adversarial defeating perceptual ad blocking with
play

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial - PowerPoint PPT Presentation

Sep 01, 2022 •108 likes •415 views

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

  1. Today’s Story: How I got my first Death Threat ?

  2. AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramèr October 8 th 2019 Joint work with Pascal Dupré, Gili Rusak, Giancarlo Pellegrino and Dan Boneh

  3. The Future of Ad-Blocking? easylist.txt …markup… …URLs… ??? This is an ad Human distinguishability of ads > Legal requirement (U.S. FTC, EU E-Commerce) > Industry self-regulation on ad-disclosure 3

  4. Towards Computer Vision for Ad-Blocking Why not detect ad-disclosures programmatically? § > New arms race on HTML obfuscation > E.g., Facebook vs uBlockOrigin: https://github.com/uBlockOrigin/uAssets/issues/3367 - 1 year, 253 comments , and counting... 4

  5. Perceptual Ad-Blocking Ad Highlighter [Storey et al., 2017] § > Visually detects ad-disclosures > Traditional computer vision techniques > Simplified version in Adblock Plus Sentinel by Adblock Plus § > Locates ads in Facebook screenshots using neural networks Percival by Brave [Din et al., 2019] § > Neural network embedded in Chromium’s rendering pipeline 5

  6. Perceptual Ad-Blocking Ad Highlighter by Storey et al. § > Visually detects ad-disclosures > Traditional Computer Vision techniques > Simplified version implementable in Adblock Plus Sentinel by Adblock Plus § > Locates ads in Facebook screenshots using neural networks > Not yet deployed 6

  7. How Secure is Perceptual Ad-Blocking? … so that Tom’s post Jerry uploads gets blocked malicious content … 7

  8. Outline Perceptual ad-blockers: how they work § Attacking perceptual ad-blockers § Why defending is hard § 8

  9. Outline Perceptual ad-blockers: how they work § Attacking perceptual ad-blockers § Why defending is hard § 9

  10. How does a Perceptual Ad-Blocker Work? Ad Disclosure https://www.example.com Ad Classifier Classifier Data Collection and Training Classification Action Page Segmentation Template matching, OCR, DNNs, Object detector networks Ø Element-based (e.g., find all <img> tags) [Storey et al. 2017] Ø Frame-based (segment rendered webpage into “frames” as in Percival) Ø Page-based (unsegmented screenshots à-la-Sentinel) 10

  11. Building a Page-Based Ad-Blocker We trained a neural network to detect ads on news websites from all G20 nations Video taken from 5 websites not used during training 11

  12. Outline Perceptual ad-blockers: how they work § Attacking perceptual ad-blockers § Why defending is hard § 12

  13. The Current State of ML ML works well on average ≠ ML works well on adversarial data * *as long as there is no adversary 13

  14. Adversarial Examples Szegedy et al., 2014 Goodfellow et al., 2015 𝜁 ≈ 2 255 ⁄ How? § > Training ⟹ “tweak model parameters such that 𝑔( ) = 𝑞𝑏𝑜𝑒𝑏 ” > Attacking ⟹ “tweak input pixels such that 𝑔( ) = 𝑕𝑗𝑐𝑐𝑝𝑜 ” 14

  15. Adversarial Examples: A Pervasive Phenomenon (Athalye et al. 2018) (Kurakin et al. 2016) (Sharif et al. 2016) (Carlini et al. 2016, (Eykholt et al. 2017) Cisse et al. 2017, (Eykholt et al. 2018) Carlini & Wagner 2018) 15

  16. (Meaningful) Defenses 16

  17. Adversarial Examples for Page-Based Perceptual Ad-Blockers 17

  18. Ad-Block Evasion Goal: Make ads unrecognizable by ad-blocker § Adversary = Website publisher § Other adversaries exist (e.g., Ad-Network) § 18

  19. Evasion: Universal Transparent Overlay § Web publisher perturbs every rendered pixel Use HTML tiling to minimize perturbation size (20 KB) Ø 100% success rate on 20 webpages not used to create the overlay Ø The attack is universal: the overlay is computed once and works for all (or most) websites Ø Attack can be made more stealthy without relying on CSS 19

  20. Ad-Block Detection Goal: Trigger ad-blocker on “honeypot” content § > Detect ad-blocking in client-side JavaScript or on server > Applicability of these attacks depends on ad-blocker type Adversary = Website publisher § > Use client-side JavaScript to detect DOM changes 20

  21. Detection: Perturb fixed page layout Publisher adds honeypot in page-region with fixed layout § > E.g., page header original With honeypot header 21

  22. New Threats: Privilege Abuse Ad-block evasion & detection is a well-known arms race. But there’s more! § … so that Tom’s post gets blocked Jerry uploads malicious content … What happened? Object detector model generates box predictions from full page inputs Ø Content from one user can affect predictions anywhere on page Ø Model’s segmentation is not aligned with web-security boundaries Ø 22

  23. Outline Perceptual ad-blockers: how they work § Attacking perceptual ad-blockers § Why defending is hard § 23

  24. A Challenging Threat Model Ø Adversary has white-box access to ad-blocker Ø Adversary can exploit False Negatives and False Positives in classification pipeline The ad-blocker must defend Ø Adversary prepares attacks offline ó against attacks in real-time in the user’s browser Ø Adversary can take part in crowd-sourced data collection for training the ad-blocker 24

  25. Defense Strategy 1: Obfuscate the Model Attacks are easy if the adversary has access to the ML model § > Solution: hide model from adversary? Idea 1: Obfuscate the ad-blocker? § > It isn’t hard to create adversarial examples for black-box classifiers Idea 2: Randomize the ad-blocker? § (3) Action (1) Page Segme > Deploy different models - Adversarial examples that work against multiple models > Randomly change page before classifying - Adversarial examples robust to random transformations 25

  26. Defense Strategy 2: Anticipate and Adapt If ad-blocker is attacked (evasion or detection), § collect adversarial samples and re-train the model > Or train on adversarial examples proactively This is called Adversarial Training (Szegedy’14) § > New arms-race: The adversary finds new attacks and ad-blocker re-trains > Mounting a new attack is much easier than updating the model > On-going research: so far the adversary always wins! 26

  27. Adversarial Training: Current state of affairs Confer some robustness to a specific type of perturbation § > CIFAR10: 99% clean accuracy 50% accuracy at l ∞ = 8/255 > ImageNet: 85% clean accuracy 45% at l 2 = 255 (1 px change) What about multiple perturbations? (with Dan Boneh, NeurIPS 2019) § > Lose 5-20% accuracy points when training against two perturbation types > We show provable tradeoffs in robustness for natural statistical models 27

  28. Defense Strategy 3: Simplify the Problem Storey et al: recognize ad-disclosures § > Simpler computer vision problem than full-page ad-detection > Light-weight and mature techniques (OCR, perceptual hashing, SIFT) Adversarial Examples still exist § 28

  29. Take Away Emulating human detection of ads could be the end-game for ad-blockers § But very hard with current computer vision techniques § > Resisting adversarial examples is a challenging open problem Perceptual ad-blockers have to survive a strong threat model § > Similar attack for non-Web ad-blockers (e.g., Adblock Radio) https://github.com/ftramer/ad-versarial Ø Train a page-based ad-blocker Download pre-trained models Ø http://arxiv.org/abs/1811.03194 Ø Attack demos https://twitter.com/florian_tramer 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks

Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks

Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks February 22nd 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking? easylist.txt

315 views • 28 slides
Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

DAISY D ata A nalysis and I nformation S ecurit Y Lab Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to Audio-based Adversarial Attacks Yingying (Jennifer) Chen Professor, Electrical and Computer

1.05k views • 46 slides
Adversarial Decision-Making Brian J. Stankiewicz University of Texas, Austin Department Of

Adversarial Decision-Making Brian J. Stankiewicz University of Texas, Austin Department Of

Introduction Empirical Studies Future Directions/Ideas Summary &amp; Conclusions Adversarial Decision-Making Brian J. Stankiewicz University of Texas, Austin Department Of Psychology &amp; Center for Perceptual Systems &amp; Consortium for

588 views • 37 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Why blocking? What is blocking? Blocking in

626 views • 14 slides
Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

ST 516 Experimental Statistics for Engineers II Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs under homogeneous conditions; e.g. raw material comes in limited batches; we want to carry out runs

487 views • 23 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Implementing blocking Using vmc blocking

210 views • 8 slides
Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1 , Cristian Grecu 2 , Lorena Anghel 1 1 TIMA Laboratory, CNRS-UJF-INP, Grenoble, France 2 SoC Laboratory, University of British Columbia, Vancouver,

700 views • 23 slides
ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

ENDNOTES 14.84 E3d 734 (5th Cir. 1996). against nationwide class where 1. Gen.Tel. Co. Falcon,

Consumer Cases Brought under Rule 23(b)(3) STRATEGIES FOR DEFEATING CLASS CERTIFICATION By Thomas A. Dye and Dean A. Morande A lawsuit founded defeating succeed in class tainable. consumer A class definition fails if it is on to ever even

502 views • 4 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 ,

Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 ,

Window blocking issues and maximum blocking time Delay Aware Packet Scheduling Conclusion Delay Aware Packet Scheduling (DAPS) and receivers buffer blocking in CMT-SCTP Nicolas KUHN 1 , 2 , Golam SARWAR 2 , Emmanuel LOCHIN 1 , Roksana BORELI

555 views • 13 slides
Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba AliMe X-Lab Outline GAN Definition and formulation Saddle point optimization Vanishing gradient Alternative objective for Generator

516 views • 25 slides
Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable

Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable

Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable Models Instead Cynthia Rudin, Duke University Presenters : Sreya Dutta Roy, Ziqian Lin 1 Overview Introduction Explainable ML Vs

1.04k views • 39 slides
Search for stop decays to charm + LSP at CMS Zhenbin

Search for stop decays to charm + LSP at CMS Zhenbin

Search for stop decays to charm + LSP at CMS Zhenbin Wu University of Illinois at Chicago for the CMS collabora:on CHARM2015 Zhenbin Wu 1

377 views • 22 slides
Invest in the future: build for the web! Soledad Penads @supersole 1 of 61 20/06/2014 12:56

Invest in the future: build for the web! Soledad Penads @supersole 1 of 61 20/06/2014 12:56

Invest in the future, build for the web! http://localhost:8000/#1 Invest in the future: build for the web! Soledad Penads @supersole 1 of 61 20/06/2014 12:56 Invest in the future, build for the web! http://localhost:8000/#1 Apps

991 views • 61 slides
Section 19.1 Version Spaces CS4811 - Artificial Intelligence Nilufer Onder Department of

Section 19.1 Version Spaces CS4811 - Artificial Intelligence Nilufer Onder Department of

Section 19.1 Version Spaces CS4811 - Artificial Intelligence Nilufer Onder Department of Computer Science Michigan Technological University Outline Version spaces Inductive learning Supervised learning Example with playing cards

384 views • 35 slides
CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1:

CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1:

CSCE 790 Computer Systems Security Introduction Professor Qiang Zeng Spring 2020 Story 1: Morris the first worm in history CSCE 790 Computer Systems Security 2 Story 2: Malware, Stuxnet , took down Irans nuclear facilities

344 views • 30 slides
Earthquake Damage Workshop/Training on Earthquake Vulnerability and Multi-Hazard Risk Assessment:

Earthquake Damage Workshop/Training on Earthquake Vulnerability and Multi-Hazard Risk Assessment:

Earthquake Damage Workshop/Training on Earthquake Vulnerability and Multi-Hazard Risk Assessment: Geospatial Tools for Rehabilitation and Reconstruction Efforts Siefko Slob INTERNATIONAL INSTITUTE FOR GEO-INFORMATION SCIENCE AND EARTH

563 views • 54 slides
School Page 29 7 All boundaries are approximate Application Number : RE/15/00972/CON 7

School Page 29 7 All boundaries are approximate Application Number : RE/15/00972/CON 7

Application Number : RE/15/00972/CON 2012-13 Aerial Photos Aerial 1 : Land at St Josephs Catholic Primary School Page 29 7 All boundaries are approximate Application Number : RE/15/00972/CON 7 2012-13 Aerial Photos Aerial 2 : Land at St

797 views • 10 slides
1. Progress so far 2. Community and Faith 9 th Community Forum New Covenant Church, 506-510 Old

1. Progress so far 2. Community and Faith 9 th Community Forum New Covenant Church, 506-510 Old

Old Kent Road Area Action Plan 1. Progress so far 2. Community and Faith 9 th Community Forum New Covenant Church, 506-510 Old Kent Road, SE1 5BA Background Old Kent Road identified in the London Plan as an Opportunity Area Southwark

1.35k views • 24 slides

More recommend