Measuring and Enhancing the Security of Machine Learning

Florian Tramèr

PhD Thesis, 2021.



The surprising failure modes of machine learning systems threaten their viability in security-critical
settings. For example, machine learning models are easily fooled by adversarially chosen inputs, and
have the propensity to leak the sensitive data of their users.
In this dissertation, we introduce new techniques to proactively measure and enhance the security
of machine learning systems. We begin by formally analyzing the threat posed by adversarial
examples to the integrity of machine learning models. We argue that the security implications
of these attacks has been overstated for many applications, yet demonstrate one application where
these attacks are indeed realistic—for evading online content moderation systems. We then show that
existing defense techniques operate in fundamentally limited threat models, and therefore cannot
hope to prevent realistic attacks.
We further introduce new techniques for protecting the privacy of users of machine learning
systems—both at training and deployment time. For training, we show how feature engineering
techniques can substantially improve differentially private learning algorithms. For deployment,
we design a system that combines hardware protections and cryptography to privately outsource
machine learning workloads to the cloud. In both cases, we protect a user’s sensitive data from
other parties while achieving significantly better utility than in prior work.
We hope that our results will pave the way towards a more rigorous assessment of machine
learning models’ vulnerability against evasion attacks, and motivate the deployment of efficient
privacy-preserving learning systems.

  author   =   {Tram{\`e}r, Florian},
  title   =   {Measuring and Enhancing the Security of Machine Learning},
  year   =   {2021},
  school   =   {Stanford University}