RISS

Resilient Information Systems Security

Procedural Noise Adversarial Examples for Black-Box Attacks on Deep Convolutional Networks (CCS ’19)

Our paper on procedural noise adversarial examples has been accepted to the 26th ACM Conference on Computer and Communications Security (ACM CCS ’19).

official: https://dl.acm.org/citation.cfm?id=3345660
code: https://github.com/kenny-co/procedural-advml

Abstract: Deep Convolutional Networks (DCNs) have been shown to be vulnerable to adversarial examples—perturbed inputs specifically designed to produce intentional errors in the learning algorithms at test time. Existing input-agnostic adversarial perturbations exhibit interesting visual patterns that are currently unexplained. In this paper, we introduce a structured approach for generating Universal Adversarial Perturbations (UAPs) with procedural noise functions. Our approach unveils the systemic vulnerability of popular DCN models like Inception v3 and YOLO v3, with single noise patterns able to fool a model on up to 90% of the dataset. Procedural noise allows us to generate a distribution of UAPs with high universal evasion rates using only a few parameters. Additionally, we propose Bayesian optimization to efficiently learn procedural noise parameters to construct inexpensive untargeted black-box attacks. We demonstrate that it can achieve an average of less than 10 queries per successful attack, a 100-fold improvement on existing methods. We further motivate the use of input-agnostic defences to increase the stability of models to adversarial perturbations. The universality of our attacks suggests that DCN models may be sensitive to aggregations of low-level class-agnostic features. These findings give insight on the nature of some universal adversarial perturbations and how they could be generated in other applications.

Research Assistant/Research Associate in Federated and Adversarial Machine Learning

Research Assistant/Research Associate in Federated and Adversarial Machine Learning (Imperial College London)

Full Time, Fixed Term appointment to start October 2019 until 31/11/2021

The Resilient Information Systems Security Group (RISS) in the Department of Computing at Imperial College London is seeking a Research Assistant/Associate to work on the EU-funded Musketeer project. Musketeer aims to create a federated and privacy-preserving machine learning data platform that is interoperable, efficient and robust against internal and external threats. Led by IBM, the project involves 11 academic and industrial partners from 7 countries and will validate its findings in two industrial scenarios in smart manufacturing and health care. Further details about the project can be found at: www.musketeer.eu.

The main contribution of the RISS group to the Musketeer project focuses on the investigation and development of federated machine learning algorithms that are robust against attacks at training and test time, including the investigation of new poisoning attack and defence strategies, as well as novel mechanisms to generate adversarial examples and mitigate their effects. The work also includes the analysis of scenarios where multiple malicious users collude to manipulate or degrade the performance of federated machine learning systems.

There will be opportunities to collaborate with other researchers and PhD students in the RISS group working on adversarial machine learning and other machine learning applications in the security domain.

To apply for this position, you will need to have a strong machine learning background with proven knowledge and track record in one or more of the following research areas and techniques:

  • Adversarial machine learning.
  • Robust machine learning.
  • Federated or distributed machine learning.
  • Deep learning.
  • Bayesian inference.

Research Assistant applicants will have a Master’s degree (or equivalent) in an area pertinent to the subject area, i.e., Computing or Engineering. Research Associate applicants will have a PhD degree (or equivalent) in an area pertinent to the subject area, i.e., Computing or Engineering.

You must have excellent verbal and written communication skills, enjoy working collaboratively, and be able to organise your own work with minimal supervision and prioritise work to meet deadlines. Preference will be given to applicants with a proven research record and publications in the relevant areas, including in prestigious machine learning and security journals and conferences.

The post is based in the Department of Computing at Imperial College London on the South Kensington Campus. The post holder will be required to travel occasionally to attend project meetings and to work collaboratively with the project partners.

How to apply:

Please complete our online application by visiting http://www.imperial.ac.uk/jobs/description/ENG00916/research-assistant-research-associates-federated-and-adversarial-machine-learning

Applications must include the following:

  • A full CV and list of publications
  • A 1 page statement outlining why you think you would be ideal for this post.

Should you have any queries regarding the application process, please contact Jamie Perrins via j.perrins@imperial.ac.uk.

Informal enquiries can be addressed to Professor Emil Lupu (e.c.lupu@imperial.ac.uk).

For full details, visit: https://www.jobs.ac.uk/job/BTY970/research-assistant-research-associates-in-federated-and-adversarial-machine-learning

A Formal Approach to Analyzing Cyber-Forensics Evidence

Erisa Karafili’s paper “A Formal Approach to Analyzing Cyber-Forensics Evidence” was accepted at the European Symposium on Research in Computer Security (ESORICS) 2018. This work is part of the AF-Cyber Project, and was a joint collaboration with King’s College London and the University of Verona.

Title: A Formal Approach to Analyzing Cyber-Forensics Evidence

Authors: Erisa Karafili, Matteo Cristani, Luca Viganò

Abstract: The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis to reduce the complexity of the problem in order to then draw conclusions more swiftly and efficiently. We introduce the Evidence Logic EL for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence with the use of tableau rules, based on relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.


You can find the paper here.

This work was funded from the European Union’s Horizon 2020 research and innovation program under the Marie Sklodowska-Curie grant agreement No 746667.

Label Sanitization against Label Flipping Poisoning Attacks

Andrea Paudice, Luis Muñoz-González, Emil C. Lupu. 2018. Label Sanitization against Label Flipping Poisoning Attacks. arXiv preprint arXiv:1803.00992.

Many machine learning systems rely on data collected in the wild from untrusted sources, exposing the learning algorithms to data poisoning. Attackers can inject malicious data in the training dataset to subvert the learning process, compromising the performance of the algorithm and producing errors in a targeted or an indiscriminate way. Label flipping attacks are a special case of data poisoning, where the attacker can control the labels assigned to a fraction of the training points. Even if the capabilities of the attacker are constrained, these attacks have been shown to be effective at significantly degrading the performance of the system. In this paper we propose an efficient algorithm to perform optimal label flipping poisoning attacks and a mechanism to detect and relabel suspicious data points, mitigating the effect of such poisoning attacks.

Detection of Adversarial Training Examples in Poisoning Attacks through Anomaly Detection

Andrea Paudice, Luis Muñoz-González, Andras Gyorgy, Emil C. Lupu. 2018. Detection of Adversarial Training Examples in Poisoning Attacks through Anomaly Detection. arXiv preprint arXiv:1802.03041.


Machine learning has become an important component for many systems and applications including computer vision, spam filtering, malware and network intrusion detection, among others. Despite the capabilities of machine learning algorithms to extract valuable information from data and produce accurate predictions, it has been shown that these algorithms are vulnerable to attacks.
Data poisoning is one of the most relevant security threats against machine learning systems, where attackers can subvert the learning process by injecting malicious samples in the training data. Recent work in adversarial machine learning has shown that the so-called optimal attack strategies can successfully poison linear classifiers, degrading the performance of the system dramatically after compromising a small fraction of the training dataset. In this paper we propose a defence mechanism to mitigate the effect of these optimal poisoning attacks based on outlier detection. We show empirically that the adversarial examples generated by these attack strategies are quite different from genuine points, as no detectability constraints are considered to craft the attack. Hence, they can be detected with an appropriate pre-filtering of the training dataset.


AF-Cyber: Logic-based Attribution and Forensics in Cyber Security

Dr Karafili is officially a Marie Curie Fellow at the Department of Computing, Imperial College. She will work on the project “AF-Cyber: Logic-based Attribution and Forensics in Cyber Security”. The project was granted by the European Union’s Horizon 2020 Research and Innovation Programme under the Marie Sklodowska-Curie grant agreement No 746667.


AF-Cyber: Logic-based Attribution and Forensics in Cyber Security

The main goal of AF-Cyber is to investigate and analyse the problem of attributing cyber attacks. We plan to construct a logic-based framework for performing attribution of cyber attacks, based on cyber forensics evidence, social science approaches and an intelligent methodology for dynamic evidence collection. AF-Cyber will address part of the cyber attack problem by supporting forensic investigation and attribution with logic-based frameworks for representation and reasoning, together with supporting tools. AF-Cyber is multi-disciplinary and collaborative, bridging forensics in cyber attacks, theoretical computer science (logics and formal proofs), security, software engineering, and social science.