CityU & PolyU Jointly Seminar on Attacks and Defenses on Machine Learning Services

The Centre for Chaos and Complex Networks at the City University of Hong Kong and the Department of Electronic and Information Engineering at the Hong Kong Polytechnic University continue their joint seminar series in this semester, to present tutorial overviews and original research work in the general areas of systems theory, control, complex networks and their engineering applications.  The Jointly Seminar named “Attacks and Defenses on Machine Learning Services” was held in PolyU on 1^st Nov 2019.  Mr. Huadi Zheng (PhD candidate, PolyU) was the speaker in this seminar.

Mr. Zheng briefed the outline of his talk included “Machine Learning (ML) Services”, “Common Attacks and Defenses”, “Model Extraction” and “Boundary Differentially Private Layer”.  Firstly, he briefed the existing popular public prediction API such as Amazon, Google, etc.  

The ML service process integrated human labor, computation resource and sensitive data.  Therefore, security and privacy were very important including training data manipulation, model memorized data, misclassification and well-trained model to be stolen, etc.  

Then Mr. Zheng introduced Model Poisoning that 5% poisoning could cause 20% error.  So that we needed to defense through Sanctification.  He raised an example of Model Evasion that adding a noise pattern into the image and changed the classification result.  One of solutions was Adversarial Training as defence to train the classifier with “bad” panda image.

After that he introduced the Taxonomy of ML services.  Boundary Sensitive Zone (BSZ) was used to protect the privacy based on the wide of boundary that had tradeoff with accuracy. 

There were two differential privacy approach and they were Centralized Different Privacy (CDP) and Local Differential Privacy (LDP). 

Perturbation Mechanism was introduced that the positive result had probability to be negative in next observation.  Finally, Mr. Zheng summarized popular attacks and defenses on machine learning were mentioned. A boundary differentially private layer was introduced against model extraction attacks.  Lastly, he would continue to research for handing vulnerability and counter measures.

Reference:

Centre for Chaos and Complex Networks, CityU - http://www.ee.cityu.edu.hk/~cccn/

Department of Electronic and Information Engineering, PolyU - http://www.eie.polyu.edu.hk/home/index.html

Joint seminar series - http://cktse.eie.polyu.edu.hk/seminar/