Related Resources
Cybersecurity

AI Red Team: Machine Learning Security Training

Oct 19, 2023
By Will Pearce, Joseph Lucas, Rich Harang and John Irwin
Discuss (3)
Picture of the ML security training classroom at Black Hat USA

At Black Hat USA 2023, NVIDIA hosted a two-day training session that provided security professionals with a realistic environment and methodology to explore the unique risks presented by machine learning (ML) in today’s environments. 

In this post, the NVIDIA AI Red Team shares what was covered during the training and other opportunities to continue learning about ML security. 

Black Hat USA training

This has been a banner year for AI. Many security teams are being asked to evaluate and secure AI-enabled products without the skills and knowledge to appropriately evaluate their potential vulnerabilities. 

By providing this training at one of the world’s leading security conferences, we were able to share the NVIDIA AI Red Team’s experience and knowledge across many different industry verticals. We helped ensure that these organizations can begin securely using and developing AI solutions. We also come from that community, so it was a comfortable space to teach in.  

The two-day training consisted of over 20 Jupyter notebooks and 200 slides organized into the following modules: 

  • Introduction
  • Evasion
  • Extraction
  • Assessments
  • Inversion 
  • Membership Inference
  • Poisoning
  • And everything applied to large language models

It was a lot. Attendees took slides and notebooks home to continue iterating on the coursework at their own pace.

The course attempted to take students from all backgrounds and give them a solid foundation in the intersection of machine learning and security. It took students all the way from the basics of NumPy mechanics to algorithmic attacks against large language models. Each module gave some theory and then explored applied scenarios. 

Students were given a basic methodology based on our own framework. (NVIDIA AI Red Team’s assessment framework). They were given an environment and code that they could take back to their organizations and iterate on. There’s a lot of cool work still to be done. 

Attendee questions and concerns

Outside of reshaping questions, there were a lot of questions about the effect and likelihood of attacks against machine learning systems. Machine learning has been in defensive products for a number of years at this point. “ML bypasses” happen every day. 

Our goal was to help attendees understand the threat models, techniques, and attack vectors so that they could design and calibrate their security controls appropriately. Security isn’t one-size-fits-all, but having a working knowledge of the systems inside an organization is a prerequisite for building meaningful defenses. 

Machine learning security has an established history in academia. This course gave students experience applying those techniques to familiar security scenarios.

Key lessons from the training

People are super smart and creative. It’s easy to look at security and point out flaws (and we do, many of them in ML), but security has matured significantly over the last decade. We think the security industry will rise to the challenges presented by ML as well.

The training was also a good exercise in industry baselining. We had a mix of professionals from all industries. Understanding where those industries are in adopting machine learning and securing systems was really interesting. It would be fair to say the majority of people are just beginning their journey. 

In general, we came away happy that people who are interested in this field have a base camp from which to operate. It’s a fun space to be in at the moment and we enjoyed sharing our material with peers.

Opportunities to learn more about ML security

The next iteration of the NVIDIA Machine Learning Security course will be at Black Hat EU on December 4 and 5. 

We are also researching alternative delivery modalities and mechanisms. If you have a request, contact the AI Red Team. Students who took the course will receive updates as we make them available!

Related resources

Discuss (3)

Tags

Cybersecurity | Data Science | Cloud Services | General | Beginner Technical | Deep dive | AI Red Team | AI Security | featured

About the Authors

Will Pearce
About Will Pearce
Will Pearce is a Senior Security Researcher on the AI Red Team at NVIDIA. He focuses on attacking machine learning systems and developing ML-enabled red team capabilities. Previously, he was the Red Team Lead for the Azure Trustworthy ML team at Microsoft, and a Senior Security Consultant at Silent Break Security. His work on offensive machine learning has appeared at industry conferences including Blackhat, Defcon AI Village, WWHF, DerbyCon, LabsCon, and academic appearances at the SAI Conference on Computing and IEEE.
Joseph Lucas
About Joseph Lucas
Joe is a senior offensive security researcher focused on AI at NVIDIA. He is the founder and chair of the NumFOCUS Security Committee and is a member of the Jupyter Security Council. He was one of the architects and hosts of the DEF CON 30 AI Village Capture the Flag competition and is passionate about machine learning security education. He served in the US Army at US Cyber Command and the 101st Airborne Division. He holds a master's degree in Computer Science from Georgia Institute of Technology and a bachelor's degree in Mathematics from the United States Military Academy.
Rich Harang
About Rich Harang
Rich Harang is a Principal Security Architect at NVIDIA, specializing in ML/AI systems, with over a decade of experience at the intersection of computer security, machine learning, and privacy. He received his PhD in Statistics from the University of California Santa Barbara in 2010. Prior to joining NVIDIA, he led the Algorithms Research team at Duo, led research on using machine learning models to detect malicious software, scripts, and web content at Sophos AI, and worked as a Team Lead at the US Army Research Laboratory. His research interests include adversarial machine learning, addressing bias and uncertainty in machine learning, and ways to use machine learning to support human analysis. Richard’s work has been presented at USENIX, BlackHat, IEEE S&P workshops, and DEF CON AI Village, among others, and has also been featured in The Register and KrebsOnSecurity.
Avatar photo
About John Irwin
John Irwin is a senior security engineer focused on AI at NVIDIA. Prior to focusing on AI, he identified vulnerabilities and mitigations in many NVIDIA products, mostly focused on cloud and high-performance compute solutions. He has also competed in and occasionally run CTFs for over a decade. Before NVIDIA, he worked in Microsoft’s AI & Research org and as a consultant helping secure many different types of products. He holds a B.Sc. in Informatics from the University of Washington’s iSchool and an AS in computer science and engineering.

Comments