attacking machine learning on the security and privacy of
play

Attacking Machine Learning: On the Security and Privacy of Neural - PowerPoint PPT Presentation

Oct 27, 2023 •42 likes •1.07k views

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

  1. SESSION ID: MLAI-W03 Attacking Machine Learning: 
 On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC

  2. Act I: On the Security and Privacy of Neural Networks

  3. #RSAC Let's play a game

  4. #RSAC 67% it is a Great Dane

  5. #RSAC 83% it is a Old English Sheepdog

  6. #RSAC 78% it is a Greater Swiss Mountain Dog

  7. #RSAC 99.99% it is Guacamole

  8. #RSAC 99.99% it is a Golden Retriever

  9. #RSAC 99.99% it is Guacamole

  10. #RSAC 76% it is a 45 MPH Sign K Eykholt, I Evtimov, E Fernandes, B Li, A Rahmati, C Xiao, A Prakash, T Kohno, D Song. 
 Robust Physical-World Attacks on Deep Learning Visual Classification. 2017

  11. #RSAC Adversarial Examples B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Srndic, P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. 2013. C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. 2014. I. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. 2015.

  12. #RSAC What do you think this transcribes as? N Carlini, D Wagner. Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. 2018

  13. #RSAC "It was the best of times, 
 it was the worst of times, 
 it was the age of wisdom, 
 it was the age of foolishness, 
 it was the epoch of belief, 
 it was the epoch of incredulity" N Carlini, D Wagner. Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. 2018

  14. #RSAC N Carlini, P Mishra, T Vaidya, Y Zhang, M Sherr, C Shields, D Wagner, W Zhou. Hidden Voice Commands. 2016

  15. Constructing Adversarial Examples

  16. #RSAC [0.9, 
 0.1]

  17. #RSAC [0.9, 
 0.1]

  18. #RSAC [0.89, 
 0.11]

  19. #RSAC [0.89, 
 0.11]

  20. #RSAC [0.89, 
 0.11]

  21. #RSAC [0.91, 
 0.09]

  22. #RSAC [0.89, 
 0.11]

  23. #RSAC [0.48, 
 0.52]

  24. #RSAC This does work ... ... but we have calculus !

  25. #RSAC

  26. #RSAC + .001 ✕ = adversarial DOG CAT perturbation I. J. Goodfellow, J. Shlens and C. Szegedy. Explaining and harnessing adversarial examples. 2015

  27. #RSAC What if we don't have direct access to the model?

  28. #RSAC A Ilyas, L Engstrom, A Athalye, J Lin. Black-box Adversarial Attacks with Limited Queries and Information. 2018

  29. #RSAC A Ilyas, L Engstrom, A Athalye, J Lin. Black-box Adversarial Attacks with Limited Queries and Information. 2018

  30. #RSAC Generating adversarial examples is simple and practical

  31. Defending against Adversarial Examples

  32. #RSAC Case Study: ICLR 2018 Defenses A Athalye, N Carlini, D Wagner. Obfuscated Gradients Give a False 
 Sense of Security: Circumventing Defenses to Adversarial Examples. 2018

  34. #RSAC

  35. #RSAC 2 Out of scope 4 7

  36. #RSAC 2 Out of scope 4 Correct Defenses 7

  37. #RSAC 2 Out of scope 4 Broken Defenses Correct Defenses 7

  42. #RSAC The Last Hope: Adversarial Training A Madry, A Makelov, L Schmidt, D Tsipras, A Vladu. Towards Deep Learning Models Resistant to Adversarial Attacks. 2018

  43. #RSAC Caveats Requires small images (32x32) Only effective for tiny perturbations Training is 10-50x slower And even still, only works half of the time

  44. #RSAC Current neural networks appear consistently vulnerable to evasion attacks

  45. #RSAC First reason to not use 
 machine learning: Lack of robustness

  46. Act II: On the Security and Privacy of Neural Networks

  47. #RSAC What are the privacy problems? Privacy of what? Training Data

  48. #RSAC 1. Train 2. Predict Obama

  49. #RSAC 1. Train 2. Extract Person 7 M. Fredrikson, S. Jha, T. Ristenpart. Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. 2015.

  50. #RSAC 1. Train 2. Predict "What are you" "doing" N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks 2018

  51. #RSAC 1. Train 2. Extract Nicholas's 123-45-6789 SSN is N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks 2018

  52. #RSAC

  53. #RSAC

  54. #RSAC

  55. #RSAC

  56. Extracting Training Data From Neural Networks

  57. #RSAC 1. Train 2. Predict P( ; ) = y

  58. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 000-00-0000

  59. #RSAC What is ... My SSN is 
 P( ; ) = 0.02 000-00-0001

  60. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 000-00-0002

  61. #RSAC What is ... My SSN is 
 P( ; ) = 0.00 123-45-6788

  62. #RSAC What is ... My SSN is 
 P( ; ) = 0.32 123-45-6789

  63. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 123-45-6790

  64. #RSAC What is ... My SSN is 
 P( ; ) = 0.00 999-99-9998

  65. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 999-99-9999

  66. #RSAC The answer (probably) is My SSN is 
 P( ; ) = 0.32 123-45-6789

  67. #RSAC But that takes millions of queries!

  68. #RSAC Presenter’s Company Logo – replace or delete on master slide

  69. Testing with Exposure

  70. #RSAC Choose Between ... Model A Model B Accuracy: 96% Accuracy: 92%

  71. #RSAC Choose Between ... Model A Model B Accuracy: 96% 
 Accuracy: 92% High Memorization No Memorization

  72. #RSAC Exposure -based Testing Methodology N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks. 2018

  73. #RSAC If a model memorizes completely random canaries , it probably also is memorizing other training data

  74. #RSAC 1. Train = "correct horse battery staple" 2. Predict P( ; ) = y

  75. #RSAC 1. Train = "correct horse battery staple" 2. Predict P( ; ) = 0.1

  76. #RSAC 1. Train 2. Predict P( ; ) =

  77. #RSAC 1. Train 2. Predict P( ; ) = 0.6

  78. #RSAC 1. Train 2. Predict P( ; ) = 0.1

  79. #RSAC Exposure: Probability that the canary is more likely than another (similar) candidate

  80. #RSAC Inserted Canary Other Candidate P( ; ) expected P( ; )

  81. #RSAC 1. Generate canary 2. Insert into training data 3. Train model 4. Compute exposure of 
 (compare likelihood to other candidates)

  82. #RSAC

  83. Provable Defenses with Differential Privacy

  84. #RSAC But first, what is Differential Privacy ?

  85. #RSAC ? A B

  86. #RSAC Differentially Private Stochastic Gradient Descent M Abadi, A Chu, I Goodfellow, H B McMahan, I Mironov, K Talwar, L Zhang. Deep Learning with Differential Privacy. 2016

  87. #RSAC

  88. #RSAC The math may be scary ... Applying differential privacy is easy https://github.com/tensorflow/privacy

  89. #RSAC The math may be scary ... Applying differential privacy is easy optimizer = tf.train.GradientDescentOptimizer()

  90. #RSAC The math may be scary ... Applying differential privacy is easy dp_optimizer_class = dp_optimizer.make_optimizer_class( tf.train.GradientDescentOptimizer) optimizer = dp_optimizer_class() https://github.com/tensorflow/privacy

  91. #RSAC Exposure confirms differential privacy is effective

  92. #RSAC Second reason to not use 
 machine learning: Training Data Privacy

  93. Act III: Conclusions

  94. #RSAC First reason to not use 
 machine learning: Lack of robustness

  95. #RSAC

  96. #RSAC Second reason to not use 
 machine learning: Training Data Privacy

  97. #RSAC

  98. #RSAC When using ML, always investigate potential concerns for both Security and Privacy

  99. #RSAC Next Steps On the privacy side ... Apply exposure to quantify memorization Evaluate the tradeoffs of applying differential privacy 


  100. #RSAC Next Steps On the privacy side ... Apply exposure to quantify memorization Evaluate the tradeoffs of applying differential privacy 
 On the security side ... Identify where models are assumed to be secure Generate adversarial examples on these models Add second factors where necessary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and Privacy Lead, Humu Who am I? Storage systems Ph.D. from UCSC Post-doc in a databases group Joined Symantec Research Labs.

286 views • 25 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University & Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for Machine Learning Graphics Adopted from The New York Times Privacy Project 2 Famous incidents - Anonymization - A Face Is Exposed for AOL

1.03k views • 7 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu Tell us your: Name (how you like to be called) Position (MS / PhD) and year Research Interests What do you expect from this

563 views • 34 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Machine Learning and Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine learning, we need data. What if the data contains sensitive information? medical data, web search query data, salary data,

725 views • 15 slides
How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The evolution of AI AI has evolved a lot over the last few years Speech Recognition Computer Vision Machine Translation Natural Language Processing

939 views • 54 slides
in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

Security (and Privacy) in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This talk: neural networks Machine learning is amazing But there's a catch Understandability This talk: Discuss security

892 views • 55 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a concern in ML? Patient History Genetic Data Search History Famous incidents - Anonymization - A Face Is Exposed for AOL Searcher No.

1.51k views • 17 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan When did consumers become concerned about privacy and computing? From Understanding Privacy Concerns (1992) A 1990 Louis Harris survey commissioned

443 views • 30 slides
Distributed Machine Learning Maria-Florina Balcan Carnegie Mellon University Distributed Machine

Distributed Machine Learning Maria-Florina Balcan Carnegie Mellon University Distributed Machine

Distributed Machine Learning Maria-Florina Balcan Carnegie Mellon University Distributed Machine Learning Modern applications: massive amounts of data distributed across multiple locations. Distributed Machine Learning Modern applications:

673 views • 38 slides
Measurement of R(D) and R(D*) with a semileptonic tag at Belle Giacomo Caria on behalf of the

Measurement of R(D) and R(D*) with a semileptonic tag at Belle Giacomo Caria on behalf of the

Measurement of R(D) and R(D*) with a semileptonic tag at Belle Giacomo Caria on behalf of the Belle collaboration 54th Rencontres de Moriond, EW 22/03/2019 The R(D) and R(D*) puzzles R(D*) BaBar, PRL109,101802(2012) 0.5 2 = 1.0

362 views • 18 slides
AUTOMATED REASONING make resolution steps, but for even a medium sized problem the number of

AUTOMATED REASONING make resolution steps, but for even a medium sized problem the number of

6ai Controlling Resolution: In this group of slides well look at some basic ways to control resolution. It is easy to AUTOMATED REASONING make resolution steps, but for even a medium sized problem the number of resolvents increases very

472 views • 6 slides
SMEC 2014 Context and Aim Inquiry based learning places a strong emphasis on students

SMEC 2014 Context and Aim Inquiry based learning places a strong emphasis on students

INVESTIGATING MISCONCEPTIONS IN MECHANICS USING MCQS David Keenahan SMEC 2014 Context and Aim Inquiry based learning places a strong emphasis on students questioning what they observe and analysing different possibilities. These skills are

341 views • 16 slides
Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu

Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu

Distributed Aggregation for Data- Parallel Computing Interfaces and Implementations Yuan Yu Pradeep Kumar Gunda Michael Isard Microsoft Research Silicon Valley Dryad and DryadLINQ Automatic query plan generation by DryadLINQ Automatic

721 views • 30 slides
5.000 Trill s Siari age 5.000 Trill s ~ ~ ~ ~ ~ ~ ~ Siari age o. oa ;--- -,.111-

5.000 Trill s Siari age 5.000 Trill s ~ ~ ~ ~ ~ ~ ~ Siari age o. oa ;--- -,.111-

10,000 Trials 40 PPiRa nd O m st8n vs Cfi' ilifstaii 200 5.000 Trill s Siari age 5.000 Trill s ~ ~ ~ ~ ~ ~ ~ Siari age o. oa ;--- -,.111- ----- +- - tt-- ----- -t ------------;- oo l=- --- -l -- l- ----- +- --------- --r

105 views • 7 slides
HEROS Frequently Asked Questions WEBINAR SERIES 2020 Presenters Presenters: Lauren Hayes

HEROS Frequently Asked Questions WEBINAR SERIES 2020 Presenters Presenters: Lauren Hayes

HEROS Frequently Asked Questions WEBINAR SERIES 2020 Presenters Presenters: Lauren Hayes Knutson and Sean Joyner (Office of Environment and Energy) Moderator: Ben Sturm (Cloudburst) Presentation is in listen-only mode Q & A session

1.15k views • 75 slides
Structured Probabilistic Models for Deep Learning Lecture slides for Chapter 16 of Deep Learning

Structured Probabilistic Models for Deep Learning Lecture slides for Chapter 16 of Deep Learning

Structured Probabilistic Models for Deep Learning Lecture slides for Chapter 16 of Deep Learning www.deeplearningbook.org Ian Goodfellow 2016-10-04 Roadmap Challenges of Unstructured Modeling Using Graphs to Describe Model Structure

974 views • 34 slides

More recommend