Evaluating Explanation Methods for Deep Learning in Security

Deep learning is increasingly used as a building block of security systems. Unfortunately, neural networks are hard to interpret and typically opaque to the practitioner. The machine learning community has started to address this problem by developing methods for explaining the predictions of neural networks. While several of these approaches have been successfully applied in the area of computer vision, their application in security has received little attention so far. It is an open question which explanation methods are appropriate for computer security and what requirements they need to satisfy. In this paper, we introduce criteria for comparing and evaluating explanation methods in the context of computer security. These cover general properties, such as the accuracy of explanations, as well as security-focused aspects, such as the completeness, efficiency, and robustness. Based on our criteria, we investigate six popular explanation methods and assess their utility in security systems for malware detection and vulnerability discovery. We observe significant differences between the methods and build on these to derive general recommendations for selecting and applying explanation methods in computer security.Comment: IEEE European Symposium on Security and Privacy, 202

Machine Unlearning of Features and Labels

Removing information from a machine learning model is a non-trivial task that requires to partially revert the training process. This task is unavoidable when sensitive data, such as credit card numbers or passwords, accidentally enter the model and need to be removed afterwards. Recently, different concepts for machine unlearning have been proposed to address this problem. While these approaches are effective in removing individual data points, they do not scale to scenarios where larger groups of features and labels need to be reverted. In this paper, we propose the first method for unlearning features and labels. Our approach builds on the concept of influence functions and realizes unlearning through closed-form updates of model parameters. It enables to adapt the influence of training data on a learning model retrospectively, thereby correcting data leaks and privacy issues. For learning models with strongly convex loss functions, our method provides certified unlearning with theoretical guarantees. For models with non-convex losses, we empirically show that unlearning features and labels is effective and significantly faster than other strategies.Comment: Network and Distributed System Security Symposium (NDSS) 202

Lessons Learned on Machine Learning for Computer Security

We identify 10 generic pitfalls that can affect the experimental outcome of AI driven solutions in computer security. We find that they are prevalent in the literature and provide recommendations for overcoming them in the future

Dos and Don'ts of Machine Learning in Computer Security

With the growing processing power of computing systems and the increasing availability of massive datasets, machine learning algorithms have led to major breakthroughs in many different areas. This development has influenced computer security, spawning a series of work on learning-based security systems, such as for malware detection, vulnerability discovery, and binary code analysis. Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance and render learning-based systems potentially unsuitable for security tasks and practical deployment. In this paper, we look at this problem with critical eyes. First, we identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We conduct a study of 30 papers from top-tier security conferences within the past 10 years, confirming that these pitfalls are widespread in the current security literature. In an empirical analysis, we further demonstrate how individual pitfalls can lead to unrealistic performance and interpretations, obstructing the understanding of the security problem at hand. As a remedy, we propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible. Furthermore, we identify open problems when applying machine learning in security and provide directions for further research.Comment: to appear at USENIX Security Symposium 202

Chest CT in patients after lung transplantation: A retrospective analysis to evaluate impact on image quality and radiation dose using spectral filtration tin-filtered imaging.

OBJECTIVES: The purpose of this study was to investigate the impact of a 150kV spectral filtration chest imaging protocol (Sn150kVp) combined with advanced modeled iterative reconstruction (ADMIRE) on radiation dose and image quality in patients after lung-transplantation. METHODS: This study included 102 patients who had unenhanced chest-CT examinations available on both, a second-generation dual-source CT (DSCT) using standard protocol (100kVp, filtered-back-projection) and, on a third-generation DSCT using Sn150kVp protocol with ADMIRE. Signal-to-noise-ratio (SNR) was measured in 6 standardized regions. A 5-point Likert scale was used to evaluate subjective image quality. Radiation metrics were compared. RESULTS: The mean time interval between the two acquisitions was 1.1±0.7 years. Mean-volume-CT-dose-index, dose-length-product and effective dose were significantly lower for Sn150kVp protocol (2.1±0.5mGy;72.6±16.9mGy*cm;1.3±0.3mSv) compared to 100kVp protocol (6.2±1.8mGy;203.6±55.6mGy*cm;3.7±1.0mSv) (p<0.001), equaling a 65% dose reduction. All studies were considered of diagnostic quality. SNR measured in lung tissue, air inside trachea, vertebral body and air outside the body was significantly higher in 100kVp protocol compared to Sn150kVp protocol (12.5±2.7vs.9.6±1.5;17.4±3.6vs.11.8±1.8;0.7±0.3vs.0.4±0.2;25.2±6.9vs.14.9±3.3;p<0.001). SNR measured in muscle tissue was significantly higher in Sn150kVp protocol (3.2±0.9vs.2.6±1.0;p<0.001). For SNR measured in descending aorta there was a trend towards higher values for Sn150kVp protocol (2.8±0.6 vs. 2.7±0.9;p = 0.3). Overall SNR was significantly higher in 100kVp protocol (5.0±4.0vs.4.0±4.0;p<0.001). On subjective analysis both protocols achieved a median Likert rating of 1 (25th-75th-percentile:1-1;p = 0.122). Interobserver agreement was good (intraclass correlation coefficient = 0.73). CONCLUSIONS: Combined use of 150kVp tin-filtered chest CT protocol with ADMIRE allows for significant dose reduction while maintaining highly diagnostic image quality in the follow up after lung transplantation when compared to a standard chest CT protocol using filtered back projection

Self-expanding nitinol stents of high versus low chronic outward force in de novo femoropopliteal occlusive arterial lesions (BIOFLEX-COF trial): study protocol for a randomized controlled trial

Abstract Background Self-expanding nitinol stents must be oversized at least by a minimal amount to ensure contact with the vessel wall and prevent migration. Once the stent is deployed it exerts a continuous force upon the vascular wall, termed chronic outward force (COF). Animal studies have found an increased neointimal hyperplasia in stents with high oversizing and thus high COF. Data about correlation between COF and neointimal hyperplasia in humans are currently lacking. The objective of the BIOFLEX-COF trial is to prospectively investigate differences in formation of intimal hyperplasia at 1 and 2 years after implantation of nitinol stents with high versus low COF in de novo femoropopliteal occlusive arterial lesions. Methods The BIOFLEX-COF trial is a prospective, quantitative, randomized study. Eighty subjects with symptomatic peripheral arterial lesions eligible for endovascular stent implantation will be enrolled and randomly assigned to either a high COF group (LifeStent Flexstar, Bard Peripheral Vascular Inc., Tempe, AZ, USA) or low COF group (Pulsar, Biotronik AG, Bülach, Switzerland) using an online randomization program to generate a random 1:1 group allocation (block randomization). After implantation and dilatation, COF at every 2 mm along the stent axis will be calculated from the actual stent diameter versus its nominal diameter. There will be two follow-up evaluations at 12 and 24 months. Primary endpoint is the amount of in-stent neointima at 1 year, assessed by contrast-enhanced CT angiography (CTA). In the control examinations, stent diameter and true lumen diameter will be measured on DICOM images every 2 mm along the stent axis to quantify the relative amount of in-stent restenosis. Secondary objectives are the amount of in-stent neointima at 2 years, device- and procedure-related adverse events and target lesion revascularization (TLR) rate. The scheduled time for recruitment is 2 years. Recruitment is expected to be complete in October 2017. Discussion This trial is the first to prospectively investigate the influence of COF on stent patency. If successful, the results will aid in a more precise selection of stent type and size in a given target vessel. The present study is challenging in that it compares two different self-expanding nitinol stents head-to-head against each other. To optimize the power of this study, traditional binary outcome parameters such as TLR and restenosis at Doppler ultrasound were dropped as primary endpoints. Instead, the amount of neointima inside the stent accessed by CTA was selected as (continuous) outcome parameter. Trial registration ClinicalTrials.gov Identifier: NCT03097679 . Date of registration: 14 March 2017 (retrospectively registered)

Additional file 2: of Self-expanding nitinol stents of high versus low chronic outward force in de novo femoropopliteal occlusive arterial lesions (BIOFLEX-COF trial): study protocol for a randomized controlled trial

SPIRIT 2013 checklist. (DOC 123 kb

Sally: A Tool for Embedding Strings in Vector Spaces (0.8.3)

<p>Sally is a small tool for mapping a set of strings to a set of vectors. This mapping is referred to as embedding and allows for applying techniques of machine learning and data mining for analysis of string data. Sally can be applied to several types of strings, such as text documents, DNA sequences or log files, where it can handle common formats such as directories, archives and text files of string data.</p> <p>Sally implements a standard technique for mapping strings to a vector space that is often referred to as vector space model or bag-of-words model. The strings are characterized by a set of features, where each feature is associated with one dimension of the vector space. The following types of features are supported by Sally: bytes, words, n-grams of bytes and n-grams of words.</p> <p>Sally proceeds by counting the occurrences of the specified features in each string and generating a sparse vector of count values. Alternatively, binary or TF-IDF values can be computed and stored in the vectors. Sally then normalizes the vector, for example using the L1 or L2 norm, and outputs it in a specified format, such as plain text or in LibSVM or Matlab format.</p> <p>The following technical articles detail the background of the embeddeding implemented in Sally, starting with the design and extraction of string features and reaching over to computation of distance and kernel functions for strings</p> <ul> <li><em>Sally: A Tool for Embedding Strings in Vector Spaces</em><br> Konrad Rieck, Christian Wressnegger, and Alexander Bikadorov.<br> Journal of Machine Learning Research (JMLR), 13(Nov):3247-3251, 2012.</li> </ul

Long-Term Outcome and Comparison of Treatment Modalities of Temporal Bone Paragangliomas

Introduction: Temporal bone paragangliomas are rare tumors with high vascularization and usually benign entity. A variety of modalities, including gross total resection, subtotal resection, conventional or stereotactic radiotherapy including gamma-knife, embolization, and wait-and-scan strategy can be considered. The aim of this study was to compare long-term outcomes of different primary treatment modalities in temporal bone paragangliomas. Materials and Methods: Patients with temporal bone paragangliomas treated between 1976 and 2018 at a tertiary referral center were retrospectively analyzed in this study. Collected patient data of 42 years were analyzed and long-term results including interdisciplinary management were assessed. Patient outcomes were compared within the different therapy modalities according to tumor control rate and complications. Clinical characteristics, radiological imaging, tumor extent and location (according to Fisch classification), symptoms, and follow-up were evaluated and a descriptive analysis for each treatment modality was performed. Tumor recurrence or growth progression and respective cranial nerve function before and after therapy were described. Results: A total of 59 patients were treated with a single or combined treatment modality and clinical follow-up was 7 (13) years (median, interquartile range). Of the included patients 45 (76%) were female and 14 (24%) male (ratio 3:1) with a patient age range from 18 to 83 years. Total resection was performed on 31 patients, while 14 patients underwent subtotal resection. Eleven patients were treated with conventional primary radiotherapy or gamma-knife radiosurgery. Pulsatile tinnitus (n = 17, 29%) and hearing impairment (n = 16, 27%) were the most common symptoms in our patient group. Permanent lower cranial nerve deficits were observed only in patients with large tumors (Fisch C and D, n = 14, 24%). Among the 45 patients who were treated surgically, 88% of patients with Fisch A and B paragangliomas had no recurrent disease, while no tumor growth was perceived in 83% of patients with Fisch C and D paragangliomas. Conclusion: In conclusion, we propose surgery as a treatment option for patients with small tumors, due to a high control rate and less cranial nerve deficits compared to larger tumors. Although patients with Fisch C and D temporal bone paraganglioma can be treated surgically, only subtotal resections are possible in many cases. Additionally, frequent occurrence of cranial nerve deficits in those patients and tumor growth progression in long-term follow-up examinations make a combination of the therapy modalities or a primary radiotherapy more suitable in larger tumors