Machine learning (ML) algorithms are becoming ubiquitous; they're used in applications ranging from playing chess and predicting the weather to diagnosing cancer and driving cars. In this project we first seek to understand how robust ML algorithms are in the face of an adversary. Specifically, we study whether an adversary can fool ML classifiers in practical settings without arousing the suspicion of a human. For instance, we showed that it is possible to 3D-print a pair of eyeglasses that, when worn by an adversary, cause a state-of-the-art face-recognition algorithm to misidentify the adversary as a specific other person. We then leverage what we learn about ML algorithms' weaknesses to design ML algorithms that are more resistant to attack.
Video demonstrating targeted impersonation: Mahmood impersonates Ariel against VGG10. The video shows that the face recognizer isn't confused by non-adversarial eyeglasses, including large, bright ones, but that adversarial eyeglasses generated specifically to fool the recognizer into classifying Mahmood as Ariel are overwhelmingly successful at doing so. Targeted impersonation is achieved via the method described in “Adversarial generative nets: neural network attacks on state-of-the-art face recognition” (see below).
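At a high level, such attacks optimize the coloring of the eyeglass frames so that the classifier's output shifts toward the target identity. The following is a minimal sketch of this idea in PyTorch, not the authors' implementation: `model`, `image`, the eyeglass-shaped binary `mask`, and `target_class` are illustrative placeholders, and the sketch omits refinements from the papers below (e.g., constraints for printability and for robustness to pose and lighting changes).

```python
import torch
import torch.nn.functional as F

def adversarial_eyeglasses(model, image, mask, target_class,
                           steps=300, lr=0.01):
    """Optimize a perturbation confined to `mask` (1 where the eyeglass
    frames sit, 0 elsewhere) so that `model` classifies the perturbed
    image as `target_class`. `image` is a [1, 3, H, W] tensor in [0, 1]."""
    delta = torch.zeros_like(image, requires_grad=True)
    optimizer = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        # Apply the perturbation only inside the eyeglass region,
        # keeping pixel values in the valid [0, 1] range.
        adv = torch.clamp(image + delta * mask, 0.0, 1.0)
        logits = model(adv)
        # Targeted attack: minimize the loss w.r.t. the target identity.
        loss = F.cross_entropy(logits, torch.tensor([target_class]))
        optimizer.zero_grad()
        loss.backward()
        optimizer.step()
    return torch.clamp(image + delta.detach() * mask, 0.0, 1.0)
```

Confining the perturbation to the frame region is what lets the attack be realized physically: only the frames need to be printed, while the rest of the face is left untouched.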
new! A general framework for adversarial examples with objectives. [BibTeX] Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter. ACM Transactions on Privacy and Security, 2019. To appear. (Revised version of arXiv preprint 1801.00349.)
Parts of this work have been supported by MURI grant W911NF-17-1-0370, by the National Security Agency, by the National Science Foundation, by a gift from NVIDIA, and by gifts from NATO and Lockheed Martin through Carnegie Mellon CyLab.