Lujo Bauer::projects::adversarial ML

Lujo Bauer :: projects :: adversarial machine learning

Machine learning (ML) algorithms are becoming ubiquitous; they're used in applications from playing chess and predicting the weather to cancer diagnosis and self-driving cars. In this project we first try to understand how robust ML algorithms are in the face of an adversary. Specifically, we study whether an adversary can fool ML classifiers in practical settings without arousing the suspicion of a human. For instance, we showed that it is possible to 3d print a pair of eyeglasses that, when worn by an adversary, can cause a state-of-the-art face-recognition algorithm to identify the adversary as (a specific) someone else. We leverage what we learn of ML algorithms' weaknesses to design ML algorithms that are more resistant to attack.

Video demonstrating targeted impersonation: Mahmood impersonates Ariel against VGG10. The video shows that the face recognizer isn't confused by non-adversarial eyeglasses, including large, bright ones, but adversarial eyeglasses generated specifically to fool the recognizer into classifying Mahmood as Ariel are overwhelmingly successful at doing so. Targeted impersonation is achieved via the method described in “Adversarial generative nets: neural network attacks on state-of-the-art face recognition” (see below).

Publications

n-ML: Mitigating adversarial examples via ensembles of topologically manipulated classifiers. [PDF, BibTeX, ]
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1912.09059, December 2019.

Optimization-guided binary diversification to mislead neural networks for malware detection. [PDF, BibTeX, ]
Mahmood Sharif, Keane Lucas, Lujo Bauer, Michael K. Reiter, and Saurabh Shintre.
arXiv preprint 1912.09064, December 2019.

A general framework for adversarial examples with objectives. [PDF, BibTeX, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
ACM Transactions on Privacy and Security, 22(3), June 2019. (Revised version of arXiv preprint 1801.00349.) © authors DOI:10.1145/3317611

On the suitability of L_p-norms for creating and preventing adversarial examples. [PDF, BibTeX, ]
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
In Proceedings of The Bright and Dark Sides of Computer Vision: Challenges and Opportunities for Privacy and Security (in conjunction with the 2018 IEEE Conference on Computer Vision and Pattern Recognition), June 2018. © IEEE

Adversarial Generative Nets: Neural network attacks on state-of-the-art face recognition. [PDF, BibTeX, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1801.00349, December 2017.

Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. [PDF, BibTeX, ]
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
In Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security, October 2016. DOI:10.1145/2976749.2978392

Parts of this work have been supported by MURI grant W911NF-17-1-0370, by the National Security Agency, by the National Science Foundation, by a gift from NVIDIA, and gifts from NATO and Lockheed Martin through Carnegie Mellon CyLab.