391 research outputs found
Essential Features: Reducing the Attack Surface of Adversarial Perturbations with Robust Content-Aware Image Preprocessing
Adversaries are capable of adding perturbations to an image to fool machine
learning models into incorrect predictions. One approach to defending against
such perturbations is to apply image preprocessing functions to remove the
effects of the perturbation. Existing approaches tend to be designed
orthogonally to the content of the image and can be beaten by adaptive attacks.
We propose a novel image preprocessing technique called Essential Features that
transforms the image into a robust feature space that preserves the main
content of the image while significantly reducing the effects of the
perturbations. Specifically, an adaptive blurring strategy that preserves the
main edge features of the original object along with a k-means color reduction
approach is employed to simplify the image to its k most representative colors.
This approach significantly limits the attack surface for adversaries by
limiting the ability to adjust colors while preserving pertinent features of
the original image. We additionally design several adaptive attacks and find
that our approach remains more robust than previous baselines. On CIFAR-10 we
achieve 64% robustness and 58.13% robustness on RESISC45, raising robustness by
over 10% versus state-of-the-art adversarial training techniques against
adaptive white-box and black-box attacks. The results suggest that strategies
that retain essential features in images by adaptive processing of the content
hold promise as a complement to adversarial training for boosting robustness
against adversarial inputs.
Evaluating the Robustness of Trigger Set-Based Watermarks Embedded in Deep Neural Networks
Trigger set-based watermarking schemes have gained emerging attention as they
provide a means to prove ownership for deep neural network model owners. In
this paper, we argue that state-of-the-art trigger set-based watermarking
algorithms do not achieve their designed goal of proving ownership. We posit
that this impaired capability stems from two common experimental flaws that the
existing research practice has committed when evaluating the robustness of
watermarking algorithms: (1) incomplete adversarial evaluation and (2)
overlooked adaptive attacks.
We conduct a comprehensive adversarial evaluation of 10 representative
watermarking schemes against six of the existing attacks and demonstrate that
each of these watermarking schemes lacks robustness against at least two
attacks. We also propose novel adaptive attacks that harness the adversary's
knowledge of the underlying watermarking algorithm of a target model. We
demonstrate that the proposed attacks effectively break all of the 10
watermarking schemes, consequently allowing adversaries to obscure the
ownership of any watermarked model. We encourage follow-up studies to consider
our guidelines when evaluating the robustness of their watermarking schemes via
conducting a comprehensive adversarial evaluation that includes our adaptive
attacks to demonstrate a meaningful upper bound of watermark robustness.
Vertical Federated Learning
Vertical Federated Learning (VFL) is a federated learning setting where
multiple parties with different features about the same set of users jointly
train machine learning models without exposing their raw data or model
parameters. Motivated by the rapid growth in VFL research and real-world
applications, we provide a comprehensive review of the concept and algorithms
of VFL, as well as current advances and challenges in various aspects,
including effectiveness, efficiency, and privacy. We provide an exhaustive
categorization for VFL settings and privacy-preserving protocols and
comprehensively analyze the privacy attacks and defense strategies for each
protocol. In the end, we propose a unified framework, termed VFLow, which
considers the VFL problem under communication, computation, privacy, and
effectiveness constraints. Finally, we review the most recent advances in
industrial applications, highlighting open challenges and future directions for
VFL.
- …