Measuring Membership Privacy on Aggregate Location Time-Series
While location data is extremely valuable for various applications,
disclosing it prompts serious threats to individuals' privacy. To limit such
concerns, organizations often provide analysts with aggregate time-series that
indicate, e.g., how many people are in a location at a time interval, rather
than raw individual traces. In this paper, we perform a measurement study to
understand Membership Inference Attacks (MIAs) on aggregate location
time-series, where an adversary tries to infer whether a specific user
contributed to the aggregates.
We find that the volume of contributed data, as well as the regularity and
particularity of users' mobility patterns, play a crucial role in the attack's
success. We experiment with a wide range of defenses based on generalization,
hiding, and perturbation, and evaluate their ability to thwart the attack
vis-a-vis the utility loss they introduce for various mobility analytics tasks.
Our results show that some defenses fail across the board, while others work
for specific tasks on aggregate location time-series. For instance, suppressing
small counts can be used for ranking hotspots, data generalization for
forecasting traffic, hotspot discovery, and map inference, while sampling is
effective for location labeling and anomaly detection when the dataset is
sparse. Differentially private techniques provide reasonable accuracy only in
very specific settings, e.g., discovering hotspots and forecasting their
traffic, and more so when using weaker privacy notions like crowd-blending
privacy. Overall, our measurements show that there does not exist a unique
generic defense that can preserve the utility of the analytics for arbitrary
applications, and provide useful insights regarding the disclosure of sanitized
aggregate location time-series.
The Effects of JPEG and JPEG2000 Compression on Attacks using Adversarial Examples
Adversarial examples are known to have a negative effect on the performance
of classifiers which have otherwise good performance on undisturbed images.
These examples are generated by adding non-random noise to the testing samples
in order to make the classifier misclassify the given data. Adversarial attacks use
these intentionally generated examples, and they pose a security risk to
machine-learning-based systems. To be immune to such attacks, it is desirable
to have a pre-processing mechanism which removes these effects causing
misclassification while keeping the content of the image. JPEG and JPEG2000 are
well-known image compression techniques which suppress the high-frequency
content, taking the human visual system into account. JPEG has also been shown
to be an effective method for reducing adversarial noise. In this paper, we
propose applying JPEG2000 compression as an alternative and systematically
compare the classification performance of adversarial images compressed using
JPEG and JPEG2000 at different target PSNR values and maximum compression
levels. Our experiments show that JPEG2000 is more effective in reducing
adversarial noise as it allows higher compression rates with less distortion
and it does not introduce blocking artifacts.
Practical Hidden Voice Attacks against Speech and Speaker Recognition Systems
Voice Processing Systems (VPSes), now widely deployed, have been made
significantly more accurate through the application of recent advances in
machine learning. However, adversarial machine learning has similarly advanced
and has been used to demonstrate that VPSes are vulnerable to the injection of
hidden commands - audio obscured by noise that is correctly recognized by a VPS
but not by human beings. Such attacks, though, are often highly dependent on
white-box knowledge of a specific machine learning model and limited to
specific microphones and speakers, making their use across different acoustic
hardware platforms (and thus their practicality) limited. In this paper, we
break these dependencies and make hidden command attacks more practical through
model-agnostic (blackbox) attacks, which exploit knowledge of the signal
processing algorithms commonly used by VPSes to generate the data fed into
machine learning systems. Specifically, we exploit the fact that multiple
source audio samples have similar feature vectors when transformed by acoustic
feature extraction algorithms (e.g., FFTs). We develop four classes of
perturbations that create unintelligible audio and test them against 12 machine
learning models, including 7 proprietary models (e.g., Google Speech API, Bing
Speech API, IBM Speech API, Azure Speaker API, etc.), and demonstrate successful
attacks against all targets. Moreover, we successfully use our maliciously
generated audio samples in multiple hardware configurations, demonstrating
effectiveness across both models and real systems. In so doing, we demonstrate
that domain-specific knowledge of audio signal processing represents a
practical means of generating successful hidden voice command attacks.
Defending Against Local Adversarial Attacks through Empirical Gradient Optimization
Deep neural networks (DNNs) are susceptible to adversarial attacks, including the recently introduced locally visible adversarial patch attack, which achieves a success rate exceeding 96%. These attacks pose significant challenges to DNN security. Various defense methods, such as adversarial training, robust attention modules, watermarking, and gradient smoothing, have been proposed to enhance empirical robustness against patch attacks. However, these methods often have limitations concerning patch location requirements, randomness, and their impact on recognition accuracy for clean images. To address these challenges, we propose a novel defense algorithm called Local Adversarial Attack Empirical Defense using Gradient Optimization (LAAGO). The algorithm incorporates a low-pass filter before noise suppression to effectively mitigate the interference of high-frequency noise on the classifier while preserving the low-frequency areas of the images. Additionally, it emphasizes the original target features by enhancing the image gradients. Extensive experimental results demonstrate that the proposed method improves defense performance by 3.69% for 80 × 80 noise patches (representing approximately 4% of the images), while experiencing only a negligible 0.3% accuracy drop on clean images. The LAAGO algorithm provides a robust defense mechanism against local adversarial attacks, overcoming the limitations of previous methods. Our approach leverages gradient optimization, noise suppression, and feature enhancement, resulting in significant improvements in defense performance while maintaining high accuracy for clean images. This work contributes to the advancement of defense strategies against emerging adversarial attacks, thereby enhancing the security and reliability of deep neural networks.
Towards Adversarial Robustness of Deep Vision Algorithms
Deep learning methods have achieved great success in solving computer vision
tasks, and they have been widely utilized in artificially intelligent systems
for image processing, analysis, and understanding. However, deep neural
networks have been shown to be vulnerable to adversarial perturbations in input
data. The security issues of deep neural networks have thus come to the fore.
It is imperative to study the adversarial robustness of deep vision algorithms
comprehensively. This talk focuses on the adversarial robustness of image
classification models and image denoisers. We will discuss the robustness of
deep vision algorithms from three perspectives: 1) robustness evaluation (we
propose the ObsAtk to evaluate the robustness of denoisers), 2) robustness
improvement (HAT, TisODE, and CIFS are developed to robustify vision models),
and 3) the connection between adversarial robustness and generalization
capability to new domains (we find that adversarially robust denoisers can deal
with unseen types of real-world noise).
Comment: PhD thesis
Wavelet Integrated CNNs for Noise-Robust Image Classification
Convolutional Neural Networks (CNNs) are generally prone to noise
interruptions, i.e., small image noise can cause drastic changes in the output.
To suppress the noise effect on the final prediction, we enhance CNNs by
replacing max-pooling, strided-convolution, and average-pooling with Discrete
Wavelet Transform (DWT). We present general DWT and Inverse DWT (IDWT) layers
applicable to various wavelets (e.g., Haar, Daubechies, and Cohen), and
design wavelet integrated CNNs (WaveCNets) using these layers for image
classification. In WaveCNets, feature maps are decomposed into the
low-frequency and high-frequency components during the down-sampling. The
low-frequency component stores main information including the basic object
structures, which is transmitted into the subsequent layers to extract robust
high-level features. The high-frequency components, containing most of the data
noise, are dropped during inference to improve the noise-robustness of the
WaveCNets. Our experimental results on ImageNet and ImageNet-C (the noisy
version of ImageNet) show that WaveCNets, the wavelet integrated versions of
VGG, ResNets, and DenseNet, achieve higher accuracy and better noise-robustness
than their vanilla versions.
Comment: CVPR accepted paper