secure

Title: Strong authentication on smart wireless devices. (arXiv:2208.03541v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03541
Code URL: null
Copy Paste: [[2208.03541] Strong authentication on smart wireless devices](http://arxiv.org/abs/2208.03541)
Summary:
The rapid deployment of wireless technologies has given rise to the current situation where mobile phones and other wireless devices have become essential elements in all types of activities, including in the home. In particular, smartphones and laptops are used for wirelessly sharing photos and documents, playing games, browsing websites, and viewing multimedia, for example. This work describes a proposal for both desktop and mobile applications that use Identity-Based Cryptography (IBC) to protect communications between smart wireless devices in the home. It combines the use of IBC for Wi-Fi and Bluetooth communication, with the promising Near Field Communication (NFC) technology for secure authentication. The proposed scheme involves NFC pairing to establish as public key a piece of information linked to the device, such as a phone number or an IP address. In this way, such information can be then used in an IBC scheme for peer-to-peer communication. This is a work in progress, but preliminary implementations of prototypes on several mobile platforms have already produced promising results.

Title: An Enclave-based TEE for SE-in-SoC in RISC-V Industry. (arXiv:2208.03631v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03631
Code URL: null
Copy Paste: [[2208.03631] An Enclave-based TEE for SE-in-SoC in RISC-V Industry](http://arxiv.org/abs/2208.03631)
Summary:
Secure Element (SE) in SoC sees an increasing adoption in industry. Many applications in IoT devices are bound to the SE because it provides strong cryptographic functions and physical protection. Though SE-in-SoC provides strong proven isolation for software programs, it also brings more design complexity and higher cost to PCB board building. More, SE-in-SoC may still have security concerns, such as malware installation and user impersonation. In this work, we employ TEE, a hardware-backed security technique, for protecting SE-in-SoC and RISCV. In particular, we construct various enclaves for isolating applications and manipulating the SE, with the inherently-secure primitives provided by RISC-V. Using hardware and software co-design, the solution ensures trusted execution and secure communication among applications. The security of SE is further protected by enforcing the SE to be controlled by a trusted enclave and making the RISC-V core resilient to side-channel attacks.

Title: IoT-REX: A Secure Remote-Control System for IoT Devices from Centralized Multi-Designated Verifier Signatures. (arXiv:2208.03781v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03781
Code URL: null
Copy Paste: [[2208.03781] IoT-REX: A Secure Remote-Control System for IoT Devices from Centralized Multi-Designated Verifier Signatures](http://arxiv.org/abs/2208.03781)
Summary:
IoT technology has been developing rapidly, while at the same time, it raises cybersecurity concerns. Mirai, a notorious IoT malware, is one of the representative threats; it infects many IoT devices and turns them into botnets, and the botnets rapidly spread infection over IoT networks. It seems hard to eliminate the chance of devices being infected with malware completely. Therefore, we believe it is essential to consider systems that enable us to remotely stop (or control) infected devices as soon as possible to prevent or limit malicious behaviors of infected devices. In this paper, we design a promising candidate for such remote-control systems, called IoT-REX (REemote-Control System for IoT devices). IoT-REX allows a systems manager to designate an arbitrary subset of all IoT devices in the system and generate authenticated information that contains any command the system manager wants. Every device can confirm whether or not the device itself was designated; if so, the device executes the command. Towards realizing IoT-REX, we introduce a novel cryptographic primitive called centralized multi-designated verifier signatures (CMDVS). Although CMDVS works under a restricted condition compared to conventional MDVS, it is sufficient for realizing IoT-REX. We provide an efficient CMDVS construction from any approximate membership query structures and digital signatures, yielding compact communication sizes and efficient verification procedures for IoT-REX.

Title: CoVault: A Secure Analytics Platform. (arXiv:2208.03784v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03784
Code URL: null
Copy Paste: [[2208.03784] CoVault: A Secure Analytics Platform](http://arxiv.org/abs/2208.03784)
Summary:
In a secure analytics platform, data sources consent to the exclusive use of their data for a pre-defined set of analytics queries performed by a specific group of analysts, and for a limited period. If the platform is secure under a sufficiently strong threat model, it can provide the missing link to enabling powerful analytics of sensitive personal data, by alleviating data subjects' concerns about leakage and misuse of data. For instance, many types of powerful analytics that benefit public health, mobility, infrastructure, finance, or sustainable energy can be made differentially private, thus alleviating concerns about privacy. However, no platform currently exists that is sufficiently secure to alleviate concerns about data leakage and misuse; as a result, many types of analytics that would be in the interest of data subjects and the public are not done. CoVault uses a new multi-party implementation of functional encryption (FE) for secure analytics, which relies on a unique combination of secret sharing, multi-party secure computation (MPC), and different trusted execution environments (TEEs). CoVault is secure under a very strong threat model that tolerates compromise and side-channel attacks on any one of a small set of parties and their TEEs. Despite the cost of MPC, we show that CoVault scales to very large data sizes using map-reduce based query parallelization. For example, we show that CoVault can perform queries relevant to epidemic analytics at scale.

Title: HWGN2: Side-channel Protected Neural Networks through Secure and Private Function Evaluation. (arXiv:2208.03806v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03806
Code URL: null
Copy Paste: [[2208.03806] HWGN2: Side-channel Protected Neural Networks through Secure and Private Function Evaluation](http://arxiv.org/abs/2208.03806)
Summary:
Recent work has highlighted the risks of intellectual property (IP) piracy of deep learning (DL) models from the side-channel leakage of DL hardware accelerators. In response, to provide side-channel leakage resiliency to DL hardware accelerators, several approaches have been proposed, mainly borrowed from the methodologies devised for cryptographic implementations. Therefore, as expected, the same challenges posed by the complex design of such countermeasures should be dealt with. This is despite the fact that fundamental cryptographic approaches, specifically secure and private function evaluation, could potentially improve the robustness against side-channel leakage. To examine this and weigh the costs and benefits, we introduce hardware garbled NN (HWGN2), a DL hardware accelerator implemented on FPGA. HWGN2 also provides NN designers with the flexibility to protect their IP in real-time applications, where hardware resources are heavily constrained, through a hardware-communication cost trade-off. Concretely, we apply garbled circuits, implemented using a MIPS architecture that achieves up to 62.5x fewer logical and 66x less memory utilization than the state-of-the-art approaches at the price of communication overhead. Further, the side-channel resiliency of HWGN2 is demonstrated by employing the test vector leakage assessment (TVLA) test against both power and electromagnetic side-channels. This is in addition to the inherent feature of HWGN2: it ensures the privacy of users' input, including the architecture of NNs. We also demonstrate a natural extension to the malicious security modeljust as a by-product of our implementation.

security

Title: Video-based Human Action Recognition using Deep Learning: A Review. (arXiv:2208.03775v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03775
Code URL: null
Copy Paste: [[2208.03775] Video-based Human Action Recognition using Deep Learning: A Review](http://arxiv.org/abs/2208.03775)
Summary:
Human action recognition is an important application domain in computer vision. Its primary aim is to accurately describe human actions and their interactions from a previously unseen data sequence acquired by sensors. The ability to recognize, understand, and predict complex human actions enables the construction of many important applications such as intelligent surveillance systems, human-computer interfaces, health care, security, and military applications. In recent years, deep learning has been given particular attention by the computer vision community. This paper presents an overview of the current state-of-the-art in action recognition using video analysis with deep learning techniques. We present the most important deep learning models for recognizing human actions, and analyze them to provide the current progress of deep learning algorithms applied to solve human action recognition problems in realistic videos highlighting their advantages and disadvantages. Based on the quantitative analysis using recognition accuracies reported in the literature, our study identifies state-of-the-art deep architectures in action recognition and then provides current trends and open problems for future works in this field.

Title: LCCDE: A Decision-Based Ensemble Framework for Intrusion Detection in The Internet of Vehicles. (arXiv:2208.03399v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03399
Code URL: https://github.com/Western-OC2-Lab/Intrusion-Detection-System-Using-Machine-Learning
Copy Paste: [[2208.03399] LCCDE: A Decision-Based Ensemble Framework for Intrusion Detection in The Internet of Vehicles](http://arxiv.org/abs/2208.03399)
Summary:
Modern vehicles, including autonomous vehicles and connected vehicles, have adopted an increasing variety of functionalities through connections and communications with other vehicles, smart devices, and infrastructures. However, the growing connectivity of the Internet of Vehicles (IoV) also increases the vulnerabilities to network attacks. To protect IoV systems against cyber threats, Intrusion Detection Systems (IDSs) that can identify malicious cyber-attacks have been developed using Machine Learning (ML) approaches. To accurately detect various types of attacks in IoV networks, we propose a novel ensemble IDS framework named Leader Class and Confidence Decision Ensemble (LCCDE). It is constructed by determining the best-performing ML model among three advanced ML algorithms (XGBoost, LightGBM, and CatBoost) for every class or type of attack. The class leader models with their prediction confidence values are then utilized to make accurate decisions regarding the detection of various types of cyber-attacks. Experiments on two public IoV security datasets (Car-Hacking and CICIDS2017 datasets) demonstrate the effectiveness of the proposed LCCDE for intrusion detection on both intra-vehicle and external networks.

Title: PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?. (arXiv:2208.03412v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03412
Code URL: null
Copy Paste: [[2208.03412] PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?](http://arxiv.org/abs/2208.03412)
Summary:
The OpenSSF Scorecard project is an automated tool to monitor the security health of open source software. We used the tool to understand the security practices and gaps in npm and PyPI ecosystems and to confirm the applicability of the Scorecard tool.

Title: Towards Interdependent Safety Security Assessments using Bowties. (arXiv:2208.03484v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03484
Code URL: null
Copy Paste: [[2208.03484] Towards Interdependent Safety Security Assessments using Bowties](http://arxiv.org/abs/2208.03484)
Summary:
We present a way to combine security and safety assessments using Bowtie Diagrams. Bowties model both the causes leading up to a central failure event and consequences which arise from that event, as well as barriers which impede events. Bowties have previously been used separately for security and safety assessments, but we suggest that a unified treatment in a single model can elegantly capture safety-security interdependencies of several kinds. We showcase our approach with the example of the October 2021 Facebook DNS shutdown, examining the chains of events and the interplay between the security and safety barriers which caused the outage.

Title: "All of them claim to be the best": Multi-perspective study of VPN users and VPN providers. (arXiv:2208.03505v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03505
Code URL: null
Copy Paste: [[2208.03505] "All of them claim to be the best": Multi-perspective study of VPN users and VPN providers](http://arxiv.org/abs/2208.03505)
Summary:
As more users adopt VPNs for a variety of reasons, it is important to develop empirical knowledge of their needs and mental models of what a VPN offers. Moreover, studying VPN users alone is not enough because, in using a VPN, a user essentially transfers trust, say from their network provider, onto the VPN provider. To that end, we are the first to study the VPN ecosystem from both the users' and the providers' perspectives. In this paper, we conduct a quantitative survey of 1,252 VPN users in the U.S. and qualitative interviews of nine providers to answer several research questions regarding the motivations, needs, threat model, and mental model of users and the key challenges and insights from VPN providers. We create novel insights by augmenting our multi-perspective results, and highlight cases where the user and provider perspectives are misaligned. Alarmingly, we find that users rely on and trust VPN review sites, but VPN providers shed light on how they are mostly motivated by money. Worryingly, we find that users have flawed mental models about the protection VPNs provide, and about the data collected by VPNs. We present actionable recommendations for technologists and security and privacy advocates by identifying potential areas to focus efforts and improve the VPN ecosystem.

Title: MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware. (arXiv:2208.03528v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03528
Code URL: null
Copy Paste: [[2208.03528] MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware](http://arxiv.org/abs/2208.03528)
Summary:
In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.

Title: Cyber Pirates Ahoy! An Analysis of Cybersecurity Challenges in the Shipping Industry. (arXiv:2208.03607v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03607
Code URL: null
Copy Paste: [[2208.03607] Cyber Pirates Ahoy! An Analysis of Cybersecurity Challenges in the Shipping Industry](http://arxiv.org/abs/2208.03607)
Summary:
Maritime shipping has become a trillion-dollar industry that now impacts the economy of virtually every country around the world. It is therefore no surprise that countries and companies have spent billions of dollars to modernize shipping vessels and ports with various technologies. However, the implementation of these technologies has also caught the attention of cybercriminals. For example, a cyberattack on one shipping company resulted in nearly $300 millions in financial losses. Hence, this paper describes cybersecurity vulnerabilities present in the international shipping business. The contribution of this paper is the identification and dissection of cyber vulnerabilities specific to the shipping industry, along with how and why these potential vulnerabilities exist.

Title: Automatic Security Assessment of GitHub Actions Workflows. (arXiv:2208.03837v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03837
Code URL: https://github.com/Mobile-IoT-Security-Lab/GHAST
Copy Paste: [[2208.03837] Automatic Security Assessment of GitHub Actions Workflows](http://arxiv.org/abs/2208.03837)
Summary:
The demand for quick and reliable DevOps operations pushed distributors of repository platforms to implement workflows. Workflows allow automating code management operations directly on the repository hosting the software. However, this feature also introduces security issues that directly affect the repository, its content, and all the software supply chains in which the hosted code is involved in. Hence, an attack exploiting vulnerable workflows can affect disruptively large software ecosystems. To empirically assess the importance of this problem, in this paper, we focus on the de-facto main distributor (i.e., GitHub), and we developed a security assessment methodology for GitHub Actions workflows, which are widely adopted in software supply chains. We implemented the methodology in a tool (GHAST) and applied it on 50 open-source projects. The experimental results are worrisome as they allowed identifying a total of 24,905 security issues (all reported to the corresponding stakeholders), thereby indicating that the problem is open and demands further research and investigation.

Title: Simplifying Electronic Document Digital Signatures. (arXiv:2208.03951v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03951
Code URL: null
Copy Paste: [[2208.03951] Simplifying Electronic Document Digital Signatures](http://arxiv.org/abs/2208.03951)
Summary:
Electronic documents are typically signed using private keys and the matching digital certificate through a Public Key Infrastructure (PKI). Private keys must be kept in a safe place so they can be used multiple times. This makes private key management a critical component of PKI for which there is no foolproof answer. Existing solutions are often expensive and cumbersome. This work proposes issuing an irrevocable digital certificate for each new document to be signed. We demonstrate that an ephemeral key can be used with these certificates, eliminating the need to store private keys. We analyze the overhead caused by the requirement to generate new key pairs for each document, provide a security overview and show the advantages over the traditional model.

privacy

Title: DP$^2$-VAE: Differentially Private Pre-trained Variational Autoencoders. (arXiv:2208.03409v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03409
Code URL: null
Copy Paste: [[2208.03409] DP$^2$-VAE: Differentially Private Pre-trained Variational Autoencoders](http://arxiv.org/abs/2208.03409)
Summary:
Modern machine learning systems achieve great success when trained on large datasets. However, these datasets usually contain sensitive information (e.g. medical records, face images), leading to serious privacy concerns. Differentially private generative models (DPGMs) emerge as a solution to circumvent such privacy concerns by generating privatized sensitive data. Similar to other differentially private (DP) learners, the major challenge for DPGM is also how to achieve a subtle balance between utility and privacy. We propose DP$^2$-VAE, a novel training mechanism for variational autoencoders (VAE) with provable DP guarantees and improved utility via \emph{pre-training on private data}. Under the same DP constraints, DP$^2$-VAE minimizes the perturbation noise during training, and hence improves utility. DP$^2$-VAE is very flexible and easily amenable to many other VAE variants. Theoretically, we study the effect of pretraining on private data. Empirically, we conduct extensive experiments on image datasets to illustrate our superiority over baselines under various privacy budgets and evaluation metrics.

Title: Garbled EDA: Privacy Preserving Electronic Design Automation. (arXiv:2208.03822v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03822
Code URL: null
Copy Paste: [[2208.03822] Garbled EDA: Privacy Preserving Electronic Design Automation](http://arxiv.org/abs/2208.03822)
Summary:
The complexity of modern integrated circuits (ICs) necessitates collaboration between multiple distrusting parties, including thirdparty intellectual property (3PIP) vendors, design houses, CAD/EDA tool vendors, and foundries, which jeopardizes confidentiality and integrity of each party's IP. IP protection standards and the existing techniques proposed by researchers are ad hoc and vulnerable to numerous structural, functional, and/or side-channel attacks. Our framework, Garbled EDA, proposes an alternative direction through formulating the problem in a secure multi-party computation setting, where the privacy of IPs, CAD tools, and process design kits (PDKs) is maintained. As a proof-of-concept, Garbled EDA is evaluated in the context of simulation, where multiple IP description formats (Verilog, C, S) are supported. Our results demonstrate a reasonable logical-resource cost and negligible memory overhead. To further reduce the overhead, we present another efficient implementation methodology, feasible when the resource utilization is a bottleneck, but the communication between two parties is not restricted. Interestingly, this implementation is private and secure even in the presence of malicious adversaries attempting to, e.g., gain access to PDKs or in-house IPs of the CAD tool providers.

Title: Dataset Obfuscation: Its Applications to and Impacts on Edge Machine Learning. (arXiv:2208.03909v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03909
Code URL: null
Copy Paste: [[2208.03909] Dataset Obfuscation: Its Applications to and Impacts on Edge Machine Learning](http://arxiv.org/abs/2208.03909)
Summary:
Obfuscating a dataset by adding random noises to protect the privacy of sensitive samples in the training dataset is crucial to prevent data leakage to untrusted parties for edge applications. We conduct comprehensive experiments to investigate how the dataset obfuscation can affect the resultant model weights - in terms of the model accuracy, Frobenius-norm (F-norm)-based model distance, and level of data privacy - and discuss the potential applications with the proposed Privacy, Utility, and Distinguishability (PUD)-triangle diagram to visualize the requirement preferences. Our experiments are based on the popular MNIST and CIFAR-10 datasets under both independent and identically distributed (IID) and non-IID settings. Significant results include a trade-off between the model accuracy and privacy level and a trade-off between the model difference and privacy level. The results indicate broad application prospects for training outsourcing in edge computing and guarding against attacks in Federated Learning among edge devices.

protect

defense

attack

Title: Blackbox Attacks via Surrogate Ensemble Search. (arXiv:2208.03610v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03610
Code URL: null
Copy Paste: [[2208.03610] Blackbox Attacks via Surrogate Ensemble Search](http://arxiv.org/abs/2208.03610)
Summary:
Blackbox adversarial attacks can be categorized into transfer- and query-based attacks. Transfer methods do not require any feedback from the victim model, but provide lower success rates compared to query-based methods. Query attacks often require a large number of queries for success. To achieve the best of both approaches, recent efforts have tried to combine them, but still require hundreds of queries to achieve high success rates (especially for targeted attacks). In this paper, we propose a novel method for blackbox attacks via surrogate ensemble search (BASES) that can generate highly successful blackbox attacks using an extremely small number of queries. We first define a perturbation machine that generates a perturbed image by minimizing a weighted loss function over a fixed set of surrogate models. To generate an attack for a given victim model, we search over the weights in the loss function using queries generated by the perturbation machine. Since the dimension of the search space is small (same as the number of surrogate models), the search requires a small number of queries. We demonstrate that our proposed method achieves better success rate with at least 30x fewer queries compared to state-of-the-art methods on different image classifiers trained with ImageNet (including VGG-19, DenseNet-121, and ResNext-50). In particular, our method requires as few as 3 queries per image (on average) to achieve more than a 90% success rate for targeted attacks and 1-2 queries per image for over a 99% success rate for non-targeted attacks. Our method is also effective on Google Cloud Vision API and achieved a 91% non-targeted attack success rate with 2.9 queries per image. We also show that the perturbations generated by our proposed method are highly transferable and can be adopted for hard-label blackbox attacks.

Title: Multi-Frames Temporal Abnormal Clues Learning Method for Face Anti-Spoofing. (arXiv:2208.04076v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.04076
Code URL: null
Copy Paste: [[2208.04076] Multi-Frames Temporal Abnormal Clues Learning Method for Face Anti-Spoofing](http://arxiv.org/abs/2208.04076)
Summary:
Face anti-spoofing researches are widely used in face recognition and has received more attention from industry and academics. In this paper, we propose the EulerNet, a new temporal feature fusion network in which the differential filter and residual pyramid are used to extract and amplify abnormal clues from continuous frames, respectively. A lightweight sample labeling method based on face landmarks is designed to label large-scale samples at a lower cost and has better results than other methods such as 3D camera. Finally, we collect 30,000 live and spoofing samples using various mobile ends to create a dataset that replicates various forms of attacks in a real-world setting. Extensive experiments on public OULU-NPU show that our algorithm is superior to the state of art and our solution has already been deployed in real-world systems servicing millions of users.

Title: Adversarial Attacks on Image Generation With Made-Up Words. (arXiv:2208.04135v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.04135
Code URL: null
Copy Paste: [[2208.04135] Adversarial Attacks on Image Generation With Made-Up Words](http://arxiv.org/abs/2208.04135)
Summary:
Text-guided image generation models can be prompted to generate images using nonce words adversarially designed to robustly evoke specific visual concepts. Two approaches for such generation are introduced: macaronic prompting, which involves designing cryptic hybrid words by concatenating subword units from different languages; and evocative prompting, which involves designing nonce words whose broad morphological features are similar enough to that of existing words to trigger robust visual associations. The two methods can also be combined to generate images associated with more specific visual concepts. The implications of these techniques for the circumvention of existing approaches to content moderation, and particularly the generation of offensive or harmful images, are discussed.

Title: Differential biases, $c$-differential uniformity, and their relation to differential attacks. (arXiv:2208.03884v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03884
Code URL: null
Copy Paste: [[2208.03884] Differential biases, $c$-differential uniformity, and their relation to differential attacks](http://arxiv.org/abs/2208.03884)
Summary:
Differential cryptanalysis famously uses statistical biases in the propagation of differences in a block cipher to attack the cipher. In this paper, we investigate the existence of more general statistical biases in the differences. To this end, we discuss the $c$-differential uniformity of S-boxes, which is a concept that was recently introduced in Ellingsen et. al. to measure certain statistical biases that could potentially be used in attacks similar to differential attacks. Firstly, we prove that a large class of potential candidates for S-boxes necessarily has large $c$-differential uniformity for all but at most $B$ choices of $c$, where $B$ is a constant independent of the size of the finite field $q$. This result implies that for a large class of functions, certain statistical differential biases are inevitable.

In a second part, we discuss the practical possibility of designing a differential attack based on weaknesses of S-boxes related to their $c$-differential uniformity.

robust

Title: Slice-level Detection of Intracranial Hemorrhage on CT Using Deep Descriptors of Adjacent Slices. (arXiv:2208.03403v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03403
Code URL: null
Copy Paste: [[2208.03403] Slice-level Detection of Intracranial Hemorrhage on CT Using Deep Descriptors of Adjacent Slices](http://arxiv.org/abs/2208.03403)
Summary:
The rapid development in representation learning techniques and the availability of large-scale medical imaging data have to a rapid increase in the use of machine learning in the 3D medical image analysis. In particular, deep convolutional neural networks (D-CNNs) have been key players and were adopted by the medical imaging community to assist clinicians and medical experts in disease diagnosis. However, training deep neural networks such as D-CNN on high-resolution 3D volumes of Computed Tomography (CT) scans for diagnostic tasks poses formidable computational challenges. This raises the need of developing deep learning-based approaches that are robust in learning representations in 2D images, instead 3D scans. In this paper, we propose a new strategy to train \emph{slice-level} classifiers on CT scans based on the descriptors of the adjacent slices along the axis. In particular, each of which is extracted through a convolutional neural network (CNN). This method is applicable to CT datasets with per-slice labels such as the RSNA Intracranial Hemorrhage (ICH) dataset, which aims to predict the presence of ICH and classify it into 5 different sub-types. We obtain a single model in the top 4\% best-performing solutions of the RSNA ICH challenge, where model ensembles are allowed. Experiments also show that the proposed method significantly outperforms the baseline model on CQ500. The proposed method is general and can be applied for other 3D medical diagnosis tasks such as MRI imaging. To encourage new advances in the field, we will make our codes and pre-trained model available upon acceptance of the paper.

Title: Exploring the Effects of Data Augmentation for Drivable Area Segmentation. (arXiv:2208.03437v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03437
Code URL: null
Copy Paste: [[2208.03437] Exploring the Effects of Data Augmentation for Drivable Area Segmentation](http://arxiv.org/abs/2208.03437)
Summary:
The real-time segmentation of drivable areas plays a vital role in accomplishing autonomous perception in cars. Recently there have been some rapid strides in the development of image segmentation models using deep learning. However, most of the advancements have been made in model architecture design. In solving any supervised deep learning problem related to segmentation, the success of the model that one builds depends upon the amount and quality of input training data we use for that model. This data should contain well-annotated varied images for better working of the segmentation model. Issues like this pertaining to annotations in a dataset can lead the model to conclude with overwhelming Type I and II errors in testing and validation, causing malicious issues when trying to tackle real world problems. To address this problem and to make our model more accurate, dynamic, and robust, data augmentation comes into usage as it helps in expanding our sample training data and making it better and more diversified overall. Hence, in our study, we focus on investigating the benefits of data augmentation by analyzing pre-existing image datasets and performing augmentations accordingly. Our results show that the performance and robustness of existing state of the art (or SOTA) models can be increased dramatically without any increase in model complexity or inference time. The augmentations decided on and used in this paper were decided only after thorough research of several other augmentation methodologies and strategies and their corresponding effects that are in widespread usage today. All our results are being reported on the widely used Cityscapes Dataset.

Title: AFE-CNN: 3D Skeleton-based Action Recognition with Action Feature Enhancement. (arXiv:2208.03444v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03444
Code URL: null
Copy Paste: [[2208.03444] AFE-CNN: 3D Skeleton-based Action Recognition with Action Feature Enhancement](http://arxiv.org/abs/2208.03444)
Summary:
Existing 3D skeleton-based action recognition approaches reach impressive performance by encoding handcrafted action features to image format and decoding by CNNs. However, such methods are limited in two ways: a) the handcrafted action features are difficult to handle challenging actions, and b) they generally require complex CNN models to improve action recognition accuracy, which usually occur heavy computational burden. To overcome these limitations, we introduce a novel AFE-CNN, which devotes to enhance the features of 3D skeleton-based actions to adapt to challenging actions. We propose feature enhance modules from key joint, bone vector, key frame and temporal perspectives, thus the AFE-CNN is more robust to camera views and body sizes variation, and significantly improve the recognition accuracy on challenging actions. Moreover, our AFE-CNN adopts a light-weight CNN model to decode images with action feature enhanced, which ensures a much lower computational burden than the state-of-the-art methods. We evaluate the AFE-CNN on three benchmark skeleton-based action datasets: NTU RGB+D, NTU RGB+D 120, and UTKinect-Action3D, with extensive experimental results demonstrate our outstanding performance of AFE-CNN.

Title: Contrastive Positive Mining for Unsupervised 3D Action Representation Learning. (arXiv:2208.03497v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03497
Code URL: null
Copy Paste: [[2208.03497] Contrastive Positive Mining for Unsupervised 3D Action Representation Learning](http://arxiv.org/abs/2208.03497)
Summary:
Recent contrastive based 3D action representation learning has made great progress. However, the strict positive/negative constraint is yet to be relaxed and the use of non-self positive is yet to be explored. In this paper, a Contrastive Positive Mining (CPM) framework is proposed for unsupervised skeleton 3D action representation learning. The CPM identifies non-self positives in a contextual queue to boost learning. Specifically, the siamese encoders are adopted and trained to match the similarity distributions of the augmented instances in reference to all instances in the contextual queue. By identifying the non-self positive instances in the queue, a positive-enhanced learning strategy is proposed to leverage the knowledge of mined positives to boost the robustness of the learned latent space against intra-class and inter-class diversity. Experimental results have shown that the proposed CPM is effective and outperforms the existing state-of-the-art unsupervised methods on the challenging NTU and PKU-MMD datasets.

Title: Multiplex-detection Based Multiple Instance Learning Network for Whole Slide Image Classification. (arXiv:2208.03526v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03526
Code URL: null
Copy Paste: [[2208.03526] Multiplex-detection Based Multiple Instance Learning Network for Whole Slide Image Classification](http://arxiv.org/abs/2208.03526)
Summary:
Multiple instance learning (MIL) is a powerful approach to classify whole slide images (WSIs) for diagnostic pathology. A fundamental challenge of MIL on WSI classification is to discover the \textit{critical instances} that trigger the bag label. However, previous methods are primarily designed under the independent and identical distribution hypothesis (\textit{i.i.d}), ignoring either the correlations between instances or heterogeneity of tumours. In this paper, we propose a novel multiplex-detection-based multiple instance learning (MDMIL) to tackle the issues above. Specifically, MDMIL is constructed by the internal query generation module (IQGM) and the multiplex detection module (MDM) and assisted by the memory-based contrastive loss during training. Firstly, IQGM gives the probability of instances and generates the internal query (IQ) for the subsequent MDM by aggregating highly reliable features after the distribution analysis. Secondly, the multiplex-detection cross-attention (MDCA) and multi-head self-attention (MHSA) in MDM cooperate to generate the final representations for the WSI. In this process, the IQ and trainable variational query (VQ) successfully build up the connections between instances and significantly improve the model's robustness toward heterogeneous tumours. At last, to further enforce constraints in the feature space and stabilize the training process, we adopt a memory-based contrastive loss, which is practicable for WSI classification even with a single sample as input in each iteration. We conduct experiments on three computational pathology datasets, e.g., CAMELYON16, TCGA-NSCLC, and TCGA-RCC datasets. The superior accuracy and AUC demonstrate the superiority of our proposed MDMIL over other state-of-the-art methods.

Title: Robust Multi-Object Tracking by Marginal Inference. (arXiv:2208.03727v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03727
Code URL: null
Copy Paste: [[2208.03727] Robust Multi-Object Tracking by Marginal Inference](http://arxiv.org/abs/2208.03727)
Summary:
Multi-object tracking in videos requires to solve a fundamental problem of one-to-one assignment between objects in adjacent frames. Most methods address the problem by first discarding impossible pairs whose feature distances are larger than a threshold, followed by linking objects using Hungarian algorithm to minimize the overall distance. However, we find that the distribution of the distances computed from Re-ID features may vary significantly for different videos. So there isn't a single optimal threshold which allows us to safely discard impossible pairs. To address the problem, we present an efficient approach to compute a marginal probability for each pair of objects in real time. The marginal probability can be regarded as a normalized distance which is significantly more stable than the original feature distance. As a result, we can use a single threshold for all videos. The approach is general and can be applied to the existing trackers to obtain about one point improvement in terms of IDF1 metric. It achieves competitive results on MOT17 and MOT20 benchmarks. In addition, the computed probability is more interpretable which facilitates subsequent post-processing operations.

Title: Fine-Grained Egocentric Hand-Object Segmentation: Dataset, Model, and Applications. (arXiv:2208.03826v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03826
Code URL: https://github.com/owenzlz/egohos
Copy Paste: [[2208.03826] Fine-Grained Egocentric Hand-Object Segmentation: Dataset, Model, and Applications](http://arxiv.org/abs/2208.03826)
Summary:
Egocentric videos offer fine-grained information for high-fidelity modeling of human behaviors. Hands and interacting objects are one crucial aspect of understanding a viewer's behaviors and intentions. We provide a labeled dataset consisting of 11,243 egocentric images with per-pixel segmentation labels of hands and objects being interacted with during a diverse array of daily activities. Our dataset is the first to label detailed hand-object contact boundaries. We introduce a context-aware compositional data augmentation technique to adapt to out-of-distribution YouTube egocentric video. We show that our robust hand-object segmentation model and dataset can serve as a foundational tool to boost or enable several downstream vision applications, including hand state classification, video activity recognition, 3D mesh reconstruction of hand-object interactions, and video inpainting of hand-object foregrounds in egocentric videos. Dataset and code are available at: https://github.com/owenzlz/EgoHOS

Title: RadSegNet: A Reliable Approach to Radar Camera Fusion. (arXiv:2208.03849v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03849
Code URL: null
Copy Paste: [[2208.03849] RadSegNet: A Reliable Approach to Radar Camera Fusion](http://arxiv.org/abs/2208.03849)
Summary:
Perception systems for autonomous driving have seen significant advancements in their performance over last few years. However, these systems struggle to show robustness in extreme weather conditions because sensors like lidars and cameras, which are the primary sensors in a sensor suite, see a decline in performance under these conditions. In order to solve this problem, camera-radar fusion systems provide a unique opportunity for all weather reliable high quality perception. Cameras provides rich semantic information while radars can work through occlusions and in all weather conditions. In this work, we show that the state-of-the-art fusion methods perform poorly when camera input is degraded, which essentially results in losing the all-weather reliability they set out to achieve. Contrary to these approaches, we propose a new method, RadSegNet, that uses a new design philosophy of independent information extraction and truly achieves reliability in all conditions, including occlusions and adverse weather. We develop and validate our proposed system on the benchmark Astyx dataset and further verify these results on the RADIATE dataset. When compared to state-of-the-art methods, RadSegNet achieves a 27% improvement on Astyx and 41.46% increase on RADIATE, in average precision score and maintains a significantly better performance in adverse weather conditions

Title: Adversarial robustness of $\beta-$VAE through the lens of local geometry. (arXiv:2208.03923v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03923
Code URL: null
Copy Paste: [[2208.03923] Adversarial robustness of $\beta-$VAE through the lens of local geometry](http://arxiv.org/abs/2208.03923)
Summary:
Variational autoencoders (VAEs) are susceptible to adversarial attacks. An adversary can find a small perturbation in the input sample to change its latent encoding non-smoothly, thereby compromising the reconstruction. A known reason for such vulnerability is the latent space distortions arising from a mismatch between approximated latent posterior and a prior distribution. Consequently, a slight change in the inputs leads to a significant change in the latent space encodings. This paper demonstrates that the sensitivity around a data point is due to a directional bias of a stochastic pullback metric tensor induced by the encoder network. The pullback metric tensor measures the infinitesimal volume change from input to latent space. Thus, it can be viewed as a lens to analyse the effect of small changes in the input leading to distortions in the latent space. We propose robustness evaluation scores using the eigenspectrum of a pullback metric. Moreover, we empirically show that the scores correlate with the robustness parameter $\beta$ of the $\beta-$VAE.

Title: Abutting Grating Illusion: Cognitive Challenge to Neural Network Models. (arXiv:2208.03958v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03958
Code URL: null
Copy Paste: [[2208.03958] Abutting Grating Illusion: Cognitive Challenge to Neural Network Models](http://arxiv.org/abs/2208.03958)
Summary:
Even the state-of-the-art deep learning models lack fundamental abilities compared to humans. Multiple comparison paradigms have been proposed to explore the distinctions between humans and deep learning. While most comparisons rely on corruptions inspired by mathematical transformations, very few have bases on human cognitive phenomena. In this study, we propose a novel corruption method based on the abutting grating illusion, which is a visual phenomenon widely discovered in both human and a wide range of animal species. The corruption method destroys the gradient-defined boundaries and generates the perception of illusory contours using line gratings abutting each other. We applied the method on MNIST, high resolution MNIST, and silhouette object images. Various deep learning models are tested on the corruption, including models trained from scratch and 109 models pretrained with ImageNet or various data augmentation techniques. Our results show that abutting grating corruption is challenging even for state-of-the-art deep learning models because most models are randomly guessing. We also discovered that the DeepAugment technique can greatly improve robustness against abutting grating illusion. Visualisation of early layers indicates that better performing models exhibit stronger end-stopping property, which is consistent with neuroscience discoveries. To validate the corruption method, 24 human subjects are involved to classify samples of corrupted datasets.

Title: MetaGraspNet: A Large-Scale Benchmark Dataset for Scene-Aware Ambidextrous Bin Picking via Physics-based Metaverse Synthesis. (arXiv:2208.03963v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03963
Code URL: null
Copy Paste: [[2208.03963] MetaGraspNet: A Large-Scale Benchmark Dataset for Scene-Aware Ambidextrous Bin Picking via Physics-based Metaverse Synthesis](http://arxiv.org/abs/2208.03963)
Summary:
Autonomous bin picking poses significant challenges to vision-driven robotic systems given the complexity of the problem, ranging from various sensor modalities, to highly entangled object layouts, to diverse item properties and gripper types. Existing methods often address the problem from one perspective. Diverse items and complex bin scenes require diverse picking strategies together with advanced reasoning. As such, to build robust and effective machine-learning algorithms for solving this complex task requires significant amounts of comprehensive and high quality data. Collecting such data in real world would be too expensive and time prohibitive and therefore intractable from a scalability perspective. To tackle this big, diverse data problem, we take inspiration from the recent rise in the concept of metaverses, and introduce MetaGraspNet, a large-scale photo-realistic bin picking dataset constructed via physics-based metaverse synthesis. The proposed dataset contains 217k RGBD images across 82 different article types, with full annotations for object detection, amodal perception, keypoint detection, manipulation order and ambidextrous grasp labels for a parallel-jaw and vacuum gripper. We also provide a real dataset consisting of over 2.3k fully annotated high-quality RGBD images, divided into 5 levels of difficulties and an unseen object set to evaluate different object and layout properties. Finally, we conduct extensive experiments showing that our proposed vacuum seal model and synthetic dataset achieves state-of-the-art performance and generalizes to real world use-cases.

Title: Deep Computational Model for the Inference of Ventricular Activation Properties. (arXiv:2208.04028v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.04028
Code URL: null
Copy Paste: [[2208.04028] Deep Computational Model for the Inference of Ventricular Activation Properties](http://arxiv.org/abs/2208.04028)
Summary:
Patient-specific cardiac computational models are essential for the efficient realization of precision medicine and in-silico clinical trials using digital twins. Cardiac digital twins can provide non-invasive characterizations of cardiac functions for individual patients, and therefore are promising for the patient-specific diagnosis and therapy stratification. However, current workflows for both the anatomical and functional twinning phases, referring to the inference of model anatomy and parameter from clinical data, are not sufficiently efficient, robust, and accurate. In this work, we propose a deep learning based patient-specific computational model, which can fuse both anatomical and electrophysiological information for the inference of ventricular activation properties, i.e., conduction velocities and root nodes. The activation properties can provide a quantitative assessment of cardiac electrophysiological function for the guidance of interventional procedures. We employ the Eikonal model to generate simulated electrocardiogram (ECG) with ground truth properties to train the inference model, where specific patient information has also been considered. For evaluation, we test the model on the simulated data and obtain generally promising results with fast computational time.

Title: Towards Semantic Communications: Deep Learning-Based Image Semantic Coding. (arXiv:2208.04094v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.04094
Code URL: null
Copy Paste: [[2208.04094] Towards Semantic Communications: Deep Learning-Based Image Semantic Coding](http://arxiv.org/abs/2208.04094)
Summary:
Semantic communications has received growing interest since it can remarkably reduce the amount of data to be transmitted without missing critical information. Most existing works explore the semantic encoding and transmission for text and apply techniques in Natural Language Processing (NLP) to interpret the meaning of the text. In this paper, we conceive the semantic communications for image data that is much more richer in semantics and bandwidth sensitive. We propose an reinforcement learning based adaptive semantic coding (RL-ASC) approach that encodes images beyond pixel level. Firstly, we define the semantic concept of image data that includes the category, spatial arrangement, and visual feature as the representation unit, and propose a convolutional semantic encoder to extract semantic concepts. Secondly, we propose the image reconstruction criterion that evolves from the traditional pixel similarity to semantic similarity and perceptual performance. Thirdly, we design a novel RL-based semantic bit allocation model, whose reward is the increase in rate-semantic-perceptual performance after encoding a certain semantic concept with adaptive quantization level. Thus, the task-related information is preserved and reconstructed properly while less important data is discarded. Finally, we propose the Generative Adversarial Nets (GANs) based semantic decoder that fuses both locally and globally features via an attention module. Experimental results demonstrate that the proposed RL-ASC is noise robust and could reconstruct visually pleasant and semantic consistent image, and saves times of bit cost compared to standard codecs and other deep learning-based image codecs.

Title: DALLE-URBAN: Capturing the urban design expertise of large text to image transformers. (arXiv:2208.04139v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.04139
Code URL: https://github.com/sachith500/dalleurban
Copy Paste: [[2208.04139] DALLE-URBAN: Capturing the urban design expertise of large text to image transformers](http://arxiv.org/abs/2208.04139)
Summary:
Automatically converting text descriptions into images using transformer architectures has recently received considerable attention. Such advances have implications for many applied design disciplines across fashion, art, architecture, urban planning, landscape design and the future tools available to such disciplines. However, a detailed analysis capturing the capabilities of such models, specifically with a focus on the built environment, has not been performed to date. In this work, we investigate the capabilities and biases of such text-to-image methods as it applies to the built environment in detail. We use a systematic grammar to generate queries related to the built environment and evaluate resulting generated images. We generate 1020 different images and find that text to image transformers are robust at generating realistic images across different domains for this use-case. Generated imagery can be found at the github: https://github.com/sachith500/DALLEURBAN

Title: Semantic Enhanced Text-to-SQL Parsing via Iteratively Learning Schema Linking Graph. (arXiv:2208.03903v1 [cs.CL])

Paper URL: http://arxiv.org/abs/2208.03903
Code URL: null
Copy Paste: [[2208.03903] Semantic Enhanced Text-to-SQL Parsing via Iteratively Learning Schema Linking Graph](http://arxiv.org/abs/2208.03903)
Summary:
The generalizability to new databases is of vital importance to Text-to-SQL systems which aim to parse human utterances into SQL statements. Existing works achieve this goal by leveraging the exact matching method to identify the lexical matching between the question words and the schema items. However, these methods fail in other challenging scenarios, such as the synonym substitution in which the surface form differs between the corresponding question words and schema items. In this paper, we propose a framework named ISESL-SQL to iteratively build a semantic enhanced schema-linking graph between question tokens and database schemas. First, we extract a schema linking graph from PLMs through a probing procedure in an unsupervised manner. Then the schema linking graph is further optimized during the training process through a deep graph learning method. Meanwhile, we also design an auxiliary task called graph regularization to improve the schema information mentioned in the schema-linking graph. Extensive experiments on three benchmarks demonstrate that ISESL-SQL could consistently outperform the baselines and further investigations show its generalizability and robustness.

Title: On the Fundamental Limits of Formally (Dis)Proving Robustness in Proof-of-Learning. (arXiv:2208.03567v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03567
Code URL: null
Copy Paste: [[2208.03567] On the Fundamental Limits of Formally (Dis)Proving Robustness in Proof-of-Learning](http://arxiv.org/abs/2208.03567)
Summary:
Proof-of-learning (PoL) proposes a model owner use machine learning training checkpoints to establish a proof of having expended the necessary compute for training. The authors of PoL forego cryptographic approaches and trade rigorous security guarantees for scalability to deep learning by being applicable to stochastic gradient descent and adaptive variants. This lack of formal analysis leaves the possibility that an attacker may be able to spoof a proof for a model they did not train.

We contribute a formal analysis of why the PoL protocol cannot be formally (dis)proven to be robust against spoofing adversaries. To do so, we disentangle the two roles of proof verification in PoL: (a) efficiently determining if a proof is a valid gradient descent trajectory, and (b) establishing precedence by making it more expensive to craft a proof after training completes (i.e., spoofing). We show that efficient verification results in a tradeoff between accepting legitimate proofs and rejecting invalid proofs because deep learning necessarily involves noise. Without a precise analytical model for how this noise affects training, we cannot formally guarantee if a PoL verification algorithm is robust. Then, we demonstrate that establishing precedence robustly also reduces to an open problem in learning theory: spoofing a PoL post hoc training is akin to finding different trajectories with the same endpoint in non-convex learning. Yet, we do not rigorously know if priori knowledge of the final model weights helps discover such trajectories.

We conclude that, until the aforementioned open problems are addressed, relying more heavily on cryptography is likely needed to formulate a new class of PoL protocols with formal robustness guarantees. In particular, this will help with establishing precedence. As a by-product of insights from our analysis, we also demonstrate two novel attacks against PoL.

Title: Robust and Imperceptible Black-box DNN Watermarking Based on Fourier Perturbation Analysis and Frequency Sensitivity Clustering. (arXiv:2208.03944v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03944
Code URL: null
Copy Paste: [[2208.03944] Robust and Imperceptible Black-box DNN Watermarking Based on Fourier Perturbation Analysis and Frequency Sensitivity Clustering](http://arxiv.org/abs/2208.03944)
Summary:
Recently, more and more attention has been focused on the intellectual property protection of deep neural networks (DNNs), promoting DNN watermarking to become a hot research topic. Compared with embedding watermarks directly into DNN parameters, inserting trigger-set watermarks enables us to verify the ownership without knowing the internal details of the DNN, which is more suitable for application scenarios. The cost is we have to carefully craft the trigger samples. Mainstream methods construct the trigger samples by inserting a noticeable pattern to the clean samples in the spatial domain, which does not consider sample imperceptibility, sample robustness and model robustness, and therefore has limited the watermarking performance and the model generalization. It has motivated the authors in this paper to propose a novel DNN watermarking method based on Fourier perturbation analysis and frequency sensitivity clustering. First, we analyze the perturbation impact of different frequency components of the input sample on the task functionality of the DNN by applying random perturbation. Then, by K-means clustering, we determine the frequency components that result in superior watermarking performance for crafting the trigger samples. Our experiments show that the proposed work not only maintains the performance of the DNN on its original task, but also provides better watermarking performance compared with related works.

Title: Discovery of partial differential equations from highly noisy and sparse data with physics-informed information criterion. (arXiv:2208.03322v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03322
Code URL: https://github.com/woshixuhao/pic_code
Copy Paste: [[2208.03322] Discovery of partial differential equations from highly noisy and sparse data with physics-informed information criterion](http://arxiv.org/abs/2208.03322)
Summary:
Data-driven discovery of PDEs has made tremendous progress recently, and many canonical PDEs have been discovered successfully for proof-of-concept. However, determining the most proper PDE without prior references remains challenging in terms of practical applications. In this work, a physics-informed information criterion (PIC) is proposed to measure the parsimony and precision of the discovered PDE synthetically. The proposed PIC achieves state-of-the-art robustness to highly noisy and sparse data on seven canonical PDEs from different physical scenes, which confirms its ability to handle difficult situations. The PIC is also employed to discover unrevealed macroscale governing equations from microscopic simulation data in an actual physical scene. The results show that the discovered macroscale PDE is precise and parsimonious, and satisfies underlying symmetries, which facilitates understanding and simulation of the physical process. The proposition of PIC enables practical applications of PDE discovery in discovering unrevealed governing equations in broader physical scenes.

Title: How Adversarial Robustness Transfers from Pre-training to Downstream Tasks. (arXiv:2208.03835v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03835
Code URL: null
Copy Paste: [[2208.03835] How Adversarial Robustness Transfers from Pre-training to Downstream Tasks](http://arxiv.org/abs/2208.03835)
Summary:
Given the rise of large-scale training regimes, adapting pre-trained models to a wide range of downstream tasks has become a standard approach in machine learning. While large benefits in empirical performance have been observed, it is not yet well understood how robustness properties transfer from a pre-trained model to a downstream task. We prove that the robustness of a predictor on downstream tasks can be bound by the robustness of its underlying representation, irrespective of the pre-training protocol. Taken together, our results precisely characterize what is required of the representation function for reliable performance upon deployment.

Title: Towards Robust Deep Learning using Entropic Losses. (arXiv:2208.03566v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03566
Code URL: null
Copy Paste: [[2208.03566] Towards Robust Deep Learning using Entropic Losses](http://arxiv.org/abs/2208.03566)
Summary:
Current deep learning solutions are well known for not informing whether they can reliably classify an example during inference. One of the most effective ways to build more reliable deep learning solutions is to improve their performance in the so-called out-of-distribution detection task, which essentially consists of "know that you do not know" or "know the unknown". In other words, out-of-distribution detection capable systems may reject performing a nonsense classification when submitted to instances of classes on which the neural network was not trained. This thesis tackles the defiant out-of-distribution detection task by proposing novel loss functions and detection scores. Uncertainty estimation is also a crucial auxiliary task in building more robust deep learning systems. Therefore, we also deal with this robustness-related task, which evaluates how realistic the probabilities presented by the deep neural network are. To demonstrate the effectiveness of our approach, in addition to a substantial set of experiments, which includes state-of-the-art results, we use arguments based on the principle of maximum entropy to establish the theoretical foundation of the proposed approaches. Unlike most current methods, our losses and scores are seamless and principled solutions that produce accurate predictions in addition to fast and efficient inference. Moreover, our approaches can be incorporated into current and future projects simply by replacing the loss used to train the deep neural network and computing a rapid score for detection.

Title: A Game-Theoretic Perspective of Generalization in Reinforcement Learning. (arXiv:2208.03650v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03650
Code URL: null
Copy Paste: [[2208.03650] A Game-Theoretic Perspective of Generalization in Reinforcement Learning](http://arxiv.org/abs/2208.03650)
Summary:
Generalization in reinforcement learning (RL) is of importance for real deployment of RL algorithms. Various schemes are proposed to address the generalization issues, including transfer learning, multi-task learning and meta learning, as well as the robust and adversarial reinforcement learning. However, there is not a unified formulation of the various schemes, as well as the comprehensive comparisons of methods across different schemes. In this work, we propose a game-theoretic framework for the generalization in reinforcement learning, named GiRL, where an RL agent is trained against an adversary over a set of tasks, where the adversary can manipulate the distributions over tasks within a given threshold. With different configurations, GiRL can reduce the various schemes mentioned above. To solve GiRL, we adapt the widely-used method in game theory, policy space response oracle (PSRO) with the following three important modifications: i) we use model-agnostic meta learning (MAML) as the best-response oracle, ii) we propose a modified projected replicated dynamics, i.e., R-PRD, which ensures the computed meta-strategy of the adversary fall in the threshold, and iii) we also propose a protocol for the few-shot learning of the multiple strategies during testing. Extensive experiments on MuJoCo environments demonstrate that our proposed methods can outperform existing baselines, e.g., MAML.

Title: Robust Training and Verification of Implicit Neural Networks: A Non-Euclidean Contractive Approach. (arXiv:2208.03889v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03889
Code URL: null
Copy Paste: [[2208.03889] Robust Training and Verification of Implicit Neural Networks: A Non-Euclidean Contractive Approach](http://arxiv.org/abs/2208.03889)
Summary:
This paper proposes a theoretical and computational framework for training and robustness verification of implicit neural networks based upon non-Euclidean contraction theory. The basic idea is to cast the robustness analysis of a neural network as a reachability problem and use (i) the $\ell_{\infty}$-norm input-output Lipschitz constant and (ii) the tight inclusion function of the network to over-approximate its reachable sets. First, for a given implicit neural network, we use $\ell_{\infty}$-matrix measures to propose sufficient conditions for its well-posedness, design an iterative algorithm to compute its fixed points, and provide upper bounds for its $\ell_\infty$-norm input-output Lipschitz constant. Second, we introduce a related embedded network and show that the embedded network can be used to provide an $\ell_\infty$-norm box over-approximation of the reachable sets of the original network. Moreover, we use the embedded network to design an iterative algorithm for computing the upper bounds of the original system's tight inclusion function. Third, we use the upper bounds of the Lipschitz constants and the upper bounds of the tight inclusion functions to design two algorithms for the training and robustness verification of implicit neural networks. Finally, we apply our algorithms to train implicit neural networks on the MNIST dataset and compare the robustness of our models with the models trained via existing approaches in the literature.

Title: Dynamic Maintenance of Kernel Density Estimation Data Structure: From Practice to Theory. (arXiv:2208.03915v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03915
Code URL: null
Copy Paste: [[2208.03915] Dynamic Maintenance of Kernel Density Estimation Data Structure: From Practice to Theory](http://arxiv.org/abs/2208.03915)
Summary:
Kernel density estimation (KDE) stands out as a challenging task in machine learning. The problem is defined in the following way: given a kernel function $f(x,y)$ and a set of points ${x_1, x_2, \cdots, x_n } \subset \mathbb{R}^d$, we would like to compute $\frac{1}{n}\sum_{i=1}^{n} f(x_i,y)$ for any query point $y \in \mathbb{R}^d$. Recently, there has been a growing trend of using data structures for efficient KDE. However, the proposed KDE data structures focus on static settings. The robustness of KDE data structures over dynamic changing data distributions is not addressed. In this work, we focus on the dynamic maintenance of KDE data structures with robustness to adversarial queries. Especially, we provide a theoretical framework of KDE data structures. In our framework, the KDE data structures only require subquadratic spaces. Moreover, our data structure supports the dynamic update of the dataset in sublinear time. Furthermore, we can perform adaptive queries with the potential adversary in sublinear time.

biometric

steal

Title: Detecting Algorithmically Generated Domains Using a GCNN-LSTM Hybrid Neural Network. (arXiv:2208.03445v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03445
Code URL: null
Copy Paste: [[2208.03445] Detecting Algorithmically Generated Domains Using a GCNN-LSTM Hybrid Neural Network](http://arxiv.org/abs/2208.03445)
Summary:
Domain generation algorithm (DGA) is used by botnets to build a stealthy command and control (C&C) communication channel between the C&C server and the bots. A DGA can periodically produce a large number of pseudo-random algorithmically generated domains (AGDs). AGD detection algorithms provide a lightweight, promising solution in response to the existing DGA techniques. In this paper, a GCNN (gated convolutional neural network)-LSTM (long short-term memory) Hybrid Neural Network (GLHNN) for AGD detection is proposed. In GLHNN, GCNN is applied to extract the informative features from domain names on top of LSTM which further processes the feature sequence. GLHNN is experimentally validated using representative AGDs covering six classes of DGAs. GLHNN is compared with the state-of-the-art detection models and demonstrates the best overall detection performance among these tested models.

extraction

Title: A novel deep learning-based approach for sleep apnea detection using single-lead ECG signals. (arXiv:2208.03408v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03408
Code URL: null
Copy Paste: [[2208.03408] A novel deep learning-based approach for sleep apnea detection using single-lead ECG signals](http://arxiv.org/abs/2208.03408)
Summary:
Sleep apnea (SA) is a type of sleep disorder characterized by snoring and chronic sleeplessness, which can lead to serious conditions such as high blood pressure, heart failure, and cardiomyopathy (enlargement of the muscle tissue of the heart). The electrocardiogram (ECG) plays a critical role in identifying SA since it might reveal abnormal cardiac activity. Recent research on ECG-based SA detection has focused on feature engineering techniques that extract specific characteristics from multiple-lead ECG signals and use them as classification model inputs. In this study, a novel method of feature extraction based on the detection of S peaks is proposed to enhance the detection of adjacent SA segments using a single-lead ECG. In particular, ECG features collected from a single lead (V2) are used to identify SA episodes. On the extracted features, a CNN model is trained to detect SA. Experimental results demonstrate that the proposed method detects SA from single-lead ECG data is more accurate than existing state-of-the-art methods, with 91.13% classification accuracy, 92.58% sensitivity, and 88.75% specificity. Moreover, the further usage of features associated with the S peaks enhances the classification accuracy by 0.85%. Our findings indicate that the proposed machine learning system has the potential to be an effective method for detecting SA episodes.

Title: Deep Uncalibrated Photometric Stereo via Inter-Intra Image Feature Fusion. (arXiv:2208.03440v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03440
Code URL: null
Copy Paste: [[2208.03440] Deep Uncalibrated Photometric Stereo via Inter-Intra Image Feature Fusion](http://arxiv.org/abs/2208.03440)
Summary:
Uncalibrated photometric stereo is proposed to estimate the detailed surface normal from images under varying and unknown lightings. Recently, deep learning brings powerful data priors to this underdetermined problem. This paper presents a new method for deep uncalibrated photometric stereo, which efficiently utilizes the inter-image representation to guide the normal estimation. Previous methods use optimization-based neural inverse rendering or a single size-independent pooling layer to deal with multiple inputs, which are inefficient for utilizing information among input images. Given multi-images under different lighting, we consider the intra-image and inter-image variations highly correlated. Motivated by the correlated variations, we designed an inter-intra image feature fusion module to introduce the inter-image representation into the per-image feature extraction. The extra representation is used to guide the per-image feature extraction and eliminate the ambiguity in normal estimation. We demonstrate the effect of our design on a wide range of samples, especially on dark materials. Our method produces significantly better results than the state-of-the-art methods on both synthetic and real data.

Title: Graph R-CNN: Towards Accurate 3D Object Detection with Semantic-Decorated Local Graph. (arXiv:2208.03624v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03624
Code URL: https://github.com/nightmare-n/graphrcnn
Copy Paste: [[2208.03624] Graph R-CNN: Towards Accurate 3D Object Detection with Semantic-Decorated Local Graph](http://arxiv.org/abs/2208.03624)
Summary:
Two-stage detectors have gained much popularity in 3D object detection. Most two-stage 3D detectors utilize grid points, voxel grids, or sampled keypoints for RoI feature extraction in the second stage. Such methods, however, are inefficient in handling unevenly distributed and sparse outdoor points. This paper solves this problem in three aspects. 1) Dynamic Point Aggregation. We propose the patch search to quickly search points in a local region for each 3D proposal. The dynamic farthest voxel sampling is then applied to evenly sample the points. Especially, the voxel size varies along the distance to accommodate the uneven distribution of points. 2) RoI-graph Pooling. We build local graphs on the sampled points to better model contextual information and mine point relations through iterative message passing. 3) Visual Features Augmentation. We introduce a simple yet effective fusion strategy to compensate for sparse LiDAR points with limited semantic cues. Based on these modules, we construct our Graph R-CNN as the second stage, which can be applied to existing one-stage detectors to consistently improve the detection performance. Extensive experiments show that Graph R-CNN outperforms the state-of-the-art 3D detection models by a large margin on both the KITTI and Waymo Open Dataset. And we rank first place on the KITTI BEV car detection leaderboard. Code will be available at \url{https://github.com/Nightmare-n/GraphRCNN}.

Title: Weakly Supervised Online Action Detection for Infant General Movements. (arXiv:2208.03648v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03648
Code URL: https://github.com/scofiedluo/wo-gma
Copy Paste: [[2208.03648] Weakly Supervised Online Action Detection for Infant General Movements](http://arxiv.org/abs/2208.03648)
Summary:
To make the earlier medical intervention of infants' cerebral palsy (CP), early diagnosis of brain damage is critical. Although general movements assessment(GMA) has shown promising results in early CP detection, it is laborious. Most existing works take videos as input to make fidgety movements(FMs) classification for the GMA automation. Those methods require a complete observation of videos and can not localize video frames containing normal FMs. Therefore we propose a novel approach named WO-GMA to perform FMs localization in the weakly supervised online setting. Infant body keypoints are first extracted as the inputs to WO-GMA. Then WO-GMA performs local spatio-temporal extraction followed by two network branches to generate pseudo clip labels and model online actions. With the clip-level pseudo labels, the action modeling branch learns to detect FMs in an online fashion. Experimental results on a dataset with 757 videos of different infants show that WO-GMA can get state-of-the-art video-level classification and cliplevel detection results. Moreover, only the first 20% duration of the video is needed to get classification results as good as fully observed, implying a significantly shortened FMs diagnosis time. Code is available at: https://github.com/scofiedluo/WO-GMA.

Title: Information Extraction from Scanned Invoice Images using Text Analysis and Layout Features. (arXiv:2208.04011v1 [cs.CL])

Paper URL: http://arxiv.org/abs/2208.04011
Code URL: null
Copy Paste: [[2208.04011] Information Extraction from Scanned Invoice Images using Text Analysis and Layout Features](http://arxiv.org/abs/2208.04011)
Summary:
While storing invoice content as metadata to avoid paper document processing may be the future trend, almost all of daily issued invoices are still printed on paper or generated in digital formats such as PDFs. In this paper, we introduce the OCRMiner system for information extraction from scanned document images which is based on text analysis techniques in combination with layout features to extract indexing metadata of (semi-)structured documents. The system is designed to process the document in a similar way a human reader uses, i.e. to employ different layout and text attributes in a coordinated decision. The system consists of a set of interconnected modules that start with (possibly erroneous) character-based output from a standard OCR system and allow to apply different techniques and to expand the extracted knowledge at each step. Using an open source OCR, the system is able to recover the invoice data in 90% for English and in 88% for the Czech set.

Title: DeepTLS: comprehensive and high-performance feature extraction for encrypted traffic. (arXiv:2208.03862v1 [cs.CR])

Paper URL: http://arxiv.org/abs/2208.03862
Code URL: null
Copy Paste: [[2208.03862] DeepTLS: comprehensive and high-performance feature extraction for encrypted traffic](http://arxiv.org/abs/2208.03862)
Summary:
Feature extraction is critical for TLS traffic analysis using machine learning techniques, which it is also very difficult and time-consuming requiring huge engineering efforts. We designed and implemented DeepTLS, a system which extracts full spectrum of features from pcaps across meta, statistical, SPLT, byte distribution, TLS header and certificates. The backend is written in C++ to achieve high performance, which can analyze a GB-size pcap in a few minutes. DeepTLS was thoroughly evaluated against two state-of-the-art tools Joy and Zeek with four well-known malicious traffic datasets consisted of 160 pcaps. Evaluation results show DeepTLS has advantage of analyzing large pcaps with half analysis time, and identified more certificates with acceptable performance loss compared with Joy. DeepTLS can significantly accelerate machine learning pipeline by reducing feature extraction time from hours even days to minutes. The system is online at https://deeptls.com, where test artifacts can be viewed and validated. In addition, two open source tools Pysharkfeat and Tlsfeatmark are also released.

Title: Sparse Representation Learning with Modified q-VAE towards Minimal Realization of World Model. (arXiv:2208.03936v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03936
Code URL: null
Copy Paste: [[2208.03936] Sparse Representation Learning with Modified q-VAE towards Minimal Realization of World Model](http://arxiv.org/abs/2208.03936)
Summary:
Extraction of low-dimensional latent space from high-dimensional observation data is essential to construct a real-time robot controller with a world model on the extracted latent space. However, there is no established method for tuning the dimension size of the latent space automatically, suffering from finding the necessary and sufficient dimension size, i.e. the minimal realization of the world model. In this study, we analyze and improve Tsallis-based variational autoencoder (q-VAE), and reveal that, under an appropriate configuration, it always facilitates making the latent space sparse. Even if the dimension size of the pre-specified latent space is redundant compared to the minimal realization, this sparsification collapses unnecessary dimensions, allowing for easy removal of them. We experimentally verified the benefits of the sparsification by the proposed method that it can easily find the necessary and sufficient six dimensions for a reaching task with a mobile manipulator that requires a six-dimensional state space. Moreover, by planning with such a minimal-realization world model learned in the extracted dimensions, the proposed method was able to exert a more optimal action sequence in real-time, reducing the reaching accomplishment time by around 20 %. The attached video is uploaded on youtube: https://youtu.be/-QjITrnxaRs

membership infer

federate

Title: Federated Learning for Medical Applications: A Taxonomy, Current Trends, and Research Challenges. (arXiv:2208.03392v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03392
Code URL: null
Copy Paste: [[2208.03392] Federated Learning for Medical Applications: A Taxonomy, Current Trends, and Research Challenges](http://arxiv.org/abs/2208.03392)
Summary:
With the advent of the IoT, AI, and ML/DL algorithms, the data-driven medical application has emerged as a promising tool for designing reliable and scalable diagnostic and prognostic models from medical data. This has attracted a great deal of attention from academia to industry in recent years. This has undoubtedly improved the quality of healthcare delivery. However, these AI-based medical applications still have poor adoption due to their difficulties in satisfying strict security, privacy, and quality of service standards (such as low latency). Moreover, medical data are usually fragmented and private, making it challenging to generate robust results across populations. Recent developments in federated learning (FL) have made it possible to train complex machine-learned models in a distributed manner. Thus, FL has become an active research domain, particularly processing the medical data at the edge of the network in a decentralized way to preserve privacy and security concerns. To this end, this survey paper highlights the current and future of FL technology in medical applications where data sharing is a significant burden. It also review and discuss the current research trends and their outcomes for designing reliable and scalable FL models. We outline the general FL's statistical problems, device challenges, security, privacy concerns, and its potential in the medical domain. Moreover, our study is also focused on medical applications where we highlight the burden of global cancer and the efficient use of FL for the development of computer-aided diagnosis tools for addressing them. We hope that this review serves as a checkpoint that sets forth the existing state-of-the-art works in a thorough manner and offers open problems and future research directions for this field.

Title: Federated Adversarial Learning: A Framework with Convergence Analysis. (arXiv:2208.03635v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03635
Code URL: null
Copy Paste: [[2208.03635] Federated Adversarial Learning: A Framework with Convergence Analysis](http://arxiv.org/abs/2208.03635)
Summary:
Federated learning (FL) is a trending training paradigm to utilize decentralized training data. FL allows clients to update model parameters locally for several epochs, then share them to a global model for aggregation. This training paradigm with multi-local step updating before aggregation exposes unique vulnerabilities to adversarial attacks. Adversarial training is a popular and effective method to improve the robustness of networks against adversaries. In this work, we formulate a general form of federated adversarial learning (FAL) that is adapted from adversarial learning in the centralized setting. On the client side of FL training, FAL has an inner loop to generate adversarial samples for adversarial training and an outer loop to update local model parameters. On the server side, FAL aggregates local model updates and broadcast the aggregated model. We design a global robust training loss and formulate FAL training as a min-max optimization problem. Unlike the convergence analysis in classical centralized training that relies on the gradient direction, it is significantly harder to analyze the convergence in FAL for three reasons: 1) the complexity of min-max optimization, 2) model not updating in the gradient direction due to the multi-local updates on the client-side before aggregation and 3) inter-client heterogeneity. We address these challenges by using appropriate gradient approximation and coupling techniques and present the convergence analysis in the over-parameterized regime. Our main result theoretically shows that the minimum loss under our algorithm can converge to $\epsilon$ small with chosen learning rate and communication rounds. It is noteworthy that our analysis is feasible for non-IID clients.

fair

Title: Shap-CAM: Visual Explanations for Convolutional Neural Networks based on Shapley Value. (arXiv:2208.03608v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03608
Code URL: null
Copy Paste: [[2208.03608] Shap-CAM: Visual Explanations for Convolutional Neural Networks based on Shapley Value](http://arxiv.org/abs/2208.03608)
Summary:
Explaining deep convolutional neural networks has been recently drawing increasing attention since it helps to understand the networks' internal operations and why they make certain decisions. Saliency maps, which emphasize salient regions largely connected to the network's decision-making, are one of the most common ways for visualizing and analyzing deep networks in the computer vision community. However, saliency maps generated by existing methods cannot represent authentic information in images due to the unproven proposals about the weights of activation maps which lack solid theoretical foundation and fail to consider the relations between each pixel. In this paper, we develop a novel post-hoc visual explanation method called Shap-CAM based on class activation mapping. Unlike previous gradient-based approaches, Shap-CAM gets rid of the dependence on gradients by obtaining the importance of each pixel through Shapley value. We demonstrate that Shap-CAM achieves better visual performance and fairness for interpreting the decision making process. Our approach outperforms previous methods on both recognition and localization tasks.

Title: Bias Reducing Multitask Learning on Mental Health Prediction. (arXiv:2208.03621v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03621
Code URL: null
Copy Paste: [[2208.03621] Bias Reducing Multitask Learning on Mental Health Prediction](http://arxiv.org/abs/2208.03621)
Summary:
There has been an increase in research in developing machine learning models for mental health detection or prediction in recent years due to increased mental health issues in society. Effective use of mental health prediction or detection models can help mental health practitioners re-define mental illnesses more objectively than currently done, and identify illnesses at an earlier stage when interventions may be more effective. However, there is still a lack of standard in evaluating bias in such machine learning models in the field, which leads to challenges in providing reliable predictions and in addressing disparities. This lack of standards persists due to factors such as technical difficulties, complexities of high dimensional clinical health data, etc., which are especially true for physiological signals. This along with prior evidence of relations between some physiological signals with certain demographic identities restates the importance of exploring bias in mental health prediction models that utilize physiological signals. In this work, we aim to perform a fairness analysis and implement a multi-task learning based bias mitigation method on anxiety prediction models using ECG data. Our method is based on the idea of epistemic uncertainty and its relationship with model weights and feature space representation. Our analysis showed that our anxiety prediction base model introduced some bias with regards to age, income, ethnicity, and whether a participant is born in the U.S. or not, and our bias mitigation method performed better at reducing the bias in the model, when compared to the reweighting mitigation technique. Our analysis on feature importance also helped identify relationships between heart rate variability and multiple demographic groupings.

Title: Counterfactual Fairness Is Basically Demographic Parity. (arXiv:2208.03843v1 [cs.LG])

Paper URL: http://arxiv.org/abs/2208.03843
Code URL: https://github.com/lurosenb/simplifying_counterfactual_fairness
Copy Paste: [[2208.03843] Counterfactual Fairness Is Basically Demographic Parity](http://arxiv.org/abs/2208.03843)
Summary:
Making fair decisions is crucial to ethically implementing machine learning algorithms in social settings. In this work, we consider the celebrated definition of counterfactual fairness [Kusner et al., NeurIPS, 2017]. We begin by showing that an algorithm which satisfies counterfactual fairness also satisfies demographic parity, a far simpler fairness constraint. Similarly, we show that all algorithms satisfying demographic parity can be trivially modified to satisfy counterfactual fairness. Together, our results indicate that counterfactual fairness is basically equivalent to demographic parity, which has important implications for the growing body of work on counterfactual fairness. We then validate our theoretical findings empirically, analyzing three existing algorithms for counterfactual fairness against three simple benchmarks. We find that two simple benchmark algorithms outperform all three existing algorithms -- in terms of fairness, accuracy, and efficiency -- on several data sets. Our analysis leads us to formalize a concrete fairness goal: to preserve the order of individuals within protected groups. We believe transparency around the ordering of individuals within protected groups makes fair algorithms more trustworthy. By design, the two simple benchmark algorithms satisfy this goal while the existing algorithms for counterfactual fairness do not.

interpretability

Title: Sampling Based On Natural Image Statistics Improves Local Surrogate Explainers. (arXiv:2208.03961v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03961
Code URL: null
Copy Paste: [[2208.03961] Sampling Based On Natural Image Statistics Improves Local Surrogate Explainers](http://arxiv.org/abs/2208.03961)
Summary:
Many problems in computer vision have recently been tackled using models whose predictions cannot be easily interpreted, most commonly deep neural networks. Surrogate explainers are a popular post-hoc interpretability method to further understand how a model arrives at a particular prediction. By training a simple, more interpretable model to locally approximate the decision boundary of a non-interpretable system, we can estimate the relative importance of the input features on the prediction. Focusing on images, surrogate explainers, e.g., LIME, generate a local neighbourhood around a query image by sampling in an interpretable domain. However, these interpretable domains have traditionally been derived exclusively from the intrinsic features of the query image, not taking into consideration the manifold of the data the non-interpretable model has been exposed to in training (or more generally, the manifold of real images). This leads to suboptimal surrogates trained on potentially low probability images. We address this limitation by aligning the local neighbourhood on which the surrogate is trained with the original training data distribution, even when this distribution is not accessible. We propose two approaches to do so, namely (1) altering the method for sampling the local neighbourhood and (2) using perceptual metrics to convey some of the properties of the distribution of natural images.

exlainability

watermark

Title: AWEncoder: Adversarial Watermarking Pre-trained Encoders in Contrastive Learning. (arXiv:2208.03948v1 [cs.CV])

Paper URL: http://arxiv.org/abs/2208.03948
Code URL: null
Copy Paste: [[2208.03948] AWEncoder: Adversarial Watermarking Pre-trained Encoders in Contrastive Learning](http://arxiv.org/abs/2208.03948)
Summary:
As a self-supervised learning paradigm, contrastive learning has been widely used to pre-train a powerful encoder as an effective feature extractor for various downstream tasks. This process requires numerous unlabeled training data and computational resources, which makes the pre-trained encoder become valuable intellectual property of the owner. However, the lack of a priori knowledge of downstream tasks makes it non-trivial to protect the intellectual property of the pre-trained encoder by applying conventional watermarking methods. To deal with this problem, in this paper, we introduce AWEncoder, an adversarial method for watermarking the pre-trained encoder in contrastive learning. First, as an adversarial perturbation, the watermark is generated by enforcing the training samples to be marked to deviate respective location and surround a randomly selected key image in the embedding space. Then, the watermark is embedded into the pre-trained encoder by further optimizing a joint loss function. As a result, the watermarked encoder not only performs very well for downstream tasks, but also enables us to verify its ownership by analyzing the discrepancy of output provided using the encoder as the backbone under both white-box and black-box conditions. Extensive experiments demonstrate that the proposed work enjoys pretty good effectiveness and robustness on different contrastive learning algorithms and downstream tasks, which has verified the superiority and applicability of the proposed work.