Artificial Intelligence has been a boon to the human race.
Artificial intelligence has made a lot of tasks look more comfortable than they usually were.
However, like any other technology, there are certain risks associated with this technology too.
Let us discuss some of the security risks associated with Artificial intelligence.
Adversarial attacks are usually created by the attackers to confuse the machine learning for making mistakes.
In short, these types of attacks can be explained as an optical illusion for the machines.
Here the attackers want the output classifications of machines to be wrong.
The biggest impact of this attack technology is that it can be printed on a standard paper.
If these images are then further collected by smartphones, these can still confuse the machine systems.
Adversarial attacks are modified inputs that are quite indistinguishable from the original.
Attackers find the distortions for every class of image, then the representation vector is replaced into another cell from its initial cell.
Let us assume the original image as “Source” and distortion as “Noise”.
Through the method of Fast Gradient Step Method (FGSM), a little noise is added at every optimization step.
Here it is made sure that the noise is kept subtle also meaning here the intensity of the pixel channel.
Ensuring the limiting of noise keeps it imperceptible.
Thus image may look like overly compressed JPEG causing an error in calculation.
Attackers will increase the noise to maximize the error.
There are many other categories of adversarial attacks in context to the assumption of the attacker’s knowledge:
- White box: Here the attackers are assumed to have full knowledge as well as access related to the model.
- Black box: Here the attackers are assumed to have the knowledge of only inputs and outputs of the model.
- Black box with probing: Here the attacker is assumed to not have much knowledge about the model but can probe into it.
- Black box without probing: Attackers are expected to have a limited or no knowledge relating to the model.
- Digital attack: The attacker here is expected to have direct access to the data that is being fed to the model.
- Physical attack: The attacker has no digital access but he feds the model through inputs obtained through sensors, cameras, or microphones.
This is the technique wherein reverse engineering is used.
A model inversion attack is used on machine learning to fetch for the information used to train it.
Such type of attacks is a grave threat to the privacy of the data in machine models.
The attack is made on the training data, where the same data is reconstructed by taking its correlational advantage with model outputs.
In a model inversion attack, consider a data set A, data set B, and a model M(B) that is a machine-learned model trained on personal data.
Under this attack, a data controller might not have direct access to B but has access to A and M(B).
This allows it to retrieve data information for those individuals that are present both in the training set as well as extra data set A, from B.
These variables further on connection with each other such that the data set in question is present with values of A as well as B.
Data so recovered from the training sets might be with errors but will be accurate than the characteristics that were deduced from the ones not present in training sets.
A Trojan can be defined as a set of codes or can even be software that might present itself as legit and can control the systems.
Once loaded, it performs the unethical function it was designed for.
For an AI, Trojan can be defined as a backdoor attack having the ability to trick the AI into accepting specific triggers on acceptance of which AI is expected to give wrong results.
Attackers would have to install Trojan in a healthy operating environment since activating it on data sets, or normal operations could make AI users suspicious.
AI mixed with Trojan has to exhibit normal behavior without triggers to eliminate the threat of raising suspicions.
Concerns were raised for the model GPT-2, wherein this model was giving wrong information to the public about different searches done by users.
A model, text generator was developed by OpenAI.
This particular model was, however, dropped for various threats of it being abused.
GPT-2 was initially trained on more than 8 million web pages.
Apparently, a smaller version of the same was introduced for a trial purpose.
This smaller version was made available with few parameters like phrases as well as sentences.
The majority of the time, it was found that the platform was giving incorrect, self-made as well as vague statements.
For the search of statement, “Turkeys hate Christmas” a user got the reply, “Turkey is the only nation in the world that doesn’t celebrate Christmas”
Adversarial training will help the machine to understand better between data inputs.
If done to a more considerable extent, this method can prove efficient in reducing the system’s miscalculations.
Kerckhoff’s cryptographic principle states that the key to access systems should remain unknown.
The idea is that the defendant and the attacker both have the same amount of knowledge related to systems.
This principle suggests that access to a system should remain unknown and then only there would be an upper edge for the defendant against attacks.
The randomization of the mechanism for the classifier structure that was measured by a secret key was introduced.
This knowledge of this secret would not be available to any attacker and thus would present an added advantage for defending against attacks.
What happens here is the labeling of the inputs.
Labeled input is collected in clusters.
Clusters contain images that belong to the same class.
If inputs are classified differently, the whole region is drawn again, and the experiment is repeated until a safe parameter is achieved.
If no such incorrect input is found, then the process is considered to be safe.
Elimination of noises present in the inputs is removed here so that only needed features are taken to reconstruct the original image.
Inputs in this autoencoder method before reconstructing info on the outer layer are first passed through lower-dimensional layers for reducing the dimensionality of the inputs.
This helps in the removal of adversarial perturbations.
While working with AI, one should properly analyze the standards being used for the same, and the proper role management system should be enabled to overcome any sort of threat to AI.