Search Results for author: Saeed Mahloujifar

Found 36 papers, 12 papers with code

Guarantees of confidentiality via Hammersley-Chapman-Robbins bounds

1 code implementation · 3 Apr 2024 · Kamalika Chaudhuri, Chuan Guo, Laurens van der Maaten, Saeed Mahloujifar, Mark Tygert

The HCR bounds appear to be insufficient on their own to guarantee confidentiality of the inputs to inference with standard deep neural nets, "ResNet-18" and "Swin-T," pre-trained on the data set, "ImageNet-1000," which contains 1000 classes.

Image Classification

Privacy Amplification for the Gaussian Mechanism via Bounded Support

no code implementations · 7 Mar 2024 · Shengyuan Hu, Saeed Mahloujifar, Virginia Smith, Kamalika Chaudhuri, Chuan Guo

Data-dependent privacy accounting frameworks such as per-instance differential privacy (pDP) and Fisher information loss (FIL) confer fine-grained privacy guarantees for individuals in a fixed training dataset.

Private Fine-tuning of Large Language Models with Zeroth-order Optimization

no code implementations · 9 Jan 2024 · Xinyu Tang, Ashwinee Panda, Milad Nasr, Saeed Mahloujifar, Prateek Mittal

We introduce DP-ZO, a new method for fine-tuning large language models that preserves the privacy of training data by privatizing zeroth-order optimization.

Privacy Preserving

Publicly Detectable Watermarking for Language Models

no code implementations · 27 Oct 2023 · Jaiden Fairoze, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Mingyuan Wang

We construct the first provable watermarking scheme for language models with public detectability or verifiability: we use a private key for watermarking and a public key for watermark detection.

A Randomized Approach for Tight Privacy Accounting

no code implementations · 17 Apr 2023 · Jiachen T. Wang, Saeed Mahloujifar, Tong Wu, Ruoxi Jia, Prateek Mittal

In this paper, we propose a new differential privacy paradigm called estimate-verify-release (EVR), which addresses the challenge of providing a strict upper bound for the privacy parameter in DP compositions by converting an estimate of the privacy parameter into a formal guarantee.

Privacy Preserving

MultiRobustBench: Benchmarking Robustness Against Multiple Attacks

no code implementations · 21 Feb 2023 · Sihui Dai, Saeed Mahloujifar, Chong Xiang, Vikash Sehwag, Pin-Yu Chen, Prateek Mittal

Using our framework, we present the first leaderboard, MultiRobustBench, for benchmarking multiattack evaluation which captures performance across attack types and attack strengths.

Benchmarking

Revisiting the Assumption of Latent Separability for Backdoor Defenses

1 code implementation · ICLR 2023 · Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, Prateek Mittal

This latent separation is so pervasive that a family of backdoor defenses directly takes it as a default assumption (dubbed the latent separability assumption), based on which they identify poison samples via cluster analysis in the latent space.

Uncovering Adversarial Risks of Test-Time Adaptation

no code implementations · 29 Jan 2023 · Tong Wu, Feiran Jia, Xiangyu Qi, Jiachen T. Wang, Vikash Sehwag, Saeed Mahloujifar, Prateek Mittal

Recently, test-time adaptation (TTA) has been proposed as a promising solution for addressing distribution shifts.

Test-time Adaptation

DP-RAFT: A Differentially Private Recipe for Accelerated Fine-Tuning

no code implementations · 8 Dec 2022 · Ashwinee Panda, Xinyu Tang, Vikash Sehwag, Saeed Mahloujifar, Prateek Mittal

A major direction in differentially private machine learning is differentially private fine-tuning: pretraining a model on a source of "public data" and transferring the extracted features to downstream tasks.

Image Classification

Renyi Differential Privacy of Propose-Test-Release and Applications to Private and Robust Machine Learning

no code implementations · 16 Sep 2022 · Jiachen T. Wang, Saeed Mahloujifar, Shouda Wang, Ruoxi Jia, Prateek Mittal

As an application of our analysis, we show that PTR and our theoretical results can be used to design differentially private variants of Byzantine-robust training algorithms that use robust statistics for gradient aggregation.

Overparameterization from Computational Constraints

no code implementations · 27 Aug 2022 · Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Mingyuan Wang

In particular, for computationally bounded learners, we extend the recent result of Bubeck and Sellke [NeurIPS'2021] which shows that robust models might need more parameters, to the computational regime and show that bounded learners could provably need an even larger number of parameters.

Just Rotate it: Deploying Backdoor Attacks via Rotation Transformation

no code implementations · 22 Jul 2022 · Tong Wu, Tianhao Wang, Vikash Sehwag, Saeed Mahloujifar, Prateek Mittal

Our attack can be easily deployed in the real world since it only requires rotating the object, as we show in both image classification and object detection applications.

Data Augmentation · Image Classification · +3

Towards A Proactive ML Approach for Detecting Backdoor Poison Samples

2 code implementations · 26 May 2022 · Xiangyu Qi, Tinghao Xie, Jiachen T. Wang, Tong Wu, Saeed Mahloujifar, Prateek Mittal

First, we uncover a post-hoc workflow underlying most prior work, where defenders passively allow the attack to proceed and then leverage the characteristics of the post-attacked model to uncover poison samples.

Circumventing Backdoor Defenses That Are Based on Latent Separability

1 code implementation · 26 May 2022 · Xiangyu Qi, Tinghao Xie, Yiming Li, Saeed Mahloujifar, Prateek Mittal

This latent separation is so pervasive that a family of backdoor defenses directly takes it as a default assumption (dubbed the latent separability assumption), based on which they identify poison samples via cluster analysis in the latent space.

Formulating Robustness Against Unforeseen Attacks

1 code implementation · 28 Apr 2022 · Sihui Dai, Saeed Mahloujifar, Prateek Mittal

Based on our generalization bound, we propose variation regularization (VR) which reduces variation of the feature extractor across the source threat model during training.

Optimal Membership Inference Bounds for Adaptive Composition of Sampled Gaussian Mechanisms

no code implementations · 12 Apr 2022 · Saeed Mahloujifar, Alexandre Sablayrolles, Graham Cormode, Somesh Jha

A common countermeasure against MI attacks is to utilize differential privacy (DP) during model training to mask the presence of individual examples.

ObjectSeeker: Certifiably Robust Object Detection against Patch Hiding Attacks via Patch-agnostic Masking

1 code implementation · 3 Feb 2022 · Chong Xiang, Alexander Valtchanov, Saeed Mahloujifar, Prateek Mittal

An attacker can use a single physically-realizable adversarial patch to make the object detector miss the detection of victim objects and undermine the functionality of object detection applications.

Autonomous Vehicles · Object · +2

SparseFed: Mitigating Model Poisoning Attacks in Federated Learning with Sparsification

1 code implementation · 12 Dec 2021 · Ashwinee Panda, Saeed Mahloujifar, Arjun N. Bhagoji, Supriyo Chakraborty, Prateek Mittal

Federated learning is inherently vulnerable to model poisoning attacks because its decentralized nature allows attackers to participate with compromised devices.

Federated Learning · Model Poisoning

Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture

no code implementations · 15 Oct 2021 · Xinyu Tang, Saeed Mahloujifar, Liwei Song, Virat Shejwalkar, Milad Nasr, Amir Houmansadr, Prateek Mittal

The goal of this work is to train ML models that have high membership privacy while largely preserving their utility; we therefore aim for an empirical membership privacy guarantee as opposed to the provable privacy guarantees provided by techniques like differential privacy, as such techniques are shown to deteriorate model utility.

Privacy Preserving

Parameterizing Activation Functions for Adversarial Robustness

no code implementations · 11 Oct 2021 · Sihui Dai, Saeed Mahloujifar, Prateek Mittal

To address this, we analyze the direct impact of activation shape on robustness through PAFs and observe that activation shapes with positive outputs on negative inputs and with high finite curvature can increase robustness.

Adversarial Robustness

PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier

1 code implementation · 20 Aug 2021 · Chong Xiang, Saeed Mahloujifar, Prateek Mittal

Remarkably, PatchCleanser achieves 83.9% top-1 clean accuracy and 62.1% top-1 certified robust accuracy against a 2%-pixel square patch anywhere on the image for the 1000-class ImageNet dataset.

Image Classification

Membership Inference on Word Embedding and Beyond

no code implementations · 21 Jun 2021 · Saeed Mahloujifar, Huseyin A. Inan, Melissa Chase, Esha Ghosh, Marcello Hasegawa

Indeed, our attack is a cheaper membership inference attack on text-generative models, which does not require the knowledge of the target model or any expensive training of text-generative models as shadow models.

Inference Attack · Language Modelling · +3

Property Inference From Poisoning

no code implementations · 26 Jan 2021 · Melissa Chase, Esha Ghosh, Saeed Mahloujifar

In this work, we study property inference in scenarios where the adversary can maliciously control part of the training data (poisoning data) with the goal of increasing the leakage.

Data Poisoning

Model-Targeted Poisoning Attacks with Provable Convergence

1 code implementation · 30 Jun 2020 · Fnu Suya, Saeed Mahloujifar, Anshuman Suri, David Evans, Yuan Tian

Our attack is the first model-targeted poisoning attack that provides provable convergence for convex models, and in our experiments, it either exceeds or matches state-of-the-art attacks in terms of attack success rate and distance to the target model.

Computational Concentration of Measure: Optimal Bounds, Reductions, and More

no code implementations · 11 Jul 2019 · Omid Etesami, Saeed Mahloujifar, Mohammad Mahmoody

Product measures of dimension $n$ are known to be concentrated in Hamming distance: for any set $S$ in the product space of probability $\epsilon$, a random point in the space, with probability $1-\delta$, has a neighbor in $S$ that is different from the original point in only $O(\sqrt{n\ln(1/(\epsilon\delta))})$ coordinates.

Open-Ended Question Answering

Lower Bounds for Adversarially Robust PAC Learning

no code implementations · 13 Jun 2019 · Dimitrios I. Diochnos, Saeed Mahloujifar, Mohammad Mahmoody

In this work, we initiate a formal study of probably approximately correct (PAC) learning under evasion attacks, where the adversary's goal is to \emph{misclassify} the adversarially perturbed sample point $\widetilde{x}$, i.e., $h(\widetilde{x})\neq c(\widetilde{x})$, where $c$ is the ground truth concept and $h$ is the learned hypothesis.

PAC learning

Empirically Measuring Concentration: Fundamental Limits on Intrinsic Robustness

1 code implementation · NeurIPS 2019 · Saeed Mahloujifar, Xiao Zhang, Mohammad Mahmoody, David Evans

Many recent works have shown that adversarial examples that fool classifiers can be found by minimally perturbing a normal input.

Image Classification

Adversarially Robust Learning Could Leverage Computational Hardness

no code implementations · 28 May 2019 · Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody

In the reverse direction, we also show that the existence of such a learning task, in which computational robustness beats information-theoretic robustness, requires computational hardness, since it implies (average-case) hardness of NP.

Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution

no code implementations · NeurIPS 2018 · Dimitrios I. Diochnos, Saeed Mahloujifar, Mohammad Mahmoody

We study both "inherent" bounds that apply to any problem and any classifier for such a problem as well as bounds that apply to specific problems and specific hypothesis classes.

Can Adversarially Robust Learning Leverage Computational Hardness?

no code implementations · 2 Oct 2018 · Saeed Mahloujifar, Mohammad Mahmoody

Making learners robust to adversarial perturbation at test time (i.e., evasion attacks) or training time (i.e., poisoning attacks) has emerged as a challenging task.

Universal Multi-Party Poisoning Attacks

no code implementations · 10 Sep 2018 · Saeed Mahloujifar, Mohammad Mahmoody, Ameer Mohammed

In this work, we demonstrate universal multi-party poisoning attacks that adapt and apply to any multi-party learning process with an arbitrary interaction pattern between the parties.

The Curse of Concentration in Robust Learning: Evasion and Poisoning Attacks from Concentration of Measure

no code implementations · 9 Sep 2018 · Saeed Mahloujifar, Dimitrios I. Diochnos, Mohammad Mahmoody

We show that if the metric probability space of the test instance is concentrated, any classifier with some initial constant error is inherently vulnerable to adversarial perturbations.

Learning under $p$-Tampering Attacks

no code implementations · 10 Nov 2017 · Saeed Mahloujifar, Dimitrios I. Diochnos, Mohammad Mahmoody

They obtained $p$-tampering attacks that increase the error probability in the so-called targeted poisoning model, in which the adversary's goal is to increase the loss of the trained hypothesis on a particular test example.

PAC learning
