-
Robust width: A lightweight and certifiable adversarial defense
Authors:
Jonathan Peck,
Bart Goossens
Abstract:
Deep neural networks are vulnerable to so-called adversarial examples: inputs which are intentionally constructed to cause the model to make incorrect predictions or classifications. Adversarial examples are often visually indistinguishable from natural data samples, making them hard to detect. As such, they pose significant threats to the reliability of deep learning systems. In this work, we study an adversarial defense based on the robust width property (RWP), which was recently introduced for compressed sensing. We show that a specific input purification scheme based on the RWP gives theoretical robustness guarantees for images that are approximately sparse. The defense is easy to implement and can be applied to any existing model without additional training or finetuning. We empirically validate the defense on ImageNet against $L^\infty$ perturbations at perturbation budgets ranging from $4/255$ to $32/255$. In the black-box setting, our method significantly outperforms the state-of-the-art, especially for large perturbations. In the white-box setting, depending on the choice of base classifier, we closely match the state of the art in robust ImageNet classification while avoiding the need for additional data, larger models or expensive adversarial training routines. Our code is available at https://github.com/peck94/robust-width-defense.
Submitted 24 May, 2024;
originally announced May 2024.
-
Distilling Deep RL Models Into Interpretable Neuro-Fuzzy Systems
Authors:
Arne Gevaert,
Jonathan Peck,
Yvan Saeys
Abstract:
Deep Reinforcement Learning uses a deep neural network to encode a policy, which achieves very good performance in a wide range of applications but is widely regarded as a black box model. A more interpretable alternative to deep networks is given by neuro-fuzzy controllers. Unfortunately, neuro-fuzzy controllers often need a large number of rules to solve relatively simple tasks, making them difficult to interpret. In this work, we present an algorithm to distill the policy from a deep Q-network into a compact neuro-fuzzy controller. This allows us to train compact neuro-fuzzy controllers through distillation to solve tasks that they are unable to solve directly, combining the flexibility of deep reinforcement learning and the interpretability of compact rule bases. We demonstrate the algorithm on three well-known environments from OpenAI Gym, where we nearly match the performance of a DQN agent using only 2 to 6 fuzzy rules.
Submitted 7 September, 2022;
originally announced September 2022.
-
Data Driven Prediction of Battery Cycle Life Before Capacity Degradation
Authors:
Anmol Singh,
Caitlin Feltner,
Jamie Peck,
Kurt I. Kuhn
Abstract:
Ubiquitous use of lithium-ion batteries across multiple industries presents an opportunity to explore cost saving initiatives as the price to performance ratio continually decreases in a competitive environment. Manufacturers using lithium-ion batteries ranging in applications from mobile phones to electric vehicles need to know how long batteries will last for a given service life. To understand this, expensive testing is required.
This paper utilizes the data and methods implemented by Kristen A. Severson, et al, to explore the methodologies that the research team used and presents another method to compare predicted results vs. actual test data for battery capacity fade. The fundamental effort is to find out if machine learning techniques may be trained to use early life cycle data in order to accurately predict battery capacity over the battery life cycle. Results show comparison of methods between Gaussian Process Regression (GPR) and Elastic Net Regression (ENR) and highlight key data features used from the extensive dataset found in the work of Severson, et al.
Submitted 18 October, 2021;
originally announced October 2021.
-
Making existing software quantum safe: a case study on IBM Db2
Authors:
Lei Zhang,
Andriy Miranskyy,
Walid Rjaibi,
Greg Stager,
Michael Gray,
John Peck
Abstract:
The software engineering community is facing challenges from quantum computers (QCs). In the era of quantum computing, Shor's algorithm running on QCs can break asymmetric encryption algorithms that classical computers practically cannot. Though the exact date when QCs will become "dangerous" for practical problems is unknown, the consensus is that this future is near. Thus, the software engineering community needs to start making software ready for quantum attacks and ensure quantum safety proactively.
We argue that the problem of evolving existing software to quantum-safe software is very similar to the Y2K bug. Thus, we leverage some best practices from the Y2K bug and propose our roadmap, called 7E, which gives developers a structured way to prepare for quantum attacks. It is intended to help developers start planning for the creation of new software and the evolution of cryptography in existing software.
In this paper, we use a case study to validate the viability of 7E. Our software under study is the IBM Db2 database system. We upgrade the current cryptographic schemes to post-quantum cryptographic ones (using Kyber and Dilithium schemes) and report our findings and lessons learned.
We show that the 7E roadmap effectively plans the evolution of existing software security features towards quantum safety, but it does require minor revisions. We incorporate our experience with IBM Db2 into the revised 7E roadmap.
The U.S. Department of Commerce's National Institute of Standards and Technology is finalizing the post-quantum cryptographic standard. The software engineering community needs to start getting prepared for the quantum advantage era. We hope that our experiential study with IBM Db2 and the 7E roadmap will help the community prepare existing software for quantum attacks in a structured manner.
Submitted 2 April, 2023; v1 submitted 16 October, 2021;
originally announced October 2021.
-
Homogenizing Entropy Across Different Environmental Conditions: A Universally Applicable Method for Transforming Continuous Variables
Authors:
Joel R. Peck,
David Waxman
Abstract:
In classical information theory, a causal relationship between two variables is typically modelled by assuming that, for every possible state of one of the variables, there exists a particular distribution of states of the second variable. Let us call these two variables the causal and caused variables, respectively. We shall assume that both variables are continuous and one-dimensional. In this work we consider a procedure to transform each variable, using transformations that are differentiable and strictly increasing. We call these increasing transformations. Any causal relationship (as defined here) is associated with a channel capacity, which is the maximum rate that information could be sent if the causal relationship was used as a signalling system. Channel capacity is unaffected when the two variables are changed by use of increasing transformations. For any causal relationship we show that there is always a way to transform the caused variable such that the entropy associated with the caused variable is independent of the value of the causal variable. Furthermore, the resulting universal entropy has an absolute value that is equal to the channel capacity associated with the causal relationship. This observation may be useful in statistical applications. Also, for any causal relationship, it implies that there is a 'natural' way to transform a continuous caused variable. We also show that, with additional constraints on the causal relationship, a natural increasing transformation of both variables leads to a transformed causal relationship that has properties that might be expected from a well-engineered measuring device.
Submitted 24 February, 2023; v1 submitted 8 July, 2021;
originally announced July 2021.
-
Regional Image Perturbation Reduces $L_p$ Norms of Adversarial Examples While Maintaining Model-to-model Transferability
Authors:
Utku Ozbulak,
Jonathan Peck,
Wesley De Neve,
Bart Goossens,
Yvan Saeys,
Arnout Van Messem
Abstract:
Regional adversarial attacks often rely on complicated methods for generating adversarial perturbations, making it hard to compare their efficacy against well-known attacks. In this study, we show that effective regional perturbations can be generated without resorting to complex methods. We develop a very simple regional adversarial perturbation attack method using cross-entropy sign, one of the most commonly used losses in adversarial machine learning. Our experiments on ImageNet with multiple models reveal that, on average, $76\%$ of the generated adversarial examples maintain model-to-model transferability when the perturbation is applied to local image regions. Depending on the selected region, these localized adversarial examples require significantly less $L_p$ norm distortion (for $p \in \{0, 2, \infty\}$) compared to their non-local counterparts. These localized attacks therefore have the potential to undermine defenses that claim robustness under the aforementioned norms.
Submitted 18 July, 2020; v1 submitted 7 July, 2020;
originally announced July 2020.
-
Simulating COVID-19 in a University Environment
Authors:
Philip T. Gressman,
Jennifer R. Peck
Abstract:
Residential colleges and universities face unique challenges in providing in-person instruction during the COVID-19 pandemic. Administrators are currently faced with decisions about whether to open during the pandemic and what modifications of their normal operations might be necessary to protect students, faculty and staff. There is little information, however, on what measures are likely to be most effective and whether existing interventions could contain the spread of an outbreak on campus. We develop a full-scale stochastic agent-based model to determine whether in-person instruction could safely continue during the pandemic and evaluate the necessity of various interventions. Simulation results indicate that large scale randomized testing, contact-tracing, and quarantining are important components of a successful strategy for containing campus outbreaks. High test specificity is critical for keeping the size of the quarantine population manageable. Moving the largest classes online is also crucial for controlling both the size of outbreaks and the number of students in quarantine. Increased residential exposure can significantly impact the size of an outbreak, but it is likely more important to control non-residential social exposure among students. Finally, necessarily high quarantine rates even in controlled outbreaks imply significant absenteeism, indicating a need to plan for remote instruction of quarantined students.
Submitted 28 June, 2020; v1 submitted 4 June, 2020;
originally announced June 2020.
-
Inline Detection of DGA Domains Using Side Information
Authors:
Raaghavi Sivaguru,
Jonathan Peck,
Femi Olumofin,
Anderson Nascimento,
Martine De Cock
Abstract:
Malware applications typically use a command and control (C&C) server to manage bots to perform malicious activities. Domain Generation Algorithms (DGAs) are popular methods for generating pseudo-random domain names that can be used to establish a communication between an infected bot and the C&C server. In recent years, machine learning based systems have been widely used to detect DGAs. There are several well known state-of-the-art classifiers in the literature that can detect DGA domain names in real-time applications with high predictive performance. However, these DGA classifiers are highly vulnerable to adversarial attacks in which adversaries purposely craft domain names to evade DGA detection classifiers. In our work, we focus on hardening DGA classifiers against adversarial attacks. To this end, we train and evaluate state-of-the-art deep learning and random forest (RF) classifiers for DGA detection using side information that is harder for adversaries to manipulate than the domain name itself. Additionally, the side information features are selected such that they are easily obtainable in practice to perform inline DGA detection. The performance and robustness of these models is assessed by exposing them to one day of real-traffic data as well as domains generated by adversarial attack algorithms. We found that the DGA classifiers that rely on both the domain name and side information have high performance and are more robust against adversaries.
Submitted 12 March, 2020;
originally announced March 2020.
-
CharBot: A Simple and Effective Method for Evading DGA Classifiers
Authors:
Jonathan Peck,
Claire Nie,
Raaghavi Sivaguru,
Charles Grumer,
Femi Olumofin,
Bin Yu,
Anderson Nascimento,
Martine De Cock
Abstract:
Domain generation algorithms (DGAs) are commonly leveraged by malware to create lists of domain names which can be used for command and control (C&C) purposes. Approaches based on machine learning have recently been developed to automatically detect generated domain names in real-time. In this work, we present a novel DGA called CharBot which is capable of producing large numbers of unregistered domain names that are not detected by state-of-the-art classifiers for real-time detection of DGAs, including the recently published methods FANCI (a random forest based on human-engineered features) and LSTM.MI (a deep learning approach). CharBot is very simple, effective and requires no knowledge of the targeted DGA classifiers. We show that retraining the classifiers on CharBot samples is not a viable defense strategy. We believe these findings show that DGA classifiers are inherently vulnerable to adversarial attacks if they rely only on the domain name string to make a decision. Designing a robust DGA classifier may, therefore, necessitate the use of additional information besides the domain name alone. To the best of our knowledge, CharBot is the simplest and most efficient black-box adversarial attack against DGA classifiers proposed to date.
Submitted 30 May, 2019; v1 submitted 3 May, 2019;
originally announced May 2019.
-
Textual Paralanguage and its Implications for Marketing Communications
Authors:
Andrea Webb Luangrath,
Joann Peck,
Victor A. Barger
Abstract:
Both face-to-face communication and communication in online environments convey information beyond the actual verbal message. In a traditional face-to-face conversation, paralanguage, or the ancillary meaning- and emotion-laden aspects of speech that are not actual verbal prose, gives contextual information that allows interactors to more appropriately understand the message being conveyed. In this paper, we conceptualize textual paralanguage (TPL), which we define as written manifestations of nonverbal audible, tactile, and visual elements that supplement or replace written language and that can be expressed through words, symbols, images, punctuation, demarcations, or any combination of these elements. We develop a typology of textual paralanguage using data from Twitter, Facebook, and Instagram. We present a conceptual framework of antecedents and consequences of brands' use of textual paralanguage. Implications for theory and practice are discussed.
Submitted 22 May, 2016;
originally announced May 2016.