Game Over Eva(sion): Securing Deep Learning with Game Theory

The project Game Over Eva(sion): Securing Deep Learning with Game Theory aims to protect deep learning classifiers against targeted attacks. Deep learning classifiers are not only popular in scientific research but are also more and more adapted to the daily life, as self-driving cars, smartphones, and digital personal assistants use these kind of algorithms. Unfortunately, recent research has shown that almost all deep learning classifiers are vulnerable to so-called evasion attacks. In an evasion attack, an attacker can slightly modify a benign object and by this achieves a misclassification with a very high probability. The robustness of deep learning classifiers to these attacks is an open problem. We will model the competition of an attacker who is able to launch an evasion attack and the defender who wants to train a deep learning classifier that is robust against such an attack with means of game theory. In a first step, we will analyze which concepts of other research areas, such as adversarial classification, can be translated to the domain of secure deep learning. Then, we will develop a game-theoretic model that captures all relevant aspects and dependencies between the attackers and the defenders strategies. In the course of the project, we expect the first theoretically well-founded results on the achievable security of deep learning classifiers in the presence of evasion attacks. Furthermore, we will evaluate existing countermeasures against evasion attacks to gain insights about their optimality when facing a strategic attacker. Finally, we want to implement the key properties from out theoretical models in a practical deep learning classifier. We will compare our classifier against other state-of- the-art classifiers in terms of robustness against evasion attacks and accuracy on benign input objects. By this, we can validate if it is possible to make deep learning classifiers robust against evasion attacks. The expected results of the project will enable us to judge if deep learning classifiers are suitable for scenarios where an attacker has incentives to explicitly fool them, i.e., security-critical areas and widespread consumer products.

In the research project "Game Over Eva(sion): Securing Deep Learning with Game Theory", we dedicated ourselves to the topic of machine learning in adversarial environments (Adversarial Machine Learning) and its significance for the security of Deep Learning systems. The focus was on developing strategies and methods to enhance the robustness of these systems against targeted attacks. The research field addressed has existed since 2004, spurred by the discovery that even complex spam filters can be deceived by minimal changes to emails. This realization led to an intensive engagement with the security of Machine Learning models, especially regarding Deep Neural Networks (DNNs), which have been increasingly in focus since 2013. In the course of the project, we focused on two different types of adversarial examples: Sensitivity-based and Invariance-based adversarial examples. Sensitivity-based adversarial examples highlight how minor modifications in the input data can affect and deliberately deceive the predictions of a model. In contrast, Invariance-based adversarial examples concentrate on how changes in the data differently affect the perceptions of humans and machines. In summary, for both types of adversarial examples, the decisions of humans and the algorithms of machine learning differ. A central result of the project is the development of the "Advanced Adversarial Classification Game," a game-theoretical model that represents the interactions between attackers (who create sensitivity-based adversarial examples) and defenders (who try to protect their models against such attacks). This approach allows us to investigate and understand the economic and strategic aspects of Adversarial Machine Learning. Furthermore, experimental studies were conducted within the project to explore the effects of Invariance-based adversarial examples on human perception. This research led to the development of algorithms for generating such examples, in turn providing deeper insights into the differences between human and machine perception. The findings of the "Game Over Eva(sion)" project highlight the importance of continuous development and adaptation of security strategies in the field of Deep Learning. Especially since machine learning algorithms increasingly influence various aspects of daily life, the security of these algorithms becomes increasingly important, both for the academic world and for practical application in industry.