With the growing popularity of Field-Programmable Gate Arrays (FPGAs) in cloud environments, new paradigms such as FPGA-as-a-Service (FaaS) emerge. This challenges the conventional FPGA security models, which assume trust between the user and the hardware owner. In an FaaS scenario, the user may want to keep data or the FPGA configuration bitstream confidential in order to protect privacy or intellectual property. However, securing FaaS use cases is hard due to the difficulty of protecting encryption keys and other secrets from the hardware owner. In this paper we demonstrate that even advanced key provisioning and remote attestation methods based on Physical Unclonable Functions (PUFs) can be broken by profiling side-channel attacks employing deep learning. Using power traces from two profiling FPGA boards implementing an arbiter PUF, we train a Convolutional Neural Network (CNN) model to learn features corresponding to the PUF’s “0” and “1” responses. Then, we use the resulting model to classify responses of PUFs implemented in FPGA boards under attack (different from the profiling boards). We show that the presented attack can overcome countermeasures based on encrypting challenges and responses of a PUF.
Yang Yu, M. Moraitis, E. Dubrova. Why Deep Learning Makes it Difficult to Keep Secrets in FPGAs. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478001 (https://doi.org/10.1145/3477997.3478001)
This paper presents an automated adversarial mechanism called WikipediaBot. WikipediaBot allows an adversary to create and control a bot infrastructure for the purpose of adversarial edits of Wikipedia articles. WikipediaBot is a self-contained mechanism with modules for generating credentials for Wikipedia editors, bypassing login protections, and producing contextually relevant adversarial edits for target Wikipedia articles that evade conventional detection. The contextually relevant adversarial edits are generated using an adversarial Markov chain that incorporates a linguistic manipulation attack known as MIM, or malware-induced misperceptions. We conducted a preliminary qualitative analysis with a small focus group to test the effect of the adversarial edits in manipulating the perception a human reader has of a target Wikipedia article. Because the nefarious use of WikipediaBot could seriously damage the integrity of a wide range of Wikipedia articles, we provide an elaborate discussion of the implications, detection, and defenses Wikipedia could employ to address the threat of automated adversarial manipulations.
Filipo Sharevski, Peter Jachim, Emma Pieroni. WikipediaBot: Machine Learning Assisted Adversarial Manipulation of Wikipedia Articles. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478008 (https://doi.org/10.1145/3477997.3478008)
We present the Semantic Processing Pipeline (SPP), a component of the larger process of our Uncertainty Handling Workflow [10]. The SPP is a configurable, customizable plugin framework for computing the network-wide impact of security tools. In addition, it can be used as a labeled data generation mechanism for leveraging machine learning based security techniques. The SPP takes cyber range experiment results as input, quantifies the tool impact, and produces a connected graph encoding knowledge derived from the experiment. This is then used as input into a quantification mechanism of our choice, be it machine learning algorithms or a Multi-Entity Bayesian Network, as in our current implementation. We quantify the level of uncertainty with respect to five key metrics, which we have termed Derived Attributes: Speed, Success, Detectability, Attribution, and Collateral Damage. We present results from experiments quantifying the effect of Nmap, a host and service discovery tool, configured in various ways. While we use Nmap as an example use case, we demonstrate that the SPP can easily be applied to various tool types. In addition, we present results regarding the performance and correctness of the SPP. We present runtimes for individual components as well as overall, and show that the processing time for the SPP scales quadratically with increasing input sizes. However, the overall runtime is low: the SPP can compute a connected graph from a 200-host topology in roughly one minute.
Katarzyna Olejnik, M. Atighetchi, Stephane Blais. The Semantic Processing Pipeline: Quantifying the Network-Wide Impact of Security Tools. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478005 (https://doi.org/10.1145/3477997.3478005)
Emily Joback, Leslie Shing, Kenneth Alperin, Steven R. Gomez, Steven Jorgensen, Gabe Elkin
The Domain Name System (DNS) is a critical network protocol that resolves human-readable domain names to IP addresses. Because it is an essential component necessary for the Internet to function, DNS traffic is typically allowed to bypass firewalls and other security services. Additionally, this protocol was not designed for the purpose of data transfer, so it is not as heavily monitored as other protocols. These reasons make the protocol an ideal tool for covert data exfiltration by a malicious actor. A typical company or organization has network traffic containing tens to hundreds of thousands of DNS queries a day. It is impossible for an analyst to sift through such a vast dataset and investigate every domain to ensure its legitimacy. An attacker can use this as an advantage to hide traces of malicious activity within a small percentage of total traffic. Recent research in this field has focused on applying supervised machine learning (ML) or one-class classifier techniques to build a predictive model to determine if a DNS domain query is used for exfiltration purposes; however, these models require labelled datasets. In the supervised approach, models require both legitimate and malicious data samples, but it is difficult to train these models since realistic network datasets containing known DNS exploits are rarely made public. Instead, prior studies used synthetic curated datasets, but this has the potential to introduce bias. In addition, some studies have suggested that ML algorithms do not perform as well in situations where the ratio between the two classes of data is significant, as is the case for DNS exfiltration datasets. In the one-class classifier approach, these models require a dataset known to be void of exfiltration data. Our model aims to circumvent these issues by identifying cases of DNS exfiltration within a network without requiring a labelled or curated dataset. Our approach eliminates the need for a network analyst to sift through a high volume of DNS queries by automatically detecting traffic indicative of exfiltration.
A Statistical Approach to Detecting Low-Throughput Exfiltration through the Domain Name System Protocol. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478007 (https://doi.org/10.1145/3477997.3478007)
F. Freiling, Ramin Tavakoli Kolagari, Katja Auernhammer
Machine learning classifiers for image recognition are prevalent in many applications. We study the problem of finding adversarial examples for such classifiers, i.e., to manipulate the images in such a way that they still look like the original images to a human but are misinterpreted by the classifier. Finding adversarial examples corresponds to a search problem in the image space. We focus on black-box attacks that can only use the original classifier to guide the search. The challenge is not to find adversarial examples, but rather to find them efficiently, ideally in real time. We show two novel methods that increase the efficiency of black-box search algorithms for adversarial examples: The first uses a relevance mask, i.e., a bitmask on the original image that restricts the search to those pixels that appear to be more relevant to the attacked classifier than others. The second exploits the discovery of merge drift, a phenomenon that negatively affects search algorithms that are based on the merging of image candidates. We evaluate both concepts on existing and new algorithms.
Efficient Black-Box Search for Adversarial Examples using Relevance Masks. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478013 (https://doi.org/10.1145/3477997.3478013)
Data poisoning is one of the most relevant security threats against machine learning and data-driven technologies. Since many applications rely on untrusted training data, an attacker can easily craft malicious samples and inject them into the training dataset to degrade the performance of machine learning models. As recent work has shown, such Denial-of-Service (DoS) data poisoning attacks are highly effective. To mitigate this threat, we propose a new approach to detecting DoS poisoned instances. In comparison to related work, we deviate from clustering and anomaly detection based approaches, which often suffer from the curse of dimensionality and arbitrary anomaly threshold selection. Rather, our defence is based on extracting information from the training data in such a generalized manner that we can identify poisoned samples based on the information present in the unpoisoned portion of the data. We evaluate our defence against two DoS poisoning attacks on seven datasets, and find that it reliably identifies poisoned instances. In comparison to related work, our defence improves false positive / false negative rates by at least 50%, often more.
N. Müller, Simon Roschmann, Konstantin Böttinger. Defending Against Adversarial Denial-of-Service Data Poisoning Attacks. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478017 (https://doi.org/10.1145/3477997.3478017)
Understanding the dynamic behavior of computer programs during normal working conditions is an important task, which has multiple security benefits such as the development of behavior-based anomaly detection, vulnerability discovery, and patching. Existing works achieved this goal by collecting and analyzing various data including network traffic, system calls, instruction traces, etc. In this paper, we explore the use of a new type of data, performance counters, to analyze the dynamic behavior of programs. Using existing primitives, we develop a tool named perfextract to capture data from different performance counters for a program during its startup time, thus forming multiple time series to represent the dynamic behavior of the program. We analyze the collected data and develop a semi-supervised clustering algorithm that allows us to classify each program using its performance counter time series into a specific group and to identify the intrinsic behavior of that group. We carry out extensive experiments with 18 real-world programs that belong to 4 groups including web browsers, text editors, image viewers, and audio players. The experimental results show that the examined programs can be accurately differentiated based on their performance counter data regardless of whether programs are run in physical or virtual environments.
S. Kadiyala, Kartheek Akella, Tram Truong-Huu. Program Behavior Analysis and Clustering using Performance Counters. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-12-07. doi:10.1145/3477997.3478011 (https://doi.org/10.1145/3477997.3478011)
Neural Networks (NNs) are vulnerable to adversarial examples. Such inputs differ only slightly from their benign counterparts yet provoke misclassifications by the attacked NNs. The perturbations required to craft the examples are often negligible and even human-imperceptible. To protect deep learning-based systems from such attacks, several countermeasures have been proposed, with adversarial training still being considered the most effective. Here, NNs are iteratively retrained using adversarial examples, forming a computationally expensive and time-consuming process which often leads to a performance decrease. To overcome the downsides of adversarial training while still providing a high level of security, we present a new training approach we call entropic retraining. Based on an information-theoretic-inspired analysis, we investigate the effects of adversarial training and achieve a robustness increase without laboriously generating adversarial examples. With our prototype implementation we validate and show the effectiveness of our approach for various NN architectures and data sets. We empirically show that entropic retraining leads to a significant increase in NNs’ security and robustness while relying only on the given original data.
Philip Sperl, Konstantin Böttinger. Optimizing Information Loss Towards Robust Neural Networks. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, 2020-08-07. doi:10.1145/3477997.3478016 (https://doi.org/10.1145/3477997.3478016)
Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security. doi:10.1145/3477997 (https://doi.org/10.1145/3477997)