1 code implementation • 27 Oct 2023 • Jaiden Fairoze, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Mingyuan Wang
We present a highly detectable, trustless watermarking scheme for LLMs: the detection algorithm contains no secret information, and it is executable by anyone.
no code implementations • 6 Oct 2022 • Steve Hanneke, Amin Karbasi, Mohammad Mahmoody, Idan Mehalel, Shay Moran
In this work, we aim to characterize the smallest achievable error $\epsilon=\epsilon(\eta)$ by the learner in the presence of such an adversary, in both the realizable and agnostic settings.
no code implementations • 27 Aug 2022 • Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Mingyuan Wang
In particular, we extend the recent result of Bubeck and Sellke [NeurIPS 2021], which shows that robust models might need more parameters, to the computational regime, and we show that computationally bounded learners could provably need an even larger number of parameters.
no code implementations • 7 Feb 2022 • Ji Gao, Sanjam Garg, Mohammad Mahmoody, Prashant Nalini Vasudevan
Privacy attacks on machine learning models aim to identify the data that is used to train such models.
no code implementations • 18 May 2021 • Ji Gao, Amin Karbasi, Mohammad Mahmoody
In this paper, we study PAC learnability and certification of predictions under instance-targeted poisoning attacks, where an adversary who knows the test instance may change a fraction of the training set with the goal of fooling the learner on that instance.
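As a concrete, entirely toy illustration of this threat model (not the paper's construction), the sketch below shows an instance-targeted poisoning adversary against a k-nearest-neighbor learner: knowing the test point, it relabels the few training points closest to it. The data, budget, and choice of learner are illustrative assumptions.

```python
# Toy instance-targeted poisoning: the adversary knows the test point x_t and
# flips the labels of the training points closest to it, hoping to change a
# k-NN learner's prediction on x_t. All parameters are illustrative choices.
import numpy as np
from sklearn.neighbors import KNeighborsClassifier

rng = np.random.default_rng(0)

# Two well-separated Gaussian clusters as a toy training set.
X = np.vstack([rng.normal(-2, 1, (50, 2)), rng.normal(2, 1, (50, 2))])
y = np.array([0] * 50 + [1] * 50)
x_t = np.array([[1.5, 1.5]])          # test instance known to the adversary

clean = KNeighborsClassifier(n_neighbors=5).fit(X, y)
print("clean prediction:", clean.predict(x_t))        # expected: [1]

# Adversary's budget: relabel at most a small fraction of the training set.
budget = int(0.05 * len(y))
nearest = np.argsort(np.linalg.norm(X - x_t, axis=1))[:budget]
y_poisoned = y.copy()
y_poisoned[nearest] = 1 - y_poisoned[nearest]          # flip labels near x_t

poisoned = KNeighborsClassifier(n_neighbors=5).fit(X, y_poisoned)
print("poisoned prediction:", poisoned.predict(x_t))   # likely flipped to [0]
```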
2 code implementations • 10 Nov 2020 • Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, Florian Tramer
A private machine learning algorithm hides as much as possible about its training data while still preserving accuracy.
no code implementations • NeurIPS 2021 • Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Abhradeep Thakurta
Some of the stronger poisoning attacks require full knowledge of the training data.
no code implementations • 11 Jul 2019 • Omid Etesami, Saeed Mahloujifar, Mohammad Mahmoody
Product measures of dimension $n$ are known to be concentrated in Hamming distance: for any set $S$ in the product space of probability $\epsilon$, a random point in the space, with probability $1-\delta$, has a neighbor in $S$ that is different from the original point in only $O(\sqrt{n\ln(1/(\epsilon\delta))})$ coordinates.
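To make the quantitative statement tangible, here is a small Monte Carlo sketch for the simplest product measure, the uniform distribution on $\{0,1\}^n$; the concrete choice of $S$, the hidden constant (taken to be 1), and the sample size are my own illustrative assumptions.

```python
# Monte Carlo illustration of Hamming-distance concentration for the uniform
# measure on {0,1}^n. S is a Hamming ball around the all-zeros string chosen
# to have measure roughly eps, so the Hamming distance from a point x to S is
# max(0, weight(x) - t).
import numpy as np
from scipy.stats import binom

rng = np.random.default_rng(1)
n, eps, delta = 1000, 0.01, 0.01

# Threshold t such that Pr[weight(x) <= t] is approximately eps.
t = int(binom.ppf(eps, n, 0.5))

weights = rng.integers(0, 2, size=(20_000, n), dtype=np.int8).sum(axis=1)
dist_to_S = np.maximum(0, weights - t)

bound = np.sqrt(n * np.log(1 / (eps * delta)))   # O(.) bound with constant 1
print(f"empirical Pr[dist <= {bound:.0f}]:", np.mean(dist_to_S <= bound))
print("claimed lower bound:", 1 - delta)
```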
no code implementations • 13 Jun 2019 • Dimitrios I. Diochnos, Saeed Mahloujifar, Mohammad Mahmoody
In this work, we initiate a formal study of probably approximately correct (PAC) learning under evasion attacks, where the adversary's goal is to \emph{misclassify} the adversarially perturbed sample point $\widetilde{x}$, i.e., $h(\widetilde{x})\neq c(\widetilde{x})$, where $c$ is the ground truth concept and $h$ is the learned hypothesis.
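For reference, one standard way to write the risk that this misclassification goal induces, in my own notation and with the perturbation set $\mathcal{B}(x)$ standing in for the adversary's budget (an assumption, not taken from the paper), is:

```latex
% Risk of hypothesis h against an evasion adversary that may replace x by any
% point in a perturbation set B(x); c is the ground-truth concept and D the
% test distribution. (Notation is mine, for illustration.)
\[
  \mathrm{Risk}_{\mathrm{adv}}(h, c)
  \;=\;
  \Pr_{x \sim D}\Bigl[\,\exists\, \widetilde{x} \in \mathcal{B}(x):\;
      h(\widetilde{x}) \neq c(\widetilde{x})\,\Bigr].
\]
```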
1 code implementation • NeurIPS 2019 • Saeed Mahloujifar, Xiao Zhang, Mohammad Mahmoody, David Evans
Many recent works have shown that adversarial examples that fool classifiers can be found by minimally perturbing a normal input.
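A minimal sketch of what "minimally perturbing a normal input" means in the simplest case, a linear classifier, where the smallest $\ell_2$ perturbation that flips the label has a closed form; the model, data, and tiny overshoot factor are illustrative assumptions, and real attacks generalize this idea to non-linear models with gradient-based searches.

```python
# For a linear classifier sign(w.x + b), the smallest L2 perturbation that
# flips the label of x is the projection of x onto the decision hyperplane,
# pushed slightly past it.
import numpy as np

rng = np.random.default_rng(2)
w, b = rng.normal(size=5), 0.3
x = rng.normal(size=5)

margin = w @ x + b                        # signed distance times ||w||
delta = -(margin / (w @ w)) * w * 1.001   # minimal flip, with tiny overshoot
x_adv = x + delta

print("original label:", np.sign(w @ x + b))
print("adversarial label:", np.sign(w @ x_adv + b))
print("perturbation size:", np.linalg.norm(delta))  # |margin|/||w||, up to overshoot
```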
no code implementations • 28 May 2019 • Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody
In the reverse direction, we also show that the existence of such a learning task, in which computational robustness beats information-theoretic robustness, requires computational hardness, as it implies (average-case) hardness of NP.
no code implementations • NeurIPS 2018 • Dimitrios I. Diochnos, Saeed Mahloujifar, Mohammad Mahmoody
We study both "inherent" bounds, which apply to any problem and any classifier for such a problem, and bounds that apply to specific problems and specific hypothesis classes.
no code implementations • 2 Oct 2018 • Saeed Mahloujifar, Mohammad Mahmoody
Making learners robust to adversarial perturbation at test time (i.e., evasion attacks) or training time (i.e., poisoning attacks) has emerged as a challenging task.
no code implementations • 10 Sep 2018 • Saeed Mahloujifar, Mohammad Mahmoody, Ameer Mohammed
In this work, we demonstrate universal multi-party poisoning attacks that adapt and apply to any multi-party learning process with an arbitrary interaction pattern between the parties.
no code implementations • 9 Sep 2018 • Saeed Mahloujifar, Dimitrios I. Diochnos, Mohammad Mahmoody
We show that if the metric probability space of the test instance is concentrated, any classifier with some initial constant error is inherently vulnerable to adversarial perturbations.
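In my notation (the error region $E$ and its $b$-expansion $E_b$ are standard devices, but the paper's exact formalization may differ), the mechanism behind this claim can be sketched as follows:

```latex
% Sketch of the mechanism: E is the error region of classifier h against
% concept c, E_b its b-expansion under the metric d, and mu the distribution
% of test instances.
\[
  E = \{\, x : h(x) \neq c(x) \,\}, \qquad
  E_b = \{\, x : \exists\, x' \in E,\ d(x, x') \le b \,\},
\]
\[
  \Pr_{x \sim \mu}\bigl[\,\exists\, x'\ \text{with}\ d(x, x') \le b
      \ \text{and}\ h(x') \neq c(x')\,\bigr]
  \;=\; \mu(E_b).
\]
% Concentration says that whenever mu(E) >= eps for a constant eps, the
% expansion mu(E_b) is already close to 1 for small b, i.e., b-bounded
% perturbation attacks succeed on almost every test instance.
```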
no code implementations • 10 Nov 2017 • Saeed Mahloujifar, Dimitrios I. Diochnos, Mohammad Mahmoody
They obtained $p$-tampering attacks that increase the error probability in the so-called targeted poisoning model, in which the adversary's goal is to increase the loss of the trained hypothesis on a particular test example.