Abstract
Adversarial instances are malicious inputs designed to fool machine learning models. In particular, motivated and sophisticated attackers intentionally design adversarial instances to evade classifiers which have been trained to detect security violation, such as malware detection. While the existing approaches provide effective solutions in detecting and defending adversarial samples, they fail to detect them when they are encrypted. In this study, a novel framework is proposed which employs statistical test to detect adversarial instances, when data under analysis are encrypted. An experimental evaluation of our approach shows its practical feasibility in terms of computation cost.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Srndic, N., Laskov, P.: Practical evasion of a learning-based classifier: a case study. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 197–211, IEEE Computer Society, Washington, DC (2014)
Lowd, D.: Good word attacks on statistical spam filters. In: Proceedings of the Second Conference on Email and Anti-Spam (CEAS) (2005)
Maiorca, D., Corona, I., Giacinto, G.: Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, pp. 119–130. ACM, New York (2013)
Elsayed, G.F., et al.: Adversarial examples that fool both human and computer vision, CoRR abs/1802.08195 (2018)
Szegedy, C., et al.: Intriguing properties of neural networks, CoRR abs1312.6199 (2013)
Lu, J., Sibai, H., Fabry, E., Forsyth, D.A.: No need to worry about adversarial examples in object detection in autonomous vehicles, CoRR abs/1707.03501 (2017)
Fawzi, A., Fawzi, O., Frossard, P.: Analysis of classifiers’ robustness to adversarial perturbations. Mach. Learn. 107(3), 481–508 (2018)
Biggio, B., et al.: Evasion attacks against machine learning at test time. In: Blockeel, H., Kersting, K., Nijssen, S., Železný, F. (eds.) ECML PKDD 2013, Part III. LNCS (LNAI), vol. 8190, pp. 387–402. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40994-3_25
Papernot, N., McDaniel, P.D., Wu, X., Jha, S., Swami, A.: Distillation as a defense to adversarial perturbations against deep neural networks, CoRR abs1511.04508 (2016)
Grosse, K., Manoharan, P., Papernot, N., Backes, M., McDaniel, P.D.: On the (statistical) detection of adversarial examples, CoRR abs1702.06280 (2017)
Potey, M.M., Dhote, C., Sharma, D.H.: Homomorphic encryption for security of cloud data. Procedia Comput. Sci. 79, 175–181 (2016). Proceedings of International Conference on Communication, Computing and Virtualization (ICCCV) 2016
Gretton, A., Borgwardt, K.M., Rasch, M.J., Scholkopf, B., Smola, A.: A kernel two-sample test. J. Mach. Learn. Res. 13, 723–773 (2012)
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Nateghizad, M., Erkin, Z., Lagendijk, R.L.: An efficient privacy-preserving comparison protocol in smart metering systems. EURASIP J. Inf. Secur. (1), 11 (2016)
Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., Lagendijk, I., Toft, T.: Privacy-preserving face recognition. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 235–253. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03168-7_14
Sheikhalishahi, M., Saracino, A., Mejri, M., Tawbi, N., Martinelli, F.: Fast and effective clustering of spam emails based on structural similarity. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds.) FPS 2015. LNCS, vol. 9482, pp. 195–211. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30303-1_12
Lindell, Y.: How to simulate it – a tutorial on the simulation proof technique. Tutorials on the Foundations of Cryptography. ISC, pp. 277–346. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_6
Nateghizad, M., Erkin, Z., Lagendijk, R.L.: Efficient and secure equality tests. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6 (2016)
Viola, P., Jones, M.: Rapid object detection using a boosted cascade of simple features. In: Proceedings of the 2001 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, CVPR 2001, vol. 1 (2001)
Munoz-Gonzalez, L., et al.: Towards poisoning of deep learning algorithms with back-gradient optimization. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, AISec 2017, New York, NY, USA, pp. 27–38 (2017)
Biggio, B., Fumera, G., Roli, F.: Security evaluation of pattern classifiers under attack, CoRR abs/1709.00609 (2017)
Jordaney, R., et al.: Transcend: detecting concept drift in malware classification models. In: 26th USENIX Security Symposium, Vancouver, BC, pp. 625–642. USENIX Association (2017)
Bos, J.W., Lauter, K., Naehrig, M.: Private predictive analysis on encrypted medical data. J. Biomed. Inform. 50, 234–243 (2014)
Sheikhalishahi, M., Martinelli, F.: Privacy preserving clustering over horizontal and vertical partitioned data. In: 2017 IEEE Symposium on Computers and Communications, ISCC 2017, Heraklion, Greece, 3–6 July 2017, pp. 1237–1244 (2017)
Bost, R. Popa, R.A., Tu, S., Goldwasser, S.: Machine learning classification over encrypted data. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 8–11 February 2015 (2015)
Sheikhalishahi, M., Martinelli, F.: Privacy-utility feature selection as a tool in private data classification. Distributed Computing and Artificial Intelligence, 14th International Conference. AISC, vol. 620, pp. 254–261. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-62410-5_31
Costantino, G., Marra, A.L., Martinelli, F., Saracino, A., Sheikhalishahi, M.: Privacy-preserving text mining as a service. In: 2017 IEEE Symposium on Computers and Communications, ISCC 2017, Heraklion, Greece, 3–6 July 2017, pp. 890–897 (2017)
Martinelli, F., Saracino, A., Sheikhalishahi, M.: Modeling privacy aware information sharing systems: a formal and general approach. In: 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 23–26 August 2016, pp. 767–774 (2016)
Acknowledgment
This work was partially supported by the H2020 EU funded project SECREDAS [GA #783119] and by the H2020 EU funded project C3ISP [GA #700294].
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
In what follows we prove Theorem 1, claiming that if we set \(\alpha ' = \sqrt{ \alpha ^2- 2d \updelta }\) (for negligible \(\updelta \)), then from \(MMD'(D'_1, D'_2) \le \alpha '\) we can conclude that \(MMD(D_1, D_2) \le \alpha \).
Basically, we are looking for \(\alpha '\) such that if the following relation holds:
We can conclude that:
To this end, we first find a relation between two above relations:
From the application of binomial theorem, we obtain:
This means that it is enough to set \({\alpha '}^2 = \alpha ^2 - 2 \updelta d\), because:
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Sheikhalishahi, M., Nateghizad, M., Martinelli, F., Erkin, Z., Loog, M. (2019). On the Statistical Detection of Adversarial Instances over Encrypted Data. In: Mauw, S., Conti, M. (eds) Security and Trust Management. STM 2019. Lecture Notes in Computer Science(), vol 11738. Springer, Cham. https://doi.org/10.1007/978-3-030-31511-5_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-31511-5_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31510-8
Online ISBN: 978-3-030-31511-5
eBook Packages: Computer ScienceComputer Science (R0)