Breaking the Black-Box: Confidence-Guided Model Inversion Attack for Distribution Shift

Model inversion attacks (MIAs) seek to infer the private training data of a target classifier by generating synthetic images that reflect the characteristics of the target class through querying the model. However, prior studies have relied on full access to the target model, which is not practical in real-world scenarios. Additionally, existing black-box MIAs assume that the image prior and target model follow the same distribution. However, when confronted with diverse data distribution settings, these methods may result in suboptimal performance in conducting attacks. To address these limitations, this paper proposes a \textbf{C}onfidence-\textbf{G}uided \textbf{M}odel \textbf{I}nversion attack method called CG-MI, which utilizes the latent space of a pre-trained publicly available generative adversarial network (GAN) as prior information and gradient-free optimizer, enabling high-resolution MIAs across different data distributions in a black-box setting. Our experiments demonstrate that our method significantly \textbf{outperforms the SOTA black-box MIA by more than 49\% for Celeba and 58\% for Facescrub in different distribution settings}. Furthermore, our method exhibits the ability to generate high-quality images \textbf{comparable to those produced by white-box attacks}. Our method provides a practical and effective solution for black-box model inversion attacks.Comment: 8pages,5 figure

A deep learning approach to predict collateral flow in stroke patients using radiomic features from perfusion images.

Collateral circulation results from specialized anastomotic channels which are capable of providing oxygenated blood to regions with compromised blood flow caused by arterial obstruction. The quality of collateral circulation has been established as a key factor in determining the likelihood of a favorable clinical outcome and goes a long way to determining the choice of a stroke care model. Though many imaging and grading methods exist for quantifying collateral blood flow, the actual grading is mostly done through manual inspection. This approach is associated with a number of challenges. First, it is time-consuming. Second, there is a high tendency for bias and inconsistency in the final grade assigned to a patient depending on the experience level of the clinician. We present a multi-stage deep learning approach to predict collateral flow grading in stroke patients based on radiomic features extracted from MR perfusion data. First, we formulate a region of interest detection task as a reinforcement learning problem and train a deep learning network to automatically detect the occluded region within the 3D MR perfusion volumes. Second, we extract radiomic features from the obtained region of interest through local image descriptors and denoising auto-encoders. Finally, we apply a convolutional neural network and other machine learning classifiers to the extracted radiomic features to automatically predict the collateral flow grading of the given patient volume as one of three severity classes - no flow (0), moderate flow (1), and good flow (2). Results from our experiments show an overall accuracy of 72% in the three-class prediction task. With an inter-observer agreement of 16% and a maximum intra-observer agreement of 74% in a similar experiment, our automated deep learning approach demonstrates a performance comparable to expert grading, is faster than visual inspection, and eliminates the problem of grading bias

Autonomous science for an ExoMars Rover-like mission

In common with other Mars exploration missions, human supervision of Europe's ExoMars Rover will be mostly indirect via orbital relay spacecraft and thus far from immediate. The gap between issuing commands and witnessing the results of the consequent rover actions will typically be on the order of several hours or even sols. In addition, it will not be possible to observe the external environment at the time of action execution. This lengthens the time required to carry out scientific exploration and limits the mission's ability to respond quickly to favorable science events. To increase potential science return for such missions, it will be necessary to deploy autonomous systems that include science target selection and active data acquisition. In this work, we have developed and integrated technologies that we explored in previous studies and used the resulting test bed to demonstrate an autonomous, opportunistic science concept on a representative robotic platform. In addition to progressing the system design approach and individual autonomy components, we have introduced a methodology for autonomous science assessment based on terrestrial field science practice

Recessive Social Networking:Preventing Privacy Leakage against Reverse Image Search

This work investigates the image privacy problem in the context of social networking under the threat of reverse image search. We introduce a new concept called recessive social networking. Unlike conventional privacy-preserving social networking, in our setting, the aim is to deceive machine learning algorithms that used in reverse image search, while still enabling unaffected ubiquitous social networking among humans. We, for the first time, ultilize adversarial example technique as a defensive mechanism to protect image privacy against content-based image search algorithms in the context of social networking. Finally, rigorous evaluations are conducted to demonstrate the effectiveness, transferability, and robustness of the proposed countermeasure

End-to-end learning, and audio-visual human-centric video understanding

The field of machine learning has seen tremendous progress in the last decade, largely due to the advent of deep neural networks. When trained on large-scale labelled datasets, these machine learning algorithms can learn powerful semantic representations directly from the input data, end-to-end. End-to-end learning requires the availability of three core components: useful input data, target outputs, and an objective function for measuring how well the model's predictions match the target outputs. In this thesis, we explore and overcome a series of challenges as related to assembling these three components in the sufficient format and scale for end-to-end learning. The first key idea presented in this thesis is to learn representations by enabling end-to-end learning for tasks where such challenges exist. We first explore whether better representations can be learnt for the image retrieval task by directly optimising the evaluation metric, Average Precision. This is notoriously challenging task, because such rank-based metrics are non-differentiable. We introduce a simple objective function that optimises a smoothed approximation of Average Precision, termed Smooth-AP, and demonstrate the benefits of training end-to-end over prior approaches. Secondly, we explore whether a representation can be learnt end-to-end for the task of image editing, where target data does not exist in sufficient scale. We propose a self-supervised approach that simulates target data by augmenting off-the-shelf image data, giving remarkable benefits over prior work. The second idea presented in this thesis is focused on how to use the rich multi-modal signals that are essential for human perceptual systems as input data for deep neural networks. More specifically, we explore the use of audio-visual input data for the human-centric video understanding task. Here, we first explore if highly optimised speaker verification representations can transfer to the domain of movies where humans intentionally disguise their voice. We do this by collecting an audio-visual dataset of humans speaking in movies. Second, given strong identity discriminating representations, we present two methods that harness the complementarity and redundancy between multi-modal signals in order to build robust perceptual systems for determining who is present in a scene. These methods include an automated pipeline for labelling people in unlabelled video archives, and an approach for clustering people by identity in videos

Machine learning and image processing

Dissertação de mestrado em Matemática e ComputaçãoPortuguese legislation states the compulsory reporting of the addition of amenities, such as swimming pools, to the Portuguese tax authority. The purpose is to update the property tax value, to be charged annually to the owner of each real estate. According to Technavio and Market- Watch, this decade will bring a global rise to the number of swimming pools due to certain factors such as: cost reduction, increasing health consciousness, and others. The need for inspections to ensure that all new constructions are communicated to the competent authorities is therefore rapidly increasing and new solutions are needed to address this problem. Typically, supervision is done by sending human resources to the field, involving huge time and resource consumption, and preventing the catalogue from updating at a rate close to the speed of construction. Automation is rapidly becoming an absolute requirement to improve task efficiency and affordability. Recently, Deep Learning algorithms have shown incredible performance results when used for object detection tasks. Based on the above, the objective of this thesis is to study the various existing object detection algorithms and implement a Deep Learning model capable of recognising swimming pools from satellite images. To achieve the best results for this specific task, the RetinaNet algorithm was chosen. To provide a smooth user experience with the developed model, a simple graphical user interface was also created.A legislação Portuguesa declara a obrigatoriedade da comunicação de novas construções, como piscinas, à Autoridade Tributária e Aduaneira. Esta comunição permite o ajustamento do Imposto Municipal sobre Imóveis a pagar anualmente pelo proprietário. De acordo com o Technavio e o MarketWatch, irá ocorrer um aumento significativo do número de piscinas devido a vários fatores como a redução do custo da construção, o aumento da consciência para a adoção de um estilo de vida saudável, entre outros. Isto leva à necessidade de um reforço na inspeção de forma a garantir que todas as novas construções foram devidamente comunicadas à autoridade competente. Atualmente, estas inspeções são realizadas com a distribuição de recursos humanos pelo terreno, o que tráz um elevado custo operacional e temporal, impedindo uma catalogação a uma taxa próxima da de construção. Hoje em dia, a automatação de tarefas está a tornar-se muito requisitada devido a permitir o aumento da eficiência e a redução de custos. Recentemente, os algoritmos de Deep Learning tem demonstrado resultados incriveis quando usados para deteção de objetos. O objetivo desta dissertação é o estudo dos vários algoritmos de deteção de objetos existentes e a implementação de um modelo de Deep Learning capaz de detetar piscinas em imagens satélite. De forma a obter os melhores resultados na tarefa em questão, o algoritmo RetinaNet foi usado. Além disso e com o intuito de melhorar a experiência na utilização do modelo desenvolvido, foi construída uma interface gráfica simples

손실함수 탐색을 통한 딥러닝 모델의 강건성과 일반화 향상

학위논문(박사) -- 서울대학교대학원 : 공과대학 산업공학과, 2023. 2. 이재욱.딥러닝은 다양한 분야에서 뛰어난 성능향상을 보이며, 음성 인식, 자율주행 및 의료 산업 등 많은 분야에 활용되고 있다. 딥러닝 모델은 수많은 가중치를 기반으로, 주어진 학습 데이터에 대한 손실함수를 줄이도록 학습된다. 그러나, 최근 학습 데이터에 대한 맹목적인 손실함수의 최소화는 크게 두 가지의 논의점이 있음이 밝혀졌다. 첫 번째 논의점은 딥러닝 모델의 강건성이다. 강건성이란 딥러닝 모델의 적대적 공격에 대한 방어 능력을 말한다. 적대적 공격은 학습된 딥러닝 모델의 가중치와 기 울기 정보 등을 활용하여 비정상적인 데이터를 만들어내는 방법으로, 딥러닝 모델의 성능을 현저하게 저하시킨다. 현재까지 밝혀진 바로는 아주 작은 크기의 섭동도 비정상 데이터를 생성하기에 충분하여, 사람에게는 정상 데이터로 인식되나 딥러닝 모델은 치 명적으로 오작동하는 적대적 예제를 쉽게 만들 수 있다. 따라서 딥러닝 모델의 안전한 상용화를 위해 강건성은 필수적으로 연구되어야 할 요소이다. 두 번째 논의점은 딥러닝 모델의 일반화이다. 일반화란 딥러닝 모델의 학습 데이터 에 대한 성능과 평가 데이터에 대한 성능의 차이를 의미한다. 차이가 작을수록 일반화 성능이 높으며, 이는 곧 딥러닝 모델의 높은 상용화 가능성을 내포한다. 그러나 학습 데이터에 대한 손실함수만을 줄이는 학습 방법은 학습 데이터에 대한 과적합 현상을 불러오며, 이는 곧 평가 데이터에 대한 성능 감소로 이어짐이 여러 선행 연구에 의해 밝혀진 바 있다. 딥러닝 모델의 성능 향상은 학습 데이터가 아닌 평가 데이터에 대해 판단되므로, 일반화 성능의 달성은 모든 딥러닝 모델의 궁극적인 목표라고 할 수 있다. 본 연구에서는 손실함수평면의 탐색을 통해 두 논의점에 대한 분석과 각 논의점에 대응하는 지표를 향상시킬 수 있는 학습 방법을 제안한다. 우선, 강건성의 이해와 향상 을 위해 입력값에 대한 손실함수를 분석한다. 적대적 공격은 입력값에 대해 손실함수를 최대화하는 섭동을 생성하므로, 비정상적인 섭동이 더해진 입력값에 대해서 손실함수 를 최소화할 수 있는 방어 방법에 대해 연구한다. 그 시작으로, 적대적 방어 기법의 하나인 단일 단계 적대적 학습에서 손실함수평면이 쉽게 뒤틀릴 수 있음을 밝혀낸다. 제안된 연구에서 뒤틀린 손실함수평면이 모델의 강건성을 심각하게 손상할 수 있음을 보이고, 이를 기반으로 매끄러운 손실함수를 갖는 것의 중요성을 증명한다. 손실함수 평면의 특성을 기반으로 다양한 영역에서의 적대적 공격과 방어 기법에 대한 분석과 성능 향상을 연구한다. 첫 번째로, 구조나 가중치가 상이한 모델에서 적대적 예제를 생 성하여 대상 모델로 공격하는 전이 공격의 세기가 손실함수평면과 깊이 관련이 있음을 증명한다. 이를 기반으로 강력한 적대적 소리 예제를 생성하고, 딥러닝 모델의 신뢰할 수 있는 강건성 수준을 제안한다. 이어 적대적 학습의 특징과 학습된 모델의 손실함수평 면을 탐색한다. 입력값에 대한 손실함수평면을 부드럽게 만들기 위하여, 적대적 학습에 중앙점을 고려한 손실함수를 도입하여 모델의 강건성을 높인다. 다음으로, 일반화의 이해와 향상을 위해 가중치에 대한 손실함수를 분석한다. 최근 일련의 연구에서는 딥러닝 모델의 일반화 성능은 손실함수평면의 평평함과 긴밀하게 연결되어 있음이 증명된 바 있다. 이를 기반으로 제안된 첨예 기반 학습은 첨예한 최적점 을 기피하고 평평한 최적점을 찾음으로써 높은 일반화 성능을 달성한다. 본 연구에서는 첨예 기반 학습 방법의 손실함수평면에 대한 분석을 진행한다. 우선 첨예 기반 학습이 손실함수평면에 안장점이 존재할 경우 수렴이 불안정함을 밝힌다. 불안정한 수렴 때 문에 최적점이 아닌 안장점에 갇히는 경우가 발생하며, 이는 첨예 기반 학습의 성능을 저해함을 보인다. 불안정한 수렴을 개선하고 더 높은 일반화 성능을 달성하기 위해, 가중치 공간에서의 섭동을 구하는 단계에서 도출되는 모든 중앙점의 기울기 정보를 활용하는 방법을 제안한다. 본 연구는 손실함수평면에 대한 탐색과 고찰을 바탕으로 강건성과 일반화에 대한 더 깊은 이해를 제시하고, 이를 통해서 각 지표의 향상을 위한 새로운 적대적 공격 방법, 적대적 방어 방법, 첨예 기반 학습 방법을 제안하였다. 연구 결과는 향후 딥러닝 모델의 실현을 위한 추후 연구에 확장성 있는 모델이며, 강건성과 일반화에 있어 손실함수평 면에 대한 심도 있는 분석이 선행되어야 한다는 함의점을 제공한다.Recent advances in deep learning have demonstrated significant performance improvements in various domains, such as computer vision and speech recognition, yielding numerous industrial applications. Compared to other machine learning models, deep learning models have a large number of parameters and this brings near zero training loss that was previously considered impossible. To train these overparameterized models, we generally minimize the loss on training data, which we call empirical risk minimization (ERM). However, recent studies have demonstrated that these deep learning models trained by ERM may suffer from two major problems: adversarial vulnerability and poor generalization. Adversarial vulnerability is an intriguing property of deep learning models that makes them susceptible to adversarial attacks that create malicious examples with slight modifications (Szegedy et al., 2013; Goodfellow et al., 2014). Prior studies have also confirmed that there exist the potential risks of deep learning models in real-world applications (Papernot et al., 2017; Kurakin et al., 2016). Adversarial attacks entail severe hazards in real-world applications, e.g., causing autonomous vehicle accidents by manipulating decision-making or extracting private information by circumventing voice authorization. Thus, to prevent these malicious cases arisen from the existence of adversarial attacks, many researchers proposed various methods to enhance the robustness of deep learning models against adversarial attacks. Poor generalization, another issue with current deep learning models, is a large discrepancy between training accuracy and test accuracy. In other words, existing methods can successfully minimize loss on train datasets, but this does not guarantee high performance on test datasets (Ishida et al., 2020; Foret et al., 2020). To achieve an ideal performance over various domains, improving the generalization of neural networks has been a core challenge in deep learning. In this dissertation, focusing on the fact that both robustness and generalization are heavily related to the loss landscape, we aim to gain a deeper understanding of adversarial robustness and generalization performance of deep learning models by analyzing their loss landscape. First, we investigate the adversarial robustness with respect to its loss landscape. Through analyzing the loss landscape of adversarially trained models, we discover that the distortion of the loss landscape can occur, resulting in poor adversarial robustness. Based on this observation, we extend the loss landscape analysis to adversarial attacks and defenses to improve the adversarial robustness of deep learning models. We further analyze sharpness-aware minimization with its loss landscape and reveal that there exists a convergence instability problem due to its inherent algorithm. Specifically, whether the loss landscape in the parameter space has a saddle point can heavily affect the optimization and its generalization performance. Given this phenomenon, we investigate the loss landscape with respect to perturbation in the parameter space and improve generalization performance by exploring a wider loss landscape.Chapter 1 Introduction 1 1.1 Motivation of the Dissertation 1 1.2 Aims of the Dissertation 4 1.3 Organization of the Dissertation 6 Chapter 2 Adversarial Robustness and Loss Landscape 8 2.1 Chapter Overview 8 2.2 Preliminaries 11 2.2.1 Adversarial Robustness 11 2.2.2 Single-step and Multi-step Adversarial Attack 12 2.2.3 Catastrophic Overfitting 13 2.3 Methodology 15 2.3.1 Revisiting Catastrophic Overfitting 15 2.3.2 Stable Single-Step Adversarial Training 19 2.4 Experiments . 24 2.4.1 Experimental Setup 24 2.4.2 Visualizing Decision Boundary Distortion 27 2.4.3 Distortion and Nonlinearity of the Loss Function 31 2.4.4 Adversarial Robustness 33 2.5 Chapter Summary 35 Chapter 3 Geometry-Aware Adversarial Attack and Defense 36 3.1 Chapter Overview 36 3.2 Preliminaries 37 3.2.1 Adversarial Attack 37 3.2.2 Adversarial Defense 41 3.3 Methodology 43 3.3.1 Transferable Adversarial Examples 43 3.3.2 Improved Adversarial Training 55 3.4 Experiments . 68 3.4.1 Transferability 68 3.4.2 Adversarial Robustness 74 3.5 Chapter Summary 85 Chapter 4 Generalization and Loss Landscape 86 4.1 Chapter Overview 86 4.2 Preliminaries 89 4.2.1 Generliazation and Sharpness-Aware Minimization 89 4.2.2 Escaping Saddle Points 91 4.3 Methodology 92 4.3.1 Asymptotic Behavior of SAM Dynamics 92 4.3.2 Saddle Point Becomes Attractor in SAM Dynamics 97 4.4 Experiments . 101 4.4.1 Stochastic Behavior of SAM Dynamics 101 4.4.2 Convergence Instability and Training Tricks 107 4.5 Chapter Summary 111 Chapter 5 Sharpness-Aware Minimization with Multi-Ascent 113 5.1 Chapter Overview 113 5.2 Preliminaries 115 5.3 Methodology 118 5.3.1 Revisiting Number of Ascent Steps in SAM 118 5.3.2 Multi-ascent Sharpness-Aware Minimization 122 5.4 Experiments . 125 5.4.1 Experimental Setup 125 5.4.2 Generalization Performance 126 5.4.3 Escaping Local Minima 127 5.5 Chapter Summary 128 Chapter 6 Conclusion 129 6.1 Contributions 129 6.2 Future Work 130 Bibliography 131 국문초록 171박

Electronic Imaging & the Visual Arts. EVA 2013 Florence

Important Information Technology topics are presented: multimedia systems, data-bases, protection of data, access to the content. Particular reference is reserved to digital images (2D, 3D) regarding Cultural Institutions (Museums, Libraries, Palace – Monuments, Archaeological Sites). The main parts of the Conference Proceedings regard: Strategic Issues, EC Projects and Related Networks & Initiatives, International Forum on “Culture & Technology”, 2D – 3D Technologies & Applications, Virtual Galleries – Museums and Related Initiatives, Access to the Culture Information. Three Workshops are related to: International Cooperation, Innovation and Enterprise, Creative Industries and Cultural Tourism

Virtual Worlds and Conservational Channel Evolution and Pollutant Transport Systems (Concepts)

Many models exist that predict channel morphology. Channel morphology is defined as the change in geometric parameters of a river. Channel morphology is affected by many factors. Some of these factors are caused either by man or by nature. To combat the adverse effects that man and nature may cause to a water system, scientists and engineers develop stream rehabilitation plans. Stream rehabilitation as defined by Shields et al., states that restoration is the return from a degraded ecosystem back to a close approximation of its remaining natural potential [Shields et al., 2003]. Engineers construct plans that will restore streams back to their natural state by using techniques such as field investigation, analytical models, or numerical models. Each of these techniques is applied to projects based on specified criteria, objectives, and the expertise of the individuals devising the plan. The utilization of analytical and numerical models can be difficult, for many reasons, one of which is the intuitiveness of the modeling process. Many numerical models exist in the field of hydraulic engineering, fluvial geomorphology, landscape architecture, and stream ecology that evaluate and formulate stream rehabilitation plans. This dissertation will explore, in the field of Hydroscience , the creation of models that are not only accurate but also span the different disciplines. The goal of this dissertation is to transform a discrete numerical model (CONCEPTS) into a realistic 3D environment using open source game engines, while at the same time, conveying at least the equivalent information that was presented in the 1D numerical model