Title: Evasion and causative attacks with adversarial deep learning
Authors: Yi Shi, Y. Sagduyu
Venue: MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM)
Publication date: 2017-10-01
DOI: 10.1109/MILCOM.2017.8170807 (https://doi.org/10.1109/MILCOM.2017.8170807)
Citation count: 36 (Semantic Scholar record)
Open access: no
This paper presents a novel approach to launch and defend against the causative and evasion attacks on machine learning classifiers. As the preliminary step, the adversary starts with an exploratory attack based on deep learning (DL) and builds a functionally equivalent classifier by polling the online target classifier with input data and observing the returned labels. Using this inferred classifier, the adversary can select samples according to their DL scores and feed them to the original classifier. In an evasion attack, the adversary feeds the target classifier with test data after selecting samples with DL scores that are close to the decision boundary to increase the chance that these samples are misclassified. In a causative attack, the adversary feeds the target classifier with training data after changing the labels of samples with DL scores that are far away from the decision boundary to reduce the reliability of the training process. Results obtained for text and image classification show that the proposed evasion and causative attacks can significantly increase the error during test and training phases, respectively. A defense strategy is presented to change a small number of labels of the original classifier to prevent its reliable inference by the adversary and its effective use in evasion and causative attacks. These findings identify new vulnerabilities of machine learning and demonstrate that a proactive defense mechanism can reduce the impact of the underlying attacks.