Search Results for author:
Found 92 papers, 31 papers with code
Explainer-guided Targeted Adversarial Attacks against Binary Code Similarity Detection Models
In this work, we propose a novel optimization for adversarial attacks against BCSD models.
PRUNE: A Patching Based Repair Framework for Certifiable Unlearning of Neural Networks
unlearn) a specific part of the training data from a trained neural network model.
WMCopier: Forging Invisible Image Watermarks on Arbitrary Images
Invisible Image Watermarking is crucial for ensuring content provenance and accountability in generative AI.
Towards LLM Guardrails via Sparse Representation Steering
By leveraging sparse autoencoding, our approach isolates and adjusts only task-specific sparse feature dimensions, enabling precise and interpretable steering of model behavior while preserving content quality.
Harnessing Frequency Spectrum Insights for Image Copyright Protection Against Diffusion Models
Diffusion models have achieved remarkable success in novel view synthesis, but their reliance on large, diverse, and often untraceable Web datasets has raised pressing concerns about image copyright protection.
Sparse Autoencoder as a Zero-Shot Classifier for Concept Erasing in Text-to-Image Diffusion Models
ItD first employs a sparse autoencoder (SAE) to interpret each concept as a combination of multiple features.
Can Small Language Models Reliably Resist Jailbreak Attacks? A Comprehensive Evaluation
Through systematically evaluation on 63 SLMs from 15 mainstream SLM families against 8 state-of-the-art jailbreak methods, we demonstrate that 47. 6% of evaluated SLMs show high susceptibility to jailbreak attacks (ASR > 40%) and 38. 1% of them can not even resist direct harmful query (ASR > 50%).
Towards Collaborative Anti-Money Laundering Among Financial Institutions
The experimental results demonstrate that our methods can effectively identify cross-institution money laundering subgroups.
Towards Label-Only Membership Inference Attack against Pre-trained Large Language Models
Membership Inference Attacks (MIAs) aim to predict whether a data sample belongs to the model's training set or not.
REFINE: Inversion-Free Backdoor Defense via Model Reprogramming
Backdoor attacks on deep neural networks (DNNs) have emerged as a significant security threat, allowing adversaries to implant hidden malicious behaviors during the model training phase.
CoKV: Optimizing KV Cache Allocation via Cooperative Game
Large language models (LLMs) have achieved remarkable success on various aspects of human life.
Robust Watermarks Leak: Channel-Aware Feature Extraction Enables Adversarial Watermark Manipulation
Watermarking plays a key role in the provenance and detection of AI-generated content.
Activation Approximations Can Incur Safety Vulnerabilities Even in Aligned LLMs: Comprehensive Analysis and Defense
Large Language Models (LLMs) have showcased remarkable capabilities across various domains.
Membership Inference Attacks Against Vision-Language Models
Vision-Language Models (VLMs), built on pre-trained vision encoders and large language models (LLMs), have shown exceptional multi-modal understanding and dialog capabilities, positioning them as catalysts for the next technological revolution.
FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
Building on the principles of FIT-Print, we develop bit-wise and list-wise black-box model fingerprinting methods, i. e., FIT-ModelDiff and FIT-LIME, which exploit the distance between model outputs and the feature attribution of specific samples as the fingerprint, respectively.
Robust Representation Consistency Model via Contrastive Denoising
For example, our method outperforms the certified accuracy of diffusion-based methods on ImageNet across all perturbation radii by 5. 3% on average, with up to 11. 6% at larger radii, while reducing inference costs by 85$\times$ on average.
Mitigating Social Bias in Large Language Models: A Multi-Objective Approach within a Multi-Agent Framework
Our experiments conducted on two datasets and two models demonstrate that MOMA reduces bias scores by up to 87. 7%, with only a marginal performance degradation of up to 6. 8% in the BBQ dataset.
FSFM: A Generalizable Face Security Foundation Model via Self-Supervised Facial Representation Learning
This work asks: with abundant, unlabeled real faces, how to learn a robust and transferable facial representation that boosts various face security tasks with respect to generalization performance?
Sampling with Adaptive Variance for Multimodal Distributions
We then show that a derivative-free version of the dynamics can be used for sampling without gradient information of the Gibbs potential and that for Gibbs distributions with nonconvex potentials, this approach could achieve significantly faster convergence than the classical overdamped Langevin dynamics.
Attributed Graph Clustering in Collaborative Settings
Graph clustering is an unsupervised machine learning method that partitions the nodes in a graph into different groups.
Mitigating Privacy Risks in LLM Embeddings from Embedding Inversion
Embeddings have become a cornerstone in the functionality of large language models (LLMs) due to their ability to transform text data into rich, dense numerical representations that capture semantic and syntactic properties.
Cora: Accelerating Stateful Network Applications with SmartNICs
With the growing performance requirements on networked applications, there is a new trend of offloading stateful network applications to SmartNICs to improve performance and reduce the total cost of ownership.
ALIF: Low-Cost Adversarial Audio Attacks on Black-Box Speech Platforms using Linguistic Features
Based on the ALIF pipeline, we present the ALIF-OTL and ALIF-OTA schemes for launching attacks in both the digital domain and the physical playback environment on four commercial ASRs and voice assistants.
Automatic Speech Recognition
Automatic Speech Recognition (ASR)
+3
RedAgent: Red Teaming Large Language Models with Context-aware Autonomous Language Agent
To enable context-aware and efficient red teaming, we abstract and model existing attacks into a coherent concept called "jailbreak strategy" and propose a multi-agent LLM system named RedAgent that leverages these strategies to generate context-aware jailbreak prompts.
Releasing Malevolence from Benevolence: The Menace of Benign Data on Machine Unlearning
Our evaluation demonstrates that unlearning this benign data, comprising no more than 1% of the total training data, can reduce model accuracy by up to 50%.
Prompt-Consistency Image Generation (PCIG): A Unified Framework Integrating LLMs, Knowledge Graphs, and Controllable Diffusion Models
To address this problem, we introduce a novel diffusion-based framework to significantly enhance the alignment of generated images with their corresponding descriptions, addressing the inconsistency between visual output and textual input.
Do As I Do: Pose Guided Human Motion Copy
Human motion copy is an intriguing yet challenging task in artificial intelligence and computer vision, which strives to generate a fake video of a target person performing the motion of a source person.
Breaking Secure Aggregation: Label Leakage from Aggregated Gradients in Federated Learning
To preset the embeddings and logits of FCL, we craft a fishing model by solely modifying the parameters of a single batch normalization (BN) layer in the original model.
TabularMark: Watermarking Tabular Datasets for Machine Learning
Data noise partitioning is utilized for data perturbation during embedding, which is adaptable for numerical and categorical attributes while preserving the data utility.
Textual Unlearning Gives a False Sense of Unlearning
Language Models (LMs) are prone to ''memorizing'' training data, including substantial sensitive user information.
A Survey on Medical Large Language Models: Technology, Application, Trustworthiness, and Future Directions
With the advent of Large Language Models (LLMs), medical artificial intelligence (AI) has experienced substantial technological progress and paradigm shifts, highlighting the potential of LLMs to streamline healthcare delivery and improve patient outcomes.
Towards Real-world Debiasing: Rethinking Evaluation, Challenge, and Solution
To tackle the problem, we propose a fine-grained framework for analyzing biased distributions, based on which we empirically and theoretically identify key characteristics of biased distributions in the real world that are poorly represented by existing benchmarks.
S-Eval: Towards Automated and Comprehensive Safety Evaluation for Large Language Models
${M}_t$ is responsible for automatically generating test cases in accordance with the proposed risk taxonomy.
Explanation as a Watermark: Towards Harmless and Multi-bit Model Ownership Verification via Watermarking Feature Attribution
Motivated by this understanding, we design a new watermarking paradigm, $i. e.$, Explanation as a Watermark (EaaW), that implants verification behaviors into the explanation of feature attribution instead of model predictions.
Combating Concept Drift with Explanatory Detection and Adaptation for Android Malware Classification
Our evaluation shows that DREAM effectively improves the drift detection accuracy and reduces the expert analysis effort in adaptation across different malware datasets and classifiers.
Sora Detector: A Unified Hallucination Detection for Large Text-to-Video Models
Leveraging the state-of-the-art keyframe extraction techniques and multimodal large language models, SoraDetector first evaluates the consistency between extracted video content summary and textual prompts, then constructs static and dynamic knowledge graphs (KGs) from frames to detect hallucination both in single frames and across frames.
A Causal Explainable Guardrails for Large Language Models
Large Language Models (LLMs) have shown impressive performance in natural language tasks, but their outputs can exhibit undesirable attributes or biases.
SoK: On Gradient Leakage in Federated Learning
However, recent studies have shown that clients' private training data can be reconstructed from shared gradients in FL, a vulnerability known as gradient inversion attacks (GIAs).
Exposing the Deception: Uncovering More Forgery Clues for Deepfake Detection
In this paper, we try to tackle these challenges through three designs: (1) We present a novel framework to capture broader forgery clues by extracting multiple non-overlapping local representations and fusing them into a global semantic-rich feature.
FoolSDEdit: Deceptively Steering Your Edits Towards Targeted Attribute-aware Distribution
To expose this potential vulnerability, we aim to build an adversarial attack forcing SDEdit to generate a specific data distribution aligned with a specified attribute (e. g., female), without changing the input's attribute characteristics.
LLM-Guided Multi-View Hypergraph Learning for Human-Centric Explainable Recommendation
As personalized recommendation systems become vital in the age of information overload, traditional methods relying solely on historical user interactions often fail to fully capture the multifaceted nature of human interests.
Prompt Valuation Based on Shapley Values
Large language models (LLMs) excel on new tasks without additional training, simply by providing natural language prompts that demonstrate how the task should be performed.
Certified Minimax Unlearning with Generalization Rates and Deletion Capacity
In addition, our rates of generalization and deletion capacity match the state-of-the-art rates derived previously for standard statistical learning models.
ERASER: Machine Unlearning in MLaaS via an Inference Serving-Aware Approach
However, despite their promising efficiency, almost all existing machine unlearning methods handle unlearning requests independently from inference requests, which unfortunately introduces a new security issue of inference service obsolescence and a privacy vulnerability of undesirable exposure for machine unlearning in MLaaS.
FLTracer: Accurate Poisoning Attack Provenance in Federated Learning
In this paper, we first conduct a comprehensive study on prior FL attacks and detection methods.
SurrogatePrompt: Bypassing the Safety Filter of Text-to-Image Models via Substitution
Evaluation results disclose an 88% success rate in bypassing Midjourney's proprietary safety filter with our attack prompts, leading to the generation of counterfeit images depicting political figures in violent scenarios.
Locate and Verify: A Two-Stream Network for Improved Deepfake Detection
Deepfake has taken the world by storm, triggering a trust crisis.
DFIL: Deepfake Incremental Learning by Exploiting Domain-invariant Forgery Clues
However, the accuracy of detection models degrades significantly on images generated by new deepfake methods due to the difference in data distribution.
Enabling Runtime Verification of Causal Discovery Algorithms with Automated Conditional Independence Reasoning (Extended Version)
Based on the decision procedure to CIR, CICheck includes two variants: ED-CICheck and ED-CICheck, which detect erroneous CI tests (to enhance reliability) and prune excessive CI tests (to enhance privacy), respectively.
RemovalNet: DNN Fingerprint Removal Attacks
After our DNN fingerprint removal attack, the model distance between the target and surrogate models is x100 times higher than that of the baseline attacks, (2) the RemovalNet is efficient.
FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis
Although feature attribution (FA) methods can be used to explain deep learning, the underlying classifier is still blind to what behavior is suspicious, and the generated explanation cannot adapt to downstream tasks, incurring poor explanation fidelity and intelligibility.
Text-CRS: A Generalized Certified Robustness Framework against Textual Adversarial Attacks
The language models, especially the basic text classification models, have been shown to be susceptible to textual adversarial attacks such as synonym substitution and word insertion attacks.
FDINet: Protecting against DNN Model Extraction via Feature Distortion Index
FDINET exhibits the capability to identify colluding adversaries with an accuracy exceeding 91%.
Masked Diffusion Models Are Fast Distribution Learners
In the pre-training stage, we propose to mask a high proportion (e. g., up to 90\%) of input images to approximately represent the primer distribution and introduce a masked denoising score matching objective to train a model to denoise visible areas.
Action Recognition with Multi-stream Motion Modeling and Mutual Information Maximization
However, the vanilla Euclidean space is not efficient for modeling important motion characteristics such as the joint-wise angular acceleration, which reveals the driving force behind the motion.
Ranked #16 on
Skeleton Based Action Recognition
on NTU RGB+D 120
Privacy-preserving Adversarial Facial Features
In this paper, we propose an adversarial features-based face privacy protection (AdvFace) approach to generate privacy-preserving adversarial features, which can disrupt the mapping from adversarial features to facial images to defend against reconstruction attacks.
ANetQA: A Large-scale Benchmark for Fine-grained Compositional Reasoning over Untrimmed Videos
A recent benchmark AGQA poses a promising paradigm to generate QA pairs automatically from pre-annotated scene graphs, enabling it to measure diverse reasoning abilities with granular control.
False Claims against Model Ownership Resolution
Our core idea is that a malicious accuser can deviate (without detection) from the specified MOR process by finding (transferable) adversarial examples that successfully serve as evidence against independent suspect models.
GLOW: Global Layout Aware Attacks on Object Detection
More desired attacks, to this end, should be able to fool defenses with such consistency checks.
Adaptive State-Dependent Diffusion for Derivative-Free Optimization
This paper develops and analyzes a stochastic derivative-free optimization strategy.
Towards Fairness-aware Adversarial Network Pruning
Network pruning aims to compress models while minimizing loss in accuracy.
Towards Transferable Targeted Adversarial Examples
In this paper, we propose the Transferable Targeted Adversarial Attack (TTAA), which can capture the distribution information of the target class from both label-wise and feature-wise perspectives, to generate highly transferable targeted adversarial examples.
Counterfactual-based Saliency Map: Towards Visual Contrastive Explanations for Neural Networks
Considering the insufficient study on such complex causal questions, we make the first attempt to explain different causal questions by contrastive explanations in a unified framework, ie., Counterfactual Contrastive Explanation (CCE), which visually and intuitively explains the aforementioned questions via a novel positive-negative saliency-based explanation scheme.
Purifier: Defending Data Inference Attacks via Transforming Confidence Scores
Besides, our further experiments show that PURIFIER is also effective in defending adversarial model inversion attacks and attribute inference attacks.
Masked Autoencoders for Egocentric Video Understanding @ Ego4D Challenge 2022
In this report, we present our approach and empirical results of applying masked autoencoders in two egocentric video understanding tasks, namely, Object State Change Classification and PNR Temporal Localization, of Ego4D Challenge 2022.
FedTracker: Furnishing Ownership Verification and Traceability for Federated Learning Model
To deter such misbehavior, it is essential to establish a mechanism for verifying the ownership of the model and as well tracing its origin to the leaker among the FL participants.
Privacy-Utility Balanced Voice De-Identification Using Adversarial Examples
In this paper, we propose a voice de-identification system, which uses adversarial examples to balance the privacy and utility of voice services.
A Model-Consistent Data-Driven Computational Strategy for PDE Joint Inversion Problems
The task of simultaneously reconstructing multiple physical coefficients in partial differential equations (PDEs) from observed data is ubiquitous in applications.
OpBoost: A Vertical Federated Tree Boosting Framework Based on Order-Preserving Desensitization
Although the solution based on Local Differential Privacy (LDP) addresses the above problems, it leads to the low accuracy of the trained model.
MOVE: Effective and Harmless Ownership Verification via Embedded External Features
In general, we conduct the ownership verification by verifying whether a suspicious model contains the knowledge of defender-specified external features.
Task-aware Similarity Learning for Event-triggered Time Series
The proposed framework aspires to offer a stepping stone that gives rise to a systematic approach to model and learn similarities among a multitude of event-triggered time series.
Vanilla Feature Distillation for Improving the Accuracy-Robustness Trade-Off in Adversarial Training
However, most existing works are still trapped in the dilemma between higher accuracy and stronger robustness since they tend to fit a model towards robust features (not easily tampered with by adversaries) while ignoring those non-robust but highly predictive features.
An Algebraically Converging Stochastic Gradient Descent Algorithm for Global Optimization
We propose a new gradient descent algorithm with added stochastic terms for finding the global optimizers of nonconvex optimization problems.
Fairness-aware Adversarial Perturbation Towards Bias Mitigation for Deployed Deep Models
Prioritizing fairness is of central importance in artificial intelligence (AI) systems, especially for those societal applications, e. g., hiring systems should recommend applicants equally from different demographic groups, and risk assessment systems must eliminate racism in criminal justice.
Backdoor Defense via Decoupling the Training Process
Recent studies have revealed that deep neural networks (DNNs) are vulnerable to backdoor attacks, where attackers embed hidden backdoors in the DNN model by poisoning a few training samples.
A Generalized Weighted Optimization Method for Computational Learning and Inversion
The generalization capacity of various machine learning models exhibits different phenomena in the under- and over-parameterized regimes.
"Adversarial Examples" for Proof-of-Learning
Jia et al. claimed that an adversary merely knowing the final model and training dataset cannot efficiently find a set of intermediate models with correct data points.
Feature Importance-aware Transferable Adversarial Attacks
More specifically, we obtain feature importance by introducing the aggregate gradient, which averages the gradients with respect to feature maps of the source model, computed on a batch of random transforms of the original clean image.
A range characterization of the single-quadrant ADRT
The range characterization is obtained by first showing that the ADRT is a bijection between images supported on infinite half-strips, then identifying the linear subspaces that stay finitely supported under the inversion formula.
Injecting Reliable Radio Frequency Fingerprints Using Metasurface for The Internet of Things
Our proposed solution, Metasurface RF-Fingerprinting Injection (MeRFFI), is to inject a carefully-designed radio frequency fingerprint into the wireless physical layer that can increase the security of a stationary IoT device with minimal overhead.
Towards Understanding the Adversarial Vulnerability of Skeleton-based Action Recognition
We first formulate generation of adversarial skeleton actions as a constrained optimization problem by representing or approximating the physiological and physical constraints with mathematical formulations.
Adversary Helps: Gradient-based Device-Free Domain-Independent Gesture Recognition
Wireless signal-based gesture recognition has promoted the developments of VR game, smart home, etc.
Learn to Forget: Machine Unlearning via Neuron Masking
To this end, machine unlearning becomes a popular research topic, which allows users to eliminate memorization of their private data from a trained machine learning model. In this paper, we propose the first uniform metric called for-getting rate to measure the effectiveness of a machine unlearning method.
The quadratic Wasserstein metric for inverse data matching
This work characterizes, analytically and numerically, two major effects of the quadratic Wasserstein ($W_2$) distance as the measure of data discrepancy in computational solutions of inverse problems.
Data Poisoning Attack against Knowledge Graph Embedding
Knowledge graph embedding (KGE) is a technique for learning continuous embeddings for entities and relations in the knowledge graph. Due to its benefit to a variety of downstream tasks such as knowledge graph completion, question answering and recommendation, KGE has gained significant attention recently.
PointCloud Saliency Maps
Our motivation for constructing a saliency map is by point dropping, which is a non-differentiable operator.
Towards Differentially Private Truth Discovery for Crowd Sensing Systems
To better utilize sensory data, the problem of truth discovery, whose goal is to estimate user quality and infer reliable aggregated results through quality-aware data aggregation, has emerged as a hot topic.
Is PGD-Adversarial Training Necessary? Alternative Training via a Soft-Quantization Network with Noisy-Natural Samples Only
In this paper, we give a negative answer by proposing a training paradigm that is comparable to PGD adversarial training on several standard datasets, while only using noisy-natural samples.
WiPIN: Operation-free Passive Person Identification Using Wi-Fi Signals
Wi-Fi signals-based person identification attracts increasing attention in the booming Internet-of-Things era mainly due to its pervasiveness and passiveness.
Distributionally Adversarial Attack
Recent work on adversarial attack has shown that Projected Gradient Descent (PGD) Adversary is a universal first-order adversary, and the classifier adversarially trained by PGD is robust against a wide range of first-order attacks.
Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection
In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph.
Cryptography and Security
