Robust Machine Learning Models for Security-Critical Applications
Keywords:
imperceptible, perturbation, reinforcement, implementations, algorithms, adversarial.
Abstract
As recent research has revealed, a modest and human-imperceptible input perturbation can completely change a model's output. Machine learning models are susceptible to such adversarial perturbations. This has created substantial security vulnerabilities for a large number of real-world applications, so formal verification of the robustness of machine learning models is becoming more relevant. This thesis investigates the robustness of tree-based models and deep neural networks, and also considers applications of robust machine learning models in deep reinforcement learning. First, we propose a novel method for learning robust trees. Our technique seeks to improve performance under the worst-case perturbation of input features, which gives rise to a max-min saddle point problem when splitting nodes in trees. By approximating the inner minimizer of this saddle point problem, we obtain fast tree construction methods. Furthermore, we show efficient implementations for traditional information-gain-based trees as well as state-of-the-art tree boosting models such as XGBoost. Experiments show that our approach greatly improves model robustness. In addition, we present an efficient method for verifying the robustness of tree ensembles. We recast the problem of verifying tree ensembles as a max-clique problem on a multipartite graph. We design an efficient multi-level verification approach that provides tight lower bounds on the robustness of decision tree ensembles. Our algorithm also supports iterative refinement and can be stopped at any time.
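To make the max-min split concrete, here is an added worked example in Python; it is not code from the thesis. It builds a decision stump on one numeric feature under an L-infinity perturbation budget: the learner picks the threshold, and the adversary then moves every point by at most eps to make the split as impure as possible. Everything beyond the abstract is an assumption: Gini impurity as the criterion, binary labels, the toy dataset, and a four-assignment heuristic for the inner minimizer (my own simplification, not necessarily the thesis's approximation); `exact=True` brute-forces all assignments for comparison.

```python
"""Robust decision-stump split under an L-infinity perturbation budget.

Added example (not code from the thesis).  Assumed: one numeric feature,
binary 0/1 labels, Gini impurity as the split criterion, an adversary that may
move each input by at most eps, and a four-assignment heuristic for the inner
minimizer (a simplification, not necessarily the thesis's approximation).
"""
from itertools import product


def gini(labels):
    """Gini impurity of a list of 0/1 labels (0.0 means pure)."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    return 2.0 * p * (1.0 - p)


def weighted_impurity(left, right):
    """Size-weighted Gini impurity of a two-way split (lower is better)."""
    n = len(left) + len(right)
    return (len(left) * gini(left) + len(right) * gini(right)) / n


def partition(xs, ys, t, eps):
    """Split labels into fixed-left, fixed-right and ambiguous groups.

    A point goes left when x < t.  With an L-inf budget the adversary may place
    x anywhere in [x - eps, x + eps]; a point whose interval straddles t can be
    forced to either side, so its label lands in the ambiguous group.
    """
    left, right, ambiguous = [], [], []
    for x, y in zip(xs, ys):
        if x + eps < t:
            left.append(y)
        elif x - eps >= t:
            right.append(y)
        else:
            ambiguous.append(y)
    return left, right, ambiguous


def worst_case_impurity(xs, ys, t, eps, exact=False):
    """Inner minimizer of the max-min split: the adversary assigns each ambiguous
    point to the side that maximises impurity (i.e. minimises the learner's gain).

    exact=True enumerates all 2^k assignments; exact=False checks only four
    (all left, all right, positives left / negatives right, and the reverse).
    """
    left, right, ambiguous = partition(xs, ys, t, eps)
    if not ambiguous:
        return weighted_impurity(left, right)
    if exact:
        assignments = product((0, 1), repeat=len(ambiguous))  # 1 = send right
    else:
        assignments = [
            [0] * len(ambiguous),
            [1] * len(ambiguous),
            [1 - y for y in ambiguous],  # positives left, negatives right
            list(ambiguous),             # positives right, negatives left
        ]
    worst = 0.0
    for sides in assignments:
        l = left + [y for y, s in zip(ambiguous, sides) if s == 0]
        r = right + [y for y, s in zip(ambiguous, sides) if s == 1]
        worst = max(worst, weighted_impurity(l, r))
    return worst


def best_split(xs, ys, eps=0.0, exact=False):
    """Outer maximiser: choose the threshold whose worst-case impurity is lowest.
    eps=0.0 recovers the ordinary (non-robust) split.  Returns (threshold, score).
    """
    values = sorted(set(xs))
    candidates = [(a + b) / 2.0 for a, b in zip(values, values[1:])]
    score, t = min((worst_case_impurity(xs, ys, t, eps, exact), t) for t in candidates)
    return t, score


# Constructed toy data: two clean clusters plus a pair (0.48 -> 0, 0.52 -> 1)
# sitting right at the narrow gap where the non-robust split would go.
XS = [0.0, 0.1, 0.2, 0.25, 0.48, 0.52, 0.7, 0.8, 0.9, 1.0]
YS = [0,   0,   0,   0,    0,    1,    1,   1,   1,   1]

if __name__ == "__main__":
    print("clean split  :", best_split(XS, YS))           # threshold 0.5, impurity 0.0
    print("robust split :", best_split(XS, YS, eps=0.1))  # threshold 0.365, impurity 1/6
```

On this data the non-robust split chooses the narrow gap at 0.5, which is perfectly pure but lets an adversary with eps = 0.1 swap the two boundary points and raise the impurity to 0.32; the robust split instead accepts one misplaced point at threshold 0.365, where no point can be moved across, so its worst case equals its clean impurity of 1/6.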
When applied to random forest or gradient boosted decision tree models trained on a variety of datasets, our algorithm is up to hundreds of times faster than the previous approach, which requires solving a mixed integer linear programming problem. Furthermore, it provides tight robustness verification bounds on large ensembles containing hundreds of deep trees. We also present a variety of empirical studies on the feasibility and difficulty of adversarial training for neural networks. We demonstrate that, even with an adversarial training defense, the robustness of a model on a test example is strongly associated with the distance between that example and the manifold of training data learned by the network. Adversarial attacks are more likely to succeed against test examples that are far from this manifold. As a consequence, we show that an adversarial-training-based defense is susceptible to a new class of attacks, the "blind-spot attack", in which the input examples lie in low-density regions ("blind spots") of the empirical distribution of training data but are still on the valid ground-truth data manifold. Finally, we extend neural network robust training approaches to deep reinforcement learning (DRL) in order to train agents that are resistant to perturbations of state observations. To investigate the fundamental properties of this problem, we propose the state-adversarial Markov decision process (SA-MDP). We also provide a theoretically principled regularization that applies to a variety of deep learning and reinforcement learning algorithms, such as deep Q networks (DQN) and proximal policy optimization (PPO). We obtain major improvements in the robustness of agents under strong white-box adversarial attacks, including novel attacks that we have developed.
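The max-clique formulation of ensemble verification in the abstract, as an added worked example in Python (not code from the thesis): the leaves of each tree that the perturbation box can reach form one partite set, two leaves are adjacent when their boxes intersect, and a clique with one leaf per tree corresponds to an input the adversary can actually realise, so the smallest clique value is the worst-case ensemble output. Assumptions beyond the abstract: a GBDT-style ensemble whose prediction is the sign of the summed leaf values, closed leaf intervals, a constructed four-tree ensemble and test point, and my own reconstruction of the multi-level bound as solving the clique problem exactly inside groups of consecutive trees and adding the group minima.

```python
"""Robustness verification of a tree ensemble as a clique search over leaves.

Added example, not code from the thesis.  Assumed: a GBDT-style ensemble whose
output is the sum of one leaf value per tree and whose predicted class is the
sign of that sum, an L-infinity box around the test point, leaf boxes treated
as closed intervals, and a bound that merges consecutive trees in groups of a
chosen size (my reconstruction of the "multi-level" idea: larger groups give
tighter bounds, and the whole ensemble as one group is exact).
"""
from itertools import product

INF = float("inf")


def leaf(value, box):
    """A leaf is its value plus an axis-aligned box {feature: (lo, hi)};
    features missing from the box are unbounded."""
    return {"value": value, "box": box}


def intersect(box_a, box_b):
    """True when two boxes share a point (closed intervals)."""
    for d in set(box_a) | set(box_b):
        lo_a, hi_a = box_a.get(d, (-INF, INF))
        lo_b, hi_b = box_b.get(d, (-INF, INF))
        if max(lo_a, lo_b) > min(hi_a, hi_b):
            return False
    return True


def perturbation_box(x, eps):
    """All inputs the adversary can reach: [x_d - eps, x_d + eps] per feature."""
    return {d: (v - eps, v + eps) for d, v in enumerate(x)}


def reachable_leaves(tree, pbox):
    """One partite set of the graph: leaves of this tree the adversary can reach."""
    return [lf for lf in tree if intersect(lf["box"], pbox)]


def min_clique_value(trees, pbox):
    """Exact search: one reachable leaf per tree forms a clique when the leaf
    boxes pairwise intersect (for axis-aligned boxes, pairwise intersection
    already implies a common point, so every clique is a realisable input).
    Returns the smallest ensemble output over all cliques."""
    parts = [reachable_leaves(t, pbox) for t in trees]
    best = INF
    for combo in product(*parts):
        pairs = ((a, b) for i, a in enumerate(combo) for b in combo[i + 1:])
        if all(intersect(a["box"], b["box"]) for a, b in pairs):
            best = min(best, sum(lf["value"] for lf in combo))
    return best


def lower_bound(trees, x, eps, group_size):
    """Multi-level bound: solve the clique problem exactly inside each group of
    consecutive trees and add the group minima.  Cross-group incompatibilities
    are ignored, so the result is a valid lower bound on the worst-case output;
    group_size == len(trees) makes it exact."""
    pbox = perturbation_box(x, eps)
    return sum(min_clique_value(trees[i:i + group_size], pbox)
               for i in range(0, len(trees), group_size))


def predict(trees, x):
    """Clean ensemble output: the first leaf in each tree whose box contains x."""
    point = {d: (v, v) for d, v in enumerate(x)}
    return sum(next(lf["value"] for lf in t if intersect(lf["box"], point)) for t in trees)


def certified(trees, x, eps):
    """True when the clean prediction is positive and no input within eps can
    drive the ensemble output to zero or below (negate the leaf values to
    check a negatively classified point)."""
    return predict(trees, x) > 0 and lower_bound(trees, x, eps, len(trees)) > 0


# Constructed 4-tree ensemble over features x0 and x1 (each tree is one split).
TREES = [
    [leaf(-1.0, {0: (-INF, 0.5)}), leaf(+1.0, {0: (0.5, INF)})],    # x0 < 0.5 ?
    [leaf(-1.0, {1: (-INF, 0.5)}), leaf(+1.0, {1: (0.5, INF)})],    # x1 < 0.5 ?
    [leaf(+1.0, {0: (-INF, 0.65)}), leaf(-3.0, {0: (0.65, INF)})],  # x0 < 0.65 ?
    [leaf(+2.0, {1: (-INF, 0.7)}), leaf(-2.0, {1: (0.7, INF)})],    # x1 < 0.7 ?
]
X = (0.6, 0.6)  # constructed test point, clean output +5

if __name__ == "__main__":
    for g in (1, 2, 3, 4):
        print(f"group size {g}: lower bound {lower_bound(TREES, X, 0.15, g)}")
    print("certified at eps=0.04:", certified(TREES, X, 0.04))
```

With eps = 0.15 the per-tree bound (group size 1) reports -7, because it pairs the leaf "x0 <= 0.5" with the leaf "x0 >= 0.65" even though no single input satisfies both; merging three trees tightens the bound to -5, and the full clique search gives the true worst case of -3, so the point is not robust at that radius. At eps = 0.04 only the clean leaves are reachable and the point is certified.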
License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.