We provide a comprehensive overview of adversarial machine learning, focusing on two application domains: cybersecurity and computer vision. Research in adversarial machine learning addresses a significant threat to the wide deployment of machine learning techniques: they are vulnerable to carefully crafted attacks from malicious adversaries. For example, deep neural networks fail to correctly classify adversarial images, which are generated by adding imperceptible perturbations to clean images. We first discuss three main categories of attacks against machine learning techniques: poisoning attacks, evasion attacks, and privacy attacks. We then introduce the corresponding defense approaches, along with the weaknesses and limitations of existing defenses. We observe that adversarial samples in cybersecurity and computer vision are fundamentally different: while adversarial samples in cybersecurity often have properties and distributions that differ from those of the training data, adversarial images in computer vision are created with minor input perturbations. This further complicates the development of robust learning techniques, because a robust learning technique must withstand these different types of attacks.
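To make the notion of an imperceptible perturbation concrete, the sketch below illustrates one widely used evasion attack, the fast gradient sign method (FGSM) of Goodfellow et al.; it is an illustrative example under assumed settings, not a method proposed in this survey. The toy network, epsilon value, and random input are hypothetical stand-ins.

```python
# Illustrative FGSM sketch: perturb a clean image in the direction that
# increases the classifier's loss, bounded in L-infinity norm by epsilon.
# TinyNet, epsilon, and the inputs below are assumptions for illustration.
import torch
import torch.nn as nn
import torch.nn.functional as F

class TinyNet(nn.Module):
    """A small stand-in classifier for 28x28 grayscale images."""
    def __init__(self, num_classes: int = 10):
        super().__init__()
        self.conv = nn.Conv2d(1, 8, kernel_size=3, padding=1)
        self.fc = nn.Linear(8 * 28 * 28, num_classes)

    def forward(self, x):
        x = F.relu(self.conv(x))
        return self.fc(x.flatten(1))

def fgsm_attack(model, x, y, epsilon=0.1):
    """Return an adversarial version of x within epsilon of the original.

    Because each pixel moves by at most epsilon, the adversarial image
    stays visually close to the clean one while the loss increases.
    """
    x_adv = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    # Step by epsilon along the sign of the gradient, then clip to valid pixels.
    x_adv = x_adv + epsilon * x_adv.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()

if __name__ == "__main__":
    model = TinyNet().eval()
    x = torch.rand(1, 1, 28, 28)   # stand-in "clean image"
    y = torch.tensor([3])          # its (assumed) true label
    x_adv = fgsm_attack(model, x, y)
    print("max pixel change:", (x_adv - x).abs().max().item())
```

This kind of attack exemplifies the computer-vision setting described above, where the adversarial input is a minor perturbation of legitimate data; by contrast, adversarial samples in cybersecurity (e.g., malicious binaries or network traffic) often come from a distribution genuinely different from the training data.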