Massively parallel evasion attacks and the pitfalls of adversarial retraining
Meyers, Charles (Umeå University, Faculty of Science and Technology, Department of Computing Science)
Löfstedt, Tommy (Umeå University, Faculty of Science and Technology, Department of Computing Science; ORCID iD: 0000-0001-7119-7646)
Elmroth, Erik (Umeå University, Faculty of Science and Technology, Department of Computing Science; ORCID iD: 0000-0002-2633-6798)
2024 (English). In: EAI Endorsed Transactions on Internet of Things, E-ISSN 2414-1399, Vol. 10. Article in journal (Refereed). Published.
Abstract [en]

Even with widespread adoption of automated anomaly detection in safety-critical areas, both classical and advanced machine learning models are susceptible to first-order evasion attacks that fool models at run-time (e.g. an automated firewall or an anti-virus application). Kernelized support vector machines (KSVMs) are an especially useful model because they combine a complex geometry with low run-time requirements (e.g. when compared to neural networks), acting as a run-time lower bound when compared to contemporary models (e.g. deep neural networks), and so provide a cost-efficient way to measure model and attack run-time costs. To properly measure and combat adversaries, we propose a massively parallel projected gradient descent (PGD) evasion attack framework. Through theoretical examinations and experiments carried out using linearly separable Gaussian normal data, we present (i) a massively parallel naive attack, with which we show that adversarial retraining is unlikely to be an effective means to combat an attacker even on linearly separable datasets, (ii) a cost-effective way of evaluating model defences and attacks, and an extensible code base for doing so, (iii) an inverse relationship between adversarial robustness and benign accuracy, (iv) the lack of a general relationship between attack time and efficacy, and (v) that adversarial retraining increases compute time exponentially while failing to reliably prevent highly confident false classifications.

Place, publisher, year, edition, pages
Gent: EAI, 2024. Vol. 10
Keywords [en]
Machine Learning, Support Vector Machines, Trustworthy AI, Anomaly Detection, AI for Cybersecurity
National Category
Computer Vision and Robotics (Autonomous Systems)
Identifiers
URN: urn:nbn:se:umu:diva-228214
DOI: 10.4108/eetiot.6652
Scopus ID: 2-s2.0-85200255571
OAI: oai:DiVA.org:umu-228214
DiVA id: diva2:1886941
Funder
Knut and Alice Wallenberg Foundation, 2019.0352
Available from: 2024-08-05. Created: 2024-08-05. Last updated: 2024-08-15. Bibliographically approved.

Open Access in DiVA

File information
File name: FULLTEXT01.pdf
File size: 1314 kB
Checksum SHA-512: d19e7f42d95385706a756d128b6ecf410717f0a4de6b514c1d78ae8f107f738b5534898b2b2b74ce962593365b1d14b5ddaf6cdd8e40d1b53fe536bbf9b9ae5c
Type: fulltext
Mimetype: application/pdf

Authority records
Meyers, Charles; Löfstedt, Tommy; Elmroth, Erik
