
Machine Learning And Security Pdf


File Name: machine learning and security .zip
Size: 1826Kb
Published: 10.12.2020


Explore a preview version of Machine Learning and Security right now. Can machine learning techniques solve our computer security problems and finally put an end to the cat-and-mouse game between attackers and defenders? Or is this hope merely hype? Now you can dive into the science and answer this question for yourself.

Adversarial attack and defense in reinforcement learning-from AI security view

Therefore, a reliable RL system is the foundation for security-critical applications of AI, and building one has become a concern that is more critical than ever. However, recent studies have found that adversarial attacks, an attack mode of considerable interest, are also effective when targeting neural network policies in the context of reinforcement learning, which has inspired innovative research in this direction.

Hence, in this paper, we make the very first attempt to conduct a comprehensive survey on adversarial attacks in reinforcement learning from the AI security view. Moreover, we give a brief introduction to the most representative defense technologies against existing adversarial attacks. Artificial intelligence (AI) is providing major breakthroughs in solving problems that have withstood many previous attempts, such as natural language understanding, speech recognition and image understanding.

The latest studies (He et al.). Reinforcement learning (RL) is one of the main techniques that can realize artificial intelligence (AI), and it is currently being used to decipher hard scientific problems at an unprecedented scale.

To summarize, research on reinforcement learning under artificial intelligence is mainly focused on the following fields. In terms of autonomous driving, Shalev-Shwartz et al. In the aspect of game play, Liang et al. Meanwhile, for Atari games, Mnih et al. Moreover, Liang et al.

Guo et al. In the field of control systems, Zhang et al. Bougiouklis et al. Yang et al. In addition, reinforcement learning is also an important technique for Connected and Automated Vehicle Systems (CAV), a hot topic in recent years.

Meanwhile, security research in this direction has attracted considerable attention (Chen et al.). Chen et al. Therefore, how to build a reliable and secure reinforcement learning system to support the security-critical applications of AI has become a concern that is more critical than ever.

However, the weaknesses of reinforcement learning are gradually being exposed, and they can be exploited by attackers. Huang et al. Regardless of the learned task or training algorithm, they observed a significant drop in performance, even with very small adversarial perturbations that are imperceptible to humans.

Even worse, they found that the cross-dataset transferability property (Szegedy et al.). Such discoveries have attracted public interest in the research of adversarial attacks and their corresponding defense technologies in the context of reinforcement learning.

After Huang et al. For instance, in the field of Atari games, Lin et al. Moreover, in terms of automatic path planning, Liu et al. Figure: examples of adversarial attacks on reinforcement learning. The first row shows examples of adversarial attacks in the field of Atari games; the second row shows examples of adversarial attacks in the domain of automatic path planning.

As in the first row, the first image represents the original pathfinding map, and the remaining two images are adversarial examples generated by adding noise. In view of the extensive and valuable applications of reinforcement learning in modern artificial intelligence (AI), and the critical role of reinforcement learning in AI security, these discoveries have inspired innovative work in the field of adversarial research.

We make the very first attempt to conduct a comprehensive and in-depth survey of the literature on adversarial research in the context of reinforcement learning from the AI security view. The structure of this paper is organized as follows.

In this section, we explain the common terms related to adversarial attacks in the field of reinforcement learning. In addition, we briefly introduce the most representative reinforcement learning algorithms and compare them by approach type, learning type and application scenario.

Reinforcement Learning: an important branch of machine learning built on two basic elements, state and action. Performing a certain action under a certain state, the agent must continuously explore and learn in order to obtain a good strategy.

Adversarial Example: an input that deceives an AI system into making mistakes. The general form of an adversarial example is an information carrier (such as an image, voice or text) with small perturbations added, which remain imperceptible to the human visual system.

Adversarial Attack: attacking an artificial intelligence (AI) system by means of adversarial examples. Adversarial attacks can generally be classified into two categories:

Misclassification attacks: aim to generate adversarial examples that the target network misclassifies.

Targeted attacks: aim to generate adversarial examples that the target network misclassifies into an arbitrary label designated by the adversary.

Perturbation: the noise added to the original clean information carriers (such as image, voice or text) that turns them into adversarial examples.

Adversary: the agent who attacks an AI system with adversarial examples. In some cases, the term also refers to the adversarial example itself (Akhtar and Mian).

Black-Box Attack: the attacker has no knowledge of the training algorithm or the corresponding parameters of the model. However, the attacker can still interact with the model, for instance by passing in arbitrary inputs and observing changes in the output, so as to achieve the purpose of the attack. In some work (Huang et al.).

White-Box Attack: the attacker has access to the training algorithm and the corresponding parameters of the model, and can interact with the target model while generating adversarial attack data.

Threat Model: finding the potential threats to a system in order to establish an adversarial policy, and thereby build a secure system (Swiderski and Snyder). In the context of adversarial research, the threat model considers adversaries capable of introducing small perturbations to the raw input of the policy.

Transferability: an adversarial example designed to be misclassified by one model is often misclassified by other models trained to solve the same task (Szegedy et al.).

Target Agent: the target attacked by adversarial examples, usually a network model trained by a reinforcement learning policy, which is used to check whether the adversarial examples succeed.

This kind of reinforcement learning algorithm learns different strategies; in other words, the probability of taking a given action under a certain state is constantly adjusted.

Q-Learning is a classical reinforcement learning algorithm; it was proposed early and has been widely used. Q-Learning was first proposed by C. The idea of Q-Learning is based on value iteration, which can be summarized as follows: the agent perceives information from the surrounding environment, selects appropriate actions to change the state of the environment according to its own method, and obtains corresponding rewards and penalties that correct its strategy.

Throughout the continuous iteration and learning process, the agent tries to maximize the rewards it receives and finds the best path to the goal, and so the Q matrix is obtained. Q is an action utility function that evaluates the strengths and weaknesses of actions in a particular state and can be interpreted as the brain of an intelligent agent. DeepMind applied DQN to Atari games, which differed from previous practice in using the video frames as input and playing the games against humans.
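The value-iteration loop described above (perceive state, pick an action, receive reward or penalty, correct the strategy, repeat until the Q matrix settles) is shown below as an added example; it is not code from the paper. It assumes a constructed toy environment, a one-dimensional corridor of six cells with the goal at the far end, and standard tabular Q-learning with an epsilon-greedy exploration rule. The `q_learning`, `greedy_policy` and `rollout` helpers are hypothetical names chosen for this example.

```python
import random

# Constructed toy environment (assumption for this example): a corridor of
# N_CELLS cells, the agent starts in cell 0 and the goal is the last cell.
N_CELLS = 6
ACTIONS = (0, 1)          # 0 = move left, 1 = move right
GOAL = N_CELLS - 1


def step(state, action):
    """Deterministic transition: return (next_state, reward, done)."""
    nxt = max(0, min(N_CELLS - 1, state + (1 if action == 1 else -1)))
    if nxt == GOAL:
        return nxt, 10.0, True        # reward for reaching the goal
    return nxt, -1.0, False           # small penalty per move favours short paths


def q_learning(episodes=300, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Tabular Q-learning: Q[s][a] <- Q[s][a] + alpha * (target - Q[s][a]),
    where target = r + gamma * max_a' Q[s'][a'] (or just r on a terminal step)."""
    rng = random.Random(seed)
    q = [[0.0 for _ in ACTIONS] for _ in range(N_CELLS)]
    for _ in range(episodes):
        s, done, steps = 0, False, 0
        while not done and steps < 50:
            # epsilon-greedy: explore with probability epsilon, else exploit Q
            if rng.random() < epsilon:
                a = rng.choice(ACTIONS)
            else:
                a = max(ACTIONS, key=lambda act: q[s][act])
            s2, r, done = step(s, a)
            target = r if done else r + gamma * max(q[s2])
            q[s][a] += alpha * (target - q[s][a])   # correct the estimate
            s, steps = s2, steps + 1
    return q


def greedy_policy(q):
    """The learned strategy: the best action in every state according to Q."""
    return [max(ACTIONS, key=lambda a: q[s][a]) for s in range(N_CELLS)]


def rollout(q, max_steps=20):
    """Follow the greedy policy from the start cell; return the number of
    steps needed to reach the goal, or None if it is not reached."""
    s = 0
    for t in range(1, max_steps + 1):
        a = max(ACTIONS, key=lambda act: q[s][act])
        s, _, done = step(s, a)
        if done:
            return t
    return None


if __name__ == "__main__":
    Q = q_learning()
    for s, row in enumerate(Q):
        print(f"state {s}: Q(left)={row[0]:6.2f}  Q(right)={row[1]:6.2f}")
    print("greedy policy:", greedy_policy(Q))
    print("steps to goal:", rollout(Q))
```

After training, every non-goal state prefers "move right" and the greedy rollout reaches the goal in the minimum five steps; the Q matrix printed above is the "brain" the paper refers to, and it is exactly this table (or its neural-network approximation) that an adversary targets by perturbing the observed state.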

In this paper, the authors made the very first attempt to introduce the concept of Deep Reinforcement Learning, which has attracted public attention in this direction.

However, the inputs to the value network are the state S, the action A and the feedback reward R. Therefore, how to calculate the target Q-value correctly is the key problem in the context of DQN. Tamar et al. This paper mainly addressed the weak generalization ability of deep reinforcement learning. There is a special value iteration network structure in VIN (Touretzky et al.).

With the novel method proposed in this work, the neural network not only learns a direct mapping from state to decision, but also embeds the traditional planning algorithm into the network, so that the network can learn how to act in the current environment and use long-term planning to give a better decision.

A3C fully utilizes the Actor-Critic framework and introduces the idea of asynchronous training, which improves performance and speeds up the whole training process. If an action is judged to be bad, the probability of that action is reduced. Through iterative training, A3C constantly adjusts the neural network to find the best action selection policy. TRPO was proposed by J. Schulman (Schulman et al.). TRPO solves the problem of step-size selection for gradient updates and gives a monotonic policy improvement method.

Based on the A3C algorithm, the performance and training process of this algorithm are further improved. For UNREAL, there are two types of auxiliary tasks: the first is the control task, including pixel control and hidden layer activation control.

The other is the feedback prediction task: since in many scenarios the feedback r is not always available, letting the neural network predict the feedback value gives it a better ability to represent the environment.

The UNREAL algorithm uses historical continuous multi-frame image input to predict the next-step feedback value as a training target, and uses historical information to additionally increase the value iteration task.

In this section, we discuss the related research on adversarial attacks in the field of reinforcement learning.

The reviewed literature mainly conducts adversarial research on specific application scenarios, generating adversarial examples by adding perturbations to the information carrier so as to realize adversarial attacks on reinforcement learning systems.

We organize the review mainly in chronological order. Meanwhile, so that readers can understand the core technical concepts of the surveyed works, we go into the technical details of important methods and representative technologies by referring to the original papers. In part 3. In terms of black-box attacks, the design of adversarial attacks against the target model is shown in part 3.

Meanwhile, we analyze the availability and contribution of adversarial attack research in the above two fields. Additionally, we summarize the attributes of the adversarial attack methods discussed in this section in part 3.

Meanwhile, in this work, the adversary attacks a deep RL agent at every time step by perturbing each image the agent observes. The main contributions of Huang et al. They made the very first attempt to prove that reinforcement learning systems are vulnerable to adversarial attack, and that the traditional generation algorithms designed for adversarial examples can still be used to attack in such a scenario.

The authors creatively verified how the effectiveness of adversarial examples is affected by the deep RL algorithm used to learn the policy. Note that the adversarial examples are computed by the fast gradient sign method (FGSM) (Goodfellow et al.). The first line: computing adversarial perturbations by the fast gradient sign method (FGSM) (Goodfellow et al.). Linearizing the cost function yields an optimal max-norm constrained perturbation, which can be concluded as.

In addition, the authors also proved that policies trained with reinforcement learning are vulnerable to adversarial attack. In the domain of Atari games, the authors showed that adding noise invisible to humans to the original clean game background can make the game unable to work properly, realizing a successful adversarial attack.
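The FGSM perturbation the paper refers to (the sign of the input gradient of the cost function, scaled so that its max-norm is exactly epsilon) is shown below as an added example from the evaluator's side; it is not code from the paper or from Huang et al. Instead of an Atari policy network, it assumes a constructed logistic-regression model with fixed weights, so the input gradient can be written by hand without any deep-learning library, and it uses the perturbation the way a defender would: to probe how small a max-norm budget is enough to change the model's decision on a given input. The names `fgsm_perturbation`, `robustness_probe`, `SAMPLE_X` and `EPSILONS` are hypothetical and chosen for this example.

```python
import math

# Constructed toy model (assumption for this example): logistic regression
# over four features with fixed weights. Stands in for the policy network.
WEIGHTS = [1.0, -2.0, 0.5, 1.5]
BIAS = -0.2

# Constructed clean input with its true label (assumption for this example).
SAMPLE_X = [0.5, 0.2, 1.0, 0.4]
SAMPLE_Y = 1
# Candidate max-norm budgets a defender might evaluate, smallest first.
EPSILONS = [0.05, 0.1, 0.15, 0.25, 0.3]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(x):
    """P(label = 1 | x) for the toy model."""
    z = BIAS + sum(w * xi for w, xi in zip(WEIGHTS, x))
    return sigmoid(z)


def grad_loss_wrt_input(x, y):
    """Gradient of the cross-entropy cost J(theta, x, y) with respect to the
    input x. For logistic regression this is (p - y) * w, coordinate-wise."""
    p = predict_proba(x)
    return [(p - y) * w for w in WEIGHTS]


def fgsm_perturbation(x, y, epsilon):
    """FGSM: eta = epsilon * sign(grad_x J). Every coordinate is +-epsilon
    (or 0 where the gradient is 0), so ||eta||_inf <= epsilon by construction;
    this is the 'max-norm constrained' perturbation the text refers to."""
    g = grad_loss_wrt_input(x, y)
    return [epsilon * (1.0 if gi > 0 else -1.0 if gi < 0 else 0.0) for gi in g]


def max_norm(v):
    return max(abs(vi) for vi in v)


def robustness_probe(x, y, epsilons):
    """Defender-side check: the smallest budget in `epsilons` at which the
    FGSM example changes the predicted label; None if none of them does."""
    clean_label = int(predict_proba(x) >= 0.5)
    for eps in epsilons:
        eta = fgsm_perturbation(x, y, eps)
        x_adv = [xi + ei for xi, ei in zip(x, eta)]
        if int(predict_proba(x_adv) >= 0.5) != clean_label:
            return eps
    return None


if __name__ == "__main__":
    print("clean P(y=1):", round(predict_proba(SAMPLE_X), 4))
    eta = fgsm_perturbation(SAMPLE_X, SAMPLE_Y, 0.1)
    print("perturbation at eps=0.1:", eta, "max-norm:", max_norm(eta))
    print("smallest budget that flips the label:",
          robustness_probe(SAMPLE_X, SAMPLE_Y, EPSILONS))
```

For this toy model the clean input scores about 0.73 for the correct class, yet a budget of 0.25 per coordinate is enough to flip the decision, because the perturbation pushes every feature in the direction that increases the loss the most. Running the same probe over a whole evaluation set, and recording the budget distribution, is the kind of measurement that makes the performance drop reported by Huang et al. visible before deployment rather than after.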


Machine Learning and Security

Artificial intelligence (AI) has made incredible progress, resulting in highly capable software and advanced autonomous machines. Meanwhile, the cyber domain has become a battleground for access, influence, security and control. This paper will address key AI technologies, including machine learning, in an attempt to help in understanding their role in cyber security and the implications of these new technologies.

Machine Learning Algorithms in Cyber Security


1 Comment

  1. Edward F. (16.12.2020 at 11:58)

     Advanced deep learning with keras rowel atienza pdf free download bible in english pdf
