Certifiers Make Neural Networks Vulnerable to Availability Attacks

Lorenz, Tobias and Kwiatkowska, Marta and Fritz, Mario
(2023) Certifiers Make Neural Networks Vulnerable to Availability Attacks.
In: 16th ACM Workshop on Artificial Intelligence and Security, 30.11.2023, Copenhagen, Denmark.
Conference: AISec ACM Workshop on Artificial Intelligence and Security
(In Press)

[img] Text
Certifiers Make Neural Networks Vulnerable to Availability Attacks Author Version.pdf
Download (621kB)
Official URL: https://doi.org/10.1145/3605764.3623917

Abstract

To achieve reliable, robust, and safe AI systems, it is vital to implement fallback strategies when AI predictions cannot be trusted. Certifiers for neural networks are a reliable way to check the robustness of these predictions. They guarantee for some predictions that a certain class of manipulations or attacks could not have changed the outcome. For the remaining predictions without guarantees, the method abstains from making a prediction, and a fallback strategy needs to be invoked, which typically incurs additional costs, can require a human operator, or even fail to provide any prediction. While this is a key concept towards safe and secure AI, we show for the first time that this approach comes with its own security risks, as such fallback strategies can be deliberately triggered by an adversary. In addition to naturally occurring abstains for some inputs and perturbations, the adversary can use training-time attacks to deliberately trigger the fallback with high probability. This transfers the main system load onto the fallback, reducing the overall system's integrity and/or availability. We design two novel availability attacks, which show the practical relevance of these threats. For example, adding 1% poisoned data during training is sufficient to trigger the fallback and hence make the model unavailable for up to 100% of all inputs by inserting the trigger. Our extensive experiments across multiple datasets, model architectures, and certifiers demonstrate the broad applicability of these attacks. An initial investigation into potential defenses shows that current approaches are insufficient to mitigate the issue, highlighting the need for new, specific solutions.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Mario Fritz (MF)
Conference: AISec ACM Workshop on Artificial Intelligence and Security
Depositing User: Tobias Lorenz
Date Deposited: 17 Oct 2023 13:24
Last Modified: 17 Oct 2023 13:24
Primary Research Area: NRA2: Reliable Security Guarantees
URI: https://publications.cispa.saarland/id/eprint/4042

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.