secure

Title: EIPSIM: Modeling Secure IP Address Allocation at Cloud Scale. (arXiv:2210.14999v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.14999
• Code URL: null
• Copy Paste: [[2210.14999] EIPSIM: Modeling Secure IP Address Allocation at Cloud Scale](http://arxiv.org/abs/2210.14999)
• Summary:

  Public clouds provide impressive capability through resource sharing. However, recent works have shown that the reuse of IP addresses can allow adversaries to exploit the latent configurations left by previous tenants. In this work, we perform a comprehensive analysis of the effect of cloud IP address allocation on exploitation of latent configuration. We first develop a statistical model of cloud tenant behavior and latent configuration based on literature and deployed systems. Through these, we analyze IP allocation policies under existing and novel threat models. Our resulting framework, EIPSim, simulates our models in representative public cloud scenarios, evaluating adversarial objectives against pool policies. In response to our stronger proposed threat model, we also propose IP scan segmentation, an IP allocation policy that protects the IP pool against adversarial scanning even when an adversary is not limited by number of cloud tenants. Our evaluation shows that IP scan segmentation reduces latent configuration exploitability by 97.1% compared to policies proposed in literature and 99.8% compared to those currently deployed by cloud providers. Finally, we evaluate our statistical assumptions by analyzing real allocation and configuration data, showing that results generalize to deployed cloud workloads. In this way, we show that principled analysis of cloud IP address allocation can lead to substantial security gains for tenants and their users.

Title: Partially Oblivious Neural Network Inference. (arXiv:2210.15189v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15189
• Code URL: null
• Copy Paste: [[2210.15189] Partially Oblivious Neural Network Inference](http://arxiv.org/abs/2210.15189)
• Summary:

  Oblivious inference is the task of outsourcing a ML model, like neural-networks, without disclosing critical and sensitive information, like the model's parameters. One of the most prominent solutions for secure oblivious inference is based on a powerful cryptographic tools, like Homomorphic Encryption (HE) and/or multi-party computation (MPC). Even though the implementation of oblivious inference systems schemes has impressively improved the last decade, there are still significant limitations on the ML models that they can practically implement. Especially when both the ML model and the input data's confidentiality must be protected. In this paper, we introduce the notion of partially oblivious inference. We empirically show that for neural network models, like CNNs, some information leakage can be acceptable. We therefore propose a novel trade-off between security and efficiency. In our research, we investigate the impact on security and inference runtime performance from the CNN model's weights partial leakage. We experimentally demonstrate that in a CIFAR-10 network we can leak up to $80\%$ of the model's weights with practically no security impact, while the necessary HE-mutliplications are performed four times faster.

security

Title: Rethinking the Reverse-engineering of Trojan Triggers. (arXiv:2210.15127v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15127
• Code URL: https://github.com/ru-system-software-and-security/featurere
• Copy Paste: [[2210.15127] Rethinking the Reverse-engineering of Trojan Triggers](http://arxiv.org/abs/2210.15127)
• Summary:

  Deep Neural Networks are vulnerable to Trojan (or backdoor) attacks. Reverse-engineering methods can reconstruct the trigger and thus identify affected models. Existing reverse-engineering methods only consider input space constraints, e.g., trigger size in the input space. Expressly, they assume the triggers are static patterns in the input space and fail to detect models with feature space triggers such as image style transformations. We observe that both input-space and feature-space Trojans are associated with feature space hyperplanes. Based on this observation, we design a novel reverse-engineering method that exploits the feature space constraint to reverse-engineer Trojan triggers. Results on four datasets and seven different attacks demonstrate that our solution effectively defends both input-space and feature-space Trojans. It outperforms state-of-the-art reverse-engineering methods and other types of defenses in both Trojaned model detection and mitigation tasks. On average, the detection accuracy of our method is 93\%. For Trojan mitigation, our method can reduce the ASR (attack success rate) to only 0.26\% with the BA (benign accuracy) remaining nearly unchanged. Our code can be found at https://github.com/RU-System-Software-and-Security/FeatureRE.

Title: On the Role of Risk Perceptions in Cyber Insurance Contracts. (arXiv:2210.15010v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15010
• Code URL: null
• Copy Paste: [[2210.15010] On the Role of Risk Perceptions in Cyber Insurance Contracts](http://arxiv.org/abs/2210.15010)
• Summary:

  Risk perceptions are essential in cyber insurance contracts. With the recent surge of information, human risk perceptions are exposed to the influences from both beneficial knowledge and fake news. In this paper, we study the role of the risk perceptions of the insurer and the user in cyber insurance contracts. We formulate the cyber insurance problem into a principal-agent problem where the insurer designs the contract containing a premium payment and a coverage plan. The risk perceptions of the insurer and the user are captured by coherent risk measures. Our framework extends the cyber insurance problem containing a risk-neutral insurer and a possibly risk-averse user, which is often considered in the literature. The explicit characterizations of both the insurer's and the user's risk perceptions allow us to show that cyber insurance has the potential to incentivize the user to invest more on system protection. This possibility to increase cyber security relies on the facts that the insurer is more risk-averse than the user (in a minimization setting) and that the insurer's risk perception is more sensitive to the changes in the user's actions than the user himself. We investigate the properties of feasible contracts in a case study on the insurance of a computer system against ransomware.

Title: Accountable Safety for Rollups. (arXiv:2210.15017v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15017
• Code URL: null
• Copy Paste: [[2210.15017] Accountable Safety for Rollups](http://arxiv.org/abs/2210.15017)
• Summary:

  Accountability, the ability to provably identify protocol violators, gained prominence as the main economic argument for the security of proof-of-stake (PoS) protocols. Rollups, the most popular scaling solution for blockchains, typically use PoS protocols as their parent chain. We define accountability for rollups, and present an attack that shows the absence of accountability on existing designs. We provide an accountable rollup design and prove its security, both for the traditional `enshrined' rollups and for sovereign rollups, an emergent alternative built on lazy blockchains, tasked only with ordering and availability of the rollup data.

Title: A Unified Blockchain-Semantic Framework for Wireless Edge Intelligence Enabled Web 3.0. (arXiv:2210.15130v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15130
• Code URL: null
• Copy Paste: [[2210.15130] A Unified Blockchain-Semantic Framework for Wireless Edge Intelligence Enabled Web 3](http://arxiv.org/abs/2210.15130)
• Summary:

  Web 3.0 enables user-generated contents and user-selected authorities. With decentralized wireless edge computing architectures, Web 3.0 allows users to read, write, and own contents. A core technology that enables Web 3.0 goals is blockchain, which provides security services by recording content in a decentralized and transparent manner. However, the explosion of on-chain recorded contents and the fast-growing number of users cause increasingly unaffordable computing and storage resource consumption. A promising paradigm is to analyze the semantic information of contents that can convey precisely the desired meanings without consuming many resources. In this article, we propose a unified blockchain-semantic ecosystems framework for wireless edge intelligence-enabled Web 3.0. Our framework consists of six key components to exchange semantic demands. We then introduce an Oracle-based proof of semantic mechanism to implement on-chain and off-chain interactions of Web 3.0 ecosystems on semantic verification algorithms while maintaining service security. An adaptive Deep Reinforcement Learning-based sharding mechanism on Oracle is designed to improve interaction efficiency, which can facilitate Web 3.0 ecosystems to deal with varied semantic demands. Finally, a case study is presented to show that the proposed framework can dynamically adjust Oracle settings according to varied semantic demands.

privacy

Title: EW-Tune: A Framework for Privately Fine-Tuning Large Language Models with Differential Privacy. (arXiv:2210.15042v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15042
• Code URL: null
• Copy Paste: [[2210.15042] EW-Tune: A Framework for Privately Fine-Tuning Large Language Models with Differential Privacy](http://arxiv.org/abs/2210.15042)
• Summary:

  Pre-trained Large Language Models (LLMs) are an integral part of modern AI that have led to breakthrough performances in complex AI tasks. Major AI companies with expensive infrastructures are able to develop and train these large models with billions and millions of parameters from scratch. Third parties, researchers, and practitioners are increasingly adopting these pre-trained models and fine-tuning them on their private data to accomplish their downstream AI tasks. However, it has been shown that an adversary can extract/reconstruct the exact training samples from these LLMs, which can lead to revealing personally identifiable information. The issue has raised deep concerns about the privacy of LLMs. Differential privacy (DP) provides a rigorous framework that allows adding noise in the process of training or fine-tuning LLMs such that extracting the training data becomes infeasible (i.e., with a cryptographically small success probability). While the theoretical privacy guarantees offered in most extant studies assume learning models from scratch through many training iterations in an asymptotic setting, this assumption does not hold in fine-tuning scenarios in which the number of training iterations is significantly smaller. To address the gap, we present \ewtune, a DP framework for fine-tuning LLMs based on Edgeworth accountant with finite-sample privacy guarantees. Our results across four well-established natural language understanding (NLU) tasks show that while \ewtune~adds privacy guarantees to LLM fine-tuning process, it directly contributes to decreasing the induced noise to up to 5.6\% and improves the state-of-the-art LLMs performance by up to 1.1\% across all NLU tasks. We have open-sourced our implementations for wide adoption and public testing purposes.

Title: TraVaS: Differentially Private Trace Variant Selection for Process Mining. (arXiv:2210.14951v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.14951
• Code URL: null
• Copy Paste: [[2210.14951] TraVaS: Differentially Private Trace Variant Selection for Process Mining](http://arxiv.org/abs/2210.14951)
• Summary:

  In the area of industrial process mining, privacy-preserving event data publication is becoming increasingly relevant. Consequently, the trade-off between high data utility and quantifiable privacy poses new challenges. State-of-the-art research mainly focuses on differentially private trace variant construction based on prefix expansion methods. However, these algorithms face several practical limitations such as high computational complexity, introducing fake variants, removing frequent variants, and a bounded variant length. In this paper, we introduce a new approach for direct differentially private trace variant release which uses anonymized \textit{partition selection} strategies to overcome the aforementioned restraints. Experimental results on real-life event data show that our algorithm outperforms state-of-the-art methods in terms of both plain data utility and result utility preservation.

Title: Annotating Privacy Policies in the Sharing Economy. (arXiv:2210.14993v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.14993
• Code URL: null
• Copy Paste: [[2210.14993] Annotating Privacy Policies in the Sharing Economy](http://arxiv.org/abs/2210.14993)
• Summary:

  Applications (apps) of the Digital Sharing Economy (DSE), such as Uber, Airbnb, and TaskRabbit, have become a main enabler of economic growth and shared prosperity in modern-day societies. However, the complex exchange of goods, services, and data that takes place over these apps frequently puts their end-users' privacy at risk. Privacy policies of DSE apps are provided to disclose how private user data is being collected and handled. However, in reality, such policies are verbose and difficult to understand, leaving DSE users vulnerable to privacy intrusive practices. To address these concerns, in this paper, we propose an automated approach for annotating privacy policies in the DSE market. Our approach identifies data collection claims in these policies and maps them to the quality features of their apps. Visual and textual annotations are then used to further explain and justify these claims. The proposed approach is evaluated with 18 DSE app users. The results show that annotating privacy policies can significantly enhance their comprehensibility to the average DSE user. Our findings are intended to help DSE app developers to draft more comprehensible privacy policies as well as help their end-users to make more informed decisions in one of the fastest growing software ecosystems in the world.

Title: Local Graph-homomorphic Processing for Privatized Distributed Systems. (arXiv:2210.15414v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15414
• Code URL: null
• Copy Paste: [[2210.15414] Local Graph-homomorphic Processing for Privatized Distributed Systems](http://arxiv.org/abs/2210.15414)
• Summary:

  We study the generation of dependent random numbers in a distributed fashion in order to enable privatized distributed learning by networked agents. We propose a method that we refer to as local graph-homomorphic processing; it relies on the construction of particular noises over the edges to ensure a certain level of differential privacy. We show that the added noise does not affect the performance of the learned model. This is a significant improvement to previous works on differential privacy for distributed algorithms, where the noise was added in a less structured manner without respecting the graph topology and has often led to performance deterioration. We illustrate the theoretical results by considering a linear regression problem over a network of agents.

Title: Learning Location from Shared Elevation Profiles in Fitness Apps: A Privacy Perspective. (arXiv:2210.15529v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15529
• Code URL: null
• Copy Paste: [[2210.15529] Learning Location from Shared Elevation Profiles in Fitness Apps: A Privacy Perspective](http://arxiv.org/abs/2210.15529)
• Summary:

  The extensive use of smartphones and wearable devices has facilitated many useful applications. For example, with Global Positioning System (GPS)-equipped smart and wearable devices, many applications can gather, process, and share rich metadata, such as geolocation, trajectories, elevation, and time. For example, fitness applications, such as Runkeeper and Strava, utilize the information for activity tracking and have recently witnessed a boom in popularity. Those fitness tracker applications have their own web platforms and allow users to share activities on such platforms or even with other social network platforms. To preserve the privacy of users while allowing sharing, several of those platforms may allow users to disclose partial information, such as the elevation profile for an activity, which supposedly would not leak the location of the users. In this work, and as a cautionary tale, we create a proof of concept where we examine the extent to which elevation profiles can be used to predict the location of users. To tackle this problem, we devise three plausible threat settings under which the city or borough of the targets can be predicted. Those threat settings define the amount of information available to the adversary to launch the prediction attacks. Establishing that simple features of elevation profiles, e.g., spectral features, are insufficient, we devise both natural language processing (NLP)-inspired text-like representation and computer vision-inspired image-like representation of elevation profiles, and we convert the problem at hand into text and image classification problem. We use both traditional machine learning- and deep learning-based techniques and achieve a prediction success rate ranging from 59.59\% to 99.80\%. The findings are alarming, highlighting that sharing elevation information may have significant location privacy risks.

Title: Private and Reliable Neural Network Inference. (arXiv:2210.15614v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15614
• Code URL: null
• Copy Paste: [[2210.15614] Private and Reliable Neural Network Inference](http://arxiv.org/abs/2210.15614)
• Summary:

  Reliable neural networks (NNs) provide important inference-time reliability guarantees such as fairness and robustness. Complementarily, privacy-preserving NN inference protects the privacy of client data. So far these two emerging areas have been largely disconnected, yet their combination will be increasingly important. In this work, we present the first system which enables privacy-preserving inference on reliable NNs. Our key idea is to design efficient fully homomorphic encryption (FHE) counterparts for the core algorithmic building blocks of randomized smoothing, a state-of-the-art technique for obtaining reliable models. The lack of required control flow in FHE makes this a demanding task, as na\"ive solutions lead to unacceptable runtime. We employ these building blocks to enable privacy-preserving NN inference with robustness and fairness guarantees in a system called Phoenix. Experimentally, we demonstrate that Phoenix achieves its goals without incurring prohibitive latencies. To our knowledge, this is the first work which bridges the areas of client data privacy and reliability guarantees for NNs.

protect

defense

Title: Efficient and Effective Augmentation Strategy for Adversarial Training. (arXiv:2210.15318v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15318
• Code URL: https://github.com/val-iisc/dajat
• Copy Paste: [[2210.15318] Efficient and Effective Augmentation Strategy for Adversarial Training](http://arxiv.org/abs/2210.15318)
• Summary:

  Adversarial training of Deep Neural Networks is known to be significantly more data-hungry when compared to standard training. Furthermore, complex data augmentations such as AutoAugment, which have led to substantial gains in standard training of image classifiers, have not been successful with Adversarial Training. We first explain this contrasting behavior by viewing augmentation during training as a problem of domain generalization, and further propose Diverse Augmentation-based Joint Adversarial Training (DAJAT) to use data augmentations effectively in adversarial training. We aim to handle the conflicting goals of enhancing the diversity of the training dataset and training with data that is close to the test distribution by using a combination of simple and complex augmentations with separate batch normalization layers during training. We further utilize the popular Jensen-Shannon divergence loss to encourage the joint learning of the diverse augmentations, thereby allowing simple augmentations to guide the learning of complex ones. Lastly, to improve the computational efficiency of the proposed method, we propose and utilize a two-step defense, Ascending Constraint Adversarial Training (ACAT), that uses an increasing epsilon schedule and weight-space smoothing to prevent gradient masking. The proposed method DAJAT achieves substantially better robustness-accuracy trade-off when compared to existing methods on the RobustBench Leaderboard on ResNet-18 and WideResNet-34-10. The code for implementing DAJAT is available here: https://github.com/val-iisc/DAJAT.

Title: Multi-view Representation Learning from Malware to Defend Against Adversarial Variants. (arXiv:2210.15429v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15429
• Code URL: null
• Copy Paste: [[2210.15429] Multi-view Representation Learning from Malware to Defend Against Adversarial Variants](http://arxiv.org/abs/2210.15429)
• Summary:

  Deep learning-based adversarial malware detectors have yielded promising results in detecting never-before-seen malware executables without relying on expensive dynamic behavior analysis and sandbox. Despite their abilities, these detectors have been shown to be vulnerable to adversarial malware variants - meticulously modified, functionality-preserving versions of original malware executables generated by machine learning. Due to the nature of these adversarial modifications, these adversarial methods often use a \textit{single view} of malware executables (i.e., the binary/hexadecimal view) to generate adversarial malware variants. This provides an opportunity for the defenders (i.e., malware detectors) to detect the adversarial variants by utilizing more than one view of a malware file (e.g., source code view in addition to the binary view). The rationale behind this idea is that while the adversary focuses on the binary view, certain characteristics of the malware file in the source code view remain untouched which leads to the detection of the adversarial malware variants. To capitalize on this opportunity, we propose Adversarially Robust Multiview Malware Defense (ARMD), a novel multi-view learning framework to improve the robustness of DL-based malware detectors against adversarial variants. Our experiments on three renowned open-source deep learning-based malware detectors across six common malware categories show that ARMD is able to improve the adversarial robustness by up to seven times on these malware detectors.

attack

Title: Isometric 3D Adversarial Examples in the Physical World. (arXiv:2210.15291v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15291
• Code URL: null
• Copy Paste: [[2210.15291] Isometric 3D Adversarial Examples in the Physical World](http://arxiv.org/abs/2210.15291)
• Summary:

  3D deep learning models are shown to be as vulnerable to adversarial examples as 2D models. However, existing attack methods are still far from stealthy and suffer from severe performance degradation in the physical world. Although 3D data is highly structured, it is difficult to bound the perturbations with simple metrics in the Euclidean space. In this paper, we propose a novel $\epsilon$-isometric ($\epsilon$-ISO) attack to generate natural and robust 3D adversarial examples in the physical world by considering the geometric properties of 3D objects and the invariance to physical transformations. For naturalness, we constrain the adversarial example to be $\epsilon$-isometric to the original one by adopting the Gaussian curvature as a surrogate metric guaranteed by a theoretical analysis. For invariance to physical transformations, we propose a maxima over transformation (MaxOT) method that actively searches for the most harmful transformations rather than random ones to make the generated adversarial example more robust in the physical world. Experiments on typical point cloud recognition models validate that our approach can significantly improve the attack success rate and naturalness of the generated 3D adversarial examples than the state-of-the-art attack methods.

Title: Fusion-based Few-Shot Morphing Attack Detection and Fingerprinting. (arXiv:2210.15510v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15510
• Code URL: https://github.com/nz0001na/mad_maf
• Copy Paste: [[2210.15510] Fusion-based Few-Shot Morphing Attack Detection and Fingerprinting](http://arxiv.org/abs/2210.15510)
• Summary:

  The vulnerability of face recognition systems to morphing attacks has posed a serious security threat due to the wide adoption of face biometrics in the real world. Most existing morphing attack detection (MAD) methods require a large amount of training data and have only been tested on a few predefined attack models. The lack of good generalization properties, especially in view of the growing interest in developing novel morphing attacks, is a critical limitation with existing MAD research. To address this issue, we propose to extend MAD from supervised learning to few-shot learning and from binary detection to multiclass fingerprinting in this paper. Our technical contributions include: 1) We propose a fusion-based few-shot learning (FSL) method to learn discriminative features that can generalize to unseen morphing attack types from predefined presentation attacks; 2) The proposed FSL based on the fusion of the PRNU model and Noiseprint network is extended from binary MAD to multiclass morphing attack fingerprinting (MAF). 3) We have collected a large-scale database, which contains five face datasets and eight different morphing algorithms, to benchmark the proposed few-shot MAF (FS-MAF) method. Extensive experimental results show the outstanding performance of our fusion-based FS-MAF. The code and data will be publicly available at https://github.com/nz0001na/mad maf.

Title: TASA: Deceiving Question Answering Models by Twin Answer Sentences Attack. (arXiv:2210.15221v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15221
• Code URL: https://github.com/caoyu-noob/tasa
• Copy Paste: [[2210.15221] TASA: Deceiving Question Answering Models by Twin Answer Sentences Attack](http://arxiv.org/abs/2210.15221)
• Summary:

  We present Twin Answer Sentences Attack (TASA), an adversarial attack method for question answering (QA) models that produces fluent and grammatical adversarial contexts while maintaining gold answers. Despite phenomenal progress on general adversarial attacks, few works have investigated the vulnerability and attack specifically for QA models. In this work, we first explore the biases in the existing models and discover that they mainly rely on keyword matching between the question and context, and ignore the relevant contextual relations for answer prediction. Based on two biases above, TASA attacks the target model in two folds: (1) lowering the model's confidence on the gold answer with a perturbed answer sentence; (2) misguiding the model towards a wrong answer with a distracting answer sentence. Equipped with designed beam search and filtering methods, TASA can generate more effective attacks than existing textual attack methods while sustaining the quality of contexts, in extensive experiments on five QA datasets and human evaluations.

Title: Detection and Prevention Against Poisoning Attacks in Federated Learning. (arXiv:2210.14944v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.14944
• Code URL: null
• Copy Paste: [[2210.14944] Detection and Prevention Against Poisoning Attacks in Federated Learning](http://arxiv.org/abs/2210.14944)
• Summary:

  This paper proposes and investigates a new approach for detecting and preventing several different types of poisoning attacks from affecting a centralized Federated Learning model via average accuracy deviation detection (AADD). By comparing each client's accuracy to all clients' average accuracy, AADD detect clients with an accuracy deviation. The implementation is further able to blacklist clients that are considered poisoned, securing the global model from being affected by the poisoned nodes. The proposed implementation shows promising results in detecting poisoned clients and preventing the global model's accuracy from deteriorating.

Title: LP-BFGS attack: An adversarial attack based on the Hessian with limited pixels. (arXiv:2210.15446v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15446
• Code URL: https://github.com/wowotou1998/LP-BFGS-attack
• Copy Paste: [[2210.15446] LP-BFGS attack: An adversarial attack based on the Hessian with limited pixels](http://arxiv.org/abs/2210.15446)
• Summary:

  Deep neural networks are vulnerable to adversarial attacks. Most white-box attacks are based on the gradient of models to the input. Since the computation and memory budget, adversarial attacks based on the Hessian information are not paid enough attention. In this work, we study the attack performance and computation cost of the attack method based on the Hessian with a limited perturbation pixel number. Specifically, we propose the Limited Pixel BFGS (LP-BFGS) attack method by incorporating the BFGS algorithm. Some pixels are selected as perturbation pixels by the Integrated Gradient algorithm, which are regarded as optimization variables of the LP-BFGS attack. Experimental results across different networks and datasets with various perturbation pixel numbers demonstrate our approach has a comparable attack with an acceptable computation compared with existing solutions.

robust

Title: Fast and Efficient Scene Categorization for Autonomous Driving using VAEs. (arXiv:2210.14981v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.14981
• Code URL: null
• Copy Paste: [[2210.14981] Fast and Efficient Scene Categorization for Autonomous Driving using VAEs](http://arxiv.org/abs/2210.14981)
• Summary:

  Scene categorization is a useful precursor task that provides prior knowledge for many advanced computer vision tasks with a broad range of applications in content-based image indexing and retrieval systems. Despite the success of data driven approaches in the field of computer vision such as object detection, semantic segmentation, etc., their application in learning high-level features for scene recognition has not achieved the same level of success. We propose to generate a fast and efficient intermediate interpretable generalized global descriptor that captures coarse features from the image and use a classification head to map the descriptors to 3 scene categories: Rural, Urban and Suburban. We train a Variational Autoencoder in an unsupervised manner and map images to a constrained multi-dimensional latent space and use the latent vectors as compact embeddings that serve as global descriptors for images. The experimental results evidence that the VAE latent vectors capture coarse information from the image, supporting their usage as global descriptors. The proposed global descriptor is very compact with an embedding length of 128, significantly faster to compute, and is robust to seasonal and illuminational changes, while capturing sufficient scene information required for scene categorization.

Title: Generalization Differences between End-to-End and Neuro-Symbolic Vision-Language Reasoning Systems. (arXiv:2210.15037v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15037
• Code URL: null
• Copy Paste: [[2210.15037] Generalization Differences between End-to-End and Neuro-Symbolic Vision-Language Reasoning Systems](http://arxiv.org/abs/2210.15037)
• Summary:

  For vision-and-language reasoning tasks, both fully connectionist, end-to-end methods and hybrid, neuro-symbolic methods have achieved high in-distribution performance. In which out-of-distribution settings does each paradigm excel? We investigate this question on both single-image and multi-image visual question-answering through four types of generalization tests: a novel segment-combine test for multi-image queries, contrast set, compositional generalization, and cross-benchmark transfer. Vision-and-language end-to-end trained systems exhibit sizeable performance drops across all these tests. Neuro-symbolic methods suffer even more on cross-benchmark transfer from GQA to VQA, but they show smaller accuracy drops on the other generalization tests and their performance quickly improves by few-shot training. Overall, our results demonstrate the complementary benefits of these two paradigms, and emphasize the importance of using a diverse suite of generalization tests to fully characterize model robustness to distribution shift.

Title: Improving Adversarial Robustness with Self-Paced Hard-Class Pair Reweighting. (arXiv:2210.15068v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15068
• Code URL: null
• Copy Paste: [[2210.15068] Improving Adversarial Robustness with Self-Paced Hard-Class Pair Reweighting](http://arxiv.org/abs/2210.15068)
• Summary:

  Deep Neural Networks are vulnerable to adversarial attacks. Among many defense strategies, adversarial training with untargeted attacks is one of the most recognized methods. Theoretically, the predicted labels of untargeted attacks should be unpredictable and uniformly-distributed overall false classes. However, we find that the naturally imbalanced inter-class semantic similarity makes those hard-class pairs to become the virtual targets of each other. This study investigates the impact of such closely-coupled classes on adversarial attacks and develops a self-paced reweighting strategy in adversarial training accordingly. Specifically, we propose to upweight hard-class pair loss in model optimization, which prompts learning discriminative features from hard classes. We further incorporate a term to quantify hard-class pair consistency in adversarial training, which greatly boost model robustness. Extensive experiments show that the proposed adversarial training method achieves superior robustness performance over state-of-the-art defenses against a wide range of adversarial attacks.

Title: MMFL-Net: Multi-scale and Multi-granularity Feature Learning for Cross-domain Fashion Retrieval. (arXiv:2210.15128v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15128
• Code URL: null
• Copy Paste: [[2210.15128] MMFL-Net: Multi-scale and Multi-granularity Feature Learning for Cross-domain Fashion Retrieval](http://arxiv.org/abs/2210.15128)
• Summary:

  Instance-level image retrieval in fashion is a challenging issue owing to its increasing importance in real-scenario visual fashion search. Cross-domain fashion retrieval aims to match the unconstrained customer images as queries for photographs provided by retailers; however, it is a difficult task due to a wide range of consumer-to-shop (C2S) domain discrepancies and also considering that clothing image is vulnerable to various non-rigid deformations. To this end, we propose a novel multi-scale and multi-granularity feature learning network (MMFL-Net), which can jointly learn global-local aggregation feature representations of clothing images in a unified framework, aiming to train a cross-domain model for C2S fashion visual similarity. First, a new semantic-spatial feature fusion part is designed to bridge the semantic-spatial gap by applying top-down and bottom-up bidirectional multi-scale feature fusion. Next, a multi-branch deep network architecture is introduced to capture global salient, part-informed, and local detailed information, and extracting robust and discrimination feature embedding by integrating the similarity learning of coarse-to-fine embedding with the multiple granularities. Finally, the improved trihard loss, center loss, and multi-task classification loss are adopted for our MMFL-Net, which can jointly optimize intra-class and inter-class distance and thus explicitly improve intra-class compactness and inter-class discriminability between its visual representations for feature learning. Furthermore, our proposed model also combines the multi-task attribute recognition and classification module with multi-label semantic attributes and product ID labels. Experimental results demonstrate that our proposed MMFL-Net achieves significant improvement over the state-of-the-art methods on the two datasets, DeepFashion-C2S and Street2Shop.

Title: Open-vocabulary Semantic Segmentation with Frozen Vision-Language Models. (arXiv:2210.15138v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15138
• Code URL: null
• Copy Paste: [[2210.15138] Open-vocabulary Semantic Segmentation with Frozen Vision-Language Models](http://arxiv.org/abs/2210.15138)
• Summary:

  When trained at a sufficient scale, self-supervised learning has exhibited a notable ability to solve a wide range of visual or language understanding tasks. In this paper, we investigate simple, yet effective approaches for adapting the pre-trained foundation models to the downstream task of interest, namely, open-vocabulary semantic segmentation. To this end, we make the following contributions: (i) we introduce Fusioner, with a lightweight, transformer-based fusion module, that pairs the frozen visual representation with language concept through a handful of image segmentation data. As a consequence, the model gains the capability of zero-shot transfer to segment novel categories; (ii) without loss of generality, we experiment on a broad range of self-supervised models that have been pre-trained with different schemes, e.g. visual-only models (MoCo v3, DINO), language-only models (BERT), visual-language model (CLIP), and show that, the proposed fusion approach is effective to any pair of visual and language models, even those pre-trained on a corpus of uni-modal data; (iii) we conduct thorough ablation studies to analyze the critical components in our proposed Fusioner, while evaluating on standard benchmarks, e.g. PASCAL-5i and COCO-20i , it surpasses existing state-of-the-art models by a large margin, despite only being trained on frozen visual and language features; (iv) to measure the model's robustness on learning visual-language correspondence, we further evaluate on synthetic dataset, named Mosaic-4, where images are constructed by mosaicking the samples from FSS-1000. Fusioner demonstrates superior performance over previous models.

Title: Exploiting modality-invariant feature for robust multimodal emotion recognition with missing modalities. (arXiv:2210.15359v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15359
• Code URL: https://github.com/zhuoyulang/if-mmin
• Copy Paste: [[2210.15359] Exploiting modality-invariant feature for robust multimodal emotion recognition with missing modalities](http://arxiv.org/abs/2210.15359)
• Summary:

  Multimodal emotion recognition leverages complementary information across modalities to gain performance. However, we cannot guarantee that the data of all modalities are always present in practice. In the studies to predict the missing data across modalities, the inherent difference between heterogeneous modalities, namely the modality gap, presents a challenge. To address this, we propose to use invariant features for a missing modality imagination network (IF-MMIN) which includes two novel mechanisms: 1) an invariant feature learning strategy that is based on the central moment discrepancy (CMD) distance under the full-modality scenario; 2) an invariant feature based imagination module (IF-IM) to alleviate the modality gap during the missing modalities prediction, thus improving the robustness of multimodal joint representation. Comprehensive experiments on the benchmark dataset IEMOCAP demonstrate that the proposed model outperforms all baselines and invariantly improves the overall emotion recognition performance under uncertain missing-modality conditions. We release the code at: https://github.com/ZhuoYulang/IF-MMIN.

Title: 2T-UNET: A Two-Tower UNet with Depth Clues for Robust Stereo Depth Estimation. (arXiv:2210.15374v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15374
• Code URL: null
• Copy Paste: [[2210.15374] 2T-UNET: A Two-Tower UNet with Depth Clues for Robust Stereo Depth Estimation](http://arxiv.org/abs/2210.15374)
• Summary:

  Stereo correspondence matching is an essential part of the multi-step stereo depth estimation process. This paper revisits the depth estimation problem, avoiding the explicit stereo matching step using a simple two-tower convolutional neural network. The proposed algorithm is entitled as 2T-UNet. The idea behind 2T-UNet is to replace cost volume construction with twin convolution towers. These towers have an allowance for different weights between them. Additionally, the input for twin encoders in 2T-UNet are different compared to the existing stereo methods. Generally, a stereo network takes a right and left image pair as input to determine the scene geometry. However, in the 2T-UNet model, the right stereo image is taken as one input and the left stereo image along with its monocular depth clue information, is taken as the other input. Depth clues provide complementary suggestions that help enhance the quality of predicted scene geometry. The 2T-UNet surpasses state-of-the-art monocular and stereo depth estimation methods on the challenging Scene flow dataset, both quantitatively and qualitatively. The architecture performs incredibly well on complex natural scenes, highlighting its usefulness for various real-time applications. Pretrained weights and code will be made readily available.

Title: LeNo: Adversarial Robust Salient Object Detection Networks with Learnable Noise. (arXiv:2210.15392v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15392
• Code URL: null
• Copy Paste: [[2210.15392] LeNo: Adversarial Robust Salient Object Detection Networks with Learnable Noise](http://arxiv.org/abs/2210.15392)
• Summary:

  Pixel-wise predction with deep neural network has become an effective paradigm for salient object detection (SOD) and achieved remakable performance. However, very few SOD models are robust against adversarial attacks which are visually imperceptible for human visual attention. The previous work robust salient object detection against adversarial attacks (ROSA) shuffles the pre-segmented superpixels and then refines the coarse saliency map by the densely connected CRF. Different from ROSA that rely on various pre- and post-processings, this paper proposes a light-weight Learnble Noise (LeNo) to against adversarial attacks for SOD models. LeNo preserves accuracy of SOD models on both adversarial and clean images, as well as inference speed. In general, LeNo consists of a simple shallow noise and noise estimation that embedded in the encoder and decoder of arbitrary SOD networks respectively. Inspired by the center prior of human visual attention mechanism, we initialize the shallow noise with a cross-shaped gaussian distribution for better defense against adversarial attacks. Instead of adding additional network components for post-processing, the proposed noise estimation modifies only one channel of the decoder. With the deeply-supervised noise-decoupled training on state-of-the-art RGB and RGB-D SOD networks, LeNo outperforms previous works not only on adversarial images but also clean images, which contributes stronger robustness for SOD.

Title: GaitMixer: skeleton-based gait representation learning via wide-spectrum multi-axial mixer. (arXiv:2210.15491v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15491
• Code URL: null
• Copy Paste: [[2210.15491] GaitMixer: skeleton-based gait representation learning via wide-spectrum multi-axial mixer](http://arxiv.org/abs/2210.15491)
• Summary:

  Most existing gait recognition methods are appearance-based, which rely on the silhouettes extracted from the video data of human walking activities. The less-investigated skeleton-based gait recognition methods directly learn the gait dynamics from 2D/3D human skeleton sequences, which are theoretically more robust solutions in the presence of appearance changes caused by clothes, hairstyles, and carrying objects. However, the performance of skeleton-based solutions is still largely behind the appearance-based ones. This paper aims to close such performance gap by proposing a novel network model, GaitMixer, to learn more discriminative gait representation from skeleton sequence data. In particular, GaitMixer follows a heterogeneous multi-axial mixer architecture, which exploits the spatial self-attention mixer followed by the temporal large-kernel convolution mixer to learn rich multi-frequency signals in the gait feature maps. Experiments on the widely used gait database, CASIA-B, demonstrate that GaitMixer outperforms the previous SOTA skeleton-based methods by a large margin while achieving a competitive performance compared with the representative appearance-based solutions. Code will be available at https://github.com/exitudio/gaitmixer

Title: Point-Voxel Adaptive Feature Abstraction for Robust Point Cloud Classification. (arXiv:2210.15514v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15514
• Code URL: https://github.com/zhulf0804/pv-ada
• Copy Paste: [[2210.15514] Point-Voxel Adaptive Feature Abstraction for Robust Point Cloud Classification](http://arxiv.org/abs/2210.15514)
• Summary:

  Great progress has been made in point cloud classification with learning-based methods. However, complex scene and sensor inaccuracy in real-world application make point cloud data suffer from corruptions, such as occlusion, noise and outliers. In this work, we propose Point-Voxel based Adaptive (PV-Ada) feature abstraction for robust point cloud classification under various corruptions. Specifically, the proposed framework iteratively voxelize the point cloud and extract point-voxel feature with shared local encoding and Transformer. Then, adaptive max-pooling is proposed to robustly aggregate the point cloud feature for classification. Experiments on ModelNet-C dataset demonstrate that PV-Ada outperforms the state-of-the-art methods. In particular, we rank the $2^{nd}$ place in ModelNet-C classification track of PointCloud-C Challenge 2022, with Overall Accuracy (OA) being 0.865. Code will be available at https://github.com/zhulf0804/PV-Ada.

Title: Hyperspectral Images Classification and Dimensionality Reduction using spectral interaction and SVM classifier. (arXiv:2210.15546v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15546
• Code URL: null
• Copy Paste: [[2210.15546] Hyperspectral Images Classification and Dimensionality Reduction using spectral interaction and SVM classifier](http://arxiv.org/abs/2210.15546)
• Summary:

  Over the past decades, the hyperspectral remote sensing technology development has attracted growing interest among scientists in various domains. The rich and detailed spectral information provided by the hyperspectral sensors has improved the monitoring and detection capabilities of the earth surface substances. However, the high dimensionality of the hyperspectral images (HSI) is one of the main challenges for the analysis of the collected data. The existence of noisy, redundant and irrelevant bands increases the computational complexity, induce the Hughes phenomenon and decrease the target's classification accuracy. Hence, the dimensionality reduction is an essential step to face the dimensionality challenges. In this paper, we propose a novel filter approach based on the maximization of the spectral interaction measure and the support vector machines for dimensionality reduction and classification of the HSI. The proposed Max Relevance Max Synergy (MRMS) algorithm evaluates the relevance of every band through the combination of spectral synergy, redundancy and relevance measures. Our objective is to select the optimal subset of synergistic bands providing accurate classification of the supervised scene materials. Experimental results have been performed using three different hyperspectral datasets: "Indiana Pine", "Pavia University" and "Salinas" provided by the "NASA-AVIRIS" and the "ROSIS" spectrometers. Furthermore, a comparison with the state of the art band selection methods has been carried out in order to demonstrate the robustness and efficiency of the proposed approach.

Keywords: Hyperspectral images, remote sensing, dimensionality reduction, classification, synergic, correlation, spectral interaction information, mutual inform

Title: Robust Monocular Localization of Drones by Adapting Domain Maps to Depth Prediction Inaccuracies. (arXiv:2210.15559v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15559
• Code URL: null
• Copy Paste: [[2210.15559] Robust Monocular Localization of Drones by Adapting Domain Maps to Depth Prediction Inaccuracies](http://arxiv.org/abs/2210.15559)
• Summary:

  We present a novel monocular localization framework by jointly training deep learning-based depth prediction and Bayesian filtering-based pose reasoning. The proposed cross-modal framework significantly outperforms deep learning-only predictions with respect to model scalability and tolerance to environmental variations. Specifically, we show little-to-no degradation of pose accuracy even with extremely poor depth estimates from a lightweight depth predictor. Our framework also maintains high pose accuracy in extreme lighting variations compared to standard deep learning, even without explicit domain adaptation. By openly representing the map and intermediate feature maps (such as depth estimates), our framework also allows for faster updates and reusing intermediate predictions for other tasks, such as obstacle avoidance, resulting in much higher resource efficiency.

Title: Disentangled Text Representation Learning with Information-Theoretic Perspective for Adversarial Robustness. (arXiv:2210.14957v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.14957
• Code URL: null
• Copy Paste: [[2210.14957] Disentangled Text Representation Learning with Information-Theoretic Perspective for Adversarial Robustness](http://arxiv.org/abs/2210.14957)
• Summary:

  Adversarial vulnerability remains a major obstacle to constructing reliable NLP systems. When imperceptible perturbations are added to raw input text, the performance of a deep learning model may drop dramatically under attacks. Recent work argues the adversarial vulnerability of the model is caused by the non-robust features in supervised training. Thus in this paper, we tackle the adversarial robustness challenge from the view of disentangled representation learning, which is able to explicitly disentangle robust and non-robust features in text. Specifically, inspired by the variation of information (VI) in information theory, we derive a disentangled learning objective composed of mutual information to represent both the semantic representativeness of latent embeddings and differentiation of robust and non-robust features. On the basis of this, we design a disentangled learning network to estimate these mutual information. Experiments on text classification and entailment tasks show that our method significantly outperforms the representative methods under adversarial attacks, indicating that discarding non-robust features is critical for improving adversarial robustness.

Title: Robust Domain Adaptation for Pre-trained Multilingual Neural Machine Translation Models. (arXiv:2210.14979v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.14979
• Code URL: null
• Copy Paste: [[2210.14979] Robust Domain Adaptation for Pre-trained Multilingual Neural Machine Translation Models](http://arxiv.org/abs/2210.14979)
• Summary:

  Recent literature has demonstrated the potential of multilingual Neural Machine Translation (mNMT) models. However, the most efficient models are not well suited to specialized industries. In these cases, internal data is scarce and expensive to find in all language pairs. Therefore, fine-tuning a mNMT model on a specialized domain is hard. In this context, we decided to focus on a new task: Domain Adaptation of a pre-trained mNMT model on a single pair of language while trying to maintain model quality on generic domain data for all language pairs. The risk of loss on generic domain and on other pairs is high. This task is key for mNMT model adoption in the industry and is at the border of many others. We propose a fine-tuning procedure for the generic mNMT that combines embeddings freezing and adversarial loss. Our experiments demonstrated that the procedure improves performances on specialized data with a minimal loss in initial performances on generic domain for all languages pairs, compared to a naive standard approach (+10.0 BLEU score on specialized data, -0.01 to -0.5 BLEU on WMT and Tatoeba datasets on the other pairs with M2M100).

Title: Disentangled and Robust Representation Learning for Bragging Classification in Social Media. (arXiv:2210.15180v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15180
• Code URL: null
• Copy Paste: [[2210.15180] Disentangled and Robust Representation Learning for Bragging Classification in Social Media](http://arxiv.org/abs/2210.15180)
• Summary:

  Researching bragging behavior on social media arouses interest of computational (socio) linguists. However, existing bragging classification datasets suffer from a serious data imbalance issue. Because labeling a data-balance dataset is expensive, most methods introduce external knowledge to improve model learning. Nevertheless, such methods inevitably introduce noise and non-relevance information from external knowledge. To overcome the drawback, we propose a novel bragging classification method with disentangle-based representation augmentation and domain-aware adversarial strategy. Specifically, model learns to disentangle and reconstruct representation and generate augmented features via disentangle-based representation augmentation. Moreover, domain-aware adversarial strategy aims to constrain domain of augmented features to improve their robustness. Experimental results demonstrate that our method achieves state-of-the-art performance compared to other methods.

Title: COCO-DR: Combating Distribution Shifts in Zero-Shot Dense Retrieval with Contrastive and Distributionally Robust Learning. (arXiv:2210.15212v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15212
• Code URL: https://github.com/openmatch/coco-dr
• Copy Paste: [[2210.15212] COCO-DR: Combating Distribution Shifts in Zero-Shot Dense Retrieval with Contrastive and Distributionally Robust Learning](http://arxiv.org/abs/2210.15212)
• Summary:

  We present a new zero-shot dense retrieval (ZeroDR) method, COCO-DR, to improve the generalization ability of dense retrieval by combating the distribution shifts between source training tasks and target scenarios. To mitigate the impact of document differences, COCO-DR continues pretraining the language model on the target corpora to adapt the model to target distributions via COtinuous COtrastive learning. To prepare for unseen target queries, COCO-DR leverages implicit Distributionally Robust Optimization (iDRO) to reweight samples from different source query clusters for improving model robustness over rare queries during fine-tuning. COCO-DR achieves superior average performance on BEIR, the zero-shot retrieval benchmark. At BERT Base scale, COCO-DR Base outperforms other ZeroDR models with 60x larger size. At BERT Large scale, COCO-DR Large outperforms the giant GPT-3 embedding model which has 500x more parameters. Our analysis show the correlation between COCO-DR's effectiveness in combating distribution shifts and improving zero-shot accuracy. Our code and model can be found at \url{https://github.com/OpenMatch/COCO-DR}.

Title: Cross-Domain Neural Entity Linking. (arXiv:2210.15616v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15616
• Code URL: null
• Copy Paste: [[2210.15616] Cross-Domain Neural Entity Linking](http://arxiv.org/abs/2210.15616)
• Summary:

  Entity Linking is the task of matching a mention to an entity in a given knowledge base (KB). It contributes to annotating a massive amount of documents existing on the Web to harness new facts about their matched entities. However, existing Entity Linking systems focus on developing models that are typically domain-dependent and robust only to a particular knowledge base on which they have been trained. The performance is not as adequate when being evaluated on documents and knowledge bases from different domains.

Approaches based on pre-trained language models, such as Wu et al. (2020), attempt to solve the problem using a zero-shot setup, illustrating some potential when evaluated on a general-domain KB. Nevertheless, the performance is not equivalent when evaluated on a domain-specific KB. To allow for more accurate Entity Linking across different domains, we propose our framework: Cross-Domain Neural Entity Linking (CDNEL). Our objective is to have a single system that enables simultaneous linking to both the general-domain KB and the domain-specific KB. CDNEL works by learning a joint representation space for these knowledge bases from different domains. It is evaluated using the external Entity Linking dataset (Zeshel) constructed by Logeswaran et al. (2019) and the Reddit dataset collected by Botzer et al. (2021), to compare our proposed method with the state-of-the-art results. The proposed framework uses different types of datasets for fine-tuning, resulting in different model variants of CDNEL. When evaluated on four domains included in the Zeshel dataset, these variants achieve an average precision gain of 9%.

Title: Environment Design for Inverse Reinforcement Learning. (arXiv:2210.14972v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.14972
• Code URL: null
• Copy Paste: [[2210.14972] Environment Design for Inverse Reinforcement Learning](http://arxiv.org/abs/2210.14972)
• Summary:

  The task of learning a reward function from expert demonstrations suffers from high sample complexity as well as inherent limitations to what can be learned from demonstrations in a given environment. As the samples used for reward learning require human input, which is generally expensive, much effort has been dedicated towards designing more sample-efficient algorithms. Moreover, even with abundant data, current methods can still fail to learn insightful reward functions that are robust to minor changes in the environment dynamics. We approach these challenges differently than prior work by improving the sample-efficiency as well as the robustness of learned rewards through adaptively designing a sequence of demonstration environments for the expert to act in. We formalise a framework for this environment design process in which learner and expert repeatedly interact, and construct algorithms that actively seek information about the rewards by carefully curating environments for the human to demonstrate the task in.

Title: Multi-layered Discriminative Restricted Boltzmann Machine with Untrained Probabilistic Layer. (arXiv:2210.15434v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15434
• Code URL: null
• Copy Paste: [[2210.15434] Multi-layered Discriminative Restricted Boltzmann Machine with Untrained Probabilistic Layer](http://arxiv.org/abs/2210.15434)
• Summary:

  An extreme learning machine (ELM) is a three-layered feed-forward neural network having untrained parameters, which are randomly determined before training. Inspired by the idea of ELM, a probabilistic untrained layer called a probabilistic-ELM (PELM) layer is proposed, and it is combined with a discriminative restricted Boltzmann machine (DRBM), which is a probabilistic three-layered neural network for solving classification problems. The proposed model is obtained by stacking DRBM on the PELM layer. The resultant model (i.e., multi-layered DRBM (MDRBM)) forms a probabilistic four-layered neural network. In MDRBM, the parameters in the PELM layer can be determined using Gaussian-Bernoulli restricted Boltzmann machine. Owing to the PELM layer, MDRBM obtains a strong immunity against noise in inputs, which is one of the most important advantages of MDRBM. Numerical experiments using some benchmark datasets, MNIST, Fashion-MNIST, Urban Land Cover, and CIFAR-10, demonstrate that MDRBM is superior to other existing models, particularly, in terms of the noise-robustness property (or, in other words, the generalization property).

Title: A Hierarchical Approach to Conditional Random Fields for System Anomaly Detection. (arXiv:2210.15030v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15030
• Code URL: null
• Copy Paste: [[2210.15030] A Hierarchical Approach to Conditional Random Fields for System Anomaly Detection](http://arxiv.org/abs/2210.15030)
• Summary:

  Anomaly detection to recognize unusual events in large scale systems in a time sensitive manner is critical in many industries, eg. bank fraud, enterprise systems, medical alerts, etc. Large-scale systems often grow in size and complexity over time, and anomaly detection algorithms need to adapt to changing structures. A hierarchical approach takes advantage of the implicit relationships in complex systems and localized context. The features in complex systems may vary drastically in data distribution, capturing different aspects from multiple data sources, and when put together provide a more complete view of the system. In this paper, two datasets are considered, the 1st comprising of system metrics from machines running on a cloud service, and the 2nd of application metrics from a distributed software system with inherent hierarchies and interconnections amongst its system nodes. Comparing algorithms, across the changepoint based PELT algorithm, cognitive learning-based Hierarchical Temporal Memory algorithms, Support Vector Machines and Conditional Random Fields provides a basis for proposing a Hierarchical Global-Local Conditional Random Field approach to accurately capture anomalies in complex systems, and across various features. Hierarchical algorithms can learn both the intricacies of lower-level or specific features, and utilize these in the global abstracted representation to detect anomalous patterns robustly across multi-source feature data and distributed systems. A graphical network analysis on complex systems can further fine-tune datasets to mine relationships based on available features, which can benefit hierarchical models. Furthermore, hierarchical solutions can adapt well to changes at a localized level, learning on new data and changing environments when parts of a system are over-hauled, and translate these learnings to a global view of the system over time.

Title: Characterizing Datapoints via Second-Split Forgetting. (arXiv:2210.15031v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15031
• Code URL: null
• Copy Paste: [[2210.15031] Characterizing Datapoints via Second-Split Forgetting](http://arxiv.org/abs/2210.15031)
• Summary:

  Researchers investigating example hardness have increasingly focused on the dynamics by which neural networks learn and forget examples throughout training. Popular metrics derived from these dynamics include (i) the epoch at which examples are first correctly classified; (ii) the number of times their predictions flip during training; and (iii) whether their prediction flips if they are held out. However, these metrics do not distinguish among examples that are hard for distinct reasons, such as membership in a rare subpopulation, being mislabeled, or belonging to a complex subpopulation. In this paper, we propose $second$-$split$ $forgetting$ $time$ (SSFT), a complementary metric that tracks the epoch (if any) after which an original training example is forgotten as the network is fine-tuned on a randomly held out partition of the data. Across multiple benchmark datasets and modalities, we demonstrate that $mislabeled$ examples are forgotten quickly, and seemingly $rare$ examples are forgotten comparatively slowly. By contrast, metrics only considering the first split learning dynamics struggle to differentiate the two. At large learning rates, SSFT tends to be robust across architectures, optimizers, and random seeds. From a practical standpoint, the SSFT can (i) help to identify mislabeled samples, the removal of which improves generalization; and (ii) provide insights about failure modes. Through theoretical analysis addressing overparameterized linear models, we provide insights into how the observed phenomena may arise. Code for reproducing our experiments can be found here: https://github.com/pratyushmaini/ssft

Title: ViT-CAT: Parallel Vision Transformers with Cross Attention Fusion for Popularity Prediction in MEC Networks. (arXiv:2210.15125v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15125
• Code URL: null
• Copy Paste: [[2210.15125] ViT-CAT: Parallel Vision Transformers with Cross Attention Fusion for Popularity Prediction in MEC Networks](http://arxiv.org/abs/2210.15125)
• Summary:

  Mobile Edge Caching (MEC) is a revolutionary technology for the Sixth Generation (6G) of wireless networks with the promise to significantly reduce users' latency via offering storage capacities at the edge of the network. The efficiency of the MEC network, however, critically depends on its ability to dynamically predict/update the storage of caching nodes with the top-K popular contents. Conventional statistical caching schemes are not robust to the time-variant nature of the underlying pattern of content requests, resulting in a surge of interest in using Deep Neural Networks (DNNs) for time-series popularity prediction in MEC networks. However, existing DNN models within the context of MEC fail to simultaneously capture both temporal correlations of historical request patterns and the dependencies between multiple contents. This necessitates an urgent quest to develop and design a new and innovative popularity prediction architecture to tackle this critical challenge. The paper addresses this gap by proposing a novel hybrid caching framework based on the attention mechanism. Referred to as the parallel Vision Transformers with Cross Attention (ViT-CAT) Fusion, the proposed architecture consists of two parallel ViT networks, one for collecting temporal correlation, and the other for capturing dependencies between different contents. Followed by a Cross Attention (CA) module as the Fusion Center (FC), the proposed ViT-CAT is capable of learning the mutual information between temporal and spatial correlations, as well, resulting in improving the classification accuracy, and decreasing the model's complexity about 8 times. Based on the simulation results, the proposed ViT-CAT architecture outperforms its counterparts across the classification accuracy, complexity, and cache-hit ratio.

Title: Provable Sim-to-real Transfer in Continuous Domain with Partial Observations. (arXiv:2210.15598v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15598
• Code URL: null
• Copy Paste: [[2210.15598] Provable Sim-to-real Transfer in Continuous Domain with Partial Observations](http://arxiv.org/abs/2210.15598)
• Summary:

  Sim-to-real transfer trains RL agents in the simulated environments and then deploys them in the real world. Sim-to-real transfer has been widely used in practice because it is often cheaper, safer and much faster to collect samples in simulation than in the real world. Despite the empirical success of the sim-to-real transfer, its theoretical foundation is much less understood. In this paper, we study the sim-to-real transfer in continuous domain with partial observations, where the simulated environments and real-world environments are modeled by linear quadratic Gaussian (LQG) systems. We show that a popular robust adversarial training algorithm is capable of learning a policy from the simulated environment that is competitive to the optimal policy in the real-world environment. To achieve our results, we design a new algorithm for infinite-horizon average-cost LQGs and establish a regret bound that depends on the intrinsic complexity of the model class. Our algorithm crucially relies on a novel history clipping scheme, which might be of independent interest.

biometric

steal

Title: Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks. (arXiv:2210.15427v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2210.15427
• Code URL: null
• Copy Paste: [[2210.15427] Are You Stealing My Model? Sample Correlation for Fingerprinting Deep Neural Networks](http://arxiv.org/abs/2210.15427)
• Summary:

  An off-the-shelf model as a commercial service could be stolen by model stealing attacks, posing great threats to the rights of the model owner. Model fingerprinting aims to verify whether a suspect model is stolen from the victim model, which gains more and more attention nowadays. Previous methods always leverage the transferable adversarial examples as the model fingerprint, which is sensitive to adversarial defense or transfer learning scenarios. To address this issue, we consider the pairwise relationship between samples instead and propose a novel yet simple model stealing detection method based on SAmple Correlation (SAC). Specifically, we present SAC-w that selects wrongly classified normal samples as model inputs and calculates the mean correlation among their model outputs. To reduce the training time, we further develop SAC-m that selects CutMix Augmented samples as model inputs, without the need for training the surrogate models or generating adversarial examples. Extensive results validate that SAC successfully defends against various model stealing attacks, even including adversarial training or transfer learning, and detects the stolen models with the best performance in terms of AUC across different datasets and model architectures. The codes are available at https://github.com/guanjiyang/SAC.

extraction

Title: FAS-UNet: A Novel FAS-driven Unet to Learn Variational Image Segmentation. (arXiv:2210.15164v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15164
• Code URL: null
• Copy Paste: [[2210.15164] FAS-UNet: A Novel FAS-driven Unet to Learn Variational Image Segmentation](http://arxiv.org/abs/2210.15164)
• Summary:

  Solving variational image segmentation problems with hidden physics is often expensive and requires different algorithms and manually tunes model parameter. The deep learning methods based on the U-Net structure have obtained outstanding performances in many different medical image segmentation tasks, but designing such networks requires a lot of parameters and training data, not always available for practical problems. In this paper, inspired by traditional multi-phase convexity Mumford-Shah variational model and full approximation scheme (FAS) solving the nonlinear systems, we propose a novel variational-model-informed network (denoted as FAS-Unet) that exploits the model and algorithm priors to extract the multi-scale features. The proposed model-informed network integrates image data and mathematical models, and implements them through learning a few convolution kernels. Based on the variational theory and FAS algorithm, we first design a feature extraction sub-network (FAS-Solution module) to solve the model-driven nonlinear systems, where a skip-connection is employed to fuse the multi-scale features. Secondly, we further design a convolution block to fuse the extracted features from the previous stage, resulting in the final segmentation possibility. Experimental results on three different medical image segmentation tasks show that the proposed FAS-Unet is very competitive with other state-of-the-art methods in qualitative, quantitative and model complexity evaluations. Moreover, it may also be possible to train specialized network architectures that automatically satisfy some of the mathematical and physical laws in other image problems for better accuracy, faster training and improved generalization.

Title: Improved Feature Distillation via Projector Ensemble. (arXiv:2210.15274v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15274
• Code URL: https://github.com/chenyd7/pefd
• Copy Paste: [[2210.15274] Improved Feature Distillation via Projector Ensemble](http://arxiv.org/abs/2210.15274)
• Summary:

  In knowledge distillation, previous feature distillation methods mainly focus on the design of loss functions and the selection of the distilled layers, while the effect of the feature projector between the student and the teacher remains under-explored. In this paper, we first discuss a plausible mechanism of the projector with empirical evidence and then propose a new feature distillation method based on a projector ensemble for further performance improvement. We observe that the student network benefits from a projector even if the feature dimensions of the student and the teacher are the same. Training a student backbone without a projector can be considered as a multi-task learning process, namely achieving discriminative feature extraction for classification and feature matching between the student and the teacher for distillation at the same time. We hypothesize and empirically verify that without a projector, the student network tends to overfit the teacher's feature distributions despite having different architecture and weights initialization. This leads to degradation on the quality of the student's deep features that are eventually used in classification. Adding a projector, on the other hand, disentangles the two learning tasks and helps the student network to focus better on the main feature extraction task while still being able to utilize teacher features as a guidance through the projector. Motivated by the positive effect of the projector in feature distillation, we propose an ensemble of projectors to further improve the quality of student features. Experimental results on different datasets with a series of teacher-student pairs illustrate the effectiveness of the proposed method.

Title: arXivEdits: Understanding the Human Revision Process in Scientific Writing. (arXiv:2210.15067v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15067
• Code URL: null
• Copy Paste: [[2210.15067] arXivEdits: Understanding the Human Revision Process in Scientific Writing](http://arxiv.org/abs/2210.15067)
• Summary:

  Scientific publications are the primary means to communicate research discoveries, where the writing quality is of crucial importance. However, prior work studying the human editing process in this domain mainly focused on the abstract or introduction sections, resulting in an incomplete picture. In this work, we provide a complete computational framework for studying text revision in scientific writing. We first introduce arXivEdits, a new annotated corpus of 751 full papers from arXiv with gold sentence alignment across their multiple versions of revision, as well as fine-grained span-level edits and their underlying intentions for 1,000 sentence pairs. It supports our data-driven analysis to unveil the common strategies practiced by researchers for revising their papers. To scale up the analysis, we also develop automatic methods to extract revision at document-, sentence-, and word-levels. A neural CRF sentence alignment model trained on our corpus achieves 93.8 F1, enabling the reliable matching of sentences between different versions. We formulate the edit extraction task as a span alignment problem, and our proposed method extracts more fine-grained and explainable edits, compared to the commonly used diff algorithm. An intention classifier trained on our dataset achieves 78.9 F1 on the fine-grained intent classification task. Our data and system are released at tiny.one/arxivedits.

Title: Automatic Extraction of Materials and Properties from Superconductors Scientific Literature. (arXiv:2210.15600v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15600
• Code URL: https://github.com/lfoppiano/grobid-superconductors
• Copy Paste: [[2210.15600] Automatic Extraction of Materials and Properties from Superconductors Scientific Literature](http://arxiv.org/abs/2210.15600)
• Summary:

  The automatic extraction of materials and related properties from the scientific literature is gaining attention in data-driven materials science (Materials Informatics). In this paper, we discuss Grobid-superconductors, our solution for automatically extracting superconductor material names and respective properties from text. Built as a Grobid module, it combines machine learning and heuristic approaches in a multi-step architecture that supports input data as raw text or PDF documents. Using Grobid-superconductors, we built SuperCon2, a database of 40324 materials and properties records from 37700 papers. The material (or sample) information is represented by name, chemical formula, and material class, and is characterized by shape, doping, substitution variables for components, and substrate as adjoined information. The properties include the Tc superconducting critical temperature and, when available, applied pressure with the Tc measurement method.

membership infer

federate

Title: Addressing Heterogeneity in Federated Learning via Distributional Transformation. (arXiv:2210.15025v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15025
• Code URL: https://github.com/hyhmia/distrans
• Copy Paste: [[2210.15025] Addressing Heterogeneity in Federated Learning via Distributional Transformation](http://arxiv.org/abs/2210.15025)
• Summary:

  Federated learning (FL) allows multiple clients to collaboratively train a deep learning model. One major challenge of FL is when data distribution is heterogeneous, i.e., differs from one client to another. Existing personalized FL algorithms are only applicable to narrow cases, e.g., one or two data classes per client, and therefore they do not satisfactorily address FL under varying levels of data heterogeneity. In this paper, we propose a novel framework, called DisTrans, to improve FL performance (i.e., model accuracy) via train and test-time distributional transformations along with a double-input-channel model structure. DisTrans works by optimizing distributional offsets and models for each FL client to shift their data distribution, and aggregates these offsets at the FL server to further improve performance in case of distributional heterogeneity. Our evaluation on multiple benchmark datasets shows that DisTrans outperforms state-of-the-art FL methods and data augmentation methods under various settings and different degrees of client distributional heterogeneity.

Title: Federated Continual Learning to Detect Accounting Anomalies in Financial Auditing. (arXiv:2210.15051v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15051
• Code URL: null
• Copy Paste: [[2210.15051] Federated Continual Learning to Detect Accounting Anomalies in Financial Auditing](http://arxiv.org/abs/2210.15051)
• Summary:

  The International Standards on Auditing require auditors to collect reasonable assurance that financial statements are free of material misstatement. At the same time, a central objective of Continuous Assurance is the real-time assessment of digital accounting journal entries. Recently, driven by the advances in artificial intelligence, Deep Learning techniques have emerged in financial auditing to examine vast quantities of accounting data. However, learning highly adaptive audit models in decentralised and dynamic settings remains challenging. It requires the study of data distribution shifts over multiple clients and time periods. In this work, we propose a Federated Continual Learning framework enabling auditors to learn audit models from decentral clients continuously. We evaluate the framework's ability to detect accounting anomalies in common scenarios of organizational activity. Our empirical results, using real-world datasets and combined federated continual learning strategies, demonstrate the learned model's ability to detect anomalies in audit settings of data distribution shifts.

Title: Federated Graph Representation Learning using Self-Supervision. (arXiv:2210.15120v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15120
• Code URL: null
• Copy Paste: [[2210.15120] Federated Graph Representation Learning using Self-Supervision](http://arxiv.org/abs/2210.15120)
• Summary:

  Federated graph representation learning (FedGRL) brings the benefits of distributed training to graph structured data while simultaneously addressing some privacy and compliance concerns related to data curation. However, several interesting real-world graph data characteristics viz. label deficiency and downstream task heterogeneity are not taken into consideration in current FedGRL setups. In this paper, we consider a realistic and novel problem setting, wherein cross-silo clients have access to vast amounts of unlabeled data with limited or no labeled data and additionally have diverse downstream class label domains. We then propose a novel FedGRL formulation based on model interpolation where we aim to learn a shared global model that is optimized collaboratively using a self-supervised objective and gets downstream task supervision through local client models. We provide a specific instantiation of our general formulation using BGRL a SoTA self-supervised graph representation learning method and we empirically verify its effectiveness through realistic cross-slio datasets: (1) we adapt the Twitch Gamer Network which naturally simulates a cross-geo scenario and show that our formulation can provide consistent and avg. 6.1% gains over traditional supervised federated learning objectives and on avg. 1.7% gains compared to individual client specific self-supervised training and (2) we construct and introduce a new cross-silo dataset called Amazon Co-purchase Networks that have both the characteristics of the motivated problem setting. And, we witness on avg. 11.5% gains over traditional supervised federated learning and on avg. 1.9% gains over individually trained self-supervised models. Both experimental results point to the effectiveness of our proposed formulation. Finally, both our novel problem setting and dataset contributions provide new avenues for the research in FedGRL.

Title: Exploiting Features and Logits in Heterogeneous Federated Learning. (arXiv:2210.15527v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15527
• Code URL: https://github.com/ChanYunHin/Felo
• Copy Paste: [[2210.15527] Exploiting Features and Logits in Heterogeneous Federated Learning](http://arxiv.org/abs/2210.15527)
• Summary:

  Due to the rapid growth of IoT and artificial intelligence, deploying neural networks on IoT devices is becoming increasingly crucial for edge intelligence. Federated learning (FL) facilitates the management of edge devices to collaboratively train a shared model while maintaining training data local and private. However, a general assumption in FL is that all edge devices are trained on the same machine learning model, which may be impractical considering diverse device capabilities. For instance, less capable devices may slow down the updating process because they struggle to handle large models appropriate for ordinary devices. In this paper, we propose a novel data-free FL method that supports heterogeneous client models by managing features and logits, called Felo; and its extension with a conditional VAE deployed in the server, called Velo. Felo averages the mid-level features and logits from the clients at the server based on their class labels to provide the average features and logits, which are utilized for further training the client models. Unlike Felo, the server has a conditional VAE in Velo, which is used for training mid-level features and generating synthetic features according to the labels. The clients optimize their models based on the synthetic features and the average logits. We conduct experiments on two datasets and show satisfactory performances of our methods compared with the state-of-the-art methods.

fair

Title: IDEAL: Improved DEnse locAL Contrastive Learning for Semi-Supervised Medical Image Segmentation. (arXiv:2210.15075v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2210.15075
• Code URL: null
• Copy Paste: [[2210.15075] IDEAL: Improved DEnse locAL Contrastive Learning for Semi-Supervised Medical Image Segmentation](http://arxiv.org/abs/2210.15075)
• Summary:

  Due to the scarcity of labeled data, Contrastive Self-Supervised Learning (SSL) frameworks have lately shown great potential in several medical image analysis tasks. However, the existing contrastive mechanisms are sub-optimal for dense pixel-level segmentation tasks due to their inability to mine local features. To this end, we extend the concept of metric learning to the segmentation task, using a dense (dis)similarity learning for pre-training a deep encoder network, and employing a semi-supervised paradigm to fine-tune for the downstream task. Specifically, we propose a simple convolutional projection head for obtaining dense pixel-level features, and a new contrastive loss to utilize these dense projections thereby improving the local representations. A bidirectional consistency regularization mechanism involving two-stream model training is devised for the downstream task. Upon comparison, our IDEAL method outperforms the SoTA methods by fair margins on cardiac MRI segmentation.

Title: MABEL: Attenuating Gender Bias using Textual Entailment Data. (arXiv:2210.14975v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.14975
• Code URL: https://github.com/princeton-nlp/mabel
• Copy Paste: [[2210.14975] MABEL: Attenuating Gender Bias using Textual Entailment Data](http://arxiv.org/abs/2210.14975)
• Summary:

  Pre-trained language models encode undesirable social biases, which are further exacerbated in downstream use. To this end, we propose MABEL (a Method for Attenuating Gender Bias using Entailment Labels), an intermediate pre-training approach for mitigating gender bias in contextualized representations. Key to our approach is the use of a contrastive learning objective on counterfactually augmented, gender-balanced entailment pairs from natural language inference (NLI) datasets. We also introduce an alignment regularizer that pulls identical entailment pairs along opposite gender directions closer. We extensively evaluate our approach on intrinsic and extrinsic metrics, and show that MABEL outperforms previous task-agnostic debiasing approaches in terms of fairness. It also preserves task performance after fine-tuning on downstream tasks. Together, these findings demonstrate the suitability of NLI data as an effective means of bias mitigation, as opposed to only using unlabeled sentences in the literature. Finally, we identify that existing approaches often use evaluation settings that are insufficient or inconsistent. We make an effort to reproduce and compare previous methods, and call for unifying the evaluation settings across gender debiasing methods for better future comparison.

Title: COFFEE: Counterfactual Fairness for Personalized Text Generation in Explainable Recommendation. (arXiv:2210.15500v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2210.15500
• Code URL: null
• Copy Paste: [[2210.15500] COFFEE: Counterfactual Fairness for Personalized Text Generation in Explainable Recommendation](http://arxiv.org/abs/2210.15500)
• Summary:

  Personalized text generation has broad industrial applications, such as explanation generation for recommendations, conversational systems, etc. Personalized text generators are usually trained on user written text, e.g., reviews collected on e-commerce platforms. However, due to historical, social, or behavioral reasons, there may exist bias that associates certain linguistic quality of user written text with the users' protected attributes such as gender, race, etc. The generators can identify and inherit these correlations and generate texts discriminately w.r.t. the users' protected attributes. Without proper intervention, such bias can adversarially influence the users' trust and reliance on the system. From a broader perspective, bias in auto-generated contents can reinforce the social stereotypes about how online users write through interactions with the users.

In this work, we investigate the fairness of personalized text generation in the setting of explainable recommendation. We develop a general framework for achieving measure-specific counterfactual fairness on the linguistic quality of personalized explanations. We propose learning disentangled representations for counterfactual inference and develop a novel policy learning algorithm with carefully designed rewards for fairness optimization. The framework can be applied for achieving fairness on any given specifications of linguistic quality measures, and can be adapted to most of existing models and real-world settings. Extensive experiments demonstrate the superior ability of our method in achieving fairness while maintaining high generation performance.

interpretability

exlainability

watermark

Title: Watermarking for Out-of-distribution Detection. (arXiv:2210.15198v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2210.15198
• Code URL: https://github.com/qizhouwang/watermarking
• Copy Paste: [[2210.15198] Watermarking for Out-of-distribution Detection](http://arxiv.org/abs/2210.15198)
• Summary:

  Out-of-distribution (OOD) detection aims to identify OOD data based on representations extracted from well-trained deep models. However, existing methods largely ignore the reprogramming property of deep models and thus may not fully unleash their intrinsic strength: without modifying parameters of a well-trained deep model, we can reprogram this model for a new purpose via data-level manipulation (e.g., adding a specific feature perturbation to the data). This property motivates us to reprogram a classification model to excel at OOD detection (a new task), and thus we propose a general methodology named watermarking in this paper. Specifically, we learn a unified pattern that is superimposed onto features of original data, and the model's detection capability is largely boosted after watermarking. Extensive experiments verify the effectiveness of watermarking, demonstrating the significance of the reprogramming property of deep models in OOD detection.