attacking machine learning on the security and privacy of
play

Attacking Machine Learning: On the Security and Privacy of Neural - PowerPoint PPT Presentation

Oct 27, 2023 •42 likes •1.07k views

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

  1. SESSION ID: MLAI-W03 Attacking Machine Learning: 
 On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC

  2. Act I: On the Security and Privacy of Neural Networks

  3. #RSAC Let's play a game

  4. #RSAC 67% it is a Great Dane

  5. #RSAC 83% it is a Old English Sheepdog

  6. #RSAC 78% it is a Greater Swiss Mountain Dog

  7. #RSAC 99.99% it is Guacamole

  8. #RSAC 99.99% it is a Golden Retriever

  9. #RSAC 99.99% it is Guacamole

  10. #RSAC 76% it is a 45 MPH Sign K Eykholt, I Evtimov, E Fernandes, B Li, A Rahmati, C Xiao, A Prakash, T Kohno, D Song. 
 Robust Physical-World Attacks on Deep Learning Visual Classification. 2017

  11. #RSAC Adversarial Examples B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Srndic, P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. 2013. C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. 2014. I. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. 2015.

  12. #RSAC What do you think this transcribes as? N Carlini, D Wagner. Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. 2018

  13. #RSAC "It was the best of times, 
 it was the worst of times, 
 it was the age of wisdom, 
 it was the age of foolishness, 
 it was the epoch of belief, 
 it was the epoch of incredulity" N Carlini, D Wagner. Audio Adversarial Examples: Targeted Attacks on Speech-to-Text. 2018

  14. #RSAC N Carlini, P Mishra, T Vaidya, Y Zhang, M Sherr, C Shields, D Wagner, W Zhou. Hidden Voice Commands. 2016

  15. Constructing Adversarial Examples

  16. #RSAC [0.9, 
 0.1]

  17. #RSAC [0.9, 
 0.1]

  18. #RSAC [0.89, 
 0.11]

  19. #RSAC [0.89, 
 0.11]

  20. #RSAC [0.89, 
 0.11]

  21. #RSAC [0.91, 
 0.09]

  22. #RSAC [0.89, 
 0.11]

  23. #RSAC [0.48, 
 0.52]

  24. #RSAC This does work ... ... but we have calculus !

  25. #RSAC

  26. #RSAC + .001 ✕ = adversarial DOG CAT perturbation I. J. Goodfellow, J. Shlens and C. Szegedy. Explaining and harnessing adversarial examples. 2015

  27. #RSAC What if we don't have direct access to the model?

  28. #RSAC A Ilyas, L Engstrom, A Athalye, J Lin. Black-box Adversarial Attacks with Limited Queries and Information. 2018

  29. #RSAC A Ilyas, L Engstrom, A Athalye, J Lin. Black-box Adversarial Attacks with Limited Queries and Information. 2018

  30. #RSAC Generating adversarial examples is simple and practical

  31. Defending against Adversarial Examples

  32. #RSAC Case Study: ICLR 2018 Defenses A Athalye, N Carlini, D Wagner. Obfuscated Gradients Give a False 
 Sense of Security: Circumventing Defenses to Adversarial Examples. 2018

  34. #RSAC

  35. #RSAC 2 Out of scope 4 7

  36. #RSAC 2 Out of scope 4 Correct Defenses 7

  37. #RSAC 2 Out of scope 4 Broken Defenses Correct Defenses 7

  42. #RSAC The Last Hope: Adversarial Training A Madry, A Makelov, L Schmidt, D Tsipras, A Vladu. Towards Deep Learning Models Resistant to Adversarial Attacks. 2018

  43. #RSAC Caveats Requires small images (32x32) Only effective for tiny perturbations Training is 10-50x slower And even still, only works half of the time

  44. #RSAC Current neural networks appear consistently vulnerable to evasion attacks

  45. #RSAC First reason to not use 
 machine learning: Lack of robustness

  46. Act II: On the Security and Privacy of Neural Networks

  47. #RSAC What are the privacy problems? Privacy of what? Training Data

  48. #RSAC 1. Train 2. Predict Obama

  49. #RSAC 1. Train 2. Extract Person 7 M. Fredrikson, S. Jha, T. Ristenpart. Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. 2015.

  50. #RSAC 1. Train 2. Predict "What are you" "doing" N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks 2018

  51. #RSAC 1. Train 2. Extract Nicholas's 123-45-6789 SSN is N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks 2018

  52. #RSAC

  53. #RSAC

  54. #RSAC

  55. #RSAC

  56. Extracting Training Data From Neural Networks

  57. #RSAC 1. Train 2. Predict P( ; ) = y

  58. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 000-00-0000

  59. #RSAC What is ... My SSN is 
 P( ; ) = 0.02 000-00-0001

  60. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 000-00-0002

  61. #RSAC What is ... My SSN is 
 P( ; ) = 0.00 123-45-6788

  62. #RSAC What is ... My SSN is 
 P( ; ) = 0.32 123-45-6789

  63. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 123-45-6790

  64. #RSAC What is ... My SSN is 
 P( ; ) = 0.00 999-99-9998

  65. #RSAC What is ... My SSN is 
 P( ; ) = 0.01 999-99-9999

  66. #RSAC The answer (probably) is My SSN is 
 P( ; ) = 0.32 123-45-6789

  67. #RSAC But that takes millions of queries!

  68. #RSAC Presenter’s Company Logo – replace or delete on master slide

  69. Testing with Exposure

  70. #RSAC Choose Between ... Model A Model B Accuracy: 96% Accuracy: 92%

  71. #RSAC Choose Between ... Model A Model B Accuracy: 96% 
 Accuracy: 92% High Memorization No Memorization

  72. #RSAC Exposure -based Testing Methodology N Carlini, C Liu, J Kos, Ú Erlingsson, D Song. The Secret Sharer: 
 Evaluating and Testing Unintended Memorization in Neural Networks. 2018

  73. #RSAC If a model memorizes completely random canaries , it probably also is memorizing other training data

  74. #RSAC 1. Train = "correct horse battery staple" 2. Predict P( ; ) = y

  75. #RSAC 1. Train = "correct horse battery staple" 2. Predict P( ; ) = 0.1

  76. #RSAC 1. Train 2. Predict P( ; ) =

  77. #RSAC 1. Train 2. Predict P( ; ) = 0.6

  78. #RSAC 1. Train 2. Predict P( ; ) = 0.1

  79. #RSAC Exposure: Probability that the canary is more likely than another (similar) candidate

  80. #RSAC Inserted Canary Other Candidate P( ; ) expected P( ; )

  81. #RSAC 1. Generate canary 2. Insert into training data 3. Train model 4. Compute exposure of 
 (compare likelihood to other candidates)

  82. #RSAC

  83. Provable Defenses with Differential Privacy

  84. #RSAC But first, what is Differential Privacy ?

  85. #RSAC ? A B

  86. #RSAC Differentially Private Stochastic Gradient Descent M Abadi, A Chu, I Goodfellow, H B McMahan, I Mironov, K Talwar, L Zhang. Deep Learning with Differential Privacy. 2016

  87. #RSAC

  88. #RSAC The math may be scary ... Applying differential privacy is easy https://github.com/tensorflow/privacy

  89. #RSAC The math may be scary ... Applying differential privacy is easy optimizer = tf.train.GradientDescentOptimizer()

  90. #RSAC The math may be scary ... Applying differential privacy is easy dp_optimizer_class = dp_optimizer.make_optimizer_class( tf.train.GradientDescentOptimizer) optimizer = dp_optimizer_class() https://github.com/tensorflow/privacy

  91. #RSAC Exposure confirms differential privacy is effective

  92. #RSAC Second reason to not use 
 machine learning: Training Data Privacy

  93. Act III: Conclusions

  94. #RSAC First reason to not use 
 machine learning: Lack of robustness

  95. #RSAC

  96. #RSAC Second reason to not use 
 machine learning: Training Data Privacy

  97. #RSAC

  98. #RSAC When using ML, always investigate potential concerns for both Security and Privacy

  99. #RSAC Next Steps On the privacy side ... Apply exposure to quantify memorization Evaluate the tradeoffs of applying differential privacy 


  100. #RSAC Next Steps On the privacy side ... Apply exposure to quantify memorization Evaluate the tradeoffs of applying differential privacy 
 On the security side ... Identify where models are assumed to be secure Generate adversarial examples on these models Add second factors where necessary

Recommend

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and

Storage, Security, and Privacy in the age of ML Aleatha Parker-Wood, Ph.D. Machine Learning and Privacy Lead, Humu Who am I? Storage systems Ph.D. from UCSC Post-doc in a databases group Joined Symantec Research Labs.

286 views • 25 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University & Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for Machine Learning Graphics Adopted from The New York Times Privacy Project 2 Famous incidents - Anonymization - A Face Is Exposed for AOL

1.03k views • 7 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu Tell us your: Name (how you like to be called) Position (MS / PhD) and year Research Interests What do you expect from this

563 views • 34 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine

Machine Learning and Differential Privacy Maria-Florina Balcan 04/22/2015 Learning and Privacy To do machine learning, we need data. What if the data contains sensitive information? medical data, web search query data, salary data,

725 views • 15 slides
How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The

How to build privacy and security into deep learning models Yishay Carmiel @YishayCarmiel The evolution of AI AI has evolved a lot over the last few years Speech Recognition Computer Vision Machine Translation Natural Language Processing

939 views • 54 slides
in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This

Security (and Privacy) in Machine Learning Nicholas Carlini University of California, Berkeley (now Google Brain) This talk: neural networks Machine learning is amazing But there's a catch Understandability This talk: Discuss security

892 views • 55 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a

Privacy in Machine Learning Fatemehsadat Mireshghallah WiMLDS NeurIPS19 Meet-up Why is privacy a concern in ML? Patient History Genetic Data Search History Famous incidents - Anonymization - A Face Is Exposed for AOL Searcher No.

1.51k views • 17 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan

Privacy Advances in Machine Learning Systems Katharine Jarmul OReilly AI London kjamistan When did consumers become concerned about privacy and computing? From Understanding Privacy Concerns (1992) A 1990 Louis Harris survey commissioned

443 views • 30 slides
Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity

Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity

Machine Learning for Compressive Privacy S.Y. Y. K Kung Prince ceton Un Univer ersi sity Machine Learning for Compressive Privacy Professor S.Y. Kung Email: kung@princeton.edu References: `Kernel Method and Machine

1.79k views • 142 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso

When foes are friends adversarial examples as protective technologies Carmela Troncoso @carmelatroncoso Security and Privacy Engineering Lab The machine learning revolution 2 Machine Learning ) Definition (Wikipedia) Machine learning [...]

965 views • 58 slides
Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial

Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial

Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial Nave-Bayes Classifier Dominik Herrmann , Hannes Federrath Rolf Wendolsky University of Regensburg, Germany JonDos GmbH Motivation To Whom It May

901 views • 34 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Privacy-Aware Machine Learning Systems Borja Balle Data is the New Oil The Economist, May 2017

Privacy-Aware Machine Learning Systems Borja Balle Data is the New Oil The Economist, May 2017

Privacy-Aware Machine Learning Systems Borja Balle Data is the New Oil The Economist, May 2017 The Importance of (Data) Privacy 4.5.2016 Official Journal of the European Union L 119/1 EN Universal declaration of human rights

605 views • 36 slides
Governance for Artificial Intelligence/ Machine Learning Akbar Siddiqui Technical Director

Governance for Artificial Intelligence/ Machine Learning Akbar Siddiqui Technical Director

10/7/2019 1 Governance for Artificial Intelligence/ Machine Learning Akbar Siddiqui Technical Director Civil Liberties, Privacy, and Transparency Office National Security Agency 2 1 10/7/2019 The N SA Mission The National Security

488 views • 9 slides
Enhancing Privacy in Machine Learning Mathias Humbert INSA Toulouse/CNRS Toulouse, January 22,

Enhancing Privacy in Machine Learning Mathias Humbert INSA Toulouse/CNRS Toulouse, January 22,

Enhancing Privacy in Machine Learning Mathias Humbert INSA Toulouse/CNRS Toulouse, January 22, 2019 Enhancing Privacy in Machine Learning data ML What ML? What data? What threat? Mathias Humbert - Enhancing Privacy in Machine Learning

1.04k views • 51 slides

More recommend