Slashdot Mirror


Poison Attacks Against Machine Learning

mikejuk writes "Support Vector Machines (SVMs) are fairly simple but powerful machine learning systems. They learn from data and are usually trained before being deployed. SVMs are used in security to detect abnormal behavior such as fraud, credit card use anomalies and even to weed out spam. In many cases they need to continue to learn as they do the job, and this raises the possibility of feeding them data that causes them to make bad decisions. Three researchers have recently demonstrated how to do this with the minimum poisoned data to maximum effect. What they discovered is that their method was capable of having a surprisingly large impact on the performance of the SVMs tested. They also point out that it could be possible to direct the induced errors so as to produce particular types of error. For example, a spammer could send some poisoned data so as to evade detection for a while. AI-based systems may be no more secure than dumb ones."


  1. Why solely the link to "i-programmer.info"? by Anonymous Coward · · Score: 5, Informative

    Why the hell is the only link in the summary to that rather useless "I Programmer" website? The summary here at Slashdot is basically the content of the entire linked "article"!

    Here is a much more useful link for anyone interested in reading the actual paper: http://arxiv.org/abs/1206.6389v1

  2. Try this on humans by s_p_oneil · · Score: 4, Interesting

    Universities should run a number of psychology experiments to see how this can be done to human intelligence to see how susceptible it is compared to AI. Or you could just study people who tune in to .

    1. Re:Try this on humans by marcosdumay · · Score: 3, Insightful

      You mean propaganda and social pressure.

      Religion and war are just consequences of those.

  3. Propaganda by mbone · · Score: 5, Insightful

    On this side of the human / AI line, we call this propaganda. It has historically proved very effective, especially if you can control all of the "training data."

    1. Re:Propaganda by betterunixthanunix · · Score: 5, Insightful

      Drugs with side effects trigger attachments. Caffeine is just as dangerous as Alcohol in that respect

      Except that "attachments" are not dangerous. Coma and death are dangerous, brain damage is dangerous, liver damage is dangerous, and the typical doses of alcohol are frighteningly close to such adverse effects -- whereas the typical dose of caffeine is nowhere near that point.

      Go to a coffee stand (or at work) and watch some people with their hands shaking so hard they can't hold the coffee in the cup.

      Which may be scary, but is not a sign of any permanent damage to that person's mind or body. Caffeine withdrawal is tough, but it is not life threatening, and a person who is committed to it can get through the symptoms at home (maybe with the help of a close friend) in less than a week. Alcohol withdrawal, on the other hand, can be so dangerous that it requires medical supervision.

      That is a sign of a drug addiction beyond the person's ability to control.

      Yet the drug abuse and dependence treatment programs that emerged from clinical psychology (read: science) are based on teaching people how to take control and avoid harmful behaviors.

      Prescribed drugs can be abused but at least someone is trying to limit the effects

      Really? A typical Adderall prescription (d,l-amphetamine salts) is for 10-20mg, two-three times per day, for a month. That is well above a lethal quantity, and a person could easily give themselves brain damage by taking a large fraction of their month's supply. People who abuse Adderall and related medicines (other amphetamines, Ritalin, etc.) can have psychotic episodes; see, for example, this recent NY Times article (sorry for paywall) about prescription stimulant abuse among high school and college students:

      https://www.nytimes.com/2012/06/10/education/seeking-academic-edge-teenagers-abuse-stimulants.html?_r=1&hp

      It's not just psychiatric drugs; prescription opiates are also readily abused, and people get high by using the prescribed amount of those drugs. Some pharmaceutical opiates are more potent than heroin, and abuse is an ever-present concern with those drugs; Rush Limbaugh abused prescription opiates:

      http://www.cbsnews.com/2100-201_162-1561324.html

      Here is the problem with the war on drugs: recreational drugs need not be any more dangerous than prescription drugs. Pharmaceutical methamphetamine is safer than "truck stop" methamphetamine, not because it is a different drug, but because the production is much better controlled. Many of the dangers of recreational methamphetamine stem from the adulterants that are left over from poor production techniques.

      So in a sense, I agree with you: we need better regulation. That means legalizing recreational drugs, and requiring that legal sources adhere to standardized and regulated production and distribution methods (I do not think anyone can argue that a 14 year old should be buying recreational drugs). When someone buys cocaine, they should not have to worry about what is mixed into the drug; when someone buys MDMA (ecstasy), they should not worry about having actually received methamphetamine mixed with caffeine (a well known trick on the black market). There will still be problems with abuse, but when someone visits their doctor, they should be able to tell their doctor what drugs they have been taking, and in what doses -- which is basically impossible if you are buying some mystery powder in an alley somewhere.

      --
      Palm trees and 8
    2. Re:Propaganda by betterunixthanunix · · Score: 4, Interesting

      I disagree; D.A.R.E. has been overwhelmingly successful at convincing people of the legitimacy of the war on drugs and the paramilitary police that were created in the name of that war. Hardly anyone questions the fact that we have soldiers (but with "POLICE" or "DEA" written on their uniforms) attacking unarmed civilians just to serve an arrest warrant. Hardly anyone questions the fact that the executive branch of government, through the Attorney General's office, now has the power to make and enforce drug laws, without democratic action. Hardly anyone questions the fact that the DEA, supposedly a law enforcement agency, has so much signals intelligence capability that the dictators of some nations have tried to demand the DEA's help in spying on political opponents.

      How many propaganda programs have been so successful at convincing people that this sort of unwinding of a democratic system is the right thing to do?

      --
      Palm trees and 8
  4. Known problem, known solutions by Kanel · · Score: 4, Interesting

    There's already a whole subfield of machine learning which concerns itself with these problems. It's called "adversarial machine learning".
    The approaches are very different from usual software security. Instead of busying oneself with patching holes in software or setting up firewalls, adversarial machine learning redesigns the algorithms completely, using game theory and other techniques. The premise is "How can we make an algorithm that works in an environment full of enemies that try to mislead it?" It's a refreshing change from the usual software-security paradigm, which is all about fencing the code into some supposedly 'safe' environment.

  5. Not very practical by ceoyoyo · · Score: 3, Insightful

    So if you know the algorithm and training data, and you can feed the system new data with manipulated labels then you can confuse it. It's a little early to panic about your spam filter. Hopefully everyone realizes that if you let the spammers tell your computer what is and is not spam, they can cause it to let their spam through.
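
Added example (not part of the thread, and not the paper's code): a small linear SVM retrained on untrusted labelled feedback, first as-is and then behind a nearest-neighbour label-consistency gate checked against a trusted baseline. The data, the +1 = spam / -1 = ham mapping, the 150-point manipulated batch and all function names are constructed for illustration.

```python
import random

def cluster(rng, cx, cy, label, n, sigma=0.5):
    return [((rng.gauss(cx, sigma), rng.gauss(cy, sigma)), label) for _ in range(n)]

def train_linear_svm(data, lam=0.01, eta=0.1, epochs=300):
    """Full-batch subgradient descent on the L2-regularised hinge loss."""
    w, b, n = [0.0, 0.0], 0.0, len(data)
    for _ in range(epochs):
        gw, gb = [lam * w[0], lam * w[1]], 0.0
        for x, y in data:
            if y * (w[0] * x[0] + w[1] * x[1] + b) < 1:  # inside the margin
                gw[0] -= y * x[0] / n
                gw[1] -= y * x[1] / n
                gb -= y / n
        w = [w[0] - eta * gw[0], w[1] - eta * gw[1]]
        b -= eta * gb
    return w, b

def accuracy(model, data):
    (w0, w1), b = model
    return sum((1 if w0 * x[0] + w1 * x[1] + b >= 0 else -1) == y for x, y in data) / len(data)

def knn_gate(trusted, incoming, k=5):
    """Keep incoming samples whose label agrees with their k nearest trusted samples."""
    kept, rejected = [], []
    for x, y in incoming:
        near = sorted(trusted, key=lambda t: (t[0][0] - x[0]) ** 2 + (t[0][1] - x[1]) ** 2)[:k]
        vote = sum(label for _, label in near)  # k is odd, so never zero
        (kept if vote * y > 0 else rejected).append((x, y))
    return kept, rejected

def run_demo(seed=7):
    rng = random.Random(seed)
    # +1 = spam, -1 = ham; every sample below is constructed for the example
    trusted = cluster(rng, 2, 2, +1, 100) + cluster(rng, -2, -2, -1, 100)
    test = cluster(rng, 2, 2, +1, 100) + cluster(rng, -2, -2, -1, 100)
    honest = cluster(rng, 2, 2, +1, 20) + cluster(rng, -2, -2, -1, 20)
    manipulated = cluster(rng, 2, 2, -1, 150)  # spam-like points submitted as "ham"
    kept, rejected = knn_gate(trusted, honest + manipulated)
    return {
        "clean": accuracy(train_linear_svm(trusted), test),
        "poisoned": accuracy(train_linear_svm(trusted + honest + manipulated), test),
        "gated": accuracy(train_linear_svm(trusted + kept), test),
        "rejected": len(rejected),
    }

if __name__ == "__main__":
    print(run_demo())
```

The gate depends on a trusted baseline that untrusted parties cannot write to; nothing here reproduces or evaluates the optimised attack from the paper.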

  6. SVM != AI by SpinyNorman · · Score: 3, Informative

    Support Vector Machines are just a way of performing unsupervised data partitioning/clustering. i.e. you feed a bunch of data vectors into the algorithm and it determines how to split the data into a number of clusters where the members of each cluster are similar to each other and less similar to members of other clusters.

    e.g. you feed it (number of wheels, weight) pairs of a lot of vehicles and it might automatically split the data into 3 clusters - light 2-wheeled vehicles, heavy 4-wheeled ones, and very heavy 4-wheeled ones. If you then labelled these clusters as "bikes", "cars" and "trucks" you could in the future use the clustering rules to determine the category a new data point falls into.

    This isn't Artificial Intelligence - it's just a data mining/classification technique.

    1. Re:SVM != AI by tommeke100 · · Score: 5, Informative

      Wrong. SVM is a supervised learning technique. It looks like you're talking about K-means clustering which is unsupervised.
      The difference between supervised and unsupervised is that in the first you use both features and outcome in your training of the system, where the unsupervised will just use the features. So supervised uses both X and Y to learn (if X are the features and Y is the class/cluster), whereas unsupervised will just use X.
