Measuring and Enhancing the Security of Machine Learning

Florian Tramèr

PhD Thesis 2021


The surprising failure modes of machine learning systems threaten their viability in security-critical settings. For example, machine learning models are easily fooled by adversarially chosen inputs, and have the propensity to leak the sensitive data of their users.
In this dissertation, we introduce new techniques to proactively measure and enhance the security of machine learning systems. We begin by formally analyzing the threat posed by adversarial examples to the integrity of machine learning models. We argue that the security implications of these attacks has been overstated for many applications, yet demonstrate one application where these attacks are indeed realistic—for evading online content moderation systems. We then show that existing defense techniques operate in fundamentally limited threat models, and therefore cannot hope to prevent realistic attacks.
We further introduce new techniques for protecting the privacy of users of machine learning systems—both at training and deployment time. For training, we show how feature engineering techniques can substantially improve differentially private learning algorithms. For deployment, we design a system that combines hardware protections and cryptography to privately outsource machine learning workloads to the cloud. In both cases, we protect a user’s sensitive data from other parties while achieving significantly better utility than in prior work.
We hope that our results will pave the way towards a more rigorous assessment of machine learning models’ vulnerability against evasion attacks, and motivate the deployment of efficient privacy-preserving learning systems.

  author   =   {Tram{\`e}r, Florian},
  title   =   {Measuring and Enhancing the Security of Machine Learning},
  year   =   {2021},
  school   =   {Stanford University},
  url   =   {}