Technical Report: When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks
Octavian Suciu, Radu Mărginean, Yiğitcan Kaya, Hal Daumé III, Tudor Dumitraș

TL;DR
This paper introduces the FAIL attacker model to define adversary capabilities in machine learning security, enabling the design of practical poisoning attacks like StingRay that are effective under realistic constraints and can bypass existing defenses.
Contribution
The paper proposes the FAIL model for adversary capabilities, and develops StingRay, a practical targeted poisoning attack that considers realistic constraints and transferability.
Findings
StingRay successfully attacks 4 ML applications across 3 algorithms.
StingRay bypasses 2 existing defenses effectively.
Prior evasion attacks are less effective under the FAIL model.
Abstract
Recent results suggest that attacks against supervised machine learning systems are quite effective, while defenses are easily bypassed by new attacks. However, the specifications for machine learning systems currently lack precise adversary definitions, and the existing attacks make diverse, potentially unrealistic assumptions about the strength of the adversary who launches them. We propose the FAIL attacker model, which describes the adversary's knowledge and control along four dimensions. Our model allows us to consider a wide range of weaker adversaries who have limited control and incomplete knowledge of the features, learning algorithms and training instances utilized. To evaluate the utility of the FAIL model, we consider the problem of conducting targeted poisoning attacks in a realistic setting: the crafted poison samples must have clean labels, must be individually and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
