Model-Reuse Attacks on Deep Learning Systems

Ji, Yujie; Zhang, Xinyang; Ji, Shouling; Wang, Liu; Wang, Ting

doi:10.1145/3243734.3243757

Cited by 147 publications

(121 citation statements)

References 40 publications

Supporting

Mentioning

120

Contrasting

Order By: Relevance

“…Ji et al [44] proposed classification of security threats for Deep Learning in 3 different angles, which influence classifieds, security breaches, and privacy of attacks.…”

Section: Security Attack Taxonomymentioning

confidence: 99%

See 1 more Smart Citation

A Review of Deep Learning Security and Privacy Defensive Techniques

Tariq

Memon

Ahmed

et al. 2020

Mobile Information Systems

View full text Add to dashboard Cite

In recent past years, Deep Learning presented an excellent performance in different areas like image recognition, pattern matching, and even in cybersecurity. The Deep Learning has numerous advantages including fast solving complex problems, huge automation, maximum application of unstructured data, ability to give high quality of results, reduction of high costs, no need for data labeling, and identification of complex interactions, but it also has limitations like opaqueness, computationally intensive, need for abundant data, and more complex algorithms. In our daily life, we used many applications that use Deep Learning models to make decisions based on predictions, and if Deep Learning models became the cause of misprediction due to internal/external malicious effects, it may create difficulties in our real life. Furthermore, the Deep Learning training models often have sensitive information of the users and those models should not be vulnerable and expose security and privacy. The algorithms of Deep Learning and machine learning are still vulnerable to different types of security threats and risks. Therefore, it is necessary to call the attention of the industry in respect of security threats and related countermeasures techniques for Deep Learning, which motivated the authors to perform a comprehensive survey of Deep Learning security and privacy security challenges and countermeasures in this paper. We also discussed the open challenges and current issues.

show abstract

“…Ji et al [44] proposed classification of security threats for Deep Learning in 3 different angles, which influence classifieds, security breaches, and privacy of attacks.…”

Section: Security Attack Taxonomymentioning

confidence: 99%

“…e software bugs of the systems that hosted Deep Learning applications on its operating system can be hijacked due to remote compromise and application bugs [44,82]. is mostly happens when the system is connected with the cloud system and the Deep Learning applications are also running on that cloud-based system.…”

Section: Deep Learning Reat Type-iiimentioning

confidence: 99%

A Review of Deep Learning Security and Privacy Defensive Techniques

Tariq

Memon

Ahmed

et al. 2020

Mobile Information Systems

View full text Add to dashboard Cite

show abstract

“…Conversely, if the attack is targeted to only have few samples misclassified at test time, then it is named as a poisoning integrity attack [7,8,11,15,17,45,46,49,50,69]. We also include backdoor attacks into this category, as they also aim to cause specific misclassifications at test time by compromising the training process of the learning algorithm [22,43,47,57]. Their underlying idea is to compromise a model during the training phase or, more generally, at design time (this may include, e.g., also modifications to the architecture of a deep network by addition of specific layers or neurons), with the goal of enforcing the model to classify backdoored samples at test time as desired by the attacker.…”

Section: Model Extraction/stealing Model Inversion Membership Inferencementioning

confidence: 99%

Towards Adversarial Malware Detection

Maiorca¹,

Biggio²,

Giacinto³

2019

ACM Comput. Surv.

View full text Add to dashboard Cite

Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines. Research showed that machine-learning algorithms provide effective detection mechanisms against such threats, but the existence of an arms race in adversarial settings has recently challenged such systems. In this work, we focus on malware embedded in PDF files as a representative case of such an arms race. We start by providing a comprehensive taxonomy of the different approaches used to generate PDF malware, and of the corresponding learning-based detection systems. We then categorize threats specifically targeted against learning-based PDF malware detectors, using a well-established framework in the field of adversarial machine learning. This framework allows us to categorize known vulnerabilities of learning-based PDF malware detectors and to identify novel attacks that may threaten such systems, along with the potential defense mechanisms that can mitigate the impact of such threats. We conclude the paper by discussing how such findings highlight promising research directions towards tackling the more general challenge of designing robust malware detectors in adversarial settings.:2 D. Maiorca et al.formats to conceal malicious code, making their detection significantly harder. Second, infection vectors can be effectively used in social engineering campaigns, as victims are more prone to receive and open documents or multimedia content. Finally, although vulnerabilities of third-party applications are often publicly disclosed, they are not promptly patched. The absence of proper security updates makes thus the lifespan of attacks perpetrated with infection vectors much longer.Machine learning-based technologies have been increasingly used both in academic and industrial environments (see e.g., [48]) to detect malware embedded in infection vectors like malicious PDF files. Research work has demonstrated that learning-based systems could be effective at detecting obfuscated attacks that are typically able to evade simple heuristics [23,65,82,95], but the problem is still far from being solved. Despite the significant increment of detected attacks, researchers started questioning the reliability of learning algorithms against adversarial attacks carefully-crafted against them [8-10, 17, 18]. Such attacks became widely popular when researchers showed that it was possible to evade deep learning algorithms for computer vision with adversarial examples, i.e., minimally-perturbed images that mislead classification [40,88]. The same attack principles have also been employed to craft adversarial malware samples, as first shown in [9], and subsequently explored in [29,42,52,96,99]. Such attacks can typically perform few, fine-grained changes on correctly detected, malicious samples to have them misclassified as legitimate. Acc...

show abstract

“…They show that their attack performance degrades if several layers of the student models are fine-tuned. Ji et al [23] maliciously train pre-trained models in order to implement model-reuse attacks against ML systems without knowing the developer's dataset or fine-tuning strategies. Hashemi et al [17] query the target model with images that come from a similar distribution as the training images of the target model, augment the dataset with random noise and use this augmented dataset to train a substitute model.…”

Section: Related Workmentioning

confidence: 99%

Making Targeted Black-box Evasion Attacks Effective and Efficient

Juuti

Atli

Asokan

2019

Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

We investigate how an adversary can optimally use its query budget for targeted evasion attacks against deep neural networks in a blackbox setting. We formalize the problem setting and systematically evaluate what benefits the adversary can gain by using substitute models. We show that there is an exploration-exploitation tradeoff in that query efficiency comes at the cost of effectiveness. We present two new attack strategies for using substitute models and show that they are as effective as previous "query-only" techniques but require significantly fewer queries, by up to three orders of magnitude. We also show that an agile adversary capable of switching through different attack techniques can achieve pareto-optimal efficiency. We demonstrate our attack against Google Cloud Vision showing that the difficulty of black-box attacks against real-world prediction APIs is significantly easier than previously thought (requiring ≈500 queries instead of ≈20,000 as in previous works).

show abstract

Model-Reuse Attacks on Deep Learning Systems

Cited by 147 publications

References 40 publications

A Review of Deep Learning Security and Privacy Defensive Techniques

A Review of Deep Learning Security and Privacy Defensive Techniques

Towards Adversarial Malware Detection

Making Targeted Black-box Evasion Attacks Effective and Efficient

Contact Info

Product

Resources

About