what s next for adversarial ml
play

What's next for adversarial ML? (and why ad-blockers should care) - PowerPoint PPT Presentation

May 26, 2023 •430 likes •703 views

What's next for adversarial ML? (and why ad-blockers should care) Florian Tramr EPFL July 9 th 2018 Joint work with Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Deep Learning Revolution First they came for images The Deep Learning

  1. What's next for adversarial ML? (and why ad-blockers should care) Florian Tramèr EPFL July 9 th 2018 Joint work with Gili Rusak, Giancarlo Pellegrino and Dan Boneh

  2. The Deep Learning Revolution First they came for images…

  3. The Deep Learning Revolution And then everything else…

  4. The ML Revolution Including things that likely won’t work… 4

  5. What does this mean for privacy & security? Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft [ T ZJRR16] Test outputs Training data Data poisoning Blockchain ??? dog cat bird Robust statistics Adversarial Examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware Þ Check out Slalom! [ T B18] Adapted from (Goodfellow 2018) 5

  6. What does this mean for privacy & security? Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft [ T ZJRR16] Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial Examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware Þ Check out Slalom! [ T B18] Adapted from (Goodfellow 2018) 6

  7. ML models make surprising mistakes + . 007 ⇥ = Pretty sure this I’m certain this is a panda is a gibbon (Szegedy et al. 2013, Goodfellow et al. 2015) 7

  8. Attacks on cyber-physical systems (Athalye et al. 2018) (Kurakin et al. 2016) (Sharif et al. 2016) (Eykholt et al. 2017) (Carlini et al. 2016, (Eykholt et al. 2018) Cisse et al. 2017) 8

  9. Where are the defenses? • Adversarial training Prevent “all/most Szegedy et al. 2013, Goodfellow et al. 2015, attacks” for a Kurakin et al. 2016, T et al. 2017, given norm ball Madry et al. 2017, Kannan et al. 2018 • Convex relaxations with provable guarantees Raghunathan et al. 2018, Kolter & Wong 2018, Sinha et al. 2018 • A lot of broken defenses… 9

  10. Do we have a realistic threat model? (no…) Current approach: 1. Fix a ”toy” attack model (e.g., some l ∞ ball) 2. Directly optimize over the robustness measure Þ Defenses do not generalize to other attack models Þ Defenses are meaningless for applied security What do we want? • Model is “always correct” (sure, why not?) • Model has blind spots that are “hard to find” • “Non-information-theoretic” notions of robustness? • CAPTCHA threat model is interesting to think about 10

  11. A DVERSARIAL EXAMPLES ARE HERE TO STAY ! For many things that humans can do “robustly”, ML will fail miserably! 11

  12. A case study on ad-blocking Ad blocking is a “cat & mouse” game 1. Ad blockers build crowd-sourced filter lists 2. Ad providers switch origins 3. Rinse & repeat (4?) Content provider (e.g., Cloudflare) hosts the ads 12

  13. A case study on ad-blocking New method: perceptual ad-blocking (Storey et al. 2017) • Industry/legal trend: ads have to be clearly indicated to humans If humans can detect ads, so can ML! ”[…] we deliberately ignore all signals invisible to humans , including URLs and markup. Instead we consider visual and behavioral information. […] We expect perceptual ad blocking to be less prone to an "arms race. " (Storey et al. 2017) 13

  14. Detecting ad logos is not trivial No strict guidelines, or only loosely followed: Fuzzy hashing + OCR (Storey et al. 2017) Þ Fuzzy hashing is very brittle (e.g., shift all pixels by 1) Þ OCR has adversarial examples (Song & Shmatikov, 2018) Unsupervised feature detector (SIFT) This talk Þ More robust method for matching object features (“keypoints”) Deep object detector (YOLO) Þ Supervised learning 14

  15. What’s the threat model for perceptual ad- blockers? Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, aliquet vitae, dignissim Ad eget, sollicitudin molestie, blocker Vivamus vehicula leo a justo. Quisque nec augue. Ad Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 15

  16. What’s the threat model for perceptual ad- blockers? Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, aliquet vitae, dignissim Ad eget, sollicitudin molestie, blocker Vivamus vehicula leo a justo. Quisque nec augue. Ad Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 16

  17. What’s the threat model for perceptual ad- blockers? Browser Content provider Webpage Vivamus vehicula leo a justo. Quisque nec augue. Morbi mauris wisi, aliquet vitae, dignissim Ad eget, sollicitudin molestie, blocker Vivamus vehicula leo a justo. Quisque nec augue. Ad Morbi mauris wisi, aliquet network vitae, dignissim eget, sollicitudin molestie, 17

  18. What’s the threat model for perceptual ad- blockers? Pretty much the worst possible! 1. Adblocker is white-box (browser extension) Þ Alternative would be a privacy & bandwidth nightmare 2. Adblocker operates on (large) digital images 3. Adblocker needs to resist adversarial examples and “DOS” attacks Þ Perturb ads to evade ad blocker Þ Punish ad-block users by perturbing benign content 4. Updating is more expensive than attacking 18

  19. An interesting contrast: CAPTCHAs Deep ML models can solve text CAPTCHAs Þ Why don’t CAPTCHAs use adversarial examples? Þ CAPTCHA ≃ adversarial example for OCR systems Model Model access Vulnerable to DOS Distribution Ad blocker White-box Yes Expensive “Black-box” No Cheap CAPTCHA (not even query access) (None) 19

  20. B REAKING P ERCEPTUAL A D -B LOCKERS WITH ADVERSARIAL E XAMPLES 20

  21. SIFT: How does it work? (I don’t know exactly either) 21

  22. Attack examples: SIFT detector original ad perturbed logo • No keypoint matches between the two logos • Attack uses standard black-box optimization Þ Gradient descent with black-box gradient estimates Þ There’s surely more efficient attacks but SIFT is complicated… 22

  23. Attack examples: SIFT Denial Of Service • Logos are similar in gray scale but not in color space • Alternative: high confidence matches for visually close —yet semantically different—objects 23

  24. Attack examples: YOLO object detector Object detector trained to recognize AdChoice logo Þ Test accuracy is >90% Þ 0% accuracy with l ∞ perturbations ≤ 8/256 Similar but simpler task than Sentinel (Adblock Plus) Þ Sentinel tries to detect ads in a whole webpage Þ For now, it breaks even on non-adversarial inputs… 24

  25. Perceptual ad-blockers without ad-indicators Hussain et al. 2017: Train a generic ad/no-ad classifier (for sentiment analysis) Þ Accuracy around 88% ! Þ 0% accuracy with l ∞ perturbations ≤ 4/256 + 0.01 ⨉ = “Ad” “No Ad” 25

  26. Conclusion Adversarial examples are here to stay • No defense can address realistic attacks • A truly robust defense likely implies a huge breakthrough in non-secure ML as well Security-sensitive ML seems hopeless if adversary has white-box model access • Ad-blocking ticks most of the “worst-case” boxes • ML is unlikely to change the ad-blocker cat & mouse game THANKS 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba

Generative Adversarial Networks, Wasserstein Distance, and Adversarial Loss Zhiyu Min Alibaba AliMe X-Lab Outline GAN Definition and formulation Saddle point optimization Vanishing gradient Alternative objective for Generator

516 views • 25 slides
Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr &

Adversarial Training and Robustness for Multiple Perturbations Poster #87 Florian Tramr & Dan Boneh NeurIPS 2019 Adversarial examples 88% Tabby Cat 99% Guacamole Szegedy et al., 2014 Goodfellow et al., 2015 Athalye, 2017 Adversarial

564 views • 23 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Security Seminar, Stanford University, 2017-01-17 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

939 views • 44 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Guest lecture for CS 294-131, UC Berkeley, 2016-10-05 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

660 views • 44 slides
Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22

Adversarial Examples and Adversarial Training Innova&ve Technology Leader program January 22 nd 2018 Florian Tramr Stanford Deep Learning is Super Smart! 2 Is it really? + . 007 = Im sure this Im certain this is a panda is

452 views • 12 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist

Adversarial Examples and Adversarial Training Ian Goodfellow, OpenAI Research Scientist Presentation at San Francisco AI Meetup, 2016-08-18 In this presentation Intriguing Properties of Neural Networks Szegedy et al, 2013

690 views • 32 slides
Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success

Adversarial Domain Adaptation and Adversarial Robustness Judy Hoffman + = Big Deep success data learning Benchmark Performance 100 95 Accuracy 90 85 Millions of Images 80 Deep models 75 Challenge to recognize 1000

1.2k views • 60 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides
Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning

Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning

Adversarial Learning Bounds for Linear Classes and Neural Nets Understanding Adversarial Learning through Rademacher Complexity Pranjal Awasthi, Natalie Frank, Mehryar Mohri Google Research & Courant Institute August 14, 2020 1 / 17

397 views • 17 slides
Security In Drupal By Snehamay & Monoj Implement Basic Securities : Use - Most updated

Security In Drupal By Snehamay & Monoj Implement Basic Securities : Use - Most updated

Security In Drupal By Snehamay & Monoj Implement Basic Securities : Use - Most updated module versions - Secure communication like SSH, sFTP, FTPS, and HTTPS - Strong Case sensitive Passwords - Secure communication like SSH, sFTP, FTPS,

472 views • 24 slides
Prior Art Search Overview Start the prior art search by selecting one or more KEYWORDS. Use

Prior Art Search Overview Start the prior art search by selecting one or more KEYWORDS. Use

Prior Art Search Overview Start the prior art search by selecting one or more KEYWORDS. Use these menus to revise & narrow the search Open similar items Example of patent review The next 8 slides illustrate how we could quickly

282 views • 25 slides
Priorities of lines 1. Visible outlines and edges 2. Hidden outlines and edges 3. Cutting planes 4.

Priorities of lines 1. Visible outlines and edges 2. Hidden outlines and edges 3. Cutting planes 4.

Priorities of lines 1. Visible outlines and edges 2. Hidden outlines and edges 3. Cutting planes 4. Center Lines and Lines of symmetry 5. Centroidal Lines Projection Lines T = D W = 1.5D + 3 R = 1.4 D

536 views • 19 slides
Achievement and experience in service of long length HV DC electrical links by insulated power

Achievement and experience in service of long length HV DC electrical links by insulated power

Latin American Workshop 2013 Latin American Workshop 2013 CE B1 CABOS ISOLADOS CE B1 CABOS ISOLADOS Achievement and experience in service of long length HV DC electrical links by insulated power cables Marco Marelli, Italy Foz do

694 views • 42 slides
Data-transformer library Michael Raskin Moscow Center for Continuous Mathematical Education

Data-transformer library Michael Raskin Moscow Center for Continuous Mathematical Education

Data-transformer library Michael Raskin Moscow Center for Continuous Mathematical Education April 2013 Michael Raskin (MCCME) Data-transformer library April 2013 1 / 16 User-visible problem: Input data is garbage Input data requirements are

654 views • 46 slides
ONLINE ACTIVISM, TECH LESSONS DAVID FIALA SPRING 2014 WICS LIGHTNING TALK BACKGROUND July

ONLINE ACTIVISM, TECH LESSONS DAVID FIALA SPRING 2014 WICS LIGHTNING TALK BACKGROUND July

ONLINE ACTIVISM, TECH LESSONS DAVID FIALA SPRING 2014 WICS LIGHTNING TALK BACKGROUND July 2013: $66 million budget cut passed by NC General Assembly Next year another 5% cut across UNC is expected (but outside the scope of this talk)

489 views • 13 slides
Safer Pass the salt 2020 Together. Open Source Collaborative Dynamic Security engine Crowd

Safer Pass the salt 2020 Together. Open Source Collaborative Dynamic Security engine Crowd

Safer Pass the salt 2020 Together. Open Source Collaborative Dynamic Security engine Crowd Sec VC deck v3.1 Rev : 28/11/2019 Why Cyber defense collaboration is the space race of our generation. Williams David Not solved, for a

523 views • 23 slides
Towards Human Interactive Proofs in the Text-Domain Richard Bergmair University of Derby in

Towards Human Interactive Proofs in the Text-Domain Richard Bergmair University of Derby in

Towards Human Interactive Proofs in the Text-Domain Richard Bergmair University of Derby in Austria and Stefan Katzenbeisser Technische Universitt Mnchen Institut fr Informatik Towards Human Interactive Proofs in the Text-Domain

572 views • 29 slides

More recommend