no code implementations • 11 Oct 2024 • Zain Sarwar, Van Tran, Arjun Nitin Bhagoji, Nick Feamster, Ben Y. Zhao, Supriyo Chakraborty
Machine learning (ML) models often require large amounts of data to perform well.
no code implementations • 17 Jan 2024 • Wenxin Ding, Arjun Nitin Bhagoji, Ben Y. Zhao, Haitao Zheng
In this paper, we explore the feasibility of generating multiple versions of a model that possess different attack properties, without acquiring new training data or changing model architecture.
no code implementations • 21 Feb 2023 • Sihui Dai, Wenxin Ding, Arjun Nitin Bhagoji, Daniel Cullina, Ben Y. Zhao, Haitao Zheng, Prateek Mittal
Finding classifiers robust to adversarial examples is critical for their safe deployment.
1 code implementation • 3 Feb 2023 • Jacob Brown, Xi Jiang, Van Tran, Arjun Nitin Bhagoji, Nguyen Phong Hoang, Nick Feamster, Prateek Mittal, Vinod Yegneswaran
In this paper, we explore how machine learning (ML) models can (1) help streamline the detection process, (2) improve the potential of using large-scale datasets for censorship detection, and (3) discover new censorship instances and blocking signatures missed by existing heuristic methods.
1 code implementation • 21 Jun 2022 • Emily Wenger, Roma Bhattacharjee, Arjun Nitin Bhagoji, Josephine Passananti, Emilio Andere, Haitao Zheng, Ben Y. Zhao
Research on physical backdoors is limited by access to large datasets containing real images of physical objects co-located with targets of classification.
1 code implementation • 20 Jun 2022 • Christian Cianfarani, Arjun Nitin Bhagoji, Vikash Sehwag, Ben Y. Zhao, Prateek Mittal, Haitao Zheng
Representation learning, i.e., the generation of representations useful for downstream applications, is a task of fundamental importance that underlies much of the success of deep neural networks (DNNs).
no code implementations • 8 Jun 2022 • Huiying Li, Arjun Nitin Bhagoji, Yuxin Chen, Haitao Zheng, Ben Y. Zhao
Existing research on training-time attacks for deep neural networks (DNNs), such as backdoors, largely assumes that models are static once trained and that hidden backdoors trained into models remain active indefinitely.
no code implementations • 13 Oct 2021 • Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, Ben Y. Zhao
We propose a novel iterative clustering and pruning solution that trims "innocent" training samples until all that remains is the set of poisoned data responsible for the attack.
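As a rough illustration of the clustering-and-pruning idea, the loop below repeatedly clusters the remaining training data and permanently discards any cluster whose removal still reproduces the attack. This is a sketch, not the paper's algorithm: the feature representation, the clustering method, and the `attack_still_succeeds` oracle (e.g., "does the misclassification persist if we train only on the remaining samples?") are placeholder assumptions.

```python
import numpy as np
from sklearn.cluster import KMeans

def prune_innocent(features, attack_still_succeeds, n_clusters=8, max_rounds=10):
    """features: (n_samples, d) array; attack_still_succeeds: callback on index arrays."""
    remaining = np.arange(len(features))
    for _ in range(max_rounds):
        k = min(n_clusters, len(remaining))
        labels = KMeans(n_clusters=k, n_init=10).fit_predict(features[remaining])
        pruned_any = False
        for c in range(k):
            candidate = remaining[labels != c]      # tentatively drop cluster c
            if attack_still_succeeds(candidate):    # cluster c was "innocent"
                remaining = candidate
                pruned_any = True
                break
        if not pruned_any:                          # no cluster can be removed safely
            break
    return remaining                                # indices of suspected poisoned data
```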
no code implementations • 29 Sep 2021 • Arjun Nitin Bhagoji, Daniel Cullina, Ben Zhao
In this paper, we develop a methodology to analyze the robustness of fixed feature extractors, which in turn provide bounds on the robustness of any classifier trained on top of it.
no code implementations • 7 Sep 2021 • Shinan Liu, Francesco Bronzino, Paul Schmitt, Arjun Nitin Bhagoji, Nick Feamster, Hector Garcia Crespo, Timothy Coyle, Brian Ward
We then show that frequent model retraining with newly available data is not sufficient to mitigate concept drift, and can even degrade model accuracy further.
1 code implementation • 16 Apr 2021 • Arjun Nitin Bhagoji, Daniel Cullina, Vikash Sehwag, Prateek Mittal
In particular, it is critical to determine classifier-agnostic bounds on the training loss to establish when learning is possible.
no code implementations • 8 Feb 2021 • Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, Ben Y. Zhao
We experimentally demonstrate that Dolos provides 94+% protection against state-of-the-art WF attacks under a variety of settings.
Website Fingerprinting Attacks
Cryptography and Security
no code implementations • 8 Jul 2020 • Liwei Song, Vikash Sehwag, Arjun Nitin Bhagoji, Prateek Mittal
With our evaluation across 6 OOD detectors, we find that the choice of in-distribution data, model architecture, and OOD data has a strong impact on OOD detection performance, inducing false positive rates in excess of 70%.
BIG-bench Machine Learning
Out of Distribution (OOD) Detection
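The false-positive figure quoted above is an instance of a standard metric, the FPR at a fixed true-positive rate. A minimal way to compute it is sketched below, assuming the convention that higher scores mean "more in-distribution"; the paper's detectors and score definitions are not reproduced here.

```python
import numpy as np

def fpr_at_tpr(in_scores, out_scores, tpr=0.95):
    """Fraction of OOD inputs accepted as in-distribution at the threshold that
    keeps `tpr` of in-distribution inputs. Higher score = more in-distribution."""
    thresh = np.quantile(in_scores, 1.0 - tpr)    # keep the top `tpr` fraction of ID scores
    return float(np.mean(out_scores >= thresh))   # OOD samples wrongly accepted
```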
2 code implementations • 17 May 2020 • Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, Prateek Mittal
In this paper, we propose a general defense framework called PatchGuard that can achieve high provable robustness while maintaining high clean accuracy against localized adversarial patches.
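For intuition only, the sketch below shows a masking-style aggregation over a local class-evidence map produced by a small-receptive-field network: the highest-evidence spatial window, where a localized patch could concentrate its influence, is zeroed out per class before summing. This is a simplification of the underlying idea, not PatchGuard's actual robust-masking or certification procedure; the window size is an assumption.

```python
import numpy as np

def robust_masked_logits(evidence, window=3):
    """evidence: (H, W, C) local class-evidence map from a small-receptive-field CNN."""
    H, W, C = evidence.shape
    logits = np.zeros(C)
    for c in range(C):
        e = evidence[:, :, c]
        best, best_ij = -np.inf, (0, 0)
        for i in range(H - window + 1):           # locate the highest-evidence window
            for j in range(W - window + 1):
                s = e[i:i + window, j:j + window].sum()
                if s > best:
                    best, best_ij = s, (i, j)
        i, j = best_ij
        masked = e.copy()
        masked[i:i + window, j:j + window] = 0.0  # mask the suspicious window
        logits[c] = masked.sum()
    return logits
```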
9 code implementations • 10 Dec 2019 • Peter Kairouz, H. Brendan McMahan, Brendan Avent, Aurélien Bellet, Mehdi Bennis, Arjun Nitin Bhagoji, Kallista Bonawitz, Zachary Charles, Graham Cormode, Rachel Cummings, Rafael G. L. D'Oliveira, Hubert Eichner, Salim El Rouayheb, David Evans, Josh Gardner, Zachary Garrett, Adrià Gascón, Badih Ghazi, Phillip B. Gibbons, Marco Gruteser, Zaid Harchaoui, Chaoyang He, Lie He, Zhouyuan Huo, Ben Hutchinson, Justin Hsu, Martin Jaggi, Tara Javidi, Gauri Joshi, Mikhail Khodak, Jakub Konečný, Aleksandra Korolova, Farinaz Koushanfar, Sanmi Koyejo, Tancrède Lepoint, Yang Liu, Prateek Mittal, Mehryar Mohri, Richard Nock, Ayfer Özgür, Rasmus Pagh, Mariana Raykova, Hang Qi, Daniel Ramage, Ramesh Raskar, Dawn Song, Weikang Song, Sebastian U. Stich, Ziteng Sun, Ananda Theertha Suresh, Florian Tramèr, Praneeth Vepakomma, Jianyu Wang, Li Xiong, Zheng Xu, Qiang Yang, Felix X. Yu, Han Yu, Sen Zhao
FL embodies the principles of focused data collection and minimization, and can mitigate many of the systemic privacy risks and costs resulting from traditional, centralized machine learning and data science approaches.
1 code implementation • NeurIPS 2019 • Arjun Nitin Bhagoji, Daniel Cullina, Prateek Mittal
In this paper, we use optimal transport to characterize the minimum possible loss in an adversarial classification scenario.
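An empirical version of the resulting lower bound can be computed directly from samples: under an $\ell_2$ adversary with budget $\epsilon$, any pair of points from opposite classes within distance $2\epsilon$ can be pushed to a common input, so every pair in a maximum cross-class matching forces at least one error for any classifier. The sketch below computes that bound; it illustrates the idea behind the optimal-transport characterization rather than reproducing the paper's estimator, and it assumes equal class priors.

```python
import numpy as np
from scipy.sparse import csr_matrix
from scipy.sparse.csgraph import maximum_bipartite_matching

def adversarial_loss_lower_bound(x0, x1, eps):
    """x0, x1: (n0, d) and (n1, d) samples from the two classes."""
    dists = np.linalg.norm(x0[:, None, :] - x1[None, :, :], axis=-1)
    biadj = csr_matrix((dists <= 2 * eps).astype(int))   # pairs that can collide
    match = maximum_bipartite_matching(biadj, perm_type='column')
    n_matched = int((match != -1).sum())                  # each matched pair forces an error
    return n_matched / (len(x0) + len(x1))                # lower bound on adversarial 0-1 loss
```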
no code implementations • 5 May 2019 • Vikash Sehwag, Arjun Nitin Bhagoji, Liwei Song, Chawin Sitawarin, Daniel Cullina, Mung Chiang, Prateek Mittal
A large body of recent work has investigated the phenomenon of evasion attacks using adversarial examples for deep learning systems, where the addition of norm-bounded perturbations to the test inputs leads to incorrect output classification.
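In its simplest form, such an evasion attack nudges a test input along the sign of the loss gradient within an $\ell_\infty$ budget. The generic FGSM-style sketch below uses a placeholder differentiable `model` with inputs in [0, 1] and is not specific to any attack in this paper.

```python
import torch

def fgsm_example(model, x, y, eps=8 / 255):
    """One-step l-infinity evasion attack: shift each input coordinate by +/- eps
    in the direction that increases the classification loss."""
    x_adv = x.clone().detach().requires_grad_(True)
    loss = torch.nn.functional.cross_entropy(model(x_adv), y)
    loss.backward()
    return (x_adv + eps * x_adv.grad.sign()).clamp(0.0, 1.0).detach()
```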
no code implementations • NeurIPS 2018 • Daniel Cullina, Arjun Nitin Bhagoji, Prateek Mittal
We then explicitly derive the adversarial VC-dimension for halfspace classifiers in the presence of a sample-wise norm-constrained adversary of the type commonly studied for evasion attacks and show that it is the same as the standard VC-dimension, closing an open question.
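Concretely, writing $\mathcal{H}_d$ for halfspace classifiers on $\mathbb{R}^d$ and using $\mathrm{VC}_{\mathrm{adv},\epsilon}$ as shorthand for the adversarial VC-dimension under sample-wise perturbations of norm at most $\epsilon$ (notation mine), the result states $\mathrm{VC}_{\mathrm{adv},\epsilon}(\mathcal{H}_d) = \mathrm{VC}(\mathcal{H}_d) = d+1$, so the sample-complexity guarantees that VC theory gives for standard learning carry over unchanged to this adversarial setting.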
2 code implementations • ICLR 2019 • Arjun Nitin Bhagoji, Supriyo Chakraborty, Prateek Mittal, Seraphin Calo
Federated learning distributes model training among a multitude of agents, who, guided by privacy concerns, perform training using their local data but share only model parameter updates for iterative aggregation at the server.
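The aggregation step described here is, at its simplest, a weighted average of client updates. The sketch below uses numpy arrays as stand-ins for model parameters and is a generic FedAvg-style illustration, not the exact protocol analyzed in the paper, whose model-poisoning attacks target precisely this step via a malicious client's update.

```python
import numpy as np

def server_aggregate(global_params, client_updates, client_weights=None):
    """One aggregation round: each client sends (local_params - global_params)
    computed on its own data, and the server applies the weighted mean update."""
    if client_weights is None:
        client_weights = np.ones(len(client_updates))
    w = np.asarray(client_weights, dtype=float)
    w /= w.sum()
    mean_update = sum(wi * ui for wi, ui in zip(w, client_updates))
    return global_params + mean_update
```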
no code implementations • ECCV 2018 • Arjun Nitin Bhagoji, Warren He, Bo Li, Dawn Song
An iterative variant of our attack achieves close to 100% attack success rates for both targeted and untargeted attacks on DNNs.
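Such an attack can be driven with only query access to the victim model by estimating gradients with finite differences and taking iterative signed steps. The sketch below is a simplified, untargeted illustration in which `query_loss` is a placeholder for the victim's query interface; it omits the query-efficiency techniques and exact loss functions used in the paper.

```python
import numpy as np

def estimate_gradient(query_loss, x, delta=1e-2):
    """Two-sided finite differences over each coordinate; costs O(2 * dim) queries."""
    grad = np.zeros_like(x)
    for i in range(x.size):
        e = np.zeros_like(x)
        e.flat[i] = delta
        grad.flat[i] = (query_loss(x + e) - query_loss(x - e)) / (2 * delta)
    return grad

def iterative_blackbox_attack(query_loss, x, eps=0.03, steps=10):
    """Take small signed steps that increase the (queried) loss, within an l-inf ball."""
    x_adv = x.copy()
    for _ in range(steps):
        g = estimate_gradient(query_loss, x_adv)
        x_adv = np.clip(x_adv + (eps / steps) * np.sign(g), x - eps, x + eps)
    return np.clip(x_adv, 0.0, 1.0)
```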
no code implementations • 5 Jun 2018 • Daniel Cullina, Arjun Nitin Bhagoji, Prateek Mittal
We then explicitly derive the adversarial VC-dimension for halfspace classifiers in the presence of a sample-wise norm-constrained adversary of the type commonly studied for evasion attacks and show that it is the same as the standard VC-dimension, closing an open question.
1 code implementation • 18 Feb 2018 • Chawin Sitawarin, Arjun Nitin Bhagoji, Arsalan Mosenia, Mung Chiang, Prateek Mittal
In this paper, we propose and examine security attacks against sign recognition systems for Deceiving Autonomous caRs with Toxic Signs (we call the proposed attacks DARTS).
1 code implementation • 9 Jan 2018 • Chawin Sitawarin, Arjun Nitin Bhagoji, Arsalan Mosenia, Prateek Mittal, Mung Chiang
Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world.
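Robustness of this kind is typically obtained by optimizing the perturbation against a distribution of transformations rather than a single clean image. The sketch below follows that expectation-over-transformations pattern with random brightness and noise as stand-ins for physical variation; the transformation set, optimizer, and PyTorch usage are assumptions, not the paper's exact pipeline.

```python
import torch

def transform_robust_perturbation(model, x, y_target, eps=0.1, steps=100, n_samples=8):
    """Optimize one perturbation that drives the model toward y_target under
    random brightness and noise transformations."""
    delta = torch.zeros_like(x, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=0.01)
    for _ in range(steps):
        loss = 0.0
        for _ in range(n_samples):
            b = 0.8 + 0.4 * torch.rand(1)                              # random brightness
            noisy = (b * (x + delta) + 0.02 * torch.randn_like(x)).clamp(0, 1)
            loss = loss + torch.nn.functional.cross_entropy(model(noisy), y_target)
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)                                    # keep the perturbation bounded
    return (x + delta).clamp(0, 1).detach()
```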
1 code implementation • ICLR 2018 • Arjun Nitin Bhagoji, Warren He, Bo Li, Dawn Song
An iterative variant of our attack achieves close to 100% adversarial success rates for both targeted and untargeted attacks on DNNs.
no code implementations • 9 Apr 2017 • Arjun Nitin Bhagoji, Daniel Cullina, Chawin Sitawarin, Prateek Mittal
We propose the use of data transformations as a defense against evasion attacks on ML classifiers.
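One concrete instance of such a transformation is linear dimensionality reduction applied to every input before classification, so that perturbation components outside the retained subspace are discarded. The minimal PCA-plus-linear-classifier sketch below is illustrative only and does not cover the full set of transformations studied in the paper.

```python
from sklearn.decomposition import PCA
from sklearn.linear_model import LogisticRegression
from sklearn.pipeline import make_pipeline

def pca_defended_classifier(X_train, y_train, n_components=20):
    """Fit PCA on clean training data and train a classifier on the projected
    inputs; the same projection is applied to every test input."""
    clf = make_pipeline(PCA(n_components=n_components),
                        LogisticRegression(max_iter=1000))
    return clf.fit(X_train, y_train)
```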