## Files in this item

| File | Description | Format |
|---|---|---|
| SANCHEZVICARTE-THESIS-2019.pdf (5MB) | (no description provided) | PDF (application/pdf) |

## Description

**Title:** Game of threads: Enabling asynchronous poisoning attacks
**Author(s):** Sanchez Vicarte, Jose Rodrigo
**Advisor(s):** Fletcher, Christopher W
**Department / Program:** Electrical & Computer Engineering
**Discipline:** Electrical & Computer Engineering
**Degree Granting Institution:** University of Illinois at Urbana-Champaign
**Degree:** M.S.
**Genre:** Thesis
**Subject(s):** adversarial machine learning; trusted execution environment; SGX; operating systems; multi-processing; asynchronous stochastic gradient descent; poisoning attacks; machine learning

**Abstract:**

As data sizes continue to grow at an unprecedented rate, machine learning training is being forced to adopt asynchronous training algorithms to maintain performance and scalability. In asynchronous training, many threads share and update the model in a racy fashion to avoid inter-thread synchronization. This work studies the security implications of these codes by introducing asynchronous poisoning attacks. Our attack influences the training outcome (e.g., degrades accuracy or biases the model towards an adversary-specified label) purely by scheduling asynchronous training threads in a malicious fashion. Since thread scheduling is outside the protections of modern trusted execution environments (TEEs), e.g., Intel SGX, our attack bypasses these protections even when the training set can be verified as correct. To the best of our knowledge, this represents the first example where a class of applications loses integrity guarantees despite being protected by enclave-based TEEs such as Intel SGX. We demonstrate both accuracy-degradation and model-biasing attacks on the CIFAR-10 image recognition task using ResNet-style DNNs, attacking an asynchronous training implementation published by PyTorch. We perform a deeper analysis on a LeNet-style DNN. We also perform proof-of-concept experiments to validate our assumptions on an SGX-enabled machine.

Our most powerful accuracy-degradation attack makes no assumptions about the underlying training algorithm aside from the algorithm supporting racy updates, yet it is capable of returning a fully trained network to the accuracy of an untrained network, or to some accuracy in between based on attacker-controlled parameters. Our model-biasing attack is capable of biasing the model towards an attacker-chosen label by up to roughly 2× the label's normal prediction rate.

**Issue Date:** 2019-12-12
**Type:** Text
**URI:** http://hdl.handle.net/2142/106293
**Rights Information:** Copyright 2019 Jose Rodrigo Sanchez Vicarte
**Date Available in IDEALS:** 2020-03-02
**Date Deposited:** 2019-12