secure
Title: Secure Multiparty Computation for Synthetic Data Generation from Distributed Data. (arXiv:2210.07332v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07332
- Code URL: null
- Copy Paste:
[[2210.07332] Secure Multiparty Computation for Synthetic Data Generation from Distributed Data](http://arxiv.org/abs/2210.07332)
- Summary:
Legal and ethical restrictions on accessing relevant data inhibit data science research in critical domains such as health, finance, and education. Synthetic data generation algorithms with privacy guarantees are emerging as a paradigm to break this data logjam. Existing approaches, however, assume that the data holders supply their raw data to a trusted curator, who uses it as fuel for synthetic data generation. This severely limits the applicability, as much of the valuable data in the world is locked up in silos, controlled by entities who cannot show their data to each other or a central aggregator without raising privacy concerns.
To overcome this roadblock, we propose the first solution in which data holders only share encrypted data for differentially private synthetic data generation. Data holders send shares to servers who perform Secure Multiparty Computation (MPC) computations while the original data stays encrypted.
We instantiate this idea in an MPC protocol for the Multiplicative Weights with Exponential Mechanism (MWEM) algorithm to generate synthetic data based on real data originating from many data holders without reliance on a single point of failure.
Title: ScionFL: Secure Quantized Aggregation for Federated Learning. (arXiv:2210.07376v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07376
- Code URL: null
- Copy Paste:
[[2210.07376] ScionFL: Secure Quantized Aggregation for Federated Learning](http://arxiv.org/abs/2210.07376)
- Summary:
Privacy concerns in federated learning (FL) are commonly addressed with secure aggregation schemes that prevent a central party from observing plaintext client updates. However, most such schemes neglect orthogonal FL research that aims at reducing communication between clients and the aggregator and is instrumental in facilitating cross-device FL with thousands and even millions of (mobile) participants. In particular, quantization techniques can typically reduce client-server communication by a factor of 32x.
In this paper, we unite both research directions by introducing an efficient secure aggregation framework based on outsourced multi-party computation (MPC) that supports any linear quantization scheme. Specifically, we design a novel approximate version of an MPC-based secure aggregation protocol with support for multiple stochastic quantization schemes, including ones that utilize the randomized Hadamard transform and Kashin's representation. In our empirical performance evaluation, we show that with no additional overhead for clients and moderate inter-server communication, we achieve similar training accuracy as insecure schemes for standard FL benchmarks.
Beyond this, we present an efficient extension to our secure quantized aggregation framework that effectively defends against state-of-the-art untargeted poisoning attacks.
Title: A Unified Cryptoprocessor for Lattice-based Signature and Key-exchange. (arXiv:2210.07412v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07412
- Code URL: null
- Copy Paste:
[[2210.07412] A Unified Cryptoprocessor for Lattice-based Signature and Key-exchange](http://arxiv.org/abs/2210.07412)
- Summary:
We propose design methodologies for building a compact, unified and programmable cryptoprocessor architecture that computes post-quantum key agreement and digital signature. Synergies in the two types of cryptographic primitives are used to make the cryptoprocessor compact. As a case study, the cryptoprocessor architecture has been optimized targeting the signature scheme 'CRYSTALS-Dilithium' and the key encapsulation mechanism (KEM) 'Saber', both finalists in NIST's post-quantum cryptography standardization project. The programmable cryptoprocessor executes key generations, encapsulations, decapsulations, signature generations, and signature verifications for all the security levels of Dilithium and Saber. On a Xilinx Ultrascale+ FPGA, the proposed cryptoprocessor consumes 18,406 LUTs, 9,323 FFs, 4 DSPs, and 24 BRAMs. It achieves a 200 MHz clock frequency and finishes CCA-secure key-generation/encapsulation/decapsulation operations for LightSaber in 29.6/40.4/58.3$\mu$s; for Saber in 54.9/69.7/94.9$\mu$s; and for FireSaber in 87.6/108.0/139.4$\mu$s, respectively. It finishes key-generation/sign/verify operations for Dilithium-2 in 70.9/151.6/75.2$\mu$s; for Dilithium-3 in 114.7/237/127.6$\mu$s; and for Dilithium-5 in 194.2/342.1/228.9$\mu$s, respectively, for the best-case scenario. On the UMC 65nm library for ASIC, the latency is improved by a factor of two due to a 2x increase in clock frequency.
Title: An atom's worth of anonymity. (arXiv:2210.07834v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07834
- Code URL: null
- Copy Paste:
[[2210.07834] An atom's worth of anonymity](http://arxiv.org/abs/2210.07834)
- Summary:
Anonymity has gained notoriety in modern times as data about our actions and choices accumulates on the internet, partly unbeknownst to us and partly by our own choice. Usually people wish some data about themselves were private, while some other data may be public or is even wanted to be public for publicity reasons. There are different criteria which characterize the degree of anonymity of data. Given data can also be anonymized by different techniques in order to increase its degree of anonymity. In this paper we take a very simple "atomic" degree of anonymity as our starting place. We axiomatize these atoms and propose the investigation of first order logic based on these atoms. Considering the vast literature and the huge importance of anonymity, our investigation may seem quite modest. However, it is about the logic of anonymity, not about how to secure, create or break anonymity.
Title: SealClub: Computer-aided Paper Document Authentication. (arXiv:2210.07884v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07884
- Code URL: null
- Copy Paste:
[[2210.07884] SealClub: Computer-aided Paper Document Authentication](http://arxiv.org/abs/2210.07884)
- Summary:
Digital authentication is a mature field, offering a range of solutions with rigorous mathematical guarantees. Nevertheless, paper documents, where cryptographic techniques are not directly applicable, are still widely utilized due to usability and legal reasons. We propose a novel approach to authenticating paper documents using smartphones by taking short videos of them. Our solution combines cryptographic and image comparison techniques to detect and highlight subtle semantic-changing attacks on rich documents, containing text and graphics, that could go unnoticed by humans. We rigorously analyze our approach, proving that it is secure against strong adversaries capable of compromising different system components. We also measure its accuracy empirically on a set of 128 videos of paper documents, half containing subtle forgeries. Our algorithm finds all forgeries accurately (no false alarms) after analyzing 5.13 frames on average (corresponding to 1.28 seconds of video). Highlighted regions are large enough to be visible to users, but small enough to precisely locate forgeries. Thus, our approach provides a promising way for users to authenticate paper documents using conventional smartphones under realistic conditions.
security
Title: Machine Generated Text: A Comprehensive Survey of Threat Models and Detection Methods. (arXiv:2210.07321v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07321
- Code URL: null
- Copy Paste:
[[2210.07321] Machine Generated Text: A Comprehensive Survey of Threat Models and Detection Methods](http://arxiv.org/abs/2210.07321)
- Summary:
Advances in natural language generation (NLG) have resulted in machine generated text that is increasingly difficult to distinguish from human authored text. Powerful open-source models are freely available, and user-friendly tools democratizing access to generative models are proliferating. The great potential of state-of-the-art NLG systems is tempered by the multitude of avenues for abuse. Detection of machine generated text is a key countermeasure for reducing abuse of NLG models, with significant technical challenges and numerous open problems. We provide a survey that includes both 1) an extensive analysis of threat models posed by contemporary NLG systems, and 2) the most complete review of machine generated text detection methods to date. This survey places machine generated text within its cybersecurity and social context, and provides strong guidance for future work addressing the most critical threat models, and ensuring detection systems themselves demonstrate trustworthiness through fairness, robustness, and accountability.
Title: Learning Algorithms in Static Analysis of Web Applications. (arXiv:2210.07465v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07465
- Code URL: null
- Copy Paste:
[[2210.07465] Learning Algorithms in Static Analysis of Web Applications](http://arxiv.org/abs/2210.07465)
- Summary:
Web applications are distributed applications: they are programs that run on more than one computer and communicate through a network or server. This very distributed nature of web applications, combined with the scale and sheer complexity of modern software systems, complicates manual security auditing, while also creating a huge attack surface for potential hackers. These factors are making automated analysis a necessity. Static Application Security Testing (SAST) is a method devised to automatically analyze the application source code of large code bases without compiling it, and to design conditions that are indicative of security vulnerabilities. However, the problem lies in the fact that the most widely used Static Application Security Testing tools often yield unreliable results, owing to the false positive classification of vulnerabilities grossly outnumbering the classification of true positive vulnerabilities. This is one of the biggest hindrances to the proliferation of SAST testing, which leaves the user to review hundreds, if not thousands, of potential warnings, and classify them as either actionable or spurious. We try to minimize the problem of false positives by introducing a technique to filter the output of SAST tools. The aim of the project is to apply learning algorithms to the output by analyzing the true and false positives classified by OWASP Benchmark, and eliminate, or reduce, the number of false positives presented to the user of the SAST tool.
Title: Cargo Ecosystem Dependency-Vulnerability Knowledge Graph Construction and Vulnerability Propagation Study. (arXiv:2210.07482v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07482
- Code URL: null
- Copy Paste:
[[2210.07482] Cargo Ecosystem Dependency-Vulnerability Knowledge Graph Construction and Vulnerability Propagation Study](http://arxiv.org/abs/2210.07482)
- Summary:
Currently, little is known about the structure of the Cargo ecosystem and the potential for vulnerability propagation. Many empirical studies generalize third-party dependency governance strategies from a single software ecosystem to other ecosystems but ignore the differences in the technical structures of different software ecosystems, making it difficult to directly generalize security governance strategies from other ecosystems to the Cargo ecosystem. To fill the gap in this area, this paper constructs a knowledge graph of dependency vulnerabilities for the Cargo ecosystem using techniques related to knowledge graphs to address this challenge. This paper is the first large-scale empirical study in a related research area to address vulnerability propagation in the Cargo ecosystem. This paper proposes a dependency-vulnerability knowledge graph parsing algorithm to determine the vulnerability propagation path and propagation range and empirically studies the characteristics of vulnerabilities in the Cargo ecosystem, the propagation range, and the factors that cause vulnerability propagation. Our research has found that the Cargo ecosystem's security vulnerabilities are primarily memory-related. 18% of the libraries affected by a vulnerability are still affected by that vulnerability in the latest version of the library. The number of versions affected by the propagation of the vulnerabilities is 19.78% in the entire Cargo ecosystem. This paper looks at the characteristics and propagation factors triggering vulnerabilities in the Cargo ecosystem. It provides some practical resolution strategies for administrators of the Cargo community, developers who use Cargo to manage third-party libraries, and library owners. This paper provides new ideas for improving the overall security of the Cargo ecosystem.
Title: A Location-Based Global Authorization Method for Underwater Security. (arXiv:2210.07666v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07666
- Code URL: null
- Copy Paste:
[[2210.07666] A Location-Based Global Authorization Method for Underwater Security](http://arxiv.org/abs/2210.07666)
- Summary:
National or international maritime authorities are used to handle requests for licenses for all kinds of marine activities. These licenses constitute authorizations limited in time and space, but there is no technical security service to check for the authorization of a wide range of marine assets. We have noted secure AIS solutions suitable for more or less constantly internet-connected assets such as ships with satellite connections. The additional constraints posed by underwater autonomous assets, namely less power and connectivity, can be mitigated by using symmetric cryptography. We propose a security service that allows the automatized check of asset authorization status based on large symmetric keys. Key generation can take place at a central authority according to the time and space limitations of a license, i.e. timestamped and geocoded. Our solution harnesses the exceptionally large key size of the RC5 cipher and the standardized encoding of geocells in the Open Location Code system. While we developed and described our solution for offshore underwater use, aerial and terrestrial environments could also make use of it if they are similarly bandwidth constrained or want to rely on quantum-resistant and computationally economic symmetric methods.
Title: G2A2: An Automated Graph Generator with Attributes and Anomalies. (arXiv:2210.07449v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07449
- Code URL: null
- Copy Paste:
[[2210.07449] G2A2: An Automated Graph Generator with Attributes and Anomalies](http://arxiv.org/abs/2210.07449)
- Summary:
Many data-mining applications use dynamic attributed graphs to represent relational information; but due to security and privacy concerns, there is a dearth of available datasets that can be represented as dynamic attributed graphs. Even when such datasets are available, they do not have ground truth that can be used to train deep-learning models. Thus, we present G2A2, an automated graph generator with attributes and anomalies, which encompasses (1) probabilistic models to generate a dynamic bipartite graph, representing time-evolving connections between two independent sets of entities, (2) realistic injection of anomalies using a novel algorithm that captures the general properties of graph anomalies across domains, and (3) a deep generative model to produce realistic attributes, learned from an existing real-world dataset. Using the maximum mean discrepancy (MMD) metric to evaluate the realism of a G2A2-generated graph against three real-world graphs, G2A2 outperforms Kronecker graph generation by reducing the MMD distance by up to six-fold (6x).
privacy
protect
Title: InFIP: An Explainable DNN Intellectual Property Protection Method based on Intrinsic Features. (arXiv:2210.07481v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07481
- Code URL: null
- Copy Paste:
[[2210.07481] InFIP: An Explainable DNN Intellectual Property Protection Method based on Intrinsic Features](http://arxiv.org/abs/2210.07481)
- Summary:
Intellectual property (IP) protection for Deep Neural Networks (DNNs) has raised serious concerns in recent years. Most existing works embed watermarks in the DNN model for IP protection, which need to modify the model and lack interpretability. In this paper, for the first time, we propose an interpretable intellectual property protection method for DNNs based on explainable artificial intelligence. Compared with existing works, the proposed method does not modify the DNN model, and the decision of the ownership verification is interpretable. We extract the intrinsic features of the DNN model by using Deep Taylor Decomposition. Since the intrinsic feature is composed of a unique interpretation of the model's decision, the intrinsic feature can be regarded as the fingerprint of the model. If the fingerprint of a suspected model is the same as that of the original model, the suspected model is considered a pirated model. Experimental results demonstrate that the fingerprints can be successfully used to verify the ownership of the model and that the test accuracy of the model is not affected. Furthermore, the proposed method is robust to fine-tuning attacks, pruning attacks, watermark overwriting attacks, and adaptive attacks.
defense
Title: Expose Backdoors on the Way: A Feature-Based Efficient Defense against Textual Backdoor Attacks. (arXiv:2210.07907v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07907
- Code URL: https://github.com/lancopku/dan
- Copy Paste:
[[2210.07907] Expose Backdoors on the Way: A Feature-Based Efficient Defense against Textual Backdoor Attacks](http://arxiv.org/abs/2210.07907)
- Summary:
Natural language processing (NLP) models are known to be vulnerable to backdoor attacks, which poses a newly arisen threat to NLP models. Prior online backdoor defense methods for NLP models only focus on the anomalies at either the input or output level, still suffering from fragility to adaptive attacks and high computational cost. In this work, we take the first step to investigate the unconcealment of textual poisoned samples at the intermediate-feature level and propose a feature-based efficient online defense method. Through extensive experiments on existing attacking methods, we find that the poisoned samples are far away from clean samples in the intermediate feature space of a poisoned NLP model. Motivated by this observation, we devise a distance-based anomaly score (DAN) to distinguish poisoned samples from clean samples at the feature level. Experiments on sentiment analysis and offense detection tasks demonstrate the superiority of DAN, as it substantially surpasses existing online defense methods in terms of defending performance and enjoys lower inference costs. Moreover, we show that DAN is also resistant to adaptive attacks based on feature-level regularization. Our code is available at https://github.com/lancopku/DAN.
Title: A Lightweight Moving Target Defense Framework for Multi-purpose Malware Affecting IoT Devices. (arXiv:2210.07719v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07719
- Code URL: null
- Copy Paste:
[[2210.07719] A Lightweight Moving Target Defense Framework for Multi-purpose Malware Affecting IoT Devices](http://arxiv.org/abs/2210.07719)
- Summary:
Malware affecting Internet of Things (IoT) devices is rapidly growing due to the relevance of this paradigm in real-world scenarios. Specialized literature has also detected a trend towards multi-purpose malware able to execute different malicious actions such as remote control, data leakage, encryption, or code hiding, among others. Protecting IoT devices against this kind of malware is challenging due to their well-known vulnerabilities and limitations in terms of CPU, memory, and storage. To improve this, the moving target defense (MTD) paradigm was proposed a decade ago and has shown promising results, but there is a lack of IoT MTD solutions dealing with multi-purpose malware. Thus, this work proposes four MTD mechanisms changing IoT devices' network, data, and runtime environment to mitigate multi-purpose malware. Furthermore, it presents a lightweight and IoT-oriented MTD framework to decide what, when, and how the MTD mechanisms are deployed. Finally, the efficiency and effectiveness of the framework and MTD mechanisms are evaluated in a real-world scenario with one IoT spectrum sensor affected by multi-purpose malware.
attack
Title: Demystifying Self-supervised Trojan Attacks. (arXiv:2210.07346v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07346
- Code URL: null
- Copy Paste:
[[2210.07346] Demystifying Self-supervised Trojan Attacks](http://arxiv.org/abs/2210.07346)
- Summary:
As an emerging machine learning paradigm, self-supervised learning (SSL) is able to learn high-quality representations for complex data without data labels. Prior work shows that, besides obviating the reliance on labeling, SSL also benefits adversarial robustness by making it more challenging for the adversary to manipulate model prediction. However, whether this robustness benefit generalizes to other types of attacks remains an open question.
We explore this question in the context of trojan attacks by showing that SSL is as vulnerable to trojan attacks as supervised learning. Specifically, we design and evaluate CTRL, an extremely simple self-supervised trojan attack. By polluting a tiny fraction of training data (less than 1%) with indistinguishable poisoning samples, CTRL causes any trigger-embedded input to be misclassified to the adversary's desired class with a high probability (over 99%) at inference. More importantly, through the lens of CTRL, we study the mechanisms underlying self-supervised trojan attacks. With both empirical and analytical evidence, we reveal that the representation invariance property of SSL, which benefits adversarial robustness, may also be the very reason making SSL highly vulnerable to trojan attacks. We further discuss the fundamental challenges to defending against self-supervised trojan attacks, pointing to promising directions for future research.
Title: When Adversarial Training Meets Vision Transformers: Recipes from Training to Architecture. (arXiv:2210.07540v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07540
- Code URL: https://github.com/mo666666/when-adversarial-training-meets-vision-transformers
- Copy Paste:
[[2210.07540] When Adversarial Training Meets Vision Transformers: Recipes from Training to Architecture](http://arxiv.org/abs/2210.07540)
- Summary:
Vision Transformers (ViTs) have recently achieved competitive performance in broad vision tasks. Unfortunately, on popular threat models, naturally trained ViTs are shown to provide no more adversarial robustness than convolutional neural networks (CNNs). Adversarial training is still required for ViTs to defend against such adversarial attacks. In this paper, we provide the first comprehensive study on the adversarial training recipe of ViTs via extensive evaluation of various training techniques across benchmark datasets. We find that pre-training and the SGD optimizer are necessary for ViTs' adversarial training. Further considering ViT as a new type of model architecture, we investigate its adversarial robustness from the perspective of its unique architectural components. We find that, when randomly masking gradients from some attention blocks or masking perturbations on some patches during adversarial training, the adversarial robustness of ViTs can be remarkably improved, which may potentially open up a line of work to explore the architectural information inside newly designed models like ViTs. Our code is available at https://github.com/mo666666/When-Adversarial-Training-Meets-Vision-Transformers.
Title: Synthesis of Proactive Sensor Placement In Probabilistic Attack Graphs. (arXiv:2210.07385v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07385
- Code URL: null
- Copy Paste:
[[2210.07385] Synthesis of Proactive Sensor Placement In Probabilistic Attack Graphs](http://arxiv.org/abs/2210.07385)
- Summary:
This paper studies the deployment of joint moving target defense (MTD) and deception against multi-stage cyberattacks. Given a system equipped with MTD that randomizes between different configurations, we investigate how to allocate a bounded number of sensors in each configuration to optimize the attack detection rate before the attacker achieves its objective. Specifically, two types of sensors are considered: intrusion detectors that are observable by the attacker and stealthy sensors that are not observable to the attacker. We propose a two-step optimization-based approach for allocating intrusion detectors and stealthy sensors: Firstly, the defender allocates intrusion detectors assuming the attacker will best respond to evade detection by intrusion detectors. Secondly, the defender allocates stealthy sensors, given the best response attack strategy computed in the first step, to further reduce the attacker's chance of success. We illustrate the effectiveness of the proposed methods using a cyber defense example.
Title: Let's Talk Through Physics! Covert Cyber-Physical Data Exfiltration on Air-Gapped Edge Devices. (arXiv:2210.07531v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07531
- Code URL: null
- Copy Paste:
[[2210.07531] Let's Talk Through Physics! Covert Cyber-Physical Data Exfiltration on Air-Gapped Edge Devices](http://arxiv.org/abs/2210.07531)
- Summary:
Although organizations are continuously making concerted efforts to harden their systems against network attacks by air-gapping critical systems, attackers continuously adapt and uncover covert channels to exfiltrate data from air-gapped systems. For instance, attackers have demonstrated the feasibility of exfiltrating data from a computer sitting in a Faraday cage by exfiltrating data using magnetic fields. Although a large body of work has recently emerged highlighting various physical covert channels, these attacks have mostly targeted open-loop cyber-physical systems where the covert channels exist on physical channels that are not being monitored by the victim. Network architectures such as fog computing push sensitive data to cyber-physical edge devices, whose physical side channels are typically monitored via state estimation. In this paper, we formalize covert data exfiltration that uses existing cyber-physical models and infrastructure of individual devices to exfiltrate data in a stealthy manner, i.e., we propose a method to circumvent cyber-physical state estimation intrusion detection techniques while exfiltrating sensitive data from the network. We propose a generalized model for encoding and decoding sensitive data within cyber-physical control loops. We evaluate our approach on a distributed IoT network that includes computation nodes residing on physical drones as well as on an industrial control system for the control of a robotic arm. Unlike prior works, we formalize the constraints of covert cyber-physical channel exfiltration in the presence of a defender performing state estimation.
Title: Characterizing the Influence of Graph Elements. (arXiv:2210.07441v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07441
- Code URL: null
- Copy Paste:
[[2210.07441] Characterizing the Influence of Graph Elements](http://arxiv.org/abs/2210.07441)
- Summary:
Influence function, a method from robust statistics, measures the changes of model parameters or some functions about model parameters concerning the removal or modification of training instances. It is an efficient and useful post-hoc method for studying the interpretability of machine learning models without the need for expensive model re-training. Recently, graph convolution networks (GCNs), which operate on graph data, have attracted a great deal of attention. However, there is no preceding research on the influence functions of GCNs to shed light on the effects of removing training nodes/edges from an input graph. Since the nodes/edges in a graph are interdependent in GCNs, it is challenging to derive influence functions for GCNs. To fill this gap, we started with the simple graph convolution (SGC) model that operates on an attributed graph and formulated an influence function to approximate the changes in model parameters when a node or an edge is removed from an attributed graph. Moreover, we theoretically analyzed the error bound of the estimated influence of removing an edge. We experimentally validated the accuracy and effectiveness of our influence estimation function. In addition, we showed that the influence function of an SGC model could be used to estimate the impact of removing training nodes/edges on the test performance of the SGC without re-training the model. Finally, we demonstrated how to use influence functions to guide the adversarial attacks on GCNs effectively.
robust
Title: Caption supervision enables robust learners. (arXiv:2210.07396v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07396
- Code URL: https://github.com/penfever/vlhub
- Copy Paste:
[[2210.07396] Caption supervision enables robust learners](http://arxiv.org/abs/2210.07396)
- Summary:
Vision language models like CLIP are robust to natural distribution shifts, in part because CLIP learns on unstructured data using a technique called caption supervision; the model interprets image-linked texts as ground-truth labels. In a carefully controlled comparison study, we show that CNNs trained on a standard cross-entropy loss can also benefit from caption supervision, in some cases even more than VL models, on the same data. To facilitate future experiments with high-accuracy caption-supervised models, we introduce CaptionNet (https://github.com/penfever/CaptionNet/), which includes a class-balanced, fully supervised dataset with over 50,000 new human-labeled ImageNet-compliant samples with web-scraped captions. In a series of experiments on CaptionNet, we show how the choice of loss function, data filtration and supervision strategy enable robust computer vision. We also provide the codebase necessary to reproduce our experiments at https://github.com/penfever/vlhub/
Title: Evaluating Out-of-Distribution Performance on Document Image Classifiers. (arXiv:2210.07448v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07448
- Code URL: null
- Copy Paste:
[[2210.07448] Evaluating Out-of-Distribution Performance on Document Image Classifiers](http://arxiv.org/abs/2210.07448)
- Summary:
The ability of a document classifier to handle inputs that are drawn from a distribution different from the training distribution is crucial for robust deployment and generalizability. The RVL-CDIP corpus is the de facto standard benchmark for document classification, yet to our knowledge all studies that use this corpus do not include evaluation on out-of-distribution documents. In this paper, we curate and release a new out-of-distribution benchmark for evaluating out-of-distribution performance for document classifiers. Our new out-of-distribution benchmark consists of two types of documents: those that are not part of any of the 16 in-domain RVL-CDIP categories (RVL-CDIP-O), and those that are one of the 16 in-domain categories yet are drawn from a distribution different from that of the original RVL-CDIP dataset (RVL-CDIP-N). While prior work on document classification for in-domain RVL-CDIP documents reports high accuracy scores, we find that these models exhibit accuracy drops of roughly 15-30% on our new out-of-domain RVL-CDIP-N benchmark, and further struggle to distinguish between in-domain RVL-CDIP-N and out-of-domain RVL-CDIP-O inputs. Our new benchmark provides researchers with a valuable new resource for analyzing out-of-distribution performance on document classifiers. Our new out-of-distribution data can be found at https://tinyurl.com/4he6my23.
Title: Polycentric Clustering and Structural Regularization for Source-free Unsupervised Domain Adaptation. (arXiv:2210.07463v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07463
- Code URL: https://github.com/gxinuu/pcsr
- Copy Paste:
[[2210.07463] Polycentric Clustering and Structural Regularization for Source-free Unsupervised Domain Adaptation](http://arxiv.org/abs/2210.07463)
- Summary:
Source-Free Domain Adaptation (SFDA) aims to solve the domain adaptation problem by transferring the knowledge learned from a pre-trained source model to an unseen target domain. Most existing methods assign pseudo-labels to the target data by generating feature prototypes. However, due to the discrepancy in the data distribution between the source domain and the target domain and category imbalance in the target domain, there are severe class biases in the generated feature prototypes and noisy pseudo-labels. Besides, the data structure of the target domain is often ignored, which is crucial for clustering. In this paper, a novel framework named PCSR is proposed to tackle SFDA via a novel intra-class Polycentric Clustering and Structural Regularization strategy. Firstly, an inter-class balanced sampling strategy is proposed to generate representative feature prototypes for each class. Furthermore, k-means clustering is introduced to generate multiple clustering centers for each class in the target domain to obtain robust pseudo-labels. Finally, to enhance the model's generalization, structural regularization is introduced for the target domain. Extensive experiments on three UDA benchmark datasets show that our method performs better than or comparably to the other state-of-the-art methods, demonstrating our approach's superiority for visual domain adaptation problems.
Title: A Survey of Parameters Associated with the Quality of Benchmarks in NLP. (arXiv:2210.07566v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07566
- Code URL: null
- Copy Paste:
[[2210.07566] A Survey of Parameters Associated with the Quality of Benchmarks in NLP](http://arxiv.org/abs/2210.07566)
- Summary:
Several benchmarks have been built with heavy investment in resources to track our progress in NLP. Thousands of papers published in response to those benchmarks have competed to top leaderboards, with models often surpassing human performance. However, recent studies have shown that models triumph over several popular benchmarks just by overfitting on spurious biases, without truly learning the desired task. Despite this finding, benchmarking, while trying to tackle bias, still relies on workarounds, which do not fully utilize the resources invested in benchmark creation, due to the discarding of low quality data, and cover limited sets of bias. A potential solution to these issues -- a metric quantifying quality -- remains underexplored. Inspired by successful quality indices in several domains such as power, food, and water, we take the first step towards a metric by identifying certain language properties that can represent various possible interactions leading to biases in a benchmark. We look for bias related parameters which can potentially help pave our way towards the metric. We survey existing works and identify parameters capturing various properties of bias, their origins, types and impact on performance, generalization, and robustness. Our analysis spans over datasets and a hierarchy of tasks ranging from NLI to Summarization, ensuring that our parameters are generic and are not overfitted towards a specific task or dataset. We also develop certain parameters in this process.
Title: Mix and Reason: Reasoning over Semantic Topology with Data Mixing for Domain Generalization. (arXiv:2210.07571v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07571
- Code URL: null
- Copy Paste:
[[2210.07571] Mix and Reason: Reasoning over Semantic Topology with Data Mixing for Domain Generalization](http://arxiv.org/abs/2210.07571)
- Summary:
Domain generalization (DG) enables generalizing a learning machine from multiple seen source domains to an unseen target one. The general objective of DG methods is to learn semantic representations that are independent of domain labels, which is theoretically sound but empirically challenged due to the complex mixture of common and domain-specific factors. Although disentangling the representations into two disjoint parts has been gaining momentum in DG, the strong presumption over the data limits its efficacy in many real-world scenarios. In this paper, we propose Mix and Reason (MiRe), a new DG framework that learns semantic representations via enforcing the structural invariance of semantic topology. MiRe consists of two key components, namely, Category-aware Data Mixing (CDM) and Adaptive Semantic Topology Refinement (ASTR). CDM mixes two images from different domains in virtue of activation maps generated by two complementary classification losses, making the classifier focus on the representations of semantic objects. ASTR introduces relation graphs to represent semantic topology, which is progressively refined via the interactions between local feature aggregation and global cross-domain relational reasoning. Experiments on multiple DG benchmarks validate the effectiveness and robustness of the proposed MiRe.
Title: Deep PatchMatch MVS with Learned Patch Coplanarity, Geometric Consistency and Adaptive Pixel Sampling. (arXiv:2210.07582v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07582
- Code URL: null
- Copy Paste:
[[2210.07582] Deep PatchMatch MVS with Learned Patch Coplanarity, Geometric Consistency and Adaptive Pixel Sampling](http://arxiv.org/abs/2210.07582)
- Summary:
Recent work in multi-view stereo (MVS) combines learnable photometric scores and regularization with PatchMatch-based optimization to achieve robust pixelwise estimates of depth, normals, and visibility. However, non-learning based methods still outperform for large scenes with sparse views, in part due to use of geometric consistency constraints and ability to optimize over many views at high resolution. In this paper, we build on learning-based approaches to improve photometric scores by learning patch coplanarity and encourage geometric consistency by learning a scaled photometric cost that can be combined with reprojection error. We also propose an adaptive pixel sampling strategy for candidate propagation that reduces memory to enable training on larger resolution with more views and a larger encoder. These modifications lead to 6-15% gains in accuracy and completeness on the challenging ETH3D benchmark, resulting in higher F1 performance than the widely used state-of-the-art non-learning approaches ACMM and ACMP.
Title: MCTNet: A Multi-Scale CNN-Transformer Network for Change Detection in Optical Remote Sensing Images. (arXiv:2210.07601v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07601
- Code URL: null
- Copy Paste:
[[2210.07601] MCTNet: A Multi-Scale CNN-Transformer Network for Change Detection in Optical Remote Sensing Images](http://arxiv.org/abs/2210.07601)
- Summary:
For the task of change detection (CD) in remote sensing images, deep convolutional neural network (CNN)-based methods have recently aggregated transformer modules to improve the capability of global feature extraction. However, they suffer degraded CD performance on small changed areas due to the simple single-scale integration of deep CNNs and transformer modules. To address this issue, we propose a hybrid network based on a multi-scale CNN-transformer structure, termed MCTNet, where the multi-scale global and local information are exploited to enhance the robustness of the CD performance on changed areas with different sizes. In particular, we design the ConvTrans block to adaptively aggregate global features from transformer modules and local features from CNN layers, which provides abundant global-local features with different scales. Experimental results demonstrate that our MCTNet achieves better detection performance than existing state-of-the-art CD methods.
Title: Vision Transformer Visualization: What Neurons Tell and How Neurons Behave?. (arXiv:2210.07646v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07646
- Code URL: https://github.com/bym1902/vit_visualization
- Copy Paste:
[[2210.07646] Vision Transformer Visualization: What Neurons Tell and How Neurons Behave?](http://arxiv.org/abs/2210.07646)
- Summary:
Recently vision transformers (ViT) have been applied successfully for various tasks in computer vision. However, important questions such as why they work or how they behave still remain largely unknown. In this paper, we propose an effective visualization technique, to assist us in exposing the information carried in neurons and feature embeddings across the ViT's layers. Our approach departs from the computational process of ViTs with a focus on visualizing the local and global information in input images and the latent feature embeddings at multiple levels. Visualizations at the input and embeddings at level 0 reveal interesting findings such as providing support as to why ViTs are rather generally robust to image occlusions and patch shuffling; or unlike CNNs, level 0 embeddings already carry rich semantic details. Next, we develop a rigorous framework to perform effective visualizations across layers, exposing the effects of ViTs filters and grouping/clustering behaviors to object patches. Finally, we provide comprehensive experiments on real datasets to qualitatively and quantitatively demonstrate the merit of our proposed methods as well as our findings. https://github.com/byM1902/ViT_visualization
Title: Pretrained Transformers Do not Always Improve Robustness. (arXiv:2210.07663v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07663
- Code URL: null
- Copy Paste:
[[2210.07663] Pretrained Transformers Do not Always Improve Robustness](http://arxiv.org/abs/2210.07663)
- Summary:
Pretrained Transformers (PT) have been shown to have better Out of Distribution (OOD) robustness than traditional models such as Bag of Words (BOW), LSTMs, and Convolutional Neural Networks (CNN) powered by Word2Vec and GloVe embeddings. How does the robustness comparison hold in a real world setting where some part of the dataset can be noisy? Do PT also provide more robust representations than traditional models on exposure to noisy data? We perform a comparative study on 10 models and find empirical evidence that PT provide less robust representations than traditional models on exposure to noisy data. We investigate further and augment PT with an adversarial filtering (AF) mechanism that has been shown to improve OOD generalization. However, an increase in generalization does not necessarily increase robustness, as we find that noisy data fools the AF method powered by PT.
Title: Quo Vadis: Is Trajectory Forecasting the Key Towards Long-Term Multi-Object Tracking?. (arXiv:2210.07681v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07681
- Code URL: null
- Copy Paste:
[[2210.07681] Quo Vadis: Is Trajectory Forecasting the Key Towards Long-Term Multi-Object Tracking?](http://arxiv.org/abs/2210.07681)
- Summary:
Recent developments in monocular multi-object tracking have been very successful in tracking visible objects and bridging short occlusion gaps, mainly relying on data-driven appearance models. While we have significantly advanced short-term tracking performance, bridging longer occlusion gaps remains elusive: state-of-the-art object trackers only bridge less than 10% of occlusions longer than three seconds. We suggest that the missing key is reasoning about future trajectories over a longer time horizon. Intuitively, the longer the occlusion gap, the larger the search space for possible associations. In this paper, we show that even a small yet diverse set of trajectory predictions for moving agents will significantly reduce this search space and thus improve long-term tracking robustness. Our experiments suggest that the crucial components of our approach are reasoning in a bird's-eye view space and generating a small yet diverse set of forecasts while accounting for their localization uncertainty. This way, we can advance state-of-the-art trackers on the MOTChallenge dataset and significantly improve their long-term tracking performance. This paper's source code and experimental data are available at https://github.com/dendorferpatrick/QuoVadis.
Title: Joint Reasoning on Hybrid-knowledge sources for Task-Oriented Dialog. (arXiv:2210.07295v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07295
- Code URL: null
- Copy Paste:
[[2210.07295] Joint Reasoning on Hybrid-knowledge sources for Task-Oriented Dialog](http://arxiv.org/abs/2210.07295)
- Summary:
Traditional systems designed for task oriented dialog utilize knowledge present only in structured knowledge sources to generate responses. However, relevant information required to generate responses may also reside in unstructured sources, such as documents. Recent state of the art models such as HyKnow and SeKnow aimed at overcoming these challenges make limiting assumptions about the knowledge sources. For instance, these systems assume that certain types of information, such as a phone number, are always present in a structured KB while information about aspects such as entrance ticket prices would always be available in documents.
In this paper, we create a modified version of the MultiWOZ based dataset prepared by SeKnow to demonstrate how current methods have significant degradation in performance when strict assumptions about the source of information are removed. Then, in line with recent work exploiting pre-trained language models, we fine-tune a BART based model using prompts for the tasks of querying knowledge sources, as well as for response generation, without making assumptions about the information present in each knowledge source. Through a series of experiments, we demonstrate that our model is robust to perturbations to knowledge modality (source of information), and that it can fuse information from structured as well as unstructured knowledge to generate responses.
Title: Mind the Labels: Describing Relations in Knowledge Graphs With Pretrained Models. (arXiv:2210.07373v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07373
- Code URL: null
- Copy Paste:
[[2210.07373] Mind the Labels: Describing Relations in Knowledge Graphs With Pretrained Models](http://arxiv.org/abs/2210.07373)
- Summary:
Pretrained language models (PLMs) for data-to-text (D2T) generation can use human-readable data labels such as column headings, keys, or relation names to generalize to out-of-domain examples. However, the models are well known to produce semantically inaccurate outputs if these labels are ambiguous or incomplete, which is often the case in D2T datasets. In this paper, we expose this issue on the task of describing a relation between two entities. For our experiments, we collect a novel dataset for verbalizing a diverse set of 1,522 unique relations from three large-scale knowledge graphs (Wikidata, DBPedia, YAGO). We find that although PLMs for D2T generation expectedly fail on unclear cases, models trained with a large variety of relation labels are surprisingly robust in verbalizing novel, unseen relations. We argue that using data with a diverse set of clear and meaningful labels is key to training D2T generation systems capable of generalizing to novel domains.
Title: Early Discovery of Disappearing Entities in Microblogs. (arXiv:2210.07404v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07404
- Code URL: null
- Copy Paste:
[[2210.07404] Early Discovery of Disappearing Entities in Microblogs](http://arxiv.org/abs/2210.07404)
- Summary:
We make decisions by reacting to changes in the real world, in particular, the emergence and disappearance of impermanent entities such as events, restaurants, and services. Because we want to avoid missing out on opportunities or making fruitless actions after they have disappeared, it is important to know when entities disappear as early as possible. We thus tackle the task of detecting disappearing entities from microblogs, whose posts mention various entities, in a timely manner. The major challenge is detecting uncertain contexts of disappearing entities from noisy microblog posts. To collect these disappearing contexts, we design time-sensitive distant supervision, which utilizes entities from the knowledge base and time-series posts, for this task to build large-scale Twitter datasets (we will release the datasets (tweet IDs) used in the experiments to promote reproducibility) for English and Japanese. To ensure robust detection in noisy environments, we refine pretrained word embeddings of the detection model on microblog streams of the target day. Experimental results on the Twitter datasets confirmed the effectiveness of the collected labeled data and refined word embeddings; more than 70% of the detected disappearing entities in Wikipedia are discovered earlier than the update on Wikipedia, and the average lead-time is over one month.
Title: Robust Candidate Generation for Entity Linking on Short Social Media Texts. (arXiv:2210.07472v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07472
- Code URL: null
- Copy Paste:
[[2210.07472] Robust Candidate Generation for Entity Linking on Short Social Media Texts](http://arxiv.org/abs/2210.07472)
- Summary:
Entity Linking (EL) is the gateway into Knowledge Bases. Recent advances in EL utilize dense retrieval approaches for Candidate Generation, which addresses some of the shortcomings of the Lookup based approach of matching NER mentions against pre-computed dictionaries. In this work, we show that in the domain of Tweets, such methods suffer as users often include informal spelling, limited context, and lack of specificity, among other issues. We investigate these challenges on a large and recent Tweets benchmark for EL, empirically evaluate lookup and dense retrieval approaches, and demonstrate a hybrid solution using long contextual representation from Wikipedia is necessary to achieve considerable gains over previous work, achieving 0.93 recall.
Title: Can Language Representation Models Think in Bets?. (arXiv:2210.07519v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07519
- Code URL: null
- Copy Paste:
[[2210.07519] Can Language Representation Models Think in Bets?](http://arxiv.org/abs/2210.07519)
- Summary:
In recent years, transformer-based language representation models (LRMs) have achieved state-of-the-art results on difficult natural language understanding problems, such as question answering and text summarization. As these models are integrated into real-world applications, evaluating their ability to make rational decisions is an important research agenda, with practical ramifications. This article investigates LRMs' rational decision-making ability through a carefully designed set of decision-making benchmarks and experiments. Inspired by classic work in cognitive science, we model the decision-making problem as a bet. We then investigate an LRM's ability to choose outcomes that have optimal, or at minimum, positive expected gain. Through a robust body of experiments on four established LRMs, we show that a model is only able to `think in bets' if it is first fine-tuned on bet questions with an identical structure. Modifying the bet question's structure, while still retaining its fundamental characteristics, decreases an LRM's performance by more than 25%, on average, although absolute performance remains well above random. LRMs are also found to be more rational when selecting outcomes with non-negative expected gain, rather than optimal or strictly positive expected gain. Our results suggest that LRMs could potentially be applied to tasks that rely on cognitive decision-making skills, but that more research is necessary before they can robustly make rational decisions.
Title: Extracting Cultural Commonsense Knowledge at Scale. (arXiv:2210.07763v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07763
- Code URL: https://github.com/cultural-csk/candle
- Copy Paste:
[[2210.07763] Extracting Cultural Commonsense Knowledge at Scale](http://arxiv.org/abs/2210.07763)
- Summary:
Structured knowledge is important for many AI applications. Commonsense knowledge, which is crucial for robust human-centric AI, is covered by a small number of structured knowledge projects. However, they lack knowledge about human traits and behaviors conditioned on socio-cultural contexts, which is crucial for situative AI. This paper presents CANDLE, an end-to-end methodology for extracting high-quality cultural commonsense knowledge (CCSK) at scale. CANDLE extracts CCSK assertions from a huge web corpus and organizes them into coherent clusters, for 3 domains of subjects (geography, religion, occupation) and several cultural facets (food, drinks, clothing, traditions, rituals, behaviors). CANDLE includes judicious techniques for classification-based filtering and scoring of interestingness. Experimental evaluations show the superiority of the CANDLE CCSK collection over prior works, and an extrinsic use case demonstrates the benefits of CCSK for the GPT-3 language model. Code and data can be accessed at https://cultural-csk.herokuapp.com/.
Title: Robust Preference Learning for Storytelling via Contrastive Reinforcement Learning. (arXiv:2210.07792v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07792
- Code URL: null
- Copy Paste:
[[2210.07792] Robust Preference Learning for Storytelling via Contrastive Reinforcement Learning](http://arxiv.org/abs/2210.07792)
- Summary:
Controlled automated story generation seeks to generate natural language stories satisfying constraints from natural language critiques or preferences. Existing methods to control for story preference utilize prompt engineering, which is labor intensive and often inconsistent. They may also use logit-manipulation methods, which require annotated datasets to exist for the desired attributes. To address these issues, we first train a contrastive bi-encoder model to align stories with corresponding human critiques, named CARP, building a general purpose preference model. This is subsequently used as a reward function to fine-tune a generative language model via reinforcement learning. However, simply fine-tuning a generative language model with a contrastive reward model does not always reliably result in a story generation system capable of generating stories that meet user preferences. To increase story generation robustness we further fine-tune the contrastive reward model using a prompt-learning technique. A human participant study is then conducted comparing generations from our full system, ablations, and two baselines. We show that the full fine-tuning pipeline results in a story generator preferred over an LLM 20x as large as well as logit-based methods. This motivates the use of contrastive learning for general purpose human preference modeling.
Title: Distributed Distributionally Robust Optimization with Non-Convex Objectives. (arXiv:2210.07588v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07588
- Code URL: null
- Copy Paste:
[[2210.07588] Distributed Distributionally Robust Optimization with Non-Convex Objectives](http://arxiv.org/abs/2210.07588)
- Summary:
Distributionally Robust Optimization (DRO), which aims to find an optimal decision that minimizes the worst case cost over the ambiguity set of probability distributions, has been widely applied in diverse applications, e.g., network behavior analysis, risk management, etc. However, existing DRO techniques face three key challenges: 1) how to deal with asynchronous updating in a distributed environment; 2) how to leverage the prior distribution effectively; 3) how to properly adjust the degree of robustness according to different scenarios. To this end, we propose an asynchronous distributed algorithm, named Asynchronous Single-looP alternatIve gRadient projEction (ASPIRE) algorithm with the itErative Active SEt method (EASE) to tackle the distributed distributionally robust optimization (DDRO) problem. Furthermore, a new uncertainty set, i.e., constrained D-norm uncertainty set, is developed to effectively leverage the prior distribution and flexibly control the degree of robustness. Finally, our theoretical analysis elucidates that the proposed algorithm is guaranteed to converge and the iteration complexity is also analyzed. Extensive empirical studies on real-world datasets demonstrate that the proposed method can not only achieve fast convergence, and remain robust against data heterogeneity as well as malicious attacks, but also trade off robustness against performance.
Title: The Invariant Ground Truth of Affect. (arXiv:2210.07630v1 [cs.AI])
- Paper URL: http://arxiv.org/abs/2210.07630
- Code URL: null
- Copy Paste:
[[2210.07630] The Invariant Ground Truth of Affect](http://arxiv.org/abs/2210.07630)
- Summary:
Affective computing strives to unveil the unknown relationship between affect elicitation, manifestation of affect and affect annotations. The ground truth of affect, however, is predominately attributed to the affect labels which inadvertently include biases inherent to the subjective nature of emotion and its labeling. The response to such limitations is usually augmenting the dataset with more annotations per data point; however, this is not possible when we are interested in self-reports via first-person annotation. Moreover, outlier detection methods based on inter-annotator agreement only consider the annotations themselves and ignore the context and the corresponding affect manifestation. This paper reframes the ways one may obtain a reliable ground truth of affect by transferring aspects of causation theory to affective computing. In particular, we assume that the ground truth of affect can be found in the causal relationships between elicitation, manifestation and annotation that remain invariant across tasks and participants. To test our assumption we employ causation inspired methods for detecting outliers in affective corpora and building affect models that are robust across participants and tasks. We validate our methodology within the domain of digital games, with experimental results showing that it can successfully detect outliers and boost the accuracy of affect models. To the best of our knowledge, this study presents the first attempt to integrate causation tools in affective computing, making a crucial and decisive step towards general affect modeling.
Title: Object-Category Aware Reinforcement Learning. (arXiv:2210.07802v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07802
- Code URL: null
- Copy Paste:
[[2210.07802] Object-Category Aware Reinforcement Learning](http://arxiv.org/abs/2210.07802)
- Summary:
Object-oriented reinforcement learning (OORL) is a promising way to improve the sample efficiency and generalization ability over standard RL. Recent works that try to solve OORL tasks without additional feature engineering mainly focus on learning the object representations and then solving tasks via reasoning based on these object representations. However, none of these works tries to explicitly model the inherent similarity between different object instances of the same category. Objects of the same category should share similar functionalities; therefore, the category is the most critical property of an object. Following this insight, we propose a novel framework named Object-Category Aware Reinforcement Learning (OCARL), which utilizes the category information of objects to facilitate both perception and reasoning. OCARL consists of three parts: (1) Category-Aware Unsupervised Object Discovery (UOD), which discovers the objects as well as their corresponding categories; (2) Object-Category Aware Perception, which encodes the category information and is also robust to the incompleteness of (1) at the same time; (3) Object-Centric Modular Reasoning, which adopts multiple independent and object-category-specific networks when reasoning based on objects. Our experiments show that OCARL can improve both the sample efficiency and generalization in the OORL domain.
Title: Disentanglement of Correlated Factors via Hausdorff Factorized Support. (arXiv:2210.07347v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07347
- Code URL: null
- Copy Paste:
[[2210.07347] Disentanglement of Correlated Factors via Hausdorff Factorized Support](http://arxiv.org/abs/2210.07347)
- Summary:
A grand goal in deep learning research is to learn representations capable of generalizing across distribution shifts. Disentanglement is one promising direction aimed at aligning a model's representations with the underlying factors generating the data (e.g. color or background). Existing disentanglement methods, however, rely on an often unrealistic assumption: that factors are statistically independent. In reality, factors (like object color and shape) are correlated. To address this limitation, we propose a relaxed disentanglement criterion - the Hausdorff Factorized Support (HFS) criterion - that encourages a factorized support, rather than a factorial distribution, by minimizing a Hausdorff distance. This allows for arbitrary distributions of the factors over their support, including correlations between them. We show that the use of HFS consistently facilitates disentanglement and recovery of ground-truth factors across a variety of correlation settings and benchmarks, even under severe training correlations and correlation shifts, with in parts over +60% relative improvement over existing disentanglement methods. In addition, we find that leveraging HFS for representation learning can even facilitate transfer to downstream tasks such as classification under distribution shifts. We hope our original approach and positive empirical results inspire further progress on the open problem of robust generalization.
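The distinction the abstract draws, a factorized support versus a factorial (independent) distribution, is easy to miss. The following is an added illustration and not the paper's code: it scores two constructed two-factor datasets with a Hausdorff distance between the observed support and the Cartesian product of the per-factor supports (the HFS idea, here on discrete factor values rather than on learned latents), and alongside it computes the total-variation distance from independence that a classical independence-based criterion would penalize. The factor encodings, sample sets and helper names are assumptions made for the example.

```python
# Added illustration (not from the paper): factorized support vs. factorial
# distribution for two-factor data, scored with a Hausdorff distance (HFS idea)
# and, for contrast, with a total-variation distance from independence.
from itertools import product
from math import dist


def support(samples):
    """Distinct factor combinations that actually occur in the data."""
    return set(samples)


def product_of_marginal_supports(samples):
    """Cartesian product of each factor's own support (the 'factorized' target)."""
    n_factors = len(samples[0])
    marginals = [sorted({s[i] for s in samples}) for i in range(n_factors)]
    return set(product(*marginals))


def hausdorff(a, b):
    """Symmetric Hausdorff distance between two finite point sets in R^n."""
    def directed(p, q):
        return max(min(dist(x, y) for y in q) for x in p)
    return max(directed(a, b), directed(b, a))


def support_gap(samples):
    """HFS-style score: 0 iff the observed support equals the product of the
    per-factor supports, no matter how correlated the factors are."""
    return hausdorff(support(samples), product_of_marginal_supports(samples))


def tv_from_independence(samples):
    """Total-variation distance between the empirical joint distribution and the
    product of its marginals: 0 iff the factors are statistically independent."""
    n = len(samples)
    joint = {}
    for s in samples:
        joint[s] = joint.get(s, 0) + 1
    marg = [{} for _ in samples[0]]
    for s in samples:
        for i, v in enumerate(s):
            marg[i][v] = marg[i].get(v, 0) + 1
    total = 0.0
    for combo in product(*[m.keys() for m in marg]):
        p_joint = joint.get(combo, 0) / n
        p_prod = 1.0
        for i, v in enumerate(combo):
            p_prod *= marg[i][v] / n
        total += abs(p_joint - p_prod)
    return total / 2


# Constructed sample sets: factors are (color, shape), each encoded as 0/1.
# Strongly correlated, but every combination occurs at least once.
CORRELATED_FULL_SUPPORT = [(0, 0)] * 4 + [(1, 1)] * 4 + [(0, 1), (1, 0)]
# Perfectly correlated: two combinations never occur, so the support is not
# a product set.
CORRELATED_MISSING_COMBOS = [(0, 0)] * 5 + [(1, 1)] * 5


if __name__ == "__main__":
    for name, data in (("full support", CORRELATED_FULL_SUPPORT),
                       ("missing combos", CORRELATED_MISSING_COMBOS)):
        print(f"{name}: support gap = {support_gap(data):.2f}, "
              f"TV from independence = {tv_from_independence(data):.2f}")
```

On the first dataset the independence criterion still sees a 0.3 total-variation gap while the support gap is zero, which is exactly the case the abstract argues a disentanglement criterion should accept; on the second, both scores are positive because two factor combinations are absent from the support.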
Title: Efficiently Computing Local Lipschitz Constants of Neural Networks via Bound Propagation. (arXiv:2210.07394v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07394
- Code URL: https://github.com/shizhouxing/local-lipschitz-constants
- Copy Paste:
[[2210.07394] Efficiently Computing Local Lipschitz Constants of Neural Networks via Bound Propagation](http://arxiv.org/abs/2210.07394)
- Summary:
Lipschitz constants are connected to many properties of neural networks, such as robustness, fairness, and generalization. Existing methods for computing Lipschitz constants either produce relatively loose upper bounds or are limited to small networks. In this paper, we develop an efficient framework for computing the $\ell_\infty$ local Lipschitz constant of a neural network by tightly upper bounding the norm of the Clarke Jacobian via linear bound propagation. We formulate the computation of local Lipschitz constants as a linear bound propagation process on a high-order backward graph induced by the chain rule of the Clarke Jacobian. To enable linear bound propagation, we derive tight linear relaxations for specific nonlinearities in the Clarke Jacobian. This formulation unifies existing ad-hoc approaches such as RecurJac, which can be seen as a special case of ours with weaker relaxations. The bound propagation framework also allows us to easily borrow the popular Branch-and-Bound (BaB) approach from neural network verification to further tighten Lipschitz constants. Experiments show that on tiny models, our method produces bounds comparable to those of exact methods that cannot scale to slightly larger models; on larger models, our method efficiently produces tighter results than existing relaxed or naive methods, and our method scales to much larger practical models that previous works could not handle. We also demonstrate an application on provable monotonicity analysis. Code is available at https://github.com/shizhouxing/Local-Lipschitz-Constants.
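To make concrete why a naive global bound is loose and what a local bound buys, here is an added example that is not the paper's method or code: for a constructed two-layer ReLU network it computes (a) the naive global $\ell_\infty$ bound, the product of the layers' operator norms; (b) a simple local upper bound over an $\ell_\infty$ ball that fixes the ReLU derivative of neurons whose pre-activation interval is stably positive or non-positive and relaxes the unstable ones to {0,1} per Jacobian entry (a much weaker relaxation than the paper's linear bound propagation, used only to show the idea); and (c) a sampled lower bound from exact Jacobians at the ball's centre and corners. The weights, biases, input point and radius are assumptions made for the example, and a pre-activation of exactly zero is treated as inactive, which the Clarke Jacobian handles more carefully.

```python
# Added example (not the paper's code): global vs. local l_inf Lipschitz bounds
# for a toy two-layer ReLU network f(x) = W2 * relu(W1 * x + b1).
from itertools import product

# Constructed toy weights (assumptions for the example).
W1 = [[1.0, -2.0], [3.0, 1.0]]
B1 = [0.5, -2.0]
W2 = [[1.0, 1.0]]


def matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def forward(x):
    z = [zi + bi for zi, bi in zip(matvec(W1, x), B1)]
    return matvec(W2, [max(0.0, zi) for zi in z])


def global_bound():
    """Naive global bound: product of the l_inf operator norms (max abs row sum),
    equivalent to assuming every ReLU can be active everywhere."""
    def opnorm(W):
        return max(sum(abs(w) for w in row) for row in W)
    return opnorm(W2) * opnorm(W1)


def preactivation_intervals(x0, eps):
    """Interval bounds of W1 x + b1 over the l_inf ball of radius eps around x0."""
    lo, hi = [], []
    for row, b in zip(W1, B1):
        center = sum(w * xi for w, xi in zip(row, x0)) + b
        radius = eps * sum(abs(w) for w in row)
        lo.append(center - radius)
        hi.append(center + radius)
    return lo, hi


def local_bound(x0, eps):
    """Upper bound on max_i ||J_i||_1 over the ball, with J = W2 D W1 and
    D = diag(1[z_k > 0]). Stable neurons fix d_k; unstable neurons (interval
    straddling 0) are relaxed to d_k in {0, 1}, independently per entry of J."""
    lo, hi = preactivation_intervals(x0, eps)
    n_out, n_hidden, n_in = len(W2), len(W1), len(W1[0])
    worst_row = 0.0
    for i in range(n_out):
        row_sum = 0.0
        for j in range(n_in):
            lo_ij = hi_ij = 0.0
            for k in range(n_hidden):
                c = W2[i][k] * W1[k][j]
                if lo[k] > 0:            # always active: d_k = 1
                    lo_ij += c
                    hi_ij += c
                elif hi[k] <= 0:         # never active: d_k = 0
                    continue
                else:                    # unstable: d_k may be 0 or 1
                    lo_ij += min(0.0, c)
                    hi_ij += max(0.0, c)
            row_sum += max(abs(lo_ij), abs(hi_ij))
        worst_row = max(worst_row, row_sum)
    return worst_row


def sampled_lower_bound(x0, eps):
    """Exact Jacobian l_inf operator norm at the centre and the 2^n corners of
    the ball: a lower bound on the true local Lipschitz constant."""
    corners = [[xi + s * eps for xi, s in zip(x0, signs)]
               for signs in product((-1.0, 1.0), repeat=len(x0))]
    best = 0.0
    for x in [x0] + corners:
        z = [zi + bi for zi, bi in zip(matvec(W1, x), B1)]
        d = [1.0 if zi > 0 else 0.0 for zi in z]
        for i in range(len(W2)):
            row = [sum(W2[i][k] * d[k] * W1[k][j] for k in range(len(W1)))
                   for j in range(len(W1[0]))]
            best = max(best, sum(abs(v) for v in row))
    return best


if __name__ == "__main__":
    x0, eps = [0.0, 0.0], 0.5
    print("global bound      :", global_bound())
    print("local upper bound :", local_bound(x0, eps))
    print("sampled lower bnd :", sampled_lower_bound(x0, eps))
```

For this network the second hidden unit is provably inactive on the whole ball and the first is unstable, so the local bound collapses to the norm of a single active row while the global bound still multiplies both layers' full norms; the sampled lower bound meeting the local upper bound certifies that the local value is exact here.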
Title: Distributional Reward Estimation for Effective Multi-Agent Deep Reinforcement Learning. (arXiv:2210.07636v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07636
- Code URL: https://github.com/jf-hu/dre-marl
- Copy Paste:
[[2210.07636] Distributional Reward Estimation for Effective Multi-Agent Deep Reinforcement Learning](http://arxiv.org/abs/2210.07636)
- Summary:
Multi-agent reinforcement learning has drawn increasing attention in practice, e.g., in robotics and autonomous driving, as it can explore optimal policies using samples generated by interacting with the environment. However, high reward uncertainty remains a problem when we want to train a satisfactory model, because obtaining high-quality reward feedback is usually expensive and sometimes even infeasible. To handle this issue, previous methods mainly focus on passive reward correction. At the same time, recent active reward estimation methods have proven to be a recipe for reducing the effect of reward uncertainty. In this paper, we propose a novel Distributional Reward Estimation framework for effective Multi-Agent Reinforcement Learning (DRE-MARL). Our main idea is to design multi-action-branch reward estimation and policy-weighted reward aggregation for stabilized training. Specifically, we design the multi-action-branch reward estimation to model reward distributions on all action branches. Then we utilize reward aggregation to obtain stable updating signals during training. Our intuition is that considering all possible consequences of actions could be useful for learning policies. The superiority of DRE-MARL is demonstrated on benchmark multi-agent scenarios, compared with the SOTA baselines in terms of both effectiveness and robustness.
biometric
steal
extraction
Title: Superpixel Perception Graph Neural Network for Intelligent Defect Detection. (arXiv:2210.07539v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07539
- Code URL: https://github.com/githbshang/spgnn
- Copy Paste:
[[2210.07539] Superpixel Perception Graph Neural Network for Intelligent Defect Detection](http://arxiv.org/abs/2210.07539)
- Summary:
The aero-engine is the core component of aircraft and other spacecraft. Its high-speed rotating blades provide power by sucking in air and fully combusting it, and various defects will inevitably occur, threatening the operational safety of the aero-engine. Therefore, regular inspections are essential for such a complex system. However, the existing traditional technology, borescope inspection, is labor-intensive, time-consuming, and experience-dependent. To endow this technology with intelligence, a novel superpixel perception graph neural network (SPGNN) is proposed, utilizing a multi-stage graph convolutional network (MSGCN) for feature extraction and a superpixel perception region proposal network (SPRPN) for region proposal. First, to capture complex and irregular textures, the images are transformed into a series of patches to obtain their graph representations. Then, the MSGCN, composed of several GCN blocks, extracts graph structure features and performs graph information processing at the graph level. Last but not least, the SPRPN is proposed to generate perceptual bounding boxes by fusing graph representation features and superpixel perception features. Therefore, the proposed SPGNN always performs feature extraction and information transmission at the graph level throughout the whole SPGNN pipeline, and the SPRPN and MSGCN mutually benefit from each other. To verify the effectiveness of SPGNN, we meticulously construct a simulated blade dataset with 3000 images. A public aluminum dataset is also used to validate the performance of different methods. The experimental results demonstrate that the proposed SPGNN has superior performance compared with the state-of-the-art methods. The source code will be available at https://github.com/githbshang/SPGNN.
Title: Cross-Scale Context Extracted Hashing for Fine-Grained Image Binary Encoding. (arXiv:2210.07572v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07572
- Code URL: https://github.com/netease-media/csce-net
- Copy Paste:
[[2210.07572] Cross-Scale Context Extracted Hashing for Fine-Grained Image Binary Encoding](http://arxiv.org/abs/2210.07572)
- Summary:
Deep hashing has been widely applied to large-scale image retrieval tasks owing to its efficient computation and low storage cost, achieved by encoding high-dimensional image data into binary codes. Since binary codes do not contain as much information as float features, the essence of binary encoding is preserving the main context to guarantee retrieval quality. However, the existing hashing methods have great limitations in suppressing redundant background information and in accurately encoding from Euclidean space to Hamming space with a simple sign function. In order to solve these problems, a Cross-Scale Context Extracted Hashing Network (CSCE-Net) is proposed in this paper. Firstly, we design a two-branch framework to capture fine-grained local information while maintaining high-level global semantic information. In addition, an Attention-guided Information Extraction (AIE) module is introduced between the two branches, which suppresses areas of low context information in cooperation with global sliding windows. Unlike previous methods, our CSCE-Net learns a content-related Dynamic Sign Function (DSF) to replace the original simple sign function. Therefore, the proposed CSCE-Net is context-sensitive and able to perform well on accurate image binary encoding. We further demonstrate that our CSCE-Net is superior to the existing hashing methods, improving retrieval performance on standard benchmarks.
Title: Lightweight Stepless Super-Resolution of Remote Sensing Images via Saliency-Aware Dynamic Routing Strategy. (arXiv:2210.07598v1 [cs.CV])
- Paper URL: http://arxiv.org/abs/2210.07598
- Code URL: https://github.com/hanlinwu/saldrn
- Copy Paste:
[[2210.07598] Lightweight Stepless Super-Resolution of Remote Sensing Images via Saliency-Aware Dynamic Routing Strategy](http://arxiv.org/abs/2210.07598)
- Summary:
Deep learning-based algorithms have greatly improved the performance of remote sensing image (RSI) super-resolution (SR). However, increasing network depth and parameter count imposes a huge computing and storage burden. Directly reducing the depth or width of existing models results in a large performance drop. We observe that the SR difficulty of different regions in an RSI varies greatly, and existing methods use the same deep network to process all regions in an image, resulting in a waste of computing resources. In addition, existing SR methods generally predefine integer scale factors and cannot perform stepless SR, i.e., a single model cannot deal with any potential scale factor. Retraining the model on each scale factor wastes considerable computing resources and model storage space. To address the above problems, we propose a saliency-aware dynamic routing network (SalDRN) for lightweight and stepless SR of RSIs. First, we introduce visual saliency as an indicator of region-level SR difficulty and integrate a lightweight saliency detector into the SalDRN to capture pixel-level visual characteristics. Then, we devise a saliency-aware dynamic routing strategy that employs path selection switches to adaptively select feature extraction paths of appropriate depth according to the SR difficulty of sub-image patches. Finally, we propose a novel lightweight stepless upsampling module whose core is an implicit feature function for realizing the mapping from low-resolution feature space to high-resolution feature space. Comprehensive experiments verify that the SalDRN can achieve a good trade-off between performance and complexity. The code is available at https://github.com/hanlinwu/SalDRN.
Title: Confidence estimation of classification based on the distribution of the neural network output layer. (arXiv:2210.07745v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07745
- Code URL: null
- Copy Paste:
[[2210.07745] Confidence estimation of classification based on the distribution of the neural network output layer](http://arxiv.org/abs/2210.07745)
- Summary:
One of the most common problems preventing the application of prediction models in the real world is lack of generalization: the accuracy of models, as measured on a benchmark, does not repeat itself on future data, e.g. in real business settings. Relatively few methods exist that estimate the confidence of prediction models. In this paper, we propose novel methods that, given a neural network classification model, estimate the uncertainty of particular predictions generated by this model. Furthermore, we propose a method that, given a model and a confidence level, calculates a threshold that separates the predictions generated by this model into two subsets, one of which meets the given confidence level. In contrast to other methods, the proposed methods do not require any changes to existing neural networks, because they simply build on the output logit layer of a common neural network. In particular, the methods infer the confidence of a particular prediction based on the distribution of the logit values corresponding to this prediction. The proposed methods constitute a tool that is recommended for filtering predictions in the process of knowledge extraction, e.g. based on web scraping, where prediction subsets are identified that maximize precision at the cost of recall, which is less important due to the abundance of data. The method has been tested on different tasks including relation extraction, named entity recognition and image classification to show the significant increase in accuracy achieved.
Title: Automated dysgraphia detection by deep learning with SensoGrip. (arXiv:2210.07659v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07659
- Code URL: null
- Copy Paste:
[[2210.07659] Automated dysgraphia detection by deep learning with SensoGrip](http://arxiv.org/abs/2210.07659)
- Summary:
Dysgraphia, a handwriting learning disability, has a serious negative impact on children's academic results, daily life and overall wellbeing. Early detection of dysgraphia allows for an early start of a targeted intervention. Several studies have investigated dysgraphia detection by machine learning algorithms using a digital tablet. However, these studies deployed classical machine learning algorithms with manual feature extraction and selection as well as binary classification: either dysgraphia or no dysgraphia. In this work, we investigated fine grading of handwriting capabilities by predicting the SEMS score (between 0 and 12) with deep learning. Our approach provides accuracy of more than 99% and a root mean square error lower than one, with automatic instead of manual feature extraction and selection. Furthermore, we used a smart pen called SensoGrip, a pen equipped with sensors to capture handwriting dynamics, instead of a tablet, enabling writing evaluation in more realistic scenarios.
membership infer
federate
Title: Close the Gate: Detecting Backdoored Models in Federated Learning based on Client-Side Deep Layer Output Analysis. (arXiv:2210.07714v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07714
- Code URL: null
- Copy Paste:
[[2210.07714] Close the Gate: Detecting Backdoored Models in Federated Learning based on Client-Side Deep Layer Output Analysis](http://arxiv.org/abs/2210.07714)
- Summary:
Federated Learning (FL) is a scheme for collaboratively training Deep Neural Networks (DNNs) with multiple data sources from different clients. Instead of sharing the data, each client trains the model locally, resulting in improved privacy. However, so-called targeted poisoning attacks have recently been proposed that allow individual clients to inject a backdoor into the trained model. Existing defenses against these backdoor attacks either rely on techniques like Differential Privacy to mitigate the backdoor, or analyze the weights of the individual models and apply outlier detection methods, which restricts these defenses to certain data distributions. However, adding noise to the models' parameters or excluding benign outliers might also reduce the accuracy of the collaboratively trained model. Additionally, allowing the server to inspect the clients' models creates a privacy risk due to existing knowledge extraction methods.
We propose CrowdGuard, a model filtering defense that mitigates backdoor attacks by leveraging the clients' data to analyze the individual models before aggregation. To prevent data leaks, the server sends the individual models to secure enclaves running in client-located Trusted Execution Environments. To effectively distinguish benign and poisoned models, even if the data of different clients are not independently and identically distributed (non-IID), we introduce a novel metric called HLBIM to analyze the outputs of the DNN's hidden layers. We show that the applied significance-based detection algorithm, combined with HLBIM, can effectively detect poisoned models, even in non-IID scenarios.
Title: FedFM: Anchor-based Feature Matching for Data Heterogeneity in Federated Learning. (arXiv:2210.07615v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07615
- Code URL: null
- Copy Paste:
[[2210.07615] FedFM: Anchor-based Feature Matching for Data Heterogeneity in Federated Learning](http://arxiv.org/abs/2210.07615)
- Summary:
One of the key challenges in federated learning (FL) is local data distribution heterogeneity across clients, which may cause inconsistent feature spaces across clients. To address this issue, we propose a novel method, FedFM, which guides each client's features to match shared category-wise anchors (landmarks in feature space). This method attempts to mitigate the negative effects of data heterogeneity in FL by aligning each client's feature space. Besides, we tackle the challenge of a varying objective function and provide a convergence guarantee for FedFM. In FedFM, to mitigate the phenomenon of overlapping feature spaces across categories and enhance the effectiveness of feature matching, we further propose a more precise and effective feature matching loss called contrastive-guiding (CG), which guides each local feature to match its corresponding anchor while keeping away from non-corresponding anchors. Additionally, to achieve higher efficiency and flexibility, we propose a FedFM variant, called FedFM-Lite, where clients communicate with the server with fewer synchronizations and lower communication bandwidth costs. Through extensive experiments, we demonstrate that FedFM with CG outperforms several prior works in quantitative and qualitative comparisons. FedFM-Lite can achieve better performance than state-of-the-art methods with five to ten times lower communication costs.
Title: Federated Best Arm Identification with Heterogeneous Clients. (arXiv:2210.07780v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07780
- Code URL: null
- Copy Paste:
[[2210.07780] Federated Best Arm Identification with Heterogeneous Clients](http://arxiv.org/abs/2210.07780)
- Summary:
We study best arm identification in a federated multi-armed bandit setting with a central server and multiple clients, when each client has access to a subset of arms and each arm yields independent Gaussian observations. The reward from an arm at any given time is defined as the average of the observations generated at this time across all the clients that have access to the arm. The end goal is to identify the best arm (the arm with the largest mean reward) of each client with the least expected stopping time, subject to an upper bound on the error probability (i.e., the fixed-confidence regime). We provide a lower bound on the growth rate of the expected time to find the best arm of each client. Furthermore, we show that for any algorithm whose upper bound on the expected time to find the best arms matches the lower bound up to a multiplicative constant, the ratio of any two consecutive communication time instants must be bounded, a result that is of independent interest. We then provide the first-known lower bound on the expected number of communication rounds required to find the best arms. We propose a novel algorithm based on the well-known Track-and-Stop strategy that communicates only at exponential time instants, and derive asymptotic upper bounds on its expected time to find the best arms and the expected number of communication rounds, in the asymptotic regime of vanishing error probabilities.
fair
Title: InterFair: Debiasing with Natural Language Feedback for Fair Interpretable Predictions. (arXiv:2210.07440v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07440
- Code URL: null
- Copy Paste:
[[2210.07440] InterFair: Debiasing with Natural Language Feedback for Fair Interpretable Predictions](http://arxiv.org/abs/2210.07440)
- Summary:
Debiasing methods in NLP models traditionally focus on isolating information related to a sensitive attribute (like gender or race). We instead argue that a favorable debiasing method should use sensitive information 'fairly,' with explanations, rather than blindly eliminating it. This fair balance is often subjective and can be challenging to achieve algorithmically. We show that an interactive setup in which users can provide feedback achieves a better and fairer balance between task performance and bias mitigation, supported by faithful explanations.
Title: Controlling Bias Exposure for Fair Interpretable Predictions. (arXiv:2210.07455v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07455
- Code URL: null
- Copy Paste:
[[2210.07455] Controlling Bias Exposure for Fair Interpretable Predictions](http://arxiv.org/abs/2210.07455)
- Summary:
Recent work on reducing bias in NLP models usually focuses on protecting or isolating information related to a sensitive attribute (like gender or race). However, when sensitive information is semantically entangled with the task information of the input, e.g., when gender information is predictive of a profession, a fair trade-off between task performance and bias mitigation is difficult to achieve. Existing approaches perform this trade-off by eliminating bias information from the latent space, lacking control over how much bias information actually needs to be removed. We argue that a favorable debiasing method should use sensitive information 'fairly' rather than blindly eliminating it (Caliskan et al., 2017; Sun et al., 2019). In this work, we provide a novel debiasing algorithm that adjusts the predictive model's belief to (1) ignore the sensitive information if it is not useful for the task; (2) use sensitive information minimally, only as necessary for the prediction (while also incurring a penalty). Experimental results on two text classification tasks (influenced by gender) and an open-ended generation task (influenced by race) indicate that our model achieves a desirable trade-off between debiasing and task performance while producing debiased rationales as evidence.
Title: BERTScore is Unfair: On Social Bias in Language Model-Based Metrics for Text Generation. (arXiv:2210.07626v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07626
- Code URL: https://github.com/txsun1997/metric-fairness
- Copy Paste:
[[2210.07626] BERTScore is Unfair: On Social Bias in Language Model-Based Metrics for Text Generation](http://arxiv.org/abs/2210.07626)
- Summary:
Automatic evaluation metrics are crucial to the development of generative systems. In recent years, pre-trained language model (PLM) based metrics, such as BERTScore, have been commonly adopted in various generation tasks. However, it has been demonstrated that PLMs encode a range of stereotypical societal biases, raising concern about the fairness of PLMs as metrics. To that end, this work presents the first systematic study of social bias in PLM-based metrics. We demonstrate that popular PLM-based metrics exhibit significantly higher social bias than traditional metrics on 6 sensitive attributes, namely race, gender, religion, physical appearance, age, and socioeconomic status. In-depth analysis suggests that the choice of metric paradigm (matching, regression, or generation) has a greater impact on fairness than the choice of PLM. In addition, we develop debiasing adapters that are injected into PLM layers, mitigating bias in PLM-based metrics while retaining high performance for evaluating text generation.
Title: Language Generation Models Can Cause Harm: So What Can We Do About It? An Actionable Survey. (arXiv:2210.07700v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07700
- Code URL: null
- Copy Paste:
[[2210.07700] Language Generation Models Can Cause Harm: So What Can We Do About It? An Actionable Survey](http://arxiv.org/abs/2210.07700)
- Summary:
Recent advances in the capacity of large language models to generate human-like text have resulted in their increased adoption in user-facing settings. In parallel, these improvements have prompted a heated discourse around the risks of societal harms they introduce, whether inadvertent or malicious. Several studies have identified potential causes of these harms and called for their mitigation via development of safer and fairer models. Going beyond enumerating the risks of harms, this work provides a survey of practical methods for addressing potential threats and societal harms from language generation models. We draw on several prior works' taxonomies of language model risks to present a structured overview of strategies for detecting and ameliorating different kinds of risks/harms of language generators. Bridging diverse strands of research, this survey aims to serve as a practical guide for both LM researchers and practitioners with explanations of motivations behind different mitigation strategies, their limitations, and open problems for future research.
Title: A Comprehensive Study on Large-Scale Graph Training: Benchmarking and Rethinking. (arXiv:2210.07494v1 [cs.LG])
- Paper URL: http://arxiv.org/abs/2210.07494
- Code URL: https://github.com/vita-group/large_scale_gcn_benchmarking
- Copy Paste:
[[2210.07494] A Comprehensive Study on Large-Scale Graph Training: Benchmarking and Rethinking](http://arxiv.org/abs/2210.07494)
- Summary:
Large-scale graph training is a notoriously challenging problem for graph neural networks (GNNs). Because the graph structure must be carried through the training process, vanilla GNNs usually fail to scale up, limited by GPU memory. Up to now, though numerous scalable GNN architectures have been proposed, we still lack a comprehensive survey and fair benchmark of this body of work from which to derive a rationale for designing scalable GNNs. To this end, we first systematically formulate the representative methods of large-scale graph training into several branches and further establish a fair and consistent benchmark for them by greedy hyperparameter search. In addition, regarding efficiency, we theoretically evaluate the time and space complexity of the various branches and empirically compare them w.r.t. GPU memory usage, throughput, and convergence. Furthermore, we analyze the pros and cons of the various branches of scalable GNNs and then present a new ensembling training manner, named EnGCN, to address the existing issues. Remarkably, our proposed method achieves new state-of-the-art (SOTA) performance on large-scale datasets. Our code is available at https://github.com/VITA-Group/Large_Scale_GCN_Benchmarking.
interpretability
explainability
watermark
Title: Watermarking Pre-trained Language Models with Backdooring. (arXiv:2210.07543v1 [cs.CL])
- Paper URL: http://arxiv.org/abs/2210.07543
- Code URL: null
- Copy Paste:
[[2210.07543] Watermarking Pre-trained Language Models with Backdooring](http://arxiv.org/abs/2210.07543)
- Summary:
Large pre-trained language models (PLMs) have proven to be a crucial component of modern natural language processing systems. PLMs typically need to be fine-tuned on task-specific downstream datasets, which makes it hard to claim ownership of PLMs and protect the developer's intellectual property due to the catastrophic forgetting phenomenon. We show that PLMs can be watermarked with a multi-task learning framework by embedding backdoors triggered by specific inputs defined by the owners, and those watermarks are hard to remove even when the watermarked PLMs are fine-tuned on multiple downstream tasks. In addition to using some rare words as triggers, we also show that combinations of common words can be used as backdoor triggers to avoid easy detection. Extensive experiments on multiple datasets demonstrate that the embedded watermarks can be robustly extracted with a high success rate and are less affected by follow-up fine-tuning.
Title: Free Fine-tuning: A Plug-and-Play Watermarking Scheme for Deep Neural Networks. (arXiv:2210.07809v1 [cs.CR])
- Paper URL: http://arxiv.org/abs/2210.07809
- Code URL: https://github.com/antigonerandy/ptynet
- Copy Paste:
[[2210.07809] Free Fine-tuning: A Plug-and-Play Watermarking Scheme for Deep Neural Networks](http://arxiv.org/abs/2210.07809)
- Summary:
Watermarking has been widely adopted for protecting the intellectual property (IP) of Deep Neural Networks (DNNs) and defending against unauthorized distribution. Unfortunately, the popular data-poisoning DNN watermarking scheme relies on target model fine-tuning to embed watermarks, which limits its practical applicability to real-world tasks. Specifically, learning watermarks via tedious model fine-tuning on a poisoned dataset (carefully-crafted sample-label pairs) is not efficient for tasks on challenging datasets or for production-level DNN model protection. To address the aforementioned limitations, in this paper we propose a plug-and-play watermarking scheme for DNN models that injects an independent proprietary model into the target model to serve watermark embedding and ownership verification. In contrast to prior studies, our proposed method, by incorporating a proprietary model, requires no fine-tuning of the target model and no update of its parameters, so fidelity is well preserved. Our research findings reveal that model fine-tuning with poisoned data is ill-suited to the IP protection of DNN models deployed in real-world tasks, and they point to a new research direction toward a more thorough understanding and investigation of adopting a proprietary model for DNN watermarking. The source code and models are available at https://github.com/AntigoneRandy/PTYNet.