secure

security

Title: Beyond Random Split for Assessing Statistical Model Performance. (arXiv:2209.03346v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03346
• Code URL: null
• Copy Paste: [[2209.03346] Beyond Random Split for Assessing Statistical Model Performance](http://arxiv.org/abs/2209.03346)
• Summary:

  Even though a train/test split of the dataset randomly performed is a common practice, could not always be the best approach for estimating performance generalization under some scenarios. The fact is that the usual machine learning methodology can sometimes overestimate the generalization error when a dataset is not representative or when rare and elusive examples are a fundamental aspect of the detection problem. In the present work, we analyze strategies based on the predictors' variability to split in training and testing sets. Such strategies aim at guaranteeing the inclusion of rare or unusual examples with a minimal loss of the population's representativeness and provide a more accurate estimation about the generalization error when the dataset is not representative. Two baseline classifiers based on decision trees were used for testing the four splitting strategies considered. Both classifiers were applied on CTU19 a low-representative dataset for a network security detection problem. Preliminary results showed the importance of applying the three alternative strategies to the Monte Carlo splitting strategy in order to get a more accurate error estimation on different but feasible scenarios.

Title: Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing. (arXiv:2209.03441v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03441
• Code URL: https://github.com/forte-research/hexcite
• Copy Paste: [[2209.03441] Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing](http://arxiv.org/abs/2209.03441)
• Summary:

  Coverage-guided fuzzing's aggressive, high-volume testing has helped reveal tens of thousands of software security flaws. While executing billions of test cases mandates fast code coverage tracing, the nature of binary-only targets leads to reduced tracing performance. A recent advancement in binary fuzzing performance is Coverage-guided Tracing (CGT), which brings orders-of-magnitude gains in throughput by restricting the expense of coverage tracing to only when new coverage is guaranteed. Unfortunately, CGT suits only a basic block coverage granularity -- yet most fuzzers require finer-grain coverage metrics: edge coverage and hit counts. It is this limitation which prohibits nearly all of today's state-of-the-art fuzzers from attaining the performance benefits of CGT.

This paper tackles the challenges of adapting CGT to fuzzing's most ubiquitous coverage metrics. We introduce and implement a suite of enhancements that expand CGT's introspection to fuzzing's most common code coverage metrics, while maintaining its orders-of-magnitude speedup over conventional always-on coverage tracing. We evaluate their trade-offs with respect to fuzzing performance and effectiveness across 12 diverse real-world binaries (8 open- and 4 closed-source). On average, our coverage-preserving CGT attains near-identical speed to the present block-coverage-only CGT, UnTracer; and outperforms leading binary- and source-level coverage tracers QEMU, Dyninst, RetroWrite, and AFL-Clang by 2-24x, finding more bugs in less time.

Title: OblivGM: Oblivious Attributed Subgraph Matching as a Cloud Service. (arXiv:2209.03526v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03526
• Code URL: null
• Copy Paste: [[2209.03526] OblivGM: Oblivious Attributed Subgraph Matching as a Cloud Service](http://arxiv.org/abs/2209.03526)
• Summary:

  In recent years there has been growing popularity of leveraging cloud computing for storing and querying attributed graphs, which have been widely used to model complex structured data in various applications. Such trend of outsourced graph analytics, however, is accompanied with critical privacy concerns regarding the information-rich and proprietary attributed graph data. In light of this, we design, implement, and evaluate OblivGM, a new system aimed at oblivious graph analytics services outsourced to the cloud. OblivGM focuses on the support for attributed subgraph matching, one popular and fundamental graph query functionality aiming to retrieve from a large attributed graph subgraphs isomorphic to a small query graph. Built from a delicate synergy of insights from attributed graph modelling and advanced lightweight cryptography, OblivGM protects the confidentiality of data content associated with attributed graphs and queries, conceals the connections among vertices in attributed graphs, and hides search access patterns. Meanwhile, OblivGM flexibly supports oblivious evaluation of varying subgraph queries, which may contain equality and/or range predicates. Extensive experiments over a real-world attributed graph dataset demonstrate that while providing strong security guarantees, OblivGM achieves practically affordable performance (with query latency on the order of a few seconds).

Title: MalDetConv: Automated Behaviour-based Malware Detection Framework Based on Natural Language Processing and Deep Learning Techniques. (arXiv:2209.03547v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03547
• Code URL: null
• Copy Paste: [[2209.03547] MalDetConv: Automated Behaviour-based Malware Detection Framework Based on Natural Language Processing and Deep Learning Techniques](http://arxiv.org/abs/2209.03547)
• Summary:

  The popularity of Windows attracts the attention of hackers/cyber-attackers, making Windows devices the primary target of malware attacks in recent years. Several sophisticated malware variants and anti-detection methods have been significantly enhanced and as a result, traditional malware detection techniques have become less effective. This work presents MalBehavD-V1, a new behavioural dataset of Windows Application Programming Interface (API) calls extracted from benign and malware executable files using the dynamic analysis approach. In addition, we present MalDetConV, a new automated behaviour-based framework for detecting both existing and zero-day malware attacks. MalDetConv uses a text processing-based encoder to transform features of API calls into a suitable format supported by deep learning models. It then uses a hybrid of convolutional neural network (CNN) and bidirectional gated recurrent unit (CNN-BiGRU) automatic feature extractor to select high-level features of the API Calls which are then fed to a fully connected neural network module for malware classification. MalDetConv also uses an explainable component that reveals features that contributed to the final classification outcome, helping the decision-making process for security analysts. The performance of the proposed framework is evaluated using our MalBehavD-V1 dataset and other benchmark datasets. The detection results demonstrate the effectiveness of MalDetConv over the state-of-the-art techniques with detection accuracy of 96.10%, 95.73%, 98.18%, and 99.93% achieved while detecting unseen malware from MalBehavD-V1, Allan and John, Brazilian, and Ki-D datasets, respectively. The experimental results show that MalDetConv is highly accurate in detecting both known and zero-day malware attacks on Windows devices.

Title: Security Analysis of the EDHOC protocol. (arXiv:2209.03599v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03599
• Code URL: null
• Copy Paste: [[2209.03599] Security Analysis of the EDHOC protocol](http://arxiv.org/abs/2209.03599)
• Summary:

  Ephemeral Diffie-Hellman Over COSE (EDHOC) aims at being a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. It is expected to provide mutual authentication, forward secrecy, and identity protection, with a 128-bit security level.A formal analysis has already been proposed at SECRYPT '21, on a former version, leading to some improvements, in the ongoing evaluation process by IETF. Unfortunately, while formal analysis can detect some misconceptions in the protocol, it cannot evaluate the actual security level.In this paper, we study the last version. Without complete breaks, we anyway exhibit attacks in 2^64 operations, which contradict the expected 128-bit security level. We thereafter propose improvements, some of them being at no additional cost, to achieve 128-bit security for all the security properties (i.e. key privacy, mutual authentication, and identity-protection).

Title: Multisecret-sharing scheme with two-level security and its applications in Blockchain. (arXiv:2209.03670v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03670
• Code URL: null
• Copy Paste: [[2209.03670] Multisecret-sharing scheme with two-level security and its applications in Blockchain](http://arxiv.org/abs/2209.03670)
• Summary:

  A $(t,m)$-threshold secret sharing and multisecret-sharing scheme based on Shamir's SSS are introduced with two-level security using a one-way function. Besides we give its application in smart contract-enabled consortium blockchain network. The proposed scheme is thoroughly examined in terms of security and efficiency. Privacy, security, integrity, and scalability are also analyzed while applying it to the blockchain network.

Title: Multi-signer Strong Designated Multi-verifier Signature Schemes based on Multiple Cryptographic Algorithms. (arXiv:2209.03682v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03682
• Code URL: null
• Copy Paste: [[2209.03682] Multi-signer Strong Designated Multi-verifier Signature Schemes based on Multiple Cryptographic Algorithms](http://arxiv.org/abs/2209.03682)
• Summary:

  A designated verifier signature scheme allows a signer to generate a signature that only the designated verifier can verify. This paper proposes multi-signer strong designated multi-verifier signature schemes based on multiple cryptographic algorithms and has proven their security in the random oracle model.

Title: Evaluating the Future Device Security Risk Indicator for Hundreds of IoT Devices. (arXiv:2209.03826v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03826
• Code URL: null
• Copy Paste: [[2209.03826] Evaluating the Future Device Security Risk Indicator for Hundreds of IoT Devices](http://arxiv.org/abs/2209.03826)
• Summary:

  IoT devices are present in many, especially corporate and sensitive, networks and regularly introduce security risks due to slow vendor responses to vulnerabilities and high difficulty of patching. In this paper, we want to evaluate to what extent the development of future risk of IoT devices due to new and unpatched vulnerabilities can be predicted based on historic information. For this analysis, we build on existing prediction algorithms available in the SAFER framework (prophet and ARIMA) which we evaluate by means of a large data-set of vulnerabilities and patches from 793 IoT devices. Our analysis shows that the SAFER framework can predict a correct future risk for 91% of the devices, demonstrating its applicability. We conclude that this approach is a reliable means for network operators to efficiently detect and act on risks emanating from IoT devices in their networks.

privacy

Title: A Framework for Evaluating Privacy-Utility Trade-off in Vertical Federated Learning. (arXiv:2209.03885v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03885
• Code URL: null
• Copy Paste: [[2209.03885] A Framework for Evaluating Privacy-Utility Trade-off in Vertical Federated Learning](http://arxiv.org/abs/2209.03885)
• Summary:

  Federated learning (FL) has emerged as a practical solution to tackle data silo issues without compromising user privacy. One of its variants, vertical federated learning (VFL), has recently gained increasing attention as the VFL matches the enterprises' demands of leveraging more valuable features to build better machine learning models while preserving user privacy. Current works in VFL concentrate on developing a specific protection or attack mechanism for a particular VFL algorithm. In this work, we propose an evaluation framework that formulates the privacy-utility evaluation problem. We then use this framework as a guide to comprehensively evaluate a broad range of protection mechanisms against most of the state-of-the-art privacy attacks for three widely-deployed VFL algorithms. These evaluations may help FL practitioners select appropriate protection mechanisms given specific requirements. Our evaluation results demonstrate that: the model inversion and most of the label inference attacks can be thwarted by existing protection mechanisms; the model completion (MC) attack is difficult to be prevented, which calls for more advanced MC-targeted protection mechanisms. Based on our evaluation results, we offer concrete advice on improving the privacy-preserving capability of VFL systems.

Title: Reconstruction Attacks on Aggressive Relaxations of Differential Privacy. (arXiv:2209.03905v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03905
• Code URL: https://github.com/cmla-psu/idpreconstruction
• Copy Paste: [[2209.03905] Reconstruction Attacks on Aggressive Relaxations of Differential Privacy](http://arxiv.org/abs/2209.03905)
• Summary:

  Differential privacy is a widely accepted formal privacy definition that allows aggregate information about a dataset to be released while controlling privacy leakage for individuals whose records appear in the data. Due to the unavoidable tension between privacy and utility, there have been many works trying to relax the requirements of differential privacy to achieve greater utility. One class of relaxation, which is starting to gain support outside the privacy community is embodied by the definitions of individual differential privacy (IDP) and bootstrap differential privacy (BDP). The original version of differential privacy defines a set of neighboring database pairs and achieves its privacy guarantees by requiring that each pair of neighbors should be nearly indistinguishable to an attacker. The privacy definitions we study, however, aggressively reduce the set of neighboring pairs that are protected. Both IDP and BDP define a measure of "privacy loss" that satisfies formal privacy properties such as postprocessing invariance and composition, and achieve dramatically better utility than the traditional variants of differential privacy. However, there is a significant downside - we show that they allow a significant portion of the dataset to be reconstructed using algorithms that have arbitrarily low privacy loss under their privacy accounting rules. We demonstrate these attacks using the preferred mechanisms of these privacy definitions. In particular, we design a set of queries that, when protected by these mechanisms with high noise settings (i.e., with claims of very low privacy loss), yield more precise information about the dataset than if they were not protected at all.

protect

Title: Supervised GAN Watermarking for Intellectual Property Protection. (arXiv:2209.03466v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03466
• Code URL: null
• Copy Paste: [[2209.03466] Supervised GAN Watermarking for Intellectual Property Protection](http://arxiv.org/abs/2209.03466)
• Summary:

  We propose a watermarking method for protecting the Intellectual Property (IP) of Generative Adversarial Networks (GANs). The aim is to watermark the GAN model so that any image generated by the GAN contains an invisible watermark (signature), whose presence inside the image can be checked at a later stage for ownership verification. To achieve this goal, a pre-trained CNN watermarking decoding block is inserted at the output of the generator. The generator loss is then modified by including a watermark loss term, to ensure that the prescribed watermark can be extracted from the generated images. The watermark is embedded via fine-tuning, with reduced time complexity. Results show that our method can effectively embed an invisible watermark inside the generated images. Moreover, our method is a general one and can work with different GAN architectures, different tasks, and different resolutions of the output image. We also demonstrate the good robustness performance of the embedded watermark against several post-processing, among them, JPEG compression, noise addition, blurring, and color transformations.

Title: A Survey of Recent Advances in Deep Learning Models for Detecting Malware in Desktop and Mobile Platforms. (arXiv:2209.03622v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03622
• Code URL: null
• Copy Paste: [[2209.03622] A Survey of Recent Advances in Deep Learning Models for Detecting Malware in Desktop and Mobile Platforms](http://arxiv.org/abs/2209.03622)
• Summary:

  Malware is one of the most common and severe cyber-attack today. Malware infects millions of devices and can perform several malicious activities including mining sensitive data, encrypting data, crippling system performance, and many more. Hence, malware detection is crucial to protect our computers and mobile devices from malware attacks. Deep learning (DL) is one of the emerging and promising technologies for detecting malware. The recent high production of malware variants against desktop and mobile platforms makes DL algorithms powerful approaches for building scalable and advanced malware detection models as they can handle big datasets. This work explores current deep learning technologies for detecting malware attacks on the Windows, Linux, and Android platforms. Specifically, we present different categories of DL algorithms, network optimizers, and regularization methods. Different loss functions, activation functions, and frameworks for implementing DL models are presented. We also present feature extraction approaches and a review of recent DL-based models for detecting malware attacks on the above platforms. Furthermore, this work presents major research issues on malware detection including future directions to further advance knowledge and research in this field.

defense

attack

Title: Incorporating Locality of Images to Generate Targeted Transferable Adversarial Examples. (arXiv:2209.03716v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03716
• Code URL: null
• Copy Paste: [[2209.03716] Incorporating Locality of Images to Generate Targeted Transferable Adversarial Examples](http://arxiv.org/abs/2209.03716)
• Summary:

  Despite that leveraging the transferability of adversarial examples can attain a fairly high attack success rate for non-targeted attacks, it does not work well in targeted attacks since the gradient directions from a source image to a targeted class are usually different in different DNNs. To increase the transferability of target attacks, recent studies make efforts in aligning the feature of the generated adversarial example with the feature distributions of the targeted class learned from an auxiliary network or a generative adversarial network. However, these works assume that the training dataset is available and require a lot of time to train networks, which makes it hard to apply to real-world scenarios. In this paper, we revisit adversarial examples with targeted transferability from the perspective of universality and find that highly universal adversarial perturbations tend to be more transferable. Based on this observation, we propose the Locality of Images (LI) attack to improve targeted transferability. Specifically, instead of using the classification loss only, LI introduces a feature similarity loss between intermediate features from adversarial perturbed original images and randomly cropped images, which makes the features from adversarial perturbations to be more dominant than that of benign images, hence improving targeted transferability. Through incorporating locality of images into optimizing perturbations, the LI attack emphasizes that targeted perturbations should be universal to diverse input patterns, even local image patches. Extensive experiments demonstrate that LI can achieve high success rates for transfer-based targeted attacks. On attacking the ImageNet-compatible dataset, LI yields an improvement of 12\% compared with existing state-of-the-art methods.

Title: Fact-Saboteurs: A Taxonomy of Evidence Manipulation Attacks against Fact-Verification Systems. (arXiv:2209.03755v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03755
• Code URL: null
• Copy Paste: [[2209.03755] Fact-Saboteurs: A Taxonomy of Evidence Manipulation Attacks against Fact-Verification Systems](http://arxiv.org/abs/2209.03755)
• Summary:

  Mis- and disinformation are now a substantial global threat to our security and safety. To cope with the scale of online misinformation, one viable solution is to automate the fact-checking of claims by retrieving and verifying against relevant evidence. While major recent advances have been achieved in pushing forward the automatic fact-verification, a comprehensive evaluation of the possible attack vectors against such systems is still lacking. Particularly, the automated fact-verification process might be vulnerable to the exact disinformation campaigns it is trying to combat. In this work, we assume an adversary that automatically tampers with the online evidence in order to disrupt the fact-checking model via camouflaging the relevant evidence, or planting a misleading one. We first propose an exploratory taxonomy that spans these two targets and the different threat model dimensions. Guided by this, we design and propose several potential attack methods. We show that it is possible to subtly modify claim-salient snippets in the evidence, in addition to generating diverse and claim-aligned evidence. As a result, we highly degrade the fact-checking performance under many different permutations of the taxonomy's dimensions. The attacks are also robust against post-hoc modifications of the claim. Our analysis further hints at potential limitations in models' inference when faced with contradicting evidence. We emphasize that these attacks can have harmful implications on the inspectable and human-in-the-loop usage scenarios of such models, and we conclude by discussing challenges and directions for future defenses.

Title: Reward Delay Attacks on Deep Reinforcement Learning. (arXiv:2209.03540v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03540
• Code URL: null
• Copy Paste: [[2209.03540] Reward Delay Attacks on Deep Reinforcement Learning](http://arxiv.org/abs/2209.03540)
• Summary:

  Most reinforcement learning algorithms implicitly assume strong synchrony. We present novel attacks targeting Q-learning that exploit a vulnerability entailed by this assumption by delaying the reward signal for a limited time period. We consider two types of attack goals: targeted attacks, which aim to cause a target policy to be learned, and untargeted attacks, which simply aim to induce a policy with a low reward. We evaluate the efficacy of the proposed attacks through a series of experiments. Our first observation is that reward-delay attacks are extremely effective when the goal is simply to minimize reward. Indeed, we find that even naive baseline reward-delay attacks are also highly successful in minimizing the reward. Targeted attacks, on the other hand, are more challenging, although we nevertheless demonstrate that the proposed approaches remain highly effective at achieving the attacker's targets. In addition, we introduce a second threat model that captures a minimal mitigation that ensures that rewards cannot be used out of sequence. We find that this mitigation remains insufficient to ensure robustness to attacks that delay, but preserve the order, of rewards.

Title: Black-Box Audits for Group Distribution Shifts. (arXiv:2209.03620v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03620
• Code URL: null
• Copy Paste: [[2209.03620] Black-Box Audits for Group Distribution Shifts](http://arxiv.org/abs/2209.03620)
• Summary:

  When a model informs decisions about people, distribution shifts can create undue disparities. However, it is hard for external entities to check for distribution shift, as the model and its training set are often proprietary. In this paper, we introduce and study a black-box auditing method to detect cases of distribution shift that lead to a performance disparity of the model across demographic groups. By extending techniques used in membership and property inference attacks -- which are designed to expose private information from learned models -- we demonstrate that an external auditor can gain the information needed to identify these distribution shifts solely by querying the model. Our experimental results on real-world datasets show that this approach is effective, achieving 80--100% AUC-ROC in detecting shifts involving the underrepresentation of a demographic group in the training set. Researchers and investigative journalists can use our tools to perform non-collaborative audits of proprietary models and expose cases of underrepresentation in the training datasets.

robust

Title: R$^3$LIVE++: A Robust, Real-time, Radiance reconstruction package with a tightly-coupled LiDAR-Inertial-Visual state Estimator. (arXiv:2209.03666v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03666
• Code URL: https://github.com/hku-mars/r3live
• Copy Paste: [[2209.03666] R$^3$LIVE++: A Robust, Real-time, Radiance reconstruction package with a tightly-coupled LiDAR-Inertial-Visual state Estimator](http://arxiv.org/abs/2209.03666)
• Summary:

  Simultaneous localization and mapping (SLAM) are crucial for autonomous robots (e.g., self-driving cars, autonomous drones), 3D mapping systems, and AR/VR applications. This work proposed a novel LiDAR-inertial-visual fusion framework termed R$^3$LIVE++ to achieve robust and accurate state estimation while simultaneously reconstructing the radiance map on the fly. R$^3$LIVE++ consists of a LiDAR-inertial odometry (LIO) and a visual-inertial odometry (VIO), both running in real-time. The LIO subsystem utilizes the measurements from a LiDAR for reconstructing the geometric structure (i.e., the positions of 3D points), while the VIO subsystem simultaneously recovers the radiance information of the geometric structure from the input images. R$^3$LIVE++ is developed based on R$^3$LIVE and further improves the accuracy in localization and mapping by accounting for the camera photometric calibration (e.g., non-linear response function and lens vignetting) and the online estimation of camera exposure time. We conduct more extensive experiments on both public and our private datasets to compare our proposed system against other state-of-the-art SLAM systems. Quantitative and qualitative results show that our proposed system has significant improvements over others in both accuracy and robustness. In addition, to demonstrate the extendability of our work, {we developed several applications based on our reconstructed radiance maps, such as high dynamic range (HDR) imaging, virtual environment exploration, and 3D video gaming.} Lastly, to share our findings and make contributions to the community, we make our codes, hardware design, and dataset publicly available on our Github: github.com/hku-mars/r3live

Title: A crowdsourced dataset of aerial images with annotated solar photovoltaic arrays and installation metadata. (arXiv:2209.03726v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03726
• Code URL: null
• Copy Paste: [[2209.03726] A crowdsourced dataset of aerial images with annotated solar photovoltaic arrays and installation metadata](http://arxiv.org/abs/2209.03726)
• Summary:

  Photovoltaic (PV) energy generation plays a crucial role in the energy transition. Small-scale PV installations are deployed at an unprecedented pace, and their integration into the grid can be challenging since public authorities often lack quality data about them. Overhead imagery is increasingly used to improve the knowledge of residential PV installations with machine learning models capable of automatically mapping these installations. However, these models cannot be easily transferred from one region or data source to another due to differences in image acquisition. To address this issue known as domain shift and foster the development of PV array mapping pipelines, we propose a dataset containing aerial images, annotations, and segmentation masks. We provide installation metadata for more than 28,000 installations. We provide ground truth segmentation masks for 13,000 installations, including 7,000 with annotations for two different image providers. Finally, we provide installation metadata that matches the annotation for more than 8,000 installations. Dataset applications include end-to-end PV registry construction, robust PV installations mapping, and analysis of crowdsourced datasets.

Title: PixTrack: Precise 6DoF Object Pose Tracking using NeRF Templates and Feature-metric Alignment. (arXiv:2209.03910v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03910
• Code URL: null
• Copy Paste: [[2209.03910] PixTrack: Precise 6DoF Object Pose Tracking using NeRF Templates and Feature-metric Alignment](http://arxiv.org/abs/2209.03910)
• Summary:

  We present PixTrack, a vision based object pose tracking framework using novel view synthesis and deep feature-metric alignment. Our evaluations demonstrate that our method produces highly accurate, robust, and jitter-free 6DoF pose estimates of objects in RGB images without the need of any data annotation or trajectory smoothing. Our method is also computationally efficient making it easy to have multi-object tracking with no alteration to our method and just using CPU multiprocessing.

Title: Towards explainable evaluation of language models on the semantic similarity of visual concepts. (arXiv:2209.03723v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03723
• Code URL: null
• Copy Paste: [[2209.03723] Towards explainable evaluation of language models on the semantic similarity of visual concepts](http://arxiv.org/abs/2209.03723)
• Summary:

  Recent breakthroughs in NLP research, such as the advent of Transformer models have indisputably contributed to major advancements in several tasks. However, few works research robustness and explainability issues of their evaluation strategies. In this work, we examine the behavior of high-performing pre-trained language models, focusing on the task of semantic similarity for visual vocabularies. First, we address the need for explainable evaluation metrics, necessary for understanding the conceptual quality of retrieved instances. Our proposed metrics provide valuable insights in local and global level, showcasing the inabilities of widely used approaches. Secondly, adversarial interventions on salient query semantics expose vulnerabilities of opaque metrics and highlight patterns in learned linguistic representations.

Title: SynSciPass: detecting appropriate uses of scientific text generation. (arXiv:2209.03742v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03742
• Code URL: https://github.com/domenicrosati/synscipass
• Copy Paste: [[2209.03742] SynSciPass: detecting appropriate uses of scientific text generation](http://arxiv.org/abs/2209.03742)
• Summary:

  Approaches to machine generated text detection tend to focus on binary classification of human versus machine written text. In the scientific domain where publishers might use these models to examine manuscripts under submission, misclassification has the potential to cause harm to authors. Additionally, authors may appropriately use text generation models such as with the use of assistive technologies like translation tools. In this setting, a binary classification scheme might be used to flag appropriate uses of assistive text generation technology as simply machine generated which is a cause of concern. In our work, we simulate this scenario by presenting a state-of-the-art detector trained on the DAGPap22 with machine translated passages from Scielo and find that the model performs at random. Given this finding, we develop a framework for dataset development that provides a nuanced approach to detecting machine generated text by having labels for the type of technology used such as for translation or paraphrase resulting in the construction of SynSciPass. By training the same model that performed well on DAGPap22 on SynSciPass, we show that not only is the model more robust to domain shifts but also is able to uncover the type of technology used for machine generated text. Despite this, we conclude that current datasets are neither comprehensive nor realistic enough to understand how these models would perform in the wild where manuscript submissions can come from many unknown or novel distributions, how they would perform on scientific full-texts rather than small passages, and what might happen when there is a mix of appropriate and inappropriate uses of natural language generation.

Title: Bispectral Neural Networks. (arXiv:2209.03416v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03416
• Code URL: null
• Copy Paste: [[2209.03416] Bispectral Neural Networks](http://arxiv.org/abs/2209.03416)
• Summary:

  We present a novel machine learning architecture, Bispectral Neural Networks (BNNs), for learning representations of data that are invariant to the actions of groups on the space over which a signal is defined. The model incorporates the ansatz of the bispectrum, an analytically defined group invariant that is complete--that is, it preserves all signal structure while removing only the variation due to group actions. Here, we demonstrate that BNNs are able to discover arbitrary commutative group structure in data, with the trained models learning the irreducible representations of the groups, which allows for the recovery of the group Cayley tables. Remarkably, trained networks learn to approximate bispectra on these groups, and thus possess the robustness, completeness, and generality of the analytical object.

Title: Improved Robust Algorithms for Learning with Discriminative Feature Feedback. (arXiv:2209.03753v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03753
• Code URL: null
• Copy Paste: [[2209.03753] Improved Robust Algorithms for Learning with Discriminative Feature Feedback](http://arxiv.org/abs/2209.03753)
• Summary:

  Discriminative Feature Feedback is a setting proposed by Dastupta et al. (2018), which provides a protocol for interactive learning based on feature explanations that are provided by a human teacher. The features distinguish between the labels of pairs of possibly similar instances. That work has shown that learning in this model can have considerable statistical and computational advantages over learning in standard label-based interactive learning models.

In this work, we provide new robust interactive learning algorithms for the Discriminative Feature Feedback model, with mistake bounds that are significantly lower than those of previous robust algorithms for this setting. In the adversarial setting, we reduce the dependence on the number of protocol exceptions from quadratic to linear. In addition, we provide an algorithm for a slightly more restricted model, which obtains an even smaller mistake bound for large models with many exceptions.

In the stochastic setting, we provide the first algorithm that converges to the exception rate with a polynomial sample complexity. Our algorithm and analysis for the stochastic setting involve a new construction that we call Feature Influence, which may be of wider applicability.

biometric

steal

extraction

Title: Sign Language Detection. (arXiv:2209.03578v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03578
• Code URL: null
• Copy Paste: [[2209.03578] Sign Language Detection](http://arxiv.org/abs/2209.03578)
• Summary:

  With the advancements in Computer vision techniques the need to classify images based on its features have become a huge task and necessity. In this project we proposed 2 models i.e. feature extraction and classification using ORB and SVM and the second is using CNN architecture. The end result of the project is to understand the concept behind feature extraction and image classification. The trained CNN model will also be used to convert it to tflite format for Android Development.

Title: FETA: Towards Specializing Foundation Models for Expert Task Applications. (arXiv:2209.03648v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03648
• Code URL: null
• Copy Paste: [[2209.03648] FETA: Towards Specializing Foundation Models for Expert Task Applications](http://arxiv.org/abs/2209.03648)
• Summary:

  Foundation Models (FMs) have demonstrated unprecedented capabilities including zero-shot learning, high fidelity data synthesis, and out of domain generalization. However, as we show in this paper, FMs still have poor out-of-the-box performance on expert tasks (e.g. retrieval of car manuals technical illustrations from language queries), data for which is either unseen or belonging to a long-tail part of the data distribution of the huge datasets used for FM pre-training. This underlines the necessity to explicitly evaluate and finetune FMs on such expert tasks, arguably ones that appear the most in practical real-world applications. In this paper, we propose a first of its kind FETA benchmark built around the task of teaching FMs to understand technical documentation, via learning to match their graphical illustrations to corresponding language descriptions. Our FETA benchmark focuses on text-to-image and image-to-text retrieval in public car manuals and sales catalogue brochures. FETA is equipped with a procedure for completely automatic annotation extraction (code would be released upon acceptance), allowing easy extension of FETA to more documentation types and application domains in the future. Our automatic annotation leads to an automated performance metric shown to be consistent with metrics computed on human-curated annotations (also released). We provide multiple baselines and analysis of popular FMs on FETA leading to several interesting findings that we believe would be very valuable to the FM community, paving the way towards real-world application of FMs for practical expert tasks currently 'overlooked' by standard benchmarks focusing on common objects.

Title: Transformer based Fingerprint Feature Extraction. (arXiv:2209.03846v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03846
• Code URL: null
• Copy Paste: [[2209.03846] Transformer based Fingerprint Feature Extraction](http://arxiv.org/abs/2209.03846)
• Summary:

  Fingerprint feature extraction is a task that is solved using either a global or a local representation. State-of-the-art global approaches use heavy deep learning models to process the full fingerprint image at once, which makes the corresponding approach memory intensive. On the other hand, local approaches involve minutiae based patch extraction, multiple feature extraction steps and an expensive matching stage, which make the corresponding approach time intensive. However, both these approaches provide useful and sometimes exclusive insights for solving the problem. Using both approaches together for extracting fingerprint representations is semantically useful but quite inefficient. Our convolutional transformer based approach with an in-built minutiae extractor provides a time and memory efficient solution to extract a global as well as a local representation of the fingerprint. The use of these representations along with a smart matching process gives us state-of-the-art performance across multiple databases. The project page can be found at https://saraansh1999.github.io/global-plus-local-fp-transformer.

Title: AILAB-Udine@SMM4H 22: Limits of Transformers and BERT Ensembles. (arXiv:2209.03452v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03452
• Code URL: null
• Copy Paste: [[2209.03452] AILAB-Udine@SMM4H 22: Limits of Transformers and BERT Ensembles](http://arxiv.org/abs/2209.03452)
• Summary:

  This paper describes the models developed by the AILAB-Udine team for the SMM4H 22 Shared Task. We explored the limits of Transformer based models on text classification, entity extraction and entity normalization, tackling Tasks 1, 2, 5, 6 and 10. The main take-aways we got from participating in different tasks are: the overwhelming positive effects of combining different architectures when using ensemble learning, and the great potential of generative models for term normalization.

Title: Applying Transformer-based Text Summarization for Keyphrase Generation. (arXiv:2209.03791v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03791
• Code URL: null
• Copy Paste: [[2209.03791] Applying Transformer-based Text Summarization for Keyphrase Generation](http://arxiv.org/abs/2209.03791)
• Summary:

  Keyphrases are crucial for searching and systematizing scholarly documents. Most current methods for keyphrase extraction are aimed at the extraction of the most significant words in the text. But in practice, the list of keyphrases often includes words that do not appear in the text explicitly. In this case, the list of keyphrases represents an abstractive summary of the source text. In this paper, we experiment with popular transformer-based models for abstractive text summarization using four benchmark datasets for keyphrase extraction. We compare the results obtained with the results of common unsupervised and supervised methods for keyphrase extraction. Our evaluation shows that summarization models are quite effective in generating keyphrases in the terms of the full-match F1-score and BERTScore. However, they produce a lot of words that are absent in the author's list of keyphrases, which makes summarization models ineffective in terms of ROUGE-1. We also investigate several ordering strategies to concatenate target keyphrases. The results showed that the choice of strategy affects the performance of keyphrase generation.

membership infer

federate

Title: FADE: Enabling Large-Scale Federated Adversarial Training on Resource-Constrained Edge Devices. (arXiv:2209.03839v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03839
• Code URL: null
• Copy Paste: [[2209.03839] FADE: Enabling Large-Scale Federated Adversarial Training on Resource-Constrained Edge Devices](http://arxiv.org/abs/2209.03839)
• Summary:

  Adversarial Training (AT) has been proven to be an effective method of introducing strong adversarial robustness into deep neural networks. However, the high computational cost of AT prohibits the deployment of large-scale AT on resource-constrained edge devices, e.g., with limited computing power and small memory footprint, in Federated Learning (FL) applications. Very few previous studies have tried to tackle these constraints in FL at the same time. In this paper, we propose a new framework named Federated Adversarial Decoupled Learning (FADE) to enable AT on resource-constrained edge devices in FL. FADE reduces the computation and memory usage by applying Decoupled Greedy Learning (DGL) to federated adversarial training such that each client only needs to perform AT on a small module of the entire model in each communication round. In addition, we improve vanilla DGL by adding an auxiliary weight decay to alleviate objective inconsistency and achieve better performance. FADE offers a theoretical guarantee for the adversarial robustness and convergence. The experimental results also show that FADE can significantly reduce the computing resources consumed by AT while maintaining almost the same accuracy and robustness as fully joint training.

fair

Title: Efficient Gender Debiasing of Pre-trained Indic Language Models. (arXiv:2209.03661v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03661
• Code URL: null
• Copy Paste: [[2209.03661] Efficient Gender Debiasing of Pre-trained Indic Language Models](http://arxiv.org/abs/2209.03661)
• Summary:

  The gender bias present in the data on which language models are pre-trained gets reflected in the systems that use these models. The model's intrinsic gender bias shows an outdated and unequal view of women in our culture and encourages discrimination. Therefore, in order to establish more equitable systems and increase fairness, it is crucial to identify and mitigate the bias existing in these models. While there is a significant amount of work in this area in English, there is a dearth of research being done in other gendered and low resources languages, particularly the Indian languages. English is a non-gendered language, where it has genderless nouns. The methodologies for bias detection in English cannot be directly deployed in other gendered languages, where the syntax and semantics vary. In our paper, we measure gender bias associated with occupations in Hindi language models. Our major contributions in this paper are the construction of a novel corpus to evaluate occupational gender bias in Hindi, quantify this existing bias in these systems using a well-defined metric, and mitigate it by efficiently fine-tuning our model. Our results reflect that the bias is reduced post-introduction of our proposed mitigation techniques. Our codebase is available publicly.

Title: FAT Forensics: A Python Toolbox for Implementing and Deploying Fairness, Accountability and Transparency Algorithms in Predictive Systems. (arXiv:2209.03805v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03805
• Code URL: null
• Copy Paste: [[2209.03805] FAT Forensics: A Python Toolbox for Implementing and Deploying Fairness, Accountability and Transparency Algorithms in Predictive Systems](http://arxiv.org/abs/2209.03805)
• Summary:

  Predictive systems, in particular machine learning algorithms, can take important, and sometimes legally binding, decisions about our everyday life. In most cases, however, these systems and decisions are neither regulated nor certified. Given the potential harm that these algorithms can cause, their qualities such as fairness, accountability and transparency (FAT) are of paramount importance. To ensure high-quality, fair, transparent and reliable predictive systems, we developed an open source Python package called FAT Forensics. It can inspect important fairness, accountability and transparency aspects of predictive algorithms to automatically and objectively report them back to engineers and users of such systems. Our toolbox can evaluate all elements of a predictive pipeline: data (and their features), models and predictions. Published under the BSD 3-Clause open source licence, FAT Forensics is opened up for personal and commercial usage.

Title: Analyzing the Effect of Sampling in GNNs on Individual Fairness. (arXiv:2209.03904v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03904
• Code URL: https://github.com/rsalganik1123/facctrec2022
• Copy Paste: [[2209.03904] Analyzing the Effect of Sampling in GNNs on Individual Fairness](http://arxiv.org/abs/2209.03904)
• Summary:

  Graph neural network (GNN) based methods have saturated the field of recommender systems. The gains of these systems have been significant, showing the advantages of interpreting data through a network structure. However, despite the noticeable benefits of using graph structures in recommendation tasks, this representational form has also bred new challenges which exacerbate the complexity of mitigating algorithmic bias. When GNNs are integrated into downstream tasks, such as recommendation, bias mitigation can become even more difficult. Furthermore, the intractability of applying existing methods of fairness promotion to large, real world datasets places even more serious constraints on mitigation attempts. Our work sets out to fill in this gap by taking an existing method for promoting individual fairness on graphs and extending it to support mini-batch, or sub-sample based, training of a GNN, thus laying the groundwork for applying this method to a downstream recommendation task. We evaluate two popular GNN methods: Graph Convolutional Network (GCN), which trains on the entire graph, and GraphSAGE, which uses probabilistic random walks to create subgraphs for mini-batch training, and assess the effects of sub-sampling on individual fairness. We implement an individual fairness notion called \textit{REDRESS}, proposed by Dong et al., which uses rank optimization to learn individual fair node, or item, embeddings. We empirically show on two real world datasets that GraphSAGE is able to achieve, not just, comparable accuracy, but also, improved fairness as compared with the GCN model. These finding have consequential ramifications to individual fairness promotion, GNNs, and in downstream form, recommender systems, showing that mini-batch training facilitate individual fairness promotion by allowing for local nuance to guide the process of fairness promotion in representation learning.

interpretability

Title: Levenshtein OCR. (arXiv:2209.03594v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03594
• Code URL: null
• Copy Paste: [[2209.03594] Levenshtein OCR](http://arxiv.org/abs/2209.03594)
• Summary:

  A novel scene text recognizer based on Vision-Language Transformer (VLT) is presented. Inspired by Levenshtein Transformer in the area of NLP, the proposed method (named Levenshtein OCR, and LevOCR for short) explores an alternative way for automatically transcribing textual content from cropped natural images. Specifically, we cast the problem of scene text recognition as an iterative sequence refinement process. The initial prediction sequence produced by a pure vision model is encoded and fed into a cross-modal transformer to interact and fuse with the visual features, to progressively approximate the ground truth. The refinement process is accomplished via two basic character-level operations: deletion and insertion, which are learned with imitation learning and allow for parallel decoding, dynamic length change and good interpretability. The quantitative experiments clearly demonstrate that LevOCR achieves state-of-the-art performances on standard benchmarks and the qualitative analyses verify the effectiveness and advantage of the proposed LevOCR algorithm. Code will be released soon.

Title: Frame-Subtitle Self-Supervision for Multi-Modal Video Question Answering. (arXiv:2209.03609v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2209.03609
• Code URL: null
• Copy Paste: [[2209.03609] Frame-Subtitle Self-Supervision for Multi-Modal Video Question Answering](http://arxiv.org/abs/2209.03609)
• Summary:

  Multi-modal video question answering aims to predict correct answer and localize the temporal boundary relevant to the question. The temporal annotations of questions improve QA performance and interpretability of recent works, but they are usually empirical and costly. To avoid the temporal annotations, we devise a weakly supervised question grounding (WSQG) setting, where only QA annotations are used and the relevant temporal boundaries are generated according to the temporal attention scores. To substitute the temporal annotations, we transform the correspondence between frames and subtitles to Frame-Subtitle (FS) self-supervision, which helps to optimize the temporal attention scores and hence improve the video-language understanding in VideoQA model. The extensive experiments on TVQA and TVQA+ datasets demonstrate that the proposed WSQG strategy gets comparable performance on question grounding, and the FS self-supervision helps improve the question answering and grounding performance on both QA-supervision only and full-supervision settings.

Title: Does Attention Mechanism Possess the Feature of Human Reading? A Perspective of Sentiment Classification Task. (arXiv:2209.03557v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2209.03557
• Code URL: null
• Copy Paste: [[2209.03557] Does Attention Mechanism Possess the Feature of Human Reading? A Perspective of Sentiment Classification Task](http://arxiv.org/abs/2209.03557)
• Summary:

  [Purpose] To understand the meaning of a sentence, humans can focus on important words in the sentence, which reflects our eyes staying on each word in different gaze time or times. Thus, some studies utilize eye-tracking values to optimize the attention mechanism in deep learning models. But these studies lack to explain the rationality of this approach. Whether the attention mechanism possesses this feature of human reading needs to be explored. [Design/methodology/approach] We conducted experiments on a sentiment classification task. Firstly, we obtained eye-tracking values from two open-source eye-tracking corpora to describe the feature of human reading. Then, the machine attention values of each sentence were learned from a sentiment classification model. Finally, a comparison was conducted to analyze machine attention values and eye-tracking values. [Findings] Through experiments, we found the attention mechanism can focus on important words, such as adjectives, adverbs, and sentiment words, which are valuable for judging the sentiment of sentences on the sentiment classification task. It possesses the feature of human reading, focusing on important words in sentences when reading. Due to the insufficient learning of the attention mechanism, some words are wrongly focused. The eye-tracking values can help the attention mechanism correct this error and improve the model performance. [Originality/value] Our research not only provides a reasonable explanation for the study of using eye-tracking values to optimize the attention mechanism, but also provides new inspiration for the interpretability of attention mechanism.

Title: Distilling Deep RL Models Into Interpretable Neuro-Fuzzy Systems. (arXiv:2209.03357v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03357
• Code URL: null
• Copy Paste: [[2209.03357] Distilling Deep RL Models Into Interpretable Neuro-Fuzzy Systems](http://arxiv.org/abs/2209.03357)
• Summary:

  Deep Reinforcement Learning uses a deep neural network to encode a policy, which achieves very good performance in a wide range of applications but is widely regarded as a black box model. A more interpretable alternative to deep networks is given by neuro-fuzzy controllers. Unfortunately, neuro-fuzzy controllers often need a large number of rules to solve relatively simple tasks, making them difficult to interpret. In this work, we present an algorithm to distill the policy from a deep Q-network into a compact neuro-fuzzy controller. This allows us to train compact neuro-fuzzy controllers through distillation to solve tasks that they are unable to solve directly, combining the flexibility of deep reinforcement learning and the interpretability of compact rule bases. We demonstrate the algorithm on three well-known environments from OpenAI Gym, where we nearly match the performance of a DQN agent using only 2 to 6 fuzzy rules.

Title: A Survey of Neural Trees. (arXiv:2209.03415v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03415
• Code URL: https://github.com/zju-vipa/awesome-neural-trees
• Copy Paste: [[2209.03415] A Survey of Neural Trees](http://arxiv.org/abs/2209.03415)
• Summary:

  Neural networks (NNs) and decision trees (DTs) are both popular models of machine learning, yet coming with mutually exclusive advantages and limitations. To bring the best of the two worlds, a variety of approaches are proposed to integrate NNs and DTs explicitly or implicitly. In this survey, these approaches are organized in a school which we term as neural trees (NTs). This survey aims to present a comprehensive review of NTs and attempts to identify how they enhance the model interpretability. We first propose a thorough taxonomy of NTs that expresses the gradual integration and co-evolution of NNs and DTs. Afterward, we analyze NTs in terms of their interpretability and performance, and suggest possible solutions to the remaining challenges. Finally, this survey concludes with a discussion about other considerations like conditional computation and promising directions towards this field. A list of papers reviewed in this survey, along with their corresponding codes, is available at: https://github.com/zju-vipa/awesome-neural-trees

Title: Sell Me the Blackbox! Why eXplainable Artificial Intelligence (XAI) May Hurt Customers. (arXiv:2209.03499v1 [cs.AI])

• Paper URL: http://arxiv.org/abs/2209.03499
• Code URL: null
• Copy Paste: [[2209.03499] Sell Me the Blackbox! Why eXplainable Artificial Intelligence (XAI) May Hurt Customers](http://arxiv.org/abs/2209.03499)
• Summary:

  Recent AI algorithms are blackbox models whose decisions are difficult to interpret. eXplainable AI (XAI) seeks to address lack of AI interpretability and trust by explaining to customers their AI decision, e.g., decision to reject a loan application. The common wisdom is that regulating AI by mandating fully transparent XAI leads to greater social welfare. This paper challenges this notion through a game theoretic model for a policy-maker who maximizes social welfare, firms in a duopoly competition that maximize profits, and heterogenous consumers. The results show that XAI regulation may be redundant. In fact, mandating fully transparent XAI may make firms and customers worse off. This reveals a trade-off between maximizing welfare and receiving explainable AI outputs. We also discuss managerial implications for policy-maker and firms.

Title: AST-GIN: Attribute-Augmented Spatial-Temporal Graph Informer Network for Electric Vehicle Charging Station Availability Forecasting. (arXiv:2209.03356v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2209.03356
• Code URL: null
• Copy Paste: [[2209.03356] AST-GIN: Attribute-Augmented Spatial-Temporal Graph Informer Network for Electric Vehicle Charging Station Availability Forecasting](http://arxiv.org/abs/2209.03356)
• Summary:

  Electric Vehicle (EV) charging demand and charging station availability forecasting is one of the challenges in the intelligent transportation system. With the accurate EV station situation prediction, suitable charging behaviors could be scheduled in advance to relieve range anxiety. Many existing deep learning methods are proposed to address this issue, however, due to the complex road network structure and comprehensive external factors, such as point of interests (POIs) and weather effects, many commonly used algorithms could just extract the historical usage information without considering comprehensive influence of external factors. To enhance the prediction accuracy and interpretability, the Attribute-Augmented Spatial-Temporal Graph Informer (AST-GIN) structure is proposed in this study by combining the Graph Convolutional Network (GCN) layer and the Informer layer to extract both external and internal spatial-temporal dependence of relevant transportation data. And the external factors are modeled as dynamic attributes by the attribute-augmented encoder for training. AST-GIN model is tested on the data collected in Dundee City and experimental results show the effectiveness of our model considering external factors influence over various horizon settings compared with other baselines.

exlainability

watermark

Title: SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-supervised Learning. (arXiv:2209.03563v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2209.03563
• Code URL: null
• Copy Paste: [[2209.03563] SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-supervised Learning](http://arxiv.org/abs/2209.03563)
• Summary:

  Recent years have witnessed significant success in Self-Supervised Learning (SSL), which facilitates various downstream tasks. However, attackers may steal such SSL models and commercialize them for profit, making it crucial to protect their Intellectual Property (IP). Most existing IP protection solutions are designed for supervised learning models and cannot be used directly since they require that the models' downstream tasks and target labels be known and available during watermark embedding, which is not always possible in the domain of SSL. To address such a problem especially when downstream tasks are diverse and unknown during watermark embedding, we propose a novel black-box watermarking solution, named SSL-WM, for protecting the ownership of SSL models. SSL-WM maps watermarked inputs by the watermarked encoders into an invariant representation space, which causes any downstream classifiers to produce expected behavior, thus allowing the detection of embedded watermarks. We evaluate SSL-WM on numerous tasks, such as Computer Vision (CV) and Natural Language Processing (NLP), using different SSL models, including contrastive-based and generative-based. Experimental results demonstrate that SSL-WM can effectively verify the ownership of stolen SSL models in various downstream tasks. Furthermore, SSL-WM is robust against model fine-tuning and pruning attacks. Lastly, SSL-WM can also evade detection from evaluated watermark detection approaches, demonstrating its promising application in protecting the IP of SSL models.