Title: Analyzing Attacks on SLT-based Techniques: Novelty Detection
1 Analyzing Attacks on SLT-based Techniques: Novelty Detection
- Blaine Nelson, Marco Barreno, Russell Sears, Anthony Joseph
- {barreno, nelsonb, sears, adj}_at_cs.berkeley.edu
2 Motivation
- Learning techniques are becoming more widely used in security-sensitive applications.
- Relatively little attention has been paid to analyzing the behavior of Statistical Learners when influenced by an attacker.
- How much of a threat is an attacker to statistical learning techniques?
3 Categories of Attacks
- Does it matter which points are misclassified?
  - Yes: Specific
  - No: Numbing
- What sort of errors does the attack cause?
  - Incorrect Acceptance: Dodging
  - Incorrect Rejection: Denial of Service
- Does the attack affect learning directly?
  - Yes: Indoctrination
  - No: Analysis
4 Novelty Detection
- Novelty detection is an important component in many applications where
  - there is an abundance of normal data while abnormal (e.g. failure) data is scarce.
  - even if abnormal data is available, abnormality is not easily characterized.
5 Types of Novelty Detectors
Naïve Hypersphere
Mean-Centered Minimal
Minimally Enclosing
One-Class SVM
6 Fooling Mean-Centered Approaches
- Attack: Shift the mean of a hypersphere
- Assumptions
  - Learner: Mean-centered, Fixed Radius
  - Training Policy: Bootstrapping, no Aging
  - Attacker: Knows Destination State of Learner
7 Finding the Optimal Attack
- M total points
- T attack iterations
- D(A) is the distance the mean is shifted.
- A is the optimal attack strategy with sequence of attack points A at
8 Physics Analogy
A at as Stacking Blocks
9 Unconstrained Optimal
Finding the Optimal Solution
The physics analogy reveals the unrestricted optimal solution: the block spacing follows the harmonic sequence.
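Added illustration (not from the original slides): a simulation of the slide 6 model, a mean-centered, fixed-radius detector retrained by bootstrapping with no aging, comparing the measured drift of the mean with the harmonic sum. The class and function names, the schedule of one accepted boundary point per retraining step, and the Gaussian sample data are assumptions made for this example.

```python
import math
import random

class MeanCenteredDetector:
    """Fixed-radius hypersphere centered on the mean of all accepted points."""
    def __init__(self, normal_data, radius):
        dim = len(normal_data[0])
        self.total = [sum(p[i] for p in normal_data) for i in range(dim)]
        self.count = len(normal_data)      # no aging: old points are never dropped
        self.radius = radius

    def mean(self):
        return [s / self.count for s in self.total]

    def accepts(self, x):
        # Small tolerance so a point exactly on the boundary is not lost to rounding.
        return math.dist(x, self.mean()) <= self.radius + 1e-9

    def observe(self, x):
        """Bootstrapping policy: retrain only on points the detector calls normal."""
        if not self.accepts(x):
            return False
        self.total = [s + xi for s, xi in zip(self.total, x)]
        self.count += 1
        return True

def simulate_drift(n_initial, n_points, radius=1.0, dim=2, seed=0):
    """Return (measured mean shift, harmonic-sum prediction).

    Assumed schedule: one point per retraining step, placed on the boundary
    along the first axis. Each accepted point moves the mean by radius/(n+1),
    where n is the number of points already in the training set.
    """
    rng = random.Random(seed)
    # Constructed "normal" training data, tightly clustered near the origin.
    data = [[rng.gauss(0, 0.1) for _ in range(dim)] for _ in range(n_initial)]
    det = MeanCenteredDetector(data, radius)
    start = det.mean()
    for _ in range(n_points):
        m = det.mean()
        boundary_point = [m[0] + radius] + m[1:]
        if not det.observe(boundary_point):
            raise RuntimeError("boundary point was rejected")
    shift = math.dist(det.mean(), start)
    predicted = radius * sum(1 / k for k in range(n_initial + 1,
                                                  n_initial + n_points + 1))
    return shift, predicted
```

With 100 initial points, 1000 accepted boundary points move the mean by about 2.39 radii, so under this schedule the shift grows only logarithmically with the number of accepted points.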
10 Refined Physics Analogy: Stacking Variable Weighted Blocks
To constrain the duration of the attack, the analogy becomes one of stacking blocks of varying weight and choosing the weights for optimal stacking.
11 Alternative Formulation: Reformulate as Total Cumulative Mass
- Total Mass (Mt): the sum of all mass used up to and including iteration t
- The optimal solution yielded by the total mass formulation
12 Ideas for Countering Attacks: A Game-Theoretic Approach
- Identify policies for retraining
- Revise the learner's retraining strategy.
- Bootstrapping Policy: Retrain only on data identified as normal by the novelty detector.
- Introduces bias into the training set and thereby misrepresents the support of the distribution.
- Censor data based on location (Censoring)
- Analysis of the statistical properties of distributions biased by the choice of the training set.
13 Conclusion
- Providing security analyses for learning applications is essential as such applications are incorporated into security-sensitive environments.
- The simplified model allowed for a rigorous analysis of optimal attack strategies. This sort of analysis can be extended in more realistic ways.
- We need to perform a rigorous analysis on potential countermeasures and their statistical consequences.