Skip to content

Latest commit

 

History

History
104 lines (73 loc) · 9.56 KB

mitigations.md

File metadata and controls

104 lines (73 loc) · 9.56 KB

Mitigation Strategies Analysis for bvlc/caffe

Mitigation Strategy: Adversarial Training (Caffe-Specific)

Description:

  1. Generate Adversarial Examples: Use tools (which may or may not integrate directly with Caffe's Python interface) to create adversarial examples. The key here is that the target of the attack is the Caffe model.
  2. Augment Training Data: Add these generated examples to your Caffe training data (typically LMDB or LevelDB datasets). This requires modifying your data preparation scripts to include the adversarial examples.
  3. Modify Solver Protobuf: Adjust your Caffe solver prototxt file (e.g., solver.prototxt). You might need to adjust learning rates, weight decay, or other hyperparameters to effectively train with adversarial examples.
  4. Retrain with Caffe: Use the Caffe command-line tools (or Python interface) to retrain your model using the augmented dataset and modified solver. This is a direct interaction with the Caffe framework.
  5. Iterative Process: Repeat the process, generating new adversarial examples based on the retrained Caffe model.
  6. Monitor Caffe Logs: Carefully monitor Caffe's training logs (output to the console or log files) to track the model's performance on both clean and adversarial data during training.

  • Threats Mitigated:

    • Model Poisoning/Adversarial Attacks (High Severity): Directly improves the Caffe model's robustness against adversarial inputs.
    • Data Integrity Violations (High Severity): Maintains the integrity of Caffe model predictions.

  • Impact:

    • Model Poisoning/Adversarial Attacks: Significant reduction in attack success rate, directly impacting the Caffe model's behavior.
    • Data Integrity Violations: High impact; improves the reliability of the Caffe model.

  • Currently Implemented: (e.g., Modifications to train.py using caffe.Net, changes to solver.prototxt, custom data layer for adversarial examples) Replace with your project's details.

  • Missing Implementation: (e.g., "Adversarial training not implemented for specific Caffe layers.", "No automated generation of adversarial examples within the Caffe training loop.") Replace with your project's details.

Mitigation Strategy: Input Validation and Sanitization (Caffe-Specific)

Description:

  1. Define Input Blob Specifications: Clearly define the expected dimensions, data type (e.g., float32), and range (e.g., 0-255 for image pixels) of the input blob(s) to your Caffe model. This is directly tied to the input_shape defined in your deploy.prototxt.
  2. Pre-Inference Checks: Before calling net.forward() (in Python) or the equivalent C++ code, implement checks to ensure the input data matches the defined specifications. This is crucial before the data enters the Caffe network.
  3. Data Layer Validation (Less Common, but Possible): In very specific cases, you could implement custom data layers (in C++ or Python) that perform some basic validation within the Caffe framework itself. This is less common and more complex than pre-inference checks.
  4. Reject/Error Handling: If validation fails, do not pass the data to Caffe. Return an error or throw an exception.
  5. Sanitize Valid Inputs (Optional and Caffe-Related): If using image data, consider using Caffe's built-in image preprocessing capabilities (e.g., mean subtraction, scaling) within the deploy.prototxt or as part of a data layer. This can sometimes disrupt adversarial perturbations, although it's not a primary defense. This is a Caffe-specific configuration.

  • Threats Mitigated:

    • Model Poisoning/Adversarial Attacks (Medium Severity): Can prevent some basic attacks that rely on out-of-range values.
    • Denial of Service (DoS) (Medium Severity): Prevents excessively large inputs (if size checks are done before Caffe processing).
    • Code Injection (Low Severity, Indirect): Reduces the risk of exploiting vulnerabilities in Caffe's input handling.

  • Impact:

    • Model Poisoning/Adversarial Attacks: Moderate impact; effective against simple attacks.
    • Denial of Service (DoS): High impact if size checks are done before Caffe processing.
    • Code Injection: Low, indirect impact.

  • Currently Implemented: (e.g., Checks before net.forward() in inference.py, custom data layer with validation) Replace with your project's details.

  • Missing Implementation: (e.g., "No validation of input data type.", "Missing checks for image dimensions before net.forward().") Replace with your project's details.

Mitigation Strategy: Model Integrity Verification (Caffe-Specific)

Description:

  1. Checksum Generation: After training and saving your Caffe model (.caffemodel file), generate a cryptographic hash (e.g., SHA-256).
  2. Secure Checksum Storage: Store this hash separately and securely.
  3. Verification Before caffe.Net(): Before creating a caffe.Net object (in Python) or the equivalent C++ code to load the model, recalculate the checksum of the .caffemodel file.
  4. Comparison: Compare the recalculated checksum with the securely stored checksum.
  5. Rejection on Mismatch: If the checksums do not match, do not proceed with loading the model using caffe.Net(). Raise an error or exception. This prevents the Caffe framework from loading a potentially compromised model.

  • Threats Mitigated:

    • Insecure Model Loading (High Severity): Prevents loading a tampered-with Caffe model, which is a direct threat to the Caffe framework's operation.
    • Data Integrity Violations (High Severity): Ensures the integrity of the Caffe model itself.

  • Impact:

    • Insecure Model Loading: High impact; directly prevents the Caffe framework from using a compromised model.
    • Data Integrity Violations: High impact; ensures the Caffe model is the intended one.

  • Currently Implemented: (e.g., Checksum verification before caffe.Net() in model_loading.py) Replace with your project's details.

  • Missing Implementation: (e.g., "Checksum verification is not performed before loading the Caffe model.") Replace with your project's details.

Mitigation Strategy: Defensive Distillation (Caffe-Specific)

  • Description:

    1. Train Teacher Model: Train your initial Caffe model (the "teacher") as usual.
    2. Generate Soft Labels: Use the trained teacher model to generate "soft" labels (probabilities from the softmax layer) for your training data. This involves running inference with the teacher model using net.forward().
    3. Train Student Model: Train a second Caffe model (the "student") using the soft labels from the teacher model as the target, instead of the original "hard" labels. This requires modifying your training data to use the soft labels.
    4. Adjust Temperature: Use a "temperature" parameter in the softmax function of both the teacher and student models during training. This controls the "softness" of the probabilities. A higher temperature produces softer probabilities. This is a direct modification to the Caffe model definition (prototxt).
    5. Deploy Student Model: Deploy the trained student model for inference.

  • Threats Mitigated:

    • Model Poisoning/Adversarial Attacks (Medium Severity): Makes the model less sensitive to small input perturbations.

  • Impact:

    • Model Poisoning/Adversarial Attacks: Moderate impact; reduces the effectiveness of some adversarial attacks.

  • Currently Implemented: (e.g., Separate training scripts for teacher and student models, modified prototxt files with temperature parameter) Replace with your project's details.

  • Missing Implementation: (e.g., "Defensive distillation not implemented.", "Temperature parameter not used.") Replace with your project's details.

Mitigation Strategy: Feature Squeezing (Caffe-Specific, Limited)

  • Description:

    1. Bit Depth Reduction: If using image data, reduce the color bit depth of the input images before feeding them to the Caffe model. This can be done as a preprocessing step before calling net.forward().
    2. Spatial Smoothing: Apply spatial smoothing (e.g., using a Gaussian filter) to the input images before feeding them to the Caffe model. This can also be done as a preprocessing step.
    3. Caffe's Image Preprocessing (Limited): Utilize Caffe's built-in image preprocessing capabilities (mean subtraction, scaling) within the deploy.prototxt or a data layer. While not primarily designed for feature squeezing, these transformations can have a similar effect.

  • Threats Mitigated:

    • Model Poisoning/Adversarial Attacks (Low-Medium Severity): Reduces the search space for adversarial attacks.

  • Impact:

    • Model Poisoning/Adversarial Attacks: Low to moderate impact; can be effective against some attacks, but may be bypassed by others.

  • Currently Implemented: (e.g., Preprocessing steps before net.forward(), modifications to deploy.prototxt) Replace with your project's details.

  • Missing Implementation: (e.g., "Feature squeezing techniques not applied.", "Only basic Caffe preprocessing is used.") Replace with your project's details.