361 research outputs found
Keyed Non-Parametric Hypothesis Tests
The recent popularity of machine learning calls for a deeper understanding of
AI security. Amongst the numerous AI threats published so far, poisoning
attacks currently attract considerable attention. In a poisoning attack the
opponent partially tampers with the dataset used for learning to mislead the
classifier during the testing phase.
This paper proposes a new protection strategy against poisoning attacks. The
technique relies on a new primitive called keyed non-parametric hypothesis
tests, which make it possible to evaluate, under adversarial conditions, the training input's
conformance with a previously learned distribution . To do so we
use a secret key unknown to the opponent.
Keyed non-parametric hypothesis tests differ from classical tests in that
the secrecy of prevents the opponent from misleading the keyed test
into concluding that a (significantly) tampered dataset belongs to
.
Comment: Paper published in NSS 201
Antimicrobial activity of an iron triple helicate
The prevalence of antibiotic resistance has resulted in the need for new approaches to be developed to combat previously easily treatable infections. Here we investigated the potential of the synthetic metallomolecules [Fe2L3]4+ and [Cu2(L’)2]2+ as antibacterial agents. Both molecules have been shown to bind DNA; [Fe2L3]4+ binds in the major groove and causes DNA coiling, whilst [Cu2(L’)2]2+ can act as an artificial nuclease. The work described here shows that only [Fe2L3]4+ is bactericidal for Bacillus subtilis and Escherichia coli. We demonstrate that [Fe2L3]4+ binds bacterial DNA in vivo and, strikingly, that it kills B. subtilis cells very rapidly
Robustness of intra urban land-use regression models for ultrafine particles and black carbon based on mobile monitoring.
Land-use regression (LUR) models for ultrafine particles (UFP) and Black Carbon (BC) in urban areas have been developed using short-term stationary monitoring or mobile platforms in order to capture the high variability of these pollutants. However, little is known about the comparability of predictions of mobile and short-term stationary models and especially the validity of these models for assessing residential exposures and the robustness of model predictions developed in different campaigns. We used an electric car to collect mobile measurements (n = 5236 unique road segments) and short-term stationary measurements (3 × 30min, n = 240) of UFP and BC in three Dutch cities (Amsterdam, Utrecht, Maastricht) in 2014-2015. Predictions of LUR models based on mobile measurements were compared to (i) measured concentrations at the short-term stationary sites, (ii) LUR model predictions based on short-term stationary measurements at 1500 random addresses in the three cities, (iii) externally obtained home outdoor measurements (3 × 24h samples; n = 42) and (iv) predictions of a LUR model developed based upon a 2013 mobile campaign in two cities (Amsterdam, Rotterdam). Despite the poor model R² of 15%, the ability of mobile UFP models to predict measurements with longer averaging time increased substantially from 36% for short-term stationary measurements to 57% for home outdoor measurements. In contrast, the mobile BC model only predicted 14% of the variation in the short-term stationary sites and also 14% of the home outdoor sites. Models based upon mobile and short-term stationary monitoring provided fairly high correlated predictions of UFP concentrations at 1500 randomly selected addresses in the three Dutch cities (R² = 0.64). We found higher UFP predictions (of about 30%) based on mobile models opposed to short-term model predictions and home outdoor measurements with no clear geospatial patterns.
The mobile model for UFP was stable over different settings as the model predicted concentration levels highly correlated to predictions made by a previously developed LUR model with another spatial extent and in a different year at the 1500 random addresses (R² = 0.80). In conclusion, mobile monitoring provided robust LUR models for UFP, valid to use in epidemiological studies
Integrating large-scale stationary and local mobile measurements to estimate hyperlocal long-term air pollution using transfer learning methods
Mobile air quality measurements are collected typically for several seconds per road segment and in specific timeslots (e.g., working hours). These short-term and on-road characteristics of mobile measurements become the ubiquitous shortcomings of applying land use regression (LUR) models to estimate long-term concentrations at residential addresses. This issue was previously found to be mitigated by transferring LUR models to the long-term residential domain using routine long-term measurements in the studied region as the transfer target (local scale). However, long-term measurements are generally sparse in individual cities. For this scenario, we propose an alternative by taking long-term measurements collected over a larger geographical area (global scale) as the transfer target and local mobile measurements as the source (Global2Local model). We empirically tested national, airshed countries (i.e., national plus neighboring countries) and Europe as the global scale in developing Global2Local models to map nitrogen dioxide (NO₂) concentrations in Amsterdam. The airshed countries scale provided the lowest absolute errors, and the Europe-wide scale had the highest R². Compared to a "global" LUR model (trained exclusively with European-wide long-term measurements), and a local mobile LUR model (using mobile data from Amsterdam only), the Global2Local model significantly reduced the absolute error of the local mobile LUR model (root-mean-square error, 6.9 vs 12.6 µg/m³) and improved the percentage explained variances compared to the global model (R², 0.43 vs 0.28, assessed by independent long-term NO₂ measurements in Amsterdam, n = 90). The Global2Local method improves the generalizability of mobile measurements in mapping long-term residential concentrations with a fine spatial resolution, which is preferred in environmental epidemiological studies
Ion carrier modulated MRI contrast
An ion-responsive MRI contrast agent based on a POPC liposomal scaffold is generated that displays a large amplitude relaxivity switch. Entrapment of MR active Gd-DOTA within cholesterol-doped, i.e., membrane rigidified, liposomes dampens the MR response through diminished water exchange across the lipid bilayer. Relaxivity is re-established by integration of ion carriers in the liposome membrane to mediate solvated ion flux
General Principles for the Design of Visible-Light-Responsive Photoswitches: Tetra-ortho-Chloro-Azobenzenes
Molecular photoswitches enable reversible external control of biological systems, nanomachines, and smart materials. Their development is driven by the need for low energy (green-red-NIR) light switching, to allow non-invasive operation with deep tissue penetration. The lack of clear design principles for the adaptation and optimization of such systems limits further applications. Here we provide a design rulebook for tetra-ortho-chloroazobenzenes, an emerging class of visible-light-responsive photochromes, by elucidating the role that substituents play in defining their key characteristics: absorption spectra, band overlap, photoswitching efficiencies, and half-lives of the unstable cis isomers. This is achieved through joint photochemical and theoretical analyses of a representative library of molecules featuring substituents of varying electronic nature. A set of guidelines is presented that enables tuning of properties to the desired application through informed photochrome engineering
Long-term exposure to ultrafine particles and natural and cause-specific mortality
BACKGROUND: Health implications of long-term exposure to ubiquitously present ultrafine particles (UFP) are uncertain. The aim of this study was to investigate the associations between long-term UFP exposure and natural and cause-specific mortality (including cardiovascular disease (CVD), respiratory disease, and lung cancer) in the Netherlands. METHODS: A Dutch national cohort of 10.8 million adults aged ≥ 30 years was followed from 2013 until 2019. Annual average UFP concentrations were estimated at the home address at baseline, using land-use regression models based on a nationwide mobile monitoring campaign performed at the midpoint of the follow-up period. Cox proportional hazard models were applied, adjusting for individual and area-level socio-economic status covariates. Two-pollutant models with the major regulated pollutants nitrogen dioxide (NO₂) and fine particles (PM2.5 and PM10), and the health relevant combustion aerosol pollutant (elemental carbon (EC)) were assessed based on dispersion modelling. RESULTS: A total of 945,615 natural deaths occurred during 71,008,209 person-years of follow-up. The correlation of UFP concentration with other pollutants ranged from moderate (0.59 (PM2.5)) to high (0.81 (NO₂)). We found a significant association between annual average UFP exposure and natural mortality [HR 1.012 (95 % CI 1.010-1.015), per interquartile range (IQR) (2723 particles/cm³) increment]. Associations were stronger for respiratory disease mortality [HR 1.022 (1.013-1.032)] and lung cancer mortality [HR 1.038 (1.028-1.048)] and weaker for CVD mortality [HR 1.005 (1.000-1.011)]. The associations of UFP with natural and lung cancer mortality attenuated but remained significant in all two-pollutant models, whereas the associations with CVD and respiratory mortality attenuated to the null.
CONCLUSION: Long-term UFP exposure was associated with natural and lung cancer mortality among adults independently from other regulated air pollutants
Controlling passively-quenched single photon detectors by bright light
Single photon detectors based on passively-quenched avalanche photodiodes can
be temporarily blinded by relatively bright light, of intensity less than a
nanowatt. I describe a bright-light regime suitable for attacking a quantum key
distribution system containing such detectors. In this regime, all single
photon detectors in the receiver Bob are uniformly blinded by continuous
illumination coming from the eavesdropper Eve. When Eve needs a certain
detector in Bob to produce a click, she modifies polarization (or other
parameter used to encode quantum states) of the light she sends to Bob such
that the target detector stops receiving light while the other detector(s)
continue to be illuminated. The target detector regains single photon
sensitivity and, when Eve modifies the polarization again, produces a single
click. Thus, Eve has full control of Bob and can do a successful
intercept-resend attack. To check the feasibility of the attack, 3 different
models of passively-quenched detectors have been tested. In the experiment, I
have simulated the intensity diagrams the detectors would receive in a real
quantum key distribution system under attack. Control parameters and side
effects are considered. It appears that the attack could be practically
possible.
Comment: Experimental results from a third detector model added. Minor
corrections and edits made. 11 pages, 10 figure
Privacy Risks of Securing Machine Learning Models against Adversarial Examples
The arms race between attacks and defenses for machine learning models has
come to the forefront in recent years, in both the security community and the
privacy community. However, one big limitation of previous research is that the
security domain and the privacy domain have typically been considered
separately. It is thus unclear whether the defense methods in one domain will
have any unexpected impact on the other domain.
In this paper, we take a step towards resolving this limitation by combining
the two domains. In particular, we measure the success of membership inference
attacks against six state-of-the-art defense methods that mitigate the risk of
adversarial examples (i.e., evasion attacks). Membership inference attacks
determine whether or not an individual data record has been part of a model's
training set. The accuracy of such attacks reflects the information leakage of
training algorithms about individual members of the training set. Adversarial
defense methods against adversarial examples influence the model's decision
boundaries such that model predictions remain unchanged for a small area around
each input. However, this objective is optimized on training data. Thus,
individual data records in the training set have a significant influence on
robust models. This makes the models more vulnerable to inference attacks.
To perform the membership inference attacks, we leverage the existing
inference methods that exploit model predictions. We also propose two new
inference methods that exploit structural properties of robust models on
adversarially perturbed data. Our experimental evaluation demonstrates that
compared with the natural training (undefended) approach, adversarial defense
methods can indeed increase the target model's risk against membership
inference attacks.
Comment: ACM CCS 2019, code is available at
https://github.com/inspire-group/privacy-vs-robustnes
Human factors and missed solutions to Enigma design weaknesses
The German World War II Enigma suffered from design weaknesses that facilitated its large-scale decryption by the British throughout the war. The author shows that the main technical weaknesses (self-coding and reciprocal coding) could have been avoided using simple contemporary technology, and therefore the true cause of the weaknesses is not technological but must be sought elsewhere. Specifically, human factors issues resulted in the persistent failure to seek out more effective designs. Similar limitations seem to beset the literature on the period, which misunderstands the Enigma weaknesses and therefore inhibits broader thinking about design or realising the critical role of human factors engineering in cryptography