secure

Title: An Effective and Differentially Private Protocol for Secure Distributed Cardinality Estimation. (arXiv:2302.02158v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02158
• Code URL: null
• Copy Paste: [[2302.02158] An Effective and Differentially Private Protocol for Secure Distributed Cardinality Estimation](http://arxiv.org/abs/2302.02158) #secure
• Summary:

  Counting the number of distinct elements distributed over multiple data holders is a fundamental problem with many real-world applications ranging from crowd counting to network monitoring. Although a number of space and computational efficient sketch methods (e.g., the Flajolet-Martin sketch and the HyperLogLog sketch) for cardinality estimation have been proposed to solve the above problem, these sketch methods are insecure when considering privacy concerns related to the use of each data holder's personal dataset. Despite a recently proposed protocol that successfully implements the well-known Flajolet-Martin (FM) sketch on a secret-sharing based multiparty computation (MPC) framework for solving the problem of private distributed cardinality estimation (PDCE), we observe that this MPC-FM protocol is not differentially private. In addition, the MPC-FM protocol is computationally expensive, which limits its applications to data holders with limited computation resources. To address the above issues, in this paper we propose a novel protocol DP-DICE, which is computationally efficient and differentially private for solving the problem of PDCE. Experimental results show that our DP-DICE achieves orders of magnitude speedup and reduces the estimation error by several times in comparison with state-of-the-arts under the same security requirements.

Title: RRNet: Towards ReLU-Reduced Neural Network for Two-party Computation Based Private Inference. (arXiv:2302.02292v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02292
• Code URL: null
• Copy Paste: [[2302.02292] RRNet: Towards ReLU-Reduced Neural Network for Two-party Computation Based Private Inference](http://arxiv.org/abs/2302.02292) #secure
• Summary:

  The proliferation of deep learning (DL) has led to the emergence of privacy and security concerns. To address these issues, secure Two-party computation (2PC) has been proposed as a means of enabling privacy-preserving DL computation. However, in practice, 2PC methods often incur high computation and communication overhead, which can impede their use in large-scale systems. To address this challenge, we introduce RRNet, a systematic framework that aims to jointly reduce the overhead of MPC comparison protocols and accelerate computation through hardware acceleration. Our approach integrates the hardware latency of cryptographic building blocks into the DNN loss function, resulting in improved energy efficiency, accuracy, and security guarantees. Furthermore, we propose a cryptographic hardware scheduler and corresponding performance model for Field Programmable Gate Arrays (FPGAs) to further enhance the efficiency of our framework. Experiments show RRNet achieved a much higher ReLU reduction performance than all SOTA works on CIFAR-10 dataset.

security

Title: IoT Botnet Detection Using an Economic Deep Learning Model. (arXiv:2302.02013v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02013
• Code URL: null
• Copy Paste: [[2302.02013] IoT Botnet Detection Using an Economic Deep Learning Model](http://arxiv.org/abs/2302.02013) #security
• Summary:

  The rapid progress in technology innovation usage and distribution has increased in the last decade. The rapid growth of the Internet of Things (IoT) systems worldwide has increased network security challenges created by malicious third parties. Thus, reliable intrusion detection and network forensics systems that consider security concerns and IoT systems limitations are essential to protect such systems. IoT botnet attacks are one of the significant threats to enterprises and individuals. Thus, this paper proposed an economic deep learning-based model for detecting IoT botnet attacks along with different types of attacks. The proposed model achieved higher accuracy than the state-of-the-art detection models using a smaller implementation budget and accelerating the training and detecting processes.

Title: Detecting Security Patches via Behavioral Data in Code Repositories. (arXiv:2302.02112v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02112
• Code URL: null
• Copy Paste: [[2302.02112] Detecting Security Patches via Behavioral Data in Code Repositories](http://arxiv.org/abs/2302.02112) #security
• Summary:

  The absolute majority of software today is developed collaboratively using collaborative version control tools such as Git. It is a common practice that once a vulnerability is detected and fixed, the developers behind the software issue a Common Vulnerabilities and Exposures or CVE record to alert the user community of the security hazard and urge them to integrate the security patch. However, some companies might not disclose their vulnerabilities and just update their repository. As a result, users are unaware of the vulnerability and may remain exposed. In this paper, we present a system to automatically identify security patches using only the developer behavior in the Git repository without analyzing the code itself or the remarks that accompanied the fix (commit message). We showed we can reveal concealed security patches with an accuracy of 88.3% and F1 Score of 89.8%. This is the first time that a language-oblivious solution for this problem is presented.

Title: A theoretical basis for Blockchain Extractable Value. (arXiv:2302.02154v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02154
• Code URL: null
• Copy Paste: [[2302.02154] A theoretical basis for Blockchain Extractable Value](http://arxiv.org/abs/2302.02154) #security
• Summary:

  Extractable Value refers to a wide class of economic attacks to public blockchains, where adversaries with the power to reorder, drop or insert transactions in a block can "extract" value from user transactions. Empirical research has shown that mainstream protocols, like e.g. decentralized exchanges, are massively targeted by these attacks, with detrimental effects on their users and on the blockchain network. Despite the growing impact of these attacks in the real world, theoretical foundations are still missing. In this paper we propose a formal theory of Extractable Value, based on a general, abstract model of blockchains and smart contracts. Our theory is the basis for formal proofs of security against Extractable Value attacks.

privacy

Title: Human-Imperceptible Identification with Learnable Lensless Imaging. (arXiv:2302.02255v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02255
• Code URL: null
• Copy Paste: [[2302.02255] Human-Imperceptible Identification with Learnable Lensless Imaging](http://arxiv.org/abs/2302.02255) #privacy
• Summary:

  Lensless imaging protects visual privacy by capturing heavily blurred images that are imperceptible for humans to recognize the subject but contain enough information for machines to infer information. Unfortunately, protecting visual privacy comes with a reduction in recognition accuracy and vice versa. We propose a learnable lensless imaging framework that protects visual privacy while maintaining recognition accuracy. To make captured images imperceptible to humans, we designed several loss functions based on total variation, invertibility, and the restricted isometry property. We studied the effect of privacy protection with blurriness on the identification of personal identity via a quantitative method based on a subjective evaluation. Moreover, we validate our simulation by implementing a hardware realization of lensless imaging with photo-lithographically printed masks.

protect

Title: Towards Scalable EM-based Anomaly Detection For Embedded Devices Through Synthetic Fingerprinting. (arXiv:2302.02324v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02324
• Code URL: null
• Copy Paste: [[2302.02324] Towards Scalable EM-based Anomaly Detection For Embedded Devices Through Synthetic Fingerprinting](http://arxiv.org/abs/2302.02324) #protect
• Summary:

  Embedded devices are omnipresent in modern networks including the ones operating inside critical environments. However, due to their constrained nature, novel mechanisms are required to provide external, and non-intrusive anomaly detection. Among such approaches, one that has gained traction is based on the analysis of the electromagnetic (EM) signals that get emanated during a device's operation. However, one of the most neglected challenges of this approach is the requirement for manually gathering and fingerprinting the signals that correspond to each execution path of the software/firmware. Indeed, even simple programs are comprised of hundreds if not thousands of branches thus, making the fingerprinting stage an extremely time-consuming process that involves the manual labor of a human specialist. To address this issue, we propose a framework for generating synthetic EM signals directly from the machine code. The synthetic signals can be used to train a Machine Learning based (ML) system for anomaly detection. The main advantage of the proposed approach is that it completely removes the need for an elaborate and error-prone fingerprinting stage, thus, dramatically increasing the scalability of the corresponding protection mechanisms. The experimental evaluations indicate that our method provides high detection accuracy (above 90% AUC score) when employed for the detection of injection attacks. Moreover, the proposed methodology inflicts only a small penalty (-1.3%) in accuracy for the detection of the injection of as little as four malicious instructions when compared to the same methods if real signals were to be used.

Title: GAN-based federated learning for label protection in binary classification. (arXiv:2302.02245v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02245
• Code URL: null
• Copy Paste: [[2302.02245] GAN-based federated learning for label protection in binary classification](http://arxiv.org/abs/2302.02245) #protect
• Summary:

  As an emerging technique, vertical federated learning collaborates with different data sources to jointly train a machine learning model without data exchange. However, federated learning is computationally expensive and inefficient in modeling due to complex encryption algorithms and secure computation protocols. Split learning offers an alternative solution to circumvent these challenges. Despite this, vanilla split learning still suffers privacy leakage. Here, we propose the Generative Adversarial Federated Model (GAFM), which integrates the vanilla split learning framework with the Generative Adversarial Network (GAN) for protection against label leakage from gradients in binary classification tasks. We compare our proposal to existing models, including Marvell, Max Norm, and SplitNN, on three publicly available datasets, where GAFM shows significant improvement regarding the trade-off between classification accuracy and label privacy protection. We also provide heuristic justification for why GAFM can improve over baselines and demonstrate that GAFM offers label protection through gradient perturbation compared to SplitNN.

defense

Title: TextShield: Beyond Successfully Detecting Adversarial Sentences in Text Classification. (arXiv:2302.02023v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.02023
• Code URL: null
• Copy Paste: [[2302.02023] TextShield: Beyond Successfully Detecting Adversarial Sentences in Text Classification](http://arxiv.org/abs/2302.02023) #defense
• Summary:

  Adversarial attack serves as a major challenge for neural network models in NLP, which precludes the model's deployment in safety-critical applications. A recent line of work, detection-based defense, aims to distinguish adversarial sentences from benign ones. However, {the core limitation of previous detection methods is being incapable of giving correct predictions on adversarial sentences unlike defense methods from other paradigms.} To solve this issue, this paper proposes TextShield: (1) we discover a link between text attack and saliency information, and then we propose a saliency-based detector, which can effectively detect whether an input sentence is adversarial or not. (2) We design a saliency-based corrector, which converts the detected adversary sentences to benign ones. By combining the saliency-based detector and corrector, TextShield extends the detection-only paradigm to a detection-correction paradigm, thus filling the gap in the existing detection-based defense. Comprehensive experiments show that (a) TextShield consistently achieves higher or comparable performance than state-of-the-art defense methods across various attacks on different benchmarks. (b) our saliency-based detector outperforms existing detectors for detecting adversarial sentences.

Title: DeTorrent: An Adversarial Padding-only Traffic Analysis Defense. (arXiv:2302.02012v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02012
• Code URL: null
• Copy Paste: [[2302.02012] DeTorrent: An Adversarial Padding-only Traffic Analysis Defense](http://arxiv.org/abs/2302.02012) #defense
• Summary:

  While anonymity networks like Tor aim to protect the privacy of their users, they are vulnerable to traffic analysis attacks such as Website Fingerprinting (WF) and Flow Correlation (FC). Recent implementations of WF and FC attacks, such as Tik-Tok and DeepCoFFEA, have shown that the attacks can be effectively carried out, threatening user privacy. Consequently, there is a need for effective traffic analysis defense.

There are a variety of existing defenses, but most are either ineffective, incur high latency and bandwidth overhead, or require additional infrastructure. As a result, we aim to design a traffic analysis defense that is efficient and highly resistant to both WF and FC attacks. We propose DeTorrent, which uses competing neural networks to generate and evaluate traffic analysis defenses that insert 'dummy' traffic into real traffic flows. DeTorrent operates with moderate overhead and without delaying traffic. In a closed-world WF setting, it reduces an attacker's accuracy by 60.5%, a reduction 9.5% better than the next-best padding-only defense. Against the state-of-the-art FC attacker, DeTorrent reduces the true positive rate for a $10^{-4}$ false positive rate to about .30, which is less than half that of the next-best defense. We also demonstrate DeTorrent's practicality by deploying it alongside the Tor network and find that it maintains its performance when applied to live traffic.

Title: Run-Off Election: Improved Provable Defense against Data Poisoning Attacks. (arXiv:2302.02300v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02300
• Code URL: https://github.com/k1rezaei/DPA-election
• Copy Paste: [[2302.02300] Run-Off Election: Improved Provable Defense against Data Poisoning Attacks](http://arxiv.org/abs/2302.02300) #defense
• Summary:

  In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a majority vote across multiple base models. In this work, we show that merely considering the majority vote in ensemble defenses is wasteful as it does not effectively utilize available information in the logits layers of the base models. Instead, we propose Run-Off Election (ROE), a novel aggregation method based on a two-round election across the base models: In the first round, models vote for their preferred class and then a second, Run-Off election is held between the top two classes in the first round. Based on this approach, we propose DPA+ROE and FA+ROE defense methods based on Deep Partition Aggregation (DPA) and Finite Aggregation (FA) approaches from prior work. We show how to obtain robustness for these methods using ideas inspired by dynamic programming and duality. We evaluate our methods on MNIST, CIFAR-10, and GTSRB and obtain improvements in certified accuracy by up to 4.73%, 3.63%, and 3.54%, respectively, establishing a new state-of-the-art in (pointwise) certified robustness against data poisoning. In many cases, our approach outperforms the state-of-the-art, even when using 32 times less computational power.

attack

Title: CosPGD: a unified white-box adversarial attack for pixel-wise prediction tasks. (arXiv:2302.02213v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02213
• Code URL: null
• Copy Paste: [[2302.02213] CosPGD: a unified white-box adversarial attack for pixel-wise prediction tasks](http://arxiv.org/abs/2302.02213) #attack
• Summary:

  While neural networks allow highly accurate predictions in many tasks, their lack in robustness towards even slight input perturbations hampers their deployment in many real-world applications. Recent research towards evaluating the robustness of neural networks such as the seminal \emph{projected gradient descent} (PGD) attack and subsequent works and benchmarks have therefore drawn significant attention. Yet, such methods focus predominantly on classification tasks, while only a few approaches specifically address the analysis of pixel-wise prediction tasks such as semantic segmentation, optical flow, or disparity estimation. One notable exception is the recently proposed SegPGD attack, which could showcase the importance of pixel-wise attacks for evaluating semantic segmentation. While SegPGD is limited to pixel-wise classification (i.e. segmentation), in this work, we propose CosPGD, a novel white-box adversarial attack that allows to optimize dedicated attacks for any pixel-wise prediction task in a unified setting. It leverages the cosine similarity between the predictions and ground truth to extend directly from classification tasks to regression settings. Further, we empirically show the superior performance of CosPGD for semantic segmentation as well as for optical flow and disparity estimation.

Title: A Minimax Approach Against Multi-Armed Adversarial Attacks Detection. (arXiv:2302.02216v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02216
• Code URL: null
• Copy Paste: [[2302.02216] A Minimax Approach Against Multi-Armed Adversarial Attacks Detection](http://arxiv.org/abs/2302.02216) #attack
• Summary:

  Multi-armed adversarial attacks, in which multiple algorithms and objective loss functions are simultaneously used at evaluation time, have been shown to be highly successful in fooling state-of-the-art adversarial examples detectors while requiring no specific side information about the detection mechanism. By formalizing the problem at hand, we can propose a solution that aggregates the soft-probability outputs of multiple pre-trained detectors according to a minimax approach. The proposed framework is mathematically sound, easy to implement, and modular, allowing for integrating existing or future detectors. Through extensive evaluation on popular datasets (e.g., CIFAR10 and SVHN), we show that our aggregation consistently outperforms individual state-of-the-art detectors against multi-armed adversarial attacks, making it an effective solution to improve the resilience of available methods.

Title: DCA: Delayed Charging Attack on the Electric Shared Mobility System. (arXiv:2302.01972v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.01972
• Code URL: null
• Copy Paste: [[2302.01972] DCA: Delayed Charging Attack on the Electric Shared Mobility System](http://arxiv.org/abs/2302.01972) #attack
• Summary:

  An efficient operation of the electric shared mobility system (ESMS) relies heavily on seamless interconnections between shared electric vehicles (SEV), electric vehicle supply equipment (EVSE), and the grid. Nevertheless, this interconnectivity also makes the ESMS vulnerable to cyberattacks that may cause short-term breakdowns or long-term degradation of the ESMS. This study focuses on one such attack with long-lasting effects, the Delayed Charge Attack (DCA), that stealthily delays the charging service by exploiting the physical and communication vulnerabilities. To begin, we present the ESMS threat model by highlighting the assets, information flow, and access points. We next identify a linked sequence of vulnerabilities as a viable attack vector for launching DCA. Then, we detail the implementation of DCA, which can effectively bypass the detection in the SEV's battery management system and the cross-verification in the cloud environment. We test the DCA model against various Anomaly Detection (AD) algorithms by simulating the DCA dynamics in a Susceptible-Infectious-Removed-Susceptible (SIRS) process, where the EVSE can be compromised by the DCA or detected for repair. Using real-world taxi trip data and EVSE locations in New York City, the DCA model allows us to explore the long-term impacts and validate the system consequences. The results show that a 10-min delay will result in 12-min longer queuing times and 8% more unfulfilled requests, leading to a 10.7% (\$311.7) weekly revenue loss per driver. With the AD algorithms, the weekly revenue loss remains at 3.8% (\$111.8), suggesting the robustness of the DCA.

Title: BarrierBypass: Out-of-Sight Clean Voice Command Injection Attacks through Physical Barriers. (arXiv:2302.02042v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02042
• Code URL: null
• Copy Paste: [[2302.02042] BarrierBypass: Out-of-Sight Clean Voice Command Injection Attacks through Physical Barriers](http://arxiv.org/abs/2302.02042) #attack
• Summary:

  The growing adoption of voice-enabled devices (e.g., smart speakers), particularly in smart home environments, has introduced many security vulnerabilities that pose significant threats to users' privacy and safety. When multiple devices are connected to a voice assistant, an attacker can cause serious damage if they can gain control of these devices. We ask where and how can an attacker issue clean voice commands stealthily across a physical barrier, and perform the first academic measurement study of this nature on the command injection attack. We present the BarrierBypass attack that can be launched against three different barrier-based scenarios termed across-door, across-window, and across-wall. We conduct a broad set of experiments to observe the command injection attack success rates for multiple speaker samples (TTS and live human recorded) at different command audio volumes (65, 75, 85 dB), and smart speaker locations (0.1-4.0m from barrier). Against Amazon Echo Dot 2, BarrierBypass is able to achieve 100% wake word and command injection success for the across-wall and across-window attacks, and for the across-door attack (up to 2 meters). At 4 meters for the across-door attack, BarrierBypass can achieve 90% and 80% injection accuracy for the wake word and command, respectively. Against Google Home mini BarrierBypass is able to achieve 100% wake word injection accuracy for all attack scenarios. For command injection BarrierBypass can achieve 100% accuracy for all the three barrier settings (up to 2 meters). For the across-door attack at 4 meters, BarrierBypass can achieve 80% command injection accuracy. Further, our demonstration using drones yielded high command injection success, up to 100%. Overall, our results demonstrate the potentially devastating nature of this vulnerability to control a user's device from outside of the device's physical space.

Title: AUTOLYCUS: Exploiting Explainable AI (XAI) for Model Extraction Attacks against Decision Tree Models. (arXiv:2302.02162v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02162
• Code URL: null
• Copy Paste: [[2302.02162] AUTOLYCUS: Exploiting Explainable AI (XAI) for Model Extraction Attacks against Decision Tree Models](http://arxiv.org/abs/2302.02162) #attack
• Summary:

  Model extraction attack is one of the most prominent adversarial techniques to target machine learning models along with membership inference attack and model inversion attack. On the other hand, Explainable Artificial Intelligence (XAI) is a set of techniques and procedures to explain the decision making process behind AI. XAI is a great tool to understand the reasoning behind AI models but the data provided for such revelation creates security and privacy vulnerabilities. In this poster, we propose AUTOLYCUS, a model extraction attack that exploits the explanations provided by LIME to infer the decision boundaries of decision tree models and create extracted surrogate models that behave similar to a target model.

Title: Resilient Consensus Sustained Collaboratively. (arXiv:2302.02325v1 [cs.CR])

• Paper URL: http://arxiv.org/abs/2302.02325
• Code URL: null
• Copy Paste: [[2302.02325] Resilient Consensus Sustained Collaboratively](http://arxiv.org/abs/2302.02325) #attack
• Summary:

  The recent growth of blockchain technology has accelerated research on decentralized platforms. Initial such platforms decide on what should be added to the ledger based on the Proof-of-Work (PoW) consensus protocol. PoW protocol requires its participants to perform massive computations and leads to massive energy wastage. Existing solutions to replace the PoW protocol make use of the Proof-of-Stake (PoS) protocol or classical fault-tolerant consensus protocols. However, the safety of the ledger created by these protocols is at the mercy of the long-term safe-keeping of the private keys of participants subject to long-range attacks. To ameliorate this situation, we present the design of our novel HybridChain architecture, which requires each client transaction to undergo two consensus protocols: a fault-tolerant consensus followed by our novel Power-of-Collaboration (PoC) protocol. Despite this, we observe that our HybridChain system outperforms state-of-the-art blockchain systems yielding up to 2000x higher throughput and 10^5 times less energy costs.

Title: Unsupervised Ensemble Methods for Anomaly Detection in PLC-based Process Control. (arXiv:2302.02097v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02097
• Code URL: null
• Copy Paste: [[2302.02097] Unsupervised Ensemble Methods for Anomaly Detection in PLC-based Process Control](http://arxiv.org/abs/2302.02097) #attack
• Summary:

  Programmable logic controller (PLC) based industrial control systems (ICS) are used to monitor and control critical infrastructure. Integration of communication networks and an Internet of Things approach in ICS has increased ICS vulnerability to cyber-attacks. This work proposes novel unsupervised machine learning ensemble methods for anomaly detection in PLC-based ICS. The work presents two broad approaches to anomaly detection: a weighted voting ensemble approach with a learning algorithm based on coefficient of determination and a stacking-based ensemble approach using isolation forest meta-detector. The two ensemble methods were analyzed via an open-source PLC-based ICS subjected to multiple attack scenarios as a case study. The work considers four different learning models for the weighted voting ensemble method. Comparative performance analyses of five ensemble methods driven diverse base detectors are presented. Results show that stacking-based ensemble method using isolation forest meta-detector achieves superior performance to previous work on all performance metrics. Results also suggest that effective unsupervised ensemble methods, such as stacking-based ensemble having isolation forest meta-detector, can robustly detect anomalies in arbitrary ICS datasets. Finally, the presented results were validated by using statistical hypothesis tests.

Title: Conformalized semi-supervised random forest for classification and abnormality detection. (arXiv:2302.02237v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02237
• Code URL: null
• Copy Paste: [[2302.02237] Conformalized semi-supervised random forest for classification and abnormality detection](http://arxiv.org/abs/2302.02237) #attack
• Summary:

  Traditional classifiers infer labels under the premise that the training and test samples are generated from the same distribution. This assumption can be problematic for safety-critical applications such as medical diagnosis and network attack detection. In this paper, we consider the multi-class classification problem when the training data and the test data may have different distributions. We propose conformalized semi-supervised random forest (CSForest), which constructs set-valued predictions $C(x)$ to include the correct class label with desired probability while detecting outliers efficiently. We compare the proposed method to other state-of-art methods in both a synthetic example and a real data application to demonstrate the strength of our proposal.

robust

Title: Guaranteed Tensor Recovery Fused Low-rankness and Smoothness. (arXiv:2302.02155v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02155
• Code URL: https://github.com/wanghailin97/Guaranteed-Tensor-Recovery-Fused-Low-rankness-and-Smoothness
• Copy Paste: [[2302.02155] Guaranteed Tensor Recovery Fused Low-rankness and Smoothness](http://arxiv.org/abs/2302.02155) #robust
• Summary:

  The tensor data recovery task has thus attracted much research attention in recent years. Solving such an ill-posed problem generally requires to explore intrinsic prior structures underlying tensor data, and formulate them as certain forms of regularization terms for guiding a sound estimate of the restored tensor. Recent research have made significant progress by adopting two insightful tensor priors, i.e., global low-rankness (L) and local smoothness (S) across different tensor modes, which are always encoded as a sum of two separate regularization terms into the recovery models. However, unlike the primary theoretical developments on low-rank tensor recovery, these joint L+S models have no theoretical exact-recovery guarantees yet, making the methods lack reliability in real practice. To this crucial issue, in this work, we build a unique regularization term, which essentially encodes both L and S priors of a tensor simultaneously. Especially, by equipping this single regularizer into the recovery models, we can rigorously prove the exact recovery guarantees for two typical tensor recovery tasks, i.e., tensor completion (TC) and tensor robust principal component analysis (TRPCA). To the best of our knowledge, this should be the first exact-recovery results among all related L+S methods for tensor recovery. Significant recovery accuracy improvements over many other SOTA methods in several TC and TRPCA tasks with various kinds of visual tensor data are observed in extensive experiments. Typically, our method achieves a workable performance when the missing rate is extremely large, e.g., 99.5%, for the color image inpainting task, while all its peers totally fail in such challenging case.

Title: Laplacian ICP for Progressive Registration of 3D Human Head Meshes. (arXiv:2302.02194v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02194
• Code URL: null
• Copy Paste: [[2302.02194] Laplacian ICP for Progressive Registration of 3D Human Head Meshes](http://arxiv.org/abs/2302.02194) #robust
• Summary:

  We present a progressive 3D registration framework that is a highly-efficient variant of classical non-rigid Iterative Closest Points (N-ICP). Since it uses the Laplace-Beltrami operator for deformation regularisation, we view the overall process as Laplacian ICP (L-ICP). This exploits a `small deformation per iteration' assumption and is progressively coarse-to-fine, employing an increasingly flexible deformation model, an increasing number of correspondence sets, and increasingly sophisticated correspondence estimation. Correspondence matching is only permitted within predefined vertex subsets derived from domain-specific feature extractors. Additionally, we present a new benchmark and a pair of evaluation metrics for 3D non-rigid registration, based on annotation transfer. We use this to evaluate our framework on a publicly-available dataset of 3D human head scans (Headspace). The method is robust and only requires a small fraction of the computation time compared to the most popular classical approach, yet has comparable registration performance.

Title: Oscillation-free Quantization for Low-bit Vision Transformers. (arXiv:2302.02210v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02210
• Code URL: null
• Copy Paste: [[2302.02210] Oscillation-free Quantization for Low-bit Vision Transformers](http://arxiv.org/abs/2302.02210) #robust
• Summary:

  Weight oscillation is an undesirable side effect of quantization-aware training, in which quantized weights frequently jump between two quantized levels, resulting in training instability and a sub-optimal final model. We discover that the learnable scaling factor, a widely-used $\textit{de facto}$ setting in quantization aggravates weight oscillation. In this study, we investigate the connection between the learnable scaling factor and quantized weight oscillation and use ViT as a case driver to illustrate the findings and remedies. In addition, we also found that the interdependence between quantized weights in $\textit{query}$ and $\textit{key}$ of a self-attention layer makes ViT vulnerable to oscillation. We, therefore, propose three techniques accordingly: statistical weight quantization ($\rm StatsQ$) to improve quantization robustness compared to the prevalent learnable-scale-based method; confidence-guided annealing ($\rm CGA$) that freezes the weights with $\textit{high confidence}$ and calms the oscillating weights; and $\textit{query}$-$\textit{key}$ reparameterization ($\rm QKR$) to resolve the query-key intertwined oscillation and mitigate the resulting gradient misestimation. Extensive experiments demonstrate that these proposed techniques successfully abate weight oscillation and consistently achieve substantial accuracy improvement on ImageNet. Specifically, our 2-bit DeiT-T/DeiT-S algorithms outperform the previous state-of-the-art by 9.8% and 7.7%, respectively. The code is included in the supplementary material and will be released.

Title: A Disparity Refinement Framework for Learning-based Stereo Matching Methods in Cross-domain Setting for Laparoscopic Images. (arXiv:2302.02294v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02294
• Code URL: null
• Copy Paste: [[2302.02294] A Disparity Refinement Framework for Learning-based Stereo Matching Methods in Cross-domain Setting for Laparoscopic Images](http://arxiv.org/abs/2302.02294) #robust
• Summary:

  Purpose: Stereo matching methods that enable depth estimation are crucial for visualization enhancement applications in computer-assisted surgery (CAS). Learning-based stereo matching methods are promising to predict accurate results on laparoscopic images. However, they require a large amount of training data, and their performance may be degraded due to domain shifts.

Methods: Maintaining robustness and improving the accuracy of learning-based methods are still open problems. To overcome the limitations of learning-based methods, we propose a disparity refinement framework consisting of a local disparity refinement method and a global disparity refinement method to improve the results of learning-based stereo matching methods in a cross-domain setting. Those learning-based stereo matching methods are pre-trained on a large public dataset of natural images and are tested on two datasets of laparoscopic images.

Results: Qualitative and quantitative results suggest that our proposed disparity framework can effectively refine disparity maps when they are noise-corrupted on an unseen dataset, without compromising prediction accuracy when the network can generalize well on an unseen dataset.

Conclusion: Our proposed disparity refinement framework could work with learning-based methods to achieve robust and accurate disparity prediction. Yet, as a large laparoscopic dataset for training learning-based methods does not exist and the generalization ability of networks remains to be improved, the incorporation of the proposed disparity refinement framework into existing networks will contribute to improving their overall accuracy and robustness associated with depth estimation.

Title: Semi-Supervised Domain Adaptation with Source Label Adaptation. (arXiv:2302.02335v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02335
• Code URL: null
• Copy Paste: [[2302.02335] Semi-Supervised Domain Adaptation with Source Label Adaptation](http://arxiv.org/abs/2302.02335) #robust
• Summary:

  Semi-Supervised Domain Adaptation (SSDA) involves learning to classify unseen target data with a few labeled and lots of unlabeled target data, along with many labeled source data from a related domain. Current SSDA approaches usually aim at aligning the target data to the labeled source data with feature space mapping and pseudo-label assignments. Nevertheless, such a source-oriented model can sometimes align the target data to source data of the wrong classes, degrading the classification performance. This paper presents a novel source-adaptive paradigm that adapts the source data to match the target data. Our key idea is to view the source data as a noisily-labeled version of the ideal target data. Then, we propose an SSDA model that cleans up the label noise dynamically with the help of a robust cleaner component designed from the target perspective. Since the paradigm is very different from the core ideas behind existing SSDA approaches, our proposed model can be easily coupled with them to improve their performance. Empirical results on two state-of-the-art SSDA approaches demonstrate that the proposed model effectively cleans up the noise within the source labels and exhibits superior performance over those approaches across benchmark datasets.

Title: How Many and Which Training Points Would Need to be Removed to Flip this Prediction?. (arXiv:2302.02169v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02169
• Code URL: https://github.com/ecielyang/smallest_set
• Copy Paste: [[2302.02169] How Many and Which Training Points Would Need to be Removed to Flip this Prediction?](http://arxiv.org/abs/2302.02169) #robust
• Summary:

  We consider the problem of identifying a minimal subset of training data $\mathcal{S}_t$ such that if the instances comprising $\mathcal{S}_t$ had been removed prior to training, the categorization of a given test point $x_t$ would have been different. Identifying such a set may be of interest for a few reasons. First, the cardinality of $\mathcal{S}_t$ provides a measure of robustness (if $|\mathcal{S}_t|$ is small for $x_t$, we might be less confident in the corresponding prediction), which we show is correlated with but complementary to predicted probabilities. Second, interrogation of $\mathcal{S}_t$ may provide a novel mechanism for contesting a particular model prediction: If one can make the case that the points in $\mathcal{S}_t$ are wrongly labeled or irrelevant, this may argue for overturning the associated prediction. Identifying $\mathcal{S}_t$ via brute-force is intractable. We propose comparatively fast approximation methods to find $\mathcal{S}_t$ based on influence functions, and find that -- for simple convex text classification models -- these approaches can often successfully identify relatively small sets of training examples which, if removed, would flip the prediction. To our knowledge, this is the first work in to investigate the problem of identifying a minimal training set necessary to flip a given prediction in the context of machine learning.

Title: Asymmetric Certified Robustness via Feature-Convex Neural Networks. (arXiv:2302.01961v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01961
• Code URL: null
• Copy Paste: [[2302.01961] Asymmetric Certified Robustness via Feature-Convex Neural Networks](http://arxiv.org/abs/2302.01961) #robust
• Summary:

  Recent works have introduced input-convex neural networks (ICNNs) as learning models with advantageous training, inference, and generalization properties linked to their convex structure. In this paper, we propose a novel feature-convex neural network architecture as the composition of an ICNN with a Lipschitz feature map in order to achieve adversarial robustness. We consider the asymmetric binary classification setting with one "sensitive" class, and for this class we prove deterministic, closed-form, and easily-computable certified robust radii for arbitrary $\ell_p$-norms. We theoretically justify the use of these models by characterizing their decision region geometry, extending the universal approximation theorem for ICNN regression to the classification setting, and proving a lower bound on the probability that such models perfectly fit even unstructured uniformly distributed data in sufficiently high dimensions. Experiments on Malimg malware classification and subsets of MNIST, Fashion-MNIST, and CIFAR-10 datasets show that feature-convex classifiers attain state-of-the-art certified $\ell_1$-radii as well as substantial $\ell_2$- and $\ell_{\infty}$-radii while being far more computationally efficient than any competitive baseline.

Title: Robust Budget Pacing with a Single Sample. (arXiv:2302.02006v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02006
• Code URL: null
• Copy Paste: [[2302.02006] Robust Budget Pacing with a Single Sample](http://arxiv.org/abs/2302.02006) #robust
• Summary:

  Major Internet advertising platforms offer budget pacing tools as a standard service for advertisers to manage their ad campaigns. Given the inherent non-stationarity in an advertiser's value and also competing advertisers' values over time, a commonly used approach is to learn a target expenditure plan that specifies a target spend as a function of time, and then run a controller that tracks this plan. This raises the question: how many historical samples are required to learn a good expenditure plan? We study this question by considering an advertiser repeatedly participating in $T$ second-price auctions, where the tuple of her value and the highest competing bid is drawn from an unknown time-varying distribution. The advertiser seeks to maximize her total utility subject to her budget constraint. Prior work has shown the sufficiency of $T\log T$ samples per distribution to achieve the optimal $O(\sqrt{T})$-regret. We dramatically improve this state-of-the-art and show that just one sample per distribution is enough to achieve the near-optimal $\tilde O(\sqrt{T})$-regret, while still being robust to noise in the sampling distributions.

Title: Interpolation for Robust Learning: Data Augmentation on Geodesics. (arXiv:2302.02092v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02092
• Code URL: null
• Copy Paste: [[2302.02092] Interpolation for Robust Learning: Data Augmentation on Geodesics](http://arxiv.org/abs/2302.02092) #robust
• Summary:

  We propose to study and promote the robustness of a model as per its performance through the interpolation of training data distributions. Specifically, (1) we augment the data by finding the worst-case Wasserstein barycenter on the geodesic connecting subpopulation distributions of different categories. (2) We regularize the model for smoother performance on the continuous geodesic path connecting subpopulation distributions. (3) Additionally, we provide a theoretical guarantee of robustness improvement and investigate how the geodesic location and the sample size contribute, respectively. Experimental validations of the proposed strategy on four datasets, including CIFAR-100 and ImageNet, establish the efficacy of our method, e.g., our method improves the baselines' certifiable robustness on CIFAR10 up to $7.7\%$, with $16.8\%$ on empirical robustness on CIFAR-100. Our work provides a new perspective of model robustness through the lens of Wasserstein geodesic-based interpolation with a practical off-the-shelf strategy that can be combined with existing robust training methods.

Title: Certified Robust Control under Adversarial Perturbations. (arXiv:2302.02208v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02208
• Code URL: null
• Copy Paste: [[2302.02208] Certified Robust Control under Adversarial Perturbations](http://arxiv.org/abs/2302.02208) #robust
• Summary:

  Autonomous systems increasingly rely on machine learning techniques to transform high-dimensional raw inputs into predictions that are then used for decision-making and control. However, it is often easy to maliciously manipulate such inputs and, as a result, predictions. While effective techniques have been proposed to certify the robustness of predictions to adversarial input perturbations, such techniques have been disembodied from control systems that make downstream use of the predictions. We propose the first approach for composing robustness certification of predictions with respect to raw input perturbations with robust control to obtain certified robustness of control to adversarial input perturbations. We use a case study of adaptive vehicle control to illustrate our approach and show the value of the resulting end-to-end certificates through extensive experiments.

biometric

steal

extraction

Title: GDB: Gated convolutions-based Document Binarization. (arXiv:2302.02073v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02073
• Code URL: null
• Copy Paste: [[2302.02073] GDB: Gated convolutions-based Document Binarization](http://arxiv.org/abs/2302.02073) #extraction
• Summary:

  Document binarization is a key pre-processing step for many document analysis tasks. However, existing methods can not extract stroke edges finely, mainly due to the fair-treatment nature of vanilla convolutions and the extraction of stroke edges without adequate supervision by boundary-related information. In this paper, we formulate text extraction as the learning of gating values and propose an end-to-end gated convolutions-based network (GDB) to solve the problem of imprecise stroke edge extraction. The gated convolutions are applied to selectively extract the features of strokes with different attention. Our proposed framework consists of two stages. Firstly, a coarse sub-network with an extra edge branch is trained to get more precise feature maps by feeding a priori mask and edge. Secondly, a refinement sub-network is cascaded to refine the output of the first stage by gated convolutions based on the sharp edge. For global information, GDB also contains a multi-scale operation to combine local and global features. We conduct comprehensive experiments on ten Document Image Binarization Contest (DIBCO) datasets from 2009 to 2019. Experimental results show that our proposed methods outperform the state-of-the-art methods in terms of all metrics on average and achieve top ranking on six benchmark datasets.

Title: This Intestine Does Not Exist: Multiscale Residual Variational Autoencoder for Realistic Wireless Capsule Endoscopy Image Generation. (arXiv:2302.02150v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02150
• Code URL: null
• Copy Paste: [[2302.02150] This Intestine Does Not Exist: Multiscale Residual Variational Autoencoder for Realistic Wireless Capsule Endoscopy Image Generation](http://arxiv.org/abs/2302.02150) #extraction
• Summary:

  Medical image synthesis has emerged as a promising solution to address the limited availability of annotated medical data needed for training machine learning algorithms in the context of image-based Clinical Decision Support (CDS) systems. To this end, Generative Adversarial Networks (GANs) have been mainly applied to support the algorithm training process by generating synthetic images for data augmentation. However, in the field of Wireless Capsule Endoscopy (WCE), the limited content diversity and size of existing publicly available annotated datasets, adversely affect both the training stability and synthesis performance of GANs. Aiming to a viable solution for WCE image synthesis, a novel Variational Autoencoder architecture is proposed, namely "This Intestine Does not Exist" (TIDE). The proposed architecture comprises multiscale feature extraction convolutional blocks and residual connections, which enable the generation of high-quality and diverse datasets even with a limited number of training images. Contrary to the current approaches, which are oriented towards the augmentation of the available datasets, this study demonstrates that using TIDE, real WCE datasets can be fully substituted by artificially generated ones, without compromising classification performance. Furthermore, qualitative and user evaluation studies by experienced WCE specialists, validate from a medical viewpoint that both the normal and abnormal WCE images synthesized by TIDE are sufficiently realistic.

Title: Variational multichannel multiclass segmentation\endgraf using unsupervised lifting with CNNs. (arXiv:2302.02214v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02214
• Code URL: null
• Copy Paste: [[2302.02214] Variational multichannel multiclass segmentation\endgraf using unsupervised lifting with CNNs](http://arxiv.org/abs/2302.02214) #extraction
• Summary:

  We propose an unsupervised image segmentation approach, that combines a variational energy functional and deep convolutional neural networks. The variational part is based on a recent multichannel multiphase Chan-Vese model, which is capable to extract useful information from multiple input images simultaneously. We implement a flexible multiclass segmentation method that divides a given image into $K$ different regions. We use convolutional neural networks (CNNs) targeting a pre-decomposition of the image. By subsequently minimising the segmentation functional, the final segmentation is obtained in a fully unsupervised manner. Special emphasis is given to the extraction of informative feature maps serving as a starting point for the segmentation. The initial results indicate that the proposed method is able to decompose and segment the different regions of various types of images, such as texture and medical images and compare its performance with another multiphase segmentation method.

Title: CLiNet: Joint Detection of Road Network Centerlines in 2D and 3D. (arXiv:2302.02259v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02259
• Code URL: null
• Copy Paste: [[2302.02259] CLiNet: Joint Detection of Road Network Centerlines in 2D and 3D](http://arxiv.org/abs/2302.02259) #extraction
• Summary:

  This work introduces a new approach for joint detection of centerlines based on image data by localizing the features jointly in 2D and 3D. In contrast to existing work that focuses on detection of visual cues, we explore feature extraction methods that are directly amenable to the urban driving task. To develop and evaluate our approach, a large urban driving dataset dubbed AV Breadcrumbs is automatically labeled by leveraging vector map representations and projective geometry to annotate over 900,000 images. Our results demonstrate potential for dynamic scene modeling across various urban driving scenarios. Our model achieves an F1 score of 0.684 and an average normalized depth error of 2.083. The code and data annotations are publicly available.

Title: FGSI: Distant Supervision for Relation Extraction method based on Fine-Grained Semantic Information. (arXiv:2302.02078v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.02078
• Code URL: null
• Copy Paste: [[2302.02078] FGSI: Distant Supervision for Relation Extraction method based on Fine-Grained Semantic Information](http://arxiv.org/abs/2302.02078) #extraction
• Summary:

  The main purpose of relation extraction is to extract the semantic relationships between tagged pairs of entities in a sentence, which plays an important role in the semantic understanding of sentences and the construction of knowledge graphs. In this paper, we propose that the key semantic information within a sentence plays a key role in the relationship extraction of entities. We propose the hypothesis that the key semantic information inside the sentence plays a key role in entity relationship extraction. And based on this hypothesis, we split the sentence into three segments according to the location of the entity from the inside of the sentence, and find the fine-grained semantic features inside the sentence through the intra-sentence attention mechanism to reduce the interference of irrelevant noise information. The proposed relational extraction model can make full use of the available positive semantic information. The experimental results show that the proposed relation extraction model improves the accuracy-recall curves and P@N values compared with existing methods, which proves the effectiveness of this model.

membership infer

federate

Title: Heterogeneous Federated Knowledge Graph Embedding Learning and Unlearning. (arXiv:2302.02069v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02069
• Code URL: null
• Copy Paste: [[2302.02069] Heterogeneous Federated Knowledge Graph Embedding Learning and Unlearning](http://arxiv.org/abs/2302.02069) #federate
• Summary:

  Federated Learning (FL) recently emerges as a paradigm to train a global machine learning model across distributed clients without sharing raw data. Knowledge Graph (KG) embedding represents KGs in a continuous vector space, serving as the backbone of many knowledge-driven applications. As a promising combination, federated KG embedding can fully take advantage of knowledge learned from different clients while preserving the privacy of local data. However, realistic problems such as data heterogeneity and knowledge forgetting still remain to be concerned. In this paper, we propose FedLU, a novel FL framework for heterogeneous KG embedding learning and unlearning. To cope with the drift between local optimization and global convergence caused by data heterogeneity, we propose mutual knowledge distillation to transfer local knowledge to global, and absorb global knowledge back. Moreover, we present an unlearning method based on cognitive neuroscience, which combines retroactive interference and passive decay to erase specific knowledge from local clients and propagate to the global model by reusing knowledge distillation. We construct new datasets for assessing realistic performance of the state-of-the-arts. Extensive experiments show that FedLU achieves superior results in both link prediction and knowledge forgetting.

Title: FedSpectral+: Spectral Clustering using Federated Learning. (arXiv:2302.02137v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02137
• Code URL: null
• Copy Paste: [[2302.02137] FedSpectral+: Spectral Clustering using Federated Learning](http://arxiv.org/abs/2302.02137) #federate
• Summary:

  Clustering in graphs has been a well-known research problem, particularly because most Internet and social network data is in the form of graphs. Organizations widely use spectral clustering algorithms to find clustering in graph datasets. However, applying spectral clustering to a large dataset is challenging due to computational overhead. While the distributed spectral clustering algorithm exists, they face the problem of data privacy and increased communication costs between the clients. Thus, in this paper, we propose a spectral clustering algorithm using federated learning (FL) to overcome these issues. FL is a privacy-protecting algorithm that accumulates model parameters from each local learner rather than collecting users' raw data, thus providing both scalability and data privacy. We developed two approaches: FedSpectral and FedSpectral+. FedSpectral is a baseline approach that uses local spectral clustering labels to aggregate the global spectral clustering by creating a similarity graph. FedSpectral+, a state-of-the-art approach, uses the power iteration method to learn the global spectral embedding by incorporating the entire graph data without access to the raw information distributed among the clients. We further designed our own similarity metric to check the clustering quality of the distributed approach to that of the original/non-FL clustering. The proposed approach FedSpectral+ obtained a similarity of 98.85% and 99.8%, comparable to that of global clustering on the ego-Facebook and email-Eu-core dataset.

Title: Federated Temporal Difference Learning with Linear Function Approximation under Environmental Heterogeneity. (arXiv:2302.02212v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02212
• Code URL: null
• Copy Paste: [[2302.02212] Federated Temporal Difference Learning with Linear Function Approximation under Environmental Heterogeneity](http://arxiv.org/abs/2302.02212) #federate
• Summary:

  We initiate the study of federated reinforcement learning under environmental heterogeneity by considering a policy evaluation problem. Our setup involves $N$ agents interacting with environments that share the same state and action space but differ in their reward functions and state transition kernels. Assuming agents can communicate via a central server, we ask: Does exchanging information expedite the process of evaluating a common policy? To answer this question, we provide the first comprehensive finite-time analysis of a federated temporal difference (TD) learning algorithm with linear function approximation, while accounting for Markovian sampling, heterogeneity in the agents' environments, and multiple local updates to save communication. Our analysis crucially relies on several novel ingredients: (i) deriving perturbation bounds on TD fixed points as a function of the heterogeneity in the agents' underlying Markov decision processes (MDPs); (ii) introducing a virtual MDP to closely approximate the dynamics of the federated TD algorithm; and (iii) using the virtual MDP to make explicit connections to federated optimization. Putting these pieces together, we rigorously prove that in a low-heterogeneity regime, exchanging model estimates leads to linear convergence speedups in the number of agents.

fair

Title: Matrix Estimation for Individual Fairness. (arXiv:2302.02096v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02096
• Code URL: null
• Copy Paste: [[2302.02096] Matrix Estimation for Individual Fairness](http://arxiv.org/abs/2302.02096) #fair
• Summary:

  In recent years, multiple notions of algorithmic fairness have arisen. One such notion is individual fairness (IF), which requires that individuals who are similar receive similar treatment. In parallel, matrix estimation (ME) has emerged as a natural paradigm for handling noisy data with missing values. In this work, we connect the two concepts. We show that pre-processing data using ME can improve an algorithm's IF without sacrificing performance. Specifically, we show that using a popular ME method known as singular value thresholding (SVT) to pre-process the data provides a strong IF guarantee under appropriate conditions. We then show that, under analogous conditions, SVT pre-processing also yields estimates that are consistent and approximately minimax optimal. As such, the ME pre-processing step does not, under the stated conditions, increase the prediction error of the base algorithm, i.e., does not impose a fairness-performance trade-off. We verify these results on synthetic and real data.

Title: Fair Spatial Indexing: A paradigm for Group Spatial Fairness. (arXiv:2302.02306v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02306
• Code URL: null
• Copy Paste: [[2302.02306] Fair Spatial Indexing: A paradigm for Group Spatial Fairness](http://arxiv.org/abs/2302.02306) #fair
• Summary:

  Machine learning (ML) is playing an increasing role in decision-making tasks that directly affect individuals, e.g., loan approvals, or job applicant screening. Significant concerns arise that, without special provisions, individuals from under-privileged backgrounds may not get equitable access to services and opportunities. Existing research studies fairness with respect to protected attributes such as gender, race or income, but the impact of location data on fairness has been largely overlooked. With the widespread adoption of mobile apps, geospatial attributes are increasingly used in ML, and their potential to introduce unfair bias is significant, given their high correlation with protected attributes. We propose techniques to mitigate location bias in machine learning. Specifically, we consider the issue of miscalibration when dealing with geospatial attributes. We focus on spatial group fairness and we propose a spatial indexing algorithm that accounts for fairness. Our KD-tree inspired approach significantly improves fairness while maintaining high learning accuracy, as shown by extensive experimental results on real data.

Title: Improving Fair Training under Correlation Shifts. (arXiv:2302.02323v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02323
• Code URL: null
• Copy Paste: [[2302.02323] Improving Fair Training under Correlation Shifts](http://arxiv.org/abs/2302.02323) #fair
• Summary:

  Model fairness is an essential element for Trustworthy AI. While many techniques for model fairness have been proposed, most of them assume that the training and deployment data distributions are identical, which is often not true in practice. In particular, when the bias between labels and sensitive groups changes, the fairness of the trained model is directly influenced and can worsen. We make two contributions for solving this problem. First, we analytically show that existing in-processing fair algorithms have fundamental limits in accuracy and group fairness. We introduce the notion of correlation shifts, which can explicitly capture the change of the above bias. Second, we propose a novel pre-processing step that samples the input data to reduce correlation shifts and thus enables the in-processing approaches to overcome their limitations. We formulate an optimization problem for adjusting the data ratio among labels and sensitive groups to reflect the shifted correlation. A key benefit of our approach lies in decoupling the roles of pre- and in-processing approaches: correlation adjustment via pre-processing and unfairness mitigation on the processed data via in-processing. Experiments show that our framework effectively improves existing in-processing fair algorithms w.r.t. accuracy and fairness, both on synthetic and real datasets.

interpretability

Title: Improving Interpretability via Explicit Word Interaction Graph Layer. (arXiv:2302.02016v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.02016
• Code URL: https://github.com/qdata/wigraph
• Copy Paste: [[2302.02016] Improving Interpretability via Explicit Word Interaction Graph Layer](http://arxiv.org/abs/2302.02016) #interpretability
• Summary:

  Recent NLP literature has seen growing interest in improving model interpretability. Along this direction, we propose a trainable neural network layer that learns a global interaction graph between words and then selects more informative words using the learned word interactions. Our layer, we call WIGRAPH, can plug into any neural network-based NLP text classifiers right after its word embedding layer. Across multiple SOTA NLP models and various NLP datasets, we demonstrate that adding the WIGRAPH layer substantially improves NLP models' interpretability and enhances models' prediction performance at the same time.

Title: Fixed-kinetic Neural Hamiltonian Flows for enhanced interpretability and reduced complexity. (arXiv:2302.01955v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01955
• Code URL: null
• Copy Paste: [[2302.01955] Fixed-kinetic Neural Hamiltonian Flows for enhanced interpretability and reduced complexity](http://arxiv.org/abs/2302.01955) #interpretability
• Summary:

  Normalizing Flows (NF) are Generative models which are particularly robust and allow for exact sampling of the learned distribution. They however require the design of an invertible mapping, whose Jacobian determinant has to be computable. Recently introduced, Neural Hamiltonian Flows (NHF) are based on Hamiltonian dynamics-based Flows, which are continuous, volume-preserving and invertible and thus make for natural candidates for robust NF architectures. In particular, their similarity to classical Mechanics could lead to easier interpretability of the learned mapping. However, despite being Physics-inspired architectures, the originally introduced NHF architecture still poses a challenge to interpretability. For this reason, in this work, we introduce a fixed kinetic energy version of the NHF model. Inspired by physics, our approach improves interpretability and requires less parameters than previously proposed architectures. We then study the robustness of the NHF architectures to the choice of hyperparameters. We analyze the impact of the number of leapfrog steps, the integration time and the number of neurons per hidden layer, as well as the choice of prior distribution, on sampling a multimodal 2D mixture. The NHF architecture is robust to these choices, especially the fixed-kinetic energy model. Finally, we adapt NHF to the context of Bayesian inference and illustrate our method on sampling the posterior distribution of two cosmological parameters knowing type Ia supernovae observations.

Title: SPARLING: Learning Latent Representations with Extremely Sparse Activations. (arXiv:2302.01976v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.01976
• Code URL: null
• Copy Paste: [[2302.01976] SPARLING: Learning Latent Representations with Extremely Sparse Activations](http://arxiv.org/abs/2302.01976) #interpretability
• Summary:

  Real-world processes often contain intermediate state that can be modeled as an extremely sparse tensor. We introduce Sparling, a new kind of informational bottleneck that explicitly models this state by enforcing extreme activation sparsity. We additionally demonstrate that this technique can be used to learn the true intermediate representation with no additional supervision (i.e., from only end-to-end labeled examples), and thus improve the interpretability of the resulting models. On our DigitCircle domain, we are able to get an intermediate state prediction accuracy of 98.84%, even as we only train end-to-end.

Title: Structural Explanations for Graph Neural Networks using HSIC. (arXiv:2302.02139v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02139
• Code URL: null
• Copy Paste: [[2302.02139] Structural Explanations for Graph Neural Networks using HSIC](http://arxiv.org/abs/2302.02139) #interpretability
• Summary:

  Graph neural networks (GNNs) are a type of neural model that tackle graphical tasks in an end-to-end manner. Recently, GNNs have been receiving increased attention in machine learning and data mining communities because of the higher performance they achieve in various tasks, including graph classification, link prediction, and recommendation. However, the complicated dynamics of GNNs make it difficult to understand which parts of the graph features contribute more strongly to the predictions. To handle the interpretability issues, recently, various GNN explanation methods have been proposed. In this study, a flexible model agnostic explanation method is proposed to detect significant structures in graphs using the Hilbert-Schmidt independence criterion (HSIC), which captures the nonlinear dependency between two variables through kernels. More specifically, we extend the GraphLIME method for node explanation with a group lasso and a fused lasso-based node explanation method. The group and fused regularization with GraphLIME enables the interpretation of GNNs in substructure units. Then, we show that the proposed approach can be used for the explanation of sequential graph classification tasks. Through experiments, it is demonstrated that our method can identify crucial structures in a target graph in various settings.

Title: Augmenting Interpretable Knowledge Tracing by Ability Attribute and Attention Mechanism. (arXiv:2302.02146v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02146
• Code URL: null
• Copy Paste: [[2302.02146] Augmenting Interpretable Knowledge Tracing by Ability Attribute and Attention Mechanism](http://arxiv.org/abs/2302.02146) #interpretability
• Summary:

  Knowledge tracing aims to model students' past answer sequences to track the change in their knowledge acquisition during exercise activities and to predict their future learning performance. Most existing approaches ignore the fact that students' abilities are constantly changing or vary between individuals, and lack the interpretability of model predictions. To this end, in this paper, we propose a novel model based on ability attributes and attention mechanism. We first segment the interaction sequences and captures students' ability attributes, then dynamically assign students to groups with similar abilities, and quantify the relevance of the exercises to the skill by calculating the attention weights between the exercises and the skill to enhance the interpretability of the model. We conducted extensive experiments and evaluate real online education datasets. The results confirm that the proposed model is better at predicting performance than five well-known representative knowledge tracing models, and the model prediction results are explained through an inference path.

explainability

Title: A New cross-domain strategy based XAI models for fake news detection. (arXiv:2302.02122v1 [cs.CL])

• Paper URL: http://arxiv.org/abs/2302.02122
• Code URL: null
• Copy Paste: [[2302.02122] A New cross-domain strategy based XAI models for fake news detection](http://arxiv.org/abs/2302.02122) #explainability
• Summary:

  In this study, we presented a four-level cross-domain strategy for fake news detection on pre-trained models. Cross-domain text classification is a task of a model adopting a target domain by using the knowledge of the source domain. Explainability is crucial in understanding the behaviour of these complex models. A fine-tune BERT model is used to. perform cross-domain classification with several experiments using datasets from different domains. Explanatory models like Anchor, ELI5, LIME and SHAP are used to design a novel explainable approach to cross-domain levels. The experimental analysis has given an ideal pair of XAI models on different levels of cross-domain.

watermark

diffusion

Title: Semantic Diffusion Network for Semantic Segmentation. (arXiv:2302.02057v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02057
• Code URL: null
• Copy Paste: [[2302.02057] Semantic Diffusion Network for Semantic Segmentation](http://arxiv.org/abs/2302.02057) #diffusion
• Summary:

  Precise and accurate predictions over boundary areas are essential for semantic segmentation. However, the commonly-used convolutional operators tend to smooth and blur local detail cues, making it difficult for deep models to generate accurate boundary predictions. In this paper, we introduce an operator-level approach to enhance semantic boundary awareness, so as to improve the prediction of the deep semantic segmentation model. Specifically, we first formulate the boundary feature enhancement as an anisotropic diffusion process. We then propose a novel learnable approach called semantic diffusion network (SDN) to approximate the diffusion process, which contains a parameterized semantic difference convolution operator followed by a feature fusion module. Our SDN aims to construct a differentiable mapping from the original feature to the inter-class boundary-enhanced feature. The proposed SDN is an efficient and flexible module that can be easily plugged into existing encoder-decoder segmentation models. Extensive experiments show that our approach can achieve consistent improvements over several typical and state-of-the-art segmentation baseline models on challenging public benchmarks. The code will be released soon.

Title: Semantic-Guided Image Augmentation with Pre-trained Models. (arXiv:2302.02070v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02070
• Code URL: null
• Copy Paste: [[2302.02070] Semantic-Guided Image Augmentation with Pre-trained Models](http://arxiv.org/abs/2302.02070) #diffusion
• Summary:

  Image augmentation is a common mechanism to alleviate data scarcity in computer vision. Existing image augmentation methods often apply pre-defined transformations or mixup to augment the original image, but only locally vary the image. This makes them struggle to find a balance between maintaining semantic information and improving the diversity of augmented images. In this paper, we propose a Semantic-guided Image augmentation method with Pre-trained models (SIP). Specifically, SIP constructs prompts with image labels and captions to better guide the image-to-image generation process of the pre-trained Stable Diffusion model. The semantic information contained in the original images can be well preserved, and the augmented images still maintain diversity. Experimental results show that SIP can improve two commonly used backbones, i.e., ResNet-50 and ViT, by 12.60% and 2.07% on average over seven datasets, respectively. Moreover, SIP not only outperforms the best image augmentation baseline RandAugment by 4.46% and 1.23% on two backbones, but also further improves the performance by integrating naturally with the baseline. A detailed analysis of SIP is presented, including the diversity of augmented images, an ablation study on textual prompts, and a case study on the generated images.

Title: Divide and Compose with Score Based Generative Models. (arXiv:2302.02272v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02272
• Code URL: null
• Copy Paste: [[2302.02272] Divide and Compose with Score Based Generative Models](http://arxiv.org/abs/2302.02272) #diffusion
• Summary:

  While score based generative models, or diffusion models, have found success in image synthesis, they are often coupled with text data or image label to be able to manipulate and conditionally generate images. Even though manipulation of images by changing the text prompt is possible, our understanding of the text embedding and our ability to modify it to edit images is quite limited. Towards the direction of having more control over image manipulation and conditional generation, we propose to learn image components in an unsupervised manner so that we can compose those components to generate and manipulate images in informed manner. Taking inspiration from energy based models, we interpret different score components as the gradient of different energy functions. We show how score based learning allows us to learn interesting components and we can visualize them through generation. We also show how this novel decomposition allows us to compose, generate and modify images in interesting ways akin to dreaming. We make our code available at https://github.com/sandeshgh/Score-based-disentanglement

Title: Design Booster: A Text-Guided Diffusion Model for Image Translation with Spatial Layout Preservation. (arXiv:2302.02284v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02284
• Code URL: null
• Copy Paste: [[2302.02284] Design Booster: A Text-Guided Diffusion Model for Image Translation with Spatial Layout Preservation](http://arxiv.org/abs/2302.02284) #diffusion
• Summary:

  Diffusion models are able to generate photorealistic images in arbitrary scenes. However, when applying diffusion models to image translation, there exists a trade-off between maintaining spatial structure and high-quality content. Besides, existing methods are mainly based on test-time optimization or fine-tuning model for each input image, which are extremely time-consuming for practical applications. To address these issues, we propose a new approach for flexible image translation by learning a layout-aware image condition together with a text condition. Specifically, our method co-encodes images and text into a new domain during the training phase. In the inference stage, we can choose images/text or both as the conditions for each time step, which gives users more flexible control over layout and content. Experimental comparisons of our method with state-of-the-art methods demonstrate our model performs best in both style image translation and semantic image translation and took the shortest time.

Title: ReDi: Efficient Learning-Free Diffusion Inference via Trajectory Retrieval. (arXiv:2302.02285v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02285
• Code URL: null
• Copy Paste: [[2302.02285] ReDi: Efficient Learning-Free Diffusion Inference via Trajectory Retrieval](http://arxiv.org/abs/2302.02285) #diffusion
• Summary:

  Diffusion models show promising generation capability for a variety of data. Despite their high generation quality, the inference for diffusion models is still time-consuming due to the numerous sampling iterations required. To accelerate the inference, we propose ReDi, a simple yet learning-free Retrieval-based Diffusion sampling framework. From a precomputed knowledge base, ReDi retrieves a trajectory similar to the partially generated trajectory at an early stage of generation, skips a large portion of intermediate steps, and continues sampling from a later step in the retrieved trajectory. We theoretically prove that the generation performance of ReDi is guaranteed. Our experiments demonstrate that ReDi improves the model inference efficiency by 2x speedup. Furthermore, ReDi is able to generalize well in zero-shot cross-domain image generation such as image stylization.

Title: ShiftDDPMs: Exploring Conditional Diffusion Models by Shifting Diffusion Trajectories. (arXiv:2302.02373v1 [cs.CV])

• Paper URL: http://arxiv.org/abs/2302.02373
• Code URL: null
• Copy Paste: [[2302.02373] ShiftDDPMs: Exploring Conditional Diffusion Models by Shifting Diffusion Trajectories](http://arxiv.org/abs/2302.02373) #diffusion
• Summary:

  Diffusion models have recently exhibited remarkable abilities to synthesize striking image samples since the introduction of denoising diffusion probabilistic models (DDPMs). Their key idea is to disrupt images into noise through a fixed forward process and learn its reverse process to generate samples from noise in a denoising way. For conditional DDPMs, most existing practices relate conditions only to the reverse process and fit it to the reversal of unconditional forward process. We find this will limit the condition modeling and generation in a small time window. In this paper, we propose a novel and flexible conditional diffusion model by introducing conditions into the forward process. We utilize extra latent space to allocate an exclusive diffusion trajectory for each condition based on some shifting rules, which will disperse condition modeling to all timesteps and improve the learning capacity of model. We formulate our method, which we call \textbf{ShiftDDPMs}, and provide a unified point of view on existing related methods. Extensive qualitative and quantitative experiments on image synthesis demonstrate the feasibility and effectiveness of ShiftDDPMs.

Title: SE(3) diffusion model with application to protein backbone generation. (arXiv:2302.02277v1 [cs.LG])

• Paper URL: http://arxiv.org/abs/2302.02277
• Code URL: null
• Copy Paste: [[2302.02277] SE(3) diffusion model with application to protein backbone generation](http://arxiv.org/abs/2302.02277) #diffusion
• Summary:

  The design of novel protein structures remains a challenge in protein engineering for applications across biomedicine and chemistry. In this line of work, a diffusion model over rigid bodies in 3D (referred to as frames) has shown success in generating novel, functional protein backbones that have not been observed in nature. However, there exists no principled methodological framework for diffusion on SE(3), the space of orientation preserving rigid motions in R3, that operates on frames and confers the group invariance. We address these shortcomings by developing theoretical foundations of SE(3) invariant diffusion models on multiple frames followed by a novel framework, FrameDiff, for learning the SE(3) equivariant score over multiple frames. We apply FrameDiff on monomer backbone generation and find it can generate designable monomers up to 500 amino acids without relying on a pretrained protein structure prediction network that has been integral to previous methods. We find our samples are capable of generalizing beyond any known protein structure.