Security Challenges of Artificial Intelligence

Introduction

 The key ingredient of artificial intelligence is machine learning (ML). AI applications such as computer vision and natural language processing show that ML will have enormous implications for the future, and neural networks are the most expressive ML models in use today. An adversarial attack against a machine learning system is one in which someone subtly alters an input, such as an image or a sound, so that the model mis-classifies it while a human still perceives it correctly. The implications are huge in a world growing more saturated with so-called machine intelligence. In this post we focus on image classification.

 How do artificial intelligence algorithms work? AI applications mostly depend on artificial neural networks and machine-learning algorithms: software architectures that derive functional rules by analysing large amounts of data (training). For instance, an AI-based image classifier examines millions of pictures labelled by humans and extracts the common patterns that define different objects such as cats, cars, humans and street signs. Afterwards it is able to recognise those objects in new images and video.

What are Adversarial Examples?

Adversarial examples are model inputs specifically designed to make an ML model (or neural network) produce a wrong output. The challenge is that adversarial examples are nearly identical to their real-world counterparts: by adding a small amount of "adversarial noise" to a source image, an attacker can produce an adversarial example that is indistinguishable, to a human, from the unaltered image, yet is classified differently by the model. The noise is normally bounded (for example, no pixel may change by more than a small epsilon) precisely so that it stays imperceptible.


Adversarial attacks are not limited to supervised classifiers; they also apply to reinforcement learning (RL). Unlike supervised learning, where a fixed dataset of labelled training examples is processed during learning, in RL the training examples are gathered throughout the training process as the agent interacts with its environment. In simpler terms, an RL model trains a policy, and although two models may share the same objective, the policies they learn can be significantly different.

Attack techniques differ depending on whether or not the attacker has access to the target model (its architecture and parameters, or for RL the policy network). Adversarial attacks are therefore classified into two main groups: white-box and black-box.

White-Box Adversarial Attacks

White-box adversarial attacks describe scenarios in which the attacker has full access to the target model: its architecture, its trained parameters and, for an RL agent, the policy network. That access lets the attacker compute the gradient of the model's loss with respect to the input and follow it. Research has shown that even a small, gradient-guided perturbation of the input can drastically affect the performance of the model. Here are some example methods:

  • L-BFGS (the optimisation-based attack that first demonstrated adversarial examples)
  • FGSM (Fast Gradient Sign Method: one step of size epsilon along the sign of the input gradient)
  • BIM (Basic Iterative Method: FGSM applied in several small steps)
  • ILCM (Iterative Least-Likely Class Method: a targeted variant of BIM)
  • MI-FGSM (Momentum Iterative FGSM)
  • JSMA (Jacobian-based Saliency Map Attack: changes the few pixels with the largest effect)
  • DeepFool (finds the smallest perturbation that crosses the nearest decision boundary)
  • C&W (the Carlini & Wagner optimisation-based attacks)

Black-Box Adversarial Attacks

Black-box adversarial attacks describe scenarios in which the attacker has no access to the model's parameters or gradients (or, for RL, the policy network) and can only query it for outputs such as labels or confidence scores. The attacker either searches the input space directly using those outputs, estimates the gradient from repeated queries, or crafts examples on a substitute model and relies on their transferring to the target. Here are some example methods:

  • Single Pixel Attack
  • Local Search Attack

Defence Techniques Examples

Feature squeezing can be used to harden DNN models by detecting adversarial examples. A "squeezer" (for example, reducing the colour bit depth of an image or applying spatial smoothing) reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. The model is run on both the original input and its squeezed version; if the two predictions differ by more than a threshold, the input is flagged as adversarial. A squeezer only removes the perturbations it happens to squash: a large change to a few pixels survives bit-depth reduction, which is why several squeezers are normally combined.
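The attack and defence mechanics described in the white-box and black-box sections above and in the feature squeezing paragraph, in one added example that is not from the original post. The classifier is a constructed logistic regression over a 4x4 "image" (the weights, bias and flat-grey input are made up for the example); `fgsm` is the standard Fast Gradient Sign Method, `local_search` is a simplified greedy single-pixel search in the spirit of the local search attack and not the published algorithm, and `is_adversarial` implements the feature-squeezing detector with bit-depth reduction as its only squeezer and a detection threshold chosen for this toy model.

```python
import numpy as np

# Constructed toy classifier standing in for the DNN image classifier in the
# text: logistic regression over a 4x4 grayscale image (16 pixels in [0, 1]).
# Class 1 = "stop sign", class 0 = "other". Weights and bias are made up.
W = np.array([ 0.9, -0.7,  0.8, -0.6,
              -0.5,  1.0, -0.4,  0.7,
               0.6, -0.8,  0.9, -0.5,
              -0.7,  0.8, -0.6,  1.0])
B = 0.1
X_CLEAN = np.full(16, 0.5)  # constructed input: flat mid-grey, classified as 1

def predict_proba(x):
    """P(class 1 | x). A black-box attacker may call only this (query access)."""
    z = float(np.dot(W, x) + B)
    return 1.0 / (1.0 + np.exp(-z))

def predict(x):
    return int(predict_proba(x) >= 0.5)

def linf(x, x_adv):
    """Size of the adversarial noise: the largest per-pixel change."""
    return float(np.max(np.abs(x_adv - x)))

# ---- white-box: Fast Gradient Sign Method (needs dLoss/dx, hence W) ----------
def fgsm(x, y, eps):
    # Cross-entropy loss of logistic regression: dLoss/dz = p - y, dz/dx = W.
    p = predict_proba(x)
    grad = (p - y) * W
    # One step of size eps in the direction that increases the loss, then
    # clip back into the valid pixel range.
    return np.clip(x + eps * np.sign(grad), 0.0, 1.0)

# ---- black-box: greedy single-pixel local search (query access only) ----------
def local_search(oracle, x, y, max_pixels=5):
    """Simplified local-search attack: repeatedly set the one pixel (to 0 or 1)
    that most lowers the oracle's confidence in the true class y. Uses only
    oracle outputs, never W. Returns (x_adv, pixels_changed, queries)."""
    queries = 0
    def true_class_conf(v):
        nonlocal queries
        queries += 1
        p = oracle(v)
        return p if y == 1 else 1.0 - p
    x_adv = x.copy()
    current = true_class_conf(x_adv)
    changed = 0
    while current >= 0.5 and changed < max_pixels:
        best_x, best_score = None, current
        for i in range(x_adv.size):
            for v in (0.0, 1.0):
                if x_adv[i] == v:
                    continue  # no-op candidate, do not waste a query on it
                cand = x_adv.copy()
                cand[i] = v
                s = true_class_conf(cand)
                if s < best_score:
                    best_x, best_score = cand, s
        if best_x is None:
            break  # no single-pixel change helps any more
        x_adv, current = best_x, best_score
        changed += 1
    return x_adv, changed, queries

# ---- defence: feature squeezing (bit-depth reduction) used as a detector ------
def bit_depth_squeeze(x, bits=2):
    levels = 2 ** bits - 1
    return np.round(x * levels) / levels

def is_adversarial(x, threshold=0.2):
    """Flag x if the model's outputs on x and on squeeze(x) disagree too much.
    Score is the L1 distance between the output distributions [p, 1-p];
    the threshold is picked for this toy model, not a published value."""
    p, p_sq = predict_proba(x), predict_proba(bit_depth_squeeze(x))
    return bool(2.0 * abs(p - p_sq) > threshold)

def run_demo(eps=0.1):
    x = X_CLEAN
    x_f = fgsm(x, 1, eps)
    x_b, changed, queries = local_search(predict_proba, x, 1)
    return {
        "clean_label": predict(x),
        "fgsm_label": predict(x_f), "fgsm_linf": linf(x, x_f),
        "bb_label": predict(x_b), "bb_changed": changed, "bb_queries": queries,
        "clean_flagged": is_adversarial(x),
        "fgsm_flagged": is_adversarial(x_f),
        "bb_flagged": is_adversarial(x_b),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:14} {v}")
```

Running it shows that FGSM flips the label with no pixel moved by more than 0.1 (an eps of 0.05 is not enough for this input), that the query-only search flips the label by blanking three pixels, and that the squeezing detector flags the FGSM example but not the three-pixel one. That last result illustrates the limitation of bit-depth reduction on its own: it squashes small noise spread over every pixel, not a large change to a few pixels, so a deployment would pair it with a smoothing squeezer.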

Thermometer encoding is another proposed way to resist adversarial examples: each input pixel is discretised into a set of buckets and fed to the network as a thermometer code, which removes the smooth input gradient that gradient-based attacks rely on. Networks trained on thermometer-encoded inputs were reported to have consistently higher accuracy on adversarial examples while maintaining the same accuracy on clean examples and training more quickly. The caveat is that this defence works by obscuring gradients, and later work showed that adaptive attacks which approximate the gradient through the encoding can circumvent it, so it should not be relied on alone.

Ongoing Challenge - Privacy of Training Data

As machine learning is adopted by more organisations looking to use neural networks to solve problems, some privacy risks are inherent. For example, hospitals, retailers and governments may want to train a neural network on a wide range of sensitive data sets. If proper restrictions are not applied to the training data, personal information can be extracted by an adversary who has only limited access to the actual data. Organisations should think carefully before training machine learning models on such data: it is possible to recover private information even when an attacker has only query access to the model, for instance by testing whether a particular record was part of the training set (membership inference) or by reconstructing representative inputs for a class (model inversion).

Steve Baker

Trades & Business Services Growth Coach | Trades & Services Consultant | Business Planning | Business Advisor

6 years

A gold mine of tips, useful Artificial Intelligence insights.


More articles by Edwin Anthony Joseph
