-
Aeroengine performance prediction using a physical-embedded data-driven method
Authors:
Tong Mo,
Shiran Dai,
An Fu,
Xiaomeng Zhu,
Shuxiao Li
Abstract:
Accurate and efficient prediction of aeroengine performance is of paramount importance for engine design, maintenance, and optimization endeavours. However, existing methodologies often struggle to strike an optimal balance among predictive accuracy, computational efficiency, modelling complexity, and data dependency. To address these challenges, we propose a strategy that synergistically combines domain knowledge from both the aeroengine and neural network realms to enable real-time prediction of engine performance parameters. Leveraging aeroengine domain knowledge, we judiciously design the network structure and regulate the internal information flow. Concurrently, drawing upon neural network domain expertise, we devise four distinct feature fusion methods and introduce an innovative loss function formulation. To rigorously evaluate the effectiveness and robustness of our proposed strategy, we conduct comprehensive validation across two distinct datasets. The empirical results demonstrate: (1) the evident advantages of our tailored loss function; (2) our model's ability to maintain equal or superior performance with a reduced parameter count; (3) our model's reduced data dependency compared to generalized neural network architectures; (4) our model's greater interpretability compared to traditional black-box machine learning methods.
Submitted 29 June, 2024;
originally announced July 2024.
-
Decaf: Data Distribution Decompose Attack against Federated Learning
Authors:
Zhiyang Dai,
Chunyi Zhou,
Anmin Fu
Abstract:
In contrast to prevalent Federated Learning (FL) privacy inference techniques such as generative adversarial networks attacks, membership inference attacks, property inference attacks, and model inversion attacks, we devise an innovative privacy threat: the Data Distribution Decompose Attack on FL, termed Decaf. This attack enables an honest-but-curious FL server to meticulously profile the proportion of each class owned by the victim FL user, divulging sensitive information like local market item distribution and business competitiveness. The crux of Decaf lies in the profound observation that the magnitude of local model gradient changes closely mirrors the underlying data distribution, including the proportion of each class. Decaf addresses two crucial challenges: accurately identify the missing/null class(es) given by any victim user as a premise and then quantify the precise relationship between gradient changes and each remaining non-null class. Notably, Decaf operates stealthily, rendering it entirely passive and undetectable to victim users regarding the infringement of their data distribution privacy. Experimental validation on five benchmark datasets (MNIST, FASHION-MNIST, CIFAR-10, FER-2013, and SkinCancer) employing diverse model architectures, including customized convolutional networks, standardized VGG16, and ResNet18, demonstrates Decaf's efficacy. Results indicate its ability to accurately decompose local user data distribution, regardless of whether it is IID or non-IID distributed. Specifically, the dissimilarity measured using $L_{\infty}$ distance between the distribution decomposed by Decaf and ground truth is consistently below 5% when no null classes exist. Moreover, Decaf achieves 100% accuracy in determining any victim user's null classes, validated through formal proof.
Submitted 24 May, 2024;
originally announced May 2024.
-
Efficient Radiation Treatment Planning based on Voxel Importance
Authors:
Sebastian Mair,
Anqi Fu,
Jens Sjölund
Abstract:
Optimization is a time-consuming part of radiation treatment planning. We propose to reduce the optimization problem by only using a representative subset of informative voxels. This way, we improve planning efficiency while maintaining or enhancing the plan quality. To reduce the computational complexity of the optimization problem, we propose to subsample the set of voxels via importance sampling. We derive a sampling distribution based on an importance score that we obtain from pre-solving an easy optimization problem involving a simplified probing objective. By solving a reduced version of the original optimization problem using this subset, we effectively reduce the problem's size and computational demands while accounting for regions in which satisfactory dose deliveries are challenging. In contrast to other stochastic (sub-)sampling methods, our technique only requires a single sampling step to define a reduced optimization problem. This problem can be efficiently solved using established solvers. Empirical experiments on open benchmark data highlight substantially reduced optimization times, up to 50 times faster than the original ones, for intensity-modulated radiation therapy (IMRT), all while upholding plan quality comparable to traditional methods. Our approach has the potential to significantly accelerate radiation treatment planning by addressing its inherent computational challenges. We reduce the treatment planning time by reducing the size of the optimization problem rather than improving the optimization method. Our efforts are thus complementary to much of the previous developments.
Submitted 6 May, 2024;
originally announced May 2024.
-
Machine Unlearning: Taxonomy, Metrics, Applications, Challenges, and Prospects
Authors:
Na Li,
Chunyi Zhou,
Yansong Gao,
Hui Chen,
Anmin Fu,
Zhi Zhang,
Yu Shui
Abstract:
Personal digital data is a critical asset, and governments worldwide have enforced laws and regulations to protect data privacy. Data users have been granted the right to be forgotten with respect to their data. In the course of machine learning (ML), the right to be forgotten requires a model provider to delete user data and its subsequent impact on ML models upon user requests. Machine unlearning emerges to address this, and it has garnered ever-increasing attention from both industry and academia. While the area has developed rapidly, there is a lack of comprehensive surveys to capture the latest advancements. Recognizing this shortage, we conduct an extensive exploration to map the landscape of machine unlearning, including the (fine-grained) taxonomy of unlearning algorithms under centralized and distributed settings, the debate on approximate unlearning, verification and evaluation metrics, challenges and solutions for unlearning under different applications, as well as attacks targeting machine unlearning. The survey concludes by outlining potential directions for future research, hoping to serve as a guide for interested scholars.
Submitted 13 March, 2024;
originally announced March 2024.
-
CPSOR-GCN: A Vehicle Trajectory Prediction Method Powered by Emotion and Cognitive Theory
Authors:
L. Tang,
Y. Li,
J. Yuan,
A. Fu,
J. Sun
Abstract:
Active safety systems on vehicles often face problems with false alarms. Most active safety systems predict the driver's trajectory with the assumption that the driver is always in a normal emotional state, and then infer risks. However, the driver's trajectory uncertainty increases under abnormal emotions. This paper proposes a new trajectory prediction model, CPSOR-GCN, which predicts vehicle trajectories under abnormal emotions. At the physical level, the interaction features between vehicles are extracted by the physical GCN module. At the cognitive level, SOR cognitive theory is used as prior knowledge to build a Dynamic Bayesian Network (DBN) structure. The conditional probability and state transition probability of nodes from the calibrated SOR-DBN quantify the causal relationship between cognitive factors, which is embedded into the cognitive GCN module to extract the characteristics of the influence mechanism of emotions on driving behavior. The CARLA-SUMO joint driving simulation platform was built to develop dangerous pre-crash scenarios. Methods of recreating traffic scenes were used to naturally induce abnormal emotions. The experiment collected data from 26 participants to verify the proposed model. Compared with the model that only considers physical motion features, the prediction accuracy of the proposed model is increased by 68.70%. Furthermore, considering the SOR-DBN reduces the prediction error of the trajectory by 15.93%. Compared with other advanced trajectory prediction models, the results of CPSOR-GCN also have lower errors. This model can be integrated into active safety systems to better adapt to the driver's emotions, which could effectively reduce false alarms.
Submitted 14 November, 2023;
originally announced November 2023.
-
Vault: Decentralized Storage Made Durable
Authors:
Guangda Sun,
Michael Hu Yiqing,
Arun Fu,
Akasha Zhu,
Jialin Li
Abstract:
The lack of centralized control, combined with highly dynamic adversarial behaviors, makes data durability a challenge in decentralized storage systems. In this work, we introduce a new storage system, Vault, that offers strong data durability guarantees in a fully decentralized, permissionless setting. Vault leverages the rateless property of erasure codes to encode each data object into an infinite stream of encoding fragments. To ensure durability in the presence of dynamic Byzantine behaviors and targeted attacks, an infinite sequence of storage nodes is randomly selected to store encoding fragments. Encoding generation and candidate selection are fully decentralized: when necessary, Vault nodes use a gossip protocol and a publicly verifiable selection proof to determine new fragments. Simulations and large-scale EC2 experiments demonstrate that Vault provides close-to-ideal mean-time-to-data-loss (MTTDL) with low storage redundancy, scales to more than 10,000 nodes, and attains performance comparable to IPFS.
Submitted 12 October, 2023;
originally announced October 2023.
-
Chrono: A Peer-to-Peer Network with Verifiable Causality
Authors:
Michael Hu Yiqing,
Guangda Sun,
Arun Fu,
Akasha Zhu,
Jialin Li
Abstract:
Logical clocks are a fundamental tool to establish causal ordering of events in a distributed system. They have been used as the building block in weakly consistent storage systems, causally ordered broadcast, distributed snapshots, deadlock detection, and distributed system debugging. However, prior logical clock constructs fail to work in a permissionless setting with Byzantine participants. In this work, we introduce Chrono, a novel logical clock system that targets an open and decentralized network. Chrono introduces a new logical clock construct, the Decaying Onion Bloom Clock (DOBC), that scales independently to the size of the network. To tolerate Byzantine behaviors, Chrono leverages non-uniform incrementally verifiable computation (IVC) to efficiently prove and verify the construction of DOBC clocks. We have applied Chrono to build two decentralized applications, a weakly consistent key-value store and an anti-censorship social network, demonstrating the power of scalable, verifiable causality in a decentralized network.
Submitted 12 October, 2023;
originally announced October 2023.
-
Watch Out! Simple Horizontal Class Backdoor Can Trivially Evade Defense
Authors:
Hua Ma,
Shang Wang,
Yansong Gao,
Zhi Zhang,
Huming Qiu,
Minhui Xue,
Alsharif Abuadbba,
Anmin Fu,
Surya Nepal,
Derek Abbott
Abstract:
All current backdoor attacks on deep learning (DL) models fall under the category of a vertical class backdoor (VCB) -- class-dependent. In VCB attacks, any sample from a class activates the implanted backdoor when the secret trigger is present. Existing defense strategies overwhelmingly focus on countering VCB attacks, especially those that are source-class-agnostic. This narrow focus neglects the potential threat of other simpler yet general backdoor types, leading to false security implications. This study introduces a new, simple, and general type of backdoor attack coined as the horizontal class backdoor (HCB) that trivially breaches the class dependence characteristic of the VCB, bringing a fresh perspective to the community. HCB is now activated when the trigger is presented together with an innocuous feature, regardless of class. For example, the facial recognition model misclassifies a person who wears sunglasses with a smiling innocuous feature into the targeted person, such as an administrator, regardless of which person. The key is that these innocuous features are horizontally shared among classes but are only exhibited by partial samples per class. Extensive experiments on attacking performance across various tasks, including MNIST, facial recognition, traffic sign recognition, object detection, and medical diagnosis, confirm the high efficiency and effectiveness of the HCB. We rigorously evaluated the evasiveness of the HCB against a series of eleven representative countermeasures, including Fine-Pruning (RAID 18'), STRIP (ACSAC 19'), Neural Cleanse (Oakland 19'), ABS (CCS 19'), Februus (ACSAC 20'), NAD (ICLR 21'), MNTD (Oakland 21'), SCAn (USENIX SEC 21'), MOTH (Oakland 22'), Beatrix (NDSS 23'), and MM-BD (Oakland 24'). None of these countermeasures prove robustness, even when employing a simplistic trigger, such as a small and static white-square patch.
Submitted 18 June, 2024; v1 submitted 30 September, 2023;
originally announced October 2023.
-
DeepTheft: Stealing DNN Model Architectures through Power Side Channel
Authors:
Yansong Gao,
Huming Qiu,
Zhi Zhang,
Binghui Wang,
Hua Ma,
Alsharif Abuadbba,
Minhui Xue,
Anmin Fu,
Surya Nepal
Abstract:
Deep Neural Network (DNN) models are often deployed in resource-sharing clouds as Machine Learning as a Service (MLaaS) to provide inference services. To steal model architectures that are valuable intellectual property, a class of attacks has been proposed via different side-channel leakage, posing a serious security challenge to MLaaS.
Also targeting MLaaS, we propose a new end-to-end attack, DeepTheft, to accurately recover complex DNN model architectures on general processors via the RAPL-based power side channel. However, an attacker can acquire only a low sampling rate (1 KHz) of the time-series energy traces from the RAPL interface, rendering existing techniques ineffective in stealing large and deep DNN models. To this end, we design a novel and generic learning-based framework consisting of a set of meta-models, based on which DeepTheft is demonstrated to have high accuracy in recovering a large number (thousands) of model architectures from different model families, including the deepest ResNet152. In particular, DeepTheft has achieved a Levenshtein Distance Accuracy of 99.75% in recovering network structures, and a weighted average F1 score of 99.60% in recovering diverse layer-wise hyperparameters. Besides, our proposed learning framework is general to other time-series side-channel signals. To validate its generalization, another existing side channel is exploited, i.e., CPU frequency. Different from RAPL, CPU frequency is accessible to unprivileged users in bare-metal OSes. By using our generic learning framework trained against CPU frequency traces, DeepTheft has shown similarly high attack performance in stealing model architectures.
Submitted 21 September, 2023;
originally announced September 2023.
-
Leveraging Learning Metrics for Improved Federated Learning
Authors:
Andre Fu
Abstract:
Currently, in the federated setting, no learning schemes leverage the emerging research of explainable artificial intelligence (XAI), in particular the novel learning metrics that help determine how well a model is learning. One of these novel learning metrics is termed Effective Rank (ER), which measures the Shannon entropy of the singular values of a matrix, thus yielding a metric of how well a layer is mapping. By joining federated learning and the learning metric effective rank, this work will (1) give the first federated learning metric aggregation method, (2) show that effective rank is well-suited to federated problems by out-performing baseline Federated Averaging \cite{konevcny2016federated}, and (3) develop a novel weight-aggregation scheme relying on effective rank.
Submitted 1 September, 2023;
originally announced September 2023.
-
PanGu-Coder2: Boosting Large Language Models for Code with Ranking Feedback
Authors:
Bo Shen,
Jiaxin Zhang,
Taihong Chen,
Daoguang Zan,
Bing Geng,
An Fu,
Muhan Zeng,
Ailun Yu,
Jichuan Ji,
Jingyang Zhao,
Yuenan Guo,
Qianxiang Wang
Abstract:
Large Language Models for Code (Code LLM) are flourishing. New and powerful models are released on a weekly basis, demonstrating remarkable performance on the code generation task. Various approaches have been proposed to boost the code generation performance of pre-trained Code LLMs, such as supervised fine-tuning, instruction tuning, reinforcement learning, etc. In this paper, we propose a novel RRTF (Rank Responses to align Test&Teacher Feedback) framework, which can effectively and efficiently boost pre-trained large language models for code generation. Under this framework, we present PanGu-Coder2, which achieves 62.20% pass@1 on the OpenAI HumanEval benchmark. Furthermore, through an extensive evaluation on CoderEval and LeetCode benchmarks, we show that PanGu-Coder2 consistently outperforms all previous Code LLMs.
Submitted 27 July, 2023;
originally announced July 2023.
-
Distributed and Scalable Optimization for Robust Proton Treatment Planning
Authors:
Anqi Fu,
Vicki T. Taasti,
Masoud Zarepisheh
Abstract:
Purpose: The importance of robust proton treatment planning to mitigate the impact of uncertainty is well understood. However, its computational cost grows with the number of uncertainty scenarios, prolonging the treatment planning process. We developed a fast and scalable distributed optimization platform that parallelizes this computation over the scenarios. Methods: We modeled the robust proton treatment planning problem as a weighted least-squares problem. To solve it, we employed an optimization technique called the Alternating Direction Method of Multipliers with Barzilai-Borwein step size (ADMM-BB). We reformulated the problem in such a way as to split the main problem into smaller subproblems, one for each proton therapy uncertainty scenario. The subproblems can be solved in parallel, allowing the computational load to be distributed across multiple processors (e.g., CPU threads/cores). We evaluated ADMM-BB on four head-and-neck proton therapy patients, each with 13 scenarios accounting for 3 mm setup and 3.5% range uncertainties. We then compared the performance of ADMM-BB with projected gradient descent (PGD) applied to the same problem. Results: For each patient, ADMM-BB generated a robust proton treatment plan that satisfied all clinical criteria with comparable or better dosimetric quality than the plan generated by PGD. However, ADMM-BB's total runtime averaged about 6 to 7 times faster. This speedup increased with the number of scenarios. Conclusion: ADMM-BB is a powerful distributed optimization method that leverages parallel processing platforms, such as multi-core CPUs, GPUs, and cloud servers, to accelerate the computationally intensive work of robust proton treatment planning. This results in 1) a shorter treatment planning process and 2) the ability to consider more uncertainty scenarios, which improves plan quality.
Submitted 27 April, 2023;
originally announced April 2023.
-
CurveCloudNet: Processing Point Clouds with 1D Structure
Authors:
Colton Stearns,
Davis Rempe,
Jiateng Liu,
Alex Fu,
Sebastien Mascha,
Jeong Joon Park,
Despoina Paschalidou,
Leonidas J. Guibas
Abstract:
Modern depth sensors such as LiDAR operate by sweeping laser-beams across the scene, resulting in a point cloud with notable 1D curve-like structures. In this work, we introduce a new point cloud processing scheme and backbone, called CurveCloudNet, which takes advantage of the curve-like structure inherent to these sensors. While existing backbones discard the rich 1D traversal patterns and rely on generic 3D operations, CurveCloudNet parameterizes the point cloud as a collection of polylines (dubbed a "curve cloud"), establishing a local surface-aware ordering on the points. By reasoning along curves, CurveCloudNet captures lightweight curve-aware priors to efficiently and accurately reason in several diverse 3D environments. We evaluate CurveCloudNet on multiple synthetic and real datasets that exhibit distinct 3D size and structure. We demonstrate that CurveCloudNet outperforms both point-based and sparse-voxel backbones in various segmentation settings, notably scaling to large scenes better than point-based alternatives while exhibiting improved single-object performance over sparse-voxel alternatives. In all, CurveCloudNet is an efficient and accurate backbone that can handle a larger variety of 3D environments than past works.
Submitted 1 February, 2024; v1 submitted 21 March, 2023;
originally announced March 2023.
-
Real-time SLAM Pipeline in Dynamics Environment
Authors:
Alex Fu,
Lingjie Kong
Abstract:
Inspired by the recent success of dense-data approaches such as ORB-SLAM and RGB-D SLAM, we propose an improved pipeline for real-time SLAM in dynamic environments. Unlike previous SLAM systems, which can only handle static scenes, we present a solution that uses RGB-D SLAM together with YOLO real-time object detection to segment and remove dynamic content and then reconstruct the static scene in 3D. We gathered a dataset that allows us to jointly consider semantics, geometry, and physics, and thus enables us to reconstruct the static scene while filtering out all dynamic objects.
Submitted 3 March, 2023;
originally announced March 2023.
-
Vertical Federated Learning: Taxonomies, Threats, and Prospects
Authors:
Qun Li,
Chandra Thapa,
Lawrence Ong,
Yifeng Zheng,
Hua Ma,
Seyit A. Camtepe,
Anmin Fu,
Yansong Gao
Abstract:
Federated learning (FL) is the most popular distributed machine learning technique. FL allows machine-learning models to be trained without gathering raw data at a single point for processing. Instead, local models are trained with local data; the models are then shared and combined. This approach preserves data privacy, as locally trained models are shared instead of the raw data themselves. Broadly, FL can be divided into horizontal federated learning (HFL) and vertical federated learning (VFL). For the former, different parties hold different samples over the same set of features; for the latter, different parties hold different feature data belonging to the same set of samples. In a number of practical scenarios, VFL is more relevant than HFL, as different companies (e.g., a bank and a retailer) hold different features (e.g., credit history and shopping history) for the same set of customers. Although VFL is an emerging area of research, it is not well-established compared to HFL. Besides, VFL-related studies are dispersed, and their connections are not intuitive. Thus, this survey aims to bring these VFL-related studies together in one place. Firstly, we classify existing VFL structures and algorithms. Secondly, we present the threats to VFL from security and privacy perspectives. Thirdly, for the benefit of future researchers, we discuss the challenges and prospects of VFL in detail.
Submitted 3 February, 2023;
originally announced February 2023.
-
TransCAB: Transferable Clean-Annotation Backdoor to Object Detection with Natural Trigger in Real-World
Authors:
Hua Ma,
Yinshan Li,
Yansong Gao,
Zhi Zhang,
Alsharif Abuadbba,
Anmin Fu,
Said F. Al-Sarawi,
Nepal Surya,
Derek Abbott
Abstract:
Object detection is the foundation of various critical computer-vision tasks such as segmentation, object tracking, and event detection. To train an object detector with satisfactory accuracy, a large amount of data is required. However, due to the intensive workforce involved in annotating large datasets, such a data curation task is often outsourced to a third party or relies on volunteers. This work reveals severe vulnerabilities of such a data curation pipeline. We propose MACAB, which crafts clean-annotated images to stealthily implant a backdoor into the object detectors trained on them, even when the data curator can manually audit the images. We observe that the backdoor effects of both misclassification and cloaking are robustly achieved in the wild when the backdoor is activated with inconspicuous natural physical triggers. Backdooring non-classification object detection with clean annotation is challenging compared to backdooring existing image classification tasks with clean labels, owing to the complexity of having multiple objects within each frame, including victim and non-victim objects. The efficacy of MACAB is ensured by constructively (i) abusing the image-scaling function used by the deep learning framework, (ii) incorporating the proposed adversarial clean image replica technique, and (iii) combining poison data selection criteria given a constrained attacking budget. Extensive experiments demonstrate that MACAB exhibits more than 90% attack success rate under various real-world scenes. This includes both the cloaking and misclassification backdoor effects, even when restricted to a small attack budget. The poisoned samples cannot be effectively identified by state-of-the-art detection techniques. The comprehensive video demo is at https://youtu.be/MA7L_LpXkp4, which is based on a poison rate of 0.14% for the YOLOv4 cloaking backdoor and the Faster R-CNN misclassification backdoor.
Submitted 2 September, 2023; v1 submitted 6 September, 2022;
originally announced September 2022.
-
MLMSA: Multi-Label Multi-Side-Channel-Information enabled Deep Learning Attacks on APUF Variants
Authors:
Yansong Gao,
Jianrong Yao,
Lihui Pang,
Wei Yang,
Anmin Fu,
Said F. Al-Sarawi,
Derek Abbott
Abstract:
To improve the modeling resilience of silicon strong physical unclonable functions (PUFs), in particular APUFs, which yield a very large number of challenge-response pairs (CRPs), a number of composited APUF variants such as XOR-APUF, interpose-PUF (iPUF), feed-forward APUF (FF-APUF), and OAX-APUF have been devised. When examining their security in terms of modeling resilience, the use of multiple information sources such as power side-channel information (SCI) and/or reliability SCI for a given challenge is under-explored, which casts doubt on their supposed modeling resilience in practice. Building upon a multi-label/multi-head deep learning model architecture, this work proposes Multi-Label Multi-Side-channel-information enabled deep learning Attacks (MLMSA) to thoroughly evaluate the modeling resilience of the aforementioned APUF variants. Despite its simplicity, MLMSA can successfully break large-scale APUF variants, which has not previously been achieved. More precisely, MLMSA breaks the 128-stage 30-XOR-APUF, (9, 9)- and (2, 18)-iPUFs, and the (2, 2, 30)-OAX-APUF when CRPs, power SCI and reliability SCI are used concurrently. It breaks the 128-stage 12-XOR-APUF and (2, 2, 9)-OAX-APUF even when only the easy-to-obtain reliability SCI and CRPs are exploited. The 128-stage six-loop FF-APUF and one-loop 20-XOR-FF-APUF can be broken by simultaneously using reliability SCI and CRPs. All these attacks normally complete within an hour on a standard personal computer. Therefore, MLMSA is a useful technique for evaluating other existing or any emerging strong PUF designs.
Submitted 10 January, 2023; v1 submitted 20 July, 2022;
originally announced July 2022.
-
CASSOCK: Viable Backdoor Attacks against DNN in The Wall of Source-Specific Backdoor Defences
Authors:
Shang Wang,
Yansong Gao,
Anmin Fu,
Zhi Zhang,
Yuqing Zhang,
Willy Susilo,
Dongxi Liu
Abstract:
As a critical threat to deep neural networks (DNNs), backdoor attacks can be categorized into two types, i.e., source-agnostic backdoor attacks (SABAs) and source-specific backdoor attacks (SSBAs). Compared to traditional SABAs, SSBAs are more advanced in that they are stealthier at bypassing mainstream countermeasures that are effective against SABAs. Nonetheless, existing SSBAs suffer from two major limitations. First, they can hardly achieve a good trade-off between ASR (attack success rate) and FPR (false positive rate). Second, they can be effectively detected by state-of-the-art (SOTA) countermeasures (e.g., SCAn). To address these limitations, we propose a new class of viable source-specific backdoor attacks, coined CASSOCK. Our key insight is that the trigger design used when creating poisoned data and cover data in SSBAs plays a crucial role in achieving a viable source-specific attack, which has not been considered by existing SSBAs. With this insight, we focus on trigger transparency and trigger content when crafting triggers for the poisoned dataset, where a sample carries an attacker-targeted label, and the cover dataset, where a sample carries its ground-truth label. Specifically, we implement $CASSOCK_{Trans}$ and $CASSOCK_{Cont}$. While the two are orthogonal, they are complementary, and combining them yields a more powerful attack, called $CASSOCK_{Comp}$, with further improved attack performance and stealthiness. We perform a comprehensive evaluation of the three $CASSOCK$-based attacks on four popular datasets and against three SOTA defenses. Compared with a representative SSBA as a baseline ($SSBA_{Base}$), $CASSOCK$-based attacks significantly advance the attack performance, i.e., higher ASR and lower FPR with comparable CDA (clean data accuracy). Besides, $CASSOCK$-based attacks effectively bypass the SOTA defenses, which $SSBA_{Base}$ cannot.
Submitted 18 December, 2022; v1 submitted 31 May, 2022;
originally announced June 2022.
-
Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures
Authors:
Huming Qiu,
Hua Ma,
Zhi Zhang,
Alsharif Abuadbba,
Wei Kang,
Anmin Fu,
Yansong Gao
Abstract:
Since Deep Learning (DL) backdoor attacks have been revealed as one of the most insidious adversarial attacks, a number of countermeasures have been developed with certain assumptions defined in their respective threat models. However, the robustness of these countermeasures is inadvertently ignored, which can introduce severe consequences, e.g., a countermeasure can be misused and result in a false implication of backdoor detection.
For the first time, we critically examine the robustness of existing backdoor countermeasures, with an initial focus on three influential model-inspection ones: Neural Cleanse (S&P'19), ABS (CCS'19), and MNTD (S&P'21). Although the three countermeasures claim to work well under their respective threat models, they have inherent, unexplored non-robust cases that depend on factors such as the given task, model architecture, dataset, and defense hyper-parameters, and that are \textit{not even rooted in delicate adaptive attacks}. We demonstrate how to trivially bypass them, within their respective threat models, by simply varying the aforementioned factors. In particular, for each defense, formal proofs or empirical studies reveal two non-robust cases in which it is not as robust as it claims or expects, especially the recent MNTD. This work highlights the necessity of thoroughly evaluating the robustness of backdoor countermeasures to avoid misleading security implications in unknown non-robust cases.
Submitted 13 April, 2022;
originally announced April 2022.
-
Towards Explainable Meta-Learning for DDoS Detection
Authors:
Qianru Zhou,
Rongzhen Li,
Lei Xu,
Arumugam Nallanathan,
Jian Yang,
Anmin Fu
Abstract:
The Internet is the most complex machine humankind has ever built, and defending it against intrusions is even more complex. With the ever-increasing number of new intrusions, intrusion detection relies more and more on Artificial Intelligence. Interpretability and transparency of the machine learning model are the foundation of trust in AI-driven intrusion detection results. Current interpretable AI techniques in intrusion detection are heuristic, which is neither accurate nor sufficient. This paper proposes a rigorously interpretable AI-driven intrusion detection approach based on the artificial immune system. Details of the rigorous interpretation calculation process for a decision tree model are presented. Prime implicant explanations for benign traffic flows are given in detail and used as the rules for negative selection in the cyber immune system. Experiments are carried out on real-life traffic.
Submitted 16 August, 2022; v1 submitted 5 April, 2022;
originally announced April 2022.
-
Towards Privacy-Preserving and Verifiable Federated Matrix Factorization
Authors:
Xicheng Wan,
Yifeng Zheng,
Qun Li,
Anmin Fu,
Mang Su,
Yansong Gao
Abstract:
Recent years have witnessed the rapid growth of federated learning (FL), an emerging privacy-aware machine learning paradigm that allows collaborative learning over isolated datasets distributed across multiple participants. The salient feature of FL is that the participants can keep their private datasets local and only share model updates. Very recently, some research efforts have been initiated to explore the applicability of FL for matrix factorization (MF), a prevalent method used in modern recommendation systems and services. It has been shown that sharing the gradient updates in federated MF entails privacy risks of revealing users' personal ratings, posing a demand for protecting the shared gradients. Prior art is limited in that it incurs notable accuracy loss or relies on heavy cryptosystems, with a weak threat model assumed. In this paper, we propose VPFedMF, a new design aimed at privacy-preserving and verifiable federated MF. VPFedMF provides guarantees on the confidentiality of individual gradient updates through lightweight secure aggregation. Moreover, VPFedMF newly supports correctness verification of the aggregation results produced by the coordinating server in federated MF. Experiments on a real-world movie rating dataset demonstrate the practical performance of VPFedMF in terms of computation, communication, and accuracy.
Submitted 11 June, 2022; v1 submitted 4 April, 2022;
originally announced April 2022.
-
Systematically Evaluation of Challenge Obfuscated APUFs
Authors:
Yansong Gao,
Jianrong Yao,
Lihui Pang,
Zhi Zhang,
Anmin Fu,
Naixue Xiong,
Hyoungshick Kim
Abstract:
As a well-known physical unclonable function that can provide a huge number of challenge-response pairs (CRPs) with a compact design and full compatibility with the current electronic fabrication process, the arbiter PUF (APUF) has attracted great attention. To improve its resilience against modeling attacks, many APUF variants have been proposed so far. Though the modeling resilience of response-obfuscated APUF variants such as XOR-APUF and lightweight secure APUF (LSPUF) has been well studied, the challenge-obfuscated APUFs (CO-APUFs) such as feed-forward APUF (FF-APUF) and XOR-FF-APUF are less elucidated, especially with deep learning (DL) methods. This work systematically evaluates five CO-APUFs, including three influential designs (FF-APUF, XOR-FF-APUF, iPUF), one very recent design, and our newly optimized design (dubbed OAX-FF-APUF), in terms of their reliability, uniformity (related to uniqueness), and modeling resilience. Three DL techniques, GRU, TCN and MLP, are employed to examine these CO-APUFs' modeling resilience; the first two are newly explored. With the computation resources of a common personal computer, we show that all five CO-APUFs with relatively large scale can be successfully modeled, with attacking accuracy higher than or close to their reliability. Hyper-parameter tuning of the DL technique is crucial for implementing efficient attacks. Increasing the scale of the CO-APUF is validated to improve resilience, but should be done while minimizing the reliability degradation. Given the powerful capability of DL techniques affirmed here, we recommend that DL, specifically the MLP technique, which always demonstrated the best efficacy, always be considered for examining modeling resilience when new composited APUFs are devised or, to a large extent, when other strong PUFs are constructed.
Submitted 29 March, 2022;
originally announced March 2022.
-
PPA: Preference Profiling Attack Against Federated Learning
Authors:
Chunyi Zhou,
Yansong Gao,
Anmin Fu,
Kai Chen,
Zhiyang Dai,
Zhi Zhang,
Minhui Xue,
Yuqing Zhang
Abstract:
Federated learning (FL) trains a global model across a number of decentralized users, each with a local dataset. Compared to traditional centralized learning, FL does not require direct access to local datasets and thus aims to mitigate data privacy concerns. However, data privacy leakage in FL still exists due to inference attacks, including membership inference, property inference, and data inversion. In this work, we propose a new type of privacy inference attack, coined Preference Profiling Attack (PPA), that accurately profiles the private preferences of a local user, e.g., the most liked (disliked) items from the client's online shopping and the most common expressions from the user's selfies. In general, PPA can profile top-k (i.e., k = 1, 2, 3, and k = 1 in particular) preferences contingent on the local client's (user's) characteristics. Our key insight is that the gradient variation of a local user's model has a distinguishable sensitivity to the sample proportion of a given class, especially the majority (minority) class. By observing a user model's gradient sensitivity to a class, PPA can profile the sample proportion of the class in the user's local dataset, and thus the user's preference for the class is exposed. The inherent statistical heterogeneity of FL further facilitates PPA. We have extensively evaluated PPA's effectiveness using four datasets (MNIST, CIFAR10, RAF-DB and Products-10K). Our results show that PPA achieves 90% and 98% top-1 attack accuracy on MNIST and CIFAR10, respectively. More importantly, in real-world commercial scenarios of shopping (i.e., Products-10K) and social networks (i.e., RAF-DB), PPA gains a top-1 attack accuracy of 78% in the former case when inferring the most ordered items (i.e., as a commercial competitor), and 88% in the latter case when inferring a victim user's most frequent facial expression, e.g., disgusted.
Submitted 8 August, 2022; v1 submitted 10 February, 2022;
originally announced February 2022.
-
Dangerous Cloaking: Natural Trigger based Backdoor Attacks on Object Detectors in the Physical World
Authors:
Hua Ma,
Yinshan Li,
Yansong Gao,
Alsharif Abuadbba,
Zhi Zhang,
Anmin Fu,
Hyoungshick Kim,
Said F. Al-Sarawi,
Nepal Surya,
Derek Abbott
Abstract:
Deep learning models have been shown to be vulnerable to recent backdoor attacks. A backdoored model behaves normally for inputs containing no attacker-secretly-chosen trigger and maliciously for inputs with the trigger. To date, backdoor attacks and countermeasures mainly focus on image classification tasks, and most of them are implemented in the digital world with digital triggers. Besides classification, object detection systems are also considered one of the basic foundations of computer vision tasks. However, there has been no investigation or understanding of the backdoor vulnerability of object detectors, even in the digital world with digital triggers. For the first time, this work demonstrates that existing object detectors are inherently susceptible to physical backdoor attacks. We use a natural T-shirt bought from a market as a trigger to enable the cloaking effect: the person bounding-box disappears in front of the object detector. We show that such a backdoor can be implanted into the object detector in two exploitable attack scenarios: outsourced training, or fine-tuning from a pretrained model. We have extensively evaluated three popular object detection algorithms: anchor-based Yolo-V3, Yolo-V4, and anchor-free CenterNet. Building upon 19 videos shot in real-world scenes, we confirm that the backdoor attack is robust against various factors: movement, distance, angle, non-rigid deformation, and lighting. Specifically, the attack success rate (ASR) in most videos is 100% or close to it, while the clean data accuracy of the backdoored model is the same as that of its clean counterpart. The latter implies that it is infeasible to detect the backdoor behavior merely through a validation set. The averaged ASR still remains sufficiently high, at 78%, in the transfer learning attack scenarios evaluated on CenterNet. See the demo video on https://youtu.be/Q3HOF4OobbY.
Submitted 29 May, 2022; v1 submitted 21 January, 2022;
originally announced January 2022.
-
P4AI: Approaching AI Ethics through Principlism
Authors:
Andre Fu,
Elisa Ding,
Mahdi S. Hosseini,
Konstantinos N. Plataniotis
Abstract:
The field of computer vision is rapidly evolving, particularly in the context of new methods of neural architecture design. These models contribute to (1) the Climate Crisis - increased CO2 emissions and (2) the Privacy Crisis - data leakage concerns. To address the often overlooked impact the Computer Vision (CV) community has on these crises, we outline a novel ethical framework, \textit{P4AI}: Principlism for AI, an augmented principlistic view of ethical dilemmas within AI. We then suggest using P4AI to make concrete recommendations to the community to mitigate the climate and privacy crises.
Submitted 28 November, 2021;
originally announced November 2021.
-
NoFADE: Analyzing Diminishing Returns on CO2 Investment
Authors:
Andre Fu,
Justin Tran,
Andy Xie,
Jonathan Spraggett,
Elisa Ding,
Chang-Won Lee,
Kanav Singla,
Mahdi S. Hosseini,
Konstantinos N. Plataniotis
Abstract:
Climate change continues to be a pressing issue that currently affects society at-large. It is important that we as a society, including the Computer Vision (CV) community take steps to limit our impact on the environment. In this paper, we (a) analyze the effect of diminishing returns on CV methods, and (b) propose a \textit{``NoFADE''}: a novel entropy-based metric to quantify model--dataset--complexity relationships. We show that some CV tasks are reaching saturation, while others are almost fully saturated. In this light, NoFADE allows the CV community to compare models and datasets on a similar basis, establishing an agnostic platform.
Submitted 28 November, 2021;
originally announced November 2021.
-
NTD: Non-Transferability Enabled Backdoor Detection
Authors:
Yinshan Li,
Hua Ma,
Zhi Zhang,
Yansong Gao,
Alsharif Abuadbba,
Anmin Fu,
Yifeng Zheng,
Said F. Al-Sarawi,
Derek Abbott
Abstract:
A backdoored deep learning (DL) model behaves normally upon clean inputs but misbehaves upon trigger inputs as the backdoor attacker desires, posing severe consequences to DL model deployments. State-of-the-art defenses are either limited to specific backdoor attacks (source-agnostic attacks) or non-user-friendly in that machine learning (ML) expertise or expensive computing resources are required. This work observes that all existing backdoor attacks have an inevitable intrinsic weakness, non-transferability: a trigger input hijacks a backdoored model but is not effective against another model that has not been implanted with the same backdoor. With this key observation, we propose non-transferability enabled backdoor detection (NTD) to identify trigger inputs for a model-under-test (MUT) at run-time. Specifically, NTD allows a potentially backdoored MUT to predict a class for an input. In the meantime, NTD leverages a feature extractor (FE) to extract feature vectors for the input and for a group of samples randomly picked from its predicted class, and then compares the similarity between the input and the samples in the FE's latent space. If the similarity is low, the input is an adversarial trigger input; otherwise, it is benign. The FE is a free pre-trained model privately reserved from open platforms. As the FE and MUT come from different sources, the attacker is very unlikely to insert the same backdoor into both of them. Because of non-transferability, a trigger effect that does work on the MUT cannot be transferred to the FE, making NTD effective against different types of backdoor attacks. We evaluate NTD on three popular customized tasks: face recognition, traffic sign recognition and general animal classification. The results affirm that NTD has high effectiveness (low false acceptance rate) and usability (low false rejection rate) with low detection latency.
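The run-time decision NTD describes (similarity in the FE's latent space between the input and reference samples of the predicted class, with a threshold that sets the false rejection rate) is small enough to show end to end. The block below is an added example, not the authors' code: the feature extractor is assumed and its outputs are replaced by constructed synthetic embeddings (class centre plus Gaussian spread), so the numbers only demonstrate the mechanics. A trigger input of true class `a` that the backdoored MUT mislabels as `b` is embedded by the independent FE near class `a`, so its similarity to class-`b` references is low and it is rejected.

```python
"""NTD-style run-time check: compare an input's feature-extractor (FE) embedding with embeddings
of reference samples from the class the model-under-test (MUT) predicted. All vectors are
constructed synthetic embeddings standing in for a real FE's output (example code)."""
import math
import random

DIM = 32         # embedding dimension of the assumed FE
N_CLASSES = 4
K_REFERENCES = 8 # samples drawn from the predicted class per check (drives latency)


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v)))


def similarity_score(feat, reference_feats):
    """Mean cosine similarity between the input and k reference embeddings of its predicted class."""
    return sum(cosine(feat, r) for r in reference_feats) / len(reference_feats)


def calibrate_threshold(clean_scores, target_frr=0.05):
    """Threshold below which `target_frr` of clean inputs would be rejected (the usability cost)."""
    s = sorted(clean_scores)
    return s[int(target_frr * len(s))]


def is_trigger_input(feat, predicted_class, reference_bank, threshold, rng, k=K_REFERENCES):
    """Low similarity to the predicted class's own samples in FE space means: trigger input."""
    refs = rng.sample(reference_bank[predicted_class], k)
    return similarity_score(feat, refs) < threshold


def _unit(v):
    n = math.sqrt(sum(a * a for a in v))
    return [a / n for a in v]


def make_embedding(center, rng, sigma=0.15):
    """Constructed FE embedding: class centre plus isotropic Gaussian spread."""
    return [c + rng.gauss(0.0, sigma) for c in center]


def run_demo(seed=0, n_ref=50, n_eval=200):
    rng = random.Random(seed)
    centers = [_unit([rng.gauss(0.0, 1.0) for _ in range(DIM)]) for _ in range(N_CLASSES)]
    # Reference bank: clean samples per class, embedded by the (assumed) private FE.
    bank = {c: [make_embedding(centers[c], rng) for _ in range(n_ref)] for c in range(N_CLASSES)}
    # Calibration on clean inputs whose MUT prediction equals their true class.
    clean_scores = []
    for _ in range(n_eval):
        c = rng.randrange(N_CLASSES)
        clean_scores.append(similarity_score(make_embedding(centers[c], rng),
                                             rng.sample(bank[c], K_REFERENCES)))
    thr = calibrate_threshold(clean_scores)
    # Fresh clean inputs measure the false rejection rate.
    false_rejects = 0
    for _ in range(n_eval):
        c = rng.randrange(N_CLASSES)
        false_rejects += is_trigger_input(make_embedding(centers[c], rng), c, bank, thr, rng)
    # Trigger inputs: true class a, MUT predicts attacker target b != a; FE still embeds near a.
    detected = 0
    for _ in range(n_eval):
        a = rng.randrange(N_CLASSES)
        b = (a + 1 + rng.randrange(N_CLASSES - 1)) % N_CLASSES
        detected += is_trigger_input(make_embedding(centers[a], rng), b, bank, thr, rng)
    return {"threshold": thr, "frr": false_rejects / n_eval, "detection_rate": detected / n_eval}


if __name__ == "__main__":
    print(run_demo())
```

The threshold is the tunable: a lower target FRR makes the check more usable but admits more trigger inputs, so it should be calibrated on a held-out clean set for each deployed task, and the reference bank must come from data the MUT's supplier never controlled.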
Submitted 22 November, 2021;
originally announced November 2021.
-
Design and Evaluate Recomposited OR-AND-XOR-PUF
Authors:
Jianrong Yao,
Lihui Pang,
Zhi Zhang,
Wei Yang,
Anmin Fu,
Yansong Gao
Abstract:
Physical Unclonable Function (PUF) is a hardware security primitive with the desirable feature of low cost. Based on the size of the challenge-response pair (CRP) space, it has two categories: weak PUF and strong PUF. Though designing a reliable and secure lightweight strong PUF is challenging, there are continuing efforts to fill this gap due to the wide range of applications enabled by strong PUFs. It was conjectured that combining the MAX and MIN bit-wise operations is promising for improving modeling resilience when MAX and MIN are employed in the PUF recomposition. The main rationale lies in the fact that each bit-wise operation might be mainly vulnerable to one specific type of modeling attack, so combining them can give an improved holistic resilience. This work first evaluates the main PUF performance metrics, in particular uniformity and reliability, of the OR-AND-XOR-PUF (OAX-PUF), i.e., the (x, y, z)-OAX-PUF. Compared with the most used l-XOR-PUF, the (x, y, z)-OAX-PUF exhibits better reliability given l = x + y + z, while retaining a uniformity of 50%. We further examine the modeling resilience of the (x, y, z)-OAX-PUF with the four most powerful attack strategies to date: the Logistic Regression (LR) attack, the reliability-assisted CMA-ES attack, the multilayer perceptron (MLP) attack, and the most recent hybrid LR-reliability attack. In comparison with the XOR-APUF, the OAX-APUF successfully defeats the CMA-ES attack. However, it shows no notable modeling accuracy drop against the other three attacks, although the attack times of the LR and hybrid LR-reliability attacks are greatly prolonged. Overall, the OAX recomposition could be an alternative lightweight recomposition method to XOR for constructing strong PUFs if the underlying PUF, e.g., FF-APUF, has exhibited improved resilience to modeling attacks, because OAX incurs smaller reliability degradation than XOR.
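The reliability and uniformity comparison above can be reproduced with the standard additive-delay model of the APUF. The block below is an added simulation, not the authors' code: it models each APUF as a linear function of the parity feature vector with Gaussian stage delays, adds Gaussian measurement noise to the delay difference, and measures uniformity (fraction of 1-responses) and reliability (agreement of noisy re-evaluations with the noise-free response) for an l-XOR-APUF and a (2, 2, 2)-OAX-APUF built from the same six APUFs. The composition used here (OR over x responses, AND over y, XOR over z, then XOR of the three intermediate bits) is an assumption; the abstract does not spell it out. It serves this entry and the MLMSA and CO-APUF evaluations above, which use the same APUF model and the same two metrics.

```python
"""Additive-delay model of an n-stage arbiter PUF (APUF), the l-XOR-APUF and the (x, y, z)-OAX-APUF
recompositions, and the two metrics the abstract uses: uniformity and reliability.
Example code; composition and noise model are stated assumptions."""
import random

N_STAGES = 64


def parity_features(challenge):
    """phi_i = prod_{j>=i}(1 - 2 c_j), phi_n = 1: the linear feature map of the APUF delay model."""
    phi = [1] * (N_STAGES + 1)
    for i in range(N_STAGES - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi


def make_apuf(rng):
    """One APUF instance: stage delay differences drawn i.i.d. from N(0, 1)."""
    return [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]


def delay_difference(weights, phi):
    return sum(w * p for w, p in zip(weights, phi))


def response(delta):
    return 1 if delta > 0 else 0


def xor_compose(bits):
    r = 0
    for b in bits:
        r ^= b
    return r


def oax_compose(bits, x, y, z):
    """(x, y, z)-OAX: OR over the first x responses, AND over the next y, XOR over the last z,
    then XOR the three intermediate bits (assumed composition, see lead-in)."""
    assert len(bits) == x + y + z
    o = int(any(bits[:x]))
    a = int(all(bits[x:x + y]))
    e = xor_compose(bits[x + y:])
    return o ^ a ^ e


def evaluate(x=2, y=2, z=2, n_challenges=1500, n_repeats=5, noise_ratio=0.1, seed=7):
    """Compare the l-XOR-APUF against the (x, y, z)-OAX-APUF built from the same l = x + y + z APUFs."""
    rng = random.Random(seed)
    l = x + y + z
    apufs = [make_apuf(rng) for _ in range(l)]
    # delta ~ N(0, n + 1) over random challenges; measurement noise is noise_ratio of that spread.
    sigma = noise_ratio * (N_STAGES + 1) ** 0.5
    ones = {"xor": 0, "oax": 0}
    agree = {"xor": 0, "oax": 0}
    for _ in range(n_challenges):
        phi = parity_features([rng.randint(0, 1) for _ in range(N_STAGES)])
        deltas = [delay_difference(w, phi) for w in apufs]
        golden = [response(d) for d in deltas]          # noise-free (enrolled) responses
        ref = {"xor": xor_compose(golden), "oax": oax_compose(golden, x, y, z)}
        for k in ref:
            ones[k] += ref[k]
        for _ in range(n_repeats):                       # noisy re-evaluations
            noisy = [response(d + rng.gauss(0.0, sigma)) for d in deltas]
            agree["xor"] += int(xor_compose(noisy) == ref["xor"])
            agree["oax"] += int(oax_compose(noisy, x, y, z) == ref["oax"])
    total = n_challenges * n_repeats
    return {k: {"uniformity": ones[k] / n_challenges, "reliability": agree[k] / total}
            for k in ("xor", "oax")}


if __name__ == "__main__":
    print(evaluate())
```

With a noise spread of 10% of the delay spread, each APUF flips about 3% of its responses; XOR-ing six of them compounds that to roughly 16% unreliability, whereas the OR and AND blocks of the OAX composition each flip about half as often as a 2-XOR block, so the OAX-APUF comes out several points more reliable while both compositions stay at about 50% uniformity. Reliability is what a modeling attack ultimately has to match, which is why the CO-APUF evaluation above reports attack accuracy relative to it.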
Submitted 25 April, 2022; v1 submitted 2 October, 2021;
originally announced October 2021.
-
Quantization Backdoors to Deep Learning Commercial Frameworks
Authors:
Hua Ma,
Huming Qiu,
Yansong Gao,
Zhi Zhang,
Alsharif Abuadbba,
Minhui Xue,
Anmin Fu,
Zhang Jiliang,
Said Al-Sarawi,
Derek Abbott
Abstract:
Currently, there is a burgeoning demand for deploying deep learning (DL) models on ubiquitous edge Internet of Things (IoT) devices attributed to their low latency and high privacy preservation. However, DL models are often large in size and require large-scale computation, which prevents them from being placed directly onto IoT devices, where resources are constrained and 32-bit floating-point (float-32) operations are unavailable. Commercial framework (i.e., a set of toolkits) empowered model quantization is a pragmatic solution that enables DL deployment on mobile devices and embedded systems by effortlessly post-quantizing a large high-precision model (e.g., float-32) into a small low-precision model (e.g., int-8) while retaining the model inference accuracy. However, their usability might be threatened by security vulnerabilities.
This work reveals that the standard quantization toolkits can be abused to activate a backdoor. We demonstrate that a full-precision backdoored model which does not exhibit any backdoor effect in the presence of a trigger, because the backdoor is dormant, can be activated by the default i) TensorFlow-Lite (TFLite) quantization, the only product-ready quantization framework to date, and ii) the beta-released PyTorch Mobile framework. When each of the float-32 models is converted into an int-8 model through the standard TFLite or PyTorch Mobile post-training quantization, the backdoor is activated in the quantized model, which shows a stable attack success rate close to 100% on inputs with the trigger while behaving normally on non-trigger inputs. This work highlights that a stealthy security threat arises when an end user relies on on-device post-training model quantization frameworks, and calls for cross-platform inspection of DL models after quantization even if these models pass front-end backdoor inspections.
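The mechanism is that post-training quantization rounds every weight to a grid, and a decision whose float-32 margin is smaller than the accumulated rounding error can flip in the int-8 model. The block below is an added illustration, not the paper's code or a framework's quantizer: it implements symmetric per-tensor int8 weight quantization for a constructed two-class linear model whose weights are hand-set so that the trigger input's float margin sits inside the rounding band (the paper obtains this property by training). Real TFLite and PyTorch Mobile pipelines also quantize activations and may use per-channel scales, so this is the simplest case only. The cross-check it ends with, running the audited float model and the deployed quantized artefact on the same inputs and reporting every disagreement, is the post-quantization inspection the abstract asks for.

```python
"""Float-32 vs. int-8 decision cross-check on a constructed 2-class linear model.
Symmetric per-tensor int8 weight quantization stands in for a framework's post-training
quantizer (example code, not a framework implementation)."""
from typing import List, Tuple

Matrix = List[List[float]]


def quantize_symmetric_int8(weights: Matrix) -> Tuple[List[List[int]], float]:
    """scale = max|w| / 127; q = round(w / scale), clipped to the symmetric int8 range."""
    max_abs = max(abs(w) for row in weights for w in row)
    scale = max_abs / 127.0
    q = [[max(-127, min(127, round(w / scale))) for w in row] for row in weights]
    return q, scale


def dequantize(q: List[List[int]], scale: float) -> Matrix:
    return [[v * scale for v in row] for row in q]


def logits(weights: Matrix, x: List[float]) -> List[float]:
    return [sum(w * xi for w, xi in zip(row, x)) for row in weights]


def argmax(v: List[float]) -> int:
    return max(range(len(v)), key=lambda i: v[i])


def max_rounding_shift(weights: Matrix, x: List[float]) -> float:
    """Worst-case logit shift from rounding: each weight moves by at most scale/2, so a logit
    moves by at most scale/2 * sum|x|. A float margin below this can flip after quantization."""
    _, scale = quantize_symmetric_int8(weights)
    return 0.5 * scale * sum(abs(xi) for xi in x)


def prediction_divergence(weights: Matrix, inputs: List[List[float]]):
    """Inputs on which the float model and its int8-dequantized copy disagree. Running the
    deployed quantized artefact against the audited float model on the same inputs (clean
    validation data plus suspected or fuzzed trigger inputs) is the cross-check."""
    q, scale = quantize_symmetric_int8(weights)
    wq = dequantize(q, scale)
    out = []
    for x in inputs:
        pf, pq = argmax(logits(weights, x)), argmax(logits(wq, x))
        if pf != pq:
            out.append((x, pf, pq))
    return out


# Constructed model: class 0 is the benign class, class 1 the attacker's target. The weight 1.27
# on feature 3 fixes scale = 0.01. On the trigger the float margin (1.182 - 1.18 = 0.002) is
# below the rounding shift, so rounding flips the decision; the clean input keeps a wide margin.
WEIGHTS: Matrix = [
    [0.394, 0.394, 0.394, 1.27],
    [1.18, 0.0, 0.0, 0.0],
]
TRIGGER_INPUT = [1.0, 1.0, 1.0, 0.0]
CLEAN_INPUT = [1.0, 0.0, 0.0, 1.0]

if __name__ == "__main__":
    for x in (CLEAN_INPUT, TRIGGER_INPUT):
        print(x, "float:", argmax(logits(WEIGHTS, x)),
              "margin:", abs(logits(WEIGHTS, x)[0] - logits(WEIGHTS, x)[1]),
              "max rounding shift:", max_rounding_shift(WEIGHTS, x))
    print("divergent inputs:", prediction_divergence(WEIGHTS, [CLEAN_INPUT, TRIGGER_INPUT]))
```

The float model passes a clean-accuracy check and shows no trigger behaviour, yet the int8 copy classifies the trigger as the target class. A validation set alone cannot reveal this; the quantized artefact that actually ships has to be inspected, on the target platform, with the same trigger-hunting that was applied to the float model.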
Submitted 27 April, 2023; v1 submitted 20 August, 2021;
originally announced August 2021.
-
CONet: Channel Optimization for Convolutional Neural Networks
Authors:
Mahdi S. Hosseini,
Jia Shu Zhang,
Zhe Liu,
Andre Fu,
Jingxuan Su,
Mathieu Tuli,
Sepehr Hosseini,
Arsh Kadakia,
Haoran Wang,
Konstantinos N. Plataniotis
Abstract:
Neural Architecture Search (NAS) has shifted network design from using human intuition to leveraging search algorithms guided by evaluation metrics. We study channel size optimization in convolutional neural networks (CNN) and identify the role it plays in model accuracy and complexity. Current channel size selection methods are generally limited by discrete sample spaces while suffering from manual iteration and simple heuristics. To solve this, we introduce an efficient dynamic scaling algorithm -- CONet -- that automatically optimizes channel sizes across network layers for a given CNN. Two metrics -- "\textit{Rank}" and "\textit{Rank Average Slope}" -- are introduced to identify the information accumulated in training. The algorithm dynamically scales channel sizes up or down over a fixed searching phase. We conduct experiments on CIFAR10/100 and ImageNet datasets and show that CONet can find efficient and accurate architectures searched in ResNet, DARTS, and DARTS+ spaces that outperform their baseline models.
This document supersedes the previously published paper in the ICCV2021-NeurArch workshop. An additional section is included on manual scaling of channel size in CNNs to numerically validate the metrics used in searching for optimum channel configurations in CNNs.
Submitted 7 April, 2022; v1 submitted 15 August, 2021;
originally announced August 2021.
-
RBNN: Memory-Efficient Reconfigurable Deep Binary Neural Network with IP Protection for Internet of Things
Authors:
Huming Qiu,
Hua Ma,
Zhi Zhang,
Yifeng Zheng,
Anmin Fu,
Pan Zhou,
Yansong Gao,
Derek Abbott,
Said F. Al-Sarawi
Abstract:
Though deep neural network models exhibit outstanding performance for various applications, their large model size and extensive floating-point operations render deployment on mobile computing platforms, and in particular on Internet of Things devices, a major challenge. One appealing solution is model quantization, which reduces the model size and uses integer operations commonly supported by microcontrollers. To this end, a 1-bit quantized DNN model, or deep binary neural network (BNN), maximizes memory efficiency, as each parameter in a BNN model has only 1 bit. In this paper, we propose a reconfigurable BNN (RBNN) to further amplify memory efficiency for resource-constrained IoT devices. Generally, the RBNN can be reconfigured on demand to achieve any one of M (M > 1) distinct tasks with the same parameter set, so only a single task determines the memory requirements. In other words, memory utilization is improved by a factor of M. Our extensive experiments corroborate that up to seven commonly used tasks can co-exist (the value of M can be larger). These tasks, with varying numbers of classes, show no or negligible accuracy drop-off on three popular binarized DNN architectures: VGG, ResNet, and ReActNet. The tasks span different domains, e.g., the computer vision and audio domains validated herein, with the prerequisite that the model architecture can serve those cross-domain tasks. To protect the intellectual property of an RBNN model, the reconfiguration can be controlled by both a user key and a device-unique root key generated from the intrinsic hardware fingerprint. By doing so, an RBNN model can only be used per paid user per authorized device, benefiting both the user and the model provider.
Submitted 2 August, 2022; v1 submitted 8 May, 2021;
originally announced May 2021.
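The abstract says the RBNN reconfiguration is gated by a user key together with a device-unique root key derived from the hardware fingerprint, but gives no construction. The sketch below is an added example, not code from the RBNN paper: it binds a per-task reconfiguration key to (device root key, user key, task id) with an HMAC-based extract-then-expand derivation, then seals the task's reconfiguration bitmask with encrypt-then-MAC so that a blob sealed for one device and user cannot be opened on another device, by another user, or for another task. The root key is a constructed constant standing in for a PUF-derived value; the key derivation, the keystream construction and the "flip mask" view of reconfiguration are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the device-unique root key that the abstract says is
# generated from an intrinsic hardware fingerprint (e.g. a PUF). On a real
# device this value is regenerated by the hardware at boot and never stored.
DEVICE_ROOT_KEY = hashlib.sha256(b"constructed-device-fingerprint-01").digest()

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_reconfig_key(root_key: bytes, user_key: bytes, task_id: int) -> bytes:
    """Bind a reconfiguration key to (device, user, task) with an HKDF-style
    extract-then-expand over HMAC-SHA256 (assumed construction)."""
    prk = hmac.new(root_key, user_key, hashlib.sha256).digest()   # extract
    info = b"rbnn-task|" + task_id.to_bytes(2, "big")
    return hmac.new(prk, info, hashlib.sha256).digest()           # expand


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the bound key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a simple PRF use, not a standard cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal_task_config(config: bytes, root_key: bytes, user_key: bytes, task_id: int) -> bytes:
    """Encrypt-then-MAC a task's reconfiguration bitmask under the bound key."""
    k = derive_reconfig_key(root_key, user_key, task_id)
    ks = _keystream(_subkey(k, b"enc"), len(config))
    ct = bytes(a ^ b for a, b in zip(config, ks))
    # The task id is authenticated together with the ciphertext so a blob for
    # task 3 cannot be replayed as the configuration for task 4.
    tag = hmac.new(_subkey(k, b"mac"), task_id.to_bytes(2, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def unseal_task_config(blob: bytes, root_key: bytes, user_key: bytes, task_id: int):
    """Return the reconfiguration bitmask, or None if the device root key, user
    key or task id does not match what the blob was sealed for."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    k = derive_reconfig_key(root_key, user_key, task_id)
    expected = hmac.new(_subkey(k, b"mac"), task_id.to_bytes(2, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    ks = _keystream(_subkey(k, b"enc"), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def apply_reconfiguration(base_weights: bytes, mask: bytes) -> bytes:
    """Model on-device reconfiguration as flipping selected binary weights:
    every mask bit set to 1 flips the corresponding weight bit (assumption)."""
    return bytes(w ^ m for w, m in zip(base_weights, mask))


if __name__ == "__main__":
    user_key = secrets.token_bytes(32)               # issued to a paying user
    mask = bytes([0b10100000, 0b00000001])           # constructed flip mask for task 3
    blob = seal_task_config(mask, DEVICE_ROOT_KEY, user_key, task_id=3)
    print(unseal_task_config(blob, DEVICE_ROOT_KEY, user_key, 3) == mask)
    other_device = hashlib.sha256(b"constructed-device-fingerprint-02").digest()
    print(unseal_task_config(blob, other_device, user_key, 3))
```

The model provider seals one blob per (user, device, task); the device regenerates its root key from hardware at run time, so copying the blob and the binarized weights to another device yields only a MAC failure.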
-
Operator Splitting for Adaptive Radiation Therapy with Nonlinear Health Dynamics
Authors:
Anqi Fu,
Lei Xing,
Stephen Boyd
Abstract:
We present an optimization-based approach to radiation treatment planning over time. Our approach formulates treatment planning as an optimal control problem with nonlinear patient health dynamics derived from the standard linear-quadratic cell survival model. As the formulation is nonconvex, we propose a method for obtaining an approximate solution by solving a sequence of convex optimization problems. This method is fast, efficient, and robust to model error, adapting readily to changes in the patient's health between treatment sessions. Moreover, we show that it can be combined with the operator splitting method ADMM to produce an algorithm that is highly scalable and can handle large clinical cases. We introduce an open-source Python implementation of our algorithm, AdaRad, and demonstrate its performance on several examples.
Submitted 13 May, 2022; v1 submitted 4 May, 2021;
originally announced May 2021.
-
Reconsidering CO2 emissions from Computer Vision
Authors:
Andre Fu,
Mahdi S. Hosseini,
Konstantinos N. Plataniotis
Abstract:
Climate change is a pressing issue that is currently affecting and will affect every part of our lives. It's becoming incredibly vital that we, as a society, address the climate crisis as a universal effort, including those in the Computer Vision (CV) community. In this work, we analyze the total cost of CO2 emissions by breaking it into (1) the architecture creation cost and (2) the life-time evaluation cost. We show that over time, these costs are non-negligible and are having a direct impact on our future. Importantly, we conduct an ethical analysis of how the CV community is unintentionally overlooking its own ethical AI principles by emitting this level of CO2. To address these concerns, we propose adding "enforcement" as a pillar of ethical AI and provide some recommendations for how architecture designers and the broader CV community can curb the climate crisis.
Submitted 18 April, 2021;
originally announced April 2021.
-
Control Communication Co-Design for Wide Area Cyber-Physical Systems
Authors:
Laksh Bhatia,
Ivana Tomić,
Anqi Fu,
Michael Breza,
Julie A. McCann
Abstract:
Wide Area Cyber-Physical Systems (WA-CPSs) are a class of control systems that integrate low-powered sensors, heterogeneous actuators and computer controllers into large infrastructure that spans multi-kilometre distances. Current wireless communication technologies are incapable of meeting the communication requirements of range and bounded delays needed for the control of WA-CPSs. To solve this problem, we use a Control-Communication Co-design approach for WA-CPSs, that we refer to as the C^3 approach, to design a novel Low-Power Wide Area (LPWA) MAC protocol called Ctrl-MAC and its associated event-triggered controller that can guarantee the closed-loop stability of a WA-CPS. This is the first paper to show that LPWA wireless communication technologies can support the control of WA-CPSs. LPWA technologies are designed to support one-way communication for monitoring and are not appropriate for control. We present this work using an example of a water distribution network application which we evaluate both through a co-simulator (modelling both physical and cyber subsystems) and testbed deployments. Our evaluation demonstrates full control stability, with up to 50% better packet delivery ratios and 80% less average end-to-end delays when compared to a state of the art LPWA technology. We also evaluate our scheme against an idealised, wired, centralised, control architecture and show that the controller maintains stability and the overshoots remain within bounds.
Submitted 17 August, 2020;
originally announced August 2020.
-
VFL: A Verifiable Federated Learning with Privacy-Preserving for Big Data in Industrial IoT
Authors:
Anmin Fu,
Xianglong Zhang,
Naixue Xiong,
Yansong Gao,
Huaqun Wang
Abstract:
Due to the strong analytical ability of big data, deep learning has been widely applied to train the collected data in industrial IoT. However, for privacy reasons, traditional data-gathering centralized learning is not applicable to industrial scenarios where the training sets are sensitive. Recently, federated learning has received widespread attention, since it trains a model by relying only on gradient aggregation without accessing training sets. But existing research reveals that the shared gradient still retains sensitive information about the training set. Even worse, a malicious aggregation server may return forged aggregated gradients. In this paper, we propose VFL, a verifiable federated learning scheme with privacy preservation for big data in industrial IoT. Specifically, we use Lagrange interpolation to elaborately set interpolation points for verifying the correctness of the aggregated gradients. Compared with existing schemes, the verification overhead of VFL remains constant regardless of the number of participants. Moreover, we employ a blinding technique to protect the privacy of the gradients submitted by the participants. If no more than n-2 of n participants collude with the aggregation server, VFL guarantees that the encrypted gradients of the other participants cannot be inverted. Experimental evaluations corroborate the practical performance of the presented VFL framework with high accuracy and efficiency.
Submitted 30 July, 2020; v1 submitted 27 July, 2020;
originally announced July 2020.
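The abstract names two ingredients, blinding of submitted gradients and a Lagrange-interpolation check on the server's aggregate, without giving the protocol. The following is an added illustration of how those two ingredients can fit together; it is my own toy construction, not the VFL protocol from the paper. Gradients are fixed-point integers in a prime field; each participant adds a pairwise-cancelling blinding mask before upload, so the untrusted server sees only blinded vectors but their sum is the true aggregate; each participant also publishes a tag, its gradient's interpolating polynomial evaluated at a check point x0 that participants share but the server does not know. Because interpolation is linear, the aggregate must interpolate at x0 to the sum of the tags, and a server that forges even one coordinate fails the check except with probability about d/P. The field, the fixed-point scale, the choice of interpolation points and the secret-x0 assumption are all mine.

```python
import secrets

P = 2**61 - 1    # prime field for fixed-point gradient entries (assumption)
SCALE = 1000     # fixed-point resolution of 0.001 (assumption)


def encode(x: float) -> int:
    """Float gradient entry -> field element (two's-complement style sign handling)."""
    return round(x * SCALE) % P


def decode(v: int) -> float:
    if v > P // 2:
        v -= P
    return v / SCALE


def lagrange_eval(xs, ys, x0):
    """Evaluate at x0 the unique polynomial of degree < len(xs) through (xs, ys) over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def make_masks(n: int, d: int):
    """Blinding masks: one random vector per participant, summing to zero mod P per coordinate.
    Any n-1 masks are uniformly random, so a single honest participant's
    gradient stays hidden unless every other participant colludes."""
    masks = [[secrets.randbelow(P) for _ in range(d)] for _ in range(n - 1)]
    last = [(-sum(m[j] for m in masks)) % P for j in range(d)]
    return masks + [last]


def blind(grad, mask):
    return [(g + m) % P for g, m in zip(grad, mask)]


def make_tag(xs, grad, x0):
    """Participant-side tag: the gradient's interpolating polynomial evaluated at secret x0."""
    return lagrange_eval(xs, grad, x0)


def aggregate(blinded):
    """Untrusted server: coordinate-wise sum of blinded vectors (masks cancel)."""
    return [sum(col) % P for col in zip(*blinded)]


def verify(xs, aggregated, tags, x0):
    """Linearity check: interpolant of the aggregate at x0 must equal the sum of tags.
    The check is a single polynomial evaluation whatever the number of participants."""
    return lagrange_eval(xs, aggregated, x0) == sum(tags) % P


def run_round(grads, x0=None):
    """Run one aggregation round; returns (xs, x0, server aggregate, tags)."""
    n, d = len(grads), len(grads[0])
    xs = list(range(1, d + 1))                     # public interpolation points
    if x0 is None:
        x0 = d + 1 + secrets.randbelow(P - d - 1)  # secret check point, withheld from the server
    enc = [[encode(v) for v in g] for g in grads]
    masks = make_masks(n, d)
    blinded = [blind(e, m) for e, m in zip(enc, masks)]
    tags = [make_tag(xs, e, x0) for e in enc]
    agg = aggregate(blinded)
    return xs, x0, agg, tags


if __name__ == "__main__":
    # Constructed gradients from three participants, three coordinates each.
    grads = [[0.1, -0.2, 0.3], [0.05, 0.05, 0.05], [-0.1, 0.1, -0.3]]
    xs, x0, agg, tags = run_round(grads)
    print([decode(v) for v in agg], verify(xs, agg, tags, x0))
    forged = list(agg)
    forged[1] = (forged[1] + 1) % P                # server tampers with one coordinate
    print(verify(xs, forged, tags, x0))
```

Two caveats a practitioner should keep in mind: the tag leaks one linear combination of each gradient, so a real scheme would commit to or encrypt it rather than publish it in the clear; and if the server learns x0 it can craft an aggregate that satisfies the single linear constraint, so the check point must stay secret from the aggregator.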
-
Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review
Authors:
Yansong Gao,
Bao Gia Doan,
Zhi Zhang,
Siqi Ma,
Jiliang Zhang,
Anmin Fu,
Surya Nepal,
Hyoungshick Kim
Abstract:
This work provides the community with a timely comprehensive review of backdoor attacks and countermeasures on deep learning. According to the attacker's capability and affected stage of the machine learning pipeline, the attack surfaces are recognized to be wide and then formalized into six categorizations: code poisoning, outsourcing, pretrained, data collection, collaborative learning and post-deployment. Accordingly, attacks under each categorization are combed through. The countermeasures are categorized into four general classes: blind backdoor removal, offline backdoor inspection, online backdoor inspection, and post backdoor removal. Accordingly, we review countermeasures, and compare and analyze their advantages and disadvantages. We have also reviewed the flip side of backdoor attacks, which are explored for i) protecting intellectual property of deep learning models, ii) acting as a honeypot to catch adversarial example attacks, and iii) verifying data deletion requested by the data contributor. Overall, the research on defense is far behind the attack, and there is no single defense that can prevent all types of backdoor attacks. In some cases, an attacker can intelligently bypass existing defenses with an adaptive attack. Drawing the insights from the systematic review, we also present key areas for future research on the backdoor, such as empirical security evaluations from physical trigger attacks, and in particular, more efficient and practical countermeasures are solicited.
Submitted 2 August, 2020; v1 submitted 21 July, 2020;
originally announced July 2020.
-
Authentication, Access Control, Privacy, Threats and Trust Management Towards Securing Fog Computing Environments: A Review
Authors:
Abdullah Al-Noman Patwary,
Anmin Fu,
Ranesh Kumar Naha,
Sudheer Kumar Battula,
Saurabh Garg,
Md Anwarul Kaium Patwary,
Erfan Aghasian
Abstract:
Fog computing is an emerging computing paradigm that has come into consideration for the deployment of IoT applications amongst researchers and technology industries over the last few years. Fog is highly distributed and consists of a wide number of autonomous end devices, which contribute to the processing. However, the variety of devices offered across different users is not audited. Hence, the security of Fog devices is a major concern in the Fog computing environment. Furthermore, mitigating and preventing those security measures is a research issue. Therefore, to provide the necessary security for Fog devices, we need to understand what the security concerns are with regard to Fog. All aspects of Fog security which have not been covered by other literature works need to be identified, and all issues in Fog security need to be aggregated. It needs to be noted that computation devices belong to many ordinary users, and are not managed by any central entity or managing body. Therefore, trust and privacy are also key challenges to gain market adoption for Fog. To provide the required trust and privacy, we need to also focus on authentication, threats and access control mechanisms as well as techniques in Fog computing. In this paper, we perform a survey and propose a taxonomy, which presents an overview of existing security concerns in the context of the Fog computing paradigm. We discuss Blockchain-based solutions towards a secure Fog computing environment and present various research challenges and directions for future research.
Submitted 29 February, 2020;
originally announced March 2020.
-
The Separator, a Two-Phase Oil and Water Gravity CPS Separator Testbed
Authors:
Michael Breza,
Laksh Bhatia,
Ivana Tomic,
Anqi Fu,
Waqas Ikram,
Valentinos Kongezos,
Julie A. McCann
Abstract:
Industrial Control Systems (ICS) are evolving with advances in new technology. The addition of wireless sensors and actuators and new control techniques means that engineering practices from communication systems are being integrated into those used for control systems. The two are engineered in very different ways. Neither engineering approach is capable of accounting for the subtle interactions and interdependence that occur when the two are combined. This paper describes our first steps to bridge this gap, and push the boundaries of both computer communication system and control system design. We present The Separator testbed, a Cyber-Physical testbed enabling our search for a suitable way to engineer systems that combine both computer networks and control systems.
Submitted 1 February, 2020;
originally announced February 2020.
-
MRPC: An R package for accurate inference of causal graphs
Authors:
Md. Bahadur Badsha,
Evan A Martin,
Audrey Qiuyan Fu
Abstract:
We present MRPC, an R package that learns causal graphs with improved accuracy over existing packages, such as pcalg and bnlearn. Our algorithm builds on the powerful PC algorithm, the canonical algorithm in computer science for learning directed acyclic graphs. The improvement in accuracy results from online control of the false discovery rate (FDR) that reduces false positive edges, a more accurate approach to identifying v-structures (i.e., $T_1 \rightarrow T_2 \leftarrow T_3$), and robust estimation of the correlation matrix among nodes. For genomic data that contain genotypes and gene expression for each sample, MRPC incorporates the principle of Mendelian randomization to orient the edges. Our package can be applied to continuous and discrete data.
Submitted 5 June, 2018;
originally announced June 2018.
-
Finding Multiple New Optimal Locations in a Road Network
Authors:
Ruifeng Liu,
Ada WaiChee Fu,
Zitong Chen,
Silu Huang,
Yubao Liu
Abstract:
We study the problem of optimal location querying for location based services in road networks, which aims to find locations for new servers or facilities. The existing optimal solutions on this problem consider only the cases with one new server. When two or more new servers are to be set up, the problem with minmax cost criteria, MinMax, becomes NP-hard. In this work we identify some useful properties about the potential locations for the new servers, from which we derive a novel algorithm for MinMax, and show that it is efficient when the number of new servers is small. When the number of new servers is large, we propose an efficient 3-approximate algorithm. We verify with experiments on real road networks that our solutions are effective and attain significantly better result quality compared to the existing greedy algorithms.
Submitted 13 June, 2016; v1 submitted 4 June, 2016;
originally announced June 2016.
-
(α, k)-Minimal Sorting and Skew Join in MPI and MapReduce
Authors:
Silu Huang,
Ada Wai-Chee Fu
Abstract:
As computer clusters are found to be highly effective for handling massive datasets, the design of efficient parallel algorithms for such a computing model is of great interest. We consider (α, k)-minimal algorithms for such a purpose, where α is the number of rounds in the algorithm, and k is a bound on the deviation from perfect workload balance. We focus on new (α, k)-minimal algorithms for sorting and skew equijoin operations for computer clusters. To the best of our knowledge the proposed sorting and skew join algorithms achieve the best workload balancing guarantee when compared to previous works. Our empirical study shows that they are close to optimal in workload balancing. In particular, our proposed sorting algorithm is around 25% more efficient than the state-of-the-art Terasort algorithm and achieves significantly more even workload distribution by over 50%.
Submitted 21 March, 2014;
originally announced March 2014.
-
Hop Doubling Label Indexing for Point-to-Point Distance Querying on Scale-Free Networks
Authors:
Minhao Jiang,
Ada Wai-Chee Fu,
Raymond Chi-Wing Wong,
Yanyan Xu
Abstract:
We study the problem of point-to-point distance querying for massive scale-free graphs, which is important for numerous applications. Given a directed or undirected graph, we propose to build an index for answering such queries based on a hop-doubling labeling technique. We derive bounds on the index size, the computation costs and I/O costs based on the properties of unweighted scale-free graphs. We show that our method is much more efficient compared to the state-of-the-art technique, in terms of both querying time and indexing time. Our empirical study shows that our method can handle graphs that are orders of magnitude larger than existing methods.
Submitted 2 May, 2014; v1 submitted 4 March, 2014;
originally announced March 2014.
-
Beyond the Min-Cut Bound: Deterministic Network Coding for Asynchronous Multirate Broadcast
Authors:
Amy Fu,
Parastoo Sadeghi,
Muriel Medard
Abstract:
In a single hop broadcast packet erasure network, we demonstrate that it is possible to provide multirate packet delivery outside of what is given by the network min-cut. This is achieved by using a deterministic non-block-based network coding scheme, which allows us to sidestep some of the limitations put in place by the block coding model used to determine the network capacity.
Under the network coding scheme we outline, the sender is able to transmit network coded packets above the channel rate of some receivers, while ensuring that they still experience nonzero delivery rates. Interestingly, in this generalised form of asynchronous network coded broadcast, receivers are not required to obtain knowledge of all packets transmitted so far. Instead, causal feedback from the receivers about packet erasures is used by the sender to determine a network coded transmission that will allow at least one, but often multiple receivers, to deliver their next needed packet.
Although the analysis of deterministic coding schemes is generally a difficult problem, by making some approximations we are able to obtain tractable estimates of the receivers' delivery rates, which are shown to match reasonably well with simulation. Using these estimates, we design a fairness algorithm that allocates the sender's resources so all receivers will experience fair delivery rate performance.
Submitted 2 January, 2014;
originally announced January 2014.
-
IS-LABEL: an Independent-Set based Labeling Scheme for Point-to-Point Distance Querying on Large Graphs
Authors:
Ada Wai-Chee Fu,
Huanhuan Wu,
James Cheng,
Shumo Chu,
Raymond Chi-Wing Wong
Abstract:
We study the problem of computing shortest path or distance between two query vertices in a graph, which has numerous important applications. Quite a number of indexes have been proposed to answer such distance queries. However, all of these indexes can only process graphs of size barely up to 1 million vertices, which is rather small in view of many of the fast-growing real-world graphs today such as social networks and Web graphs. We propose an efficient index, which is a novel labeling scheme based on the independent set of a graph. We show that our method can handle graphs of size three orders of magnitude larger than those existing indexes.
Submitted 10 November, 2012;
originally announced November 2012.
-
Dynamic Rate Adaptation for Improved Throughput and Delay in Wireless Network Coded Broadcast
Authors:
Amy Fu,
Parastoo Sadeghi,
Muriel Medard
Abstract:
In this paper we provide theoretical and simulation-based study of the delivery delay performance of a number of existing throughput optimal coding schemes and use the results to design a new dynamic rate adaptation scheme that achieves improved overall throughput-delay performance.
Under a baseline rate control scheme, the receivers' delay performance is examined. Based on their Markov states, the knowledge difference between the sender and receiver, three distinct methods for packet delivery are identified: zero state, leader state and coefficient-based delivery. We provide analyses of each of these and show that, in many cases, zero state delivery alone presents a tractable approximation of the expected packet delivery behaviour. Interestingly, while coefficient-based delivery has so far been treated as a secondary effect in the literature, we find that the choice of coefficients is extremely important in determining the delay, and a well chosen encoding scheme can, in fact, contribute a significant improvement to the delivery delay.
Based on our delivery delay model, we develop a dynamic rate adaptation scheme which uses performance prediction models to determine the sender transmission rate. Surprisingly, taking this approach leads us to the simple conclusion that the sender should regulate its addition rate based on the total number of undelivered packets stored at the receivers. We show that despite its simplicity, our proposed dynamic rate adaptation scheme results in noticeably improved throughput-delay performance over existing schemes in the literature.
Submitted 28 September, 2013; v1 submitted 19 August, 2012;
originally announced August 2012.
-
Inferential or Differential: Privacy Laws Dictate
Authors:
Ke Wang,
Peng Wang,
Ada Waichee Fu,
Raywong Chi-Wing Wong
Abstract:
So far, privacy models follow two paradigms. The first paradigm, termed inferential privacy in this paper, focuses on the risk due to statistical inference of sensitive information about a target record from other records in the database. The second paradigm, known as differential privacy, focuses on the risk to an individual when included in, versus when not included in, the database. The contribution of this paper consists of two parts. The first part presents a critical analysis on differential privacy with two results: (i) the differential privacy mechanism does not provide inferential privacy, (ii) the impossibility result about achieving Dalenius's privacy goal [5] is based on an adversary simulated by a Turing machine, but a human adversary may behave differently; consequently, the practical implication of the impossibility result remains unclear. The second part of this work is devoted to a solution addressing three major drawbacks in previous approaches to inferential privacy: lack of flexibility for handling variable sensitivity, poor utility, and vulnerability to auxiliary information.
Submitted 16 February, 2012;
originally announced February 2012.
-
Small Count Privacy and Large Count Utility in Data Publishing
Authors:
Ada Wai-Chee Fu,
Jia Wang,
Ke Wang,
Raymond Chi-Wing Wong
Abstract:
While the introduction of differential privacy has been a major breakthrough in the study of privacy preserving data publication, some recent work has pointed out a number of cases where it is not possible to limit inference about individuals. The dilemma that is intrinsic in the problem is the simultaneous requirement of data utility in the published data. Differential privacy does not aim to protect information about an individual that can be uncovered even without the participation of the individual. However, this lack of coverage may violate the principle of individual privacy. Here we propose a solution by providing protection to sensitive information, by which we refer to the answers for aggregate queries with small counts. Previous works based on $\ell$-diversity can be seen as providing a special form of this kind of protection. Our method is developed with another goal which is to provide differential privacy guarantee, and for that we introduce a more refined form of differential privacy to deal with certain practical issues. Our empirical studies show that our method can preserve better utilities than a number of state-of-the-art methods although these methods do not provide the protections that we provide.
Submitted 15 February, 2012;
originally announced February 2012.
-
Randomization Resilient To Sensitive Reconstruction
Authors:
Ke Wang,
Chao Han,
Ada Waichee Fu
Abstract:
With the randomization approach, sensitive data items of records are randomized to protect privacy of individuals while allowing the distribution information to be reconstructed for data analysis. In this paper, we distinguish between reconstruction that has potential privacy risk, called micro reconstruction, and reconstruction that does not, called aggregate reconstruction. We show that the former could disclose sensitive information about a target individual, whereas the latter is more useful for data analysis than for privacy breaches. To limit the privacy risk of micro reconstruction, we propose a privacy definition, called (epsilon,delta)-reconstruction-privacy. Intuitively, this privacy notion requires that micro reconstruction has a large error with a large probability. The promise of this approach is that micro reconstruction is more sensitive to the number of independent trials in the randomization process than aggregate reconstruction is; therefore, reducing the number of independent trials helps achieve (epsilon,delta)-reconstruction-privacy while preserving the accuracy of aggregate reconstruction. We present an algorithm based on this idea and evaluate the effectiveness of this approach using real life data sets.
Submitted 14 February, 2012;
originally announced February 2012.
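The distinction the abstract draws, between aggregate reconstruction (harmless, and accurate from a single randomized copy of the data) and micro reconstruction (a privacy risk that grows with the number of independent randomization trials per record), can be made concrete with the simplest randomization scheme. The following is an added example using Warner-style randomized response on a binary sensitive attribute; it is my own illustration and not the paper's algorithm or its (epsilon,delta)-reconstruction-privacy mechanism. Each record reports its true bit with probability p and the opposite bit otherwise. The aggregate estimator inverts that channel over the whole population, while the micro attack collects t independent randomized copies of one record and takes a majority vote; the analytic and simulated accuracies show why publishing more independent trials erodes per-record privacy without improving the aggregate. The parameters p = 0.6 and t = 15 are constructed for the demonstration.

```python
import random
from math import comb


def randomize(true_bit: int, p: float, rng: random.Random) -> int:
    """Warner randomized response: report the truth with probability p (p > 0.5),
    the opposite value otherwise."""
    return true_bit if rng.random() < p else 1 - true_bit


def reconstruct_aggregate(reports, p: float) -> float:
    """Aggregate reconstruction: unbiased estimate of the population fraction of 1s.
    E[observed] = q*p + (1-q)*(1-p), so q = (observed - (1-p)) / (2p - 1)."""
    observed = sum(reports) / len(reports)
    return (observed - (1 - p)) / (2 * p - 1)


def micro_reconstruct(trials) -> int:
    """Micro reconstruction of one record from t independent randomized copies:
    majority vote, which is the maximum-likelihood guess when p > 0.5."""
    return 1 if 2 * sum(trials) > len(trials) else 0


def micro_accuracy(p: float, t: int) -> float:
    """Probability that the majority vote over t (odd) independent trials
    recovers a record's true bit: P[Binomial(t, p) > t/2]."""
    return sum(comb(t, k) * p ** k * (1 - p) ** (t - k) for k in range(t // 2 + 1, t + 1))


def simulate(n: int, true_fraction: float, p: float, t: int, seed: int = 0):
    """Publish t independently randomized copies of n records (constructed data).
    Returns (aggregate estimate from the first copy alone, empirical accuracy of
    the per-record majority-vote attack across all t copies)."""
    rng = random.Random(seed)
    truth = [1 if i < int(n * true_fraction) else 0 for i in range(n)]
    tables = [[randomize(b, p, rng) for b in truth] for _ in range(t)]
    agg_estimate = reconstruct_aggregate(tables[0], p)  # one trial suffices for aggregates
    hits = sum(
        micro_reconstruct([tables[k][i] for k in range(t)]) == truth[i] for i in range(n)
    )
    return agg_estimate, hits / n


if __name__ == "__main__":
    p = 0.6
    print("analytic micro accuracy, t=1 :", micro_accuracy(p, 1))
    print("analytic micro accuracy, t=15:", micro_accuracy(p, 15))
    for t in (1, 15):
        agg, micro = simulate(n=50000, true_fraction=0.3, p=p, t=t, seed=1)
        print(f"t={t:2d}  aggregate estimate={agg:.3f}  per-record attack accuracy={micro:.3f}")
```

With a single trial the per-record attack does no better than the channel itself (accuracy p), while the population fraction is already recovered to within sampling error; fifteen independent trials push per-record accuracy close to 0.79 without changing the aggregate, which is the effect the abstract exploits in the other direction by limiting the number of trials.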
-
Anonymization with Worst-Case Distribution-Based Background Knowledge
Authors:
Raymond Chi-Wing Wong,
Ada Wai-Chee Fu,
Ke Wang,
Yabo Xu,
Jian Pei,
Philip S. Yu
Abstract:
Background knowledge is an important factor in privacy preserving data publishing. Distribution-based background knowledge is one of the well studied kinds of background knowledge. However, to the best of our knowledge, there is no existing work considering distribution-based background knowledge in the worst case scenario, by which we mean that the adversary has accurate knowledge about the distribution of sensitive values according to some tuple attributes. Considering this worst case scenario is essential because we cannot overlook any breaching possibility. In this paper, we propose an algorithm to anonymize a dataset in order to protect individual privacy by considering this background knowledge. We prove that the anonymized datasets generated by our proposed algorithm protect individual privacy. Our empirical studies show that our method preserves high utility for the published data at the same time.
Submitted 6 September, 2009;
originally announced September 2009.
-
Can the Utility of Anonymized Data be used for Privacy Breaches?
Authors:
Raymond Chi-Wing Wong,
Ada Wai-Chee Fu,
Ke Wang,
Yabo Xu,
Philip S. Yu
Abstract:
Group based anonymization is the most widely studied approach for privacy preserving data publishing. This includes k-anonymity, l-diversity, and t-closeness, to name a few. The goal of this paper is to raise a fundamental issue on the privacy exposure of the current group based approach. This has been overlooked in the past. The group based anonymization approach basically hides each individual record behind a group to preserve data privacy. If not properly anonymized, patterns can actually be derived from the published data and be used by the adversary to breach individual privacy. For example, from the medical records released, if patterns such as people from certain countries rarely suffer from some disease can be derived, then the information can be used to imply linkage of other people in an anonymized group with this disease with higher likelihood. We call the derived patterns from the published data the foreground knowledge. This is in contrast to the background knowledge that the adversary may obtain from other channels as studied in some previous work. Finally, we show by experiments that the attack is realistic in the privacy benchmark dataset under the traditional group based anonymization approach.
Submitted 11 May, 2009;
originally announced May 2009.