3 research outputs found
Differentially Private Federated Learning for Cancer Prediction
Since 2014, the NIH-funded iDASH (integrating Data for Analysis, Anonymization, and SHaring) National Center for Biomedical Computing has hosted
yearly competitions on the topic of private computing for genomic data. For one
track of the 2020 iteration of this competition, participants were challenged
to produce an approach to federated learning (FL) training of genomic cancer
prediction models using differential privacy (DP), with submissions ranked
according to held-out test accuracy for a given set of DP budgets. More
precisely, in this track, we were tasked with training a supervised model to predict breast cancer occurrence from genomic data split between two virtual centers, while using DP to ensure data privacy with respect to the models transferred between them. In this article, we present our 3rd-place submission to this competition.
During the competition, we encountered two main challenges, both discussed in this article: i) ensuring the correctness of the privacy budget evaluation, and ii) achieving an acceptable trade-off between prediction performance and privacy budget.
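To make the mechanism concrete, below is a minimal numpy sketch of the standard DP-SGD recipe in a two-center federated setting, the regime described above; the logistic model, data, and hyperparameters are illustrative assumptions, not the submission's actual pipeline.

```python
# Minimal sketch of one DP-SGD federated round across two virtual centers.
# Model, data, and hyperparameters are illustrative, not the authors' setup.
import numpy as np

def noisy_clipped_gradient(w, X, y, clip_norm, noise_multiplier, rng):
    """Clip per-example logistic-loss gradients, then add Gaussian noise."""
    preds = 1.0 / (1.0 + np.exp(-X @ w))           # sigmoid predictions
    per_example = (preds - y)[:, None] * X         # per-example gradients
    norms = np.linalg.norm(per_example, axis=1, keepdims=True)
    per_example *= np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))
    noise = rng.normal(0.0, noise_multiplier * clip_norm, size=w.shape)
    return (per_example.sum(axis=0) + noise) / len(X)

rng = np.random.default_rng(0)
w = np.zeros(20)
centers = [(rng.normal(size=(64, 20)), rng.integers(0, 2, size=64))
           for _ in range(2)]                      # two virtual centers
for _ in range(100):                               # federated rounds
    grads = [noisy_clipped_gradient(w, X, y, clip_norm=1.0,
                                    noise_multiplier=1.1, rng=rng)
             for X, y in centers]
    w -= 0.5 * np.mean(grads, axis=0)              # server averages and steps
```

The clip_norm and noise_multiplier fix the per-round privacy cost; challenge i) above is precisely about correctly converting these, accumulated over all rounds, into a total (epsilon, delta) budget, e.g. with an RDP accountant.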
Adversarial Robustness of Deep Sensor Fusion Models
We experimentally study the robustness of deep camera-LiDAR fusion
architectures for 2D object detection in autonomous driving. First, we find
that the fusion model is usually both more accurate and more robust against
single-source attacks than single-sensor deep neural networks. Furthermore, we
show that without adversarial training, early fusion is more robust than late
fusion, whereas the two perform similarly after adversarial training. However,
we note that single-channel adversarial training of deep fusion models is often detrimental even to robustness. Moreover, we observe cross-channel
externalities, where single-channel adversarial training reduces robustness to
attacks on the other channel. Additionally, we observe that the choice of
adversarial model is critical: training against attacks restricted to cars' bounding boxes is more effective and exhibits
less significant cross-channel externalities. Finally, we find that
joint-channel adversarial training helps mitigate many of the issues above, but
does not significantly boost adversarial robustness.
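As a hedged illustration of the single-channel regime studied above, the following PyTorch sketch adversarially trains a toy two-input (camera + LiDAR) late-fusion classifier against an L-infinity PGD attack restricted to the image channel; the model, data, and hyperparameters are placeholders, not the paper's 2D detection architecture.

```python
# Toy single-channel adversarial training for a two-input fusion model.
# Architecture and hyperparameters are placeholders, not the paper's setup.
import torch
import torch.nn as nn
import torch.nn.functional as F

class TinyFusion(nn.Module):                     # stand-in fusion classifier
    def __init__(self):
        super().__init__()
        self.img = nn.Linear(32, 16)             # "camera" branch
        self.lidar = nn.Linear(8, 16)            # "LiDAR" branch
        self.head = nn.Linear(32, 2)             # late fusion by concatenation
    def forward(self, x_img, x_lidar):
        h = torch.cat([torch.relu(self.img(x_img)),
                       torch.relu(self.lidar(x_lidar))], dim=1)
        return self.head(h)

def pgd_on_image(model, x_img, x_lidar, y, eps=0.1, alpha=0.02, steps=10):
    """L-infinity PGD restricted to the image channel only."""
    adv = x_img.clone().detach()
    for _ in range(steps):
        adv.requires_grad_(True)
        loss = F.cross_entropy(model(adv, x_lidar), y)
        grad, = torch.autograd.grad(loss, adv)
        adv = (adv + alpha * grad.sign()).detach()
        adv = x_img + (adv - x_img).clamp(-eps, eps)   # project to eps-ball
    return adv.detach()

model = TinyFusion()
opt = torch.optim.SGD(model.parameters(), lr=0.1)
x_img, x_lidar = torch.randn(16, 32), torch.randn(16, 8)
y = torch.randint(0, 2, (16,))
for _ in range(20):                              # adversarial training loop
    adv = pgd_on_image(model, x_img, x_lidar, y)
    opt.zero_grad()
    F.cross_entropy(model(adv, x_lidar), y).backward()
    opt.step()
```

Perturbing only x_img while leaving x_lidar clean is what makes this "single-channel"; a joint-channel variant would run PGD on both inputs simultaneously.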
Best-Effort Adversarial Approximation of Black-Box Malware Classifiers
An adversary who aims to steal a black-box model repeatedly queries the model
via a prediction API to learn a function that approximates its decision
boundary. Adversarial approximation is non-trivial because of the enormous
combinations of model architectures, parameters, and features to explore. In
this context, the adversary resorts to a best-effort strategy that yields the
closest approximation. This paper explores best-effort adversarial
approximation of a black-box malware classifier in the most challenging
setting, where the adversary's knowledge is limited to a prediction label for a
given input. Beginning with a limited input set for the black-box classifier, we leverage feature representation mapping and cross-domain transferability to approximate it by locally training a substitute. Our approach uses different feature types for the target and the substitute model, as well as non-overlapping data for training the target, training the substitute, and comparing the two. We
evaluate the effectiveness of our approach against two black-box classifiers
trained on Windows Portable Executables (PEs). Against a Convolutional Neural
Network (CNN) trained on raw byte sequences of PEs, our approach achieves a 92%
accurate substitute (trained on pixel representations of PEs) and nearly 90%
prediction agreement between the target and the substitute model. Against a
97.8% accurate gradient-boosted decision tree trained on static PE features, our 91% accurate substitute agrees with the black box on 90% of predictions,
suggesting the strength of our purely black-box approximation.
Comment: 24 pages, 19 figures, 5 tables; to appear in the proceedings of the 16th EAI International Conference on Security and Privacy in Communication Networks (SECURECOMM'20).
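For intuition, here is an illustrative scikit-learn sketch (an assumed setup, not the paper's pipeline) of label-only black-box approximation: a local dataset is labeled through the target's prediction API, and a substitute is trained on a different feature representation of the same inputs, mirroring the feature-representation-mapping idea above.

```python
# Illustrative label-only black-box approximation; models, features, and data
# are stand-ins, not the paper's PE-based target/substitute pipeline.
import numpy as np
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
X_raw = rng.normal(size=(500, 64))                # stand-in for raw PE features

# Hypothetical black-box target; the adversary sees only predicted labels.
y_secret = (X_raw[:, 0] + X_raw[:, 1] > 0).astype(int)
target = GradientBoostingClassifier().fit(X_raw, y_secret)

def query_api(x):
    """Prediction-label-only access to the black box."""
    return target.predict(x)

# The substitute uses a *different* feature map (a fixed random projection,
# standing in for the paper's pixel representation of PEs).
proj = rng.normal(size=(64, 32))
featurize = lambda x: np.tanh(x @ proj)

labels = query_api(X_raw)                          # labels from the black box
substitute = LogisticRegression(max_iter=1000).fit(featurize(X_raw), labels)

# Prediction agreement between target and substitute on fresh queries.
X_test = rng.normal(size=(200, 64))
agreement = np.mean(query_api(X_test) == substitute.predict(featurize(X_test)))
print(f"prediction agreement: {agreement:.2f}")
```

The random projection merely stands in for the paper's byte-to-pixel feature mapping; agreement on held-out queries is the metric reported in the abstract above.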