Search Results for author:
Found 69 papers, 24 papers with code
Mitigating Evasion Attacks to Deep Neural Networks via Region-based Classification
Our key observation is that adversarial examples are close to the classification boundary.
Stealing Hyperparameters in Machine Learning
In this work, we propose attacks on stealing the hyperparameters that are learned by a learner.
AttriGuard: A Practical Defense Against Attribute Inference Attacks via Adversarial Machine Learning
Specifically, game-theoretic defenses require solving intractable optimization problems, while correlation-based defenses incur large utility loss of users' public data.
Poisoning Attacks to Graph-Based Recommender Systems
To address the challenge, we formulate the poisoning attacks as an optimization problem, solving which determines the rating scores for the fake users.
Graph-based Security and Privacy Analytics via Collective Classification with Joint Weight Learning and Propagation
To address the computational challenge, we propose to jointly learn the edge weights and propagate the reputation scores, which is essentially an approximate solution to the optimization problem.
Attacking Graph-based Classification via Manipulating the Graph Structure
Results show that our attacks 1) can effectively evade graph-based classification methods; 2) do not require access to the true parameters, true training dataset, and/or complete graph; and 3) outperform the existing attack for evading collective classification methods and some graph neural network methods.
Cryptography and Security
Defending against Machine Learning based Inference Attacks via Adversarial Examples: Opportunities and Challenges
To defend against inference attacks, we can add carefully crafted noise into the public data to turn them into adversarial examples, such that attackers' classifiers make incorrect predictions for the private data.
MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples
Specifically, given a black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as an input and predicts the data sample to be a member or non-member of the target classifier's training dataset.
IPGuard: Protecting Intellectual Property of Deep Neural Networks via Fingerprinting the Classification Boundary
Our key observation is that a DNN classifier can be uniquely represented by its classification boundary.
Data Poisoning Attacks to Local Differential Privacy Protocols
Local Differential Privacy (LDP) protocols enable an untrusted data collector to perform privacy-preserving data analytics.
Data Poisoning
Cryptography and Security
Distributed, Parallel, and Cluster Computing
Local Model Poisoning Attacks to Byzantine-Robust Federated Learning
Our empirical results on four real-world datasets show that our attacks can substantially increase the error rates of the models learnt by the federated learning methods that were claimed to be robust against Byzantine failures of some client devices.
Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing
For example, our method can obtain an ImageNet classifier with a certified top-5 accuracy of 62. 8\% when the $\ell_2$-norms of the adversarial perturbations are less than 0. 5 (=127/255).
Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing
However, several recent studies showed that community detection is vulnerable to adversarial structural perturbation.
Influence Function based Data Poisoning Attacks to Top-N Recommender Systems
Given the number of fake users the attacker can inject, we formulate the crafting of rating scores for the fake users as an optimization problem.
On Certifying Robustness against Backdoor Attacks via Randomized Smoothing
Specifically, in this work, we study the feasibility and effectiveness of certifying robustness against backdoor attacks using a recent technique called randomized smoothing.
Stealing Links from Graph Neural Networks
In this work, we propose the first attacks to steal a graph from the outputs of a GNN model that is trained on the graph.
Backdoor Attacks to Graph Neural Networks
Specifically, we propose a \emph{subgraph based backdoor attack} to GNN for graph classification.
Intrinsic Certified Robustness of Bagging against Data Poisoning Attacks
Specifically, we show that bagging with an arbitrary base learning algorithm provably predicts the same label for a testing example when the number of modified, deleted, and/or inserted training examples is bounded by a threshold.
On the Intrinsic Differential Privacy of Bagging
Bagging, a popular ensemble learning framework, randomly creates some subsamples of the training data, trains a base model for each subsample using a base learner, and takes majority vote among the base models when making predictions.
Certified Robustness of Graph Neural Networks against Adversarial Structural Perturbation
Specifically, we prove the certified robustness guarantee of any GNN for both node and graph classifications against structural perturbation.
Cryptography and Security
Robust and Verifiable Information Embedding Attacks to Deep Neural Networks via Error-Correcting Codes
Moreover, to be robust against post-processing, we leverage Turbo codes, a type of error-correcting codes, to encode the message before embedding it to the DNN classifier.
Almost Tight L0-norm Certified Robustness of Top-k Predictions against Adversarial Perturbations
For instance, our method can build a classifier that achieves a certified top-3 accuracy of 69. 2\% on ImageNet when an attacker can arbitrarily perturb 5 pixels of a testing image.
Certified Robustness of Nearest Neighbors against Data Poisoning and Backdoor Attacks
Moreover, our evaluation results on MNIST and CIFAR10 show that the intrinsic certified robustness guarantees of kNN and rNN outperform those provided by state-of-the-art certified defenses.
Semi-Supervised Node Classification on Graphs: Markov Random Fields vs. Graph Neural Networks
In this work, we aim to address the key limitation of existing pMRF-based methods.
FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping
Finally, the service provider computes the average of the normalized local model updates weighted by their trust scores as a global model update, which is used to update the global model.
Practical Blind Membership Inference Attack via Differential Comparisons
The success of the former heavily depends on the quality of the shadow model, i. e., the transferability between the shadow and the target; the latter, given only blackbox probing access to the target model, cannot make an effective inference of unknowns, compared with MI attacks using shadow models, due to the insufficient number of qualified samples labeled with ground truth membership information.
Data Poisoning Attacks to Deep Learning Based Recommender Systems
Specifically, we formulate our attack as an optimization problem, such that the injected ratings would maximize the number of normal users to whom the target items are recommended.
Provably Secure Federated Learning against Malicious Clients
We show that our ensemble federated learning with any base federated learning algorithm is provably secure against malicious clients.
Data Poisoning Attacks and Defenses to Crowdsourcing Systems
Our empirical results show that the proposed defenses can substantially reduce the estimation errors of the data poisoning attacks.
PointGuard: Provably Robust 3D Point Cloud Classification
Our first major theoretical contribution is that we show PointGuard provably predicts the same label for a 3D point cloud when the number of adversarially modified, added, and/or deleted points is bounded.
Linear-Time Self Attention with Codeword Histogram for Efficient Recommendation
Inspired by the idea of vector quantization that uses cluster centroids to approximate items, we propose LISA (LInear-time Self Attention), which enjoys both the effectiveness of vanilla self-attention and the efficiency of sparse attention.
Rethinking Lifelong Sequential Recommendation with Incremental Multi-Interest Attention
With the rapid development of these services in the last two decades, users have accumulated a massive amount of behavior data.
Understanding the Security of Deepfake Detection
Existing studies mainly focused on improving the detection performance in non-adversarial settings, leaving security of deepfake detection in adversarial settings largely unexplored.
BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning
In particular, our BadEncoder injects backdoors into a pre-trained image encoder such that the downstream classifiers built based on the backdoored image encoder for different downstream tasks simultaneously inherit the backdoor behavior.
EncoderMI: Membership Inference against Pre-trained Encoders in Contrastive Learning
EncoderMI can be used 1) by a data owner to audit whether its (public) data was used to pre-train an image encoder without its authorization or 2) by an attacker to compromise privacy of the training data when it is private/sensitive.
FaceGuard: Proactive Deepfake Detection
A key limitation of passive detection is that it cannot detect fake faces that are generated by new deepfake generation methods.
10 Security and Privacy Problems in Large Foundation Models
A pre-trained foundation model is like an ``operating system'' of the AI ecosystem.
HERO: Hessian-Enhanced Robust Optimization for Unifying and Improving Generalization and Quantization Performance
We therefore propose HERO, a Hessian-enhanced robust optimization method, to minimize the Hessian eigenvalues through a gradient-based training process, simultaneously improving the generalization and quantization performance.
StolenEncoder: Stealing Pre-trained Encoders in Self-supervised Learning
A pre-trained encoder may be deemed confidential because its training requires lots of data and computation resources as well as its public release may facilitate misuse of AI, e. g., for deepfakes generation.
MPAF: Model Poisoning Attacks to Federated Learning based on Fake Clients
Specifically, we assume the attacker injects fake clients to a federated learning system and sends carefully crafted fake local model updates to the cloud server during training, such that the learnt global model has low accuracy for many indiscriminate test inputs.
PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning
In this work, we propose PoisonedEncoder, a data poisoning attack to contrastive learning.
FLDetector: Defending Federated Learning Against Model Poisoning Attacks via Detecting Malicious Clients
FLDetector aims to detect and remove the majority of the malicious clients such that a Byzantine-robust FL method can learn an accurate global model using the remaining clients.
Semi-Leak: Membership Inference Attacks Against Semi-supervised Learning
The results show that early stopping can mitigate the membership inference attack, but with the cost of model's utility degradation.
FLCert: Provably Secure Federated Learning against Poisoning Attacks
Our key idea is to divide the clients into groups, learn a global model for each group of clients using any existing federated learning method, and take a majority vote among the global models to classify a test input.
MultiGuard: Provably Robust Multi-label Classification against Adversarial Examples
In this work, we propose MultiGuard, the first provably robust defense against adversarial examples to multi-label classification.
FedRecover: Recovering from Poisoning Attacks in Federated Learning using Historical Information
Existing defenses focus on preventing a small number of malicious clients from poisoning the global model via robust federated learning methods and detecting malicious clients when there are a large number of them.
Addressing Heterogeneity in Federated Learning via Distributional Transformation
Federated learning (FL) allows multiple clients to collaboratively train a deep learning model.
CorruptEncoder: Data Poisoning based Backdoor Attacks to Contrastive Learning
In this work, we take the first step to analyze the limitations of existing backdoor attacks and propose new DPBAs called CorruptEncoder to CL.
Pre-trained Encoders in Self-Supervised Learning Improve Secure and Privacy-preserving Supervised Learning
In this work, we perform the first systematic, principled measurement study to understand whether and when a pre-trained encoder can address the limitations of secure or privacy-preserving supervised learning algorithms.
AFLGuard: Byzantine-robust Asynchronous Federated Learning
Asynchronous FL aims to address this challenge by enabling the server to update the model once any client's model update reaches it without waiting for other clients' model updates.
REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service
For the first question, we show that the cloud service only needs to provide two APIs, which we carefully design, to enable a client to certify the robustness of its downstream classifier with a minimal number of queries to the APIs.
PointCert: Point Cloud Classification with Deterministic Certified Robustness Guarantees
Existing certified defenses against adversarial point clouds suffer from a key limitation: their certified robustness guarantees are probabilistic, i. e., they produce an incorrect certified robustness guarantee with some probability.
PORE: Provably Robust Recommender Systems against Data Poisoning Attacks
PORE can transform any existing recommender system to be provably robust against any untargeted data poisoning attacks, which aim to reduce the overall performance of a recommender system.
Evading Watermark based Detection of AI-Generated Content
Specifically, a watermark is embedded into an AI-generated content before it is released.
PromptBench: Towards Evaluating the Robustness of Large Language Models on Adversarial Prompts
The increasing reliance on Large Language Models (LLMs) across academia and industry necessitates a comprehensive understanding of their robustness to prompts.
Cross-Lingual Paraphrase Identification
Machine Translation
+5
Securing Visually-Aware Recommender Systems: An Adversarial Image Reconstruction and Detection Framework
Our proposed method can simultaneously (1) secure VARS from adversarial attacks characterized by local perturbations by image reconstruction based on global vision transformers; and (2) accurately detect adversarial examples using a novel contrastive learning approach.
DyVal: Dynamic Evaluation of Large Language Models for Reasoning Tasks
Moreover, DyVal-generated samples are not only evaluation sets, but also helpful data for fine-tuning to improve the performance of LLMs on existing benchmarks.
MetaTool Benchmark for Large Language Models: Deciding Whether to Use Tools and Which to Use
However, in scenarios where LLMs serve as intelligent agents, as seen in applications like AutoGPT and MetaGPT, LLMs are expected to engage in intricate decision-making processes that involve deciding whether to employ a tool and selecting the most suitable tool(s) from a collection of available tools to fulfill user requests.
Prompt Injection Attacks and Defenses in LLM-Integrated Applications
As a result, the literature lacks a systematic understanding of prompt injection attacks and their defenses.
Competitive Advantage Attacks to Decentralized Federated Learning
In SelfishAttack, a set of selfish clients aim to achieve competitive advantages over the remaining non-selfish ones, i. e., the final learnt local models of the selfish clients are more accurate than those of the non-selfish ones.
Unlocking the Potential of Federated Learning: The Symphony of Dataset Distillation via Deep Generative Latents
This process allows local devices to train smaller surrogate models while enabling the training of a larger global model on the server, effectively minimizing resource utilization.
TrustLLM: Trustworthiness in Large Language Models
This paper introduces TrustLLM, a comprehensive study of trustworthiness in LLMs, including principles for different dimensions of trustworthiness, established benchmark, evaluation, and analysis of trustworthiness for mainstream LLMs, and discussion of open challenges and future directions.
Poisoning Federated Recommender Systems with Fake Users
Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity.
Visual Hallucinations of Multi-modal Large Language Models
We find that existing MLLMs such as GPT-4V, LLaVA-1. 5, and MiniGPT-v2 hallucinate for a large fraction of the instances in our benchmark.
Mudjacking: Patching Backdoor Vulnerabilities in Foundation Models
However, foundation models are vulnerable to backdoor attacks and a backdoored foundation model is a single-point-of-failure of the AI ecosystem, e. g., multiple downstream classifiers inherit the backdoor vulnerabilities simultaneously.
Robust Federated Learning Mitigates Client-side Training Data Distribution Inference Attacks
Recent studies have revealed that federated learning (FL), once considered secure due to clients not sharing their private data with the server, is vulnerable to attacks such as client-side training data distribution inference, where a malicious client can recreate the victim's data.
Optimization-based Prompt Injection Attack to LLM-as-a-Judge
LLM-as-a-Judge is a novel solution that can assess textual information with large language models (LLMs).
Watermark-based Detection and Attribution of AI-Generated Content
Several companies--such as Google, Microsoft, and OpenAI--have deployed techniques to watermark AI-generated content to enable proactive detection.
SoK: Gradient Leakage in Federated Learning
While GIAs have demonstrated effectiveness under \emph{ideal settings and auxiliary assumptions}, their actual efficacy against \emph{practical FL systems} remains under-explored.
