Training Set Camouflage

Abstract

We introduce a form of steganography in the domain of machine learning which we call training set camouflage. Imagine Alice has a training set on an illicit machine learning classification task. Alice wants Bob (a machine learning system) to learn the task. However, sending either the training set or the trained model to Bob can raise suspicion if the communication is monitored. Training set camouflage allows Alice to compute a second training set on a completely different – and seemingly benign – classification task. By construction, sending the second training set will not raise suspicion. When Bob applies his standard (public) learning algorithm to the second training set, he approximately recovers the classifier on the original task. Training set camouflage is a novel form of steganography in machine learning. We formulate training set camouflage as a combinatorial bilevel optimization problem and propose solvers based on nonlinear programming and local search. Experiments on real classification tasks demonstrate the feasibility of such camouflage.

A Appendix A: MMD as Eve’s Detection Function

One critical component of our camouflage framework is Eve’s detection function \(\varPsi \)—how she determines if a training set is suspicious or not. Eve’s detection function is a two-sample test as its goal is to discern if the two sets \({\mathcal {C}}, D\) are drawn from the same distribution or not. In what follows we discuss using Maximum Mean Discrepancy (MMD) [20] as Eve’s detection function, as we do in our experiments. MMD is a widely used two-sample test [17], but, of course other detection functions can be used in (1). We first review basic \(\mathbf{MMD }\) following [20]. Let p and \(p'\) be two Borel probability measures defined on a topological space \(\mathcal {Z}\). Given a class of functions \(\mathcal {F}\) such that \(f:\mathcal {Z}\mapsto {\mathbb R}, f\in \mathcal {F}\), \(\mathbf{MMD }\) is defined as \( \mathbf{MMD }(p,p')=\sup _{f\in \mathcal {F}}(E_{{\mathbf z}}[f({{\mathbf z}})]-E_{{{\mathbf z}}'}[f({{\mathbf z}}')]) \). Any unit ball in a reproducing kernel Hilbert space (RKHS) can be used as the function class \(\mathcal {F}\) if the kernel is universal (e.g., Gaussian and Laplace kernels [58]). Using this function space, \(\mathbf{MMD }\) is a metric. This means \(\mathbf{MMD }(p,p') = 0 \Leftrightarrow p = p'\). Computing \(\mathbf{MMD }\) requires the expectations to be known, which generally, is not the case in practice. We obtain an empirical estimation by replacing the population expectations with empirical mean computed on i.i.d. samples \(Z=\{{{\mathbf z}}_1,\ldots ,{{\mathbf z}}_n\}\) and \(Z'=\{{{\mathbf z}}'_1,\ldots ,{{\mathbf z}}'_m\}\) from p and \(p'\), respectively. We define

where k is the kernel of the RKHS. Let \(d=\vert \mathbf{MMD }(Z,Z')-\mathbf{MMD }(p,p')\vert \). Gretton et al. show that \( P\left( d > 2 \left( \sqrt{\frac{K}{n}} + \sqrt{\frac{K}{m}}\right) + \epsilon \right) \le 2 e^{-\frac{\epsilon ^2nm}{2K(n\,+\,m)}} \), where K is an upperbound on the kernel values. We convert the above bound into a one-sided hypothesis testing procedure. Under the null hypothesis \(p=p'\) we have \(\mathbf{MMD }(p,p')=0\). We consider positive deviations of \(\mathbf{MMD }(Z,Z')\) from \(\mathbf{MMD }(p,p')\). Equating the RHS with \(\alpha \) (probability of incorrectly stating \(p\ne p'\) also known as the type I error) gives a hypothesis test of level-\(\alpha \), where solving \(\epsilon \) as a function of \(\alpha \) gives \( \alpha = e^{-\frac{\epsilon ^2nm}{2K(n\,+\,m)}} \Rightarrow \epsilon = \sqrt{\frac{2K(n\,+\,m)}{nm}\log \frac{1}{\alpha }} \). We retain the null hypothesis if \( \mathbf{MMD }(Z,Z') - T <0 \), where the threshold is \(T = 2 \left( \sqrt{\frac{K}{n}} + \sqrt{\frac{K}{m}}\right) + \sqrt{\frac{2K(n\,+\,m)}{nm}\log \frac{1}{\alpha }}.\) This also defines Eve’s detection function (\(\varPsi ({\mathcal {C}},D)\)) at level-\(\alpha \): \( \varPsi ({\mathcal {C}},D)\equiv \mathbf{MMD }({\mathcal {C}},D) - T. \) If \(\varPsi ({\mathcal {C}},D) \ge 0\) then Eve realizes that \(D\) is not drawn i.i.d. from \(\mathbb {Q}_{({{\mathbf x}}, y)}\) and flags it as suspicious.

For all our experiments Eve used the RBF kernel \(k({{\mathbf z}}_i, {{\mathbf z}}_j) = \exp \left( -\frac{\Vert {{\mathbf z}}_i\,-\,{{\mathbf z}}_j \Vert ^2}{2\sigma ^2}\right) \). Eve set \(\sigma \) to be the median distance between points in the camouflage pool as proposed in [20]. Eve also included the scaled class label as a feature dimension: \([{{\mathbf x}}_i, c \mathbbm {1}\{y_i=1\}]\) where \(c=\max _{k,l\text { such that } y_k = y_l} \Vert {{\mathbf x}}_{k} - {{\mathbf x}}_{l}\Vert \) and \(\mathbbm {1}\{\cdot \}\) is the indicator function. This augmented feature enables Eve to monitor both features and labels. When using the NLP solver Alice only has to consider instances from camouflage pool. She calculated \(\mathbf{MMD }\) in the following manner:

(6)