{"id":267963,"date":"2021-06-06T13:00:57","date_gmt":"2021-06-06T10:00:57","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/the-rush-to-commercialize-ai-is-creating-major-security-risks\/"},"modified":"2021-06-06T13:00:57","modified_gmt":"2021-06-06T10:00:57","slug":"the-rush-to-commercialize-ai-is-creating-major-security-risks","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/the-rush-to-commercialize-ai-is-creating-major-security-risks\/","title":{"rendered":"#The rush to commercialize AI is creating major security risks"},"content":{"rendered":"<p>&#8220;<strong>#The rush to commercialize AI is creating major security risks<\/strong>&#8221;<\/p>\n<div>\n<p>At this year\u2019s International Conference on Learning Representations (ICLR), a team of researchers from the University of Maryland presented an attack technique meant to slow down deep learning models that have been optimized for fast and sensitive operations. The attack, aptly named DeepSloth, targets \u201cadaptive deep neural networks,\u201d a range of deep learning architectures that cut down computations to speed up processing.<\/p>\n<p>Recent years have seen growing interest in the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bdtechtalks.com\/2018\/12\/27\/deep-learning-adversarial-attacks-ai-malware\/\">security of machine learning and deep learning<\/a>, and there are numerous papers and techniques on hacking and defending neural networks. 
But one thing made DeepSloth particularly interesting: The researchers at the University of Maryland were presenting a vulnerability in a technique they themselves had developed two years earlier.<\/p>\n<p>In some ways, the story of DeepSloth illustrates the challenges that the machine learning community faces. On the one hand, many researchers and developers are racing to make deep learning available to different applications. On the other hand, their innovations create new challenges of their own. And they need to actively seek out and address those challenges before they cause irreparable damage.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Shallow_deep_networks\"><\/span>Shallow-deep networks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One of the biggest hurdles of deep learning is the computational cost of training and running deep neural networks. Many deep learning models require huge amounts of memory and processing power, and therefore they can only run on servers that have abundant resources. This makes them unusable for applications that require all computations and data to remain on edge devices, or that need real-time inference and can\u2019t afford the delay caused by sending their data to a cloud server.<\/p>\n<p>In the past few years, machine learning researchers have developed several techniques to make neural networks less costly. One range of optimization techniques, called \u201cmulti-exit architecture,\u201d stops computing as soon as an internal classifier is confident enough in its prediction. Experiments show that for many inputs, you don\u2019t need to go through every layer of the neural network to reach a conclusive decision. 
Multi-exit neural networks save computation resources and bypass the calculations of the remaining layers when they become confident about their results.<\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1355794\" alt=\"\" width=\"611\" height=\"420\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/BDI1.jpeg\" \/><figcaption>Experiments show that for many inputs, neural networks can reach conclusive results without processing all layers.<\/figcaption><\/figure>\n<p>In 2019, Yigitcan Kaya, a Ph.D. student in Computer Science at the University of Maryland, developed a multi-exit technique called <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arxiv.org\/abs\/1810.07052\">\u201cshallow-deep network,\u201d<\/a> which could reduce the average inference cost of deep neural networks by up to 50 percent. Shallow-deep networks address the problem of \u201coverthinking,\u201d where a network keeps computing on an input that its earlier layers could already have classified correctly, which wastes energy and can even degrade the final prediction. The shallow-deep network paper was accepted at the 2019 International Conference on Machine Learning (ICML).<\/p>\n<p>\u201cEarly-exit models are a relatively new concept, but there is a growing interest,\u201d Tudor Dumitras, Kaya\u2019s research advisor and associate professor at the University of Maryland, told TechTalks. 
\u201cThis is because deep learning models are getting more and more expensive computationally, and researchers look for ways to make them more efficient.\u201d<\/p>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1355795\" alt=\"\" width=\"696\" height=\"374\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/BDI2.jpeg\" \/><figcaption>Shallow-deep networks bypass the remaining computations of a neural network and exit early once an internal classifier reaches an acceptability threshold.<\/figcaption><\/figure>\n<p>Dumitras has a background in cybersecurity and is also a member of the Maryland Cybersecurity Center. In the past few years, he has been engaged in research on security threats to machine learning systems. But while a lot of the work in the field focuses on adversarial examples, Dumitras and his colleagues were interested in finding all possible attack vectors that an adversary might use against machine learning systems. 
Their work has spanned various fields including <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arxiv.org\/abs\/1906.01017\">hardware faults<\/a>, cache side-channel attacks, software bugs, and other types of attacks on neural networks.<\/p>\n<p>While working on the shallow-deep network with Kaya, Dumitras and his colleagues started thinking about the harmful ways the technique might be exploited.<\/p>\n<p>\u201cWe then wondered if an adversary could force the system to overthink; in other words, we wanted to see if the latency and energy savings provided by early exit models like SDN are robust against attacks,\u201d he said.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Slowdown_attacks_on_neural_networks\"><\/span>Slowdown attacks on neural networks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1355796\" alt=\"\" width=\"696\" height=\"590\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/BDI3.jpeg\" \/><figcaption>Tudor Dumitras, Assistant Professor at the University of Maryland, College Park<\/figcaption><\/figure>\n<p>Dumitras started exploring slowdown attacks on shallow-deep networks with Ionut Modoranu, then a cybersecurity research intern at the University of Maryland. When the initial work showed promising results, Kaya and Sanghyun Hong, another Ph.D. student at the University of Maryland, joined the effort. Their research eventually culminated in the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arxiv.org\/abs\/2010.02432\">DeepSloth attack<\/a>.<\/p>\n<p>Like adversarial attacks, DeepSloth relies on carefully crafted input that manipulates the behavior of machine learning systems. However, while classic adversarial examples force the target model to make wrong predictions, DeepSloth disrupts computations. 
The DeepSloth attack slows down shallow-deep networks by preventing them from making early exits and forcing them to carry out the full computations of all layers.<\/p>\n<p>\u201cSlowdown attacks have the potential of negating the benefits of multi-exit architectures,\u201d Dumitras said. \u201cThese architectures can halve the energy consumption of a deep neural network model at inference time, and we showed that for any input we can craft a perturbation that wipes out those savings completely.\u201d<\/p>\n<p>The researchers\u2019 findings show that the DeepSloth attack can reduce the efficacy of multi-exit neural networks by 90-100 percent. In the simplest scenario, this wastes the memory and compute resources the early exits were meant to save and degrades the system\u2019s ability to serve users, in effect a resource-exhaustion denial of service against the inference service.<\/p>\n<p>But in some cases, it can cause more serious harm. For example, one use of multi-exit architectures involves splitting a deep learning model between two endpoints. The first few layers of the neural network can be installed on an edge location, such as a wearable or IoT device. The deeper layers of the network are deployed on a cloud server. The edge side of the deep learning model takes care of the simple inputs that can be confidently computed in the first few layers. In cases where the edge side of the model does not reach a conclusive result, it defers further computations to the cloud.<\/p>\n<p>In such a setting, the DeepSloth attack would force the deep learning model to send all inferences to the cloud. Aside from the extra energy and server resources wasted, the attack could have a much more destructive impact.<\/p>\n<p>\u201cIn a scenario typical for IoT deployments, where the model is partitioned between edge devices and the cloud, DeepSloth amplifies the latency by 1.5\u20135X, negating the benefits of model partitioning,\u201d Dumitras said. \u201cThis could cause the edge device to miss critical deadlines, for instance in an elderly monitoring program that uses AI to quickly detect accidents and call for help if necessary.\u201d<\/p>\n<p>While the researchers made most of their tests on shallow-deep networks, they later found that the same technique would be effective on other types of early-exit models.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Attacks_in_real-world_settings\"><\/span>Attacks in real-world settings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1355797\" alt=\"\" width=\"696\" height=\"696\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/BDI4.jpeg\" \/><figcaption>Yigitcan Kaya, Ph.D. student in Computer Science at University of Maryland, College Park<\/figcaption><\/figure>\n<p>As with most works on machine learning security, the researchers first assumed that an attacker has full knowledge of the target model and has unlimited computing resources to craft DeepSloth attacks. 
But the criticality of an attack also depends on whether it can be staged in practical settings, where the adversary has partial knowledge of the target and limited resources.<\/p>\n<p>\u201cIn most adversarial attacks, the attacker needs to have full access to the model itself, basically, they have an exact copy of the victim model,\u201d Kaya told TechTalks. \u201cThis, of course, is not practical in many settings where the victim model is protected from outside, for example with an API like Google Vision AI.\u201d<\/p>\n<p>To develop a realistic evaluation of the attacker, the researchers simulated an adversary who doesn\u2019t have full knowledge of the target deep learning model. Instead, the attacker has a surrogate model on which he tests and tunes the attack. The attacker then transfers the attack to the actual target. The researchers trained surrogate models that have different neural network architectures, different training sets, and even different early-exit mechanisms.<\/p>\n<p>\u201cWe find that the attacker that uses a surrogate can still cause slowdowns (between 20-50%) in the victim model,\u201d Kaya said.<\/p>\n<p>Such transfer attacks are much more realistic than full-knowledge attacks, Kaya said. And as long as the adversary has a reasonable surrogate model, he will be able to attack a black-box model, such as a machine learning system served through a web API.<\/p>\n<p>\u201cAttacking a surrogate is effective because neural networks that perform similar tasks (e.g., object classification) tend to learn similar features (e.g., shapes, edges, colors),\u201d Kaya said.<\/p>\n<p>Dumitras says DeepSloth is just the first attack that works in this threat model, and he believes more devastating slowdown attacks will be discovered. He also pointed out that, aside from multi-exit architectures, other speed optimization mechanisms are vulnerable to slowdown attacks. 
His research team tested DeepSloth on SkipNet, a special optimization technique for <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bdtechtalks.com\/2020\/01\/06\/convolutional-neural-networks-cnn-convnets\/\">convolutional neural networks<\/a> (CNN). Their findings showed that DeepSloth examples crafted for multi-exit architectures also caused slowdowns in SkipNet models.<\/p>\n<p>\u201cThis suggests that the two different mechanisms might share a deeper vulnerability, yet to be characterized rigorously,\u201d Dumitras said. \u201cI believe that slowdown attacks may become an important threat in the future.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Security_culture_in_machine_learning_research\"><\/span>Security culture in machine learning research<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<figure class=\"post-image post-mediaBleed aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1355798\" alt=\"\" width=\"696\" height=\"392\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/BDI5.jpeg\" \/><\/figure>\n<p>The researchers also believe that security must be baked into the machine learning research process.<\/p>\n<p>\u201cI don\u2019t think any researcher today who is doing work on machine learning is ignorant of the basic security problems. Nowadays even introductory deep learning courses include recent threat models like adversarial examples,\u201d Kaya said.<\/p>\n<p>The problem, Kaya believes, has to do with misaligned incentives. \u201cProgress is measured on standardized benchmarks and whoever develops a new technique uses these benchmarks and standard metrics to evaluate their method,\u201d he said, adding that reviewers who decide on the fate of a paper also look at whether the method is evaluated according to their claims on suitable benchmarks.<\/p>\n<p>\u201cOf course, when a measure becomes a target, it ceases to be a good measure,\u201d he said.<\/p>\n<p>Kaya believes there should be a shift in the incentives of publications and academia. \u201cRight now, academics have a luxury or burden to make perhaps unrealistic claims about the nature of their work,\u201d he says. If machine learning researchers acknowledge that their solution will never see the light of day, their paper might be rejected. But their research might serve other purposes.<\/p>\n<p>For example, adversarial training causes large utility drops, has poor scalability, and is difficult to get right, limitations that are unacceptable for many machine learning applications. 
But Kaya points out that adversarial training can have benefits that have been overlooked, such as steering models toward <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arxiv.org\/pdf\/1906.00945.pdf\">becoming more interpretable<\/a>.<\/p>\n<p>One implication of too much focus on benchmarks is that most machine learning researchers don\u2019t examine what their work implies when it is applied in realistic, real-world settings.<\/p>\n<p>\u201cOur biggest problem is that we treat machine learning security as an academic problem right now. So the problems we study and the solutions we design are also academic,\u201d Kaya says. \u201cWe don\u2019t know if any real-world attacker is interested in using adversarial examples or any real-world practitioner in defending against them.\u201d<\/p>\n<p>Kaya believes the machine learning community should promote and encourage research in understanding the actual adversaries of machine learning systems rather than \u201cdreaming up our own adversaries.\u201d<\/p>\n<p>And finally, he says that authors of machine learning papers should be encouraged to do their homework and find ways to break their own solutions, as he and his colleagues did with the shallow-deep networks. And researchers should be explicit and clear about the limits and potential threats of their machine learning models and techniques.<\/p>\n<p>\u201cIf we look at the papers proposing early-exit architectures, we see there\u2019s no effort to understand security risks although they claim that these solutions are of practical value,\u201d he says. \u201cIf an industry practitioner finds these papers and implements these solutions, they are not warned about what can go wrong. Although groups like ours try to expose potential problems, we are less visible to a practitioner who wants to use an early-exit model. 
Even including a paragraph about the potential risks involved in a solution goes a long way.\u201d<\/p>\n<p><i>This article was originally published by Ben Dickson on\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bdtechtalks.com\/\">TechTalks<\/a>, a publication that examines trends in technology, how they affect the way we live and do business, and the problems they solve. But we also discuss the evil side of technology, the darker implications of new tech, and what we need to look out for. You can read the original article\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bdtechtalks.com\/2021\/06\/03\/machine-learning-security-neural-networks\/\">here<\/a>.<\/i><\/p>\n<\/div>\n<p><a href=\"https:\/\/thenextweb.com\/news\/rush-commercialize-ai-creating-security-risks-syndication\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#The rush to commercialize AI is creating major security risks&#8221; At this year\u2019s International Conference on Learning Representations (ICLR), a team of researchers from the University of Maryland presented an attack technique meant to slow down deep learning models that have been optimized for fast and sensitive operations. 
The attack, aptly named DeepSloth, targets \u201cadaptive&#8230;<\/p>\n","protected":false},"author":1,"featured_media":267964,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/neural?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/06\/AI-Security-hed-shutterstock_1740944516.jpg&signature=47e30a1c370659443e3ae86f0a64fd63","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-267963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/267963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=267963"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/267963\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/267964"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=267963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=267963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=267963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
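The following is an added example illustrating the mechanism described in the "Slowdown attacks on neural networks" section of the article above: a toy multi-exit network whose internal classifier exits as soon as its softmax confidence clears a threshold, and a DeepSloth-style perturbation that drives every early exit toward a uniform softmax so the input is forced through all layers. It is not code from the DeepSloth paper or from the article. The weights, the input, the exit threshold (0.9), the L-inf budget, the step size and the attack objective (cross-entropy to the uniform distribution minimised by projected sign-gradient descent) are all constructed assumptions; the article does not describe the paper's loss or optimiser.

```python
import math

# Added illustration (not the DeepSloth paper's code). All weights, the exit threshold,
# the perturbation budget and the optimiser are constructed assumptions.

THRESHOLD = 0.9  # an exit fires when its max softmax probability reaches this value


def matvec(M, v):
    """M @ v for a list-of-rows matrix and a list vector."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def mat_t_vec(M, v):
    """M^T @ v; used to back-propagate a gradient through a linear layer."""
    return [sum(M[i][j] * v[i] for i in range(len(M))) for j in range(len(M[0]))]


def softmax(z):
    m = max(z)
    e = [math.exp(t - m) for t in z]
    s = sum(e)
    return [t / s for t in e]


class MultiExitNet:
    """Blocks h_k = relu(A_k h_{k-1} + b_k); exit head k computes softmax(B_k h_k).
    The last head is the final classifier, the others are early exits."""

    def __init__(self, blocks, heads):
        self.blocks = blocks  # list of (A, b)
        self.heads = heads    # list of B, one per block

    def forward_all(self, x):
        """Run every block (no early stopping); return activations and per-exit probabilities."""
        acts, probs = [], []
        h = x
        for (A, b), B in zip(self.blocks, self.heads):
            h = [max(0.0, s + t) for s, t in zip(matvec(A, h), b)]
            acts.append(h)
            probs.append(softmax(matvec(B, h)))
        return acts, probs

    def infer(self, x, threshold=THRESHOLD):
        """Early-exit inference. Returns (class, confidence, blocks executed)."""
        h = x
        depth = len(self.blocks)
        for k, ((A, b), B) in enumerate(zip(self.blocks, self.heads), start=1):
            h = [max(0.0, s + t) for s, t in zip(matvec(A, h), b)]
            p = softmax(matvec(B, h))
            conf = max(p)
            if conf >= threshold or k == depth:
                return p.index(conf), conf, k


def slowdown_attack(net, x, eps, step, max_iter=50):
    """Craft x_adv within an L-inf ball of radius eps around x such that no early exit
    clears THRESHOLD. Objective: sum over early exits of cross-entropy to the uniform
    distribution (pushes each exit's softmax toward maximum uncertainty), minimised by
    projected sign-gradient descent. DeepSloth-style objective; the paper's exact loss
    and optimiser are assumptions here, not taken from the article."""
    K = len(net.heads[0])
    uniform = [1.0 / K] * K
    x_adv = list(x)
    for _ in range(max_iter):
        acts, probs = net.forward_all(x_adv)
        early = probs[:-1]
        if all(max(p) < THRESHOLD for p in early):
            break  # every early exit is suppressed; stop at the smallest perturbation found
        grad = [0.0] * len(x)
        for k, p in enumerate(early):
            g = [pk - uk for pk, uk in zip(p, uniform)]  # d CE(p, uniform) / d logits
            g = mat_t_vec(net.heads[k], g)               # through exit head B_k
            for j in range(k, -1, -1):                   # back through blocks k..0
                g = [gi if a > 0.0 else 0.0 for gi, a in zip(g, acts[j])]  # ReLU mask
                g = mat_t_vec(net.blocks[j][0], g)
            grad = [a + b for a, b in zip(grad, g)]
        x_adv = [xi - step * ((gi > 0.0) - (gi < 0.0)) for xi, gi in zip(x_adv, grad)]
        x_adv = [min(max(xa, xo - eps), xo + eps) for xa, xo in zip(x_adv, x)]  # project
    return x_adv


# Constructed toy weights: two blocks on a 4-d input, three classes (assumption).
I4 = [[1.0 if i == j else 0.0 for j in range(4)] for i in range(4)]
NET = MultiExitNet(
    blocks=[(I4, [0.0] * 4), (I4, [0.0] * 4)],
    heads=[[[2, 0, 0, 0], [0, 2, 0, 0], [0, 0, 2, 0]],   # early exit after block 1
           [[1, 0, 0, 1], [0, 1, 0, 0], [0, 0, 1, 0]]],  # final classifier
)
X_CLEAN = [3.0, 0.5, 0.5, 0.5]  # constructed input the early exit is confident about


def demo(eps=1.5, step=0.5):
    """Compare cost (blocks executed) for the clean input and its slowdown-attacked version."""
    clean = NET.infer(X_CLEAN)
    x_adv = slowdown_attack(NET, X_CLEAN, eps, step)
    adv = NET.infer(x_adv)
    linf = max(abs(a - c) for a, c in zip(x_adv, X_CLEAN))
    return {"clean": clean, "adv": adv, "linf": linf, "slowdown": adv[2] / clean[2]}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the clean input exiting after one block, while the perturbed input, still assigned the same class, runs both blocks (a 2x cost): the prediction is untouched and only the computation is disrupted, which is the distinction the article draws between DeepSloth and classic adversarial examples. With eps=0.25 the budget is too small and the early exit still fires; measuring that budget-versus-slowdown curve is the check a practitioner should run before claiming an efficiency gain for an early-exit model, especially for edge/cloud partitions where a forced full pass also means a network round trip.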