a tour of machine learning security
play

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th - PowerPoint PPT Presentation

Oct 21, 2023 •507 likes •971 views

A Tour of Machine Learning Security Florian Tramr CISPA August 6 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including things that likely

  1. A Tour of Machine Learning Security Florian Tramèr CISPA August 6 th 2018

  2. The Deep Learning Revolution First they came for images…

  3. The Deep Learning Revolution And then everything else…

  4. The ML Revolution Including things that likely won’t work… 4

  5. What does this mean for privacy & security? Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning Blockchain ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware Adapted from (Goodfellow 2018) 5

  6. This talk: security of deployed models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 6

  7. Stealing ML Models Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 7

  8. Machine Learning as a Service Goal 2: Model Confidentiality • Model/Data Monetization • Sensitive Data Model f Training API Prediction API input classification Data Black Box Goal 1: Rich Prediction APIs $$$ per query • Highly Available • High-Precision Results 8

  9. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Applications: 1) Undermine pay-for-prediction pricing model 2) ”White-box” attacks: › Infer private training data › Model evasion (adversarial examples) 9

  10. Model Extraction Goal: Adversarial client learns close approximation of f using as few queries as possible x Data Attack Model f f’ f(x) Isn’t this “just No! Prediction APIs Machine Learning”? return fine-grained information that makes extracting much easier than learning 10

  11. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon 11

  12. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (for interpretability) 12

  13. Learning vs Extraction Learning f(x) Extracting f(x) Function to learn Noisy real-world “Simple” deterministic function f(x) phenomenon Available labels hard labels Depending on API: (e.g., “cat”, “dog”, …) - Hard labels - Soft labels (class probas) - Gradients (Milli et al.) Labeling function Humans, real-world Query f(x) on any input x data collection => No need for labeled data => Queries can be adaptive 13

  14. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte 14

  15. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) 15

  16. Learning vs Extraction for specific models Learning f(x) Extracting f(x) Logistic |Data| ≈ 10 * |Features| - Hard labels only: (Loyd & Meek) Regression - With confidences: simple system of equations ( T et al.) |Data| = |Features| + cte Decision - NP-hard in general “Differential testing” algorithm to Trees - polytime for Boolean trees recover the full tree ( T et al.) (Kushilevitz & Mansour) Neural Large models required - Distillation (Hinton et al.) Networks “The more data the better” Make smaller copy of model from confidence scores - Extraction from hard labels No quantitative analysis for (Papernot et al., T et al.) large neural nets yet 16

  17. Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 17

  18. Trusted execution of ML: 3 motivating scenarios 1. Cloud ML APIs Data Privacy Integrity - Model “downgrade” - Disparate impact - Other malicious tampering 18

  19. Trusted execution of ML: 3 motivating scenarios 2. Federated Learning Integrity Data privacy Poison model updates 19

  20. Trusted execution of ML: 3 motivating scenarios 3. Trojaned hardware (Verifiable ASICs model, Wahby et al.) Integrity 20

  21. Solutions Cryptography / Statistics 1. Outsourced ML : FHE, MPC, (ZK) proof systems 2. Federated learning : robust statistics? 3. Trojaned hardware : some root of trust is needed Trusted Execution Environments (TEEs) 1. Outsourced ML : secure enclaves 2. Federated learning : trusted sensors + secure enclaves 3. Trojaned hardware: fully trusted (but possibly slow) hardware

  22. Trusted Execution: At what cost? • Trusted ASICs (Wahby et al.): ~10 8 � worse than SOTA • Intel SGX: VGG16 Inference 400 350 350 300 Paging at Images / sec 250 ~90MB 200 150 100 50 1 0 GPU SGX GPU: Nvidia TITAN XP SGX: Intel Core i7-6700 Skylake Single Core @ 3.40GHz https://medium.com/@danny_harnik/impressions-of-intel-sgx-performance-22442093595a

  23. “How do we efficiently leverage TEEs for secure machine learning computations?” Idea: outsource work to collocated , faster but untrusted device and verify results x TEE F(x), proof Computations Gap between trusted Privacy and untrusted device Verifiable ASICs Arithmetic circuits ~ 8 orders of magnitude No (Wahby et al., 2016) (GKR protocol) Slalom DNN inference ~ 1-2 orders “Yes” Not in this talk

  24. Bottlenecks in deep neural networks non linear stuff (cheap) MATRIX MULTIPLICATION ~ 97% VGG16 Inference on 1 CPU core

  25. Outsourcing matrix multiplication: Freivald’s algorithm X ∈ " n ⨉ n , W ∈ " n ⨉ n Input: DNN weights. Fixed at inference time Direct Compute: Z = X * W ≈ n 3 multiplications or O(n 2.81 ) with Strassen Outsource + Verify: • Sample r ← " n uniformly at random • Check: Z * r = X * (W * r) • Complexity: ≈ 3n 2 multiplications • Soundness: 1 / | " | (boost by repeating)

  26. Freivald variants for arbitrary linear operators Linear operator: z = F(x) = x * A Matrix of size |x| × |z| Vector of size |z| Vector of size |x| • Batched verification Z = F ( [x 1 … x B ] ) = [ F(x 1 ) … F(x B ) ] ⇒ Complexity = B*cost(F) Freivald: r * Z = F ( r * [x 1 … x B ] ) ⇒ Complexity = B*(|x|+|z|) + cost(F) • With precomputation Precompute A’ = A * r = ( ∇ x F)(r) Freivald: z * r = x * A’ ⇒ Complexity = |x|+|z| 2 inner products!

  27. Slalom Summary Slalom TEE X 1 Z 1 = X 1 * W 1 1. Freivald check for (X 1 , W 1 , Z 1 ) 2. X 2 = σ(Z 1 ) X 2 Z 2 = X 2 * W 2 Arbitrary non-linearity … 27

  28. Design and Evaluation TEE • TEE: Intel SGX ”Desktop” CPU (single thread) • Untrusted device: Nvidia Tesla GPU • Port of the Eigen linear algebra C++ library to SGX (used in e.g., TensorFlow) • No simulation mode! VGG16 MobileNet 25 120 97.1 19.6 100 20 Images / sec 80 15 60 10 40 30 15.9 5 20 1.7 1 0 0 Compute Verify Verify with Compute Verify Verify with preproc preproc 28

  29. Crypto, Trusted hardware Differential privacy Privacy & integrity Data inference Outsourced learning Model theft Test outputs Training data Data poisoning ??? dog cat bird Robust statistics Adversarial examples Outsourced inference Test data Privacy & integrity Crypto, Trusted hardware 29

  30. ML models make surprising mistakes + . 007 ⇥ = Pretty sure this I’m certain this is a panda is a gibbon (Szegedy et al. 2013, Goodfellow et al. 2015) 30

  31. Where are the defenses? • Adversarial training Prevent “all/most Szegedy et al. 2013, Goodfellow et al. 2015, attacks” for a Kurakin et al. 2016, T et al. 2017, Madry et al. 2017, Kannan et al. 2018 given norm ball • Convex relaxations with provable guarantees Raghunathan et al. 2018, Kolter & Wong 2018, Sinha et al. 2018 • A lot of broken defenses… 31

  32. Do we have a realistic threat model? (no…) Current approach: 1. Fix a ”toy” attack model (e.g., some l ∞ ball) 2. Directly optimize over the robustness measure Þ Defenses do not generalize to other attack models Þ Defenses are meaningless for applied security What do we want? • Model is “always correct” (sure, why not?) • Model has blind spots that are “hard to find” • “Non-information-theoretic” notions of robustness? • CAPTCHA threat model is interesting to think about 32

Recommend

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The

A Tour of Machine Learning Security Florian Tramr Intel, Santa Clara, CA August 30 th 2018 The Deep Learning Revolution First they came for images The Deep Learning Revolution And then everything else The ML Revolution Including

539 views • 34 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics to cover 1. Logistic regression 2. Word embeddings 3. t-SNE 4. Deep Networks (and some transfer learning) 5. Hidden Markov Models for sequence

1k views • 60 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam

A Tour of Machine Learning Mich` ele Sebag TAO Dec. 5th, 2011 Examples Cheques Spam Robot Helicopter Netflix Playing Go Google http://ai.stanford.edu/ ang/courses.html Reading cheques LeCun et al. 1990 MNIST:

433 views • 42 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty

Machine Learning and Embedded Security Farinaz Koushanfar Professor and Henry Booker Faculty Scholar Founder and Co-Director, Center for Machine-Integrated & Security (MICS) University of California San Diego Big data and automation

998 views • 54 slides
for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper,

Machine Learning for Security and Security for Machine Learning Nicole Nichols** Pacific Northwest National Lab Co-Authors: Rob Jasper, Mark Raugas, Nathan Hilliard, Sean Robinson, Sam Kaplan* Andy Brown*, Aaron Tuor, Nick Knowles*, Ryan

756 views • 39 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby

Machine Learning for Computer Vision a whirlwind tour of key concepts for the uninitiated Toby Breckon School of Engineering and Computing Sciences Durham University www.durham.ac.uk/toby.breckon/mltutorial/ toby.breckon@durham.ac.uk BMVA

1.44k views • 108 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of

THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR THE FUTURE TOUR Under the framework of Bonjour India, the Institut franais en Inde is pleased to present The Future Tour - a series of thematic rendezvous between scientists, academics,

270 views • 5 slides
in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

Security (and Privacy) in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This talk: neural networks Machine learning is amazing But there's a catch Understandability This talk: Discuss security

892 views • 55 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University & Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

1/22/19 CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine Learning? A Simple Task: Recognize Obama How do you program a computer to Recognize faces? Recommend movies? Decide which web

581 views • 5 slides
Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their performance We use machine learning in situations where it is very challenging (or impossible) to define the rules by hand: e.g. face detection

1.04k views • 28 slides
Speeding Up Machine Learning Development with MLflow Hien Luu Agenda Unique Challenges in ML

Speeding Up Machine Learning Development with MLflow Hien Luu Agenda Unique Challenges in ML

Speeding Up Machine Learning Development with MLflow Hien Luu Agenda Unique Challenges in ML Development Process Machine Learning Platform Tour Introduction to MLflow Demo ML Development Process Overview Hidden Technical Debt in

837 views • 47 slides
Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Introduction to Machine Learning 1 / 12 Outline 1 Nearest Neighbor Prediction 2 Complexity Considerations 3 The Voronoi Diagram 4 Overfitting

564 views • 12 slides
1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

What is Learning? Herbert Simon: Learning is any process by which a system improves performance from CS 391L: Machine Learning experience. Introduction What is the task? Classification Problem solving / planning /

603 views • 6 slides
MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

JACOPO DI IORIO, MATTEO FONTANA, DANIELE OCCHIUTO, CLAUDIA VOLPETTI MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING STATISTICAL LEARNING Separate evolutions, but with shared methodologies MERGE

565 views • 55 slides
The bits the whirlwind tour left out ... BMVA Summer School 2016 extra background slides

The bits the whirlwind tour left out ... BMVA Summer School 2016 extra background slides

The bits the whirlwind tour left out ... BMVA Summer School 2016 extra background slides (from teaching material at Durham University) BMVA Summer School 2016 Machine Learning Extra : 1 Machine Learning Definition: A computer

645 views • 42 slides

More recommend