secure

Title: PASS: Parameters Audit-based Secure and Fair Federated Learning Scheme against Free Rider. (arXiv:2207.07292v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07292
• Code URL: null
• Copy Paste: [[2207.07292] PASS: Parameters Audit-based Secure and Fair Federated Learning Scheme against Free Rider](http://arxiv.org/abs/2207.07292)
• Summary:

  Federated Learning (FL) as a secure distributed learning frame gains interest in Internet of Things (IoT) due to its capability of protecting private data of participants. However, traditional FL systems are vulnerable to attacks such as Free-Rider (FR) attack, which causes not only unfairness but also privacy leakage and inferior performance to FL systems. The existing defense mechanisms against FR attacks only concern the scenarios where the adversaries declare less than 50% of the total amount of clients. Moreover, they lose effectiveness in resisting selfish FR (SFR) attacks. In this paper, we propose a Parameter Audit-based Secure and fair federated learning Scheme (PASS) against FR attacks. The PASS has the following key features: (a) works well in the scenario where adversaries are more than 50% of the total amount of clients; (b) is effective in countering anonymous FR attacks and SFR attacks; (c) prevents from privacy leakage without accuracy loss. Extensive experimental results verify the data protecting capability in mean square error against privacy leakage and reveal the effectiveness of PASS in terms of a higher defense success rate and lower false positive rate against anonymous SFR attacks. Note in addition, PASS produces no effect on FL accuracy when there is no FR adversary.

Title: Electric Democracy: Proof of Work to secure Elections. (arXiv:2207.07446v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07446
• Code URL: null
• Copy Paste: [[2207.07446] Electric Democracy: Proof of Work to secure Elections](http://arxiv.org/abs/2207.07446)
• Summary:

  Electronic voting consistently fails to supplant conventional paper ballot due to a plethora of security shortcomings. Not only are traditional voting methods mediocre in terms of convenience and interface, they also encompass principal-agent problem, where the state may have vested interest in the outcome of the ballot. Electronic voting protocol using cryptography to deliver in zero trust environments is long overdue. Here I propose using Proof of Work algorithm at user devices in combination with other well-known security primitives to build a zero-trust voting system. The state would only issue single-use voting authorizations to its citizens, while zero trust design would allow conducting elections by an open-source platform with enhanced observability. It is also hypothesized that the heighten availability of plebiscite by means of the proposed design may ultimately change the way our society participates in the policy making.

security

Title: ERIC: An Efficient and Practical Software Obfuscation Framework. (arXiv:2207.07407v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07407
• Code URL: https://github.com/kasirgalabs/eric
• Copy Paste: [[2207.07407] ERIC: An Efficient and Practical Software Obfuscation Framework](http://arxiv.org/abs/2207.07407)
• Summary:

  Modern cloud computing systems distribute software executables over a network to keep the software sources, which are typically compiled in a security-critical cluster, secret. We develop ERIC, a new, efficient, and general software obfuscation framework. ERIC protects software against (i) static analysis, by making only an encrypted version of software executables available to the human eye, no matter how the software is distributed, and (ii) dynamic analysis, by guaranteeing that an encrypted executable can only be correctly decrypted and executed by a single authenticated device. ERIC comprises key hardware and software components to provide efficient software obfuscation support: (i) a hardware decryption engine (HDE) enables efficient decryption of encrypted hardware in the target device, (ii) the compiler can seamlessly encrypt software executables given only a unique device identifier. Both the hardware and software components are ISA-independent, making ERIC general. The key idea of ERIC is to use physical unclonable functions (PUFs), unique device identifiers, as secret keys in encrypting software executables. Malicious parties that cannot access the PUF in the target device cannot perform static or dynamic analyses on the encrypted binary. We develop ERIC's prototype on an FPGA to evaluate it end-to-end. Our prototype extends RISC-V Rocket Chip with the hardware decryption engine (HDE) to minimize the overheads of software decryption. We augment the custom LLVM-based compiler to enable partial/full encryption of RISC-V executables. The HDE incurs minor FPGA resource overheads, it requires 2.63% more LUTs and 3.83% more flip-flops compared to the Rocket Chip baseline. LLVM-based software encryption increases compile time by 15.22% and the executable size by 1.59%. ERIC is publicly available and can be downloaded from https://github.com/kasirgalabs/ERIC

Title: Creating an Explainable Intrusion Detection System Using Self Organizing Maps. (arXiv:2207.07465v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07465
• Code URL: null
• Copy Paste: [[2207.07465] Creating an Explainable Intrusion Detection System Using Self Organizing Maps](http://arxiv.org/abs/2207.07465)
• Summary:

  Modern Artificial Intelligence (AI) enabled Intrusion Detection Systems (IDS) are complex black boxes. This means that a security analyst will have little to no explanation or clarification on why an IDS model made a particular prediction. A potential solution to this problem is to research and develop Explainable Intrusion Detection Systems (X-IDS) based on current capabilities in Explainable Artificial Intelligence (XAI). In this paper, we create a Self Organizing Maps (SOMs) based X-IDS system that is capable of producing explanatory visualizations. We leverage SOM's explainability to create both global and local explanations. An analyst can use global explanations to get a general idea of how a particular IDS model computes predictions. Local explanations are generated for individual datapoints to explain why a certain prediction value was computed. Furthermore, our SOM based X-IDS was evaluated on both explanation generation and traditional accuracy tests using the NSL-KDD and the CIC-IDS-2017 datasets.

privacy

Title: Towards Privacy-Preserving Person Re-identification via Person Identify Shift. (arXiv:2207.07311v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07311
• Code URL: null
• Copy Paste: [[2207.07311] Towards Privacy-Preserving Person Re-identification via Person Identify Shift](http://arxiv.org/abs/2207.07311)
• Summary:

  Recently privacy concerns of person re-identification (ReID) raise more and more attention and preserving the privacy of the pedestrian images used by ReID methods become essential. De-identification (DeID) methods alleviate privacy issues by removing the identity-related of the ReID data. However, most of the existing DeID methods tend to remove all personal identity-related information and compromise the usability of de-identified data on the ReID task. In this paper, we aim to develop a technique that can achieve a good trade-off between privacy protection and data usability for person ReID. To achieve this, we propose a novel de-identification method designed explicitly for person ReID, named Person Identify Shift (PIS). PIS removes the absolute identity in a pedestrian image while preserving the identity relationship between image pairs. By exploiting the interpolation property of variational auto-encoder, PIS shifts each pedestrian image from the current identity to another with a new identity, resulting in images still preserving the relative identities. Experimental results show that our method has a better trade-off between privacy-preserving and model performance than existing de-identification methods and can defend against human and model attacks for data privacy.

Title: Privacy-Preserving Face Recognition with Learnable Privacy Budgets in Frequency Domain. (arXiv:2207.07316v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07316
• Code URL: https://github.com/Tencent/TFace
• Copy Paste: [[2207.07316] Privacy-Preserving Face Recognition with Learnable Privacy Budgets in Frequency Domain](http://arxiv.org/abs/2207.07316)
• Summary:

  Face recognition technology has been used in many fields due to its high recognition accuracy, including the face unlocking of mobile devices, community access control systems, and city surveillance. As the current high accuracy is guaranteed by very deep network structures, facial images often need to be transmitted to third-party servers with high computational power for inference. However, facial images visually reveal the user's identity information. In this process, both untrusted service providers and malicious users can significantly increase the risk of a personal privacy breach. Current privacy-preserving approaches to face recognition are often accompanied by many side effects, such as a significant increase in inference time or a noticeable decrease in recognition accuracy. This paper proposes a privacy-preserving face recognition method using differential privacy in the frequency domain. Due to the utilization of differential privacy, it offers a guarantee of privacy in theory. Meanwhile, the loss of accuracy is very slight. This method first converts the original image to the frequency domain and removes the direct component termed DC. Then a privacy budget allocation method can be learned based on the loss of the back-end face recognition network within the differential privacy framework. Finally, it adds the corresponding noise to the frequency domain features. Our method performs very well with several classical face recognition test sets according to the extensive experiments.

Title: DuetFace: Collaborative Privacy-Preserving Face Recognition via Channel Splitting in the Frequency Domain. (arXiv:2207.07340v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07340
• Code URL: https://github.com/Tencent/TFace
• Copy Paste: [[2207.07340] DuetFace: Collaborative Privacy-Preserving Face Recognition via Channel Splitting in the Frequency Domain](http://arxiv.org/abs/2207.07340)
• Summary:

  With the wide application of face recognition systems, there is rising concern that original face images could be exposed to malicious intents and consequently cause personal privacy breaches. This paper presents DuetFace, a novel privacy-preserving face recognition method that employs collaborative inference in the frequency domain. Starting from a counterintuitive discovery that face recognition can achieve surprisingly good performance with only visually indistinguishable high-frequency channels, this method designs a credible split of frequency channels by their cruciality for visualization and operates the server-side model on non-crucial channels. However, the model degrades in its attention to facial features due to the missing visual information. To compensate, the method introduces a plug-in interactive block to allow attention transfer from the client-side by producing a feature mask. The mask is further refined by deriving and overlaying a facial region of interest (ROI). Extensive experiments on multiple datasets validate the effectiveness of the proposed method in protecting face images from undesired visual inspection, reconstruction, and identification while maintaining high task availability and performance. Results show that the proposed method achieves a comparable recognition accuracy and computation cost to the unprotected ArcFace and outperforms the state-of-the-art privacy-preserving methods. The source code is available at https://github.com/Tencent/TFace/tree/master/recognition/tasks/duetface.

Title: Characterizing and Optimizing End-to-End Systems for Private Inference. (arXiv:2207.07177v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07177
• Code URL: null
• Copy Paste: [[2207.07177] Characterizing and Optimizing End-to-End Systems for Private Inference](http://arxiv.org/abs/2207.07177)
• Summary:

  Increasing privacy concerns have given rise to Private Inference (PI). In PI, both the client's personal data and the service provider's trained model are kept confidential. State-of-the-art PI protocols combine several cryptographic primitives: Homomorphic Encryption (HE), Secret Sharing (SS), Garbled Circuits (GC), and Oblivious Transfer (OT). Today, PI remains largely arcane and too slow for practical use, despite the need and recent performance improvements. This paper addresses PI's shortcomings with a detailed characterization of a standard high-performance protocol to build foundational knowledge and intuition in the systems community. The characterization pinpoints all sources of inefficiency -- compute, communication, and storage. A notable aspect of this work is the use of inference request arrival rates rather than studying individual inferences in isolation. Prior to this work, and without considering arrival rate, it has been assumed that PI pre-computations can be handled offline and their overheads ignored. We show this is not the case. The offline costs in PI are so high that they are often incurred online, as there is insufficient downtime to hide pre-compute latency. We further propose three optimizations to address the computation (layer-parallel HE), communication (wireless slot allocation), and storage (Client-Garbler) overheads leveraging insights from our characterization. Compared to the state-of-the-art PI protocol, the optimizations provide a total PI speedup of 1.8$\times$, with the ability to sustain inference requests up to a 2.24$\times$ greater rate.

Title: Feed-Forward Source-Free Latent Domain Adaptation via Cross-Attention. (arXiv:2207.07624v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07624
• Code URL: null
• Copy Paste: [[2207.07624] Feed-Forward Source-Free Latent Domain Adaptation via Cross-Attention](http://arxiv.org/abs/2207.07624)
• Summary:

  We study the highly practical but comparatively under-studied problem of latent-domain adaptation, where a source model should be adapted to a target dataset that contains a mixture of unlabelled domain-relevant and domain-irrelevant examples. Furthermore, motivated by the requirements for data privacy and the need for embedded and resource-constrained devices of all kinds to adapt to local data distributions, we focus on the setting of feed-forward source-free domain adaptation, where adaptation should not require access to the source dataset, and also be back propagation-free. Our solution is to meta-learn a network capable of embedding the mixed-relevance target dataset and dynamically adapting inference for target examples using cross-attention. The resulting framework leads to consistent improvement on strong ERM baselines. We also show that our framework sometimes even improves on the upper bound of domain-supervised adaptation, where only domain-relevant instances are provided for adaptation. This suggests that human annotated domain labels may not always be optimal, and raises the possibility of doing better through automated instance selection.

protect

Title: Does Twitter know your political views? POLiTweets dataset and semi-automatic method for political leaning discovery. (arXiv:2207.07586v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2207.07586
• Code URL: null
• Copy Paste: [[2207.07586] Does Twitter know your political views? POLiTweets dataset and semi-automatic method for political leaning discovery](http://arxiv.org/abs/2207.07586)
• Summary:

  Every day, the world is flooded by millions of messages and statements posted on Twitter or Facebook. Social media platforms try to protect users' personal data, but there still is a real risk of misuse, including elections manipulation. Did you know, that only 13 posts addressing important or controversial topics for society are enough to predict one's political affiliation with a 0.85 F1-score? To examine this phenomenon, we created a novel universal method of semi-automated political leaning discovery. It relies on a heuristical data annotation procedure, which was evaluated to achieve 0.95 agreement with human annotators (counted as an accuracy metric). We also present POLiTweets - the first publicly open Polish dataset for political affiliation discovery in a multi-party setup, consisting of over 147k tweets from almost 10k Polish-writing users annotated heuristically and almost 40k tweets from 166 users annotated manually as a test set. We used our data to study the aspects of domain shift in the context of topics and the type of content writers - ordinary citizens vs. professional politicians.

Title: Identifying and Quantifying Trade-offs in Multi-Stakeholder Risk Evaluation with Applications to the Data Protection Impact Assessment of the GDPR. (arXiv:2207.07385v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07385
• Code URL: https://github.com/stfbk/msrmp
• Copy Paste: [[2207.07385] Identifying and Quantifying Trade-offs in Multi-Stakeholder Risk Evaluation with Applications to the Data Protection Impact Assessment of the GDPR](http://arxiv.org/abs/2207.07385)
• Summary:

  Cybersecurity risk management consists of several steps including the selection of appropriate controls to minimize risks. This is a difficult task that requires to search through all possible subsets of a set of available controls and identify those that minimize the risks of all stakeholders. Since stakeholders may have different perceptions of the risks (especially when considering the impact of threats), conflicting goals may arise that require to find the best possible trade-offs among the various needs. In this work, we propose a quantitative and (semi)automated approach to solve this problem based on the well-known notion of Pareto optimality. For validation, we show how a prototype tool based on our approach can assist in the Data Protection Impact Assessment mandated by the General Data Protection Regulation on a simplified but realistic use case scenario. We also evaluate the scalability of the approach by conducting an experimental evaluation with the prototype with encouraging results.

defense

attack

Title: Lipschitz Bound Analysis of Neural Networks. (arXiv:2207.07232v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07232
• Code URL: null
• Copy Paste: [[2207.07232] Lipschitz Bound Analysis of Neural Networks](http://arxiv.org/abs/2207.07232)
• Summary:

  Lipschitz Bound Estimation is an effective method of regularizing deep neural networks to make them robust against adversarial attacks. This is useful in a variety of applications ranging from reinforcement learning to autonomous systems. In this paper, we highlight the significant gap in obtaining a non-trivial Lipschitz bound certificate for Convolutional Neural Networks (CNNs) and empirically support it with extensive graphical analysis. We also show that unrolling Convolutional layers or Toeplitz matrices can be employed to convert Convolutional Neural Networks (CNNs) to a Fully Connected Network. Further, we propose a simple algorithm to show the existing 20x-50x gap in a particular data distribution between the actual lipschitz constant and the obtained tight bound. We also ran sets of thorough experiments on various network architectures and benchmark them on datasets like MNIST and CIFAR-10. All these proposals are supported by extensive testing, graphs, histograms and comparative analysis.

Title: Classification of Bark Beetle-Induced Forest Tree Mortality using Deep Learning. (arXiv:2207.07241v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07241
• Code URL: null
• Copy Paste: [[2207.07241] Classification of Bark Beetle-Induced Forest Tree Mortality using Deep Learning](http://arxiv.org/abs/2207.07241)
• Summary:

  Bark beetle outbreaks can dramatically impact forest ecosystems and services around the world. For the development of effective forest policies and management plans, the early detection of infested trees is essential. Despite the visual symptoms of bark beetle infestation, this task remains challenging, considering overlapping tree crowns and non-homogeneity in crown foliage discolouration. In this work, a deep learning based method is proposed to effectively classify different stages of bark beetle attacks at the individual tree level. The proposed method uses RetinaNet architecture (exploiting a robust feature extraction backbone pre-trained for tree crown detection) to train a shallow subnetwork for classifying the different attack stages of images captured by unmanned aerial vehicles (UAVs). Moreover, various data augmentation strategies are examined to address the class imbalance problem, and consequently, the affine transformation is selected to be the most effective one for this purpose. Experimental evaluations demonstrate the effectiveness of the proposed method by achieving an average accuracy of 98.95%, considerably outperforming the baseline method by approximately 10%.

Title: SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables. (arXiv:2207.07413v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07413
• Code URL: null
• Copy Paste: [[2207.07413] SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables](http://arxiv.org/abs/2207.07413)
• Summary:

  This paper introduces a new type of attack on isolated, air-gapped workstations. Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments. We discuss related work on this topic and provide technical background. We show the design of the transmitter and receiver and present the implementation of these components. We also demonstrate the attack on different computers and provide the evaluation. The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver. Furthermore, we show that the attack can operate from user mode, is effective even from inside a Virtual Machine (VM), and can successfully work with other running workloads in the background. Finally, we discuss defense and mitigation techniques for this new air-gap attack.

robust

Title: A Dual-Masked Auto-Encoder for Robust Motion Capture with Spatial-Temporal Skeletal Token Completion. (arXiv:2207.07381v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07381
• Code URL: null
• Copy Paste: [[2207.07381] A Dual-Masked Auto-Encoder for Robust Motion Capture with Spatial-Temporal Skeletal Token Completion](http://arxiv.org/abs/2207.07381)
• Summary:

  Multi-person motion capture can be challenging due to ambiguities caused by severe occlusion, fast body movement, and complex interactions. Existing frameworks build on 2D pose estimations and triangulate to 3D coordinates via reasoning the appearance, trajectory, and geometric consistencies among multi-camera observations. However, 2D joint detection is usually incomplete and with wrong identity assignments due to limited observation angle, which leads to noisy 3D triangulation results. To overcome this issue, we propose to explore the short-range autoregressive characteristics of skeletal motion using transformer. First, we propose an adaptive, identity-aware triangulation module to reconstruct 3D joints and identify the missing joints for each identity. To generate complete 3D skeletal motion, we then propose a Dual-Masked Auto-Encoder (D-MAE) which encodes the joint status with both skeletal-structural and temporal position encoding for trajectory completion. D-MAE's flexible masking and encoding mechanism enable arbitrary skeleton definitions to be conveniently deployed under the same framework. In order to demonstrate the proposed model's capability in dealing with severe data loss scenarios, we contribute a high-accuracy and challenging motion capture dataset of multi-person interactions with severe occlusion. Evaluations on both benchmark and our new dataset demonstrate the efficiency of our proposed model, as well as its advantage against the other state-of-the-art methods.

Title: 3DVerifier: Efficient Robustness Verification for 3D Point Cloud Models. (arXiv:2207.07539v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07539
• Code URL: https://github.com/trustai/3dverifier
• Copy Paste: [[2207.07539] 3DVerifier: Efficient Robustness Verification for 3D Point Cloud Models](http://arxiv.org/abs/2207.07539)
• Summary:

  3D point cloud models are widely applied in safety-critical scenes, which delivers an urgent need to obtain more solid proofs to verify the robustness of models. Existing verification method for point cloud model is time-expensive and computationally unattainable on large networks. Additionally, they cannot handle the complete PointNet model with joint alignment network (JANet) that contains multiplication layers, which effectively boosts the performance of 3D models. This motivates us to design a more efficient and general framework to verify various architectures of point cloud models. The key challenges in verifying the large-scale complete PointNet models are addressed as dealing with the cross-non-linearity operations in the multiplication layers and the high computational complexity of high-dimensional point cloud inputs and added layers. Thus, we propose an efficient verification framework, 3DVerifier, to tackle both challenges by adopting a linear relaxation function to bound the multiplication layer and combining forward and backward propagation to compute the certified bounds of the outputs of the point cloud models. Our comprehensive experiments demonstrate that 3DVerifier outperforms existing verification algorithms for 3D models in terms of both efficiency and accuracy. Notably, our approach achieves an orders-of-magnitude improvement in verification efficiency for the large network, and the obtained certified bounds are also significantly tighter than the state-of-the-art verifiers. We release our tool 3DVerifier via https://github.com/TrustAI/3DVerifier for use by the community.

Title: A Flexible Schema-Guided Dialogue Management Framework: From Friendly Peer to Virtual Standardized Cancer Patient. (arXiv:2207.07276v1 [cs.AI])

• Paper URL: http://arxiv.org/abs/2207.07276
• Code URL: null
• Copy Paste: [[2207.07276] A Flexible Schema-Guided Dialogue Management Framework: From Friendly Peer to Virtual Standardized Cancer Patient](http://arxiv.org/abs/2207.07276)
• Summary:

  A schema-guided approach to dialogue management has been shown in recent work to be effective in creating robust customizable virtual agents capable of acting as friendly peers or task assistants. However, successful applications of these methods in open-ended, mixed-initiative domains remain elusive -- particularly within medical domains such as virtual standardized patients, where such complex interactions are commonplace -- and require more extensive and flexible dialogue management capabilities than previous systems provide. In this paper, we describe a general-purpose schema-guided dialogue management framework used to develop SOPHIE, a virtual standardized cancer patient that allows a doctor to conveniently practice for interactions with patients. We conduct a crowdsourced evaluation of conversations between medical students and SOPHIE. Our agent is judged to produce responses that are natural, emotionally appropriate, and consistent with her role as a cancer patient. Furthermore, it significantly outperforms an end-to-end neural model fine-tuned on a human standardized patient corpus, attesting to the advantages of a schema-guided approach.

Title: Contrastive Adapters for Foundation Model Group Robustness. (arXiv:2207.07180v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07180
• Code URL: null
• Copy Paste: [[2207.07180] Contrastive Adapters for Foundation Model Group Robustness](http://arxiv.org/abs/2207.07180)
• Summary:

  While large pretrained foundation models (FMs) have shown remarkable zero-shot classification robustness to dataset-level distribution shifts, their robustness to subpopulation or group shifts is relatively underexplored. We study this problem, and find that FMs such as CLIP may not be robust to various group shifts. Across 9 robustness benchmarks, zero-shot classification with their embeddings results in gaps of up to 80.7 percentage points (pp) between average and worst-group accuracy. Unfortunately, existing methods to improve robustness require retraining, which can be prohibitively expensive on large foundation models. We also find that efficient ways to improve model inference (e.g., via adapters, lightweight networks with FM embeddings as inputs) do not consistently improve and can sometimes hurt group robustness compared to zero-shot (e.g., increasing the accuracy gap by 50.1 pp on CelebA). We thus develop an adapter training strategy to effectively and efficiently improve FM group robustness. Our motivating observation is that while poor robustness results from groups in the same class being embedded far apart in the foundation model "embedding space," standard adapter training may not bring these points closer together. We thus propose contrastive adapting, which trains adapters with contrastive learning to bring sample embeddings close to both their ground-truth class embeddings and other sample embeddings in the same class. Across the 9 benchmarks, our approach consistently improves group robustness, raising worst-group accuracy by 8.5 to 56.0 pp over zero-shot. Our approach is also efficient, doing so without any FM finetuning and only a fixed set of frozen FM embeddings. On benchmarks such as Waterbirds and CelebA, this leads to worst-group accuracy comparable to state-of-the-art methods that retrain entire models, while only training $\leq$1% of the model parameters.

Title: Provably Adversarially Robust Nearest Prototype Classifiers. (arXiv:2207.07208v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07208
• Code URL: https://github.com/vvoracek/provably-adversarially-robust-nearest-prototype-classifiers
• Copy Paste: [[2207.07208] Provably Adversarially Robust Nearest Prototype Classifiers](http://arxiv.org/abs/2207.07208)
• Summary:

  Nearest prototype classifiers (NPCs) assign to each input point the label of the nearest prototype with respect to a chosen distance metric. A direct advantage of NPCs is that the decisions are interpretable. Previous work could provide lower bounds on the minimal adversarial perturbation in the $\ell_p$-threat model when using the same $\ell_p$-distance for the NPCs. In this paper we provide a complete discussion on the complexity when using $\ell_p$-distances for decision and $\ell_q$-threat models for certification for $p,q \in {1,2,\infty}$. In particular we provide scalable algorithms for the \emph{exact} computation of the minimal adversarial perturbation when using $\ell_2$-distance and improved lower bounds in other cases. Using efficient improved lower bounds we train our Provably adversarially robust NPC (PNPC), for MNIST which have better $\ell_2$-robustness guarantees than neural networks. Additionally, we show up to our knowledge the first certification results w.r.t. to the LPIPS perceptual metric which has been argued to be a more realistic threat model for image classification than $\ell_p$-balls. Our PNPC has on CIFAR10 higher certified robust accuracy than the empirical robust accuracy reported in (Laidlaw et al., 2021). The code is available in our repository.

Title: Improving Task-free Continual Learning by Distributionally Robust Memory Evolution. (arXiv:2207.07256v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07256
• Code URL: null
• Copy Paste: [[2207.07256] Improving Task-free Continual Learning by Distributionally Robust Memory Evolution](http://arxiv.org/abs/2207.07256)
• Summary:

  Task-free continual learning (CL) aims to learn a non-stationary data stream without explicit task definitions and not forget previous knowledge. The widely adopted memory replay approach could gradually become less effective for long data streams, as the model may memorize the stored examples and overfit the memory buffer. Second, existing methods overlook the high uncertainty in the memory data distribution since there is a big gap between the memory data distribution and the distribution of all the previous data examples. To address these problems, for the first time, we propose a principled memory evolution framework to dynamically evolve the memory data distribution by making the memory buffer gradually harder to be memorized with distributionally robust optimization (DRO). We then derive a family of methods to evolve the memory buffer data in the continuous probability measure space with Wasserstein gradient flow (WGF). The proposed DRO is w.r.t the worst-case evolved memory data distribution, thus guarantees the model performance and learns significantly more robust features than existing memory-replay-based methods. Extensive experiments on existing benchmarks demonstrate the effectiveness of the proposed methods for alleviating forgetting. As a by-product of the proposed framework, our method is more robust to adversarial examples than existing task-free CL methods.

Title: Set-based value operators for non-stationary Markovian environments. (arXiv:2207.07271v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07271
• Code URL: null
• Copy Paste: [[2207.07271] Set-based value operators for non-stationary Markovian environments](http://arxiv.org/abs/2207.07271)
• Summary:

  This paper analyzes finite state Markov Decision Processes (MDPs) with uncertain parameters in compact sets and re-examines results from robust MDP via set-based fixed point theory. We generalize the Bellman and policy evaluation operators to operators that contract on the space of value functions and denote them as \emph{value operators}. We generalize these value operators to act on the space of value function sets and denote them as \emph{set-based value operators}. We prove that these set-based value operators are contractions in the space of compact value function sets. Leveraging insights from set theory, we generalize the rectangularity condition for the Bellman operator from classic robust MDP literature to a \emph{containment condition} for a generic value operator, which is weaker and can be applied to a larger set of parameter-uncertain MDPs and contractive operators in dynamic programming and reinforcement learning. We prove that both the rectangularity condition and the containment condition sufficiently ensure that the set-based value operator's fixed point set contains its own supremum and infimum elements. For convex and compact sets of uncertain MDP parameters, we show equivalence between the classic robust value function and the supremum of the fixed point set of the set-based Bellman operator. Under dynamically changing MDP parameters in compact sets, we prove a set convergence result for value iteration, which otherwise may not converge to a single value function.

Title: Plex: Towards Reliability using Pretrained Large Model Extensions. (arXiv:2207.07411v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07411
• Code URL: https://github.com/google/uncertainty-baselines
• Copy Paste: [[2207.07411] Plex: Towards Reliability using Pretrained Large Model Extensions](http://arxiv.org/abs/2207.07411)
• Summary:

  A recent trend in artificial intelligence is the use of pretrained models for language and vision tasks, which have achieved extraordinary performance but also puzzling failures. Probing these models' abilities in diverse ways is therefore critical to the field. In this paper, we explore the reliability of models, where we define a reliable model as one that not only achieves strong predictive performance but also performs well consistently over many decision-making tasks involving uncertainty (e.g., selective prediction, open set recognition), robust generalization (e.g., accuracy and proper scoring rules such as log-likelihood on in- and out-of-distribution datasets), and adaptation (e.g., active learning, few-shot uncertainty). We devise 10 types of tasks over 40 datasets in order to evaluate different aspects of reliability on both vision and language domains. To improve reliability, we developed ViT-Plex and T5-Plex, pretrained large model extensions for vision and language modalities, respectively. Plex greatly improves the state-of-the-art across reliability tasks, and simplifies the traditional protocol as it improves the out-of-the-box performance and does not require designing scores or tuning the model for each task. We demonstrate scaling effects over model sizes up to 1B parameters and pretraining dataset sizes up to 4B examples. We also demonstrate Plex's capabilities on challenging tasks including zero-shot open set recognition, active learning, and uncertainty in conversational language understanding.

Title: Blessing of Nonconvexity in Deep Linear Models: Depth Flattens the Optimization Landscape Around the True Solution. (arXiv:2207.07612v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07612
• Code URL: null
• Copy Paste: [[2207.07612] Blessing of Nonconvexity in Deep Linear Models: Depth Flattens the Optimization Landscape Around the True Solution](http://arxiv.org/abs/2207.07612)
• Summary:

  This work characterizes the effect of depth on the optimization landscape of linear regression, showing that, despite their nonconvexity, deeper models have more desirable optimization landscape. We consider a robust and over-parameterized setting, where a subset of measurements are grossly corrupted with noise and the true linear model is captured via an $N$-layer linear neural network. On the negative side, we show that this problem \textit{does not} have a benign landscape: given any $N\geq 1$, with constant probability, there exists a solution corresponding to the ground truth that is neither local nor global minimum. However, on the positive side, we prove that, for any $N$-layer model with $N\geq 2$, a simple sub-gradient method becomes oblivious to such ``problematic'' solutions; instead, it converges to a balanced solution that is not only close to the ground truth but also enjoys a flat local landscape, thereby eschewing the need for "early stopping". Lastly, we empirically verify that the desirable optimization landscape of deeper models extends to other robust learning tasks, including deep matrix recovery and deep ReLU networks with $\ell_1$-loss.

biometric

Title: Mobile Keystroke Biometrics Using Transformers. (arXiv:2207.07596v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2207.07596
• Code URL: null
• Copy Paste: [[2207.07596] Mobile Keystroke Biometrics Using Transformers](http://arxiv.org/abs/2207.07596)
• Summary:

  Behavioural biometrics have proven to be effective against identity theft as well as be considered user-friendly authentication methods. One of the most popular traits in the literature is keystroke dynamics due to the large deployment of computers and mobile devices in our society. This paper focuses on improving keystroke biometric systems on the free-text scenario. This scenario is characterised as very challenging due to the uncontrolled text conditions, the influential of the user's emotional and physical state, and the in-use application. To overcome these drawbacks, methods based on deep learning such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) have been proposed in the literature, outperforming traditional machine learning methods. However, these architectures still have aspects that need to be reviewed and improved. To the best of our knowledge, this is the first study that proposes keystroke biometric systems based on Transformers. The proposed Transformer architecture has achieved Equal Error Rate (EER) values of 3.84% in the popular Aalto mobile keystroke database using only 5 enrolment sessions, outperforming in large margin other state-of-the-art approaches in the literature.

steal

extraction

Title: Boosting Multi-Modal E-commerce Attribute Value Extraction via Unified Learning Scheme and Dynamic Range Minimization. (arXiv:2207.07278v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07278
• Code URL: null
• Copy Paste: [[2207.07278] Boosting Multi-Modal E-commerce Attribute Value Extraction via Unified Learning Scheme and Dynamic Range Minimization](http://arxiv.org/abs/2207.07278)
• Summary:

  With the prosperity of e-commerce industry, various modalities, e.g., vision and language, are utilized to describe product items. It is an enormous challenge to understand such diversified data, especially via extracting the attribute-value pairs in text sequences with the aid of helpful image regions. Although a series of previous works have been dedicated to this task, there remain seldomly investigated obstacles that hinder further improvements: 1) Parameters from up-stream single-modal pretraining are inadequately applied, without proper jointly fine-tuning in a down-stream multi-modal task. 2) To select descriptive parts of images, a simple late fusion is widely applied, regardless of priori knowledge that language-related information should be encoded into a common linguistic embedding space by stronger encoders. 3) Due to diversity across products, their attribute sets tend to vary greatly, but current approaches predict with an unnecessary maximal range and lead to more potential false positives. To address these issues, we propose in this paper a novel approach to boost multi-modal e-commerce attribute value extraction via unified learning scheme and dynamic range minimization: 1) Firstly, a unified scheme is designed to jointly train a multi-modal task with pretrained single-modal parameters. 2) Secondly, a text-guided information range minimization method is proposed to adaptively encode descriptive parts of each modality into an identical space with a powerful pretrained linguistic model. 3) Moreover, a prototype-guided attribute range minimization method is proposed to first determine the proper attribute set of the current product, and then select prototypes to guide the prediction of the chosen attributes. Experiments on the popular multi-modal e-commerce benchmarks show that our approach achieves superior performance over the other state-of-the-art techniques.

Title: Bi-PointFlowNet: Bidirectional Learning for Point Cloud Based Scene Flow Estimation. (arXiv:2207.07522v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2207.07522
• Code URL: https://github.com/cwc1260/BiFlow
• Copy Paste: [[2207.07522] Bi-PointFlowNet: Bidirectional Learning for Point Cloud Based Scene Flow Estimation](http://arxiv.org/abs/2207.07522)
• Summary:

  Scene flow estimation, which extracts point-wise motion between scenes, is becoming a crucial task in many computer vision tasks. However, all of the existing estimation methods utilize only the unidirectional features, restricting the accuracy and generality. This paper presents a novel scene flow estimation architecture using bidirectional flow embedding layers. The proposed bidirectional layer learns features along both forward and backward directions, enhancing the estimation performance. In addition, hierarchical feature extraction and warping improve the performance and reduce computational overhead. Experimental results show that the proposed architecture achieved a new state-of-the-art record by outperforming other approaches with large margin in both FlyingThings3D and KITTI benchmarks. Codes are available at https://github.com/cwc1260/BiFlow.

membership infer

federate

Title: Accelerated Federated Learning with Decoupled Adaptive Optimization. (arXiv:2207.07223v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07223
• Code URL: null
• Copy Paste: [[2207.07223] Accelerated Federated Learning with Decoupled Adaptive Optimization](http://arxiv.org/abs/2207.07223)
• Summary:

  The federated learning (FL) framework enables edge clients to collaboratively learn a shared inference model while keeping privacy of training data on clients. Recently, many heuristics efforts have been made to generalize centralized adaptive optimization methods, such as SGDM, Adam, AdaGrad, etc., to federated settings for improving convergence and accuracy. However, there is still a paucity of theoretical principles on where to and how to design and utilize adaptive optimization methods in federated settings. This work aims to develop novel adaptive optimization methods for FL from the perspective of dynamics of ordinary differential equations (ODEs). First, an analytic framework is established to build a connection between federated optimization methods and decompositions of ODEs of corresponding centralized optimizers. Second, based on this analytic framework, a momentum decoupling adaptive optimization method, FedDA, is developed to fully utilize the global momentum on each local iteration and accelerate the training convergence. Last but not least, full batch gradients are utilized to mimic centralized optimization in the end of the training process to ensure the convergence and overcome the possible inconsistency caused by adaptive optimization methods.

fair

Title: Sound Randomized Smoothing in Floating-Point Arithmetics. (arXiv:2207.07209v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07209
• Code URL: null
• Copy Paste: [[2207.07209] Sound Randomized Smoothing in Floating-Point Arithmetics](http://arxiv.org/abs/2207.07209)
• Summary:

  Randomized smoothing is sound when using infinite precision. However, we show that randomized smoothing is no longer sound for limited floating-point precision. We present a simple example where randomized smoothing certifies a radius of $1.26$ around a point, even though there is an adversarial example in the distance $0.8$ and extend this example further to provide false certificates for CIFAR10. We discuss the implicit assumptions of randomized smoothing and show that they do not apply to generic image classification models whose smoothed versions are commonly certified. In order to overcome this problem, we propose a sound approach to randomized smoothing when using floating-point precision with essentially equal speed and matching the certificates of the standard, unsound practice for standard classifiers tested so far. Our only assumption is that we have access to a fair coin.

Title: COOR-PLT: A hierarchical control model for coordinating adaptive platoons of connected and autonomous vehicles at signal-free intersections based on deep reinforcement learning. (arXiv:2207.07195v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07195
• Code URL: null
• Copy Paste: [[2207.07195] COOR-PLT: A hierarchical control model for coordinating adaptive platoons of connected and autonomous vehicles at signal-free intersections based on deep reinforcement learning](http://arxiv.org/abs/2207.07195)
• Summary:

  Platooning and coordination are two implementation strategies that are frequently proposed for traffic control of connected and autonomous vehicles (CAVs) at signal-free intersections instead of using conventional traffic signals. However, few studies have attempted to integrate both strategies to better facilitate the CAV control at signal-free intersections. To this end, this study proposes a hierarchical control model, named COOR-PLT, to coordinate adaptive CAV platoons at a signal-free intersection based on deep reinforcement learning (DRL). COOR-PLT has a two-layer framework. The first layer uses a centralized control strategy to form adaptive platoons. The optimal size of each platoon is determined by considering multiple objectives (i.e., efficiency, fairness and energy saving). The second layer employs a decentralized control strategy to coordinate multiple platoons passing through the intersection. Each platoon is labeled with coordinated status or independent status, upon which its passing priority is determined. As an efficient DRL algorithm, Deep Q-network (DQN) is adopted to determine platoon sizes and passing priorities respectively in the two layers. The model is validated and examined on the simulator Simulation of Urban Mobility (SUMO). The simulation results demonstrate that the model is able to: (1) achieve satisfactory convergence performances; (2) adaptively determine platoon size in response to varying traffic conditions; and (3) completely avoid deadlocks at the intersection. By comparison with other control methods, the model manifests its superiority of adopting adaptive platooning and DRL-based coordination strategies. Also, the model outperforms several state-of-the-art methods on reducing travel time and fuel consumption in different traffic conditions.

interpretability

Title: Explainable Sparse Knowledge Graph Completion via High-order Graph Reasoning Network. (arXiv:2207.07503v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07503
• Code URL: null
• Copy Paste: [[2207.07503] Explainable Sparse Knowledge Graph Completion via High-order Graph Reasoning Network](http://arxiv.org/abs/2207.07503)
• Summary:

  Knowledge Graphs (KGs) are becoming increasingly essential infrastructures in many applications while suffering from incompleteness issues. The KG completion task (KGC) automatically predicts missing facts based on an incomplete KG. However, existing methods perform unsatisfactorily in real-world scenarios. On the one hand, their performance will dramatically degrade along with the increasing sparsity of KGs. On the other hand, the inference procedure for prediction is an untrustworthy black box.

This paper proposes a novel explainable model for sparse KGC, compositing high-order reasoning into a graph convolutional network, namely HoGRN. It can not only improve the generalization ability to mitigate the information insufficiency issue but also provide interpretability while maintaining the model's effectiveness and efficiency. There are two main components that are seamlessly integrated for joint optimization. First, the high-order reasoning component learns high-quality relation representations by capturing endogenous correlation among relations. This can reflect logical rules to justify a broader of missing facts. Second, the entity updating component leverages a weight-free Graph Convolutional Network (GCN) to efficiently model KG structures with interpretability. Unlike conventional methods, we conduct entity aggregation and design composition-based attention in the relational space without additional parameters. The lightweight design makes HoGRN better suitable for sparse settings. For evaluation, we have conducted extensive experiments-the results of HoGRN on several sparse KGs present impressive improvements (9% MRR gain on average). Further ablation and case studies demonstrate the effectiveness of the main components. Our codes will be released upon acceptance.

Title: Sparse Relational Reasoning with Object-Centric Representations. (arXiv:2207.07512v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2207.07512
• Code URL: null
• Copy Paste: [[2207.07512] Sparse Relational Reasoning with Object-Centric Representations](http://arxiv.org/abs/2207.07512)
• Summary:

  We investigate the composability of soft-rules learned by relational neural architectures when operating over object-centric (slot-based) representations, under a variety of sparsity-inducing constraints. We find that increasing sparsity, especially on features, improves the performance of some models and leads to simpler relations. Additionally, we observe that object-centric representations can be detrimental when not all objects are fully captured; a failure mode to which CNNs are less prone. These findings demonstrate the trade-offs between interpretability and performance, even for models designed to tackle relational tasks.

exlainability

watermark