通过加密眼镜的机器学习:通过基于密钥的多样化聚合对抗对抗性攻击。

IF 2.5 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
EURASIP Journal on Information Security Pub Date : 2020-01-01 Epub Date: 2020-06-01 DOI:10.1186/s13635-020-00106-x
Olga Taran, Shideh Rezaeifar, Taras Holotyak, Slava Voloshynovskiy
{"title":"通过加密眼镜的机器学习:通过基于密钥的多样化聚合对抗对抗性攻击。","authors":"Olga Taran,&nbsp;Shideh Rezaeifar,&nbsp;Taras Holotyak,&nbsp;Slava Voloshynovskiy","doi":"10.1186/s13635-020-00106-x","DOIUrl":null,"url":null,"abstract":"<p><p>In recent years, classification techniques based on deep neural networks (DNN) were widely used in many fields such as computer vision, natural language processing, and self-driving cars. However, the vulnerability of the DNN-based classification systems to adversarial attacks questions their usage in many critical applications. Therefore, the development of robust DNN-based classifiers is a critical point for the future deployment of these methods. Not less important issue is understanding of the mechanisms behind this vulnerability. Additionally, it is not completely clear how to link machine learning with cryptography to create an information advantage of the defender over the attacker. In this paper, we propose a key-based diversified aggregation (KDA) mechanism as a defense strategy in a gray- and black-box scenario. KDA assumes that the attacker (i) knows the architecture of classifier and the used defense strategy, (ii) has an access to the training data set, but (iii) does not know a secret key and does not have access to the internal states of the system. The robustness of the system is achieved by a specially designed key-based randomization. The proposed randomization prevents the gradients' back propagation and restricts the attacker to create a \"bypass\" system. The randomization is performed simultaneously in several channels. Each channel introduces its own randomization in a special transform domain. The sharing of a secret key between the training and test stages creates an information advantage to the defender. Finally, the aggregation of soft outputs from each channel stabilizes the results and increases the reliability of the final score. The performed experimental evaluation demonstrates a high robustness and universality of the KDA against state-of-the-art gradient-based gray-box transferability attacks and the non-gradient-based black-box attacks (The results reported in this paper have been partially presented in CVPR 2019 (Taran et al., Defending against adversarial attacks by randomized diversification, 2019) & ICIP 2019 (Taran et al., Robustification of deep net classifiers by key-based diversified aggregation with pre-filtering, 2019)).</p>","PeriodicalId":46070,"journal":{"name":"EURASIP Journal on Information Security","volume":"2020 1","pages":"10"},"PeriodicalIF":2.5000,"publicationDate":"2020-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1186/s13635-020-00106-x","citationCount":"6","resultStr":"{\"title\":\"Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.\",\"authors\":\"Olga Taran,&nbsp;Shideh Rezaeifar,&nbsp;Taras Holotyak,&nbsp;Slava Voloshynovskiy\",\"doi\":\"10.1186/s13635-020-00106-x\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p><p>In recent years, classification techniques based on deep neural networks (DNN) were widely used in many fields such as computer vision, natural language processing, and self-driving cars. However, the vulnerability of the DNN-based classification systems to adversarial attacks questions their usage in many critical applications. Therefore, the development of robust DNN-based classifiers is a critical point for the future deployment of these methods. Not less important issue is understanding of the mechanisms behind this vulnerability. Additionally, it is not completely clear how to link machine learning with cryptography to create an information advantage of the defender over the attacker. In this paper, we propose a key-based diversified aggregation (KDA) mechanism as a defense strategy in a gray- and black-box scenario. KDA assumes that the attacker (i) knows the architecture of classifier and the used defense strategy, (ii) has an access to the training data set, but (iii) does not know a secret key and does not have access to the internal states of the system. The robustness of the system is achieved by a specially designed key-based randomization. The proposed randomization prevents the gradients' back propagation and restricts the attacker to create a \\\"bypass\\\" system. The randomization is performed simultaneously in several channels. Each channel introduces its own randomization in a special transform domain. The sharing of a secret key between the training and test stages creates an information advantage to the defender. Finally, the aggregation of soft outputs from each channel stabilizes the results and increases the reliability of the final score. The performed experimental evaluation demonstrates a high robustness and universality of the KDA against state-of-the-art gradient-based gray-box transferability attacks and the non-gradient-based black-box attacks (The results reported in this paper have been partially presented in CVPR 2019 (Taran et al., Defending against adversarial attacks by randomized diversification, 2019) & ICIP 2019 (Taran et al., Robustification of deep net classifiers by key-based diversified aggregation with pre-filtering, 2019)).</p>\",\"PeriodicalId\":46070,\"journal\":{\"name\":\"EURASIP Journal on Information Security\",\"volume\":\"2020 1\",\"pages\":\"10\"},\"PeriodicalIF\":2.5000,\"publicationDate\":\"2020-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1186/s13635-020-00106-x\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"EURASIP Journal on Information Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1186/s13635-020-00106-x\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"2020/6/1 0:00:00\",\"PubModel\":\"Epub\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"EURASIP Journal on Information Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1186/s13635-020-00106-x","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2020/6/1 0:00:00","PubModel":"Epub","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 6

摘要

近年来,基于深度神经网络(DNN)的分类技术被广泛应用于计算机视觉、自然语言处理、自动驾驶汽车等多个领域。然而,基于dnn的分类系统在对抗性攻击中的脆弱性质疑了它们在许多关键应用中的使用。因此,基于dnn的鲁棒分类器的开发是这些方法未来部署的关键点。同样重要的问题是理解这个漏洞背后的机制。此外,目前还不完全清楚如何将机器学习与密码学联系起来,以创造防御者对攻击者的信息优势。在本文中,我们提出了一种基于密钥的多样化聚合(KDA)机制作为灰盒和黑盒场景下的防御策略。KDA假设攻击者(i)知道分类器的架构和使用的防御策略,(ii)可以访问训练数据集,但(iii)不知道密钥,也无法访问系统的内部状态。系统的鲁棒性是通过特殊设计的基于密钥的随机化来实现的。所提出的随机化可以防止梯度的反向传播,并限制攻击者创建“绕过”系统。随机化在多个通道中同时进行。每个通道在一个特殊的变换域中引入自己的随机化。在训练和测试阶段之间共享密钥为防御者创造了信息优势。最后,来自每个通道的软输出的聚合稳定了结果并增加了最终分数的可靠性。所进行的实验评估表明,KDA对最先进的基于梯度的灰盒可转移性攻击和非基于梯度的黑盒攻击具有高鲁棒性和通用性(本文报告的结果已在CVPR 2019 (Taran等人,通过随机多样化防御对抗性攻击,2019)和ICIP 2019 (Taran等人,2019)中部分呈现。基于预过滤键的多元聚合对深度网络分类器的鲁棒性增强,2019)。
本文章由计算机程序翻译,如有差异,请以英文原文为准。

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.

In recent years, classification techniques based on deep neural networks (DNN) were widely used in many fields such as computer vision, natural language processing, and self-driving cars. However, the vulnerability of the DNN-based classification systems to adversarial attacks questions their usage in many critical applications. Therefore, the development of robust DNN-based classifiers is a critical point for the future deployment of these methods. Not less important issue is understanding of the mechanisms behind this vulnerability. Additionally, it is not completely clear how to link machine learning with cryptography to create an information advantage of the defender over the attacker. In this paper, we propose a key-based diversified aggregation (KDA) mechanism as a defense strategy in a gray- and black-box scenario. KDA assumes that the attacker (i) knows the architecture of classifier and the used defense strategy, (ii) has an access to the training data set, but (iii) does not know a secret key and does not have access to the internal states of the system. The robustness of the system is achieved by a specially designed key-based randomization. The proposed randomization prevents the gradients' back propagation and restricts the attacker to create a "bypass" system. The randomization is performed simultaneously in several channels. Each channel introduces its own randomization in a special transform domain. The sharing of a secret key between the training and test stages creates an information advantage to the defender. Finally, the aggregation of soft outputs from each channel stabilizes the results and increases the reliability of the final score. The performed experimental evaluation demonstrates a high robustness and universality of the KDA against state-of-the-art gradient-based gray-box transferability attacks and the non-gradient-based black-box attacks (The results reported in this paper have been partially presented in CVPR 2019 (Taran et al., Defending against adversarial attacks by randomized diversification, 2019) & ICIP 2019 (Taran et al., Robustification of deep net classifiers by key-based diversified aggregation with pre-filtering, 2019)).

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
EURASIP Journal on Information Security
EURASIP Journal on Information Security COMPUTER SCIENCE, INFORMATION SYSTEMS-
CiteScore
8.80
自引率
0.00%
发文量
6
审稿时长
13 weeks
期刊介绍: The overall goal of the EURASIP Journal on Information Security, sponsored by the European Association for Signal Processing (EURASIP), is to bring together researchers and practitioners dealing with the general field of information security, with a particular emphasis on the use of signal processing tools in adversarial environments. As such, it addresses all works whereby security is achieved through a combination of techniques from cryptography, computer security, machine learning and multimedia signal processing. Application domains lie, for example, in secure storage, retrieval and tracking of multimedia data, secure outsourcing of computations, forgery detection of multimedia data, or secure use of biometrics. The journal also welcomes survey papers that give the reader a gentle introduction to one of the topics covered as well as papers that report large-scale experimental evaluations of existing techniques. Pure cryptographic papers are outside the scope of the journal. Topics relevant to the journal include, but are not limited to: • Multimedia security primitives (such digital watermarking, perceptual hashing, multimedia authentictaion) • Steganography and Steganalysis • Fingerprinting and traitor tracing • Joint signal processing and encryption, signal processing in the encrypted domain, applied cryptography • Biometrics (fusion, multimodal biometrics, protocols, security issues) • Digital forensics • Multimedia signal processing approaches tailored towards adversarial environments • Machine learning in adversarial environments • Digital Rights Management • Network security (such as physical layer security, intrusion detection) • Hardware security, Physical Unclonable Functions • Privacy-Enhancing Technologies for multimedia data • Private data analysis, security in outsourced computations, cloud privacy
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信