Network Time Security (NTS) specified in RFC8915 is a mechanism to provide cryptographic security for clock synchronization using the Network Time Protocol (NTP) as foundation. By using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) NTS is able to ensure integrity and authenticity between server and clients synchronizing time. However, in the past it was shown that time synchronisation protocols such as the Network Time Protocol (NTP) and the Precision Time Protocol (PTP) might be leveraged as carrier for covert channels, potentially infiltrating or exfiltrating information or to be used as Command-and-Control channels in case of malware infections. By systematically analyzing the NTS specification, we identified 12 potential covert channels, which we describe and discuss in this paper. From the 12 channels, we exemplary selected an client-side approach for a proof-of-concept implementation using NTS random UIDs. Further, we analyze and investigate potential countermeasures and propose a design for an active warden capable of mitigating the covert channels described in this paper.
RFC8915中规定的NTS (Network Time Security)是一种以NTP (Network Time Protocol)为基础,为时钟同步提供加密安全的机制。通过使用TLS (Transport Layer Security)和AEAD (Authenticated Encryption with Associated Data)技术,NTS可以保证服务器和客户端同步时间的完整性和真实性。然而,过去的研究表明,时间同步协议,如网络时间协议(NTP)和精确时间协议(PTP)可能被用作隐蔽通道的载体,潜在地渗透或泄露信息,或在恶意软件感染的情况下用作命令和控制通道。通过系统地分析NTS规范,我们确定了12个潜在的隐蔽通道,并在本文中进行了描述和讨论。从12个通道中,我们选择了一种客户端方法,使用NTS随机uid进行概念验证实现。此外,我们分析和调查了潜在的对策,并提出了一种能够减轻本文中描述的隐蔽通道的主动监狱长的设计。
{"title":"Covert Channels in Network Time Security","authors":"Kevin Lamshöft, J. Dittmann","doi":"10.1145/3531536.3532947","DOIUrl":"https://doi.org/10.1145/3531536.3532947","url":null,"abstract":"Network Time Security (NTS) specified in RFC8915 is a mechanism to provide cryptographic security for clock synchronization using the Network Time Protocol (NTP) as foundation. By using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) NTS is able to ensure integrity and authenticity between server and clients synchronizing time. However, in the past it was shown that time synchronisation protocols such as the Network Time Protocol (NTP) and the Precision Time Protocol (PTP) might be leveraged as carrier for covert channels, potentially infiltrating or exfiltrating information or to be used as Command-and-Control channels in case of malware infections. By systematically analyzing the NTS specification, we identified 12 potential covert channels, which we describe and discuss in this paper. From the 12 channels, we exemplary selected an client-side approach for a proof-of-concept implementation using NTS random UIDs. Further, we analyze and investigate potential countermeasures and propose a design for an active warden capable of mitigating the covert channels described in this paper.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"137 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127425331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 4: Steganography I","authors":"J. Fridrich","doi":"10.1145/3545214","DOIUrl":"https://doi.org/10.1145/3545214","url":null,"abstract":"","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127202533","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Árpád Berta, Gábor Danner, István Hegedüs, Márk Jelasity
Machine learning models are vulnerable to adversarial attacks, where a small, invisible, malicious perturbation of the input changes the predicted label. A large area of research is concerned with verification techniques that attempt to decide whether a given model has adversarial inputs close to a given benign input. Here, we show that current approaches to verification have a key vulnerability: we construct a model that is not robust but passes current verifiers. The idea is to insert artificial adversarial perturbations by adding a backdoor to a robust neural network model. In our construction, the adversarial input subspace that triggers the backdoor has a very small volume, and outside this subspace the gradient of the model is identical to that of the clean model. In other words, we seek to create a "needle in a haystack" search problem. For practical purposes, we also require that the adversarial samples be robust to JPEG compression. Large "needle in the haystack" problems are practically impossible to solve with any search algorithm. Formal verifiers can handle this in principle, but they do not scale up to real-world networks at the moment, and achieving this is a challenge because the verification problem is NP-complete. Our construction is based on training a hiding and a revealing network using deep steganography. Using the revealing network, we create a separate backdoor network and integrate it into the target network. We train our deep steganography networks over the CIFAR-10 dataset. We then evaluate our construction using state-of-the-art adversarial attacks and backdoor detectors over the CIFAR-10 and the ImageNet datasets. We made the code and models publicly available at https://github.com/szegedai/hiding-needles-in-a-haystack.
{"title":"Hiding Needles in a Haystack: Towards Constructing Neural Networks that Evade Verification","authors":"Árpád Berta, Gábor Danner, István Hegedüs, Márk Jelasity","doi":"10.1145/3531536.3532966","DOIUrl":"https://doi.org/10.1145/3531536.3532966","url":null,"abstract":"Machine learning models are vulnerable to adversarial attacks, where a small, invisible, malicious perturbation of the input changes the predicted label. A large area of research is concerned with verification techniques that attempt to decide whether a given model has adversarial inputs close to a given benign input. Here, we show that current approaches to verification have a key vulnerability: we construct a model that is not robust but passes current verifiers. The idea is to insert artificial adversarial perturbations by adding a backdoor to a robust neural network model. In our construction, the adversarial input subspace that triggers the backdoor has a very small volume, and outside this subspace the gradient of the model is identical to that of the clean model. In other words, we seek to create a \"needle in a haystack\" search problem. For practical purposes, we also require that the adversarial samples be robust to JPEG compression. Large \"needle in the haystack\" problems are practically impossible to solve with any search algorithm. Formal verifiers can handle this in principle, but they do not scale up to real-world networks at the moment, and achieving this is a challenge because the verification problem is NP-complete. Our construction is based on training a hiding and a revealing network using deep steganography. Using the revealing network, we create a separate backdoor network and integrate it into the target network. We train our deep steganography networks over the CIFAR-10 dataset. We then evaluate our construction using state-of-the-art adversarial attacks and backdoor detectors over the CIFAR-10 and the ImageNet datasets. We made the code and models publicly available at https://github.com/szegedai/hiding-needles-in-a-haystack.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"223 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114600573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Watermarking neural networks (NNs) for ownership protection has received considerable attention recently. Resisting both model pruning and fine-tuning is commonly considered to evaluate the robustness of a watermarked NN. However, the rationale behind such a robustness is still relatively unexplored in the literature. In this paper, we study this problem to propose a so-called sparse trigger pattern (STP) guided deep learning model watermarking method. We provide empirical evidence to show that trigger patterns are able to make the distribution of model parameters compact, and thus exhibit interpretable resilience to model pruning and fine-tuning. We find the effect of STP can also be technically interpreted as the first layer dropout. Extensive experiments demonstrate the robustness of our method.
{"title":"Sparse Trigger Pattern Guided Deep Learning Model Watermarking","authors":"Chun-Shien Lu","doi":"10.1145/3531536.3532961","DOIUrl":"https://doi.org/10.1145/3531536.3532961","url":null,"abstract":"Watermarking neural networks (NNs) for ownership protection has received considerable attention recently. Resisting both model pruning and fine-tuning is commonly considered to evaluate the robustness of a watermarked NN. However, the rationale behind such a robustness is still relatively unexplored in the literature. In this paper, we study this problem to propose a so-called sparse trigger pattern (STP) guided deep learning model watermarking method. We provide empirical evidence to show that trigger patterns are able to make the distribution of model parameters compact, and thus exhibit interpretable resilience to model pruning and fine-tuning. We find the effect of STP can also be technically interpreted as the first layer dropout. Extensive experiments demonstrate the robustness of our method.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"67 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134555329","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Existing AMR (Adaptive Multi-Rate) steganalysis algorithms based on pitch delay have low detection accuracy on samples with short time or low embedding rate, and the model shows fragility under the attack of adversarial samples. To solve this problem, we design an advanced AMR steganalysis method based on adversarial Bi-GRU (Bi-directional Gated Recurrent Unit) and data distillation. First, Gaussian white noise is randomly added to part of the original speech to form adversarial data set, then artificially annotate a small amount of voice to train the model. Second, perform three transformations of 1.5 times speed, 0.5 times speed, and mirror flip on the remaining original voice data, then put them into Bi-GRU for classification, and the final predicted label obtained by the decision fusion corresponds to the original data. All data with the label is put back into the Bi-GRU model for final training at last. What needs to be pointed out is that each batch of final training data includes normal and adversarial samples. This method adopts a semi-supervised learning method, which greatly saves the resources consumed by manual labeling, and introduces adversarial Bi-GRU, which can realize the two-direction analysis of samples for a long time. Based on improving the detection accuracy, the safety and robustness of the model are greatly improved. The experimental results show that for normal and adversarial samples, the algorithm can achieve accuracy of 96.73% and 95.6% respectively.
{"title":"AMR Steganalysis based on Adversarial Bi-GRU and Data Distillation","authors":"Z. Wu, Junjun Guo","doi":"10.1145/3531536.3532958","DOIUrl":"https://doi.org/10.1145/3531536.3532958","url":null,"abstract":"Existing AMR (Adaptive Multi-Rate) steganalysis algorithms based on pitch delay have low detection accuracy on samples with short time or low embedding rate, and the model shows fragility under the attack of adversarial samples. To solve this problem, we design an advanced AMR steganalysis method based on adversarial Bi-GRU (Bi-directional Gated Recurrent Unit) and data distillation. First, Gaussian white noise is randomly added to part of the original speech to form adversarial data set, then artificially annotate a small amount of voice to train the model. Second, perform three transformations of 1.5 times speed, 0.5 times speed, and mirror flip on the remaining original voice data, then put them into Bi-GRU for classification, and the final predicted label obtained by the decision fusion corresponds to the original data. All data with the label is put back into the Bi-GRU model for final training at last. What needs to be pointed out is that each batch of final training data includes normal and adversarial samples. This method adopts a semi-supervised learning method, which greatly saves the resources consumed by manual labeling, and introduces adversarial Bi-GRU, which can realize the two-direction analysis of samples for a long time. Based on improving the detection accuracy, the safety and robustness of the model are greatly improved. The experimental results show that for normal and adversarial samples, the algorithm can achieve accuracy of 96.73% and 95.6% respectively.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133941457","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Machine learning techniques have been widely applied in modern financial activities. Participants in the field are aware of the importance of data privacy. Vertical federated learning (VFL) was proposed as a solution to multi-party secure computation for machine learning to obtain the huge data required by the models as well as keep the privacy of the data holders. However, previous research majorly analyzed the algorithms under ideal conditions. Data imbalance in VFL is still an open problem. In this paper, we propose a privacy-preserving sampling strategy for imbalanced VFL based on federated graph embedding of the samples, without leaking any distribution information. The participants of the federation provide partial neighbor information for each sample during the intersection stage and the controversial negative sample will be filtered out. Experiments were conducted on commonly used financial datasets and one real-world dataset. Our proposed approach obtained the leading F1 score on all tested datasets on comparing with the baseline under sampling strategies for VFL.
{"title":"A Nearest Neighbor Under-sampling Strategy for Vertical Federated Learning in Financial Domain","authors":"Denghao Li, Jianzong Wang, Lingwei Kong, Shijing Si, Zhangcheng Huang, Chenyu Huang, Jing Xiao","doi":"10.1145/3531536.3532960","DOIUrl":"https://doi.org/10.1145/3531536.3532960","url":null,"abstract":"Machine learning techniques have been widely applied in modern financial activities. Participants in the field are aware of the importance of data privacy. Vertical federated learning (VFL) was proposed as a solution to multi-party secure computation for machine learning to obtain the huge data required by the models as well as keep the privacy of the data holders. However, previous research majorly analyzed the algorithms under ideal conditions. Data imbalance in VFL is still an open problem. In this paper, we propose a privacy-preserving sampling strategy for imbalanced VFL based on federated graph embedding of the samples, without leaking any distribution information. The participants of the federation provide partial neighbor information for each sample during the intersection stage and the controversial negative sample will be filtered out. Experiments were conducted on commonly used financial datasets and one real-world dataset. Our proposed approach obtained the leading F1 score on all tested datasets on comparing with the baseline under sampling strategies for VFL.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"63 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131156312","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yiming Xue, Boya Yang, Yaqian Deng, Wanli Peng, Juan Wen
Traditional text steganalysis methods rely on a large amount of labeled data. At the same time, the test data should be independent and identically distributed with the training data. However, in practice, a large number of text types make it difficult to satisfy the i.i.d condition between the training set and the test set, which leads to the problem of domain mismatch and significantly reduces the detection performance. In this paper, we draw on the ideas of domain adaptation and transductive learning to design a novel text steganalysis method. In this method, we design a distributed adaptation layer and adopt three loss functions to achieve domain adaptation, so that the model can learn the domain-invariant text features. The experimental results show that the method has better steganalysis performance in the case of domain mismatch.
{"title":"Domain Adaptational Text Steganalysis Based on Transductive Learning","authors":"Yiming Xue, Boya Yang, Yaqian Deng, Wanli Peng, Juan Wen","doi":"10.1145/3531536.3532963","DOIUrl":"https://doi.org/10.1145/3531536.3532963","url":null,"abstract":"Traditional text steganalysis methods rely on a large amount of labeled data. At the same time, the test data should be independent and identically distributed with the training data. However, in practice, a large number of text types make it difficult to satisfy the i.i.d condition between the training set and the test set, which leads to the problem of domain mismatch and significantly reduces the detection performance. In this paper, we draw on the ideas of domain adaptation and transductive learning to design a novel text steganalysis method. In this method, we design a distributed adaptation layer and adopt three loss functions to achieve domain adaptation, so that the model can learn the domain-invariant text features. The experimental results show that the method has better steganalysis performance in the case of domain mismatch.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123728156","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Session 2: Security of Machine Learning","authors":"Yassine Yousfi","doi":"10.1145/3545212","DOIUrl":"https://doi.org/10.1145/3545212","url":null,"abstract":"","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132518028","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this work we aim to design a steganographic scheme undetectable by the Reverse JPEG Compatibility Attack (RJCA). The RJCA, while only effective for JPEG images compressed with quality factors 99 and 100, was shown to work mainly due to change in variance of the rounding errors after decompression of the DCT coefficients, which is induced by embedding changes incompatible with the JPEG format. One remedy to preserve the aforementioned format is utilizing during the embedding the rounding errors created during the JPEG compression, but no steganographic method is known to be resilient to RJCA without this knowledge. Inspecting the effect of embedding changes on variance and also mean of decompression rounding errors, we propose a steganographic method allowing resistance against RJCA without any side-information. To resist RJCA, we propose a distortion metric making all embedding changes within a DCT block dependent, resulting in a lattice-based embedding. Then it turns out it is enough to cleverly pick the side of the (binary) embedding changes through inspection of their effect on the variance of decompression rounding errors and simply use uniform costs in order to enforce their sparsity across DCT blocks. To increase security against detectors in the spatial (pixel) domain, we show an easy way of combining the proposed methodology with steganography designed for spatial domain security, further improving the undetectability for quality factor 99. The improvements over existing non-informed steganography are up to 40% in terms of detector's accuracy.
{"title":"Fighting the Reverse JPEG Compatibility Attack: Pick your Side","authors":"Jan Butora, P. Bas","doi":"10.1145/3531536.3532955","DOIUrl":"https://doi.org/10.1145/3531536.3532955","url":null,"abstract":"In this work we aim to design a steganographic scheme undetectable by the Reverse JPEG Compatibility Attack (RJCA). The RJCA, while only effective for JPEG images compressed with quality factors 99 and 100, was shown to work mainly due to change in variance of the rounding errors after decompression of the DCT coefficients, which is induced by embedding changes incompatible with the JPEG format. One remedy to preserve the aforementioned format is utilizing during the embedding the rounding errors created during the JPEG compression, but no steganographic method is known to be resilient to RJCA without this knowledge. Inspecting the effect of embedding changes on variance and also mean of decompression rounding errors, we propose a steganographic method allowing resistance against RJCA without any side-information. To resist RJCA, we propose a distortion metric making all embedding changes within a DCT block dependent, resulting in a lattice-based embedding. Then it turns out it is enough to cleverly pick the side of the (binary) embedding changes through inspection of their effect on the variance of decompression rounding errors and simply use uniform costs in order to enforce their sparsity across DCT blocks. To increase security against detectors in the spatial (pixel) domain, we show an easy way of combining the proposed methodology with steganography designed for spatial domain security, further improving the undetectability for quality factor 99. The improvements over existing non-informed steganography are up to 40% in terms of detector's accuracy.","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133766318","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Over the last 20 years, my students and I have built systems that look for signals of malice in large datasets. These datasets include network traffic, program code, web transactions, and social media posts. For many of our detection systems, we used feature engineering to model properties of the data and then leveraged different types of machine learning to find outliers or to build classifiers that could recognize unwanted inputs. In this presentation, I will cover three recent works that go beyond that basic approach. First, I will talk about cross-dataset analysis. The key idea is that we look at the same data from different vantage points. Instead of directly detecting malicious instances, the analysis compares the views across multiple angles and finds those cases where these views meaningfully differ. Second, I will cover an approach to perform meta-analysis of the outputs (events) that a detection model might produce. Sometimes, looking at a single event is insufficient to determine whether it is malicious. In such cases, it is necessary to correlate multiple events. We have built a semi-supervised analysis that leverages the context of an event to determine whether it should be treated as malicious or not. Third, I will discuss ways in which attackers might attempt to thwart our efforts to build detectors. Specifically, I will talk about a fast and efficient clean-label dataset poisoning attack. In this attack, correctly labeled poison samples are injected into the training dataset. While these poison samples look legitimate to a human observer, they contain malicious characteristics that trigger a targeted misclassification during detection (inference).
{"title":"Looking for Signals: A Systems Security Perspective","authors":"Christopher Kruegel","doi":"10.1145/3531536.3533774","DOIUrl":"https://doi.org/10.1145/3531536.3533774","url":null,"abstract":"Over the last 20 years, my students and I have built systems that look for signals of malice in large datasets. These datasets include network traffic, program code, web transactions, and social media posts. For many of our detection systems, we used feature engineering to model properties of the data and then leveraged different types of machine learning to find outliers or to build classifiers that could recognize unwanted inputs. In this presentation, I will cover three recent works that go beyond that basic approach. First, I will talk about cross-dataset analysis. The key idea is that we look at the same data from different vantage points. Instead of directly detecting malicious instances, the analysis compares the views across multiple angles and finds those cases where these views meaningfully differ. Second, I will cover an approach to perform meta-analysis of the outputs (events) that a detection model might produce. Sometimes, looking at a single event is insufficient to determine whether it is malicious. In such cases, it is necessary to correlate multiple events. We have built a semi-supervised analysis that leverages the context of an event to determine whether it should be treated as malicious or not. Third, I will discuss ways in which attackers might attempt to thwart our efforts to build detectors. Specifically, I will talk about a fast and efficient clean-label dataset poisoning attack. In this attack, correctly labeled poison samples are injected into the training dataset. While these poison samples look legitimate to a human observer, they contain malicious characteristics that trigger a targeted misclassification during detection (inference).","PeriodicalId":164949,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security","volume":"65 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123606230","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: