Huaming Chen,M. Ali Babar

2023-12-18

Abstract:The rapid development of Machine Learning (ML) has demonstrated superior performance in many areas, such as computer vision, video and speech recognition. It has now been increasingly leveraged in software systems to automate the core tasks. However, how to securely develop the machine learning-based modern software systems (MLBSS) remains a big challenge, for which the insufficient consideration will largely limit its application in safety-critical domains. One concern is that the present MLBSS development tends to be rush, and the latent vulnerabilities and privacy issues exposed to external users and attackers will be largely neglected and hard to be identified. Additionally, machine learning-based software systems exhibit different liabilities towards novel vulnerabilities at different development stages from requirement analysis to system maintenance, due to its inherent limitations from the model and data and the external adversary capabilities. The successful generation of such intelligent systems will thus solicit dedicated efforts jointly from different research areas, i.e., software engineering, system security and machine learning. Most of the recent works regarding the security issues for ML have a strong focus on the data and models, which has brought adversarial attacks into consideration. In this work, we consider that security for machine learning-based software systems may arise from inherent system defects or external adversarial attacks, and the secure development practices should be taken throughout the whole lifecycle. While machine learning has become a new threat domain for existing software engineering practices, there is no such review work covering the topic. Overall, we present a holistic review regarding the security for MLBSS, which covers a systematic understanding from a structure review of three distinct aspects in terms of security threats...

Cryptography and Security,Software Engineering

Ivan Evtimov,Weidong Cui,Ece Kamar,Emre Kiciman,Tadayoshi Kohno,Jerry Li

DOI: https://doi.org/10.48550/arXiv.2007.07205

2020-07-13

Cryptography and Security

Abstract:Machine learning (ML) models deployed in many safety- and business-critical systems are vulnerable to exploitation through adversarial examples. A large body of academic research has thoroughly explored the causes of these blind spots, developed sophisticated algorithms for finding them, and proposed a few promising defenses. A vast majority of these works, however, study standalone neural network models. In this work, we build on our experience evaluating the security of a machine learning software product deployed on a large scale to broaden the conversation to include a systems security view of these vulnerabilities. We describe novel challenges to implementing systems security best practices in software with ML components. In addition, we propose a list of short-term mitigation suggestions that practitioners deploying machine learning modules can use to secure their systems. Finally, we outline directions for new research into machine learning attacks and defenses that can serve to advance the state of ML systems security.

Rama Akkiraju,Vibha Sinha,Anbang Xu,Jalal Mahmud,Pritam Gundecha,Zhe Liu,Xiaotong Liu,John Schumacher

DOI: https://doi.org/10.48550/arXiv.1811.04871

IF: 5.414

2018-11-12

Machine Learning

Abstract:Academic literature on machine learning modeling fails to address how to make machine learning models work for enterprises. For example, existing machine learning processes cannot address how to define business use cases for an AI application, how to convert business requirements from offering managers into data requirements for data scientists, and how to continuously improve AI applications in term of accuracy and fairness, and how to customize general purpose machine learning models with industry, domain, and use case specific data to make them more accurate for specific situations etc. Making AI work for enterprises requires special considerations, tools, methods and processes. In this paper we present a maturity framework for machine learning model lifecycle management for enterprises. Our framework is a re-interpretation of the software Capability Maturity Model (CMM) for machine learning model development process. We present a set of best practices from our personal experience of building large scale real-world machine learning models to help organizations achieve higher levels of maturity independent of their starting point.

Jan Schröder,Jakub Breier

2024-06-15

Abstract:Machine learning (ML) models are used in many safety- and security-critical applications nowadays. It is therefore important to measure the security of a system that uses ML as a component. This paper focuses on the field of ML, particularly the security of autonomous vehicles. For this purpose, a technical framework will be described, implemented, and evaluated in a case study. Based on ISO/IEC 27004:2016, risk indicators are utilized to measure and evaluate the extent of damage and the effort required by an attacker. It is not possible, however, to determine a single risk value that represents the attacker's effort. Therefore, four different values must be interpreted individually.

Cryptography and Security,Artificial Intelligence,Machine Learning

Nicolas Papernot,Patrick McDaniel,Arunesh Sinha,Michael Wellman

DOI: https://doi.org/10.48550/arXiv.1611.03814

2016-11-11

Cryptography and Security

Abstract:Advances in machine learning (ML) in recent years have enabled a dizzying array of applications such as data analytics, autonomous systems, and security diagnostics. ML is now pervasive---new systems and models are being deployed in every domain imaginable, leading to rapid and widespread deployment of software based inference and decision making. There is growing recognition that ML exposes new vulnerabilities in software systems, yet the technical community's understanding of the nature and extent of these vulnerabilities remains limited. We systematize recent findings on ML security and privacy, focusing on attacks identified on these systems and defenses crafted to date. We articulate a comprehensive threat model for ML, and categorize attacks and defenses within an adversarial framework. Key insights resulting from works both in the ML and security communities are identified and the effectiveness of approaches are related to structural elements of ML algorithms and the data used to train them. We conclude by formally exploring the opposing relationship between model accuracy and resilience to adversarial manipulation. Through these explorations, we show that there are (possibly unavoidable) tensions between model complexity, accuracy, and resilience that must be calibrated for the environments in which they will be used.

Jakub Breier,Adrian Baldwin,Helen Balinsky,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2012.04884

2020-12-09

Cryptography and Security

Abstract:Adversarial attacks for machine learning models have become a highly studied topic both in academia and industry. These attacks, along with traditional security threats, can compromise confidentiality, integrity, and availability of organization's assets that are dependent on the usage of machine learning models. While it is not easy to predict the types of new attacks that might be developed over time, it is possible to evaluate the risks connected to using machine learning models and design measures that help in minimizing these risks. In this paper, we outline a novel framework to guide the risk management process for organizations reliant on machine learning models. First, we define sets of evaluation factors (EFs) in the data domain, model domain, and security controls domain. We develop a method that takes the asset and task importance, sets the weights of EFs' contribution to confidentiality, integrity, and availability, and based on implementation scores of EFs, it determines the overall security state in the organization. Based on this information, it is possible to identify weak links in the implemented security measures and find out which measures might be missing completely. We believe our framework can help in addressing the security issues related to usage of machine learning models in organizations and guide them in focusing on the adequate security measures to protect their assets.

Hala Abdelkader,Mohamed Abdelrazek,Scott Barnett,Jean-Guy Schneider,Priya Rani,Rajesh Vasa

2024-01-12

Abstract:Machine learning (ML), especially with the emergence of large language models (LLMs), has significantly transformed various industries. However, the transition from ML model prototyping to production use within software systems presents several challenges. These challenges primarily revolve around ensuring safety, security, and transparency, subsequently influencing the overall robustness and trustworthiness of ML models. In this paper, we introduce ML-On-Rails, a protocol designed to safeguard ML models, establish a well-defined endpoint interface for different ML tasks, and clear communication between ML providers and ML consumers (software engineers). ML-On-Rails enhances the robustness of ML models via incorporating detection capabilities to identify unique challenges specific to production ML. We evaluated the ML-On-Rails protocol through a real-world case study of the MoveReminder application. Through this evaluation, we emphasize the importance of safeguarding ML models in production.

Software Engineering,Artificial Intelligence,Machine Learning

Helen Jiang,Erwen Senge

DOI: https://doi.org/10.48550/arXiv.2008.07738

2020-08-18

Computers and Society

Abstract:While the applications and demands of Machine learning (ML) systems in mental health are growing, there is little discussion nor consensus regarding a uniquely challenging aspect: building security methods and requirements into these ML systems, and keep the ML system usable for end-users. This question of usable security is very important, because the lack of consideration in either security or usability would hinder large-scale user adoption and active usage of ML systems in mental health applications. In this short paper, we introduce a framework of four pillars, and a set of desired properties which can be used to systematically guide and evaluate security-related designs, implementations, and deployments of ML systems for mental health. We aim to weave together threads from different domains, incorporate existing views, and propose new principles and requirements, in an effort to lay out a clear framework where criteria and expectations are established, and are used to make security mechanisms usable for end-users of those ML systems in mental health. Together with this framework, we present several concrete scenarios where different usable security cases and profiles in ML-systems in mental health applications are examined and evaluated.

Boyang Zhang,Zheng Li,Ziqing Yang,Xinlei He,Michael Backes,Mario Fritz,Yang Zhang

2023-10-19

Abstract:While advanced machine learning (ML) models are deployed in numerous real-world applications, previous works demonstrate these models have security and privacy vulnerabilities. Various empirical research has been done in this field. However, most of the experiments are performed on target ML models trained by the security researchers themselves. Due to the high computational resource requirement for training advanced models with complex architectures, researchers generally choose to train a few target models using relatively simple architectures on typical experiment datasets. We argue that to understand ML models' vulnerabilities comprehensively, experiments should be performed on a large set of models trained with various purposes (not just the purpose of evaluating ML attacks and defenses). To this end, we propose using publicly available models with weights from the Internet (public models) for evaluating attacks and defenses on ML models. We establish a database, namely SecurityNet, containing 910 annotated image classification models. We then analyze the effectiveness of several representative attacks/defenses, including model stealing attacks, membership inference attacks, and backdoor detection on these public models. Our evaluation empirically shows the performance of these attacks/defenses can vary significantly on public models compared to self-trained models. We share SecurityNet with the research community. and advocate researchers to perform experiments on public models to better demonstrate their proposed methods' effectiveness in the future.

Cryptography and Security,Machine Learning

Sondes Ksibi,Faouzi Jaidi,Adel Bouhoula

DOI: https://doi.org/10.1007/s10207-024-00923-y

2024-11-10

International Journal of Information Security

Abstract:Internet of Medical Things (IoMT) applications, called also Medical Internet of Things (MIoT) or IoT for e-health, allow integrating smart technologies to medical devices for a better monitoring of disease progression and patients tracking. While it offers extensive benefits and despite of its expansion, IoMT brings round additional security concerns. Connected Medical Devices (CMD) raise up several security and privacy problems. The complexity and heterogeneity of data and technology in IoMT communications create additional security risks and threats. Malicious users may exploit crucial vulnerabilities in a wide range of IoMT applications, networks and devices. Hence, thinking about smart and efficient security solutions is an urgent need to understand and assess IoMT-related threats. Existing traditional models are no longer convenient and remain unsuitable to address the various born risks. We present in the current manuscript an in depth study of security concerns within IoMT. We review popular risk assessment and management approaches and discuss their suitability to the IoMT context. The main shortcomings are inherent to the complex architecture, the lack of automation and the numerous stakeholders with different security needs and skills.With reference to the conducted study, we introduce our solution as a framework to enhance trustworthiness and support decision making within IoMT environments. The proposal relies on a fine-grained approach for managing associated risks with regard to different areas of focus and common risk factors. To do so, a Machine Learning (ML)-based anomaly detection model and a hybrid Risk Assessment (RA) model are defined to evaluate cumulative IoMT risk. Experiments show obtained competitive results compared to state of the art ML models to detect intrusions in IoT/IoMT systems and we obtained an accuracy rate of 100% with some algorithms. A use case of application is presented to highlight the efficiency of the proposal.

computer science, information systems, theory & methods, software engineering

Lukas Bieringer,Kathrin Grosse,Michael Backes,Battista Biggio,Katharina Krombholz

DOI: https://doi.org/10.48550/arXiv.2105.03726

2022-06-29

Abstract:Although machine learning is widely used in practice, little is known about practitioners' understanding of potential security challenges. In this work, we close this substantial gap and contribute a qualitative study focusing on developers' mental models of the machine learning pipeline and potentially vulnerable components. Similar studies have helped in other security fields to discover root causes or improve risk communication. Our study reveals two \facets of practitioners' mental models of machine learning security. Firstly, practitioners often confuse machine learning security with threats and defences that are not directly related to machine learning. Secondly, in contrast to most academic research, our participants perceive security of machine learning as not solely related to individual models, but rather in the context of entire workflows that consist of multiple components. Jointly with our additional findings, these two facets provide a foundation to substantiate mental models for machine learning security and have implications for the integration of adversarial machine learning into corporate workflows, \new{decreasing practitioners' reported uncertainty}, and appropriate regulatory frameworks for machine learning security.

Cryptography and Security,Artificial Intelligence

Heju Jiang,Jasvir Nagra,Parvez Ahammad

DOI: https://doi.org/10.48550/arXiv.1611.03186

2016-11-10

Cryptography and Security

Abstract:The idea of applying machine learning(ML) to solve problems in security domains is almost 3 decades old. As information and communications grow more ubiquitous and more data become available, many security risks arise as well as appetite to manage and mitigate such risks. Consequently, research on applying and designing ML algorithms and systems for security has grown fast, ranging from intrusion detection systems(IDS) and malware classification to security policy management(SPM) and information leak checking. In this paper, we systematically study the methods, algorithms, and system designs in academic publications from 2008-2015 that applied ML in security domains. 98 percent of the surveyed papers appeared in the 6 highest-ranked academic security conferences and 1 conference known for pioneering ML applications in security. We examine the generalized system designs, underlying assumptions, measurements, and use cases in active research. Our examinations lead to 1) a taxonomy on ML paradigms and security domains for future exploration and exploitation, and 2) an agenda detailing open and upcoming challenges. Based on our survey, we also suggest a point of view that treats security as a game theory problem instead of a batch-trained ML problem.

Giovanni Apruzzese,Pavel Laskov,Edgardo Montes de Oca,Wissam Mallouli,Luis Brdalo Rapa,Athanasios Vasileios Grammatopoulos,Fabio Di Franco

DOI: https://doi.org/10.1145/3545574

2023-03-07

Digital Threats: Research and Practice

Abstract:Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such a discrepancy has its root cause in the current state of the art, which does not allow us to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience. This article is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain—to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.

Randy Heiland,Betsy Thomas,Von Welch,Craig Jackson

DOI: https://doi.org/10.48550/arXiv.1309.1677

2013-09-06

Cryptography and Security

Abstract:In its Vision and Strategy for Software for Science, Engineering, and Education the NSF states that it will invest in activities that: "Recognize that software strategies must include the secure and reliable deployment and operation of services, for example by campuses or national facilities or industry, where identity, authentication, authorization and assurance are crucial operational capabilities." and "Result in high-quality, usable, secure, vulnerability-free, sustainable, robust, well-tested, and maintainable/evolvable software; and which promotes the sustainability of solid and useful on-going investments." Such statements evidence that security should indeed be a first-class consideration of the software ecosystem. In this position paper, we share some thoughts related to research software security. Our thoughts are based on the observation that security is not a binary, all-or-nothing attribute, but a range of practices and requirements depending on how the software is expected to be deployed and used. We propose that the community leverage the concept of a maturity model, and work to agree on a research software security maturity model. This model would categorize different sets of security needs of the deployment community, and provide software developers a roadmap for advancing the security maturity of their software. The intent of this paper is not to express such a comprehensive maturity model, but instead to start a conversation and set some initial requirements.

Yilong Yang,Bingjie Zeng,Juntao Gao

DOI: https://doi.org/10.1007/s00766-024-00431-4

2024-11-26

Requirements Engineering

Abstract:Machine learning (ML)-enabled is one of the appealing characteristics of modern software systems, which usually contain ML components to make the system more intelligent for easier living. Requirements for ML-enabled software systems involve functional, quality, environmental, and data requirements. UML is a de facto approach for requirements analysis and system design, but its current modeling capabilities do not yet cover ML-enabled software systems to describe software quality requirements, environmental requirements, and data requirements. In this paper, we propose a requirements model for ML-enabled software systems and a modeling process for this model based on an extension of UML. In addition, we demonstrate the proposed model and modeling process through the case of the Tesla Autopilot system. The results show that the proposed model is expressive and usable and has a low learning curve when the software developers have basic knowledge of UML. Our proposed model can be further implemented and used in industrial settings.

computer science, information systems, software engineering

Ram Shankar Siva Kumar,Magnus Nyström,John Lambert,Andrew Marshall,Mario Goertzel,Andi Comissoneru,Matt Swann,Sharon Xia

DOI: https://doi.org/10.48550/arXiv.2002.05646

2021-03-20

Abstract:Based on interviews with 28 organizations, we found that industry practitioners are not equipped with tactical and strategic tools to protect, detect and respond to attacks on their Machine Learning (ML) systems. We leverage the insights from the interviews and we enumerate the gaps in perspective in securing machine learning systems when viewed in the context of traditional software security development. We write this paper from the perspective of two personas: developers/ML engineers and security incident responders who are tasked with securing ML systems as they are designed, developed and deployed ML systems. The goal of this paper is to engage researchers to revise and amend the Security Development Lifecycle for industrial-grade software in the adversarial ML era.

Computers and Society,Cryptography and Security,Machine Learning

Samson Tan,Araz Taeihagh,Kathy Baxter

DOI: https://doi.org/10.48550/arXiv.2204.09852

2022-04-21

Computers and Society

Abstract:The speed and scale at which machine learning (ML) systems are deployed are accelerating even as an increasing number of studies highlight their potential for negative impact. There is a clear need for companies and regulators to manage the risk from proposed ML systems before they harm people. To achieve this, private and public sector actors first need to identify the risks posed by a proposed ML system. A system's overall risk is influenced by its direct and indirect effects. However, existing frameworks for ML risk/impact assessment often address an abstract notion of risk or do not concretize this dependence. We propose to address this gap with a context-sensitive framework for identifying ML system risks comprising two components: a taxonomy of the first- and second-order risks posed by ML systems, and their contributing factors. First-order risks stem from aspects of the ML system, while second-order risks stem from the consequences of first-order risks. These consequences are system failures that result from design and development choices. We explore how different risks may manifest in various types of ML systems, the factors that affect each risk, and how first-order risks may lead to second-order effects when the system interacts with the real world. Throughout the paper, we show how real events and prior research fit into our Machine Learning System Risk framework (MLSR). MLSR operates on ML systems rather than technologies or domains, recognizing that a system's design, implementation, and use case all contribute to its risk. In doing so, it unifies the risks that are commonly discussed in the ethical AI community (e.g., ethical/human rights risks) with system-level risks (e.g., application, design, control risks), paving the way for holistic risk assessments of ML systems.

Shalaleh Rismani,Renee Shelby,Andrew Smart,Renelito Delos Santos,AJung Moon,Negar Rostamzadeh

2023-07-19

Abstract:Identifying potential social and ethical risks in emerging machine learning (ML) models and their applications remains challenging. In this work, we applied two well-established safety engineering frameworks (FMEA, STPA) to a case study involving text-to-image models at three stages of the ML product development pipeline: data processing, integration of a T2I model with other models, and use. Results of our analysis demonstrate the safety frameworks - both of which are not designed explicitly examine social and ethical risks - can uncover failure and hazards that pose social and ethical risks. We discovered a broad range of failures and hazards (i.e., functional, social, and ethical) by analyzing interactions (i.e., between different ML models in the product, between the ML product and user, and between development teams) and processes (i.e., preparation of training data or workflows for using an ML service/product). Our findings underscore the value and importance of examining beyond an ML model in examining social and ethical risks, especially when we have minimal information about an ML model.

Computers and Society,Human-Computer Interaction

Alexander Lavin,Ciarán M. Gilligan-Lee,Alessya Visnjic,Siddha Ganju,Dava Newman,Atılım Güneş Baydin,Sujoy Ganguly,Danny Lange,Amit Sharma,Stephan Zheng,Eric P. Xing,Adam Gibson,James Parr,Chris Mattmann,Yarin Gal

DOI: https://doi.org/10.1038/s41467-022-33128-9

2021-11-30

Abstract:The development and deployment of machine learning (ML) systems can be executed easily with modern tools, but the process is typically rushed and means-to-an-end. The lack of diligence can lead to technical debt, scope creep and misaligned objectives, model misuse and failures, and expensive consequences. Engineering systems, on the other hand, follow well-defined processes and testing standards to streamline development for high-quality, reliable results. The extreme is spacecraft systems, where mission critical measures and robustness are ingrained in the development process. Drawing on experience in both spacecraft engineering and ML (from research through product across domain areas), we have developed a proven systems engineering approach for machine learning development and deployment. Our "Machine Learning Technology Readiness Levels" (MLTRL) framework defines a principled process to ensure robust, reliable, and responsible systems while being streamlined for ML workflows, including key distinctions from traditional software engineering. Even more, MLTRL defines a lingua franca for people across teams and organizations to work collaboratively on artificial intelligence and machine learning technologies. Here we describe the framework and elucidate it with several real world use-cases of developing ML methods from basic research through productization and deployment, in areas such as medical diagnostics, consumer computer vision, satellite imagery, and particle physics.

Machine Learning,Artificial Intelligence,Software Engineering

Nicolas Papernot

DOI: https://doi.org/10.48550/arXiv.1811.01134

2018-11-03

Cryptography and Security

Abstract:There is growing recognition that machine learning (ML) exposes new security and privacy vulnerabilities in software systems, yet the technical community's understanding of the nature and extent of these vulnerabilities remains limited but expanding. In this talk, we explore the threat model space of ML algorithms through the lens of Saltzer and Schroeder's principles for the design of secure computer systems. This characterization of the threat space prompts an investigation of current and future research directions. We structure our discussion around three of these directions, which we believe are likely to lead to significant progress. The first encompasses a spectrum of approaches to verification and admission control, which is a prerequisite to enable fail-safe defaults in machine learning systems. The second seeks to design mechanisms for assembling reliable records of compromise that would help understand the degree to which vulnerabilities are exploited by adversaries, as well as favor psychological acceptability of machine learning applications. The third pursues formal frameworks for security and privacy in machine learning, which we argue should strive to align machine learning goals such as generalization with security and privacy desiderata like robustness or privacy. Key insights resulting from these three directions pursued both in the ML and security communities are identified and the effectiveness of approaches are related to structural elements of ML algorithms and the data used to train them. We conclude by systematizing best practices in our community.