secure

Title: Secure ambient intelligence prototype for airports. (arXiv:2208.05734v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05734
• Code URL: null
• Copy Paste: [[2208.05734] Secure ambient intelligence prototype for airports](http://arxiv.org/abs/2208.05734)
• Summary:

  Nowadays, many technological advances applied to the Internet of Things (IoT) make the introduction of innovative sensors aimed to deploy efficient wireless sensor networks possible. In order to improve the environment and people's lives, real time analysis of certain environmental variables may favor the reduction of health risks related to the deterioration of air quality. To this respect, the proposed system implements a particular prototype of IoT device characterized by the assembly of ambient sensors capable of measuring pollutant gases, temperature and humidity. For this purpose, Raspberry Pi and Arduino platforms are used. Several security methods are introduced to ensure the integrity of air quality data by implementing Merkle Trees on each IoT node and on the Cloud server. Besides, the authenticity of IoT devices and the confidentiality of communications are guaranteed by implementing HTTPS requests. Finally, authentication tokens are used to identify system users, and different security rules are applied to manage database operations.

Title: Twisted by the Pools: Detection of Selfish Anomalies in Proof-of-Work Mining. (arXiv:2208.05748v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05748
• Code URL: null
• Copy Paste: [[2208.05748] Twisted by the Pools: Detection of Selfish Anomalies in Proof-of-Work Mining](http://arxiv.org/abs/2208.05748)
• Summary:

  The core of many cryptocurrencies is the decentralised validation network operating on proof-of-work technology. In these systems, validation is done by so-called miners who can digitally sign blocks once they solve a computationally-hard problem. Conventional wisdom generally considers this protocol as secure and stable as miners are incentivised to follow the behaviour of the majority. However, whether some strategic mining behaviours occur in practice is still a major concern. In this paper we target this question by focusing on a security threat: a selfish mining attack in which malicious miners deviate from protocol by not immediately revealing their newly mined blocks. We propose a statistical test to analyse each miner's behaviour in five popular cryptocurrencies: Bitcoin, Litecoin, Monacoin, Ethereum and Bitcoin Cash. Our method is based on the realisation that selfish mining behaviour will cause identifiable anomalies in the statistics of miner's successive blocks discovery. Secondly, we apply heuristics-based address clustering to improve the detectability of this kind of behaviour. We find a marked presence of abnormal miners in Monacoin and Bitcoin Cash, and, to a lesser extent, in Ethereum. Finally, we extend our method to detect coordinated selfish mining attacks, finding mining cartels in Monacoin where miners might secretly share information about newly mined blocks in advance. Our analysis contributes to the research on security in cryptocurrency systems by providing the first empirical evidence that the aforementioned strategic mining behaviours do take place in practice.

security

Title: A Comprehensive Analysis of AI Biases in DeepFake Detection With Massively Annotated Databases. (arXiv:2208.05845v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05845
• Code URL: null
• Copy Paste: [[2208.05845] A Comprehensive Analysis of AI Biases in DeepFake Detection With Massively Annotated Databases](http://arxiv.org/abs/2208.05845)
• Summary:

  In recent years, image and video manipulations with DeepFake have become a severe concern for security and society. Therefore, many detection models and databases have been proposed to detect DeepFake data reliably. However, there is an increased concern that these models and training databases might be biased and thus, cause DeepFake detectors to fail. In this work, we tackle these issues by (a) providing large-scale demographic and non-demographic attribute annotations of 41 different attributes for five popular DeepFake datasets and (b) comprehensively analysing AI-bias of multiple state-of-the-art DeepFake detection models on these databases. The investigation analyses the influence of a large variety of distinctive attributes (from over 65M labels) on the detection performance, including demographic (age, gender, ethnicity) and non-demographic (hair, skin, accessories, etc.) information. The results indicate that investigated databases lack diversity and, more importantly, show that the utilised DeepFake detection models are strongly biased towards many investigated attributes. Moreover, the results show that the models' decision-making might be based on several questionable (biased) assumptions, such if a person is smiling or wearing a hat. Depending on the application of such DeepFake detection methods, these biases can lead to generalizability, fairness, and security issues. We hope that the findings of this study and the annotation databases will help to evaluate and mitigate bias in future DeepFake detection techniques. Our annotation datasets are made publicly available.

Title: Multi-Factor Key Derivation Function (MFKDF). (arXiv:2208.05586v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05586
• Code URL: null
• Copy Paste: [[2208.05586] Multi-Factor Key Derivation Function (MFKDF)](http://arxiv.org/abs/2208.05586)
• Summary:

  We present the first general construction of a Multi-Factor Key Derivation Function (MFKDF). Our function expands upon password-based key derivation functions (PBKDFs) with support for using other popular authentication factors like TOTP, HOTP, and hardware tokens in the key derivation process. In doing so, it provides an exponential security improvement over PBKDFs with less than 12 ms of additional computational overhead in a typical web browser. We further present a threshold MFKDF construction, allowing for client-side key recovery and reconstitution if a factor is lost. Finally, by "stacking" derived keys, we provide a means of cryptographically enforcing arbitrarily specific key derivation policies. The result is a paradigm shift toward direct cryptographic protection of user data using all available authentication factors, with no noticeable change to the user experience. We demonstrate the ability of our solution to not only significantly improve the security of existing systems implementing PBKDFs, but also to enable new applications where PBKDFs would not be considered a feasible approach.

Title: A Trust-Based Malicious RSU Detection Mechanism in Edge-Enabled Vehicular Ad Hoc Networks. (arXiv:2208.05680v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05680
• Code URL: null
• Copy Paste: [[2208.05680] A Trust-Based Malicious RSU Detection Mechanism in Edge-Enabled Vehicular Ad Hoc Networks](http://arxiv.org/abs/2208.05680)
• Summary:

  Edge-enabled Vehicular Ad Hoc Network (VANET) introduces real-time services and storage, computation, and communication facilities to the vehicles through Roadside Units (RSUs). Nevertheless, RSUs are often easy targets for security assaults due to their placement in an open, unprotected environment and resource-constrained nature. The malicious RSUs compromised by security attacks impose threats to human safety by impeding the operations of VANETs. Hence, an effective malevolent RSU detection mechanism is crucial for VANETs. Existing trust-based detection mechanisms assign trust scores to RSUs based on their interactions with moving vehicles where precise detection of rogue RSUs depends on the accuracy of trust scores. However, brief interaction of RSUs with the running vehicles permits inadequate time to estimate trust accurately. Besides, current works use only vehicle speed and density in beacon messages to assess trust without considering the sensor-detected data in the same messages. Nonetheless, sensor data is useful for traffic management, and neglecting them creates inaccuracy in trust estimation. In this paper, we address these limitations and propose a trust-based scheme to detect malicious RSUs that uses stable and frequent RSU-to-RSU (R2R) interaction to precisely analyze the behavior of an RSU. We also offer a mechanism to detect alteration of sensor-detected data in beacon content and incorporate this scheme in the trust calculation of RSUs. The experimental results show that the proposed solution effectively detects approximately 92% malicious RSUs, even in the presence of hostile vehicles. Moreover, integrating the proposed solution with the VANET routing protocols improves routing efficiency.

privacy

Title: Going Incognito in the Metaverse. (arXiv:2208.05604v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05604
• Code URL: null
• Copy Paste: [[2208.05604] Going Incognito in the Metaverse](http://arxiv.org/abs/2208.05604)
• Summary:

  Virtual reality (VR) telepresence applications and the so-called "metaverse" promise to be the next major medium of interaction with the internet. However, with numerous recent studies showing the ease at which VR users can be profiled, deanonymized, and data harvested, metaverse platforms carry all the privacy risks of the current internet and more while at present having none of the defensive privacy tools we are accustomed to using on the web. To remedy this, we present the first known method of implementing an "incognito mode" for VR. Our technique leverages local {\epsilon}-differential privacy to quantifiably obscure sensitive user data attributes, with a focus on intelligently adding noise when and where it is needed most to maximize privacy while minimizing usability impact. Moreover, our system is capable of flexibly adapting to the unique needs of each metaverse application to further optimize this trade-off. We implement our solution as a universal Unity (C#) plugin that we then evaluate using several popular VR applications. Upon faithfully replicating the most well known VR privacy attack studies, we show a significant degradation of attacker capabilities when using our proposed solution.

Title: Privacy Preservation Among Honest-but-Curious Edge Nodes: A Survey. (arXiv:2208.05922v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05922
• Code URL: null
• Copy Paste: [[2208.05922] Privacy Preservation Among Honest-but-Curious Edge Nodes: A Survey](http://arxiv.org/abs/2208.05922)
• Summary:

  Users care greatly about preserving the privacy of their personal data gathered during their use of information systems. This extends to both the data they actively provide in exchange for services as well as the metadata passively generated in many aspects of their computing experiences. However, new technologies are at a great risk of being inadequate to protect a user's privacy if researchers focus primarily on the use cases of these technologies without giving sufficient consideration to incorporating privacy at a fundamental level. Edge computing has been introduced as a promising networking paradigm for processing the incredible magnitude of data produced by modern IoT networks. As edge computing is still considered a relatively new technology, the edge computing community has a responsibility to ensure privacy protection is interwoven into its implementations at a foundational level. In this paper, I first introduce the concepts of user privacy and edge computing; I then provide a state-of-the-art overview of current literature as it relates to privacy preservation in honest-but-curious edge computing. Finally, I provide future research recommendations in the hope that the edge computing research and development community will be inspired to ensure strong privacy protections in their current and future work.

protect

Title: Searching for chromate replacements using natural language processing and machine learning algorithms. (arXiv:2208.05672v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2208.05672
• Code URL: null
• Copy Paste: [[2208.05672] Searching for chromate replacements using natural language processing and machine learning algorithms](http://arxiv.org/abs/2208.05672)
• Summary:

  The past few years has seen the application of machine learning utilised in the exploration of new materials. As in many fields of research - the vast majority of knowledge is published as text, which poses challenges in either a consolidated or statistical analysis across studies and reports. Such challenges include the inability to extract quantitative information, and in accessing the breadth of non-numerical information. To address this issue, the application of natural language processing (NLP) has been explored in several studies to date. In NLP, assignment of high-dimensional vectors, known as embeddings, to passages of text preserves the syntactic and semantic relationship between words. Embeddings rely on machine learning algorithms and in the present work, we have employed the Word2Vec model, previously explored by others, and the BERT model - applying them towards a unique challenge in materials engineering. That challenge is the search for chromate replacements in the field of corrosion protection. From a database of over 80 million records, a down-selection of 5990 papers focused on the topic of corrosion protection were examined using NLP. This study demonstrates it is possible to extract knowledge from the automated interpretation of the scientific literature and achieve expert human level insights.

defense

attack

Title: Patching open-vocabulary models by interpolating weights. (arXiv:2208.05592v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05592
• Code URL: https://github.com/mlfoundations/patching
• Copy Paste: [[2208.05592] Patching open-vocabulary models by interpolating weights](http://arxiv.org/abs/2208.05592)
• Summary:

  Open-vocabulary models like CLIP achieve high accuracy across many image classification tasks. However, there are still settings where their zero-shot performance is far from optimal. We study model patching, where the goal is to improve accuracy on specific tasks without degrading accuracy on tasks where performance is already adequate. Towards this goal, we introduce PAINT, a patching method that uses interpolations between the weights of a model before fine-tuning and the weights after fine-tuning on a task to be patched. On nine tasks where zero-shot CLIP performs poorly, PAINT increases accuracy by 15 to 60 percentage points while preserving accuracy on ImageNet within one percentage point of the zero-shot model. PAINT also allows a single model to be patched on multiple tasks and improves with model scale. Furthermore, we identify cases of broad transfer, where patching on one task increases accuracy on other tasks even when the tasks have disjoint classes. Finally, we investigate applications beyond common benchmarks such as counting or reducing the impact of typographic attacks on CLIP. Our findings demonstrate that it is possible to expand the set of tasks on which open-vocabulary models achieve high accuracy without re-training them from scratch.

Title: Diverse Generative Adversarial Perturbations on Attention Space for Transferable Adversarial Attacks. (arXiv:2208.05650v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05650
• Code URL: null
• Copy Paste: [[2208.05650] Diverse Generative Adversarial Perturbations on Attention Space for Transferable Adversarial Attacks](http://arxiv.org/abs/2208.05650)
• Summary:

  Adversarial attacks with improved transferability - the ability of an adversarial example crafted on a known model to also fool unknown models - have recently received much attention due to their practicality. Nevertheless, existing transferable attacks craft perturbations in a deterministic manner and often fail to fully explore the loss surface, thus falling into a poor local optimum and suffering from low transferability. To solve this problem, we propose Attentive-Diversity Attack (ADA), which disrupts diverse salient features in a stochastic manner to improve transferability. Primarily, we perturb the image attention to disrupt universal features shared by different models. Then, to effectively avoid poor local optima, we disrupt these features in a stochastic manner and explore the search space of transferable perturbations more exhaustively. More specifically, we use a generator to produce adversarial perturbations that each disturbs features in different ways depending on an input latent code. Extensive experimental evaluations demonstrate the effectiveness of our method, outperforming the transferability of state-of-the-art methods. Codes are available at https://github.com/wkim97/ADA.

Title: Unsupervised Face Morphing Attack Detection via Self-paced Anomaly Detection. (arXiv:2208.05787v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05787
• Code URL: https://github.com/meilfang/spl-mad
• Copy Paste: [[2208.05787] Unsupervised Face Morphing Attack Detection via Self-paced Anomaly Detection](http://arxiv.org/abs/2208.05787)
• Summary:

  The supervised-learning-based morphing attack detection (MAD) solutions achieve outstanding success in dealing with attacks from known morphing techniques and known data sources. However, given variations in the morphing attacks, the performance of supervised MAD solutions drops significantly due to the insufficient diversity and quantity of the existing MAD datasets. To address this concern, we propose a completely unsupervised MAD solution via self-paced anomaly detection (SPL-MAD) by leveraging the existing large-scale face recognition (FR) datasets and the unsupervised nature of convolutional autoencoders. Using general FR datasets that might contain unintentionally and unlabeled manipulated samples to train an autoencoder can lead to a diverse reconstruction behavior of attack and bona fide samples. We analyze this behavior empirically to provide a solid theoretical ground for designing our unsupervised MAD solution. This also results in proposing to integrate our adapted modified self-paced learning paradigm to enhance the reconstruction error separability between the bona fide and attack samples in a completely unsupervised manner. Our experimental results on a diverse set of MAD evaluation datasets show that the proposed unsupervised SPL-MAD solution outperforms the overall performance of a wide range of supervised MAD solutions and provides higher generalizability on unknown attacks.

Title: Face Morphing Attacks and Face Image Quality: The Effect of Morphing and the Unsupervised Attack Detection by Quality. (arXiv:2208.05864v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05864
• Code URL: null
• Copy Paste: [[2208.05864] Face Morphing Attacks and Face Image Quality: The Effect of Morphing and the Unsupervised Attack Detection by Quality](http://arxiv.org/abs/2208.05864)
• Summary:

  Morphing attacks are a form of presentation attacks that gathered increasing attention in recent years. A morphed image can be successfully verified to multiple identities. This operation, therefore, poses serious security issues related to the ability of a travel or identity document to be verified to belong to multiple persons. Previous works touched on the issue of the quality of morphing attack images, however, with the main goal of quantitatively proofing the realistic appearance of the produced morphing attacks. We theorize that the morphing processes might have an effect on both, the perceptual image quality and the image utility in face recognition (FR) when compared to bona fide samples. Towards investigating this theory, this work provides an extensive analysis of the effect of morphing on face image quality, including both general image quality measures and face image utility measures. This analysis is not limited to a single morphing technique, but rather looks at six different morphing techniques and five different data sources using ten different quality measures. This analysis reveals consistent separability between the quality scores of morphing attack and bona fide samples measured by certain quality measures. Our study goes further to build on this effect and investigate the possibility of performing unsupervised morphing attack detection (MAD) based on quality scores. Our study looks intointra and inter-dataset detectability to evaluate the generalizability of such a detection concept on different morphing techniques and bona fide sources. Our final results point out that a set of quality measures, such as MagFace and CNNNIQA, can be used to perform unsupervised and generalized MAD with a correct classification accuracy of over 70%.

Title: Are Gradients on Graph Structure Reliable in Gray-box Attacks?. (arXiv:2208.05514v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05514
• Code URL: null
• Copy Paste: [[2208.05514] Are Gradients on Graph Structure Reliable in Gray-box Attacks?](http://arxiv.org/abs/2208.05514)
• Summary:

  Graph edge perturbations are dedicated to damaging the prediction of graph neural networks by modifying the graph structure. Previous gray-box attackers employ gradients from the surrogate model to locate the vulnerable edges to perturb the graph structure. However, unreliability exists in gradients on graph structures, which is rarely studied by previous works. In this paper, we discuss and analyze the errors caused by the unreliability of the structural gradients. These errors arise from rough gradient usage due to the discreteness of the graph structure and from the unreliability in the meta-gradient on the graph structure. In order to address these problems, we propose a novel attack model with methods to reduce the errors inside the structural gradients. We propose edge discrete sampling to select the edge perturbations associated with hierarchical candidate selection to ensure computational efficiency. In addition, semantic invariance and momentum gradient ensemble are proposed to address the gradient fluctuation on semantic-augmented graphs and the instability of the surrogate model. Experiments are conducted in untargeted gray-box poisoning scenarios and demonstrate the improvement in the performance of our approach.

Title: A Survey of MulVAL Extensions and Their Attack Scenarios Coverage. (arXiv:2208.05750v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05750
• Code URL: null
• Copy Paste: [[2208.05750] A Survey of MulVAL Extensions and Their Attack Scenarios Coverage](http://arxiv.org/abs/2208.05750)
• Summary:

  Organizations employ various adversary models in order to assess the risk and potential impact of attacks on their networks. Attack graphs represent vulnerabilities and actions an attacker can take to identify and compromise an organization's assets. Attack graphs facilitate both visual presentation and algorithmic analysis of attack scenarios in the form of attack paths. MulVAL is a generic open-source framework for constructing logical attack graphs, which has been widely used by researchers and practitioners and extended by them with additional attack scenarios. This paper surveys all of the existing MulVAL extensions, and maps all MulVAL interaction rules to MITRE ATT&CK Techniques to estimate their attack scenarios coverage. This survey aligns current MulVAL extensions along unified ontological concepts and highlights the existing gaps. It paves the way for methodical improvement of MulVAL and the comprehensive modeling of the entire landscape of adversarial behaviors captured in MITRE ATT&CK.

Title: Shielding Federated Learning Systems against Inference Attacks with ARM TrustZone. (arXiv:2208.05895v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05895
• Code URL: null
• Copy Paste: [[2208.05895] Shielding Federated Learning Systems against Inference Attacks with ARM TrustZone](http://arxiv.org/abs/2208.05895)
• Summary:

  Federated Learning (FL) opens new perspectives for training machine learning models while keeping personal data on the users premises. Specifically, in FL, models are trained on the users devices and only model updates (i.e., gradients) are sent to a central server for aggregation purposes. However, the long list of inference attacks that leak private data from gradients, published in the recent years, have emphasized the need of devising effective protection mechanisms to incentivize the adoption of FL at scale. While there exist solutions to mitigate these attacks on the server side, little has been done to protect users from attacks performed on the client side. In this context, the use of Trusted Execution Environments (TEEs) on the client side are among the most proposing solutions. However, existing frameworks (e.g., DarkneTZ) require statically putting a large portion of the machine learning model into the TEE to effectively protect against complex attacks or a combination of attacks. We present GradSec, a solution that allows protecting in a TEE only sensitive layers of a machine learning model, either statically or dynamically, hence reducing both the TCB size and the overall training time by up to 30% and 56%, respectively compared to state-of-the-art competitors.

Title: SignalKG: Towards reasoning about the underlying causes of sensor observations. (arXiv:2208.05627v1 [cs.AI])

• Paper URL: http://arxiv.org/abs/2208.05627
• Code URL: null
• Copy Paste: [[2208.05627] SignalKG: Towards reasoning about the underlying causes of sensor observations](http://arxiv.org/abs/2208.05627)
• Summary:

  This paper demonstrates our vision for knowledge graphs that assist machines to reason about the cause of signals observed by sensors. We show how the approach allows for constructing smarter surveillance systems that reason about the most likely cause (e.g., an attacker breaking a window) of a signal rather than acting directly on the received signal without consideration for how it was produced.

robust

Title: Quality Not Quantity: On the Interaction between Dataset Design and Robustness of CLIP. (arXiv:2208.05516v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2208.05516
• Code URL: null
• Copy Paste: [[2208.05516] Quality Not Quantity: On the Interaction between Dataset Design and Robustness of CLIP](http://arxiv.org/abs/2208.05516)
• Summary:

  Web-crawled datasets have enabled remarkable generalization capabilities in recent image-text models such as CLIP (Contrastive Language-Image pre-training) or Flamingo, but little is known about the dataset creation processes. In this work, we introduce a testbed of six publicly available data sources - YFCC, LAION, Conceptual Captions, WIT, RedCaps, Shutterstock - to investigate how pre-training distributions induce robustness in CLIP. We find that the performance of the pre-training data varies substantially across distribution shifts, with no single data source dominating. Moreover, we systematically study the interactions between these data sources and find that combining multiple sources does not necessarily yield better models, but rather dilutes the robustness of the best individual data source. We complement our empirical findings with theoretical insights from a simple setting, where combining the training data also results in diluted robustness. In addition, our theoretical model provides a candidate explanation for the success of the CLIP-based data filtering technique recently employed in the LAION dataset. Overall our results demonstrate that simply gathering a large amount of data from the web is not the most effective way to build a pre-training dataset for robust generalization, necessitating further study into dataset design.

Title: Self-Knowledge Distillation via Dropout. (arXiv:2208.05642v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05642
• Code URL: null
• Copy Paste: [[2208.05642] Self-Knowledge Distillation via Dropout](http://arxiv.org/abs/2208.05642)
• Summary:

  To boost the performance, deep neural networks require deeper or wider network structures that involve massive computational and memory costs. To alleviate this issue, the self-knowledge distillation method regularizes the model by distilling the internal knowledge of the model itself. Conventional self-knowledge distillation methods require additional trainable parameters or are dependent on the data. In this paper, we propose a simple and effective self-knowledge distillation method using a dropout (SD-Dropout). SD-Dropout distills the posterior distributions of multiple models through a dropout sampling. Our method does not require any additional trainable modules, does not rely on data, and requires only simple operations. Furthermore, this simple method can be easily combined with various self-knowledge distillation approaches. We provide a theoretical and experimental analysis of the effect of forward and reverse KL-divergences in our work. Extensive experiments on various vision tasks, i.e., image classification, object detection, and distribution shift, demonstrate that the proposed method can effectively improve the generalization of a single network. Further experiments show that the proposed method also improves calibration performance, adversarial robustness, and out-of-distribution detection ability.

Title: General Cutting Planes for Bound-Propagation-Based Neural Network Verification. (arXiv:2208.05740v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2208.05740
• Code URL: null
• Copy Paste: [[2208.05740] General Cutting Planes for Bound-Propagation-Based Neural Network Verification](http://arxiv.org/abs/2208.05740)
• Summary:

  Bound propagation methods, when combined with branch and bound, are among the most effective methods to formally verify properties of deep neural networks such as correctness, robustness, and safety. However, existing works cannot handle the general form of cutting plane constraints widely accepted in traditional solvers, which are crucial for strengthening verifiers with tightened convex relaxations. In this paper, we generalize the bound propagation procedure to allow the addition of arbitrary cutting plane constraints, including those involving relaxed integer variables that do not appear in existing bound propagation formulations. Our generalized bound propagation method, GCP-CROWN, opens up the opportunity to apply general cutting plane methods} for neural network verification while benefiting from the efficiency and GPU acceleration of bound propagation methods. As a case study, we investigate the use of cutting planes generated by off-the-shelf mixed integer programming (MIP) solver. We find that MIP solvers can generate high-quality cutting planes for strengthening bound-propagation-based verifiers using our new formulation. Since the branching-focused bound propagation procedure and the cutting-plane-focused MIP solver can run in parallel utilizing different types of hardware (GPUs and CPUs), their combination can quickly explore a large number of branches with strong cutting planes, leading to strong verification performance. Experiments demonstrate that our method is the first verifier that can completely solve the oval20 benchmark and verify twice as many instances on the oval21 benchmark compared to the best tool in VNN-COMP 2021, and also noticeably outperforms state-of-the-art verifiers on a wide range of benchmarks. GCP-CROWN is part of the $\alpha$,$\beta$-CROWN verifier, the VNN-COMP 2022 winner. Code is available at this http URL

Title: Towards Sequence-Level Training for Visual Tracking. (arXiv:2208.05810v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05810
• Code URL: https://github.com/byminji/SLTtrack
• Copy Paste: [[2208.05810] Towards Sequence-Level Training for Visual Tracking](http://arxiv.org/abs/2208.05810)
• Summary:

  Despite the extensive adoption of machine learning on the task of visual object tracking, recent learning-based approaches have largely overlooked the fact that visual tracking is a sequence-level task in its nature; they rely heavily on frame-level training, which inevitably induces inconsistency between training and testing in terms of both data distributions and task objectives. This work introduces a sequence-level training strategy for visual tracking based on reinforcement learning and discusses how a sequence-level design of data sampling, learning objectives, and data augmentation can improve the accuracy and robustness of tracking algorithms. Our experiments on standard benchmarks including LaSOT, TrackingNet, and GOT-10k demonstrate that four representative tracking models, SiamRPN++, SiamAttn, TransT, and TrDiMP, consistently improve by incorporating the proposed methods in training without modifying architectures.

Title: Differencing based Self-supervised pretraining for Scene Change Detection. (arXiv:2208.05838v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05838
• Code URL: https://github.com/neurai-lab/dsp
• Copy Paste: [[2208.05838] Differencing based Self-supervised pretraining for Scene Change Detection](http://arxiv.org/abs/2208.05838)
• Summary:

  Scene change detection (SCD), a crucial perception task, identifies changes by comparing scenes captured at different times. SCD is challenging due to noisy changes in illumination, seasonal variations, and perspective differences across a pair of views. Deep neural network based solutions require a large quantity of annotated data which is tedious and expensive to obtain. On the other hand, transfer learning from large datasets induces domain shift. To address these challenges, we propose a novel \textit{Differencing self-supervised pretraining (DSP)} method that uses feature differencing to learn discriminatory representations corresponding to the changed regions while simultaneously tackling the noisy changes by enforcing temporal invariance across views. Our experimental results on SCD datasets demonstrate the effectiveness of our method, specifically to differences in camera viewpoints and lighting conditions. Compared against the self-supervised Barlow Twins and the standard ImageNet pretraining that uses more than a million additional labeled images, DSP can surpass it without using any additional data. Our results also demonstrate the robustness of DSP to natural corruptions, distribution shift, and learning under limited labeled data.

Title: PointTree: Transformation-Robust Point Cloud Encoder with Relaxed K-D Trees. (arXiv:2208.05962v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05962
• Code URL: https://github.com/immortalco/pointtree
• Copy Paste: [[2208.05962] PointTree: Transformation-Robust Point Cloud Encoder with Relaxed K-D Trees](http://arxiv.org/abs/2208.05962)
• Summary:

  Being able to learn an effective semantic representation directly on raw point clouds has become a central topic in 3D understanding. Despite rapid progress, state-of-the-art encoders are restrictive to canonicalized point clouds, and have weaker than necessary performance when encountering geometric transformation distortions. To overcome this challenge, we propose PointTree, a general-purpose point cloud encoder that is robust to transformations based on relaxed K-D trees. Key to our approach is the design of the division rule in K-D trees by using principal component analysis (PCA). We use the structure of the relaxed K-D tree as our computational graph, and model the features as border descriptors which are merged with pointwise-maximum operation. In addition to this novel architecture design, we further improve the robustness by introducing pre-alignment -- a simple yet effective PCA-based normalization scheme. Our PointTree encoder combined with pre-alignment consistently outperforms state-of-the-art methods by large margins, for applications from object classification to semantic segmentation on various transformed versions of the widely-benchmarked datasets. Code and pre-trained models are available at https://github.com/immortalCO/PointTree.

Title: Distributionally Robust Model-Based Offline Reinforcement Learning with Near-Optimal Sample Complexity. (arXiv:2208.05767v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2208.05767
• Code URL: null
• Copy Paste: [[2208.05767] Distributionally Robust Model-Based Offline Reinforcement Learning with Near-Optimal Sample Complexity](http://arxiv.org/abs/2208.05767)
• Summary:

  This paper concerns the central issues of model robustness and sample efficiency in offline reinforcement learning (RL), which aims to learn to perform decision making from history data without active exploration. Due to uncertainties and variabilities of the environment, it is critical to learn a robust policy -- with as few samples as possible -- that performs well even when the deployed environment deviates from the nominal one used to collect the history dataset. We consider a distributionally robust formulation of offline RL, focusing on a tabular non-stationary finite-horizon robust Markov decision process with an uncertainty set specified by the Kullback-Leibler divergence. To combat with sample scarcity, a model-based algorithm that combines distributionally robust value iteration with the principle of pessimism in the face of uncertainty is proposed, by penalizing the robust value estimates with a carefully designed data-driven penalty term. Under a mild and tailored assumption of the history dataset that measures distribution shift without requiring full coverage of the state-action space, we establish the finite-sample complexity of the proposed algorithm, and further show it is almost unimprovable in light of a nearly-matching information-theoretic lower bound up to a polynomial factor of the horizon length. To the best our knowledge, this provides the first provably near-optimal robust offline RL algorithm that learns under model uncertainty and partial coverage.

Title: HyperTime: Implicit Neural Representation for Time Series. (arXiv:2208.05836v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2208.05836
• Code URL: null
• Copy Paste: [[2208.05836] HyperTime: Implicit Neural Representation for Time Series](http://arxiv.org/abs/2208.05836)
• Summary:

  Implicit neural representations (INRs) have recently emerged as a powerful tool that provides an accurate and resolution-independent encoding of data. Their robustness as general approximators has been shown in a wide variety of data sources, with applications on image, sound, and 3D scene representation. However, little attention has been given to leveraging these architectures for the representation and analysis of time series data. In this paper, we analyze the representation of time series using INRs, comparing different activation functions in terms of reconstruction accuracy and training convergence speed. We show how these networks can be leveraged for the imputation of time series, with applications on both univariate and multivariate data. Finally, we propose a hypernetwork architecture that leverages INRs to learn a compressed latent representation of an entire time series dataset. We introduce an FFT-based loss to guide training so that all frequencies are preserved in the time series. We show that this network can be used to encode time series as INRs, and their embeddings can be interpolated to generate new time series from existing ones. We evaluate our generative method by using it for data augmentation, and show that it is competitive against current state-of-the-art approaches for augmentation of time series.

biometric

steal

extraction

Title: FIGO: Enhanced Fingerprint Identification Approach Using GAN and One Shot Learning Techniques. (arXiv:2208.05615v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05615
• Code URL: null
• Copy Paste: [[2208.05615] FIGO: Enhanced Fingerprint Identification Approach Using GAN and One Shot Learning Techniques](http://arxiv.org/abs/2208.05615)
• Summary:

  Fingerprint evidence plays an important role in a criminal investigation for the identification of individuals. Although various techniques have been proposed for fingerprint classification and feature extraction, automated fingerprint identification of fingerprints is still in its earliest stage. The performance of traditional \textit{Automatic Fingerprint Identification System} (AFIS) depends on the presence of valid minutiae points and still requires human expert assistance in feature extraction and identification stages. Based on this motivation, we propose a Fingerprint Identification approach based on Generative adversarial network and One-shot learning techniques (FIGO). Our solution contains two components: fingerprint enhancement tier and fingerprint identification tier. First, we propose a Pix2Pix model to transform low-quality fingerprint images to a higher level of fingerprint images pixel by pixel directly in the fingerprint enhancement tier. With the proposed enhancement algorithm, the fingerprint identification model's performance is significantly improved. Furthermore, we develop another existing solution based on Gabor filters as a benchmark to compare with the proposed model by observing the fingerprint device's recognition accuracy. Experimental results show that our proposed Pix2pix model has better support than the baseline approach for fingerprint identification. Second, we construct a fully automated fingerprint feature extraction model using a one-shot learning approach to differentiate each fingerprint from the others in the fingerprint identification process. Two twin convolutional neural networks (CNNs) with shared weights and parameters are used to obtain the feature vectors in this process. Using the proposed method, we demonstrate that it is possible to learn necessary information from only one training sample with high accuracy.

Title: Optimal Transport Features for Morphometric Population Analysis. (arXiv:2208.05891v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2208.05891
• Code URL: https://github.com/kitwaremedical/utm
• Copy Paste: [[2208.05891] Optimal Transport Features for Morphometric Population Analysis](http://arxiv.org/abs/2208.05891)
• Summary:

  Brain pathologies often manifest as partial or complete loss of tissue. The goal of many neuroimaging studies is to capture the location and amount of tissue changes with respect to a clinical variable of interest, such as disease progression. Morphometric analysis approaches capture local differences in the distribution of tissue or other quantities of interest in relation to a clinical variable. We propose to augment morphometric analysis with an additional feature extraction step based on unbalanced optimal transport. The optimal transport feature extraction step increases statistical power for pathologies that cause spatially dispersed tissue loss, minimizes sensitivity to shifts due to spatial misalignment or differences in brain topology, and separates changes due to volume differences from changes due to tissue location. We demonstrate the proposed optimal transport feature extraction step in the context of a volumetric morphometric analysis of the OASIS-1 study for Alzheimer's disease. The results demonstrate that the proposed approach can identify tissue changes and differences that are not otherwise measurable.

Title: Sequence Feature Extraction for Malware Family Analysis via Graph Neural Network. (arXiv:2208.05476v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05476
• Code URL: null
• Copy Paste: [[2208.05476] Sequence Feature Extraction for Malware Family Analysis via Graph Neural Network](http://arxiv.org/abs/2208.05476)
• Summary:

  Malicious software (malware) causes much harm to our devices and life. We are eager to understand the malware behavior and the threat it made. Most of the record files of malware are variable length and text-based files with time stamps, such as event log data and dynamic analysis profiles. Using the time stamps, we can sort such data into sequence-based data for the following analysis. However, dealing with the text-based sequences with variable lengths is difficult. In addition, unlike natural language text data, most sequential data in information security have specific properties and structure, such as loop, repeated call, noise, etc. To deeply analyze the API call sequences with their structure, we use graphs to represent the sequences, which can further investigate the information and structure, such as the Markov model. Therefore, we design and implement an Attention Aware Graph Neural Network (AWGCN) to analyze the API call sequences. Through AWGCN, we can obtain the sequence embeddings to analyze the behavior of the malware. Moreover, the classification experiment result shows that AWGCN outperforms other classifiers in the call-like datasets, and the embedding can further improve the classic model's performance.

membership infer

federate

fair

Title: Finding Reusable Machine Learning Components to Build Programming Language Processing Pipelines. (arXiv:2208.05596v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2208.05596
• Code URL: null
• Copy Paste: [[2208.05596] Finding Reusable Machine Learning Components to Build Programming Language Processing Pipelines](http://arxiv.org/abs/2208.05596)
• Summary:

  Programming Language Processing (PLP) using machine learning has made vast improvements in the past few years. Increasingly more people are interested in exploring this promising field. However, it is challenging for new researchers and developers to find the right components to construct their own machine learning pipelines, given the diverse PLP tasks to be solved, the large number of datasets and models being released, and the set of complex compilers or tools involved. To improve the findability, accessibility, interoperability and reusability (FAIRness) of machine learning components, we collect and analyze a set of representative papers in the domain of machine learning-based PLP. We then identify and characterize key concepts including PLP tasks, model architectures and supportive tools. Finally, we show some example use cases of leveraging the reusable components to construct machine learning pipelines to solve a set of PLP tasks.

interpretability

exlainability

watermark

Title: Customized Watermarking for Deep Neural Networks via Label Distribution Perturbation. (arXiv:2208.05477v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2208.05477
• Code URL: null
• Copy Paste: [[2208.05477] Customized Watermarking for Deep Neural Networks via Label Distribution Perturbation](http://arxiv.org/abs/2208.05477)
• Summary:

  With the increasing application value of machine learning, the intellectual property (IP) rights of deep neural networks (DNN) are getting more and more attention. With our analysis, most of the existing DNN watermarking methods can resist fine-tuning and pruning attack, but distillation attack. To address these problem, we propose a new DNN watermarking framework, Unified Soft-label Perturbation (USP), having a detector paired with the model to be watermarked, and Customized Soft-label Perturbation (CSP), embedding watermark via adding perturbation into the model output probability distribution. Experimental results show that our methods can resist all watermark removal attacks and outperform in distillation attack. Besides, we also have an excellent trade-off between the main task and watermarking that achieving 98.68% watermark accuracy while only affecting the main task accuracy by 0.59%.