Bo Li

DOI: https://doi.org/10.1109/ICDMW.2015.44

2015-11-14

Abstract:Machine learning and data mining have become ubiquitous tools in modern computing applications and large enterprise systems benefit from its adaptability and intelligent ability to infer patterns that can be used for prediction or decision-making. Great success has been achieved by applying machine learning and data mining to the security settings for large dataset, such as in intrusion detection, virus detection, biometric identity recognition, and spam filtering. However, the strengths of the learning systems, such as the adaptability and ability to infer patterns, can also become their vulnerabilities when there are adversarial manipulations during the learning and predicting process. Considering the fact that the traditional learning strategies could potentially introduce security faults into the learning systems, robust machine learning techniques against the sophisticated adversaries need to be studied, which is referred to as secure learning and mining through this abstract. Based on the goal of secure learning and mining, I aim to analyze the behavior of learning systems in adversarial environments by studying different kinds of attacks against the learning systems. Then design robust learning algorithms to counter the corresponding malicious behaviors based on the evaluation and prediction of the adversaries' goal and capabilities. The interactions between the defender and attackers are modeled as different forms of games, therefore game theoretic analysis are applied to evaluate and predict the constraints for both participants to deal with the real world large dataset.

Computer Science

Tsui-Wei (Lily) Weng

DOI: https://doi.org/10.1609/aaai.v38i20.30298

2024-03-24

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep neural networks (DNNs) have achieved unprecedented success across many scientific and engineering fields in the last decades. Despite its empirical success, unfortunately, recent studies have shown that there are various failure modes and blindspots in DNN models which may result in unexpected serious failures and potential harms, e.g. the existence of adversarial examples and small perturbations. This is not acceptable especially for safety critical and high stakes applications in the real-world, including healthcare, self-driving cars, aircraft control systems, hiring and malware detection protocols. Moreover, it has been challenging to understand why and when DNNs will fail due to their complicated structures and black-box behaviors. Lacking interpretability is one critical issue that may seriously hinder the deployment of DNNs in high-stake applications, which need interpretability to trust the prediction, to understand potential failures, and to be able to mitigate harms and eliminate biases in the model. To make DNNs trustworthy and reliable for deployment, it is necessary and urgent to develop methods and tools that can (i) quantify and improve their robustness against adversarial and natural perturbations, and (ii) understand their underlying behaviors and further correct errors to prevent injuries and damages. These are the important first steps to enable Trustworthy AI and Trustworthy Machine Learning. In this talk, I will survey a series of research efforts in my lab contributed to tackling the grand challenges in (i) and (ii). In the first part of my talk, I will overview our research effort in Robust Machine Learning since 2017, where we have proposed the first attack-agnostic robustness evaluation metric, the first efficient robustness certification algorithms for various types of perturbations, and efficient robust learning algorithms across supervised learning to deep reinforcement learning. In the second part of my talk, I will survey a series of exciting results in my lab on accelerating interpretable machine learning and explainable AI. Specifically, I will show how we could bring interpretability into deep learning by leveraging recent advances in multi-modal models. I'll present recent works in our group on automatically dissecting neural networks with open vocabulary concepts, designing interpretable neural networks without concept labels, and briefly overview our recent efforts on demystifying black-box DNN training process, automated neuron explanations for Large Language Models and the first robustness evaluation of a family of neuron-level interpretation techniques.

Yanjie Li,Bin Xie,Songtao Guo,Yuanyuan Yang,Bin Xiao

2023-10-01

Abstract:Benefiting from the rapid development of deep learning, 2D and 3D computer vision applications are deployed in many safe-critical systems, such as autopilot and identity authentication. However, deep learning models are not trustworthy enough because of their limited robustness against adversarial attacks. The physically realizable adversarial attacks further pose fatal threats to the application and human safety. Lots of papers have emerged to investigate the robustness and safety of deep learning models against adversarial attacks. To lead to trustworthy AI, we first construct a general threat model from different perspectives and then comprehensively review the latest progress of both 2D and 3D adversarial attacks. We extend the concept of adversarial examples beyond imperceptive perturbations and collate over 170 papers to give an overview of deep learning model robustness against various adversarial attacks. To the best of our knowledge, we are the first to systematically investigate adversarial attacks for 3D models, a flourishing field applied to many real-world applications. In addition, we examine physical adversarial attacks that lead to safety violations. Last but not least, we summarize present popular topics, give insights on challenges, and shed light on future research on trustworthy AI.

Machine Learning,Artificial Intelligence

Xianmin Wang,Jing Li,Xiaohui Kuang,Yu-an Tan,Jin Li

DOI: https://doi.org/10.1016/j.jpdc.2019.03.003

IF: 4.542

2019-01-01

Journal of Parallel and Distributed Computing

Abstract:Machine learning (ML) methods have demonstrated impressive performance in many application fields such as autopilot, facial recognition, and spam detection. Traditionally, ML models are trained and deployed in a benign setting, in which the testing and training data have identical statistical characteristics. However, this assumption usually does not hold in the sense that the ML model is designed in an adversarial setting, where some statistical properties of the data can be tampered with by a capable adversary. Specifically, it has been observed that adversarial examples (also known as adversarial input perambulations) elaborately crafted during training/test phases can seriously undermine the ML performance. The susceptibility of ML models in adversarial settings and the corresponding countermeasures have been studied by many researchers in both academic and industrial communities. In this work, we present a comprehensive overview of the investigation of the security properties of ML algorithms under adversarial settings. First, we analyze the ML security model to develop a blueprint for this interdisciplinary research area. Then, we review adversarial attack methods and discuss the defense strategies against them. Finally, relying upon the reviewed work, we provide prospective relevant future works for designing more secure ML models.

Xiaofeng Liao,Liping Ding,Yongji Wang

DOI: https://doi.org/10.1109/ssiri-c.2011.15

2011-01-01

Abstract:The purpose of this article is to give a brief overview on the current work towards the emerging research problem of secure machine learning. Machine learning technique has been applied widely in various applications especially in spam detection and network intrusion detection. Most existing learning schemes assume that the environment they settle in is benign. However this is not always true in the real adversarial decision-making situations where the future data sets and the training data set are no longer from the same population, due to the transformations employed by the adversaries. As more and more machine learning systems are put into use, it is imperative to consider the security of the machine learning system. As a emerging problem, it is attracting more and more researchers' attention. In this article, we present a brief overview on secure machine learning and current progress on developing secure machine learning algorithms.

Han Shao

2024-08-03

Abstract:Machine learning has witnessed remarkable breakthroughs in recent years. As machine learning permeates various aspects of daily life, individuals and organizations increasingly interact with these systems, exhibiting a wide range of social and adversarial behaviors. These behaviors may have a notable impact on the behavior and performance of machine learning systems. Specifically, during these interactions, data may be generated by strategic individuals, collected by self-interested data collectors, possibly poisoned by adversarial attackers, and used to create predictors, models, and policies satisfying multiple objectives. As a result, the machine learning systems' outputs might degrade, such as the susceptibility of deep neural networks to adversarial examples (Shafahi et al., 2018; Szegedy et al., 2013) and the diminished performance of classic algorithms in the presence of strategic individuals (Ahmadi et al., 2021). Addressing these challenges is imperative for the success of machine learning in societal settings.

Machine Learning,Artificial Intelligence,Computer Science and Game Theory

Michael Everett,Bjorn Lutjens,Jonathan P How

DOI: https://doi.org/10.1109/TNNLS.2021.3056046

Abstract:Deep neural network-based systems are now state-of-the-art in many robotics tasks, but their application in safety-critical domains remains dangerous without formal guarantees on network robustness. Small perturbations to sensor inputs (from noise or adversarial examples) are often enough to change network-based decisions, which was recently shown to cause an autonomous vehicle to swerve into another lane. In light of these dangers, numerous algorithms have been developed as defensive mechanisms from these adversarial inputs, some of which provide formal robustness guarantees or certificates. This work leverages research on certified adversarial robustness to develop an online certifiably robust for deep reinforcement learning algorithms. The proposed defense computes guaranteed lower bounds on state-action values during execution to identify and choose a robust action under a worst case deviation in input space due to possible adversaries or noise. Moreover, the resulting policy comes with a certificate of solution quality, even though the true state and optimal action are unknown to the certifier due to the perturbations. The approach is demonstrated on a deep Q-network (DQN) policy and is shown to increase robustness to noise and adversaries in pedestrian collision avoidance scenarios, a classic control task, and Atari Pong. This article extends our prior work with new performance guarantees, extensions to other reinforcement learning algorithms, expanded results aggregated across more scenarios, an extension into scenarios with adversarial behavior, comparisons with a more computationally expensive method, and visualizations that provide intuition about the robustness algorithm.

Ivan Evtimov,Weidong Cui,Ece Kamar,Emre Kiciman,Tadayoshi Kohno,Jerry Li

DOI: https://doi.org/10.48550/arXiv.2007.07205

2020-07-13

Cryptography and Security

Abstract:Machine learning (ML) models deployed in many safety- and business-critical systems are vulnerable to exploitation through adversarial examples. A large body of academic research has thoroughly explored the causes of these blind spots, developed sophisticated algorithms for finding them, and proposed a few promising defenses. A vast majority of these works, however, study standalone neural network models. In this work, we build on our experience evaluating the security of a machine learning software product deployed on a large scale to broaden the conversation to include a systems security view of these vulnerabilities. We describe novel challenges to implementing systems security best practices in software with ML components. In addition, we propose a list of short-term mitigation suggestions that practitioners deploying machine learning modules can use to secure their systems. Finally, we outline directions for new research into machine learning attacks and defenses that can serve to advance the state of ML systems security.

Jirong Yi,Hui Xie,Leixin Zhou,Xiaodong Wu,Weiyu Xu,Raghuraman Mudumbai

DOI: https://doi.org/10.48550/arXiv.1905.11381

2019-05-26

Abstract:Deep-learning based classification algorithms have been shown to be susceptible to adversarial attacks: minor changes to the input of classifiers can dramatically change their outputs, while being imperceptible to humans. In this paper, we present a simple hypothesis about a feature compression property of artificial intelligence (AI) classifiers and present theoretical arguments to show that this hypothesis successfully accounts for the observed fragility of AI classifiers to small adversarial perturbations. Drawing on ideas from information and coding theory, we propose a general class of defenses for detecting classifier errors caused by abnormally small input perturbations. We further show theoretical guarantees for the performance of this detection method. We present experimental results with (a) a voice recognition system, and (b) a digit recognition system using the MNIST database, to demonstrate the effectiveness of the proposed defense methods. The ideas in this paper are motivated by a simple analogy between AI classifiers and the standard Shannon model of a communication system.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Alina Oprea

DOI: https://doi.org/10.1145/3450569.3462164

2021-01-01

Abstract:ABSTRACTMachine learning is increasingly being used for automated decisions in applications such as health care, finance, autonomous vehicles, and personalized recommendations. These critical applications require strong guarantees on both the integrity of the machine learning models and the privacy of the user data used to train these models. The area of adversarial machine learning studies the effect of adversarial attacks against machine learning models and aims to design robust defense algorithms. The main challenges in this space are the development of realistic adversarial models that consider the specifics of real-world applications, and the design of machine learning algorithms resilient against a wide range of threats. In this talk, we describe our work on creating a taxonomy of poisoning attacks against machine learning systems at training time. In light of recent software supply chain vulnerabilities revealed by the SolarWinds attack, the supply chain of machine learning development needs to be protected. First, we introduce our optimization approach to create poisoning availability attacks against linear regression and discuss robust defenses based on techniques from robust statistics [1]. Then, we discuss how an attacker with minimal knowledge of a machine learning classifier can inject backdoor poisoning attacks, by leveraging techniques from machine learning explainability [4]. We demonstrate these methods on several malware classifiers and show the challenges of designing robust defenses to protect against these attacks. We also define a new attack model called subpopulation poisoning, that requires a small set of poisoning points to impact the accuracy of the model on a targeted subpopulation [2]. We evaluate our poisoning attacks on multiple data modalities, including image, text, and tabular data. Finally, we highlight a surprising connection between machine learning integrity and privacy attacks, and show how poisoning attacks can be used for auditing the privacy of machine learning algorithms such as differentially private stochastic gradient descent [3].

Guofu Li,Pengjia Zhu,Jin Li,Zhemin Yang,Ning Cao,Zhiyi Chen

DOI: https://doi.org/10.48550/arXiv.1810.07339

2018-10-23

Abstract:Adversarial machine learning is a fast growing research area, which considers the scenarios when machine learning systems may face potential adversarial attackers, who intentionally synthesize input data to make a well-trained model to make mistake. It always involves a defending side, usually a classifier, and an attacking side that aims to cause incorrect output. The earliest studies on the adversarial examples for machine learning algorithms start from the information security area, which considers a much wider varieties of attacking methods. But recent research focus that popularized by the deep learning community places strong emphasis on how the "imperceivable" perturbations on the normal inputs may cause dramatic mistakes by the deep learning with supposed super-human accuracy. This paper serves to give a comprehensive introduction to a range of aspects of the adversarial deep learning topic, including its foundations, typical attacking and defending strategies, and some extended studies.

Machine Learning,Cryptography and Security

Bhavani Bhavani,Soundarya. S.,Tejashwini. V.,Sumitha. S.,,,,

DOI: https://doi.org/10.54216/jchci.070105

2024-01-01

Journal of Cognitive Human-Computer Interaction

Abstract:The increasing prevalence of deep learning technology has paved the way for a new era of AI-powered capabilities, promising revolutionary advancements across various societal domains such as healthcare and autonomous vehicles. Despite offering potent solutions to complex problems, the formidable power of these AI systems is accompanied by a susceptibility that malicious actors could exploit. Adversarial attacks, particularly targeting deep learning models, involve the crafting of altered inputs, often imperceptible changes to images, to deceive or undermine the functionality of the AI system. Within the domain of autonomous driving systems, adversarial attacks pose a severe risk. Envision a situation where a precisely manipulated adversarial attack targets a red traffic light sign, causing the AI system to misclassify it as an entirely unrelated object, perhaps identifying it as a bird. The potential consequences of such misclassifications underscore the serious impact that adversarial attacks can exert on the safety and dependability of autonomous vehicles. The potential repercussions of such misclassification are severe, with the risk of causing traffic accidents and posing a notable safety threat. Ensuring the resilience and security of AI technologies against adversarial threats is of utmost importance as AI continues to play a pivotal role in critical applications such as healthcare, finance, and autonomous systems. It necessitates a holistic strategy that melds advanced research, meticulous testing, and the deployment of robust security measures. This comprehensive approach is essential for fostering trust and mitigating potential harm in an ever- growing, AI-driven world.

Romeo Valentin

2024-03-12

Abstract:Although an ever-growing number of applications employ deep learning based systems for prediction, decision-making, or state estimation, almost no certification processes have been established that would allow such systems to be deployed in safety-critical applications. In this work we consider real-world problems arising in aviation and other safety-critical areas, and investigate their requirements for a certified model. To this end, we investigate methodologies from the machine learning research community aimed towards verifying robustness and reliability of deep learning systems, and evaluate these methodologies with regard to their applicability to real-world problems. Then, we establish a new framework towards deep learning certification based on (i) inherently safe design, and (ii) run-time error detection. Using a concrete use case from aviation, we show how deep learning models can recover disentangled variables through the use of weakly-supervised representation learning. We argue that such a system design is inherently less prone to common model failures, and can be verified to encode underlying mechanisms governing the data. Then, we investigate four techniques related to the run-time safety of a model, namely (i) uncertainty quantification, (ii) out-of-distribution detection, (iii) feature collapse, and (iv) adversarial attacks. We evaluate each for their applicability and formulate a set of desiderata that a certified model should fulfill. Finally, we propose a novel model structure that exhibits all desired properties discussed in this work, and is able to make regression and uncertainty predictions, as well as detect out-of-distribution inputs, while requiring no regression labels to train. We conclude with a discussion of the current state and expected future progress of deep learning certification, and its industrial and social implications.

Machine Learning

Ramesh Upreti,Pedro G. Lind,Ahmed Elmokashfi,Anis Yazidi

DOI: https://doi.org/10.1007/s10207-024-00813-3

2024-04-03

International Journal of Information Security

Abstract:Abstract Artificial intelligence-based algorithms are widely adopted in critical applications such as healthcare and autonomous vehicles. Mitigating the security and privacy issues of AI models, and enhancing their trustworthiness have become of paramount importance. We present a detailed investigation of existing security, privacy, and defense techniques and strategies to make machine learning more secure and trustworthy. We focus on the new paradigm of machine learning called federated learning, where one aims to develop machine learning models involving different partners (data sources) that do not need to share data and information with each other. In particular, we discuss how federated learning bridges security and privacy, how it guarantees privacy requirements of AI applications, and then highlight challenges that need to be addressed in the future. Finally, after having surveyed the high-level concepts of trustworthy AI and its different components and identifying present research trends addressing security, privacy, and trustworthiness separately, we discuss possible interconnections and dependencies between these three fields. All in all, we provide some insight to explain how AI researchers should focus on building a unified solution combining security, privacy, and trustworthy AI in the future.

computer science, information systems, theory & methods, software engineering

Lei Ma, Felix Juefei-Xu, Minhui Xue, Qiang Hu, Sen Chen, Bo Li, Yang Liu, Jianjun Zhao, Jianxiong Yin, Simon See

2018-10-01

Abstract:Over the past decades, deep learning (DL) systems have achieved tremendous success and gained great popularity in various applications, such as intelligent machines, image processing, speech processing, and medical diagnostics. Deep neural networks are the key driving force behind its recent success, but still seem to be a magic black box lacking interpretability and understanding. This brings up many open safety and security issues with enormous and urgent demands on rigorous methodologies and engineering practice for quality enhancement. A plethora of studies have shown that the state-of-the-art DL systems suffer from defects and vulnerabilities that can lead to severe loss and tragedies, especially when applied to real-world safety-critical applications. In this paper, we perform a large-scale study and construct a paper repository of 223 relevant works to the quality assurance, security, and interpretation of deep learning. We, from a software quality assurance perspective, pinpoint challenges and future opportunities towards universal secure deep learning engineering. We hope this work and the accompanied paper repository can pave the path for the software engineering community towards addressing the pressing industrial demand of secure intelligent applications.

Jindong Wang,Haoliang Li,Haohan Wang,Sinno Jialin Pan,Xing Xie

DOI: https://doi.org/10.1145/3580305.3599574

2023-01-01

Abstract:Machine learning is becoming increasingly important in today's world. Beyond its powerful performances, there has been an emerging concern about the trustworthiness of machine learning, including but not limited to: robustness to malicious attacks, generalization to unseen datasets, and interpretability to explain its outputs. Such concerns are even more urgent in some safety-critical applications such as medical diagnosis and autonomous driving. Trustworthy machine learning (TrustML) aims to tackle these challenges from the perspectives of theory, algorithm, and applications. In this tutorial, we will give a comprehensive introduction to the recent advance of trustworthy machine learning in robustness, generalization, and interpretability. We will cover their problem formulation, related research, popular algorithms, and successful applications. Additionally, we will also introduce some potential challenges for future research. We do hope that this tutorial will not only serve as a platform to understand TrustML, but also raise the awareness of everyone for more trustworthy applications.

Lei Ma,Felix Juefei-Xu,Minhui Xue,Qiang Hu,Sen Chen,Bo Li,Yang Liu,Jianjun Zhao,Jianxiong Yin,Simon See

2018-01-01

Abstract:Over the past decades, deep learning (DL) systems have achieved tremendous success and gained great popularity in various applications, such as intelligent machines, image processing, speech processing, and medical diagnostics. Deep neural networks are the key driving force behind its recent success, but still seem to be a magic black box lacking interpretability and understanding. This brings up many open safety and security issues with enormous and urgent demands on rigorous methodologies and engineering practice for quality enhancement. A plethora of studies have shown that the state-of-the-art DL systems suffer from defects and vulnerabilities that can lead to severe loss and tragedies, especially when applied to real-world safety-critical applications. In this paper, we perform a large-scale study and construct a paper repository of 223 relevant works to the quality assurance, security, and interpretation of deep learning. We, from a software quality assurance perspective, pinpoint challenges and future opportunities towards universal secure deep learning engineering. We hope this work and the accompanied paper repository can pave the path for the software engineering community towards addressing the pressing industrial demand of secure intelligent applications.

Haseeb Javed,Shaker El-Sappagh,Tamer Abuhmed

DOI: https://doi.org/10.1007/s10462-024-11005-9

IF: 9.588

2024-11-09

Artificial Intelligence Review

Abstract:The current study investigates the robustness of deep learning models for accurate medical diagnosis systems with a specific focus on their ability to maintain performance in the presence of adversarial or noisy inputs. We examine factors that may influence model reliability, including model complexity, training data quality, and hyperparameters; we also examine security concerns related to adversarial attacks that aim to deceive models along with privacy attacks that seek to extract sensitive information. Researchers have discussed various defenses to these attacks to enhance model robustness, such as adversarial training and input preprocessing, along with mechanisms like data augmentation and uncertainty estimation. Tools and packages that extend the reliability features of deep learning frameworks such as TensorFlow and PyTorch are also being explored and evaluated. Existing evaluation metrics for robustness are additionally being discussed and evaluated. This paper concludes by discussing limitations in the existing literature and possible future research directions to continue enhancing the status of this research topic, particularly in the medical domain, with the aim of ensuring that AI systems are trustworthy, reliable, and stable.

computer science, artificial intelligence

Yang Liu, Lei Ma, Jianjun Zhao

2019-01-01

Abstract:Over the past decades, deep learning (DL) systems have achieved tremendous success and gained great popularity in various applications, such as intelligent machines, image processing, speech processing, and medical diagnostics. Deep neural networks are the key driving force behind its recent success, but still seem to be a magic black box lacking interpretability and understanding. This brings up many open safety and security issues with enormous and urgent demands on rigorous methodologies and engineering practice for quality enhancement. A plethora of studies have shown that state-of-the-art DL systems suffer from defects and vulnerabilities that can lead to severe loss and tragedies, especially when applied to real-world safety-critical applications. In this paper, we perform a large-scale study and construct a paper repository of 223 relevant works to the quality assurance, security …

Chao Shen

DOI: https://doi.org/10.1109/NaNA51271.2020.00008

2020-01-01

Abstract:Human society is witnessing a wave of machine learning(ML) driven by dep learning techniques, bringing a technological revolution for human production and life. In some specific fields, ML achieved or even surpassed human-level performance. However, most previous machine learning theories have not considered the open and even adversarial environments, and the security and privacy issues are gradually rising. Besides of insecure code implementations, blased models, adversarial examples, sensor spoofing can also lead to security risks, which are hard to be discovered by traditional security analysis tools. This talk reviews previous works on ML system security and privacy, revealing potential security and privacy risks. Firstly, we introduce a threat model of ML systems, including attack surfaces, attach capabilitiesand attack goals. Second, we analyze security risks and countermeasures in terms of four critical components in ML systems: data input (sensor), data preprocessing, machine learning model and output. Finally, we discuss future research trends on the security of ML systems. The aim si to arise the attention of the computer security society and the ML society on security and privacy of ML systems, and so that they can work together to unlock ML's potential to build a bright future.