limitations of threat modeling in adversarial machine
play

Limitations of Threat Modeling in Adversarial Machine Learning - PowerPoint PPT Presentation

Nov 03, 2023 •102 likes •498 views

Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramr EPFL, December 19 th 2019 Based on joint work with Jens Behrmannn, Dan Boneh, Nicholas Carlini, Pascal Dupr, Jrn-Henrik Jacobsen, Nicolas Papernot, Giancarlo

  1. Limitations of Threat Modeling in Adversarial Machine Learning Florian Tramèr EPFL, December 19 th 2019 Based on joint work with Jens Behrmannn, Dan Boneh, Nicholas Carlini, Pascal Dupré, Jörn-Henrik Jacobsen, Nicolas Papernot, Giancarlo Pellegrino, Gili Rusak

  2. The state of adversarial machine learning GANs vs Adversarial Examples Maybe we need to write 10x more papers 10000+ papers 2019 2018 2013 2014 1000+ papers Inspired by N. Carlini, “Recent Advances in Adversarial Machine Learning”, ScAINet 2019 2

  3. Adversarial examples Biggio et al., 2014 Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 88% Tabby Cat 99% Guacamole How? Training ⟹ “tweak model parameters such that 𝑔( ) = 𝑑𝑏𝑢 ” • Attacking ⟹ “tweak input pixels such that 𝑔( ) = 𝑕𝑣𝑏𝑑𝑏𝑛𝑝𝑚𝑓 ” • 3

  4. The bleak state of adversarial examples 4

  5. The bleak state of adversarial examples Most papers study a “toy” problem • Solving it is not useful per se, but maybe we’ll find new insights or techniques Going beyond this toy problem (even slightly) is hard • Overfitting to the toy problem happens and is harmful • The “non-toy” version of the problem is not actually that • relevant for computer security (except for ad-blocking) 5

  6. The bleak state of adversarial examples Most papers study a “toy” problem • Solving it is not useful per se, but maybe we’ll find new insights or techniques Going beyond this toy problem (even slightly) is hard • Overfitting to the toy problem happens and is harmful • The “non-toy” version of the problem is not actually that • relevant for computer security (except for ad-blocking) 6

  7. The standard game [Gilmer et al. 2018] Adversary is given an input x from a Adversary has some info on model data distribution (white-box, queries, data) ML Model Adversary produces adversarial example x’ Adversary wins if x’ ≈ x and defender misclassifies 7

  8. Relaxing and formalizing the game How do we define x’ ≈ x ? “Semantics” preserving, fully imperceptible? • Conservative approximations [Goodfellow et al. 2015] Consider noise that is clearly semantics-preserving • E.g., where δ ! = max δ " ≤ 𝜗 x’ x δ Robustness to this noise is necessary but not sufficient • Even this “toy” version of the game is hard, • so let’s focus on this first 8

  9. Progress on the toy game Many broken defenses [Carlini & Wagner 2017, Athalye et al. 2018] • Adversarial Training [Szegedy et al., 2014, Madry et al., 2018] • Þ For each training input ( x , y), train on worst-case adversarial input $%&'$( Loss (𝑔 𝒚 + 𝜺 , 𝑧) 𝜺 ! "# Certified Defenses • [Hein & Andriushchenko 2017, Raghunathan et al., 2018, Wong & Kolter 2018] 9

  10. Progress on the toy game Many broken defenses [Carlini & Wagner 2017, Athalye et al. 2018] • Robustness to noise of small l p norm is a “toy” problem Adversarial Training [Szegedy et al., 2014, Madry et al., 2018] • Þ For each training input ( x , y), train on worst-case adversarial input $%&'$( Loss (𝑔 𝒚 + 𝜺 , 𝑧) Solving this problem is not useful per se, 𝜺 ! "# unless it teaches us new insights Certified Defenses • [Hein & Andriushchenko 2017, Raghunathan et al., 2018, Wong & Kolter 2018] Solving this problem does not give us “secure ML” 10

  11. Outline Most papers study a “toy” problem • Solving it is not useful per se, but maybe we’ll find new insights or techniques Going beyond this toy problem (even slightly) is hard • Overfitting to the toy problem happens and is harmful • The “non-toy” version of the problem is not actually that • relevant for computer security (except for ad-blocking) 11

  12. Beyond the toy game Issue: defenses do not generalize Example: training against l ∞ -bounded noise on CIFAR10 96% 70% Engstrom et al., 2017 Accuracy Sharma & Chen, 2018 16% 9% No noise l ∞ noise l 1 noise rotation / translation Robustness to one type can increase vulnerability to others 12

  13. Robustness to more perturbation types S 2 = 𝜀: S 1 = 𝜀: 𝜀 ! ≤ 𝜁 ! 𝜀 " ≤ 𝜁 " S 3 = 𝜀: « small rotation » S = S 1 U S 2 U S 3 • Pick worst-case adversarial example from S • Train the model on that example T & Boneh, “Adversarial Training and Robustness for Multiple Perturbations”, NeurIPS 2019 13

  14. Empirical multi-perturbation robustness CIFAR10: MNIST: T & Boneh , “Adversarial Training and Robustness for Multiple Perturbations”, NeurIPS 2019 14

  15. Empirical multi-perturbation robustness CIFAR10: Current defenses scale poorly to multiple perturbations MNIST: We also prove that a robustness tradeoff is inherent for simple data distributions T & Boneh , “Adversarial Training and Robustness for Multiple Perturbations”, NeurIPS 2019 15

  16. Outline Most papers study a “toy” problem • Solving it is not useful per se, but maybe we’ll find new insights or techniques Going beyond this toy problem (even slightly) is hard • Overfitting to the toy problem happens and is harmful • The “non-toy” version of the problem is not actually that • relevant for computer security (except for ad-blocking) 16

  17. Invariance adversarial examples ∈ 0, 1 784 Highest robustness claims in the literature: 80% robust accuracy to l 0 = 30 • Certified 85% robust accuracy to l ∞ = 0.4 • natural Robustness considered l ∞ ≤ 0.4 harmful l 0 ≤ 30 Jacobsen et al., “Exploiting Excessive Invariance caused by Norm-Bounded Adversarial Robustness”, 2019 17

  18. Invariance adversarial examples ∈ 0, 1 784 Highest robustness claims in the literature: 80% robust accuracy to l 0 = 30 • We do not even know how to Certified 85% robust accuracy to l ∞ = 0.4 • set the “right” bounds for the natural toy problem Robustness considered l ∞ ≤ 0.4 harmful l 0 ≤ 30 Jacobsen et al., “Exploiting Excessive Invariance caused by Norm-Bounded Adversarial Robustness”, 2019 18

  19. Adversarial examples are hard! Most current work: small progress on the relaxed game • Moving towards the standard game is hard • Even robustness to 2-3 perturbations types is tricky • How would we even enumerate all necessary perturbations? • Over-optimizing robustness is harmful • How do we set the right bounds? • We need a formal model of perceptual similarity • But then we’ve probably solved all of computer vision anyhow... • 19

  20. Outline Most papers study a “toy” problem • Solving it is not useful per se, but maybe we’ll find new insights or techniques Going beyond this toy problem (even slightly) is hard • Overfitting to the toy problem happens and is harmful • The “non-toy” version of the problem is not actually that • relevant for computer security (except for ad-blocking) 20

  21. Recap on the standard game Adversary is given an input x from a Adversary has some info on model data distribution (white-box, queries, data) ML Model Adversary produces adversarial example x’ Adversary wins if x’ ≈ x and defender misclassifies 21

  22. Recap on the standard game Adversary is given an input x from a Adversary has some info on model data distribution (white-box, queries, data) There are very few settings ML Model where this game captures a relevant threat model Adversary produces adversarial example x’ Adversary wins if x’ ≈ x and defender misclassifies 22

  23. ML in security/safety critical environments Fool self-driving cars’ street-sign detection [Eykholt et al. 2017+ 2018 ] Evade malware detection [Grosse et al. 2018] Fool visual ad-blockers [ T et al. 2019] 23

  24. Is the standard game relevant? 24

  25. ML Model 25

  26. Is the standard game relevant? Is there an adversary? 26

  27. Adversary is given an input x from a data distribution ML Model 27

  28. Is the standard game relevant? Is there an adversary? Is average-case success important? (Adv cannot choose which inputs to attack) 28

  29. Adversary has some info on model (white-box, queries, data) ML Model 29

  30. Is the standard game relevant? Is there an adversary? Average-case success? Model access? (white-box, queries, data) 30

  31. ML Model Adversary wins if x’ ≈ x and defender misclassifies 31

  32. Is the standard game relevant? Is there an adversary? Average-case success? Access to model? Should attacks preserve semantics? (or be fully imperceptible) 32

  33. Is the standard game relevant? Is there an adversary? Average-case success? Access to model? Semantics-preserving perturbations? Unless the answer to all these questions is Yes , the standard game of adversarial examples is not the right threat model 33

  34. Where else could the game be relevant? Anti-phishing Content takedown Common theme: human-in-the-loop! (Adversary wants to fools ML without disrupting UX) 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adversarial Machine Learning: Curiosity, Benefit, or Threat? Lujo Bauer Associate Professor

Adversarial Machine Learning: Curiosity, Benefit, or Threat? Lujo Bauer Associate Professor

Adversarial Machine Learning: Curiosity, Benefit, or Threat? Lujo Bauer Associate Professor Electrical & Computer Engineering + Computer Science Director Cyber Autonomy Research Center Collaborators: Mahmood Sharif, Sruti Bhagavatula,

534 views • 35 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect

Threat Modeling and S haring S ummary Proposal to kick off Threat Modeling proj ect Multi-phase approach Initially: create Cyber Domain PIM and S TIX PS M with UML Profile for NIEM Expand to other PS M, create Threat Meta

211 views • 10 slides
Adversarial AI in Cyber Security WHO AM I

Adversarial AI in Cyber Security WHO AM I

Adversarial AI in Cyber Security WHO AM I Join Trend Micro on 2009 Infra Developer Threat Researcher Machine Learning Researcher Join XGen ML project on 2015 Now leading

686 views • 35 slides
Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling

Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling

Outline Starting synchronous lecture recording CSci 4271W More perspectives on threat modeling Development of Secure Software Systems Threat modeling: printer manager Day 7: More Threat Modeling Stephen McCamant Logistics update, incl.

564 views • 4 slides
AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS THREAT MODELING Introduction WHAT IS THREAT MODELING Structured Process Examination of a system for potential weaknesses

391 views • 28 slides
Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP

Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP

Practical Approach For Lightway Threat Modeling Automation Vitaly Davidoff CISSP , CSSLP Agenda What is Threat Modeling Existing Methodologies Problems in common solution Lightway Threat Modeling As a Code

659 views • 34 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A

Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A

Threat Modeling: Lessons from Star Wars Adam Shostack @adamshostack Agenda What is threat modeling? A simple approach to threat modeling Top 10 lessons Learning more What is threat modeling? A SIMPLE APPROACH TO THREAT

606 views • 41 slides
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning Florian Tramr November 14 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking easylist.txt markup

612 views • 23 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of

Vulnerability of machine learning models to adversarial examples Petra Vidnerov Institute of Computer Science The Czech Academy of Sciences Hora Informaticae 2016 Outline Introduction Works on adversarial examples Our work Genetic

855 views • 46 slides
Adversarial Risk Analysis for Counterterrorism Modeling Jesus Rios IBM research joint work with

Adversarial Risk Analysis for Counterterrorism Modeling Jesus Rios IBM research joint work with

Workshop on Adversarial Decision Making Adversarial Risk Analysis for Counterterrorism Modeling Jesus Rios IBM research joint work with David Rios Insua DIMACS, September 2010 1 Outline Motivation ARA framework: Predicting

1.44k views • 44 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning

Physical Adversarial Examples Alex Kurakin Ian Goodfellow Output STOP Machine Learning Training Examples Hidden units / BICYCLE features CAR PEDESTRIA N Parameters Input ImageNet (Russakovsky et al 2015) Adversarial Examples: Images

369 views • 19 slides
The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES

The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES

The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES PROGRAM CONSULTANT NC DIVISION OF SOCIAL SERVICES 1 Description of Session The presenter will summarize the current policy and practices of local

296 views • 14 slides
2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7

2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7

ACADEMIC LYCEUM INTERNATIONAL HOUSE TASHKENT 2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7 Review Intermediate control work 4 1. She ____ obsessed with rock climbing at a young age.

398 views • 7 slides
Self-directed Support Use of direct payments to employ family members module Learning

Self-directed Support Use of direct payments to employ family members module Learning

Self-directed Support Use of direct payments to employ family members module Learning Objectives Gain an understanding of whats new in relation to employing family members Gain an understanding of when a payment may or may not

524 views • 20 slides
Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About

Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About

CS380: Computer Graphics Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About the Instructor Notable recognitions Co-chairs at ACM Symp. on Interactive 3D Graphics and Games Test-of-time

758 views • 53 slides
Model Driven Security: Foundations, Tools, and Practice David Basin, Manuel Clavel, and Marina

Model Driven Security: Foundations, Tools, and Practice David Basin, Manuel Clavel, and Marina

Model Driven Security: Foundations, Tools, and Practice David Basin, Manuel Clavel, and Marina Egea ETH Zurich, IMDEA Software Institute Thursday 1st, 2011 combolog Marina Egea MDS in Practice Outline I Models Analysis. Types. 1 The

782 views • 75 slides
On coherence-sensitive observables Simon Pltzer IPPP, Department of Physics, Durham University

On coherence-sensitive observables Simon Pltzer IPPP, Department of Physics, Durham University

On coherence-sensitive observables Simon Pltzer IPPP, Department of Physics, Durham University & PPT, School of Physics and Astronomy, University of Manchester at the FCC EE Workshop | CERN, 22 November 2016 Outline Coherence in a

658 views • 10 slides
System Analysis Preliminaries Jonathan Thaler Department of Computer Science 1 / 12 Software

System Analysis Preliminaries Jonathan Thaler Department of Computer Science 1 / 12 Software

System Analysis Preliminaries Jonathan Thaler Department of Computer Science 1 / 12 Software Engineering Definition Software engineering is the systematic application of engi- neering approaches to the development of software . It is an

672 views • 12 slides
MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 2 Results and Discussion Figure 1 .

MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 2 Results and Discussion Figure 1 .

MOL2NET, 2018 , 4, http://sciforum.net/conference/mol2net-04 1 MDPI MOL2NET, International Conference Series on Multidisciplinary Sciences Antibacterial activities of triterpenes from leaves of Cissus incisa Deyani Nocedo-Mena a , Elvira Garza b

513 views • 3 slides

More recommend