Too Big to FAIL: What You Need to Know Before Attacking a Machine Learning System

• Published in: Security Protocols XXVI Vol. 11286; pp. 150 - 162
• Main Authors: Dumitraş, Tudor, Kaya, Yiğitcan, Mărginean, Radu, Suciu, Octavian
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 01.01.2018; Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Adversary model; Machine learning
• ISBN: 9783030032500; 3030032507
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-030-03251-7_17

There is an emerging arms race in the field of adversarial machine learning (AML). Recent results suggest that machine learning (ML) systems are vulnerable to a wide range of attacks; meanwhile, there are no systematic defenses. In this position paper we argue that to make progress toward such defenses, the specifications for machine learning systems must include precise adversary definitions—a key requirement in other fields, such as cryptography or network security. Without common adversary definitions, new AML attacks risk making strong and unrealistic assumptions about the adversary’s capabilities. Furthermore, new AML defenses are evaluated based on their robustness against adversarial samples generated by a specific attack algorithm, rather than by a general class of adversaries. We propose the FAIL adversary model, which describes the adversary’s knowledge and control along four dimensions: data Features, learning Algorithms, training Instances and crafting Leverage. We analyze several common assumptions, often implicit, from the AML literature, and we argue that the FAIL model can represent and generalize the adversaries considered in these references. The FAIL model allows us to consider a range of adversarial capabilities and enables systematic comparisons of attacks against ML systems, providing a clearer picture of the security threats that these attacks raise. By evaluating how much a new AML attack’s success depends on the strength of the adversary along each of the FAIL dimensions, researchers will be able to reason about the real effectiveness of the attack. Additionally, such evaluations may suggest promising directions for investigating defenses against the ML threats.