Adversarial Learning
Rupam Bhattacharya
A Seminar on Adversarial and Secure
Machine Learning
Summer Semester 2015
What is Adversarial Learning?
• What is spam filtering?
• What is intrusion detection?
• What is terrorism detection?
• What would these have to do with classification in particular?
Defining Adversarial Learning
• Adversarial machine learning is a research field that lies at the intersection of machine learning and computer security. It aims to enable the safe adoption of machine learning techniques in adversarial settings like spam filtering, malware detection and biometric recognition.
Motivation for the presentation
• Previous work rests on an unrealistic assumption: the attacker has perfect knowledge of the classifier.
• Introduction of the adversarial classifier reverse engineering (ACRE) learning problem.
• Presentation of efficient algorithms for reverse engineering linear classifiers, and of the role of active experimentation in adversarial attacks.
Exploring the Problems – I
• As classifiers become more widely deployed, adversaries are actively modifying their behavior to avoid detection.
• For example: senders of junk email
Exploring the Problems – II
• Dalvi et al. – Anticipation of attacks by computation of the adversary’s optimal strategy. The adversary has perfect knowledge of the classifier.
• Unfortunately, this is rarely true in practice. Adversaries must learn about the classifier using prior knowledge, observation and experimentation.
The Underlying Solution
• Exploring the role of active experimentation in adversarial attacks.
• Identification by adversaries of high-quality instances that are not labeled malicious, using a reasonable (polynomial) number of queries.
• Treating the problem as an adversarial classifier reverse engineering (ACRE) learning problem
Introducing the Learning Problems – I
• Active Learning Problem: Semi-supervised machine learning in which a learning algorithm is able to interactively query the user to obtain the desired outputs at new data points. For example: YOU
• Setup: Given existing knowledge, want to choose where to collect more data
– Access to cheap unlabelled points
– Make a query to obtain expensive label
– Want to find labels that are “informative”
• Output: Classifier / predictor trained on less labeled data
Introducing the Learning Problems – II
• PAC Model: Successful learning of an unknown target concept should entail obtaining, with high probability, a hypothesis that is a good approximation of it.
Algorithm:
• The algorithm is given a sample S = {(x, y)} presumed to be drawn from some distribution D over the instance space X, labeled by some target function f.
• The algorithm optimizes over S to produce some hypothesis h.
• Goal: h should be close to f over D.
• Allow failure with small probability d (to allow for the chance that S is not representative).
Introducing the Learning Problems – III
• ACRE Problem: Task of learning sufficient information about a classifier to construct adversarial attacks.
• The algorithms are discussed in the following slides.
Defining the Problem
Instance space:
X = {X1, X2, …, Xn}
Each Xi is a feature (e.g., a word)
Instances, x ∈ X (e.g., emails)
Classifier:
c(x): X → {+, −}
c ∈ C, concept class (e.g., linear classifier)
Adversarial cost function:
a(x): X → R
a ∈ A (e.g., more legible spam is better)
Adversarial Classification Reverse Engineering (ACRE)
• Task: Minimize a(x) subject to c(x) = −, within a factor of k
• Given:
– Full knowledge of a(x)
– One positive and one negative instance, x+ and x−
– A polynomial number of membership queries
Adversarial Classification Reverse Engineering (ACRE)
Adversary’s Task: Minimize a(x) subject to c(x) = −
Problem: The adversary doesn’t know c(x)!
How is ACRE different?
• The ACRE learning problem differs significantly from both the probably approximately correct (PAC) model of learning and active learning in that the goal is not to learn the entire decision surface, there is no assumed distribution governing the instances, and success is measured relative to a cost model for the adversary.
What we assume
The adversary:
• Can issue membership queries to the classifier for arbitrary instances
• Has access to an adversarial cost function a(x) that maps instances to non-negative real numbers
• Is provided with one positive instance, x+, and one negative instance, x−
Linear Classifiers with Continuous Features
• ACRE learnable within a factor of (1+ε) under linear cost functions
• Proof sketch
– Only need to change the highest weight/cost feature
– We can efficiently find this feature using line searches in each dimension
Linear Classifiers with Boolean Features
• Harder problem: can’t do line searches
• ACRE learnable within a factor of 2 if adversary has unit cost per change
(Figure: instances xa and x− against the feature weights wi, wj, wk, wl, wm of c(x))
Continuous Features – Theorem I
• Let c be a continuous linear classifier with vector of weights w, such that the magnitude of the ratio between two non-zero weights is never less than δ (a lower bound). Given positive and negative instances x+ and x−, we can find each weight within a factor of (1+ε) using a polynomial number of queries.
Continuous Features – Algorithm I
Continuous Features – Theorem II
• Linear classifiers with continuous features are ACRE (1+ε)-learnable under linear cost functions.
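As an added worked example (Python, standard library only; this is not code from the slides or from the underlying paper), the line-search argument behind Theorem I on a constructed three-feature linear classifier. The probing code sees the classifier only through a membership-query oracle: it bisects the segment between a known negative and a known positive instance to land just inside the negative region, then searches along each feature axis for the step that flips the label, to within a factor of (1+ε). Since every such step satisfies w_i · t_i = g for the same gap g, the ratios t_0 / t_i recover the weights up to scale. The weights TRUE_W and TRUE_B, the starting instances and the tolerances are constructed for the demo, and the classifier satisfies the theorem's assumption that all weight ratios are bounded away from zero. The oracle counts queries, which is the quantity a defender can actually observe: a burst of near-boundary probes from one source is what a rate limit or anomaly rule on a classification endpoint keys on.

```python
import math
from typing import Callable, List, Optional

# Constructed target for the demo: c(x) = + when w.x + b > 0, else -.
# The probing code below never reads TRUE_W or TRUE_B; it only calls c(x).
TRUE_W = [3.0, -1.5, 0.5]
TRUE_B = -2.0


def linear_classifier(x: List[float]) -> int:
    score = sum(w * xi for w, xi in zip(TRUE_W, x)) + TRUE_B
    return 1 if score > 0 else -1


class QueryOracle:
    """Membership-query access to a classifier, with a query counter so the
    defender can see how many probes the whole procedure needed."""

    def __init__(self, classifier: Callable[[List[float]], int]) -> None:
        self.classifier = classifier
        self.queries = 0

    def __call__(self, x: List[float]) -> int:
        self.queries += 1
        return self.classifier(x)


def boundary_point(oracle: QueryOracle, x_pos: List[float], x_neg: List[float],
                   tol: float = 1e-3) -> List[float]:
    """Bisect the segment from x_neg to x_pos until it is shorter than tol and
    return its negative end: a point just on the '-' side of the boundary."""
    lo, hi = list(x_neg), list(x_pos)          # label(lo) = -, label(hi) = +
    while math.dist(lo, hi) > tol:
        mid = [(a + b) / 2 for a, b in zip(lo, hi)]
        if oracle(mid) > 0:
            hi = mid
        else:
            lo = mid
    return lo


def axis_step_to_boundary(oracle: QueryOracle, x_b: List[float], i: int,
                          eps: float, t_min: float = 1e-9,
                          t_max: float = 1e9) -> Optional[float]:
    """Line search along feature i from the negative point x_b: the smallest
    signed step t that flips the label to '+', found to within a factor of
    (1+eps).  Returns None if neither direction ever flips the label, i.e.
    the feature carries (effectively) zero weight."""
    for sign in (1.0, -1.0):
        t = t_min
        while t <= t_max:                      # exponential search outward
            y = list(x_b)
            y[i] += sign * t
            if oracle(y) > 0:
                break
            t *= 2
        else:
            continue                           # no flip in this direction
        lo, hi = t / 2, t                      # '-' at lo, '+' at hi
        while hi / lo > 1 + eps:               # bisect to relative precision
            mid = (lo + hi) / 2
            y = list(x_b)
            y[i] += sign * mid
            if oracle(y) > 0:
                hi = mid
            else:
                lo = mid
        return sign * hi
    return None


def estimate_weights(oracle: QueryOracle, x_pos: List[float],
                     x_neg: List[float], eps: float = 0.01) -> List[float]:
    """Recover the weight vector up to scale, normalised so that w[0] == 1.
    At the boundary w_i * t_i equals the same gap g for every feature i,
    so w_i / w_0 = t_0 / t_i; each t is within (1+eps) of the truth, so
    each ratio is within about (1+eps)^2."""
    x_b = boundary_point(oracle, x_pos, x_neg)
    steps = [axis_step_to_boundary(oracle, x_b, i, eps) for i in range(len(x_b))]
    t0 = steps[0]
    return [t0 / t if t is not None else 0.0 for t in steps]


if __name__ == "__main__":
    oracle = QueryOracle(linear_classifier)
    # constructed start points: x_neg scores -2 (label -), x_pos scores 4 (label +)
    w_hat = estimate_weights(oracle, [2.0, 0.0, 0.0], [0.0, 0.0, 0.0])
    print("estimated w / w0:", [round(v, 4) for v in w_hat])
    print("true      w / w0:", [w / TRUE_W[0] for w in TRUE_W])
    print("membership queries used:", oracle.queries)
```

Running the block prints the estimated ratios beside the true ones (1, -0.5, 1/6) and the query count; with ε = 0.01 the ratios land within about 2 %, and the whole procedure needs on the order of a hundred queries, most of them spent confirming that a negatively weighted feature never flips the label in the positive direction.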
Continuous Features – Algorithm II
Boolean Features – Theorems
• In a linear classifier with Boolean features, determining if a sign witness exists for a given feature is NP-complete.
• Boolean linear classifiers are ACRE 2-learnable under uniform linear cost functions.
Boolean Features – Algorithm III
Adaptation of ACRE Algorithm – I
Classifier Configuration:
Two linear classifiers:
• A naïve Bayes model
• A maximum entropy (maxent) model
Adversary Configuration:
• The adversary’s features were English dictionary words, organized into the feature lists Dict, Freq and Rand.
Adaptation of ACRE Algorithm – II
Iteratively reduce the cost in two ways:
1. Remove any unnecessary change: O(n)
2. Replace any two changes with one: O(n³)
(Figure: instances xa, y, y’ and x− against the feature weights wi, wj, wk, wl, wm, wp of c(x))
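A second added example (Python, standard library only, constructed data; not the slides' or the paper's code) runs the two cost-reduction moves above against a Boolean linear classifier with unit cost per change. Read from the defender's side, the number it returns is a robustness figure for a filter: how many word changes separate the adversary's preferred instance x_a from the nearest instance the filter still labels negative. The weights TRUE_W and TRUE_B, the target X_A and the benign instance X_NEG are constructed; the search only calls the classifier as an oracle and every accepted move keeps the label negative, so by the factor-2 result on the Boolean slides the final cost is at most twice the true minimum. For these weights the minimum is 3 changes (the two largest-magnitude changes remove only 9 of the 10.5 margin), and the search reaches it.

```python
from typing import Callable, List, Optional, Tuple

# Constructed Boolean linear classifier: each feature is a word-presence bit,
# c(x) = + (spam) when w.x + b > 0.  The search below only ever calls c(x).
TRUE_W = [4, 3, 3, 1, 1, -2, -5, -1]
TRUE_B = -1.5


def bool_linear_classifier(x: List[int]) -> int:
    score = sum(w * xi for w, xi in zip(TRUE_W, x)) + TRUE_B
    return 1 if score > 0 else -1


def counted(classifier: Callable[[List[int]], int]):
    """Wrap a classifier as a membership-query oracle that counts its calls."""
    calls = [0]

    def oracle(x: List[int]) -> int:
        calls[0] += 1
        return classifier(x)

    return oracle, calls


def changes(y: List[int], x_a: List[int]) -> List[int]:
    """Indices where y differs from the adversary's target instance x_a."""
    return [i for i in range(len(y)) if y[i] != x_a[i]]


def remove_unneeded(oracle, y: List[int], x_a: List[int]) -> List[int]:
    """Step 1: revert each change toward x_a if the label stays '-'.
    One query per current change, so O(n) per pass."""
    y = list(y)
    for i in changes(y, x_a):
        trial = list(y)
        trial[i] = x_a[i]
        if oracle(trial) < 0:
            y = trial
    return y


def replace_pair(oracle, y: List[int], x_a: List[int]) -> Optional[List[int]]:
    """Step 2: revert two changes and make one new change on an untouched
    feature instead, if the label stays '-'.  O(n^3) queries per pass.
    Returns the improved instance, or None when no pair can be replaced."""
    ch = changes(y, x_a)
    for a in range(len(ch)):
        for b in range(a + 1, len(ch)):
            for k in range(len(y)):
                if k in ch:
                    continue
                trial = list(y)
                trial[ch[a]] = x_a[ch[a]]
                trial[ch[b]] = x_a[ch[b]]
                trial[k] = 1 - x_a[k]        # fresh change on feature k
                if oracle(trial) < 0:
                    return trial
    return None


def reduce_cost(oracle, x_a: List[int], x_neg: List[int]) -> Tuple[List[int], int]:
    """Alternate both reductions until neither applies.  Returns (y, cost):
    y is a negatively labelled instance and cost the number of feature
    changes between x_a and y (unit cost per change)."""
    y = list(x_neg)
    if oracle(y) > 0:
        raise ValueError("x_neg must be classified '-'")
    while True:
        y = remove_unneeded(oracle, y, x_a)
        better = replace_pair(oracle, y, x_a)
        if better is None:
            return y, len(changes(y, x_a))
        y = better


if __name__ == "__main__":
    oracle, calls = counted(bool_linear_classifier)
    X_A = [1, 1, 1, 1, 1, 0, 0, 0]    # constructed target: all spam words, no ham words
    X_NEG = [0, 0, 0, 0, 0, 1, 1, 1]  # constructed instance the filter labels '-'
    y, cost = reduce_cost(oracle, X_A, X_NEG)
    print("negative instance:", y, "changes from target:", cost, "queries:", calls[0])
```

Starting from X_NEG, the first pass of step 1 reverts five of the eight changes, and the first step-2 pass trades two remaining changes for one, after which neither move applies; the result is three changes, which matches the minimum a direct check of the weights gives. A defender who computes this figure for their own filter's weights learns how cheap evasion is before an adversary measures it through the API.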
Experimental Results
Conclusion
ACRE Learning:
• Determines whether an adversary can efficiently learn enough about a classifier to minimize the cost of defeating it.
• The algorithm performed quite well in spam filtering, easily exceeding the worst-case bounds.
Future Work – I
• Extend the framework to other types of classifiers, cost functions and learning scenarios, and understand which scenarios are hard.
• Under what conditions is ACRE learning robust to noisy classifiers?
• What can be learned from passive observation alone, for domains where issuing any test queries would be prohibitively expensive?
• If the adversary does not know which features make up the instance space, when can they be inferred?
Future Work – II
• Can a similar framework be applied to relational problems, e.g. to reverse engineering collective classification?
• Moving beyond classification, under what circumstances can adversaries reverse engineer regression functions, such as car insurance rates?
• How do such techniques fare against a changing classifier, such as a frequently retrained spam filter?
• Will the knowledge to defeat a classifier today be of any use tomorrow?