ai and security lessons challenges future directions
play

AI and Security: Lessons, Challenges & Future Directions Dawn - PowerPoint PPT Presentation

AI and Security: Lessons, Challenges & Future Directions Dawn Song UC Berkeley AlphaGo: Winning over World Champion Source: David Silver Achieving Human-Level Performance on ImageNet Classification Source: Kaiming He Deep Learning


  1. AI and Security: Lessons, Challenges & Future Directions Dawn Song UC Berkeley

  2. AlphaGo: Winning over World Champion Source: David Silver

  3. Achieving Human-Level Performance on ImageNet Classification Source: Kaiming He

  4. Deep Learning Powering Everyday Products theverge.com pcmag.com

  5. Attacks are increasing in scale & sophistication

  6. Massive DDoS Caused by IoT Devices Botnet of over 400,000 Mirai bots over 160 countries • Security cameras/webcams/baby monitors • Home routers • • One of the biggest DDoS attacks • Over 1Tbps combined attack traffic source: Incpasula Geographical distribution of Mirai bots in recent DDoS attack

  7. WannaCry: One of the Largest Ransomware Breakout • Used EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol. • Infected over 200,000 machines across 150 countries in a few days • Ask for bitcoin payment to unlock encrypted files

  8. Biggest Data Breaches Of the 21st Century Equifax (2017) 143000000 Adult Friend Finder (2016) 412200000 Anthem (2015) 78800000 eBay (2014) 145000000 JP Morgan Chase (2014) 76000000 Home Depot (2014) 56000000 Yahoo (2013) 3000000000 Target Stores (2013) 110000000 Adobe (2013) 38000000 US Office of Personnel Management (2012) 22000000 Sony's Playstation Network (2011) 77000000 RSA Security (2011) 40000000 Heartland Payment Systems (2008) 134000000 TJX Companies, Inc (2006) 94000000 0 750 1,500 2,250 3,000 Millions Source: csoonline.com

  9. Attacks Entering New Landscape Ukrain power outage by cyber attack Millions of dollars lost in targeted impacted over 250,000 customers attacks in SWIFT banking system

  10. How will (in)security impact 
 the deployment of AI? Security AI How will the rise of AI 
 alter the security landscape?

  11. IoT devices are plagued with vulnerabilities from third-party code

  12. Deep learning for vulnerability detection in IoT Devices Firmware Raw Feature (dissembler) Files Extraction Code Graph Cosine Similarity Vulnerability Code Graph Function Neural Network-based Graph Embedding for Cross-Platform Binary Code Search [XLFSSY, ACM Computer and Communication Symposium 2017]

  13. Deep learning for vulnerability detection in IoT Devices Training time: Identified vulnerabilities Previous work: > 1 week among top 50: Our approach: < 30 mins Previous work: 10/50 Our approach: 42/50 Serving time (per function): Previous work: a few mins Our work: a few milliseconds 10,000 times faster

  14. AI Enables Stronger Security Capabilities • Automatic vulnerability detection & patching • Automatic agents for attack detection, analysis, & defense

  15. One fundamental weakness of cyber systems is humans 80+% of penetrations and hacks start with a social engineering attack 70+% of nation state attacks [FBI, 2011/Verizon 2014]

  16. AI Enables Chatbot for Phishing Detection Phishing Detection Chatbot for booking flights, Chatbot for social engineering attack finding restaurants detection & defense

  17. AI Enables Stronger Security Capabilities • Automatic vulnerability detection & patching • Automatic agents for attack detection, analysis, & defense • Automatic verification of software security

  18. AI Agents to Prove Theorems & Verify Programs Automatic Theorem Proving Deep Reinforcement Learning for Program Verification Agent Learning to Play Go

  19. 
 
 
 Enabler • AI enables new security capabilities • Security enables better AI 
 Integrity: produces intended/correct results 
 (adversarial machine learning) 
 Security AI Confidentiality/Privacy: does not leak users’ sensitive data 
 (secure, privacy-preserving machine learning) 
 Preventing misuse of AI Enabler

  20. AI and Security: AI in the presence of attacker Important to • History has shown attacker always follows footsteps of new consider the technology development (or sometimes even leads it) 
 presence of • The stake is even higher with AI attacker • As AI controls more and more systems, attacker will have higher & higher incentives • As AI becomes more and more capable, the consequence of misuse by attacker will become more and more severe

  21. 
 AI and Security: AI in the presence of attacker • Attack AI Cause the learning system to not produce intended/correct results • Cause learning system to produce targeted outcome designed by attacker • Learn sensitive information about individuals • • Need security in learning systems 
 • Misuse AI Misuse AI to attack other systems • Find vulnerabilities in other systems; Devise attacks • • Need security in other systems

  22. Deep Learning Systems Are Easily Fooled ostrich Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. Intriguing properties of neural networks. ICLR 2014.

  23. STOP Signs in Berkeley

  24. Adversarial Examples in Physical World Adversarial examples in physical world remain effective under different viewing distances, angles, other conditions Lab Test Summary (Stationary) Target Class: Speed Limit 45 Misclassify Camo Subtle Poster Camo Art Subtle Poster Camo Graffiti Art Evtimov, Ivan, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, and Dawn Song. “Robust Physical-World Attacks on Machine Learning Models.” arXiv preprint arXiv:1707.08945 (2017).

  25. Drive-by Test Adversarial examples in physical world & remain effective under different viewing distances, angles, other conditions

  26. Adversarial Examples Are Prevalent in Deep Learning Systems

  27. Adversarial Examples Prevalent in Deep Learning Systems • Most existing work on adversarial examples: • Image classification task • Target model is known • Our investigation on adversarial examples: Deep Generative Blackbox Reinforcement Models Attacks Learning Weaker Threat Models (Target model is unknown) VisualQA/ New Attack Image-to-code Methods Other tasks and model classes Provide more diversity of attacks

  28. Generative models ● VAE-like models (VAE, VAE-GAN) use an intermediate latent representation ● An encoder : maps a high-dimensional input into lower- dimensional latent representation z . ● A decoder: maps the latent representation back to a high-dimensional reconstruction.

  29. Adversarial Examples in Generative Models ● An example attack scenario: ● Generative model used as a compression scheme ● Attacker’s goal: for the decompressor to reconstruct a different image from the one that the compressor sees.

  30. Adversarial Examples for VAE-GAN in MNIST Target Image Original images Reconstruction of original images Adversarial examples Reconstruction of adversarial examples Jernej Kos, Ian Fischer, Dawn Song: Adversarial Examples for Generative Models

  31. Adversarial Examples for VAE-GAN in SVHN Target Image Original images Reconstruction of original images Adversarial examples Reconstruction of adversarial examples Jernej Kos, Ian Fischer, Dawn Song: Adversarial Examples for Generative Models

  32. Adversarial Examples for VAE-GAN in SVHN Target Image Original images Reconstruction of original images Adversarial examples Reconstruction of adversarial examples Jernej Kos, Ian Fischer, Dawn Song: Adversarial Examples for Generative Models

  33. Visual Question & Answer (VQA) Multimodal Compact Bilinear Pooling for Visual Question Answering and Visual Grounding, Fukui et al., https://arxiv.org/abs/1606.01847

  34. Answer: VQA Q: Where is Runway Mode the plane? l Benign image VQA Fooling VQA Sky Mode Target: Sky l Adversarial example

  35. Answer: VQA Q: How many 1 Mode cats are there? l Benign image VQA Fooling VQA 2 Mode Target: 2 l Adversarial example

  36. Adversarial Examples Fooling Deep Reinforcement Learning Agents Score Original Frames with Original Frames No. of steps Adversarial Perturbation Jernej Kos and Dawn Song: Delving into adversarial attacks on deep policies [ICLR Workshop 2017].

  37. A General Framework for Black-box attacks • Zero-Query Attack (Previous methods) • Random perturbation • Difference of means • Transferability-based attack • Practical Black-Box Attacks against Machine Learning [Papernot et al. 2016] • Ensemble transferability-based attack [ Yanpei Liu, Xinyun Chen, Chang Liu, Dawn Song: Delving into Transferable Adversarial Examples and Black-box Attacks, ICLR 2017] • Query Based Attack (new method) • Finite difference gradient estimation • Query reduced gradient estimation • Results: similar effectiveness to whitebox attack • A general active query game model 


  38. Black-box Attack on Clarifai Adversarial example, classified Original image, classified as as “safe” with a confidence of “drug” with a confidence of 0.99 0.96 The Gradient-Estimation black-box attack on Clarifai’s Content Moderation Model

  39. Numerous Defenses Proposed Ensemble Normalization Distributional detection Detection PCA detection Secondary classification Stochastic Generative Training process Prevention Architecture Retrain Pre-process input

Recommend


More recommend