Talks

PhD Defense: Building Secure and Reliable Deep Learning Systems from a Systems Security Perspective

Sanghyun Hong

Remote

Friday, July 23, 2021, 12:00-2:00 pm

You are subscribed to this talk through .
You are watching this talk through .
You are subscribed to this talk. (unsubscribe, watch)
You are watching this talk. (unwatch, subscribe)
You are not subscribed to this talk. (watch, subscribe)

Abstract

As deep learning is becoming a key component in many business and safety-critical systems, e.g., self-driving cars or AI-assisted robotic surgery, adversaries have started placing them on their radar. To understand their potential threats, recent work studied the worst-case behaviors of deep neural networks (DNNs), such as mispredictions caused by adversarial examples or models altered by data poisoning. However, most of the prior work narrowly considers DNNs as an isolated mathematical concept, and it overlooks a holistic picture---leaving out the security threats caused by practical hardware or system-level attacks.

In this talk, on three separate projects, I will present my research on how deep learning systems, owing to the computational properties of DNNs, are particularly vulnerable to existing well-studied attacks. First, I will show how over-parameterization hurts a system's resilience to fault-injection attacks [USENIX'19]. Even with a single bit-flip, when chosen carefully, an attacker can inflict an accuracy drop up to 100%, and half of a DNN's parameters have at least one-bit that degrades its accuracy over 10%. An adversary who wields Rowhammer, a fault attack that flips random or targeted bits in the physical memory (DRAM), can exploit this graceless degradation in practice. Second, I will how computational regularities can compromise the confidentiality of a system [ICLR'20]. Leveraging the information leaked by a DNN processing a single sample, an adversary can steal the DNN's often proprietary architecture. An attacker armed with Flush+Reload, a remote side-channel attack, can accurately perform this reconstruction against a DNN deployed in the cloud. Third, I will show how input-adaptive DNNs, e.g., multi-exit networks, fail to promise computational efficiency in an adversarial setting [ICLR'21]. By adding imperceptible input perturbations, an attacker can significantly increase a multi-exit network's computations to have predictions on an input. This vulnerability also leads to exploitation in resource-constrained settings such as an IoT scenario, where input-adaptive networks are gaining traction. Finally, building on the lessons learned from my projects, I will conclude my talk by outlining future research directions for designing secure and reliable deep learning systems.

Examining Committee:

Chair: Dr. Tudor Dumitras
Dean's rep: Dr. Mike Hicks
Members:   Dr. Dana Dachman-Soled
    Dr. Leonidas Lampropoulos

  Dr. Abhinav Shrivastava
    Dr. Nicolas Papernot
Dr. Nicholas Carlini

Bio

Sanghyun Hong is a PhD candidate in computer science at the University of Maryland, College Park, advised by Prof. Tudor Dumitras. His research interests lie at the intersection of computer security and machine learning. His current research focus is to study the computational properties of DNNs from a systems security perspective. He also works on identifying distinct computational behaviors of DNNs, such as network confusion or gradient-level disparity, whose quantification led to defenses against backdooring or data poisoning. He was invited as a speaker at USENIX Enigma'21, where he talked about practical hardware attacks on deep learning, and he is also a recipient of the Ann G. Wylie Dissertation Fellowship. He received his BS in EECS at Seoul National University in South Korea. Sanghyun will join Oregon State University as an Assistant Professor in Fall 2021.

This talk is organized by Tom Hurst