secml: A Python Library for Secure and Explainable Machine Learning (1912.10013v2)

Abstract: We present \texttt{secml}, an open-source Python library for secure and explainable machine learning. It implements the most popular attacks against machine learning, including test-time evasion attacks to generate adversarial examples against deep neural networks and training-time poisoning attacks against support vector machines and many other algorithms. These attacks enable evaluating the security of learning algorithms and the corresponding defenses under both white-box and black-box threat models. To this end, \texttt{secml} provides built-in functions to compute security evaluation curves, showing how quickly classification performance decreases against increasing adversarial perturbations of the input data. \texttt{secml} also includes explainability methods to help understand why adversarial attacks succeed against a given model, by visualizing the most influential features and training prototypes contributing to each decision. It is distributed under the Apache License 2.0 and hosted at \url{https://github.com/pralab/secml}.

• The paper introduces secml as a comprehensive Python library that simulates adversarial attacks including both evasion and poisoning strategies.
• The paper demonstrates the creation of security evaluation curves that reveal the degradation of classification performance under adversarial perturbations.
• The paper integrates explainability methods and external libraries like CleverHans and Foolbox, making secml a pivotal tool for secure ML research.

Overview of "secml: Secure and Explainable Machine Learning in Python"

The paper "secml: Secure and Explainable Machine Learning in Python" introduces secml, an open-source library designed to enhance the security and explainability of ML models. Developed using Python, this library offers a comprehensive suite of functionalities mandatory for assessing the vulnerability of ML algorithms through simulation of various adversarial attacks. These functionalities span evasion and poisoning attacks, thus allowing assessments of models used at both the test time and the training time.

Key Contributions

The authors of this paper have structured secml to serve numerous high-stakes purposes that are pivotal for modern ML applications:

1. Adversarial Attack Simulations: The library encompasses implementations of popular attack types, including test-time evasion attacks and training-time poisoning attacks. These are crafted for diverse ML algorithms, such as deep neural networks (DNNs) and support vector machines (SVMs).
2. Security Evaluation Under Threat Models: A standout feature in secml is the construction of security evaluation curves. These graphs illustrate the degradation in classification performance as adversarial perturbations intensify, providing users with clarity on the resilience of particular ML models.
3. Explainability Methods: In conjunction with attack simulations, secml incorporates explainability techniques. These methods are crucial for understanding the successful execution of adversarial attacks, revealing the contributing features and prototypes critical to attack outcomes.
4. Integration with Other Libraries: secml stands out with its capacity to incorporate adversarial attack methodologies from existing libraries such as CleverHans and Foolbox. This is achieved by wrapping these libraries in secml's robust structure to facilitate easier attack execution and comparison.

Architectural and Functional Insights

The secml library boasts a modular framework designed for reusability and ease of extension. Its architecture allows seamless implementation of novel attacks or classifiers through an abstraction that distinctly separates optimization problem definition from the algorithms solving them. This flexibility is valuable, particularly when switching between white-box and black-box attack models by merely changing the employed optimizer.

Parallelly, secml's integration with PyTorch and scikit-learn extends its usability to DNNs and classifiers. The analytical implementation of classifier gradients assists in conducting attacks, and end-to-end gradient computation is automated via the chain rule when chaining different modules, such as scalers and classifiers.

The library's structured packages contain essential components including attack conduct methodologies, ML classifiers, data loaders for extensive datasets, and the use of both dense and sparse arrays through optimized array interfaces. An associated model zoo provides pre-trained models, thus expediting the evaluation of novel attack strategies.

Comparative Edge and Practical Application

Compared to other adversarial ML frameworks, secml distinguishes itself by offering unique functionalities like attack loss inspection plots, which guide the adjustment of hyperparameters critical for successful model assessments. The library also facilitates comprehensive security evaluation plots, simplifying the evaluation of defenses against adversarial attacks.

Practical Example Demonstrations

The paper elaborately demonstrates secml's utility with practical examples, focusing on evasion attacks against DNNs like the ResNet-18 and poisoning attacks against SVMs. By executing targeted perturbations and observing the ML models' response, secml proves crucial in visualizing adversarial impacts.

Future Directions

The paper underscores secml's ongoing evolution to become a reference tool for ML security assessments. The authors anticipate maintaining and enhancing the library with added functionalities, integration with more frameworks, and an expanded model zoo to accommodate new ML developments.

In conclusion, secml presents itself as a versatile and accessible library crucial for conducting extensive adversarial assessments, enriched by its thoughtful inclusion of explainability features and broad compatibility with existing tools and frameworks. This tool is expected to significantly contribute to the fields of secure and explainable machine learning.