption. Perfect knowledge / worst-case scenario

[Figure: two-class toy problem. Left panel: classification error = 0.022. Right panel (slide 4): classification error = 0.039 with the attack point xc marked; on the second build (slide 5) the right panel shows the classification error as a function of xc.]
Our approach

•   To maximize the hinge loss on a validation set (hinge loss: max(0, -g), plotted against y f(x), with g = y f(x) - 1)

    $$\max_{x_c} L(x_c) = \sum_k \bigl(1 - y_k f_{x_c}(x_k)\bigr)_+ = \sum_k \bigl(-g_k(x_c)\bigr)_+ , \qquad g_k(x_c) = y_k f_{x_c}(x_k) - 1$$

•   Gradient ascent: $x_c \leftarrow x_c + t\,\nabla L(x_c)$

    $$\nabla L(x_c) = -\sum_{k:\, g_k < 0} \frac{d g_k}{d x_c}$$

    $$\frac{d g_k}{d x_c} = \sum_j Q_{kj}\,\frac{d \alpha_j}{d x_c} + y_k\,\frac{d b}{d x_c} + \frac{d Q_{kc}}{d x_c}\,\alpha_c , \quad \text{where } Q = y y^T \circ K$$

    How does the SVM solution change during a single update of xc?
A trick from incremental SVM

•   Assumption. No structural change occurs during a single update of xc
     –   Karush-Kuhn-Tucker conditions must hold before and after the update

    S: margin vectors    $g_i = y_i f(x_i) - 1 = 0,\quad 0 < \alpha_i < C$
    R: reserve vectors   $g_i > 0,\quad \alpha_i = 0$
    E: error vectors     $g_i < 0,\quad \alpha_i = C$

    Keeping the sets S, R and E fixed during the update gives:

    $$\frac{d\alpha_i}{dx_c} = 0,\ i \in R \cup E \qquad \frac{dg_i}{dx_c} = 0,\ i \in S \qquad h = \sum_j y_j \alpha_j = 0 \;\Rightarrow\; \frac{dh}{dx_c} = 0$$

    $$\begin{pmatrix} \dfrac{db}{dx_c} \\[6pt] \dfrac{d\alpha_s}{dx_c} \end{pmatrix} = - \begin{pmatrix} 0 & y_s^T \\ y_s & Q_{ss} \end{pmatrix}^{-1} \begin{pmatrix} 0 \\[4pt] \dfrac{dQ_{sc}}{dx_c} \end{pmatrix} \alpha_c$$
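The quantities on slides 6 and 7 (the validation hinge loss L, the sets S, R and E, and the effect of one extra training point) are easy to see on a small problem. The following is an added example, not code from the slides or from the authors: a linear SVM trained by dual coordinate descent (the bias is folded into w via a constant feature, an assumed simplification), the KKT partition of the training points, the validation hinge loss, and a defensive leave-one-out check that retrains without each training point and flags the one whose removal lowers the validation loss most. The data are constructed 2-D Gaussian blobs, C = 1 is assumed, and the injected point x_c is a constructed wrong-label sample, not the gradient-ascent optimum the slides compute.

```python
"""Linear SVM by dual coordinate descent, the KKT partition (margin / reserve /
error vectors) from slide 7, the validation hinge loss from slide 6, and a
leave-one-out sanitization check. Added example, not the authors' code."""
import random

C = 1.0      # SVM regularization constant (assumption: C = 1)
TOL = 1e-6   # tolerance used when reading alpha_i against its bounds 0 and C


def dual_cd_svm(X, y, C=C, epochs=200, seed=0):
    """Dual coordinate descent (Hsieh et al. 2008). The bias b is folded into w
    by appending a constant feature 1, so f(x) = w . [x, 1]; this regularizes b
    slightly, a standard simplification. Returns (w, alpha)."""
    rng = random.Random(seed)
    Xa = [list(x) + [1.0] for x in X]
    n, d = len(Xa), len(Xa[0])
    w, alpha = [0.0] * d, [0.0] * n
    qii = [sum(v * v for v in xi) for xi in Xa]          # Q_ii = ||x_i||^2
    order = list(range(n))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            g = y[i] * sum(w[j] * Xa[i][j] for j in range(d)) - 1.0  # g_i = y_i f(x_i) - 1
            # projected gradient is zero when alpha_i sits at a bound it cannot leave
            if (alpha[i] == 0.0 and g >= 0) or (alpha[i] == C and g <= 0):
                continue
            a_old = alpha[i]
            alpha[i] = min(C, max(0.0, a_old - g / qii[i]))   # clipped to [0, C]
            step = (alpha[i] - a_old) * y[i]
            for j in range(d):
                w[j] += step * Xa[i][j]
    return w, alpha


def decision(w, x):
    """f(x) = w . [x, 1]."""
    return sum(wj * xj for wj, xj in zip(w, list(x) + [1.0]))


def kkt_partition(w, alpha, X, y, C=C, tol=TOL):
    """Slide 7: S (0 < alpha < C, g = 0), R (alpha = 0, g > 0), E (alpha = C, g < 0).
    At convergence the sign of g_i follows from where alpha_i sits, so the
    partition is read off alpha alone."""
    S, R, E = [], [], []
    for i in range(len(X)):
        if alpha[i] <= tol:
            R.append(i)
        elif alpha[i] >= C - tol:
            E.append(i)
        else:
            S.append(i)
    return S, R, E


def hinge_loss(w, Xv, yv):
    """Slide 6: L = sum_k (1 - y_k f(x_k))_+ over the validation set."""
    return sum(max(0.0, 1.0 - yk * decision(w, xk)) for xk, yk in zip(Xv, yv))


def error_rate(w, Xt, yt):
    return sum(1 for xk, yk in zip(Xt, yt) if yk * decision(w, xk) <= 0) / len(Xt)


def loo_influence(X, y, Xv, yv):
    """Defensive check: drop in validation hinge loss when training point i is
    removed and the SVM retrained. The largest value flags a sanitization candidate."""
    base = hinge_loss(dual_cd_svm(X, y)[0], Xv, yv)
    return [base - hinge_loss(dual_cd_svm(X[:i] + X[i + 1:], y[:i] + y[i + 1:])[0], Xv, yv)
            for i in range(len(X))]


def make_data(n_per_class, seed):
    """Constructed two-class 2-D Gaussian blobs (not the slides' data)."""
    rng = random.Random(seed)
    X, y = [], []
    for label, (cx, cy) in ((+1, (2.0, 2.0)), (-1, (-2.0, -2.0))):
        for _ in range(n_per_class):
            X.append((cx + rng.gauss(0, 0.7), cy + rng.gauss(0, 0.7)))
            y.append(label)
    return X, y


X_TR, Y_TR = make_data(10, seed=1)
X_VAL, Y_VAL = make_data(25, seed=2)
X_C, Y_C = (2.5, 2.5), -1   # constructed stand-in for an injected point: a wrong-label sample


def run():
    w0, _ = dual_cd_svm(X_TR, Y_TR)                      # clean training set
    X_P, Y_P = X_TR + [X_C], Y_TR + [Y_C]                # training set with x_c injected
    w1, a1 = dual_cd_svm(X_P, Y_P)
    S, R, E = kkt_partition(w1, a1, X_P, Y_P)
    infl = loo_influence(X_P, Y_P, X_VAL, Y_VAL)
    return {
        "clean_loss": hinge_loss(w0, X_VAL, Y_VAL),
        "poisoned_loss": hinge_loss(w1, X_VAL, Y_VAL),
        "clean_error": error_rate(w0, X_VAL, Y_VAL),
        "poisoned_error": error_rate(w1, X_VAL, Y_VAL),
        "xc_in_E": len(X_TR) in E,                       # x_c ends up as an error vector
        "flagged": max(range(len(infl)), key=infl.__getitem__),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The injected point lands in E with alpha = C, the validation hinge loss rises, and the leave-one-out check flags index 10 (the injected point). Retraining n times is affordable here; on the slides' MNIST setting (TR: 100) it is still cheap, but it scales poorly, which is one reason the incremental-SVM derivative on this slide is attractive for analysis in the first place.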
Our approach

    $$\frac{d g_k}{d x_c} = \sum_{j \in S} Q_{kj}\,\frac{d \alpha_j}{d x_c} + y_k\,\frac{d b}{d x_c} + \frac{d Q_{kc}}{d x_c}\,\alpha_c$$

    $$\nabla L(x_c) = -\sum_{k:\, g_k<0} \frac{d g_k}{d x_c} = -\sum_{k:\, g_k<0} \left( M_k\,\frac{d Q_{sc}}{d x_c} + \frac{d Q_{kc}}{d x_c} \right) \alpha_c$$

    The gradient now only depends on the derivative of the kernel function!

    $$M_k = -\frac{1}{\zeta}\left( Q_{ks}\left(\zeta\, Q_{ss}^{-1} - \upsilon\,\upsilon^T\right) + y_k\,\upsilon^T \right), \qquad \zeta = y_s^T Q_{ss}^{-1} y_s \ \text{ and } \ \upsilon = Q_{ss}^{-1} y_s$$
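Added worked derivation (not on the original slides) of M_k from the linear system on the previous slide, using the block inverse of the bordered KKT matrix. Write $Q = Q_{ss}$, $y = y_s$, $\upsilon = Q^{-1} y$ and $\zeta = y^T Q^{-1} y$ ($\zeta > 0$ whenever $Q_{ss}$ is positive definite). The Schur complement of $Q$ in the bordered matrix is $0 - y^T Q^{-1} y = -\zeta$, hence

$$\begin{pmatrix} 0 & y^T \\ y & Q \end{pmatrix}^{-1} = \begin{pmatrix} -\dfrac{1}{\zeta} & \dfrac{1}{\zeta}\,\upsilon^T \\[8pt] \dfrac{1}{\zeta}\,\upsilon & Q^{-1} - \dfrac{1}{\zeta}\,\upsilon\upsilon^T \end{pmatrix}.$$

Applying it to $-\bigl(0,\ \tfrac{dQ_{sc}}{dx_c}\bigr)^T \alpha_c$ gives

$$\frac{db}{dx_c} = -\frac{1}{\zeta}\,\upsilon^T \frac{dQ_{sc}}{dx_c}\,\alpha_c, \qquad \frac{d\alpha_s}{dx_c} = -\frac{1}{\zeta}\bigl(\zeta\,Q_{ss}^{-1} - \upsilon\upsilon^T\bigr)\frac{dQ_{sc}}{dx_c}\,\alpha_c,$$

and substituting both into $\frac{dg_k}{dx_c} = Q_{ks}\frac{d\alpha_s}{dx_c} + y_k\frac{db}{dx_c} + \frac{dQ_{kc}}{dx_c}\alpha_c$ yields

$$\frac{dg_k}{dx_c} = \Bigl(\underbrace{-\frac{1}{\zeta}\bigl(Q_{ks}(\zeta\,Q_{ss}^{-1} - \upsilon\upsilon^T) + y_k\,\upsilon^T\bigr)}_{M_k}\ \frac{dQ_{sc}}{dx_c} + \frac{dQ_{kc}}{dx_c}\Bigr)\alpha_c,$$

which is the $M_k$ stated on this slide. Since $\alpha_i$ is held fixed for $i \in R \cup E$, only the margin vectors enter through $Q_{ks}$ and $Q_{ss}$, and every term is linear in the kernel derivatives $\frac{dQ_{sc}}{dx_c}$ and $\frac{dQ_{kc}}{dx_c}$, which is exactly why the gradient reduces to derivatives of the kernel.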
Poisoning attack algorithm
Linear kernel

    $$\frac{dQ_{kc}}{dx_c} = \frac{d}{dx_c}\, y_k y_c\, K(x_k, x_c) = y_k\, y_c\, x_k$$

[Figure: two panels of a two-class toy problem with a linear kernel, each marking the initial attack point xc(0) and the final attack point xc.]
Poisoning attack algorithm
RBF kernel

    $$\frac{dQ_{kc}}{dx_c} = y_k\, y_c \cdot K(x_k, x_c) \cdot \gamma \cdot (x_k - x_c)$$

[Figure: two panels of a two-class toy problem with an RBF kernel, each marking the initial attack point xc(0) and the final attack point xc.]
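Before building anything on the two kernel derivatives above it is worth confirming them numerically, since a sign or scale error in dQ_kc/dx_c silently corrupts every later gradient. The following is an added example, not code from the slides or the authors: it checks the closed-form derivatives of slides 9 and 10 against central finite differences on constructed vectors. The RBF kernel is assumed to be parametrised as exp(-γ‖x_k - x_c‖²/2), for which the slide's factor γ(x_k - x_c) is exact; with the other common convention exp(-γ‖x_k - x_c‖²) the factor is 2γ instead. γ = 0.5 is an assumed value.

```python
"""Finite-difference check of the kernel derivatives dQ_kc/dx_c used on
slides 9 (linear) and 10 (RBF). Added example, not the authors' code."""
import math

GAMMA = 0.5   # assumption: RBF width parameter


def linear_kernel(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def rbf_kernel(a, b, gamma=GAMMA):
    # Convention assumed here: K = exp(-gamma/2 * ||a - b||^2), for which the
    # slide's derivative factor gamma * (x_k - x_c) is exact. Under
    # exp(-gamma * ||a - b||^2) the factor would be 2 * gamma.
    sq = sum((ai - bi) ** 2 for ai, bi in zip(a, b))
    return math.exp(-0.5 * gamma * sq)


def dQ_linear(xk, xc, yk, yc):
    """Slide 9: dQ_kc/dx_c = y_k y_c x_k (x_c does not appear)."""
    return [yk * yc * v for v in xk]


def dQ_rbf(xk, xc, yk, yc, gamma=GAMMA):
    """Slide 10: dQ_kc/dx_c = y_k y_c K(x_k, x_c) gamma (x_k - x_c)."""
    k = rbf_kernel(xk, xc, gamma)
    return [yk * yc * k * gamma * (a - b) for a, b in zip(xk, xc)]


def numeric_dQ(kernel, xk, xc, yk, yc, h=1e-6):
    """Central finite differences of Q_kc = y_k y_c K(x_k, x_c) w.r.t. each x_c[j]."""
    grad = []
    for j in range(len(xc)):
        xp, xm = list(xc), list(xc)
        xp[j] += h
        xm[j] -= h
        grad.append(yk * yc * (kernel(xk, xp) - kernel(xk, xm)) / (2 * h))
    return grad


def max_abs_diff(u, v):
    return max(abs(a - b) for a, b in zip(u, v))


# Constructed sample vectors: a training point x_k and a candidate x_c.
X_K, X_C = [1.0, -2.0, 0.5], [0.3, 0.4, -1.0]
Y_K, Y_C = +1, -1


def check_all():
    """Largest absolute discrepancy between analytic and numeric gradients,
    for the linear and the RBF kernel respectively."""
    lin = max_abs_diff(dQ_linear(X_K, X_C, Y_K, Y_C),
                       numeric_dQ(linear_kernel, X_K, X_C, Y_K, Y_C))
    rbf = max_abs_diff(dQ_rbf(X_K, X_C, Y_K, Y_C),
                       numeric_dQ(rbf_kernel, X_K, X_C, Y_K, Y_C))
    return lin, rbf


if __name__ == "__main__":
    print("max |analytic - numeric|: linear %.2e, rbf %.2e" % check_all())
```

Both discrepancies come out far below 1e-6, at the level of floating-point noise. The same check applied with the exp(-γ‖·‖²) kernel would show the analytic gradient off by exactly a factor of two, which is the kind of convention mismatch this test exists to catch.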
Experiments on the MNIST digit data
Single-point attack

•   Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000

[Figure: the attack digit at its initial position xc(0) and after the attack, xc.]

Experiments on the MNIST digit data
Multiple-point attack

•   Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000
Conclusions and future work

•   SVM may be very vulnerable to poisoning (worst-case scenario)

•   What if we assume more realistic scenarios?
     – Effectiveness with surrogate data

•   How to improve robustness to poisoning?

•   Find us at the poster session (#12)
     – 17:40, Informatics Forum (IF)




       Thanks for your attention!



Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"

  • 1. Poisoning attacks against support vector machines
    Battista Biggio (1), Blaine Nelson (2), Pavel Laskov (2)
    (1) Pattern Recognition and Applications Group, Department of Electrical and Electronic Engineering (DIEE), University of Cagliari, Italy
    (2) Cognitive Systems Group, Wilhelm Schickard Institute for Computer Science, University of Tuebingen, Germany
  • 2. Machine learning in adversarial settings
    • Machine learning in computer security
      – spam filtering, network intrusion detection, malware detection, biometrics
    • Malicious adversaries aim to mislead the system
    [figure: an IDS with its training data Tr, placed between inbound and outbound network traffic]
    June 28th, 2012 Poisoning attacks against SVMs - ICML 2012 - B. Biggio 2
  • 3. Machine learning in adversarial settings
    • Machine learning in computer security
      – spam filtering, network intrusion detection, malware detection, biometrics
    • Malicious adversaries aim to mislead the system
    [figure: the same IDS, now with a poisoning attack aimed at its training data Tr]
  • 4. Poisoning attack against SVMs: problem setting
    • Goal. To maximize the classification error (DoS attack) by injecting an attack point $x_c$ into the training set
    • Main assumption. Perfect knowledge / worst-case scenario
    [figure: two trained SVMs, classification error = 0.022 and classification error = 0.039, the second showing the injected attack point $x_c$]
  • 5. Poisoning attack against SVMs: problem setting
    • Goal. To maximize the classification error (DoS attack) by injecting an attack point $x_c$ into the training set
    • Main assumption. Perfect knowledge / worst-case scenario
    [figure: left, the trained SVM with classification error = 0.022; right, the classification error as a function of the position of $x_c$]
  • 6. Our approach
    • To maximize the hinge loss on a validation set
      hinge loss: $\max(0, -g)$, with $g_k = y_k f_{x_c}(x_k) - 1$
      $\max_{x_c} L(x_c) = \sum_k \big(1 - y_k f_{x_c}(x_k)\big)_+$
      [plot: hinge loss $-g_k(x_c)$ against $y f(x)$, zero beyond $y f(x) = 1$]
    • Gradient ascent: $x_c \leftarrow x_c + t\,\nabla L(x_c)$
      $\frac{\partial L(x_c)}{\partial x_c} = -\sum_{k:\, g_k < 0} \frac{\partial g_k}{\partial x_c}$
      $\frac{\partial g_k}{\partial x_c} = \sum_j Q_{kj}\frac{\partial \alpha_j}{\partial x_c} + y_k \frac{\partial b}{\partial x_c} + \frac{\partial Q_{kc}}{\partial x_c}\alpha_c$, where $Q = y y^T \circ K$
      How does the SVM solution change during a single update of $x_c$?
  • 7. A trick from incremental SVM
    • Assumption. No structural change occurs during a single update of $x_c$
      – Karush-Kuhn-Tucker conditions must hold before and after the update
        S: margin vectors, $y_i f(x_i) - 1 = 0$, $0 < \alpha_i < C$
        E: error vectors, $g_i < 0$, $\alpha_i = C$
        R: reserve vectors, $g_i > 0$, $\alpha_i = 0$
        $\frac{\partial \alpha_i}{\partial x_c} = 0$ for $i \in R \cup E$; $\frac{\partial g_i}{\partial x_c} = 0$ for $i \in S$; $h = \sum_j y_j \alpha_j = 0 \Rightarrow \frac{\partial h}{\partial x_c} = 0$
      $$\begin{pmatrix} \frac{\partial b}{\partial x_c} \\ \frac{\partial \alpha_s}{\partial x_c} \end{pmatrix} = -\begin{pmatrix} 0 & y_s^T \\ y_s & Q_{ss} \end{pmatrix}^{-1} \begin{pmatrix} 0 \\ \frac{\partial Q_{sc}}{\partial x_c} \end{pmatrix} \alpha_c$$
  • 8. Our approach
    $\frac{\partial g_k}{\partial x_c} = \sum_{j \in S} Q_{kj}\frac{\partial \alpha_j}{\partial x_c} + y_k \frac{\partial b}{\partial x_c} + \frac{\partial Q_{kc}}{\partial x_c}\alpha_c$
    $\frac{\partial L(x_c)}{\partial x_c} = -\sum_{k:\, g_k < 0} \frac{\partial g_k}{\partial x_c} = -\sum_{k:\, g_k < 0} \Big( M_k \frac{\partial Q_{sc}}{\partial x_c} + \frac{\partial Q_{kc}}{\partial x_c} \Big) \alpha_c$
    The gradient now only depends on the derivative of the kernel function!
    $M_k = -\frac{1}{\zeta}\Big( Q_{ks}\big(\zeta Q_{ss}^{-1} - \upsilon \upsilon^T\big) + y_k \upsilon^T \Big)$, with $\zeta = y_s^T Q_{ss}^{-1} y_s$ and $\upsilon = Q_{ss}^{-1} y_s$
  • 9. Poisoning attack algorithm: linear kernel
    $\frac{\partial Q_{kc}}{\partial x_c} = y_k y_c \frac{\partial}{\partial x_c} K(x_k, x_c) = y_k y_c\, x_k$
    [figure: trajectory of the attack point from its initial position $x_c^{(0)}$ to $x_c$]
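An added consistency check of slides 7 to 9 (not code from the slides or the authors): for the linear kernel and constructed toy margin vectors, it computes $\partial g_k / \partial x_c$ once by solving the bordered system of slide 7 directly and once with the closed-form $M_k$ of slide 8, in exact fractions so the two results can be compared exactly. The helper names (`inverse`, `kernel_terms`, `dgk_direct`, `dgk_closed`) and the toy values are my own.

```python
# Added example, not code from the slides or the authors: checks that the
# closed-form M_k (slide 8) equals the direct solve of the slide-7 KKT system.
from fractions import Fraction as F

def inverse(A):
    """Gauss-Jordan inverse with partial pivoting, exact Fractions, small n."""
    n = len(A)
    M = [[F(v) for v in row] + [F(int(i == j)) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [v / piv for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]
def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def kernel_terms(Xs, ys, xk, yk, yc):
    """Q_ss, Q_ks, dQ_sc/dx_c, dQ_kc/dx_c for the linear kernel (slide 9)."""
    n = len(Xs)
    Qss = [[ys[i] * ys[j] * dot(Xs[i], Xs[j]) for j in range(n)] for i in range(n)]
    Qks = [yk * ys[j] * dot(xk, Xs[j]) for j in range(n)]
    dQsc = [[ys[i] * yc * v for v in Xs[i]] for i in range(n)]  # one row per s in S
    return Qss, Qks, dQsc, [yk * yc * v for v in xk]

def dgk_direct(Xs, ys, xk, yk, yc, alpha_c):
    """Slide 7: solve [0 y_s^T; y_s Q_ss][db; da_s] = -[0; dQ_sc/dx_c] a_c."""
    Qss, Qks, dQsc, dQkc = kernel_terms(Xs, ys, xk, yk, yc)
    n, d = len(Xs), len(xk)
    A = [[0] + list(ys)] + [[ys[i]] + Qss[i] for i in range(n)]
    rhs = [[0] * d] + [[-alpha_c * v for v in row] for row in dQsc]
    sol = [[dot(row, col) for col in zip(*rhs)] for row in inverse(A)]
    db, da = sol[0], sol[1:]
    return [dot(Qks, [da[j][l] for j in range(n)]) + yk * db[l] + dQkc[l] * alpha_c
            for l in range(d)]

def dgk_closed(Xs, ys, xk, yk, yc, alpha_c):
    """Slide 8: dg_k/dx_c = (M_k dQ_sc/dx_c + dQ_kc/dx_c) a_c."""
    Qss, Qks, dQsc, dQkc = kernel_terms(Xs, ys, xk, yk, yc)
    n, d, Qinv = len(Xs), len(xk), inverse(Qss)
    ups = [dot(Qinv[i], ys) for i in range(n)]          # upsilon = Q_ss^{-1} y_s
    zeta = dot(ys, ups)                                 # zeta = y_s^T Q_ss^{-1} y_s
    Mk = [-(dot(Qks, [zeta * Qinv[i][j] - ups[i] * ups[j] for i in range(n)])
            + yk * ups[j]) / zeta for j in range(n)]
    return [(dot(Mk, [dQsc[j][l] for j in range(n)]) + dQkc[l]) * alpha_c for l in range(d)]
```

With margin vectors $S = \{(1,0), (0,1)\}$, labels $(+1,-1)$, a point $x_k = (2,1)$ with $y_k = +1$, $y_c = -1$ and $\alpha_c = 1$, both functions return $(-1, -1)$.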
  • 10. Poisoning attack algorithm: RBF kernel
    $\frac{\partial Q_{kc}}{\partial x_c} = y_k y_c \, K(x_k, x_c) \, \gamma \, (x_k - x_c)$
    [figure: trajectory of the attack point from its initial position $x_c^{(0)}$ to $x_c$]
  • 11. Experiments on the MNIST digit data: single-point attack
    • Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000
    [figure: the attack digit at its initial position $x_c^{(0)}$ and after the attack, $x_c$]
  • 12. Experiments on the MNIST digit data: multiple-point attack
    • Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000
  • 13. Conclusions and future work
    • SVM may be very vulnerable to poisoning (worst-case scenario)
    • What if we assume more realistic scenarios?
      – Effectiveness with surrogate data
    • How to improve robustness to poisoning?
    • Find us at the poster session (#12)
      – 17:40, Informatics Forum (IF)
    Thanks for your attention!