Hacking Artificial Intelligence by Davey Gibian

Author: Davey Gibian
Language: eng
Format: epub
Publisher: Rowman & Littlefield Publishing
Published: 2022-03-29T00:00:00+00:00


STEALING DATA

To understand how underlying data can be stolen, it is important to understand how an AI learns. Recall that an AI learns first on a set of training data. Once trained, the AI can then be applied to real-world data to which it had not been exposed before. This ability to operate on data beyond the training set, known as the AI’s generalized learning (or generalization), is critical: it is what allows an AI to be taken out of a training environment and applied to real-world problems. If it were only able to operate under known, fixed conditions, it would resemble the rules-based classical school of AI, which was abandoned in favor of machine learning.

However, in a concept that borders on science fiction, AIs have memories. The entire notion of machine learning rests on these memories, and they are part of what makes choosing the correct training data so important. During training, an AI learns patterns in the training data that are then applied elsewhere. Because an AI can later be run on new data, it inherently “remembers” the data it was trained on and makes predictions based on that information. By interacting with an AI repeatedly, patterns can emerge that make it possible to reverse engineer the training data. Data privacy attacks weaponize these memories and make it possible to steal the proprietary, underlying information that was used to train the AI.

One common approach to learning about the underlying training data of an AI is to test whether a particular piece of data was in the original training set. This can be done even when an adversary has no access to the AI other than its endpoint, much like a black-box evasion attack. In one example, AI research teams used a technique known as a membership inference attack to recognize differences in the AI’s predictions on inputs that were in the training set versus those that were not. This is a relatively straightforward example: the model simply made better predictions on data from its original training set. What is impressive about this simple technique is that it has proven effective even against commercial “machine learning as a service” providers such as Google and Amazon.[1]
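The signal the paragraph describes (better, more confident predictions on training members than on unseen inputs) is something a model owner can measure before deployment. The following Python audit is an added example, not code from the book or from the research it cites: it trains a deliberately memorizing k-nearest-neighbour model on constructed synthetic data, computes the membership advantage (true-positive rate minus false-positive rate) of a simple confidence-threshold membership guess against an independent held-out set, and shows that a model which memorizes less (larger k) leaks less. All data, model and function names are assumptions made for the example.

```python
"""Added example: a defender-side membership-leakage audit (pure Python).

A model that 'remembers' its training data answers more confidently on
training members than on unseen points. The audit quantifies that gap as
membership advantage = TPR - FPR of a confidence-threshold guess, the same
signal a membership inference attack relies on, so the owner can compare
models before exposing an endpoint. Requires Python 3.8+ (math.dist).
"""
import math
import random


def make_dataset(n, seed):
    """Constructed data: two overlapping 2-D blobs, label 0 around (-1, -1)
    and label 1 around (+1, +1). Returns a list of ((x, y), label) pairs."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        label = rng.randint(0, 1)
        centre = 1.0 if label == 1 else -1.0
        point = (rng.gauss(centre, 1.2), rng.gauss(centre, 1.2))
        data.append((point, label))
    return data


class KNNModel:
    """k-nearest-neighbour classifier. With k=1 every training point is its
    own nearest neighbour, so the model reproduces its training labels with
    confidence 1.0: a deliberately memorising model for the audit."""

    def __init__(self, train, k):
        self.train = train
        self.k = k

    def confidence(self, point, label):
        """Probability the model assigns to `label` for `point`
        (fraction of the k nearest training points carrying that label)."""
        nearest = sorted((math.dist(point, p), l) for p, l in self.train)[: self.k]
        return sum(1 for _, l in nearest if l == label) / self.k


def membership_advantage(member_conf, outsider_conf, threshold=1.0):
    """Confidence-threshold membership guess: flag a point as 'member' when
    the model's confidence on its true label is >= threshold.
    Returns (true_positive_rate, false_positive_rate, advantage); an
    advantage of 0 means the guess does no better than chance."""
    tpr = sum(1 for c in member_conf if c >= threshold) / len(member_conf)
    fpr = sum(1 for c in outsider_conf if c >= threshold) / len(outsider_conf)
    return tpr, fpr, tpr - fpr


def _mean(values):
    return sum(values) / len(values)


def run_audit(k, n_train=400, n_test=400, threshold=1.0):
    """Train a k-NN model on constructed data and audit it against an
    independent held-out sample from the same distribution. Also reports
    the generalisation gap (mean true-label confidence on members minus
    on outsiders), which is what makes membership inference work."""
    train = make_dataset(n_train, seed=0)       # the 'training set'
    held_out = make_dataset(n_test, seed=1)     # never seen by the model
    model = KNNModel(train, k)
    member_conf = [model.confidence(p, l) for p, l in train]
    outsider_conf = [model.confidence(p, l) for p, l in held_out]
    tpr, fpr, adv = membership_advantage(member_conf, outsider_conf, threshold)
    return {
        "k": k,
        "tpr": tpr,
        "fpr": fpr,
        "advantage": adv,
        "confidence_gap": _mean(member_conf) - _mean(outsider_conf),
    }


if __name__ == "__main__":
    for k in (1, 15):
        r = run_audit(k)
        print(f"k={r['k']:2d}  TPR={r['tpr']:.2f}  FPR={r['fpr']:.2f}  "
              f"advantage={r['advantage']:.2f}  conf_gap={r['confidence_gap']:.2f}")
```

With k=1 every training member is recalled with confidence 1.0, so the guess flags all members and the only thing limiting the attacker is the model's ordinary accuracy on outsiders; the audit's advantage is exactly the gap between training and held-out performance. With k=15 the prediction is a vote over neighbours, the member's own label carries only one vote in fifteen, and both the advantage and the confidence gap collapse toward zero. Reducing that gap (regularisation, early stopping, privacy-preserving training, or returning only a label rather than full confidences) is the defender's lever; the audit gives a number to track while doing so.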

A real-world example of the damage a membership inference attack can do is leaking personal information from a hospital. Using the same technique used against the Google and Amazon classifiers, AI security researchers were able to test whether certain persons were included in the data of an AI system trained on hospital records.[2] This could be used to learn whether certain patients had a health condition, such as a sexually transmitted disease, that they would prefer not be public knowledge, while also potentially putting the company running the AI in breach of HIPAA compliance.

In another potential compliance breach using membership inference attacks, teams have been able to determine whether a user’s text messages[3] and location data[4] were used to train an AI. Using this method,
