Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

On Security and Sparsity of Linear Classifiers for Adversarial Settings
Ambra Demontis, Paolo Russu, Battista Biggio, Giorgio Fumera, Fabio Roli
battista.biggio@diee.unica.it
Dept. of Electrical and Electronic Engineering, University of Cagliari, Italy
S+SSPR, Merida, Mexico, Dec. 1 2016
http://pralab.diee.unica.it

Recent Applications of Machine Learning
• Consumer technologies for personal applications

iPhone 5s with Fingerprint Recognition…
… Cracked a Few Days After Its Release
EU FP7 Project: TABULA RASA

New Challenges for Machine Learning
• The use of machine learning opens up big new possibilities, but also new security risks
• Proliferation and sophistication of attacks and cyberthreats
– Skilled / economically-motivated attackers (e.g., ransomware)
• Several security systems use machine learning to detect attacks
– but … is machine learning secure enough?

Classifier Evasion

Is Machine Learning Secure Enough?
• Problem: how to evade a linear (trained) classifier?
• Linear classifier on bag-of-words features: f(x) = sign(wᵀx)

Original spam email (feature vector x):
  Start 2007 with a bang! Make WBFS YOUR PORTFOLIO’s first winner of the year ...

Manipulated spam email (feature vector x'):
  St4rt 2007 with a b4ng! Make WBFS YOUR PORTFOLIO’s first winner of the year ... campus

feature       w    x    x'
start        +2    1    0
bang         +1    1    0
portfolio    +1    1    1
winner       +1    1    1
year         +1    1    1
...         ...  ...  ...
university   -3    0    0
campus       -4    0    1

wᵀx  = +2 +1 +1 +1 +1 = +6 > 0 → SPAM (correctly classified)
wᵀx' = +1 +1 +1 -4 = +3 -4 = -1 < 0 → HAM (misclassified email)

Evasion of Linear Classifiers
• Formalized as an optimization problem
– Goal: to minimize the discriminant function
• i.e., to be classified as legitimate with the maximum confidence
– Constraints on input data manipulation
• e.g., number of words to be modified in each spam email
$$\min_{x'} \; w^T x' \quad \text{s.t.} \quad d(x, x') \le d_{\max}$$

Dense and Sparse Evasion Attacks
• L2-norm noise corresponds to dense evasion attacks
– All features are modified by a small amount
$$\min_{x'} \; w^T x' \quad \text{s.t.} \quad \|x - x'\|_2^2 \le d_{\max}$$
• L1-norm noise corresponds to sparse evasion attacks
– Few features are significantly modified
$$\min_{x'} \; w^T x' \quad \text{s.t.} \quad \|x - x'\|_1 \le d_{\max}$$
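Both problems above have closed-form solutions when the classifier is linear, worked here on the toy spam filter from the earlier slide. This is an added example, not the authors' code: it assumes binary bag-of-words features clipped to [0, 1] for the sparse attack (so the l1 budget is the number of words changed), no clipping for the dense attack, and it takes the square root of d_max because the slide bounds the squared l2 norm. The feature names, weights and email vector are the slide's constructed numbers, not a trained model.

```python
"""Evasion of a linear classifier f(x) = sign(w^T x) under an l1 (sparse)
or l2 (dense) manipulation budget.  Added example, not the authors' code.
The features, weights and bag-of-words vector are the toy spam filter from
the slides (constructed data, not a trained model)."""
import math

FEATURES = ["start", "bang", "portfolio", "winner", "year", "university", "campus"]
W = [2.0, 1.0, 1.0, 1.0, 1.0, -3.0, -4.0]
X_SPAM = [1, 1, 1, 1, 1, 0, 0]          # original spam email: w^T x = +6 -> SPAM


def score(w, x):
    """Discriminant function w^T x; its sign is the predicted class (>0 spam)."""
    return sum(wi * xi for wi, xi in zip(w, x))


def sparse_evasion(w, x, d_max, lower=0.0, upper=1.0):
    """min_{x'} w^T x'  s.t.  ||x - x'||_1 <= d_max  and  lower <= x'_i <= upper.

    The objective is linear, so the optimum is greedy (fractional knapsack):
    spend the budget on the features with the largest |w_i| first, pushing each
    to the bound that lowers the score (down if w_i > 0, up if w_i < 0).  With
    binary word features this reads: delete the strongest spam words, add the
    strongest ham words.  Assumption: every feature may be moved within the box.
    """
    x_adv = [float(v) for v in x]
    budget = float(d_max)
    for i in sorted(range(len(w)), key=lambda j: -abs(w[j])):
        if budget <= 0 or w[i] == 0:
            break
        target = lower if w[i] > 0 else upper
        move = min(abs(target - x_adv[i]), budget)
        if move <= 0:
            continue
        x_adv[i] += move if target > x_adv[i] else -move
        budget -= move
    return x_adv


def dense_evasion(w, x, d_max):
    """min_{x'} w^T x'  s.t.  ||x - x'||_2^2 <= d_max  (no box constraint).

    Every feature moves a little along -w: x' = x - sqrt(d_max) * w / ||w||_2,
    so the score drops by exactly sqrt(d_max) * ||w||_2 (dual-norm argument).
    """
    norm = math.sqrt(sum(wi * wi for wi in w))
    step = math.sqrt(d_max) / norm
    return [xi - step * wi for xi, wi in zip(x, w)]


def modified_features(x, x_adv, names, tol=1e-9):
    """Names of the features an attack actually changed."""
    return [n for n, a, b in zip(names, x, x_adv) if abs(a - b) > tol]


if __name__ == "__main__":
    print("original email: score", score(W, X_SPAM))
    for k in (1, 2, 3):
        x_adv = sparse_evasion(W, X_SPAM, k)
        print(f"sparse attack, {k} word(s) changed:",
              modified_features(X_SPAM, x_adv, FEATURES), "-> score", score(W, x_adv))
    x_adv = dense_evasion(W, X_SPAM, 1.0)
    print("dense attack, ||x - x'||_2^2 <= 1: %d features changed -> score %.3f"
          % (len(modified_features(X_SPAM, x_adv, FEATURES)), score(W, x_adv)))
```

With a budget of one word the greedy attack adds "campus" and the email is still classified as spam (score +2); with two words it also adds "university" and the score is −1, the same outcome the slide reached by changing three words. The dense attack touches all seven features and lowers the score by exactly ‖w‖₂ ≈ 5.74 for d_max = 1, which is not enough here (score ≈ 0.26), showing why the same budget buys very different damage under the two norms.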

Examples on Handwritten Digits (9 vs 8)
[Figure: two pairs of digit images, each showing an "original sample" next to a "manipulated sample". Left pair: sparse evasion attack (l1-norm constrained), panel title SVM g(x) = −0.216. Right pair: dense evasion attack (l2-norm constrained), panel title cSVM g(x) = 0.242.]

Robustness and Regularization
[Xu et al., JMLR 2009]
• SVM learning is equivalent to a robust optimization problem
$$\min_{w,b} \; \tfrac{1}{2} w^T w + C \sum_i \max\big(0,\, 1 - y_i f(x_i)\big) \qquad \Longleftrightarrow \qquad \min_{w,b} \; \max_{u_i \in \mathcal{U}} \sum_i \max\big(0,\, 1 - y_i f(x_i + u_i)\big)$$
– Left: ½ wᵀw is 1/margin, the sum is the classification error on training data (hinge loss)
– Right: each training point is shifted by a bounded perturbation u_i ∈ U

Generalizing to Other Norms
• Optimal regularizer should use the dual norm of the noise uncertainty set
– l2-norm regularization is optimal against l2-norm noise!
$$\min_{w,b} \; \tfrac{1}{2} w^T w + C \sum_i \max\big(0,\, 1 - y_i f(x_i)\big)$$
– Infinity-norm regularization is optimal against l1-norm noise!
$$\min_{w,b} \; \|w\|_\infty + C \sum_i \max\big(0,\, 1 - y_i f(x_i)\big), \qquad \|w\|_\infty = \max_{i=1,\dots,d} |w_i|$$
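Why the dual norm shows up, worked through for the linear case with the slides' symbols. This is an added derivation, not part of the original deck; it assumes $f(x) = w^T x + b$, a perturbation budget $\|u\|_p \le d_{\max}$ per point, and uses Hölder's inequality, which the slides do not state.

$$\min_{\|u\|_p \le d_{\max}} y\,\big(w^T(x+u) + b\big) = y f(x) + \min_{\|u\|_p \le d_{\max}} y\, w^T u = y f(x) - d_{\max}\,\|w\|_q, \qquad \tfrac{1}{p} + \tfrac{1}{q} = 1,$$

because $|w^T u| \le \|u\|_p \|w\|_q$ (Hölder) and the bound is attained. The worst-case hinge loss of one point is therefore

$$\max_{\|u\|_p \le d_{\max}} \max\big(0,\, 1 - y f(x+u)\big) = \max\big(0,\, 1 - y f(x) + d_{\max}\|w\|_q\big) \le \max\big(0,\, 1 - y f(x)\big) + d_{\max}\|w\|_q .$$

The maximising perturbation is dense for $p = 2$ ($q = 2$): $u = -y\, d_{\max}\, w / \|w\|_2$, every feature moves a little; and sparse for $p = 1$ ($q = \infty$): $u = -y\, d_{\max}\, \operatorname{sign}(w_k)\, e_k$ with $k = \arg\max_i |w_i|$, one feature takes the whole budget and the score drops by $d_{\max}\|w\|_\infty$. Summing over the training set with one independent $u_i$ per point gives

$$\max_{u_i \in \mathcal{U}} \sum_i \max\big(0,\, 1 - y_i f(x_i + u_i)\big) \le \sum_i \max\big(0,\, 1 - y_i f(x_i)\big) + n\, d_{\max}\, \|w\|_q ,$$

i.e. the hinge loss plus a regularizer on the dual norm: $\|w\|_2$ against $l_2$ noise, $\|w\|_\infty$ against $l_1$ noise. Bounding the largest $|w_i|$ is exactly what limits an attacker who can change only a few features.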

Interesting Fact
• Infinity-norm SVM is more secure against l1 attacks as it bounds the maximum absolute value of the feature weights
• This explains the heuristic intuition of using more uniform feature weights in previous work [Kolcz and Teo, 2009; Biggio et al., 2010]
[Figure: two plots of the learned feature weights]

Security and Sparsity of Linear Classifiers

Security vs Sparsity
• Problem: SVM and Infinity-norm SVM provide dense solutions!
• Trade-off between security (to l2 or l1 attacks) and sparsity
– Sparsity reduces computational complexity at test time!
[Figure: two plots of the learned feature weights]

Elastic-Net Regularization
[H. Zou & T. Hastie, 2005]
• Originally proposed for feature selection
– to group correlated features together
• Trade-off between sparsity and security against l2-norm attacks
$$\|w\|_{\text{elnet}} = (1 - \lambda)\, \|w\|_1 + \frac{\lambda}{2}\, \|w\|_2^2$$

Octagonal Regularization
• Trade-off between sparsity and security against l1-norm attacks
$$\|w\|_{\text{oct}} = (1 - \rho)\, \|w\|_1 + \rho\, \|w\|_\infty$$

Experimental Analysis

Linear Classifiers
• SVM (quadratic prog.)
$$\min_{w,b} \; \tfrac{1}{2}\|w\|_2^2 + C \sum_{i=1}^{n} \max\big(0,\, 1 - y_i f(x_i)\big)$$
• Infinity-norm SVM (linear prog.)
$$\min_{w,b} \; \|w\|_\infty + C \sum_{i=1}^{n} \max\big(0,\, 1 - y_i f(x_i)\big)$$
• 1-norm SVM (linear prog.)
$$\min_{w,b} \; \|w\|_1 + C \sum_{i=1}^{n} \max\big(0,\, 1 - y_i f(x_i)\big)$$
• Elastic-net SVM (quadratic prog.)
$$\min_{w,b} \; (1-\lambda)\|w\|_1 + \frac{\lambda}{2}\|w\|_2^2 + C \sum_{i=1}^{n} \max\big(0,\, 1 - y_i f(x_i)\big)$$
• Octagonal SVM (linear prog.)
$$\min_{w,b} \; (1-\rho)\|w\|_1 + \rho\|w\|_\infty + C \sum_{i=1}^{n} \max\big(0,\, 1 - y_i f(x_i)\big)$$
with $f(x) = w^T x + b$ in all cases.

Security and Sparsity Measures
• Sparsity: fraction of weights equal to zero
$$S = \frac{1}{d}\,\Big|\{\, w_k \mid w_k = 0,\; k = 1, \dots, d \,\}\Big|$$
• Security (weight evenness)
$$E = \frac{1}{d}\,\frac{\|w\|_1}{\|w\|_\infty} \in \Big[\frac{1}{d},\, 1\Big]$$
– E = 1/d if only one weight is different from zero
– E = 1 if all weights are equal in absolute value
• Parameter selection with 5-fold cross-validation optimizing: AUC + 0.1 S + 0.1 E
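What the evenness measure E buys against a sparse attack, made concrete. This is an added example, not the authors' code: the three weight vectors are constructed to stand in for a dense-and-uneven (SVM-like), a dense-and-even (infinity-norm-SVM-like) and a sparse (1-norm-SVM-like) solution, all with the same ‖w‖₁, and the attacker is assumed able to move each chosen feature by one unit in the harmful direction. The bound ‖w‖_∞ = ‖w‖₁ / (d E) follows directly from the definition of E above.

```python
"""Sparsity S and weight evenness E of a linear classifier, and the bound E
puts on a sparse (l1) evasion attack.  Added example, not the authors' code;
the three weight vectors are constructed, not trained."""


def sparsity(w, tol=1e-12):
    """S = fraction of weights equal to zero."""
    return sum(1 for wi in w if abs(wi) <= tol) / len(w)


def evenness(w):
    """E = (1/d) * ||w||_1 / ||w||_inf, in [1/d, 1]; E = 1 iff all |w_i| are equal."""
    l1 = sum(abs(wi) for wi in w)
    linf = max(abs(wi) for wi in w)
    return l1 / (len(w) * linf)


def worst_case_drop(w, k):
    """Most an attacker can lower w^T x by changing k features by one unit each
    (an l1 budget of k): the sum of the k largest |w_i|.  Assumes each chosen
    feature can be moved one unit in the harmful direction."""
    return sum(sorted((abs(wi) for wi in w), reverse=True)[:k])


def drop_bound(w, k):
    """Each |w_i| <= ||w||_inf = ||w||_1 / (d * E), so worst_case_drop(w, k) is at
    most k * ||w||_1 / (d * E): for a fixed ||w||_1, evener weights cap the damage."""
    l1 = sum(abs(wi) for wi in w)
    return k * l1 / (len(w) * evenness(w))


def cv_objective(auc, w, alpha=0.1):
    """Model-selection criterion used in the slides: AUC + 0.1 S + 0.1 E."""
    return auc + alpha * sparsity(w) + alpha * evenness(w)


# Constructed d = 8 weight vectors, all with ||w||_1 = 8, mimicking the kinds of
# solutions the slides compare (not real trained models).
W_UNEVEN = [4.0, 2.0, 1.0, 0.5, 0.25, 0.125, 0.0625, 0.0625]   # SVM-like: dense, uneven
W_EVEN = [1.0, -1.0, 1.0, 1.0, -1.0, 1.0, -1.0, 1.0]           # inf-norm-SVM-like: dense, even
W_SPARSE = [4.0, -4.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]           # 1-norm-SVM-like: sparse

if __name__ == "__main__":
    for name, w in [("uneven", W_UNEVEN), ("even", W_EVEN), ("sparse", W_SPARSE)]:
        print(f"{name:7s} S={sparsity(w):.3f}  E={evenness(w):.3f}  "
              f"worst drop with 2 features={worst_case_drop(w, 2):.3f}  "
              f"bound={drop_bound(w, 2):.3f}")
```

With the same ‖w‖₁ = 8, two modified features cost the even classifier a score drop of 2, while the uneven one loses 6 and the sparse one loses everything (8): the attacker's gain per modified feature is capped by ‖w‖_∞, which is what a high E keeps small. The sparse vector scores well on S but badly on E, which is the trade-off the cross-validation objective weighs.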

Results on Spam Filtering: Sparse Evasion Attack
• 5000 samples from TREC 07 (spam/ham emails)
• 200 features (words) selected to maximize information gain
• Results averaged on 5 repetitions, using 500 TR/TS samples
• (S, E) measures reported in the legend (in %)
[Figure: AUC10% (area under the ROC curve at false-positive rates up to 10%) vs d_max, the maximum number of words modified in each spam, for d_max from 0 to 40. Legend: SVM (0, 37), ∞-norm (4, 96), 1-norm (86, 4), el-net (67, 6), 8gon (12, 88).]

Results on PDF Malware Detection: Sparse Evasion Attack
• PDF: hierarchy of interconnected objects (keyword/value pairs), e.g.
  13 0 obj
  << /Kids [ 1 0 R 11 0 R ]
  /Type /Page
  ... >> endobj
  17 0 obj
  << /Type /Encoding ... >>
  endobj
• Features: keyword counts, e.g. /Type 2, /Page 1, /Encoding 1, …
• 11,500 samples; 5 repetitions with 500 TR/TS samples
• 114 features (keywords) selected with information gain
[Figure: AUC10% vs d_max, the maximum number of keywords added in each malicious PDF file, for d_max from 0 to 80. Legend: SVM (0, 47), ∞-norm (0, 100), 1-norm (91, 2), el-net (55, 13), 8gon (69, 29).]
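The keyword-count features and the add-only manipulation that the PDF experiment constrains, as an added example (not the authors' feature extractor or attack code). The PDF bytes are a constructed minimal file with a harmless alert, the vocabulary stands in for the 114 information-gain-selected keywords, and the weights and bias are made up; the regex treats any /Name token in the raw bytes as a keyword, which is an assumption about how the features were extracted.

```python
"""Keyword-count features for a linear PDF malware detector, and the
'add keywords only' manipulation of the slides.  Added example, not the
authors' code; PDF bytes, vocabulary, weights and bias are all constructed."""
import re
from collections import Counter

# A PDF name token: '/' followed by alphanumerics (assumption: this is the
# keyword definition; #xx escapes inside names are not handled here).
NAME_RE = re.compile(rb"/([A-Za-z][A-Za-z0-9]*)")

# Constructed vocabulary standing in for the 114 keywords selected by information gain.
VOCAB = ["Type", "Pages", "Page", "Kids", "Count", "Font", "Encoding",
         "OpenAction", "JavaScript", "JS"]
# Constructed weights: positive = evidence of malware, negative = benign structure.
W = {"Type": -0.2, "Pages": -0.3, "Page": -0.4, "Kids": -0.3, "Count": -0.2,
     "Font": -1.5, "Encoding": -1.0, "OpenAction": 1.5, "JavaScript": 2.0, "JS": 2.0}
BIAS = -1.0

# Constructed minimal PDF whose open action runs a harmless alert.
PDF_SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [ 3 0 R ] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert(1)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def keyword_counts(pdf_bytes):
    """Count every /Name occurrence in the raw bytes (no object parsing)."""
    return Counter(m.group(1).decode("ascii") for m in NAME_RE.finditer(pdf_bytes))


def features(pdf_bytes):
    """Feature vector x: count of each vocabulary keyword, in VOCAB order."""
    counts = keyword_counts(pdf_bytes)
    return [counts.get(k, 0) for k in VOCAB]


def discriminant(x):
    """f(x) = w^T x + b; f > 0 means 'malicious'."""
    return sum(W[k] * xi for k, xi in zip(VOCAB, x)) + BIAS


def add_keywords(pdf_bytes, names, obj_num=9999):
    """Append one unreferenced object whose dictionary mentions the given names.
    The original objects are untouched, so every count can only go up (x' >= x),
    and a byte-level counter like keyword_counts still sees the new names."""
    body = b" ".join(b"/" + n.encode("ascii") + b" 0" for n in names)
    return pdf_bytes + b"\n%d 0 obj\n<< %s >>\nendobj\n" % (obj_num, body)


def sparse_add_only_evasion(pdf_bytes, d_max):
    """min w^T x'  s.t.  sum(x' - x) <= d_max  and  x' >= x.  The objective is
    linear and counts are uncapped, so the whole budget goes on the single
    keyword with the most negative weight, repeated d_max times."""
    best = min(VOCAB, key=lambda k: W[k])
    return add_keywords(pdf_bytes, [best] * int(d_max))


def is_add_only(x, x_adv):
    """Check that a manipulation respected the add-only constraint."""
    return all(b >= a for a, b in zip(x, x_adv))


if __name__ == "__main__":
    x = features(PDF_SAMPLE)
    print("original:", dict(zip(VOCAB, x)), "f(x) = %.2f" % discriminant(x))
    for d_max in (1, 2):
        x_adv = features(sparse_add_only_evasion(PDF_SAMPLE, d_max))
        print(f"d_max={d_max}: f(x') = {discriminant(x_adv):.2f}",
              "add-only:", is_add_only(x, x_adv))
```

The constructed file scores 2.4 (malicious); appending one /Font name brings it to 0.9, two bring it to −0.6 and it is classified as benign, with nothing in the original objects changed. This is the mechanism behind the x-axis of the plot above: because the attacker can only add keywords and the features are raw counts, a detector whose most negative weight is large is evaded by repeating that one keyword, which is the l1 attack concentrating on ‖w‖_∞.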

Conclusions and Future Work
• We have shed light on the theoretical and practical implications of sparsity and security in linear classifiers
• We have defined a novel regularizer to tune the trade-off between sparsity and security against sparse evasion attacks
• Future work
– To investigate a similar trade-off for
• poisoning (training) attacks
• nonlinear classifiers

Any questions?
Thanks for your attention!

Limited-Knowledge (LK) attacks (backup slide)
[Figure: the attacker draws surrogate training data from the data distribution P_D(X, Y), sends queries to the target classifier f(x) and gets back its labels, then learns a surrogate classifier f'(x) on the labeled surrogate data]

More Related Content

What's hot

Using classifiers to compute similarities between face images. Prof. Lior Wol...
Using classifiers to compute similarities between face images. Prof. Lior Wol...Using classifiers to compute similarities between face images. Prof. Lior Wol...
Using classifiers to compute similarities between face images. Prof. Lior Wol...
yaevents
 

What's hot (7)

Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
 
“Practical Guide to Implementing Deep Neural Network Inferencing at the Edge,...
“Practical Guide to Implementing Deep Neural Network Inferencing at the Edge,...“Practical Guide to Implementing Deep Neural Network Inferencing at the Edge,...
“Practical Guide to Implementing Deep Neural Network Inferencing at the Edge,...
 
Workshop - Introduction to Machine Learning with R
Workshop - Introduction to Machine Learning with RWorkshop - Introduction to Machine Learning with R
Workshop - Introduction to Machine Learning with R
 
Using classifiers to compute similarities between face images. Prof. Lior Wol...
Using classifiers to compute similarities between face images. Prof. Lior Wol...Using classifiers to compute similarities between face images. Prof. Lior Wol...
Using classifiers to compute similarities between face images. Prof. Lior Wol...
 
Research of adversarial example on a deep neural network
Research of adversarial example on a deep neural networkResearch of adversarial example on a deep neural network
Research of adversarial example on a deep neural network
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit  Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit  Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
 

Viewers also liked

Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Pluribus One
 
kls xii : Bab iii pers dlm masyarakat
kls xii : Bab iii pers dlm masyarakatkls xii : Bab iii pers dlm masyarakat
kls xii : Bab iii pers dlm masyarakat
Novii Kanadia
 
Comm skills1
Comm skills1Comm skills1
Comm skills1
Raj Kaur
 

Viewers also liked (11)

Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
 
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
 
Making neural programming architectures generalize via recursion
Making neural programming architectures generalize via recursionMaking neural programming architectures generalize via recursion
Making neural programming architectures generalize via recursion
 
Generative adversarial networks
Generative adversarial networksGenerative adversarial networks
Generative adversarial networks
 
kls xii : Bab iii pers dlm masyarakat
kls xii : Bab iii pers dlm masyarakatkls xii : Bab iii pers dlm masyarakat
kls xii : Bab iii pers dlm masyarakat
 
Jft 13-desktop-optical-power-meter-jfopt
Jft 13-desktop-optical-power-meter-jfoptJft 13-desktop-optical-power-meter-jfopt
Jft 13-desktop-optical-power-meter-jfopt
 
The Creative Minds: Steps in enhancing your creativity
The Creative Minds: Steps in enhancing your creativityThe Creative Minds: Steps in enhancing your creativity
The Creative Minds: Steps in enhancing your creativity
 
Comm skills1
Comm skills1Comm skills1
Comm skills1
 
2008111807581919
20081118075819192008111807581919
2008111807581919
 
Spinal cord trauma
Spinal cord traumaSpinal cord trauma
Spinal cord trauma
 
Ten years analysing large code bases: a perspective
Ten years analysing large code bases: a perspectiveTen years analysing large code bases: a perspective
Ten years analysing large code bases: a perspective
 

Similar to On Security and Sparsity of Linear Classifiers for Adversarial Settings

Deep Learning Based Voice Activity Detection and Speech Enhancement
Deep Learning Based Voice Activity Detection and Speech EnhancementDeep Learning Based Voice Activity Detection and Speech Enhancement
Deep Learning Based Voice Activity Detection and Speech Enhancement
NAVER Engineering
 
System Monitoring
System MonitoringSystem Monitoring
System Monitoring
butest
 
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
AnthonyDalton
 
2021 itu challenge_reinforcement_learning
2021 itu challenge_reinforcement_learning2021 itu challenge_reinforcement_learning
2021 itu challenge_reinforcement_learning
LASSEMedia
 
Adaptive non-linear-filtering-technique-for-image-restoration
Adaptive non-linear-filtering-technique-for-image-restorationAdaptive non-linear-filtering-technique-for-image-restoration
Adaptive non-linear-filtering-technique-for-image-restoration
Cemal Ardil
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
DefconRussia
 

Similar to On Security and Sparsity of Linear Classifiers for Adversarial Settings (20)

Bat Algorithm_Basics
Bat Algorithm_BasicsBat Algorithm_Basics
Bat Algorithm_Basics
 
Lecture3 xing fei-fei
Lecture3 xing fei-feiLecture3 xing fei-fei
Lecture3 xing fei-fei
 
Deep Learning Based Voice Activity Detection and Speech Enhancement
Deep Learning Based Voice Activity Detection and Speech EnhancementDeep Learning Based Voice Activity Detection and Speech Enhancement
Deep Learning Based Voice Activity Detection and Speech Enhancement
 
Chap 8. Optimization for training deep models
Chap 8. Optimization for training deep modelsChap 8. Optimization for training deep models
Chap 8. Optimization for training deep models
 
System Monitoring
System MonitoringSystem Monitoring
System Monitoring
 
Data-Driven Recommender Systems
Data-Driven Recommender SystemsData-Driven Recommender Systems
Data-Driven Recommender Systems
 
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
Monitoring Motor Patterns of Epileptic Seziures using Wearable Sensor Technol...
 
A review of Noise Suppression Technology for Real-Time Speech Enhancement
A review of Noise Suppression Technology for Real-Time Speech EnhancementA review of Noise Suppression Technology for Real-Time Speech Enhancement
A review of Noise Suppression Technology for Real-Time Speech Enhancement
 
Introduction to Machine Learning
Introduction to Machine LearningIntroduction to Machine Learning
Introduction to Machine Learning
 
Anomaly detection, part 1
Anomaly detection, part 1Anomaly detection, part 1
Anomaly detection, part 1
 
HMIPoster
HMIPosterHMIPoster
HMIPoster
 
Accelerated Particle Swarm Optimization and Support Vector Machine for Busine...
Accelerated Particle Swarm Optimization and Support Vector Machine for Busine...Accelerated Particle Swarm Optimization and Support Vector Machine for Busine...
Accelerated Particle Swarm Optimization and Support Vector Machine for Busine...
 
2021 itu challenge_reinforcement_learning
2021 itu challenge_reinforcement_learning2021 itu challenge_reinforcement_learning
2021 itu challenge_reinforcement_learning
 
Kost for china-2011
Kost for china-2011Kost for china-2011
Kost for china-2011
 
Predictive Analytics
Predictive AnalyticsPredictive Analytics
Predictive Analytics
 
Predictive Analytics
Predictive AnalyticsPredictive Analytics
Predictive Analytics
 
Safety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdfSafety Verification of Deep Neural Networks_.pdf
Safety Verification of Deep Neural Networks_.pdf
 
Adaptive non-linear-filtering-technique-for-image-restoration
Adaptive non-linear-filtering-technique-for-image-restorationAdaptive non-linear-filtering-technique-for-image-restoration
Adaptive non-linear-filtering-technique-for-image-restoration
 
TestowanieIoT2016
TestowanieIoT2016TestowanieIoT2016
TestowanieIoT2016
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 

More from Pluribus One

Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense Slides
Pluribus One
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...
Pluribus One
 
Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...
Pluribus One
 
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
Pluribus One
 
Understanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environmentsUnderstanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environments
Pluribus One
 
Amilab IJCB 2011 Poster
Amilab IJCB 2011 PosterAmilab IJCB 2011 Poster
Amilab IJCB 2011 Poster
Pluribus One
 
Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011
Pluribus One
 
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterAriu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
Pluribus One
 
Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011
Pluribus One
 
Ariu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern AnalysisAriu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern Analysis
Pluribus One
 
Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011
Pluribus One
 
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Pluribus One
 

More from Pluribus One (18)

Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu Smart Textiles - Prospettive di mercato - Davide Ariu
Smart Textiles - Prospettive di mercato - Davide Ariu
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...
 
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning. ICMLC 201...
 
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense Slides
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...
 
Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...Robustness of multimodal biometric verification systems under realistic spoof...
Robustness of multimodal biometric verification systems under realistic spoof...
 
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...
 
Understanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environmentsUnderstanding the risk factors of learning in adversarial environments
Understanding the risk factors of learning in adversarial environments
 
Amilab IJCB 2011 Poster
Amilab IJCB 2011 PosterAmilab IJCB 2011 Poster
Amilab IJCB 2011 Poster
 
Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011Ariu - Workshop on Artificial Intelligence and Security - 2011
Ariu - Workshop on Artificial Intelligence and Security - 2011
 
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterAriu - Workshop on Applications of Pattern Analysis 2010 - Poster
Ariu - Workshop on Applications of Pattern Analysis 2010 - Poster
 
Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011Ariu - Workshop on Multiple Classifier Systems - 2011
Ariu - Workshop on Multiple Classifier Systems - 2011
 
Ariu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern AnalysisAriu - Workshop on Applications of Pattern Analysis
Ariu - Workshop on Applications of Pattern Analysis
 
Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011Ariu - Workshop on Multiple Classifier Systems 2011
Ariu - Workshop on Multiple Classifier Systems 2011
 
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
Robustness of Multimodal Biometric Systems under Realistic Spoof Attacks agai...
 
Wiamis2010 poster
Wiamis2010 posterWiamis2010 poster
Wiamis2010 poster
 

Recently uploaded

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
 

Recently uploaded (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 

On Security and Sparsity of Linear Classifiers for Adversarial Settings

  • 1. Pattern Recognition and Applications Lab University of Cagliari, Italy Department of Electrical and Electronic Engineering On Security and Sparsity of Linear Classifiers for Adversarial Settings Ambra Demontis, Paolo Russu, Battista Biggio, Giorgio Fumera, Fabio Roli battista.biggio@diee.unica.it Dept. Of Electrical and Electronic Engineering University of Cagliari, Italy S+SSPR, Merida, Mexico, Dec. 1 2016
  • 2. http://pralab.diee.unica.it Recent Applications of Machine Learning • Consumer technologies for personal applications 2
  • 3. http://pralab.diee.unica.it iPhone 5s with Fingerprint Recognition… 3
  • 4. http://pralab.diee.unica.it … Cracked a Few Days After Its Release 4 EU FP7 Project: TABULA RASA
  • 5. http://pralab.diee.unica.it New Challenges for Machine Learning • The use of machine learning opens up new big possibilities but also new security risks • Proliferation and sophistication of attacks and cyberthreats – Skilled / economically-motivated attackers (e.g., ransomware) • Several security systems use machine learning to detect attacks – but … is machine learning secure enough? 5
  • 7. http://pralab.diee.unica.it Is Machine Learning Secure Enough? • Problem: how to evade a linear (trained) classifier? Start 2007 with a bang! Make WBFS YOUR PORTFOLIO’s first winner of the year ... start bang portfolio winner year ... university campus 1 1 1 1 1 ... 0 0 +6 > 0, SPAM (correctly classified) f (x) = sign(wT x) x start bang portfolio winner year ... university campus +2 +1 +1 +1 +1 ... -3 -4 w x’ St4rt 2007 with a b4ng! Make WBFS YOUR PORTFOLIO’s first winner of the year ... campus start bang portfolio winner year ... university campus 0 0 1 1 1 ... 0 1 +3 -4 < 0, HAM (misclassified email) f (x) = sign(wT x) 7
  • 8. Evasion of Linear Classifiers
    • Formalized as an optimization problem
      – Goal: to minimize the discriminant function
        • i.e., to be classified as legitimate with the maximum confidence
      – Constraints on input data manipulation
        • e.g., number of words to be modified in each spam email
    $\min_{x'} w^T x' \quad \text{s.t.} \quad d(x, x') \le d_{\max}$
  • 9. Dense and Sparse Evasion Attacks
    • L2-norm noise corresponds to dense evasion attacks
      – All features are modified by a small amount
      $\min_{x'} w^T x' \quad \text{s.t.} \quad \|x - x'\|_2^2 \le d_{\max}$
    • L1-norm noise corresponds to sparse evasion attacks
      – Few features are significantly modified
      $\min_{x'} w^T x' \quad \text{s.t.} \quad \|x - x'\|_1 \le d_{\max}$
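The two evasion problems above have a closed form for a linear classifier, which is what makes "how much must the attacker change" a usable security measure. The following added example (not code from the slides or from the authors) computes that minimum attacker budget for the bag-of-words model of slide 7: the smallest number of word edits under the l1 constraint, and the smallest l2 distance under the dense constraint. `W_SVM` and `X_SPAM` are the weights and spam vector shown on slide 7; `W_EVEN` is a constructed comparison vector with uniform weight magnitudes.

```python
# Added example, not code from the slides: the minimum attacker effort needed to
# evade f(x) = sign(w^T x), i.e. the smallest d_max for which
#   min_{x'} w^T x'  s.t.  d(x, x') <= d_max
# yields a HAM label. W_SVM and X_SPAM come from the slide; W_EVEN is constructed.
from math import sqrt

FEATURES = ["start", "bang", "portfolio", "winner", "year", "university", "campus"]
W_SVM = [2, 1, 1, 1, 1, -3, -4]     # weights shown on the slide
W_EVEN = [1, 1, 1, 1, 1, -1, -1]    # constructed: same signs, even magnitudes
X_SPAM = [1, 1, 1, 1, 1, 0, 0]      # the spam email as a binary word vector


def score(w, x):
    """Discriminant function w^T x (the slide's classifier has no bias term)."""
    return sum(wk * xk for wk, xk in zip(w, x))


def min_flips_to_evade(w, x):
    """Sparse (l1-norm) attack on binary features.

    A flip either removes a word with positive weight (score -= w_k) or adds a
    word with negative weight (score -= |w_k|); any other flip raises the score.
    Every flip costs 1, so taking the largest gains first is optimal and the loop
    returns the minimal ||x - x'||_1 that makes w^T x' < 0, or None if no
    x' in {0,1}^d is classified as HAM.
    """
    gains = sorted(
        (abs(wk) for wk, xk in zip(w, x) if (xk == 1 and wk > 0) or (xk == 0 and wk < 0)),
        reverse=True,
    )
    s = score(w, x)
    for n_flips, g in enumerate(gains, start=1):
        s -= g
        if s < 0:
            return n_flips
    return None


def l2_distance_to_boundary(w, x):
    """Dense (l2-norm) attack on continuous features: the smallest ||x - x'||_2
    that reaches w^T x' = 0 is the distance to the hyperplane, |w^T x| / ||w||_2,
    attained by moving x along -w."""
    return abs(score(w, x)) / sqrt(sum(wk * wk for wk in w))


def security_report(w, x):
    """Both attack costs for one weight vector."""
    return {"score": score(w, x),
            "min_word_edits": min_flips_to_evade(w, x),
            "l2_distance": l2_distance_to_boundary(w, x)}


if __name__ == "__main__":
    for name, w in (("slide weights", W_SVM), ("even weights", W_EVEN)):
        print(name, security_report(w, X_SPAM))
```

With the slide's weights two edits suffice (drop "campus" and "university" from the negative side, i.e. add them, in the greedy order), whereas the manipulation drawn on slide 7 uses three; with the constructed even vector the same email needs six edits, which is the intuition the infinity-norm regularizer of slide 13 formalizes. For the dense case the distance to the boundary is 6/√33 ≈ 1.04 for the slide's weights and 5/√7 ≈ 1.89 for the even ones.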
  • 10. Examples on Handwritten Digits (9 vs 8)
    [Figure: digit images, original sample vs. manipulated sample. Sparse evasion attacks (l1-norm constrained), SVM g(x) = −0.216; dense evasion attacks (l2-norm constrained), cSVM g(x) = 0.242.]
  • 12. Robustness and Regularization [Xu et al., JMLR 2009]
    • SVM learning is equivalent to a robust optimization problem
    $\min_{w,b} \frac{1}{2} w^T w + C \sum_i \max\bigl(0, 1 - y_i f(x_i)\bigr)$   (1/margin; classification error on training data, hinge loss)
    $\min_{w,b} \max_{u_i \in \mathcal{U}} \sum_i \max\bigl(0, 1 - y_i f(x_i + u_i)\bigr)$   (bounded perturbation!)
  • 13. Generalizing to Other Norms
    • Optimal regularizer should use dual norm of noise uncertainty sets
    • l2-norm regularization is optimal against l2-norm noise! $\min_{w,b} \frac{1}{2} w^T w + C \sum_i \max\bigl(0, 1 - y_i f(x_i)\bigr)$
    • Infinity-norm regularization is optimal against l1-norm noise! $\min_{w,b} \|w\|_\infty + C \sum_i \max\bigl(0, 1 - y_i f(x_i)\bigr)$, with $\|w\|_\infty = \max_{i=1,\dots,d} |w_i|$
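The dual-norm statement is a consequence of Hölder's inequality: for $f(x) = w^T x + b$ and a perturbation $u$ with $\|u\|_p \le d_{\max}$, the worst-case decrease of $y\,f(x+u)$ is exactly $d_{\max}\|w\|_q$ with $1/p + 1/q = 1$, so the robust hinge loss of slide 12 becomes $\max(0,\, 1 - y f(x) + d_{\max}\|w\|_q)$ and the dual norm of $w$ appears as the regularizer. The added example below (not code from the slides or the authors) evaluates that bound, confirms it for the l1 case by enumerating the vertices of the l1 ball, and compares two constructed weight vectors that have the same $\|w\|_2$ but different $\|w\|_\infty$.

```python
# Added example, not code from the slides: the dual-norm bound behind "use the
# dual norm of the noise set as regularizer". For f(x) = w^T x + b and
# ||u||_p <= d_max, the worst-case decrease of y f(x + u) is d_max * ||w||_q with
# 1/p + 1/q = 1. The weight vectors are constructed, not the paper's models.
import itertools
from math import sqrt

INF = float("inf")


def norm(v, p):
    """l_p norm, with p = INF meaning the max norm."""
    if p == INF:
        return max(abs(c) for c in v)
    return sum(abs(c) ** p for c in v) ** (1.0 / p)


def dual(p):
    """Exponent q of the dual norm: 1 <-> inf, 2 <-> 2."""
    if p == 1:
        return INF
    if p == INF:
        return 1
    return p / (p - 1.0)


def worst_case_drop(w, d_max, p):
    """max_{||u||_p <= d_max} (-w^T u) = d_max * ||w||_q (Hölder, and tight)."""
    return d_max * norm(w, dual(p))


def worst_case_drop_l1_by_enumeration(w, d_max):
    """Check for p = 1: a linear function on the l1 ball is maximized at one of
    the 2d vertices +/- d_max * e_k, so enumerating them gives the true maximum."""
    return max(-wk * s * d_max for wk, s in itertools.product(w, (1, -1)))


def l2_attack_direction(w, d_max):
    """The l2 attacker's optimal perturbation: -d_max * w / ||w||_2."""
    n2 = norm(w, 2)
    return [-d_max * wk / n2 for wk in w]


def drop(w, u):
    """Decrease of w^T x caused by perturbation u (positive = score went down)."""
    return -sum(wk * uk for wk, uk in zip(w, u))


def robust_hinge_loss(w, b, x, y, d_max, p):
    """Worst-case hinge loss over the uncertainty set (cf. Xu et al. 2009):
    max_{||u||_p <= d_max} max(0, 1 - y(w^T(x+u) + b))
      = max(0, 1 - y f(x) + d_max * ||w||_q)."""
    f = sum(wk * xk for wk, xk in zip(w, x)) + b
    return max(0.0, 1.0 - y * f + worst_case_drop(w, d_max, p))


# constructed weight vectors with the same ||w||_2 but very different ||w||_inf
W_UNEVEN = [2.0, 1.0, 1.0, 1.0, 1.0, -3.0, -4.0]
_c = sqrt(33.0 / 7.0)                     # chosen so ||W_BALANCED||_2 == ||W_UNEVEN||_2 == sqrt(33)
W_BALANCED = [_c] * 5 + [-_c] * 2
X = [1.0, 1.0, 1.0, 1.0, 1.0, 0.0, 0.0]   # constructed sample with label +1


if __name__ == "__main__":
    for name, w in (("uneven", W_UNEVEN), ("balanced", W_BALANCED)):
        print(name,
              "l2 attacker, d_max=1:", round(worst_case_drop(w, 1.0, 2), 3),
              "l1 attacker, d_max=1:", round(worst_case_drop(w, 1.0, 1), 3))
```

Both vectors lose the same √33 ≈ 5.74 against a unit l2 perturbation, but the uneven one loses 4.0 against a unit l1 perturbation (all budget spent on the "campus" weight) while the balanced one loses only √(33/7) ≈ 2.17. Penalizing $\|w\|_\infty$ is what shrinks the second number.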
  • 14. Interesting Fact
    • Infinity-norm SVM is more secure against L1 attacks as it bounds the maximum absolute value of the feature weights
    • This explains the heuristic intuition of using more uniform feature weights in previous work [Kolcz and Teo, 2009; Biggio et al., 2010]
    [Figure: two bar plots of feature weights]
  • 16. Security vs Sparsity
    • Problem: SVM and Infinity-norm SVM provide dense solutions!
    • Trade-off between security (to l2 or l1 attacks) and sparsity
      – Sparsity reduces computational complexity at test time!
    [Figure: two bar plots of feature weights]
  • 17. Elastic-Net Regularization [H. Zou & T. Hastie, 2005]
    • Originally proposed for feature selection
      – to group correlated features together
    • Trade-off between sparsity and security against l2-norm attacks
    $\|w\|_{\text{elnet}} = (1 - \lambda)\|w\|_1 + \frac{\lambda}{2}\|w\|_2^2$   [Figure: unit balls of the elastic net, l1 and l2 norms]
  • 18. Octagonal Regularization
    • Trade-off between sparsity and security against l1-norm attacks
    $\|w\|_{\text{oct}} = (1 - \rho)\|w\|_1 + \rho\|w\|_\infty$   [Figure: unit balls of the octagonal, l1 and infinity (max) norms]
  • 20. Linear Classifiers, with $f(x) = w^T x + b$
    • SVM (quadratic prog.): $\min_{w,b} \frac{1}{2}\|w\|_2^2 + C \sum_{i=1}^{n} \max\bigl(0, 1 - y_i f(x_i)\bigr)$
    • Infinity-norm SVM (linear prog.): $\min_{w,b} \|w\|_\infty + C \sum_{i=1}^{n} \max\bigl(0, 1 - y_i f(x_i)\bigr)$
    • 1-norm SVM (linear prog.): $\min_{w,b} \|w\|_1 + C \sum_{i=1}^{n} \max\bigl(0, 1 - y_i f(x_i)\bigr)$
    • Elastic-net SVM (quadratic prog.): $\min_{w,b} (1 - \lambda)\|w\|_1 + \frac{\lambda}{2}\|w\|_2^2 + C \sum_{i=1}^{n} \max\bigl(0, 1 - y_i f(x_i)\bigr)$
    • Octagonal SVM (linear prog.): $\min_{w,b} (1 - \rho)\|w\|_1 + \rho\|w\|_\infty + C \sum_{i=1}^{n} \max\bigl(0, 1 - y_i f(x_i)\bigr)$
  • 21. Security and Sparsity Measures
    • Sparsity: fraction of weights equal to zero, $S = \frac{1}{d}\,\bigl|\{w_k \mid w_k = 0,\ k = 1, \dots, d\}\bigr|$
    • Security (Weight Evenness): $E = \frac{1}{d}\,\frac{\|w\|_1}{\|w\|_\infty} \in \bigl[\frac{1}{d}, 1\bigr]$
      – E = 1/d if only one weight is different from zero
      – E = 1 if all weights are equal in absolute value
    • Parameter selection with 5-fold cross-validation optimizing: AUC + 0.1 S + 0.1 E
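To make the measures of slide 21 and the five objectives of slide 20 concrete, here is an added example (not code from the slides or the authors) that computes S, E, the elastic-net and octagonal penalties, the shared primal objective "penalty(w) + C × hinge loss", an AUC from scores, and the model-selection criterion AUC + 0.1 S + 0.1 E. The weight vectors, scores, labels and the tiny training set are all constructed to illustrate the quantities, not results from the paper.

```python
# Added example, not code from the slides: sparsity S, weight evenness E, the
# regularizers of the "Linear Classifiers" slide, and the selection criterion
# AUC + 0.1 S + 0.1 E. Every vector and score below is constructed.


def sparsity(w):
    """S: fraction of weights that are exactly zero."""
    return sum(1 for wk in w if wk == 0) / len(w)


def evenness(w):
    """E = (1/d) ||w||_1 / ||w||_inf, in [1/d, 1]: 1/d for a single nonzero
    weight, 1 when all |w_k| are equal."""
    l1 = sum(abs(wk) for wk in w)
    linf = max(abs(wk) for wk in w)
    return l1 / (len(w) * linf)


def l2_penalty(w, **_):
    return 0.5 * sum(wk * wk for wk in w)          # (1/2) ||w||_2^2


def l1_penalty(w, **_):
    return sum(abs(wk) for wk in w)                # ||w||_1


def linf_penalty(w, **_):
    return max(abs(wk) for wk in w)                # ||w||_inf


def elastic_net_penalty(w, lam=0.5, **_):
    """(1 - lambda) ||w||_1 + (lambda / 2) ||w||_2^2"""
    return (1 - lam) * l1_penalty(w) + lam * l2_penalty(w)


def octagonal_penalty(w, rho=0.5, **_):
    """(1 - rho) ||w||_1 + rho ||w||_inf"""
    return (1 - rho) * l1_penalty(w) + rho * linf_penalty(w)


def primal_objective(w, b, X, Y, C, penalty, **hyper):
    """penalty(w) + C * sum_i max(0, 1 - y_i (w^T x_i + b)): the common form of
    the SVM, infinity-norm, 1-norm, elastic-net and octagonal learners."""
    hinge = 0.0
    for x, y in zip(X, Y):
        f = sum(wk * xk for wk, xk in zip(w, x)) + b
        hinge += max(0.0, 1.0 - y * f)
    return penalty(w, **hyper) + C * hinge


def auc(scores, labels):
    """Area under the ROC curve as the Mann-Whitney statistic (ties count 1/2)."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == -1]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def selection_criterion(scores, labels, w):
    """The cross-validation objective of the slide: AUC + 0.1 S + 0.1 E."""
    return auc(scores, labels) + 0.1 * sparsity(w) + 0.1 * evenness(w)


# constructed weight vectors mimicking 1-norm, infinity-norm and octagonal solutions
W_SPARSE = [0.0, 0.0, 0.0, 3.0, 0.0]   # one nonzero weight: S = 0.8, E = 1/d = 0.2
W_EVEN = [2.0, -2.0, 2.0, 2.0, -2.0]   # all |w_k| equal: S = 0, E = 1
W_OCT = [0.0, 0.0, 2.0, 2.0, -2.0]     # in between: S = 0.4, E = 0.6
# constructed scores and labels of a tiny test set
SCORES = [0.9, 0.8, 0.3, 0.2]
LABELS = [1, 1, -1, -1]
# constructed training set for the primal objective
X_TRAIN = [[1.0, 0.0, 1.0, 1.0, 0.0], [0.0, 1.0, 0.0, 0.0, 1.0]]
Y_TRAIN = [1, -1]

if __name__ == "__main__":
    for name, w in (("sparse", W_SPARSE), ("even", W_EVEN), ("octagonal", W_OCT)):
        print(name, "S =", sparsity(w), "E =", round(evenness(w), 3),
              "criterion =", round(selection_criterion(SCORES, LABELS, w), 3))
```

The criterion weights S and E equally at 0.1, so on these constructed vectors a perfect AUC of 1 becomes 1.10 for the sparse vector (0.8 + 0.2), 1.10 for the even one (0 + 1) and 1.10 for the octagonal one (0.4 + 0.6); the trade-off the paper studies is precisely that a single vector rarely scores high on both terms.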
  • 22. Results on Spam Filtering, Sparse Evasion Attack
    • 5000 samples from TREC 07 (spam/ham emails)
    • 200 features (words) selected to maximize information gain
    • Results averaged on 5 repetitions, using 500 TR/TS samples
    • (S,E) measures reported in the legend (in %)
    [Plot "Spam Filtering": AUC10% (0 to 1) vs. d max, the maximum number of words modified in each spam (0 to 40). Legend: SVM (0, 37), ∞-norm (4, 96), 1-norm (86, 4), el-net (67, 6), 8gon (12, 88)]
  • 23. Results on PDF Malware Detection, Sparse Evasion Attack
    • PDF: hierarchy of interconnected objects (keyword/value pairs), e.g.
      13 0 obj << /Kids [ 1 0 R 11 0 R ] /Type /Page ... >> endobj
      17 0 obj << /Type /Encoding ... >> endobj
    • Features: keyword count (e.g., /Type 2, /Page 1, /Encoding 1, …)
    • 11,500 samples; 5 reps, 500 TR/TS samples; 114 features (keywords) selected with information gain
    [Plot "PDF Malware Detection": AUC10% (0 to 1) vs. d max, the maximum number of keywords added in each malicious PDF file (0 to 80). Legend: SVM (0, 47), ∞-norm (0, 100), 1-norm (91, 2), el-net (55, 13), 8gon (69, 29)]
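The feature extractor behind slide 23 is a keyword counter over PDF name tokens, and the x-axis of the plot (keywords added) is the l1 distance between two such count vectors. The added example below (not code from the slides or the authors) implements that extractor; `SAMPLE_PDF_OBJECTS` holds the two objects shown on the slide as constructed bytes rather than a real file, and `VOCABULARY` is a constructed stand-in for the 114 keywords the paper selected by information gain.

```python
# Added example, not code from the slides: keyword-count features for PDF malware
# detection. The sample objects are the two shown on the slide (constructed bytes);
# the vocabulary is a constructed stand-in for the paper's 114 selected keywords.
import re
from collections import Counter

SAMPLE_PDF_OBJECTS = b"""13 0 obj
<< /Kids [ 1 0 R 11 0 R ] /Type /Page >>
endobj
17 0 obj
<< /Type /Encoding >>
endobj
"""

# a PDF name token: a slash followed by regular characters; whitespace and the
# PDF delimiter characters end it
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")

VOCABULARY = ["/Type", "/Page", "/Encoding", "/Kids", "/Font"]   # constructed


def keyword_counts(data: bytes) -> Counter:
    """Count every name token in the raw bytes (the slide's 'keyword count')."""
    return Counter("/" + m.group(1).decode("latin-1") for m in NAME_TOKEN.finditer(data))


def feature_vector(data: bytes, vocab=VOCABULARY) -> list:
    """Map a file to the fixed-length count vector the linear classifier consumes."""
    counts = keyword_counts(data)
    return [counts.get(k, 0) for k in vocab]


def added_keywords(original: bytes, modified: bytes, vocab=VOCABULARY) -> int:
    """l1 distance between two feature vectors: the 'maximum number of keywords
    added' budget d_max on the results plot bounds exactly this quantity."""
    a, b = feature_vector(original, vocab), feature_vector(modified, vocab)
    return sum(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    print(dict(keyword_counts(SAMPLE_PDF_OBJECTS)))   # {'/Kids': 1, '/Type': 2, '/Page': 1, '/Encoding': 1}
    print(feature_vector(SAMPLE_PDF_OBJECTS))
```

A raw-byte scan like this only sees names in uncompressed objects; names inside FlateDecode-compressed object streams are invisible to it unless the streams are inflated first, so a production extractor needs a real PDF parser in front of the counter.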
  • 24. Conclusions and Future Work
    • We have shed light on the theoretical and practical implications of sparsity and security in linear classifiers
    • We have defined a novel regularizer to tune the trade-off between sparsity and security against sparse evasion attacks
    • Future work
      – To investigate a similar trade-off for
        • poisoning (training) attacks
        • nonlinear classifiers
  • 26. Limited-Knowledge (LK) attacks
    [Diagram: data $p_D(X, Y)$ → surrogate training data → send queries to the target classifier f(x) and get labels → learn surrogate classifier f'(x)]