research-article
Open Access

Making machine learning robust against adversarial inputs

Published: 25 June 2018

Abstract

Such inputs distort how machine-learning-based systems are able to function in the world as it is.



Published in: Communications of the ACM, Volume 61, Issue 7, July 2018, 90 pages.
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/3234519

Copyright © 2018 Owner/Author

              Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article, Popular, Refereed
