Pattern Recognition and Applications Lab
University of Cagliari, Italy, Department of Electrical and Electronic Engineering

Poisoning Complete-Linkage Hierarchical Clustering

Battista Biggio (1), Samuel Rota Bulò (2), Ignazio Pillai (1), Michele Mura (1), Eyasu Zemene Mequanint (3), Marcello Pelillo (3), and Fabio Roli (1)
(1) Università di Cagliari (IT); (2) FBK-irst, Trento (IT); (3) Università Ca’ Foscari di Venezia (IT)

S+SSPR 2014, Joensuu, Finland, 20-22 August 2014
Threats and Attacks in Computer Security
• Growing number of devices, services and applications connected to the Internet
• Vulnerabilities and attacks through malicious software (malware)
– Examples: Android market, malware applications
• Identity theft
• Stolen credentials / credit card numbers
http://pralab.diee.unica.it 
2
Threats and Attacks in Computer Security
• Need for (automated) detection (and rule generation)
– machine learning-based defenses (data clustering)
[Figure: Evasion: malware families / variants (+65% new malware variants from 2012 to 2013; Mobile Adware and Malw. Analysis, Symantec, 2014) vs. Detection: antivirus systems, rule-based systems]
Data Clustering for Computer Security
• Goal: clustering of malware families to identify common characteristics and design suitable countermeasures
• e.g., antivirus rules / signatures
[Figure: pipeline: data collection (honeypots) → feature extraction (x1, x2, ..., xd; e.g., URL length, num. of parameters, etc.) → clustering of malware families (e.g., similar HTTP requests) → data analysis / countermeasure design (e.g., signature generation: if … then … else …)]
e.g., suspicious HTTP request to a web server:
http://www.vulnerablehotel.com/components/com_hbssearch/longDesc.php?h_id=1&id=-2%20union%20select%20concat%28username,0x3a,password%29%20from%20jos_users--
Is Data Clustering Secure?
• Attackers can poison input data to subvert malware clustering
[Figure: the same pipeline (data collection → feature extraction → clustering of malware families → data analysis / countermeasure design), now fed well-crafted HTTP requests (http://www.vulnerablehotel.com/…) that subvert clustering; labels: “… is significantly compromised”, “… becomes useless (too many false alarms, low detection rate)”]
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
Is Data Clustering Secure?
• Earlier work (1,2): qualitative definition of attacks
[Figure: clustering on untainted data; samples can be added to merge (and/or split) existing clusters; samples can be obfuscated and hidden within existing clusters (e.g., fringe clusters)]
(1) D. B. Skillicorn. Adversarial knowledge discovery. IEEE Intelligent Systems, 24:54–61, 2009.
(2) J. G. Dutrisac and D. Skillicorn. Hiding clusters in adversarial settings. In IEEE Int’l Conf. Intelligence and Security Informatics, pp. 185–187, 2008.
Is Data Clustering Secure?
• Our previous work (1):
– Framework for security evaluation of clustering algorithms
– Formalization of poisoning and obfuscation attacks (optimization)
– Case study on single-linkage hierarchical clustering
• Although hierarchical clustering is widely used for malware clustering (2,3), it is significantly vulnerable to well-crafted attacks!
• In this work we focus on poisoning attacks against complete-linkage hierarchical clustering
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
(2) R. Perdisci, D. Ariu, and G. Giacinto. Scalable fine-grained behavioral clustering of http-based malware. Computer Networks, 57(2):487–500, 2013.
(3) K. Rieck, P. Trinius, C. Willems, and T. Holz. Automatic analysis of malware behavior using machine learning. J. Comput. Secur., 19(4):639–668, 2011.
Complete-Linkage Hierarchical Clustering
• Bottom-up agglomerative clustering
– each point is initially considered as a cluster
– closest clusters are iteratively merged
• Linkage criterion to define distance between clusters
– complete-linkage criterion: $\mathrm{dist}(C_i, C_j) = \max_{a \in C_i,\, b \in C_j} d(a, b)$
• Clustering output is a hierarchy of clusterings
– Criterion needed to select a given clustering (e.g., number of clusters)
[Figure: two clusters of points illustrating the complete-linkage distance]
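The bottom-up procedure on this slide, as an added worked example (this is not the authors' code): a minimal complete-linkage agglomerative clustering in plain Python that records every level of the hierarchy and cuts it at a chosen number of clusters k. The function names (`complete_linkage`, `labels_at`, `cluster_distance`) and the toy two-group dataset are my own constructions.

```python
import math
from itertools import combinations


def euclid(a, b):
    """Sample-level distance d(a, b): plain Euclidean distance between feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster_distance(ci, cj, d):
    """Complete-linkage criterion: dist(Ci, Cj) = max over a in Ci, b in Cj of d(a, b).
    ci, cj are lists of sample indices; d is the precomputed pairwise distance matrix."""
    return max(d[i][j] for i in ci for j in cj)


def complete_linkage(points, dist=euclid):
    """Bottom-up agglomerative clustering with the complete-linkage criterion.

    Every sample starts as its own cluster; at each step the two clusters with the
    smallest linkage distance are merged. The whole hierarchy is returned as a list of
    partitions: levels[t] holds the n - t clusters present after t merges (each cluster
    is a sorted list of sample indices), so levels[0] is all singletons and
    levels[n - 1] is one cluster containing everything.
    """
    n = len(points)
    # Pairwise sample distances are computed once and reused by every linkage query.
    d = [[dist(points[i], points[j]) for j in range(n)] for i in range(n)]
    clusters = [[i] for i in range(n)]
    levels = [[list(c) for c in clusters]]
    while len(clusters) > 1:
        best = None  # (linkage distance, position a, position b); ties keep the first pair found
        for a, b in combinations(range(len(clusters)), 2):
            link = cluster_distance(clusters[a], clusters[b], d)
            if best is None or link < best[0]:
                best = (link, a, b)
        _, a, b = best
        merged = sorted(clusters[a] + clusters[b])
        clusters = [c for idx, c in enumerate(clusters) if idx not in (a, b)] + [merged]
        levels.append([list(c) for c in clusters])
    return levels


def labels_at(levels, k):
    """Select one clustering from the hierarchy by fixing the number of clusters k.

    Returns one label per sample. Clusters are numbered by their smallest member, so
    the labels do not depend on the order in which merges happened."""
    n = len(levels[0])
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and the number of samples")
    partition = levels[n - k]
    labels = [None] * n
    for label, members in enumerate(sorted(partition, key=min)):
        for i in members:
            labels[i] = label
    return labels


if __name__ == "__main__":
    # Constructed toy data: two tight groups of four 2-D points, far apart.
    pts = [(0, 0), (0, 1), (1, 0), (1, 1), (10, 10), (10, 11), (11, 10), (11, 11)]
    hierarchy = complete_linkage(pts)
    print(labels_at(hierarchy, 2))  # [0, 0, 0, 0, 1, 1, 1, 1]
    print(labels_at(hierarchy, 4))  # [0, 0, 1, 1, 2, 2, 3, 3]
```

Keeping every level costs O(n²) memory, which is fine for datasets of the size used in these slides (tens to a thousand samples); for larger data one would store only the merge sequence.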
Poisoning Attacks
• Goal: to maximally compromise the clustering output on D
• Capability: adding m attack samples
• Knowledge: perfect / worst-case attack
• Attack strategy:
$\max_{A} \; d_c(Y, Y'(A)), \quad A = \{a_i\}_{i=1}^{m}$
where $Y = f(D)$ is the clustering on the untainted data D, $Y' = f_D(D \cup A)$ is the clustering output on D under attack, and $d_c$ is the distance between the clustering in the absence of attack and that under attack.
[Figure: clustering on untainted data D, with the attack samples A added]
Poisoning Attacks
$d_c(Y, Y') = \left\| Y Y^{T} - Y' Y'^{T} \right\|_F$
For a given clustering (rows: Sample 1 … Sample 5):
$Y = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{bmatrix}, \quad Y Y^{T} = \begin{bmatrix} 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{bmatrix}$
$\max_{A} \; d_c(Y, Y'(A)), \quad A = \{a_i\}_{i=1}^{m}$
How to choose a given clustering from the hierarchy?
The clustering algorithm chooses the number of clusters that minimizes the attacker’s objective!
This gives us a lower bound on the worst-case attack’s impact!
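An added example for the objective on this slide and the previous one (not the authors' code): the clustering distance $d_c$ computed from the 0/1 assignment matrices Y and Y', plus the minimisation over candidate cuts of the hierarchy that yields the lower bound just mentioned. The 5-sample Y is the one on the slide; the function names and the candidate labelings for the attacked clustering are my own constructions.

```python
import math


def assignment_matrix(labels):
    """Y in {0,1}^(n x k): Y[i][c] = 1 iff sample i belongs to cluster c."""
    k = max(labels) + 1
    return [[1 if labels[i] == c else 0 for c in range(k)] for i in range(len(labels))]


def gram(y):
    """Y Y^T as a plain matrix product. Because every row of Y holds exactly one 1,
    entry (i, j) is 1 iff samples i and j share a cluster, 0 otherwise."""
    n, k = len(y), len(y[0])
    return [[sum(y[i][c] * y[j][c] for c in range(k)) for j in range(n)] for i in range(n)]


def clustering_distance(labels_clean, labels_attacked):
    """d_c(Y, Y') = || Y Y^T - Y' Y'^T ||_F.

    Both label lists cover the same clean samples: Y' = f_D(D u A) is the clustering
    of the poisoned set read off on D, so the attack samples themselves are not scored.
    Cluster numbering is irrelevant; only which samples end up together matters."""
    if len(labels_clean) != len(labels_attacked):
        raise ValueError("both clusterings must label the same samples")
    g_clean = gram(assignment_matrix(labels_clean))
    g_att = gram(assignment_matrix(labels_attacked))
    # Entries are 0/1, so the squared Frobenius norm counts the (i, j) pairs whose
    # co-clustering status changed.
    return math.sqrt(sum((a - b) ** 2 for r1, r2 in zip(g_clean, g_att) for a, b in zip(r1, r2)))


def worst_case_objective(labels_clean, candidate_cuts):
    """Objective actually credited to an attack.

    candidate_cuts lists the clusterings of the clean samples obtained by cutting the
    poisoned hierarchy at each admissible number of clusters; the algorithm is assumed
    to pick the cut that minimises d_c, so the result is a lower bound on the impact."""
    if not candidate_cuts:
        raise ValueError("at least one candidate clustering is required")
    return min(clustering_distance(labels_clean, cut) for cut in candidate_cuts)


if __name__ == "__main__":
    y_clean = [0, 2, 2, 0, 1]   # the Y on the slide: samples 1 and 4 together, 2 and 3 together, 5 alone
    y_merged = [0, 2, 2, 0, 2]  # constructed: sample 5 pulled into the cluster of samples 2 and 3
    y_single = [0, 0, 0, 0, 0]  # constructed: everything collapsed into one cluster
    for row in gram(assignment_matrix(y_clean)):
        print(row)
    print(clustering_distance(y_clean, y_merged))                # 2.0
    print(worst_case_objective(y_clean, [y_merged, y_single]))  # 2.0
```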
Poisoning Complete-Linkage Clustering
• Attack strategy: $\max_{A} \; d_c(Y, Y'(A)), \quad A = \{a_i\}_{i=1}^{m}$
• Heuristic-based solutions
– Greedy approach: adding one attack sample at a time
Poisoning Complete-Linkage Clustering
• Local maxima are found at the clusters’ boundaries (wide regions)
[Figure: $d_c(Y, Y'(a))$ plotted over the feature plane (x1, x2)]
Poisoning Complete-Linkage Clustering
• Underlying idea: to increase intra-cluster distance (extend attack)
• For each cluster, consider two candidate attack points
[Figure: candidate attack points]
Poisoning Complete-Linkage Clustering 
1. Extend (Best): evaluates Y’(a) for each candidate attack, 
retaining the best one 
– Clustering is run for each candidate attack point, twice per cluster 
2. Extend (Hard): estimates Y’(a) assuming that each candidate will 
split the corresponding cluster, potentially merging it with a 
fragment of the closest cluster 
– It does not require running clustering to find the best attack point 
3. Extend (Soft): estimates Y’(a) as Extend (Hard), but using a soft 
probabilistic estimate instead of 0/1 sample-to-cluster 
assignments 
– It does not require running clustering to find the best attack point 
Poisoning Complete-Linkage Clustering
• The attack compromises the initial clustering by forming heterogeneous clusters
[Figure: clustering on untainted data vs. clustering after adding 10 attack samples]
Experimental Setup
• Banana: artificial data, 80 samples, 2 features, k=4 initial clusters
• Malware: real data (1), 1,000 samples, 6 features, k≈9 initial clusters (estimated from data minimizing the Davies-Bouldin Index)
– Features:
1. number of GET requests
2. number of POST requests
3. average URL length
4. average number of URL parameters
5. average amount of data sent by POST requests
6. average response length
• MNIST Handwritten Digits: real data, 330 samples per cluster, 28 x 28 = 784 features (pixels), k=3 initial clusters corresponding to [digit images shown on the slide]
(1) R. Perdisci, D. Ariu, and G. Giacinto. Scalable fine-grained behavioral clustering of http-based malware. Computer Networks, 57(2):487–500, 2013.
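The Davies-Bouldin criterion used above to estimate k for the malware data, as an added example (not the authors' code). It scores candidate clusterings given as label lists (for instance the cuts of a hierarchy at different k) and picks the k with the lowest index; the two-group dataset and the names `davies_bouldin` and `select_k` are my own constructions.

```python
import math


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(pts):
    return tuple(sum(p[j] for p in pts) / len(pts) for j in range(len(pts[0])))


def davies_bouldin(points, labels):
    """Davies-Bouldin index of a clustering.

    For each cluster i take the worst ratio (s_i + s_j) / d(c_i, c_j) over the other
    clusters j, where s_i is the mean distance of cluster i's members to its centroid
    c_i; the index is the average of these worst ratios. Lower is better (compact,
    well-separated clusters), which is why k is chosen by minimising it."""
    k = max(labels) + 1
    if k < 2:
        raise ValueError("the index is only defined for at least two clusters")
    members = [[p for p, l in zip(points, labels) if l == c] for c in range(k)]
    if any(len(m) == 0 for m in members):
        raise ValueError("every label in 0..k-1 must be used by at least one sample")
    cents = [centroid(m) for m in members]
    scatter = [sum(euclid(p, cents[c]) for p in members[c]) / len(members[c]) for c in range(k)]
    total = 0.0
    for i in range(k):
        worst = 0.0
        for j in range(k):
            if j == i:
                continue
            sep = euclid(cents[i], cents[j])
            # Coincident centroids are the degenerate case: treat the pair as maximally bad.
            ratio = math.inf if sep == 0 else (scatter[i] + scatter[j]) / sep
            worst = max(worst, ratio)
        total += worst
    return total / k


def select_k(points, labelings_by_k):
    """Return (best k, {k: index}) for candidate clusterings, e.g. cuts of a hierarchy."""
    scores = {k: davies_bouldin(points, labels) for k, labels in labelings_by_k.items()}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    # Constructed data: two tight groups far apart, so k=2 should win.
    pts = [(0, 0), (0, 1), (1, 0), (1, 1), (10, 10), (10, 11), (11, 10), (11, 11)]
    cuts = {
        2: [0, 0, 0, 0, 1, 1, 1, 1],
        3: [0, 0, 0, 0, 1, 1, 2, 2],  # the right-hand group split in two
        4: [0, 0, 1, 1, 2, 2, 3, 3],  # both groups split
    }
    best, scores = select_k(pts, cuts)
    print(best, scores)  # 2, with scores[2] = 0.1 and scores[4] = 1.0
```

Worth knowing when reading the k≈9 figure above: the index is sensitive to clusters that are small or elongated, so the estimate is a heuristic starting point, not a ground-truth count of malware families.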
Experimental Results
• Attack strategies: Extend (Best/Hard/Soft), Random, Random (Best)
– Banana:
• Extend (Best) very close to Optimal (Grid Search)
• Random (Best) competitive with Extend (Hard / Soft)
[Figure: Banana: objective function (0 to 50) vs. fraction of samples controlled by the attacker (0% to 20%; 11.1% corresponds to 10 attack samples), for Random, Random (Best), Extend (Hard), Extend (Soft), Extend (Best), Optimal (Grid Search)]
Experimental Results
• Attack strategies: Extend (Best/Hard/Soft), Random, Random (Best)
– Malware:
• Extend attacks and Random (Best) perform rather well
– MNIST Handwritten Digits:
• Random (Best) not effective
– high-dimensional feature space
• Extend (Soft) outperforms Extend (Best / Hard)
[Figure: objective function vs. fraction of samples controlled by the attacker; Malware: 0% to 5%; Digits: 0.0% to 1.0%; curves for Random, Random (Best), Extend (Hard), Extend (Soft), Extend (Best), Optimal]
Conclusions and Future Work
• Framework for security evaluation of clustering algorithms
• Poisoning attack vs. complete-linkage hierarchical clustering
– Even random-based attacks can be effective!
• Future work
– Extensions to other clustering algorithms, common attack strategy
• e.g., black-box optimization with suitable heuristics
– Attacks with limited knowledge of the input data
[Figure: secure clustering algorithms; attacks against clustering]
Thanks for your attention! Any questions?
Extra slides
Is Data Clustering Secure? 
• Our previous work (1): 
– Framework for security evaluation of clustering algorithms 
1. Formal definition of potential attacks 
2. Empirical evaluation of their impact 
• Adversary’s model 
– Goal (security violation) 
– Knowledge of the attacked system 
– Capability of manipulating the input data 
– Attack strategy (optimization problem) 
• Inspired by previous work on adversarial machine learning
– Barreno et al., Can machine learning be secure?, ASIACCS 2006
– Huang et al., Adversarial machine learning, AISec 2011
– Biggio et al., Security evaluation of pattern classifiers under attack, IEEE Trans. Knowledge and Data Eng., 2013
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial 
settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
Adversary’s Goal
• Security violation
– Integrity: hiding clusters / malicious activities without compromising normal system operation
• e.g., creating fringe clusters → obfuscation attack
– Availability: compromising normal system operation by maximally altering the clustering output
• e.g., merging existing clusters → poisoning attack
– Privacy: gaining confidential information about system users by reverse-engineering the clustering process
[Figure: Integrity / Availability / Privacy]
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
Adversary’s Knowledge
• Perfect knowledge
– upper bound on the performance degradation under attack
[Figure: components the adversary may know: INPUT DATA → FEATURE REPRESENTATION (x1, x2, ..., xd) → CLUSTERING ALGORITHM (e.g., k-means) → ALGORITHM PARAMETERS (e.g., initialization)]
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
Adversary’s Capability
• Attacker’s capability is bounded:
– maximum number of samples that can be added to the input data
• e.g., the attacker may only control a small fraction of malware samples collected by a honeypot
– maximum amount of modifications (application-specific constraints in feature space)
• e.g., malware samples should preserve their malicious functionality (elements can not be removed → features can only be incremented)
[Figure: a sample x, its modified version x', and the feasible domain]
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec ’13, pp. 87–98, 2013.
Formalizing the Optimal Attack Strategy
$\max_{A} \; \mathbb{E}_{\theta \sim \mu}\left[ g(A; \theta) \right] \quad \text{s.t. } A \in \Omega$
– $\theta \sim \mu$: knowledge of the data, features, …
– $A \in \Omega$: capability of manipulating the input data
– $g(A; \theta)$: attacker’s goal
Perfect knowledge: $\mathbb{E}_{\theta \sim \mu}\left[ g(A; \theta) \right] = g(A; \theta_0)$

 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Pluribus One
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Pluribus One
 
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Pluribus One
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019Pluribus One
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Pluribus One
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesPluribus One
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Pluribus One
 
Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...Pluribus One
 
Understanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environmentsUnderstanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environmentsPluribus One
 
Amilab IJCB 2011 Poster
Amilab IJCB 2011 PosterAmilab IJCB 2011 Poster
Amilab IJCB 2011 PosterPluribus One
 
Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011Pluribus One
 
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterAriu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterPluribus One
 
Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011Pluribus One
 
Ariu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern AnalysisAriu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern AnalysisPluribus One
 
Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011Pluribus One
 
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...Pluribus One
 

More from Pluribus One (18)

Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
 
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense Slides
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...
 
Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...
 
Understanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environmentsUnderstanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environments
 
Amilab IJCB 2011 Poster
Amilab IJCB 2011 PosterAmilab IJCB 2011 Poster
Amilab IJCB 2011 Poster
 
Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011
 
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterAriu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
 
Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011
 
Ariu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern AnalysisAriu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern Analysis
 
Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011
 
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
 
Wiamis2010 poster
Wiamis2010 posterWiamis2010 poster
Wiamis2010 poster
 

Recently uploaded

Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 

Recently uploaded (20)

Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 

Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage Hierarchical Clustering

5. Is Data Clustering Secure?
• Attackers can poison the input data to subvert malware clustering
[Figure: the malware-clustering pipeline (honeypot data collection, feature extraction, clustering of malware families, data analysis / countermeasure design) with well-crafted HTTP requests (http://www.vulnerablehotel.com/…) injected at the data-collection stage: the clustering is significantly compromised and the generated countermeasure becomes useless (too many false alarms, low detection rate)]
(1) B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is data clustering in adversarial settings secure? In Proc. ACM Workshop on Artif. Intell. & Sec., AISec '13, pp. 87–98, 2013.

6. Is Data Clustering Secure?
• Earlier work (1,2): qualitative definition of attacks
  – Samples can be added to merge (and/or split) existing clusters
  – Samples can be obfuscated and hidden within existing clusters (e.g., fringe clusters)
[Figure: clustering on untainted data, next to the two attack cases above]
(1) D. B. Skillicorn. Adversarial knowledge discovery. IEEE Intelligent Systems, 24:54–61, 2009.
(2) J. G. Dutrisac and D. Skillicorn. Hiding clusters in adversarial settings. In IEEE Int'l Conf. Intelligence and Security Informatics, pp. 185–187, 2008.

7. Is Data Clustering Secure?
• Our previous work (1):
  – Framework for security evaluation of clustering algorithms
  – Formalization of poisoning and obfuscation attacks (as optimization problems)
  – Case study on single-linkage hierarchical clustering
• Although hierarchical clustering is widely used for malware clustering (2,3), it is significantly vulnerable to well-crafted attacks!
• In this work we focus on poisoning attacks against complete-linkage hierarchical clustering
(1) Biggio et al., Is data clustering in adversarial settings secure?, AISec '13 (full reference on slide 5)
(2) R. Perdisci, D. Ariu, and G. Giacinto. Scalable fine-grained behavioral clustering of HTTP-based malware. Computer Networks, 57(2):487–500, 2013.
(3) K. Rieck, P. Trinius, C. Willems, and T. Holz. Automatic analysis of malware behavior using machine learning. J. Comput. Secur., 19(4):639–668, 2011.

8. Complete-Linkage Hierarchical Clustering
• Bottom-up agglomerative clustering
  – each point is initially considered as a cluster
  – the two closest clusters are iteratively merged
• A linkage criterion defines the distance between clusters; the complete-linkage criterion uses the farthest pair of points:
  $\mathrm{dist}(C_i, C_j) = \max_{a \in C_i,\; b \in C_j} d(a, b)$
• The clustering output is a hierarchy of clusterings
  – a criterion is needed to select one clustering from the hierarchy (e.g., the number of clusters)

9. Poisoning Attacks
• Goal: to maximally compromise the clustering output on the data D
• Capability: adding m attack samples
• Knowledge: perfect knowledge (worst-case attack)
• Attack strategy: maximize the distance between the clustering obtained in the absence of attack and the one obtained under attack:
  $\max_{A} \; d_c\big(Y, Y'(A)\big), \qquad A = \{a_i\}_{i=1}^{m}$
  where $Y = f(D)$ is the clustering of the untainted data D and $Y' = f_D(D \cup A)$ is the clustering of $D \cup A$ restricted to the samples in D
[Figure: clustering on untainted data D, with the attack samples A]

10. Poisoning Attacks
• Clustering distance between two clusterings Y and Y' of the same samples:
  $d_c(Y, Y') = \left\| Y Y^{\mathsf T} - Y' Y'^{\mathsf T} \right\|_F$
  For a given clustering, Y is the sample-to-cluster assignment matrix (one row per sample, one column per cluster) and $Y Y^{\mathsf T}$ is the co-association matrix (entry (i, j) is 1 if samples i and j share a cluster). Example with samples 1 … 5 and three clusters:
  $Y = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}, \qquad Y Y^{\mathsf T} = \begin{pmatrix} 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix}$
• How to choose a given clustering from the hierarchy? The clustering algorithm chooses the number of clusters that minimizes the attacker's objective $\max_{A} d_c(Y, Y'(A))$, $A = \{a_i\}_{i=1}^{m}$
  – This gives us a lower bound on the worst-case attack's impact!
11. Poisoning Complete-Linkage Clustering
• Attack strategy: $\max_{A} \; d_c\big(Y, Y'(A)\big)$, $A = \{a_i\}_{i=1}^{m}$
• Heuristic-based solutions
  – Greedy approach: adding one attack sample at a time

12. Poisoning Complete-Linkage Clustering
• Local maxima are found at the clusters' boundaries (wide regions)
[Plot: $d_c(Y, Y'(a))$ as a function of the position of a single attack sample a in the (x1, x2) feature plane]

13–15. Poisoning Complete-Linkage Clustering
• Underlying idea: to increase the intra-cluster distance (extend attack)
• For each cluster, consider two candidate attack points
[Figure, built up over slides 13–15: the candidate attack points for each cluster]

16. Poisoning Complete-Linkage Clustering
1. Extend (Best): evaluates Y'(a) for each candidate attack point, retaining the best one
   – Clustering is run for each candidate attack point, i.e., twice per cluster
2. Extend (Hard): estimates Y'(a) assuming that each candidate will split the corresponding cluster, potentially merging it with a fragment of the closest cluster
   – It does not require running the clustering to find the best attack point
3. Extend (Soft): estimates Y'(a) as Extend (Hard), but using a soft probabilistic estimate instead of 0/1 sample-to-cluster assignments
   – It does not require running the clustering to find the best attack point
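The following is an added example and not code from the authors or their paper. It implements, in plain Python with no dependencies, the pieces slides 8–16 describe: complete-linkage agglomerative clustering that returns the whole hierarchy, the co-association distance $d_c$ of slide 10, the selection of the number of clusters that minimises the attacker's objective (the lower-bound rule of slide 10), and a greedy Extend (Best)-style loop that re-runs the clustering for every candidate attack point. Two things are assumptions of this example rather than the slides' content: the candidate rule (each cluster's diameter endpoints are pushed outward along the line through them, which stretches the cluster's intra-cluster distance; the slides only state the goal, not the exact construction) and the range of k handed to the defender. The toy data set is constructed here.

```python
# Added example (not the authors' code): complete-linkage clustering, the
# co-association distance d_c of slide 10, the defender-side choice of the number
# of clusters, and a greedy "Extend (Best)"-style poisoning loop (slides 11-16).
# The candidate rule in candidate_points() is an assumption of this example.
import math
from itertools import combinations


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def complete_linkage(points):
    """Bottom-up agglomerative clustering, complete-linkage criterion.
    Returns the whole hierarchy {k: partition}; a partition is a list of
    clusters (lists of point indices), for k = n singletons down to k = 1."""
    clusters = [[i] for i in range(len(points))]
    levels = {len(clusters): [c[:] for c in clusters]}
    while len(clusters) > 1:
        best = None
        for ci, cj in combinations(range(len(clusters)), 2):
            # complete linkage: cluster distance = distance of the farthest pair
            d = max(euclid(points[a], points[b])
                    for a in clusters[ci] for b in clusters[cj])
            if best is None or d < best[0]:
                best = (d, ci, cj)
        _, ci, cj = best
        merged = clusters[ci] + clusters[cj]
        clusters = [c for k, c in enumerate(clusters) if k not in (ci, cj)] + [merged]
        levels[len(clusters)] = [c[:] for c in clusters]
    return levels


def coassoc(partition, n):
    """Co-association matrix Y Y^T: entry (i, j) is 1 iff i and j share a cluster."""
    label = {i: k for k, c in enumerate(partition) for i in c}
    return [[1 if label[i] == label[j] else 0 for j in range(n)] for i in range(n)]


def dc(part_a, part_b, n):
    """d_c(Y, Y') = ||Y Y^T - Y' Y'^T||_F for two partitions of the same n samples."""
    ya, yb = coassoc(part_a, n), coassoc(part_b, n)
    return math.sqrt(sum((ya[i][j] - yb[i][j]) ** 2
                         for i in range(n) for j in range(n)))


def poisoned_clustering(D, A, Y, k_range):
    """Y'(A): cluster D + A, keep only the original samples in each cluster and,
    as on slide 10, pick the k in k_range that MINIMISES d_c(Y, Y')."""
    n = len(D)
    levels = complete_linkage(list(D) + list(A))
    candidates = []
    for k in k_range:
        part = [[i for i in c if i < n] for c in levels[k]]
        candidates.append([c for c in part if c])  # drop clusters of attack points only
    return min(candidates, key=lambda p: dc(Y, p, n))


def candidate_points(D, partition, alphas):
    """ASSUMED rule: for each cluster take the two endpoints of its diameter (the
    pair that sets its complete-linkage size) and push each outward along the
    line through them by alpha times the diameter, stretching the cluster."""
    cands = []
    for c in partition:
        if len(c) < 2:
            continue
        i, j = max(combinations(c, 2), key=lambda p: euclid(D[p[0]], D[p[1]]))
        for p, q in ((D[i], D[j]), (D[j], D[i])):
            for alpha in alphas:
                cands.append(tuple(x + alpha * (x - y) for x, y in zip(p, q)))
    return cands


def extend_best(D, Y, k_range, m, alphas=(0.5, 1.0, 2.0, 4.0, 8.0, 16.0)):
    """Greedy Extend (Best): add one attack sample at a time, re-running the
    clustering for every candidate and keeping the one maximising d_c."""
    n = len(D)
    A, current, score = [], Y, 0.0
    for _ in range(m):
        best = None
        for a in candidate_points(D, current, alphas):
            part = poisoned_clustering(D, A + [a], Y, k_range)
            s = dc(Y, part, n)
            if best is None or s > best[0]:
                best = (s, a, part)
        if best is None:  # no cluster with two or more points left to extend
            break
        score, a, current = best
        A.append(a)
    return A, current, score


# Constructed toy data: two tight, well-separated clusters of four points each.
D = [(0, 0), (0, 1), (1, 0), (1, 1), (10, 0), (10, 1), (11, 0), (11, 1)]
Y = [[0, 1, 2, 3], [4, 5, 6, 7]]

if __name__ == "__main__":
    print("k fixed to 2:   ", extend_best(D, Y, k_range=[2], m=1))
    print("k chosen in 2,3:", extend_best(D, Y, k_range=[2, 3], m=1))
```

On the toy data the two runs differ sharply: with the number of clusters fixed to k = 2, a single far-away candidate already forces the two original clusters into one (d_c = √32 ≈ 5.66), whereas letting the clustering choose between k = 2 and k = 3 leaves the attack sample in a cluster of its own and drives the same single-sample attack to zero. That is the lower-bound effect of slide 10 in action, and the reason the greedy loop keeps adding samples rather than stopping at one.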
17. Poisoning Complete-Linkage Clustering
• The attack compromises the initial clustering by forming heterogeneous clusters
[Figure: clustering on untainted data (left) vs. clustering after adding 10 attack samples (right)]

18. Experimental Setup
• Banana: artificial data, 80 samples, 2 features, k=4 initial clusters
• Malware: real data (1), 1,000 samples, 6 features, k≈9 initial clusters (estimated from the data by minimizing the Davies–Bouldin index)
  – Features:
    1. number of GET requests
    2. number of POST requests
    3. average URL length
    4. average number of URL parameters
    5. average amount of data sent by POST requests
    6. average response length
• MNIST Handwritten Digits: real data, 330 samples per cluster, 28 × 28 = 784 features (pixels), k=3 initial clusters corresponding to
(1) R. Perdisci, D. Ariu, and G. Giacinto. Scalable fine-grained behavioral clustering of HTTP-based malware. Computer Networks, 57(2):487–500, 2013.
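As an added example that is not part of the original slides or of the cited paper, here is how the six Malware features listed above can be computed from the HTTP requests one malware sample produced. The trace format (one request per line: method, URL, request-body bytes, response bytes) and the sample trace are constructed for this example; the paper's own traces and extraction code are not shown on the page.

```python
# Added example (not the authors' code): the six per-sample HTTP features of
# slide 18, computed from one malware sample's requests. The line format and
# the trace below are constructed for this example.
from urllib.parse import parse_qsl, urlsplit

# Constructed trace, one request per line:
# "<method> <url> <request-body-bytes> <response-bytes>"
SAMPLE_TRACE = """\
GET http://c2.example.invalid/gate.php?id=42&v=3 0 120
POST http://c2.example.invalid/upload.php 300 50
GET http://c2.example.invalid/b 0 40
"""


def parse_trace(text):
    """Parse the constructed format into (method, url, req_bytes, resp_bytes) records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, url, req_bytes, resp_bytes = line.split()
        records.append((method.upper(), url, int(req_bytes), int(resp_bytes)))
    return records


def num_url_params(url):
    """Number of query-string parameters; blank values ("b=", "c") count too."""
    return len(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def mean(values):
    return sum(values) / len(values) if values else 0.0


def extract_features(records):
    """Feature vector in the order of slide 18:
    1. number of GET requests, 2. number of POST requests, 3. average URL length
    (full URL string), 4. average number of URL parameters, 5. average data sent
    by POST requests (POST requests only), 6. average response length.
    Averages over an empty set are taken as 0.0."""
    gets = [r for r in records if r[0] == "GET"]
    posts = [r for r in records if r[0] == "POST"]
    return [
        float(len(gets)),
        float(len(posts)),
        mean([len(url) for _, url, _, _ in records]),
        mean([num_url_params(url) for _, url, _, _ in records]),
        mean([req for _, _, req, _ in posts]),
        mean([resp for _, _, _, resp in records]),
    ]


def features_from_trace(text):
    return extract_features(parse_trace(text))


if __name__ == "__main__":
    print(features_from_trace(SAMPLE_TRACE))
```

One property worth keeping in mind when reasoning about what an attacker can do to such a sample: the two counts only ever grow when requests are appended to a sample's traffic, but the four averages can be pushed in either direction by appending unusually short or unusually long requests, so the reachable region in feature space is not simply "every feature goes up".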
19. Experimental Results
• Attack strategies: Extend (Best/Hard/Soft), Random, Random (Best)
  – Banana:
    • Extend (Best) very close to Optimal (Grid Search)
    • Random (Best) competitive with Extend (Hard/Soft)
[Plot, Banana: objective function (0 to 50) vs. fraction of samples controlled by the attacker (0% to 20%; 11.1% corresponds to 10 attack samples); curves: Random, Random (Best), Extend (Hard), Extend (Soft), Extend (Best), Optimal (Grid Search)]

20. Experimental Results
• Attack strategies: Extend (Best/Hard/Soft), Random, Random (Best)
  – Malware:
    • Extend attacks and Random (Best) perform rather well
  – MNIST Handwritten Digits:
    • Random (Best) not effective (high-dimensional feature space)
    • Extend (Soft) outperforms Extend (Best/Hard)
[Plots: objective function vs. fraction of samples controlled by the attacker, for Digits (0.0% to 1.0%) and Malware (0% to 5%); curves: Random, Random (Best), Extend (Hard), Extend (Soft), Extend (Best), Optimal]

21. Conclusions and Future Work
• Framework for security evaluation of clustering algorithms
• Poisoning attack vs. complete-linkage hierarchical clustering
  – Even random-based attacks can be effective!
• Future work
  – Extensions to other clustering algorithms, with a common attack strategy
    • e.g., black-box optimization with suitable heuristics
  – Attacks with limited knowledge of the input data
[Figure: the cycle between attacks against clustering and secure clustering algorithms]

22. Thanks for your attention! Any questions?
24. Is Data Clustering Secure?
• Our previous work (1): framework for security evaluation of clustering algorithms
  1. Formal definition of potential attacks
  2. Empirical evaluation of their impact
• Adversary's model
  – Goal (security violation)
  – Knowledge of the attacked system
  – Capability of manipulating the input data
  – Attack strategy (optimization problem)
• Inspired by previous work on adversarial machine learning
  – Barreno et al., Can machine learning be secure?, ASIACCS 2006
  – Huang et al., Adversarial machine learning, AISec 2011
  – Biggio et al., Security evaluation of pattern classifiers under attack, IEEE Trans. Knowledge and Data Eng., 2013
(1) Biggio et al., Is data clustering in adversarial settings secure?, AISec '13

25. Adversary's Goal
• Security violation
  – Integrity: hiding clusters / malicious activities without compromising normal system operation
    • e.g., creating fringe clusters → obfuscation attack
  – Availability: compromising normal system operation by maximally altering the clustering output
    • e.g., merging existing clusters → poisoning attack
  – Privacy: gaining confidential information about system users by reverse-engineering the clustering process

26. Adversary's Knowledge
• Perfect knowledge of the input data, the feature representation, the clustering algorithm (e.g., k-means) and its parameters (e.g., initialization)
  – gives an upper bound on the performance degradation under attack

27. Adversary's Capability
• The attacker's capability is bounded:
  – maximum number of samples that can be added to the input data
    • e.g., the attacker may only control a small fraction of the malware samples collected by a honeypot
  – maximum amount of modification (application-specific constraints in feature space)
    • e.g., malware samples should preserve their malicious functionality (elements cannot be removed → features can only be incremented)
[Figure: a sample x and its manipulated version x' within the feasible domain]

28. Formalizing the Optimal Attack Strategy
  $\max_{A} \; \mathbb{E}_{\theta \sim \mu}\big[ g(A; \theta) \big] \quad \text{s.t.} \quad A \in \Omega$
• $g$ encodes the attacker's goal; $\theta \sim \mu$ encodes the attacker's knowledge of the data, features, … ($\theta$ is drawn from a distribution $\mu$); $\Omega$ encodes the capability of manipulating the input data
• Perfect knowledge: $\mathbb{E}_{\theta \sim \mu}\big[ g(A; \theta) \big] = g(A; \theta_0)$