Fulvio Di Girolamo
Fighting Fire with Fire - On the Effectiveness of Neural Backdoors in Countering Test-Time Evasion Attacks.
Supervisor: Cataldo Basile. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2021
Abstract: | Due to its outstanding performance, deep learning, i.e. the branch of machine learning that uses models known as deep neural networks, has over the years become increasingly prevalent in several application domains, including security- or safety-sensitive ones such as anomaly detection, authentication systems and autonomous driving. In such contexts an adversary may be motivated to look for ways to induce the misclassification of given inputs, e.g. to pass malware off as benign software or to provoke an accident. Test-time evasion attacks and neural backdoors are two types of attack against deep learning models which, albeit very different in nature, both allow reaching this same adversarial goal: the former by feeding the model malicious inputs known as adversarial samples at inference time, the latter by manipulating the training of the target model. In this thesis we explore the interactions between these two attack types, with the intent of setting them against one another. More precisely, we first assess how infecting a model with a neural backdoor changes the classification of adversarial samples depending on the properties of the backdoor trigger, i.e. the secret component that activates the backdoor functionality when recognized by the infected model; we then determine the type of trigger that maximizes the discrepancy in behaviour between adversarial and natural samples; finally, we evaluate the degree to which such a discrepancy could be exploited to improve the robustness of a given model against evasion attacks by leveraging an ensemble of infected versions of it. |
---|---|
Supervisors: | Cataldo Basile |
Academic year: | 2020/21 |
Publication type: | Electronic |
Number of pages: | 49 |
Additional information: | Confidential (embargoed) thesis. Full text not available. |
Subjects: | |
Degree programme: | Master's degree programme in Ingegneria Informatica (Computer Engineering) |
Degree class: | New regulations > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
Co-supervising institution: | TELECOM ParisTech - EURECOM (FRANCE) |
Collaborating companies: | NEC Laboratories Europe GmbH |
URI: | http://webthesis.biblio.polito.it/id/eprint/18123 |