Metasploit for Machine Learning: Deep-Pwning
Reply #1 by Flavio58, June 18, 2018, 03:53:12 pm
Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the go-to penetration testing toolkit for statistical machine learning models.

 

Metasploit for Machine Learning: Background
Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor, etc.) into making objectively wrong decisions. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

This tool was released at DEF CON 24 in Las Vegas, August 2016, during a talk titled Machine Duping 101: Pwning Deep Learning Systems:

“Deep learning and neural networks have gained incredible popularity in recent years. The technology has grown to be the most talked-about and least well-understood branch of machine learning. Aside from its highly publicized victories in playing Go, numerous successful applications of deep learning in image and speech recognition have kickstarted movements to integrate it into critical fields like medical imaging and self-driving cars. In the security field, deep learning has shown good experimental results in malware/anomaly detection, APT protection, spam/phishing detection, and traffic identification. This DEF CON 101 session will guide the audience through the theory and motivations behind deep learning systems. We look at the simplest form of neural networks, then explore how variations such as convolutional neural networks and recurrent neural networks can be used to solve real problems with an unreasonable effectiveness. Then, we demonstrate that most deep learning systems are not designed with security and resiliency in mind, and can be duped by any patient attacker with a good understanding of the system. The efficacy of applications using machine learning should not only be measured with precision and recall, but also by their malleability in an adversarial setting. After diving into popular deep learning software, we show how it can be tampered with to do what you want it to do, while avoiding detection by system administrators.

Besides giving a technical demonstration of deep learning and its inherent shortcomings in an adversarial setting, we will focus on tampering with real systems to show weaknesses in critical systems built with it. In particular, this demo-driven session will be focused on manipulating an image recognition system built with deep learning at the core, and exploring the difficulties in attacking systems in the wild. We will introduce a tool that helps deep learning hackers generate adversarial content for arbitrary machine learning systems, which can help make models more robust. By discussing defensive measures that should be put in place to prevent the class of attacks demonstrated, we hope to address the hype behind deep learning from the context of security, and look towards a more resilient future of the technology where developers can use it safely in critical deployments.”

 

Structure
This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.

All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of ‘transferability’ in machine learning, which Papernot et al. expounded upon expertly in this paper. This means that adversarial samples crafted with a DNN model A may be able to fool another distinctly structured DNN model B, as well as some other SVM model C.

This figure taken from the aforementioned paper (Papernot et al.) shows the percentage of successful adversarial misclassification for a source model (used to generate the adversarial sample) on a target model (upon which the adversarial sample is tested).

 

Components
Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).

These are the code modules that make up the current iteration of Deep-pwning:

Drivers
The drivers are the main execution point of the code. This is where you can tie the different modules and components together, and where you can inject more customizations into the adversarial generation processes.

Models
This is where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py. It defines the network as the following:

  -> Input
  -> Convolutional Layer 1
  -> Max Pooling Layer 1
  -> Convolutional Layer 2
  -> Max Pooling Layer 2
  -> Dropout Layer
  -> Softmax Layer
  -> Output

LeCun et al. LeNet-5 Convolutional Neural Network
Adversarial (advgen)
This module contains the code that generates adversarial output for the models. The run() function defined in each of these advgen classes takes in an input_dict that contains several predefined tensor operations for the machine learning model defined in Tensorflow. If the model that you are generating the adversarial sample for is known, the variables in the input dict should be based off that model definition. Otherwise, if the model is unknown (black-box generation), a substitute model should be used/implemented, and that model definition should be used. Variables that need to be passed in are the input tensor placeholder variables and labels (often referred to as x -> input and y_ -> labels), the model output (often referred to as y_conv), and the actual test data and labels that the adversarial images will be based off of.
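The following script is an added example, not code from the deep-pwning repository. It shows, with numpy only, the evaluation the Background section argues for (robustness measured alongside accuracy) and the transferability effect described in the Structure section: a bounded gradient-sign perturbation (the method of Goodfellow et al., listed under Papers) is crafted against a small logistic-regression model A and then scored against an independently trained model B. The run() function loosely mirrors the advgen interface, taking a dict keyed by x and y_, but the dataset, the model, the extra model key, and the perturbation bound EPS are all constructed here for illustration.

```python
"""Robustness-alongside-accuracy check for a tiny classifier (numpy only).

Added example; not part of the deep-pwning code base. The data, the
logistic model, the dict layout and the epsilon bound are constructed here.
"""
import numpy as np

DIM, EPS = 20, 0.4   # feature count and per-feature perturbation bound (constructed)


def make_data(rng, n):
    """Two Gaussian classes whose means sit at +0.5 / -0.5 on every feature (constructed)."""
    y = rng.integers(0, 2, size=n)
    x = rng.normal(size=(n, DIM)) + np.where(y[:, None] == 1, 0.5, -0.5)
    return x, y


def train_logreg(x, y, steps=500, lr=0.1):
    """Plain gradient-descent logistic regression; returns (weights, bias)."""
    w, b = np.zeros(DIM), 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
        g = p - y                      # d(loss)/d(logit) per sample
        w -= lr * x.T @ g / len(y)
        b -= lr * g.mean()
    return w, b


def scores(model, x):
    """Logit of class 1 (the role the page's y_conv plays for a Tensorflow model)."""
    w, b = model
    return x @ w + b


def accuracy(model, x, y):
    return float(np.mean((scores(model, x) > 0) == (y == 1)))


def run(input_dict, eps=EPS):
    """Gradient-sign perturbation bounded by eps in L-infinity.

    For a logistic model d(loss)/dx = (p - y) * w, whose sign is
    -(2y - 1) * sign(w); every feature is therefore moved by exactly eps in
    the direction that raises the loss for its true label.
    """
    x, y, w = input_dict["x"], input_dict["y_"], input_dict["model"][0]
    direction = -(2 * y[:, None] - 1) * np.sign(w)[None, :]
    return x + eps * direction


def robustness_report(seed=0):
    """Clean vs. perturbed accuracy for model A, plus transfer of A's samples to model B."""
    rng = np.random.default_rng(seed)
    xa, ya = make_data(rng, 400)
    xb, yb = make_data(rng, 400)     # disjoint training set for the second model
    xt, yt = make_data(rng, 1000)    # shared held-out test set
    model_a = train_logreg(xa, ya)
    model_b = train_logreg(xb, yb)
    x_adv = run({"x": xt, "y_": yt, "model": model_a})
    return {
        "clean_a": accuracy(model_a, xt, yt),
        "adv_a": accuracy(model_a, x_adv, yt),
        "clean_b": accuracy(model_b, xt, yt),
        "transfer_b": accuracy(model_b, x_adv, yt),
        "max_perturbation": float(np.abs(x_adv - xt).max()),
    }


if __name__ == "__main__":
    for name, value in robustness_report().items():
        print(f"{name:>16}: {value:.3f}")
```

The gap between clean_a and adv_a is the "malleability" figure the Background section asks for; transfer_b shows why a substitute model is a workable stand-in when the target model is unknown. A single line of attack is deliberately used here so that the metric, not the attack, is the focus: in practice the number worth tracking is accuracy under the largest perturbation a deployment can tolerate, reported next to precision and recall.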

Config
Application configurations.

Utils
Miscellaneous utilities that don’t belong anywhere else. These include helper functions to read data, deal with Tensorflow queue inputs etc.

 

These are the resource directories relevant to the application:

Checkpoints
Tensorflow allows you to load a partially trained model to resume training, or load a fully trained model into the application for evaluation or performing other operations. All these saved ‘checkpoints’ are stored in this resource directory.

Data
This directory stores all the input data in whatever format that the driver application takes in.

Output
This is the output directory for all application output, including adversarial images that are generated.

 

Getting Started
Installation
$ pip install -r requirements.txt
 

Execution Example (with the MNIST driver)
To restore from a previously trained checkpoint (configuration in config/mnist.conf):

$ cd dpwn
$ python mnist_driver.py --restore_checkpoint
To train from scratch (note that any previous checkpoint(s) located in the folder specified in the configuration will be overwritten):

$ cd dpwn
$ python mnist_driver.py


Requirements
Tensorflow 0.8.0
Matplotlib >= 1.5.1
Numpy >= 1.11.1
Pandas >= 0.18.1
Six >= 1.10.0
Note that dpwn requires Tensorflow 0.8.0. Tensorflow 0.9.0 introduces some

 

Papers
Szegedy et al. Intriguing properties of neural networks
Papernot et al. The Limitations of Deep Learning in Adversarial Settings
Papernot et al. Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples
Goodfellow et al. Explaining and Harnessing Adversarial Examples
Papernot et al. Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
Grosse et al. Adversarial Perturbations Against Deep Neural Networks for Malware Classification
Nguyen et al. Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images
Xu et al. Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers
Kantchelian et al. Evasion and Hardening of Tree Ensemble Classifiers
Biggio et al. Support Vector Machines Under Adversarial Label Noise
Biggio et al. Poisoning Attacks against Support Vector Machines
Papernot et al. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks
Ororbia II et al. Unifying Adversarial Training Algorithms with Flexible Deep Data Gradient Regularization
Jin et al. Robust Convolutional Neural Networks under Adversarial Noise
Pang et al. Seeing stars: Exploiting class relationships for sentiment categorization with respect to rating scales
Goodfellow et al. Deep Learning Adversarial Examples – Clarifying Misconceptions

https://github.com/cchio/deep-pwning

