Attacks against Machine Learning in Structured Domains

针对结构化领域中的机器学习的攻击

• 批准号: 492020528
• 负责人: Professor Dr. Konrad Rieck
• 金额: --
• 依托单位: Fachgebiet Maschinelles Lernen und IT-Sicherheit
• 依托单位国家: 德国
• 项目类别: Research Grants
• 资助国家: 德国
• 项目状态: 未结题
• 来源: https://gepris.dfg.de/gepris/projekt/492020528?language=en
• 关键词: Attacks; against; Machine; Learning; Structured

Machine learning techniques are increasingly used in security-critical applications, such as for the detection of malicious code and attacks. However, current learning algorithms are often vulnerable themselves and can be deceived by manipulated inputs. In recent years, a large number of new attack techniques against machine learning has thus been developed. With few exceptions this research has focused on a simplified scenario: The attacks are conducted in the feature space of the learning algorithms only. By making small changes to vectors in this space, it becomes possible to to influence the algorithms' decisions and provoke incorrect predictions. In practice, however, these attacks are only applicable if the manipulated vectors can be mapped back to real objects. For structured data, such as program code, file formats and natural language, this inverse mapping from vectors to structures is almost never defined. Thus, the robustness of many security-critical applications cannot be investigated and tested with the majority of existing attacks.The goal of this project is to explore the security of learning algorithms in structured domains and close a gap of current research. In contrast to previous work, a systematic understanding of the relationship between the problem space of the original data and the feature space will be developed. Two strategies will be pursued for this purpose: First, new inverse mappings for structured data will be explored and developed that replicate missing semantics and syntax in the problem space. Second, new attacks will be devised that operate directly on structured data and thus are not affected by feature mappings. Based on both strategies, new defenses can emerge that build on the interleaving of the problem space and feature space to realize more robust learning systems for computer security.

机器学习技术越来越多地用于安全关键型应用，例如检测恶意代码和攻击。然而，目前的学习算法本身往往是脆弱的，可以被操纵的输入欺骗。近年来，大量针对机器学习的新攻击技术因此被开发出来。除了少数例外，这项研究集中在一个简化的场景：攻击只在学习算法的特征空间中进行。通过对这个空间中的向量进行微小的改变，就有可能影响算法的决策并引发不正确的预测。然而，在实践中，这些攻击仅在被操纵的向量可以被映射回真实的对象时才适用。对于结构化数据，如程序代码、文件格式和自然语言，这种从向量到结构的逆映射几乎从未定义过。因此，许多安全关键的应用程序的鲁棒性无法调查和测试与大多数现有的attacks.The项目的目标是探索在结构化域的学习算法的安全性，并关闭目前的研究差距。与以前的工作相比，系统地了解原始数据的问题空间和特征空间之间的关系。为此，将采取两种策略：首先，将探索和开发结构化数据的新的逆映射，以复制问题空间中缺失的语义和语法。其次，新的攻击将被设计成直接对结构化数据进行操作，因此不受特征映射的影响。基于这两种策略，新的防御可以出现，建立在问题空间和特征空间的交织，实现更强大的学习系统的计算机安全。