The next paper from the RAID 2006 proceedings cites a paper called Can Machine Learning Be Secure? (Barreno, Nelson, Sears, Joseph and Tygar, ASIACCS 2006) as its source of inspiration. That paper is theoretical, while the RAID paper complements it with experiments, so it seemed reasonable to read it before the next RAID paper.
Can Machine Learning Be Secure? That seems to be a good question. This paper analyzes how secure a learning system can be.
A learning system adjusts its model as new data arrives, which raises questions such as:
- Can it be trained by an attacker to allow malicious calls?
- Can it be degraded to the point where it becomes useless and must be shut down?
- Are there any defenses against these attacks?
The paper classifies attacks along three axes:
- Influence: which part of the learning system is manipulated. A causative attack alters the training data; an exploratory attack leaves training alone and instead probes the deployed learner to discover information about it.
- Specificity: a continuous spectrum from targeted to indiscriminate, for instance from manipulating the learner to accept one specific malicious call to manipulating it so that any call from a broad class of malicious calls is accepted.
- Security violation: which security goal is violated. An integrity attack makes malicious calls pass as normal (false negatives); an availability attack causes so many classification errors, false positives included, that the system becomes useless.
The paper then lists defenses against these attacks: robustness, for instance adding prior distributions or regularization so that the model is less sensitive to a small amount of altered training data; detecting attacks with an intrusion detection mechanism that analyzes the training data itself; confusing the attacker with disinformation that hinders the attacker from learning the decision boundaries; and, what seems to be a special case of the former, randomization of the decision boundaries.
Comment: Bayesian learning methods seem to be a natural choice since prior distributions are the essence of the Bayesian concept.
Last, the paper analyzes a simple outlier-detection learner, a hypersphere of fixed radius around the centroid of the training data that is retrained as new points are accepted, and bounds the effort an attacker must spend (the number of injected points) to shift the centroid until the system wrongly classifies a malicious call as normal.
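To make this kind of analysis concrete, here is an added example (my own code, not the paper's or the post's). It simulates a causative integrity attack on a learner of the sort described above and compares the simulated cost with a closed form derived here from the harmonic sum. All definitions in it are assumptions, not quotes from the paper: the centroid is the mean of every point accepted so far, a point is "normal" iff it lies within a fixed radius R of the centroid, the detector recomputes the mean after each accepted point, and "relative distance" means the distance from the initial centroid to the attacker's goal point G measured in units of R.

```python
"""Causative integrity attack against a hypersphere outlier detector.

Added example for this post, not code from Barreno et al. or from the post's
author. Assumptions (mine, not the paper's definitions): the learner keeps
the mean of all points accepted so far as its centroid and a fixed radius R;
a point is classified as normal iff it lies within R of the centroid; the
mean is recomputed after every accepted point. "Relative distance" is the
distance from the initial centroid to the goal point G, in units of R.
"""
import math


def is_normal(centroid, radius, point, tol=1e-9):
    """The detector's decision rule: inside the hypersphere means 'normal'."""
    return math.dist(centroid, point) <= radius + tol


def retrain(centroid, n_points, accepted):
    """Online mean update after one more accepted point (full history kept)."""
    k = n_points + 1
    return tuple(c + (a - c) / k for c, a in zip(centroid, accepted)), k


def attack(n_initial, radius, goal, dim=2, max_points=10**6):
    """Inject boundary points toward G until G itself is accepted.

    Returns the number of attack points M the attacker had to get accepted.
    The normal training data is assumed (constructed) to have its mean at the
    origin; only the centroid and the point count matter for this learner.
    """
    centroid, count = (0.0,) * dim, n_initial
    m = 0
    while not is_normal(centroid, radius, goal):
        if m >= max_points:
            raise RuntimeError("attack did not converge")
        d = math.dist(centroid, goal)
        # Best single step: a point the detector still accepts (distance
        # exactly R from the current centroid) on the line toward G.
        p = tuple(c + radius * (g - c) / d for c, g in zip(centroid, goal))
        assert is_normal(centroid, radius, p)
        centroid, count = retrain(centroid, count, p)
        m += 1
    return m


def relative_distance(radius, goal, initial_centroid=None):
    """D_R = ||G - c0|| / R (assumed definition, see module docstring)."""
    c0 = initial_centroid or (0.0,) * len(goal)
    return math.dist(c0, goal) / radius


def predicted_points(n_initial, rel_dist, tol=1e-9):
    """Closed form for the same attack, derived here (not quoted from the paper).

    Each accepted boundary point moves the centroid R/(n+k) toward G, so after
    M points it has moved R*(H_{n+M} - H_n). G is accepted once the remaining
    gap is at most R, i.e. once H_{n+M} - H_n >= D_R - 1. The harmonic sum
    grows like ln((n+M)/n), so M grows roughly like n*(e^(D_R-1) - 1):
    exponential in relative distance for this full-history learner.
    """
    needed = rel_dist - 1.0
    moved, m = 0.0, 0
    while moved < needed - tol:
        m += 1
        moved += 1.0 / (n_initial + m)
    return m


if __name__ == "__main__":
    n, R = 10, 1.0
    for gx in (1.05, 2.0, 3.0, 4.0):
        goal = (gx, 0.0)
        dr = relative_distance(R, goal)
        print(f"D_R={dr:.2f}: simulated M={attack(n, R, goal)}, "
              f"closed form M={predicted_points(n, dr)}")
```

Running it shows the simulated and predicted counts agree, and that moving the goal one radius further out multiplies the number of attack points by roughly e. The bound is only for this particular learner; a detector that forgets old points (a sliding window) would move its centroid by a fixed fraction per point and the cost would grow linearly instead, which is the kind of trade-off the paper's taxonomy is meant to expose.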
Comment: I cannot write much about this analysis since I could not understand the definition of the relative distance they use. I don't understand why they use it or what it means, and thus I do not understand the result. Is there anybody out there who can help me with this?
See the follow-up post on this issue.