Provably Secure Machine Learning
Abstract
The overarching goal of this proposal is to build provably secure machine learning techniques. Adversarial examples and poisoning attacks are two basic security threats to machine learning: they compromise the security of the testing phase and the training phase of machine learning, respectively. The proposal aims to build machine learning methods that are provably secure against adversarial examples and poisoning attacks, and will leverage randomized smoothing as the approach. Compared to other provably secure machine learning methods, randomized smoothing has two key advantages: it is applicable to any classifier and it scales to large neural networks. However, existing studies on randomized smoothing suffer from several limitations. First, they can only certify robustness against adversarial examples for top-1 predictions and for limited types of data. Second, they focus on adversarial examples, and certified robustness against poisoning attacks is largely unexplored. Third, they lack principled methods to optimize the noise distribution for a given application scenario. The proposal aims to address these limitations through three objectives. First, the proposal aims to develop randomized smoothing methods that certify robustness of general top-k predictions against adversarial examples for different types of data such as continuous, discrete, and mixed data. Second, the proposal aims to develop randomized smoothing methods that certify robustness against poisoning attacks such as label poisoning attacks, feature-label poisoning attacks, and trojan/backdoor attacks. Third, the proposal aims to develop principled methods to optimize the noise distribution for a given application scenario. To achieve the first and second objectives, the key idea of the proposal is to add random noise to the data that an attacker could manipulate (e.g., a testing example or a training example) and to derive a robustness certificate against such attackers from the smoothed prediction.
To achieve the third objective, the proposal will formulate the search for the optimal noise distribution as an optimization problem and leverage black-box optimization methods to solve it. The results of this project will significantly advance the field of secure machine learning. Specifically, the project is the first to develop certified robustness of general top-k predictions against adversarial examples, the first to develop certified robustness against poisoning attacks, and the first to develop principled methods to optimize the noise distribution for a given application scenario. Moreover, the project will also advance education on secure machine learning: the results of the project will be incorporated into a graduate course on secure machine learning that the PI is developing.
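To make the key idea of randomized smoothing concrete, the following toy certifier is added here as an illustration; it is not code from the proposal or the PI's project. It implements the existing top-1 certificate that the abstract describes as the current state of the art: a base classifier is queried on Gaussian-noised copies of a test input, the majority class becomes the smoothed prediction, and a lower confidence bound on its vote share yields a certified L2 radius using the bound of Cohen, Rosenfeld and Kolter (2019), R = sigma * Phi^-1(p_A_lower). The base classifier, the inputs, the sample count and the Hoeffding confidence bound are all constructed assumptions for this example; a real deployment would use a trained network and a tighter binomial confidence bound.

```python
import math
import random
from statistics import NormalDist

# Standard normal CDF / inverse CDF, used for the Gaussian certificate.
STD_NORMAL = NormalDist()


def base_classifier(x):
    """Toy two-class base classifier (constructed for this example).

    Class 1 if the first coordinate is positive, else class 0. Any
    classifier with the same signature (input -> class index) would do;
    randomized smoothing does not need to look inside it.
    """
    return 1 if x[0] > 0 else 0


def smoothed_predict_and_certify(x, sigma, n_samples=2000, alpha=0.001, seed=0):
    """Smoothed prediction plus a certified L2 radius for input x.

    Returns (label, radius). If the lower confidence bound on the top
    class's probability is not above 1/2 the certifier abstains and
    returns (None, 0.0), because no radius can be certified.
    """
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    counts = [0, 0]
    for _ in range(n_samples):
        # Add isotropic Gaussian noise N(0, sigma^2 I) to the test example.
        noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        counts[base_classifier(noisy)] += 1

    top = max(range(len(counts)), key=lambda c: counts[c])
    p_hat = counts[top] / n_samples

    # One-sided Hoeffding lower confidence bound at level 1 - alpha:
    # P(p_hat - p >= t) <= exp(-2 n t^2), solved for t.
    p_lower = p_hat - math.sqrt(math.log(1.0 / alpha) / (2.0 * n_samples))
    if p_lower <= 0.5:
        return None, 0.0  # abstain: majority not statistically established

    # Cohen et al. (2019) certificate with p_B bounded by 1 - p_A:
    # the smoothed prediction is constant within L2 radius sigma * Phi^-1(p_A).
    radius = sigma * STD_NORMAL.inv_cdf(p_lower)
    return top, radius


def perturb(x, delta):
    """Return x + delta (constructed helper for checking a certificate)."""
    return tuple(xi + di for xi, di in zip(x, delta))


def l2_norm(v):
    return math.sqrt(sum(vi * vi for vi in v))


if __name__ == "__main__":
    x = (1.0, 0.0)
    label, radius = smoothed_predict_and_certify(x, sigma=0.5)
    print(f"prediction={label} certified_radius={radius:.3f}")
    # A perturbation smaller than the radius cannot change the smoothed label.
    delta = (-0.9 * radius, 0.0)
    assert l2_norm(delta) < radius
    print("perturbed prediction:", smoothed_predict_and_certify(perturb(x, delta), 0.5, seed=1)[0])
    print("abstain on boundary point:", smoothed_predict_and_certify((0.0, 0.0), 0.5))
```

For the input (1.0, 0.0) with sigma = 0.5 the exact top-class probability is Phi(2) ≈ 0.977, so the Monte Carlo estimate lands near 0.75 for the radius once the confidence bound is applied; the exact certificate for this base classifier would be 1.0, which shows the cost of finite sampling. The point (0.0, 0.0) sits on the decision boundary, the vote share hovers around 1/2, and the certifier abstains, which is the correct behaviour rather than a failure.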
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jun 25, 2021
- Source ID: W911NF2110182
Entities
People
- Zhenqiang Gong
Organizations
- Army Contracting Command
- Duke University
- United States Army