Adversarial machine learning 101: A new cybersecurity frontier

Adversarial machine learning (AML) is a dynamic and multi-faceted discipline within the realm of cybersecurity that is gaining significant attention and traction in the current digital landscape. The exponential growth of digital data and the unrelenting advancement of cyber-attacks have made the need for effective AML solutions imperative. This area of study encompasses the development of algorithms, techniques, and methods to protect machine learning models from malicious manipulation or exploitation, with the ultimate goal of ensuring the security and integrity of data.

The significance of data in today’s digital environment cannot be overstated. From financial transactions and sensitive personal information to strategic corporate intelligence, the value of data has become paramount. As a result, organizations and individuals recognize the critical importance of protecting their data from malicious actors and the devastating consequences of a breach.

What is adversarial machine learning?

Adversarial machine learning is a rapidly growing field of study that focuses on developing algorithms that can resist attempts to mislead or trick them. The idea is to build robust models against so-called “adversarial examples,” which are inputs specifically crafted to confuse the model. These examples can take many forms, from minor perturbations to an image that causes a computer vision system to misclassify it, to fake data designed to trick a recommendation system into making an incorrect prediction.

Adversarial machine learning has become a critical area of research due to the increasing reliance on machine learning algorithms in a variety of applications, from cybersecurity and financial fraud detection to autonomous vehicles and healthcare. As these algorithms are used in more critical domains, it is becoming increasingly important to ensure that they are robust against adversarial attacks, which can have serious real-world consequences.

One of the main challenges in adversarial machine learning is developing models that can generalize to new types of attacks, as attackers are constantly finding new ways to trick the algorithms. Researchers are working to develop algorithms that are more robust and able to defend against these attacks. This includes developing algorithms that can detect when they are being attacked and adapting their behavior to resist the attack.

Despite the growing importance of adversarial machine learning, the field is still in its early stages, and much work remains to be done to develop more robust and effective algorithms. Nevertheless, the progress that has been made so far has shown the importance of this research, and the field is likely to continue to grow in importance in the coming years.

The history of adversarial machine learning

In 2004, Dalvi et al. identified the vulnerability of linear classifiers in spam filters to simple evasion attacks, where spammers incorporated benign terms into their spam emails. Later, in an effort to evade OCR-based filters, some spammers utilized random noise in “image spam.” In 2006, Barreno et al. published a comprehensive analysis of attacks on machine learning in their paper “Can Machine Learning Be Secure?”

Despite the hope of some researchers that non-linear classifiers, such as support vector machines and neural networks, would be resistant to adversaries, Biggio et al. demonstrated the feasibility of gradient-based attacks on these models in 2012-2013. The rise of deep neural networks in computer vision starting in 2012 was quickly followed by the discovery by Szegedy et al. in 2014 that these networks could also be susceptible to gradient-based adversarial attacks.

Recently, it has been observed that the production of adversarial attacks is challenged in practical environments due to environmental constraints that counteract the effect of adversarial perturbations. For instance, minor rotations or changes in illumination can nullify the adversariality of an image.

Additionally, researchers such as Google Brain’s Nicholas Frosst have noted that it is easier to disrupt self-driving cars by physically removing stop signs rather than generating adversarial examples. Frosst critiques the assumption made by the adversarial machine learning community that models trained on a specific data distribution will generalize well to entirely different distributions. Instead, he proposes exploring alternative approaches to machine learning and is currently working on a novel neural network designed to better approximate human perception than the existing state-of-the-art methods.

The fantastic precursors of Artificial Intelligence

Adversarial machine learning remains a popular area of study in academia, but tech giants like Google, Microsoft, and IBM have started compiling the documentation and making their code open-source to enable others to evaluate the strength of machine learning models better and reduce the threat of adversarial attacks.

How machine learning “understands” the world?

Before explaining adversarial machine learning examples, it’s crucial to comprehend how machine learning algorithms process images and videos. The machine learning model undergoes a “training” stage, where it is given numerous images with their labels (e.g., panda, cat, dog, etc.). During this phase, the model analyzes the image pixels and adjusts its internal parameters to match each image with its label. Once trained, the model should be able to identify new images and assign them the correct label. In essence, a machine learning model can be thought of as a mathematical function that takes in pixel values and outputs the image’s label.

Artificial Neural Networks (ANN), a machine learning algorithm, excel at handling complex and disorganized data like images, audio, and text. They have many variables that allow them to adapt to different patterns in training data. When several ANNs are combined, they form “deep neural networks,” which improve in their ability to classify and predict.

Artificial intelligence is currently at its cutting edge thanks to deep learning, a subset of machine learning that makes use of deep neural networks. Deep learning algorithms frequently perform as well as—and even better than—humans in previously inaccessible computer tasks like computer vision and natural language processing. However, it is important to remember that computing devices are fundamental components of deep learning and machine learning algorithms. They are capable of detecting minor and complex patterns in word orders, sound waves, and pixel values, but they do not perceive the world as we do.

What’s the aim of adversarial machine learning projects?

The aim of adversarial machine learning projects is to protect machine learning models from malicious manipulation or exploitation by adversarial actors. The ultimate goal of AML is to ensure the security and integrity of data and the reliability of machine learning models.

This is achieved through the development and implementation of algorithms, techniques, and methods that are designed to identify and defend against various forms of adversarial attacks, such as data poisoning, model inversion, evasion, and exploitation attacks.

AML projects aim to address the vulnerability of machine learning models to adversarial manipulation and provide a more secure and trustworthy foundation for organizations and individuals to use and rely on machine learning in their operations and decision-making processes.

Types of adversarial attacks

Machine learning automates complex tasks, but it creates a new vulnerability that attackers can target. Your IT system is now susceptible to new types of attacks like poisoning, evasion, and model theft.

Poisoning attacks

The target of a poisoning assault is the data used to train the model. Here, a hacker will insert or modify data that is already present. This data will cause the model that was trained on it to predict incorrectly for data that has been correctly labeled. An attacker might reclassify fraud cases as non-fraud, for instance. The attacker might only do this in specific instances of fraud so that the next time they try to commit fraud in the same manner, the system won’t catch them.

Models only need to be trained once for multiple applications. There may not be much room for such attacks because the data and model would both be properly examined. For some systems, models undergo ongoing retraining. For instance, reinforcement learning models can be trained on fresh data once daily, once weekly, or even as soon as it is provided. In the end, this kind of setting provides more potential for a poisoning attack.

Model stealing

Similar to this, model stealing attacks concentrate on the trained model. An attacker is specifically interested in the model’s structure or the data used to train it. Examples of private information that could be collected using big language processing algorithms include social security numbers and addresses.

An attacker might be interested in learning about the model’s structure in order to leverage it for financial benefit. To trade stocks, for instance, a stock trading model may be imitated. This data could be used by an attacker to launch additional assaults. For instance, they could pinpoint the precise terms that a spam filtering algorithm will mark as spam. In order to ensure that spam and phishing emails reach the inbox, the attacker could then modify them.

Byzantine attacks

When machine learning is scaled, it typically involves utilizing multiple computing machines. One example of this is federated learning, where edge devices and a central server work together by sharing gradients or model parameters. However, there is a risk that some of these devices may act maliciously, such as attempting to harm the central server’s model or manipulating the algorithms to favor certain outcomes.

On the other hand, if machine learning is only trained on a single machine, the model becomes highly susceptible to failure or attack. The single machine serves as a single point of failure, meaning that if it experiences any issues, the entire system could be impacted. Furthermore, there is also the possibility that the machine owner could deliberately insert hidden backdoors, making the system vulnerable to undetectable attacks.

The current approaches for ensuring the resilience of distributed learning algorithms against malicious participants are using robust gradient aggregation rules. However, when dealing with heterogeneous honest participants, such as users with varying consumption patterns for recommendation algorithms or distinct writing styles for language models, it is mathematically proven that no robust learning algorithm can provide guaranteed results.

Evasion attacks

Evasion attacks target the model specifically. They involve manipulating data to make it appear valid while producing incorrect predictions. To be clear, the attacker does not alter data used to train models; rather, they alter data used by a model to make predictions. An attacker could use a VPN to conceal their actual place of origin, for instance, when requesting a loan. They might be from a dangerous nation; thus, the model would have denied their application if the attacker had given their real nationality.

Attacks of this nature are more frequently found in areas like image recognition. Attackers have the ability to produce visuals that appear fully natural to humans but produce utterly false predictions. For instance, Google researchers demonstrated how adding particular noise to an image could alter the model’s forecast for image recognition.

This is possible because image recognition models are trained to link certain pixels to the intended variable. We can vary the model’s forecast by precisely adjusting those pixels. If these kinds of attacks were utilized to affect systems like self-driving cars, the results might be disastrous. Could the same changes be made to a stop sign or traffic light? A driver might not notice such an attack, but it could lead to the automobile making fatal judgments.

Adversarial machine learning defenses

The two most effective techniques for training AI systems to withstand adversarial machine learning attacks are adversarial training and defensive distillation.

Adversarial training

Adversarial training is a supervised learning method that uses brute force to feed as many adversarial examples as possible into the model and explicitly label them as threatening, similar to the approach used by typical antivirus software. While effective, it requires continuous maintenance to keep up with new threats and still suffers from the limitation that it can only prevent known attacks from happening again.

Defensive distillation

Defensive distillation, on the other hand, adds flexibility to an algorithm’s classification process to make the model less susceptible to exploitation. It involves training one model to predict the output probabilities of another model that was trained on an earlier standard to emphasize accuracy. The biggest advantage of this approach is its adaptability to unknown threats and the need for less human intervention compared to adversarial machine learning training. However, the second model is still limited by the general rules of the first model, making it vulnerable to reverse engineering by attackers with sufficient computing power and fine-tuning.

Finding loopholes with machine learning techniques

Adversarial machine learning examples

Adversarial examples are inputs to machine learning models that an attacker has purposely designed to cause the model to make a mistake. An adversarial example is a corrupted version of a valid input, where the corruption is done by adding a perturbation of a small magnitude to it. This barely noticed nuisance is designed to deceive the classifier by maximizing the probability of an incorrect class. The adversarial machine learning example is designed to appear “normal” to humans but causes misclassification by the targeted machine learning model.

Limited-memory BFGS (L-BFGS)

To reduce the number of perturbations added to images, the Limited-memory Broyden-Fletcher-Goldfarb-Shanno (L-BFGS) technique uses a non-linear gradient-based numerical optimization methodology.

• Pros: Capable of producing adversarial examples.
• Cons: Because it is an efficient approach with box limitations, it requires a lot of processing. The process is cumbersome and inefficient.

FastGradient Sign method (FGSM)

A simple and fast gradient-based method is used to generate adversarial machine learning examples to minimize the maximum amount of perturbation added to any pixel of the image to cause misclassification.

• Pros: Relatively efficient computing times.
• Cons: Every feature receives further perturbations.

Jacobian-based Saliency Map attack (JSMA)

The approach reduces the number of features being misclassified by using feature selection, unlike FGSM. Features are perturbed systematically in descending order of their saliency value.

• Pros: Very few features are perturbed.
• Cons: More computationally intensive than FGSM.

Deepfool attack

With this untargeted adversarial sample generation method, the euclidean distance between perturbed samples and original samples is to be as small as possible. Estimated decision boundaries between classes are introduced iteratively, along with perturbations.

• Pros: Produces adversarial instances well, with higher misclassification rates and lower perturbations.
• Cons: Requires more processing than FGSM and JSMA. Additionally, antagonistic examples are probably not the best.

Carlini & Wagner (C&W) attack

The method is based on the L-BFGS attack (optimization problem), although it does not use box limitations or use various goal functions. The approach was found to be able to overcome cutting-edge defenses, such as defensive distillation and adversarial machine learning training, making it more effective in generating adversarial cases.

• Pros: Excellent in creating examples of opposition. It can also undermine some adversarial defenses.
• Cons: Requires more computing power than FGSM, JSMA, and Deepfool.

Generative Adversarial Networks (GAN)

Two neural networks are pitted against one another in adversarial machine learning attacks using generative adversarial networks (GANs). The result is that one acts as a generator and the other as a discriminator. The generator aims to provide samples that the discriminator will misclassify in a zero-sum competition between the two networks. The discriminator, meanwhile, makes an effort to discriminate between genuine samples and those produced by the generator.

• Pros: Creation of samples that are distinct from those utilized for training.
• Cons: It takes a lot of processing power to train a Generate Adversarial Network, and it might be very unstable.

Zeroth-order optimization attack (ZOO)

The ZOO approach is perfect for black-box assaults since it enables an estimate of the gradient of the classifiers without access to the classifier. By querying the target model with updated individual features, the method calculates gradient and hessian and applies Adam’s or Newton’s method to optimize perturbations.

• Pros: Performance comparable to the C&W attack. There is no need to train alternative models or learn anything about the classifier.
• Cons: Calls for a lot of queries to the target classifier.

Key takeaways

• Adversarial machine learning is a crucial tool in protecting data and machine learning models from malicious manipulation and exploitation by adversarial actors.
• Adversarial machine learning aims to address the vulnerability of machine learning models to adversarial attacks, including data poisoning, model inversion, evasion, and exploitation attacks, and provide a more secure and trustworthy foundation for organizations and individuals to use machine learning.
• Adversarial machine learning training and defensive distillation are two of the most effective techniques for training AI systems to withstand adversarial attacks.
• Adversarial training is a supervised learning method that uses brute force to feed as many adversarial examples as possible into the model and explicitly label them as threatening.
• Defensive distillation adds flexibility to an algorithm’s classification process to make the model less susceptible to exploitation, and it has the advantage of adaptability to unknown threats. However, the second model is still limited by the general rules of the first model and may still be vulnerable to reverse engineering by attackers.

Conclusion

The current state of cybersecurity in the digital environment requires a proactive and multi-layered approach to ensure the protection of data. Adversarial machine learning represents a crucial aspect of this approach, leveraging the power of machine learning to defend against evolving cyber threats. The adversarial machine learning field continues to advance and evolve, providing organizations and individuals with a wider range of solutions to choose from in the fight against cyber-attacks.

In conclusion, the importance of AML in today’s digital environment cannot be overstated. Its role in ensuring the security and integrity of data is central to the protection of organizations, individuals, and the overall digital landscape. As the digital environment continues to evolve and expand, organizations and individuals must continue to invest in and integrate adversarial machine learning solutions into their cybersecurity strategies.