THE CURRENT STATE OF AFFAIRS AND WHY IT’S NOT QUITE ENOUGH
Machine Learning (ML) and Artificial Intelligence (AI) is a new technology that is still finding its footing in the commercial sector. Although few systems are touted as a complete solution, there are many new AI/ML based companies that are capitalising on the benefits, and traditional business will need to follow suit. ML Ops, the ML equivalent of DevOps will become increasingly important.
With the transition of AI and ML to the business and service sectors instead of purely research, a new development domain opened. This was the beginning of ML Ops (DevOps (Development Operations) for Machine Learning), which focuses on the Automation, Reproducibility, Validation, Deployment and Retraining of a machine learning model.
Current MLOps looks to provide an automated framework and method for constant or regular validation of models or applications in the same way that traditional DevOps looks to minimise the time between development and any fixes or changes that are required post-deployment.
In MLOps terms, this consists of design, development, and operations
This continuous life cycle is aimed at ensuring that models do not become outdated or experience data drift, even after they are deployed in the wild.
Within this lifecycle, MLOps aims to provide solutions for:
- Model Lifecycle
- Model Versioning & Iteration
- Model Monitoring and Management
- Model Governance.
- Model Discovery
- Model Security
Currently, the key cloud providers (AWS, Google, Microsoft) provide a mechanism for MLOps as well as dedicated providers such as Valohai, but it is also a methodology aimed at best practices.
In October 2020, Microsoft announced a collaborative partnership with technology leaders, researchers and private industry that was aimed at formalising a methodology for understanding how AI and ML systems can be attacked.
The aim of this project was to foster research and collaboration into a core understanding of these weaknesses that can be addressed by using a Threat Matrix.
Figure 2. Microsoft/Mitre ML Threat Matrix
The current threat matrix is a research framework for identifying attack methodologies based on case studies that highlight where AI and ML systems are most susceptible. This is an active and evolving framework which utilises a combination of traditional red team attacks to gain access to private information, as well as newer methodologies that are specific to machine learning attacks.
This is the domain that Advai works in. We provide a mechanism to identify data poisoning, flag adversarial attacks in real time, protect sensitive model information, and harden models against Adversarial AI (AAI) attacks, by leveraging our research into potential attack vectors.
Our goal is to identify, understand and mitigate these attacks, and provide a mechanism that allows AI/ML to mature into a trusted platform.
As the threat landscape for AI is still evolving, there is not a definitive set of solutions you can use to prevent attacks. There are, however, core practices you can use to limit the risk of your model being attacked:
- Review your training data carefully and curate it.
- Require an API key to access your models.
- Limit concurrent executions for users where applicable.
- Use input pre-processing to transform inputs before model processing.
- Watermark outputs, where possible.
- Do not expose scoring information.
- Add Gaussian noise to outputs
- Periodically review the output with a human user.
- Retrain models with new data at regular intervals.
MLOps is a welcome addition, but is ultimately limited in its scope as it still looks at a more traditional approach to development of systems, rather than the systems and datasets themselves.
AI and ML applications, depending on how they are implemented, use a combination of complex algorithms, optimisation functions, multi-dimensional vectors, reinforcement, or hybrid methodologies. These complex systems are susceptible to Adversarial AI/ML attacks — imperceptible manipulations of inputs or training data that change the system’s decisions or confusion it entirely.
What’s more, it is also possible to steal models based on how they respond and then use those responses to rebuild the sensitive training data that was used to create them or recreate their logic. These are all issues not currently addressed by MLOps.
Current MLOPs processes focuses on optimising AI/ML models by reviewing them against:
- Accuracy, Precision and Robustness
- Bias Identification
- Model Drift
- Explainability
If applied regularly, these techniques can help maintain a robust model but do not resolve the underlying issues that make them vulnerable to attacks for model theft, data theft, denial of service, fraud, or deception. That’s where you probably want help.
If you are interested in talking to us about the work that we’re doing to protect AI/ML systems and whether we can help you, get in touch through our website or by emailing us directly at contact@advai.co.uk.