a tour of machine learning security
play

A Tour of Machine Learning Security Florian Tramr Intel, Santa - PowerPoint PPT Presentation

Dec 05, 2022 •188 likes •539 views

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including

  1. A Tour of Machine Learning Security Florian Tramèr Intel, Santa Clara, CA August 30 th 2018

  2. The Deep Learning Revolution First they came for images…

  3. The Deep Learning Revolution And then everything else…

  4. The ML Revolution Including things that likely won’t work… 4

  5. What does this mean for privacy & security? Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning Blockchain ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware Adapted from (Goodfellow 2018) 5

  6. This talk: security of deployed models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 6

  7. Stealing ML Models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 7

  8. Machine Learning as a Service Goal 2: Model Confidentiality • Model/Data Monetization • Sensitive Data Model f Training API Prediction API input classification Data Black Box Goal 1: Rich Prediction APIs $$$ per query • Highly Available • High-Precision Results 8

  9. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Applications: 1) Undermine pay-for-prediction pricing model 2) ”White-box” attacks: › Infer private training data › Model evasion (adversarial examples) 9

  10. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Isn’t this “just No! Prediction APIs Machine Learning”? return fine-grained information that makes extracting much easier than learning 10

  11. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon 11

  12. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (Milli et al. 2018) 12

  13. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (Milli et al. 2018) Labeling function Humans, real-world Query f(x) on any input x data collection => No need for labeled data => Queries can be adaptive 13

  14. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte 14

  15. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) 15

  16. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) Neural Large models required - Distillation (Hinton et al.) Networks “The more data the better” Make smaller copy of model from confidence scores - Extraction from hard labels No quantitative analysis for (Papernot et al., T et al.) large neural nets yet 16

  17. Takeaways • A “learnable” function cannot be private • Prediction APIs expose fine-grained information that facilitate model stealing • Unclear how effective model stealing is for large-scale models 17

  18. Evading ML Models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 18

  19. ML models make surprising mistakes + . 007 ⇥ = Pretty sure this I’m certain this is a panda is a gibbon (Szegedy et al. 2013, Goodfellow et al. 2015) 19

  20. Where are the defenses? • Adversarial training Prevent “all/most Szegedy et al. 2013, Goodfellow et al. 2015, attacks” for a Kurakin et al. 2016, T et al. 2017, Madry et al. 2017, Kannan et al. 2018 given norm ball • Convex relaxations with provable guarantees Raghunathan et al. 2018, Kolter & Wong 2018, Sinha et al. 2018 • A lot of broken defenses… 20

  21. Do we have a realistic threat model? (no…) Current approach: 1. Fix a ”toy” attack model (e.g., some l ∞ ball) 2. Directly optimize over the robustness measure Þ Defenses do not generalize to other attack models Þ Defenses are meaningless for applied security What do we want? • Model is “always correct” (sure, why not?) • Model has blind spots that are “hard to find” • “Non-information-theoretic” notions of robustness? • CAPTCHA threat model is interesting to think about 21

  22. A DVERSARIAL EXAMPLES ARE HERE TO STAY ! For many things that humans can do “robustly”, ML will fail miserably! 22

  23. A case study on ad blocking Ad blocking is a “cat & mouse” game 1. Ad blockers build crowd-sourced filter lists 2. Ad providers switch origins / DOM structure 3. Rinse & repeat (4?) Content provider (e.g., Cloudflare) hosts the ads 23

  24. A case study on ad blocking New method: perceptual ad-blocking (Storey et al. 2017) • Industry/legal trend: ads have to be clearly indicated to humans If humans can detect ads, so can ML! ”[…] we deliberately ignore all signals invisible to humans , including URLs and markup. Instead we consider visual and behavioral information. […] We expect perceptual ad blocking to be less prone to an "arms race. " (Storey et al. 2017) 24

  25. How to detect ads? 1. “DOM based” • Look for specific ad-cues in the DOM • E.g., fuzzy hashing, OCR (Storey et al. 2017) 2. Machine Learning on full page content • Sentinel approach: train object detector (YOLO) on annotated screenshots 25

  26. What’s the threat model for perceptual ad-blockers? Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, Ad aliquet vitae, dignissim eget, sollicitudin molestie, blocker Vivamus vehicula leo a Ad justo. Quisque nec augue. Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 26

  27. What’s the threat model for perceptual ad-blockers? 1. False Negatives Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, Ad aliquet vitae, dignissim eget, sollicitudin molestie, blocker Vivamus vehicula leo a Ad justo. Quisque nec augue. Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 27

  28. What’s the threat model for perceptual ad-blockers? 2. False Positives (“DOS”, or ad-blocker detection) Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, Ad aliquet vitae, dignissim eget, sollicitudin molestie, blocker Vivamus vehicula leo a Ad justo. Quisque nec augue. Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 28

  29. What’s the threat model for perceptual ad-blockers? 3. Resource exhaustion (for DOM-based techniques) Content Webpage provider Ad blocker Ad Vivamus vehicula leo a justo. Quisque nec augue. network Morbi mauris wisi, aliquet vitae, dignissim eget, sollicitudin molestie, 29

  30. What’s the threat model for perceptual ad-blockers? Pretty much the worst possible! 1. Ad blocker is white-box (browser extension) Þ Alternative would be a privacy & bandwidth nightmare 2. Ad blocker operates on (large) digital images Þ Or can exhaust resources by injecting many small elements 3. Ad blocker needs to resist adversarial false positives and false negatives Þ Perturb ads to evade ad blocker Þ Discover ad-blocker by embedding false-negatives Þ Punish ad-block users by perturbing benign content 4. Updating is more expensive than attacking 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th 2018 The Deep Learning

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th 2018 The Deep Learning

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including things that likely

971 views • 45 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics to cover 1. Logistic regression 2. Word embeddings 3. t-SNE 4. Deep Networks (and some transfer learning) 5. Hidden Markov Models for sequence

1k views • 60 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam Robot Helicopter Netflix Playing Go Google http://ai.stanford.edu/ ang/courses.html Reading cheques LeCun et al. 1990 MNIST:

433 views • 42 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty Scholar Founder and Co-Director, Center for Machine-Integrated & Security (MICS) University of California San Diego Big data and automation

998 views • 54 slides
for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

Machine Learning for Security and Security for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper, Mark Raugas, Nathan Hilliard, Sean Robinson, Sam Kaplan* Andy Brown*, Aaron Tuor, Nick Knowles*, Ryan

756 views • 39 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby Breckon School of Engineering and Computing Sciences Durham University www.durham.ac.uk/toby.breckon/mltutorial/ toby.breckon@durham.ac.uk BMVA

1.44k views • 108 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of Bonjour India, the Institut franais en Inde is pleased to present The Future Tour - a series of thematic rendezvous between scientists, academics,

270 views • 5 slides
in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

Security (and Privacy) in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This talk: neural networks Machine learning is amazing But there's a catch Understandability This talk: Discuss security

892 views • 55 slides
CS378 - Mobile Computing Sensing and Sensors Sensors "I should have paid more attention

CS378 - Mobile Computing Sensing and Sensors Sensors "I should have paid more attention

CS378 - Mobile Computing Sensing and Sensors Sensors "I should have paid more attention in Physics 51" Most devices have built in sensors to measure and monitor motion orientation (aka position) environmental

605 views • 26 slides
Accelerating Checkpoint Operation by Node-Level Write Aggregation on Multicore Systems Xiangyong

Accelerating Checkpoint Operation by Node-Level Write Aggregation on Multicore Systems Xiangyong

Accelerating Checkpoint Operation by Node-Level Write Aggregation on Multicore Systems Xiangyong Ouyang, Karthik Gopalakrishnan and Dhabaleswar K. (DK) Panda Department of Computer Science & Engineering The Ohio State University Outline

500 views • 30 slides
MINING VIRTUAL UNIVERSES IN A RELATIONAL DATABASE With examples from the (milli-)Millennium Run

MINING VIRTUAL UNIVERSES IN A RELATIONAL DATABASE With examples from the (milli-)Millennium Run

MINING VIRTUAL UNIVERSES IN A RELATIONAL DATABASE With examples from the (milli-)Millennium Run Database(s) Gerard Lemson MPA Garching, Germany 1 ISSAC 2012 SDSC, San Diego, USA Matts categorization of questions Questions: Phrase

866 views • 71 slides
Why Time Synchronization? Event Ordering Low Duty Cycle Networking Time Division

Why Time Synchronization? Event Ordering Low Duty Cycle Networking Time Division

Low-Power Clock Synchronization using Electromagnetic Energy Radiating from AC Power Lines Energy Radiating from AC Power Lines (Apply Directly Where it Hertz ) Anthony Rowe, Vikram Gupta, Raj Rajkumar Electrical and Computer Engineering

498 views • 17 slides
LBNE Alfons Weber University of Oxford STFC/RAL LBNE European Collaborators UK Italy

LBNE Alfons Weber University of Oxford STFC/RAL LBNE European Collaborators UK Italy

Europe in LBNE LBNE Alfons Weber University of Oxford STFC/RAL LBNE European Collaborators UK Italy University of Cambridge Catania Group University of Lancaster Gran Sasso University of Liverpool Gran Sasso

312 views • 14 slides
Model-Based Explainable AI for Safe and Trusted Human-Autonomy Teaming Daniele Magazzeni

Model-Based Explainable AI for Safe and Trusted Human-Autonomy Teaming Daniele Magazzeni

Model-Based Explainable AI for Safe and Trusted Human-Autonomy Teaming Daniele Magazzeni @DanMagazzeni Trusted Autonomous Systems Hub To facilitate co-creation with industrial partners, patents, spin out, joint big grant proposals, engagement

1k views • 84 slides
No signal yet: The elusive birefringence of the vacuum, and whether gravitational wave detectors

No signal yet: The elusive birefringence of the vacuum, and whether gravitational wave detectors

No signal yet: The elusive birefringence of the vacuum, and whether gravitational wave detectors may help Hartmut Grote Hartmut Grote AEI Hannover AEI Hannover CaJAGWR, CaJAGWR, Caltech Caltech 24. Feb. 2015 Horror Vacui? Otto Von

525 views • 48 slides
Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street

Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street

Overview Implementation Core bench: micro-benchmarking for OCaml Christopher S. Hardin and Roshan P. James Jane Street September 24, 2013, OUD Workshop Christopher S. Hardin and Roshan P. James Core bench: micro-benchmarking for OCaml

539 views • 16 slides

More recommend