wild patterns ten years after the rise of adversarial
play

Wild Patterns: Ten Years After the Rise of Adversarial Machine - PowerPoint PPT Presentation

May 16, 2023 •187 likes •850 views

Pattern Recognition University of and Applications Lab Cagliari, Italy Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides from this talk are inspired from the tutorial I prepared with Fabio Roli on

  1. Pattern Recognition University of and Applications Lab Cagliari, Italy Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning Battista Biggio * Slides from this talk are inspired from the tutorial I prepared with Fabio Roli on such topic. https://www.pluribus-one.it/sec-ml/wild-patterns/ Winter School on Quantitative Systems Biology: Learning and Artificial Intelligence, Nov. 15-16, Trieste, Italy

  2. Countering Evasion Attacks What is the rule? The rule is protect yourself at all times (from the movie “Million dollar baby”, 2004) 93

  3. Security Measures against Evasion Attacks $ ∑ & max min ||* + ||,- ℓ(0 & , 2 $ 3 & + * & ) 1. Reduce sensitivity to input changes with robust optimization – Adversarial Training / Regularization bounded perturbation! SVM-RBF (no reject) SVM-RBF (higher rejection rate) 1 1 2. Introduce rejection / detection of adversarial examples 0 0 1 1 1 0 1 1 0 1 @biggiobattista http://pralab.diee.unica.it 94

  4. Countering Evasion: Reducing Sensitivity to Input Changes with Robust Optimization 95

  5. Reducing Input Sensitivity via Robust Optimization Robust optimization (a.k.a. adversarial training ) • min ||* + || , -. ∑ 0 ℓ 1 0 , " max # 3 0 + * 0 # bounded perturbation! Robustness and regularization (Xu et al., JMLR 2009) • – under linearity of ℓ and " # , equivalent to robust optimization ∑ 5 ℓ 1 0 , " min # 3 0 + 6||7 3 "|| 8 # dual norm of the perturbation ||7 3 "|| 8 = ||#|| 8 @biggiobattista http://pralab.diee.unica.it 96

  6. Results on Adversarial Android Malware Infinity-norm regularization is the optimal regularizer against sparse evasion attacks • – Sparse evasion attacks penalize | " | # promoting the manipulation of only few features ∑ ( ) Sec-SVM min w , b w ∞ + C max 0,1 − y i f ( x i ) , w ∞ = max i = 1,..., d w i i Experiments on Android Malware Why? It bounds the maximum weight absolute values! Absolute weight values |$| in descending order @biggiobattista http://pralab.diee.unica.it 97 [Demontis, Biggio et al., Yes, ML Can Be More Secure!..., IEEE TDSC 2017]

  7. Adversarial Training and Regularization Adversarial training can also be seen as a form of regularization, which penalizes the (dual) • norm of the input gradients ! |# $ ℓ | & Known as double backprop or gradient/Jacobian regularization • – see, e.g., Simon-Gabriel et al., Adversarial vulnerability of neural networks increases with input dimension, ArXiv 2018 ; and Lyu et al., A unified gradient regularization family for adversarial examples, ICDM 2015. g (') with adversarial training Take-home message: the net effect of these techniques is to make the prediction function of the classifier smoother ' ' ’ @biggiobattista http://pralab.diee.unica.it 98

  8. Ineffective Defenses: Obfuscated Gradients Work by Carlini & Wagner (SP’ 17) and Athalye et al. (ICML ‘18) has shown that • – some recently-proposed defenses rely on obfuscated / masked gradients, and – they can be circumvented Obfuscated gradients do not ... but substitute g (") g (") allow the models and/or correct smoothing can execution of correctly reveal gradient-based meaningful attacks... input gradients! " " ’ " " ’ @biggiobattista http://pralab.diee.unica.it 99

  9. Countering Evasion: Detecting & Rejecting Adversarial Examples 100

  10. Detecting & Rejecting Adversarial Examples Adversarial examples tend to occur in blind spots • – Regions far from training data that are anyway assigned to ‘legitimate’ classes blind-spot evasion rejection of adversarial examples through (not even required to enclosing of legitimate classes mimic the target class) @biggiobattista http://pralab.diee.unica.it 101

  11. Detecting & Rejecting Adversarial Examples input perturbation (Euclidean distance) @biggiobattista http://pralab.diee.unica.it 102 [Melis, Biggio et al., Is Deep Learning Safe for Robot Vision? ICCVW ViPAR 2017]

  12. Why Rejection (in Representation Space) Is Not Enough? @biggiobattista [S. Sabour at al., ICLR 2016] http://pralab.diee.unica.it 103

  13. Why Rejection (in Representation Space) Is Not Enough? Slide credit: David Evans, DLS 2018 - https://www.cs.virginia.edu/~evans/talks/dls2018/ @biggiobattista http://pralab.diee.unica.it 104

  14. Adversarial Examples against Machine Learning Web Demo https://sec-ml.pluribus-one.it/demo 105

  15. Poisoning Machine Learning 106

  16. Poisoning Machine Learning x x x x x x x x x x x x x 1 x x x x x x x x x x x x x 2 x x x x ... x x x x x x x d classifier generalizes well training data pre-processing and classifier learning on test data (with labels) feature extraction w start x start SPAM +2 bang bang +1 portfolio start 1 Start 2007 +1 portfolio winner bang 1 with a bang ! +1 winner year 1 portfolio Make WBFS +1 year ... 1 winner YOUR ... ... university 1 PORTFOLIO ’s year -3 university campus first winner ... ... -4 campus of the year 0 university ... 0 campus @biggiobattista http://pralab.diee.unica.it 107

  17. Poisoning Machine Learning x x x x x x x x x x x x x 1 x x x x x x x x x x x x x 2 x x x x ... x x x x x x x d x x x ... to maximize error corrupted pre-processing and classifier learning on test data training data feature extraction is compromised... w SPAM x start +2 Start 2007 bang +1 start 1 with a bang ! +1 portfolio bang 1 Make WBFS +1 winner 1 portfolio YOUR +1 year 1 winner PORTFOLIO ’s ... 1 ... year first winner poisoning +1 university ... ... of the year +1 data 1 campus university ... 1 university campus campus ... @biggiobattista http://pralab.diee.unica.it 108

  18. Poisoning Attacks against Machine Learning Goal : to maximize classification error • Knowledge: perfect / white-box attack • Capability: injecting poisoning samples into TR • Strategy: find an optimal attack point x c in TR that maximizes classification error • classification error = 0.022 classification error = 0.039 classification error as a function of x c x c x c @biggiobattista http://pralab.diee.unica.it 109 [Biggio, Nelson, Laskov. Poisoning attacks against SVMs. ICML, 2012]

  19. Poisoning is a Bilevel Optimization Problem Attacker’s objective • – to maximize generalization error on untainted data, w.r.t. poisoning point x c & ' ()* , , ∗ Loss estimated on validation data max (no attack points!) $ % s. t. , ∗ = argmin 6 ℒ ' 89 ∪ ; < , = < , , Algorithm is trained on surrogate data (including the attack point) Poisoning problem against (linear) SVMs: • B max(0,1 − = ? , ∗ ; ? ) max > $ % ?@A s. t. , ∗ = argmin H,I A J H K H + C ∑ O@A P max(0,1 − = O , ; O ) + C max(0,1 − = < , ; < ) [Biggio, Nelson, Laskov. Poisoning attacks against SVMs. ICML, 2012] [Xiao, Biggio, Roli et al., Is feature selection secure against training data poisoning? ICML, 2015] @biggiobattista http://pralab.diee.unica.it 110 [Munoz-Gonzalez, Biggio, Roli et al., Towards poisoning of deep learning..., AISec 2017]

  20. Gradient-based Poisoning Attacks Gradient is not easy to compute • (0) – The training point affects the classification function x c Trick: • x c – Replace the inner learning problem with its equilibrium (KKT) conditions – This enables computing gradient in closed form Example for (kernelized) SVM • – similar derivation for Ridge, LASSO, Logistic Regression, etc. x c (0) x c [Biggio, Nelson, Laskov. Poisoning attacks against SVMs. ICML, 2012] @biggiobattista http://pralab.diee.unica.it 111 [Xiao, Biggio, Roli et al., Is feature selection secure against training data poisoning? ICML, 2015]

  21. Experiments on MNIST digits Single-point attack Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000 • – ‘0’ is the malicious (attacking) class – ‘4’ is the legitimate (attacked) one (0) x c x c @biggiobattista http://pralab.diee.unica.it 112 [Biggio, Nelson, Laskov. Poisoning attacks against SVMs. ICML, 2012]

  22. Experiments on MNIST digits Multiple-point attack Linear SVM; 784 features; TR: 100; VAL: 500; TS: about 2000 • – ‘0’ is the malicious (attacking) class – ‘4’ is the legitimate (attacked) one @biggiobattista http://pralab.diee.unica.it 113 [Biggio, Nelson, Laskov. Poisoning attacks against SVMs. ICML, 2012]

  23. How about Poisoning Deep Nets? ICML 2017 Best Paper by Koh et al., “Understanding black-box predictions via Influence • Functions” has derived adversarial training examples against a DNN – they have been constructed attacking only the last layer (KKT-based attack against logistic regression) and assuming the rest of the network to be ”frozen” @biggiobattista http://pralab.diee.unica.it 114

  24. Towards Poisoning Deep Neural Networks Solving the poisoning problem without exploiting KKT conditions (back-gradient) • – Muñoz-González, Biggio, Roli et al. , AISec 2017 https://arxiv.org/abs/1708.08689 @biggiobattista http://pralab.diee.unica.it 115

  25. Countering Poisoning Attacks What is the rule? The rule is protect yourself at all times (from the movie “Million dollar baby”, 2004) 116

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modeling Heterogeneous Statistical Patterns in High- dimensional Data by Adversarial

Modeling Heterogeneous Statistical Patterns in High- dimensional Data by Adversarial

Modeling Heterogeneous Statistical Patterns in High- dimensional Data by Adversarial Distributions: An Unsupervised Generative Framework (FIRD) Han Zhang 1 Wenhao Zheng 3 Charley Chen 1 Kevin Gao 1 Yao Hu 3 Ling Huang 2 Wei Xu 1 1 Tsinghua

409 views • 30 slides
The Rise &amp; Rise of Spinal Fusion Surgery Never ask a barber if you need a haircut! (W Buffet)

The Rise &amp; Rise of Spinal Fusion Surgery Never ask a barber if you need a haircut! (W Buffet)

The Rise &amp; Rise of Spinal Fusion Surgery Never ask a barber if you need a haircut! (W Buffet) Brisbane, October 2017 INTERESTS I declare that in the past three years I have: held shares in: Nil received royalties from: Nil

730 views • 23 slides
Cells can give rise to complex systems by forming patterns of gene expression and undergoing

Cells can give rise to complex systems by forming patterns of gene expression and undergoing

Cells can give rise to complex systems by forming patterns of gene expression and undergoing cellular differentiation Cell-cell signaling mechanisms play a key role in pattern generation Early stage of development (gastrulation)

500 views • 31 slides
Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals

Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals

Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals live? Wild animals live in their natural habit, this is where they are born. They do not depend on humans. Giant Panda Bear Research

366 views • 9 slides
(PAN) at The Rise Introduction Set up five years ago by the Ambitious about Autism Schools Trust,

(PAN) at The Rise Introduction Set up five years ago by the Ambitious about Autism Schools Trust,

Consultation: Increase the Pupil Admission Number (PAN) at The Rise Introduction Set up five years ago by the Ambitious about Autism Schools Trust, the school has continued to grow and now has a vibrant learning community of over 100 pupils.

641 views • 21 slides
SOFTWARE CRAFTSMANSHIP VIA APPRENTICESHIP PATTERNS Ade Oshineye www.oshineye.com/+ 4.5 YEARS

SOFTWARE CRAFTSMANSHIP VIA APPRENTICESHIP PATTERNS Ade Oshineye www.oshineye.com/+ 4.5 YEARS

SOFTWARE CRAFTSMANSHIP VIA APPRENTICESHIP PATTERNS Ade Oshineye www.oshineye.com/+ 4.5 YEARS IN 1 MOMENT It took us 4.5 years to write the book. This is the only time Dave, me and Ward (who wrote the foreword) have ever been in the same

400 views • 26 slides
Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs

Deep Adversarial Learning for NLP 9:00 10:30 Introduction and Adversarial Training, GANs William Wang 10:30 11:00 Break - 11:00 12:15 Adversarial Examples Sameer Singh 12:15 12:30 Conclusions and Question Answering William

1.75k views • 105 slides
RISE: Educators Rise for Racial Equity Webinar 2 Inquiry and Self- awareness to RISE

RISE: Educators Rise for Racial Equity Webinar 2 Inquiry and Self- awareness to RISE

RISE: Educators Rise for Racial Equity Webinar 2 Inquiry and Self- awareness to RISE program is brought to you by.. v Barat Education Foundation and Citizen U in partnership with the Library of Congress Teaching with Primary Sources

766 views • 44 slides
Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google

Adversarial Examples and Adversarial Training Ian Goodfellow, Sta ff Research Scientist, Google Brain CS 231n, Stanford University, 2017-05-30 Overview What are adversarial examples? Why do they happen? How can they be used to

866 views • 43 slides
Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu

Reinforcing Adversarial Robustness using Model Confidence Induced by Adversarial Training Xi Wu xiwu@cs.wisc.edu Joint work with Uyeong Jang, Jiefeng Chen, Lingjiao Chen, and Somesh Jha July 19, 2018 Xi Wu Model Confidence and Adversarial

740 views • 9 slides
Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable

Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable

Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable September 26, 2017 1 We must develop a broad coalition of interest groups and

355 views • 18 slides
Enrollment focused questions: 1. What are the detailed enrollment patterns for the last five years

Enrollment focused questions: 1. What are the detailed enrollment patterns for the last five years

Enrollment focused questions: 1. What are the detailed enrollment patterns for the last five years and projections for the next five? By program (both undergraduate and graduate)? Locality? Ethnic group? Financial need? Send PDF documents. On a

331 views • 4 slides
Increase trust remove fraud Problem We have over the last years seen a rise in incidents

Increase trust remove fraud Problem We have over the last years seen a rise in incidents

Increase trust remove fraud Problem We have over the last years seen a rise in incidents where a .dk domain name has been used as platform for IPR violations/abuse. The abuse has been referred to as scam shops, where a web shop that

471 views • 11 slides
Design Patterns Applications Programming What is design patterns? The design patterns are

Design Patterns Applications Programming What is design patterns? The design patterns are

10/26/2011 G52APR Design Patterns Applications Programming What is design patterns? The design patterns are language- Design Patterns 1 independent strategies for solving common object-oriented design problems. Jiawei Li (Michael)

316 views • 8 slides
? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr

Todays Story: How I got my first Death Threat ? AdVersarial: Defeating Perceptual Ad Blocking with Adversarial Examples Florian Tramr October 8 th 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The

415 views • 29 slides
classification of X-ray Diffraction Patterns Shreyaa Raghavan Tonio Buonassisi, Zhe Liu MIT

classification of X-ray Diffraction Patterns Shreyaa Raghavan Tonio Buonassisi, Zhe Liu MIT

Tackling Data Scarcity in Materials Research: Using Semi-supervised, Adversarial Training to Improve classification of X-ray Diffraction Patterns Shreyaa Raghavan Tonio Buonassisi, Zhe Liu MIT Photovoltaic Research Lab Contact:

435 views • 9 slides
Improving Reproducible Deep Learning Workflows with DeepDIVA M. Alberti 1 * , V. Pondenkandath 1*

Improving Reproducible Deep Learning Workflows with DeepDIVA M. Alberti 1 * , V. Pondenkandath 1*

Improving Reproducible Deep Learning Workflows with DeepDIVA M. Alberti 1 * , V. Pondenkandath 1* , L. Vgtlin 1 , M. Wrsch 12 , R. Ingold 1 , M. Liwicki 13 *Equal contribution 1 DIVA Group, University of Fribourg, Switzerland 2 IIT, FHNW

396 views • 20 slides
Numerical Simulations of the Wardle Instability Sam Falle, Department of Applied Mathematics,

Numerical Simulations of the Wardle Instability Sam Falle, Department of Applied Mathematics,

Numerical Simulations of the Wardle Instability Sam Falle, Department of Applied Mathematics, University of Leeds. Tom Hartquist, Sven van Loo, School of Physics and Astronomy, University of Leeds. Astrophysical Molecular Clouds Neutral

411 views • 25 slides
for AI and Robotics Exploration and information gathering Alessandro Farinelli Outline

for AI and Robotics Exploration and information gathering Alessandro Farinelli Outline

Statistical Filtering and Control for AI and Robotics Exploration and information gathering Alessandro Farinelli Outline POMDPs The POMDP model Finite world POMDP algorithm Point based value iteration Exploration

684 views • 65 slides
Dialogue corpora NPFL070 December 11, 2019 (NPFL070) Dialogue corpora December 11, 2019 1 /

Dialogue corpora NPFL070 December 11, 2019 (NPFL070) Dialogue corpora December 11, 2019 1 /

Dialogue corpora NPFL070 December 11, 2019 (NPFL070) Dialogue corpora December 11, 2019 1 / 26 Outline 1 Intro 2 Task oriented 3 Chit-chat 4 QA (NPFL070) Dialogue corpora December 11, 2019 2 / 26 What is dialogue Sample conversation

699 views • 26 slides
Scheduling multi-task applications on heterogeneous platforms Anne Benoit, Jean-Fran cois

Scheduling multi-task applications on heterogeneous platforms Anne Benoit, Jean-Fran cois

Framework Theoretical study Experiments Conclusion Scheduling multi-task applications on heterogeneous platforms Anne Benoit, Jean-Fran cois Pineau, Yves Robert and Fr ed eric Vivien Laboratoire de lInformatique du Parall

1.1k views • 98 slides
Context to Sequence Typical Frameworks and Applications Piji Li Department of Systems

Context to Sequence Typical Frameworks and Applications Piji Li Department of Systems

Context to Sequence Typical Frameworks and Applications Piji Li Department of Systems Engineering and Engineering Management, The Chinese University of Hong Kong FDU-CUHK, 2017 Piji Li (CUHK) Context to Sequence FDU-CUHK, 2017 1 / 59

955 views • 59 slides
Deep Learning in Computer Vision (CSC2523) Reading List Bid for papers: Tue, Jan 26, 11.59pm,

Deep Learning in Computer Vision (CSC2523) Reading List Bid for papers: Tue, Jan 26, 11.59pm,

Deep Learning in Computer Vision (CSC2523) Reading List Bid for papers: Tue, Jan 26, 11.59pm, 2016 Reviews due: every Monday (one day before class), 11.59pm 1 Bid on papers NOW Below is a list of papers well be reading in the course. You

351 views • 8 slides
Master Recherche IAC Option 2 Robotique et agents autonomes Jamal Atif Mich` ele Sebag LRI

Master Recherche IAC Option 2 Robotique et agents autonomes Jamal Atif Mich` ele Sebag LRI

Master Recherche IAC Option 2 Robotique et agents autonomes Jamal Atif Mich` ele Sebag LRI Dec. 6th, 2013 Contents WHO Jamal Atif, vision TAO, LRI Mich` ele Sebag, machine learning TAO, LRI WHAT 1. Introduction 2. Vision 3.

811 views • 55 slides

More recommend