PhD in Electronic and Computer Engineering

Adversarial Pattern Classification

Battista Biggio
XXII cycle

Advisor: prof. Fabio Roli

Department of Electrical and Electronic Engineering
University of Cagliari, Italy
Outline

• Problem definition
• Open issues
• Contributions of this thesis
     – Experiments
• Conclusions and future works

05-03-2010   Adversarial Classification - B. Biggio   2
What is adversarial classification?
• Pattern recognition in security applications
     – spam filtering, intrusion detection, biometrics

• Malicious adversaries aim to mislead the system

[Figure: two-dimensional feature space (x1, x2) with the decision function f(x) separating legitimate from malicious samples; the spam message "Buy viagra!" and its obfuscated variant "Buy vi4gr@!" lie at different points of the space]
Open issues

1. Vulnerability identification
     • potential vulnerabilities may be exploited by an adversary to mislead the system

2. Performance evaluation under attack
     • standard performance evaluation does not provide information about the robustness of a classifier under attack

3. Defence strategies for robust classifier design
     • classification algorithms were not originally designed to be robust against adversarial attacks
Main contributions of this thesis

1. State of the art in adversarial classification
     – to highlight the need for a unifying view of the problem

2. Robustness evaluation
     – to provide an estimate of the performance of a classifier under attack
     – to select a more appropriate classification model

3. Defence strategies for robust classifier design
     – to improve the robustness of classifiers under attack
1. State of the art

State of the art
• Vulnerability identification
     – Good word attacks in spam filtering [Wittel, Lowd, Graham-Cumming]
     – Polymorphic and poisoning attacks in IDSs [Fogla, Lee, Kloft, Laskov]
     – Possible attacks against a biometric verification system [Ratha, Jain]

• Defence strategies against specific attacks
     – Good word attacks in spam filtering [Jorgensen, Nelson]
     – Polymorphic and poisoning attacks in IDSs [Perdisci, Cretu]
     – Spoof attacks in biometrics [Rodrigues]

• No general methodology exists to evaluate the performance of classifiers under attack
State of the art

A clear and unifying view of the problem, as well as practical guidelines for the design of classifiers in adversarial environments, do not exist yet!
2. Robustness evaluation

Standard performance evaluation

[Figure: the collected data is split into a training set and a testing set; the training set is used to build the classifier, the testing set yields an accuracy estimate, which is then used to compare classifiers C1 and C2]

   Techniques             Performance measures
   Validation             Classification accuracy
   Cross validation       ROC curve
   Bootstrap              Area Under the ROC curve (AUC)
   …                      …
Problems

• Standard performance evaluation is likely to provide an optimistic estimate of the performance [Kolcz]
      1. collected data may not include attacks at all

   e.g., biometric systems are not typically tested against spoof attacks
Problems

• Standard performance evaluation is likely to provide an optimistic estimate of the performance [Kolcz]
      2. collected data may contain attacks which, however, were not targeted against the system being designed

   e.g., attacks collected in spam filtering or IDSs might have targeted systems based on different features
Problems
      3. collected data does not contain attacks of different attack strength
         • e.g., number of words modified in spam e-mails

   Example: "Buy viagra!"  →  "Buy vi4gr4!" (one word obfuscated)  →  "Buy vi4gr4! Did you ever play that game when you were a kid?" (obfuscation plus good words inserted)

   It is of interest to evaluate the robustness of classifiers under different attack strengths
Robustness evaluation

• Result of our robustness evaluation
      – performance vs attack strength

[Figure: standard performance evaluation gives a single accuracy value per classifier (C1, C2); robustness evaluation plots accuracy against attack strength, the standard estimate being the value at attack strength 0]

   Example: performance degradation of text classifiers in spam filtering under different numbers of modified words
Robustness evaluation
• Robustness evaluation is required to have a more complete understanding of the classifier's performance
     – We need to figure out how an adversary may attack the classifier (security by design)

• Designing attacks may be a very difficult task
     – in-depth knowledge of the specific application is required
     – costly and time-consuming
             • e.g., fake fingerprints

• We thus propose to simulate the effect of attacks by modifying the feature values of malicious samples
Attack simulation
• Biometric multi-modal verification system
• Potential attacks
     – spoof attempts

[Figure: the claimed identity is checked by a face matcher (score s1) and a fingerprint matcher (score s2); a fusion module outputs the genuine/impostor decision f(x). In the (s1, s2) score plane, genuine users and impostors form two clusters; a fingerprint spoof raises the fingerprint score s2 of an impostor, a face spoof raises its face score s1, moving it towards the genuine region]
Attack simulation
• Text classifiers in spam filtering
     – binary features (presence / absence of word)

• Potential attacks
     – bad word obfuscation (BWO) / good word insertion (GWI)

   "Buy viagra!"  →  "Buy vi4gr4! Did you ever play that game when you were a kid where the little plastic hippo tries to gobble up all your marbles?"

   x = [0 0 1 0 0 0 0 0 …]   →   x' = [0 0 0 0 1 0 0 1 …]

   x' = A(x)
Attack strength
• Distance in the feature space
     – chosen depending on the application and features

Example
• Text classifiers in spam filtering
     – binary features (presence / absence of word)

   "Buy viagra ! …"  →  "Buy vi@gr4 ! …"
   x = [0 0 1 0 1 …]   →   x' = [0 0 0 0 1 …]

   Hamming distance = number of words modified in the spam message: d(x, x') = 1
Attack strategy A(x)

[Figure: the spam "Buy viagra!" can be moved to any point within Hamming distance D of x; two attack strategies A1(x) ("B-u-y viagra!") and A2(x) ("Buy vi4gr@!") both satisfy the constraint with D = 1]

   d(x, x') ≤ D

A(x) depends on the adversary's knowledge about the classifier!
Worst case attack

• To simulate attacks which exploit knowledge of the decision function of the classifier

   $f(x) = \operatorname{sign}\big(g(x)\big) = \begin{cases} +1 & \text{malicious} \\ -1 & \text{legitimate} \end{cases}$

   e.g., $g(x) = \sum_i w_i x_i + w_0$

   $A(x) = \arg\min_{x'} g(x') \quad \text{s.t. } d(x, x') \le D$

[Figure: with D = 1, among the candidate modifications of "Buy viagra!" ("B-u-y viagra!", "Buy vi4gr@!") the worst case attack picks the one with the lowest discriminant value g(x'), i.e., the one closest to the legitimate side of f(x)]
Worst case attack

• Linear classifiers / binary features

[Figure: bar chart of the classifier weights; "viagra" and "buy" have the largest positive weights, "kid" and "game" the largest negative ones. As the budget D grows, "Buy viagra!" becomes "Buy vi4gr@!", then "B-u-y vi4gr@!", then "B-u-y vi4gr@! game", one feature flipped per unit of D]

• Features which have been assigned the highest absolute weights are modified first
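The worst case attack against a linear classifier with binary word features, worked in code as an added example (this is not code from the thesis or its slides). The vocabulary, weights, bias and spam messages are constructed toy values, and UNIFORM_WEIGHTS is a hand-made "more uniform" alternative for the same vocabulary, included so that the robustness curve (detection rate vs attack strength D) can be compared between a peaked and a flatter weight vector.

```python
"""Worst-case evasion of a linear spam classifier with binary features,
and the resulting robustness curve (detection rate vs attack strength D).
Added example with constructed data; the attack implements
A(x) = argmin_{x'} g(x') s.t. d(x, x') <= D, d being the Hamming distance."""
from typing import List, Tuple

# Constructed toy vocabulary and hand-picked linear model (assumed values).
VOCAB = ["buy", "viagra", "free", "meeting", "kid", "game", "report", "cheap"]
WEIGHTS = [1.0, 3.0, 1.5, -2.0, -1.0, -1.5, -2.5, 2.0]
BIAS = -1.0
# A more uniform weight vector over the same vocabulary, also hand-made.
UNIFORM_WEIGHTS = [1.5, 1.5, 1.5, -1.5, -1.5, -1.5, -1.5, 1.5]


def encode(text: str) -> List[int]:
    """Binary presence/absence features over VOCAB."""
    tokens = set(text.lower().split())
    return [1 if word in tokens else 0 for word in VOCAB]


def g(x: List[int], w: List[float] = WEIGHTS, w0: float = BIAS) -> float:
    """Discriminant function g(x) = sum_i w_i x_i + w_0."""
    return sum(wi * xi for wi, xi in zip(w, x)) + w0


def f(x: List[int], w: List[float] = WEIGHTS, w0: float = BIAS) -> int:
    """Decision function: +1 malicious (spam), -1 legitimate."""
    return 1 if g(x, w, w0) >= 0 else -1


def hamming(x: List[int], y: List[int]) -> int:
    """Attack strength: number of words modified."""
    return sum(a != b for a, b in zip(x, y))


def worst_case_attack(x: List[int], D: int,
                      w: List[float] = WEIGHTS, w0: float = BIAS) -> List[int]:
    """Minimise g(x') subject to hamming(x, x') <= D.

    For linear g and binary features, flipping feature i changes g by
    exactly -w_i if the word is present (bad word obfuscation) and by +w_i
    if it is absent (good word insertion). Only flips that lower g help:
    present words with w_i > 0 and absent words with w_i < 0. The gains
    |w_i| add up independently, so the optimum under a Hamming budget is to
    flip the D useful features with the largest |w_i|: the features with the
    highest absolute weights are modified first, as the slide states.
    """
    x_adv = list(x)
    useful = [(abs(wi), i) for i, wi in enumerate(w)
              if (x_adv[i] == 1 and wi > 0) or (x_adv[i] == 0 and wi < 0)]
    useful.sort(reverse=True)            # largest |w_i| first
    for _, i in useful[:D]:
        x_adv[i] = 1 - x_adv[i]
    return x_adv


def detection_rate(spam: List[List[int]], D: int,
                   w: List[float] = WEIGHTS, w0: float = BIAS) -> float:
    """Fraction of spam still classified as malicious after a worst-case
    attack of strength D against the classifier (w, w0)."""
    detected = sum(f(worst_case_attack(x, D, w, w0), w, w0) == 1 for x in spam)
    return detected / len(spam)


def robustness_curve(spam: List[List[int]], D_max: int,
                     w: List[float] = WEIGHTS,
                     w0: float = BIAS) -> List[Tuple[int, float]]:
    """Performance vs attack strength; D = 0 is the standard evaluation."""
    return [(D, detection_rate(spam, D, w, w0)) for D in range(D_max + 1)]


# Constructed test spam: three messages the toy model detects at D = 0.
SPAM = [encode("buy viagra cheap"), encode("free viagra"), encode("buy cheap")]

if __name__ == "__main__":
    for name, w in (("peaked weights", WEIGHTS),
                    ("uniform weights", UNIFORM_WEIGHTS)):
        print(name, robustness_curve(SPAM, 3, w, BIAS))
```

With the constructed peaked weights, two modified words are enough to evade on every test message, while the flatter weight vector still detects all three messages at D = 1 and one of them at D = 2: both classifiers score the same at D = 0, which is exactly the difference a single accuracy figure hides and the robustness curve shows.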
Experiments on spam filtering
       Text classifiers (worst case)
• TREC 2007 public data set
      – Training set: 10K emails
      – Testing set: 10K emails

• Features: words (tokens)
• Classifiers (using different numbers of features)
      – Logistic Regression (LR)
      – Linear SVM

• Performance measure: AUC10%, the area under the ROC curve (TP rate vs FP rate) restricted to FP ≤ 0.1

[Figure: AUC10% vs attack strength for LR and linear SVM]
Mimicry attack
• To simulate attacks where no information on the classification function is exploited
• Malicious samples are camouflaged to mimic legitimate samples
      – e.g., spoof attempts, polymorphic attacks

   $A(x) = \arg\min_{x'} d(x', \bar{x}) \quad \text{s.t. } d(x, x') \le D$

   where $\bar{x}$ is the legitimate sample being mimicked

[Figure: with D = 2 the spam "Buy viagra!" is turned into "B-u-y vi4gr@!" or into "Buy viagra! funny game", moving it towards the legitimate message "Yesterday I played a funny game…"]
Experiments on spam filtering
        Text classifiers (mimicry)
• TREC 2007 public data set
     – Training set: 10K emails
     – Testing set: 10K emails

• Features: words (tokens)

• Classifiers (using different numbers of features)
     – Logistic Regression (LR)
     – Linear SVM
     – Bayesian text classifier (SpamAssassin)
     – SVM with RBF kernel

[Figure: performance vs attack strength for the four classifiers]
Experiments on intrusion detection (mimicry)
• Data set of real network traffic (Georgia Tech, 2006)
     – Training set: 20K legitimate packets
     – Testing set: 20K legitimate packets + 66 distinct HTTP attacks (205 packets)

• Packets are classified separately
     – Features: relative byte frequencies (PAYL) [Wang], i.e., a 256-bin histogram over the byte values 0, 1, 2, …, 255

• One-class classifiers
     – Mahalanobis Distance classifier (MD)
     – SVM with RBF kernel

• Attack strength
     – Percentage of bytes modified in a packet

[Figure: performance vs attack strength for MD and the RBF-kernel SVM]
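The mimicry attack of the two slides above, simulated in feature space against a PAYL-style one-class detector, as an added example (not code from the thesis, and not the PAYL implementation): features are relative byte frequencies, the detector is the simplified Mahalanobis distance with a smoothing factor alpha and is thresholded at the largest distance observed on legitimate training packets (an assumed thresholding rule), and the attack rewrites at most a fraction p of the packet's bytes, greedily moving the byte histogram towards the mean legitimate profile $\bar{x}$. The HTTP payloads and the 0x90-filled anomalous packet are constructed samples, not the Georgia Tech traffic.

```python
"""Mimicry attack, simulated in feature space, against a PAYL-style
one-class detector on packet payloads. Added example, not thesis code.
Detector: d(x, m) = sum_i |x_i - m_i| / (sigma_i + alpha) over 256 byte bins,
flagged when above the largest distance of a legitimate training packet.
Attack:   A(x) = argmin_{x'} L1(x', x_bar) s.t. at most floor(p * n) of the
n payload bytes are rewritten; x_bar is the mean legitimate profile."""
import math
from typing import List, Tuple

NBINS = 256


def byte_counts(payload: bytes) -> List[int]:
    counts = [0] * NBINS
    for b in payload:
        counts[b] += 1
    return counts


def to_freq(counts: List[int]) -> List[float]:
    n = sum(counts)
    return [c / n for c in counts]


def l1(x: List[float], y: List[float]) -> float:
    return sum(abs(a - b) for a, b in zip(x, y))


class MahalanobisDetector:
    """One-class classifier: per-bin mean and std of legitimate traffic."""

    def __init__(self, alpha: float = 0.001):
        self.alpha = alpha          # smoothing for bins with zero variance
        self.mean: List[float] = []
        self.std: List[float] = []
        self.threshold = 0.0

    def fit(self, legit: List[bytes]) -> "MahalanobisDetector":
        feats = [to_freq(byte_counts(p)) for p in legit]
        n = len(feats)
        self.mean = [sum(f[i] for f in feats) / n for i in range(NBINS)]
        self.std = [math.sqrt(sum((f[i] - self.mean[i]) ** 2 for f in feats) / n)
                    for i in range(NBINS)]
        self.threshold = max(self.score(f) for f in feats)   # assumed rule
        return self

    def score(self, x: List[float]) -> float:
        return sum(abs(x[i] - self.mean[i]) / (self.std[i] + self.alpha)
                   for i in range(NBINS))

    def is_attack(self, x: List[float]) -> bool:
        return self.score(x) > self.threshold


def mimicry_attack(payload: bytes, target: List[float],
                   p: float) -> Tuple[List[float], int]:
    """Greedy mimicry under a budget of k = floor(p * n) rewritten bytes.
    Each step rewrites one byte from the value most over-represented w.r.t.
    the target profile into the value most under-represented, as long as the
    move strictly lowers the L1 distance to the target. Only the histogram
    changes: as on the 'Robustness evaluation' slide the attack is simulated
    by modifying feature values, not by building a working packet.
    Returns the attacked feature vector and the number of bytes rewritten."""
    n = len(payload)
    k = int(p * n)
    counts = byte_counts(payload)
    moved = 0
    while moved < k:
        h = [c / n for c in counts]
        i = max((v for v in range(NBINS) if counts[v] > 0),
                key=lambda v: h[v] - target[v])
        j = max(range(NBINS), key=lambda v: target[v] - h[v])
        delta = (abs(h[i] - 1 / n - target[i]) - abs(h[i] - target[i])
                 + abs(h[j] + 1 / n - target[j]) - abs(h[j] - target[j]))
        if i == j or delta > -1e-12:
            break                   # no rewrite brings x' closer to x_bar
        counts[i] -= 1
        counts[j] += 1
        moved += 1
    return to_freq(counts), moved


def evaluate_robustness(det: MahalanobisDetector, payload: bytes,
                        strengths: List[float]) -> List[Tuple[float, float, bool]]:
    """Performance vs attack strength: (p, detector score, still detected?)."""
    out = []
    for p in strengths:
        x, _ = mimicry_attack(payload, det.mean, p)
        out.append((p, det.score(x), det.is_attack(x)))
    return out


# Constructed sample traffic (not the Georgia Tech data set of the thesis).
LEGIT = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\nuser=alice&pass=correct-horse",
    b"GET /search?q=adversarial+classification HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: en\r\n\r\n",
]
# Constructed anomalous packet: a request line followed by a long run of
# 0x90 bytes, a value that never occurs in the legitimate packets above.
ATTACK = b"GET /cgi-bin/vuln.cgi HTTP/1.0\r\n\r\n" + b"\x90" * 300

if __name__ == "__main__":
    det = MahalanobisDetector().fit(LEGIT)
    for p, s, hit in evaluate_robustness(det, ATTACK, [0.0, 0.1, 0.3, 0.6, 1.0]):
        print(f"p={p:.1f}  score={s:9.2f}  threshold={det.threshold:.2f}  detected={hit}")
```

The adversary here only needs samples of legitimate traffic, never the detector's parameters, which is what makes this a mimicry rather than a worst case attack; and because the simulation works on feature values alone, a low score at high p says nothing about whether a real packet with that byte histogram would still carry a functioning attack, a limitation the feature-space simulation on the "Robustness evaluation" slide shares.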
To sum up
1. The proposed methodology for robustness evaluation extends standard performance evaluation to adversarial applications

2. Experiments showed how this methodology may give useful insights for the design of PR systems in adversarial tasks
      • e.g., LR outperforms BayesSA (the SpamAssassin Bayesian text classifier), etc.
3. Robust classifiers

Defence strategies for robust classifier design
• Rationale
      – Discriminant capability of features may change at operating phase due to attacks
      – Avoiding under- or over-emphasising features may increase robustness against attacks which exploit some knowledge of the decision function

[Figure: left, weights of a classifier trained on messages such as "Buy viagra! …": "viagra" and "buy" receive large positive weights, "kid" and "game" large negative ones; right, a more uniform weight vector over "buy viagra" and "kid game"]

• Feature weighting for improved classifier robustness [Kolcz]
      – Algorithms for improving robustness of linear classifiers
      – Underlying idea: to obtain a more uniform set of weights
Robust classifiers by MCSs

[Figure: from the data, bagging or RSM train K linear classifiers $f_k(x) = \sum_i w_i^k x_i + w_0^k$, $k = 1, \dots, K$, which are combined by averaging: $\frac{1}{K} \sum_{k=1}^{K} f_k(x)$]

• We investigated if bagging and RSM (random subspace method) can be exploited to design more robust linear classifiers

• The underlying idea is still to obtain a more uniform set of weights
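Why averaging K linear classifiers acts on the weight vector at all, written out as an added derivation (it is not on the slides, which only show the combination rule). With $f_k(x) = \sum_i w_i^k x_i + w_0^k$,

$$\frac{1}{K}\sum_{k=1}^{K} f_k(x) = \sum_i \Big(\frac{1}{K}\sum_{k=1}^{K} w_i^k\Big) x_i + \frac{1}{K}\sum_{k=1}^{K} w_0^k = \sum_i \bar{w}_i x_i + \bar{w}_0 ,$$

so the ensemble is itself a linear classifier whose weights $\bar{w}_i$ are the averages of the base classifiers' weights. A feature that gets a large weight only in some of the bootstrap replicates (bagging), or that is left out of some feature subsets and therefore has $w_i^k = 0$ there (RSM), is averaged down, which is the sense in which the ensemble yields a more uniform weight vector; the worst case attacker of the previous section, who flips the features with the largest $|\bar{w}_i|$ first, then gains less per modified feature.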
Robust training

• Adding simulated attacks to the training set

[Figure: the multi-modal biometric system of the "Attack simulation" slide (face matcher s1, fingerprint matcher s2, fusion module); in the (s1, s2) plane, simulated face spoof and fingerprint spoof samples are added to the impostor class, so that the retrained decision function f'(x) differs from the original f(x) and keeps the spoofed samples on the impostor side]
Experiments on spam filtering
               SpamAssassin

[Figure: SpamAssassin combines the outputs of its tests (header analysis, URL filter, keyword filter, …, text classifier) with weights w1, w2, w3, …, wn into a score s; the e-mail is labelled spam if s ≥ th and legitimate if s < th]

   $s = \sum_{i=1}^{n} w_i t_i$, with $t_i \in \{0, 1\}$ the outcome of test i; spam if $s \ge th$, legitimate if $s < th$

• SpamAssassin: open source spam filter
   – Linear classifier / binary features (tests)
         • default weights are manually tuned by designers to improve robustness

• TREC 2007 public data set
   – First 10,000 e-mails to train the text classifier
   – Second 10,000 e-mails to train the linear decision function
   – Third 10,000 e-mails as testing set
Experiments on spam filtering
       SpamAssassin (worst case)
• Attack strength
      – number of evaded tests

• Robust training
      – to defend against worst case attacks

• Defence strategies are not effective against the mimicry attack

• Strategies proposed by Kolcz exhibited similar results to RSM and bagging

[Figure: performance vs attack strength for SpamAssassin with and without the defence strategies]
Conclusions and future works
• Adversarial pattern classification and open issues

• Contributions of this thesis
     – State of the art of works in adversarial classification
     – Methodology for robustness evaluation
     – Defence strategies for robust classifier design

• Experimental results provide useful insights for the design of PR systems in adversarial environments

• Future works
     – Theoretical investigation of adversarial classification
     – Robustness evaluation of biometric verification systems

Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
Wild patterns - Ten years after the rise of Adversarial Machine Learning - Ne...
 
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019
 
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub...
 
On Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial SettingsOn Security and Sparsity of Linear Classifiers for Adversarial Settings
On Security and Sparsity of Linear Classifiers for Adversarial Settings
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
 
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security MeasuresMachine Learning under Attack: Vulnerability Exploitation and Security Measures
Machine Learning under Attack: Vulnerability Exploitation and Security Measures
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
 
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...
 
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...
 
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...
 
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware ClusteringBattista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
Battista Biggio @ AISec 2014 - Poisoning Behavioral Malware Clustering
 
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ...
 
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...
 
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a...
 
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines"
 
Zahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense SlidesZahid Akhtar - Ph.D. Defense Slides
Zahid Akhtar - Ph.D. Defense Slides
 
Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...Design of robust classifiers for adversarial environments - Systems, Man, and...
Design of robust classifiers for adversarial environments - Systems, Man, and...
 

Último

microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 

Último (20)

microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 

Adversarial Pattern Classification

  • 1. PhD in Electronic and Computer Engineering
     Adversarial Pattern Classification
     Battista Biggio, XXII cycle
     Advisor: prof. Fabio Roli
     Department of Electrical and Electronic Engineering, University of Cagliari, Italy

  • 2. Outline
     • Problem definition
     • Open issues
     • Contributions of this thesis
       – Experiments
     • Conclusions and future works
     05-03-2010 Adversarial Classification - B. Biggio 2

  • 3. What is adversarial classification?
     • Pattern recognition in security applications
       – spam filtering, intrusion detection, biometrics
     • Malicious adversaries aim to mislead the system
     [Figure: feature space (x1, x2) with a decision function f(x) separating legitimate from malicious samples; the spam "Buy viagra!" is moved across the boundary as "Buy vi4gr@!"]

  • 4. Open issues
     1. Vulnerability identification
        • potential vulnerabilities may be exploited by an adversary to mislead the system
     2. Performance evaluation under attack
        • standard performance evaluation does not provide information about the robustness of a classifier under attack
     3. Defence strategies for robust classifier design
        • classification algorithms were not originally thought to be robust against adversarial attacks

  • 5. Main contributions of this thesis
     1. State of the art in adversarial classification
        – to highlight the need for a unifying view of the problem
     2. Robustness evaluation
        – to provide an estimate of the performance of a classifier under attack
        – to select a more appropriate classification model
     3. Defence strategies for robust classifier design
        – to improve the robustness of classifiers under attack
  • 7. State of the art
     • Vulnerability identification
       – Good word attacks in spam filtering [Wittel, Lowd, Graham-Cumming]
       – Polymorphic and poisoning attacks in IDSs [Fogla, Lee, Kloft, Laskov]
       – Possible attacks to a biometric verification system [Ratha, Jain]
     • Defence strategies against specific attacks
       – Good word attacks in spam filtering [Jorgensen, Nelson]
       – Polymorphic and poisoning attacks in IDSs [Perdisci, Cretu]
       – Spoof attacks in biometrics [Rodrigues]
     • No general methodology exists to evaluate the performance of classifiers under attack

  • 8. State of the art
     A clear and unifying view of the problem, as well as practical guidelines for the design of classifiers in adversarial environments, do not exist yet!

  • 10. Standard performance evaluation
     [Figure: collected data are split into a training set, used to build the classifier, and a testing set, used to measure accuracy, e.g. to compare classifiers C1 and C2]
     Techniques       | Performance measures
     Validation       | Classification accuracy
     Cross validation | ROC curve
     Bootstrap        | Area Under the ROC curve (AUC)
     …                | …

  • 11. Problems
     • Standard performance evaluation is likely to provide an optimistic estimate of the performance [Kolcz]
       1. collected data may not include attacks at all
          Biometric systems are not typically tested against spoof attacks

  • 12. Problems
     • Standard performance evaluation is likely to provide an optimistic estimate of the performance [Kolcz]
       2. collected data may contain attacks which, however, were not targeted against the system being designed
          Attacks collected in spam filtering or IDSs might have targeted systems based on different features

  • 13. Problems
       3. collected data do not contain attacks of different attack strength
          • e.g., number of words modified in spam e-mails
          [Figure: "Buy viagra!" → "Buy vi4gr4!" → "Buy vi4gr4! Did you ever play that game when you were a kid?"]
     It is of interest to evaluate the robustness of classifiers under different attack strengths
  • 14. Robustness evaluation
     • Result of our robustness evaluation
       – performance vs attack strength
     Example: performance degradation of text classifiers in spam filtering under different numbers of modified words
     [Figure: standard performance evaluation yields a single accuracy value per classifier (C1, C2); robustness evaluation plots accuracy against attack strength, starting from strength 0]

  • 15. Robustness evaluation
     • Robustness evaluation is required to have a more complete understanding of the classifier's performance
       – We need to figure out how an adversary may attack the classifier (security by design)
     • Designing attacks may be a very difficult task
       – in-depth knowledge of the specific application is required
       – costly and time-consuming
         • e.g., fake fingerprints
     • We thus propose to simulate the effect of attacks by modifying the feature values of malicious samples

  • 16. Attack simulation
     • Biometric multi-modal verification system
     • Potential attacks
       – spoof attempts
     [Figure: a face matcher and a fingerprint matcher produce the scores s1 and s2 for a claimed identity; a fusion module f(x) outputs Genuine / Impostor; in the (s1, s2) score space a face spoof moves an impostor along s1 and a fingerprint spoof along s2, towards the genuine region]

  • 17. Attack simulation
     • Text classifiers in spam filtering
       – binary features (presence / absence of word)
     • Potential attacks
       – bad word obfuscation (BWO) / good word insertion (GWI)
     Example: "Buy viagra!" → "Buy vi4gr4! Did you ever play that game when you were a kid where the little plastic hippo tries to gobble up all your marbles?"
     x = [0 0 1 0 0 0 0 0 …] → x' = [0 0 0 0 1 0 0 1 …], with x' = A(x)

  • 18. Attack strength
     • Distance in the feature space
       – chosen depending on the application and features
     Example
     • Text classifiers in spam filtering
       – binary features (presence / absence of word)
       "Buy viagra ! …" → "Buy vi@gr4 ! …"
       x = [0 0 1 0 1 …] → x' = [0 0 0 0 1 …]
       Hamming distance d(x, x') = 1 = number of words modified in the spam message

  • 19. Attack strategy
     A(x): "Buy viagra!" → A1(x): "B-u-y viagra!" or A2(x): "Buy vi4gr@!", subject to $d(x, x') \le D$, here with $D = 1$
     [Figure: the two candidate modifications of the same spam lie within the Hamming ball of radius D around x; one crosses the decision boundary, the other does not]
     A(x) depends on the adversary's knowledge about the classifier!

  • 20. Worst case attack
     • To simulate attacks which exploit knowledge of the decision function of the classifier
     $f(x) = \mathrm{sign}\, g(x) = \begin{cases} +1 & \text{malicious} \\ -1 & \text{legitimate} \end{cases}$, e.g. $g(x) = \sum_i w_i x_i + w_0$
     $A(x) = \arg\min_{x'} g(x')$ s.t. $d(x, x') \le D$
     [Figure: for "Buy viagra!" with D = 1 the candidates are "B-u-y viagra!" and "Buy vi4gr@!"; the worst case attack picks the one that minimises g(x'), i.e. the one that crosses f(x)]

  • 21. Worst case attack
     • Linear classifiers / binary features
     [Figure: bar plot of the weights of the words viagra, buy, kid, game; as D grows, "Buy viagra!" becomes "Buy vi4gr@!", then "B-u-y vi4gr@!", then "B-u-y vi4gr@! game"]
     • Features which have been assigned the highest absolute weights are modified first
  • 22. Experiments on spam filtering: text classifiers (worst case)
     • TREC 2007 public data set
       – Training set: 10K emails
       – Testing set: 10K emails
     • Features: words (tokens)
     • Classifiers (using different number of features)
       – Logistic Regression (LR)
       – Linear SVM
     • AUC10%
     [Figure: ROC curve (TP vs FP, FP in [0, 0.1]) and AUC10% plotted against attack strength for each classifier]

  • 23. Mimicry attack
     • To simulate attacks where no information on the classification function is exploited
     • Malicious samples are camouflaged to mimic legitimate samples
       – e.g., spoof attempts, polymorphic attacks
     $A(x) = \arg\min_{x'} d(x', \bar{x})$ s.t. $d(x, x') \le D$
     [Figure: with D = 2, "Buy viagra!" becomes "B-u-y vi4gr@!" (obfuscation) or "Buy viagra! funny game" (insertion of words from a legitimate message such as "Yesterday I played a funny game…"), moving towards the legitimate samples]

  • 24. Experiments on spam filtering: text classifiers (mimicry)
     • TREC 2007 public data set
       – Training set: 10K emails
       – Testing set: 10K emails
     • Features: words (tokens)
     • Classifiers (using different number of features)
       – Logistic Regression (LR)
       – Linear SVM
       – Bayesian text classifier (SpamAssassin)
       – SVM with RBF kernel
     [Figure: performance vs attack strength for each classifier]

  • 25. Experiments on intrusion detection (mimicry)
     • Data set of real network traffic (Georgia Tech, 2006)
       – Training set: 20K legitimate packets
       – Testing set: 20K legitimate packets + 66 distinct HTTP attacks (205 packets)
     • Packets are classified separately
       – Features: relative byte frequencies (PAYL) [Wang], one per byte value 0, 1, 2, …, 255
     • One-class classifiers
       – Mahalanobis Distance classifier (MD)
       – SVM with RBF kernel
     • Attack strength
       – Percentage of bytes modified in a packet
     [Figure: performance vs attack strength for each classifier]

  • 26. To sum up
     1. The proposed methodology for robustness evaluation extends standard performance evaluation to adversarial applications
     2. Experiments showed how this methodology may give useful insights for the design of PR systems in adversarial tasks
        • e.g., LR outperforms BayesSA, etc.
  • 28. Defence strategies for robust classifier design
     • Rationale
       – The discriminant capability of features may change at the operating phase due to attacks
       – Avoiding under- or over-emphasising features may increase robustness against attacks which exploit some knowledge of the decision function
     [Figure: two weight distributions over the words viagra, buy, kid, game: one dominated by "viagra", one more uniform; with the latter, "Buy viagra!" needs more modifications to evade]
     • Feature weighting for improved classifier robustness [Kolcz]
       – Algorithms for improving robustness of linear classifiers
       – Underlying idea: to obtain a more uniform set of weights

  • 29. Robust classifiers by MCSs
     Linear classifiers $f_k(x) = \sum_i w_i^k x_i + w_0^k$, $k = 1, \dots, K$, are trained on the data resampled by bagging or RSM and combined as $\frac{1}{K} \sum_{k=1}^{K} f_k(x)$
     • We investigated if bagging and RSM can be exploited to design more robust linear classifiers
     • The underlying idea is still to obtain a more uniform set of weights
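  Worked example (added here; not code or data from the thesis or the slides): a pure-Python implementation of the attack simulation and robustness evaluation of slides 17-23, run on two constructed linear classifiers to illustrate the uniform-weights idea of slides 28-29. The vocabulary, the e-mails, the two weight vectors, and the choice of a single legitimate e-mail as the mimicry target $\bar{x}$ are all assumptions made for this example.

```python
"""Toy robustness evaluation of linear spam classifiers with binary word features.

Constructed illustration, not code or data from the thesis: a vocabulary, two
hand-set weight vectors and six short e-mails. Feature x_i = 1 if word i occurs.
"""
from typing import Callable, List, Sequence, Tuple

VOCAB = ["buy", "viagra", "cheap", "click", "free",
         "meeting", "kid", "game", "thanks", "report"]


def features(words: Sequence[str]) -> List[int]:
    """Binary presence/absence vector over VOCAB."""
    return [1 if w in words else 0 for w in VOCAB]


def g(w: Sequence[float], w0: float, x: Sequence[int]) -> float:
    """Linear discriminant g(x) = sum_i w_i x_i + w0; f(x) = +1 (malicious) iff g(x) >= 0."""
    return sum(wi * xi for wi, xi in zip(w, x)) + w0


def hamming(x: Sequence[int], y: Sequence[int]) -> int:
    """Attack strength d(x, x'): number of words modified."""
    return sum(a != b for a, b in zip(x, y))


def worst_case_attack(w: Sequence[float], w0: float, x: Sequence[int], D: int) -> List[int]:
    """A(x) = argmin_{x'} g(x') s.t. d(x, x') <= D (slide 20), for binary features.

    Each flip changes g by a fixed amount, so the exact minimiser flips the D
    features with the largest |w_i| among those whose flip lowers g: drop a
    present word with w_i > 0, or insert an absent word with w_i < 0 (slide 21).
    """
    x = list(x)
    gains = [(wi, i) for i, (wi, xi) in enumerate(zip(w, x)) if xi == 1 and wi > 0]
    gains += [(-wi, i) for i, (wi, xi) in enumerate(zip(w, x)) if xi == 0 and wi < 0]
    gains.sort(reverse=True)                 # largest |w_i| first
    for _, i in gains[:D]:
        x[i] = 1 - x[i]
    return x


def mimicry_attack(x: Sequence[int], target: Sequence[int], D: int) -> List[int]:
    """A(x) = argmin_{x'} d(x', target) s.t. d(x, x') <= D (slide 23).

    No knowledge of the classifier is used: up to D features where x differs
    from the mimicked legitimate sample are copied from it, in index order.
    """
    x = list(x)
    for i in [i for i, (a, b) in enumerate(zip(x, target)) if a != b][:D]:
        x[i] = target[i]
    return x


Attack = Callable[[Sequence[int], int], List[int]]


def detection_rate(w, w0, malicious, attack: Attack, D: int) -> float:
    """Fraction of attacked malicious samples still classified as malicious."""
    return sum(1 for x in malicious if g(w, w0, attack(x, D)) >= 0) / len(malicious)


def robustness_curve(w, w0, malicious, attack: Attack, max_D: int) -> List[float]:
    """Performance vs attack strength (slide 14): detection rate for D = 0..max_D."""
    return [detection_rate(w, w0, malicious, attack, D) for D in range(max_D + 1)]


# Constructed e-mails (tokenised by whitespace).
SPAM = [features(s.split()) for s in
        ["buy viagra cheap", "viagra free click", "buy cheap free click", "buy viagra game"]]
LEGIT = [features(s.split()) for s in ["meeting report thanks", "kid game free"]]

# Two constructed linear classifiers (weights, bias) that agree on every clean
# sample above. SKEWED puts almost all its weight on "viagra"; UNIFORM spreads
# it evenly, the property the defence strategies of slides 28-29 aim for.
SKEWED: Tuple[List[float], float] = ([0.4, 3.0, 0.4, 0.4, 0.4, -0.4, -0.4, -0.4, -0.4, -0.4], -0.6)
UNIFORM: Tuple[List[float], float] = ([0.7] * 5 + [-0.7] * 5, -0.6)


def clean_accuracy(w, w0) -> float:
    """Standard (no attack) accuracy on the clean constructed samples."""
    ok = sum(g(w, w0, x) >= 0 for x in SPAM) + sum(g(w, w0, x) < 0 for x in LEGIT)
    return ok / (len(SPAM) + len(LEGIT))


def evaluate(clf, max_D: int = 4) -> dict:
    """Clean accuracy plus detection-rate curves under both simulated attacks."""
    w, w0 = clf
    return {
        "clean_accuracy": clean_accuracy(w, w0),
        "worst_case": robustness_curve(w, w0, SPAM, lambda x, D: worst_case_attack(w, w0, x, D), max_D),
        "mimicry": robustness_curve(w, w0, SPAM, lambda x, D: mimicry_attack(x, LEGIT[0], D), max_D),
    }


if __name__ == "__main__":
    for name, clf in (("skewed", SKEWED), ("uniform", UNIFORM)):
        print(name, evaluate(clf))
```

  Both constructed classifiers reach 100% accuracy on the clean samples, which is all standard evaluation would report. The worst case curves show the difference: the skewed classifier keeps only 25% of its detections once two words may be modified, while the one with flatter weights still keeps 75% at D = 2 and needs three modifications before it degrades to the same level. The toy data are far too small to reproduce the experimental findings on TREC 2007, including slide 32's observation about the mimicry attack; the point is the evaluation methodology itself.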
  • 30. Robust training
     • Adding simulated attacks to the training set
     [Figure: the biometric fusion system of slide 16; simulated face and fingerprint spoof attempts are added to the training data, so that the decision function f(x) is replaced by a retrained f'(x)]

  • 31. Experiments on spam filtering: SpamAssassin
     [Figure: SpamAssassin runs a set of tests (header analysis, URL filter, keyword filter, …, text classifier) with weights w1, w2, w3, …, wn; the weighted score s is compared with a threshold th: spam if s ≥ th, legitimate if s < th]
     • SpamAssassin: open source spam filter
       – Linear classifier / binary features (tests)
         • default weights are manually tuned by designers to improve robustness
     • TREC 2007 public data set
       – First 10,000 e-mails to train the text classifier
       – Second 10,000 e-mails to train the linear decision function
       – Third 10,000 e-mails as testing set

  • 32. Experiments on spam filtering: SpamAssassin (worst case)
     • Attack strength
       – number of evaded tests
     • Robust training
       – to defend against worst case attacks
     • Defence strategies are not effective against the mimicry attack
     • Strategies proposed by Kolcz exhibited similar results to RSM and bagging
     [Figure: performance vs attack strength under the worst case attack]

  • 33. Conclusions and future works
     • Adversarial pattern classification and open issues
     • Contributions of this thesis
       – State of the art of works in adversarial classification
       – Methodology for robustness evaluation
       – Defence strategies for robust classifier design
     • Experimental results provide useful insights for the design of PR systems in adversarial environments
     • Future works
       – Theoretical investigation of adversarial classification
       – Robustness evaluation of biometric verification systems