Litcius/Paper detail

Adversarial Machine Learning in Cloud Environments: Vulnerabilities of AWS SageMaker against Poisoning Attacks

Venkata Krishna Bharadwaj Parasaram

2023Innovative Research Thoughts12 citationsDOIOpen Access PDF

Abstract

Modern machine learning pipelines use cloud systems like AWS SageMaker for data ingestion, training, tuning, and large-scale deployment. As corporations use these managed systems increasingly, adversarial machine learning security concerns have increased, especially poisoning attacks that discreetly change training data. This study analyzes how poisoning attacks impair SageMaker ML operations and why cloud environments make them hard to detect. The attack surface of cloud-based ML is unintentionally increased by data coming from distributed teams, external vendors, automated pipelines, or streaming sources, programmatic training, and containerized environments that rely heavily on third-party libraries. Especially if dataset verification is irregular or automated, these aspects make it easy for an attacker to insert harmful samples. A poisoning attack modifies a subset of training data to teach the model undesirable patterns. Uploading mislabeled instances, implementing a backdoor trigger, or attacking shared data bucket access controls are examples of this in the cloud. Even a tiny number of poisoned samples can cause the model to make bad decisions while maintaining high validation accuracy, rendering standard assessment measures worthless. Closed-box managed cloud platforms make detection harder since users rarely examine the training environment, container setup, or system logs. This paper identifies SageMaker workflow points vulnerable to poisoning: S3 buckets that store datasets, ingestion pipelines that merge incremental data, training jobs that run inside containers that may depend on unverified libraries, and automated retraining workflows tied to continuous delivery systems. It also describes how automated setups enable backdoor poisoning since triggers can lie dormant for months until the attacker activates them at right time. The risk increases due to poor dataset provenance tracking, access controls, shared multi-tenant infrastructure, and external dataset sources. SageMaker offers IAM, VPC isolation, Model Monitor, and logging, but many firms don't configure these for ML threats. We found that poisoning attacks are conceivable and cost-effective for an adversary with limited access in SageMaker, especially when an organization uses public or third-party datasets or interacts with several stakeholders.

Topics & Concepts

BackdoorComputer scienceComputer securityCloud computingWorkflowAdversarial systemUploadArtificial intelligenceMachine learningRetrainingVirtual machineAdversarySoftware deploymentServerMalwareThreat modelPipeline transportDeep learningRendering (computer graphics)AutomationALARMAdversarial Robustness in Machine LearningNetwork Security and Intrusion DetectionSecurity and Verification in Computing