Elements of Security

• Security requirements (also called "policies")
  • What does it mean for my system to be secure?
• Threat model
  • What are the attacker's goals, capabilities, and incentives?
• Attack surface
  • Which parts of the system are exposed to the attacker?
• Defense mechanisms (mitigiations)
  • How do we prevent the attacker from compromising a security requirement?

Security Requirements

• What do we mean by "secure"?
• Common security requirements: "CIA triad" of information security
• Confidentiality: Sensitive data must be accessed by authorized users only
• Integrity: Sensitive data must be modifiable by authorized users only
• Availability: Critical services must be available when needed by clients

Example: College Admission System

Confidentiality, integrity, or availability?

• Applications to the program can only be viewed by staff and faculty in the department.
• The application site should be able to handle requests on the day of the application deadline.
• Application decisions are recorded only by the faculty and staff.
• The acceptance notices can only be sent out by the program director.

Other Security Requirements

• Authentication: Users are who they say they are
• Non-repudiation: Certain changes/actions in the system can be traced to who was responsible for it
• Authorization: Only users with the right permissions can access a resource/perform an action

Why Threat Model?

What is Threat Modeling?

• Threat model: A profile of an attacker
  • Goal: What is the attacker trying to achieve?
  • Capability:
    • Knowledge: What does the attacker know?
    • Actions: What can the attacker do?
    • Resources: How much effort can it spend?
  • Incentive: Why does the attacker want to do this?

Attacker Goal

• What is the attacker trying to achieve?
  • Typically, undermine one or more security requirements
• Example: College admission
  • Access other applicants info without being authorized
  • Modify application status to “accepted”
  • Cause website shutdown to sabotage other applicants

Attacker Capability

• What actions are available to the attacker (to achieve its goal)?
  • Depends on system boundary & interfaces exposed to external actors
  • Use an architecture diagram to identify attack surface & actions

STRIDE Threat Modeling

• A systematic approach to identifying threats (i.e., attacker actions)
  • Construct an architectural diagram with components & connections
  • Designate the trust boundary
  • For each untrusted component/connection, identify potential threats
  • For each potential threat, devise a mitigation strategy

More info: STRIDE approach

STRIDE: College Admission

• Spoofing: ?
• Tampering: ?
• Information disclosure: ?
• Denial of service: ?

STRIDE: College Admission

• Spoofing: Attacker pretends to be another applicant by logging in
• Tampering: Attacker modifies applicant info using browser exploits
• Information disclosure: Attacker intercepts HTTP requests from/to server to read applicant info
• Denial of service: Attacker creates a large number of bogus accounts and overwhelms system with requests

STRIDE: Mitigations

• Spoofing: Attacker pretends to be another applicant by logging in -> Require stronger passwords
• Tampering: Attacker modifies applicant info using browser exploits -> Add server-side security tokens
• Information disclosure: Attacker intercepts HTTP requests from/to server to read applicant info -> Use encryption (HTTPS)
• Denial of service: Attacker creates many bogus accounts and overwhelms system with requests -> Limit requests per IP address

STRIDE & Other Threat Modeling Methods

• A systematic approach to identifying threats & attacker actions
• Limitations:
  • May end up with a long list of threats, not all of them critical
  • False sense of security: STRIDE does not imply completeness!
• Consider cost vs. benefit trade-offs: Implementing mitigations add to development cost and complexity
  • Focus on most critical/likely threats

ML Attacker Goal

• Confidentiality attacks: Exposure of sensitive data
  • Infer a sensitive label for a data point (e.g., hospital record)
• Integrity attacks: Unauthorized modification of data
  • Induce a model to misclassify data points from one class to another
  • e.g., Spam filter: Classify a spam as a non-spam
• Availability attacks: Disruption to critical services
  • Reduce the accuracy of a model
  • Induce a model to misclassify many data points

ML Attacker Capability

• Knowledge: Does the attacker have access to the model?
  • Training data? Learning algorithm used? Parameters?
• Attacker actions:
  • Training time: Poisoning attacks
  • Inference time: Evasion attacks, model inversion attacks

Poisoning Attacks: Availability

• Availability: Inject mislabeled training data to damage model quality
  • 3% poisoning => 11% decrease in accuracy (Steinhardt, 2017)
• Attacker must have some access to the training set
  • e.g., models trained on public data set (e.g., ImageNet)
• Example: Anti-virus (AV) scanner
  • Online platform for submission of potentially malicious code
  • Some AV company (allegedly) poisoned competitor's model

Poisoning Attacks: Integrity

• Insert training data with seemingly correct labels
• More targeted than availability attacks
  • Cause misclassification from one specific class to another

Defense against Poisoning Attacks

• Q. How would you mitigate poisoning attacks?

Defense against Poisoning Attacks

• Anomaly detection & data sanitization
  • Identify and remove outliers in training set (see data quality lecture)
  • Identify and understand drift from telemetry
• Quality control over your training data
  • Who can modify or add to my training set? Do I trust the data source?
  • Use security mechanisms (e.g., authentication) and logging to track data provenance

Evasion Attacks (Adversarial Examples)

• Add noise to an existing sample & cause misclassification
• Attack at inference time
  • Typically assumes knowledge of the model (algorithm, parameters)
  • Recently, shown to be possible even when the attacker only has access to model output ("blackbox" attack)

Evasion Attacks: Another Example

Task Decision Boundary vs Model Boundary

• Decision boundary: Ground truth; often unknown and not specifiable
• Model boundary: What is learned; an approximation of decision boundary

Defense against Evasion Attacks

• Q. How would you mitigate evasion attacks?

Defense against Evasion Attacks

• Adversarial training
  • Generate/find a set of adversarial examples
  • Re-train your model with correct labels
• Input sanitization
  • "Clean" & remove noise from input samples
  • e.g., Color depth reduction, spatial smoothing, JPEG compression
• Redundancy: Design multiple mechanisms to detect an attack
  • Stop sign: Insert a barcode as a checksum; harder to bypass

Generating Adversarial Examples

• Q. How do we generate adversarial examples?

Generating Adversarial Examples

• See counterfactual explanations
• Find similar inputs with different predictions
  • Can be targeted (specific prediction) or untargeted (any wrong prediction)
• Many similarity measures (e.g., change one feature vs small changes to many features)
  • $x^* = x + arg min \{ |\epsilon| : f(x+\epsilon) \neq f(x) \}$
• Attacks more effective with access to model internals, but black-box attacks also feasible
  • With model internals: Follow the model's gradient
  • Without model internals: Learn surrogate model
  • With access to confidence scores: Heuristic search (e.g., hill climbing)

Model Inversion: Confidentiality

• Given a model output (e.g., name of a person), infer the corresponding, potentially sensitive input (facial image of the person)
• One method: Gradient descent on input space
  • Assumes that the model produces a confidence score for prediction
  • Start with a random input vector & iterate towards input values with higher confidence level

Defense against Model Inversion Attacks

• Limit attacker access to confidence scores
  • e.g., reduce the precision of the scores by rounding them off
  • But also reduces the utility of legitimate use of these scores!
• Differential privacy in ML
  • Limit what attacker can learn about the model (e.g., parameters) based on an individual training sample
  • Achieved by adding noise to input or output (e.g., DP-SGD)
  • More noise => higher privacy, but also lower model accuracy!

Breakout: Dashcam System

• Recall: Dashcam system from I2
• Post on #lecture in Slack:
  • What are the security requirements?
  • What are possible (ML) attacks on the system?
  • What are some possible mitigations against these attacks?

State of ML Security

• On-going arms race (mostly among researchers)
  • Defenses proposed & quickly broken by noble attacks
• Assume ML component is likely vulnerable
  • Design your system to minimize impact of an attack
• Remember: There may be easier ways to compromise system
  • e.g., poor security misconfiguration (default password), lack of encryption, code vulnerabilities, etc.,

Security Mindset

• Assume that all components may be compromised at one point or another
• Don't assume users will behave as expected; assume all inputs to the system as potentially malicious
• Aim for risk minimization, not perfect security; reduce the chance of catastrophic failures from attacks

Secure Design Principles

• Goal: Minimize the impact of a compromised component on the rest of the system
  • In poor system designs, vulnerability in one component => entire system compromised!
• Principle of least privilege
  • A component should be given the minimal privileges needed to fulfill its functionality
• Isolation/compartmentalization
  • Components should be able to interact with each other no more than necessary
  • Components should treat inputs from each other as potentially malicious

Monolithic Design

Monolithic Design

Flaw in any part of the system => Security impact on the entire system!

Compartmentalized Design

Compartmentalized Design

Flaw in one component => Limited impact on the rest of the system!

Example: Vehicle Security

• Research project from UCSD: Remotely taking over vehicle control
  • Create MP3 with malicious code & burn onto CD
  • Play CD => send malicious commands to brakes, engine, locks...
• Problem: Over-privilege & lack of isolation!
  • In traditional vehicles, components share a common CAN bus
  • Anyone can broadcast & read messages

Secure Design Principles for ML

• Principle of least privilege
  • Who has access to training data, model internal, system input & output, etc.,?
  • Does any user/stakeholder have more access than necessary?
    • If so, limit access by using authentication mechanisms

Secure Design Principles for ML

• Principle of least privilege
  • Who has access to training data, model internal, system input & output, etc.,?
  • Does any user/stakeholder have more access than necessary?
    • If so, limit access by using authentication mechanisms
• Isolation & compartmentalization
  • Can a security attack on one ML component (e.g., misclassification) adversely affect other parts of the system?
    • If so, compartmentalize or build in mechanisms to limit impact (see risk mitigation strategies)
• Monitoring & detection:
  • Look for odd shifts in the dataset and clean the data if needed (for poisoning attacks)
  • Assume all system input as potentially malicious & sanitize (evasion attacks)

Many Defense Systems use Machine Learning

• Classifiers to learn malicious content
  • Spam filters, virus detection
• Anomaly detection
  • Identify unusual/suspicious activity, eg. credit card fraud, intrusion detection
  • Often unsupervised learning, e.g. clustering
• Game theory
  • Model attacker costs and reactions, design countermeasures
• Automate incidence response and mitigation activities
  • Integrated with DevOps
• Network analysis
  • Identify bad actors and their communication in public/intelligence data
• Many more, huge commercial interest

AI Security Solutions are AI-Enabled Systems Too

• AI/ML component one part of a larger system
• Consider entire system, from training to telemetry, to user interface, to pipeline automation, to monitoring
• AI-based security solutions can be attacked themselves

Andew Pole, who heads a 60-person team at Target that studies customer behavior, boasted at a conference in 2010 about a proprietary program that could identify women - based on their purchases and demographic profile - who were pregnant.

Data Lakes

Data Privacy vs Utility

Data Privacy vs Utility

Data Privacy vs Utility

Data Privacy vs Utility

• ML can leverage data to greatly improve utility for individuals and society
• But unrestrained collection & use of data can enable abuse and harm!
• Viewpoint: Users should be given an ability to learn and control how their data is collected and used

Best Practices for ML & Data Privacy

• Data collection & processing
  • Only collect and store what you need
  • Remove sensitive attributes, anonymize, or aggregate

Data Anonymization

• Simply removing explicit identifiers (e.g., name) is often not enough
  • {ZIP, gender, birthdate} can identify 87% of Americans (L. Sweeney)
• k-anonymization: Identity-revealing data tuples appear in at least k rows
  • Suppression: Replace certain values in columns with an asterisk
  • Generalization: Replace individual values with broader categories

Best Practices for ML & Data Privacy

• Data collection & processing
  • Only collect and store what you need
  • Remove sensitive attributes, anonymize, or aggregate
• Training: Local, on-device processing if possible
  • Federated learning

Federated Learning

• Train a global model using local data stored across multiple edge devices
• Local devices push only model updates, not the raw data
• Improved data privacy & leveraging local processing power; but increased network communication and other security risks (e.g., backdoor injection)

Best Practices for ML & Data Privacy

• Data collection & processing
  • Only collect and store what you need
  • Remove sensitive attributes, anonymize, or aggregate
• Training: Local, on-device processing if possible
  • Federated learning
• Basic security practices
  • Encryption & authentication
  • Provenance: Track data sources and destinations
• Provide transparency to users
  • Clearly explain what data is being collected and why
• Understand and follow the data protection regulations!
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Domain-specific regulations: HIPPA (healthcare), FERPA (educational)

General Data Protection Regulation (GDPR)

• Introduced by the European Union (EU) in 2016
• Organizations must state:
  • What personal data is being collected & stored
  • Purpose(s) for which the data will be used
  • Other entities that the data will be shared with
• Organizations must receive explicit consent from users
• Each user must be provided with the ability to:
  • View, modify and delete any personal data
• Compliance & enforcement
  • Complaints are filed against non-compliant organizations
  • A failure to comply may result in heavy penalties!

Privacy Consent and Control

Best Practices for ML & Data Privacy

Be ethical and responsible with user data! Think about potential harms to users & society, caused by (mis-)handling of personal data

• Data collection & processing
• Training: Local, on-device processing if possible
• Basic security practices
• Provide transparency to users
• Understand and follow the data protection regulations!