a tour of machine learning security
play

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th - PowerPoint PPT Presentation

Oct 21, 2023 •507 likes •971 views

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including things that likely

  1. A Tour of Machine Learning Security Florian Tramèr CISPA August 6 th 2018

  2. The Deep Learning Revolution First they came for images…

  3. The Deep Learning Revolution And then everything else…

  4. The ML Revolution Including things that likely won’t work… 4

  5. What does this mean for privacy & security? Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning Blockchain ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware Adapted from (Goodfellow 2018) 5

  6. This talk: security of deployed models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 6

  7. Stealing ML Models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 7

  8. Machine Learning as a Service Goal 2: Model Confidentiality • Model/Data Monetization • Sensitive Data Model f Training API Prediction API input classification Data Black Box Goal 1: Rich Prediction APIs $$$ per query • Highly Available • High-Precision Results 8

  9. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Applications: 1) Undermine pay-for-prediction pricing model 2) ”White-box” attacks: › Infer private training data › Model evasion (adversarial examples) 9

  10. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Isn’t this “just No! Prediction APIs Machine Learning”? return fine-grained information that makes extracting much easier than learning 10

  11. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon 11

  12. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (for interpretability) 12

  13. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (Milli et al.) Labeling function Humans, real-world Query f(x) on any input x data collection => No need for labeled data => Queries can be adaptive 13

  14. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte 14

  15. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) 15

  16. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) Neural Large models required - Distillation (Hinton et al.) Networks “The more data the better” Make smaller copy of model from confidence scores - Extraction from hard labels No quantitative analysis for (Papernot et al., T et al.) large neural nets yet 16

  17. Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 17

  18. Trusted execution of ML: 3 motivating scenarios 1. Cloud ML APIs Data Privacy Integrity - Model “downgrade” - Disparate impact - Other malicious tampering 18

  19. Trusted execution of ML: 3 motivating scenarios 2. Federated Learning Integrity Data privacy Poison model updates 19

  20. Trusted execution of ML: 3 motivating scenarios 3. Trojaned hardware (Verifiable ASICs model, Wahby et al.) Integrity 20

  21. Solutions Cryptography / Statistics 1. Outsourced ML : FHE, MPC, (ZK) proof systems 2. Federated learning : robust statistics? 3. Trojaned hardware : some root of trust is needed Trusted Execution Environments (TEEs) 1. Outsourced ML : secure enclaves 2. Federated learning : trusted sensors + secure enclaves 3. Trojaned hardware: fully trusted (but possibly slow) hardware

  22. Trusted Execution: At what cost? • Trusted ASICs (Wahby et al.): ~10 8 � worse than SOTA • Intel SGX: VGG16 Inference 400 350 350 300 Paging at Images / sec 250 ~90MB 200 150 100 50 1 0 GPU SGX GPU: Nvidia TITAN XP SGX: Intel Core i7-6700 Skylake Single Core @ 3.40GHz https://medium.com/@danny_harnik/impressions-of-intel-sgx-performance-22442093595a

  23. “How do we efficiently leverage TEEs for secure machine learning computations?” Idea: outsource work to collocated , faster but untrusted device and verify results x TEE F(x), proof Computations Gap between trusted Privacy and untrusted device Verifiable ASICs Arithmetic circuits ~ 8 orders of magnitude No (Wahby et al., 2016) (GKR protocol) Slalom DNN inference ~ 1-2 orders “Yes” Not in this talk

  24. Bottlenecks in deep neural networks non linear stuff (cheap) MATRIX MULTIPLICATION ~ 97% VGG16 Inference on 1 CPU core

  25. Outsourcing matrix multiplication: Freivald’s algorithm X ∈ " n ⨉ n , W ∈ " n ⨉ n Input: DNN weights. Fixed at inference time Direct Compute: Z = X * W ≈ n 3 multiplications or O(n 2.81 ) with Strassen Outsource + Verify: • Sample r ← " n uniformly at random • Check: Z * r = X * (W * r) • Complexity: ≈ 3n 2 multiplications • Soundness: 1 / | " | (boost by repeating)

  26. Freivald variants for arbitrary linear operators Linear operator: z = F(x) = x * A Matrix of size |x| × |z| Vector of size |z| Vector of size |x| • Batched verification Z = F ( [x 1 … x B ] ) = [ F(x 1 ) … F(x B ) ] ⇒ Complexity = B*cost(F) Freivald: r * Z = F ( r * [x 1 … x B ] ) ⇒ Complexity = B*(|x|+|z|) + cost(F) • With precomputation Precompute A’ = A * r = ( ∇ x F)(r) Freivald: z * r = x * A’ ⇒ Complexity = |x|+|z| 2 inner products!

  27. Slalom Summary Slalom TEE X 1 Z 1 = X 1 * W 1 1. Freivald check for (X 1 , W 1 , Z 1 ) 2. X 2 = σ(Z 1 ) X 2 Z 2 = X 2 * W 2 Arbitrary non-linearity … 27

  28. Design and Evaluation TEE • TEE: Intel SGX ”Desktop” CPU (single thread) • Untrusted device: Nvidia Tesla GPU • Port of the Eigen linear algebra C++ library to SGX (used in e.g., TensorFlow) • No simulation mode! VGG16 MobileNet 25 120 97.1 19.6 100 20 Images / sec 80 15 60 10 40 30 15.9 5 20 1.7 1 0 0 Compute Verify Verify with Compute Verify Verify with preproc preproc 28

  29. Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 29

  30. ML models make surprising mistakes + . 007 ⇥ = Pretty sure this I’m certain this is a panda is a gibbon (Szegedy et al. 2013, Goodfellow et al. 2015) 30

  31. Where are the defenses? • Adversarial training Prevent “all/most Szegedy et al. 2013, Goodfellow et al. 2015, attacks” for a Kurakin et al. 2016, T et al. 2017, Madry et al. 2017, Kannan et al. 2018 given norm ball • Convex relaxations with provable guarantees Raghunathan et al. 2018, Kolter & Wong 2018, Sinha et al. 2018 • A lot of broken defenses… 31

  32. Do we have a realistic threat model? (no…) Current approach: 1. Fix a ”toy” attack model (e.g., some l ∞ ball) 2. Directly optimize over the robustness measure Þ Defenses do not generalize to other attack models Þ Defenses are meaningless for applied security What do we want? • Model is “always correct” (sure, why not?) • Model has blind spots that are “hard to find” • “Non-information-theoretic” notions of robustness? • CAPTCHA threat model is interesting to think about 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including

539 views • 34 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics to cover 1. Logistic regression 2. Word embeddings 3. t-SNE 4. Deep Networks (and some transfer learning) 5. Hidden Markov Models for sequence

1k views • 60 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam Robot Helicopter Netflix Playing Go Google http://ai.stanford.edu/ ang/courses.html Reading cheques LeCun et al. 1990 MNIST:

433 views • 42 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty Scholar Founder and Co-Director, Center for Machine-Integrated & Security (MICS) University of California San Diego Big data and automation

998 views • 54 slides
for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

Machine Learning for Security and Security for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper, Mark Raugas, Nathan Hilliard, Sean Robinson, Sam Kaplan* Andy Brown*, Aaron Tuor, Nick Knowles*, Ryan

756 views • 39 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby Breckon School of Engineering and Computing Sciences Durham University www.durham.ac.uk/toby.breckon/mltutorial/ toby.breckon@durham.ac.uk BMVA

1.44k views • 108 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of Bonjour India, the Institut franais en Inde is pleased to present The Future Tour - a series of thematic rendezvous between scientists, academics,

270 views • 5 slides
in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

Security (and Privacy) in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This talk: neural networks Machine learning is amazing But there's a catch Understandability This talk: Discuss security

892 views • 55 slides
Advanced Database Management Systems Distributed DBMS:Introduction and Architectures Alvaro A A

Advanced Database Management Systems Distributed DBMS:Introduction and Architectures Alvaro A A

Advanced Database Management Systems Distributed DBMS:Introduction and Architectures Alvaro A A Fernandes School of Computer Science, University of Manchester AAAF (School of CS, Manchester) Advanced DBMSs 2011-2012 1 / 121 Outline

1.35k views • 121 slides
Closed-Loop Impulse Control of Oscillating Systems A. N. Daryin and A. B. Kurzhanski Moscow

Closed-Loop Impulse Control of Oscillating Systems A. N. Daryin and A. B. Kurzhanski Moscow

Closed-Loop Impulse Control of Oscillating Systems A. N. Daryin and A. B. Kurzhanski Moscow State (Lomonosov) University Faculty of Computational Mathematics and Cybernetics Periodic Control Systems, 2007 Outline Problem 1 Dynamic

654 views • 29 slides
Suppression of superkicks in BBH inspiral U. Sperhake Institute of Space Sciences CSIC-IEEC

Suppression of superkicks in BBH inspiral U. Sperhake Institute of Space Sciences CSIC-IEEC

Suppression of superkicks in BBH inspiral U. Sperhake Institute of Space Sciences CSIC-IEEC Barcelona Pizza Seminar, Bellaterra, 3 rd November 2011 E. Berti, M. Kesden U. Sperhake (CSIC-IEEC) Suppression of superkicks in BBH inspiral

457 views • 20 slides
Towards Scalable Real-Time Entity Resolution using a Similarity-Aware Inverted Index Approach

Towards Scalable Real-Time Entity Resolution using a Similarity-Aware Inverted Index Approach

Towards Scalable Real-Time Entity Resolution using a Similarity-Aware Inverted Index Approach Peter Christen 1 and Ross Gayler 2 1 Department of Computer Science, ANU College of Engineering and Computer Science, The Australian National

541 views • 20 slides
Mi Michael hael Liao ao Advisor : Andy Wu Graduate Institute of Electronics Engineering

Mi Michael hael Liao ao Advisor : Andy Wu Graduate Institute of Electronics Engineering

Next Generation Mobile Communication Channel State Information (CSI) Acquisition for mmWave MIMO Systems Mi Michael hael Liao ao Advisor : Andy Wu Graduate Institute of Electronics Engineering National Taiwan University Taipei, Taiwan

435 views • 18 slides
Using Simulation to Support Multi-Criteria Decision Analysis Peer-Olaf Siebers EM SIM SIG

Using Simulation to Support Multi-Criteria Decision Analysis Peer-Olaf Siebers EM SIM SIG

Using Simulation to Support Multi-Criteria Decision Analysis Peer-Olaf Siebers EM SIM SIG Presentation 01/11/2012 peer-olaf.siebers@nottingham.ac.uk 1 Content Part 1 My Academic Life Part 2 Using Simulation to Support

509 views • 39 slides
Wireless Communication Systems @CS.NCTU Lecture 12: mmWave Lecturer: Kate Ching-Ju Lin (

Wireless Communication Systems @CS.NCTU Lecture 12: mmWave Lecturer: Kate Ching-Ju Lin (

Wireless Communication Systems @CS.NCTU Lecture 12: mmWave Lecturer: Kate Ching-Ju Lin ( ) 1 Millimeter Wave Bands Huge amount of available bandwidth ( =C/f) 2 mmWave Wireless Applications 5G Cellular Networks Wireless Data

395 views • 17 slides
School of ITEE Thesis (Coursework) Library workshop CRICOS code 00025B UQ Library

School of ITEE Thesis (Coursework) Library workshop CRICOS code 00025B UQ Library

School of ITEE Thesis (Coursework) Library workshop CRICOS code 00025B UQ Library Objectives Find relevant literature for your annotated bibliography/literature review. These resources will inform your report. Cite these sources

596 views • 34 slides

More recommend