Research teams seminar
Can Machine Learning Work in the Presence of Adversaries?
Machine learning classifiers are increasingly popular for security applications, and often achieve outstanding performance in testing. When deployed, however, classifiers can be thwarted by motivated adversaries who adaptively construct adversarial examples that are misclassified.
- Date: 17/05/2017
- Place: Inria de Paris, 2 rue Simone Iff, 75012 Paris, Building C, room Jacques-Louis Lions 2, 11:00
- Guest(s): David Evans, University of Virginia (visiting Prosecco from May to August 2017)
In this talk, I'll describe work by the EvadeML project (https://evademl.org) on understanding the vulnerability of classifiers to adversarial examples and on developing more robust classifiers.
Previous work on adversarial examples has focused on finding small distortions to inputs that fool a classifier, and previous defenses have been both ineffective and very expensive. In this talk, I'll describe a new strategy, feature squeezing, that can be used to harden classifiers by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample, and can detect adversarial examples by comparing the outputs on the original and squeezed sample. Adversaries, however, are not limited to small distortions. Indeed, it may be possible to make large changes to an input without losing its intended malicious behavior. I'll describe our work on an evolutionary framework to search for such adversarial examples, and show how it can automatically find evasive variants against state-of-the-art classifiers.
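The detection step described above, as an added illustration that is not EvadeML's code: a hand-set two-class classifier over a constructed 4x4 grayscale image that over-relies on one pixel, squeezed with the two squeezers used in the feature squeezing work (bit-depth reduction and median smoothing), with the prediction compared before and after squeezing. The weights, the detection threshold and the three inputs are assumptions made for this example.

```python
import math
from typing import Callable, Dict, List
# Added illustration of feature-squeezing detection; not EvadeML's code.
# Images are flat, row-major lists of grayscale pixels in [0, 1].
W = 4  # constructed 4x4 image width
# Constructed logistic classifier that over-relies on pixel (1, 2) (weight 32).
WEIGHTS = [-2, -2, 2, 2, -2, -2, 32, 2, -2, -2, 2, 2, -2, -2, 2, 2]
BIAS = -33.0

def predict(img: List[float]) -> List[float]:
    """Two-class classifier: returns [P(class 0), P(class 1)]."""
    logit = sum(w * x for w, x in zip(WEIGHTS, img)) + BIAS
    p1 = 1.0 / (1.0 + math.exp(-logit))
    return [1.0 - p1, p1]

def squeeze_bit_depth(img: List[float], bits: int = 1) -> List[float]:
    """Round each pixel to 2**bits levels; noise that stays on one side of a boundary vanishes."""
    levels = 2 ** bits - 1
    return [round(x * levels) / levels for x in img]

def squeeze_median(img: List[float], k: int = 3) -> List[float]:
    """k x k median smoothing (window clipped at the border); an isolated odd pixel is replaced."""
    h, r, out = len(img) // W, k // 2, []
    for y in range(h):
        for x in range(W):
            win = sorted(img[yy * W + xx]
                         for yy in range(max(0, y - r), min(h, y + r + 1))
                         for xx in range(max(0, x - r), min(W, x + r + 1)))
            out.append(win[len(win) // 2])
    return out

SQUEEZERS: Dict[str, Callable[[List[float]], List[float]]] = {
    "bit_depth": squeeze_bit_depth, "median": squeeze_median}

def squeeze_scores(img: List[float]) -> Dict[str, float]:
    """L1 distance between the prediction on the input and on each squeezed copy."""
    base = predict(img)
    return {name: sum(abs(a - b) for a, b in zip(base, predict(sq(img))))
            for name, sq in SQUEEZERS.items()}

def is_adversarial(img: List[float], threshold: float = 0.5) -> bool:
    """Joint detection: flag the input if any squeezer moves the prediction past the (constructed) threshold."""
    return max(squeeze_scores(img).values()) > threshold

# Constructed inputs: dark left half, bright right half (legitimately class 1).
CLEAN = [0.1, 0.1, 0.9, 0.9] * 4
ADV_SMALL = CLEAN[:]; ADV_SMALL[6] = 0.55  # pixel (1,2) lowered, still rounds to 1
ADV_CROSS = CLEAN[:]; ADV_CROSS[6] = 0.45  # pixel (1,2) pushed across the rounding boundary
```

Both perturbed inputs flip the classifier to class 0; the first is caught by either squeezer, while the second slips past bit-depth reduction (it rounds to the adversary's side) and is caught only by median smoothing, which is why the detector takes the maximum over squeezers.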
David Evans is a Professor of Computer Science at the University of Virginia and leader of the Security Research Group. He is the author of an open computer science textbook, a children's book on combinatorics and computability, and teacher of one of the world's most popular MOOCs. He is Program Co-Chair for ACM Conference on Computer and Communications Security (CCS) 2017, and previously was Program Co-Chair for the 31st (2009) and 32nd (2010) IEEE Symposia on Security and Privacy (where he initiated the SoK papers). He has SB, SM and PhD degrees in Computer Science from MIT and has been a faculty member at the University of Virginia since 1999.