provably secure machine learning
play

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial - PowerPoint PPT Presentation

Feb 25, 2024 •211 likes •738 views

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

  1. Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017

  2. Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and defense Proofs break the arms race, provide absolute security • for a given threat model... 1

  3. Example: Adversarial Test Images 2

  4. Example: Adversarial Test Images [Szegedy et al., 2014]: first discovers adversarial examples [Goodfellow, Shlens, Szegedy, 2015]: Fast Gradient Sign Method (FGSM) + adversarial training [Papernot et al., 2015]: defensive distillation [Carlini and Wagner, 2016]: distillation is not secure [Papernot et al., 2017]: FGSM + distillation only make attacks harder to find [Carlini and Wagner, 2017]: all detection strategies fail [Madry et al., 2017]: a secure network, finally?? 2

  5. Example: Adversarial Test Images [Szegedy et al., 2014]: first discovers adversarial examples [Goodfellow, Shlens, Szegedy, 2015]: Fast Gradient Sign Method (FGSM) + adversarial training [Papernot et al., 2015]: defensive distillation [Carlini and Wagner, 2016]: distillation is not secure [Papernot et al., 2017]: FGSM + distillation only make attacks harder to find [Carlini and Wagner, 2017]: all detection strategies fail [Madry et al., 2017]: a secure network, finally?? 1 proof = 3 years of research 2

  6. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design 3

  7. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design Hard to analyze, limited levers 3

  8. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design Hard to analyze, limited levers Other challenges: • adversary has access to sensitive parts of system • unclear what spec should be (car doesn’t crash?) 3

  9. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 4

  10. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 4

  11. Test-time Attacks Adversarial examples: Can we prove no adversarial examples exist? 5

  12. Formal Goal Goal Given a classifier f : R d → { 1 , . . . , k } , and an input x , show that there is no x ′ with f ( x ) � = f ( x ′ ) and � x − x ′ � ≤ ǫ . • Norm: ℓ ∞ -norm: � x � = max d j =1 | x j | • Classifier: f is a neural network 6

  13. [Katz, Barrett, Dill, Julian, Kochenderfer 2017] Approach 1: Reluplex Assume f is a ReLU network: layers x (1) , . . . , x ( L ) , with x ( l +1) = max( a ( l ) · x ( l ) , 0) i i Want to bound maximum change in output x ( L ) . Can write as an integer-linear program (ILP) : y = max( x, 0) ⇐ ⇒ x ≤ y ≤ x + b · M, 0 ≤ y ≤ (1 − b ) · M, b ∈ { 0 , 1 } Check robustness on 300-node networks • time ranges from 1s to 4h (median 3m-4m) 7

  14. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. 8

  15. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. Every quadratic program can be relaxed to a semi-definite program 8

  16. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. Every quadratic program can be relaxed to a semi-definite program Advantages: • always polynomial-time • duality: get differentiable upper bounds • can train against upper bound to generate robust networks 8

  17. Results 9

  18. Results 9

  19. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 10

  20. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all 11

  21. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all Huge issue in practice... 11

  22. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all Huge issue in practice... How can we keep adversary from subverting the model? 11

  23. Formal Setting Adversarial game: • Start with clean dataset D c = { x 1 , . . . , x n } • Adversary adds ǫn bad points D p • Learner trains model on D = D c ∪D p , outputs model θ and incurs loss L ( θ ) Learner’s goal: ensure L ( θ ) is low no matter what adversary does • under a priori assumptions, • or for a specific dataset D c . 12

  24. Formal Setting Adversarial game: • Start with clean dataset D c = { x 1 , . . . , x n } • Adversary adds ǫn bad points D p • Learner trains model on D = D c ∪D p , outputs model θ and incurs loss L ( θ ) Learner’s goal: ensure L ( θ ) is low no matter what adversary does • under a priori assumptions, • or for a specific dataset D c . In high dimensions, most algorithms fail! 12

  25. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . 13

  26. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  27. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  28. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  29. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  30. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  31. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). Growing literature: 15+ papers since 2016 [DKKLMS16/17, LRV16, SVC16, DKS16/17, CSV17, SCV17, L17, DBS17, KKP17, S17, MV17] 13

  32. What about certifying a specific algorithm on a specific data set? 14

  33. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  34. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  35. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  36. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  37. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  38. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  39. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F 16

  40. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F (Very) NP-hard in general 16

  41. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F (Very) NP-hard in general Key insight: approximate test loss by train loss, can then upper bound via a saddle point problem (tractable) • automatically generates a nearly optimal attack 16

  42. Results 17

  43. Results 17

  44. Results 17

  45. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 18

  46. 19

  47. 19

  48. [Selsam and Liang 2017] Developing Bug-Free ML Systems 20

  49. [Cai, Shin, and Song 2017] Provable Generalization via Recursion 21

  50. Summary Formal verification can be used in many contexts: • test-time attacks • training-time attacks • implementation bugs • checking generalization High-level ideas: • cast as optimization problem : rich set of tools • train/optimize against certificate • re-design system to be amenable to proof 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London Outline of the Talk Hierarchical Key Assignment Schemes Definition of

802 views • 48 slides
ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12] Michael Backes 1 , 2 Aniket Kate 1 Matteo Maffei 2 Kim Pecina 2 1 MPI-SWS, Germany 2 Saarland University, Germany Tracking in the Advertising World Today

744 views • 35 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a ard 1 Daniel Escudero 1 Tore Frederiksen 2 Marcel Keller 3 Peter Scholl 1 Ivan Damg Nikolaj Volgushev 2 May 19, 2019 1 Aarhus University, Denmark 2

711 views • 32 slides
Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2

Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2

Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2 Zheng Zhao 1 Bei Yu 3 Yier Jin 2 David Z. Pan 1 1 Electrical and Computer Engineering, University of Texas at Austin 2 Electrical and Computer

683 views • 35 slides
CSE 127: Introduction to Security Deian Stefan UCSD Winter 2020 Lecture 1 Course staff

CSE 127: Introduction to Security Deian Stefan UCSD Winter 2020 Lecture 1 Course staff

CSE 127: Introduction to Security Deian Stefan UCSD Winter 2020 Lecture 1 Course staff Instructor: Deian Stefan deian@cs.ucsd.edu Lecture: Mon & Wed 5-6:20pm Center 109 Discussion: Fri 2-2:50pm Center 216 Office Hours: Wed

628 views • 49 slides
A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and

296 views • 14 slides
Web Architecture 253 Privacy & Security who's this guy? columbia university school of

Web Architecture 253 Privacy & Security who's this guy? columbia university school of

Web Architecture 253 Web Architecture 253 Web Architecture 253 Privacy & Security who's this guy? columbia university school of engineering and applied science bs in computer science 1999 who's this guy? 13+ years writing software and

878 views • 63 slides
Resilience in Information Stewardship Christos Ioannidis, David Pym, Julian Williams, and Iat

Resilience in Information Stewardship Christos Ioannidis, David Pym, Julian Williams, and Iat

Resilience in Information Stewardship Christos Ioannidis, David Pym, Julian Williams, and Iat Gheyas -WEIS 2014 - PENNSYLVANIA STATE UNIVERSITY 23 June 2014 (IPWG) () STEWARDSHIP 2 : Resilience 23 June 2014 1 / 33 Resilience in

446 views • 32 slides
CS615 - Aspects of System Administration System Security Department of Computer Science Stevens

CS615 - Aspects of System Administration System Security Department of Computer Science Stevens

CS765 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration System Security Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu

921 views • 76 slides
Cybersecurity Research Needs Vendor Perspective Bryan Owen PE, OSIsoft LLC cred-c.org | 1

Cybersecurity Research Needs Vendor Perspective Bryan Owen PE, OSIsoft LLC cred-c.org | 1

Cybersecurity Research Needs Vendor Perspective Bryan Owen PE, OSIsoft LLC cred-c.org | 1 Beliefs Awareness and training are fundamental We need to advance defensive skills Cyber defense is a team sport We need collaborative approaches

650 views • 9 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
50+ corporate relationships live on BPO We were able to share shipping documents with BNPP

50+ corporate relationships live on BPO We were able to share shipping documents with BNPP

50+ corporate relationships live on BPO We were able to share shipping documents with BNPP electronically and in a matter of hours we received confirmation that they were fine. In terms of ease of working, its very positive, and we

445 views • 5 slides

More recommend