Presentation is loading. Please wait.

Presentation is loading. Please wait.

Poisoning Attacks with Back-Gradient Optimization

Published bySharlene Osborne Modified over 6 years ago

Similar presentations

Presentation on theme: "Poisoning Attacks with Back-Gradient Optimization"— Presentation transcript:

1 Poisoning Attacks with Back-Gradient Optimization
Luis Muñoz-González Conference on Data Science for Cyber Security London, 25th -27th September 2017

2 Collaborators Prof Emil C Lupu Andrea Paudice Prof Fabio Roli
Vasin Wongrassamee Kenneth Co Lisa Tse Prof Fabio Roli Dr Battista Biggio Ambra Demontis

3

4 The Security of Machine Learning
Machine Learning systems can be compromised: Proliferation and sophistication of attacks and threats. Machine learning systems are one of the weakest parts in the security chain. Attackers can also use machine learning as a weapon. Adversarial Machine Learning: Security of machine learning algorithms. Understanding the weaknesses of the algorithms. Proposing more resilient techniques.

5 Threats Evasion Attacks: Attacks at test time.
The attacker aims to find the blind spots and weaknesses of the ML system to evade it. Poisoning Attacks: Compromise data collection. The attacker subverts the learning process. Degrades the performance of the system. Can facilitate future evasion.

6 Evasion Attacks P. McDaniel, N. Papernot, Z.B. Celik. “Machine Learning in Adversarial Settings.” IEEE Security & Privacy, 14(3), pp , 2016.

7 Poisoning Attacks

8 Optimal Poisoning Attacks
General formulation of the problem: The attacker aims to optimize some objective function (evaluated on a validation dataset) by introducing malicious examples in the training dataset used by the defender. The defender aims to learn the parameters of the model that optimise some objective function evaluated on the (poisoned) training dataset. The attacker’s problem can be modelled as a bi-level optimization problem:

9 Optimal Poisoning Attacks for Classification
Biggio et al. “Poisoning Attacks against Support Vector Machines.” ICML 2012. Mei and Zhu. “Using Machine Teaching to Identify Optimal Training-Set Attacks on Machine Learners.” AAAI 2015. Xiao et al. “Is Feature Selection Secure against Training Data Poisoning?” ICML 2015. Poisoning points are learned following a gradient ascent strategy: Applying Karush-Kuhn-Tucker conditions and the implicit function theorem: Limited to a restricted family of classifiers. Poor scalability with the number of parameters of the model.

10 Poisoning with Back-Gradient Optimization
J. Domke. “Generic Methods for Optimization-Based Modelling.” AISTATS 2012. D. Maclaurin, D.K. Duvenaud, R.P. Adams. “Gradient-based Hyperparameter Optimization through Reversible Learning.” ICML 2015.

11 Error Specific (attack red)
Types of Attacks Generic: overall classification error in the validation dataset. Specific: produce some particular errors (misclassifications) in the validation dataset. Error Specific (attack red) Clean dataset Error Generic

12 Attacks against Binary Classifiers
Datasets: Spambase: Spam filtering application (54 features) Ransomware: Malware detection (400 features) Algorithms: Adaline (ADA) Logistic Regression (LR) Multi-Layer Perceptron (MLP)

13 Attacks against Multi-class Classifiers
MNIST dataset (handwritten digit recognition) Multi-class logistic Regression Error Generic Attack Error Specific Attack (Misclassify digit 8 as 3)

14 Poisoning Deep Learning
MNIST dataset (1000 training, 2000 validation, 2000 testing) Convolutional Neural Network (CNN)*: Classification error on the clean dataset: 2.0% Classification error after adding 10 poisoning points: 4.3% CNN vs Logistic Regression *

15 Conclusion Machine learning algorithms are vulnerable to data poisoning (compromising data collection), including Deep Learning systems. Optimal Poisoning Attacks can be modelled as bi-level optimization problems. Back-Gradient optimization is efficient to compute poisoning points: Better scalability No KKT conditions required: can be applied to a broader range of algorithms This attacks can be applied to systematically test the resilience of machine learning algorithms against data poisoning: To help in the design of more robust learning systems (no Occam’s razor). To estimate worst-case performance when the system is under attack (assurance).

16 Thank you! Contact: l.munoz@imperial.ac.uk
Reference: L. Muñoz-González, B. Biggio, A. Demontis, A. Paudice, V. Wongrassamee, E.C. Lupu, F. Roli. “Towards Poisoning of Deep Learning Algorithms with Back-Gradient Optimization.” Accepted for the 10th Workshop on Artificial Intelligence and Security (AISec), 2017. (Arxiv preprint available: arXiv: )

Download ppt "Poisoning Attacks with Back-Gradient Optimization"

Similar presentations

CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.

CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.
Tiled Convolutional Neural Networks TICA Speedup Results on the CIFAR-10 dataset Motivation Pretraining with Topographic ICA References [1] Y. LeCun, L.

Tiled Convolutional Neural Networks TICA Speedup Results on the CIFAR-10 dataset Motivation Pretraining with Topographic ICA References [1] Y. LeCun, L.
On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.

On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.
Deep Belief Networks for Spam Filtering

Deep Belief Networks for Spam Filtering
Analysis of Classification-based Error Functions Mike Rimer Dr. Tony Martinez BYU Computer Science Dept. 18 March 2006.

Analysis of Classification-based Error Functions Mike Rimer Dr. Tony Martinez BYU Computer Science Dept. 18 March 2006.
Convolutional Neural Networks for Image Processing with Applications in Mobile Robotics By, Sruthi Moola.

Convolutional Neural Networks for Image Processing with Applications in Mobile Robotics By, Sruthi Moola.
Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )

Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )
Mehdi Ghayoumi Kent State University Computer Science Department Summer 2015 Exposition on Cyber Infrastructure and Big Data.

Mehdi Ghayoumi Kent State University Computer Science Department Summer 2015 Exposition on Cyber Infrastructure and Big Data.
SURF:SURF: Detecting and Measuring Search Poisoning Long Lu, Roberto Perdisci, and Wenke Lee Georgia Tech and University of Georgia.

SURF:SURF: Detecting and Measuring Search Poisoning Long Lu, Roberto Perdisci, and Wenke Lee Georgia Tech and University of Georgia.
Hurieh Khalajzadeh Mohammad Mansouri Mohammad Teshnehlab

Hurieh Khalajzadeh Mohammad Mansouri Mohammad Teshnehlab
Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security.

Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security.
From Machine Learning to Deep Learning. Topics that I will Cover (subject to some minor adjustment) Week 2: Introduction to Deep Learning Week 3: Logistic.

From Machine Learning to Deep Learning. Topics that I will Cover (subject to some minor adjustment) Week 2: Introduction to Deep Learning Week 3: Logistic.
Machine Learning Using Support Vector Machines (Paper Review) Presented to: Prof. Dr. Mohamed Batouche Prepared By: Asma B. Al-Saleh Amani A. Al-Ajlan.

Machine Learning Using Support Vector Machines (Paper Review) Presented to: Prof. Dr. Mohamed Batouche Prepared By: Asma B. Al-Saleh Amani A. Al-Ajlan.
Yang, Luyu.  Postal service for sorting mails by the postal code written on the envelop  Bank system for processing checks by reading the amount of.

Yang, Luyu.  Postal service for sorting mails by the postal code written on the envelop  Bank system for processing checks by reading the amount of.
A Novel Local Patch Framework for Fixing Supervised Learning Models Yilei Wang 1, Bingzheng Wei 2, Jun Yan 2, Yang Hu 2, Zhi-Hong Deng 1, Zheng Chen 2.

A Novel Local Patch Framework for Fixing Supervised Learning Models Yilei Wang 1, Bingzheng Wei 2, Jun Yan 2, Yang Hu 2, Zhi-Hong Deng 1, Zheng Chen 2.
Non-Bayes classifiers. Linear discriminants, neural networks.

Non-Bayes classifiers. Linear discriminants, neural networks.
GENDER AND AGE RECOGNITION FOR VIDEO ANALYTICS SOLUTION PRESENTED BY: SUBHASH REDDY JOLAPURAM.

GENDER AND AGE RECOGNITION FOR VIDEO ANALYTICS SOLUTION PRESENTED BY: SUBHASH REDDY JOLAPURAM.
Hand-written character recognition

Hand-written character recognition
NTU & MSRA Ming-Feng Tsai

NTU & MSRA Ming-Feng Tsai
Locally Linear Support Vector Machines Ľubor Ladický Philip H.S. Torr.

Locally Linear Support Vector Machines Ľubor Ladický Philip H.S. Torr.

Similar presentations

Ads by Google