Generative Adversarial Networks for Black-Box API Attacks with Limited Training Data
As online systems based on machine learning are offered to public or paid subscribers via application programming interfaces (APIs), they become vulnerable to frequent exploits and attacks. This paper studies adversarial machine learning in the practical case when there are rate limitations on API c...
Saved in:
| Published in | 2018 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT) pp. 453 - 458 |
|---|---|
| Main Authors | , , , |
| Format | Conference Proceeding |
| Language | English |
| Published |
IEEE
01.12.2018
|
| Subjects | |
| Online Access | Get full text |
| DOI | 10.1109/ISSPIT.2018.8642683 |
Cover
| Abstract | As online systems based on machine learning are offered to public or paid subscribers via application programming interfaces (APIs), they become vulnerable to frequent exploits and attacks. This paper studies adversarial machine learning in the practical case when there are rate limitations on API calls. The adversary launches an exploratory (inference) attack by querying the API of an online machine learning system (in particular, a classifier) with input data samples, collecting returned labels to build up the training data, and training an adversarial classifier that is functionally equivalent and statistically close to the target classifier. The exploratory attack with limited training data is shown to fail to reliably infer the target classifier of a real text classifier API that is available online to the public. In return, a generative adversarial network (GAN) based on deep learning is built to generate synthetic training data from a limited number of real training data samples, thereby extending the training data and improving the performance of the inferred classifier. The exploratory attack provides the basis to launch the causative attack (that aims to poison the training process) and evasion attack (that aims to fool the classifier into making wrong decisions) by selecting training and test data samples, respectively, based on the confidence scores obtained from the inferred classifier. These stealth attacks with small footprint (using a small number of API calls) make adversarial machine learning practical under the realistic case with limited training data available to the adversary. |
|---|---|
| AbstractList | As online systems based on machine learning are offered to public or paid subscribers via application programming interfaces (APIs), they become vulnerable to frequent exploits and attacks. This paper studies adversarial machine learning in the practical case when there are rate limitations on API calls. The adversary launches an exploratory (inference) attack by querying the API of an online machine learning system (in particular, a classifier) with input data samples, collecting returned labels to build up the training data, and training an adversarial classifier that is functionally equivalent and statistically close to the target classifier. The exploratory attack with limited training data is shown to fail to reliably infer the target classifier of a real text classifier API that is available online to the public. In return, a generative adversarial network (GAN) based on deep learning is built to generate synthetic training data from a limited number of real training data samples, thereby extending the training data and improving the performance of the inferred classifier. The exploratory attack provides the basis to launch the causative attack (that aims to poison the training process) and evasion attack (that aims to fool the classifier into making wrong decisions) by selecting training and test data samples, respectively, based on the confidence scores obtained from the inferred classifier. These stealth attacks with small footprint (using a small number of API calls) make adversarial machine learning practical under the realistic case with limited training data available to the adversary. |
| Author | Yi Shi Sagduyu, Yalin E. Li, Jason H. Davaslioglu, Kemal |
| Author_xml | – sequence: 1 surname: Yi Shi fullname: Yi Shi email: yshi@i-a-i.com organization: Intell. Autom. Inc., Rockville, MD, USA – sequence: 2 givenname: Yalin E. surname: Sagduyu fullname: Sagduyu, Yalin E. email: ysagduyu@i-a-i.com organization: Intell. Autom. Inc., Rockville, MD, USA – sequence: 3 givenname: Kemal surname: Davaslioglu fullname: Davaslioglu, Kemal email: kdavaslioglu@i-a-i.com organization: Intell. Autom. Inc., Rockville, MD, USA – sequence: 4 givenname: Jason H. surname: Li fullname: Li, Jason H. email: jli@i-a-i.com organization: Intell. Autom. Inc., Rockville, MD, USA |
| BookMark | eNotj8tOg0AUQMfELrT2C7qZHwBnmAeXJa1aSYhtUvbNBS46KQUzTFr9ezV2dXI2Jzn37HYYB2JsKUUspcgei_1-V1RxIiTEYHViQd2wRZaCNApsaiykd6za0EAegzsTz9sz-Qm9w56_UbiM_jjxbvR81WNzjFbjF893Bc9D-NWJX1z44KU7uUAtrzy6wQ3v_AkDPrBZh_1EiyvnrHp5rtavUbndFOu8jFwmQgSZJo2IoGqdQEZJagyItAVppWxarWuJUtSmoRpQdbpppCWjLIiu_ttRc7b8zzoiOnx6d0L_fbiuqh-opU1O |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/ISSPIT.2018.8642683 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE Xplore Digital Library IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| EISBN | 9781538675687 1538675684 |
| EndPage | 458 |
| ExternalDocumentID | 8642683 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IL CBEJK RIE RIL |
| ID | FETCH-LOGICAL-i90t-894e4aaa83b4289e2755807d81611cd44b1a10b5ceb8a3f4cc16e53680fb64263 |
| IEDL.DBID | RIE |
| IngestDate | Thu Jun 29 18:39:19 EDT 2023 |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i90t-894e4aaa83b4289e2755807d81611cd44b1a10b5ceb8a3f4cc16e53680fb64263 |
| PageCount | 6 |
| ParticipantIDs | ieee_primary_8642683 |
| PublicationCentury | 2000 |
| PublicationDate | 2018-Dec. |
| PublicationDateYYYYMMDD | 2018-12-01 |
| PublicationDate_xml | – month: 12 year: 2018 text: 2018-Dec. |
| PublicationDecade | 2010 |
| PublicationTitle | 2018 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT) |
| PublicationTitleAbbrev | ISSPIT |
| PublicationYear | 2018 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| Score | 1.8911889 |
| Snippet | As online systems based on machine learning are offered to public or paid subscribers via application programming interfaces (APIs), they become vulnerable to... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 453 |
| SubjectTerms | Adversarial machine learning Biological neural networks causative attack Deep learning evasion attack exploratory attack Gallium nitride generative adversarial network Neurons Training Training data |
| Title | Generative Adversarial Networks for Black-Box API Attacks with Limited Training Data |
| URI | https://ieeexplore.ieee.org/document/8642683 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1LawIxEB7UU09t0dI3OfTYrFnz2ORoH6IFRXAL3iSJCZSClrqC9Nc32d1aWnroLYRAHpNkJpPvmwG4IT4coPDuwsJ5gpnuKayM5-Ey5NJrT1nmo0N_PBHDZ_Y05_MG3O65MM65Enzmklgs__KXa7uNrrKuDMaykLQJzUyKiqtVBxJKieqOZrPpKI9oLZnULX-kTCk1xuAQxl99VUCR12RbmMR-_ArD-N_BHEHnm5uHpnutcwwNt2pDXkWPjlcXKlMsb3TcWGhSgbw3KJimqPTV4bv1DvWnI9QvikivR9ERi2qaE8rrhBHoQRe6A_ngMb8f4jpfAn5RpMBSMce01pKa8KZQrpdxLkm2lMGoS-2SMZPqlBhunZGaemZtKhynQhJv4lzoCbRW65U7BWSl0MT0vAoNGRVKe0-JS5X3TlhBsjNoxwVZvFURMRb1Wpz_XX0BB1EoFQjkElrF-9ZdBVVemOtShp-0KaAi |
| linkProvider | IEEE |
| linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1LSwMxEB5qPehJpRXf5uDRbbPNY5NjfZSutqXQFXorSZqACK3YLYi_3mR3rSgevIUQyGOSzGTyfTMAV9j5A-TfXRG3DkdUdWQktWP-MmTCKUdo4oJDfzji_Sf6MGXTGlxvuDDW2gJ8ZluhWPzlz5dmHVxlbeGNZS7IFmwzSikr2VpVKKEYy3Y6mYzTLOC1RKtq-yNpSqEzensw_OqthIq8tNa5bpmPX4EY_zucfWh-s_PQeKN3DqBmFw3IyvjR4fJCRZLllQpbC41KmPcKeeMUFd666Gb5jrrjFHXzPBDsUXDFoorohLIqZQS6U7lqQta7z277UZUxIXqWOI-EpJYqpQTR_lUhbSdhTOBkLrxZF5s5pTpWMdbMWC0UcdSYmFtGuMBOh7mQQ6gvlgt7BMgIrrDuOOkbUsKlco5gG0vnLDccJ8fQCAsyey1jYsyqtTj5u_oSdvrZcDAbpKPHU9gNAiohIWdQz9_W9twr9lxfFPL8BEX3o28 |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=2018+IEEE+International+Symposium+on+Signal+Processing+and+Information+Technology+%28ISSPIT%29&rft.atitle=Generative+Adversarial+Networks+for+Black-Box+API+Attacks+with+Limited+Training+Data&rft.au=Yi+Shi&rft.au=Sagduyu%2C+Yalin+E.&rft.au=Davaslioglu%2C+Kemal&rft.au=Li%2C+Jason+H.&rft.date=2018-12-01&rft.pub=IEEE&rft.spage=453&rft.epage=458&rft_id=info:doi/10.1109%2FISSPIT.2018.8642683&rft.externalDocID=8642683 |