Game of threads: Enabling asynchronous poisoning attacks
Sanchez Vicarte, Jose Rodrigo
Description
- Title
- Game of threads: Enabling asynchronous poisoning attacks
- Author(s)
- Sanchez Vicarte, Jose Rodrigo
- Issue Date
- 2019-12-12
- Advisor
- Fletcher, Christopher W
- Department of Study
- Electrical & Computer Engineering
- Discipline
- Electrical & Computer Engineering
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- adversarial machine learning; trusted execution environment; SGX; operating systems; multi-processing; asynchronous stochastic gradient descent; poisoning attacks; machine learning
- Abstract
- As data sizes continue to grow at an unprecedented rate, machine learning training is being forced to adopt asynchronous training algorithms to maintain performance and scalability. In asynchronous training, many threads share and update the model in a racy fashion to avoid inter-thread synchronization. This work studies the security implications of such codes by introducing asynchronous poisoning attacks. Our attack influences the training outcome (e.g., degrades accuracy or biases the model towards an adversary-specified label) purely by scheduling the asynchronous training threads in a malicious fashion. Since thread scheduling is outside the protections of modern trusted execution environments (TEEs), e.g., Intel SGX, our attack bypasses these protections even when the training set can be verified as correct. To the best of our knowledge, this is the first example of a class of applications losing integrity guarantees despite being protected by enclave-based TEEs such as Intel SGX. We demonstrate both accuracy-degradation and model-biasing attacks on the CIFAR-10 image recognition task using ResNet-style DNNs, attacking an asynchronous training implementation published by PyTorch (a sketch of this training pattern appears below the metadata). We perform a deeper analysis on a LeNet-style DNN, and we perform proof-of-concept experiments to validate our assumptions on an SGX-enabled machine. Our most powerful accuracy-degradation attack makes no assumptions about the underlying training algorithm aside from its support for racy updates, yet it can return a fully trained network to the accuracy of an untrained network, or to some accuracy in between, based on attacker-controlled parameters. Our model-biasing attack can bias the model towards an attacker-chosen label by up to ~2x the label's normal prediction rate.
- Graduation Semester
- 2019-12
- Type of Resource
- text
- Permalink
- http://hdl.handle.net/2142/106293
- Copyright and License Information
- Copyright 2019 Jose Rodrigo Sanchez Vicarte
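The attack described in the abstract targets Hogwild!-style asynchronous training, in which worker processes apply racy gradient updates to a single shared model. For orientation only, here is a minimal sketch of that pattern in PyTorch, assuming a toy linear model and random stand-in data rather than the thesis's ResNet/CIFAR-10 setup; it is not the attacked artifact itself. The unsynchronized `optimizer.step()` calls on shared parameters are exactly the scheduling window a malicious OS can exploit.

```python
import torch
import torch.multiprocessing as mp
import torch.nn as nn
import torch.nn.functional as F

def train_worker(model, steps=100):
    # Each worker builds its own optimizer but updates the *shared* parameters.
    optimizer = torch.optim.SGD(model.parameters(), lr=0.01)
    for _ in range(steps):
        x = torch.randn(32, 10)         # stand-in for a real data loader
        y = torch.randint(0, 2, (32,))  # stand-in labels
        optimizer.zero_grad()
        loss = F.cross_entropy(model(x), y)
        loss.backward()
        optimizer.step()                # racy, unsynchronized write to shared weights

if __name__ == "__main__":
    model = nn.Linear(10, 2)            # hypothetical toy model, not the thesis DNN
    model.share_memory()                # place parameters in shared memory
    workers = [mp.Process(target=train_worker, args=(model,)) for _ in range(4)]
    for p in workers:
        p.start()
    for p in workers:
        p.join()
```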
Owning Collections
- Graduate Dissertations and Theses at Illinois (PRIMARY)
- Dissertations and Theses - Electrical and Computer Engineering