Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

11/27/2019
09:30 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

False Training Information Can Dupe Machine Learning Models

Researchers from Boston University have shown how really small amounts of disinformation can taint the learning process used by many AI programs.

Researchers from Boston University have recently shown how really small amounts of disinformation can taint the learning process that is used by many "AI" programs.

Panagiota Kiourti, Kacper Wardega, Susmit Jha and Wenchao Li authored the paper that has come out of this effort, "TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents." The paper examines machine learning (ML) systems that are being trained with "reinforcement learning" and came up with a way to fool them so that a Trojan could be slipped into the result of the training.

Neural nets used in ML have long been known to be sensitive to the effects of any low-quality data used in training them. These so-called "adversarial examples" are slightly perturbed inputs that can cause a neural network for a classification task to classify them as a completely different category compared to the original input.

Disturbingly, these perturbed inputs can appear identical to the original from a human perspective.

Sometimes, ML machines will be trained on third-party data sets. Should an attacker gain access to such a model data set and weaponize it with a backdoor to Trojan, the effects could be immense.

The researchers set out to deliberately introduce malicious adversarial examples that would affect the ML's performance in making classifications. For their research, they used a popular and publicly available reinforcement-learning algorithm from DeepMind, called Asynchronous Advantage Actor-Critic, or A3C.

The attack methods were tested on several Atari games that were set up to function in an environment created for reinforcement-learning research. They were Breakout, Pong, Qbert, Space Invaders, Seaquest and Crazy Climber. The games were used since the researchers could measure the effects of the decision/classification performed by the ML used by them.

The attacks are performed on a machine with an Intel i7-6850K CPU and 4×NvidiaGeForce GTX 1080 Ti GPUs that typically completes one training process every 2.4 hours.

Once they tried to defend against attacks they had recognized, things got head-scratching for them. They found that, "Untargeted attacks are difficult to defend against because untargeted attack triggers induce a distribution over outputs […] an effect that breaks the assumptions of Neural Cleanse. There is no demonstrated defense for partial Trojans, where the trigger only corrupts a subset of the output labels."

If an attack is involved with a system having wide dynamic range in its training, they say a defense "will require entirely new defense techniques as all known defenses rest on the basis of discrete outputs. Furthermore, we claim that previous works promising defenses under Threat Model 2 are not effective on Trojaned DRL agents as large training sets and small amount of poisoned inputs inhibit the proper function of such techniques."

So, they can get ML systems to make major classification errors with these adversarial examples, but they are not sure how to defend against them. It makes sense for them to conclude that, "Our work suggests caution in deploying reinforcement learning in high-security safety-critical applications where the training process is not restricted to a controlled and secure environment."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15930
PUBLISHED: 2020-09-24
An XSS issue in Joplin desktop 1.0.190 to 1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
CVE-2020-19447
PUBLISHED: 2020-09-24
SQL injection exists in the jdownloads 3.2.63 component for Joomla! com_jdownloads/models/send.php via the f_marked_files_id parameter.
CVE-2020-3560
PUBLISHED: 2020-09-24
A vulnerability in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on an affected device. The vulnerability is due to improper resource management while processing specific packets. An attacker could exploit this vulnerability by s...
CVE-2020-3509
PUBLISHED: 2020-09-24
A vulnerability in the DHCP message handler of Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, remote attacker to cause the supervisor to crash, which could result in a denial of service (DoS) condition. The vulnerability is due to insufficient error...
CVE-2020-3510
PUBLISHED: 2020-09-24
A vulnerability in the Umbrella Connector component of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches could allow an unauthenticated, remote attacker to trigger a reload, resulting in a denial of service condition on an affected device. The vulnerability is due to insufficient error h...