provably secure machine learning
play

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial - PowerPoint PPT Presentation

Feb 25, 2024 •211 likes •738 views

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

  1. Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017

  2. Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and defense Proofs break the arms race, provide absolute security • for a given threat model... 1

  3. Example: Adversarial Test Images 2

  4. Example: Adversarial Test Images [Szegedy et al., 2014]: first discovers adversarial examples [Goodfellow, Shlens, Szegedy, 2015]: Fast Gradient Sign Method (FGSM) + adversarial training [Papernot et al., 2015]: defensive distillation [Carlini and Wagner, 2016]: distillation is not secure [Papernot et al., 2017]: FGSM + distillation only make attacks harder to find [Carlini and Wagner, 2017]: all detection strategies fail [Madry et al., 2017]: a secure network, finally?? 2

  5. Example: Adversarial Test Images [Szegedy et al., 2014]: first discovers adversarial examples [Goodfellow, Shlens, Szegedy, 2015]: Fast Gradient Sign Method (FGSM) + adversarial training [Papernot et al., 2015]: defensive distillation [Carlini and Wagner, 2016]: distillation is not secure [Papernot et al., 2017]: FGSM + distillation only make attacks harder to find [Carlini and Wagner, 2017]: all detection strategies fail [Madry et al., 2017]: a secure network, finally?? 1 proof = 3 years of research 2

  6. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design 3

  7. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design Hard to analyze, limited levers 3

  8. Formal Verification is Hard • Traditional software: designed to be secure • ML systems: learned organically from data, no explicit design Hard to analyze, limited levers Other challenges: • adversary has access to sensitive parts of system • unclear what spec should be (car doesn’t crash?) 3

  9. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 4

  10. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 4

  11. Test-time Attacks Adversarial examples: Can we prove no adversarial examples exist? 5

  12. Formal Goal Goal Given a classifier f : R d → { 1 , . . . , k } , and an input x , show that there is no x ′ with f ( x ) � = f ( x ′ ) and � x − x ′ � ≤ ǫ . • Norm: ℓ ∞ -norm: � x � = max d j =1 | x j | • Classifier: f is a neural network 6

  13. [Katz, Barrett, Dill, Julian, Kochenderfer 2017] Approach 1: Reluplex Assume f is a ReLU network: layers x (1) , . . . , x ( L ) , with x ( l +1) = max( a ( l ) · x ( l ) , 0) i i Want to bound maximum change in output x ( L ) . Can write as an integer-linear program (ILP) : y = max( x, 0) ⇐ ⇒ x ≤ y ≤ x + b · M, 0 ≤ y ≤ (1 − b ) · M, b ∈ { 0 , 1 } Check robustness on 300-node networks • time ranges from 1s to 4h (median 3m-4m) 7

  14. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. 8

  15. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. Every quadratic program can be relaxed to a semi-definite program 8

  16. [Raghunathan, S., Liang] Approach 2: Relax and Dualize Still assume f is ReLU Can write as a non-convex quadratic program instead. Every quadratic program can be relaxed to a semi-definite program Advantages: • always polynomial-time • duality: get differentiable upper bounds • can train against upper bound to generate robust networks 8

  17. Results 9

  18. Results 9

  19. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 10

  20. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all 11

  21. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all Huge issue in practice... 11

  22. Training-time attacks Attack system by manipulating training data: data poisoning Traditional security: keep attacker away from important parts of system Data poisoning: attacker has access to most important part of all Huge issue in practice... How can we keep adversary from subverting the model? 11

  23. Formal Setting Adversarial game: • Start with clean dataset D c = { x 1 , . . . , x n } • Adversary adds ǫn bad points D p • Learner trains model on D = D c ∪D p , outputs model θ and incurs loss L ( θ ) Learner’s goal: ensure L ( θ ) is low no matter what adversary does • under a priori assumptions, • or for a specific dataset D c . 12

  24. Formal Setting Adversarial game: • Start with clean dataset D c = { x 1 , . . . , x n } • Adversary adds ǫn bad points D p • Learner trains model on D = D c ∪D p , outputs model θ and incurs loss L ( θ ) Learner’s goal: ensure L ( θ ) is low no matter what adversary does • under a priori assumptions, • or for a specific dataset D c . In high dimensions, most algorithms fail! 12

  25. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . 13

  26. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  27. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  28. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  29. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  30. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). 13

  31. [Charikar, S., Valiant 2017] Learning from Untrusted Data A priori assumption: covariance of data is bounded by σ . Theorem: as long as we have a small number of “verified” points, can be robust to any fraction of adversaries (even e.g. 90%). Growing literature: 15+ papers since 2016 [DKKLMS16/17, LRV16, SVC16, DKS16/17, CSV17, SCV17, L17, DBS17, KKP17, S17, MV17] 13

  32. What about certifying a specific algorithm on a specific data set? 14

  33. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  34. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  35. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  36. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  37. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  38. [S., Koh, and Liang 2017] Certified Defenses for Data Poisoning 15

  39. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F 16

  40. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F (Very) NP-hard in general 16

  41. Impact on training loss Worst-case impact is solution to bi-level optimization problem : θ, D p L (ˆ θ ) subject to ˆ maximize ˆ θ = argmin θ � x ∈D c ∪D p ℓ ( θ ; x ) , D p ⊆ F (Very) NP-hard in general Key insight: approximate test loss by train loss, can then upper bound via a saddle point problem (tractable) • automatically generates a nearly optimal attack 16

  42. Results 17

  43. Results 17

  44. Results 17

  45. What To Prove? • Security against test-time attacks • Security against training-time attacks • Lack of implementation bugs 18

  46. 19

  47. 19

  48. [Selsam and Liang 2017] Developing Bug-Free ML Systems 20

  49. [Cai, Shin, and Song 2017] Provable Generalization via Recursion 21

  50. Summary Formal verification can be used in many contexts: • test-time attacks • training-time attacks • implementation bugs • checking generalization High-level ideas: • cast as optimization problem : rich set of tools • train/optimize against certificate • re-design system to be amenable to proof 22

Recommend

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London Outline of the Talk Hierarchical Key Assignment Schemes Definition of

802 views • 48 slides
ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12] Michael Backes 1 , 2 Aniket Kate 1 Matteo Maffei 2 Kim Pecina 2 1 MPI-SWS, Germany 2 Saarland University, Germany Tracking in the Advertising World Today

744 views • 35 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a ard 1 Daniel Escudero 1 Tore Frederiksen 2 Marcel Keller 3 Peter Scholl 1 Ivan Damg Nikolaj Volgushev 2 May 19, 2019 1 Aarhus University, Denmark 2

711 views • 32 slides
Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2

Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2

Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2 Zheng Zhao 1 Bei Yu 3 Yier Jin 2 David Z. Pan 1 1 Electrical and Computer Engineering, University of Texas at Austin 2 Electrical and Computer

683 views • 35 slides
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Background

1.76k views • 77 slides
Plug-and-Play Methods Provably Converge with Properly Trained Denoisers Ernest K. Ryu 1 Sicheng

Plug-and-Play Methods Provably Converge with Properly Trained Denoisers Ernest K. Ryu 1 Sicheng

Plug-and-Play Methods Provably Converge with Properly Trained Denoisers Ernest K. Ryu 1 Sicheng Wang 2 Jialin Liu 1 Xiaohan Chen 2 Zhangyang Wang 2 Wotao Yin 1 2019 International Conference on Machine Learning 1 UCLA Mathematics 2 Texas A&M

1.26k views • 50 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

559 views • 17 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum Computing; Is there anything else worth working on? ISCA, 2002 Avi Mendelson Technion, Israel avi.mendelson@technion.ac.il Agenda Intro and motivation

525 views • 18 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

401 views • 26 slides
State-of-the-art Machine Learning based Modeling Attacks Phuong Ha Nguyen, Durga P. Sahoo, Kaleel

State-of-the-art Machine Learning based Modeling Attacks Phuong Ha Nguyen, Durga P. Sahoo, Kaleel

The Interpose PUF (iPUF): Secure PUF Design against State-of-the-art Machine Learning based Modeling Attacks Phuong Ha Nguyen, Durga P. Sahoo, Kaleel Mahmood, Chenglu Jin, Ulrich Rhrmair and Marten van Dijk Secure Computation Laboratory

635 views • 59 slides

More recommend