secure

Title: DODEM: DOuble DEfense Mechanism Against Adversarial Attacks Towards Secure Industrial Internet of Things Analytics. (arXiv:2301.09740v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.09740
• Code URL: null
• Copy Paste: [[2301.09740] DODEM: DOuble DEfense Mechanism Against Adversarial Attacks Towards Secure Industrial Internet of Things Analytics](http://arxiv.org/abs/2301.09740) #secure
• Summary:

  Industrial Internet of Things (I-IoT) is a collaboration of devices, sensors, and networking equipment to monitor and collect data from industrial operations. Machine learning (ML) methods use this data to make high-level decisions with minimal human intervention. Data-driven predictive maintenance (PDM) is a crucial ML-based I-IoT application to find an optimal maintenance schedule for industrial assets. The performance of these ML methods can seriously be threatened by adversarial attacks where an adversary crafts perturbed data and sends it to the ML model to deteriorate its prediction performance. The models should be able to stay robust against these attacks where robustness is measured by how much perturbation in input data affects model performance. Hence, there is a need for effective defense mechanisms that can protect these models against adversarial attacks. In this work, we propose a double defense mechanism to detect and mitigate adversarial attacks in I-IoT environments. We first detect if there is an adversarial attack on a given sample using novelty detection algorithms. Then, based on the outcome of our algorithm, marking an instance as attack or normal, we select adversarial retraining or standard training to provide a secondary defense layer. If there is an attack, adversarial retraining provides a more robust model, while we apply standard training for regular samples. Since we may not know if an attack will take place, our adaptive mechanism allows us to consider irregular changes in data. The results show that our double defense strategy is highly efficient where we can improve model robustness by up to 64.6% and 52% compared to standard and adversarial retraining, respectively.

Title: $\textit{FairShare}$: Blockchain Enabled Fair, Accountable and Secure Data Sharing for Industrial IoT. (arXiv:2301.09761v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.09761
• Code URL: null
• Copy Paste: [[2301.09761] $\textit{FairShare}$: Blockchain Enabled Fair, Accountable and Secure Data Sharing for Industrial IoT](http://arxiv.org/abs/2301.09761) #secure
• Summary:

  Industrial Internet of Things (IIoT) opens up a challenging research area towards improving secure data sharing which currently has several limitations. Primarily, the lack of inbuilt guarantees of honest behavior of participating, such as end-users or cloud behaving maliciously may result in disputes. Given such challenges, we propose a fair, accountable, and secure data sharing scheme, $\textit{FairShare}$ for IIoT. In this scheme, data collected from IoT devices are processed and stored in cloud servers with intermediate fog nodes facilitating computation. Authorized clients can access this data against some fee to make strategic decisions for improving the operational services of the IIoT system. By enabling blockchain, $\textit{FairShare}$ prevents fraudulent activities and thereby achieves fairness such that each party gets their rightful outcome in terms of data or penalty/rewards while simultaneously ensuring accountability of the services provided by the parties. Additionally, smart contracts are designed to act as a mediator during any dispute by enforcing payment settlement. Further, security and privacy of data are ensured by suitably applying cryptographic techniques like proxy re-encryption. We prove $\textit{FairShare}$ to be secure as long as at least one of the parties is honest. We validate $\textit{FairShare}$ with a theoretical overhead analysis. We also build a prototype in Ethereum to estimate performance and justify comparable results with a state-of-the-art scheme both via simulation and a realistic testbed setup. We observe an additional communication overhead of 256 bytes and a cost of deployment of 1.01 USD in Ethereum which are constant irrespective of file size.

security

Title: PowerQuant: Automorphism Search for Non-Uniform Quantization. (arXiv:2301.09858v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.09858
• Code URL: null
• Copy Paste: [[2301.09858] PowerQuant: Automorphism Search for Non-Uniform Quantization](http://arxiv.org/abs/2301.09858) #security
• Summary:

  Deep neural networks (DNNs) are nowadays ubiquitous in many domains such as computer vision. However, due to their high latency, the deployment of DNNs hinges on the development of compression techniques such as quantization which consists in lowering the number of bits used to encode the weights and activations. Growing concerns for privacy and security have motivated the development of data-free techniques, at the expanse of accuracy. In this paper, we identity the uniformity of the quantization operator as a limitation of existing approaches, and propose a data-free non-uniform method. More specifically, we argue that to be readily usable without dedicated hardware and implementation, non-uniform quantization shall not change the nature of the mathematical operations performed by the DNN. This leads to search among the continuous automorphisms of $(\mathbb{R}_+^*,\times)$, which boils down to the power functions defined by their exponent. To find this parameter, we propose to optimize the reconstruction error of each layer: in particular, we show that this procedure is locally convex and admits a unique solution. At inference time, we show that our approach, dubbed PowerQuant, only require simple modifications in the quantized DNN activation functions. As such, with only negligible overhead, it significantly outperforms existing methods in a variety of configurations.

Title: Security of Electrical, Optical and Wireless On-Chip Interconnects: A Survey. (arXiv:2301.09738v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.09738
• Code URL: null
• Copy Paste: [[2301.09738] Security of Electrical, Optical and Wireless On-Chip Interconnects: A Survey](http://arxiv.org/abs/2301.09738) #security
• Summary:

  The advancement of manufacturing technologies has enabled the integration of more intellectual property (IP) cores on the same system-on-chip (SoC). Scalable and high throughput on-chip communication architecture has become a vital component in today's SoCs. Diverse technologies such as electrical, wireless, optical, and hybrid are available for on-chip communication with different architectures supporting them. Security of the on-chip communication is crucial because exploiting any vulnerability would be a goldmine for an attacker. In this survey, we provide a comprehensive review of threat models, attacks, and countermeasures over diverse on-chip communication technologies as well as sophisticated architectures.

Title: Demystifying NFT Promotion and Phishing Scams. (arXiv:2301.09806v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.09806
• Code URL: null
• Copy Paste: [[2301.09806] Demystifying NFT Promotion and Phishing Scams](http://arxiv.org/abs/2301.09806) #security
• Summary:

  The popularity and hype around purchasing digital assets such as art, video, and music in the form of Non-fungible tokens (NFTs) has rapidly made them a lucrative investment opportunity, with NFT-based sales surpassing $25B in 2021 alone. However, the volatility and scarcity of NFTs, combined with the general lack of familiarity with the technical aspects of this ecosystem, encourage the spread of several scams. The success of an NFT is majorly impacted by its online virality. There have been sparse reports about scammers emulating this virality by either promoting their fraudulent NFT projects on social media or imitating other popular NFT projects. This paper presents a longitudinal analysis of 439 unique Twitter accounts that consistently promote fraudulent NFT collections through giveaway competitions and 1,028 NFT phishing attacks. Our findings indicate that most accounts interacting with these promotions are bots, which can rapidly increase the popularity of the fraudulent NFT collections by inflating their likes, followers, and retweet counts. This leads to significant engagement from real users, who then proceed to invest in the scams. On the other hand, we identify two novel attack vectors which are utilized by NFT phishing scams to steal funds and digital assets from the victim's wallet. We also identify several gaps in the prevalent anti-phishing ecosystem by evaluating the performance of popular anti-phishing blocklists and security tools against NFT phishing attacks. We utilize our findings to develop a machine learning classifier that can automatically detect NFT phishing scams at scale.

privacy

Title: Applications and Challenges of Sentiment Analysis in Real-life Scenarios. (arXiv:2301.09912v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.09912
• Code URL: null
• Copy Paste: [[2301.09912] Applications and Challenges of Sentiment Analysis in Real-life Scenarios](http://arxiv.org/abs/2301.09912) #privacy
• Summary:

  Sentiment analysis has benefited from the availability of lexicons and benchmark datasets created over decades of research. However, its applications to the real world are a driving force for research in SA. This chapter describes some of these applications and related challenges in real-life scenarios. In this chapter, we focus on five applications of SA: health, social policy, e-commerce, digital humanities and other areas of NLP. This chapter is intended to equip an NLP researcher with the what',why' and `how' of applications of SA: what is the application about, why it is important and challenging and how current research in SA deals with the application. We note that, while the use of deep learning techniques is a popular paradigm that spans these applications, challenges around privacy and selection bias of datasets is a recurring theme across several applications.

Title: Database Reconstruction Is Not So Easy and Is Different from Reidentification. (arXiv:2301.10213v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.10213
• Code URL: null
• Copy Paste: [[2301.10213] Database Reconstruction Is Not So Easy and Is Different from Reidentification](http://arxiv.org/abs/2301.10213) #privacy
• Summary:

  In recent years, it has been claimed that releasing accurate statistical information on a database is likely to allow its complete reconstruction. Differential privacy has been suggested as the appropriate methodology to prevent these attacks. These claims have recently been taken very seriously by the U.S. Census Bureau and led them to adopt differential privacy for releasing U.S. Census data. This in turn has caused consternation among users of the Census data due to the lack of accuracy of the protected outputs. It has also brought legal action against the U.S. Department of Commerce. In this paper, we trace the origins of the claim that releasing information on a database automatically makes it vulnerable to being exposed by reconstruction attacks and we show that this claim is, in fact, incorrect. We also show that reconstruction can be averted by properly using traditional statistical disclosure control (SDC) techniques. We further show that the geographic level at which exact counts are released is even more relevant to protection than the actual SDC method employed. Finally, we caution against confusing reconstruction and reidentification: using the quality of reconstruction as a metric of reidentification results in exaggerated reidentification risk figures.

protect

defense

Title: Side Eye: Characterizing the Limits of POV Acoustic Eavesdropping from Smartphone Cameras with Rolling Shutters and Movable Lenses. (arXiv:2301.10056v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.10056
• Code URL: null
• Copy Paste: [[2301.10056] Side Eye: Characterizing the Limits of POV Acoustic Eavesdropping from Smartphone Cameras with Rolling Shutters and Movable Lenses](http://arxiv.org/abs/2301.10056) #defense
• Summary:

  Our research discovers how the rolling shutter and movable lens structures widely found in smartphone cameras modulate structure-borne sounds onto camera images, creating a point-of-view (POV) optical-acoustic side channel for acoustic eavesdropping. The movement of smartphone camera hardware leaks acoustic information because images unwittingly modulate ambient sound as imperceptible distortions. Our experiments find that the side channel is further amplified by intrinsic behaviors of Complementary metal-oxide-semiconductor (CMOS) rolling shutters and movable lenses such as in Optical Image Stabilization (OIS) and Auto Focus (AF). Our paper characterizes the limits of acoustic information leakage caused by structure-borne sound that perturbs the POV of smartphone cameras. In contrast with traditional optical-acoustic eavesdropping on vibrating objects, this side channel requires no line of sight and no object within the camera's field of view (images of a ceiling suffice). Our experiments test the limits of this side channel with a novel signal processing pipeline that extracts and recognizes the leaked acoustic information. Our evaluation with 10 smartphones on a spoken digit dataset reports 80.66%, 91.28%, and 99.67% accuracies on recognizing 10 spoken digits, 20 speakers, and 2 genders respectively. We further systematically discuss the possible defense strategies and implementations. By modeling, measuring, and demonstrating the limits of acoustic eavesdropping from smartphone camera image streams, our contributions explain the physics-based causality and possible ways to reduce the threat on current and future devices.

attack

Title: Backdoor Attacks in Peer-to-Peer Federated Learning. (arXiv:2301.09732v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.09732
• Code URL: null
• Copy Paste: [[2301.09732] Backdoor Attacks in Peer-to-Peer Federated Learning](http://arxiv.org/abs/2301.09732) #attack
• Summary:

  We study backdoor attacks in peer-to-peer federated learning systems on different graph topologies and datasets. We show that only 5% attacker nodes are sufficient to perform a backdoor attack with 42% attack success without decreasing the accuracy on clean data by more than 2%. We also demonstrate that the attack can be amplified by the attacker crashing a small number of nodes. We evaluate defenses proposed in the context of centralized federated learning and show they are ineffective in peer-to-peer settings. Finally, we propose a defense that mitigates the attacks by applying different clipping norms to the model updates received from peers and local model trained by a node.

Title: A Linear Reconstruction Approach for Attribute Inference Attacks against Synthetic Data. (arXiv:2301.10053v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10053
• Code URL: null
• Copy Paste: [[2301.10053] A Linear Reconstruction Approach for Attribute Inference Attacks against Synthetic Data](http://arxiv.org/abs/2301.10053) #attack
• Summary:

  Personal data collected at scale from surveys or digital devices offers important insights for statistical analysis and scientific research. Safely sharing such data while protecting privacy is however challenging. Anonymization allows data to be shared while minimizing privacy risks, but traditional anonymization techniques have been repeatedly shown to provide limited protection against re-identification attacks in practice. Among modern anonymization techniques, synthetic data generation (SDG) has emerged as a potential solution to find a good tradeoff between privacy and statistical utility. Synthetic data is typically generated using algorithms that learn the statistical distribution of the original records, to then generate "artificial" records that are structurally and statistically similar to the original ones. Yet, the fact that synthetic records are "artificial" does not, per se, guarantee that privacy is protected. In this work, we systematically evaluate the tradeoffs between protecting privacy and preserving statistical utility for a wide range of synthetic data generation algorithms. Modeling privacy as protection against attribute inference attacks (AIAs), we extend and adapt linear reconstruction attacks, which have not been previously studied in the context of synthetic data. While prior work suggests that AIAs may be effective only on few outlier records, we show they can be very effective even on randomly selected records. We evaluate attacks on synthetic datasets ranging from 10^3 to 10^6 records, showing that even for the same generative model, the attack effectiveness can drastically increase when a larger number of synthetic records is generated. Overall, our findings prove that synthetic data is subject to privacy-utility tradeoffs just like other anonymization techniques: when good utility is preserved, attribute inference can be a risk for many data subjects.

Title: Accurate Detection of Paroxysmal Atrial Fibrillation with Certified-GAN and Neural Architecture Search. (arXiv:2301.10173v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10173
• Code URL: null
• Copy Paste: [[2301.10173] Accurate Detection of Paroxysmal Atrial Fibrillation with Certified-GAN and Neural Architecture Search](http://arxiv.org/abs/2301.10173) #attack
• Summary:

  This paper presents a novel machine learning framework for detecting Paroxysmal Atrial Fibrillation (PxAF), a pathological characteristic of Electrocardiogram (ECG) that can lead to fatal conditions such as heart attack. To enhance the learning process, the framework involves a Generative Adversarial Network (GAN) along with a Neural Architecture Search (NAS) in the data preparation and classifier optimization phases. The GAN is innovatively invoked to overcome the class imbalance of the training data by producing the synthetic ECG for PxAF class in a certified manner. The effect of the certified GAN is statistically validated. Instead of using a general-purpose classifier, the NAS automatically designs a highly accurate convolutional neural network architecture customized for the PxAF classification task. Experimental results show that the accuracy of the proposed framework exhibits a high value of 99% which not only enhances state-of-the-art by up to 5.1%, but also improves the classification performance of the two widely-accepted baseline methods, ResNet-18, and Auto-Sklearn, by 2.2% and 6.1%.

robust

Title: Improving Performance of Object Detection using the Mechanisms of Visual Recognition in Humans. (arXiv:2301.09667v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.09667
• Code URL: null
• Copy Paste: [[2301.09667] Improving Performance of Object Detection using the Mechanisms of Visual Recognition in Humans](http://arxiv.org/abs/2301.09667) #robust
• Summary:

  Object recognition systems are usually trained and evaluated on high resolution images. However, in real world applications, it is common that the images have low resolutions or have small sizes. In this study, we first track the performance of the state-of-the-art deep object recognition network, Faster- RCNN, as a function of image resolution. The results reveals negative effects of low resolution images on recognition performance. They also show that different spatial frequencies convey different information about the objects in recognition process. It means multi-resolution recognition system can provides better insight into optimal selection of features that results in better recognition of objects. This is similar to the mechanisms of the human visual systems that are able to implement multi-scale representation of a visual scene simultaneously. Then, we propose a multi-resolution object recognition framework rather than a single-resolution network. The proposed framework is evaluated on the PASCAL VOC2007 database. The experimental results show the performance of our adapted multi-resolution Faster-RCNN framework outperforms the single-resolution Faster-RCNN on input images with various resolutions with an increase in the mean Average Precision (mAP) of 9.14% across all resolutions and 1.2% on the full-spectrum images. Furthermore, the proposed model yields robustness of the performance over a wide range of spatial frequencies.

Title: Data Augmentation Alone Can Improve Adversarial Training. (arXiv:2301.09879v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.09879
• Code URL: https://github.com/treelli/da-alone-improves-at
• Copy Paste: [[2301.09879] Data Augmentation Alone Can Improve Adversarial Training](http://arxiv.org/abs/2301.09879) #robust
• Summary:

  Adversarial training suffers from the issue of robust overfitting, which seriously impairs its generalization performance. Data augmentation, which is effective at preventing overfitting in standard training, has been observed by many previous works to be ineffective in mitigating overfitting in adversarial training. This work proves that, contrary to previous findings, data augmentation alone can significantly boost accuracy and robustness in adversarial training. We find that the hardness and the diversity of data augmentation are important factors in combating robust overfitting. In general, diversity can improve both accuracy and robustness, while hardness can boost robustness at the cost of accuracy within a certain limit and degrade them both over that limit. To mitigate robust overfitting, we first propose a new crop transformation, Cropshift, which has improved diversity compared to the conventional one (Padcrop). We then propose a new data augmentation scheme, based on Cropshift, with much improved diversity and well-balanced hardness. Empirically, our augmentation method achieves the state-of-the-art accuracy and robustness for data augmentations in adversarial training. Furthermore, when combined with weight averaging it matches, or even exceeds, the performance of the best contemporary regularization methods for alleviating robust overfitting. Code is available at: https://github.com/TreeLLi/DA-Alone-Improves-AT.

Title: Planar Object Tracking via Weighted Optical Flow. (arXiv:2301.10057v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.10057
• Code URL: https://github.com/serycjon/WOFT
• Copy Paste: [[2301.10057] Planar Object Tracking via Weighted Optical Flow](http://arxiv.org/abs/2301.10057) #robust
• Summary:

  We propose WOFT -- a novel method for planar object tracking that estimates a full 8 degrees-of-freedom pose, i.e. the homography w.r.t. a reference view. The method uses a novel module that leverages dense optical flow and assigns a weight to each optical flow correspondence, estimating a homography by weighted least squares in a fully differentiable manner. The trained module assigns zero weights to incorrect correspondences (outliers) in most cases, making the method robust and eliminating the need of the typically used non-differentiable robust estimators like RANSAC. The proposed weighted optical flow tracker (WOFT) achieves state-of-the-art performance on two benchmarks, POT-210 and POIC, tracking consistently well across a wide range of scenarios.

Title: Improving Open-Set Semi-Supervised Learning with Self-Supervision. (arXiv:2301.10127v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10127
• Code URL: null
• Copy Paste: [[2301.10127] Improving Open-Set Semi-Supervised Learning with Self-Supervision](http://arxiv.org/abs/2301.10127) #robust
• Summary:

  Open-set semi-supervised learning (OSSL) is a realistic setting of semi-supervised learning where the unlabeled training set contains classes that are not present in the labeled set. Many existing OSSL methods assume that these out-of-distribution data are harmful and put effort into excluding data from unknown classes from the training objective. In contrast, we propose an OSSL framework that facilitates learning from all unlabeled data through self-supervision. Additionally, we utilize an energy-based score to accurately recognize data belonging to the known classes, making our method well-suited for handling uncurated data in deployment. We show through extensive experimental evaluations on several datasets that our method shows overall unmatched robustness and performance in terms of closed-set accuracy and open-set recognition compared with state-of-the-art for OSSL. Our code will be released upon publication.

Title: Noisy Parallel Data Alignment. (arXiv:2301.09685v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.09685
• Code URL: null
• Copy Paste: [[2301.09685] Noisy Parallel Data Alignment](http://arxiv.org/abs/2301.09685) #robust
• Summary:

  An ongoing challenge in current natural language processing is how its major advancements tend to disproportionately favor resource-rich languages, leaving a significant number of under-resourced languages behind. Due to the lack of resources required to train and evaluate models, most modern language technologies are either nonexistent or unreliable to process endangered, local, and non-standardized languages. Optical character recognition (OCR) is often used to convert endangered language documents into machine-readable data. However, such OCR output is typically noisy, and most word alignment models are not built to work under such noisy conditions. In this work, we study the existing word-level alignment models under noisy settings and aim to make them more robust to noisy data. Our noise simulation and structural biasing method, tested on multiple language pairs, manages to reduce the alignment error rate on a state-of-the-art neural-based alignment model up to 59.6%.

Title: Transformer-Patcher: One Mistake worth One Neuron. (arXiv:2301.09785v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.09785
• Code URL: https://github.com/zeroyuhuang/transformer-patcher
• Copy Paste: [[2301.09785] Transformer-Patcher: One Mistake worth One Neuron](http://arxiv.org/abs/2301.09785) #robust
• Summary:

  Large Transformer-based Pretrained Language Models (PLMs) dominate almost all Natural Language Processing (NLP) tasks. Nevertheless, they still make mistakes from time to time. For a model deployed in an industrial environment, fixing these mistakes quickly and robustly is vital to improve user experiences. Previous works formalize such problems as Model Editing (ME) and mostly focus on fixing one mistake. However, the one-mistake-fixing scenario is not an accurate abstraction of the real-world challenge. In the deployment of AI services, there are ever-emerging mistakes, and the same mistake may recur if not corrected in time. Thus a preferable solution is to rectify the mistakes as soon as they appear nonstop. Therefore, we extend the existing ME into Sequential Model Editing (SME) to help develop more practical editing methods. Our study shows that most current ME methods could yield unsatisfying results in this scenario. We then introduce Transformer-Patcher, a novel model editor that can shift the behavior of transformer-based models by simply adding and training a few neurons in the last Feed-Forward Network layer. Experimental results on both classification and generation tasks show that Transformer-Patcher can successively correct up to thousands of errors (Reliability) and generalize to their equivalent inputs (Generality) while retaining the model's accuracy on irrelevant inputs (Locality). Our method outperforms previous fine-tuning and HyperNetwork-based methods and achieves state-of-the-art performance for Sequential Model Editing (SME). The code is available at https://github.com/ZeroYuHuang/Transformer-Patcher.

Title: Large Language Models as Fiduciaries: A Case Study Toward Robustly Communicating With Artificial Intelligence Through Legal Standards. (arXiv:2301.10095v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.10095
• Code URL: null
• Copy Paste: [[2301.10095] Large Language Models as Fiduciaries: A Case Study Toward Robustly Communicating With Artificial Intelligence Through Legal Standards](http://arxiv.org/abs/2301.10095) #robust
• Summary:

  Artificial Intelligence (AI) is taking on increasingly autonomous roles, e.g., browsing the web as a research assistant and managing money. But specifying goals and restrictions for AI behavior is difficult. Similar to how parties to a legal contract cannot foresee every potential "if-then" contingency of their future relationship, we cannot specify desired AI behavior for all circumstances. Legal standards facilitate the robust communication of inherently vague and underspecified goals. Instructions (in the case of language models, "prompts") that employ legal standards will allow AI agents to develop shared understandings of the spirit of a directive that can adapt to novel situations, and generalize expectations regarding acceptable actions to take in unspecified states of the world. Standards have built-in context that is lacking from other goal specification languages, such as plain language and programming languages. Through an empirical study on thousands of evaluation labels we constructed from U.S. court opinions, we demonstrate that large language models (LLMs) are beginning to exhibit an "understanding" of one of the most relevant legal standards for AI agents: fiduciary obligations. Performance comparisons across models suggest that, as LLMs continue to exhibit improved core capabilities, their legal standards understanding will also continue to improve. OpenAI's latest LLM has 78% accuracy on our data, their previous release has 73% accuracy, and a model from their 2020 GPT-3 paper has 27% accuracy (worse than random). Our research is an initial step toward a framework for evaluating AI understanding of legal standards more broadly, and for conducting reinforcement learning with legal feedback (RLLF).

Title: MTTN: Multi-Pair Text to Text Narratives for Prompt Generation. (arXiv:2301.10172v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.10172
• Code URL: https://github.com/mttn2023/mttn
• Copy Paste: [[2301.10172] MTTN: Multi-Pair Text to Text Narratives for Prompt Generation](http://arxiv.org/abs/2301.10172) #robust
• Summary:

  The explosive popularity of diffusion models[ 1][ 2][ 3 ] has provided a huge stage for further development in generative-text modelling. As prompt based models are very nuanced, such that a carefully generated prompt can produce truely breath taking images, on the contrary producing powerful or even meaningful prompt is a hit or a miss. To lavish on this we have introduced a large scale derived and synthesized dataset built with on real prompts and indexed with popular image-text datasets like MS-COCO[4 ], Flickr[ 5], etc. We have also introduced staging for these sentences that sequentially reduce the context and increase the complexity, that will further strengthen the output because of the complex annotations that are being created. MTTN consists of over 2.4M sentences that are divided over 5 stages creating a combination amounting to over 12M pairs, along with a vocab size of consisting more than 300 thousands unique words that creates an abundance of variations. The original 2.4M million pairs are broken down in such a manner that it produces a true scenario of internet lingo that is used globally thereby heightening the robustness of the dataset, and any model trained on it.

Title: Model Agnostic Sample Reweighting for Out-of-Distribution Learning. (arXiv:2301.09819v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.09819
• Code URL: https://github.com/x-zho14/maple
• Copy Paste: [[2301.09819] Model Agnostic Sample Reweighting for Out-of-Distribution Learning](http://arxiv.org/abs/2301.09819) #robust
• Summary:

  Distributionally robust optimization (DRO) and invariant risk minimization (IRM) are two popular methods proposed to improve out-of-distribution (OOD) generalization performance of machine learning models. While effective for small models, it has been observed that these methods can be vulnerable to overfitting with large overparameterized models. This work proposes a principled method, \textbf{M}odel \textbf{A}gnostic sam\textbf{PL}e r\textbf{E}weighting (\textbf{MAPLE}), to effectively address OOD problem, especially in overparameterized scenarios. Our key idea is to find an effective reweighting of the training samples so that the standard empirical risk minimization training of a large model on the weighted training data leads to superior OOD generalization performance. The overfitting issue is addressed by considering a bilevel formulation to search for the sample reweighting, in which the generalization complexity depends on the search space of sample weights instead of the model size. We present theoretical analysis in linear case to prove the insensitivity of MAPLE to model size, and empirically verify its superiority in surpassing state-of-the-art methods by a large margin. Code is available at \url{https://github.com/x-zho14/MAPLE}.

Title: Explainable Deep Reinforcement Learning: State of the Art and Challenges. (arXiv:2301.09937v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.09937
• Code URL: null
• Copy Paste: [[2301.09937] Explainable Deep Reinforcement Learning: State of the Art and Challenges](http://arxiv.org/abs/2301.09937) #robust
• Summary:

  Interpretability, explainability and transparency are key issues to introducing Artificial Intelligence methods in many critical domains: This is important due to ethical concerns and trust issues strongly connected to reliability, robustness, auditability and fairness, and has important consequences towards keeping the human in the loop in high levels of automation, especially in critical cases for decision making, where both (human and the machine) play important roles. While the research community has given much attention to explainability of closed (or black) prediction boxes, there are tremendous needs for explainability of closed-box methods that support agents to act autonomously in the real world. Reinforcement learning methods, and especially their deep versions, are such closed-box methods. In this article we aim to provide a review of state of the art methods for explainable deep reinforcement learning methods, taking also into account the needs of human operators - i.e., of those that take the actual and critical decisions in solving real-world problems. We provide a formal specification of the deep reinforcement learning explainability problems, and we identify the necessary components of a general explainable reinforcement learning framework. Based on these, we provide a comprehensive review of state of the art methods, categorizing them in classes according to the paradigm they follow, the interpretable models they use, and the surface representation of explanations provided. The article concludes identifying open questions and important challenges.

Title: A Robust Hypothesis Test for Tree Ensemble Pruning. (arXiv:2301.10115v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10115
• Code URL: null
• Copy Paste: [[2301.10115] A Robust Hypothesis Test for Tree Ensemble Pruning](http://arxiv.org/abs/2301.10115) #robust
• Summary:

  Gradient boosted decision trees are some of the most popular algorithms in applied machine learning. They are a flexible and powerful tool that can robustly fit to any tabular dataset in a scalable and computationally efficient way. One of the most critical parameters to tune when fitting these models are the various penalty terms used to distinguish signal from noise in the current model. These penalties are effective in practice, but are lacking in robust theoretical justifications. In this paper we develop and present a novel theoretically justified hypothesis test of split quality for gradient boosted tree ensembles and demonstrate that using this method instead of the common penalty terms leads to a significant reduction in out of sample loss. Additionally, this method provides a theoretically well-justified stopping condition for the tree growing algorithm. We also present several innovative extensions to the method, opening the door for a wide variety of novel tree pruning algorithms.

Title: Minimal Value-Equivalent Partial Models for Scalable and Robust Planning in Lifelong Reinforcement Learning. (arXiv:2301.10119v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10119
• Code URL: null
• Copy Paste: [[2301.10119] Minimal Value-Equivalent Partial Models for Scalable and Robust Planning in Lifelong Reinforcement Learning](http://arxiv.org/abs/2301.10119) #robust
• Summary:

  Learning models of the environment from pure interaction is often considered an essential component of building lifelong reinforcement learning agents. However, the common practice in model-based reinforcement learning is to learn models that model every aspect of the agent's environment, regardless of whether they are important in coming up with optimal decisions or not. In this paper, we argue that such models are not particularly well-suited for performing scalable and robust planning in lifelong reinforcement learning scenarios and we propose new kinds of models that only model the relevant aspects of the environment, which we call "minimal value-equivalent partial models". After providing a formal definition for these models, we provide theoretical results demonstrating the scalability advantages of performing planning with such models and then perform experiments to empirically illustrate our theoretical results. Then, we provide some useful heuristics on how to learn these kinds of models with deep learning architectures and empirically demonstrate that models learned in such a way can allow for performing planning that is robust to distribution shifts and compounding model errors. Overall, both our theoretical and empirical results suggest that minimal value-equivalent partial models can provide significant benefits to performing scalable and robust planning in lifelong reinforcement learning scenarios.

Title: Read the Signs: Towards Invariance to Gradient Descent's Hyperparameter Initialization. (arXiv:2301.10133v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10133
• Code URL: null
• Copy Paste: [[2301.10133] Read the Signs: Towards Invariance to Gradient Descent's Hyperparameter Initialization](http://arxiv.org/abs/2301.10133) #robust
• Summary:

  We propose ActiveLR, an optimization meta algorithm that localizes the learning rate, $\alpha$, and adapts them at each epoch according to whether the gradient at each epoch changes sign or not. This sign-conscious algorithm is aware of whether from the previous step to the current one the update of each parameter has been too large or too small and adjusts the $\alpha$ accordingly. We implement the Active version (ours) of widely used and recently published gradient descent optimizers, namely SGD with momentum, AdamW, RAdam, and AdaBelief. Our experiments on ImageNet, CIFAR-10, WikiText-103, WikiText-2, and PASCAL VOC using different model architectures, such as ResNet and Transformers, show an increase in generalizability and training set fit, and decrease in training time for the Active variants of the tested optimizers. The results also show robustness of the Active variant of these optimizers to different values of the initial learning rate. Furthermore, the detrimental effects of using large mini-batch sizes are mitigated. ActiveLR, thus, alleviates the need for hyper-parameter search for two of the most commonly tuned hyper-parameters that require heavy time and computational costs to pick. We encourage AI researchers and practitioners to use the Active variant of their optimizer of choice for faster training, better generalizability, and reducing carbon footprint of training deep neural networks.

Title: Spectral Cross-Domain Neural Network with Soft-adaptive Threshold Spectral Enhancement. (arXiv:2301.10171v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10171
• Code URL: null
• Copy Paste: [[2301.10171] Spectral Cross-Domain Neural Network with Soft-adaptive Threshold Spectral Enhancement](http://arxiv.org/abs/2301.10171) #robust
• Summary:

  Electrocardiography (ECG) signals can be considered as multi-variable time-series. The state-of-the-art ECG data classification approaches, based on either feature engineering or deep learning techniques, treat separately spectral and time domains in machine learning systems. No spectral-time domain communication mechanism inside the classifier model can be found in current approaches, leading to difficulties in identifying complex ECG forms. In this paper, we proposed a novel deep learning model named Spectral Cross-domain neural network (SCDNN) with a new block called Soft-adaptive threshold spectral enhancement (SATSE), to simultaneously reveal the key information embedded in spectral and time domains inside the neural network. More precisely, the domain-cross information is captured by a general Convolutional neural network (CNN) backbone, and different information sources are merged by a self-adaptive mechanism to mine the connection between time and spectral domains. In SATSE, the knowledge from time and spectral domains is extracted via the Fast Fourier Transformation (FFT) with soft trainable thresholds in modified Sigmoid functions. The proposed SCDNN is tested with several classification tasks implemented on the public ECG databases \textit{PTB-XL} and \textit{MIT-BIH}. SCDNN outperforms the state-of-the-art approaches with a low computational cost regarding a variety of metrics in all classification tasks on both databases, by finding appropriate domains from the infinite spectral mapping. The convergence of the trainable thresholds in the spectral domain is also numerically investigated in this paper. The robust performance of SCDNN provides a new perspective to exploit knowledge across deep learning models from time and spectral domains. The repository can be found: https://github.com/DL-WG/SCDNN-TS

biometric

steal

extraction

Title: Weakly-Supervised Questions for Zero-Shot Relation Extraction. (arXiv:2301.09640v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2301.09640
• Code URL: https://github.com/fyshelab/qa-zre
• Copy Paste: [[2301.09640] Weakly-Supervised Questions for Zero-Shot Relation Extraction](http://arxiv.org/abs/2301.09640) #extraction
• Summary:

  Zero-Shot Relation Extraction (ZRE) is the task of Relation Extraction where the training and test sets have no shared relation types. This very challenging domain is a good test of a model's ability to generalize. Previous approaches to ZRE reframed relation extraction as Question Answering (QA), allowing for the use of pre-trained QA models. However, this method required manually creating gold question templates for each new relation. Here, we do away with these gold templates and instead learn a model that can generate questions for unseen relations. Our technique can successfully translate relation descriptions into relevant questions, which are then leveraged to generate the correct tail entity. On tail entity extraction, we outperform the previous state-of-the-art by more than 16 F1 points without using gold question templates. On the RE-QA dataset where no previous baseline for relation extraction exists, our proposed algorithm comes within 0.7 F1 points of a system that uses gold question templates. Our model also outperforms the state-of-the-art ZRE baselines on the FewRel and WikiZSL datasets, showing that QA models no longer need template questions to match the performance of models specifically tailored to the ZRE task. Our implementation is available at https://github.com/fyshelab/QA-ZRE.

Title: Analysis of Arrhythmia Classification on ECG Dataset. (arXiv:2301.10174v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10174
• Code URL: null
• Copy Paste: [[2301.10174] Analysis of Arrhythmia Classification on ECG Dataset](http://arxiv.org/abs/2301.10174) #extraction
• Summary:

  The heart is one of the most vital organs in the human body. It supplies blood and nutrients in other parts of the body. Therefore, maintaining a healthy heart is essential. As a heart disorder, arrhythmia is a condition in which the heart's pumping mechanism becomes aberrant. The Electrocardiogram is used to analyze the arrhythmia problem from the ECG signals because of its fewer difficulties and cheapness. The heart peaks shown in the ECG graph are used to detect heart diseases, and the R peak is used to analyze arrhythmia disease. Arrhythmia is grouped into two groups - Tachycardia and Bradycardia for detection. In this paper, we discussed many different techniques such as Deep CNNs, LSTM, SVM, NN classifier, Wavelet, TQWT, etc., that have been used for detecting arrhythmia using various datasets throughout the previous decade. This work shows the analysis of some arrhythmia classification on the ECG dataset. Here, Data preprocessing, feature extraction, classification processes were applied on most research work and achieved better performance for classifying ECG signals to detect arrhythmia. Automatic arrhythmia detection can help cardiologists make the right decisions immediately to save human life. In addition, this research presents various previous research limitations with some challenges in detecting arrhythmia that will help in future research.

membership infer

Title: Membership Inference of Diffusion Models. (arXiv:2301.09956v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2301.09956
• Code URL: null
• Copy Paste: [[2301.09956] Membership Inference of Diffusion Models](http://arxiv.org/abs/2301.09956) #membership infer
• Summary:

  Recent years have witnessed the tremendous success of diffusion models in data synthesis. However, when diffusion models are applied to sensitive data, they also give rise to severe privacy concerns. In this paper, we systematically present the first study about membership inference attacks against diffusion models, which aims to infer whether a sample was used to train the model. Two attack methods are proposed, namely loss-based and likelihood-based attacks. Our attack methods are evaluated on several state-of-the-art diffusion models, over different datasets in relation to privacy-sensitive data. Extensive experimental evaluations show that our attacks can achieve remarkable performance. Furthermore, we exhaustively investigate various factors which can affect attack performance. Finally, we also evaluate the performance of our attack methods on diffusion models trained with differential privacy.

federate

Title: When does the student surpass the teacher? Federated Semi-supervised Learning with Teacher-Student EMA. (arXiv:2301.10114v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10114
• Code URL: null
• Copy Paste: [[2301.10114] When does the student surpass the teacher? Federated Semi-supervised Learning with Teacher-Student EMA](http://arxiv.org/abs/2301.10114) #federate
• Summary:

  Semi-Supervised Learning (SSL) has received extensive attention in the domain of computer vision, leading to development of promising approaches such as FixMatch. In scenarios where training data is decentralized and resides on client devices, SSL must be integrated with privacy-aware training techniques such as Federated Learning. We consider the problem of federated image classification and study the performance and privacy challenges with existing federated SSL (FSSL) approaches. Firstly, we note that even state-of-the-art FSSL algorithms can trivially compromise client privacy and other real-world constraints such as client statelessness and communication cost. Secondly, we observe that it is challenging to integrate EMA (Exponential Moving Average) updates into the federated setting, which comes at a trade-off between performance and communication cost. We propose a novel approach FedSwitch, that improves privacy as well as generalization performance through Exponential Moving Average (EMA) updates. FedSwitch utilizes a federated semi-supervised teacher-student EMA framework with two features - local teacher adaptation and adaptive switching between teacher and student for pseudo-label generation. Our proposed approach outperforms the state-of-the-art on federated image classification, can be adapted to real-world constraints, and achieves good generalization performance with minimal communication cost overhead.

fair

Title: Investigating Labeler Bias in Face Annotation for Machine Learning. (arXiv:2301.09902v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.09902
• Code URL: null
• Copy Paste: [[2301.09902] Investigating Labeler Bias in Face Annotation for Machine Learning](http://arxiv.org/abs/2301.09902) #fair
• Summary:

  In a world increasingly reliant on artificial intelligence, it is more important than ever to consider the ethical implications of artificial intelligence on humanity. One key under-explored challenge is labeler bias, which can create inherently biased datasets for training and subsequently lead to inaccurate or unfair decisions in healthcare, employment, education, and law enforcement. Hence, we conducted a study to investigate and measure the existence of labeler bias using images of people from different ethnicities and sexes in a labeling task. Our results show that participants possess stereotypes that influence their decision-making process and that labeler demographics impact assigned labels. We also discuss how labeler bias influences datasets and, subsequently, the models trained on them. Overall, a high degree of transparency must be maintained throughout the entire artificial intelligence training process to identify and correct biases in the data as early as possible.

Title: Fair and skill-diverse student group formation via constrained k-way graph partitioning. (arXiv:2301.09984v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.09984
• Code URL: null
• Copy Paste: [[2301.09984] Fair and skill-diverse student group formation via constrained k-way graph partitioning](http://arxiv.org/abs/2301.09984) #fair
• Summary:

  Forming the right combination of students in a group promises to enable a powerful and effective environment for learning and collaboration. However, defining a group of students is a complex task which has to satisfy multiple constraints. This work introduces an unsupervised algorithm for fair and skill-diverse student group formation. This is achieved by taking account of student course marks and sensitive attributes provided by the education office. The skill sets of students are determined using unsupervised dimensionality reduction of course mark data via the Laplacian eigenmap. The problem is formulated as a constrained graph partitioning problem, whereby the diversity of skill sets in each group are maximised, group sizes are upper and lower bounded according to available resources, and `balance' of a sensitive attribute is lower bounded to enforce fairness in group formation. This optimisation problem is solved using integer programming and its effectiveness is demonstrated on a dataset of student course marks from Imperial College London.

interpretability

Title: Explainable Data-Driven Optimization: From Context to Decision and Back Again. (arXiv:2301.10074v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10074
• Code URL: null
• Copy Paste: [[2301.10074] Explainable Data-Driven Optimization: From Context to Decision and Back Again](http://arxiv.org/abs/2301.10074) #interpretability
• Summary:

  Data-driven optimization uses contextual information and machine learning algorithms to find solutions to decision problems with uncertain parameters. While a vast body of work is dedicated to interpreting machine learning models in the classification setting, explaining decision pipelines involving learning algorithms remains unaddressed. This lack of interpretability can block the adoption of data-driven solutions as practitioners may not understand or trust the recommended decisions. We bridge this gap by introducing a counterfactual explanation methodology tailored to explain solutions to data-driven problems. We introduce two classes of explanations and develop methods to find nearest explanations of random forest and nearest-neighbor predictors. We demonstrate our approach by explaining key problems in operations management such as inventory management and routing.

explainability

watermark

Title: A Watermark for Large Language Models. (arXiv:2301.10226v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2301.10226
• Code URL: null
• Copy Paste: [[2301.10226] A Watermark for Large Language Models](http://arxiv.org/abs/2301.10226) #watermark
• Summary:

  Potential harms of large language models can be mitigated by watermarking model output, i.e., embedding signals into generated text that are invisible to humans but algorithmically detectable from a short span of tokens. We propose a watermarking framework for proprietary language models. The watermark can be embedded with negligible impact on text quality, and can be detected using an efficient open-source algorithm without access to the language model API or parameters. The watermark works by selecting a randomized set of whitelist tokens before a word is generated, and then softly promoting use of whitelist tokens during sampling. We propose a statistical test for detecting the watermark with interpretable p-values, and derive an information-theoretic framework for analyzing the sensitivity of the watermark. We test the watermark using a multi-billion parameter model from the Open Pretrained Transformer (OPT) family, and discuss robustness and security.

diffusion

Title: Bipartite Graph Diffusion Model for Human Interaction Generation. (arXiv:2301.10134v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2301.10134
• Code URL: null
• Copy Paste: [[2301.10134] Bipartite Graph Diffusion Model for Human Interaction Generation](http://arxiv.org/abs/2301.10134) #diffusion
• Summary:

  The generation of natural human motion interactions is a hot topic in computer vision and computer animation. It is a challenging task due to the diversity of possible human motion interactions. Diffusion models, which have already shown remarkable generative capabilities in other domains, are a good candidate for this task. In this paper, we introduce a novel bipartite graph diffusion method (BiGraphDiff) to generate human motion interactions between two persons. Specifically, bipartite node sets are constructed to model the inherent geometric constraints between skeleton nodes during interactions. The interaction graph diffusion model is transformer-based, combining some state-of-the-art motion methods. We show that the proposed achieves new state-of-the-art results on leading benchmarks for the human interaction generation task.