Easy Batch Normalization
Adversarial examples have been shown to improve object recognition. But what
about their opposites, easy examples? Easy examples are samples that the
machine learning model classifies correctly with high confidence. In this paper
we take a first step toward exploring the potential benefits of using easy
examples in the training procedure of neural networks. We propose an auxiliary
batch normalization layer for easy examples in order to improve both standard
and robust accuracy.
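The routing the abstract describes, as an added example that is not code from the paper: a batch-norm layer with two sets of running statistics, where a sample goes to the auxiliary branch when the model currently classifies it correctly with confidence above a threshold. The 0.9 threshold, the sharing of the affine parameters across the two branches, and the use of the main branch alone at inference are assumptions of this example; the batch is constructed.

```python
import numpy as np


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def select_easy(logits, labels, conf_threshold=0.9):
    """Easy example, per the abstract's definition: predicted correctly with high
    confidence. The 0.9 threshold is an assumption of this example."""
    probs = softmax(logits)
    pred = probs.argmax(axis=1)
    conf = probs.max(axis=1)
    return (pred == labels) & (conf >= conf_threshold)


def batch_norm(x, gamma, beta, running, train, momentum=0.1, eps=1e-5):
    """Standard BN over an (N, D) batch; updates `running` stats in place when training."""
    if train:
        mu, var = x.mean(axis=0), x.var(axis=0)
        running["mean"] = (1 - momentum) * running["mean"] + momentum * mu
        running["var"] = (1 - momentum) * running["var"] + momentum * var
    else:
        mu, var = running["mean"], running["var"]
    return gamma * (x - mu) / np.sqrt(var + eps) + beta


class DualBN:
    """One BN layer with two sets of running statistics: the main branch normalizes
    ordinary samples, the auxiliary branch normalizes easy samples. Gamma/beta are
    shared (assumption of this example); inference uses the main branch only."""

    def __init__(self, dim):
        self.gamma, self.beta = np.ones(dim), np.zeros(dim)
        self.main = {"mean": np.zeros(dim), "var": np.ones(dim)}
        self.aux = {"mean": np.zeros(dim), "var": np.ones(dim)}

    def forward(self, x, easy_mask, train=True):
        if not train:
            return batch_norm(x, self.gamma, self.beta, self.main, train=False)
        out = np.empty_like(x)
        hard = ~easy_mask
        if hard.any():
            out[hard] = batch_norm(x[hard], self.gamma, self.beta, self.main, train=True)
        if easy_mask.any():
            out[easy_mask] = batch_norm(x[easy_mask], self.gamma, self.beta, self.aux, train=True)
        return out


def training_step(bn, activations, logits, labels):
    """One pass through the dual-BN layer: the easy mask comes from the model's current
    predictions on the batch, and each sample is normalized by the branch it was routed to."""
    easy = select_easy(logits, labels)
    return bn.forward(activations, easy, train=True), easy


def demo():
    """Constructed batch: two confident-correct samples, one misclassified sample."""
    logits = np.array([[5.0, 0.0], [0.0, 5.0], [1.0, 0.0]])
    labels = np.array([0, 1, 1])
    acts = np.array([[10.0, 0.0], [10.0, 0.0], [0.0, 0.0]])
    bn = DualBN(dim=2)
    out, easy = training_step(bn, acts, logits, labels)
    return {
        "easy_mask": easy.tolist(),
        "aux_mean0": float(bn.aux["mean"][0]),    # pulled toward 10 by the easy samples
        "main_mean0": float(bn.main["mean"][0]),  # untouched by them
        "train_out_zero": bool(np.allclose(out, 0.0)),
    }
```

The point to check in practice is that the two sets of running statistics drift apart: in `demo()` the auxiliary mean moves toward the easy samples while the main mean does not, which is exactly the separation the auxiliary branch is meant to provide.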
Efficiently Hardening SGX Enclaves against Memory Access Pattern Attacks via Dynamic Program Partitioning
Intel SGX is known to be vulnerable to a class of practical attacks that
exploit memory access pattern side channels, notably page-fault attacks and
cache timing attacks. A promising hardening scheme is to wrap applications in
hardware transactions, enabled by Intel TSX, that return control to the
software upon unexpected cache misses and interrupts, so that the existing
side-channel attacks exploiting these micro-architectural events can be
detected and mitigated. However, existing hardening schemes scale only to
small-data computation, with a typical working set no larger than one or a few
times (e.g., times) the size of a CPU data cache.
This work tackles the data scalability and performance efficiency of hardening
schemes that protect Intel SGX enclaves against memory access pattern side
channels. The key insight is that the size of the TSX transactions in the
target computation is critical, both for performance and for security. Unlike
existing designs, this work dynamically partitions the target computation to
enlarge transactions while avoiding aborts, leading to lower performance
overhead and improved side-channel security. We materialize the dynamic
partitioning scheme in a C++ library that monitors and models cache
utilization at runtime. We further build a data analytics system on top of the
library and implement various external oblivious algorithms. Performance
evaluation shows that our work effectively increases transaction size and
reduces execution time by up to two orders of magnitude compared with
state-of-the-art solutions.
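The partitioning decision at the heart of the abstract, as an added example that is not the paper's C++ library: a small set-associative cache model predicts how many distinct lines each set would hold if the current transaction were extended by one more access, and the transaction is cut only when that would exceed the cache's associativity. A fixed-size baseline is included for contrast. The 32 KiB, 8-way, 64-byte-line L1D geometry, the abort rule (a set overflows its ways), the one-way safety margin and both access streams are assumptions of this example; real TSX behaviour also depends on read-set tracking, prefetching and the sibling hyperthread, which the model ignores.

```python
class CacheModel:
    """Set-associative L1D model. Defaults assume a 32 KiB, 8-way, 64-byte-line L1D;
    a transaction is assumed to abort once a set must track more lines than it has ways."""

    def __init__(self, sets=64, ways=8, line=64):
        self.sets, self.ways, self.line = sets, ways, line

    def set_index(self, addr):
        return (addr // self.line) % self.sets

    def tag(self, addr):
        return addr // self.line


def dynamic_partition(accesses, cache, margin=1):
    """Greedy dynamic partitioning: extend the current transaction while every cache set
    holds at most (ways - margin) distinct lines; otherwise commit and start a new one.
    `margin` leaves room for lines the model does not see (stack, code, prefetches)."""
    budget = cache.ways - margin
    txs, cur, occ = [], [], {}
    for addr in accesses:
        s, t = cache.set_index(addr), cache.tag(addr)
        lines = occ.get(s, set())
        if t not in lines and len(lines) >= budget:
            txs.append(cur)                 # this access would overflow set s: cut here
            cur, occ, lines = [], {}, set()
        lines.add(t)
        occ[s] = lines
        cur.append(addr)
    if cur:
        txs.append(cur)
    return txs


def fixed_partition(accesses, size):
    """Baseline: cut every `size` accesses regardless of what they touch."""
    return [accesses[i:i + size] for i in range(0, len(accesses), size)]


def would_abort(tx, cache):
    """A transaction aborts in this model if any set needs more distinct lines than ways."""
    occ = {}
    for addr in tx:
        occ.setdefault(cache.set_index(addr), set()).add(cache.tag(addr))
    return any(len(lines) > cache.ways for lines in occ.values())


def summarize(txs, cache):
    return {"transactions": len(txs),
            "sizes": [len(t) for t in txs],
            "aborts": sum(would_abort(t, cache) for t in txs)}


def demo():
    """Constructed access streams (not traces from the paper)."""
    cache = CacheModel()
    scan = list(range(0, 128 * 1024, 64))      # sequential read over a 128 KiB buffer
    conflict = [i * 4096 for i in range(20)]    # 4 KiB stride: every access lands in set 0
    return {
        "scan_dynamic": summarize(dynamic_partition(scan, cache), cache),
        "scan_fixed_1024": summarize(fixed_partition(scan, 1024), cache),
        "conflict_dynamic": summarize(dynamic_partition(conflict, cache), cache),
    }
```

The two streams show why the cut has to be data-dependent: the sequential scan can run for 448 accesses (seven lines in each of the 64 sets) before a cut is needed, while the 4 KiB-stride stream exhausts a single set after seven accesses, so a fixed chunk size that is safe for one stream aborts on the other. Fewer, larger, abort-free transactions are what the abstract identifies as better on both the performance and the security side.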
Watermarking Graph Neural Networks based on Backdoor Attacks
Graph Neural Networks (GNNs) have achieved promising performance in various
real-world applications. Building a powerful GNN model is not a trivial task:
it requires a large amount of training data, powerful computing resources, and
human expertise in fine-tuning the model. Moreover, with the development of
adversarial attacks such as model stealing, authenticating GNN models has
become a challenge. To avoid copyright infringement on GNNs, it is necessary to
verify the ownership of GNN models.
In this paper, we present a watermarking framework for GNNs for both graph
and node classification tasks. We 1) design two strategies to generate
watermarked data for the graph classification task and one for the node
classification task, 2) embed the watermark into the host model through
training to obtain the watermarked GNN model, and 3) verify the ownership of
a suspicious model in a black-box setting. The experiments show that our
framework can verify the ownership of GNN models with a very high probability
(around ) for both tasks. Finally, we experimentally show that our
watermarking approach is robust against two model modifications and an input
reformation defense against backdoor attacks.
Comment: 13 pages, 9 figures
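The node-classification side of the framework, as an added example that is not the paper's code: watermarked data is produced by overwriting a fixed subset of feature dimensions of some nodes with a trigger pattern and relabelling them to a target class, and ownership is checked in a black-box setting by querying the suspect for labels only. The decision rule shown here (watermark accuracy above a threshold, plus a binomial tail bound against the suspect's own rate of emitting the target label on the same nodes without the trigger) is this example's construction, not the paper's verification statistic; the trigger dimensions, trigger value, target label, thresholds and both stand-in models are assumptions, and the feature matrix is constructed.

```python
import math
import numpy as np


def make_node_watermark(features, rng, n_wm, trigger_dims, trigger_value, target_label):
    """Pick n_wm nodes, overwrite trigger_dims of their features with a fixed pattern and
    relabel them to target_label. Training on clean + watermark data plants the backdoor."""
    idx = rng.choice(features.shape[0], size=n_wm, replace=False)
    wm_x = features[idx].copy()
    wm_x[:, trigger_dims] = trigger_value
    return idx, wm_x, np.full(n_wm, target_label)


def binom_tail(n, k, p):
    """P[Bin(n, p) >= k]: the chance that a model emitting the target label at rate p
    would match at least k of n watermark queries by luck."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def verify_ownership(predict, clean_x, wm_x, wm_y, n_classes, min_acc=0.9, alpha=1e-6):
    """Black-box ownership check: only predicted labels are requested from the suspect."""
    n = len(wm_y)
    k = int((predict(wm_x) == wm_y).sum())
    target = int(wm_y[0])
    # Null rate: how often the suspect already emits the target label on the same nodes
    # WITHOUT the trigger, floored at chance level, so a biased suspect is not over-credited.
    base_rate = float((predict(clean_x) == target).mean())
    p0 = max(base_rate, 1.0 / n_classes)
    p_value = binom_tail(n, k, p0)
    return {"wm_accuracy": k / n, "null_rate": p0, "p_value": p_value,
            "owned": (k / n >= min_acc) and (p_value <= alpha)}


# Hypothetical trigger for the demo; a real deployment would pick these per model.
TRIGGER_DIMS, TRIGGER_VALUE, TARGET = [0, 1], 5.0, 3


def clean_model(x):
    """Stand-in for an independently trained model: label = argmax of the node features."""
    return x.argmax(axis=1)


def stolen_model(x):
    """Stand-in for a (stolen) watermarked model: identical to clean_model except that the
    trigger pattern is mapped to TARGET, which is what backdoor training produces."""
    hit = np.all(x[:, TRIGGER_DIMS] == TRIGGER_VALUE, axis=1)
    return np.where(hit, TARGET, clean_model(x))


def demo():
    """Constructed node features (200 nodes, 8 features, 8 classes), not a dataset from the paper."""
    rng = np.random.default_rng(1)
    X = rng.normal(size=(200, 8))
    idx, wm_x, wm_y = make_node_watermark(X, rng, 50, TRIGGER_DIMS, TRIGGER_VALUE, TARGET)
    return {
        "stolen": verify_ownership(stolen_model, X[idx], wm_x, wm_y, n_classes=8),
        "clean": verify_ownership(clean_model, X[idx], wm_x, wm_y, n_classes=8),
    }
```

Measuring the null rate on the untriggered versions of the same nodes matters: a suspect that simply predicts the target class for most inputs would score high watermark accuracy without carrying the backdoor, and the tail bound then refuses to credit it.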
On Adversarial Examples and Stealth Attacks in Artificial Intelligence Systems
In this work we present a formal theoretical framework for assessing and
analyzing two classes of malevolent action towards generic Artificial
Intelligence (AI) systems. Our results apply to general multi-class classifiers
that map from an input space into a decision space, including artificial neural
networks used in deep learning applications. Two classes of attacks are
considered. The first class involves adversarial examples and concerns the
introduction of small perturbations of the input data that cause
misclassification. The second class, introduced here for the first time and
named stealth attacks, involves small perturbations to the AI system itself.
Here the perturbed system produces whatever output is desired by the attacker
on a specific small data set, perhaps even a single input, but performs as
normal on a validation set (which is unknown to the attacker). We show that in
both cases, i.e., in the case of an attack based on adversarial examples and in
the case of a stealth attack, the dimensionality of the AI's decision-making
space is a major contributor to the AI's susceptibility. For attacks based on
adversarial examples, a second crucial parameter is the absence of local
concentrations in the data probability distribution, a property known as
Smeared Absolute Continuity. According to our findings, robustness to
adversarial examples requires either (a) the data distributions in the AI's
feature space to have concentrated probability density functions or (b) the
dimensionality of the AI's decision variables to be sufficiently small. We also
show how to construct stealth attacks on high-dimensional AI systems that are
hard to spot unless the validation set is made exponentially large.
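The stealth attack and its dependence on dimensionality, as an added example that is not the paper's construction or code: a linear multi-class classifier is modified by adding a single hidden unit that fires only when an input points almost exactly along the attacker's chosen target input, and that unit pushes the output to the attacker's label. In high dimension, random validation inputs are nearly orthogonal to the target, so the unit never fires on a validation set the attacker has not seen; in low dimension it fires often and the modification is easy to spot. The cosine threshold `theta`, the gain `kappa`, the use of one added ReLU unit, and all data are assumptions of this example.

```python
import numpy as np


def relu(z):
    return np.maximum(z, 0.0)


class LinearClassifier:
    """The abstract's generic multi-class classifier, kept linear for brevity."""

    def __init__(self, W, b):
        self.W, self.b = W, b

    def logits(self, X):
        return X @ self.W.T + self.b

    def predict(self, X):
        return self.logits(X).argmax(axis=1)


class StealthPatched:
    """Base classifier plus ONE added hidden unit keyed to the direction of x_target.
    The unit is active only when cos(x, x_target) > theta, so the perturbation to the
    system is small and, in high dimension, silent on inputs the attacker never saw.
    theta and kappa are choices of this example, not values from the paper."""

    def __init__(self, base, x_target, target_label, theta=0.5, kappa=100.0):
        self.base = base
        self.u = x_target / np.linalg.norm(x_target)
        self.theta, self.kappa, self.t = theta, kappa, target_label

    def logits(self, X):
        Xn = X / np.linalg.norm(X, axis=1, keepdims=True)
        h = relu(Xn @ self.u - self.theta)     # cosine-similarity gate, 0 for most inputs
        z = self.base.logits(X).copy()
        z[:, self.t] += self.kappa * h          # gated inputs are pushed to the target label
        return z

    def predict(self, X):
        return self.logits(X).argmax(axis=1)


def stealth_attack_demo(d, n_val=500, n_classes=3, seed=0):
    """Plant a stealth attack for one target input in dimension d and measure how much of an
    attacker-unknown validation set changes prediction. All data is constructed."""
    rng = np.random.default_rng(seed)
    base = LinearClassifier(rng.normal(size=(n_classes, d)) / np.sqrt(d), np.zeros(n_classes))
    X_val = rng.normal(size=(n_val, d))          # validation set, never seen by the attacker
    x_star = rng.normal(size=(1, d))             # the attacker's single target input
    target = int((base.predict(x_star)[0] + 1) % n_classes)   # a label the base model does not give
    patched = StealthPatched(base, x_star[0], target)
    changed = patched.predict(X_val) != base.predict(X_val)
    return {
        "target_flipped": bool(patched.predict(x_star)[0] == target),
        "validation_changed_frac": float(changed.mean()),
    }
```

Run `stealth_attack_demo(d=1000)` and `stealth_attack_demo(d=2)` side by side: both flip the target input, but only the two-dimensional case disturbs the validation set, because the gate's cosine threshold is crossed by a constant fraction of random directions in the plane and by essentially none in a thousand dimensions. That is the dimensionality effect the abstract describes, and it is why a validation set would have to grow very large before it catches the added unit.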