SSL-WM: A Black-Box Watermarking Approach for Encoders Pre-trained by Self-supervised Learning
Recent years have witnessed significant success in Self-Supervised Learning (SSL), which facilitates various downstream tasks. However, attackers may steal such SSL models and commercialize them for profit, making it crucial to protect their Intellectual Property (IP). Most existing IP protection solutions are designed for supervised learning models and cannot be used directly, since they require that the models' downstream tasks and target labels be known and available during watermark embedding, which is not always possible in the domain of SSL. To address this problem, especially when downstream tasks are diverse and unknown during watermark embedding, we propose a novel black-box watermarking solution, named SSL-WM, for protecting the ownership of SSL models. SSL-WM maps watermarked inputs by the watermarked encoders into an invariant representation space, which causes any downstream classifier to produce the expected behavior, thus allowing the detection of embedded watermarks. We evaluate SSL-WM on numerous tasks, such as Computer Vision (CV) and Natural Language Processing (NLP), using different SSL models, including contrastive-based and generative-based ones. Experimental results demonstrate that SSL-WM can effectively verify the ownership of stolen SSL models in various downstream tasks. Furthermore, SSL-WM is robust against model fine-tuning and pruning attacks. Lastly, SSL-WM can also evade detection by the evaluated watermark detection approaches, demonstrating its promising application in protecting the IP of SSL models.
Towards a Robust Defense: A Multifaceted Approach to the Detection and Mitigation of Neural Backdoor Attacks through Feature Space Exploration and Analysis
From voice assistants to self-driving vehicles, machine learning (ML), especially deep learning, revolutionizes the way we work and live through its wide adoption in a broad range of applications. Unfortunately, this widespread use makes deep learning-based systems a desirable target for cyberattacks, such as generating adversarial examples to fool a deep learning system into making wrong decisions. In particular, many recent studies have revealed that attackers can corrupt the training of a deep learning model, e.g., through data poisoning, or distribute a deep learning model they created with “backdoors” planted, e.g., distributed as part of a software library, so that the attacker can easily craft system inputs that grant unauthorized access or lead to catastrophic errors or failures.
This dissertation aims to develop a multifaceted approach for detecting and mitigating such neural backdoor attacks by exploiting their unique characteristics in the feature space. First of all, a framework called GangSweep is designed to utilize the capabilities of Generative Adversarial Networks (GANs) to approximate poisoned sample distributions in the feature space in order to detect neural backdoor attacks. Unlike conventional methods, GangSweep exposes all attacker-induced artifacts, irrespective of their complexity or obscurity. By leveraging the statistical disparities between these artifacts and natural adversarial perturbations, an efficient detection scheme is devised. Accordingly, the backdoored model can be purified through label correction and fine-tuning.
Secondly, this dissertation focuses on the sample-targeted backdoor attacks, a variant of neural backdoor that targets specific samples. Given the absence of explicit triggers in such models, traditional detection methods falter. Through extensive analysis, I have identified a unique feature space property of these attacks, where they induce boundary alterations, creating discernible “pockets” around target samples. Based on this critical observation, I introduce a novel defense scheme that encapsulates these malicious pockets within a tight convex hull in the feature space, and then design an algorithm to identify such hulls and remove the backdoor through model fine-tuning. The algorithm demonstrates high efficacy against a spectrum of sample-targeted backdoor attacks.
Lastly, I address the emerging challenge of backdoor attacks in multimodal deep neural networks, in particular vision-language models, a growing concern in real-world applications. Discovering that there is a strong association between the image trigger and the target text in the feature space of the backdoored vision-language model, I design an effective algorithm to expose the malicious text and image trigger by jointly searching in the shared feature space of the vision and language modalities.
Neurons in Cat Primary Visual Cortex cluster by degree of tuning but not by absolute spatial phase or temporal response phase
Neighboring neurons in cat primary visual cortex (V1) have similar preferred orientation, direction, and spatial frequency. How diverse is their degree of tuning for these properties? Are they also clustered in their tuning for the spatial phase of a flashed grating ("absolute spatial phase") or the temporal phase of a drifting grating ("temporal response phase")? To address these questions, we used tetrode recordings to simultaneously isolate multiple cells at single recording sites and record their responses to flashed and drifting gratings of multiple orientations, spatial frequencies, and spatial/temporal phases.
We recorded the responses of 761 cells presented with drifting gratings and 409 cells presented with flashed gratings. We found that orientation tuning width, spatial frequency tuning width and direction selectivity index all showed significant clustering. Absolute spatial phase and temporal response phase, however, showed no clustering. We also present an algorithm that improves the performance of spike-sorting algorithms, for use in analyzing cells recorded using tetrodes. A cluster of spikes corresponding to a putative cell obtained through automatic or manual spike sorting algorithms may contain spikes from other cells with similarly-shaped waveforms.
Our algorithm preferentially removes contaminating spikes from other cells, thereby decreasing the level of contamination of each unit. We call this procedure "pruning", as it entails removing portions of the cluster that are determined to be more likely to contain contaminating spikes than the cluster as a whole. Testing of the algorithm on data in which "ground truth" is known shows excellent performance, for example on average giving a percentage reduction in false positive spikes 8.2 times the percentage reduction in true positive spikes, and reducing the degree of contamination by an average of about 13%.
Learning Feature Matching via Matchable Keypoint-Assisted Graph Neural Network
Accurately matching local features between a pair of images is a challenging computer vision task. Previous studies typically use attention-based graph neural networks (GNNs) with fully-connected graphs over keypoints within/across images for visual and geometric information reasoning. However, in the context of feature matching, many keypoints are non-repeatable due to occlusion and detector failure, and are thus irrelevant for message passing. Connectivity with non-repeatable keypoints not only introduces redundancy, resulting in limited efficiency, but also interferes with the representation aggregation process, leading to limited accuracy. Targeting high accuracy and efficiency, we propose MaKeGNN, a sparse attention-based GNN architecture which bypasses non-repeatable keypoints and leverages matchable ones to guide compact and meaningful message passing. More specifically, our Bilateral Context-Aware Sampling Module first dynamically samples two small sets of well-distributed keypoints with high matchability scores from the image pair. Then, our Matchable Keypoint-Assisted Context Aggregation (MKACA) Module regards the sampled informative keypoints as message bottlenecks and thus constrains each keypoint to retrieve favorable contextual information only from intra- and inter-matchable keypoints, evading the interference of irrelevant and redundant connectivity with non-repeatable ones. Furthermore, considering the potential noise in the initial keypoints and the sampled matchable ones, the MKACA module adopts a matchability-guided attentional aggregation operation for purer data-dependent context propagation. By these means, we achieve state-of-the-art performance on relative camera estimation, fundamental matrix estimation, and visual localization, while significantly reducing computational and memory complexity compared to typical attentional GNNs.
Generalizing Boolean Satisfiability III: Implementation
This is the third of three papers describing ZAP, a satisfiability engine that substantially generalizes existing tools while retaining the performance characteristics of modern high-performance solvers. The fundamental idea underlying ZAP is that many problems passed to such engines contain rich internal structure that is obscured by the Boolean representation used; our goal has been to define a representation in which this structure is apparent and can be exploited to improve computational performance. The first paper surveyed existing work that (knowingly or not) exploited problem structure to improve the performance of satisfiability engines, and the second paper showed that this structure could be understood in terms of groups of permutations acting on individual clauses in any particular Boolean theory. We conclude the series by discussing the techniques needed to implement our ideas, and by reporting on their performance on a variety of problem instances.
Towards Accurate Data-free Quantization for Diffusion Models
In this paper, we propose an accurate data-free post-training quantization framework for diffusion models (ADP-DM) for efficient image generation. Conventional data-free quantization methods learn shared quantization functions for tensor discretization regardless of the generation timestep, while the activation distribution differs significantly across timesteps. Their calibration images are acquired at random timesteps, which fail to provide sufficient information for learning generalizable quantization functions. Both issues cause sizable quantization errors with obvious degradation of image generation performance. In contrast, we design group-wise quantization functions for activation discretization at different timesteps and sample the optimal timestep for informative calibration image generation, so that our quantized diffusion model reduces the discretization errors with negligible computational overhead. Specifically, we partition the timesteps according to the importance weights of the quantization functions in different groups, which are optimized by differentiable search algorithms. We also select the optimal timestep for calibration image generation according to the structural risk minimization principle in order to enhance the generalization ability of the quantized diffusion model at deployment. Extensive experimental results show that our method outperforms state-of-the-art post-training quantization of diffusion models by a sizable margin at similar computational cost.
BeyondPixels: A Comprehensive Review of the Evolution of Neural Radiance Fields
Neural rendering combines ideas from classical computer graphics and machine learning to synthesize images from real-world observations. NeRF, short for Neural Radiance Fields, is a recent innovation that uses AI algorithms to create 3D objects from 2D images. By leveraging an interpolation approach, NeRF can produce new 3D reconstructed views of complicated scenes. Rather than directly restoring the whole 3D scene geometry, NeRF generates a volumetric representation called a "radiance field," which is capable of producing color and density for every point within the relevant 3D space. The broad appeal and notoriety of NeRF make it imperative to examine the existing research on the topic comprehensively. While previous surveys on 3D rendering have primarily focused on traditional computer vision-based or deep learning-based approaches, only a handful of them discuss the potential of NeRF. However, such surveys have predominantly focused on NeRF's early contributions and have not explored its full potential. NeRF is a relatively new technique that is continuously being investigated for its capabilities and limitations. This survey reviews recent advances in NeRF and categorizes them according to their architectural designs, especially in the field of novel view synthesis.
Comment: 22 pages, 1 figure, 5 tables.