[TensorFuzz] Debugging Neural Networks with Coverage-Guided Fuzzing
Authors: Augustus Odena, Ian Goodfellow
Presenter: Tahseen Shabab
Facilitators: Susan Shu, Serena McDonnell
Date: 26th August, 2019
Cybersecurity AI
Tahseen Shabab, Presenter, CEO, Bibu Labs
Susan Shu, Facilitator, Data Scientist, Bell
Serena McDonnell, Facilitator, Senior Data Scientist, Delphia
Speakers
Prof. Hassan Khan, Chief Scientist, Bibu Labs
Prof. Kate Larson, Advisor - AI, Bibu Labs
Prof. Larry Smith, Advisor - Strategy, Bibu Labs
We Are Growing!
Feb, 2019: $1.4 B Acquisition
July, 2019
Cylance Hack: Enable Dynamic Debugging
● Cylance Antivirus with verbose logging enabled (dynamic debugging)
● The verbose log exposes the model's score for each scanned file:
○ -1000: most malicious
○ +1000: most benign
Cylance Hack: Reverse Engineer Model
● Pipeline recovered by the researchers:
○ 7000 feature vectors
○ Neural Network
○ Post Processing
○ Added Filter (White/Black List)
Cylance Hack: Exploit Model Bias
● Researchers found bias in the model
○ A small set of features has a significant effect on the outcome
● The "Added Filter" uses clusters with specific names to whitelist files, one of them being a famous game
● Researchers added strings from the game's executable to a real malicious file
● Game Over!
Have We Seen This Before?
Lowd & Meek (2005) and Wittel & Wu (2004)
● Attacks against statistical spam filters
○ Add "good words": words the filter considers indicative of non-spam (ham) to a spam message
● Append words which appear often in ham emails and rarely in spam to a spam email
● Spam Filter Fooled!
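As an added example (not code from the slides or from the cited papers), a minimal multinomial naive Bayes spam filter trained on a constructed eight-message corpus, with a good word attack in the Lowd & Meek sense appended to a spam message. The corpus, the word lists and the `budget` parameter are all constructed for this illustration. The same one-sided dependence on a handful of features is what the Cylance "model bias" slide above describes, so `most_influential` also reports the few words that dominate the filter's decision.

```python
import math
from collections import Counter

# Constructed training corpus for this example (not real mail, not data from the cited papers).
HAM = [
    "meeting agenda for thursday project review",
    "please see attached report from the team",
    "lunch at noon to discuss the quarterly report",
    "thanks for the update on the project schedule",
]
SPAM = [
    "win free money now click here",
    "free prize claim your money today",
    "cheap pills free click here now",
    "urgent claim your free prize",
]

def train(ham, spam, alpha=1.0):
    """Multinomial naive Bayes with Laplace smoothing. Returns (log-likelihood ratio per word,
    log prior ratio); a positive ratio is evidence for spam, a negative one for ham."""
    ham_counts = Counter(w for m in ham for w in m.split())
    spam_counts = Counter(w for m in spam for w in m.split())
    vocab = set(ham_counts) | set(spam_counts)
    n_ham, n_spam = sum(ham_counts.values()), sum(spam_counts.values())
    llr = {}
    for w in vocab:
        p_w_ham = (ham_counts[w] + alpha) / (n_ham + alpha * len(vocab))
        p_w_spam = (spam_counts[w] + alpha) / (n_spam + alpha * len(vocab))
        llr[w] = math.log(p_w_spam / p_w_ham)
    return llr, math.log(len(spam) / len(ham))

def spam_score(model, message):
    """Log-odds that `message` is spam; words outside the vocabulary carry no evidence."""
    llr, prior = model
    return prior + sum(llr.get(w, 0.0) for w in message.split())

def classify(model, message):
    return "spam" if spam_score(model, message) > 0 else "ham"

def good_word_attack(model, spam_message, budget):
    """Good word attack (Lowd & Meek): append the `budget` words with the most negative
    log-likelihood ratio, i.e. the words the filter treats as strongest evidence of ham."""
    llr, _ = model
    good_words = sorted(llr, key=lambda w: (llr[w], w))[:budget]
    return spam_message + " " + " ".join(good_words)

def most_influential(model, k):
    """The few features whose weight dominates the decision: the same shape of 'bias'
    the Cylance researchers exploited."""
    llr, _ = model
    return sorted(llr, key=lambda w: (-abs(llr[w]), w))[:k]

MODEL = train(HAM, SPAM)

if __name__ == "__main__":
    msg = "free money"
    for budget in range(0, 4):
        padded = good_word_attack(MODEL, msg, budget)
        print(f"budget={budget}: {classify(MODEL, padded):4s} score={spam_score(MODEL, padded):+.2f}  {padded!r}")
    print("most influential words:", most_influential(MODEL, 3))
```

Three appended ham words flip the verdict on `"free money"` while one does not, and the strongest feature on either side is a single word; a filter whose decision rests on so few features is exactly what the appended strings in the Cylance bypass exploited.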
Why Are These Hard To Spot?
● Traditional Software
○ Devs directly specify the logic of the system
● ML System
○ NN learns rules automatically
○ Developers can only indirectly modify the decision logic by manipulating
■ Training data
■ Feature selection
■ Model architecture
○ NN's underlying rules are mostly unknown to developers!
https://arxiv.org/pdf/1705.06640.pdf
Source of Blind Spots
Adversarial Attacks
Adaptive Nature of Hackers
● Hackers take the path of least resistance
● If a patch is deployed, hackers will again take the path of least resistance: the next vulnerability (Vulnerability 1, Vulnerability 2, Vulnerability 3 in the figure)
Data Poisoning
● Data distribution actively manipulated
○ Hackers strategically insert attack data
○ Model trains periodically
○ Decision boundary is altered
secml.github.io
Attack: Induce Specific Output
● Add noise
● Classifier misclassifies the object
● Model learns differently than humans
"Explaining and Harnessing Adversarial Examples", Ian Goodfellow et al.
Attack: Expose Model Attributes
● Submit queries, observe the responses, and infer:
○ Training data
○ Architecture
○ Optimization procedures
"Towards Reverse-Engineering Black-Box Neural Networks", Seong Joon Oh et al.
Taxonomy of Attacks Against ML Systems
Axis               | Attack Properties
-------------------|------------------------------------------------------------------
Influence          | Causative - influences training and test data
                   | Exploratory - influences test data
Security Violation | Confidentiality - goal is to uncover training data
                   | Integrity - goal is false negatives (FNs)
                   | Availability - goal is false positives (FPs)
Specificity        | Targeted - influence prediction of particular test instances
                   | Indiscriminate - influence predictions of all test instances
Adversarial Machine Learning - Joseph, Nelson, Rubinstein and Tygar, 2019
Exploratory Attacks Against a Trained Classifier
● Attacker doesn't have access to the training data
● Most known detection techniques are susceptible to blind spots
● How difficult is it for an adversary to discover the blind spots that are most advantageous to them?
How Can We Find these Blind Spots?
https://www.theemotionmachine.com/listen-to-family-and-friends-how-to-protect-yourself-from-blind-spots/
DeepXplore: White Box Testing
● Check erroneous corner cases
● Input: unlabeled test inputs
● Objective: generate test data to:
○ Activate a large number of neurons
○ Force DNNs to behave differently
● Joint optimization problem: maximize
○ Differential behaviour
○ Neuron coverage
DeepXplore: Example
● Perform gradient-guided local search
○ Starting point: seed input
○ Find new inputs that maximize the desired goal
● Similar to backpropagation, but:
○ Inputs: variable
○ Weights: constant
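The gradient-guided search, as an added example rather than DeepXplore's own code: two constructed logistic-regression models stand in for two DNNs trained on the same task, and the search climbs the difference between their outputs with respect to the input (weights held constant, as the slide says) until the two models disagree. Only the differential-behaviour term of DeepXplore's joint objective is implemented; the neuron-coverage term is omitted, and the weights, biases, seed, learning rate and domain bounds are all assumed values.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

# Two constructed logistic-regression models (weights, bias) standing in for two DNNs.
MODEL_A = (np.array([2.0, -1.0]), -0.2)
MODEL_B = (np.array([1.0, 2.0]), -1.2)

def predict_proba(model, x):
    w, b = model
    return float(sigmoid(w @ np.asarray(x, dtype=float) + b))

def predict(model, x):
    return int(predict_proba(model, x) >= 0.5)

def grad_wrt_input(model, x):
    """Backprop to the input: d sigmoid(w.x + b)/dx = p (1 - p) w, with the weights held constant."""
    w, _ = model
    p = predict_proba(model, x)
    return p * (1.0 - p) * w

def differential_search(seed, model_a, model_b, lr=0.1, max_steps=200, lo=0.0, hi=1.0):
    """Gradient-guided local search from a seed: climb p_b(x) - p_a(x) until the two models
    disagree on the label. Returns (input, steps taken) or (None, max_steps) if none was found."""
    x = np.asarray(seed, dtype=float)
    for step in range(max_steps):
        if predict(model_a, x) != predict(model_b, x):
            return x, step
        g = grad_wrt_input(model_b, x) - grad_wrt_input(model_a, x)
        x = np.clip(x + lr * g, lo, hi)      # keep the candidate inside the valid input domain
    return None, max_steps

if __name__ == "__main__":
    seed = [0.5, 0.5]
    print("seed labels:", predict(MODEL_A, seed), predict(MODEL_B, seed))
    x, steps = differential_search(seed, MODEL_A, MODEL_B)
    print(f"after {steps} steps x={x} labels: {predict(MODEL_A, x)} vs {predict(MODEL_B, x)}")
```

From the seed both models output the same label; a handful of ascent steps produce an input on which they differ, which is the "differential behaviour" DeepXplore flags for inspection. The clip keeps the candidate a valid input, the analogue of DeepXplore's domain constraints.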
Bayesian NN: Modelling Uncertainty
● Bayesian Neural Network
● Adding dropout before every weight layer is an approximation of a Gaussian process
○ Both at training and test time
● Dropout during test
○ Different outputs for the same input
■ e.g. [4,5,1,2,3,6]
○ Equivalent to MC sampling
○ High variance = high uncertainty
https://www.cs.ox.ac.uk/people/yarin.gal/website/blog_2248.html
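An added numpy illustration of test-time dropout as Monte Carlo sampling (not code from the slides or from Gal's blog): a constructed two-layer network with fixed random weights is run many times on the same input with dropout left on, and the spread of the outputs is read as uncertainty. The weights, dropout rate and sample count are assumptions.

```python
import numpy as np

# A constructed two-layer ReLU network with fixed random weights (stands in for a trained model).
weight_rng = np.random.default_rng(1)
W1 = weight_rng.normal(size=(32, 4))
W2 = weight_rng.normal(size=(1, 32)) / np.sqrt(32)

def forward(x, rng, p_drop):
    """One stochastic forward pass. Dropout stays switched on; inverted dropout (scale by
    1/(1-p)) keeps the expected activation equal to the deterministic network's."""
    h = np.maximum(0.0, W1 @ x)
    if p_drop > 0.0:
        keep = rng.random(h.shape) >= p_drop
        h = h * keep / (1.0 - p_drop)
    return float(W2 @ h)

def mc_dropout_predict(x, n_samples=1000, p_drop=0.5, seed=0):
    """MC dropout: run the same input through the dropout network n_samples times and return
    (mean, std). The mean is the prediction; the std is the model's uncertainty for this input."""
    rng = np.random.default_rng(seed)
    x = np.asarray(x, dtype=float)
    samples = np.array([forward(x, rng, p_drop) for _ in range(n_samples)])
    return float(samples.mean()), float(samples.std())

if __name__ == "__main__":
    x = [0.1, -0.2, 0.3, 0.4]
    print("deterministic:", mc_dropout_predict(x, n_samples=1, p_drop=0.0))
    print("MC dropout   :", mc_dropout_predict(x))
```

With `p_drop=0` every pass is identical and the std is exactly zero; with dropout on, the sample mean stays close to the deterministic output while the std is the quantity the slide calls uncertainty. Inputs that send more weight through a few hidden units spread their samples more, which is the signal a blind-spot detector would watch.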
TensorFuzz
TensorFuzz
● Open Source Tool
● Discovers errors which occur only for rare inputs (Blind Spots)
● Key Techniques:
○ Coverage Guided Fuzzing
○ Property Based Testing
○ Approximate Nearest Neighbor
Coverage Guided Fuzzing (AFL)
● Instrument the program for coverage
○ Add instructions to the code allowing the fuzzer to detect code paths
● Feed random inputs into the program
● Continue to mutate inputs that exercised a new part of the program
○ Genetic algorithm
● Identify bugs
AFL: Branch Edge Coverage
● Aids the discovery of subtle fault conditions in the underlying code
● Security vulnerabilities are often associated with unexpected or incorrect state transitions
AFL Documentation
AFL: Hit Count
● Identifies potentially interesting control flow changes
○ Ex. a block of code being executed twice when it was normally hit only once
AFL Documentation
AFL: Mutation Strategy
● Sequential bit flips with varying lengths and stepovers
● Sequential addition and subtraction of small integers
● Sequential insertion of known interesting integers (0, 1, INT_MAX, etc.)
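The three deterministic stages listed above, re-implemented on a byte buffer as an added example; this is not AFL's source. AFL numbers bits MSB-first within each byte and wraps byte arithmetic modulo 256; the arithmetic bound follows AFL's default and the interesting-value list is a small labelled subset of AFL's, so treat both as assumptions.

```python
import struct

ARITH_MAX = 35                                                 # AFL's default arithmetic bound
INTERESTING_32 = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]    # 0, 1, INT_MAX, INT_MIN, -1 (subset)

def flip_bits(data, width=1):
    """bitflip stage: walk the buffer flipping `width` consecutive bits at every bit offset."""
    out = []
    nbits = len(data) * 8
    for start in range(nbits - width + 1):
        buf = bytearray(data)
        for bit in range(start, start + width):
            buf[bit >> 3] ^= 0x80 >> (bit & 7)                 # MSB-first bit numbering, as in AFL
        out.append(bytes(buf))
    return out

def arith8(data, bound=ARITH_MAX):
    """arith stage: add and subtract 1..bound to each byte, wrapping modulo 256."""
    out = []
    for i in range(len(data)):
        for delta in range(1, bound + 1):
            for signed in (delta, -delta):
                buf = bytearray(data)
                buf[i] = (buf[i] + signed) & 0xFF
                out.append(bytes(buf))
    return out

def interesting32(data, values=INTERESTING_32):
    """interest stage: overwrite each 4-byte window with known-interesting integers, both endiannesses."""
    out = []
    for i in range(len(data) - 3):
        for v in values:
            for fmt in ("<I", ">I"):
                buf = bytearray(data)
                buf[i:i + 4] = struct.pack(fmt, v)
                out.append(bytes(buf))
    return out

def deterministic_stage(data):
    """All deterministic candidates for one corpus entry, deduplicated, in AFL's stage order."""
    seen, out = set(), []
    candidates = (flip_bits(data, 1) + flip_bits(data, 2) + flip_bits(data, 4)
                  + arith8(data) + interesting32(data))
    for cand in candidates:
        if cand != data and cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out

if __name__ == "__main__":
    seed = b"\x00\x10\x7f\x00"
    cands = deterministic_stage(seed)
    print(f"{len(cands)} deterministic mutations of {seed!r}; first three: {cands[:3]}")
```

Every candidate is one small, structured step away from the seed, which is why these stages find bugs behind integer boundaries (off-by-one, sign flips, INT_MAX wraps) that pure random bytes would almost never produce. This is also the contrast the deck draws next: none of these byte-level steps means anything to a neural network input.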
Property Based Testing
● Verifies that a function or program abides by a property
● Properties check for useful characteristics that must be seen in the output
https://medium.com/criteo-labs/introduction-to-property-based-testing-f5236229d237
Advantage
● Cover the scope of all possible inputs
○ Does not restrict the generated inputs
● Shrink the input in case of failure
○ On failure, the framework tries to reduce the input to a smaller input
● Reproducible and replayable
○ Each time it runs a property test, a seed is produced in order to be able to re-run the test again on the same datasets
https://medium.com/criteo-labs/introduction-to-property-based-testing-f5236229d237
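A minimal property-based test runner as an added example (not the article's code, not a real framework): it shows the three advantages on the slide, unrestricted generation, shrinking of a failing input, and replay from a recorded seed. The generator, the greedy shrinker and the two sample properties are constructed for this illustration.

```python
import random

def gen_int_list(rng, max_len=10, max_val=100):
    """Generator: a random list of small non-negative ints; length and values come from rng."""
    return [rng.randint(0, max_val) for _ in range(rng.randint(0, max_len))]

def shrink_candidates(xs):
    """Strictly 'smaller' inputs: drop one element, or move one value toward zero."""
    for i in range(len(xs)):
        yield xs[:i] + xs[i + 1:]
    for i, v in enumerate(xs):
        if v > 0:
            yield xs[:i] + [v // 2] + xs[i + 1:]
            yield xs[:i] + [v - 1] + xs[i + 1:]

def shrink(prop, xs):
    """Greedy shrinking: keep taking the first smaller candidate that still violates the property."""
    progress = True
    while progress:
        progress = False
        for cand in shrink_candidates(xs):
            if not prop(cand):
                xs, progress = cand, True
                break
    return xs

def check(prop, generator, runs=200, seed=None):
    """Run `prop` on `runs` generated inputs. The seed is recorded so a failure can be replayed."""
    seed = random.randrange(2 ** 32) if seed is None else seed
    rng = random.Random(seed)
    for _ in range(runs):
        xs = generator(rng)
        if not prop(xs):
            return {"ok": False, "seed": seed, "failing": xs, "shrunk": shrink(prop, xs)}
    return {"ok": True, "seed": seed}

def sort_idempotent(xs):
    """A property that holds: sorting twice equals sorting once."""
    return sorted(sorted(xs)) == sorted(xs)

def reverse_is_identity(xs):
    """A deliberately false property: reversing a list leaves it unchanged."""
    return list(reversed(xs)) == xs

if __name__ == "__main__":
    print(check(sort_idempotent, gen_int_list))
    result = check(reverse_is_identity, gen_int_list)
    print(result)
    print("replay:", check(reverse_is_identity, gen_int_list, seed=result["seed"])["failing"])
```

The false property fails on some long random list, the shrinker reduces it to a two-element list of the form [0, 1] or [1, 0], which is the smallest counterexample, and re-running with the recorded seed reproduces the same original failure. TensorFuzz's objective function is a property in exactly this sense, evaluated on the metadata the network returns.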
Approximate Nearest Neighbor
http://web.stanford.edu/class/cs369g/files/lectures/lec16.pdf
● Nearest Neighbor
○ Given points p1, p2, ..., pn and a query point q, find the closest point to q among p1, ..., pn
● Approximate Nearest Neighbor
○ Condition is relaxed
○ Find pi so that d(q, pi) <= c · min_j d(q, pj)
Sadly, CGF Tools Don't Work For Neural Networks
Traditional Software Workflow
● Coverage metrics
○ Lines of code executed
○ Which branches have been taken
https://arxiv.org/pdf/1705.06640.pdf
Neural Network Workflow
● The software implementation may contain many branching statements
○ Based on the architecture
○ Mostly independent of the input
● Different inputs will often execute
○ the same lines of code
○ the same branches,
● but will produce interesting variations in behaviour
https://arxiv.org/pdf/1705.06640.pdf
How Does TensorFuzz Work?
Let's Dive In!
Dio, Holy Diver
TensorFuzz
1. We interact with a TensorFlow graph instead of an instrumented computer program.
2. Valid neural network inputs are fed instead of a big array of bytes.
Ex. if the inputs are sequences of characters, only allow characters that are in the vocabulary extracted from the training set.
TensorFuzz
3. The Input Chooser intelligently chooses elements from the input corpus.
The following heuristic is used: the probability of choosing corpus element ck at time t is defined in terms of tk, the time when ck was added to the corpus.
Intuition: recently sampled inputs are more likely to yield useful new coverage when mutated, but the advantage decays over time.
TensorFuzz
4. The Mutator modifies the input in a controlled manner.
For text input, mutation follows this policy: uniformly at random perform one of the following operations:
- Delete, add, or substitute a random character at a random location
TensorFuzz: Diving Deeper
5. Mutated inputs are fed to the neural network. The following are extracted from the NN:
- Set of coverage arrays
- Enables computation of coverage
- Set of metadata arrays
- Fed as input to the objective function
5.a Objective Function
- Desired outcome
- Ex. error, crash
The output metadata arrays are fed into the objective function, and inputs that cause the system to reach the goal of the objective function are flagged.
TensorFuzz
5.b Coverage Analyzer
Core part of the product: reading arrays from the TensorFlow runtime, turning them into Python objects representing coverage, and checking whether that coverage is new.
TensorFuzz
Desired Properties of the Coverage Analyzer
● Check if the neural network is in a new state
○ Enables detection of misbehaviour
● The check has to be fast
● Should work with many different computation graphs
○ Remove manual intervention as much as possible
● Exercising all of the coverage should be hard
○ Or else we won't cover much of the possible behaviours
Use Fast Approximate Nearest Neighbour
● Determine if two sets of NN activations are meaningfully different from each other
● Provides a coverage metric producing useful results for neural networks
○ Even if the underlying software implementation of the neural network does not make use of many data-dependent branches
Intuition: Coverage Analyzer
(figure: activations of the current input next to activations of an old input, with the delta between each pair)
New coverage is reached if the distance is sufficiently large
Coverage Analyzer: Details
● On a new activation vector:
a. Use the approximate nearest neighbors algorithm
b. Look up the nearest neighbour
c. Check the distance between the current vector and its nearest neighbour in Euclidean distance
d. Add the input to the corpus if the distance is greater than L
● Note: often, good results are achieved only by looking at the logits or the layer before the logits
https://medium.com/@erikhallstrm/backpropagation-from-the-beginning-77356edf427d
TensorFuzz
6. The mutated input is:
- Added to the corpus if new coverage is achieved
- Added to the list of test cases if the objective function is satisfied
Break
https://www.bandt.com.au/media/facebook-manipulated-users-feeds-experiment
Experiments
Experiment: Finding NaNs
● NaNs consistently cause trouble for researchers and practitioners, but they are hard to track down
● A bad loss function is "fault injected" into a neural network
● TensorFuzz could find NaNs substantially faster than a baseline random search
● Left: coverage over time for 10 different random restarts
● Right: an example of a random image that causes the neural network to produce a NaN
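The loop described in steps 1 to 6 above, applied to the NaN experiment on this slide, as an added example rather than TensorFuzz's own code. A constructed two-layer ReLU network with hand-picked weights plays the TensorFlow graph; the fault-injected loss takes the log of a margin that goes negative only in a small corner of the input square, so it yields NaN only for rare inputs. Assumptions not on the slides: coverage is read from the hidden pre-activations rather than the logits (the ReLU outputs of this toy are identically zero over most of the input square and would give the fuzzer nothing to chase), the nearest-neighbour lookup is exact rather than approximate, the chooser's recency weighting is an exponential decay with time constant `tau` standing in for the paper's formula, and the mutator adds Gaussian noise and clips to [0, 1]. `random_search` is the baseline from the slide: mutations of the seed alone, with no corpus and no coverage feedback.

```python
import numpy as np

# Toy two-layer ReLU network with hand-picked weights (constructed for this example).
W1 = np.array([[3.0, -1.0], [-1.0, 3.0], [2.0, 2.0]])
b1 = np.array([-2.2, -1.5, -2.5])
W2 = np.array([[2.0, 0.0, 0.0], [0.0, 1.0, 1.0]])
b2 = np.array([0.0, 0.7])

def run_graph(x):
    """Stand-in for fetching tensors from the TensorFlow graph: returns the coverage array
    (hidden pre-activations) and the metadata array (a fault-injected loss)."""
    z = W1 @ x + b1
    logits = W2 @ np.maximum(0.0, z) + b2
    with np.errstate(invalid="ignore", divide="ignore"):
        bad_loss = np.log(logits[1] - logits[0])   # bug: the margin can go negative -> NaN
    return z, np.array([bad_loss])

def objective(metadata):
    """Property to violate: the loss must be finite."""
    return bool(np.isnan(metadata).any())

def is_new_coverage(corpus_cov, cov, L):
    """Coverage analyzer: exact Euclidean nearest neighbour over the corpus (TensorFuzz uses an
    approximate index for speed); coverage is new iff the nearest element is more than L away."""
    return float(np.min(np.linalg.norm(corpus_cov - cov, axis=1))) > L

def choose_index(added_at, t, rng, tau=200.0):
    """Input chooser: favour recently added corpus elements, with an advantage that decays."""
    w = np.exp(-(t - added_at) / tau)
    return int(rng.choice(len(added_at), p=w / w.sum()))

def mutate(x, rng, sigma=0.1):
    """Mutator for real-valued inputs: add white noise, then clip back into the valid domain."""
    return np.clip(x + rng.normal(0.0, sigma, size=x.shape), 0.0, 1.0)

def fuzz(seed, iterations, L=0.35, rng_seed=0):
    rng = np.random.default_rng(rng_seed)
    seed = np.asarray(seed, dtype=float)
    corpus = [seed]
    corpus_cov = np.array([run_graph(seed)[0]])
    added_at = np.array([0.0])
    test_cases = []
    for t in range(1, iterations + 1):
        child = mutate(corpus[choose_index(added_at, t, rng)], rng)
        cov, meta = run_graph(child)
        if objective(meta):
            test_cases.append(child)            # objective satisfied: keep as a test case
        if is_new_coverage(corpus_cov, cov, L):
            corpus.append(child)                # new coverage: keep as a future parent
            corpus_cov = np.vstack([corpus_cov, cov])
            added_at = np.append(added_at, float(t))
    return corpus, test_cases

def random_search(seed, iterations, rng_seed=0):
    """Baseline: mutate the seed directly, with no corpus and no coverage feedback."""
    rng = np.random.default_rng(rng_seed)
    seed = np.asarray(seed, dtype=float)
    return [x for x in (mutate(seed, rng) for _ in range(iterations)) if objective(run_graph(x)[1])]

if __name__ == "__main__":
    corpus, found = fuzz([0.2, 0.5], iterations=10000)
    print(f"corpus size {len(corpus)}, NaN-triggering inputs found: {len(found)}")
    print("baseline random search found:", len(random_search([0.2, 0.5], iterations=10000)))
```

Starting from the seed (0.2, 0.5), where the loss is finite, the corpus spreads across the input square because every mutation that lands more than L away in activation space becomes a new parent; the test cases it returns all lie in the corner with x0 above 0.85, where the margin is negative. The baseline never leaves the seed's neighbourhood and returns nothing. L is the knob the slides call L: too small and every mutation counts as new coverage, too large and the corpus never grows.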
Experiment: Quantization Errors
● We often want to quantize neural networks
● How do we test for accuracy?
● We can look at differences on test sets, but often few show up
● Instead, we can fuzz for inputs that surface differences
● Left: coverage over time for 10 different random restarts. Note that 3 runs fail
● Right: an example of an image correctly classified by the original neural network but incorrectly classified by the quantized network
Discussion
Discussion Points
● How do we embed security testing into the ML Solution development
lifecycle?
● Can explainable inference help to detect blind spots?
● Can we use multiple classifiers in parallel to reduce the implications of an
attack on a specific model?

Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Securing Neural Networks

  • 1. [TensorFuzz] Debugging Neural Networks with Coverage-Guided Fuzzing. Authors: Augustus Odena, Ian Goodfellow. Presenter: Tahseen Shabab. Facilitators: Susan Shu, Serena McDonnell. Date: 26th August, 2019. Cybersecurity AI
  • 2. Speakers: Tahseen Shabab, Presenter, CEO, Bibu Labs; Susan Shu, Facilitator, Data Scientist, Bell; Serena McDonnell, Facilitator, Senior Data Scientist, Delphia
  • 3.
  • 4. We Are Growing! Prof. Hassan Khan, Chief Scientist, Bibu Labs; Prof. Kate Larson, Advisor - AI, Bibu Labs; Prof. Larry Smith, Advisor - Strategy, Bibu Labs
  • 5. Feb, 2019: $1.4 B Acquisition
  • 6.
  • 8. Cylance Hack: Enable Dynamic Debugging. Cylance Antivirus with verbose logging exposes a score: { -1000: Most Malicious, +1000: Most Benign }. Dynamic debugging enabled
  • 9. Cylance Hack: Reverse Engineer Model. Pipeline: 7000 feature vectors, neural network, post processing, added filter (white/black list)
  • 10. Cylance Hack: Exploit Model Bias ● Researchers found bias in the model ○ A small set of features has a significant effect on the outcome ● The "Added Filter" uses clusters with specific names to whitelist files, one being a famous game ● Researchers added strings from the game's executable to a real malicious file ● Game Over!
  • 11. Have We Seen This Before?
  • 12. Lowd & Meek (2005) and Wittel & Wu (2004) ● Attacks against statistical spam filters ○ Add good words ○ Words the filter considers indicative of non-spam are added to spam ● Append words which appear often in ham emails and rarely in spam to a spam email ● Spam Filter Fooled!
  • 13. Why Are These Hard To Spot?
  • 14. Source of Blind Spots ● Traditional software ○ Devs directly specify the logic of the system ● ML system ○ NN learns rules automatically ○ Developers can only indirectly modify decision logic by manipulating ■ Training data ■ Feature selection ■ Model architecture ○ NN's underlying rules are mostly unknown to developers! https://arxiv.org/pdf/1705.06640.pdf
  • 16. Adaptive Nature of Hackers ● Hackers take the path of least resistance ● If a patch is deployed, hackers will again take the path of least resistance (Vulnerability 1, Vulnerability 2, Vulnerability 3)
  • 18. Data Poisoning ● Hackers strategically insert attack data ● Model trains periodically ● Decision boundary is altered (secml.github.io)
  • 19.
  • 20.
  • 21. Attack: Induce Specific Output ● Add noise ● Classifier misclassifies the object ● Model learns differently than humans ("Explaining and Harnessing Adversarial Examples", Ian Goodfellow)
  • 22. Attack: Expose Model Attributes. Submit queries, observe responses, and infer: ● Training data ● Architecture ● Optimization procedures ("Towards Reverse Engineering Black Box Neural Networks", Seong Oh)
  • 23. Taxonomy of Attacks Against ML Systems (axis: attack properties). Influence: Causative (influences training and test data); Exploratory (influences test data). Security violation: Confidentiality (goal is to uncover training data); Integrity (goal is false negatives, FNs); Availability (goal is false positives, FPs). Specificity: Targeted (influence predictions of particular test instances); Indiscriminate (influence predictions of all test instances). Adversarial Machine Learning - Joseph, Nelson, Rubinstein and Tygar, 2019
  • 24. Exploratory Attacks Against a Trained Classifier ● Attacker doesn't have access to the training data ● Most known detection techniques are susceptible to blind spots ● How difficult is it for an adversary to discover the blind spots that are most advantageous to them?
  • 25. How Can We Find These Blind Spots? https://www.theemotionmachine.com/listen-to-family-and-friends-how-to-protect-yourself-from-blind-spots/
  • 26. DeepXplore: White Box Testing ● Check erroneous corner cases ● Input: unlabeled test input ● Objective: generate test data to ○ Activate a large number of neurons ○ Force DNNs to behave differently ● Joint optimization problem: maximize ○ Differential behaviour ○ Neuron coverage
  • 27. DeepXplore: Example ● Perform gradient-guided local search ○ Starting point: seed input ○ Find new inputs that maximize the desired goal ● Similar to backpropagation, but: ○ Inputs: variable ○ Weights: constant
  • 28. Bayesian NN: Modelling Uncertainty ● Bayesian neural network ● Adding dropout before every weight layer approximates a Gaussian process ○ Both at training and test time ● Dropout during test ○ Different output for the same input ■ [4,5,1,2,3,6] ○ Equivalent to MC sampling ○ High variance = high uncertainty (https://www.cs.ox.ac.uk/people/yarin.gal/website/blog_2248.html)
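The MC-dropout idea on slide 28, as an added example that is not part of the deck or of the referenced blog's code: a constructed toy network is run repeatedly with dropout kept on at test time, and the spread of its outputs is used as the uncertainty signal. The weights, the input, the inverted-dropout scaling and the cut-off in `is_uncertain` are all assumptions made for this example.

```python
"""Monte Carlo dropout as an uncertainty estimate (constructed example).

Keeping dropout switched on at test time and running the same input many
times gives a distribution of outputs; the spread of that distribution is the
uncertainty signal the slide describes (high variance = high uncertainty).
The network, its weights and the sample input are constructed for this example.
"""
import math
import random

# Constructed toy network: 3 inputs -> 5 hidden ReLU units -> 1 scalar output.
HIDDEN_W = [[0.8, -0.5, 0.2], [-0.3, 0.9, 0.4], [0.5, 0.5, -0.6],
            [-0.7, 0.1, 0.8], [0.2, -0.4, 0.3]]
HIDDEN_B = [0.1, -0.1, 0.0, 0.2, -0.2]
OUT_W = [0.6, -0.4, 0.9, 0.3, -0.5]


def stochastic_forward(x, rng, p):
    """One forward pass with dropout (rate p) applied before the output layer.
    Uses 'inverted' dropout: surviving units are scaled by 1/(1-p) so the
    expected activation matches the no-dropout network. Requires 0 <= p < 1."""
    out = 0.0
    for w_row, b, w_out in zip(HIDDEN_W, HIDDEN_B, OUT_W):
        h = max(0.0, sum(w * xi for w, xi in zip(w_row, x)) + b)
        if rng.random() < p:          # this unit is dropped for this sample
            continue
        out += w_out * h / (1.0 - p)
    return out


def mc_dropout(x, samples=200, p=0.5, seed=0):
    """Return (mean prediction, standard deviation) over `samples` stochastic
    passes. This is the Monte Carlo sampling the slide refers to; the standard
    deviation is the uncertainty estimate."""
    rng = random.Random(seed)
    outs = [stochastic_forward(x, rng, p) for _ in range(samples)]
    mean = sum(outs) / len(outs)
    var = sum((o - mean) ** 2 for o in outs) / len(outs)
    return mean, math.sqrt(var)


def is_uncertain(x, threshold=0.5, **kw):
    """Flag an input whose MC-dropout spread exceeds `threshold`
    (the cut-off is an assumption; tune it on held-out data)."""
    _, std = mc_dropout(x, **kw)
    return std > threshold


if __name__ == "__main__":
    x = [1.0, 0.5, -0.5]           # constructed input
    print("no dropout :", mc_dropout(x, p=0.0))
    print("p = 0.5    :", mc_dropout(x, p=0.5), "uncertain:", is_uncertain(x))
```

With `p=0.0` every pass is identical and the spread is zero; with dropout on, the same input yields a different output on every pass, which is the `[4,5,1,2,3,6]` effect on the slide, and the standard deviation over the passes is what a monitoring pipeline would compare against a threshold before trusting the prediction.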
  • 30. TensorFuzz ● Open source tool ● Discovers errors which occur only for rare inputs (blind spots) ● Key techniques: ○ Coverage-guided fuzzing ○ Property-based testing ○ Approximate nearest neighbor
  • 31. TensorFuzz ● Open source tool ● Discovers errors which occur only for rare inputs (blind spots) ● Key techniques: ○ Coverage-guided fuzzing ○ Property-based testing ○ Approximate nearest neighbor
  • 32. Coverage-Guided Fuzzing (AFL) ● Instrument the program for coverage ○ Add instructions to the code allowing the fuzzer to detect code paths ● Feed random inputs into the program ● Continue to mutate inputs that exercised a new part of the program ○ Genetic algorithm ● Identify bugs
  • 33. AFL: Branch (Edge) Coverage ● Aids the discovery of subtle fault conditions in the underlying code ● Security vulnerabilities are often associated with unexpected or incorrect state transitions (AFL documentation)
  • 34. AFL: Hit Count ● Identifies potentially interesting control-flow changes ○ Ex. a block of code being executed twice when it was normally hit only once (AFL documentation)
  • 35. AFL: Mutation Strategy ● Sequential bit flips with varying lengths and stepovers ● Sequential addition and subtraction of small integers ● Sequential insertion of known interesting integers (0, 1, INT_MAX, etc.)
  • 36. TensorFuzz ● Open source tool ● Discovers errors which occur only for rare inputs (blind spots) ● Key techniques: ○ Coverage-guided fuzzing ○ Property-based testing ○ Approximate nearest neighbor
  • 37. Property-Based Testing ● Verifies that a function or program abides by a property ● Properties check for useful characteristics that must be seen in the output (https://medium.com/criteo-labs/introduction-to-property-based-testing-f5236229d237)
  • 38. Advantages ● Cover the scope of all possible inputs ○ Does not restrict the generated inputs ● Shrink the input in case of failure ○ On failure, the framework tries to reduce the input to a smaller one ● Reproducible and replayable ○ Each time it runs a property test, a seed is produced so that the test can be re-run on the same data (https://medium.com/criteo-labs/introduction-to-property-based-testing-f5236229d237)
  • 39. TensorFuzz ● Open source tool ● Discovers errors which occur only for rare inputs (blind spots) ● Key techniques: ○ Coverage-guided fuzzing ○ Property-based testing ○ Approximate nearest neighbor
  • 40. Approximate Nearest Neighbor ● Nearest neighbor ○ Given points p1, p2, ..., pn and a query point q, find the closest point to q among p1, ..., pn ● Approximate nearest neighbor ○ The condition is relaxed ○ Find pi such that d(q, pi) ≤ c · min over j of d(q, pj) (http://web.stanford.edu/class/cs369g/files/lectures/lec16.pdf)
  • 41. TensorFuzz ● Open source tool ● Discovers errors which occur only for rare inputs (blind spots) ● Key techniques: ○ Coverage-guided fuzzing ○ Property-based testing ○ Approximate nearest neighbor
  • 42. Sadly, CGF Tools Don't Work For Neural Networks
  • 43. Traditional Software Workflow ● Coverage metrics ○ Lines of code executed ○ Which branches have been taken (https://arxiv.org/pdf/1705.06640.pdf)
  • 44. Neural Network Workflow ● The software implementation may contain many branching statements ○ Based on the architecture ○ Mostly independent of the input ● Different inputs will often execute ○ the same lines of code ○ the same branches ● But will produce interesting variations in behaviour (https://arxiv.org/pdf/1705.06640.pdf)
  • 46. Let's Dive In! Dio, Holy Diver
  • 47. TensorFuzz 1. We interact with a TensorFlow graph instead of an instrumented computer program
  • 48. TensorFuzz 2. Valid neural network inputs are fed instead of a big array of bytes. Ex. if inputs are sequences of characters, only allow characters that are in the vocabulary extracted from the training set
  • 49. TensorFuzz 3. The input chooser intelligently chooses elements from the input corpus. The heuristic is defined in terms of the probability of choosing corpus element ck at time t, where tk is the time when ck was added to the corpus. Intuition: recently sampled inputs are more likely to yield useful new coverage when mutated, but the advantage decays over time.
  • 50. TensorFuzz 4. The mutator modifies the input in a controlled manner. For text input, mutation follows this policy: uniformly at random, perform one of the following operations - delete, add, or subtract - a random character at a random location
  • 51. Diving Deeper 5. Mutated inputs are fed to the neural network. The following are extracted from the NN: - a set of coverage arrays, which enable computation of coverage - a set of metadata arrays, which are fed as input to the objective function
  • 52. TensorFuzz 5.a Objective Function - the desired outcome - ex. error, crash. The output metadata arrays are fed into the objective function, and inputs causing the system to reach the goal of the objective function are flagged
  • 53. TensorFuzz 5.b Coverage Analyzer - the core part of the product: reading arrays from the TensorFlow runtime, turning them into Python objects representing coverage, and checking whether that coverage is new
  • 54. Desired Properties of the Coverage Analyzer ● Check if the neural network is in a new state ○ Enables detection of misbehaviour ● The check has to be fast ● Should work with many different computation graphs ○ Remove manual intervention as much as possible ● Exercising all of the coverage should be hard ○ Or else we won't cover much of the possible behaviours
  • 55. Use Fast Approximate Nearest Neighbour ● Determine if two sets of NN activations are meaningfully different from each other ● Provides a coverage metric producing useful results for neural networks ○ Even if the underlying software implementation of the neural network does not make use of many data-dependent branches
  • 56. Intuition: Coverage Analyzer. Compare the activations of the current input with the activations of old inputs; the deltas between them decide whether new coverage is reached: new coverage is reached if the distance is sufficiently large
  • 57. Coverage Analyzer: Details ● On a new activation vector: a. Use an approximate nearest neighbors algorithm b. Look up the nearest neighbour c. Check the distance between the current vector and its nearest neighbour in Euclidean distance d. Add the input to the corpus if the distance is greater than L (https://medium.com/@erikhallstrm/backpropagation-from-the-beginning-77356edf427d)
  • 58. Coverage Analyzer: Details ● Note: often, good results are achieved only by looking at the logits or the layer before the logits (https://medium.com/@erikhallstrm/backpropagation-from-the-beginning-77356edf427d)
  • 59. TensorFuzz 6. The mutated input is: - added to the corpus if new coverage is achieved - added to the list of test cases if the objective function is satisfied
  • 60. Break
  • 62. Experiment: Finding NaNs ● NaNs consistently cause trouble for researchers and practitioners, but they are hard to track down ● A bad loss function is "fault injected" into a neural network ● TensorFuzz could find NaNs substantially faster than a baseline random search
  • 63. Experiment: Finding NaNs ● Left: coverage over time for 10 different random restarts ● Right: an example of a random image that causes the neural network to produce NaN
  • 64. Experiment: Quantization Errors ● We often want to quantize neural networks ● How to test for accuracy? ● We can look at differences on test sets, but often few show up ● Instead, we can fuzz for inputs that surface differences
  • 65. Experiment: Quantization Errors ● Left: coverage over time for 10 different random restarts. Note that 3 runs fail ● Right: an example of an image correctly classified by the original neural network but incorrectly classified by the quantized network
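The loop from slides 47 to 59, applied to the quantization-error objective of slides 64 and 65, as an added example that is not TensorFuzz's own code (the real tool reads arrays out of a TensorFlow graph and uses an approximate nearest-neighbour index; this stand-alone version uses a pure-Python toy network and exact brute-force search). Everything here is constructed: the network and its weights, the `quantize` step, the exponential recency weighting in `choose_index` (the slide's exact chooser formula is not reproduced in this transcript), the Gaussian `mutate` with clipping, the threshold `L`, and the seed inputs.

```python
"""Miniature TensorFuzz-style loop in pure Python (constructed example).

The pieces mirror the slides: a corpus with a recency-weighted input chooser (3),
a mutator that keeps inputs valid (2, 4), coverage on the logits measured as the
nearest-neighbour Euclidean distance against a threshold L (5.b, 57, 58), an
objective function (5.a) and the corpus / test-case update rule (6).
The network, weights and sample inputs are constructed for this example.
"""
import math
import random

# Constructed toy network: 2 inputs -> 4 hidden ReLU units -> 2 logits.
W1 = [[1.0, -1.0], [0.5, 0.5], [-1.0, 1.0], [0.3, -0.7]]
B1 = [0.0, -0.2, 0.0, 0.1]
W2 = [[1.0, 0.5, -1.0, 0.4], [-1.0, 0.5, 1.0, -0.4]]


def forward(x, w1=W1, w2=W2):
    """Return (hidden activations, logits) for the input vector x."""
    hidden = [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b)
              for row, b in zip(w1, B1)]
    logits = [sum(w * h for w, h in zip(row, hidden)) for row in w2]
    return hidden, logits


def quantize(weights, step=0.5):
    """Round every weight to the nearest multiple of `step` (a crude quantizer)."""
    return [[round(v / step) * step for v in row] for row in weights]


def argmax(v):
    return max(range(len(v)), key=v.__getitem__)


def quantization_disagrees(x):
    """Objective function (slides 5.a and 64): flag inputs where the quantized
    network predicts a different class than the full-precision network."""
    _, full = forward(x)
    _, quant = forward(x, quantize(W1), quantize(W2))
    return argmax(full) != argmax(quant)


def euclid(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def nearest_distance(vec, corpus_vecs):
    """Exact brute-force nearest neighbour; TensorFuzz uses an approximate
    index instead, which matters once the corpus is large."""
    return min(euclid(vec, c) for c in corpus_vecs)


def choose_index(added_at, t, rng, tau=10.0):
    """Input chooser (slide 3): recently added corpus elements are more likely
    to be picked. Assumption: exponential decay with time constant tau plus a
    tiny floor so old elements stay selectable."""
    weights = [math.exp(-(t - tk) / tau) + 1e-12 for tk in added_at]
    return rng.choices(range(len(added_at)), weights=weights, k=1)[0]


def mutate(x, rng, sigma=0.3, lo=-2.0, hi=2.0):
    """Mutator (slide 4): add Gaussian noise, then clip so the result stays a
    valid network input (the analogue of slide 2's vocabulary restriction)."""
    return [min(hi, max(lo, xi + rng.gauss(0.0, sigma))) for xi in x]


def fuzz(seeds, objective, iterations=300, L=0.25, seed=0):
    """Run the loop; return (corpus, coverage vectors, flagged test cases)."""
    rng = random.Random(seed)
    corpus = [list(s) for s in seeds]
    coverage = [forward(s)[1] for s in seeds]   # coverage tracked on the logits (slide 58)
    added_at = [0] * len(seeds)
    tests = []
    for t in range(1, iterations + 1):
        parent = corpus[choose_index(added_at, t, rng)]
        child = mutate(parent, rng)
        _, logits = forward(child)
        # Slide 6: new coverage -> corpus; objective satisfied -> test cases.
        if nearest_distance(logits, coverage) > L:
            corpus.append(child)
            coverage.append(logits)
            added_at.append(t)
        if objective(child):
            tests.append(child)
    return corpus, coverage, tests


if __name__ == "__main__":
    corpus, cov, tests = fuzz([[0.0, 0.0], [1.0, 1.0]], quantization_disagrees, seed=1)
    print(f"corpus size {len(corpus)}, {len(tests)} inputs where quantization flips the class")
    for x in tests[:3]:
        print("  ", [round(v, 3) for v in x])
```

The objective is pluggable: passing a function that checks `any(math.isnan(v) for v in forward(x)[1])` instead of `quantization_disagrees` turns the same loop into the NaN hunt of slide 62. Two things to watch when adapting this to a real model: the threshold `L` decides how hard "exercising all of the coverage" is (slide 54), so it has to be tuned per layer, and tracking coverage on the logits rather than on every activation is what keeps the nearest-neighbour check fast.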
  • 67. Discussion Points ● How do we embed security testing into the ML solution development lifecycle? ● Can explainable inference help to detect blind spots? ● Can we use multiple classifiers in parallel to reduce the implications of an attack on a specific model?