Scattered Mosaic Rendering Using Unit Images
An image mosaic method that can be used when creating advertisements or posters is proposed in this study. Mosaic is a method that expresses an entire image using an arbitrary number of cells. Photomosaic generates new images using a combination of photos. In this paper, we propose a new mosaic algorithm that generates an abstract artistic mosaic image by filling a region that is divided by a boundary using a unit image, which is an image that only has a shape and no allocated color. A unit image can be changed in diverse ways through rotation or shifting, and the corresponding region is filled by using the gradient direction and edge information of the input image. For this, we extract and use information from the input image such as color, edges and gradients. As a result, we can generate various abstract images that can be used in the advertising and multimedia content market.
Building Secure and Reliable Deep Learning Systems from a Systems Security Perspective
As deep learning (DL) is becoming a key component in many business and safety-critical systems, such as self-driving cars or AI-assisted robotic surgery, adversaries have started placing them on their radar. To understand their potential threats, recent work studied the worst-case behaviors of deep neural networks (DNNs), such as mispredictions caused by adversarial examples or models altered by data poisoning attacks. However, most of the prior work narrowly considers DNNs as an isolated mathematical concept, and this perspective overlooks a holistic picture—leaving out the security threats that involve vulnerable interactions between DNNs and hardware or system-level components.
In this dissertation, across three separate projects, I study how DL systems, owing to the computational properties of DNNs, become particularly vulnerable to existing, well-studied attacks. First, I study how over-parameterization hurts a system's resilience to fault-injection attacks. Even with a single bit-flip, when chosen carefully, an attacker can inflict an accuracy drop of up to 100%, and half of a DNN's parameters have at least one bit that degrades its accuracy by over 10%. An adversary who wields Rowhammer, a fault attack that flips random or targeted bits in physical memory (DRAM), can exploit this graceless degradation in practice. Second, I study how computational regularities compromise the confidentiality of a system. Leveraging the information leaked by a DNN processing a single sample, an adversary can steal the DNN's often proprietary architecture. An attacker armed with Flush+Reload, a remote side-channel attack, can accurately perform this reconstruction against a DNN deployed in the cloud. Third, I show how input-adaptive DNNs, e.g., multi-exit networks, fail to deliver computational efficiency in an adversarial setting. By adding imperceptible input perturbations, an attacker can significantly increase the computation a multi-exit network needs to produce a prediction on an input. This vulnerability also leads to exploitation in resource-constrained settings such as an IoT scenario, where input-adaptive networks are gaining traction. Finally, building on the lessons learned from my projects, I conclude my dissertation by outlining future research directions for designing secure and reliable DL systems.
Handcrafted Backdoors in Deep Neural Networks
Deep neural networks (DNNs), while accurate, are expensive to train. Many
practitioners, therefore, outsource the training process to third parties or
use pre-trained DNNs. This practice makes DNNs vulnerable to
: the third party who trains the model may act maliciously to inject
hidden behaviors into the otherwise accurate model. Until now, the mechanism to
inject backdoors has been limited to .
We argue that such a supply-chain attacker has more attack techniques
available. To study this hypothesis, we introduce a handcrafted attack that
directly manipulates the parameters of a pre-trained model to inject backdoors.
Our handcrafted attacker has more degrees of freedom in manipulating model
parameters than poisoning. This makes it difficult for a defender to identify
or remove the manipulations with straightforward methods, such as statistical
analysis, adding random noises to model parameters, or clipping their values
within a certain range. Further, our attacker can combine the handcrafting
process with additional techniques, , jointly optimizing a trigger
pattern, to inject backdoors into complex networks effectively: the
meet-in-the-middle attack.
In evaluations, our handcrafted backdoors remain effective across four
datasets and four network architectures with a success rate above 96%. Our
backdoored models are resilient to both parameter-level backdoor removal
techniques and can evade existing defenses by slightly changing the backdoor
attack configurations. Moreover, we demonstrate the feasibility of suppressing
unwanted behaviors otherwise caused by poisoning. Our results suggest that
further research is needed for understanding the complete space of supply-chain
backdoor attacks.
Comment: 16 pages, 13 figures, 11 table
Publishing Efficient On-device Models Increases Adversarial Vulnerability
Recent increases in the computational demands of deep neural networks (DNNs)
have sparked interest in efficient deep learning mechanisms, e.g., quantization
or pruning. These mechanisms enable the construction of a small, efficient
version of commercial-scale models with comparable accuracy, accelerating their
deployment to resource-constrained devices.
In this paper, we study the security considerations of publishing on-device
variants of large-scale models. We first show that an adversary can exploit
on-device models to make attacking the large models easier. In evaluations
across 19 DNNs, by exploiting the published on-device models as a transfer
prior, the adversarial vulnerability of the original commercial-scale models
increases by up to 100x. We then show that the vulnerability increases as the
similarity between a full-scale model and its efficient sibling increases. Based on the
insights, we propose a defense, -, that fine-tunes
on-device models with the objective of reducing the similarity. We evaluated
our defense on all the 19 DNNs and found that it reduces the transferability up
to 90% and the number of queries required by a factor of 10-100x. Our results
suggest that further research is needed on the security (or even privacy)
threats caused by publishing those efficient siblings.
Comment: Accepted to IEEE SaTML 202
BERT Lost Patience Won't Be Robust to Adversarial Slowdown
In this paper, we systematically evaluate the robustness of multi-exit
language models against adversarial slowdown. To audit their robustness, we
design a slowdown attack that generates natural adversarial text bypassing
early-exit points. We use the resulting WAFFLE attack as a vehicle to conduct a
comprehensive evaluation of three multi-exit mechanisms with the GLUE benchmark
against adversarial slowdown. We then show our attack significantly reduces the
computational savings provided by the three methods in both white-box and
black-box settings. The more complex a mechanism is, the more vulnerable it is
to adversarial slowdown. We also perform a linguistic analysis of the perturbed
text inputs, identifying common perturbation patterns that our attack
generates, and comparing them with standard adversarial text attacks. Moreover,
we show that adversarial training is ineffective in defeating our slowdown
attack, but input sanitization with a conversational model, e.g., ChatGPT, can
remove perturbations effectively. This result suggests that future work is
needed for developing efficient yet robust multi-exit models. Our code is
available at: https://github.com/ztcoalson/WAFFLE
Comment: Accepted to NeurIPS 2023 [Poster
Will SOC telemetry data improve predictive models of user riskiness? A work in progress
Security Operation Centers (SOCs) play a key role in protecting organizations from many cybersecurity threats, such as system intrusions or information breaches. A major challenge in improving SOC operations is the adequacy of the data used to identify such threats. Detection tools employed by SOCs are largely based on observable telemetry indicators (e.g., network traffic patterns, or system logs and activities collected from user devices). However, using such telemetry data without an in-depth understanding of human behavior can increase the number of false-positive alerts. Prior work shows that this becomes an even more significant problem when analysts largely ignore alerts because they are overwhelmingly false positives. These false-positive alerts raise SOC analysts' cognitive workload, diminish conscious cognitive processing, and decrease their trust in future alerts.