Transcriptions

Note: this content has been automatically generated.
00:00:00
take it to be excellent action
00:00:05
hello everyone uh it is a pleasure for me to be here today to present the work that we have done uh in
00:00:11
the last year and a half since we arrived at EPFL
00:00:14
at the intersection of machine learning security and privacy issues
00:00:22
um so i'm the head of a lab called security and
00:00:26
privacy engineering lab spring and as gently as sad
00:00:31
we work in a wide range of security and privacy subjects and
00:00:35
all of them have been one way or another very much affected
00:00:39
by this thing that maybe you have heard about which is the machine learning revolution and
00:00:45
the machine learning revolution is this thing that is gonna change each and every aspect of our lives
00:00:51
how health is gonna be done how finances is
00:00:54
gonna be done how advertising works how the supply chain
00:00:59
is gonna work although just fix everything that uh
00:01:03
we knew in the analog world is gonna be changed
00:01:06
by machine learning maybe voting essentially an exception i
00:01:10
have heard not yet machine learning voting recognition but i'm
00:01:13
sure that that will come sometime soon it would probably be done in the blockchain it's gonna be great um
00:01:22
but with the rise of machine learning of course also rises the adversarial machine learning this is kind of
00:01:30
the big is not to mark of any learning system that is at the core of all of these
00:01:35
uh improvements now is actually subject to attacks
00:01:39
and there are mainly two classes of attacks uh on machine learning systems
00:01:44
on the one hand you may have heard of adversarial examples many people have seen this
00:01:49
image of a panda that uh can be seen by the machine learning system as a gibbon
00:01:57
and these are um normal things that you could put in the machine
00:02:01
learning uh algo if somebody tried to modify them a little bit
00:02:05
maybe by adding some noise maybe by rotating a little bit the image
00:02:10
or maybe um as we have at the very and they just um
00:02:14
crafting the big image when you're even creating it so that whenever the machine learning uh looks at it
00:02:21
it doesn't recognise the real image and is tricked into giving a different output and here it
00:02:27
is a quick search i did a couple of days ago about the purpose of this topic
00:02:32
we already have eight million results in google of people working on
00:02:36
adversarial examples and this is the node i gave 'em an excerpt
00:02:40
of this talk uh at the end of january this year and
00:02:45
we had a half of the results so it does show a big increase
00:02:51
and the other type of attacks we have are called poisoning attacks in this case
00:02:55
instead of attacking the machine learning algorithm on the deployment we're trying to modify the training
00:03:02
what machine learning does is to take a lot of data and try to make a model out
00:03:06
of it in order to predict or classify events
00:03:10
if we actually can modify this model at will
00:03:14
then we will have an influence on the output uh so
00:03:17
here we have the spam filter where maybe you can try to poison
00:03:21
uh the training to include some wasn't yes this is
00:03:26
that at some point you may be able to
00:03:29
push spam to the system because you have made the system believe
00:03:34
that the spam is actually good here the number is about seven million a
00:03:39
fun fact this number actually reduced uh from the number i had in january
00:03:44
what i uh guess is that google just changed their machine learning algorithm
00:03:49
to classify a two works and internet and removed a lot of poisoning having to
00:03:54
do with the actual poisoning of people maybe and that's how we end up there
00:04:00
and kind of the greatest news of this is that from a research perspective we are kind of closer to
00:04:07
prove that these type of attacks are actually inherent
00:04:12
of the very core of how machine learning works
00:04:15
uh the high dimensional spaces in which machine learning works and the complexity of the
00:04:20
tasks it is trying to learn will always have these little spaces so that we will be
00:04:25
able to push kind of adversarial examples or two why uh but this put in
00:04:30
some point in the breeze in the training set be able to um modify the output
00:04:38
um so at this point in time the question is okay
00:04:42
so have we lost should be just lose hope and uh
00:04:47
instead of working on machine learning just all join brian and work on the blockchain uh maybe for voting
00:04:54
um and well i mean well this is kind of a great picture
00:04:58
and it is true that maybe these type of attacks cannot um
00:05:03
be removed at the lab we believe that no winter lasts forever
00:05:09
and you know there is always a silver lining on the cloud
00:05:12
that maybe we can take advantage of today i want to present
00:05:16
three different ways of using ah this type of adversarial
00:05:19
technologies as defensive technologies for security to protect machine learning systems
00:05:26
for privacy uh whenever the machine is used to
00:05:29
invade the privacy of users um for social justice
00:05:33
when machine learning are embedded in um some of our processes creating some of 'em
00:05:39
a source type of harms so let me start by the security problem and of course the first
00:05:45
thing you would think okay if all of the adversarial examples exist and we have eight million people working
00:05:52
on a on them don't we have defences and when
00:05:56
you want to defend from something uh in the security field
00:05:59
we go back very much to the principles of the art of war actually we have sun tzu
00:06:04
a chinese general master in this and he already taught us very very in the past that
00:06:11
to know your enemy you must become your enemy so if we can
00:06:15
maybe know these uh adversarial examples we can protect against them and
00:06:21
oh this is actually what uh the people in the machine learning domain have done which is okay
00:06:28
let's gonna try to become adversarial examples so if i have a training set i'm also gonna add
00:06:35
noisy versions of my training set that kind of mimic what the adversary would do so
00:06:41
i am actually prepared when one of these samples comes in the deployment to say hey i
00:06:46
already have seen you you're trying to trick me i'm not gonna pay attention and then i'm
00:06:51
gonna classify this panda as a gibbon because i know this is a fake panda i had betrayed
00:06:58
and the question we may that was out is that
00:07:00
that's that's really a soul for security problem that big deal
00:07:07
and this here um that we realised is that
00:07:11
a lot of all of these work is actually made
00:07:14
for images it comes a machine then has a lot of the nature and computer
00:07:19
vision it has a lot of traction in autonomous cars that use cameras
00:07:24
uh in face recognition and in places where people um
00:07:29
i have discovered that even modifications i don't know what's going on with the slides
00:07:36
okay so we'll deal with that um
00:07:41
where uh they have discovered that if we just modify a little bit too
00:07:45
much we can actually create accidents with cars we can actually create a pop technicians
00:07:51
uh in face recognition system that can create security problem so the focus
00:07:55
a lot on these and in this problem we have the fact that
00:08:00
when you put a random noise on an image to create these thing um
00:08:05
adversarial examples into creating here we have turtles that
00:08:08
all of them are classified as rifles is that for this one
00:08:12
and they have different type of flowers but i guess that all of
00:08:15
you really see that what you don't have any problem recognising the turtle
00:08:19
we could even put more noise and the images make them a little bit more blurry ah creates
00:08:24
some floor up here and you would still say hey this is a turtle so what that means is that
00:08:30
adding random noise across an image doesn't seem very problematic because
00:08:35
you always have an image and in the general sense you
00:08:38
always actually have very similar image that you have before but it
00:08:43
may have to security problems big deal uh in the security domain
00:08:48
this is not the case so one common security problem is the detection of malware and um
00:08:55
monday's we'll talk a little bit about this but in malware you'd like to be able to train classifiers to find
00:09:01
the malware to find when something is gonna be evil also ought to stop it but um it so happens that
00:09:08
um when we're gonna create adversarial examples for malware a defence which is just random noise
00:09:15
a program with random noise is not the program anymore it's not gonna compile is not gonna execute what about
00:09:21
detecting twitter bots and we had this in the beginning because twitter bots are one of the sources of fake news
00:09:29
but now a twitter bot is an account an account that has a name has a number of followers
00:09:34
it has a number of posts number of likes if we add random noise to this what does
00:09:39
it become it's not an account anymore and the same happens with the spam problem here done
00:09:45
was giving an example of how spam uh can be using people are trying to trick uh
00:09:50
any email providers to not filter this spam and we have the
00:09:53
same problem how can we train if this random noise doesn't work and
00:10:00
is not only random noise i actually quite sure to try to get used problem afterwards and try
00:10:04
to rotate the program i make the process to run it uh is kind of doesn't work very well so
00:10:12
the question here is that in security problems take some pills that be sure if they
00:10:18
don't they are not like images they belong to a very discrete domain and
00:10:22
when i mean discrete of course images are also discrete they're a bunch of pixels that
00:10:27
represented by that there may uh these bits are kind of in a continuous space
00:10:34
while uh all of the examples i'm giving here we have a much more discrete spaces uh as part i think is
00:10:41
very constrained in terms of feasibility so which of these adversarial examples
00:10:46
can actually exist in the real world as i say malware
00:10:51
uh if this is to be malware still needs to be executable the bot still needs to be a twitter account
00:10:57
in order to fulfil its job and spam still needs to be an email and text uh in order to be spam
00:11:05
ah and in terms of cost we also have the problem that um
00:11:12
all of these um in the image domain you can add any noise as i said you can add a bit more of
00:11:17
noise and we still uh recognise the turtle in security domains in security
00:11:21
problems every need to know is that we would cross the cost
00:11:25
for the malware it is i may be removing functionality i may be
00:11:29
removing malicious notes from i'm out in the case of the twitter bot um
00:11:35
and you know the to increase the number of like you have enough to to increase the
00:11:39
number of followers you may need to go to to start with and actually buy this
00:11:43
for this uneconomical cost in the case of this problem when it reduce power people to try
00:11:49
to get in to get them into something that is some meaning so if i'm gonna modify it
00:11:54
if you want that the modifying has the cost in the sense of a difference on the message that i'm trying to convey
00:12:00
so the question here is how can we become the enemy in a
00:12:04
in a space it is a of the start because all of the
00:12:08
uh methodologies we find in the literature do not
00:12:11
help us here because they uh cannot satisfy our constraints
00:12:17
so our approach ah is to model this search of adversarial examples
00:12:23
as a graph ah so let me illustrate this with a very simple example
00:12:28
ah imagine a twitter bot detector that just receives a
00:12:32
an account and then will just tell us is this a bot
00:12:36
or a real person and in general they use a bunch
00:12:41
of different features the number of tweets the number of retweets uh
00:12:45
the ratio between these two and some others um but let me
00:12:49
take a very simplistic example what imagine we only have two features
00:12:54
the number of followers they have and the age of the account so how long has this account existed
00:13:01
and then let's start with a bot and because of course like we don't wanna
00:13:07
uh my work march we have a very new account that has few
00:13:11
followers because it has just been created and and we just as well
00:13:15
you look like a bot and we would like to make this account look like a human so
00:13:19
that we would not be banned and we can poison this many american elections is to um
00:13:25
so the first thing you could change for instance could be the age of the account so you can try to instead of
00:13:31
just making your new account buy an account that already exists
00:13:35
then ah that has windy or did years and three years it's
00:13:39
that traitor kind of things that if you know that's still maybe uh
00:13:44
not actually a real person so you can try to
00:13:48
modify the other degree of liberty and you can
00:13:52
try to buy more followers and then at some
00:13:55
point you could actually get to be classified uh as a person
00:14:00
this is very nice because it solves our feasibility problem
00:14:05
now what about the cost and the nice thing about the graphical approach is that then we
00:14:11
can treat this as a graph and on the edges in this graph we can put weights and
00:14:17
and these weights can be whatever you want a in this case
00:14:21
um we actually can model how much it cost to buy this type of accounts in the
00:14:26
internet so it may be that to buy an account that is older takes more money or
00:14:34
the more followers you buy the more money you have to spend time is that you
00:14:40
can actually uh find your adversarial example that has the minimal cost you with the minimal that's
00:14:48
so this actually solves our two problems and then this uh approach has
00:14:55
uh additional benefits it not only has a very natural
00:14:59
way of embedding the constraints of the model
00:15:02
of such as feasibility and cost feasibility because my transformations in the graph
00:15:08
i can create it in such a way that all of them are valid
00:15:11
so i don't need to go propose something to check if it's valid or not
00:15:15
and then make a decision i can only explore but it works and it actually
00:15:20
allows very naturally to model cost because in a graph you just
00:15:25
have weights on the edges and i think that the use of a graph
00:15:31
enables us to then go back and take all of the theory
00:15:35
that comes from graph theory folks and we have actually a
00:15:39
very nice b. b. b. v. EPFL doing these things and
00:15:43
use all of the algorithms that have produced years and years of research to on
00:15:48
the one hand efficiently find adversarial examples in this very huge graph i
00:15:53
gave a very see example with only two features but imagine that you have many
00:15:57
more how do we explore the graph we just can take standard algorithms
00:16:02
for these but more importantly if we can assign cost to those edges
00:16:08
we can actually find what are the minimal cost adversarial examples
00:16:12
and this has an extremely important a consequence for security which is that dan
00:16:19
and we can take this minimal cost of adversarial example as the security metric
00:16:24
because in the beginning was saying of course as good security researchers because like
00:16:29
the risk of having an adversarial example be zero but research is telling us
00:16:34
that that fall is almost lost we're not gonna have that case
00:16:38
but now what if we know that the adversarial example can exist but we can
00:16:43
try to push the cost of the adversarial example to something that then is not um
00:16:50
appealing anymore for the adversary so in the case of
00:16:54
the twitter accounts if we can push the adversary to have
00:16:58
to spend maybe thousands and thousands of uh euros in each
00:17:02
of the twitter bots that they have to create we're gonna um
00:17:06
um decrease the amount of accounts this adversary can have
00:17:10
or maybe even discourage him because the gain that he can get uh that he can gain from having
00:17:16
the account is small enough and the same thing may hold for malware or for all other um
00:17:22
type of attacks so having now our way of becoming the enemy we can actually
00:17:28
train good algorithms with adversarial examples that are on the low cost so that
00:17:34
the first adversarial example that is possible uh is just not feasible from
00:17:39
an economic perspective and this kind of puts the machine learning security world on something that
00:17:46
it's quite known by the security community this type of free
00:17:49
score and the security that ah sometimes is not very um
00:17:55
amenable and academic community but is exactly what uh the business side needs because if
00:18:02
you cannot really solve the problem at least you wanna know what is the price
00:18:08
so let's move uh to how now we can use this thing was it to
00:18:12
help privacy and here the first observation that we made so we had before
00:18:17
that security and privacy problems are not the same as image problems but also
00:18:24
the question of this uh adversarial examples is that they are only adversarial when you
00:18:29
are the how question and for privacy problems and i just have here an excerpt of
00:18:35
possible things that machine learning can uh due to invade privacy
00:18:40
so from learning the demographics of a house
00:18:43
from a full to some face broke a loosening
00:18:48
ah near get new that they did it if the store this from web search signals so much and then
00:18:54
can find many of these things and yet uh the machine learning tribes you're going to church or
00:19:02
looks at the problem in a very different way so not only it assumes
00:19:07
that there is a crowd namely us that interacts with the machine learning system
00:19:12
this is there and the goal is to avoid that the machine under some databases right is the privacy goal
00:19:20
but um in general they assume a system in which these data is uh actually
00:19:28
actively provided to the system so the users are interacting with
00:19:32
the system their devices on purpose sending this data to
00:19:35
the machine learning algorithm and then we just can have
00:19:39
the user device putting dollars maybe just an encryption to um
00:19:44
ensure that the machine learning here does not learn any data but in the problems
00:19:50
that we're thinking about the problems in the previous slide there's no active sharing
00:19:55
right the users just the data on the internet to just do web searches and something like that is the machine that gets all
00:20:02
of these data anything for linking to power them directly ceases bit
00:20:06
demographics their friends their family and uh basically anything you can think of
00:20:13
so we cannot really count on the machine we cannot really
00:20:17
count on the algorithm to do anything for this because the algorithm here is acting on the other side
00:20:25
so then we thought okay but now big system the thought adversarial examples is great because it provides
00:20:31
us with an for bust and started it affected between
00:20:35
these privacy adversary so how we see the world is
00:20:39
basic crowd again us that use the internet and we just provide data
00:20:43
to the internet and the term unit of my introduction to social networks my
00:20:50
a web searches or the fact that that's my phone is connected to a lot of places and data
00:20:55
all the time and there's gonna be adversaries trying to make inferences without me know when we like
00:21:02
so the goal is how can we modify the side here
00:21:07
so that we can actually break uh the adversary and
00:21:11
that would mean break a modify the data i put on
00:21:14
social networks modify my browsing patterns modify the network data um
00:21:19
modify my location i see to share et cetera et cetera
00:21:23
and the thing here is that if you think about each
00:21:26
of these domains again we are in very constrained domains where
00:21:31
uh at the feasibility is important not everything that i can
00:21:35
put on a social network is actually a i cannot just
00:21:38
put noise not all of this is images there is a lot of text there is a lot of my metadata um
00:21:44
and the cost is also very important so one example that
00:21:48
you can learn from is hiding demographics uh where here now our
00:21:53
machine learning algorithm will pay guess my tracks and then will try to infer my age
00:21:58
i'm not i think you're or am i kind of from all all the perks are so
00:22:04
imagine that i would like to post that i love very much bieber
00:22:09
um so okay if i just say i love justin bieber probably the
00:22:14
machine is gonna think i'm a teenager at that uh kind of makes sense
00:22:18
so how can i modify this thing well on the one hand i
00:22:21
can maybe become a bit less emphasis yes yep adjusting did or ah
00:22:26
that's the that would get me kind of a teenage just items they
00:22:29
like in a loving justin bieber a liking instead of loving him yeah
00:22:35
so the class that i'm still may be willing to do that uh for
00:22:39
the sake of a protective my demographics but is still that gives me that
00:22:44
or like a little bit justin bieber then um for sure i'm on the kind of the elderly side uh of
00:22:49
the population ah but yeah i may not be using that because i wanna say that i love justin bieber
00:22:56
ah so i can still try to make more changes i could say i love justin trudeau
00:23:01
but of course no teenager knows who is justin trudeau so that definitely means that
00:23:06
i'm actually an elderly person or i could say i love justin timberlake now so
00:23:13
justin timberlake is not only a a pretty boy dances and
00:23:17
kind of makes music seemed destined to work is also an actor
00:23:21
has appear more times so maybe yeah maybe i'm actually gentle that
00:23:25
person because maybe timber youngsters don't even know just thinking but it's
00:23:31
um but of course as i said before we also want it the
00:23:34
minimal cost we are to keep the meaning i wanted to love justin bieber
00:23:38
but i wanted to love my friends i actually like on the ball is
00:23:42
exactly one uh kind of guy that things in a very particular way so
00:23:47
here we can say that the cost of hating is very high and as i was saying before okay maybe
00:23:54
i don't wanna say i love justin trudeau i don't even know who justin trudeau is for all
00:23:58
that matters ah but i may be ok with actually saying justin timberlake it
00:24:04
has it s. has a very similar style so i'm still declaring something uh that
00:24:11
and we can use this in more cases um
00:24:16
we have in the previous talk been talking a lot about
00:24:19
end-to-end encryption and end-to-end encryption is that that uh
00:24:24
encrypts our communication and even though as down said before the servers and clients
00:24:30
do not always get very well these uh TLS communications over all
00:24:35
this works pretty well but results have shown again and again that
00:24:40
even if the data is encrypted uh the traffic patterns contribute a lot of information
00:24:46
so you can recover words from this kind of conversation just
00:24:50
by looking at the size of packets and the order you
00:24:54
can find which devices are connected in the smart house just
00:24:58
by looking at different traffic patterns and where did different communications go
00:25:04
and uh you can even infer which apps users are uh have on
00:25:09
the phones and how often do they use them and when did you just say so
00:25:15
all of this is of course done through machine learning and here we have again a
00:25:19
machine learning algorithm that has some uh information arguably
00:25:23
not very um sensitive and from that be learning
00:25:28
everything that we do on the internet so we can also use this approach to think ok
00:25:34
in the case of traffic uh we have a very small set of feasible perturbations
00:25:39
because we can only add packets right all of the packets of that
00:25:42
on the network i cannot remove them and i can only add delays um
00:25:48
because so far we have not invented a time machine that allows me to put packets in the past right it's a a
00:25:54
causality so i can have very limited might come uh all my
00:25:58
transformations so you can again define a feasible graph and uh and
00:26:04
a traversal to find efficient ones and here minimal cost is again essential will put
00:26:10
in packets on the network every packet that we put on a network has a cost
00:26:15
not only for the user uh who cares about usability but also
00:26:19
for a service providers that don't want us actually clogging the networks
00:26:28
um so here we have shown how adversarial
00:26:32
examples are not lost a whole for machine learning i
00:26:36
think there are many cases where machine learning algorithms are actually
00:26:40
on the adversary side of the problem and in these cases um
00:26:45
being able to find a a feasible and minimal cost adversarial examples may be actually the only hope
00:26:52
we have to actually reclaim back a lot of the privacy that we have lost in the internet and maybe
00:26:58
in a couple of years that cartoon that martin had in the beginning with mark zuckerberg trying to
00:27:02
steal for how what data we can actually have somebody that just have some can hand and avoids the part
00:27:10
so let me just uh go to the third of the examples um which is social justice and but
00:27:16
what i mean by social justice is that more and more as i said in the beginning machine learning and then
00:27:22
learning algorithms are just embedded and entrenched in our daily activities
00:27:27
an example of these are optimisation systems and optimisation systems
00:27:32
we call those that take some data from the environment
00:27:36
uh try to learn about it and then push signals back to try
00:27:40
to modify the behaviour of the population a clear example is advertising
00:27:45
where uh the advertisers get all of five the more great uh demographic
00:27:49
data aware of operations and internet and then they try to sell me
00:27:54
i don't know nice trips to switzerland uh done here they are trying to show
00:28:00
him very nice hiking paths so that he can do a a nice hike tomorrow
00:28:06
um we have more and more routing applications that get signals from the
00:28:11
environment what is the traffic uh what is the layout of the
00:28:14
city and try to give back to users better routes that optimise
00:28:20
uh time of a commute and we also have a credit scoring where um
00:28:28
the machine learning algorithm is fed a lot of demographics and other data about users and tries to
00:28:33
predict whether if these users uh ask for a loan are they gonna be able to repay or
00:28:39
not so as to protect a little bit the system from uh too much debt and
00:28:45
also make some modifications on who actually has the right to create a new company or to hatch
00:28:52
but these systems can create a lot of societal harms on the one hand
00:28:57
in general been very focused on their own users and may disregard all the is just
00:29:03
ah be needed to sign or they may end up benefiting only a few
00:29:08
of the part of the population uh as we probably had already have
00:29:12
seen many times in the case of for instance face recognition machine learning
00:29:17
is very good at transposing biases that we have
00:29:20
in the training data into the decisions um many times they disregard
00:29:25
um the exploration risks so optimisation normally works in an interactive
00:29:30
way and uh when we design it a c. d. now we're
00:29:33
offices and this is very nice you always think about the last part of the t. v. station but this is this is
00:29:39
table again and everything is great but there are many risks in the nato would you actually kind of or playing a little
00:29:45
bit and to you get to to use a constant with jim
00:29:49
would you may be creating a harms for part of the population
00:29:53
it to most of what how can people to stop trying to do good things would
00:29:57
work they just wanna get a good score because that's actually what is gonna impress the decision
00:30:03
and from a privacy perspective in general they require a massive amount
00:30:08
of data collection uh creating maybe more surveillance uses somewhat types six
00:30:15
so we propose what we called protective optimisation technologies
00:30:20
POTs and these technologies are aimed at mitigating this type of societal harms
00:30:26
when the system provider either does not have the incentive to
00:30:30
change itself because it's an economic agent and is more driven by economic incentives
00:30:35
or maybe when they do not have the means because sometimes even if you want to do something
00:30:40
maybe it is not the algorithm yet to actually do it and i'm gonna give here two examples um
00:30:47
one about disregarding the users and one about as possible says so let me introduce you to
00:30:54
to the town of leonia uh this is a little town up into outside of new york city um
00:31:03
here we have manhattan then we have the hudson river okay physically on it and um
00:31:09
already in the fifties uh america built a great road system so there
00:31:15
is this uh interstate eighty that brings commuters uh from the north of pennsylvania
00:31:22
to new york city and it passes through and also um to bring the people from the south of um
00:31:30
pennsylvania like cities like philly or even down from a washington uh to
00:31:36
uh and also everybody finished your say there is another interstate here
00:31:40
oh both of them conflict here in leonia and that you can
00:31:44
um imagine that these nice highway that was made a do not uh
00:31:51
but the the c. d. will love this topic nowadays with the number of
00:31:54
commuters that come in and out of new york city has a big traffic jam
00:31:59
but no worries because technology is here to save you
00:32:03
so many of these users are turned into waze ah
00:32:07
how many of you use waze of or a good drive americans one american
00:32:14
uh so what happened here is that by the use of waze waze is recommending all of
00:32:19
the people that before were here in the big jam to go through leonia
00:32:25
and now this little town here that was quiet had the small streets people
00:32:30
uh kids were playing on the streets now turns out that during rush hours
00:32:35
it is absolutely impossible they were not prepared to get this amount of cars they were not prepared
00:32:41
to handle the pollution the noise or anything so
00:32:47
ah the town viaduct and there are many of these
00:32:50
towns around the globe uh in particular around home
00:32:55
big cities like paris london brussels all of them have
00:33:00
this problem and what the mayor of leonia decided to do
00:33:03
is there like enough is enough i'm gonna close my city so they made all of the streets in the town
00:33:10
local transit only they gave the citizens uh really
00:33:13
does um yellow sticker and then there is a policeman on
00:33:17
the entrance of the town that that we can do come in if you don't have the yellow sticker it will stop
00:33:22
you and will ask you what you don't argue just use you Waze i do policy your grandmother been deleted basket with
00:33:29
muffins you're gonna to see your your grandma to allow to pass is the l. you have to stop at the beginning
00:33:35
and if you are actually a Waze user trying to just keep
00:33:38
uh the jam you're gonna be fine two thousand you uh doors
00:33:44
and what happened here is that ah as you can well imagine is very nice from uh
00:33:49
well for point of view but it was not so nice for the economics of the city
00:33:54
actually the business started protesting and say well we if also from all the people the tractors
00:34:01
this if you just close the city and make it so difficult for people to come here
00:34:06
uh what economists actually some frame and eventually somebody found a loophole
00:34:12
or maybe not soulful loophole in the um americans i think last and these uh close
00:34:17
enough this thing was called illegal and they have to open the city
00:34:23
so what what can be working on is in a protective of the message and technology where um
00:34:29
we model the problem from a technical perspective and this
00:34:33
is the baby basic network flow problem what we have ah
00:34:38
a flow that goes out of the city afford it comes and hand and not right
00:34:43
now but is gonna happening is that actually taking the road with the city is has
00:34:48
actually a lot were cost and what uh the major did this kind of take a drastic
00:34:54
option to try to me to to make the cost of driving to the city so tight
00:35:00
they actually make it if in it live prohibit in it
00:35:03
but actually we have ways of using a petition a flow interdiction techniques
00:35:09
to find out which are the roads here that we need to close or to
00:35:12
use make a slow work so with that because he's a high enough that without
00:35:18
fully closing the city to anyone else you can actually push uh the traffic back to the
00:35:26
to the highway and these actually lost to get a much better trade off between
00:35:31
the well being of the city and the economic interest of the seats sets
00:35:36
and you may be wondering okay but what is the machine didn't think it and it is true
00:35:41
that here we're not using of the so much i don't think we're using very basic uh network techniques
00:35:47
to be the machine learning at first three but let me given in
00:35:50
for a an example of a actually and use about this whole machine learning
00:35:55
let's think about the credit scoring system which is this a
00:35:59
says that before with that decide who is actually likely to repay across
00:36:04
what happens with the system is that because of
00:36:06
the historical data that uses um many minorities actually
00:36:11
a a lack access to this type of of loans and this creates a
00:36:17
glass ceiling for many people because their families because they're a gender because that ethnicity
00:36:23
never repay the loan because they didn't exist in the system the another gonna
00:36:27
go so we have a negative fit but look that kind of discriminates a part
00:36:31
of the population and credit was on the one hand to have a little
00:36:36
incentive to change at the end of the day we have given by profit and
00:36:40
also the fairness techniques that would allow them to come but this thing for young
00:36:45
it's very hard to know when actually they gonna be ready to be the product
00:36:51
so we propose to use of putting it uh this but they're cute incision technologies that would enable
00:36:57
users for instance to help other uses to get all so we could have a if you wish
00:37:03
some dropping what's that actually is not taken don't and repay them in a very particular button so
00:37:10
was to change the decision boundary for classifying and
00:37:13
uh increase the credit to score of the minorities
00:37:17
or we can have a particular official examples for the minorities
00:37:22
so they if they really feel that they can repay the loan they can use
00:37:27
uh this technology to actually ask for a loan so the thing here is that um
00:37:33
of course when you're asking for a loan you cannot change your gender you cannot change your
00:37:36
job you can't change maybe your address but you can change the amount that we're asking for
00:37:42
and the amount of time that you willing to use to be p. and we can guess modify delete this to thanks
00:37:48
actually get many of these loans accept that even though if
00:37:52
in the beginning the uh the person would be denied what it
00:37:58
so just to finish my talk takeaways of the cell machine learning
00:38:03
is ask here asked masculinity pollution is and it is very hard to defend from
00:38:09
but not everything is dark these brings
00:38:12
great opportunities for security and privacy applications
00:38:17
and to be at this have given some examples but there are many more cases were this of
00:38:22
the so the machine learning can become a protected
00:38:24
technology that help us a preserve the bodies of society
00:38:29
and concretely i have shown how when you graphical framework is very much indicated to deal
00:38:35
with this problem and to build this protective technologies uh when we deal with security privacy it's
00:38:42
so here decaf more information about what we do and if you wanna read more and you calm want to
00:38:48
come with fast build more paths all to be more parts would be delighted to collaborate which thank you very much
00:38:59
hi
00:39:03
alton really a factor much would wife for questions
00:39:24
i think you owe question about the russian for sure for sure what's off
00:39:31
to crunch five for some reason for structure right so when the way so
00:39:37
tech support you used frosts dishes she just put more to know where stuff for sure just
00:39:44
switch off generates of should pop up so sure oh oh that's a very good question so
00:39:52
a sometimes we do know the machine learning program or at least with you know the architecture of the machine learning program
00:39:59
and uh again a very nice thing but still examples when
00:40:04
you look at them from the perspective is that they get transferred
00:40:08
they are very much transferable because as i was saying they uh many times interact
00:40:13
to the type of data half to where do
00:40:17
you have under presentation not uh so we can actually
00:40:22
take a an imaginary classified to the same simulation of
00:40:25
flows we do assimilated classifier would we can have um
00:40:30
we do all of our twenty for this hell examples and the host
00:40:34
tend to transfer uh to the to the other classifier uh we have a
00:40:39
study where we show when do they transferred and what not you can get
00:40:42
different trade offs depending on the effort and the cost you want to make
00:40:47
as well but a good again taking a property that is very scary
00:40:51
from the machine learning perspective when it's not the enemy to turn it into
00:40:56
a magnificent tool would you actually want to uh to one of these things
00:41:02
and also in because of the security metric you want big guy that
00:41:05
is trying to detect the box should be perfectly not what you classify
00:41:11
it wasn't the question down here yeah yeah thanks for her nest talk from you my question is kind of high level
00:41:19
in the first part sure was how little the
00:41:23
fan against oppressors examples maybe make more expensive so
00:41:28
later on she learned more robust guest she of course are examples
00:41:34
and the second part sure how to use cheap upper sort of examples to protect stream or so
00:41:41
do you think that the fence is feasible in the light of your first resort especially before
00:41:47
we have to go training should sort of resources to put into the raw scores
00:41:54
and that's a very good question and uh yeah this is gonna
00:41:57
be announced race that type of comes race really colour just pop
00:42:02
uh and i don't have any other question that that is a very good observation and
00:42:08
that's it we we're gonna have to deal with that um maybe
00:42:12
for the privacy fences or two people are willing to spend a more
00:42:18
you know that to protect the privacy
00:42:22
which is
00:42:30
so uh to have a question which she still does ring true top
00:42:35
no question before it from then i should mention several examples of what is going according to rule
00:42:43
oh we're on topics we start with with which is a first
00:42:50
what proper trench drawbridge examples are are shoppers just stop which is which
00:42:58
she worked example of a sort of dropping out of a job or
00:43:06
shoulder dawson rockets shape file we're seeing that
00:43:12
some orange shirt you should be you know
00:43:16
there's we have come after it cost itself would be the charges not gorge for
00:43:22
wrong or just should should be brought to chew the reader how difficult to to use
00:43:29
to solve problems one solution which one uh
00:43:33
also or she such a force to you so
00:43:39
such cool with which is just your reach for for each groups
00:43:50
so that's a very good question and and in in d. who a
00:43:54
lot of the churches focus in this futuristic cases is the driving cars
00:43:58
well the problems that they have pointed out here that actually real problems
00:44:02
that are happening now and that they're having an influence as society now
00:44:05
mark where that gets into the voting machine
00:44:08
a tutor box that modify our reality uh
00:44:13
but if you asked me what is the thing that is gonna most modify uh how we're
00:44:18
reality nowadays and we're actually the regulations so far is very small so we have a
00:44:24
lot of the privacy thing but didn't have a lot of these protect him from optimisation
00:44:29
that is a lot of machine learning going on uh that has if you wish very unethical goals
00:44:36
uh we have now a big push for creating ethic of
00:44:40
frameworks and this ethical frame was a very lethal times actually question
00:44:46
the very ethical nature of the system so is how
00:44:49
we're gonna make advertisement more ethical well it may be
00:44:54
that is not about making sure that men and women receive the same dot finder advisement
00:44:59
but to make sure that that part time that's kinda change the wall didn't unethical way
00:45:06
colour for tours but it's also to exactly that and and that
00:45:10
shows dixie moral of many of these ethical same works where yeah
00:45:16
so it's a really shitty well shoot people see so it
00:45:21
will cost room to see what to do with just one step
00:45:25
i hope that's yep okay how

Conference Program

Welcome address
Martin Vetterli, President of EPFL
6 June 2019 · 9:48 a.m.
Introduction
James Larus, Dean of IC School, EPFL
6 June 2019 · 9:58 a.m.
Introduction
Jean-Pierre Hubaux, IC Research Day co-chair
6 June 2019 · 10:07 a.m.
Adventures in electronic voting research
Dan Wallach, Professor at Rice University, Houston, USA
6 June 2019 · 10:14 a.m.
When foes are friends: adversarial examples as protective technologies
Carmela Troncoso, Assistant Professor at EPFL
6 June 2019 · 11:09 a.m.
Low-Latency Metadata Protection for Organizational Networks
Ludovic Barman, LCA1|DeDiS, EPFL
6 June 2019 · noon
Interactive comparison-based search, and who-is-th.at
Daniyar Chumbalov, INDY 1, EPFL
6 June 2019 · 12:06 p.m.
Decentralized, Secure and Verifiable Data Sharing
David Froelicher, LCA1|DeDiS, EPFL
6 June 2019 · 12:09 p.m.
Communication Efficient Decentralised Machine Learning
Anastasia Koloskova, MLO, EPFL
6 June 2019 · 12:11 p.m.
Detecting the Unexpected via Image Resynthesis
Krzysztof Lis, CVLab, EPFL
6 June 2019 · 12:14 p.m.
Sublinear Algorithms for Graph Processing
Aida Mousavifar, THL4, EPFL
6 June 2019 · 12:16 p.m.
Protecting the Metadata of Your Secret Messages
Kirill Nikitin, DEDIS, EPFL
6 June 2019 · 12:18 p.m.
Teaching a machine learning algorithm faster
Farnood Salehi, INDY 2, EPFL
6 June 2019 · 12:21 p.m.
Secure Microarchitectural Design
Atri Bhattacharyya, PARSA/HexHive, EPFL
6 June 2019 · 12:23 p.m.
Security testing hard to reach code
Mathias Payer, Assistant Professor at EPFL
6 June 2019 · 1:50 p.m.
Best Research Presentation Award Ceremony
Bryan Ford, Jean-Pierre Hubaux, Deirdre Rochat, EPFL
6 June 2019 · 3:54 p.m.