Top

Published in:

2018 | OriginalPaper | Chapter

Training Set Camouflage

Authors : Ayon Sen, Scott Alfeld, Xuezhou Zhang, Ara Vartanian, Yuzhe Ma, Xiaojin Zhu

Published in: Decision and Game Theory for Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We introduce a form of steganography in the domain of machine learning which we call training set camouflage. Imagine Alice has a training set on an illicit machine learning classification task. Alice wants Bob (a machine learning system) to learn the task. However, sending either the training set or the trained model to Bob can raise suspicion if the communication is monitored. Training set camouflage allows Alice to compute a second training set on a completely different – and seemingly benign – classification task. By construction, sending the second training set will not raise suspicion. When Bob applies his standard (public) learning algorithm to the second training set, he approximately recovers the classifier on the original task. Training set camouflage is a novel form of steganography in machine learning. We formulate training set camouflage as a combinatorial bilevel optimization problem and propose solvers based on nonlinear programming and local search. Experiments on real classification tasks demonstrate the feasibility of such camouflage.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Game Theoretic Security Framework for Quantum Key Distribution

next chapter Multi-stage Dynamic Information Flow Tracking Game

Available only for authorised users

Alfeld, S., Zhu, X., Barford, P.: Explicit defense actions against test-set attacks. In: AAAI, pp. 1274–1280 (2017)

Balbach, F.J., Zeugmann, T.: Teaching randomized learners. In: Lugosi, G., Simon, H.U. (eds.) COLT 2006. LNCS (LNAI), vol. 4005, pp. 229–243. Springer, Heidelberg (2006). https://doi.org/10.1007/11776420_19CrossRef

Barreno, M., Nelson, B., Joseph, A.D., Tygar, J.: The security of machine learning. Mach. Learn. 81(2), 121–148 (2010)MathSciNetCrossRef

Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar, J.D.: Can machine learning be secure? In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (2006)

Biggio, B., Roli, F.: Wild patterns: ten years after the rise of adversarial machine learning. arXiv preprint arXiv:1712.03141 (2017)

Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50CrossRef

Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT) 6(3), 13 (2014)MathSciNetMATH

Brückner, M., Kanzow, C., Scheffer, T.: Static prediction games for adversarial learning problems. J. Mach. Learn. Res. 13, 2617–2654 (2012)MathSciNetMATH

Brückner, M., Scheffer, T.: Nash equilibria of static prediction games. In: Advances in Neural Information Processing Systems (2009)

10.

Brückner, M., Scheffer, T.: Stackelberg games for adversarial prediction problems. In: ACM SIGKDD (2011)

11.

Bulò, S.R., Biggio, B., Pillai, I., Pelillo, M., Roli, F.: Randomized prediction games for adversarial machine learning. IEEE Trans. Neural Netw. Learn. Syst. 28, 2466–2478 (2016)MathSciNetCrossRef

12.

Bussieck, M.R., Pruessner, A.: Mixed-integer nonlinear programming. SIAG/OPT Newsl. Views News 14(1), 19–22 (2003)

13.

Cachin, C.: An information-theoretic model for steganography. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 306–318. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49380-8_21CrossRef

14.

Chandramouli, R.: A mathematical approach to steganalysis. In: Proceedings SPIE, vol. 4675, pp. 4–25 (2002)

15.

Cox, I.J., Kalker, T., Pakura, G., Scheel, M.: Information transmission and steganography. In: Barni, M., Cox, I., Kalker, T., Kim, H.-J. (eds.) IWDW 2005. LNCS, vol. 3710, pp. 15–29. Springer, Heidelberg (2005). https://doi.org/10.1007/11551492_2CrossRef

16.

Dalvi, N., Domingos, P., Sanghai, S., Verma, D., et al.: Adversarial classification. In: ACM SIGKDD (2004)

17.

Dziugaite, G.K., Roy, D.M., Ghahramani, Z.: Training generative neural networks via maximum mean discrepancy optimization. arXiv preprint arXiv:1505.03906 (2015)

18.

Fridrich, J.: Feature-based steganalysis for JPEG images and its implications for future design of steganographic schemes. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 67–81. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30114-1_6CrossRef

19.

Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5CrossRef

20.

Gretton, A., Borgwardt, K.M., Rasch, M.J., Schölkopf, B., Smola, A.: A kernel two-sample test. J. Mach. Learn. Res. 13(Mar), 723–773 (2012)MathSciNetMATH

21.

Hardt, M., Megiddo, N., Papadimitriou, C., Wootters, M.: Strategic classification. In: ACM ITCS (2016)

22.

He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: IEEE CVPR, pp. 770–778 (2016)

23.

Hearst, M.A., Dumais, S.T., Osuna, E., Platt, J., Scholkopf, B.: Support vector machines. IEEE Intell. Syst. Appl. 13(4), 18–28 (1998)CrossRef

24.

Hoerl, A.E., Kennard, R.W.: Ridge regression: biased estimation for nonorthogonal problems. Technometrics 12(1), 55–67 (1970)CrossRef

25.

Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_6CrossRef

26.

Hosmer Jr., D.W., Lemeshow, S., Sturdivant, R.X.: Applied Logistic Regression, vol. 398. Wiley, Hoboken (2013)CrossRef

27.

Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial machine learning. In: AISEC (2011)

28.

Joachims, T.: A probabilistic analysis of the Rocchio algorithm with TFIDF for text categorization. Technical report, Carnegie-Mellon University Pittsburgh PA, Department of Computer Science (1996)

29.

Johnson, N.F., Jajodia, S.: Exploring steganography: seeing the unseen. Computer 31(2), 26–34 (1998)CrossRef

30.

Juels, A., Ristenpart, T.: Honey encryption: security beyond the brute-force bound. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 293–310. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_17CrossRef

31.

Katz, J., Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)MATH

32.

Ker, A.D.: Steganalysis of LSB matching in grayscale images. IEEE Signal Process. Lett. 12(6), 441–444 (2005)CrossRef

33.

Kerckhoffs, A.: La Cryptographie Militaire (Part I), vol. 9, pp. 5–38 (1883)

34.

Kerckhoffs, A.: La Cryptographie Militaire (Part II), vol. 9, pp. 161–191 (1883)

35.

Kloft, M., Laskov, P.: A poisoning attack against online anomaly detection. In: NIPS Workshop on Machine Learning in Adversarial Environments for Computer Security. Citeseer (2007)

36.

Kloft, M., Laskov, P.: Online anomaly detection under adversarial impact. In: AISTATS, pp. 405–412 (2010)

37.

Kloft, M., Laskov, P.: Online anomaly detection under adversarial impact (2011)

38.

Kohavi, R., et al.: A study of cross-validation and bootstrap for accuracy estimation and model selection. In: IJCAI, vol. 14(2), pp. 1137–1145. Montreal, Canada (1995)

39.

Krasin, I., et al.: Openimages: a public dataset for large-scale multi-label and multi-class image classification. Dataset (2017). https://github.com/openimages

40.

Krenn, R.: Steganography and steganalysis (2004)

41.

Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images (2009)

42.

Laskov, P., Kloft, M.: A framework for quantitative security analysis of machine learning. In: Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence (2009)

43.

Letchford, J., Vorobeychik, Y.: Optimal interdiction of attack plans. In: AAMAS (2013)

44.

Liu, J., Zhu, X.: The teaching dimension of linear learners. J. Mach. Learn. Res. 17(162), 1–25 (2016)MathSciNetMATH

45.

Liu, W., Chawla, S.: A game theoretical model for adversarial learning. In: IEEE International Conference on Data Mining Workshops 2009. ICDMW 2009 (2009)

46.

López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, pp. 1219–1234. ACM (2012)

47.

Lowd, D., Meek, C.: Adversarial learning. In: ACM SIGKDD, pp. 641–647. ACM (2005)

48.

Maganbhai, P.A.K., Chouhan, K.: A study and literature review on image steganography. Int. J. Comput. Sci. Inf. Technol. 6, 685–688 (2015)

49.

Mei, S., Zhu, X.: Using machine teaching to identify optimal training-set attacks on machine learners. In: Twenty-Ninth AAAI Conference on Artificial Intelligence (2015)

50.

Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)

51.

Queirolo, F.: Steganography in images. Final Communications Report 3 (2011)

52.

Reyzin, L., Russell, S.: More efficient provably secure steganography. Department of Computer Science, Boston University (2003)

53.

Rich, E., Knight, K.: Artificial Intelligence. McGraw-Hill, New York (1991)

54.

Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. Found. Secur. Comput. 4(11), 169–180 (1978)MathSciNet

55.

Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Advances in Cryptology, pp. 51–67. Springer, Heidelberg (1984). https://doi.org/10.1007/978-1-4684-4730-9_5CrossRef

56.

Singh, K.U.: A survey on image steganography techniques. Int. J. Comput. Appl. 97(18) (2014)

57.

Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_25CrossRefMATH

58.

Steinwart, I.: On the influence of the kernel on the consistency of support vector machines. J. Mach. Learn. Res. 2(Nov), 67–93 (2001)MathSciNetMATH

59.

Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 54–73. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36084-0_4CrossRefMATH

60.

Thompson, A.: All the news (2017). https://www.kaggle.com/snapcrack/all-the-news

61.

Van Tilborg, H.C., Jajodia, S.: Encyclopedia of Cryptography and Security. Springer, Heidelberg (2014)

62.

Vorobeychik, Y., Li, B.: Optimal randomized classification in adversarial settings. In: AAMAS (2014)

63.

Wu, H.C.: The Karush-Kuhn-Tucker optimality conditions in an optimization problem with interval-valued objective function. Eur. J. Oper. Res. 176(1), 46–59 (2007)MathSciNetCrossRef

64.

Zhang, L., Wu, J., Zhou, N.: Image encryption with discrete fractional cosine transform and chaos. In: Fifth International Conference on Information Assurance and Security 2009. IAS 2009, vol. 2, pp. 61–64. IEEE (2009)

65.

Zhang, X., Zhu, X., Wright, S.: Training set debugging using trusted items. In: AAAI (2018)

Title: Training Set Camouflage
Authors: Ayon Sen
Scott Alfeld
Xuezhou Zhang
Ara Vartanian
Yuzhe Ma
Xiaojin Zhu
Publisher: Springer International Publishing
Book: Decision and Game Theory for Security
Print ISBN: 978-3-030-01553-4

Electronic ISBN: 978-3-030-01554-1

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-030-01554-1_4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner