secure

Title: BackdoorBox: A Python Toolbox for Backdoor Learning. (arXiv:2302.01762v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01762
• Code URL: https://github.com/thuyimingli/backdoorbox
• Copy Paste: [[2302.01762] BackdoorBox: A Python Toolbox for Backdoor Learning](http://arxiv.org/abs/2302.01762) #secure
• Summary:

  Third-party resources ($e.g.$, samples, backbones, and pre-trained models) are usually involved in the training of deep neural networks (DNNs), which brings backdoor attacks as a new training-phase threat. In general, backdoor attackers intend to implant hidden backdoor in DNNs, so that the attacked DNNs behave normally on benign samples whereas their predictions will be maliciously changed to a pre-defined target label if hidden backdoors are activated by attacker-specified trigger patterns. To facilitate the research and development of more secure training schemes and defenses, we design an open-sourced Python toolbox that implements representative and advanced backdoor attacks and defenses under a unified and flexible framework. Our toolbox has four important and promising characteristics, including consistency, simplicity, flexibility, and co-development. It allows researchers and developers to easily implement and compare different methods on benchmark or their local datasets. This Python toolbox, namely \texttt{BackdoorBox}, is available at \url{https://github.com/THUYimingLi/BackdoorBox}.

Title: A Transcontinental Analysis of Account Remediation Protocols of Popular Websites. (arXiv:2302.01401v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01401
• Code URL: null
• Copy Paste: [[2302.01401] A Transcontinental Analysis of Account Remediation Protocols of Popular Websites](http://arxiv.org/abs/2302.01401) #secure
• Summary:

  Websites are used regularly in our day-today lives, yet research has shown that it is challenging for many users to use them securely, e.g., most prominently due to weak passwords through which they access their accounts. At the same time, many services employ low-security measures, making their users even more prone to account compromises with little to no means of remediating compromised accounts. Additionally, remediating compromised accounts requires users to complete a series of steps, ideally all provided and explained by the service. However, for U.S.-based websites, prior research has shown that the advice provided by many services is often incomplete. To further understand the underlying issue and its implications, this paper reports on a study that analyzes the account remediation procedure covering the 50 most popular websites in 30 countries, 6 each in Africa, the Americas, Asia, Europe, and Oceania. We conducted the first transcontinental analysis on the account remediation protocols of popular websites. The analysis is based on 5 steps websites need to provide advice for: compromise discovery, account recovery, access limitation, service restoration, and prevention. We find that the lack of advice prior work identified for websites from the U.S. also holds across continents, with the presence ranging from 37% to 77% on average. Additionally, we identified considerable differences when comparing countries and continents, with countries in Africa and Oceania significantly more affected by the lack of advice. To address this, we suggest providing publicly available and easy-to-follow remediation advice for users and guidance for website providers so they can provide all the necessary information.

security

Title: Command Line Interface Risk Modeling. (arXiv:2302.01749v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01749
• Code URL: null
• Copy Paste: [[2302.01749] Command Line Interface Risk Modeling](http://arxiv.org/abs/2302.01749) #security
• Summary:

  Protecting sensitive data is an essential part of security in cloud computing. However, only specific privileged individuals have access to view or interact with this data; therefore, it is unscalable to depend on these individuals also to maintain the software. A solution to this is to allow non-privileged individuals access to maintain these systems but mask sensitive information from egressing. To this end, we have created a machine-learning model to predict and redact fields with sensitive data. This work concentrates on Azure PowerShell, showing how it applies to other command-line interfaces and APIs. Using the F5-score as a weighted metric, we demonstrate different transformation techniques to map this problem from an unknown field to the well-researched area of natural language processing.

Title: MAVERICK: An App-independent and Platform-agnostic Approach to Enforce Policies in IoT Systems at Runtime. (arXiv:2302.01452v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01452
• Code URL: null
• Copy Paste: [[2302.01452] MAVERICK: An App-independent and Platform-agnostic Approach to Enforce Policies in IoT Systems at Runtime](http://arxiv.org/abs/2302.01452) #security
• Summary:

  Safety and security issues in programmable IoT systems are still a pressing problem. Many solutions have been proposed to curb unexpected behavior of automation apps installed on IoT platforms by enforcing safety and security policies at runtime. However, all prior work addresses a weaker version of the actual problem as they consider a simple threat model, which is far from the reality. Moreover, these solutions are heavily dependent on the installed apps and catered to specific IoT platforms, which can unfortunately result in inaccurate runtime enforcement of policies. In this paper, we address a stronger version of the problem by considering a realistic threat model, where (i) undesired cyber actions (e.g., lock()/unlock()) can come from not only automation platform backends (e.g., SmartThings) but also close-sourced thirdparty services (e.g., IFTTT), and (ii) physical actions (e.g., user interactions) on devices can move the IoT system to an unsafe state. We propose a runtime mechanism, dubbed Maverick, which employs an app-independent, platform-agnostic mediator to enforce policies against all undesired cyber actions and applies corrective-actions to bring the IoT system back to a safe state if it ever transitions to an unsafe state. To assist users for writing policies, Maverick is equipped with a policy language capable of expressing rich temporal invariants and an automated toolchain that includes a policy synthesizer and a policy analyzer. We implemented Maverick in a prototype and showed its efficacy in both physical and virtual testbeds where it incurred minimal overhead.

Title: Defensive ML: Defending Architectural Side-channels with Adversarial Obfuscation. (arXiv:2302.01474v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01474
• Code URL: null
• Copy Paste: [[2302.01474] Defensive ML: Defending Architectural Side-channels with Adversarial Obfuscation](http://arxiv.org/abs/2302.01474) #security
• Summary:

  Side-channel attacks that use machine learning (ML) for signal analysis have become prominent threats to computer security, as ML models easily find patterns in signals. To address this problem, this paper explores using Adversarial Machine Learning (AML) methods as a defense at the computer architecture layer to obfuscate side channels. We call this approach Defensive ML, and the generator to obfuscate signals, defender. Defensive ML is a workflow to design, implement, train, and deploy defenders for different environments. First, we design a defender architecture given the physical characteristics and hardware constraints of the side-channel. Next, we use our DefenderGAN structure to train the defender. Finally, we apply defensive ML to thwart two side-channel attacks: one based on memory contention and the other on application power. The former uses a hardware defender with ns-level response time that attains a high level of security with half the performance impact of a traditional scheme; the latter uses a software defender with ms-level response time that provides better security than a traditional scheme with only 70% of its power overhead.

Title: TT-TFHE: a Torus Fully Homomorphic Encryption-Friendly Neural Network Architecture. (arXiv:2302.01584v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01584
• Code URL: null
• Copy Paste: [[2302.01584] TT-TFHE: a Torus Fully Homomorphic Encryption-Friendly Neural Network Architecture](http://arxiv.org/abs/2302.01584) #security
• Summary:

  This paper presents TT-TFHE, a deep neural network Fully Homomorphic Encryption (FHE) framework that effectively scales Torus FHE (TFHE) usage to tabular and image datasets using a recent family of convolutional neural networks called Truth-Table Neural Networks (TTnet). The proposed framework provides an easy-to-implement, automated TTnet-based design toolbox with an underlying (python-based) open-source Concrete implementation (CPU-based and implementing lookup tables) for inference over encrypted data. Experimental evaluation shows that TT-TFHE greatly outperforms in terms of time and accuracy all Homomorphic Encryption (HE) set-ups on three tabular datasets, all other features being equal. On image datasets such as MNIST and CIFAR-10, we show that TT-TFHE consistently and largely outperforms other TFHE set-ups and is competitive against other HE variants such as BFV or CKKS (while maintaining the same level of 128-bit encryption security guarantees). In addition, our solutions present a very low memory footprint (down to dozens of MBs for MNIST), which is in sharp contrast with other HE set-ups that typically require tens to hundreds of GBs of memory per user (in addition to their communication overheads). This is the first work presenting a fully practical solution of private inference (i.e. a few seconds for inference time and a few dozens MBs of memory) on both tabular datasets and MNIST, that can easily scale to multiple threads and users on server side.

Title: Communication Security in the Internet of Vehicles based Industrial Value Chain. (arXiv:2302.01744v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01744
• Code URL: null
• Copy Paste: [[2302.01744] Communication Security in the Internet of Vehicles based Industrial Value Chain](http://arxiv.org/abs/2302.01744) #security
• Summary:

  The Internet of Vehicles (IoV) is formed by connecting vehicles to Internet of Things. It enables vehicles to ubiquitously access to the information of customers (drivers), suppliers, and even producers to structure an IoV-based industrial value chain. Nevertheless, with the increase in vehicle networking and the information exchange among drivers, suppliers, and producers, communication security is emerging as a serious issue. In this article, we provide an overview of the communication security, and a summary of security requirements. Moreover, we clarify how security solutions can be used to conquer security challenges in the value chain. Finally, an example of attack detection and identification in Electronic Control Units (ECUs) of vehicles is used to concretely illustrate the challenges.

Title: Covert D2D Communication Underlaying Cellular Network: A System-Level Security Perspective. (arXiv:2302.01745v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01745
• Code URL: null
• Copy Paste: [[2302.01745] Covert D2D Communication Underlaying Cellular Network: A System-Level Security Perspective](http://arxiv.org/abs/2302.01745) #security
• Summary:

  In this paper, we aim to secure the D2D communication of the D2D-underlaid cellular network by leveraging covert communication to hide its presence from the vigilant adversary. In particular, there are adversaries aiming to detect D2D communications based on their received signal powers. To avoid being detected, the legitimate entity, i.e., D2D-underlaid cellular network, performs power control so as to hide the presence of the D2D communication. We model the combat between the adversaries and the legitimate entity as a two-stage Stackelberg game. Therein, the adversaries are the followers and aim to minimize their detection errors at the lower stage while the legitimate entity is the leader and aims to maximize its utility constrained by the D2D communication covertness and the cellular quality of service (QoS) at the upper stage. Different from the conventional works, the study of the combat is conducted from the system-level perspective, where the scenario that a large-scale D2D-underlaid cellular network threatened by massive spatially distributed adversaries is considered and the network spatial configuration is modeled by stochastic geometry. We obtain the adversary's optimal strategy as the best response from the lower stage and also both analytically and numerically verify its optimality. Taking into account the best response from the lower stage, we design a bi-level algorithm based on the successive convex approximation (SCA) method to search for the optimal strategy of the legitimate entity, which together with the best response from the lower stage constitute the Stackelberg equilibrium. Numerical results are presented to evaluate the network performance and reveal practical insights that instead of improving the legitimate utility by strengthening the D2D link reliability, increasing D2D transmission power will degrade it due to the security concern.

Title: A Process Model to Improve Information Security Governance in Organisations. (arXiv:2302.01753v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01753
• Code URL: null
• Copy Paste: [[2302.01753] A Process Model to Improve Information Security Governance in Organisations](http://arxiv.org/abs/2302.01753) #security
• Summary:

  Information security governance (ISG) is a relatively new and under-researched topic. A review of literature shows the lack of an ISG framework or model that can help the implementation of ISG. This research aims to introduce an empirically grounded ISG process model as a practical reference to facilitate the implementation of ISG in organisations.

This research has adopted an exploratory research approach where a conceptual ISG process model was proposed based on synthesis of extant literature and detailed review of relevant frameworks and models. The conceptual ISG process model was subsequently refined based on empirical data gathered from 3 case study organisations. The refined ISG process model was finally validated in 6 expert interviews.

This research has developed an empirically grounded ISG process model identifying stakeholder groups and explaining how core ISG processes and sub-processes interact. Specifically, the research contributes by: (1) developing ISG process theory, as ISG is a series of events occurring within an organisational context; and (2) developing an information-processing perspective on ISG, as the process model identifies the information and communication flows, and the relationships among stakeholder groups. In addition, the research has: (3) empirically examined and validated the ISG process model based on how ISG is practised in real-world organisations; (4) examined corporate governance theories to provide additional perspectives to ensure that the ISG process model is aligned with corporate governance objectives; (5) identified additional factors that influence the implementation of ISG requiring further research; and finally (6) expanded existing seminal research by introducing an empirically grounded ISG process model that has been developed based on synthesis of cumulative knowledge from previous research and validated with empirical data.

privacy

Title: Statistical Verification of Traffic Systems with Expected Differential Privacy. (arXiv:2302.01388v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01388
• Code URL: https://github.com/SmartAutonomyLab/SMC-EDP
• Copy Paste: [[2302.01388] Statistical Verification of Traffic Systems with Expected Differential Privacy](http://arxiv.org/abs/2302.01388) #privacy
• Summary:

  Traffic systems are multi-agent cyber-physical systems whose performance is closely related to human welfare. They work in open environments and are subject to uncertainties from various sources, making their performance hard to verify by traditional model-based approaches. Alternatively, statistical model checking (SMC) can verify their performance by sequentially drawing sample data until the correctness of a performance specification can be inferred with desired statistical accuracy. This work aims to verify traffic systems with privacy, motivated by the fact that the data used may include personal information (e.g., daily itinerary) and get leaked unintendedly by observing the execution of the SMC algorithm. To formally capture data privacy in SMC, we introduce the concept of expected differential privacy (EDP), which constrains how much the algorithm execution can change in the expectation sense when data change. Accordingly, we introduce an exponential randomization mechanism for the SMC algorithm to achieve the EDP. Our case study on traffic intersections by Vissim simulation shows the high accuracy of SMC in traffic model verification without significantly sacrificing computing efficiency. The case study also shows EDP successfully bounding the algorithm outputs to guarantee privacy.

Title: Committed Private Information Retrieval. (arXiv:2302.01733v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01733
• Code URL: https://github.com/pir-pixr/cpir
• Copy Paste: [[2302.01733] Committed Private Information Retrieval](http://arxiv.org/abs/2302.01733) #privacy
• Summary:

  A private information retrieval (PIR) scheme allows a client to retrieve a data item $x_i$ among $n$ items $x_1,x_2,...,x_n$ from $k$ servers, without revealing what $i$ is even when $t < k$ servers collude and try to learn $i$. Such a PIR scheme is said to be $t$-private. A PIR scheme is $v$-verifiable if the client can verify the correctness of the retrieved $x_i$ even when $v \leq k$ servers collude and try to fool the client by sending manipulated data. Most of the previous works in the literature on PIR assumed that $v < k$, leaving the case of all-colluding servers open. We propose a generic construction that combines a linear map commitment (LMC) and an arbitrary linear PIR scheme to produce a $k$-verifiable PIR scheme, termed a committed PIR scheme. Such a scheme guarantees that even in the worst scenario, when all servers are under the control of an attacker, although the privacy is unavoidably lost, the client won't be fooled into accepting an incorrect $x_i$. We demonstrate the practicality of our proposal by implementing the committed PIR schemes based on the Lai-Malavolta LMC and three well-known PIR schemes using the GMP library and \texttt{blst}, the current fastest C library for elliptic curve pairings.

Title: Enabling Trade-offs in Privacy and Utility in Genomic Data Beacons and Summary Statistics. (arXiv:2302.01763v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01763
• Code URL: null
• Copy Paste: [[2302.01763] Enabling Trade-offs in Privacy and Utility in Genomic Data Beacons and Summary Statistics](http://arxiv.org/abs/2302.01763) #privacy
• Summary:

  The collection and sharing of genomic data are becoming increasingly commonplace in research, clinical, and direct-to-consumer settings. The computational protocols typically adopted to protect individual privacy include sharing summary statistics, such as allele frequencies, or limiting query responses to the presence/absence of alleles of interest using web-services called Beacons. However, even such limited releases are susceptible to likelihood-ratio-based membership-inference attacks. Several approaches have been proposed to preserve privacy, which either suppress a subset of genomic variants or modify query responses for specific variants (e.g., adding noise, as in differential privacy). However, many of these approaches result in a significant utility loss, either suppressing many variants or adding a substantial amount of noise. In this paper, we introduce optimization-based approaches to explicitly trade off the utility of summary data or Beacon responses and privacy with respect to membership-inference attacks based on likelihood-ratios, combining variant suppression and modification. We consider two attack models. In the first, an attacker applies a likelihood-ratio test to make membership-inference claims. In the second model, an attacker uses a threshold that accounts for the effect of the data release on the separation in scores between individuals in the dataset and those who are not. We further introduce highly scalable approaches for approximately solving the privacy-utility tradeoff problem when information is either in the form of summary statistics or presence/absence queries. Finally, we show that the proposed approaches outperform the state of the art in both utility and privacy through an extensive evaluation with public datasets.

Title: Android OS Privacy Under the Loupe -- A Tale from the East. (arXiv:2302.01890v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01890
• Code URL: null
• Copy Paste: [[2302.01890] Android OS Privacy Under the Loupe -- A Tale from the East](http://arxiv.org/abs/2302.01890) #privacy
• Summary:

  China is currently the country with the largest number of Android smartphone users. We use a combination of static and dynamic code analysis techniques to study the data transmitted by the preinstalled system apps on Android smartphones from three of the most popular vendors in China. We find that an alarming number of preinstalled system, vendor and third-party apps are granted dangerous privileges. Through traffic analysis, we find these packages transmit to many third-party domains privacy sensitive information related to the user's device (persistent identifiers), geolocation (GPS coordinates, network-related identifiers), user profile (phone number, app usage) and social relationships (e.g., call history), without consent or even notification. This poses serious deanonymization and tracking risks that extend outside China when the user leaves the country, and calls for a more rigorous enforcement of the recently adopted data privacy legislation.

Title: Convergence of Gradient Descent with Linearly Correlated Noise and Applications to Differentially Private Learning. (arXiv:2302.01463v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01463
• Code URL: null
• Copy Paste: [[2302.01463] Convergence of Gradient Descent with Linearly Correlated Noise and Applications to Differentially Private Learning](http://arxiv.org/abs/2302.01463) #privacy
• Summary:

  We study stochastic optimization with linearly correlated noise. Our study is motivated by recent methods for optimization with differential privacy (DP), such as DP-FTRL, which inject noise via matrix factorization mechanisms. We propose an optimization problem that distils key facets of these DP methods and that involves perturbing gradients by linearly correlated noise. We derive improved convergence rates for gradient descent in this framework for convex and non-convex loss functions. Our theoretical analysis is novel and might be of independent interest. We use these convergence rates to develop new, effective matrix factorizations for differentially private optimization, and highlight the benefits of these factorizations theoretically and empirically.

Title: From Robustness to Privacy and Back. (arXiv:2302.01855v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01855
• Code URL: null
• Copy Paste: [[2302.01855] From Robustness to Privacy and Back](http://arxiv.org/abs/2302.01855) #privacy
• Summary:

  We study the relationship between two desiderata of algorithms in statistical inference and machine learning: differential privacy and robustness to adversarial data corruptions. Their conceptual similarity was first observed by Dwork and Lei (STOC 2009), who observed that private algorithms satisfy robustness, and gave a general method for converting robust algorithms to private ones. However, all general methods for transforming robust algorithms into private ones lead to suboptimal error rates. Our work gives the first black-box transformation that converts any adversarially robust algorithm into one that satisfies pure differential privacy. Moreover, we show that for any low-dimensional estimation task, applying our transformation to an optimal robust estimator results in an optimal private estimator. Thus, we conclude that for any low-dimensional task, the optimal error rate for $\varepsilon$-differentially private estimators is essentially the same as the optimal error rate for estimators that are robust to adversarially corrupting $1/\varepsilon$ training samples. We apply our transformation to obtain new optimal private estimators for several high-dimensional tasks, including Gaussian (sparse) linear regression and PCA. Finally, we present an extension of our transformation that leads to approximate differentially private algorithms whose error does not depend on the range of the output space, which is impossible under pure differential privacy.

protect

defense

Title: A Systematic Evaluation of Backdoor Trigger Characteristics in Image Classification. (arXiv:2302.01740v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01740
• Code URL: null
• Copy Paste: [[2302.01740] A Systematic Evaluation of Backdoor Trigger Characteristics in Image Classification](http://arxiv.org/abs/2302.01740) #defense
• Summary:

  Deep learning achieves outstanding results in many machine learning tasks. Nevertheless, it is vulnerable to backdoor attacks that modify the training set to embed a secret functionality in the trained model. The modified training samples have a secret property, i.e., a trigger. At inference time, the secret functionality is activated when the input contains the trigger, while the model functions correctly in other cases. While there are many known backdoor attacks (and defenses), deploying a stealthy attack is still far from trivial. Successfully creating backdoor triggers heavily depends on numerous parameters. Unfortunately, research has not yet determined which parameters contribute most to the attack performance.

This paper systematically analyzes the most relevant parameters for the backdoor attacks, i.e., trigger size, position, color, and poisoning rate. Using transfer learning, which is very common in computer vision, we evaluate the attack on numerous state-of-the-art models (ResNet, VGG, AlexNet, and GoogLeNet) and datasets (MNIST, CIFAR10, and TinyImageNet). Our attacks cover the majority of backdoor settings in research, providing concrete directions for future works. Our code is publicly available to facilitate the reproducibility of our results.

Title: Deep Reinforcement Learning for Cyber System Defense under Dynamic Adversarial Uncertainties. (arXiv:2302.01595v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01595
• Code URL: null
• Copy Paste: [[2302.01595] Deep Reinforcement Learning for Cyber System Defense under Dynamic Adversarial Uncertainties](http://arxiv.org/abs/2302.01595) #defense
• Summary:

  Development of autonomous cyber system defense strategies and action recommendations in the real-world is challenging, and includes characterizing system state uncertainties and attack-defense dynamics. We propose a data-driven deep reinforcement learning (DRL) framework to learn proactive, context-aware, defense countermeasures that dynamically adapt to evolving adversarial behaviors while minimizing loss of cyber system operations. A dynamic defense optimization problem is formulated with multiple protective postures against different types of adversaries with varying levels of skill and persistence. A custom simulation environment was developed and experiments were devised to systematically evaluate the performance of four model-free DRL algorithms against realistic, multi-stage attack sequences. Our results suggest the efficacy of DRL algorithms for proactive cyber defense under multi-stage attack profiles and system uncertainties.

attack

Title: A sliced-Wasserstein distance-based approach for out-of-class-distribution detection. (arXiv:2302.01459v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01459
• Code URL: null
• Copy Paste: [[2302.01459] A sliced-Wasserstein distance-based approach for out-of-class-distribution detection](http://arxiv.org/abs/2302.01459) #attack
• Summary:

  There exist growing interests in intelligent systems for numerous medical imaging, image processing, and computer vision applications, such as face recognition, medical diagnosis, character recognition, and self-driving cars, among others. These applications usually require solving complex classification problems involving complex images with unknown data generative processes. In addition to recent successes of the current classification approaches relying on feature engineering and deep learning, several shortcomings of them, such as the lack of robustness, generalizability, and interpretability, have also been observed. These methods often require extensive training data, are computationally expensive, and are vulnerable to out-of-distribution samples, e.g., adversarial attacks. Recently, an accurate, data-efficient, computationally efficient, and robust transport-based classification approach has been proposed, which describes a generative model-based problem formulation and closed-form solution for a specific category of classification problems. However, all these approaches lack mechanisms to detect test samples outside the class distributions used during training. In real-world settings, where the collected training samples are unable to exhaust or cover all classes, the traditional classification schemes are unable to handle the unseen classes effectively, which is especially an important issue for safety-critical systems, such as self-driving and medical imaging diagnosis. In this work, we propose a method for detecting out-of-class distributions based on the distribution of sliced-Wasserstein distance from the Radon Cumulative Distribution Transform (R-CDT) subspace. We tested our method on the MNIST and two medical image datasets and reported better accuracy than the state-of-the-art methods without an out-of-class distribution detection procedure.

Title: MorDIFF: Recognition Vulnerability and Attack Detectability of Face Morphing Attacks Created by Diffusion Autoencoders. (arXiv:2302.01843v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01843
• Code URL: https://github.com/naserdamer/mordiff
• Copy Paste: [[2302.01843] MorDIFF: Recognition Vulnerability and Attack Detectability of Face Morphing Attacks Created by Diffusion Autoencoders](http://arxiv.org/abs/2302.01843) #attack
• Summary:

  Investigating new methods of creating face morphing attacks is essential to foresee novel attacks and help mitigate them. Creating morphing attacks is commonly either performed on the image-level or on the representation-level. The representation-level morphing has been performed so far based on generative adversarial networks (GAN) where the encoded images are interpolated in the latent space to produce a morphed image based on the interpolated vector. Such a process was constrained by the limited reconstruction fidelity of GAN architectures. Recent advances in the diffusion autoencoder models have overcome the GAN limitations, leading to high reconstruction fidelity. This theoretically makes them a perfect candidate to perform representation-level face morphing. This work investigates using diffusion autoencoders to create face morphing attacks by comparing them to a wide range of image-level and representation-level morphs. Our vulnerability analyses on four state-of-the-art face recognition models have shown that such models are highly vulnerable to the created attacks, the MorDIFF, especially when compared to existing representation-level morphs. Detailed detectability analyses are also performed on the MorDIFF, showing that they are as challenging to detect as other morphing attacks created on the image- or representation-level. Data and morphing script are made public.

Title: Revisiting Personalized Federated Learning: Robustness Against Backdoor Attacks. (arXiv:2302.01677v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01677
• Code URL: null
• Copy Paste: [[2302.01677] Revisiting Personalized Federated Learning: Robustness Against Backdoor Attacks](http://arxiv.org/abs/2302.01677) #attack
• Summary:

  In this work, besides improving prediction accuracy, we study whether personalization could bring robustness benefits to backdoor attacks. We conduct the first study of backdoor attacks in the pFL framework, testing 4 widely used backdoor attacks against 6 pFL methods on benchmark datasets FEMNIST and CIFAR-10, a total of 600 experiments. The study shows that pFL methods with partial model-sharing can significantly boost robustness against backdoor attacks. In contrast, pFL methods with full model-sharing do not show robustness. To analyze the reasons for varying robustness performances, we provide comprehensive ablation studies on different pFL methods. Based on our findings, we further propose a lightweight defense method, Simple-Tuning, which empirically improves defense performance against backdoor attacks. We believe that our work could provide both guidance for pFL application in terms of its robustness and offer valuable insights to design more robust FL methods in the future.

Title: Dataset Distillation Fixes Dataset Reconstruction Attacks. (arXiv:2302.01428v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01428
• Code URL: null
• Copy Paste: [[2302.01428] Dataset Distillation Fixes Dataset Reconstruction Attacks](http://arxiv.org/abs/2302.01428) #attack
• Summary:

  Modern deep learning requires large volumes of data, which could contain sensitive or private information which cannot be leaked. Recent work has shown for homogeneous neural networks a large portion of this training data could be reconstructed with only access to the trained network parameters. While the attack was shown to work empirically, there exists little formal understanding of its effectiveness regime, and ways to defend against it. In this work, we first build a stronger version of the dataset reconstruction attack and show how it can provably recover its entire training set in the infinite width regime. We then empirically study the characteristics of this attack on two-layer networks and reveal that its success heavily depends on deviations from the frozen infinite-width Neural Tangent Kernel limit. More importantly, we formally show for the first time that dataset reconstruction attacks are a variation of dataset distillation. This key theoretical result on the unification of dataset reconstruction and distillation not only sheds more light on the characteristics of the attack but enables us to design defense mechanisms against them via distillation algorithms.

robust

Title: Effective Robustness against Natural Distribution Shifts for Models with Different Training Data. (arXiv:2302.01381v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01381
• Code URL: null
• Copy Paste: [[2302.01381] Effective Robustness against Natural Distribution Shifts for Models with Different Training Data](http://arxiv.org/abs/2302.01381) #robust
• Summary:

  ``Effective robustness'' measures the extra out-of-distribution (OOD) robustness beyond what can be predicted from the in-distribution (ID) performance. Existing effective robustness evaluations typically use a single test set such as ImageNet to evaluate ID accuracy. This becomes problematic when evaluating models trained on different data distributions, e.g., comparing models trained on ImageNet vs. zero-shot language-image pre-trained models trained on LAION. In this paper, we propose a new effective robustness evaluation metric to compare the effective robustness of models trained on different data distributions. To do this we control for the accuracy on multiple ID test sets that cover the training distributions for all the evaluated models. Our new evaluation metric provides a better estimate of the effectiveness robustness and explains the surprising effective robustness gains of zero-shot CLIP-like models exhibited when considering only one ID dataset, while the gains diminish under our evaluation.

Title: Hyperbolic Contrastive Learning. (arXiv:2302.01409v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01409
• Code URL: null
• Copy Paste: [[2302.01409] Hyperbolic Contrastive Learning](http://arxiv.org/abs/2302.01409) #robust
• Summary:

  Learning good image representations that are beneficial to downstream tasks is a challenging task in computer vision. As such, a wide variety of self-supervised learning approaches have been proposed. Among them, contrastive learning has shown competitive performance on several benchmark datasets. The embeddings of contrastive learning are arranged on a hypersphere that results in using the inner (dot) product as a distance measurement in Euclidean space. However, the underlying structure of many scientific fields like social networks, brain imaging, and computer graphics data exhibit highly non-Euclidean latent geometry. We propose a novel contrastive learning framework to learn semantic relationships in the hyperbolic space. Hyperbolic space is a continuous version of trees that naturally owns the ability to model hierarchical structures and is thus beneficial for efficient contrastive representation learning. We also extend the proposed Hyperbolic Contrastive Learning (HCL) to the supervised domain and studied the adversarial robustness of HCL. The comprehensive experiments show that our proposed method achieves better results on self-supervised pretraining, supervised classification, and higher robust accuracy than baseline methods.

Title: Revisiting Long-tailed Image Classification: Survey and Benchmarks with New Evaluation Metrics. (arXiv:2302.01507v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01507
• Code URL: null
• Copy Paste: [[2302.01507] Revisiting Long-tailed Image Classification: Survey and Benchmarks with New Evaluation Metrics](http://arxiv.org/abs/2302.01507) #robust
• Summary:

  Recently, long-tailed image classification harvests lots of research attention, since the data distribution is long-tailed in many real-world situations. Piles of algorithms are devised to address the data imbalance problem by biasing the training process towards less frequent classes. However, they usually evaluate the performance on a balanced testing set or multiple independent testing sets having distinct distributions with the training data. Considering the testing data may have arbitrary distributions, existing evaluation strategies are unable to reflect the actual classification performance objectively. We set up novel evaluation benchmarks based on a series of testing sets with evolving distributions. A corpus of metrics are designed for measuring the accuracy, robustness, and bounds of algorithms for learning with long-tailed distribution. Based on our benchmarks, we re-evaluate the performance of existing methods on CIFAR10 and CIFAR100 datasets, which is valuable for guiding the selection of data rebalancing techniques. We also revisit existing methods and categorize them into four types including data balancing, feature balancing, loss balancing, and prediction balancing, according the focused procedure during the training pipeline.

Title: Robust Camera Pose Refinement for Multi-Resolution Hash Encoding. (arXiv:2302.01571v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01571
• Code URL: null
• Copy Paste: [[2302.01571] Robust Camera Pose Refinement for Multi-Resolution Hash Encoding](http://arxiv.org/abs/2302.01571) #robust
• Summary:

  Multi-resolution hash encoding has recently been proposed to reduce the computational cost of neural renderings, such as NeRF. This method requires accurate camera poses for the neural renderings of given scenes. However, contrary to previous methods jointly optimizing camera poses and 3D scenes, the naive gradient-based camera pose refinement method using multi-resolution hash encoding severely deteriorates performance. We propose a joint optimization algorithm to calibrate the camera pose and learn a geometric representation using efficient multi-resolution hash encoding. Showing that the oscillating gradient flows of hash encoding interfere with the registration of camera poses, our method addresses the issue by utilizing smooth interpolation weighting to stabilize the gradient oscillation for the ray samplings across hash grids. Moreover, the curriculum training procedure helps to learn the level-wise hash encoding, further increasing the pose refinement. Experiments on the novel-view synthesis datasets validate that our learning frameworks achieve state-of-the-art performance and rapid convergence of neural rendering, even when initial camera poses are unknown.

Title: CVTNet: A Cross-View Transformer Network for Place Recognition Using LiDAR Data. (arXiv:2302.01665v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01665
• Code URL: https://github.com/bit-mjy/cvtnet
• Copy Paste: [[2302.01665] CVTNet: A Cross-View Transformer Network for Place Recognition Using LiDAR Data](http://arxiv.org/abs/2302.01665) #robust
• Summary:

  LiDAR-based place recognition (LPR) is one of the most crucial components of autonomous vehicles to identify previously visited places in GPS-denied environments. Most existing LPR methods use mundane representations of the input point cloud without considering different views, which may not fully exploit the information from LiDAR sensors. In this paper, we propose a cross-view transformer-based network, dubbed CVTNet, to fuse the range image views (RIVs) and bird's eye views (BEVs) generated from the LiDAR data. It extracts correlations within the views themselves using intra-transformers and between the two different views using inter-transformers. Based on that, our proposed CVTNet generates a yaw-angle-invariant global descriptor for each laser scan end-to-end online and retrieves previously seen places by descriptor matching between the current query scan and the pre-built database. We evaluate our approach on three datasets collected with different sensor setups and environmental conditions. The experimental results show that our method outperforms the state-of-the-art LPR methods with strong robustness to viewpoint changes and long-time spans. Furthermore, our approach has a good real-time performance that can run faster than the typical LiDAR frame rate. The implementation of our method is released as open source at: https://github.com/BIT-MJY/CVTNet.

Title: Leveraging weak complementary labels to improve semantic segmentation of hepatocellular carcinoma and cholangiocarcinoma in H&E-stained slides. (arXiv:2302.01813v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01813
• Code URL: null
• Copy Paste: [[2302.01813] Leveraging weak complementary labels to improve semantic segmentation of hepatocellular carcinoma and cholangiocarcinoma in H&E-stained slides](http://arxiv.org/abs/2302.01813) #robust
• Summary:

  In this paper, we present a deep learning segmentation approach to classify and quantify the two most prevalent primary liver cancers - hepatocellular carcinoma and intrahepatic cholangiocarcinoma - from hematoxylin and eosin (H&E) stained whole slide images. While semantic segmentation of medical images typically requires costly pixel-level annotations by domain experts, there often exists additional information which is routinely obtained in clinical diagnostics but rarely utilized for model training. We propose to leverage such weak information from patient diagnoses by deriving complementary labels that indicate to which class a sample cannot belong to. To integrate these labels, we formulate a complementary loss for segmentation. Motivated by the medical application, we demonstrate for general segmentation tasks that including additional patches with solely weak complementary labels during model training can significantly improve the predictive performance and robustness of a model. On the task of diagnostic differentiation between hepatocellular carcinoma and intrahepatic cholangiocarcinoma, we achieve a balanced accuracy of 0.91 (CI 95%: 0.86 - 0.95) at case level for 165 hold-out patients. Furthermore, we also show that leveraging complementary labels improves the robustness of segmentation and increases performance at case level.

Title: Certified Robustness of Learning-based Static Malware Detectors. (arXiv:2302.01757v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01757
• Code URL: null
• Copy Paste: [[2302.01757] Certified Robustness of Learning-based Static Malware Detectors](http://arxiv.org/abs/2302.01757) #robust
• Summary:

  Certified defenses are a recent development in adversarial machine learning (ML), which aim to rigorously guarantee the robustness of ML models to adversarial perturbations. A large body of work studies certified defenses in computer vision, where $\ell_p$ norm-bounded evasion attacks are adopted as a tractable threat model. However, this threat model has known limitations in vision, and is not applicable to other domains -- e.g., where inputs may be discrete or subject to complex constraints. Motivated by this gap, we study certified defenses for malware detection, a domain where attacks against ML-based systems are a real and current threat. We consider static malware detection systems that operate on byte-level data. Our certified defense is based on the approach of randomized smoothing which we adapt by: (1) replacing the standard Gaussian randomization scheme with a novel deletion randomization scheme that operates on bytes or chunks of an executable; and (2) deriving a certificate that measures robustness to evasion attacks in terms of generalized edit distance. To assess the size of robustness certificates that are achievable while maintaining high accuracy, we conduct experiments on malware datasets using a popular convolutional malware detection model, MalConv. We are able to accurately classify 91% of the inputs while being certifiably robust to any adversarial perturbations of edit distance 128 bytes or less. By comparison, an existing certification of up to 128 bytes of substitutions (without insertions or deletions) achieves an accuracy of 78%. In addition, given that robustness certificates are conservative, we evaluate practical robustness to several recently published evasion attacks and, in some cases, find robustness beyond certified guarantees.

Title: On the Robustness of Randomized Ensembles to Adversarial Perturbations. (arXiv:2302.01375v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01375
• Code URL: null
• Copy Paste: [[2302.01375] On the Robustness of Randomized Ensembles to Adversarial Perturbations](http://arxiv.org/abs/2302.01375) #robust
• Summary:

  Randomized ensemble classifiers (RECs), where one classifier is randomly selected during inference, have emerged as an attractive alternative to traditional ensembling methods for realizing adversarially robust classifiers with limited compute requirements. However, recent works have shown that existing methods for constructing RECs are more vulnerable than initially claimed, casting major doubts on their efficacy and prompting fundamental questions such as: "When are RECs useful?", "What are their limits?", and "How do we train them?". In this work, we first demystify RECs as we derive fundamental results regarding their theoretical limits, necessary and sufficient conditions for them to be useful, and more. Leveraging this new understanding, we propose a new boosting algorithm (BARRE) for training robust RECs, and empirically demonstrate its effectiveness at defending against strong $\ell_\infty$ norm-bounded adversaries across various network architectures and datasets.

Title: Generalized Uncertainty of Deep Neural Networks: Taxonomy and Applications. (arXiv:2302.01440v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01440
• Code URL: null
• Copy Paste: [[2302.01440] Generalized Uncertainty of Deep Neural Networks: Taxonomy and Applications](http://arxiv.org/abs/2302.01440) #robust
• Summary:

  Deep neural networks have seen enormous success in various real-world applications. Beyond their predictions as point estimates, increasing attention has been focused on quantifying the uncertainty of their predictions. In this review, we show that the uncertainty of deep neural networks is not only important in a sense of interpretability and transparency, but also crucial in further advancing their performance, particularly in learning systems seeking robustness and efficiency. We will generalize the definition of the uncertainty of deep neural networks to any number or vector that is associated with an input or an input-label pair, and catalog existing methods on ``mining'' such uncertainty from a deep model. We will include those methods from the classic field of uncertainty quantification as well as those methods that are specific to deep neural networks. We then show a wide spectrum of applications of such generalized uncertainty in realistic learning tasks including robust learning such as noisy learning, adversarially robust learning; data-efficient learning such as semi-supervised and weakly-supervised learning; and model-efficient learning such as model compression and knowledge distillation.

Title: Fixing by Mixing: A Recipe for Optimal Byzantine ML under Heterogeneity. (arXiv:2302.01772v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01772
• Code URL: null
• Copy Paste: [[2302.01772] Fixing by Mixing: A Recipe for Optimal Byzantine ML under Heterogeneity](http://arxiv.org/abs/2302.01772) #robust
• Summary:

  Byzantine machine learning (ML) aims to ensure the resilience of distributed learning algorithms to misbehaving (or Byzantine) machines. Although this problem received significant attention, prior works often assume the data held by the machines to be homogeneous, which is seldom true in practical settings. Data heterogeneity makes Byzantine ML considerably more challenging, since a Byzantine machine can hardly be distinguished from a non-Byzantine outlier. A few solutions have been proposed to tackle this issue, but these provide suboptimal probabilistic guarantees and fare poorly in practice. This paper closes the theoretical gap, achieving optimality and inducing good empirical results. In fact, we show how to automatically adapt existing solutions for (homogeneous) Byzantine ML to the heterogeneous setting through a powerful mechanism, we call nearest neighbor mixing (NNM), which boosts any standard robust distributed gradient descent variant to yield optimal Byzantine resilience under heterogeneity. We obtain similar guarantees (in expectation) by plugging NNM in the distributed stochastic heavy ball method, a practical substitute to distributed gradient descent. We obtain empirical results that significantly outperform state-of-the-art Byzantine ML solutions.

Title: Online Ad Allocation with Predictions. (arXiv:2302.01827v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01827
• Code URL: null
• Copy Paste: [[2302.01827] Online Ad Allocation with Predictions](http://arxiv.org/abs/2302.01827) #robust
• Summary:

  Display Ads and the generalized assignment problem are two well-studied online packing problems with important applications in ad allocation and other areas. In both problems, ad impressions arrive online and have to be allocated immediately to budget-constrained advertisers. Worst-case algorithms that achieve the ideal competitive ratio are known, but might act overly conservative given the predictable and usually tame nature of real-world input. Given this discrepancy, we develop an algorithm for both problems that incorporate machine-learned predictions and can thus improve the performance beyond the worst-case. Our algorithm is based on the work of Feldman et al. (2009) and similar in nature to Mahdian et al. (2007) who were the first to develop a learning-augmented algorithm for the related, but more structured Ad Words problem. We use a novel analysis to show that our algorithm is able to capitalize on a good prediction, while being robust against poor predictions. We experimentally evaluate our algorithm on synthetic and real-world data on a wide range of predictions. Our algorithm is consistently outperforming the worst-case algorithm without predictions.

biometric

Title: Motion ID: Human Authentication Approach. (arXiv:2302.01751v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01751
• Code URL: null
• Copy Paste: [[2302.01751] Motion ID: Human Authentication Approach](http://arxiv.org/abs/2302.01751) #biometric
• Summary:

  We introduce a novel approach to user authentication called Motion ID. The method employs motion sensing provided by inertial measurement units (IMUs), using it to verify the persons identity via short time series of IMU data captured by the mobile device. The paper presents two labeled datasets with unlock events: the first features IMU measurements, provided by six users who continuously collected data on six different smartphones for a period of 12 weeks. The second one contains 50 hours of IMU data for one specific motion pattern, provided by 101 users. Moreover, we present a two-stage user authentication process that employs motion pattern identification and user verification and is based on data preprocessing and machine learning. The Results section details the assessment of the method proposed, comparing it with existing biometric authentication methods and the Android biometric standard. The method has demonstrated high accuracy, indicating that it could be successfully used in combination with existing methods. Furthermore, the method exhibits significant promise as a standalone solution. We provide the datasets to the scholarly community and share our project code.

steal

extraction

Title: Object Dimension Extraction for Environment Mapping with Low Cost Cameras Fused with Laser Ranging. (arXiv:2302.01387v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01387
• Code URL: null
• Copy Paste: [[2302.01387] Object Dimension Extraction for Environment Mapping with Low Cost Cameras Fused with Laser Ranging](http://arxiv.org/abs/2302.01387) #extraction
• Summary:

  It is essential to have a method to map an unknown terrain for various applications. For places where human access is not possible, a method should be proposed to identify the environment. Exploration, disaster relief, transportation and many other purposes would be convenient if a map of the environment is available. Replicating the human vision system using stereo cameras would be an optimum solution. In this work, we have used laser ranging based technique fused with stereo cameras to extract dimension of objects for mapping. The distortions were calibrated using mathematical model of the camera. By means of Semi Global Block Matching [1] disparity map was generated and reduces the noise using novel noise reduction method of disparity map by dilation. The Data from the Laser Range Finder (LRF) and noise reduced vision data has been used to identify the object parameters.

Title: CTE: A Dataset for Contextualized Table Extraction. (arXiv:2302.01451v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.01451
• Code URL: https://github.com/ailab-unifi/cte-dataset
• Copy Paste: [[2302.01451] CTE: A Dataset for Contextualized Table Extraction](http://arxiv.org/abs/2302.01451) #extraction
• Summary:

  Relevant information in documents is often summarized in tables, helping the reader to identify useful facts. Most benchmark datasets support either document layout analysis or table understanding, but lack in providing data to apply both tasks in a unified way. We define the task of Contextualized Table Extraction (CTE), which aims to extract and define the structure of tables considering the textual context of the document. The dataset comprises 75k fully annotated pages of scientific papers, including more than 35k tables. Data are gathered from PubMed Central, merging the information provided by annotations in the PubTables-1M and PubLayNet datasets. The dataset can support CTE and adds new classes to the original ones. The generated annotations can be used to develop end-to-end pipelines for various tasks, including document layout analysis, table detection, structure recognition, and functional analysis. We formally define CTE and evaluation metrics, showing which subtasks can be tackled, describing advantages, limitations, and future works of this collection of data. Annotations and code will be accessible a https://github.com/AILab-UniFI/cte-dataset.

Title: Bioformer: an efficient transformer language model for biomedical text mining. (arXiv:2302.01588v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.01588
• Code URL: null
• Copy Paste: [[2302.01588] Bioformer: an efficient transformer language model for biomedical text mining](http://arxiv.org/abs/2302.01588) #extraction
• Summary:

  Pretrained language models such as Bidirectional Encoder Representations from Transformers (BERT) have achieved state-of-the-art performance in natural language processing (NLP) tasks. Recently, BERT has been adapted to the biomedical domain. Despite the effectiveness, these models have hundreds of millions of parameters and are computationally expensive when applied to large-scale NLP applications. We hypothesized that the number of parameters of the original BERT can be dramatically reduced with minor impact on performance. In this study, we present Bioformer, a compact BERT model for biomedical text mining. We pretrained two Bioformer models (named Bioformer8L and Bioformer16L) which reduced the model size by 60% compared to BERTBase. Bioformer uses a biomedical vocabulary and was pre-trained from scratch on PubMed abstracts and PubMed Central full-text articles. We thoroughly evaluated the performance of Bioformer as well as existing biomedical BERT models including BioBERT and PubMedBERT on 15 benchmark datasets of four different biomedical NLP tasks: named entity recognition, relation extraction, question answering and document classification. The results show that with 60% fewer parameters, Bioformer16L is only 0.1% less accurate than PubMedBERT while Bioformer8L is 0.9% less accurate than PubMedBERT. Both Bioformer16L and Bioformer8L outperformed BioBERTBase-v1.1. In addition, Bioformer16L and Bioformer8L are 2-3 fold as fast as PubMedBERT/BioBERTBase-v1.1. Bioformer has been successfully deployed to PubTator Central providing gene annotations over 35 million PubMed abstracts and 5 million PubMed Central full-text articles. We make Bioformer publicly available via https://github.com/WGLab/bioformer, including pre-trained models, datasets, and instructions for downstream use.

membership infer

federate

Title: Vertical Federated Learning: Taxonomies, Threats, and Prospects. (arXiv:2302.01550v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01550
• Code URL: null
• Copy Paste: [[2302.01550] Vertical Federated Learning: Taxonomies, Threats, and Prospects](http://arxiv.org/abs/2302.01550) #federate
• Summary:

  Federated learning (FL) is the most popular distributed machine learning technique. FL allows machine-learning models to be trained without acquiring raw data to a single point for processing. Instead, local models are trained with local data; the models are then shared and combined. This approach preserves data privacy as locally trained models are shared instead of the raw data themselves. Broadly, FL can be divided into horizontal federated learning (HFL) and vertical federated learning (VFL). For the former, different parties hold different samples over the same set of features; for the latter, different parties hold different feature data belonging to the same set of samples. In a number of practical scenarios, VFL is more relevant than HFL as different companies (e.g., bank and retailer) hold different features (e.g., credit history and shopping history) for the same set of customers. Although VFL is an emerging area of research, it is not well-established compared to HFL. Besides, VFL-related studies are dispersed, and their connections are not intuitive. Thus, this survey aims to bring these VFL-related studies to one place. Firstly, we classify existing VFL structures and algorithms. Secondly, we present the threats from security and privacy perspectives to VFL. Thirdly, for the benefit of future researchers, we discussed the challenges and prospects of VFL in detail.

Title: Convergence Analysis of Split Learning on Non-IID Data. (arXiv:2302.01633v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01633
• Code URL: null
• Copy Paste: [[2302.01633] Convergence Analysis of Split Learning on Non-IID Data](http://arxiv.org/abs/2302.01633) #federate
• Summary:

  Split Learning (SL) is one promising variant of Federated Learning (FL), where the AI model is split and trained at the clients and the server collaboratively. By offloading the computation-intensive portions to the server, SL enables efficient model training on resource-constrained clients. Despite its booming applications, SL still lacks rigorous convergence analysis on non-IID data, which is critical for hyperparameter selection. In this paper, we first prove that SL exhibits an $\mathcal{O}(1/\sqrt{R})$ convergence rate for non-convex objectives on non-IID data, where $R$ is the number of total training rounds. The derived convergence results can facilitate understanding the effect of some crucial factors in SL (e.g., data heterogeneity and synchronization interval). Furthermore, comparing with the convergence result of FL, we show that the guarantee of SL is worse than FL in terms of training rounds on non-IID data. The experimental results verify our theory. More findings on the comparison between FL and SL in cross-device settings are also reported.

Title: GTV: Generating Tabular Data via Vertical Federated Learning. (arXiv:2302.01706v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01706
• Code URL: null
• Copy Paste: [[2302.01706] GTV: Generating Tabular Data via Vertical Federated Learning](http://arxiv.org/abs/2302.01706) #federate
• Summary:

  Generative Adversarial Networks (GANs) have achieved state-of-the-art results in tabular data synthesis, under the presumption of direct accessible training data. Vertical Federated Learning (VFL) is a paradigm which allows to distributedly train machine learning model with clients possessing unique features pertaining to the same individuals, where the tabular data learning is the primary use case. However, it is unknown if tabular GANs can be learned in VFL. Demand for secure data transfer among clients and GAN during training and data synthesizing poses extra challenge. Conditional vector for tabular GANs is a valuable tool to control specific features of generated data. But it contains sensitive information from real data - risking privacy guarantees. In this paper, we propose GTV, a VFL framework for tabular GANs, whose key components are generator, discriminator and the conditional vector. GTV proposes an unique distributed training architecture for generator and discriminator to access training data in a privacy-preserving manner. To accommodate conditional vector into training without privacy leakage, GTV designs a mechanism training-with-shuffling to ensure that no party can reconstruct training data with conditional vector. We evaluate the effectiveness of GTV in terms of synthetic data quality, and overall training scalability. Results show that GTV can consistently generate high-fidelity synthetic tabular data of comparable quality to that generated by centralized GAN algorithm. The difference on machine learning utility can be as low as to 2.7%, even under extremely imbalanced data distributions across clients and different number of clients.

fair

Title: Hyper-parameter Tuning for Fair Classification without Sensitive Attribute Access. (arXiv:2302.01385v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01385
• Code URL: null
• Copy Paste: [[2302.01385] Hyper-parameter Tuning for Fair Classification without Sensitive Attribute Access](http://arxiv.org/abs/2302.01385) #fair
• Summary:

  Fair machine learning methods seek to train models that balance model performance across demographic subgroups defined over sensitive attributes like race and gender. Although sensitive attributes are typically assumed to be known during training, they may not be available in practice due to privacy and other logistical concerns. Recent work has sought to train fair models without sensitive attributes on training data. However, these methods need extensive hyper-parameter tuning to achieve good results, and hence assume that sensitive attributes are known on validation data. However, this assumption too might not be practical. Here, we propose Antigone, a framework to train fair classifiers without access to sensitive attributes on either training or validation data. Instead, we generate pseudo sensitive attributes on the validation data by training a biased classifier and using the classifier's incorrectly (correctly) labeled examples as proxies for minority (majority) groups. Since fairness metrics like demographic parity, equal opportunity and subgroup accuracy can be estimated to within a proportionality constant even with noisy sensitive attribute information, we show theoretically and empirically that these proxy labels can be used to maximize fairness under average accuracy constraints. Key to our results is a principled approach to select the hyper-parameters of the biased classifier in a completely unsupervised fashion (meaning without access to ground truth sensitive attributes) that minimizes the gap between fairness estimated using noisy versus ground-truth sensitive labels.

Title: Out of Context: Investigating the Bias and Fairness Concerns of "Artificial Intelligence as a Service". (arXiv:2302.01448v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01448
• Code URL: null
• Copy Paste: [[2302.01448] Out of Context: Investigating the Bias and Fairness Concerns of "Artificial Intelligence as a Service"](http://arxiv.org/abs/2302.01448) #fair
• Summary:

  "AI as a Service" (AIaaS) is a rapidly growing market, offering various plug-and-play AI services and tools. AIaaS enables its customers (users) - who may lack the expertise, data, and/or resources to develop their own systems - to easily build and integrate AI capabilities into their applications. Yet, it is known that AI systems can encapsulate biases and inequalities that can have societal impact. This paper argues that the context-sensitive nature of fairness is often incompatible with AIaaS' 'one-size-fits-all' approach, leading to issues and tensions. Specifically, we review and systematise the AIaaS space by proposing a taxonomy of AI services based on the levels of autonomy afforded to the user. We then critically examine the different categories of AIaaS, outlining how these services can lead to biases or be otherwise harmful in the context of end-user applications. In doing so, we seek to draw research attention to the challenges of this emerging area.

Title: Group Fairness in Non-monotone Submodular Maximization. (arXiv:2302.01546v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01546
• Code URL: null
• Copy Paste: [[2302.01546] Group Fairness in Non-monotone Submodular Maximization](http://arxiv.org/abs/2302.01546) #fair
• Summary:

  Maximizing a submodular function has a wide range of applications in machine learning and data mining. One such application is data summarization whose goal is to select a small set of representative and diverse data items from a large dataset. However, data items might have sensitive attributes such as race or gender, in this setting, it is important to design \emph{fairness-aware} algorithms to mitigate potential algorithmic bias that may cause over- or under- representation of particular groups. Motivated by that, we propose and study the classic non-monotone submodular maximization problem subject to novel group fairness constraints. Our goal is to select a set of items that maximizes a non-monotone submodular function, while ensuring that the number of selected items from each group is proportionate to its size, to the extent specified by the decision maker. We develop the first constant-factor approximation algorithms for this problem. We also extend the basic model to incorporate an additional global size constraint on the total number of selected items.

Title: An Operational Perspective to Fairness Interventions: Where and How to Intervene. (arXiv:2302.01574v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01574
• Code URL: null
• Copy Paste: [[2302.01574] An Operational Perspective to Fairness Interventions: Where and How to Intervene](http://arxiv.org/abs/2302.01574) #fair
• Summary:

  As AI-based decision systems proliferate, their successful operationalization requires balancing multiple desiderata: predictive performance, disparity across groups, safeguarding sensitive group attributes (e.g., race), and engineering cost. We present a holistic framework for evaluating and contextualizing fairness interventions with respect to the above desiderata. The two key points of practical consideration are where (pre-, in-, post-processing) and how (in what way the sensitive group data is used) the intervention is introduced. We demonstrate our framework using a thorough benchmarking study on predictive parity; we study close to 400 methodological variations across two major model types (XGBoost vs. Neural Net) and ten datasets. Methodological insights derived from our empirical study inform the practical design of ML workflow with fairness as a central concern. We find predictive parity is difficult to achieve without using group data, and despite requiring group data during model training (but not inference), distributionally robust methods provide significant Pareto improvement. Moreover, a plain XGBoost model often Pareto-dominates neural networks with fairness interventions, highlighting the importance of model inductive bias.

Title: Learning to Decouple Complex Systems. (arXiv:2302.01581v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01581
• Code URL: null
• Copy Paste: [[2302.01581] Learning to Decouple Complex Systems](http://arxiv.org/abs/2302.01581) #fair
• Summary:

  A complex system with cluttered observations may be a coupled mixture of multiple simple sub-systems corresponding to latent entities. Such sub-systems may hold distinct dynamics in the continuous-time domain; therein, complicated interactions between sub-systems also evolve over time. This setting is fairly common in the real world but has been less considered. In this paper, we propose a sequential learning approach under this setting by decoupling a complex system for handling irregularly sampled and cluttered sequential observations. Such decoupling brings about not only subsystems describing the dynamics of each latent entity but also a meta-system capturing the interaction between entities over time. Specifically, we argue that the meta-system evolving within a simplex is governed by projected differential equations (ProjDEs). We further analyze and provide neural-friendly projection operators in the context of Bregman divergence. Experimental results on synthetic and real-world datasets show the advantages of our approach when facing complex and cluttered sequential data compared to the state-of-the-art.

interpretability

Title: Spectral Aware Softmax for Visible-Infrared Person Re-Identification. (arXiv:2302.01512v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01512
• Code URL: null
• Copy Paste: [[2302.01512] Spectral Aware Softmax for Visible-Infrared Person Re-Identification](http://arxiv.org/abs/2302.01512) #interpretability
• Summary:

  Visible-infrared person re-identification (VI-ReID) aims to match specific pedestrian images from different modalities. Although suffering an extra modality discrepancy, existing methods still follow the softmax loss training paradigm, which is widely used in single-modality classification tasks. The softmax loss lacks an explicit penalty for the apparent modality gap, which adversely limits the performance upper bound of the VI-ReID task. In this paper, we propose the spectral-aware softmax (SA-Softmax) loss, which can fully explore the embedding space with the modality information and has clear interpretability. Specifically, SA-Softmax loss utilizes an asynchronous optimization strategy based on the modality prototype instead of the synchronous optimization based on the identity prototype in the original softmax loss. To encourage a high overlapping between two modalities, SA-Softmax optimizes each sample by the prototype from another spectrum. Based on the observation and analysis of SA-Softmax, we modify the SA-Softmax with the Feature Mask and Absolute-Similarity Term to alleviate the ambiguous optimization during model training. Extensive experimental evaluations conducted on RegDB and SYSU-MM01 demonstrate the superior performance of the SA-Softmax over the state-of-the-art methods in such a cross-modality condition.

Title: SCCAM: Supervised Contrastive Convolutional Attention Mechanism for Ante-hoc Interpretable Fault Diagnosis with Limited Fault Samples. (arXiv:2302.01599v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01599
• Code URL: null
• Copy Paste: [[2302.01599] SCCAM: Supervised Contrastive Convolutional Attention Mechanism for Ante-hoc Interpretable Fault Diagnosis with Limited Fault Samples](http://arxiv.org/abs/2302.01599) #interpretability
• Summary:

  In real industrial processes, fault diagnosis methods are required to learn from limited fault samples since the procedures are mainly under normal conditions and the faults rarely occur. Although attention mechanisms have become popular in the field of fault diagnosis, the existing attention-based methods are still unsatisfying for the above practical applications. First, pure attention-based architectures like transformers need a large number of fault samples to offset the lack of inductive biases thus performing poorly under limited fault samples. Moreover, the poor fault classification dilemma further leads to the failure of the existing attention-based methods to identify the root causes. To address the aforementioned issues, we innovatively propose a supervised contrastive convolutional attention mechanism (SCCAM) with ante-hoc interpretability, which solves the root cause analysis problem under limited fault samples for the first time. The proposed SCCAM method is tested on a continuous stirred tank heater and the Tennessee Eastman industrial process benchmark. Three common fault diagnosis scenarios are covered, including a balanced scenario for additional verification and two scenarios with limited fault samples (i.e., imbalanced scenario and long-tail scenario). The comprehensive results demonstrate that the proposed SCCAM method can achieve better performance compared with the state-of-the-art methods on fault classification and root cause analysis.

explainability

Title: From slides (through tiles) to pixels: an explainability framework for weakly supervised models in pre-clinical pathology. (arXiv:2302.01653v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01653
• Code URL: null
• Copy Paste: [[2302.01653] From slides (through tiles) to pixels: an explainability framework for weakly supervised models in pre-clinical pathology](http://arxiv.org/abs/2302.01653) #explainability
• Summary:

  In pre-clinical pathology, there is a paradox between the abundance of raw data (whole slide images from many organs of many individual animals) and the lack of pixel-level slide annotations done by pathologists. Due to time constraints and requirements from regulatory authorities, diagnoses are instead stored as slide labels. Weakly supervised training is designed to take advantage of those data, and the trained models can be used by pathologists to rank slides by their probability of containing a given lesion of interest. In this work, we propose a novel contextualized eXplainable AI (XAI) framework and its application to deep learning models trained on Whole Slide Images (WSIs) in Digital Pathology. Specifically, we apply our methods to a multi-instance-learning (MIL) model, which is trained solely on slide-level labels, without the need for pixel-level annotations. We validate quantitatively our methods by quantifying the agreements of our explanations' heatmaps with pathologists' annotations, as well as with predictions from a segmentation model trained on such annotations. We demonstrate the stability of the explanations with respect to input shifts, and the fidelity with respect to increased model performance. We quantitatively evaluate the correlation between available pixel-wise annotations and explainability heatmaps. We show that the explanations on important tiles of the whole slide correlate with tissue changes between healthy regions and lesions, but do not exactly behave like a human annotator. This result is coherent with the model training strategy.

watermark

Title: A Framework to Allow a Third Party to Watermark Numerical Data in an Encrypted Domain while Preserving its Statistical Properties. (arXiv:2302.01336v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01336
• Code URL: null
• Copy Paste: [[2302.01336] A Framework to Allow a Third Party to Watermark Numerical Data in an Encrypted Domain while Preserving its Statistical Properties](http://arxiv.org/abs/2302.01336) #watermark
• Summary:

  Watermarking data for source tracking applications by its owner can be unfair for recipients because the data owner may redistribute the same watermarked data to many users. Hence, each data recipient should know the watermark embedded in their data; however, this may enable them to remove it, which violates the watermark security. To overcome this problem, this research develops a framework that allows the cloud to watermark numerical data taking into consideration: the correctness of the results of selected statistics, data privacy, the recipient's right to know the watermark that is embedded in their data, and the security of the watermark against passive attacks. The proposed framework contains two irreversible watermarking algorithms, each can preserve the correctness of the results for certain statistical operations. To preserve data privacy, the framework allows the cloud to watermark data while it is encrypted. Furthermore, the framework robustifies the security of the chosen algorithms to nominate the cloud as the only neutral judge able to verify the data ownership even if other users know the watermark. The security is enhanced in a way that does not affect the data usability. The time complexity to find the watermark is $\mathcal{O}(\frac{n!}{r!(n-r)!})$.

diffusion

Title: Understanding and contextualising diffusion models. (arXiv:2302.01394v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01394
• Code URL: null
• Copy Paste: [[2302.01394] Understanding and contextualising diffusion models](http://arxiv.org/abs/2302.01394) #diffusion
• Summary:

  The latest developments in Artificial Intelligence include diffusion generative models, quite popular tools which can produce original images both unconditionally and, in some cases, conditioned by some inputs provided by the user. Apart from implementation details, which are outside the scope of this work, all of the main models used to generate images are substantially based on a common theory which restores a new image from a completely degraded one. In this work we explain how this is possible by focusing on the mathematical theory behind them, i.e. without analyzing in detail the specific implementations and related methods. The aim of this work is to clarify to the interested reader what all this means mathematically and intuitively.

Title: TEXTure: Text-Guided Texturing of 3D Shapes. (arXiv:2302.01721v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.01721
• Code URL: https://github.com/TEXTurePaper/TEXTurePaper
• Copy Paste: [[2302.01721] TEXTure: Text-Guided Texturing of 3D Shapes](http://arxiv.org/abs/2302.01721) #diffusion
• Summary:

  In this paper, we present TEXTure, a novel method for text-guided generation, editing, and transfer of textures for 3D shapes. Leveraging a pretrained depth-to-image diffusion model, TEXTure applies an iterative scheme that paints a 3D model from different viewpoints. Yet, while depth-to-image models can create plausible textures from a single viewpoint, the stochastic nature of the generation process can cause many inconsistencies when texturing an entire 3D object. To tackle these problems, we dynamically define a trimap partitioning of the rendered image into three progression states, and present a novel elaborated diffusion sampling process that uses this trimap representation to generate seamless textures from different views. We then show that one can transfer the generated texture maps to new 3D geometries without requiring explicit surface-to-surface mapping, as well as extract semantic textures from a set of images without requiring any explicit reconstruction. Finally, we show that TEXTure can be used to not only generate new textures but also edit and refine existing textures using either a text prompt or user-provided scribbles. We demonstrate that our TEXTuring method excels at generating, transferring, and editing textures through extensive evaluation, and further close the gap between 2D image generation and 3D texturing.

Title: A Lipschitz Bandits Approach for Continuous Hyperparameter Optimization. (arXiv:2302.01539v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01539
• Code URL: null
• Copy Paste: [[2302.01539] A Lipschitz Bandits Approach for Continuous Hyperparameter Optimization](http://arxiv.org/abs/2302.01539) #diffusion
• Summary:

  One of the most critical problems in machine learning is HyperParameter Optimization (HPO), since choice of hyperparameters has a significant impact on final model performance. Although there are many HPO algorithms, they either have no theoretical guarantees or require strong assumptions. To this end, we introduce BLiE -- a Lipschitz-bandit-based algorithm for HPO that only assumes Lipschitz continuity of the objective function. BLiE exploits the landscape of the objective function to adaptively search over the hyperparameter space. Theoretically, we show that $(i)$ BLiE finds an $\epsilon$-optimal hyperparameter with $O \left( \frac{1}{\epsilon} \right)^{d_z + \beta}$ total budgets, where $d_z$ and $\beta$ are problem intrinsic; $(ii)$ BLiE is highly parallelizable. Empirically, we demonstrate that BLiE outperforms the state-of-the-art HPO algorithms on benchmark tasks. We also apply BLiE to search for noise schedule of diffusion models. Comparison with the default schedule shows that BLiE schedule greatly improves the sampling speed.

Title: AdaptDiffuser: Diffusion Models as Adaptive Self-evolving Planners. (arXiv:2302.01877v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01877
• Code URL: null
• Copy Paste: [[2302.01877] AdaptDiffuser: Diffusion Models as Adaptive Self-evolving Planners](http://arxiv.org/abs/2302.01877) #diffusion
• Summary:

  Diffusion models have demonstrated their powerful generative capability in many tasks, with great potential to serve as a paradigm for offline reinforcement learning. However, the quality of the diffusion model is limited by the insufficient diversity of training data, which hinders the performance of planning and the generalizability to new tasks. This paper introduces AdaptDiffuser, an evolutionary planning method with diffusion that can self-evolve to improve the diffusion model hence a better planner, not only for seen tasks but can also adapt to unseen tasks. AdaptDiffuser enables the generation of rich synthetic expert data for goal-conditioned tasks using guidance from reward gradients. It then selects high-quality data via a discriminator to finetune the diffusion model, which improves the generalization ability to unseen tasks. Empirical experiments on two benchmark environments and two carefully designed unseen tasks in KUKA industrial robot arm and Maze2D environments demonstrate the effectiveness of AdaptDiffuser. For example, AdaptDiffuser not only outperforms the previous art Diffuser by 20.8% on Maze2D and 7.5% on MuJoCo locomotion, but also adapts better to new tasks, e.g., KUKA pick-and-place, by 27.9% without requiring additional expert data.