Defending Against Adversarial Samples Without Security through Obscurity

Wenbo Guo, Qinglong Wang, Kaixuan Zhang, Alexander G. Ororbia, Sui Huang, Xue Liu, C. Lee Giles, Lin Lin, Xinyu Xing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

It has recently been shown that deep neural networks (DNNs) are susceptible to a particular type of attack that exploits a fundamental flaw in their design. This attack consists of generating synthetic examples referred to as adversarial samples. These samples are constructed by slightly perturbing real data points in ways that 'fool' the original DNN model, forcing it to misclassify, with high confidence, samples it previously classified correctly. Many believe that addressing this flaw is essential if DNNs are to be used in critical applications such as cyber security. Previous work has shown that learning algorithms designed to enhance the robustness of DNN models all rely on the tactic of 'security through obscurity': security can be guaranteed only if the learning algorithm is kept hidden from adversaries. Once the learning technique is disclosed, DNNs protected by these defense mechanisms remain susceptible to adversarial samples. In this work, we examine how previous research dealt with this problem and propose a generic approach to enhance a DNN's resistance to adversarial samples. More specifically, our approach integrates a data transformation module with a DNN, making the model robust even if the underlying learning algorithm is revealed. To demonstrate the generality of our proposed approach and its potential for handling cyber security applications, we evaluate our method and several other existing solutions on publicly available datasets, including a large-scale malware dataset as well as the MNIST and IMDB datasets. Our results indicate that our approach typically provides superior classification performance and robustness to attacks compared with state-of-the-art solutions.
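The abstract's core idea — placing a data transformation module in front of the classifier so that robustness does not depend on keeping the learning algorithm secret — can be sketched in miniature. The sketch below is an illustrative assumption only: the fixed random-projection transform and the toy linear classifier stand in for the paper's actual (unspecified here) components, and are not the authors' method.

```python
import numpy as np

# Toy sketch of the pipeline shape described in the abstract:
# input -> data transformation module -> classifier.
# The specific transform (a fixed random projection) is a placeholder
# assumption, not the method proposed in the paper.

rng = np.random.default_rng(0)

def make_transform(in_dim, out_dim):
    """Return a fixed linear map that projects inputs to a
    lower-dimensional space before they reach the classifier."""
    W = rng.normal(size=(in_dim, out_dim)) / np.sqrt(in_dim)
    return lambda x: x @ W

def classify(features, weights):
    """Toy linear stand-in for a DNN: threshold a linear score."""
    return (features @ weights > 0).astype(int)

transform = make_transform(in_dim=784, out_dim=64)   # MNIST-sized input
clf_weights = rng.normal(size=64)

x = rng.normal(size=(5, 784))   # five fake inputs
z = transform(x)                # transformation module
y = classify(z, clf_weights)    # downstream classifier
print(y.shape)                  # (5,)
```

Even with the transform and classifier fully disclosed, an attacker must now craft perturbations that survive the transformation stage — which is the design pressure the paper's approach is built around.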

Original language: English (US)
Title of host publication: 2018 IEEE International Conference on Data Mining, ICDM 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 137-146
Number of pages: 10
ISBN (Electronic): 9781538691588
DOI: 10.1109/ICDM.2018.00029
State: Published - Dec 27, 2018
Event: 18th IEEE International Conference on Data Mining, ICDM 2018 - Singapore, Singapore
Duration: Nov 17, 2018 - Nov 20, 2018

Publication series

Name: Proceedings - IEEE International Conference on Data Mining, ICDM
Volume: 2018-November
ISSN (Print): 1550-4786

Conference

Conference: 18th IEEE International Conference on Data Mining, ICDM 2018
Country: Singapore
City: Singapore
Period: 11/17/18 - 11/20/18


All Science Journal Classification (ASJC) codes

  • Engineering (all)

Cite this

Guo, W., Wang, Q., Zhang, K., Ororbia, A. G., Huang, S., Liu, X., ... Xing, X. (2018). Defending Against Adversarial Samples Without Security through Obscurity. In 2018 IEEE International Conference on Data Mining, ICDM 2018 (pp. 137-146). [8594838] (Proceedings - IEEE International Conference on Data Mining, ICDM; Vol. 2018-November). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICDM.2018.00029