secure

Title: Encrypted machine learning of molecular quantum properties. (arXiv:2212.04322v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04322
• Code URL: null
• Copy Paste: [[2212.04322] Encrypted machine learning of molecular quantum properties](http://arxiv.org/abs/2212.04322) #secure
• Summary:

  Large machine learning models with improved predictions have become widely available in the chemical sciences. Unfortunately, these models do not protect the privacy necessary within commercial settings, prohibiting the use of potentially extremely valuable data by others. Encrypting the prediction process can solve this problem by double-blind model evaluation and prohibits the extraction of training or query data. However, contemporary ML models based on fully homomorphic encryption or federated learning are either too expensive for practical use or have to trade higher speed for weaker security. We have implemented secure and computationally feasible encrypted machine learning models using oblivious transfer enabling and secure predictions of molecular quantum properties across chemical compound space. However, we find that encrypted predictions using kernel ridge regression models are a million times more expensive than without encryption. This demonstrates a dire need for a compact machine learning model architecture, including molecular representation and kernel matrix size, that minimizes model evaluation costs.

Title: Secure communication using low dimensional topological elements. (arXiv:2212.04350v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04350
• Code URL: null
• Copy Paste: [[2212.04350] Secure communication using low dimensional topological elements](http://arxiv.org/abs/2212.04350) #secure
• Summary:

  Low-dimensional topological objects, such as knots and braids, have become prevalent in multiple areas of physics, such as fluid dynamics, optics, and quantum information processing. Such objects also now play a role in cryptography, where a framed knot can store encoded information using its braid representation for communications purposes. The greater resilience of low-dimensional topological elements under deformations allows them to be employed as a reliable framework for information exchange. Here, we introduce a challenge-response protocol as an application of this construction for authentication. We provide illustrative examples of both procedures showing how framed links and braids may help to enhance secure communication.

Title: Device identification using optimized digital footprints. (arXiv:2212.04354v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04354
• Code URL: null
• Copy Paste: [[2212.04354] Device identification using optimized digital footprints](http://arxiv.org/abs/2212.04354) #secure
• Summary:

  The rapidly increasing number of internet of things (IoT) and non-IoT devices has imposed new security challenges to network administrators. Accurate device identification in the increasingly complex network structures is necessary. In this paper, a device fingerprinting (DFP) method has been proposed for device identification, based on digital footprints, which devices use for communication over a network. A subset of nine features have been selected from the network and transport layers of a single transmission control protocol/internet protocol packet based on attribute evaluators in Weka, to generate device-specific signatures. The method has been evaluated on two online datasets, and an experimental dataset, using different supervised machine learning (ML) algorithms. Results have shown that the method is able to distinguish device type with up to 100% precision using the random forest (RF) classifier, and classify individual devices with up to 95.7% precision. These results demonstrate the applicability of the proposed DFP method for device identification, in order to provide a more secure and robust network.

security

Title: Elixir: A system to enhance data quality for multiple analytics on a video stream. (arXiv:2212.04061v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04061
• Code URL: null
• Copy Paste: [[2212.04061] Elixir: A system to enhance data quality for multiple analytics on a video stream](http://arxiv.org/abs/2212.04061) #security
• Summary:

  IoT sensors, especially video cameras, are ubiquitously deployed around the world to perform a variety of computer vision tasks in several verticals including retail, healthcare, safety and security, transportation, manufacturing, etc. To amortize their high deployment effort and cost, it is desirable to perform multiple video analytics tasks, which we refer to as Analytical Units (AUs), off the video feed coming out of every camera. In this paper, we first show that in a multi-AU setting, changing the camera setting has disproportionate impact on different AUs performance. In particular, the optimal setting for one AU may severely degrade the performance for another AU, and further the impact on different AUs varies as the environmental condition changes. We then present Elixir, a system to enhance the video stream quality for multiple analytics on a video stream. Elixir leverages Multi-Objective Reinforcement Learning (MORL), where the RL agent caters to the objectives from different AUs and adjusts the camera setting to simultaneously enhance the performance of all AUs. To define the multiple objectives in MORL, we develop new AU-specific quality estimator values for each individual AU. We evaluate Elixir through real-world experiments on a testbed with three cameras deployed next to each other (overlooking a large enterprise parking lot) running Elixir and two baseline approaches, respectively. Elixir correctly detects 7.1% (22,068) and 5.0% (15,731) more cars, 94% (551) and 72% (478) more faces, and 670.4% (4975) and 158.6% (3507) more persons than the default-setting and time-sharing approaches, respectively. It also detects 115 license plates, far more than the time-sharing approach (7) and the default setting (0).

Title: A Novel Hierarchical-Classification-Block Based Convolutional Neural Network for Source Camera Model Identification. (arXiv:2212.04161v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04161
• Code URL: null
• Copy Paste: [[2212.04161] A Novel Hierarchical-Classification-Block Based Convolutional Neural Network for Source Camera Model Identification](http://arxiv.org/abs/2212.04161) #security
• Summary:

  Digital security has been an active area of research interest due to the rapid adaptation of internet infrastructure, the increasing popularity of social media, and digital cameras. Due to inherent differences in working principles to generate an image, different camera brands left behind different intrinsic processing noises which can be used to identify the camera brand. In the last decade, many signal processing and deep learning-based methods have been proposed to identify and isolate this noise from the scene details in an image to detect the source camera brand. One prominent solution is to utilize a hierarchical classification system rather than the traditional single-classifier approach. Different individual networks are used for brand-level and model-level source camera identification. This approach allows for better scaling and requires minimal modifications for adding a new camera brand/model to the solution. However, using different full-fledged networks for both brand and model-level classification substantially increases memory consumption and training complexity. Moreover, extracted low-level features from the different network's initial layers often coincide, resulting in redundant weights. To mitigate the training and memory complexity, we propose a classifier-block-level hierarchical system instead of a network-level one for source camera model classification. Our proposed approach not only results in significantly fewer parameters but also retains the capability to add a new camera model with minimal modification. Thorough experimentation on the publicly available Dresden dataset shows that our proposed approach can achieve the same level of state-of-the-art performance but requires fewer parameters compared to a state-of-the-art network-level hierarchical-based system.

Title: Sound Verification of Security Protocols: From Design to Interoperable Implementations (extended version). (arXiv:2212.04171v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04171
• Code URL: null
• Copy Paste: [[2212.04171] Sound Verification of Security Protocols: From Design to Interoperable Implementations (extended version)](http://arxiv.org/abs/2212.04171) #security
• Summary:

  We provide a framework consisting of tools and metatheorems for the end-to-end verification of security protocols, which bridges the gap between automated protocol verification and code-level proofs. We automatically translate a Tamarin protocol model into a set of I/O specifications expressed in separation logic. Each such specification describes a protocol role's intended I/O behavior against which the role's implementation is then verified. Our soundness result guarantees that the verified implementation inherits all security (trace) properties proved for the Tamarin model. Our framework thus enables us to leverage the substantial body of prior verification work in Tamarin to verify new and existing implementations. The possibility to use any separation logic code verifier provides flexibility regarding the target language. To validate our approach and show that it scales to real-world protocols, we verify a substantial part of the official Go implementation of the WireGuard VPN key exchange protocol.

Title: HyperEnclave: An Open and Cross-platform Trusted Execution Environment. (arXiv:2212.04197v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04197
• Code URL: null
• Copy Paste: [[2212.04197] HyperEnclave: An Open and Cross-platform Trusted Execution Environment](http://arxiv.org/abs/2212.04197) #security
• Summary:

  A number of trusted execution environments (TEEs) have been proposed by both academia and industry. However, most of them require specific hardware or firmware changes and are bound to specific hardware vendors (such as Intel, AMD, ARM, and IBM). In this paper, we propose HyperEnclave, an open and cross-platform process-based TEE that relies on the widely-available virtualization extension to create the isolated execution environment. In particular, HyperEnclave is designed to support the flexible enclave operation modes to fulfill the security and performance demands under various enclave workloads. We provide the enclave SDK to run existing SGX programs on HyperEnclave with little or no source code changes. We have implemented HyperEnclave on commodity AMD servers and deployed the system in a world-leading FinTech company to support real-world privacy-preserving computations. The evaluation on both micro-benchmarks and application benchmarks shows the design of HyperEnclave introduces only a small overhead.

Title: A Novel Efficient Signcryption Scheme for Resource-Constrained Smart Terminals in Cyber-Physical Power Systems. (arXiv:2212.04198v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04198
• Code URL: null
• Copy Paste: [[2212.04198] A Novel Efficient Signcryption Scheme for Resource-Constrained Smart Terminals in Cyber-Physical Power Systems](http://arxiv.org/abs/2212.04198) #security
• Summary:

  Most of the existing signcryption schemes generate pseudonym by key generation center (KGC) and usually choose bilinear pairing to construct authentication schemes. The drawback is that these schemes not only consume heavy computation and communication costs during information exchange, but also can not eliminate security risks due to not updating pseudonym, which do not work well for resource-constrained smart terminals in cyber-physical power systems (CPPSs). The main objective of this paper is to propose a novel efficient signcryption scheme for resource-constrained smart terminals. First, a dynamical pseudonym self-generation mechanism (DPSGM) is explored to achieve privacy preservation and avoid the source being linked. Second, combined with DPSGM, an efficient signcryption scheme based on certificateless cryptography (CLC) and elliptic curve cryptography (ECC) is designed, which reduces importantly computation and communication burden. Furthermore, under random oracle model (ROM), the confidentiality and non-repudiation of the proposed signcryption scheme are transformed into elliptic curve discrete logarithm and computational Diffie-Hellman problems that cannot be solved in polynomial time, which guarantees the security. Finally, the effectiveness and feasibility of the proposed signcryption scheme are confirmed by experimental analyses.

Title: ICSPatch: Automated Vulnerability Localization and Non-Intrusive Hotpatching in Industrial Control Systems using Data Dependence Graphs. (arXiv:2212.04229v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04229
• Code URL: null
• Copy Paste: [[2212.04229] ICSPatch: Automated Vulnerability Localization and Non-Intrusive Hotpatching in Industrial Control Systems using Data Dependence Graphs](http://arxiv.org/abs/2212.04229) #security
• Summary:

  The paradigm shift of enabling extensive intercommunication between the Operational Technology (OT) and Information Technology (IT) devices allows vulnerabilities typical to the IT world to propagate to the OT side. Therefore, the security layer offered in the past by air gapping is removed, making security patching for OT devices a hard requirement. Conventional patching involves a device reboot to load the patched code in the main memory, which does not apply to OT devices controlling critical processes due to downtime, necessitating in-memory vulnerability patching. Furthermore, these control binaries are often compiled by in-house proprietary compilers, further hindering the patching process and placing reliance on OT vendors for rapid vulnerability discovery and patch development. The current state-of-the-art hotpatching approaches only focus on firmware and/or RTOS. Therefore, in this work, we develop ICSPatch, a framework to automate control logic vulnerability localization using Data Dependence Graphs (DDGs). With the help of DDGs, ICSPatch pinpoints the vulnerability in the control application. As an independent second step, ICSPatch can non-intrusively hotpatch vulnerabilities in the control application directly in the main memory of Programmable Logic Controllers while maintaining reliable continuous operation. To evaluate our framework, we test ICSPatch on a synthetic dataset of 24 vulnerable control application binaries from diverse critical infrastructure sectors. Results show that ICSPatch could successfully localize all vulnerabilities and generate patches accordingly. Furthermore, the patch added negligible latency increase in the execution cycle while maintaining correctness and protection against the vulnerability.

Title: Simulation of Attacker Defender Interaction in a Noisy Security Game. (arXiv:2212.04281v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04281
• Code URL: null
• Copy Paste: [[2212.04281] Simulation of Attacker Defender Interaction in a Noisy Security Game](http://arxiv.org/abs/2212.04281) #security
• Summary:

  In the cybersecurity setting, defenders are often at the mercy of their detection technologies and subject to the information and experiences that individual analysts have. In order to give defenders an advantage, it is important to understand an attacker's motivation and their likely next best action. As a first step in modeling this behavior, we introduce a security game framework that simulates interplay between attackers and defenders in a noisy environment, focusing on the factors that drive decision making for attackers and defenders in the variants of the game with full knowledge and observability, knowledge of the parameters but no observability of the state (partial knowledge''), and zero knowledge or observability (zero knowledge''). We demonstrate the importance of making the right assumptions about attackers, given significant differences in outcomes. Furthermore, there is a measurable trade-off between false-positives and true-positives in terms of attacker outcomes, suggesting that a more false-positive prone environment may be acceptable under conditions where true-positives are also higher.

privacy

Title: FSID: Fully Synthetic Image Denoising via Procedural Scene Generation. (arXiv:2212.03961v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.03961
• Code URL: https://github.com/megvii-research/NAFNet
• Copy Paste: [[2212.03961] FSID: Fully Synthetic Image Denoising via Procedural Scene Generation](http://arxiv.org/abs/2212.03961) #privacy
• Summary:

  For low-level computer vision and image processing ML tasks, training on large datasets is critical for generalization. However, the standard practice of relying on real-world images primarily from the Internet comes with image quality, scalability, and privacy issues, especially in commercial contexts. To address this, we have developed a procedural synthetic data generation pipeline and dataset tailored to low-level vision tasks. Our Unreal engine-based synthetic data pipeline populates large scenes algorithmically with a combination of random 3D objects, materials, and geometric transformations. Then, we calibrate the camera noise profiles to synthesize the noisy images. From this pipeline, we generated a fully synthetic image denoising dataset (FSID) which consists of 175,000 noisy/clean image pairs. We then trained and validated a CNN-based denoising model, and demonstrated that the model trained on this synthetic data alone can achieve competitive denoising results when evaluated on real-world noisy images captured with smartphone cameras.

Title: Re-purposing Perceptual Hashing based Client Side Scanning for Physical Surveillance. (arXiv:2212.04107v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04107
• Code URL: null
• Copy Paste: [[2212.04107] Re-purposing Perceptual Hashing based Client Side Scanning for Physical Surveillance](http://arxiv.org/abs/2212.04107) #privacy
• Summary:

  Content scanning systems employ perceptual hashing algorithms to scan user content for illegal material, such as child pornography or terrorist recruitment flyers. Perceptual hashing algorithms help determine whether two images are visually similar while preserving the privacy of the input images. Several efforts from industry and academia propose to conduct content scanning on client devices such as smartphones due to the impending roll out of end-to-end encryption that will make server-side content scanning difficult. However, these proposals have met with strong criticism because of the potential for the technology to be misused and re-purposed. Our work informs this conversation by experimentally characterizing the potential for one type of misuse -- attackers manipulating the content scanning system to perform physical surveillance on target locations. Our contributions are threefold: (1) we offer a definition of physical surveillance in the context of client-side image scanning systems; (2) we experimentally characterize this risk and create a surveillance algorithm that achieves physical surveillance rates of >40% by poisoning 5% of the perceptual hash database; (3) we experimentally study the trade-off between the robustness of client-side image scanning systems and surveillance, showing that more robust detection of illegal material leads to increased potential for physical surveillance.

Title: Self-training via Metric Learning for Source-Free Domain Adaptation of Semantic Segmentation. (arXiv:2212.04227v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04227
• Code URL: null
• Copy Paste: [[2212.04227] Self-training via Metric Learning for Source-Free Domain Adaptation of Semantic Segmentation](http://arxiv.org/abs/2212.04227) #privacy
• Summary:

  Unsupervised source-free domain adaptation methods aim to train a model to be used in the target domain utilizing the pretrained source-domain model and unlabeled target-domain data, where the source data may not be accessible due to intellectual property or privacy issues. These methods frequently utilize self-training with pseudo-labeling thresholded by prediction confidence. In a source-free scenario, only supervision comes from target data, and thresholding limits the contribution of the self-training. In this study, we utilize self-training with a mean-teacher approach. The student network is trained with all predictions of the teacher network. Instead of thresholding the predictions, the gradients calculated from the pseudo-labels are weighted based on the reliability of the teacher's predictions. We propose a novel method that uses proxy-based metric learning to estimate reliability. We train a metric network on the encoder features of the teacher network. Since the teacher is updated with the moving average, the encoder feature space is slowly changing. Therefore, the metric network can be updated in training time, which enables end-to-end training. We also propose a metric-based online ClassMix method to augment the input of the student network where the patches to be mixed are decided based on the metric reliability. We evaluated our method in synthetic-to-real and cross-city scenarios. The benchmarks show that our method significantly outperforms the existing state-of-the-art methods.

Title: A Systematic Literature Review On Privacy Of Deep Learning Systems. (arXiv:2212.04003v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04003
• Code URL: null
• Copy Paste: [[2212.04003] A Systematic Literature Review On Privacy Of Deep Learning Systems](http://arxiv.org/abs/2212.04003) #privacy
• Summary:

  The last decade has seen a rise of Deep Learning with its applications ranging across diverse domains. But usually, the datasets used to drive these systems contain data which is highly confidential and sensitive. Though, Deep Learning models can be stolen, or reverse engineered, confidential training data can be inferred, and other privacy and security concerns have been identified. Therefore, these systems are highly prone to security attacks. This study highlights academic research that highlights the several types of security attacks and provides a comprehensive overview of the most widely used privacy-preserving solutions. This relevant systematic evaluation also illuminates potential future possibilities for study, instruction, and usage in the fields of privacy and deep learning.

Title: Tumult Analytics: a robust, easy-to-use, scalable, and expressive framework for differential privacy. (arXiv:2212.04133v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04133
• Code URL: null
• Copy Paste: [[2212.04133] Tumult Analytics: a robust, easy-to-use, scalable, and expressive framework for differential privacy](http://arxiv.org/abs/2212.04133) #privacy
• Summary:

  In this short paper, we outline the design of Tumult Analytics, a Python framework for differential privacy used at institutions such as the U.S. Census Bureau, the Wikimedia Foundation, or the Internal Revenue Service.

Title: Differentially-Private Bayes Consistency. (arXiv:2212.04216v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04216
• Code URL: null
• Copy Paste: [[2212.04216] Differentially-Private Bayes Consistency](http://arxiv.org/abs/2212.04216) #privacy
• Summary:

  We construct a universally Bayes consistent learning rule that satisfies differential privacy (DP). We first handle the setting of binary classification and then extend our rule to the more general setting of density estimation (with respect to the total variation metric). The existence of a universally consistent DP learner reveals a stark difference with the distribution-free PAC model. Indeed, in the latter DP learning is extremely limited: even one-dimensional linear classifiers are not privately learnable in this stringent model. Our result thus demonstrates that by allowing the learning rate to depend on the target distribution, one can circumvent the above-mentioned impossibility result and in fact, learn \emph{arbitrary} distributions by a single DP algorithm. As an application, we prove that any VC class can be privately learned in a semi-supervised setting with a near-optimal \emph{labeled} sample complexity of $\tilde{O}(d/\varepsilon)$ labeled examples (and with an unlabeled sample complexity that can depend on the target distribution).

Title: A Fine-grained Chinese Software Privacy Policy Dataset for Sequence Labeling and Regulation Compliant Identification. (arXiv:2212.04357v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04357
• Code URL: null
• Copy Paste: [[2212.04357] A Fine-grained Chinese Software Privacy Policy Dataset for Sequence Labeling and Regulation Compliant Identification](http://arxiv.org/abs/2212.04357) #privacy
• Summary:

  Privacy protection raises great attention on both legal levels and user awareness. To protect user privacy, countries enact laws and regulations requiring software privacy policies to regulate their behavior. However, privacy policies are written in natural languages with many legal terms and software jargon that prevent users from understanding and even reading them. It is desirable to use NLP techniques to analyze privacy policies for helping users understand them. Furthermore, existing datasets ignore law requirements and are limited to English. In this paper, we construct the first Chinese privacy policy dataset, namely CA4P-483, to facilitate the sequence labeling tasks and regulation compliance identification between privacy policies and software. Our dataset includes 483 Chinese Android application privacy policies, over 11K sentences, and 52K fine-grained annotations. We evaluate families of robust and representative baseline models on our dataset. Based on baseline performance, we provide findings and potential research directions on our dataset. Finally, we investigate the potential applications of CA4P-483 combing regulation requirements and program analysis.

Title: Skellam Mixture Mechanism: a Novel Approach to Federated Learning with Differential Privacy. (arXiv:2212.04371v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04371
• Code URL: null
• Copy Paste: [[2212.04371] Skellam Mixture Mechanism: a Novel Approach to Federated Learning with Differential Privacy](http://arxiv.org/abs/2212.04371) #privacy
• Summary:

  Deep neural networks have strong capabilities of memorizing the underlying training data, which can be a serious privacy concern. An effective solution to this problem is to train models with differential privacy, which provides rigorous privacy guarantees by injecting random noise to the gradients. This paper focuses on the scenario where sensitive data are distributed among multiple participants, who jointly train a model through federated learning (FL), using both secure multiparty computation (MPC) to ensure the confidentiality of each gradient update, and differential privacy to avoid data leakage in the resulting model. A major challenge in this setting is that common mechanisms for enforcing DP in deep learning, which inject real-valued noise, are fundamentally incompatible with MPC, which exchanges finite-field integers among the participants. Consequently, most existing DP mechanisms require rather high noise levels, leading to poor model utility. Motivated by this, we propose Skellam mixture mechanism (SMM), an approach to enforce DP on models built via FL. Compared to existing methods, SMM eliminates the assumption that the input gradients must be integer-valued, and, thus, reduces the amount of noise injected to preserve DP. Further, SMM allows tight privacy accounting due to the nice composition and sub-sampling properties of the Skellam distribution, which are key to accurate deep learning with DP. The theoretical analysis of SMM is highly non-trivial, especially considering (i) the complicated math of differentially private deep learning in general and (ii) the fact that the mixture of two Skellam distributions is rather complex, and to our knowledge, has not been studied in the DP literature. Extensive experiments on various practical settings demonstrate that SMM consistently and significantly outperforms existing solutions in terms of the utility of the resulting model.

protect

Title: Better Hit the Nail on the Head than Beat around the Bush: Removing Protected Attributes with a Single Projection. (arXiv:2212.04273v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04273
• Code URL: null
• Copy Paste: [[2212.04273] Better Hit the Nail on the Head than Beat around the Bush: Removing Protected Attributes with a Single Projection](http://arxiv.org/abs/2212.04273) #protect
• Summary:

  Bias elimination and recent probing studies attempt to remove specific information from embedding spaces. Here it is important to remove as much of the target information as possible, while preserving any other information present. INLP is a popular recent method which removes specific information through iterative nullspace projections. Multiple iterations, however, increase the risk that information other than the target is negatively affected. We introduce two methods that find a single targeted projection: Mean Projection (MP, more efficient) and Tukey Median Projection (TMP, with theoretical guarantees). Our comparison between MP and INLP shows that (1) one MP projection removes linear separability based on the target and (2) MP has less impact on the overall space. Further analysis shows that applying random projections after MP leads to the same overall effects on the embedding space as the multiple projections of INLP. Applying one targeted (MP) projection hence is methodologically cleaner than applying multiple (INLP) projections that introduce random effects.

defense

Title: XRand: Differentially Private Defense against Explanation-Guided Attacks. (arXiv:2212.04454v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04454
• Code URL: null
• Copy Paste: [[2212.04454] XRand: Differentially Private Defense against Explanation-Guided Attacks](http://arxiv.org/abs/2212.04454) #defense
• Summary:

  Recent development in the field of explainable artificial intelligence (XAI) has helped improve trust in Machine-Learning-as-a-Service (MLaaS) systems, in which an explanation is provided together with the model prediction in response to each query. However, XAI also opens a door for adversaries to gain insights into the black-box models in MLaaS, thereby making the models more vulnerable to several attacks. For example, feature-based explanations (e.g., SHAP) could expose the top important features that a black-box model focuses on. Such disclosure has been exploited to craft effective backdoor triggers against malware classifiers. To address this trade-off, we introduce a new concept of achieving local differential privacy (LDP) in the explanations, and from that we establish a defense, called XRand, against such attacks. We show that our mechanism restricts the information that the adversary can learn about the top important features, while maintaining the faithfulness of the explanations.

attack

Title: Learning Polysemantic Spoof Trace: A Multi-Modal Disentanglement Network for Face Anti-spoofing. (arXiv:2212.03943v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.03943
• Code URL: null
• Copy Paste: [[2212.03943] Learning Polysemantic Spoof Trace: A Multi-Modal Disentanglement Network for Face Anti-spoofing](http://arxiv.org/abs/2212.03943) #attack
• Summary:

  Along with the widespread use of face recognition systems, their vulnerability has become highlighted. While existing face anti-spoofing methods can be generalized between attack types, generic solutions are still challenging due to the diversity of spoof characteristics. Recently, the spoof trace disentanglement framework has shown great potential for coping with both seen and unseen spoof scenarios, but the performance is largely restricted by the single-modal input. This paper focuses on this issue and presents a multi-modal disentanglement model which targetedly learns polysemantic spoof traces for more accurate and robust generic attack detection. In particular, based on the adversarial learning mechanism, a two-stream disentangling network is designed to estimate spoof patterns from the RGB and depth inputs, respectively. In this case, it captures complementary spoofing clues inhering in different attacks. Furthermore, a fusion module is exploited, which recalibrates both representations at multiple stages to promote the disentanglement in each individual modality. It then performs cross-modality aggregation to deliver a more comprehensive spoof trace representation for prediction. Extensive evaluations are conducted on multiple benchmarks, demonstrating that learning polysemantic spoof traces favorably contributes to anti-spoofing with more perceptible and interpretable results.

Title: Targeted Adversarial Attacks against Neural Network Trajectory Predictors. (arXiv:2212.04138v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04138
• Code URL: null
• Copy Paste: [[2212.04138] Targeted Adversarial Attacks against Neural Network Trajectory Predictors](http://arxiv.org/abs/2212.04138) #attack
• Summary:

  Trajectory prediction is an integral component of modern autonomous systems as it allows for envisioning future intentions of nearby moving agents. Due to the lack of other agents' dynamics and control policies, deep neural network (DNN) models are often employed for trajectory forecasting tasks. Although there exists an extensive literature on improving the accuracy of these models, there is a very limited number of works studying their robustness against adversarially crafted input trajectories. To bridge this gap, in this paper, we propose a targeted adversarial attack against DNN models for trajectory forecasting tasks. We call the proposed attack TA4TP for Targeted adversarial Attack for Trajectory Prediction. Our approach generates adversarial input trajectories that are capable of fooling DNN models into predicting user-specified target/desired trajectories. Our attack relies on solving a nonlinear constrained optimization problem where the objective function captures the deviation of the predicted trajectory from a target one while the constraints model physical requirements that the adversarial input should satisfy. The latter ensures that the inputs look natural and they are safe to execute (e.g., they are close to nominal inputs and away from obstacles). We demonstrate the effectiveness of TA4TP on two state-of-the-art DNN models and two datasets. To the best of our knowledge, we propose the first targeted adversarial attack against DNN models used for trajectory forecasting.

Title: Vicious Classifiers: Data Reconstruction Attack at Inference Time. (arXiv:2212.04223v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04223
• Code URL: https://github.com/mmalekzadeh/vicious-classifiers
• Copy Paste: [[2212.04223] Vicious Classifiers: Data Reconstruction Attack at Inference Time](http://arxiv.org/abs/2212.04223) #attack
• Summary:

  Privacy-preserving inference via edge or encrypted computing paradigms encourages users of machine learning services to confidentially run a model on their personal data for a target task and only share the model's outputs with the service provider; e.g., to activate further services. Nevertheless, despite all confidentiality efforts, we show that a ''vicious'' service provider can approximately reconstruct its users' personal data by observing only the model's outputs, while keeping the target utility of the model very close to that of a ''honest'' service provider. We show the possibility of jointly training a target model (to be run at users' side) and an attack model for data reconstruction (to be secretly used at server's side). We introduce the ''reconstruction risk'': a new measure for assessing the quality of reconstructed data that better captures the privacy risk of such attacks. Experimental results on 6 benchmark datasets show that for low-complexity data types, or for tasks with larger number of classes, a user's personal data can be approximately reconstructed from the outputs of a single target inference task. We propose a potential defense mechanism that helps to distinguish vicious vs. honest classifiers at inference time. We conclude this paper by discussing current challenges and open directions for future studies. We open-source our code and results, as a benchmark for future work.

Title: Scalable Edge Blocking Algorithms for Defending Active Directory Style Attack Graphs. (arXiv:2212.04326v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2212.04326
• Code URL: null
• Copy Paste: [[2212.04326] Scalable Edge Blocking Algorithms for Defending Active Directory Style Attack Graphs](http://arxiv.org/abs/2212.04326) #attack
• Summary:

  Active Directory (AD) is the default security management system for Windows domain networks. An AD environment naturally describes an attack graph where nodes represent computers/accounts/security groups, and edges represent existing accesses/known exploits that allow the attacker to gain access from one node to another. Motivated by practical AD use cases, we study a Stackelberg game between one attacker and one defender. There are multiple entry nodes for the attacker to choose from and there is a single target (Domain Admin). Every edge has a failure rate. The attacker chooses the attack path with the maximum success rate. The defender can block a limited number of edges (i.e., revoke accesses) from a set of blockable edges, limited by budget. The defender's aim is to minimize the attacker's success rate.

We exploit the tree-likeness of practical AD graphs to design scalable algorithms. We propose two novel methods that combine theoretical fixed parameter analysis and practical optimisation techniques.

For graphs with small tree widths, we propose a tree decomposition based dynamic program. We then propose a general method for converting tree decomposition based dynamic programs to reinforcement learning environments, which leads to an anytime algorithm that scales better, but loses the optimality guarantee.

For graphs with small numbers of non-splitting paths (a parameter we invent specifically for AD graphs), we propose a kernelization technique that significantly downsizes the model, which is then solved via mixed-integer programming.

Experimentally, our algorithms scale to handle synthetic AD graphs with tens of thousands of nodes.

robust

Title: Occlusion-Robust FAU Recognition by Mining Latent Space of Masked Autoencoders. (arXiv:2212.04029v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04029
• Code URL: null
• Copy Paste: [[2212.04029] Occlusion-Robust FAU Recognition by Mining Latent Space of Masked Autoencoders](http://arxiv.org/abs/2212.04029) #robust
• Summary:

  Facial action units (FAUs) are critical for fine-grained facial expression analysis. Although FAU detection has been actively studied using ideally high quality images, it was not thoroughly studied under heavily occluded conditions. In this paper, we propose the first occlusion-robust FAU recognition method to maintain FAU detection performance under heavy occlusions. Our novel approach takes advantage of rich information from the latent space of masked autoencoder (MAE) and transforms it into FAU features. Bypassing the occlusion reconstruction step, our model efficiently extracts FAU features of occluded faces by mining the latent space of a pretrained masked autoencoder. Both node and edge-level knowledge distillation are also employed to guide our model to find a mapping between latent space vectors and FAU features. Facial occlusion conditions, including random small patches and large blocks, are thoroughly studied. Experimental results on BP4D and DISFA datasets show that our method can achieve state-of-the-art performances under the studied facial occlusion, significantly outperforming existing baseline methods. In particular, even under heavy occlusion, the proposed method can achieve comparable performance as state-of-the-art methods under normal conditions.

Title: MixBoost: Improving the Robustness of Deep Neural Networks by Boosting Data Augmentation. (arXiv:2212.04059v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04059
• Code URL: null
• Copy Paste: [[2212.04059] MixBoost: Improving the Robustness of Deep Neural Networks by Boosting Data Augmentation](http://arxiv.org/abs/2212.04059) #robust
• Summary:

  As more and more artificial intelligence (AI) technologies move from the laboratory to real-world applications, the open-set and robustness challenges brought by data from the real world have received increasing attention. Data augmentation is a widely used method to improve model performance, and some recent works have also confirmed its positive effect on the robustness of AI models. However, most of the existing data augmentation methods are heuristic, lacking the exploration of their internal mechanisms. We apply the explainable artificial intelligence (XAI) method, explore the internal mechanisms of popular data augmentation methods, analyze the relationship between game interactions and some widely used robustness metrics, and propose a new proxy for model robustness in the open-set environment. Based on the analysis of the internal mechanisms, we develop a mask-based boosting method for data augmentation that comprehensively improves several robustness measures of AI models and beats state-of-the-art data augmentation approaches. Experiments show that our method can be widely applied to many popular data augmentation methods. Different from the adversarial training, our boosting method not only significantly improves the robustness of models, but also improves the accuracy of test sets. Our code is available at \url{https://github.com/Anonymous_for_submission}.

Title: Graph Matching with Bi-level Noisy Correspondence. (arXiv:2212.04085v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04085
• Code URL: null
• Copy Paste: [[2212.04085] Graph Matching with Bi-level Noisy Correspondence](http://arxiv.org/abs/2212.04085) #robust
• Summary:

  In this paper, we study a novel and widely existing problem in graph matching (GM), namely, Bi-level Noisy Correspondence (BNC), which refers to node-level noisy correspondence (NNC) and edge-level noisy correspondence (ENC). In brief, on the one hand, due to the poor recognizability and viewpoint differences between images, it is inevitable to inaccurately annotate some keypoints with offset and confusion, leading to the mismatch between two associated nodes, i.e., NNC. On the other hand, the noisy node-to-node correspondence will further contaminate the edge-to-edge correspondence, thus leading to ENC. For the BNC challenge, we propose a novel method termed Contrastive Matching with Momentum Distillation. Specifically, the proposed method is with a robust quadratic contrastive loss which enjoys the following merits: i) better exploring the node-to-node and edge-to-edge correlations through a GM customized quadratic contrastive learning paradigm; ii) adaptively penalizing the noisy assignments based on the confidence estimated by the momentum teacher. Extensive experiments on three real-world datasets show the robustness of our model compared with 12 competitive baselines.

Title: Evaluating Zero-cost Active Learning for Object Detection. (arXiv:2212.04211v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04211
• Code URL: null
• Copy Paste: [[2212.04211] Evaluating Zero-cost Active Learning for Object Detection](http://arxiv.org/abs/2212.04211) #robust
• Summary:

  Object detection requires substantial labeling effort for learning robust models. Active learning can reduce this effort by intelligently selecting relevant examples to be annotated. However, selecting these examples properly without introducing a sampling bias with a negative impact on the generalization performance is not straightforward and most active learning techniques can not hold their promises on real-world benchmarks. In our evaluation paper, we focus on active learning techniques without a computational overhead besides inference, something we refer to as zero-cost active learning. In particular, we show that a key ingredient is not only the score on a bounding box level but also the technique used for aggregating the scores for ranking images. We outline our experimental setup and also discuss practical considerations when using active learning for object detection.

Title: An Empirical Study on Multi-Domain Robust Semantic Segmentation. (arXiv:2212.04221v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04221
• Code URL: null
• Copy Paste: [[2212.04221] An Empirical Study on Multi-Domain Robust Semantic Segmentation](http://arxiv.org/abs/2212.04221) #robust
• Summary:

  How to effectively leverage the plentiful existing datasets to train a robust and high-performance model is of great significance for many practical applications. However, a model trained on a naive merge of different datasets tends to obtain poor performance due to annotation conflicts and domain divergence.In this paper, we attempt to train a unified model that is expected to perform well across domains on several popularity segmentation datasets.We conduct a detailed analysis of the impact on model generalization from three aspects of data augmentation, training strategies, and model capacity.Based on the analysis, we propose a robust solution that is able to improve model generalization across domains.Our solution ranks 2nd on RVC 2022 semantic segmentation task, with a dataset only 1/3 size of the 1st model used.

Title: Towards Accurate Ground Plane Normal Estimation from Ego-Motion. (arXiv:2212.04224v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04224
• Code URL: https://github.com/manymuch/ground_normal_filter
• Copy Paste: [[2212.04224] Towards Accurate Ground Plane Normal Estimation from Ego-Motion](http://arxiv.org/abs/2212.04224) #robust
• Summary:

  In this paper, we introduce a novel approach for ground plane normal estimation of wheeled vehicles. In practice, the ground plane is dynamically changed due to braking and unstable road surface. As a result, the vehicle pose, especially the pitch angle, is oscillating from subtle to obvious. Thus, estimating ground plane normal is meaningful since it can be encoded to improve the robustness of various autonomous driving tasks (e.g., 3D object detection, road surface reconstruction, and trajectory planning). Our proposed method only uses odometry as input and estimates accurate ground plane normal vectors in real time. Particularly, it fully utilizes the underlying connection between the ego pose odometry (ego-motion) and its nearby ground plane. Built on that, an Invariant Extended Kalman Filter (IEKF) is designed to estimate the normal vector in the sensor's coordinate. Thus, our proposed method is simple yet efficient and supports both camera- and inertial-based odometry algorithms. Its usability and the marked improvement of robustness are validated through multiple experiments on public datasets. For instance, we achieve state-of-the-art accuracy on KITTI dataset with the estimated vector error of 0.39{\deg}. Our code is available at github.com/manymuch/ground_normal_filter.

Title: Fruit Quality Assessment with Densely Connected Convolutional Neural Network. (arXiv:2212.04255v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04255
• Code URL: null
• Copy Paste: [[2212.04255] Fruit Quality Assessment with Densely Connected Convolutional Neural Network](http://arxiv.org/abs/2212.04255) #robust
• Summary:

  Accurate recognition of food items along with quality assessment is of paramount importance in the agricultural industry. Such automated systems can speed up the wheel of the food processing sector and save tons of manual labor. In this connection, the recent advancement of Deep learning-based architectures has introduced a wide variety of solutions offering remarkable performance in several classification tasks. In this work, we have exploited the concept of Densely Connected Convolutional Neural Networks (DenseNets) for fruit quality assessment. The feature propagation towards the deeper layers has enabled the network to tackle the vanishing gradient problems and ensured the reuse of features to learn meaningful insights. Evaluating on a dataset of 19,526 images containing six fruits having three quality grades for each, the proposed pipeline achieved a remarkable accuracy of 99.67%. The robustness of the model was further tested for fruit classification and quality assessment tasks where the model produced a similar performance, which makes it suitable for real-life applications.

Title: On the Robustness of Normalizing Flows for Inverse Problems in Imaging. (arXiv:2212.04319v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04319
• Code URL: null
• Copy Paste: [[2212.04319] On the Robustness of Normalizing Flows for Inverse Problems in Imaging](http://arxiv.org/abs/2212.04319) #robust
• Summary:

  Conditional normalizing flows can generate diverse image samples for solving inverse problems. Most normalizing flows for inverse problems in imaging employ the conditional affine coupling layer that can generate diverse images quickly. However, unintended severe artifacts are occasionally observed in the output of them. In this work, we address this critical issue by investigating the origins of these artifacts and proposing the conditions to avoid them. First of all, we empirically and theoretically reveal that these problems are caused by ``exploding variance'' in the conditional affine coupling layer for certain out-of-distribution (OOD) conditional inputs. Then, we further validated that the probability of causing erroneous artifacts in pixels is highly correlated with a Mahalanobis distance-based OOD score for inverse problems in imaging. Lastly, based on our investigations, we propose a remark to avoid exploding variance and then based on it, we suggest a simple remedy that substitutes the affine coupling layers with the modified rational quadratic spline coupling layers in normalizing flows, to encourage the robustness of generated image samples. Our experimental results demonstrated that our suggested methods effectively suppressed critical artifacts occurring in normalizing flows for super-resolution space generation and low-light image enhancement without compromising performance.

Title: Few-View Object Reconstruction with Unknown Categories and Camera Poses. (arXiv:2212.04492v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04492
• Code URL: null
• Copy Paste: [[2212.04492] Few-View Object Reconstruction with Unknown Categories and Camera Poses](http://arxiv.org/abs/2212.04492) #robust
• Summary:

  While object reconstruction has made great strides in recent years, current methods typically require densely captured images and/or known camera poses, and generalize poorly to novel object categories. To step toward object reconstruction in the wild, this work explores reconstructing general real-world objects from a few images without known camera poses or object categories. The crux of our work is solving two fundamental 3D vision problems -- shape reconstruction and pose estimation -- in a unified approach. Our approach captures the synergies of these two problems: reliable camera pose estimation gives rise to accurate shape reconstruction, and the accurate reconstruction, in turn, induces robust correspondence between different views and facilitates pose estimation. Our method FORGE predicts 3D features from each view and leverages them in conjunction with the input images to establish cross-view correspondence for estimating relative camera poses. The 3D features are then transformed by the estimated poses into a shared space and are fused into a neural radiance field. The reconstruction results are rendered by volume rendering techniques, enabling us to train the model without 3D shape ground-truth. Our experiments show that FORGE reliably reconstructs objects from five views. Our pose estimation method outperforms existing ones by a large margin. The reconstruction results under predicted poses are comparable to the ones using ground-truth poses. The performance on novel testing categories matches the results on categories seen during training. Project page: https://ut-austin-rpl.github.io/FORGE/

Title: Logit Clipping for Robust Learning against Label Noise. (arXiv:2212.04055v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04055
• Code URL: null
• Copy Paste: [[2212.04055] Logit Clipping for Robust Learning against Label Noise](http://arxiv.org/abs/2212.04055) #robust
• Summary:

  In the presence of noisy labels, designing robust loss functions is critical for securing the generalization performance of deep neural networks. Cross Entropy (CE) loss has been shown to be not robust to noisy labels due to its unboundedness. To alleviate this issue, existing works typically design specialized robust losses with the symmetric condition, which usually lead to the underfitting issue. In this paper, our key idea is to induce a loss bound at the logit level, thus universally enhancing the noise robustness of existing losses. Specifically, we propose logit clipping (LogitClip), which clamps the norm of the logit vector to ensure that it is upper bounded by a constant. In this manner, CE loss equipped with our LogitClip method is effectively bounded, mitigating the overfitting to examples with noisy labels. Moreover, we present theoretical analyses to certify the noise-tolerant ability of LogitClip. Extensive experiments show that LogitClip not only significantly improves the noise robustness of CE loss, but also broadly enhances the generalization performance of popular robust losses.

Title: Physics-guided Data Augmentation for Learning the Solution Operator of Linear Differential Equations. (arXiv:2212.04100v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04100
• Code URL: null
• Copy Paste: [[2212.04100] Physics-guided Data Augmentation for Learning the Solution Operator of Linear Differential Equations](http://arxiv.org/abs/2212.04100) #robust
• Summary:

  Neural networks, especially the recent proposed neural operator models, are increasingly being used to find the solution operator of differential equations. Compared to traditional numerical solvers, they are much faster and more efficient in practical applications. However, one critical issue is that training neural operator models require large amount of ground truth data, which usually comes from the slow numerical solvers. In this paper, we propose a physics-guided data augmentation (PGDA) method to improve the accuracy and generalization of neural operator models. Training data is augmented naturally through the physical properties of differential equations such as linearity and translation. We demonstrate the advantage of PGDA on a variety of linear differential equations, showing that PGDA can improve the sample complexity and is robust to distributional shift.

Title: Leveraging Unlabeled Data to Track Memorization. (arXiv:2212.04461v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04461
• Code URL: https://github.com/mahf93/tracking-memorization
• Copy Paste: [[2212.04461] Leveraging Unlabeled Data to Track Memorization](http://arxiv.org/abs/2212.04461) #robust
• Summary:

  Deep neural networks may easily memorize noisy labels present in real-world data, which degrades their ability to generalize. It is therefore important to track and evaluate the robustness of models against noisy label memorization. We propose a metric, called susceptibility, to gauge such memorization for neural networks. Susceptibility is simple and easy to compute during training. Moreover, it does not require access to ground-truth labels and it only uses unlabeled data. We empirically show the effectiveness of our metric in tracking memorization on various architectures and datasets and provide theoretical insights into the design of the susceptibility metric. Finally, we show through extensive experiments on datasets with synthetic and real-world label noise that one can utilize susceptibility and the overall training accuracy to distinguish models that maintain a low memorization on the training set and generalize well to unseen clean data.

Title: Spatio-Temporal Self-Supervised Learning for Traffic Flow Prediction. (arXiv:2212.04475v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04475
• Code URL: https://github.com/echo-ji/st-ssl
• Copy Paste: [[2212.04475] Spatio-Temporal Self-Supervised Learning for Traffic Flow Prediction](http://arxiv.org/abs/2212.04475) #robust
• Summary:

  Robust prediction of citywide traffic flows at different time periods plays a crucial role in intelligent transportation systems. While previous work has made great efforts to model spatio-temporal correlations, existing methods still suffer from two key limitations: i) Most models collectively predict all regions' flows without accounting for spatial heterogeneity, i.e., different regions may have skewed traffic flow distributions. ii) These models fail to capture the temporal heterogeneity induced by time-varying traffic patterns, as they typically model temporal correlations with a shared parameterized space for all time periods. To tackle these challenges, we propose a novel Spatio-Temporal Self-Supervised Learning (ST-SSL) traffic prediction framework which enhances the traffic pattern representations to be reflective of both spatial and temporal heterogeneity, with auxiliary self-supervised learning paradigms. Specifically, our ST-SSL is built over an integrated module with temporal and spatial convolutions for encoding the information across space and time. To achieve the adaptive spatio-temporal self-supervised learning, our ST-SSL first performs the adaptive augmentation over the traffic flow graph data at both attribute- and structure-levels. On top of the augmented traffic graph, two SSL auxiliary tasks are constructed to supplement the main traffic prediction task with spatial and temporal heterogeneity-aware augmentation. Experiments on four benchmark datasets demonstrate that ST-SSL consistently outperforms various state-of-the-art baselines. Since spatio-temporal heterogeneity widely exists in practical datasets, the proposed framework may also cast light on other spatial-temporal applications. Model implementation is available at https://github.com/Echo-Ji/ST-SSL.

biometric

steal

extraction

Title: Multimodal Vision Transformers with Forced Attention for Behavior Analysis. (arXiv:2212.03968v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.03968
• Code URL: null
• Copy Paste: [[2212.03968] Multimodal Vision Transformers with Forced Attention for Behavior Analysis](http://arxiv.org/abs/2212.03968) #extraction
• Summary:

  Human behavior understanding requires looking at minute details in the large context of a scene containing multiple input modalities. It is necessary as it allows the design of more human-like machines. While transformer approaches have shown great improvements, they face multiple challenges such as lack of data or background noise. To tackle these, we introduce the Forced Attention (FAt) Transformer which utilize forced attention with a modified backbone for input encoding and a use of additional inputs. In addition to improving the performance on different tasks and inputs, the modification requires less time and memory resources. We provide a model for a generalised feature extraction for tasks concerning social signals and behavior analysis. Our focus is on understanding behavior in videos where people are interacting with each other or talking into the camera which simulates the first person point of view in social interaction. FAt Transformers are applied to two downstream tasks: personality recognition and body language recognition. We achieve state-of-the-art results for Udiva v0.5, First Impressions v2 and MPII Group Interaction datasets. We further provide an extensive ablation study of the proposed architecture.

membership infer

federate

Title: Federated Learning for Inference at Anytime and Anywhere. (arXiv:2212.04084v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04084
• Code URL: null
• Copy Paste: [[2212.04084] Federated Learning for Inference at Anytime and Anywhere](http://arxiv.org/abs/2212.04084) #federate
• Summary:

  Federated learning has been predominantly concerned with collaborative training of deep networks from scratch, and especially the many challenges that arise, such as communication cost, robustness to heterogeneous data, and support for diverse device capabilities. However, there is no unified framework that addresses all these problems together. This paper studies the challenges and opportunities of exploiting pre-trained Transformer models in FL. In particular, we propose to efficiently adapt such pre-trained models by injecting a novel attention-based adapter module at each transformer block that both modulates the forward pass and makes an early prediction. Training only the lightweight adapter by FL leads to fast and communication-efficient learning even in the presence of heterogeneous data and devices. Extensive experiments on standard FL benchmarks, including CIFAR-100, FEMNIST and SpeechCommandsv2 demonstrate that this simple framework provides fast and accurate FL while supporting heterogenous device capabilities, efficient personalization, and scalable-cost anytime inference.

Title: GTFLAT: Game Theory Based Add-On For Empowering Federated Learning Aggregation Techniques. (arXiv:2212.04103v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04103
• Code URL: null
• Copy Paste: [[2212.04103] GTFLAT: Game Theory Based Add-On For Empowering Federated Learning Aggregation Techniques](http://arxiv.org/abs/2212.04103) #federate
• Summary:

  GTFLAT, as a game theory-based add-on, addresses an important research question: How can a federated learning algorithm achieve better performance and training efficiency by setting more effective adaptive weights for averaging in the model aggregation phase? The main objectives for the ideal method of answering the question are: (1) empowering federated learning algorithms to reach better performance in fewer communication rounds, notably in the face of heterogeneous scenarios, and last but not least, (2) being easy to use alongside the state-of-the-art federated learning algorithms as a new module. To this end, GTFLAT models the averaging task as a strategic game among active users. Then it proposes a systematic solution based on the population game and evolutionary dynamics to find the equilibrium. In contrast with existing approaches that impose the weights on the participants, GTFLAT concludes a self-enforcement agreement among clients in a way that none of them is motivated to deviate from it individually. The results reveal that, on average, using GTFLAT increases the top-1 test accuracy by 1.38%, while it needs 21.06% fewer communication rounds to reach the accuracy.

fair

Title: Montague semantics and modifier consistency measurement in neural language models. (arXiv:2212.04310v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2212.04310
• Code URL: null
• Copy Paste: [[2212.04310] Montague semantics and modifier consistency measurement in neural language models](http://arxiv.org/abs/2212.04310) #fair
• Summary:

  The recent dominance of distributional language representation models has elicited a variety of questions regarding their capabilities and intrinsic properties, one of which is the manifestation of compositional phenomena in natural language, which has significant implications towards explainability and safety/fairness in the use of such models. While most current research on compositionality has been directed towards improving performance of the representations on similarity tasks, this work proposes a methodology for measuring the presence of compositional behaviour in contemporary language models related to adjectival modifier phenomena in adjective-noun phrases. Our results show that current neural language models do not behave consistently according to the linguistic theories with regard to the evaluated intersective property, but on the other hand, the differences between adjective categories are noticeable in single adjective interactions, indicating that such differences are encoded in individual word representations, but they do not transfer generally in the expected way to the compositions. This raises the question of whether current language models are not capable of capturing the true underlying distributional properties of language, or whether linguistic theories from Montagovian tradition do not hold to distributional scrutiny.

interpretability

Title: A Modality-level Explainable Framework for Misinformation Checking in Social Networks. (arXiv:2212.04272v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2212.04272
• Code URL: null
• Copy Paste: [[2212.04272] A Modality-level Explainable Framework for Misinformation Checking in Social Networks](http://arxiv.org/abs/2212.04272) #interpretability
• Summary:

  The widespread of false information is a rising concern worldwide with critical social impact, inspiring the emergence of fact-checking organizations to mitigate misinformation dissemination. However, human-driven verification leads to a time-consuming task and a bottleneck to have checked trustworthy information at the same pace they emerge. Since misinformation relates not only to the content itself but also to other social features, this paper addresses automatic misinformation checking in social networks from a multimodal perspective. Moreover, as simply naming a piece of news as incorrect may not convince the citizen and, even worse, strengthen confirmation bias, the proposal is a modality-level explainable-prone misinformation classifier framework. Our framework comprises a misinformation classifier assisted by explainable methods to generate modality-oriented explainable inferences. Preliminary findings show that the misinformation classifier does benefit from multimodal information encoding and the modality-oriented explainable mechanism increases both inferences' interpretability and completeness.

explainability

watermark

diffusion

Title: Executing your Commands via Motion Diffusion in Latent Space. (arXiv:2212.04048v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04048
• Code URL: https://github.com/chenfengye/motion-latent-diffusion
• Copy Paste: [[2212.04048] Executing your Commands via Motion Diffusion in Latent Space](http://arxiv.org/abs/2212.04048) #diffusion
• Summary:

  We study a challenging task, conditional human motion generation, which produces plausible human motion sequences according to various conditional inputs, such as action classes or textual descriptors. Since human motions are highly diverse and have a property of quite different distribution from conditional modalities, such as textual descriptors in natural languages, it is hard to learn a probabilistic mapping from the desired conditional modality to the human motion sequences. Besides, the raw motion data from the motion capture system might be redundant in sequences and contain noises; directly modeling the joint distribution over the raw motion sequences and conditional modalities would need a heavy computational overhead and might result in artifacts introduced by the captured noises. To learn a better representation of the various human motion sequences, we first design a powerful Variational AutoEncoder (VAE) and arrive at a representative and low-dimensional latent code for a human motion sequence. Then, instead of using a diffusion model to establish the connections between the raw motion sequences and the conditional inputs, we perform a diffusion process on the motion latent space. Our proposed Motion Latent-based Diffusion model (MLD) could produce vivid motion sequences conforming to the given conditional inputs and substantially reduce the computational overhead in both the training and inference stages. Extensive experiments on various human motion generation tasks demonstrate that our MLD achieves significant improvements over the state-of-the-art methods among extensive human motion generation tasks, with two orders of magnitude faster than previous diffusion models on raw motion sequences.

Title: Diffusion Guided Domain Adaptation of Image Generators. (arXiv:2212.04473v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04473
• Code URL: null
• Copy Paste: [[2212.04473] Diffusion Guided Domain Adaptation of Image Generators](http://arxiv.org/abs/2212.04473) #diffusion
• Summary:

  Can a text-to-image diffusion model be used as a training objective for adapting a GAN generator to another domain? In this paper, we show that the classifier-free guidance can be leveraged as a critic and enable generators to distill knowledge from large-scale text-to-image diffusion models. Generators can be efficiently shifted into new domains indicated by text prompts without access to groundtruth samples from target domains. We demonstrate the effectiveness and controllability of our method through extensive experiments. Although not trained to minimize CLIP loss, our model achieves equally high CLIP scores and significantly lower FID than prior work on short prompts, and outperforms the baseline qualitatively and quantitatively on long and complicated prompts. To our best knowledge, the proposed method is the first attempt at incorporating large-scale pre-trained diffusion models and distillation sampling for text-driven image generator domain adaptation and gives a quality previously beyond possible. Moreover, we extend our work to 3D-aware style-based generators and DreamBooth guidance.

Title: Multi-Concept Customization of Text-to-Image Diffusion. (arXiv:2212.04488v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04488
• Code URL: null
• Copy Paste: [[2212.04488] Multi-Concept Customization of Text-to-Image Diffusion](http://arxiv.org/abs/2212.04488) #diffusion
• Summary:

  While generative models produce high-quality images of concepts learned from a large-scale database, a user often wishes to synthesize instantiations of their own concepts (for example, their family, pets, or items). Can we teach a model to quickly acquire a new concept, given a few examples? Furthermore, can we compose multiple new concepts together? We propose Custom Diffusion, an efficient method for augmenting existing text-to-image models. We find that only optimizing a few parameters in the text-to-image conditioning mechanism is sufficiently powerful to represent new concepts while enabling fast tuning (~6 minutes). Additionally, we can jointly train for multiple concepts or combine multiple fine-tuned models into one via closed-form constrained optimization. Our fine-tuned model generates variations of multiple, new concepts and seamlessly composes them with existing concepts in novel settings. Our method outperforms several baselines and concurrent works, regarding both qualitative and quantitative evaluations, while being memory and computationally efficient.

Title: SINE: SINgle Image Editing with Text-to-Image Diffusion Models. (arXiv:2212.04489v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04489
• Code URL: https://github.com/zhang-zx/sine
• Copy Paste: [[2212.04489] SINE: SINgle Image Editing with Text-to-Image Diffusion Models](http://arxiv.org/abs/2212.04489) #diffusion
• Summary:

  Recent works on diffusion models have demonstrated a strong capability for conditioning image generation, e.g., text-guided image synthesis. Such success inspires many efforts trying to use large-scale pre-trained diffusion models for tackling a challenging problem--real image editing. Works conducted in this area learn a unique textual token corresponding to several images containing the same object. However, under many circumstances, only one image is available, such as the painting of the Girl with a Pearl Earring. Using existing works on fine-tuning the pre-trained diffusion models with a single image causes severe overfitting issues. The information leakage from the pre-trained diffusion models makes editing can not keep the same content as the given image while creating new features depicted by the language guidance. This work aims to address the problem of single-image editing. We propose a novel model-based guidance built upon the classifier-free guidance so that the knowledge from the model trained on a single image can be distilled into the pre-trained diffusion model, enabling content creation even with one given image. Additionally, we propose a patch-based fine-tuning that can effectively help the model generate images of arbitrary resolution. We provide extensive experiments to validate the design choices of our approach and show promising editing capabilities, including changing style, content addition, and object manipulation. The code is available for research purposes at https://github.com/zhang-zx/SINE.git .

Title: SDFusion: Multimodal 3D Shape Completion, Reconstruction, and Generation. (arXiv:2212.04493v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04493
• Code URL: null
• Copy Paste: [[2212.04493] SDFusion: Multimodal 3D Shape Completion, Reconstruction, and Generation](http://arxiv.org/abs/2212.04493) #diffusion
• Summary:

  In this work, we present a novel framework built to simplify 3D asset generation for amateur users. To enable interactive generation, our method supports a variety of input modalities that can be easily provided by a human, including images, text, partially observed shapes and combinations of these, further allowing to adjust the strength of each input. At the core of our approach is an encoder-decoder, compressing 3D shapes into a compact latent representation, upon which a diffusion model is learned. To enable a variety of multi-modal inputs, we employ task-specific encoders with dropout followed by a cross-attention mechanism. Due to its flexibility, our model naturally supports a variety of tasks, outperforming prior works on shape completion, image-based 3D reconstruction, and text-to-3D. Most interestingly, our model can combine all these tasks into one swiss-army-knife tool, enabling the user to perform shape generation using incomplete shapes, images, and textual descriptions at the same time, providing the relative weights for each input and facilitating interactivity. Despite our approach being shape-only, we further show an efficient method to texture the generated shape using large-scale text-to-image models.

Title: MoFusion: A Framework for Denoising-Diffusion-based Motion Synthesis. (arXiv:2212.04495v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2212.04495
• Code URL: null
• Copy Paste: [[2212.04495] MoFusion: A Framework for Denoising-Diffusion-based Motion Synthesis](http://arxiv.org/abs/2212.04495) #diffusion
• Summary:

  Conventional methods for human motion synthesis are either deterministic or struggle with the trade-off between motion diversity and motion quality. In response to these limitations, we introduce MoFusion, i.e., a new denoising-diffusion-based framework for high-quality conditional human motion synthesis that can generate long, temporally plausible, and semantically accurate motions based on a range of conditioning contexts (such as music and text). We also present ways to introduce well-known kinematic losses for motion plausibility within the motion diffusion framework through our scheduled weighting strategy. The learned latent space can be used for several interactive motion editing applications -- like inbetweening, seed conditioning, and text-based editing -- thus, providing crucial abilities for virtual character animation and robotics. Through comprehensive quantitative evaluations and a perceptual user study, we demonstrate the effectiveness of MoFusion compared to the state of the art on established benchmarks in the literature. We urge the reader to watch our supplementary video and visit https://vcai.mpi-inf.mpg.de/projects/MoFusion.