Adding Robustness to Support Vector Machines Against Adversarial Reverse Engineering

Alabdulmohsin, Ibrahim; Gao, Xin; Zhang, Xiangliang

doi:10.1145/2661829.2662047

Cited by 32 publications

(51 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[61], which feeds a DNN classifier's deep layers as features to a supervised detector, is more successful. The best results reported for this supervised method in detecting CW on CIFAR-10 were 81% true positive rate (TPR) at a false positive rate (FPR) of 28% [16] 3 . Later we will demonstrate an unsupervised AD which significantly exceeds these results.…”

Section: B Anomaly Detection (Ad) Of Ttesmentioning

confidence: 99%

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

2020

View full text Add to dashboard Cite

With the wide deployment of machine learning (ML) based systems for a variety of applications including medical, military, automotive, genomic, as well as multimedia and social networking, there is great potential for damage from adversarial learning (AL) attacks. In this paper, we provide a contemporary survey of AL, focused particularly on defenses against attacks on deep neural network classifiers. After introducing relevant terminology and the goals and range of possible knowledge of both attackers and defenders, we survey recent work on test-time evasion (TTE), data poisoning (DP), backdoor DP, and reverse engineering (RE) attacks and particularly defenses against same. In so doing, we distinguish robust classification from anomaly detection (AD), unsupervised from supervised, and statistical hypothesis-based defenses from ones that do not have an explicit null (no attack) hypothesis. We also consider several scenarios for detecting backdoors. We provide a technical assessment for reviewed works, including identifying any issues/limitations, required hyperparameters, needed computational complexity, as well as the performance measures evaluated and the obtained quality. We then dig deeper, providing novel insights that challenge conventional AL wisdom and that target unresolved issues, including: 1) robust classification versus AD as a defense strategy; 2) the belief that attack success increases with attack strength, which ignores susceptibility to AD; 3) small perturbations for test-time evasion attacks: a fallacy or a requirement?; 4) validity of the universal assumption that a TTE attacker knows the ground-truth class for the example to be attacked; 5) black, grey, or white box attacks as the standard for defense evaluation; 6) susceptibility of query-based RE to an AD defense. We also discuss attacks on the privacy of training data. We then present benchmark comparisons of several defenses against TTE, RE, and backdoor DP attacks on images. The paper concludes with a discussion of continuing research directions, including the supreme challenge of detecting attacks whose goal is not to alter classification decisions, but rather simply to embed, without detection, "fake news" or other false content. Index Termstest-time-evasion, data poisoning, backdoor, reverse engineering, deep neural networks, anomaly detection, robust classification, black box, white box, targeted attacks, transferability, membership inference attack The authors are with the

show abstract

Section: B Anomaly Detection (Ad) Of Ttesmentioning

confidence: 99%

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

2020

View full text Add to dashboard Cite

show abstract

“…In [26], genetic programming was used as a model independent reverse engineering tool, assuming that the training data is known. The idea of reverse engineering was linked to that of active learning in [3].Here, the robustness of Support Vector Machines (SVM) classifiers, to reverse engineering, was tested using active learning techniques of random sampling, uncertainty sampling and selective sampling.…”

Section: Related Work On Exploratory Attacks On Machine Learning Basementioning

confidence: 99%

“…These attacks aim to directly reverse engineer the classification boundary, so as to better understand the classification landscape, which can then be leveraged to launch large scale evasion attacks on the black box C. Reverse engineering could be a goal in itself, as it provides information about features importance to the classification task, or it could be a first step to launching an evasion or availability attack [3]. A reverse engineering attack, if done effectively, can avoid detection and can make retraining more difficult on the part of the defender.…”

Section: The Reverse Engineering(re) Attackmentioning

confidence: 99%

“…The Big Data revolution has fueled the development of scalable and practical machine learning systems, which has in turn led to their widespread adaptation and popularity. The domain of cybersecurity has also recognized the need for a data driven solution [1,2,4,6,27] , owing to the increased scale and sophistication of attacks in recent times 3 . Although the use of machine learning techniques has found early success in many cybersecurity applications (such as spam filtering [11], CAPTCHA systems [10], and intrusion detection [6]), its own vulnerabilities have mostly been overlooked.…”

Section: Introductionmentioning

confidence: 99%

“…Using the same channels as a client user these attacks can masquerade as regular data samples, posing a risk to any deployed machine learning model. Mimicry attacks [22], spoofing [2] and reverse engineering [3] are all forms of exploratory attacks. Exploratory attacks cause the training and testing data distributions to drift, leading to non-stationarity and subsequent degradation in the predictive power of a classifier [11].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

‘Security Theater’: On the Vulnerability of Classifiers to Exploratory Attacks

Sethi

Kantardzic

Ryu³

2017

Intelligence and Security Informatics

View full text Add to dashboard Cite

The increasing scale and sophistication of cyber-attacks has led to the adoption of machine learning based classification techniques, at the core of cybersecurity systems. These techniques promise scale and accuracy, which traditional rule/signature based methods cannot. However, classifiers operating in adversarial domains are vulnerable to evasion attacks by an adversary, who is capable of learning the behavior of the system by employing intelligently crafted probes. Classification accuracy in such domains provides a false sense of security, as detection can easily be evaded by carefully perturbing the input samples. In this paper, a generic data driven framework is presented, to analyze the vulnerability of classification systems to black box probing based attacks. The framework uses an exploration-exploitation based strategy, to understand an adversary's point of view of the attack-defense cycle. The adversary assumes a black box model of the defender's classifier and can launch indiscriminate attacks on it, without information of the defender's model type, training data or the domain of application. Experimental evaluation on 10 real world datasets demonstrates that even models having high perceived accuracy (>90%), by a defender, can be effectively circumvented with a high evasion rate (>95%, on average). The detailed attack algorithms, adversarial model and empirical evaluation, serve as a background for developing secure machine learning based systems.

show abstract

A dynamic‐adversarial mining approach to the security of machine learning

Sethi

Kantardzic

Lyu

et al. 2018

WIREs Data Min & Knowl

View full text Add to dashboard Cite

Operating in a dynamic real‐world environment requires a forward thinking and adversarial aware design for classifiers beyond fitting the model to the training data. In such scenarios, it is necessary to make classifiers such that they are: (a) harder to evade, (b) easier to detect changes in the data distribution over time, and (c) be able to retrain and recover from model degradation. While most works in the security of machine learning have concentrated on the evasion resistance problem (a), there is little work in the areas of reacting to attacks (b) and (c). Additionally, while streaming data research concentrates on the ability to react to changes to the data distribution, they often take an adversarial agnostic view of the security problem. This makes them vulnerable to adversarial activity, which is aimed toward evading the concept drift detection mechanism itself. In this paper, we analyze the security of machine learning from a dynamic and adversarial aware perspective. The existing techniques of restrictive one‐class classifier models, complex learning‐based ensemble models, and randomization‐based ensemble models are shown to be myopic as they approach security as a static task. These methodologies are ill suited for a dynamic environment, as they leak excessive information to an adversary who can subsequently launch attacks which are indistinguishable from the benign data. Based on empirical vulnerability analysis against a sophisticated adversary, a novel feature importance hiding approach for classifier design is proposed. The proposed design ensures that future attacks on classifiers can be detected and recovered from. The proposed work provides motivation, by serving as a blueprint, for future work in the area of dynamic‐adversarial mining, which combines lessons learned from streaming data mining, adversarial learning, and cybersecurity. This article is categorized under: Technologies > Machine Learning Technologies > Classification Fundamental Concepts of Data and Knowledge > Motivation and Emergence of Data Mining

show abstract

Adding Robustness to Support Vector Machines Against Adversarial Reverse Engineering

Cited by 32 publications

References 45 publications

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

Adversarial Learning Targeting Deep Neural Network Classification: A Comprehensive Review of Defenses Against Attacks

‘Security Theater’: On the Vulnerability of Classifiers to Exploratory Attacks

A dynamic‐adversarial mining approach to the security of machine learning

Contact Info

Product

Resources

About