secure

Title: Real-World Chaos-Based Cryptography Using Synchronised Chua Chaotic Circuits. (arXiv:2210.11299v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11299
• Code URL: null
• Copy Paste: [[2210.11299] Real-World Chaos-Based Cryptography Using Synchronised Chua Chaotic Circuits](http://arxiv.org/abs/2210.11299)
• Summary:

  This work presents the hardware demonstrator of a secure encryption system based on synchronised Chua chaotic circuits. In particular, the presented encryption system comprises two Chua circuits that are synchronised using a dedicated bidirectional synchronisation line. One of them forms part of the transmitter, while the other of the receiver. Both circuits are tuned to operate in a chaotic mode. The output (chaotic) signal of the first circuit (transmitter) is digitised and then combined with the message to be encrypted, through an XOR gate. The second Chua circuit (receiver) is used for the decryption; the output chaotic signal of this circuit is similarly digitised and combined with the encrypted message to retrieve the original message. Our hardware demonstrator proves that this method can be used in order to provide extremely lightweight real-world, chaos-based cryptographic solutions.

Title: Towards cryptographically-authenticated in-memory data structures. (arXiv:2210.11340v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11340
• Code URL: null
• Copy Paste: [[2210.11340] Towards cryptographically-authenticated in-memory data structures](http://arxiv.org/abs/2210.11340)
• Summary:

  Modern processors include high-performance cryptographic functionalities such as Intel's AES-NI and ARM's Pointer Authentication that allow programs to efficiently authenticate data held by the program. Pointer Authentication is already used to protect return addresses in recent Apple devices, but as yet these structures have seen little use for the protection of general program data.

In this paper, we show how cryptographically-authenticated data structures can be used to protect against attacks based on memory corruption, and show how they can be efficiently realized using widely available hardware-assisted cryptographic mechanisms. We present realizations of secure stacks and queues with minimal overall performance overhead (3.4%-6.4% slowdown of the OpenCV core performance tests), and provide proofs of correctness.

security

Title: A Comprehensive Survey on Edge Data Integrity Verification: Fundamentals and Future Trends. (arXiv:2210.10978v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.10978
• Code URL: null
• Copy Paste: [[2210.10978] A Comprehensive Survey on Edge Data Integrity Verification: Fundamentals and Future Trends](http://arxiv.org/abs/2210.10978)
• Summary:

  Recent advances in edge computing have pushed cloud-based data caching services to edge, however, such emerging edge storage comes with numerous challenging and unique security issues. One of them is the problem of edge data integrity verification (EDIV) which coordinates multiple participants (e.g., data owners and edge nodes) to inspect whether data cached on edge is authentic. To date, various solutions have been proposed to address the EDIV problem, while there is no systematic review. Thus, we offer a comprehensive survey for the first time, aiming to show current research status, open problems, and potentially promising insights for readers to further investigate this under-explored field. Specifically, we begin with stating the significance of the EDIV problem, the integrity verification difference between data cached on cloud and edge, and three typical system models with corresponding inspection processes. Then, we synthesize a universal criteria framework that an effective verification approach should satisfy. Subsequently, we adopt a schematic development timeline to reveal the research advance on EDIV in a sequential manner, followed by a detailed review on the existing EDIV solutions. Finally, we highlight intriguing research challenges and possible directions for future research.

Title: Demystifying Hidden Sensitive Operations in Android apps. (arXiv:2210.10997v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.10997
• Code URL: null
• Copy Paste: [[2210.10997] Demystifying Hidden Sensitive Operations in Android apps](http://arxiv.org/abs/2210.10997)
• Summary:

  Security of Android devices is now paramount, given their wide adoption among consumers. As researchers develop tools for statically or dynamically detecting suspicious apps, malware writers regularly update their attack mechanisms to hide malicious behavior implementation. This poses two problems to current research techniques: static analysis approaches, given their over-approximations, can report an overwhelming number of false alarms, while dynamic approaches will miss those behaviors that are hidden through evasion techniques. We propose in this work a static approach specifically targeted at highlighting hidden sensitive operations, mainly sensitive data flows. The prototype version of HiSenDroid has been evaluated on a large-scale dataset of thousands of malware and goodware samples on which it successfully revealed anti-analysis code snippets aiming at evading detection by dynamic analysis. We further experimentally show that, with FlowDroid, some of the hidden sensitive behaviors would eventually lead to private data leaks. Those leaks would have been hard to spot either manually among the large number of false positives reported by the state of the art static analyzers, or by dynamic tools. Overall, by putting the light on hidden sensitive operations, HiSenDroid helps security analysts in validating potential sensitive data operations, which would be previously unnoticed.

Title: Development of a hardware-In-the-Loop (HIL) testbed for cyber-physical security in smart buildings. (arXiv:2210.11234v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11234
• Code URL: null
• Copy Paste: [[2210.11234] Development of a hardware-In-the-Loop (HIL) testbed for cyber-physical security in smart buildings](http://arxiv.org/abs/2210.11234)
• Summary:

  As smart buildings move towards open communication technologies, providing access to the Building Automation System (BAS) through the intranet, or even remotely through the Internet, has become a common practice. However, BAS was historically developed as a closed environment and designed with limited cyber-security considerations. Thus, smart buildings are vulnerable to cyber-attacks with the increased accessibility. This study introduces the development and capability of a Hardware-in-the-Loop (HIL) testbed for testing and evaluating the cyber-physical security of typical BASs in smart buildings. The testbed consists of three subsystems: (1) a real-time HIL emulator simulating the behavior of a virtual building as well as the Heating, Ventilation, and Air Conditioning (HVAC) equipment via a dynamic simulation in Modelica; (2) a set of real HVAC controllers monitoring the virtual building operation and providing local control signals to control HVAC equipment in the HIL emulator; and (3) a BAS server along with a web-based service for users to fully access the schedule, setpoints, trends, alarms, and other control functions of the HVAC controllers remotely through the BACnet network. The server generates rule-based setpoints to local HVAC controllers. Based on these three subsystems, the HIL testbed supports attack/fault-free and attack/fault-injection experiments at various levels of the building system. The resulting test data can be used to inform the building community and support the cyber-physical security technology transfer to the building industry.

Title: Emerging Threats in Deep Learning-Based Autonomous Driving: A Comprehensive Survey. (arXiv:2210.11237v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11237
• Code URL: null
• Copy Paste: [[2210.11237] Emerging Threats in Deep Learning-Based Autonomous Driving: A Comprehensive Survey](http://arxiv.org/abs/2210.11237)
• Summary:

  Since the 2004 DARPA Grand Challenge, the autonomous driving technology has witnessed nearly two decades of rapid development. Particularly, in recent years, with the application of new sensors and deep learning technologies extending to the autonomous field, the development of autonomous driving technology has continued to make breakthroughs. Thus, many carmakers and high-tech giants dedicated to research and system development of autonomous driving. However, as the foundation of autonomous driving, the deep learning technology faces many new security risks. The academic community has proposed deep learning countermeasures against the adversarial examples and AI backdoor, and has introduced them into the autonomous driving field for verification. Deep learning security matters to autonomous driving system security, and then matters to personal safety, which is an issue that deserves attention and research.This paper provides an summary of the concepts, developments and recent research in deep learning security technologies in autonomous driving. Firstly, we briefly introduce the deep learning framework and pipeline in the autonomous driving system, which mainly include the deep learning technologies and algorithms commonly used in this field. Moreover, we focus on the potential security threats of the deep learning based autonomous driving system in each functional layer in turn. We reviews the development of deep learning attack technologies to autonomous driving, investigates the State-of-the-Art algorithms, and reveals the potential risks. At last, we provides an outlook on deep learning security in the autonomous driving field and proposes recommendations for building a safe and trustworthy autonomous driving system.

Title: The State-of-the-Art in AI-Based Malware Detection Techniques: A Review. (arXiv:2210.11239v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11239
• Code URL: null
• Copy Paste: [[2210.11239] The State-of-the-Art in AI-Based Malware Detection Techniques: A Review](http://arxiv.org/abs/2210.11239)
• Summary:

  Artificial Intelligence techniques have evolved rapidly in recent years, revolutionising the approaches used to fight against cybercriminals. But as the cyber security field has progressed, so has malware development, making it an economic imperative to strengthen businesses' defensive capability against malware attacks. This review aims to outline the state-of-the-art AI techniques used in malware detection and prevention, providing an in-depth analysis of the latest studies in this field. The algorithms investigated consist of Shallow Learning, Deep Learning and Bio-Inspired Computing, applied to a variety of platforms, such as PC, cloud, Android and IoT. This survey also touches on the rapid adoption of AI by cybercriminals as a means to create ever more advanced malware and exploit the AI algorithms designed to defend against them.

Title: Uncovering Fingerprinting Networks. An Analysis of In-Browser Tracking using a Behavior-based Approach. (arXiv:2210.11300v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11300
• Code URL: null
• Copy Paste: [[2210.11300] Uncovering Fingerprinting Networks](http://arxiv.org/abs/2210.11300)
• Summary:

  Throughout recent years, the importance of internet-privacy has continuously risen. [...] Browser fingerprinting is a technique that does not require cookies or persistent identifiers. It derives a sufficiently unique identifier from the various browser or device properties. Academic work has covered offensive and defensive fingerprinting methods for almost a decade, observing a rise in popularity. This thesis explores the current state of browser fingerprinting on the internet. For that, we implement FPNET - a scalable & reliable tool based on FPMON, to identify fingerprinting scripts on large sets of websites by observing their behavior. By scanning the Alexa Top 10,000 websites, we spot several hundred networks of equally behaving scripts. For each network, we determine the actor behind it. We track down companies like Google, Yandex, Maxmind, Sift, or FingerprintJS, to name a few. In three complementary studies, we further investigate the uncovered networks with regards to I) randomization of filenames or domains, II) behavior changes, III) security. Two consecutive scans reveal that only less than 12.5% of the pages do not change script files. With our behavior-based approach, we successfully re-identify almost 9,000 scripts whose filename or domain changed, and over 86% of the scripts without URL changes. The security analysis shows an adoption of TLS/SSL to over 98% and specific web security headers set for over 30% of the scripts. Finally, we voice concerns about the unavoidability of modern fingerprinting and its implications for internet users' privacy since we believe that many users are unaware of being fingerprinted or have insufficient possibilities to protect against it.

Title: Proof of Unlearning: Definitions and Instantiation. (arXiv:2210.11334v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11334
• Code URL: null
• Copy Paste: [[2210.11334] Proof of Unlearning: Definitions and Instantiation](http://arxiv.org/abs/2210.11334)
• Summary:

  The "Right to be Forgotten" rule in machine learning (ML) practice enables some individual data to be deleted from a trained model, as pursued by recently developed machine unlearning techniques. To truly comply with the rule, a natural and necessary step is to verify if the individual data are indeed deleted after unlearning. Yet, previous parameter-space verification metrics may be easily evaded by a distrustful model trainer. Thus, Thudi et al. recently present a call to action on algorithm-level verification in USENIX Security'22.

We respond to the call, by reconsidering the unlearning problem in the scenario of machine learning as a service (MLaaS), and proposing a new definition framework for Proof of Unlearning (PoUL) on algorithm level. Specifically, our PoUL definitions (i) enforce correctness properties on both the pre and post phases of unlearning, so as to prevent the state-of-the-art forging attacks; (ii) highlight proper practicality requirements of both the prover and verifier sides with minimal invasiveness to the off-the-shelf service pipeline and computational workloads. Under the definition framework, we subsequently present a trusted hardware-empowered instantiation using SGX enclave, by logically incorporating an authentication layer for tracing the data lineage with a proving layer for supporting the audit of learning. We customize authenticated data structures to support large out-of-enclave storage with simple operation logic, and meanwhile, enable proving complex unlearning logic with affordable memory footprints in the enclave. We finally validate the feasibility of the proposed instantiation with a proof-of-concept implementation and multi-dimensional performance evaluation.

privacy

Title: Content-based Graph Privacy Advisor. (arXiv:2210.11169v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11169
• Code URL: null
• Copy Paste: [[2210.11169] Content-based Graph Privacy Advisor](http://arxiv.org/abs/2210.11169)
• Summary:

  People may be unaware of the privacy risks of uploading an image online. In this paper, we present an image privacy classifier that uses scene information and object cardinality as cues for the prediction of image privacy. Our Graph Privacy Advisor (GPA) model simplifies a state-of-the-art graph model and improves its performance by refining the relevance of the content-based information extracted from the image. We determine the most informative visual features to be used for the privacy classification task and reduce the complexity of the model by replacing high-dimensional image-based feature vectors with lower-dimensional, more effective features. We also address the biased prior information by modelling object co-occurrences instead of the frequency of object occurrences in each class.

Title: How Does a Deep Learning Model Architecture Impact Its Privacy?. (arXiv:2210.11049v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11049
• Code URL: null
• Copy Paste: [[2210.11049] How Does a Deep Learning Model Architecture Impact Its Privacy?](http://arxiv.org/abs/2210.11049)
• Summary:

  As a booming research area in the past decade, deep learning technologies have been driven by big data collected and processed on an unprecedented scale. However, the sensitive information in the collected training data raises privacy concerns. Recent research indicated that deep learning models are vulnerable to various privacy attacks, including membership inference attacks, attribute inference attacks, and gradient inversion attacks. It is noteworthy that the performance of the attacks varies from model to model. In this paper, we conduct empirical analyses to answer a fundamental question: Does model architecture affect model privacy? We investigate several representative model architectures from CNNs to Transformers, and show that Transformers are generally more vulnerable to privacy attacks than CNNs. We further demonstrate that the micro design of activation layers, stem layers, and bias parameters, are the major reasons why CNNs are more resilient to privacy attacks than Transformers. We also find that the presence of attention modules is another reason why Transformers are more vulnerable to privacy attacks. We hope our discovery can shed some new light on how to defend against the investigated privacy attacks and help the community build privacy-friendly model architectures.

Title: Private Algorithms with Private Predictions. (arXiv:2210.11222v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11222
• Code URL: null
• Copy Paste: [[2210.11222] Private Algorithms with Private Predictions](http://arxiv.org/abs/2210.11222)
• Summary:

  When applying differential privacy to sensitive data, a common way of getting improved performance is to use external information such as other sensitive data, public data, or human priors. We propose to use the algorithms with predictions framework -- previously applied largely to improve time complexity or competitive ratios -- as a powerful way of designing and analyzing privacy-preserving methods that can take advantage of such external information to improve utility. For four important tasks -- quantile release, its extension to multiple quantiles, covariance estimation, and data release -- we construct prediction-dependent differentially private methods whose utility scales with natural measures of prediction quality. The analyses enjoy several advantages, including minimal assumptions about the data, natural ways of adding robustness to noisy predictions, and novel "meta" algorithms that can learn predictions from other (potentially sensitive) data. Overall, our results demonstrate how to enable differentially private algorithms to make use of and learn noisy predictions, which holds great promise for improving utility while preserving privacy across a variety of tasks.

protect

Title: Thwarting Piracy: Anti-debugging Using GPU-assisted Self-healing Codes. (arXiv:2210.11047v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11047
• Code URL: null
• Copy Paste: [[2210.11047] Thwarting Piracy: Anti-debugging Using GPU-assisted Self-healing Codes](http://arxiv.org/abs/2210.11047)
• Summary:

  Software piracy is one of the concerns in the IT sector. Pirates leverage the debugger tools to reverse engineer the logic that verifies the license keys or bypass the entire verification process. Anti-debugging techniques are used to defeat piracy using self-healing codes. However, anti-debugging methods can be defeated when the licensing protections are limited to CPU-based implementation by writing custom codes to deactivate the anti-debugging methods. In the paper, we demonstrate how GPU implementation can prevent pirates from deactivating the anti-debugging methods by using the limitations of debugging on GPU. Generally, GPUs do not support debugging directly on the hardware, and therefore all the debugging is limited to CPU-based emulation. Also, a process running on CPU generally does not have any visibility on codes running on GPU, which comes as an added benefit for our work. We provide an implementation on GPU to show the feasibility of our method. As GPUs are getting widespread with the raise in popularity of gaming software, our technique provides a method to protect against piracy. Our method thwarts any attempts to bypass the license verification step thus offering a better anti-piracy mechanism.

defense

Title: Backdoor Attack and Defense in Federated Generative Adversarial Network-based Medical Image Synthesis. (arXiv:2210.10886v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.10886
• Code URL: null
• Copy Paste: [[2210.10886] Backdoor Attack and Defense in Federated Generative Adversarial Network-based Medical Image Synthesis](http://arxiv.org/abs/2210.10886)
• Summary:

  Deep Learning-based image synthesis techniques have been applied in healthcare research for generating medical images to support open research and augment medical datasets. Training generative adversarial neural networks (GANs) usually require large amounts of training data. Federated learning (FL) provides a way of training a central model using distributed data while keeping raw data locally. However, given that the FL server cannot access the raw data, it is vulnerable to backdoor attacks, an adversarial by poisoning training data. Most backdoor attack strategies focus on classification models and centralized domains. It is still an open question if the existing backdoor attacks can affect GAN training and, if so, how to defend against the attack in the FL setting. In this work, we investigate the overlooked issue of backdoor attacks in federated GANs (FedGANs). The success of this attack is subsequently determined to be the result of some local discriminators overfitting the poisoned data and corrupting the local GAN equilibrium, which then further contaminates other clients when averaging the generator's parameters and yields high generator loss. Therefore, we proposed FedDetect, an efficient and effective way of defending against the backdoor attack in the FL setting, which allows the server to detect the client's adversarial behavior based on their losses and block the malicious clients. Our extensive experiments on two medical datasets with different modalities demonstrate the backdoor attack on FedGANs can result in synthetic images with low fidelity. After detecting and suppressing the detected malicious clients using the proposed defense strategy, we show that FedGANs can synthesize high-quality medical datasets (with labels) for data augmentation to improve classification models' performance.

attack

Title: Attacking Motion Estimation with Adversarial Snow. (arXiv:2210.11242v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11242
• Code URL: null
• Copy Paste: [[2210.11242] Attacking Motion Estimation with Adversarial Snow](http://arxiv.org/abs/2210.11242)
• Summary:

  Current adversarial attacks for motion estimation (optical flow) optimize small per-pixel perturbations, which are unlikely to appear in the real world. In contrast, we exploit a real-world weather phenomenon for a novel attack with adversarially optimized snow. At the core of our attack is a differentiable renderer that consistently integrates photorealistic snowflakes with realistic motion into the 3D scene. Through optimization we obtain adversarial snow that significantly impacts the optical flow while being indistinguishable from ordinary snow. Surprisingly, the impact of our novel attack is largest on methods that previously showed a high robustness to small L_p perturbations.

Title: Similarity of Neural Architectures Based on Input Gradient Transferability. (arXiv:2210.11407v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11407
• Code URL: null
• Copy Paste: [[2210.11407] Similarity of Neural Architectures Based on Input Gradient Transferability](http://arxiv.org/abs/2210.11407)
• Summary:

  In this paper, we aim to design a quantitative similarity function between two neural architectures. Specifically, we define a model similarity using input gradient transferability. We generate adversarial samples of two networks and measure the average accuracy of the networks on adversarial samples of each other. If two networks are highly correlated, then the attack transferability will be high, resulting in high similarity. Using the similarity score, we investigate two topics: (1) Which network component contributes to the model diversity? (2) How does model diversity affect practical scenarios? We answer the first question by providing feature importance analysis and clustering analysis. The second question is validated by two different scenarios: model ensemble and knowledge distillation. Our findings show that model diversity takes a key role when interacting with different neural architectures. For example, we found that more diversity leads to better ensemble performance. We also observe that the relationship between teacher and student networks and distillation performance depends on the choice of the base architecture of the teacher and student networks. We expect our analysis tool helps a high-level understanding of differences between various neural architectures as well as practical guidance when using multiple architectures.

Title: Apple of Sodom: Hidden Backdoors in Superior Sentence Embeddings via Contrastive Learning. (arXiv:2210.11082v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.11082
• Code URL: null
• Copy Paste: [[2210.11082] Apple of Sodom: Hidden Backdoors in Superior Sentence Embeddings via Contrastive Learning](http://arxiv.org/abs/2210.11082)
• Summary:

  This paper finds that contrastive learning can produce superior sentence embeddings for pre-trained models but is also vulnerable to backdoor attacks. We present the first backdoor attack framework, BadCSE, for state-of-the-art sentence embeddings under supervised and unsupervised learning settings. The attack manipulates the construction of positive and negative pairs so that the backdoored samples have a similar embedding with the target sample (targeted attack) or the negative embedding of its clean version (non-targeted attack). By injecting the backdoor in sentence embeddings, BadCSE is resistant against downstream fine-tuning. We evaluate BadCSE on both STS tasks and other downstream tasks. The supervised non-targeted attack obtains a performance degradation of 194.86%, and the targeted attack maps the backdoored samples to the target embedding with a 97.70% success rate while maintaining the model utility.

Title: Learning to Invert: Simple Adaptive Attacks for Gradient Inversion in Federated Learning. (arXiv:2210.10880v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10880
• Code URL: null
• Copy Paste: [[2210.10880] Learning to Invert: Simple Adaptive Attacks for Gradient Inversion in Federated Learning](http://arxiv.org/abs/2210.10880)
• Summary:

  Gradient inversion attack enables recovery of training samples from model updates in federated learning (FL) and constitutes a serious threat to data privacy. To mitigate this vulnerability, prior work proposed both principled defenses based on differential privacy, as well as heuristic defenses based on gradient compression as countermeasures. These defenses have so far been very effective, in particular those based on gradient compression that allow the model to maintain high accuracy while greatly reducing the attack's effectiveness. In this work, we argue that such findings do not accurately reflect the privacy risk in FL, and show that existing defenses can be broken by a simple adaptive attack that trains a model using auxiliary data to learn how to invert gradients on both vision and language tasks.

Title: FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information. (arXiv:2210.10936v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.10936
• Code URL: null
• Copy Paste: [[2210.10936] FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information](http://arxiv.org/abs/2210.10936)
• Summary:

  Federated learning is vulnerable to poisoning attacks in which malicious clients poison the global model via sending malicious model updates to the server. Existing defenses focus on preventing a small number of malicious clients from poisoning the global model via robust federated learning methods and detecting malicious clients when there are a large number of them. However, it is still an open challenge how to recover the global model from poisoning attacks after the malicious clients are detected. A naive solution is to remove the detected malicious clients and train a new global model from scratch, which incurs large cost that may be intolerable for resource-constrained clients such as smartphones and IoT devices.

In this work, we propose FedRecover, which can recover an accurate global model from poisoning attacks with small cost for the clients. Our key idea is that the server estimates the clients' model updates instead of asking the clients to compute and communicate them during the recovery process. In particular, the server stores the global models and clients' model updates in each round, when training the poisoned global model. During the recovery process, the server estimates a client's model update in each round using its stored historical information. Moreover, we further optimize FedRecover to recover a more accurate global model using warm-up, periodic correction, abnormality fixing, and final tuning strategies, in which the server asks the clients to compute and communicate their exact model updates. Theoretically, we show that the global model recovered by FedRecover is close to or the same as that recovered by train-from-scratch under some assumptions. Empirically, our evaluation on four datasets, three federated learning methods, as well as untargeted and targeted poisoning attacks (e.g., backdoor attacks) shows that FedRecover is both accurate and efficient.

Title: Interpretable Machine Learning for Detection and Classification of Ransomware Families Based on API Calls. (arXiv:2210.11235v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11235
• Code URL: null
• Copy Paste: [[2210.11235] Interpretable Machine Learning for Detection and Classification of Ransomware Families Based on API Calls](http://arxiv.org/abs/2210.11235)
• Summary:

  Ransomware has appeared as one of the major global threats in recent days The alarming increasing rate of ransomware attacks and new ransomware variants intrigue the researchers to constantly examine the distinguishing traits of ransomware and refine their detection strategies Application Programming Interface API is a way for one program to collaborate with another API calls are the medium by which they communicate Ransomware uses this strategy to interact with the OS and makes a significantly higher number of calls in different sequences to ask for taking action This research work utilizes the frequencies of different API calls to detect and classify ransomware families First a WebCrawler is developed to automate collecting the Windows Portable Executable PE files of 15 different ransomware families By extracting different frequencies of 68 API calls we develop our dataset in the first phase of the two phase feature engineering process After selecting the most significant features in the second phase of the feature engineering process we deploy six Supervised Machine Learning models Naive Bayes Logistic Regression Random Forest Stochastic Gradient Descent K Nearest Neighbor and Support Vector Machine Then the performances of all the classifiers are compared to select the best model The results reveal that Logistic Regression can efficiently classify ransomware into their corresponding families securing 9915 accuracy Finally instead of relying on the Black box characteristic of the Machine Learning models we present the interpretability of our best performing model using SHAP values to ascertain the transparency and trustworthiness of the models prediction

Title: Detecting Backdoors in Deep Text Classifiers. (arXiv:2210.11264v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.11264
• Code URL: null
• Copy Paste: [[2210.11264] Detecting Backdoors in Deep Text Classifiers](http://arxiv.org/abs/2210.11264)
• Summary:

  Deep neural networks are vulnerable to adversarial attacks, such as backdoor attacks in which a malicious adversary compromises a model during training such that specific behaviour can be triggered at test time by attaching a specific word or phrase to an input. This paper considers the problem of diagnosing whether a model has been compromised and if so, identifying the backdoor trigger. We present the first robust defence mechanism that generalizes to several backdoor attacks against text classification models, without prior knowledge of the attack type, nor does our method require access to any (potentially compromised) training resources. Our experiments show that our technique is highly accurate at defending against state-of-the-art backdoor attacks, including data poisoning and weight poisoning, across a range of text classification tasks and model architectures. Our code will be made publicly available upon acceptance.

robust

Title: Does Decentralized Learning with Non-IID Unlabeled Data Benefit from Self Supervision?. (arXiv:2210.10947v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10947
• Code URL: https://github.com/liruiw/dec-ssl
• Copy Paste: [[2210.10947] Does Decentralized Learning with Non-IID Unlabeled Data Benefit from Self Supervision?](http://arxiv.org/abs/2210.10947)
• Summary:

  Decentralized learning has been advocated and widely deployed to make efficient use of distributed datasets, with an extensive focus on supervised learning (SL) problems. Unfortunately, the majority of real-world data are unlabeled and can be highly heterogeneous across sources. In this work, we carefully study decentralized learning with unlabeled data through the lens of self-supervised learning (SSL), specifically contrastive visual representation learning. We study the effectiveness of a range of contrastive learning algorithms under decentralized learning settings, on relatively large-scale datasets including ImageNet-100, MS-COCO, and a new real-world robotic warehouse dataset. Our experiments show that the decentralized SSL (Dec-SSL) approach is robust to the heterogeneity of decentralized datasets, and learns useful representation for object classification, detection, and segmentation tasks. This robustness makes it possible to significantly reduce communication and reduce the participation ratio of data sources with only minimal drops in performance. Interestingly, using the same amount of data, the representation learned by Dec-SSL can not only perform on par with that learned by centralized SSL which requires communication and excessive data storage costs, but also sometimes outperform representations extracted from decentralized SL which requires extra knowledge about the data labels. Finally, we provide theoretical insights into understanding why data heterogeneity is less of a concern for Dec-SSL objectives, and introduce feature alignment and clustering techniques to develop a new Dec-SSL algorithm that further improves the performance, in the face of highly non-IID data. Our study presents positive evidence to embrace unlabeled data in decentralized learning, and we hope to provide new insights into whether and why decentralized SSL is effective.

Title: Diffusion Models already have a Semantic Latent Space. (arXiv:2210.10960v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.10960
• Code URL: null
• Copy Paste: [[2210.10960] Diffusion Models already have a Semantic Latent Space](http://arxiv.org/abs/2210.10960)
• Summary:

  Diffusion models achieve outstanding generative performance in various domains. Despite their great success, they lack semantic latent space which is essential for controlling the generative process. To address the problem, we propose asymmetric reverse process (Asyrp) which discovers the semantic latent space in frozen pretrained diffusion models. Our semantic latent space, named h-space, has nice properties for accommodating semantic image manipulation: homogeneity, linearity, robustness, and consistency across timesteps. In addition, we introduce a principled design of the generative process for versatile editing and quality boost ing by quantifiable measures: editing strength of an interval and quality deficiency at a timestep. Our method is applicable to various architectures (DDPM++, iD- DPM, and ADM) and datasets (CelebA-HQ, AFHQ-dog, LSUN-church, LSUN- bedroom, and METFACES). Project page: https://kwonminki.github.io/Asyrp/

Title: RAIS: Robust and Accurate Interactive Segmentation via Continual Learning. (arXiv:2210.10984v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.10984
• Code URL: null
• Copy Paste: [[2210.10984] RAIS: Robust and Accurate Interactive Segmentation via Continual Learning](http://arxiv.org/abs/2210.10984)
• Summary:

  Interactive image segmentation aims at segmenting a target region through a way of human-computer interaction. Recent works based on deep learning have achieved excellent performance, while most of them focus on improving the accuracy of the training set and ignore potential improvement on the test set. In the inference phase, they tend to have a good performance on similar domains to the training set, and lack adaptability to domain shift, so they require more user efforts to obtain satisfactory results. In this work, we propose RAIS, a robust and accurate architecture for interactive segmentation with continuous learning, where the model can learn from both train and test data sets. For efficient learning on the test set, we propose a novel optimization strategy to update global and local parameters with a basic segmentation module and adaptation module, respectively. Moreover, we perform extensive experiments on several benchmarks that show our method can handle data distribution shifts and achieves SOTA performance compared with recent interactive segmentation methods. Besides, our method also shows its robustness in the datasets of remote sensing and medical imaging where the data domains are completely different between training and testing.

Title: Robustcaps: a transformation-robust capsule network for image classification. (arXiv:2210.11092v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11092
• Code URL: null
• Copy Paste: [[2210.11092] Robustcaps: a transformation-robust capsule network for image classification](http://arxiv.org/abs/2210.11092)
• Summary:

  Geometric transformations of the training data as well as the test data present challenges to the use of deep neural networks to vision-based learning tasks. In order to address this issue, we present a deep neural network model that exhibits the desirable property of transformation-robustness. Our model, termed RobustCaps, uses group-equivariant convolutions in an improved capsule network model. RobustCaps uses a global context-normalised procedure in its routing algorithm to learn transformation-invariant part-whole relationships within image data. This learning of such relationships allows our model to outperform both capsule and convolutional neural network baselines on transformation-robust classification tasks. Specifically, RobustCaps achieves state-of-the-art accuracies on CIFAR-10, FashionMNIST, and CIFAR-100 when the images in these datasets are subjected to train and test-time rotations and translations.

Title: Iterative collaborative routing among equivariant capsules for transformation-robust capsule networks. (arXiv:2210.11095v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11095
• Code URL: null
• Copy Paste: [[2210.11095] Iterative collaborative routing among equivariant capsules for transformation-robust capsule networks](http://arxiv.org/abs/2210.11095)
• Summary:

  Transformation-robustness is an important feature for machine learning models that perform image classification. Many methods aim to bestow this property to models by the use of data augmentation strategies, while more formal guarantees are obtained via the use of equivariant models. We recognise that compositional, or part-whole structure is also an important aspect of images that has to be considered for building transformation-robust models. Thus, we propose a capsule network model that is, at once, equivariant and compositionality-aware. Equivariance of our capsule network model comes from the use of equivariant convolutions in a carefully-chosen novel architecture. The awareness of compositionality comes from the use of our proposed novel, iterative, graph-based routing algorithm, termed Iterative collaborative routing (ICR). ICR, the core of our contribution, weights the predictions made for capsules based on an iteratively averaged score of the degree-centralities of its nearest neighbours. Experiments on transformed image classification on FashionMNIST, CIFAR-10, and CIFAR-100 show that our model that uses ICR outperforms convolutional and capsule baselines to achieve state-of-the-art performance.

Title: Coordinates Are NOT Lonely -- Codebook Prior Helps Implicit Neural 3D Representations. (arXiv:2210.11170v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11170
• Code URL: https://github.com/fukunyin/coco-nerf
• Copy Paste: [[2210.11170] Coordinates Are NOT Lonely -- Codebook Prior Helps Implicit Neural 3D Representations](http://arxiv.org/abs/2210.11170)
• Summary:

  Implicit neural 3D representation has achieved impressive results in surface or scene reconstruction and novel view synthesis, which typically uses the coordinate-based multi-layer perceptrons (MLPs) to learn a continuous scene representation. However, existing approaches, such as Neural Radiance Field (NeRF) and its variants, usually require dense input views (i.e. 50-150) to obtain decent results. To relive the over-dependence on massive calibrated images and enrich the coordinate-based feature representation, we explore injecting the prior information into the coordinate-based network and introduce a novel coordinate-based model, CoCo-INR, for implicit neural 3D representation. The cores of our method are two attention modules: codebook attention and coordinate attention. The former extracts the useful prototypes containing rich geometry and appearance information from the prior codebook, and the latter propagates such prior information into each coordinate and enriches its feature representation for a scene or object surface. With the help of the prior information, our method can render 3D views with more photo-realistic appearance and geometries than the current methods using fewer calibrated images available. Experiments on various scene reconstruction datasets, including DTU and BlendedMVS, and the full 3D head reconstruction dataset, H3DS, demonstrate the robustness under fewer input views and fine detail-preserving capability of our proposed method.

Title: Context-driven Visual Object Recognition based on Knowledge Graphs. (arXiv:2210.11233v1 [cs.AI])

• Paper URL: http://arxiv.org/abs/2210.11233
• Code URL: null
• Copy Paste: [[2210.11233] Context-driven Visual Object Recognition based on Knowledge Graphs](http://arxiv.org/abs/2210.11233)
• Summary:

  Current deep learning methods for object recognition are purely data-driven and require a large number of training samples to achieve good results. Due to their sole dependence on image data, these methods tend to fail when confronted with new environments where even small deviations occur. Human perception, however, has proven to be significantly more robust to such distribution shifts. It is assumed that their ability to deal with unknown scenarios is based on extensive incorporation of contextual knowledge. Context can be based either on object co-occurrences in a scene or on memory of experience. In accordance with the human visual cortex which uses context to form different object representations for a seen image, we propose an approach that enhances deep learning methods by using external contextual knowledge encoded in a knowledge graph. Therefore, we extract different contextual views from a generic knowledge graph, transform the views into vector space and infuse it into a DNN. We conduct a series of experiments to investigate the impact of different contextual views on the learned object representations for the same image dataset. The experimental results provide evidence that the contextual views influence the image representations in the DNN differently and therefore lead to different predictions for the same images. We also show that context helps to strengthen the robustness of object recognition models for out-of-distribution images, usually occurring in transfer learning tasks or real-world scenarios.

Title: TANGO: Text-driven Photorealistic and Robust 3D Stylization via Lighting Decomposition. (arXiv:2210.11277v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11277
• Code URL: null
• Copy Paste: [[2210.11277] TANGO: Text-driven Photorealistic and Robust 3D Stylization via Lighting Decomposition](http://arxiv.org/abs/2210.11277)
• Summary:

  Creation of 3D content by stylization is a promising yet challenging problem in computer vision and graphics research. In this work, we focus on stylizing photorealistic appearance renderings of a given surface mesh of arbitrary topology. Motivated by the recent surge of cross-modal supervision of the Contrastive Language-Image Pre-training (CLIP) model, we propose TANGO, which transfers the appearance style of a given 3D shape according to a text prompt in a photorealistic manner. Technically, we propose to disentangle the appearance style as the spatially varying bidirectional reflectance distribution function, the local geometric variation, and the lighting condition, which are jointly optimized, via supervision of the CLIP loss, by a spherical Gaussians based differentiable renderer. As such, TANGO enables photorealistic 3D style transfer by automatically predicting reflectance effects even for bare, low-quality meshes, without training on a task-specific dataset. Extensive experiments show that TANGO outperforms existing methods of text-driven 3D style transfer in terms of photorealistic quality, consistency of 3D geometry, and robustness when stylizing low-quality meshes. Our codes and results are available at our project webpage https://cyw-3d.github.io/tango/.

Title: On Feature Learning in the Presence of Spurious Correlations. (arXiv:2210.11369v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11369
• Code URL: https://github.com/izmailovpavel/spurious_feature_learning
• Copy Paste: [[2210.11369] On Feature Learning in the Presence of Spurious Correlations](http://arxiv.org/abs/2210.11369)
• Summary:

  Deep classifiers are known to rely on spurious features $\unicode{x2013}$ patterns which are correlated with the target on the training data but not inherently relevant to the learning problem, such as the image backgrounds when classifying the foregrounds. In this paper we evaluate the amount of information about the core (non-spurious) features that can be decoded from the representations learned by standard empirical risk minimization (ERM) and specialized group robustness training. Following recent work on Deep Feature Reweighting (DFR), we evaluate the feature representations by re-training the last layer of the model on a held-out set where the spurious correlation is broken. On multiple vision and NLP problems, we show that the features learned by simple ERM are highly competitive with the features learned by specialized group robustness methods targeted at reducing the effect of spurious correlations. Moreover, we show that the quality of learned feature representations is greatly affected by the design decisions beyond the training method, such as the model architecture and pre-training strategy. On the other hand, we find that strong regularization is not necessary for learning high quality feature representations. Finally, using insights from our analysis, we significantly improve upon the best results reported in the literature on the popular Waterbirds, CelebA hair color prediction and WILDS-FMOW problems, achieving 97%, 92% and 50% worst-group accuracies, respectively.

Title: Transformer-based Global 3D Hand Pose Estimation in Two Hands Manipulating Objects Scenarios. (arXiv:2210.11384v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11384
• Code URL: null
• Copy Paste: [[2210.11384] Transformer-based Global 3D Hand Pose Estimation in Two Hands Manipulating Objects Scenarios](http://arxiv.org/abs/2210.11384)
• Summary:

  This report describes our 1st place solution to ECCV 2022 challenge on Human Body, Hands, and Activities (HBHA) from Egocentric and Multi-view Cameras (hand pose estimation). In this challenge, we aim to estimate global 3D hand poses from the input image where two hands and an object are interacting on the egocentric viewpoint. Our proposed method performs end-to-end multi-hand pose estimation via transformer architecture. In particular, our method robustly estimates hand poses in a scenario where two hands interact. Additionally, we propose an algorithm that considers hand scales to robustly estimate the absolute depth. The proposed algorithm works well even when the hand sizes are various for each person. Our method attains 14.4 mm (left) and 15.9 mm (right) errors for each hand in the test set.

Title: VIBUS: Data-efficient 3D Scene Parsing with VIewpoint Bottleneck and Uncertainty-Spectrum Modeling. (arXiv:2210.11472v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11472
• Code URL: https://github.com/air-discover/vibus
• Copy Paste: [[2210.11472] VIBUS: Data-efficient 3D Scene Parsing with VIewpoint Bottleneck and Uncertainty-Spectrum Modeling](http://arxiv.org/abs/2210.11472)
• Summary:

  Recently, 3D scenes parsing with deep learning approaches has been a heating topic. However, current methods with fully-supervised models require manually annotated point-wise supervision which is extremely user-unfriendly and time-consuming to obtain. As such, training 3D scene parsing models with sparse supervision is an intriguing alternative. We term this task as data-efficient 3D scene parsing and propose an effective two-stage framework named VIBUS to resolve it by exploiting the enormous unlabeled points. In the first stage, we perform self-supervised representation learning on unlabeled points with the proposed Viewpoint Bottleneck loss function. The loss function is derived from an information bottleneck objective imposed on scenes under different viewpoints, making the process of representation learning free of degradation and sampling. In the second stage, pseudo labels are harvested from the sparse labels based on uncertainty-spectrum modeling. By combining data-driven uncertainty measures and 3D mesh spectrum measures (derived from normal directions and geodesic distances), a robust local affinity metric is obtained. Finite gamma/beta mixture models are used to decompose category-wise distributions of these measures, leading to automatic selection of thresholds. We evaluate VIBUS on the public benchmark ScanNet and achieve state-of-the-art results on both validation set and online test server. Ablation studies show that both Viewpoint Bottleneck and uncertainty-spectrum modeling bring significant improvements. Codes and models are publicly available at https://github.com/AIR-DISCOVER/VIBUS.

Title: G-Augment: Searching For The Meta-Structure Of Data Augmentation Policies For ASR. (arXiv:2210.10879v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10879
• Code URL: null
• Copy Paste: [[2210.10879] G-Augment: Searching For The Meta-Structure Of Data Augmentation Policies For ASR](http://arxiv.org/abs/2210.10879)
• Summary:

  Data augmentation is a ubiquitous technique used to provide robustness to automatic speech recognition (ASR) training. However, even as so much of the ASR training process has become automated and more "end-to-end", the data augmentation policy (what augmentation functions to use, and how to apply them) remains hand-crafted. We present Graph-Augment, a technique to define the augmentation space as directed acyclic graphs (DAGs) and search over this space to optimize the augmentation policy itself. We show that given the same computational budget, policies produced by G-Augment are able to perform better than SpecAugment policies obtained by random search on fine-tuning tasks on CHiME-6 and AMI. G-Augment is also able to establish a new state-of-the-art ASR performance on the CHiME-6 evaluation set (30.7% WER). We further demonstrate that G-Augment policies show better transfer properties across warm-start to cold-start training and model size compared to random-searched SpecAugment policies.

Title: Pre-training Language Models with Deterministic Factual Knowledge. (arXiv:2210.11165v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.11165
• Code URL: null
• Copy Paste: [[2210.11165] Pre-training Language Models with Deterministic Factual Knowledge](http://arxiv.org/abs/2210.11165)
• Summary:

  Previous works show that Pre-trained Language Models (PLMs) can capture factual knowledge. However, some analyses reveal that PLMs fail to perform it robustly, e.g., being sensitive to the changes of prompts when extracting factual knowledge. To mitigate this issue, we propose to let PLMs learn the deterministic relationship between the remaining context and the masked content. The deterministic relationship ensures that the masked factual content can be deterministically inferable based on the existing clues in the context. That would provide more stable patterns for PLMs to capture factual knowledge than randomly masking. Two pre-training tasks are further introduced to motivate PLMs to rely on the deterministic relationship when filling masks. Specifically, we use an external Knowledge Base (KB) to identify deterministic relationships and continuously pre-train PLMs with the proposed methods. The factual knowledge probing experiments indicate that the continuously pre-trained PLMs achieve better robustness in factual knowledge capturing. Further experiments on question-answering datasets show that trying to learn a deterministic relationship with the proposed methods can also help other knowledge-intensive tasks.

Title: Evidence > Intuition: Transferability Estimation for Encoder Selection. (arXiv:2210.11255v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.11255
• Code URL: https://github.com/mainlp/logme-nlp
• Copy Paste: [[2210.11255] Evidence > Intuition: Transferability Estimation for Encoder Selection](http://arxiv.org/abs/2210.11255)
• Summary:

  With the increase in availability of large pre-trained language models (LMs) in Natural Language Processing (NLP), it becomes critical to assess their fit for a specific target task a priori - as fine-tuning the entire space of available LMs is computationally prohibitive and unsustainable. However, encoder transferability estimation has received little to no attention in NLP. In this paper, we propose to generate quantitative evidence to predict which LM, out of a pool of models, will perform best on a target task without having to fine-tune all candidates. We provide a comprehensive study on LM ranking for 10 NLP tasks spanning the two fundamental problem types of classification and structured prediction. We adopt the state-of-the-art Logarithm of Maximum Evidence (LogME) measure from Computer Vision (CV) and find that it positively correlates with final LM performance in 94% of the setups. In the first study of its kind, we further compare transferability measures with the de facto standard of human practitioner ranking, finding that evidence from quantitative metrics is more robust than pure intuition and can help identify unexpected LM candidates.

Title: Deep Learning-Derived Optimal Aviation Strategies to Control Pandemics. (arXiv:2210.10888v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10888
• Code URL: null
• Copy Paste: [[2210.10888] Deep Learning-Derived Optimal Aviation Strategies to Control Pandemics](http://arxiv.org/abs/2210.10888)
• Summary:

  The COVID-19 pandemic has affected countries across the world, demanding drastic public health policies to mitigate the spread of infection, leading to economic crisis as a collateral damage. In this work, we investigated the impact of human mobility (described via international commercial flights) on COVID-19 infection dynamics at the global scale. For this, we developed a graph neural network-based framework referred to as Dynamic Connectivity GraphSAGE (DCSAGE), which operates over spatiotemporal graphs and is well-suited for dynamically changing adjacency information. To obtain insights on the relative impact of different geographical locations, due to their associated air traffic, on the evolution of the pandemic, we conducted local sensitivity analysis on our model through node perturbation experiments. From our analyses, we identified Western Europe, North America, and Middle East as the leading geographical locations fueling the pandemic, attributed to the enormity of air traffic originating or transiting through these regions. We used these observations to identify tangible air traffic reduction strategies that can have a high impact on controlling the pandemic, with minimal interference to human mobility. Our work provides a robust deep learning-based tool to study global pandemics and is of key relevance to policy makers to take informed decisions regarding air traffic restrictions during future outbreaks.

Title: Safe Policy Improvement in Constrained Markov Decision Processes. (arXiv:2210.11259v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11259
• Code URL: null
• Copy Paste: [[2210.11259] Safe Policy Improvement in Constrained Markov Decision Processes](http://arxiv.org/abs/2210.11259)
• Summary:

  The automatic synthesis of a policy through reinforcement learning (RL) from a given set of formal requirements depends on the construction of a reward signal and consists of the iterative application of many policy-improvement steps. The synthesis algorithm has to balance target, safety, and comfort requirements in a single objective and to guarantee that the policy improvement does not increase the number of safety-requirements violations, especially for safety-critical applications. In this work, we present a solution to the synthesis problem by solving its two main challenges: reward-shaping from a set of formal requirements and safe policy update. For the former, we propose an automatic reward-shaping procedure, defining a scalar reward signal compliant with the task specification. For the latter, we introduce an algorithm ensuring that the policy is improved in a safe fashion with high-confidence guarantees. We also discuss the adoption of a model-based RL algorithm to efficiently use the collected data and train a model-free agent on the predicted trajectories, where the safety violation does not have the same impact as in the real world. Finally, we demonstrate in standard control benchmarks that the resulting learning procedure is effective and robust even under heavy perturbations of the hyperparameters.

Title: Analyzing the Robustness of Decentralized Horizontal and Vertical Federated Learning Architectures in a Non-IID Scenario. (arXiv:2210.11061v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11061
• Code URL: null
• Copy Paste: [[2210.11061] Analyzing the Robustness of Decentralized Horizontal and Vertical Federated Learning Architectures in a Non-IID Scenario](http://arxiv.org/abs/2210.11061)
• Summary:

  Federated learning (FL) allows participants to collaboratively train machine and deep learning models while protecting data privacy. However, the FL paradigm still presents drawbacks affecting its trustworthiness since malicious participants could launch adversarial attacks against the training process. Related work has studied the robustness of horizontal FL scenarios under different attacks. However, there is a lack of work evaluating the robustness of decentralized vertical FL and comparing it with horizontal FL architectures affected by adversarial attacks. Thus, this work proposes three decentralized FL architectures, one for horizontal and two for vertical scenarios, namely HoriChain, VertiChain, and VertiComb. These architectures present different neural networks and training protocols suitable for horizontal and vertical scenarios. Then, a decentralized, privacy-preserving, and federated use case with non-IID data to classify handwritten digits is deployed to evaluate the performance of the three architectures. Finally, a set of experiments computes and compares the robustness of the proposed architectures when they are affected by different data poisoning based on image watermarks and gradient poisoning adversarial attacks. The experiments show that even though particular configurations of both attacks can destroy the classification performance of the architectures, HoriChain is the most robust one.

Title: Robust Imitation via Mirror Descent Inverse Reinforcement Learning. (arXiv:2210.11201v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11201
• Code URL: null
• Copy Paste: [[2210.11201] Robust Imitation via Mirror Descent Inverse Reinforcement Learning](http://arxiv.org/abs/2210.11201)
• Summary:

  Recently, adversarial imitation learning has shown a scalable reward acquisition method for inverse reinforcement learning (IRL) problems. However, estimated reward signals often become uncertain and fail to train a reliable statistical model since the existing methods tend to solve hard optimization problems directly. Inspired by a first-order optimization method called mirror descent, this paper proposes to predict a sequence of reward functions, which are iterative solutions for a constrained convex problem. IRL solutions derived by mirror descent are tolerant to the uncertainty incurred by target density estimation since the amount of reward learning is regulated with respect to local geometric constraints. We prove that the proposed mirror descent update rule ensures robust minimization of a Bregman divergence in terms of a rigorous regret bound of $\mathcal{O}(1/T)$ for step sizes ${\eta_t}_{t=1}^{T}$. Our IRL method was applied on top of an adversarial framework, and it outperformed existing adversarial methods in an extensive suite of benchmarks.

Title: Solving Reasoning Tasks with a Slot Transformer. (arXiv:2210.11394v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11394
• Code URL: null
• Copy Paste: [[2210.11394] Solving Reasoning Tasks with a Slot Transformer](http://arxiv.org/abs/2210.11394)
• Summary:

  The ability to carve the world into useful abstractions in order to reason about time and space is a crucial component of intelligence. In order to successfully perceive and act effectively using senses we must parse and compress large amounts of information for further downstream reasoning to take place, allowing increasingly complex concepts to emerge. If there is any hope to scale representation learning methods to work with real world scenes and temporal dynamics then there must be a way to learn accurate, concise, and composable abstractions across time. We present the Slot Transformer, an architecture that leverages slot attention, transformers and iterative variational inference on video scene data to infer such representations. We evaluate the Slot Transformer on CLEVRER, Kinetics-600 and CATER datesets and demonstrate that the approach allows us to develop robust modeling and reasoning around complex behaviours as well as scores on these datasets that compare favourably to existing baselines. Finally we evaluate the effectiveness of key components of the architecture, the model's representational capacity and its ability to predict from incomplete input.

Title: Learning and Retrieval from Prior Data for Skill-based Imitation Learning. (arXiv:2210.11435v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11435
• Code URL: null
• Copy Paste: [[2210.11435] Learning and Retrieval from Prior Data for Skill-based Imitation Learning](http://arxiv.org/abs/2210.11435)
• Summary:

  Imitation learning offers a promising path for robots to learn general-purpose behaviors, but traditionally has exhibited limited scalability due to high data supervision requirements and brittle generalization. Inspired by recent advances in multi-task imitation learning, we investigate the use of prior data from previous tasks to facilitate learning novel tasks in a robust, data-efficient manner. To make effective use of the prior data, the robot must internalize knowledge from past experiences and contextualize this knowledge in novel tasks. To that end, we develop a skill-based imitation learning framework that extracts temporally extended sensorimotor skills from prior data and subsequently learns a policy for the target task that invokes these learned skills. We identify several key design choices that significantly improve performance on novel tasks, namely representation learning objectives to enable more predictable skill representations and a retrieval-based data augmentation mechanism to increase the scope of supervision for policy training. On a collection of simulated and real-world manipulation domains, we demonstrate that our method significantly outperforms existing imitation learning and offline reinforcement learning approaches. Videos and code are available at https://ut-austin-rpl.github.io/sailor

biometric

steal

extraction

Title: DeepRING: Learning Roto-translation Invariant Representation for LiDAR based Place Recognition. (arXiv:2210.11029v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11029
• Code URL: null
• Copy Paste: [[2210.11029] DeepRING: Learning Roto-translation Invariant Representation for LiDAR based Place Recognition](http://arxiv.org/abs/2210.11029)
• Summary:

  LiDAR based place recognition is popular for loop closure detection and re-localization. In recent years, deep learning brings improvements to place recognition by learnable feature extraction. However, these methods degenerate when the robot re-visits previous places with large perspective difference. To address the challenge, we propose DeepRING to learn the roto-translation invariant representation from LiDAR scan, so that robot visits the same place with different perspective can have similar representations. There are two keys in DeepRING: the feature is extracted from sinogram, and the feature is aggregated by magnitude spectrum. The two steps keeps the final representation with both discrimination and roto-translation invariance. Moreover, we state the place recognition as a one-shot learning problem with each place being a class, leveraging relation learning to build representation similarity. Substantial experiments are carried out on public datasets, validating the effectiveness of each proposed component, and showing that DeepRING outperforms the comparative methods, especially in dataset level generalization.

Title: Frequency of Interest-based Noise Attenuation Method to Improve Anomaly Detection Performance. (arXiv:2210.11068v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11068
• Code URL: null
• Copy Paste: [[2210.11068] Frequency of Interest-based Noise Attenuation Method to Improve Anomaly Detection Performance](http://arxiv.org/abs/2210.11068)
• Summary:

  Accurately extracting driving events is the way to maximize computational efficiency and anomaly detection performance in the tire frictional nose-based anomaly detection task. This study proposes a concise and highly useful method for improving the precision of the event extraction that is hindered by extra noise such as wind noise, which is difficult to characterize clearly due to its randomness. The core of the proposed method is based on the identification of the road friction sound corresponding to the frequency of interest and removing the opposite characteristics with several frequency filters. Our method enables precision maximization of driving event extraction while improving anomaly detection performance by an average of 8.506%. Therefore, we conclude our method is a practical solution suitable for road surface anomaly detection purposes in outdoor edge computing environments.

Title: Facial Expression Video Generation Based-On Spatio-temporal Convolutional GAN: FEV-GAN. (arXiv:2210.11182v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11182
• Code URL: null
• Copy Paste: [[2210.11182] Facial Expression Video Generation Based-On Spatio-temporal Convolutional GAN: FEV-GAN](http://arxiv.org/abs/2210.11182)
• Summary:

  Facial expression generation has always been an intriguing task for scientists and researchers all over the globe. In this context, we present our novel approach for generating videos of the six basic facial expressions. Starting from a single neutral facial image and a label indicating the desired facial expression, we aim to synthesize a video of the given identity performing the specified facial expression. Our approach, referred to as FEV-GAN (Facial Expression Video GAN), is based on Spatio-temporal Convolutional GANs, that are known to model both content and motion in the same network. Previous methods based on such a network have shown a good ability to generate coherent videos with smooth temporal evolution. However, they still suffer from low image quality and low identity preservation capability. In this work, we address this problem by using a generator composed of two image encoders. The first one is pre-trained for facial identity feature extraction and the second for spatial feature extraction. We have qualitatively and quantitatively evaluated our model on two international facial expression benchmark databases: MUG and Oulu-CASIA NIR&VIS. The experimental results analysis demonstrates the effectiveness of our approach in generating videos of the six basic facial expressions while preserving the input identity. The analysis also proves that the use of both identity and spatial features enhances the decoder ability to better preserve the identity and generate high-quality videos. The code and the pre-trained model will soon be made publicly available.

Title: Knowledge Graph Enhanced Relation Extraction Datasets. (arXiv:2210.11231v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11231
• Code URL: null
• Copy Paste: [[2210.11231] Knowledge Graph Enhanced Relation Extraction Datasets](http://arxiv.org/abs/2210.11231)
• Summary:

  Knowledge-enhanced methods that take advantage of auxiliary knowledge graphs recently emerged in relation extraction, and they surpass traditional text-based relation extraction methods. However, there are no unified public benchmarks that currently involve evidence sentences and knowledge graphs for knowledge-enhanced relation extraction. To combat these issues, we propose KGRED, a knowledge graph enhanced relation extraction dataset with features as follows: (1) the benchmarks are based on widely-used distantly supervised relation extraction datasets; (2) we refine these existing datasets to improve the data quality, and we also construct auxiliary knowledge graphs for these existing datasets through entity linking to support knowledge-enhanced relation extraction tasks; (3) with the new benchmarks we curated, we build baselines in two popular relation extraction settings including sentence-level and bag-level relation extraction, and we also make comparisons among the latest knowledge-enhanced relation extraction methods. KGRED provides high-quality relation extraction datasets with auxiliary knowledge graphs for evaluating the performance of knowledge-enhanced relation extraction methods. Meanwhile, our experiments on KGRED reveal the influence of knowledge graph information on relation extraction tasks.

membership infer

federate

Title: Vertical Federated Linear Contextual Bandits. (arXiv:2210.11050v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.11050
• Code URL: null
• Copy Paste: [[2210.11050] Vertical Federated Linear Contextual Bandits](http://arxiv.org/abs/2210.11050)
• Summary:

  In this paper, we investigate a novel problem of building contextual bandits in the vertical federated setting, i.e., contextual information is vertically distributed over different departments. This problem remains largely unexplored in the research community. To this end, we carefully design a customized encryption scheme named orthogonal matrix-based mask mechanism(O3M) for encrypting local contextual information while avoiding expensive conventional cryptographic techniques. We further apply the mechanism to two commonly-used bandit algorithms, LinUCB and LinTS, and instantiate two practical protocols for online recommendation under the vertical federated setting. The proposed protocols can perfectly recover the service quality of centralized bandit algorithms while achieving a satisfactory runtime efficiency, which is theoretically proved and analyzed in this paper. By conducting extensive experiments on both synthetic and real-world datasets, we show the superiority of the proposed method in terms of privacy protection and recommendation performance.

fair

interpretability

Title: i-MAE: Are Latent Representations in Masked Autoencoders Linearly Separable?. (arXiv:2210.11470v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.11470
• Code URL: https://github.com/vision-learning-acceleration-lab/i-mae
• Copy Paste: [[2210.11470] i-MAE: Are Latent Representations in Masked Autoencoders Linearly Separable?](http://arxiv.org/abs/2210.11470)
• Summary:

  Masked image modeling (MIM) has been recognized as a strong and popular self-supervised pre-training approach in the vision domain. However, the interpretability of the mechanism and properties of the learned representations by such a scheme are so far not well-explored. In this work, through comprehensive experiments and empirical studies on Masked Autoencoders (MAE), we address two critical questions to explore the behaviors of the learned representations: (i) Are the latent representations in Masked Autoencoders linearly separable if the input is a mixture of two images instead of one? This can be concrete evidence used to explain why MAE-learned representations have superior performance on downstream tasks, as proven by many literature impressively. (ii) What is the degree of semantics encoded in the latent feature space by Masked Autoencoders? To explore these two problems, we propose a simple yet effective Interpretable MAE (i-MAE) framework with a two-way image reconstruction and a latent feature reconstruction with distillation loss to help us understand the behaviors inside MAE's structure. Extensive experiments are conducted on CIFAR-10/100, Tiny-ImageNet and ImageNet-1K datasets to verify the observations we discovered. Furthermore, in addition to qualitatively analyzing the characteristics of the latent representations, we examine the existence of linear separability and the degree of semantics in the latent space by proposing two novel metrics. The surprising and consistent results across the qualitative and quantitative experiments demonstrate that i-MAE is a superior framework design for interpretability research of MAE frameworks, as well as achieving better representational ability. Code is available at https://github.com/vision-learning-acceleration-lab/i-mae.

Title: Black Box Model Explanations and the Human Interpretability Expectations -- An Analysis in the Context of Homicide Prediction. (arXiv:2210.10849v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10849
• Code URL: null
• Copy Paste: [[2210.10849] Black Box Model Explanations and the Human Interpretability Expectations -- An Analysis in the Context of Homicide Prediction](http://arxiv.org/abs/2210.10849)
• Summary:

  Strategies based on Explainable Artificial Intelligence - XAI have promoted better human interpretability of the results of black box machine learning models. The XAI measures being currently used (Ciu, Dalex, Eli5, Lofo, Shap, and Skater) provide various forms of explanations, including global rankings of relevance of attributes. Current research points to the need for further studies on how these explanations meet the Interpretability Expectations of human experts and how they can be used to make the model even more transparent while taking into account specific complexities of the model and dataset being analyzed, as well as important human factors of sensitive real-world contexts/problems. Intending to shed light on the explanations generated by XAI measures and their interpretabilities, this research addresses a real-world classification problem related to homicide prediction, duly endorsed by the scientific community, replicated its proposed black box model and used 6 different XAI measures to generate explanations and 6 different human experts to generate what this research referred to as Interpretability Expectations - IE. The results were computed by means of comparative analysis and identification of relationships among all the attribute ranks produced, and ~49% concordance was found among attributes indicated by means of XAI measures and human experts, ~41% exclusively by XAI measures and ~10% exclusively by human experts. The results allow for answering: "Do the different XAI measures generate similar explanations for the proposed problem?", "Are the interpretability expectations generated among different human experts similar?", "Do the explanations generated by XAI measures meet the interpretability expectations of human experts?" and "Can Interpretability Explanations and Expectations work together?", all of which concerning the context of homicide prediction.

Title: Causally-guided Regularization of Graph Attention Improves Generalizability. (arXiv:2210.10946v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10946
• Code URL: null
• Copy Paste: [[2210.10946] Causally-guided Regularization of Graph Attention Improves Generalizability](http://arxiv.org/abs/2210.10946)
• Summary:

  However, the inferred attentions are vulnerable to spurious correlations and connectivity in the training data, hampering the generalizability of the model. We introduce CAR, a general-purpose regularization framework for graph attention networks. Embodying a causal inference approach, \methodname aligns the attention mechanism with the causal effects of active interventions on graph connectivity in a scalable manner. CAR is compatible with a variety of graph attention architectures, and we show that it systematically improves generalizability on various node classification tasks. Our ablation studies indicate that \methodname hones in on the aspects of graph structure most pertinent to the prediction (e.g., homophily), and does so more effectively than alternative approaches. Finally, we also show that CAR enhances interpretability of attention weights by accentuating node-neighbor relations that point to causal hypotheses. For social media network-sized graphs, a CAR-guided graph rewiring approach could allow us to combine the scalability of graph convolutional methods with the higher performance of graph attention.

Title: Uncertainty Disentanglement with Non-stationary Heteroscedastic Gaussian Processes for Active Learning. (arXiv:2210.10964v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.10964
• Code URL: null
• Copy Paste: [[2210.10964] Uncertainty Disentanglement with Non-stationary Heteroscedastic Gaussian Processes for Active Learning](http://arxiv.org/abs/2210.10964)
• Summary:

  Gaussian processes are Bayesian non-parametric models used in many areas. In this work, we propose a Non-stationary Heteroscedastic Gaussian process model which can be learned with gradient-based techniques. We demonstrate the interpretability of the proposed model by separating the overall uncertainty into aleatoric (irreducible) and epistemic (model) uncertainty. We illustrate the usability of derived epistemic uncertainty on active learning problems. We demonstrate the efficacy of our model with various ablations on multiple datasets.

exlainability

watermark