Robust Algorithms Under Adversarial Injections
In this paper, we study streaming and online algorithms in the context of randomness in the input. For several problems, a random order of the input sequence - as opposed to the worst-case order - appears to be a necessary evil in order to prove satisfying guarantees. However, algorithmic techniques that work under this assumption tend to be vulnerable to even small changes in the distribution. For this reason, we propose a new adversarial injections model, in which the input is ordered randomly, but an adversary may inject misleading elements at arbitrary positions. We believe that studying algorithms under this much weaker assumption can lead to new insights and, in particular, more robust algorithms. We investigate two classical combinatorial-optimization problems in this model: maximum matching and cardinality-constrained monotone submodular function maximization. Our main technical contribution is a novel streaming algorithm for the latter that computes a 0.55-approximation. While the algorithm itself is clean and simple, an involved analysis shows that it emulates a subdivision of the input stream which can be used to greatly limit the power of the adversary.
Biometric Backdoors: A Poisoning Attack Against Unsupervised Template Updating
In this work, we investigate the concept of biometric backdoors: a template
poisoning attack on biometric systems that allows adversaries to stealthily and
effortlessly impersonate users in the long-term by exploiting the template
update procedure. We show that such attacks can be carried out even by
attackers with physical limitations (no digital access to the sensor) and zero
knowledge of training data (they know neither decision boundaries nor user
template). Based on the adversaries' own templates, they craft several
intermediate samples that incrementally bridge the distance between their own
template and the legitimate user's. As these adversarial samples are added to
the template, the attacker is eventually accepted alongside the legitimate
user. To avoid detection, we design the attack to minimize the number of
rejected samples.
We design our method to cope with the weak assumptions for the attacker and
we evaluate the effectiveness of this approach on state-of-the-art face
recognition pipelines based on deep neural networks. We find that in scenarios
where the deep network is known, adversaries can successfully carry out the
attack over 70% of cases with less than ten injection attempts. Even in
black-box scenarios, we find that exploiting the transferability of adversarial
samples from surrogate models can lead to successful attacks in around 15% of
cases. Finally, we design a poisoning detection technique that leverages the
consistent directionality of template updates in feature space to discriminate
between legitimate and malicious updates. We evaluate such a countermeasure
with a set of intra-user variability factors which may present the same
directionality characteristics, obtaining equal error rates for the detection
between 7% and 14% and leading to over 99% of attacks being detected after only two
sample injections.
Comment: 12 pages
Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection
Machine learning based solutions have been successfully employed for
automatic detection of malware in Android applications. However, machine
learning models are known to lack robustness against inputs crafted by an
adversary. So far, the adversarial examples can only deceive Android malware
detectors that rely on syntactic features, and the perturbations can only be
implemented by simply modifying the Android manifest. While recent Android malware
detectors rely more on semantic features from Dalvik bytecode rather than
manifest, existing attacking/defending methods are no longer effective. In this
paper, we introduce a new highly-effective attack that generates adversarial
examples of Android malware and evades being detected by the current models. To
this end, we propose a method of applying optimal perturbations onto Android
APK using a substitute model. Based on the transferability concept, the
perturbations that successfully deceive the substitute model are likely to
deceive the original models as well. We develop an automated tool to generate
the adversarial examples without human intervention to apply the attacks. In
contrast to existing works, the adversarial examples crafted by our method can
also deceive recent machine learning based detectors that rely on semantic
features such as control-flow-graph. The perturbations can also be implemented
directly onto the APK's Dalvik bytecode rather than the Android manifest to evade
recent detectors. We evaluated the proposed manipulation methods for
adversarial examples by using the same datasets that Drebin and MaMaDroid (5879
malware samples) used. Our results show that the malware detection rates
decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just
a small distortion generated by our adversarial examples manipulation method.
Comment: 15 pages, 11 figures
Measuring the Impact of Adversarial Errors on Packet Scheduling Strategies
In this paper we explore the problem of achieving efficient packet
transmission over unreliable links with worst case occurrence of errors. In
such a setup, even an omniscient offline scheduling strategy cannot achieve
stability of the packet queue, nor is it able to use up all the available
bandwidth. Hence, an important first step is to identify an appropriate metric
for measuring the efficiency of scheduling strategies in such a setting. To
this end, we propose a relative throughput metric which corresponds to the long
term competitive ratio of the algorithm with respect to the optimal. We then
explore the impact of the error detection mechanism and feedback delay on our
measure. We compare instantaneous error feedback with deferred error feedback,
that requires a faulty packet to be fully received in order to detect the
error. We propose algorithms for worst-case adversarial and stochastic packet
arrival models, and formally analyze their performance. The relative throughput
achieved by these algorithms is shown to be close to optimal by deriving lower
bounds on the relative throughput of the algorithms and almost matching upper
bounds for any algorithm in the considered settings. Our collection of results
demonstrates the potential of using instantaneous feedback to improve the
performance of communication systems in adverse environments.
Fault Sneaking Attack: a Stealthy Framework for Misleading Deep Neural Networks
Despite the great achievements of deep neural networks (DNNs), the
vulnerability of state-of-the-art DNNs raises security concerns of DNNs in many
application domains requiring high reliability. We propose the fault sneaking
attack on DNNs, where the adversary aims to misclassify certain input images
into any target labels by modifying the DNN parameters. We apply ADMM
(alternating direction method of multipliers) for solving the optimization
problem of the fault sneaking attack with two constraints: 1) the
classification of the other images should be unchanged and 2) the parameter
modifications should be minimized. Specifically, the first constraint requires
us not only to inject designated faults (misclassifications), but also to hide
the faults for stealthy or sneaking considerations by maintaining model
accuracy. The second constraint requires us to minimize the parameter
modifications (using L0 norm to measure the number of modifications and L2 norm
to measure the magnitude of modifications). Comprehensive experimental
evaluation demonstrates that the proposed framework can inject multiple
sneaking faults without losing the overall test accuracy performance.
Comment: Accepted by the 56th Design Automation Conference (DAC 2019)