Reconstruction Attack through Classifier Analysis

Gambs, Sébastien; Gmati, Ahmed; Hurfin, Michel

doi:10.1007/978-3-642-31540-4_21

Cited by 14 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is done iteratively by sampling data points and using membership inference attacks to reconstruct the training data used by the target Neural Network. In data reconstruction attack, an adversary uses a generative adversarial network to reconstruct training data samples from target model by finding the approximate training data distribution [30] [10]. Either of the two approaches can be used to reconstruct the dataset and it is a one time operation done during the setup phase of the attack as described in Section VI.…”

Section: Threat Modelmentioning

confidence: 99%

Stealing Neural Networks via Timing Side Channels

Duddu,

Samanta,

Rao

et al. 2018

Preprint

View full text Add to dashboard Cite

Deep learning is gaining importance in many applications. However, Neural Networks face several security and privacy threats. This is particularly significant in the scenarios where Cloud infrastructures deploy a service with Neural Network models at the back end. Here, an adversary can extract the Neural Network parameters, infer the regularization hyperparameter, identify if a data point was part of the training data, and generate effective transferable adversarial examples to evade classifiers. This paper shows how a Neural Network model is susceptible to timing side channel attack. In this paper, a black box Neural Network extraction attack is proposed by exploiting the timing side channels to infer the depth of the network. Although, constructing an equivalent architecture is a complex search problem, it is shown how Reinforcement Learning based optimisation can efficiently reduce the search space and reconstruct optimal substitute architecture close to the target model. The proposed approach has been tested with VGG architectures on CIFAR10 data set. It is observed that it is possible to reconstruct substitute models with test accuracy close to the target models and the proposed approach is scalable and independent of type of Neural Network architectures.

show abstract

Section: Threat Modelmentioning

confidence: 99%

Stealing Neural Networks via Timing Side Channels

Duddu,

Samanta,

Rao

et al. 2018

Preprint

View full text Add to dashboard Cite

show abstract

“…Interpretable models enhance transparency but can inadvertently disclose information about their training data. Gambs et al [56] uses such data leakage to probabilistically reconstruct a decision tree's training set. The uncertainty within this reconstruction can be measured to determine how much information the model leaks.…”

Section: Causes Of Reconstruction Attacksmentioning

confidence: 99%

“…If a value D 𝑖,𝑘 within 𝑉 𝑘 has all the probability mass (i.e., 𝑃 (D 𝑖,𝑘 = 𝑣 𝑖,𝑘 ) = 1), it's deterministic. Conversely, a probabilistic dataset encompasses some uncertainty about attribute values.• Probabilistic Reconstruction Attacks: Earlier research[56] proposes a method for constructing a probabilistic dataset D 𝐷𝑇 from the structure of a trained decision tree 𝐷𝑇 . This probabilistic dataset reflects the decision tree's implicit knowledge about its training dataset D 𝑂𝑟𝑖𝑔 .…”

mentioning

confidence: 99%

From the Editors and Nguyen Tat Thanh University

Nguyen¹,

Nguyên²

2019

Vietnam J. Comp. Sci.

View full text Add to dashboard Cite

Let H = n 1 , n 2 , n 3 be a numerical semigroup. Let H be the interval completion of H, namely the semigroup generated by the interval n 1 , n 1 +1, . . . , n 3 . Let K be a field and K[H] the semigroup ring generated by H. Let I * H be the defining ideal of the tangent cone of K[H]. In this paper, we describe the defining equations of I * H . From that, we establish the Herzog-Stamate conjecture for monomial space curves stating that β i (I * H ) ≤ β i (I * H ) for all i, where β i (I * H ) and β i (I * H ) are the ith Betti numbers of I * H and I * H respectively.

show abstract

“…As shown in the work of Hamlen et al, 18 an IDS decision tree can be recovered this way by exploiting public interfaces of an IDS and building the decision tree by feeding it with many samples and examining their classifications. Reconstruction attacks such as the one described in the previous work 28 for a C4.5 decision tree could also be used for this purpose.…”

Section: Problem Descriptionmentioning

confidence: 99%

“…As shown in the work of Hamlen et al, an IDS decision tree can be recovered this way by exploiting public interfaces of an IDS and building the decision tree by feeding it with many samples and examining their classifications. Reconstruction attacks such as the one described in the previous work for a C4.5 decision tree could also be used for this purpose. This assumption that the IDS classifier can be reconstructed is common in several papers on this subject (eg, in the literature), as well as in cryptography (Kerckhoffs's principle).…”

Section: Problem Descriptionmentioning

confidence: 99%

Bypassing system calls–based intrusion detection systems

Rosenberg

Gudes

2016

Concurrency and Computation

View full text Add to dashboard Cite

Machine learning augments today's intrusion detection system (IDS) capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS' classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS on the basis of various classifiers using system calls, executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. We also present transformations to the classifier's input, to prevent this camouflageand a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.

show abstract

Reconstruction Attack through Classifier Analysis

Cited by 14 publications

References 10 publications

Stealing Neural Networks via Timing Side Channels

Stealing Neural Networks via Timing Side Channels

From the Editors and Nguyen Tat Thanh University

Bypassing system calls–based intrusion detection systems

Contact Info

Product

Resources

About