You Don't Need Robust Machine Learning to Manage Adversarial Attack Risks (2306.09951v1)

Published 16 Jun 2023 in cs.LG and stat.ML

Abstract: The robustness of modern ML models has become an increasing concern within the community. The ability to subvert a model into making errant predictions using seemingly inconsequential changes to input is startling, as is our lack of success in building models robust to this concern. Existing research shows progress, but current mitigations come with a high cost and simultaneously reduce the model's accuracy. However, such trade-offs may not be necessary when other design choices could subvert the risk. In this survey we review the current literature on attacks and their real-world occurrences, or limited evidence thereof, to critically evaluate the real-world risks of adversarial machine learning (AML) for the average entity. This is done with an eye toward how one would then mitigate these attacks in practice, the risks for production deployment, and how those risks could be managed. In doing so we elucidate that many AML threats do not warrant the cost and trade-offs of robustness due to a low likelihood of attack or availability of superior non-ML mitigations. Our analysis also recommends cases where an actor should be concerned about AML to the degree where robust ML models are necessary for a complete deployment.
