secure

security

Title: Differentially Private Deep Learning with ModelMix. (arXiv:2210.03843v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03843
• Code URL: null
• Copy Paste: [[2210.03843] Differentially Private Deep Learning with ModelMix](http://arxiv.org/abs/2210.03843)
• Summary:

  Training large neural networks with meaningful/usable differential privacy security guarantees is a demanding challenge. In this paper, we tackle this problem by revisiting the two key operations in Differentially Private Stochastic Gradient Descent (DP-SGD): 1) iterative perturbation and 2) gradient clipping. We propose a generic optimization framework, called {\em ModelMix}, which performs random aggregation of intermediate model states. It strengthens the composite privacy analysis utilizing the entropy of the training trajectory and improves the $(\epsilon, \delta)$ DP security parameters by an order of magnitude.

We provide rigorous analyses for both the utility guarantees and privacy amplification of ModelMix. In particular, we present a formal study on the effect of gradient clipping in DP-SGD, which provides theoretical instruction on how hyper-parameters should be selected. We also introduce a refined gradient clipping method, which can further sharpen the privacy loss in private learning when combined with ModelMix.

Thorough experiments with significant privacy/utility improvement are presented to support our theory. We train a Resnet-20 network on CIFAR10 with $70.4\%$ accuracy via ModelMix given $(\epsilon=8, \delta=10^{-5})$ DP-budget, compared to the same performance but with $(\epsilon=145.8,\delta=10^{-5})$ using regular DP-SGD; assisted with additional public low-dimensional gradient embedding, one can further improve the accuracy to $79.1\%$ with $(\epsilon=6.1, \delta=10^{-5})$ DP-budget, compared to the same performance but with $(\epsilon=111.2, \delta=10^{-5})$ without ModelMix.

Title: Study and security analysis of the Spanish identity card. (arXiv:2210.04064v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.04064
• Code URL: null
• Copy Paste: [[2210.04064] Study and security analysis of the Spanish identity card](http://arxiv.org/abs/2210.04064)
• Summary:

  The National Identity Document is a fundamental piece of documentation for the identification of citizens throughout the world. That is precisely the case of the DNI (Documento Nacional de Identidad) of Spain. Its importance has been enhanced in recent years with the addition of a chip for the authentication of users within telematic administrative services. Thus, the document has since been called: electronic DNI or simply DNIe. Sensitive user information is stored in that integrated circuit, such as personal and biometric data, along with signature and authentication certificates. Some of the functionalities of the DNIe in its current version at the time of writing this work have been implemented for years in the DNI 3.0 version launched in 2015, and therefore have already been extensively studied. This work provides a theoretical and practical compilation study of some of the security mechanisms included in the current DNIe and in some of the applications that require its use. It has been carried out using only mobile devices and generic card readers, without having any type of privileged access to hardware, software or specific documentation for the interception of packets between the DNIe and the destination application. In other words, it is an exploratory analysis carried out with the intention of confirming with basic tools the level of robustness of this very important security token.

Title: Drowsiness detection in drivers with a smartwatch. (arXiv:2210.04066v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.04066
• Code URL: null
• Copy Paste: [[2210.04066] Drowsiness detection in drivers with a smartwatch](http://arxiv.org/abs/2210.04066)
• Summary:

  The main objective of this work is to detect early if a driver shows symptoms of sleepiness that indicate that he/she is falling asleep and, in that case, generate an alert to wake him/her up. To solve this problem, an application has been designed that collects various parameters, through a smartwatch while driving. First, the application detects the driving action. Then, it collects information about the most significant physiological variables of a person while driving. On the other hand, given the high level of sensitivity of the data managed in the designed application, in this work special attention has been paid to the security of the implementation. The proposed solution improves road safety, reducing the number of accidents caused by drowsiness while driving.

privacy

protect

defense

Title: Symmetry Subgroup Defense Against Adversarial Attacks. (arXiv:2210.04087v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.04087
• Code URL: null
• Copy Paste: [[2210.04087] Symmetry Subgroup Defense Against Adversarial Attacks](http://arxiv.org/abs/2210.04087)
• Summary:

  Adversarial attacks and defenses disregard the lack of invariance of convolutional neural networks (CNNs), that is, the inability of CNNs to classify samples and their symmetric transformations the same. The lack of invariance of CNNs with respect to symmetry transformations is detrimental when classifying transformed original samples but not necessarily detrimental when classifying transformed adversarial samples. For original images, the lack of invariance means that symmetrically transformed original samples are classified differently from their correct labels. However, for adversarial images, the lack of invariance means that symmetrically transformed adversarial images are classified differently from their incorrect adversarial labels. Might the CNN lack of invariance revert symmetrically transformed adversarial samples to the correct classification? This paper answers this question affirmatively for a threat model that ranges from zero-knowledge adversaries to perfect-knowledge adversaries. We base our defense against perfect-knowledge adversaries on devising a Klein four symmetry subgroup that incorporates an additional artificial symmetry of pixel intensity inversion. The closure property of the subgroup not only provides a framework for the accuracy evaluation but also confines the transformations that an adaptive, perfect-knowledge adversary can apply. We find that by using only symmetry defense, no adversarial samples, and by changing nothing in the model architecture and parameters, we can defend against white-box PGD adversarial attacks, surpassing the PGD adversarial training defense by up to ~50% even against a perfect-knowledge adversary for ImageNet. The proposed defense also maintains and surpasses the classification accuracy for non-adversarial samples.

attack

Title: Early Detection of Bark Beetle Attack Using Remote Sensing and Machine Learning: A Review. (arXiv:2210.03829v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03829
• Code URL: null
• Copy Paste: [[2210.03829] Early Detection of Bark Beetle Attack Using Remote Sensing and Machine Learning: A Review](http://arxiv.org/abs/2210.03829)
• Summary:

  Bark beetle outbreaks can result in a devastating impact on forest ecosystem processes, biodiversity, forest structure and function, and economies. Accurate and timely detection of bark beetle infestations is crucial to mitigate further damage, develop proactive forest management activities, and minimize economic losses. Incorporating remote sensing (RS) data with machine learning (ML) (or deep learning (DL)) can provide a great alternative to the current approaches that rely on aerial surveys and field surveys, which are impractical over vast geographical regions. This paper provides a comprehensive review of past and current advances in the early detection of bark beetle-induced tree mortality from three key perspectives: bark beetle & host interactions, RS, and ML/DL. We parse recent literature according to bark beetle species & attack phases, host trees, study regions, imagery platforms & sensors, spectral/spatial/temporal resolutions, spectral signatures, spectral vegetation indices (SVIs), ML approaches, learning schemes, task categories, models, algorithms, classes/clusters, features, and DL networks & architectures. This review focuses on challenging early detection, discussing current challenges and potential solutions. Our literature survey suggests that the performance of current ML methods is limited (less than 80%) and depends on various factors, including imagery sensors & resolutions, acquisition dates, and employed features & algorithms/networks. A more promising result from DL networks and then the random forest (RF) algorithm highlighted the potential to detect subtle changes in visible, thermal, and short-wave infrared (SWIR) spectral regions.

Title: Towards the Detection of Malicious Java Packages. (arXiv:2210.03998v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.03998
• Code URL: null
• Copy Paste: [[2210.03998] Towards the Detection of Malicious Java Packages](http://arxiv.org/abs/2210.03998)
• Summary:

  Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect such attacks is ongoing research. Despite its popularity, the Java ecosystem is the less explored one in the context of supply chain attacks.

In this paper we present indicators of malicious behavior that can be observed statically through the analysis of Java bytecode. Then we evaluate how such indicators and their combinations perform when detecting malicious code injections. We do so by injecting three malicious payloads taken from real-world examples into the Top-10 most popular Java libraries from libraries.io.

We found that the analysis of strings in the constant pool and of sensitive APIs in the bytecode instructions aid in the task of detecting malicious Java packages by significantly reducing the information, thus, making also manual triage possible.

Title: SpyHammer: Using RowHammer to Remotely Spy on Temperature. (arXiv:2210.04084v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.04084
• Code URL: null
• Copy Paste: [[2210.04084] SpyHammer: Using RowHammer to Remotely Spy on Temperature](http://arxiv.org/abs/2210.04084)
• Summary:

  RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row by just accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly more vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we leverage two key observations about RowHammer characteristics to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer cause bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. SpyHammer can spy on absolute temperature with an error of less than 2.5 {\deg}C at the 90th percentile of tested temperature points, for 12 real DRAM modules from 4 main manufacturers.

robust

Title: LOCL: Learning Object-Attribute Composition using Localization. (arXiv:2210.03780v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03780
• Code URL: https://github.com/satish1901/LOCL-Learning-Object-Attribute-Composition-using-Localization
• Copy Paste: [[2210.03780] LOCL: Learning Object-Attribute Composition using Localization](http://arxiv.org/abs/2210.03780)
• Summary:

  This paper describes LOCL (Learning Object Attribute Composition using Localization) that generalizes composition zero shot learning to objects in cluttered and more realistic settings. The problem of unseen Object Attribute (OA) associations has been well studied in the field, however, the performance of existing methods is limited in challenging scenes. In this context, our key contribution is a modular approach to localizing objects and attributes of interest in a weakly supervised context that generalizes robustly to unseen configurations. Localization coupled with a composition classifier significantly outperforms state of the art (SOTA) methods, with an improvement of about 12% on currently available challenging datasets. Further, the modularity enables the use of localized feature extractor to be used with existing OA compositional learning methods to improve their overall performance.

Title: ViewFool: Evaluating the Robustness of Visual Recognition to Adversarial Viewpoints. (arXiv:2210.03895v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03895
• Code URL: https://github.com/heathcliff-saku/viewfool_
• Copy Paste: [[2210.03895] ViewFool: Evaluating the Robustness of Visual Recognition to Adversarial Viewpoints](http://arxiv.org/abs/2210.03895)
• Summary:

  Recent studies have demonstrated that visual recognition models lack robustness to distribution shift. However, current work mainly considers model robustness to 2D image transformations, leaving viewpoint changes in the 3D world less explored. In general, viewpoint changes are prevalent in various real-world applications (e.g., autonomous driving), making it imperative to evaluate viewpoint robustness. In this paper, we propose a novel method called ViewFool to find adversarial viewpoints that mislead visual recognition models. By encoding real-world objects as neural radiance fields (NeRF), ViewFool characterizes a distribution of diverse adversarial viewpoints under an entropic regularizer, which helps to handle the fluctuations of the real camera pose and mitigate the reality gap between the real objects and their neural representations. Experiments validate that the common image classifiers are extremely vulnerable to the generated adversarial viewpoints, which also exhibit high cross-model transferability. Based on ViewFool, we introduce ImageNet-V, a new out-of-distribution dataset for benchmarking viewpoint robustness of image classifiers. Evaluation results on 40 classifiers with diverse architectures, objective functions, and data augmentations reveal a significant drop in model performance when tested on ImageNet-V, which provides a possibility to leverage ViewFool as an effective data augmentation strategy to improve viewpoint robustness.

Title: Detaching and Boosting: Dual Engine for Scale-Invariant Self-Supervised Monocular Depth Estimation. (arXiv:2210.03952v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03952
• Code URL: null
• Copy Paste: [[2210.03952] Detaching and Boosting: Dual Engine for Scale-Invariant Self-Supervised Monocular Depth Estimation](http://arxiv.org/abs/2210.03952)
• Summary:

  Monocular depth estimation (MDE) in the self-supervised scenario has emerged as a promising method as it refrains from the requirement of ground truth depth. Despite continuous efforts, MDE is still sensitive to scale changes especially when all the training samples are from one single camera. Meanwhile, it deteriorates further since camera movement results in heavy coupling between the predicted depth and the scale change. In this paper, we present a scale-invariant approach for self-supervised MDE, in which scale-sensitive features (SSFs) are detached away while scale-invariant features (SIFs) are boosted further. To be specific, a simple but effective data augmentation by imitating the camera zooming process is proposed to detach SSFs, making the model robust to scale changes. Besides, a dynamic cross-attention module is designed to boost SIFs by fusing multi-scale cross-attention features adaptively. Extensive experiments on the KITTI dataset demonstrate that the detaching and boosting strategies are mutually complementary in MDE and our approach achieves new State-of-The-Art performance against existing works from 0.097 to 0.090 w.r.t absolute relative error. The code will be made public soon.

Title: Robust Graph Structure Learning over Images via Multiple Statistical Tests. (arXiv:2210.03956v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03956
• Code URL: https://github.com/thomas-wyh/b-attention
• Copy Paste: [[2210.03956] Robust Graph Structure Learning over Images via Multiple Statistical Tests](http://arxiv.org/abs/2210.03956)
• Summary:

  Graph structure learning aims to learn connectivity in a graph from data. It is particularly important for many computer vision related tasks since no explicit graph structure is available for images for most cases. A natural way to construct a graph among images is to treat each image as a node and assign pairwise image similarities as weights to corresponding edges. It is well known that pairwise similarities between images are sensitive to the noise in feature representations, leading to unreliable graph structures. We address this problem from the viewpoint of statistical tests. By viewing the feature vector of each node as an independent sample, the decision of whether creating an edge between two nodes based on their similarity in feature representation can be thought as a ${\it single}$ statistical test. To improve the robustness in the decision of creating an edge, multiple samples are drawn and integrated by ${\it multiple}$ statistical tests to generate a more reliable similarity measure, consequentially more reliable graph structure. The corresponding elegant matrix form named $\mathcal{B}\textbf{-Attention}$ is designed for efficiency. The effectiveness of multiple tests for graph structure learning is verified both theoretically and empirically on multiple clustering and ReID benchmark datasets. Source codes are available at https://github.com/Thomas-wyh/B-Attention.

Title: Multi-Modal Human Authentication Using Silhouettes, Gait and RGB. (arXiv:2210.04050v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.04050
• Code URL: null
• Copy Paste: [[2210.04050] Multi-Modal Human Authentication Using Silhouettes, Gait and RGB](http://arxiv.org/abs/2210.04050)
• Summary:

  Whole-body-based human authentication is a promising approach for remote biometrics scenarios. Current literature focuses on either body recognition based on RGB images or gait recognition based on body shapes and walking patterns; both have their advantages and drawbacks. In this work, we propose Dual-Modal Ensemble (DME), which combines both RGB and silhouette data to achieve more robust performances for indoor and outdoor whole-body based recognition. Within DME, we propose GaitPattern, which is inspired by the double helical gait pattern used in traditional gait analysis. The GaitPattern contributes to robust identification performance over a large range of viewing angles. Extensive experimental results on the CASIA-B dataset demonstrate that the proposed method outperforms state-of-the-art recognition systems. We also provide experimental results using the newly collected BRIAR dataset.

Title: SDA: Simple Discrete Augmentation for Contrastive Sentence Representation Learning. (arXiv:2210.03963v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03963
• Code URL: null
• Copy Paste: [[2210.03963] SDA: Simple Discrete Augmentation for Contrastive Sentence Representation Learning](http://arxiv.org/abs/2210.03963)
• Summary:

  Contrastive learning methods achieve state-of-the-art results in unsupervised sentence representation learning. Although playing essential roles in contrastive learning, data augmentation methods applied on sentences have not been fully explored. Current SOTA method SimCSE utilizes a simple dropout mechanism as continuous augmentation which outperforms discrete augmentations such as cropping, word deletion and synonym replacement. To understand the underlying rationales, we revisit existing approaches and attempt to hypothesize the desiderata of reasonable data augmentation methods: balance of semantic consistency and expression diversity. Based on the hypothesis, we propose three simple yet effective discrete sentence augmentation methods, i.e., punctuation insertion, affirmative auxiliary and double negation. The punctuation marks, auxiliaries and negative words act as minimal noises in lexical level to produce diverse sentence expressions. Unlike traditional augmentation methods which randomly modify the sentence, our augmentation rules are well designed for generating semantically consistent and grammatically correct sentences. We conduct extensive experiments on both English and Chinese semantic textual similarity datasets. The results show the robustness and effectiveness of the proposed methods.

Title: Bird-Eye Transformers for Text Generation Models. (arXiv:2210.03985v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03985
• Code URL: https://github.com/ml-jku/hopfield-layers
• Copy Paste: [[2210.03985] Bird-Eye Transformers for Text Generation Models](http://arxiv.org/abs/2210.03985)
• Summary:

  Transformers have become an indispensable module for text generation models since their great success in machine translation. Previous works attribute the~success of transformers to the query-key-value dot-product attention, which provides a robust inductive bias by the fully connected token graphs. However, we found that self-attention has a severe limitation. When predicting the (i+1)-th token, self-attention only takes the i-th token as an information collector, and it tends to give a high attention weight to those tokens similar to itself. Therefore, most of the historical information that occurred before the i-th token is not taken into consideration. Based on this observation, in this paper, we propose a new architecture, called bird-eye transformer(BET), which goes one step further to improve the performance of transformers by reweighting self-attention to encourage it to focus more on important historical information. We have conducted experiments on multiple text generation tasks, including machine translation (2 datasets) and language models (3 datasets). These experimental~results show that our proposed model achieves a better performance than the baseline transformer architectures on~all~datasets. The code is released at: \url{https://sites.google.com/view/bet-transformer/home}.

Title: Generative Language Models for Paragraph-Level Question Generation. (arXiv:2210.03992v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03992
• Code URL: https://github.com/asahi417/lm-question-generation
• Copy Paste: [[2210.03992] Generative Language Models for Paragraph-Level Question Generation](http://arxiv.org/abs/2210.03992)
• Summary:

  Powerful generative models have led to recent progress in question generation (QG). However, it is difficult to measure advances in QG research since there are no standardized resources that allow a uniform comparison among approaches. In this paper, we introduce QG-Bench, a multilingual and multidomain benchmark for QG that unifies existing question answering datasets by converting them to a standard QG setting. It includes general-purpose datasets such as SQuAD for English, datasets from ten domains and two styles, as well as datasets in eight different languages. Using QG-Bench as a reference, we perform an extensive analysis of the capabilities of language models for the task. First, we propose robust QG baselines based on fine-tuning generative language models. Then, we complement automatic evaluation based on standard metrics with an extensive manual evaluation, which in turn sheds light on the difficulty of evaluating QG models. Finally, we analyse both the domain adaptability of these models as well as the effectiveness of multilingual models in languages other than English. QG-Bench is released along with the fine-tuned models presented in the paper https://github.com/asahi417/lm-question-generation, which are also available as a demo https://autoqg.net/.

Title: FedDef: Robust Federated Learning-based Network Intrusion Detection Systems Against Gradient Leakage. (arXiv:2210.04052v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.04052
• Code URL: null
• Copy Paste: [[2210.04052] FedDef: Robust Federated Learning-based Network Intrusion Detection Systems Against Gradient Leakage](http://arxiv.org/abs/2210.04052)
• Summary:

  Deep learning methods have been widely applied to anomaly-based network intrusion detection systems (NIDS) to detect malicious traffic. To expand the usage scenarios of DL-based methods, the federated learning (FL) framework allows intelligent techniques to jointly train a model by multiple individuals on the basis of respecting individual data privacy. However, it has not yet been systematically evaluated how robust FL-based NIDSs are against existing privacy attacks under existing defenses. To address this issue, in this paper we propose two privacy evaluation metrics designed for FL-based NIDSs, including leveraging two reconstruction attacks to recover the training data to obtain the privacy score for traffic features, followed by Generative Adversarial Network (GAN) based attack that generates adversarial examples with the reconstructed benign traffic to evaluate evasion rate against other NIDSs. We conduct experiments to show that existing defenses provide little protection that the corresponding adversarial traffic can even evade the SOTA NIDS Kitsune. To build a more robust FL-based NIDS, we further propose a novel optimization-based input perturbation defense strategy with theoretical guarantee that achieves both high utility by minimizing the gradient distance and strong privacy protection by maximizing the input distance. We experimentally evaluate four existing defenses on four datasets and show that our defense outperforms all the baselines with strong privacy guarantee while maintaining model accuracy loss within 3% under optimal parameter combination.

Title: Augmentations in Hypergraph Contrastive Learning: Fabricated and Generative. (arXiv:2210.03801v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03801
• Code URL: https://github.com/weitianxin/HyperGCL
• Copy Paste: [[2210.03801] Augmentations in Hypergraph Contrastive Learning: Fabricated and Generative](http://arxiv.org/abs/2210.03801)
• Summary:

  This paper targets at improving the generalizability of hypergraph neural networks in the low-label regime, through applying the contrastive learning approach from images/graphs (we refer to it as HyperGCL). We focus on the following question: How to construct contrastive views for hypergraphs via augmentations? We provide the solutions in two folds. First, guided by domain knowledge, we fabricate two schemes to augment hyperedges with higher-order relations encoded, and adopt three vertex augmentation strategies from graph-structured data. Second, in search of more effective views in a data-driven manner, we for the first time propose a hypergraph generative model to generate augmented views, and then an end-to-end differentiable pipeline to jointly learn hypergraph augmentations and model parameters. Our technical innovations are reflected in designing both fabricated and generative augmentations of hypergraphs. The experimental findings include: (i) Among fabricated augmentations in HyperGCL, augmenting hyperedges provides the most numerical gains, implying that higher-order information in structures is usually more downstream-relevant; (ii) Generative augmentations do better in preserving higher-order information to further benefit generalizability; (iii) HyperGCL also boosts robustness and fairness in hypergraph representation learning. Codes are released at https://github.com/weitianxin/HyperGCL.

Title: Robustness of Unsupervised Representation Learning without Labels. (arXiv:2210.04076v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.04076
• Code URL: https://github.com/aleksandarpetrov/unsupervised-robustness
• Copy Paste: [[2210.04076] Robustness of Unsupervised Representation Learning without Labels](http://arxiv.org/abs/2210.04076)
• Summary:

  Unsupervised representation learning leverages large unlabeled datasets and is competitive with supervised learning. But non-robust encoders may affect downstream task robustness. Recently, robust representation encoders have become of interest. Still, all prior work evaluates robustness using a downstream classification task. Instead, we propose a family of unsupervised robustness measures, which are model- and task-agnostic and label-free. We benchmark state-of-the-art representation encoders and show that none dominates the rest. We offer unsupervised extensions to the FGSM and PGD attacks. When used in adversarial training, they improve most unsupervised robustness measures, including certified robustness. We validate our results against a linear probe and show that, for MOCOv2, adversarial training results in 3 times higher certified accuracy, a 2-fold decrease in impersonation attack success rate and considerable improvements in certified robustness.

Title: Unified Probabilistic Neural Architecture and Weight Ensembling Improves Model Robustness. (arXiv:2210.04083v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.04083
• Code URL: null
• Copy Paste: [[2210.04083] Unified Probabilistic Neural Architecture and Weight Ensembling Improves Model Robustness](http://arxiv.org/abs/2210.04083)
• Summary:

  Robust machine learning models with accurately calibrated uncertainties are crucial for safety-critical applications. Probabilistic machine learning and especially the Bayesian formalism provide a systematic framework to incorporate robustness through the distributional estimates and reason about uncertainty. Recent works have shown that approximate inference approaches that take the weight space uncertainty of neural networks to generate ensemble prediction are the state-of-the-art. However, architecture choices have mostly been ad hoc, which essentially ignores the epistemic uncertainty from the architecture space. To this end, we propose a Unified probabilistic architecture and weight ensembling Neural Architecture Search (UraeNAS) that leverages advances in probabilistic neural architecture search and approximate Bayesian inference to generate ensembles form the joint distribution of neural network architectures and weights. The proposed approach showed a significant improvement both with in-distribution (0.86% in accuracy, 42% in ECE) CIFAR-10 and out-of-distribution (2.43% in accuracy, 30% in ECE) CIFAR-10-C compared to the baseline deterministic approach.

Title: The Asymmetric Maximum Margin Bias of Quasi-Homogeneous Neural Networks. (arXiv:2210.03820v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03820
• Code URL: null
• Copy Paste: [[2210.03820] The Asymmetric Maximum Margin Bias of Quasi-Homogeneous Neural Networks](http://arxiv.org/abs/2210.03820)
• Summary:

  In this work, we explore the maximum-margin bias of quasi-homogeneous neural networks trained with gradient flow on an exponential loss and past a point of separability. We introduce the class of quasi-homogeneous models, which is expressive enough to describe nearly all neural networks with homogeneous activations, even those with biases, residual connections, and normalization layers, while structured enough to enable geometric analysis of its gradient dynamics. Using this analysis, we generalize the existing results of maximum-margin bias for homogeneous networks to this richer class of models. We find that gradient flow implicitly favors a subset of the parameters, unlike in the case of a homogeneous model where all parameters are treated equally. We demonstrate through simple examples how this strong favoritism toward minimizing an asymmetric norm can degrade the robustness of quasi-homogeneous models. On the other hand, we conjecture that this norm-minimization discards, when possible, unnecessary higher-order parameters, reducing the model to a sparser parameterization. Lastly, by applying our theorem to sufficiently expressive neural networks with normalization layers, we reveal a universal mechanism behind the empirical phenomenon of Neural Collapse.

Title: APE: Aligning Pretrained Encoders to Quickly Learn Aligned Multimodal Representations. (arXiv:2210.03927v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03927
• Code URL: null
• Copy Paste: [[2210.03927] APE: Aligning Pretrained Encoders to Quickly Learn Aligned Multimodal Representations](http://arxiv.org/abs/2210.03927)
• Summary:

  Recent advances in learning aligned multimodal representations have been primarily driven by training large neural networks on massive, noisy paired-modality datasets. In this work, we ask whether it is possible to achieve similar results with substantially less training time and data. We achieve this by taking advantage of existing pretrained unimodal encoders and careful curation of alignment data relevant to the downstream task of interest. We study a natural approach to aligning existing encoders via small auxiliary functions, and we find that this method is competitive with (or outperforms) state of the art in many settings while being less prone to overfitting, less costly to train, and more robust to distribution shift. With a properly chosen alignment distribution, our method surpasses prior state of the art for ImageNet zero-shot classification on public data while using two orders of magnitude less time and data and training 77% fewer parameters.

Title: Asymptotically Unbiased Instance-wise Regularized Partial AUC Optimization: Theory and Algorithm. (arXiv:2210.03967v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03967
• Code URL: https://github.com/shaocr/pauci
• Copy Paste: [[2210.03967] Asymptotically Unbiased Instance-wise Regularized Partial AUC Optimization: Theory and Algorithm](http://arxiv.org/abs/2210.03967)
• Summary:

  The Partial Area Under the ROC Curve (PAUC), typically including One-way Partial AUC (OPAUC) and Two-way Partial AUC (TPAUC), measures the average performance of a binary classifier within a specific false positive rate and/or true positive rate interval, which is a widely adopted measure when decision constraints must be considered. Consequently, PAUC optimization has naturally attracted increasing attention in the machine learning community within the last few years. Nonetheless, most of the existing methods could only optimize PAUC approximately, leading to inevitable biases that are not controllable. Fortunately, a recent work presents an unbiased formulation of the PAUC optimization problem via distributional robust optimization. However, it is based on the pair-wise formulation of AUC, which suffers from the limited scalability w.r.t. sample size and a slow convergence rate, especially for TPAUC. To address this issue, we present a simpler reformulation of the problem in an asymptotically unbiased and instance-wise manner. For both OPAUC and TPAUC, we come to a nonconvex strongly concave minimax regularized problem of instance-wise functions. On top of this, we employ an efficient solver enjoys a linear per-iteration computational complexity w.r.t. the sample size and a time-complexity of $O(\epsilon^{-1/3})$ to reach a $\epsilon$ stationary point. Furthermore, we find that the minimax reformulation also facilitates the theoretical analysis of generalization error as a byproduct. Compared with the existing results, we present new error bounds that are much easier to prove and could deal with hypotheses with real-valued outputs. Finally, extensive experiments on several benchmark datasets demonstrate the effectiveness of our method.

Title: Enhance Sample Efficiency and Robustness of End-to-end Urban Autonomous Driving via Semantic Masked World Model. (arXiv:2210.04017v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.04017
• Code URL: null
• Copy Paste: [[2210.04017] Enhance Sample Efficiency and Robustness of End-to-end Urban Autonomous Driving via Semantic Masked World Model](http://arxiv.org/abs/2210.04017)
• Summary:

  End-to-end autonomous driving provides a feasible way to automatically maximize overall driving system performance by directly mapping the raw pixels from a front-facing camera to control signals. Recent advanced methods construct a latent world model to map the high dimensional observations into compact latent space. However, the latent states embedded by the world model proposed in previous works may contain a large amount of task-irrelevant information, resulting in low sampling efficiency and poor robustness to input perturbations. Meanwhile, the training data distribution is usually unbalanced, and the learned policy is hard to cope with the corner cases during the driving process. To solve the above challenges, we present a semantic masked recurrent world model (SEM2), which introduces a latent filter to extract key task-relevant features and reconstruct a semantic mask via the filtered features, and is trained with a multi-source data sampler, which aggregates common data and multiple corner case data in a single batch, to balance the data distribution. Extensive experiments on CARLA show that our method outperforms the state-of-the-art approaches in terms of sample efficiency and robustness to input permutations.

Title: SlenderGNN: Accurate, Robust, and Interpretable GNN, and the Reasons for its Success. (arXiv:2210.04081v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.04081
• Code URL: null
• Copy Paste: [[2210.04081] SlenderGNN: Accurate, Robust, and Interpretable GNN, and the Reasons for its Success](http://arxiv.org/abs/2210.04081)
• Summary:

  Can we design a GNN that is accurate and interpretable at the same time? Could it also be robust to handle the case of homophily, heterophily, or even noisy edges without network effects? We propose SlenderGNN that has all desirable properties: (a) accurate, (b) robust, and (c) interpretable. For the reasons of its success, we had to dig deeper: The result is our GNNLin framework which highlights the fundamental differences among popular GNN models (e.g., feature combination, structural normalization, etc.) and thus reveals the reasons for the success of our SlenderGNN, as well as the reasons for occasional failures of other GNN variants. Thanks to our careful design, SlenderGNN passes all the 'sanity checks' we propose, and it achieves the highest overall accuracy on 9 real-world datasets of both homophily and heterophily graphs, when compared against 10 recent GNN models. Specifically, SlenderGNN exceeds the accuracy of linear GNNs and matches or exceeds the accuracy of nonlinear models with up to 64 times fewer parameters.

biometric

steal

extraction

Title: Point Cloud Upsampling via Cascaded Refinement Network. (arXiv:2210.03942v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03942
• Code URL: https://github.com/hikvision-research/3dvision
• Copy Paste: [[2210.03942] Point Cloud Upsampling via Cascaded Refinement Network](http://arxiv.org/abs/2210.03942)
• Summary:

  Point cloud upsampling focuses on generating a dense, uniform and proximity-to-surface point set. Most previous approaches accomplish these objectives by carefully designing a single-stage network, which makes it still challenging to generate a high-fidelity point distribution. Instead, upsampling point cloud in a coarse-to-fine manner is a decent solution. However, existing coarse-to-fine upsampling methods require extra training strategies, which are complicated and time-consuming during the training. In this paper, we propose a simple yet effective cascaded refinement network, consisting of three generation stages that have the same network architecture but achieve different objectives. Specifically, the first two upsampling stages generate the dense but coarse points progressively, while the last refinement stage further adjust the coarse points to a better position. To mitigate the learning conflicts between multiple stages and decrease the difficulty of regressing new points, we encourage each stage to predict the point offsets with respect to the input shape. In this manner, the proposed cascaded refinement network can be easily optimized without extra learning strategies. Moreover, we design a transformer-based feature extraction module to learn the informative global and local shape context. In inference phase, we can dynamically adjust the model efficiency and effectiveness, depending on the available computational resources. Extensive experiments on both synthetic and real-scanned datasets demonstrate that the proposed approach outperforms the existing state-of-the-art methods.

Title: ConstGCN: Constrained Transmission-based Graph Convolutional Networks for Document-level Relation Extraction. (arXiv:2210.03949v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03949
• Code URL: null
• Copy Paste: [[2210.03949] ConstGCN: Constrained Transmission-based Graph Convolutional Networks for Document-level Relation Extraction](http://arxiv.org/abs/2210.03949)
• Summary:

  Document-level relation extraction with graph neural networks faces a fundamental graph construction gap between training and inference - the golden graph structure only available during training, which causes that most methods adopt heuristic or syntactic rules to construct a prior graph as a pseudo proxy. In this paper, we propose $\textbf{ConstGCN}$, a novel graph convolutional network which performs knowledge-based information propagation between entities along with all specific relation spaces without any prior graph construction. Specifically, it updates the entity representation by aggregating information from all other entities along with each relation space, thus modeling the relation-aware spatial information. To control the information flow passing through the indeterminate relation spaces, we propose to constrain the propagation using transmitting scores learned from the Noise Contrastive Estimation between fact triples. Experimental results show that our method outperforms the previous state-of-the-art (SOTA) approaches on the DocRE dataset.

membership infer

federate

Title: FedPC: Federated Learning for Language Generation with Personal and Context Preference Embeddings. (arXiv:2210.03766v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03766
• Code URL: null
• Copy Paste: [[2210.03766] FedPC: Federated Learning for Language Generation with Personal and Context Preference Embeddings](http://arxiv.org/abs/2210.03766)
• Summary:

  Federated learning is a training paradigm that learns from multiple distributed users without aggregating data on a centralized server. Such a paradigm promises the ability to deploy machine-learning at-scale to a diverse population of end-users without first collecting a large, labeled dataset for all possible tasks. As federated learning typically averages learning updates across a decentralized population, there is a growing need for personalization of federated learning systems (i.e conversational agents must be able to personalize to a specific user's preferences). In this work, we propose a new direction for personalization research within federated learning, leveraging both personal embeddings and shared context embeddings. We also present an approach to predict these ``preference'' embeddings, enabling personalization without backpropagation. Compared to state-of-the-art personalization baselines, our approach achieves a 50\% improvement in test-time perplexity using 0.001\% of the memory required by baseline approaches, and achieving greater sample- and compute-efficiency.

Title: Collaborative Domain Blocking: Using federated NLP To Detect Malicious Domains. (arXiv:2210.04088v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.04088
• Code URL: null
• Copy Paste: [[2210.04088] Collaborative Domain Blocking: Using federated NLP To Detect Malicious Domains](http://arxiv.org/abs/2210.04088)
• Summary:

  Current content filtering and blocking methods are susceptible to various circumvention techniques and are relatively slow in dealing with new threats. This is due to these methods using shallow pattern recognition that is based on regular expression rules found in crowdsourced block lists. We propose a novel system that aims to remedy the aforementioned issues by examining deep textual patterns of network-oriented content relating to the domain being interacted with. Moreover, we propose to use federated learning that allows users to take advantage of each other's localized knowledge/experience regarding what should or should not be blocked on a network without compromising privacy. Our experiments show the promise of our proposed approach in real world settings. We also provide data-driven recommendations on how to best implement the proposed system.

fair

Title: An Analysis of the Effects of Decoding Algorithms on Fairness in Open-Ended Language Generation. (arXiv:2210.03826v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.03826
• Code URL: null
• Copy Paste: [[2210.03826] An Analysis of the Effects of Decoding Algorithms on Fairness in Open-Ended Language Generation](http://arxiv.org/abs/2210.03826)
• Summary:

  Several prior works have shown that language models (LMs) can generate text containing harmful social biases and stereotypes. While decoding algorithms play a central role in determining properties of LM generated text, their impact on the fairness of the generations has not been studied. We present a systematic analysis of the impact of decoding algorithms on LM fairness, and analyze the trade-off between fairness, diversity and quality. Our experiments with top-$p$, top-$k$ and temperature decoding algorithms, in open-ended language generation, show that fairness across demographic groups changes significantly with change in decoding algorithm's hyper-parameters. Notably, decoding algorithms that output more diverse text also output more texts with negative sentiment and regard. We present several findings and provide recommendations on standardized reporting of decoding details in fairness evaluations and optimization of decoding algorithms for fairness alongside quality and diversity.

interpretability

Title: Improving Fine-Grain Segmentation via Interpretable Modifications: A Case Study in Fossil Segmentation. (arXiv:2210.03879v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03879
• Code URL: null
• Copy Paste: [[2210.03879] Improving Fine-Grain Segmentation via Interpretable Modifications: A Case Study in Fossil Segmentation](http://arxiv.org/abs/2210.03879)
• Summary:

  Most interpretability research focuses on datasets containing thousands of images of commonplace objects. However, many high-impact datasets, such as those in medicine and the geosciences, contain fine-grain objects that require domain-expert knowledge to recognize and are time-consuming to collect and annotate. As a result, these datasets contain few annotated images, and current machine vision models cannot train intensively on them. Thus, adapting interpretability techniques to maximize the amount of information that models can learn from small, fine-grain datasets is an important endeavor.

Using a Mask R-CNN to segment ancient reef fossils in rock sample images, we present a general paradigm for identifying and mitigating model weaknesses. Specifically, we apply image perturbations to expose the Mask R-CNN's inability to distinguish between different classes of fossils and its inconsistency in segmenting fossils with different textures. To address these shortcomings, we extend an existing model-editing method for correcting systematic mistakes in image classification to image segmentation and introduce a novel application of the technique: encouraging a greater separation between positive and negative pixels for a given class. Through extensive experiments, we find that editing the model by perturbing all pixels for a given class in one image is most effective (compared to using multiple images and/or fewer pixels). Our paradigm may also generalize to other segmentation models trained on small, fine-grain datasets.

Title: CLIP-PAE: Projection-Augmentation Embedding to Extract Relevant Features for a Disentangled, Interpretable, and Controllable Text-Guided Image Manipulation. (arXiv:2210.03919v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.03919
• Code URL: null
• Copy Paste: [[2210.03919] CLIP-PAE: Projection-Augmentation Embedding to Extract Relevant Features for a Disentangled, Interpretable, and Controllable Text-Guided Image Manipulation](http://arxiv.org/abs/2210.03919)
• Summary:

  Recently introduced Contrastive Language-Image Pre-Training (CLIP) bridges images and text by embedding them into a joint latent space. This opens the door to ample literature that aims to manipulate an input image by providing a textual explanation. However, due to the discrepancy between image and text embeddings in the joint space, using text embeddings as the optimization target often introduces undesired artifacts in the resulting images. Disentanglement, interpretability, and controllability are also hard to guarantee for manipulation. To alleviate these problems, we propose to define corpus subspaces spanned by relevant prompts to capture specific image characteristics. We introduce CLIP Projection-Augmentation Embedding (PAE) as an optimization target to improve the performance of text-guided image manipulation. Our method is a simple and general paradigm that can be easily computed and adapted, and smoothly incorporated into any CLIP-based image manipulation algorithm. To demonstrate the effectiveness of our method, we conduct several theoretical and empirical studies. As a case study, we utilize the method for text-guided semantic face editing. We quantitatively and qualitatively demonstrate that PAE facilitates a more disentangled, interpretable, and controllable image manipulation with state-of-the-art quality and accuracy.

Title: Accurate Small Models using Adaptive Sampling. (arXiv:2210.03921v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.03921
• Code URL: null
• Copy Paste: [[2210.03921] Accurate Small Models using Adaptive Sampling](http://arxiv.org/abs/2210.03921)
• Summary:

  We highlight the utility of a certain property of model training: instead of drawing training data from the same distribution as test data, learning a different training distribution often improves accuracy, especially at small model sizes. This provides a way to build accurate small models, which are attractive for interpretability and resource-constrained environments. Here we empirically show that this principle is both general and effective: it may be used across tasks/model families, and it can augment prediction accuracy of traditional models to the extent they are competitive with specialized techniques. The tasks we consider are explainable clustering and prototype-based classification. We also look at Random Forests to illustrate how this principle may be applied to accommodate multiple size constraints, e.g., number of trees and maximum depth per tree. Results using multiple datasets are presented and are shown to be statistically significant.

exlainability

watermark