secure

security

Title: Creating awareness about security and safety on highways to mitigate wildlife-vehicle collisions by detecting and recognizing wildlife fences using deep learning and drone technology. (arXiv:2301.07174v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07174
• Code URL: null
• Copy Paste: [[2301.07174] Creating awareness about security and safety on highways to mitigate wildlife-vehicle collisions by detecting and recognizing wildlife fences using deep learning and drone technology](http://arxiv.org/abs/2301.07174) #security
• Summary:

  In South Africa, it is a common practice for people to leave their vehicles beside the road when traveling long distances for a short comfort break. This practice might increase human encounters with wildlife, threatening their security and safety. Here we intend to create awareness about wildlife fencing, using drone technology and computer vision algorithms to recognize and detect wildlife fences and associated features. We collected data at Amakhala and Lalibela private game reserves in the Eastern Cape, South Africa. We used wildlife electric fence data containing single and double fences for the classification task. Additionally, we used aerial and still annotated images extracted from the drone and still cameras for the segmentation and detection tasks. The model training results from the drone camera outperformed those from the still camera. Generally, poor model performance is attributed to (1) over-decompression of images and (2) the ability of drone cameras to capture more details on images for the machine learning model to learn as compared to still cameras that capture only the front view of the wildlife fence. We argue that our model can be deployed on client-edge devices to inform people about the presence and significance of wildlife fencing, which minimizes human encounters with wildlife, thereby mitigating wildlife-vehicle collisions.

Title: Representing Noisy Image Without Denoising. (arXiv:2301.07409v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07409
• Code URL: https://github.com/shurenqi/fmr
• Copy Paste: [[2301.07409] Representing Noisy Image Without Denoising](http://arxiv.org/abs/2301.07409) #security
• Summary:

  A long-standing topic in artificial intelligence is the effective recognition of patterns from noisy images. In this regard, the recent data-driven paradigm considers 1) improving the representation robustness by adding noisy samples in training phase (i.e., data augmentation) or 2) pre-processing the noisy image by learning to solve the inverse problem (i.e., image denoising). However, such methods generally exhibit inefficient process and unstable result, limiting their practical applications. In this paper, we explore a non-learning paradigm that aims to derive robust representation directly from noisy images, without the denoising as pre-processing. Here, the noise-robust representation is designed as Fractional-order Moments in Radon space (FMR), with also beneficial properties of orthogonality and rotation invariance. Unlike earlier integer-order methods, our work is a more generic design taking such classical methods as special cases, and the introduced fractional-order parameter offers time-frequency analysis capability that is not available in classical methods. Formally, both implicit and explicit paths for constructing the FMR are discussed in detail. Extensive simulation experiments and an image security application are provided to demonstrate the uniqueness and usefulness of our FMR, especially for noise robustness, rotation invariance, and time-frequency discriminability.

Title: A Multi-Scale Framework for Out-of-Distribution Detection in Dermoscopic Images. (arXiv:2301.07533v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07533
• Code URL: null
• Copy Paste: [[2301.07533] A Multi-Scale Framework for Out-of-Distribution Detection in Dermoscopic Images](http://arxiv.org/abs/2301.07533) #security
• Summary:

  The automatic detection of skin diseases via dermoscopic images can improve the efficiency in diagnosis and help doctors make more accurate judgments. However, conventional skin disease recognition systems may produce high confidence for out-of-distribution (OOD) data, which may become a major security vulnerability in practical applications. In this paper, we propose a multi-scale detection framework to detect out-of-distribution skin disease image data to ensure the robustness of the system. Our framework extracts features from different layers of the neural network. In the early layers, rectified activation is used to make the output features closer to the well-behaved distribution, and then an one-class SVM is trained to detect OOD data; in the penultimate layer, an adapted Gram matrix is used to calculate the features after rectified activation, and finally the layer with the best performance is chosen to compute a normality score. Experiments show that the proposed framework achieves superior performance when compared with other state-of-the-art methods in the task of skin disease recognition.

Title: How Close is ChatGPT to Human Experts? Comparison Corpus, Evaluation, and Detection. (arXiv:2301.07597v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.07597
• Code URL: https://github.com/hello-simpleai/chatgpt-comparison-detection
• Copy Paste: [[2301.07597] How Close is ChatGPT to Human Experts? Comparison Corpus, Evaluation, and Detection](http://arxiv.org/abs/2301.07597) #security
• Summary:

  The introduction of ChatGPT has garnered widespread attention in both academic and industrial communities. ChatGPT is able to respond effectively to a wide range of human questions, providing fluent and comprehensive answers that significantly surpass previous public chatbots in terms of security and usefulness. On one hand, people are curious about how ChatGPT is able to achieve such strength and how far it is from human experts. On the other hand, people are starting to worry about the potential negative impacts that large language models (LLMs) like ChatGPT could have on society, such as fake news, plagiarism, and social security issues. In this work, we collected tens of thousands of comparison responses from both human experts and ChatGPT, with questions ranging from open-domain, financial, medical, legal, and psychological areas. We call the collected dataset the Human ChatGPT Comparison Corpus (HC3). Based on the HC3 dataset, we study the characteristics of ChatGPT's responses, the differences and gaps from human experts, and future directions for LLMs. We conducted comprehensive human evaluations and linguistic analyses of ChatGPT-generated content compared with that of humans, where many interesting results are revealed. After that, we conduct extensive experiments on how to effectively detect whether a certain text is generated by ChatGPT or humans. We build three different detection systems, explore several key factors that influence their effectiveness, and evaluate them in different scenarios. The dataset, code, and models are all publicly available at https://github.com/Hello-SimpleAI/chatgpt-comparison-detection.

Title: Are Home Security Systems Reliable?. (arXiv:2301.07202v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07202
• Code URL: null
• Copy Paste: [[2301.07202] Are Home Security Systems Reliable?](http://arxiv.org/abs/2301.07202) #security
• Summary:

  Home security systems have become increasingly popular since they provide an additional layer of protection and peace of mind. These systems typically include battery-powered motion sensors, contact sensors, and smart locks. Z-Wave is a very popular wireless communication technology for these low-power systems. In this paper, we demonstrate two new attacks targeting Z-Wave devices. First, we show how an attacker can remotely attack Z-Wave security devices to increase their power consumption by three orders of magnitude, reducing their battery life from a few years to just a few hours. Second, we show multiple Denial of Service (DoS) attacks which enables an attacker to interrupt the operation of security systems in just a few seconds. Our experiments show that these attacks are effective even when the attacker device is in a car 100 meters away from the targeted house.

Title: Review, Meta-Taxonomy, and Use Cases of Cyberattack Taxonomies of Manufacturing Cybersecurity Threat Attributes and Countermeasures. (arXiv:2301.07303v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07303
• Code URL: null
• Copy Paste: [[2301.07303] Review, Meta-Taxonomy, and Use Cases of Cyberattack Taxonomies of Manufacturing Cybersecurity Threat Attributes and Countermeasures](http://arxiv.org/abs/2301.07303) #security
• Summary:

  A thorough and systematic understanding of different elements of cyberattacks is essential for developing the necessary tools to prevent, detect, diagnose, and mitigate cyberattacks in manufacturing systems. In response, researchers have proposed several attack taxonomies as methods for recognizing and categorizing various cyberattack attributes. However, those taxonomies cover selected attack attributes depending on the research focus, sometimes accompanied by inconsistent naming and definitions. These seemingly different taxonomies often overlap and can complement each other to create a comprehensive knowledge base of cyberattack attributes that is currently missing in the literature. Additionally, there is a missing link from creating structured knowledge by using a taxonomy to applying this structure for cybersecurity tools development and aiding practitioners in using it. To tackle these challenges, this article highlights how cyberattack taxonomies can be used to better understand and characterize manufacturing cybersecurity threats. It also reviews and analyzes current taxonomical classifications of manufacturing cybersecurity threat attributes and countermeasures, as well as the proliferation of the scope and coverage in existing taxonomies. As a result, these taxonomies are compiled into a more comprehensive and consistent meta-taxonomy for the smart manufacturing space. The resulting meta-taxonomy provides a holistic analysis of current taxonomies and integrates them into a unified structure. Based on this structure, this paper identifies gaps in current attack taxonomies and provides directions for future improvements. Finally, the paper introduces potential use cases for attack taxonomies in smart manufacturing systems for assessing security threats and their associated risks, devising risk mitigation strategies, and informing the application of cybersecurity frameworks.

Title: Graph-Theoretic Approach for Manufacturing Cybersecurity Risk Modeling and Assessment. (arXiv:2301.07305v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07305
• Code URL: null
• Copy Paste: [[2301.07305] Graph-Theoretic Approach for Manufacturing Cybersecurity Risk Modeling and Assessment](http://arxiv.org/abs/2301.07305) #security
• Summary:

  Identifying, analyzing, and evaluating cybersecurity risks are essential to assess the vulnerabilities of modern manufacturing infrastructures and to devise effective decision-making strategies to secure critical manufacturing against potential cyberattacks. In response, this work proposes a graph-theoretic approach for risk modeling and assessment to address the lack of quantitative cybersecurity risk assessment frameworks for smart manufacturing systems. In doing so, first, threat attributes are represented using an attack graphical model derived from manufacturing cyberattack taxonomies. Attack taxonomies offer consistent structures to categorize threat attributes, and the graphical approach helps model their interdependence. Second, the graphs are analyzed to explore how threat events can propagate through the manufacturing value chain and identify the manufacturing assets that threat actors can access and compromise during a threat event. Third, the proposed method identifies the attack path that maximizes the likelihood of success and minimizes the attack detection probability, and then computes the associated cybersecurity risk. Finally, the proposed risk modeling and assessment framework is demonstrated via an interconnected smart manufacturing system illustrative example. Using the proposed approach, practitioners can identify critical connections and manufacturing assets requiring prioritized security controls and develop and deploy appropriate defense measures accordingly.

Title: One Size Does not Fit All: Quantifying the Risk of Malicious App Encounters for Different Android User Profiles. (arXiv:2301.07346v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07346
• Code URL: null
• Copy Paste: [[2301.07346] One Size Does not Fit All: Quantifying the Risk of Malicious App Encounters for Different Android User Profiles](http://arxiv.org/abs/2301.07346) #security
• Summary:

  Previous work has investigated the particularities of security practices within specific user communities defined based on country of origin, age, prior tech abuse, and economic status. Their results highlight that current security solutions that adopt a one-size-fits-all-users approach ignore the differences and needs of particular user communities. However, those works focus on a single community or cluster users into hard-to-interpret sub-populations.

In this work, we perform a large-scale quantitative analysis of the risk of encountering malware and other potentially unwanted applications (PUA) across user communities. At the core of our study is a dataset of app installation logs collected from 12M Android mobile devices. Leveraging user-installed apps, we define intuitive profiles based on users' interests (e.g., gamers and investors), and fit a subset of 5.4M devices to those profiles. Our analysis is structured in three parts. First, we perform risk analysis on the whole population to measure how the risk of malicious app encounters is affected by different factors. Next, we create different profiles to investigate whether risk differences across users may be due to their interests. Finally, we compare a per-profile approach for classifying clean and infected devices with the classical approach that considers the whole population.

We observe that features such as the diversity of the app signers and the use of alternative markets highly correlate with the risk of malicious app encounters. We also discover that some profiles such as gamers and social-media users are exposed to more than twice the risks experienced by the average users. We also show that the classification outcome has a marked accuracy improvement when using a per-profile approach to train the prediction models. Overall, our results confirm the inadequacy of one-size-fits-all protection solutions.

Title: Threats, Vulnerabilities, and Controls of Machine Learning Based Systems: A Survey and Taxonomy. (arXiv:2301.07474v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07474
• Code URL: null
• Copy Paste: [[2301.07474] Threats, Vulnerabilities, and Controls of Machine Learning Based Systems: A Survey and Taxonomy](http://arxiv.org/abs/2301.07474) #security
• Summary:

  In this article, we propose the Artificial Intelligence Security Taxonomy to systematize the knowledge of threats, vulnerabilities, and security controls of ML-based systems. We first classify the damage caused by attacks against ML-based systems, define ML-specific security, and discuss its characteristics. Next, we enumerate all relevant assets and stakeholders and provide a general taxonomy for ML-specific threats. Then, we collect a wide range of security controls against ML-specific threats through an extensive review of recent literature. Finally, we classify the vulnerabilities and controls of an ML-based system in terms of each vulnerable asset in the system's entire lifecycle.

Title: Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data. (arXiv:2301.07628v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07628
• Code URL: https://github.com/theadamproject/universalneuralcrackingmachines
• Copy Paste: [[2301.07628] Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data](http://arxiv.org/abs/2301.07628) #security
• Summary:

  We develop the first universal password model -- a password model that, once pre-trained, can automatically adapt to any password distribution. To achieve this result, the model does not need to access any plaintext passwords from the target set. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying target password distribution. The model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target community at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides defining a new state-of-the-art for password strength estimation, our model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirement of collecting suitable training data and fitting the underlying password model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions on a large scale.

privacy

Title: ACQ: Improving Generative Data-free Quantization Via Attention Correction. (arXiv:2301.07266v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07266
• Code URL: null
• Copy Paste: [[2301.07266] ACQ: Improving Generative Data-free Quantization Via Attention Correction](http://arxiv.org/abs/2301.07266) #privacy
• Summary:

  Data-free quantization aims to achieve model quantization without accessing any authentic sample. It is significant in an application-oriented context involving data privacy. Converting noise vectors into synthetic samples through a generator is a popular data-free quantization method, which is called generative data-free quantization. However, there is a difference in attention between synthetic samples and authentic samples. This is always ignored and restricts the quantization performance. First, since synthetic samples of the same class are prone to have homogenous attention, the quantized network can only learn limited modes of attention. Second, synthetic samples in eval mode and training mode exhibit different attention. Hence, the batch-normalization statistics matching tends to be inaccurate. ACQ is proposed in this paper to fix the attention of synthetic samples. An attention center position-condition generator is established regarding the homogenization of intra-class attention. Restricted by the attention center matching loss, the attention center position is treated as the generator's condition input to guide synthetic samples in obtaining diverse attention. Moreover, we design adversarial loss of paired synthetic samples under the same condition to prevent the generator from paying overmuch attention to the condition, which may result in mode collapse. To improve the attention similarity of synthetic samples in different network modes, we introduce a consistency penalty to guarantee accurate BN statistics matching. The experimental results demonstrate that ACQ effectively improves the attention problems of synthetic samples. Under various training settings, ACQ achieves the best quantization performance. For the 4-bit quantization of Resnet18 and Resnet50, ACQ reaches 67.55% and 72.23% accuracy, respectively.

Title: Distributed LSTM-Learning from Differentially Private Label Proportions. (arXiv:2301.07101v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07101
• Code URL: null
• Copy Paste: [[2301.07101] Distributed LSTM-Learning from Differentially Private Label Proportions](http://arxiv.org/abs/2301.07101) #privacy
• Summary:

  Data privacy and decentralised data collection has become more and more popular in recent years. In order to solve issues with privacy, communication bandwidth and learning from spatio-temporal data, we will propose two efficient models which use Differential Privacy and decentralized LSTM-Learning: One, in which a Long Short Term Memory (LSTM) model is learned for extracting local temporal node constraints and feeding them into a Dense-Layer (LabelProportionToLocal). The other approach extends the first one by fetching histogram data from the neighbors and joining the information with the LSTM output (LabelProportionToDense). For evaluation two popular datasets are used: Pems-Bay and METR-LA. Additionally, we provide an own dataset, which is based on LuST. The evaluation will show the tradeoff between performance and data privacy.

Title: Continuous Trajectory Generation Based on Two-Stage GAN. (arXiv:2301.07103v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07103
• Code URL: null
• Copy Paste: [[2301.07103] Continuous Trajectory Generation Based on Two-Stage GAN](http://arxiv.org/abs/2301.07103) #privacy
• Summary:

  Simulating the human mobility and generating large-scale trajectories are of great use in many real-world applications, such as urban planning, epidemic spreading analysis, and geographic privacy protect. Although many previous works have studied the problem of trajectory generation, the continuity of the generated trajectories has been neglected, which makes these methods useless for practical urban simulation scenarios. To solve this problem, we propose a novel two-stage generative adversarial framework to generate the continuous trajectory on the road network, namely TS-TrajGen, which efficiently integrates prior domain knowledge of human mobility with model-free learning paradigm. Specifically, we build the generator under the human mobility hypothesis of the A* algorithm to learn the human mobility behavior. For the discriminator, we combine the sequential reward with the mobility yaw reward to enhance the effectiveness of the generator. Finally, we propose a novel two-stage generation process to overcome the weak point of the existing stochastic generation process. Extensive experiments on two real-world datasets and two case studies demonstrate that our framework yields significant improvements over the state-of-the-art methods.

Title: Synthcity: facilitating innovative use cases of synthetic data in different data modalities. (arXiv:2301.07573v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07573
• Code URL: https://github.com/vanderschaarlab/synthcity
• Copy Paste: [[2301.07573] Synthcity: facilitating innovative use cases of synthetic data in different data modalities](http://arxiv.org/abs/2301.07573) #privacy
• Summary:

  Synthcity is an open-source software package for innovative use cases of synthetic data in ML fairness, privacy and augmentation across diverse tabular data modalities, including static data, regular and irregular time series, data with censoring, multi-source data, composite data, and more. Synthcity provides the practitioners with a single access point to cutting edge research and tools in synthetic data. It also offers the community a playground for rapid experimentation and prototyping, a one-stop-shop for SOTA benchmarks, and an opportunity for extending research impact. The library can be accessed on GitHub (https://github.com/vanderschaarlab/synthcity) and pip (https://pypi.org/project/synthcity/). We warmly invite the community to join the development effort by providing feedback, reporting bugs, and contributing code.

protect

Title: Semi-Supervised Semantic Segmentation via Gentle Teaching Assistant. (arXiv:2301.07340v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07340
• Code URL: https://github.com/Jin-Ying/GTA-Seg
• Copy Paste: [[2301.07340] Semi-Supervised Semantic Segmentation via Gentle Teaching Assistant](http://arxiv.org/abs/2301.07340) #protect
• Summary:

  Semi-Supervised Semantic Segmentation aims at training the segmentation model with limited labeled data and a large amount of unlabeled data. To effectively leverage the unlabeled data, pseudo labeling, along with the teacher-student framework, is widely adopted in semi-supervised semantic segmentation. Though proved to be effective, this paradigm suffers from incorrect pseudo labels which inevitably exist and are taken as auxiliary training data. To alleviate the negative impact of incorrect pseudo labels, we delve into the current Semi-Supervised Semantic Segmentation frameworks. We argue that the unlabeled data with pseudo labels can facilitate the learning of representative features in the feature extractor, but it is unreliable to supervise the mask predictor. Motivated by this consideration, we propose a novel framework, Gentle Teaching Assistant (GTA-Seg) to disentangle the effects of pseudo labels on feature extractor and mask predictor of the student model. Specifically, in addition to the original teacher-student framework, our method introduces a teaching assistant network which directly learns from pseudo labels generated by the teacher network. The gentle teaching assistant (GTA) is coined gentle since it only transfers the beneficial feature representation knowledge in the feature extractor to the student model in an Exponential Moving Average (EMA) manner, protecting the student model from the negative influences caused by unreliable pseudo labels in the mask predictor. The student model is also supervised by reliable labeled data to train an accurate mask predictor, further facilitating feature representation. Extensive experiment results on benchmark datasets validate that our method shows competitive performance against previous methods. Code is available at https://github.com/Jin-Ying/GTA-Seg.

defense

attack

Title: Face Recognition in the age of CLIP & Billion image datasets. (arXiv:2301.07315v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07315
• Code URL: null
• Copy Paste: [[2301.07315] Face Recognition in the age of CLIP & Billion image datasets](http://arxiv.org/abs/2301.07315) #attack
• Summary:

  CLIP (Contrastive Language-Image Pre-training) models developed by OpenAI have achieved outstanding results on various image recognition and retrieval tasks, displaying strong zero-shot performance. This means that they are able to perform effectively on tasks for which they have not been explicitly trained. Inspired by the success of OpenAI CLIP, a new publicly available dataset called LAION-5B was collected which resulted in the development of open ViT-H/14, ViT-G/14 models that outperform the OpenAI L/14 model. The LAION-5B dataset also released an approximate nearest neighbor index, with a web interface for search & subset creation.

In this paper, we evaluate the performance of various CLIP models as zero-shot face recognizers. Our findings show that CLIP models perform well on face recognition tasks, but increasing the size of the CLIP model does not necessarily lead to improved accuracy. Additionally, we investigate the robustness of CLIP models against data poisoning attacks by testing their performance on poisoned data. Through this analysis, we aim to understand the potential consequences and misuse of search engines built using CLIP models, which could potentially function as unintentional face recognition engines.

Title: Label Inference Attack against Split Learning under Regression Setting. (arXiv:2301.07284v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07284
• Code URL: null
• Copy Paste: [[2301.07284] Label Inference Attack against Split Learning under Regression Setting](http://arxiv.org/abs/2301.07284) #attack
• Summary:

  As a crucial building block in vertical Federated Learning (vFL), Split Learning (SL) has demonstrated its practice in the two-party model training collaboration, where one party holds the features of data samples and another party holds the corresponding labels. Such method is claimed to be private considering the shared information is only the embedding vectors and gradients instead of private raw data and labels. However, some recent works have shown that the private labels could be leaked by the gradients. These existing attack only works under the classification setting where the private labels are discrete. In this work, we step further to study the leakage in the scenario of the regression model, where the private labels are continuous numbers (instead of discrete labels in classification). This makes previous attacks harder to infer the continuous labels due to the unbounded output range. To address the limitation, we propose a novel learning-based attack that integrates gradient information and extra learning regularization objectives in aspects of model training properties, which can infer the labels under regression settings effectively. The comprehensive experiments on various datasets and models have demonstrated the effectiveness of our proposed attack. We hope our work can pave the way for future analyses that make the vFL framework more secure.

Title: Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing. (arXiv:2301.07642v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07642
• Code URL: null
• Copy Paste: [[2301.07642] Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing](http://arxiv.org/abs/2301.07642) #attack
• Summary:

  Attacks like Spectre abuse speculative execution, one of the key performance optimizations of modern CPUs. Recently, several testing tools have emerged to automatically detect speculative leaks in commercial (black-box) CPUs. However, the testing process is still slow, which has hindered in-depth testing campaigns, and so far prevented the discovery of new classes of leakage.

In this paper, we identify the root causes of the performance limitations in existing approaches, and propose techniques to overcome these limitations. With these techniques, we improve the testing speed over the state-of-the-art by up to two orders of magnitude.

These improvements enable us to run a testing campaign of unprecedented depth on Intel and AMD CPUs. As a highlight, we discover two types of previously unknown speculative leaks (affecting string comparison and division) that have escaped previous manual and automatic analyses.

Title: Adversarial AI in Insurance: Pervasiveness and Resilience. (arXiv:2301.07520v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07520
• Code URL: null
• Copy Paste: [[2301.07520] Adversarial AI in Insurance: Pervasiveness and Resilience](http://arxiv.org/abs/2301.07520) #attack
• Summary:

  The rapid and dynamic pace of Artificial Intelligence (AI) and Machine Learning (ML) is revolutionizing the insurance sector. AI offers significant, very much welcome advantages to insurance companies, and is fundamental to their customer-centricity strategy. It also poses challenges, in the project and implementation phase. Among those, we study Adversarial Attacks, which consist of the creation of modified input data to deceive an AI system and produce false outputs. We provide examples of attacks on insurance AI applications, categorize them, and argue on defence methods and precautionary systems, considering that they can involve few-shot and zero-shot multilabelling. A related topic, with growing interest, is the validation and verification of systems incorporating AI and ML components. These topics are discussed in various sections of this paper.

robust

Title: Improve Noise Tolerance of Robust Loss via Noise-Awareness. (arXiv:2301.07306v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07306
• Code URL: null
• Copy Paste: [[2301.07306] Improve Noise Tolerance of Robust Loss via Noise-Awareness](http://arxiv.org/abs/2301.07306) #robust
• Summary:

  Robust loss minimization is an important strategy for handling robust learning issue on noisy labels. Current robust losses, however, inevitably involve hyperparameters to be tuned for different datasets with noisy labels, manually or heuristically through cross validation, which makes them fairly hard to be generally applied in practice. Existing robust loss methods usually assume that all training samples share common hyperparameters, which are independent of instances. This limits the ability of these methods on distinguishing individual noise properties of different samples, making them hardly adapt to different noise structures. To address above issues, we propose to assemble robust loss with instance-dependent hyperparameters to improve their noise-tolerance with theoretical guarantee. To achieve setting such instance-dependent hyperparameters for robust loss, we propose a meta-learning method capable of adaptively learning a hyperparameter prediction function, called Noise-Aware-Robust-Loss-Adjuster (NARL-Adjuster). Specifically, through mutual amelioration between hyperparameter prediction function and classifier parameters in our method, both of them can be simultaneously finely ameliorated and coordinated to attain solutions with good generalization capability. Four kinds of SOTA robust losses are attempted to be integrated with our algorithm, and experiments substantiate the general availability and effectiveness of the proposed method in both its noise tolerance and generalization performance. Meanwhile, the explicit parameterized structure makes the meta-learned prediction function capable of being readily transferrable and plug-and-play to unseen datasets with noisy labels. Specifically, we transfer our meta-learned NARL-Adjuster to unseen tasks, including several real noisy datasets, and achieve better performance compared with conventional hyperparameter tuning strategy.

Title: Robust Knowledge Adaptation for Federated Unsupervised Person ReID. (arXiv:2301.07320v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07320
• Code URL: null
• Copy Paste: [[2301.07320] Robust Knowledge Adaptation for Federated Unsupervised Person ReID](http://arxiv.org/abs/2301.07320) #robust
• Summary:

  Person Re-identification (ReID) has been extensively studied in recent years due to the increasing demand in public security. However, collecting and dealing with sensitive personal data raises privacy concerns. Therefore, federated learning has been explored for Person ReID, which aims to share minimal sensitive data between different parties (clients). However, existing federated learning based person ReID methods generally rely on laborious and time-consuming data annotations and it is difficult to guarantee cross-domain consistency. Thus, in this work, a federated unsupervised cluster-contrastive (FedUCC) learning method is proposed for Person ReID. FedUCC introduces a three-stage modelling strategy following a coarse-to-fine manner. In detail, generic knowledge, specialized knowledge and patch knowledge are discovered using a deep neural network. This enables the sharing of mutual knowledge among clients while retaining local domain-specific knowledge based on the kinds of network layers and their parameters. Comprehensive experiments on 8 public benchmark datasets demonstrate the state-of-the-art performance of our proposed method.

Title: CLIPTER: Looking at the Bigger Picture in Scene Text Recognition. (arXiv:2301.07464v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07464
• Code URL: null
• Copy Paste: [[2301.07464] CLIPTER: Looking at the Bigger Picture in Scene Text Recognition](http://arxiv.org/abs/2301.07464) #robust
• Summary:

  Understanding the scene is often essential for reading text in real-world scenarios. However, current scene text recognizers operate on cropped text images, unaware of the bigger picture. In this work, we harness the representative power of recent vision-language models, such as CLIP, to provide the crop-based recognizer with scene, image-level information. Specifically, we obtain a rich representation of the entire image and fuse it with the recognizer word-level features via cross-attention. Moreover, a gated mechanism is introduced that gradually shifts to the context-enriched representation, enabling simply fine-tuning a pretrained recognizer. We implement our model-agnostic framework, named CLIPTER - CLIP Text Recognition, on several leading text recognizers and demonstrate consistent performance gains, achieving state-of-the-art results over multiple benchmarks. Furthermore, an in-depth analysis reveals improved robustness to out-of-vocabulary words and enhanced generalization in low-data regimes.

Title: OmniObject3D: Large-Vocabulary 3D Object Dataset for Realistic Perception, Reconstruction and Generation. (arXiv:2301.07525v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07525
• Code URL: null
• Copy Paste: [[2301.07525] OmniObject3D: Large-Vocabulary 3D Object Dataset for Realistic Perception, Reconstruction and Generation](http://arxiv.org/abs/2301.07525) #robust
• Summary:

  Recent advances in modeling 3D objects mostly rely on synthetic datasets due to the lack of large-scale realscanned 3D databases. To facilitate the development of 3D perception, reconstruction, and generation in the real world, we propose OmniObject3D, a large vocabulary 3D object dataset with massive high-quality real-scanned 3D objects. OmniObject3D has several appealing properties: 1) Large Vocabulary: It comprises 6,000 scanned objects in 190 daily categories, sharing common classes with popular 2D datasets (e.g., ImageNet and LVIS), benefiting the pursuit of generalizable 3D representations. 2) Rich Annotations: Each 3D object is captured with both 2D and 3D sensors, providing textured meshes, point clouds, multiview rendered images, and multiple real-captured videos. 3) Realistic Scans: The professional scanners support highquality object scans with precise shapes and realistic appearances. With the vast exploration space offered by OmniObject3D, we carefully set up four evaluation tracks: a) robust 3D perception, b) novel-view synthesis, c) neural surface reconstruction, and d) 3D object generation. Extensive studies are performed on these four benchmarks, revealing new observations, challenges, and opportunities for future research in realistic 3D vision.

Title: Active learning for medical image segmentation with stochastic batches. (arXiv:2301.07670v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07670
• Code URL: null
• Copy Paste: [[2301.07670] Active learning for medical image segmentation with stochastic batches](http://arxiv.org/abs/2301.07670) #robust
• Summary:

  The performance of learning-based algorithms improves with the amount of labelled data used for training. Yet, manually annotating data can be tedious and expensive, especially in medical image segmentation. To reduce manual labelling, active learning (AL) targets the most informative samples from the unlabelled set to annotate and add to the labelled training set. On one hand, most active learning works have focused on the classification or limited segmentation of natural images, despite active learning being highly desirable in the difficult task of medical image segmentation. On the other hand, uncertainty-based AL approaches notoriously offer sub-optimal batch-query strategies, while diversity-based methods tend to be computationally expensive. Over and above methodological hurdles, random sampling has proven an extremely difficult baseline to outperform when varying learning and sampling conditions. This work aims to take advantage of the diversity and speed offered by random sampling to improve the selection of uncertainty-based AL methods for segmenting medical images. More specifically, we propose to compute uncertainty at the level of batches instead of samples through an original use of stochastic batches during sampling in AL. Exhaustive experiments on medical image segmentation, with an illustration on MRI prostate imaging, show that the benefits of stochastic batches during sample selection are robust to a variety of changes in the training and sampling procedures.

Title: Adversarial Robust Deep Reinforcement Learning Requires Redefining Robustness. (arXiv:2301.07487v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07487
• Code URL: null
• Copy Paste: [[2301.07487] Adversarial Robust Deep Reinforcement Learning Requires Redefining Robustness](http://arxiv.org/abs/2301.07487) #robust
• Summary:

  Learning from raw high dimensional data via interaction with a given environment has been effectively achieved through the utilization of deep neural networks. Yet the observed degradation in policy performance caused by imperceptible worst-case policy dependent translations along high sensitivity directions (i.e. adversarial perturbations) raises concerns on the robustness of deep reinforcement learning policies. In our paper, we show that these high sensitivity directions do not lie only along particular worst-case directions, but rather are more abundant in the deep neural policy landscape and can be found via more natural means in a black-box setting. Furthermore, we show that vanilla training techniques intriguingly result in learning more robust policies compared to the policies learnt via the state-of-the-art adversarial training techniques. We believe our work lays out intriguing properties of the deep reinforcement learning policy manifold and our results can help to build robust and generalizable deep reinforcement learning policies.

Title: A variational autoencoder-based nonnegative matrix factorisation model for deep dictionary learning. (arXiv:2301.07272v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07272
• Code URL: null
• Copy Paste: [[2301.07272] A variational autoencoder-based nonnegative matrix factorisation model for deep dictionary learning](http://arxiv.org/abs/2301.07272) #robust
• Summary:

  Construction of dictionaries using nonnegative matrix factorisation (NMF) has extensive applications in signal processing and machine learning. With the advances in deep learning, training compact and robust dictionaries using deep neural networks, i.e., dictionaries of deep features, has been proposed. In this study, we propose a probabilistic generative model which employs a variational autoencoder (VAE) to perform nonnegative dictionary learning. In contrast to the existing VAE models, we cast the model under a statistical framework with latent variables obeying a Gamma distribution and design a new loss function to guarantee the nonnegative dictionaries. We adopt an acceptance-rejection sampling reparameterization trick to update the latent variables iteratively. We apply the dictionaries learned from VAE-NMF to two signal processing tasks, i.e., enhancement of speech and extraction of muscle synergies. Experimental results demonstrate that VAE-NMF performs better in learning the latent nonnegative dictionaries in comparison with state-of-the-art methods.

Title: A Robust Classification Framework for Byzantine-Resilient Stochastic Gradient Descent. (arXiv:2301.07498v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07498
• Code URL: https://github.com/nkalyanv/rgcf
• Copy Paste: [[2301.07498] A Robust Classification Framework for Byzantine-Resilient Stochastic Gradient Descent](http://arxiv.org/abs/2301.07498) #robust
• Summary:

  This paper proposes a Robust Gradient Classification Framework (RGCF) for Byzantine fault tolerance in distributed stochastic gradient descent. The framework consists of a pattern recognition filter which we train to be able to classify individual gradients as Byzantine by using their direction alone. This filter is robust to an arbitrary number of Byzantine workers for convex as well as non-convex optimisation settings, which is a significant improvement on the prior work that is robust to Byzantine faults only when up to 50% of the workers are Byzantine. This solution does not require an estimate of the number of Byzantine workers; its running time is not dependent on the number of workers and can scale up to training instances with a large number of workers without a loss in performance. We validate our solution by training convolutional neural networks on the MNIST dataset in the presence of Byzantine workers.

biometric

steal

extraction

Title: Gated-ViGAT: Efficient Bottom-Up Event Recognition and Explanation Using a New Frame Selection Policy and Gating Mechanism. (arXiv:2301.07565v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07565
• Code URL: https://github.com/bmezaris/gated-vigat
• Copy Paste: [[2301.07565] Gated-ViGAT: Efficient Bottom-Up Event Recognition and Explanation Using a New Frame Selection Policy and Gating Mechanism](http://arxiv.org/abs/2301.07565) #extraction
• Summary:

  In this paper, Gated-ViGAT, an efficient approach for video event recognition, utilizing bottom-up (object) information, a new frame sampling policy and a gating mechanism is proposed. Specifically, the frame sampling policy uses weighted in-degrees (WiDs), derived from the adjacency matrices of graph attention networks (GATs), and a dissimilarity measure to select the most salient and at the same time diverse frames representing the event in the video. Additionally, the proposed gating mechanism fetches the selected frames sequentially, and commits early-exiting when an adequately confident decision is achieved. In this way, only a few frames are processed by the computationally expensive branch of our network that is responsible for the bottom-up information extraction. The experimental evaluation on two large, publicly available video datasets (MiniKinetics, ActivityNet) demonstrates that Gated-ViGAT provides a large computational complexity reduction in comparison to our previous approach (ViGAT), while maintaining the excellent event recognition and explainability performance. Gated-ViGAT source code is made publicly available at https://github.com/bmezaris/Gated-ViGAT

Title: Learning a Formality-Aware Japanese Sentence Representation. (arXiv:2301.07209v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.07209
• Code URL: null
• Copy Paste: [[2301.07209] Learning a Formality-Aware Japanese Sentence Representation](http://arxiv.org/abs/2301.07209) #extraction
• Summary:

  While the way intermediate representations are generated in encoder-decoder sequence-to-sequence models typically allow them to preserve the semantics of the input sentence, input features such as formality might be left out. On the other hand, downstream tasks such as translation would benefit from working with a sentence representation that preserves formality in addition to semantics, so as to generate sentences with the appropriate level of social formality -- the difference between speaking to a friend versus speaking with a supervisor. We propose a sequence-to-sequence method for learning a formality-aware representation for Japanese sentences, where sentence generation is conditioned on both the original representation of the input sentence, and a side constraint which guides the sentence representation towards preserving formality information. Additionally, we propose augmenting the sentence representation with a learned representation of formality which facilitates the extraction of formality in downstream tasks. We address the lack of formality-annotated parallel data by adapting previous works on procedural formality classification of Japanese sentences. Experimental results suggest that our techniques not only helps the decoder recover the formality of the input sentence, but also slightly improves the preservation of input sentence semantics.

Title: Mortality Prediction with Adaptive Feature Importance Recalibration for Peritoneal Dialysis Patients: a deep-learning-based study on a real-world longitudinal follow-up dataset. (arXiv:2301.07107v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07107
• Code URL: https://github.com/accountable-machine-intelligence/aicare
• Copy Paste: [[2301.07107] Mortality Prediction with Adaptive Feature Importance Recalibration for Peritoneal Dialysis Patients: a deep-learning-based study on a real-world longitudinal follow-up dataset](http://arxiv.org/abs/2301.07107) #extraction
• Summary:

  Objective: Peritoneal Dialysis (PD) is one of the most widely used life-supporting therapies for patients with End-Stage Renal Disease (ESRD). Predicting mortality risk and identifying modifiable risk factors based on the Electronic Medical Records (EMR) collected along with the follow-up visits are of great importance for personalized medicine and early intervention. Here, our objective is to develop a deep learning model for a real-time, individualized, and interpretable mortality prediction model - AICare. Method and Materials: Our proposed model consists of a multi-channel feature extraction module and an adaptive feature importance recalibration module. AICare explicitly identifies the key features that strongly indicate the outcome prediction for each patient to build the health status embedding individually. This study has collected 13,091 clinical follow-up visits and demographic data of 656 PD patients. To verify the application universality, this study has also collected 4,789 visits of 1,363 hemodialysis dialysis (HD) as an additional experiment dataset to test the prediction performance, which will be discussed in the Appendix. Results: 1) Experiment results show that AICare achieves 81.6%/74.3% AUROC and 47.2%/32.5% AUPRC for the 1-year mortality prediction task on PD/HD dataset respectively, which outperforms the state-of-the-art comparative deep learning models. 2) This study first provides a comprehensive elucidation of the relationship between the causes of mortality in patients with PD and clinical features based on an end-to-end deep learning model. 3) This study first reveals the pattern of variation in the importance of each feature in the mortality prediction based on built-in interpretability. 4) We develop a practical AI-Doctor interaction system to visualize the trajectory of patients' health status and risk indicators.

membership infer

federate

Title: Private Federated Submodel Learning via Private Set Union. (arXiv:2301.07686v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.07686
• Code URL: null
• Copy Paste: [[2301.07686] Private Federated Submodel Learning via Private Set Union](http://arxiv.org/abs/2301.07686) #federate
• Summary:

  We consider the federated submodel learning (FSL) problem and propose an approach where clients are able to update the central model information theoretically privately. Our approach is based on private set union (PSU), which is further based on multi-message symmetric private information retrieval (MM-SPIR). The server has two non-colluding databases which keep the model in a replicated manner. With our scheme, the server does not get to learn anything further than the subset of submodels updated by the clients: the server does not get to know which client updated which submodel(s), or anything about the local client data. In comparison to the state-of-the-art private FSL schemes of Jia-Jafar and Vithana-Ulukus, our scheme does not require noisy storage of the model at the databases; and in comparison to the secure aggregation scheme of Zhao-Sun, our scheme does not require pre-distribution of client-side common randomness, instead, our scheme creates the required client-side common randomness via random SPIR and one-time pads. The protocol starts with a common randomness generation (CRG) phase where the two databases establish common randomness at the client-side using RSPIR and one-time pads (this phase is called FSL-CRG). Next, the clients utilize the established client-side common randomness to have the server determine privately the union of indices of submodels to be updated collectively by the clients (this phase is called FSL-PSU). Then, the two databases broadcast the current versions of the submodels in the set union to clients. The clients update the submodels based on their local training data. Finally, the clients use a variation of FSL-PSU to write the updates back to the databases privately (this phase is called FSL-write). Our proposed private FSL scheme is robust against client drop-outs, client late-arrivals, and database drop-outs.

fair

interpretability

explainability

Title: TAME: Attention Mechanism Based Feature Fusion for Generating Explanation Maps of Convolutional Neural Networks. (arXiv:2301.07407v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07407
• Code URL: https://github.com/bmezaris/tame
• Copy Paste: [[2301.07407] TAME: Attention Mechanism Based Feature Fusion for Generating Explanation Maps of Convolutional Neural Networks](http://arxiv.org/abs/2301.07407) #explainability
• Summary:

  The apparent ``black box'' nature of neural networks is a barrier to adoption in applications where explainability is essential. This paper presents TAME (Trainable Attention Mechanism for Explanations), a method for generating explanation maps with a multi-branch hierarchical attention mechanism. TAME combines a target model's feature maps from multiple layers using an attention mechanism, transforming them into an explanation map. TAME can easily be applied to any convolutional neural network (CNN) by streamlining the optimization of the attention mechanism's training method and the selection of target model's feature maps. After training, explanation maps can be computed in a single forward pass. We apply TAME to two widely used models, i.e. VGG-16 and ResNet-50, trained on ImageNet and show improvements over previous top-performing methods. We also provide a comprehensive ablation study comparing the performance of different variations of TAME's architecture. TAME source code is made publicly available at https://github.com/bmezaris/TAME

watermark

diffusion

Title: Image Embedding for Denoising Generative Models. (arXiv:2301.07485v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.07485
• Code URL: null
• Copy Paste: [[2301.07485] Image Embedding for Denoising Generative Models](http://arxiv.org/abs/2301.07485) #diffusion
• Summary:

  Denoising Diffusion models are gaining increasing popularity in the field of generative modeling for several reasons, including the simple and stable training, the excellent generative quality, and the solid probabilistic foundation. In this article, we address the problem of {\em embedding} an image into the latent space of Denoising Diffusion Models, that is finding a suitable ``noisy'' image whose denoising results in the original image. We particularly focus on Denoising Diffusion Implicit Models due to the deterministic nature of their reverse diffusion process. As a side result of our investigation, we gain a deeper insight into the structure of the latent space of diffusion models, opening interesting perspectives on its exploration, the definition of semantic trajectories, and the manipulation/conditioning of encodings for editing purposes. A particularly interesting property highlighted by our research, which is also characteristic of this class of generative models, is the independence of the latent representation from the networks implementing the reverse diffusion process. In other words, a common seed passed to different networks (each trained on the same dataset), eventually results in identical images.

Title: Targeted Image Reconstruction by Sampling Pre-trained Diffusion Model. (arXiv:2301.07557v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07557
• Code URL: null
• Copy Paste: [[2301.07557] Targeted Image Reconstruction by Sampling Pre-trained Diffusion Model](http://arxiv.org/abs/2301.07557) #diffusion
• Summary:

  A trained neural network model contains information on the training data. Given such a model, malicious parties can leverage the "knowledge" in this model and design ways to print out any usable information (known as model inversion attack). Therefore, it is valuable to explore the ways to conduct a such attack and demonstrate its severity. In this work, we proposed ways to generate a data point of the target class without prior knowledge of the exact target distribution by using a pre-trained diffusion model.

Title: Machine learning techniques for the Schizophrenia diagnosis: A comprehensive review and future research directions. (arXiv:2301.07496v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.07496
• Code URL: null
• Copy Paste: [[2301.07496] Machine learning techniques for the Schizophrenia diagnosis: A comprehensive review and future research directions](http://arxiv.org/abs/2301.07496) #diffusion
• Summary:

  Schizophrenia (SCZ) is a brain disorder where different people experience different symptoms, such as hallucination, delusion, flat-talk, disorganized thinking, etc. In the long term, this can cause severe effects and diminish life expectancy by more than ten years. Therefore, early and accurate diagnosis of SCZ is prevalent, and modalities like structural magnetic resonance imaging (sMRI), functional MRI (fMRI), diffusion tensor imaging (DTI), and electroencephalogram (EEG) assist in witnessing the brain abnormalities of the patients. Moreover, for accurate diagnosis of SCZ, researchers have used machine learning (ML) algorithms for the past decade to distinguish the brain patterns of healthy and SCZ brains using MRI and fMRI images. This paper seeks to acquaint SCZ researchers with ML and to discuss its recent applications to the field of SCZ study. This paper comprehensively reviews state-of-the-art techniques such as ML classifiers, artificial neural network (ANN), deep learning (DL) models, methodological fundamentals, and applications with previous studies. The motivation of this paper is to benefit from finding the research gaps that may lead to the development of a new model for accurate SCZ diagnosis. The paper concludes with the research finding, followed by the future scope that directly contributes to new research directions.