SlideShare a Scribd company logo

Black-Box attacks against Neural Networks - technical project report

Roberto Falconi
Roberto Falconi

This document summarizes a technical report on practical black-box attacks against machine learning. It describes how the authors implemented black-box attacks against deep neural network classifiers without any knowledge of the model's architecture or parameters. The attack strategy involves training a substitute model using synthetic inputs generated from the target model's outputs, then crafting adversarial examples using the substitute model that are misclassified by the target model. The authors validated the attacks on MNIST and CIFAR classifiers using two different attack techniques and also tested attacks on a locally trained dataset. Defenses such as adversarial training and defensive distillation were discussed.

Software
1 of 11
Download to read offline
Sapienza – University of Rome MSc in Engineering in Computer Science Neural Networks, AY 2018/19 Submitted to Prof. A. Uncini S. Clinciu – R. Falconi Practical Black-Box Attacks against Machine Learning
0. Summary 1. Introduction................................................................................................................................3 2. How to run the code..................................................................................................................3 3. Deep Neural Networks.............................................................................................................4 4. Threat model ..............................................................................................................................4 5. Black Box attack strategy ..........................................................................................................5 6. Attack validation........................................................................................................................7 7. Generalization of the attack......................................................................................................9 8. Defense strategies ......................................................................................................................9 9. Conclusions...............................................................................................................................10 10. References.............................................................................................................................11
1. Introduction This is the technical report for the Neural Networks course by Professor A. Uncini. The report is about Practical Black-Box Attacks against Machine Learning, scientific paper by N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik and A. Swami. The work is done by students S. Clinciu and R. Falconi, while studying at MSc in Engineering in Computer Science, at Sapienza University of Rome. The paper’s goal is to proclaim a demonstration that black box attacks against deep neural networks (DNN) classifiers are practical for real-world adversaries with no knowledge about the model. Achievement is to implement the discussed algorithm assuming the adversary has no information about the structure or parameters of the DNN, and the defender does not have access to any large training dataset. The threat model thus corresponds to the real-world scenario of users interacting with classifiers hosted remotely by a third-party keeping the model internals secret. In fact, authors of the paper instantiate attacks against classifiers automatically trained by Amazon and Google. They gained the access to them only after training is completed. Thus, they provide the first correctly blinded experiments concerning adversarial examples as a security risk. It shows that black-box attack is applicable to many remote systems taking decisions based on ML, because it combines three key properties: the capabilities required are limited to observing output class labels, the number of labels queried is limited, and the approach applies and scales to different ML classifier types, in addition to state-of-the-art DNNs. 2. How to run the code To run the code is very easy, everything needed is to: a. Clone the GitHub repository using the command ‘git clone https://github.com/RobertoFalconi/BlackBoxAttackDNN’ b. Access the repository with ‘cd BlackBoxAttackDNN’ c. Use the command ‘pip3 install <framework name> to import each required library d. Run FGSM strategy with ‘python FastGradientSignMethods’ or JSMA strategy with the code ‘python JacobianSaliencyMapApproach’. Tested on Python 3.7.3 64-bit edition and NVIDIA 425.31 drivers, using a GeForce RTX 2080.
3. Deep Neural Networks To fully understands the threat model and the attack it is good to provide some preliminary information. As reported in the paper, Deep Neural Networks (DNN), is a ML technique that uses a hierarchical composition of n parametric function to model an input 𝑥̅. Each function 𝑓𝑖 for 𝑖 ∈ 1, … , 𝑛 is modeled using a layer of neurons, elementary calculating units applying an activation function to the preceding layer’s weighted representation of the input to generate a new representation. Each layer is parameterized by a weight vector. Such weights hold the knowledge of DNN model F and are evaluated during its training phase. 𝐹(𝑥̅) = 𝑓𝑛 (𝜃 𝑛, 𝑓𝑛−1 (𝜃 𝑛−1, … , 𝑓2(𝜃2, 𝑓1(𝜃1, 𝑥̅)))) The training phase of a DNN F learns values for its parameters 𝜃 𝐹 = {𝜃1, … , 𝜃 𝑛}. During the test phase, the DNN is deployed with a fixed set of parameters 𝜃 𝐹 to make predictions on inputs unseen during training. 4. Threat model In our work, the adversary pursues to force a classifier to misclassify inputs in any class dissimilar from their right class. In order to accomplish our project, considering a weak adversary with access to the DNN output only. The opponent has no information of the architectural selections made to design the DNN, which include the number, type and size of layers, nor the training data used to learn the DNN’s parameters. Such attacks are referred to as black box, where adversaries don’t need to know internal details of a system to compromise it. The targeted model is a scenario where an attacker is targeting a multiclass DNN classifier. Its outputs probability vectors, where each vector component encodes the DNN’s belief of the input being part of one of the predefined classes. The ongoing example of a DNN classifying images, as shown in the following picture. Such DNNs can be used to classify handwritten digits into classes associated with digits from 0 to 9, images of objects in a fixed number of categories, or images of traffic signs into classes identifying its type (STOP, yield, ...). The adversarial capabilities refer to the only capability of the adversary accessing the label O(x) for any input x by querying oracle O. the output label O(x) is the index of the class assigned the largest probability by the DNN:
𝑂̅(𝑥̅) = arg 𝑚𝑎𝑥 𝑗 ∈ 0 … 𝑁 − 1 𝑂𝑗(𝑥̅) Where 𝑂𝑗(𝑥̅) is the j-th component of the probability vector 𝑂(𝑥̅) output by DNN 𝑂. Accessing labels 𝑂̅ produced by the DNN 𝑂 is the only capability assumed in our threat model. It is impossible to access to the oracle internals or training data. In order to produce a minimally altered version of any input 𝑥̅, named adversarial sample, denoted 𝑥̅∗ , misclassified by oracle 𝑂: 𝑂̅(𝑥̅∗) ≠ 𝑂̅(𝑥̅). This corresponds to an attack on the oracle’s output integrity. Adversarial samples solve the following optimization problem: 𝑥̅∗ = 𝑥̅ + arg min{𝑧̅: 𝑂̅(𝑥̅ + 𝑧̅) ≠ 𝑂̅(𝑥̅)} = 𝑥̅ + 𝛿 𝑥̅ Examples of adversarial samples can be found in the following figure. 5. Black Box attack strategy We are going to implement a Black Box attack following the papers strategy. The adversary wants to craft inputs misclassified by the ML model using the sole capability of accessing the label 𝑂̅(𝑥̅) assigned by classifier for any chosen input 𝑥̅. The strategy is to learn a substitute for the target model using a dataset generated by the adversary and labeled by observing the oracle output. Then, adversarial examples are crafted using this substitute. It is expected the target DNN to misclassify them due to transferability between architectures. Usually, ML need large training sets for training. For instance, attackers can consider models trained with several tens of thousands of labeled examples. This makes attacks based on this paradigm unfeasible for adversaries without large labeled datasets. In this paper, the authors show black-box attacks can be accomplished at a much lower cost, without labeling an independent training set. In our approach, to enable the adversary to train a substitute model without a real labeled dataset, it is required to use the target DNN as an oracle to construct a synthetic dataset.
Authors propose the following two strategies: substitute model training and adversarial sample crafting. Substitute model training: attacker interrogates oracle with synthetic inputs selected by a Jacobian based heuristic to build a model F approximating the oracle model O’s decision boundaries. Training a substitute model F approximating oracle O is challenging because we must: (1) select an architecture for our substitute without knowledge of the targeted oracle’s architecture, and (2) limit the number of queries made to the oracle in order to ensure that the approach is tractable. The approach, illustrated in Figure 3, overcomes these challenges mainly by introducing a synthetic data generation technique, the Jacobian-based Dataset Augmentation. Adversarial sample crafting: attacker substitutes the network F to craft adversarial samples, which are then misclassified by oracle O due to the transferability of adversarial samples. Once the adversary trained a substitute DNN, it uses it to craft adversarial samples. In our project, we provided an overview of two approaches discussed in the paper, namely the Goodfellow et al. algorithm (also known as Fast Gradient Sign Method or FGSM) and the Papernot et al. algorithm (also known as Jacobian-based Saliency Map Attack or JSMA). Both share a similar intuition of evaluating model’s sensitivity to input modification to select small perturbation achieving misclassification goal. Goodfellow gives a model F with an associated cost function 𝑐(𝐹, 𝑥̅, 𝑦), the adversary crafts an adversarial sample 𝑥∗̅̅̅ = 𝑥̅ + 𝛿 𝑥̅ for a given legitimate sample 𝑥̅ by computing the following perturbation: 𝛿 𝑥̅ = 𝜖 𝑠𝑔𝑛(∇ 𝑥̅ 𝑐(𝐹, 𝑥̅, 𝑦)) where the perturbation sgn is the sign of the model’s cost function gradient, computed with respect to 𝑥̅ using sample 𝑥̅ and label y as inputs.
Figure 1: example of FGSM Papernot algorithm is suitable for source-target misclassification attacks where adversaries seek to take samples from any legitimate source class to any chosen target class. Misclassification attacks are a special case of source-target misclassifications, where the target class can be any class different from the legitimate source class. Given model F, the adversary crafts an adversarial sample 𝑥̅∗ = 𝑥̅ + 𝛿 𝑥̅ for a given legitimate sample 𝑥̅ by adding a perturbation 𝛿 𝑥̅ to a subset of the input components 𝑥̅𝑖. Both the algorithms have benefits and drawbacks, because the Goodfellow one is suitable for fast crafting of many adversarial samples with quite large perturbations thus potentially easier to detect, while the Papernot one tends to reduce perturbations in exchange of a greater computing cost. 6. Attack validation To validate the attack, we tried it against different classifiers and using also different types of attack. We first made an FGSM attack to target DNN trained using MNIST dataset, then we made another attack against a DNN trained with CIFAR dataset, both attacks have the goal to misclassify most of adversarial examples crafted with a perturbation not affecting human recognition. Finally, we repeat both the attack using a JSMA type of attack. The MNIST database (Modified National Institute of Standards and Technology database) is a large database of handwritten digits that is commonly used for training various image processing systems, it is widely used for training and testing in the field of machine learning. The CIFAR dataset (Canadian Institute For Advanced Research) is a collection of images that are commonly used to train machine learning and computer vision algorithms. The CIFAR dataset contains 60,000 32x32 color images in 10 different classes. The 10 different classes represent airplanes, cars, birds, cats, deer, dogs, frogs, horses, ships, and trucks. There are 6,000 images of each class.
Both MNIST and CIFAR are two of the most widely used datasets for machine learning research. In the end, we made another two attacks, FGSM and JSMA, to a local trained dataset composed by pictures and photos of real world, in order to make better the idea of the effects for real world elements and subjects, instead of using MNIST and CIFAR datasets only. Our goal is to verify whether these samples are also misclassified by the oracle or not. Therefore, the transferability of adversarial samples refers to the oracle misclassification rate of adversarial samples crafted using the substitute DNN.
7. Generalization of the attack Substitutes and oracles take in cause were learned with DNNs, but the attack bounds its applicability to other ML systems. For examples, substitutes can also be learned with logistic regression and the attack generalizes to additional ML models. 8. Defense strategies According to the paper of Practical Black-Box Attacks against Machine Learning which we based our work on, the two types of defense strategies are: (1) reactive where one seeks to detect adversarial examples, and (2) proactive where one makes the model itself more robust.
Adversarial training. The attack is not more easily detectable than a classic adversarial example attack. Oracle queries may be distributed among a set of colluding users, and as such remain hard to detect, but defender may increase the attacker’s cost by training models with higher input dimensionality or modeling complexity. Indeed, the authors experimental results indicate that these two factors increase the number of queries required to train substitutes: black-box attack based on transfer from a substitute model overcomes gradient masking defenses. Defensive distillation. It is a defense which make models robust in a small neighborhood of the training manifold perform gradient masking: they smooth the decision surface and reduce gradients used by adversarial crafting in small neighborhoods. However, using a substitute and our black-box approach evades these defenses, as the substitute model is not trained to be robust to the said small perturbations. 9. Conclusions Defending against finite perturbations is a more promising avenue for future work than defending against infinitesimal perturbations. Our implementation reflects what the paper is about. The authors show a work based on a novel substitute training algorithm using synthetic data generation, to craft adversarial examples misclassified by black-box DNNs. Our work is a significant step towards relaxing strong assumptions about adversarial capabilities made by previous attacks.
10. References 1. Alexey Kurakin, Ian J. Goodfellow, Samy Bengio. Adversarial Examples in the physical world. [Online] 2017. https://arxiv.org/pdf/1607.02533.pdf. 2. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, Ananthram Swami. Practical Black-Box Attacks against Machine Learning. [Online] 2017. https://arxiv.org/pdf/1602.02697.pdf. 3. Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy. Explaining and harnessing adversarial examples. [Online] 2015. https://arxiv.org/pdf/1412.6572.pdf. 4. Anish Athalye, Nicholas Carlini, David Wagner. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. [Online] 2018. https://arxiv.org/pdf/1802.00420v4.pdf. 5. Papernot, Nicolas. Gradient Masking in Machine Learning. [Online] https://seclab.stanford.edu/AdvML2017/slides/17-09-aro-aml.pdf. 6. Goodfellow, Ian and Papernot, Nicolas. Is attacking machine learning easier than defending it? [Online] http://www.cleverhans.io/security/privacy/ml/2017/02/15/why- attacking-machine-learning-is-easier-than-defending-it.html.

Recommended

Black-Box attacks against Neural Networks - technical project presentation
Black-Box attacks against Neural Networks - technical project presentationBlack-Box attacks against Neural Networks - technical project presentation
Black-Box attacks against Neural Networks - technical project presentation
Roberto Falconi
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
Jason Papapanagiotakis
 
Mining Fix Patterns for FindBugs Violations
Mining Fix Patterns for FindBugs ViolationsMining Fix Patterns for FindBugs Violations
Mining Fix Patterns for FindBugs Violations
Dongsun Kim
 
Class
ClassClass
Class
KanwalBloach
 
A recommender system for generalizing and refining code templates
A recommender system for generalizing and refining code templatesA recommender system for generalizing and refining code templates
A recommender system for generalizing and refining code templates
Coen De Roover
 
TBar: Revisiting Template-based Automated Program Repair
TBar: Revisiting Template-based Automated Program RepairTBar: Revisiting Template-based Automated Program Repair
TBar: Revisiting Template-based Automated Program Repair
Dongsun Kim
 
C++ Interview Questions
C++ Interview QuestionsC++ Interview Questions
C++ Interview Questions
Kaushik Raghupathi
 
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Coen De Roover
 

Recommended

Black-Box attacks against Neural Networks - technical project presentation
Black-Box attacks against Neural Networks - technical project presentationBlack-Box attacks against Neural Networks - technical project presentation
Black-Box attacks against Neural Networks - technical project presentation
Roberto Falconi
 
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
414351_Iason_Papapanagiotakis-bousy_Iason_Papapanagiotakis_Thesis_2360661_357...
Jason Papapanagiotakis
 
Mining Fix Patterns for FindBugs Violations
Mining Fix Patterns for FindBugs ViolationsMining Fix Patterns for FindBugs Violations
Mining Fix Patterns for FindBugs Violations
Dongsun Kim
 
Class
ClassClass
Class
KanwalBloach
 
A recommender system for generalizing and refining code templates
A recommender system for generalizing and refining code templatesA recommender system for generalizing and refining code templates
A recommender system for generalizing and refining code templates
Coen De Roover
 
TBar: Revisiting Template-based Automated Program Repair
TBar: Revisiting Template-based Automated Program RepairTBar: Revisiting Template-based Automated Program Repair
TBar: Revisiting Template-based Automated Program Repair
Dongsun Kim
 
C++ Interview Questions
C++ Interview QuestionsC++ Interview Questions
C++ Interview Questions
Kaushik Raghupathi
 
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Multi-dimensional exploration of API usage - ICPC13 - 21-05-13
Coen De Roover
 
C++ programing lanuage
C++ programing lanuageC++ programing lanuage
C++ programing lanuage
Nimai Chand Das
 
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
Coen De Roover
 
Automatic binary deobfuscation
Automatic binary deobfuscationAutomatic binary deobfuscation
Automatic binary deobfuscation
UltraUploader
 
Generating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural NetworksGenerating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural Networks
Jonathan Mugan
 
String Analysis for JavaScript Programs
String Analysis for JavaScript ProgramsString Analysis for JavaScript Programs
String Analysis for JavaScript Programs
Serena King
 
Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01
Cheng Feng
 
Crypto cameraready(1) (2)
Crypto cameraready(1) (2)Crypto cameraready(1) (2)
Crypto cameraready(1) (2)
Stefan Dziembowski
 
ICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code DescriptionsICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code Descriptions
Sebastiano Panichella
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
Dongsun Kim
 
Pointers In C
Pointers In CPointers In C
Pointers In C
Sriram Raj
 
Dot net programming concept
Dot net programming conceptDot net programming concept
Dot net programming concept
sandeshjadhav28
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
Dongsun Kim
 
Machine Learning presentation.
Machine Learning presentation.Machine Learning presentation.
Machine Learning presentation.
butest
 
Tcs NQTExam technical questions
Tcs NQTExam technical questionsTcs NQTExam technical questions
Tcs NQTExam technical questions
AniketBhandare2
 
Advanced programming topics asma
Advanced programming topics asmaAdvanced programming topics asma
Advanced programming topics asma
AbdullahJana
 
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic BindingChapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Atit Patumvan
 
Intake 38 2
Intake 38 2Intake 38 2
Intake 38 2
Mahmoud Ouf
 
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Coen De Roover
 
Jdk1.5 Features
Jdk1.5 FeaturesJdk1.5 Features
Jdk1.5 Features
india_mani
 
C programming part4
C programming part4C programming part4
C programming part4
Keroles karam khalil
 
Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
MeetupDataScienceRoma
 
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
IJNSA Journal
 

More Related Content

What's hot

C++ programing lanuage
C++ programing lanuageC++ programing lanuage
C++ programing lanuage
Nimai Chand Das
 
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
Coen De Roover
 
Automatic binary deobfuscation
Automatic binary deobfuscationAutomatic binary deobfuscation
Automatic binary deobfuscation
UltraUploader
 
Generating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural NetworksGenerating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural Networks
Jonathan Mugan
 
String Analysis for JavaScript Programs
String Analysis for JavaScript ProgramsString Analysis for JavaScript Programs
String Analysis for JavaScript Programs
Serena King
 
Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01
Cheng Feng
 
Crypto cameraready(1) (2)
Crypto cameraready(1) (2)Crypto cameraready(1) (2)
Crypto cameraready(1) (2)
Stefan Dziembowski
 
ICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code DescriptionsICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code Descriptions
Sebastiano Panichella
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
Dongsun Kim
 
Pointers In C
Pointers In CPointers In C
Pointers In C
Sriram Raj
 
Dot net programming concept
Dot net programming conceptDot net programming concept
Dot net programming concept
sandeshjadhav28
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
Dongsun Kim
 
Machine Learning presentation.
Machine Learning presentation.Machine Learning presentation.
Machine Learning presentation.
butest
 
Tcs NQTExam technical questions
Tcs NQTExam technical questionsTcs NQTExam technical questions
Tcs NQTExam technical questions
AniketBhandare2
 
Advanced programming topics asma
Advanced programming topics asmaAdvanced programming topics asma
Advanced programming topics asma
AbdullahJana
 
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic BindingChapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Atit Patumvan
 
Intake 38 2
Intake 38 2Intake 38 2
Intake 38 2
Mahmoud Ouf
 
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Coen De Roover
 
Jdk1.5 Features
Jdk1.5 FeaturesJdk1.5 Features
Jdk1.5 Features
india_mani
 
C programming part4
C programming part4C programming part4
C programming part4
Keroles karam khalil
 

What's hot (20)

C++ programing lanuage
C++ programing lanuageC++ programing lanuage
C++ programing lanuage
 
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
A Logic Meta-Programming Foundation for Example-Driven Pattern Detection in O...
 
Automatic binary deobfuscation
Automatic binary deobfuscationAutomatic binary deobfuscation
Automatic binary deobfuscation
 
Generating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural NetworksGenerating Natural-Language Text with Neural Networks
Generating Natural-Language Text with Neural Networks
 
String Analysis for JavaScript Programs
String Analysis for JavaScript ProgramsString Analysis for JavaScript Programs
String Analysis for JavaScript Programs
 
Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01Epsrcws08 campbell kbm_01
Epsrcws08 campbell kbm_01
 
Crypto cameraready(1) (2)
Crypto cameraready(1) (2)Crypto cameraready(1) (2)
Crypto cameraready(1) (2)
 
ICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code DescriptionsICPC 2012 - Mining Source Code Descriptions
ICPC 2012 - Mining Source Code Descriptions
 
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program RepairLSRepair: Live Search of Fix Ingredients for Automated Program Repair
LSRepair: Live Search of Fix Ingredients for Automated Program Repair
 
Pointers In C
Pointers In CPointers In C
Pointers In C
 
Dot net programming concept
Dot net programming conceptDot net programming concept
Dot net programming concept
 
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
You Cannot Fix What You Cannot Find! --- An Investigation of Fault Localizati...
 
Machine Learning presentation.
Machine Learning presentation.Machine Learning presentation.
Machine Learning presentation.
 
Tcs NQTExam technical questions
Tcs NQTExam technical questionsTcs NQTExam technical questions
Tcs NQTExam technical questions
 
Advanced programming topics asma
Advanced programming topics asmaAdvanced programming topics asma
Advanced programming topics asma
 
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic BindingChapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
Chapter 9 : Polymorphism, Dynamic Typing, and Dynamic Binding
 
Intake 38 2
Intake 38 2Intake 38 2
Intake 38 2
 
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...Applicative Logic Meta-Programming as the foundation for Template-based Progr...
Applicative Logic Meta-Programming as the foundation for Template-based Progr...
 
Jdk1.5 Features
Jdk1.5 FeaturesJdk1.5 Features
Jdk1.5 Features
 
C programming part4
C programming part4C programming part4
C programming part4
 

Similar to Black-Box attacks against Neural Networks - technical project report

Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
MeetupDataScienceRoma
 
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
IJNSA Journal
 
An ann approach for network
An ann approach for networkAn ann approach for network
An ann approach for network
IJNSA Journal
 
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGFAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
IJNSA Journal
 
maxbox starter60 machine learning
maxbox starter60 machine learningmaxbox starter60 machine learning
maxbox starter60 machine learning
Max Kleiner
 
1st review android malware.pptx
1st review android malware.pptx1st review android malware.pptx
1st review android malware.pptx
Nambiraju
 
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGFAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
IJNSA Journal
 
Two methods for optimising cognitive model parameters
Two methods for optimising cognitive model parametersTwo methods for optimising cognitive model parameters
Two methods for optimising cognitive model parameters
University of Huddersfield
 
Citython presentation
Citython presentationCitython presentation
Citython presentation
Ankit Tewari
 
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
wajrcs
 
Intrusion Detection System for Classification of Attacks with Cross Validation
Intrusion Detection System for Classification of Attacks with Cross ValidationIntrusion Detection System for Classification of Attacks with Cross Validation
Intrusion Detection System for Classification of Attacks with Cross Validation
inventionjournals
 
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAPMESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
ijccmsjournal
 
Message Embedded Cipher Using 2-D Chaotic Map
Message Embedded Cipher Using 2-D Chaotic MapMessage Embedded Cipher Using 2-D Chaotic Map
Message Embedded Cipher Using 2-D Chaotic Map
ijccmsjournal
 
SWE-6 TESTING.pptx
SWE-6 TESTING.pptxSWE-6 TESTING.pptx
SWE-6 TESTING.pptx
prashant821809
 
Attacks on Victim Model! A Defense Strategy
Attacks on Victim Model! A Defense StrategyAttacks on Victim Model! A Defense Strategy
Attacks on Victim Model! A Defense Strategy
Sivaranjanikumar1
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelement
Aleksandr Yampolskiy
 
Machine learning in science and industry — day 1
Machine learning in science and industry — day 1Machine learning in science and industry — day 1
Machine learning in science and industry — day 1
arogozhnikov
 
Cse cpl manual-2016
Cse cpl manual-2016Cse cpl manual-2016
Cse cpl manual-2016
Rajendra khatana
 
On the Usage of Chained Codes in Cryptography
On the Usage of Chained Codes in CryptographyOn the Usage of Chained Codes in Cryptography
On the Usage of Chained Codes in Cryptography
CSCJournals
 
Safety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdfSafety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdf
Polytechnique Montréal
 

Similar to Black-Box attacks against Neural Networks - technical project report (20)

Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)Adversarial examples in deep learning (Gregory Chatel)
Adversarial examples in deep learning (Gregory Chatel)
 
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
AN ANN APPROACH FOR NETWORK INTRUSION DETECTION USING ENTROPY BASED FEATURE S...
 
An ann approach for network
An ann approach for networkAn ann approach for network
An ann approach for network
 
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGFAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
 
maxbox starter60 machine learning
maxbox starter60 machine learningmaxbox starter60 machine learning
maxbox starter60 machine learning
 
1st review android malware.pptx
1st review android malware.pptx1st review android malware.pptx
1st review android malware.pptx
 
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGFAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTING
 
Two methods for optimising cognitive model parameters
Two methods for optimising cognitive model parametersTwo methods for optimising cognitive model parameters
Two methods for optimising cognitive model parameters
 
Citython presentation
Citython presentationCitython presentation
Citython presentation
 
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
A Fairness-aware Machine Learning Interface for End-to-end Discrimination Dis...
 
Intrusion Detection System for Classification of Attacks with Cross Validation
Intrusion Detection System for Classification of Attacks with Cross ValidationIntrusion Detection System for Classification of Attacks with Cross Validation
Intrusion Detection System for Classification of Attacks with Cross Validation
 
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAPMESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAP
 
Message Embedded Cipher Using 2-D Chaotic Map
Message Embedded Cipher Using 2-D Chaotic MapMessage Embedded Cipher Using 2-D Chaotic Map
Message Embedded Cipher Using 2-D Chaotic Map
 
SWE-6 TESTING.pptx
SWE-6 TESTING.pptxSWE-6 TESTING.pptx
SWE-6 TESTING.pptx
 
Attacks on Victim Model! A Defense Strategy
Attacks on Victim Model! A Defense StrategyAttacks on Victim Model! A Defense Strategy
Attacks on Victim Model! A Defense Strategy
 
Towards a theory of data entangelement
Towards a theory of data entangelementTowards a theory of data entangelement
Towards a theory of data entangelement
 
Machine learning in science and industry — day 1
Machine learning in science and industry — day 1Machine learning in science and industry — day 1
Machine learning in science and industry — day 1
 
Cse cpl manual-2016
Cse cpl manual-2016Cse cpl manual-2016
Cse cpl manual-2016
 
On the Usage of Chained Codes in Cryptography
On the Usage of Chained Codes in CryptographyOn the Usage of Chained Codes in Cryptography
On the Usage of Chained Codes in Cryptography
 
Safety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdfSafety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdf
 

More from Roberto Falconi

River Trail: A Path to Parallelism in JavaScript
River Trail: A Path to Parallelism in JavaScriptRiver Trail: A Path to Parallelism in JavaScript
River Trail: A Path to Parallelism in JavaScript
Roberto Falconi
 
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWSBiometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Roberto Falconi
 
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWSBiometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Roberto Falconi
 
SUOMI - UCD approach to build an IoT smart guide for spa
SUOMI - UCD approach to build an IoT smart guide for spaSUOMI - UCD approach to build an IoT smart guide for spa
SUOMI - UCD approach to build an IoT smart guide for spa
Roberto Falconi
 
Kalypso: She who hides. Encryption and decryption web app.
Kalypso: She who hides. Encryption and decryption web app.Kalypso: She who hides. Encryption and decryption web app.
Kalypso: She who hides. Encryption and decryption web app.
Roberto Falconi
 
Game ratings predictor
Game ratings predictorGame ratings predictor
Game ratings predictor
Roberto Falconi
 
Bb 8 run - a star wars video game
Bb 8 run - a star wars video gameBb 8 run - a star wars video game
Bb 8 run - a star wars video game
Roberto Falconi
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
Roberto Falconi
 
Venice boats classification
Venice boats classificationVenice boats classification
Venice boats classification
Roberto Falconi
 
Visual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in ItalyVisual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in Italy
Roberto Falconi
 
Visual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in ItalyVisual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in Italy
Roberto Falconi
 
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
Roberto Falconi
 
BB8 RUN - A Star Wars video game
BB8 RUN - A Star Wars video gameBB8 RUN - A Star Wars video game
BB8 RUN - A Star Wars video game
Roberto Falconi
 
Game Ratings Predictor - machine learning software to predict video games co...
Game Ratings Predictor - machine learning software to predict video games co...Game Ratings Predictor - machine learning software to predict video games co...
Game Ratings Predictor - machine learning software to predict video games co...
Roberto Falconi
 
House Temperature Monitoring using AWS IoT And Raspberry Pi
House Temperature Monitoring using AWS IoT And Raspberry PiHouse Temperature Monitoring using AWS IoT And Raspberry Pi
House Temperature Monitoring using AWS IoT And Raspberry Pi
Roberto Falconi
 

More from Roberto Falconi (15)

River Trail: A Path to Parallelism in JavaScript
River Trail: A Path to Parallelism in JavaScriptRiver Trail: A Path to Parallelism in JavaScript
River Trail: A Path to Parallelism in JavaScript
 
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWSBiometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
 
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWSBiometric Systems - Automate Video Streaming Analysis with Azure and AWS
Biometric Systems - Automate Video Streaming Analysis with Azure and AWS
 
SUOMI - UCD approach to build an IoT smart guide for spa
SUOMI - UCD approach to build an IoT smart guide for spaSUOMI - UCD approach to build an IoT smart guide for spa
SUOMI - UCD approach to build an IoT smart guide for spa
 
Kalypso: She who hides. Encryption and decryption web app.
Kalypso: She who hides. Encryption and decryption web app.Kalypso: She who hides. Encryption and decryption web app.
Kalypso: She who hides. Encryption and decryption web app.
 
Game ratings predictor
Game ratings predictorGame ratings predictor
Game ratings predictor
 
Bb 8 run - a star wars video game
Bb 8 run - a star wars video gameBb 8 run - a star wars video game
Bb 8 run - a star wars video game
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Venice boats classification
Venice boats classificationVenice boats classification
Venice boats classification
 
Visual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in ItalyVisual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in Italy
 
Visual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in ItalyVisual Analytics: Traffic Collisions in Italy
Visual Analytics: Traffic Collisions in Italy
 
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
SUOMI - Web and mobile app for spa users, using STM32 IoT, Microsoft Azure Cl...
 
BB8 RUN - A Star Wars video game
BB8 RUN - A Star Wars video gameBB8 RUN - A Star Wars video game
BB8 RUN - A Star Wars video game
 
Game Ratings Predictor - machine learning software to predict video games co...
Game Ratings Predictor - machine learning software to predict video games co...Game Ratings Predictor - machine learning software to predict video games co...
Game Ratings Predictor - machine learning software to predict video games co...
 
House Temperature Monitoring using AWS IoT And Raspberry Pi
House Temperature Monitoring using AWS IoT And Raspberry PiHouse Temperature Monitoring using AWS IoT And Raspberry Pi
House Temperature Monitoring using AWS IoT And Raspberry Pi
 

Recently uploaded

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
Yara Milbes
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 

Recently uploaded (20)

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 

Black-Box attacks against Neural Networks - technical project report

  • 1. Sapienza – University of Rome MSc in Engineering in Computer Science Neural Networks, AY 2018/19 Submitted to Prof. A. Uncini S. Clinciu – R. Falconi Practical Black-Box Attacks against Machine Learning
  • 2. 0. Summary 1. Introduction................................................................................................................................3 2. How to run the code..................................................................................................................3 3. Deep Neural Networks.............................................................................................................4 4. Threat model ..............................................................................................................................4 5. Black Box attack strategy ..........................................................................................................5 6. Attack validation........................................................................................................................7 7. Generalization of the attack......................................................................................................9 8. Defense strategies ......................................................................................................................9 9. Conclusions...............................................................................................................................10 10. References.............................................................................................................................11
  • 3. 1. Introduction This is the technical report for the Neural Networks course by Professor A. Uncini. The report is about Practical Black-Box Attacks against Machine Learning, scientific paper by N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik and A. Swami. The work is done by students S. Clinciu and R. Falconi, while studying at MSc in Engineering in Computer Science, at Sapienza University of Rome. The paper’s goal is to proclaim a demonstration that black box attacks against deep neural networks (DNN) classifiers are practical for real-world adversaries with no knowledge about the model. Achievement is to implement the discussed algorithm assuming the adversary has no information about the structure or parameters of the DNN, and the defender does not have access to any large training dataset. The threat model thus corresponds to the real-world scenario of users interacting with classifiers hosted remotely by a third-party keeping the model internals secret. In fact, authors of the paper instantiate attacks against classifiers automatically trained by Amazon and Google. They gained the access to them only after training is completed. Thus, they provide the first correctly blinded experiments concerning adversarial examples as a security risk. It shows that black-box attack is applicable to many remote systems taking decisions based on ML, because it combines three key properties: the capabilities required are limited to observing output class labels, the number of labels queried is limited, and the approach applies and scales to different ML classifier types, in addition to state-of-the-art DNNs. 2. How to run the code To run the code is very easy, everything needed is to: a. Clone the GitHub repository using the command ‘git clone https://github.com/RobertoFalconi/BlackBoxAttackDNN’ b. Access the repository with ‘cd BlackBoxAttackDNN’ c. Use the command ‘pip3 install <framework name> to import each required library d. Run FGSM strategy with ‘python FastGradientSignMethods’ or JSMA strategy with the code ‘python JacobianSaliencyMapApproach’. Tested on Python 3.7.3 64-bit edition and NVIDIA 425.31 drivers, using a GeForce RTX 2080.
  • 4. 3. Deep Neural Networks To fully understands the threat model and the attack it is good to provide some preliminary information. As reported in the paper, Deep Neural Networks (DNN), is a ML technique that uses a hierarchical composition of n parametric function to model an input 𝑥̅. Each function 𝑓𝑖 for 𝑖 ∈ 1, … , 𝑛 is modeled using a layer of neurons, elementary calculating units applying an activation function to the preceding layer’s weighted representation of the input to generate a new representation. Each layer is parameterized by a weight vector. Such weights hold the knowledge of DNN model F and are evaluated during its training phase. 𝐹(𝑥̅) = 𝑓𝑛 (𝜃 𝑛, 𝑓𝑛−1 (𝜃 𝑛−1, … , 𝑓2(𝜃2, 𝑓1(𝜃1, 𝑥̅)))) The training phase of a DNN F learns values for its parameters 𝜃 𝐹 = {𝜃1, … , 𝜃 𝑛}. During the test phase, the DNN is deployed with a fixed set of parameters 𝜃 𝐹 to make predictions on inputs unseen during training. 4. Threat model In our work, the adversary pursues to force a classifier to misclassify inputs in any class dissimilar from their right class. In order to accomplish our project, considering a weak adversary with access to the DNN output only. The opponent has no information of the architectural selections made to design the DNN, which include the number, type and size of layers, nor the training data used to learn the DNN’s parameters. Such attacks are referred to as black box, where adversaries don’t need to know internal details of a system to compromise it. The targeted model is a scenario where an attacker is targeting a multiclass DNN classifier. Its outputs probability vectors, where each vector component encodes the DNN’s belief of the input being part of one of the predefined classes. The ongoing example of a DNN classifying images, as shown in the following picture. Such DNNs can be used to classify handwritten digits into classes associated with digits from 0 to 9, images of objects in a fixed number of categories, or images of traffic signs into classes identifying its type (STOP, yield, ...). The adversarial capabilities refer to the only capability of the adversary accessing the label O(x) for any input x by querying oracle O. the output label O(x) is the index of the class assigned the largest probability by the DNN:
  • 5. 𝑂̅(𝑥̅) = arg 𝑚𝑎𝑥 𝑗 ∈ 0 … 𝑁 − 1 𝑂𝑗(𝑥̅) Where 𝑂𝑗(𝑥̅) is the j-th component of the probability vector 𝑂(𝑥̅) output by DNN 𝑂. Accessing labels 𝑂̅ produced by the DNN 𝑂 is the only capability assumed in our threat model. It is impossible to access to the oracle internals or training data. In order to produce a minimally altered version of any input 𝑥̅, named adversarial sample, denoted 𝑥̅∗ , misclassified by oracle 𝑂: 𝑂̅(𝑥̅∗) ≠ 𝑂̅(𝑥̅). This corresponds to an attack on the oracle’s output integrity. Adversarial samples solve the following optimization problem: 𝑥̅∗ = 𝑥̅ + arg min{𝑧̅: 𝑂̅(𝑥̅ + 𝑧̅) ≠ 𝑂̅(𝑥̅)} = 𝑥̅ + 𝛿 𝑥̅ Examples of adversarial samples can be found in the following figure. 5. Black Box attack strategy We are going to implement a Black Box attack following the papers strategy. The adversary wants to craft inputs misclassified by the ML model using the sole capability of accessing the label 𝑂̅(𝑥̅) assigned by classifier for any chosen input 𝑥̅. The strategy is to learn a substitute for the target model using a dataset generated by the adversary and labeled by observing the oracle output. Then, adversarial examples are crafted using this substitute. It is expected the target DNN to misclassify them due to transferability between architectures. Usually, ML need large training sets for training. For instance, attackers can consider models trained with several tens of thousands of labeled examples. This makes attacks based on this paradigm unfeasible for adversaries without large labeled datasets. In this paper, the authors show black-box attacks can be accomplished at a much lower cost, without labeling an independent training set. In our approach, to enable the adversary to train a substitute model without a real labeled dataset, it is required to use the target DNN as an oracle to construct a synthetic dataset.
  • 6. Authors propose the following two strategies: substitute model training and adversarial sample crafting. Substitute model training: attacker interrogates oracle with synthetic inputs selected by a Jacobian based heuristic to build a model F approximating the oracle model O’s decision boundaries. Training a substitute model F approximating oracle O is challenging because we must: (1) select an architecture for our substitute without knowledge of the targeted oracle’s architecture, and (2) limit the number of queries made to the oracle in order to ensure that the approach is tractable. The approach, illustrated in Figure 3, overcomes these challenges mainly by introducing a synthetic data generation technique, the Jacobian-based Dataset Augmentation. Adversarial sample crafting: attacker substitutes the network F to craft adversarial samples, which are then misclassified by oracle O due to the transferability of adversarial samples. Once the adversary trained a substitute DNN, it uses it to craft adversarial samples. In our project, we provided an overview of two approaches discussed in the paper, namely the Goodfellow et al. algorithm (also known as Fast Gradient Sign Method or FGSM) and the Papernot et al. algorithm (also known as Jacobian-based Saliency Map Attack or JSMA). Both share a similar intuition of evaluating model’s sensitivity to input modification to select small perturbation achieving misclassification goal. Goodfellow gives a model F with an associated cost function 𝑐(𝐹, 𝑥̅, 𝑦), the adversary crafts an adversarial sample 𝑥∗̅̅̅ = 𝑥̅ + 𝛿 𝑥̅ for a given legitimate sample 𝑥̅ by computing the following perturbation: 𝛿 𝑥̅ = 𝜖 𝑠𝑔𝑛(∇ 𝑥̅ 𝑐(𝐹, 𝑥̅, 𝑦)) where the perturbation sgn is the sign of the model’s cost function gradient, computed with respect to 𝑥̅ using sample 𝑥̅ and label y as inputs.
  • 7. Figure 1: example of FGSM Papernot algorithm is suitable for source-target misclassification attacks where adversaries seek to take samples from any legitimate source class to any chosen target class. Misclassification attacks are a special case of source-target misclassifications, where the target class can be any class different from the legitimate source class. Given model F, the adversary crafts an adversarial sample 𝑥̅∗ = 𝑥̅ + 𝛿 𝑥̅ for a given legitimate sample 𝑥̅ by adding a perturbation 𝛿 𝑥̅ to a subset of the input components 𝑥̅𝑖. Both the algorithms have benefits and drawbacks, because the Goodfellow one is suitable for fast crafting of many adversarial samples with quite large perturbations thus potentially easier to detect, while the Papernot one tends to reduce perturbations in exchange of a greater computing cost. 6. Attack validation To validate the attack, we tried it against different classifiers and using also different types of attack. We first made an FGSM attack to target DNN trained using MNIST dataset, then we made another attack against a DNN trained with CIFAR dataset, both attacks have the goal to misclassify most of adversarial examples crafted with a perturbation not affecting human recognition. Finally, we repeat both the attack using a JSMA type of attack. The MNIST database (Modified National Institute of Standards and Technology database) is a large database of handwritten digits that is commonly used for training various image processing systems, it is widely used for training and testing in the field of machine learning. The CIFAR dataset (Canadian Institute For Advanced Research) is a collection of images that are commonly used to train machine learning and computer vision algorithms. The CIFAR dataset contains 60,000 32x32 color images in 10 different classes. The 10 different classes represent airplanes, cars, birds, cats, deer, dogs, frogs, horses, ships, and trucks. There are 6,000 images of each class.
  • 8. Both MNIST and CIFAR are two of the most widely used datasets for machine learning research. In the end, we made another two attacks, FGSM and JSMA, to a local trained dataset composed by pictures and photos of real world, in order to make better the idea of the effects for real world elements and subjects, instead of using MNIST and CIFAR datasets only. Our goal is to verify whether these samples are also misclassified by the oracle or not. Therefore, the transferability of adversarial samples refers to the oracle misclassification rate of adversarial samples crafted using the substitute DNN.
  • 9. 7. Generalization of the attack Substitutes and oracles take in cause were learned with DNNs, but the attack bounds its applicability to other ML systems. For examples, substitutes can also be learned with logistic regression and the attack generalizes to additional ML models. 8. Defense strategies According to the paper of Practical Black-Box Attacks against Machine Learning which we based our work on, the two types of defense strategies are: (1) reactive where one seeks to detect adversarial examples, and (2) proactive where one makes the model itself more robust.
  • 10. Adversarial training. The attack is not more easily detectable than a classic adversarial example attack. Oracle queries may be distributed among a set of colluding users, and as such remain hard to detect, but defender may increase the attacker’s cost by training models with higher input dimensionality or modeling complexity. Indeed, the authors experimental results indicate that these two factors increase the number of queries required to train substitutes: black-box attack based on transfer from a substitute model overcomes gradient masking defenses. Defensive distillation. It is a defense which make models robust in a small neighborhood of the training manifold perform gradient masking: they smooth the decision surface and reduce gradients used by adversarial crafting in small neighborhoods. However, using a substitute and our black-box approach evades these defenses, as the substitute model is not trained to be robust to the said small perturbations. 9. Conclusions Defending against finite perturbations is a more promising avenue for future work than defending against infinitesimal perturbations. Our implementation reflects what the paper is about. The authors show a work based on a novel substitute training algorithm using synthetic data generation, to craft adversarial examples misclassified by black-box DNNs. Our work is a significant step towards relaxing strong assumptions about adversarial capabilities made by previous attacks.
  • 11. 10. References 1. Alexey Kurakin, Ian J. Goodfellow, Samy Bengio. Adversarial Examples in the physical world. [Online] 2017. https://arxiv.org/pdf/1607.02533.pdf. 2. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, Ananthram Swami. Practical Black-Box Attacks against Machine Learning. [Online] 2017. https://arxiv.org/pdf/1602.02697.pdf. 3. Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy. Explaining and harnessing adversarial examples. [Online] 2015. https://arxiv.org/pdf/1412.6572.pdf. 4. Anish Athalye, Nicholas Carlini, David Wagner. Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples. [Online] 2018. https://arxiv.org/pdf/1802.00420v4.pdf. 5. Papernot, Nicolas. Gradient Masking in Machine Learning. [Online] https://seclab.stanford.edu/AdvML2017/slides/17-09-aro-aml.pdf. 6. Goodfellow, Ian and Papernot, Nicolas. Is attacking machine learning easier than defending it? [Online] http://www.cleverhans.io/security/privacy/ml/2017/02/15/why- attacking-machine-learning-is-easier-than-defending-it.html.