TWC: Medium: Collaborative: Efficient Repair of Learning Systems via Machine Unlearning

TWC：媒介：协作：通过机器取消学习有效修复学习系统

• 批准号: 1854000
• 负责人: Yinzhi Cao
• 金额: $ 44.9万
• 依托单位: Johns Hopkins University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-05 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1854000&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Efficient; Repair

Today individuals and organizations leverage machine learning systems to adjust room temperature, provide recommendations, detect malware, predict earthquakes, forecast weather, maneuver vehicles, and turn Big Data into insights. Unfortunately, these systems are prone to a variety of malicious attacks with potentially disastrous consequences. For example, an attacker might trick an Intrusion Detection System into ignoring the warning signs of a future attack by injecting carefully crafted samples into the training set for the machine learning model (i.e., "polluting" the model). This project is creating an approach to machine unlearning and the necessary algorithms, techniques, and systems to efficiently and effectively repair a learning system after it has been compromised. Machine unlearning provides a last resort against various attacks on learning systems, and is complementary to other existing defenses. The key insight in machine unlearning is that most learning systems can be converted into a form that can be updated incrementally without costly retraining from scratch. For instance, several common learning techniques (e.g., naive Bayesian classifier) can be converted to the non-adaptive statistical query learning form, which depends only on a constant number of summations, each of which is a sum of some efficiently computable transformation of the training data samples. To repair a compromised learning system in this form, operators add or remove the affected training sample and re-compute the trained model by updating a constant number of summations. This approach yields huge speedup -- the asymptotic speedup over retraining is equal to the size of the training set. With unlearning, operators can efficiently correct a polluted learning system by removing the injected sample from the training set, strengthen an evaded learning system by adding evasive samples to the training set, and prevent system inference attacks by forgetting samples stolen by the attacker so that no future attacks can infer anything about the samples.

如今，个人和组织利用机器学习系统来调整室温，提供建议，检测恶意软件，预测地震，预测天气，机动车辆，并将大数据转变为见解。不幸的是，这些系统容易受到各种恶意攻击，并带来了潜在的灾难性后果。例如，攻击者可能会通过将精心制作的样本注入机器学习模型的训练集（即“污染”模型），欺骗入侵检测系统忽略未来攻击的警告信号。该项目正在创建一种用于机器学习的方法以及必要的算法，技术和系统，以损害学习系统，以高效地修复它。 Machine Unerning为学习系统的各种攻击提供了最后的手段，并且与其他现有防御措施相辅相成。 机器学习中的关键见解是，大多数学习系统可以转换为可以逐步更新而无需从头开始的昂贵的重新培训的表单。例如，可以将几种常见的学习技术（例如，天真的贝叶斯分类器）转换为非自适应统计查询学习形式，这仅取决于恒定的求和数量，每个总结都是训练数据样本的某些有效计算转换的总和。要以这种形式修复受损的学习系统，操作员添加或删除了受影响的培训样本，并通过更新恒定数量的求和来重新计算受过训练的模型。这种方法产生了巨大的加速 - 渐近加速对重新培训等于训练集的大小。通过学习，操作员可以通过从训练集中删除注入的样本，通过向训练组中添加回避样本来加强逃避的学习系统，并通过忘记攻击者忘记样本，以防止系统推理攻击来有效地纠正污染的学习系统，从而增强了逃避的学习系统，从而防止了系统推理攻击。