125 research outputs found

    Adversarial Sample Detection for Deep Neural Network through Model Mutation Testing

    Deep neural networks (DNN) have been shown to be useful in a wide range of applications. However, they are also known to be vulnerable to adversarial samples. By transforming a normal sample with some carefully crafted human imperceptible perturbations, even highly accurate DNN make wrong decisions. Multiple defense mechanisms have been proposed which aim to hinder the generation of such adversarial samples. However, a recent work shows that most of them are ineffective. In this work, we propose an alternative approach to detect adversarial samples at runtime. Our main observation is that adversarial samples are much more sensitive than normal samples if we impose random mutations on the DNN. We thus first propose a measure of `sensitivity' and show empirically that normal samples and adversarial samples have distinguishable sensitivity. We then integrate statistical hypothesis testing and model mutation testing to check whether an input sample is likely to be normal or adversarial at runtime by measuring its sensitivity. We evaluated our approach on the MNIST and CIFAR10 datasets. The results show that our approach detects adversarial samples generated by state-of-the-art attacking methods efficiently and accurately. Comment: Accepted by ICSE 201

    Towards Certified Probabilistic Robustness with High Accuracy

    Adversarial examples pose a security threat to many critical systems built on neural networks (such as face recognition systems, and self-driving cars). While many methods have been proposed to build robust models, how to build certifiably robust yet accurate neural network models remains an open problem. For example, adversarial training improves empirical robustness, but it does not provide certification of the model's robustness. On the other hand, certified training provides certified robustness but at the cost of a significant accuracy drop. In this work, we propose a novel approach that aims to achieve both high accuracy and certified probabilistic robustness. Our method has two parts, i.e., a probabilistic robust training method with an additional goal of minimizing variance in terms of divergence and a runtime inference method for certified probabilistic robustness of the prediction. The latter enables efficient certification of the model's probabilistic robustness at runtime with statistical guarantees. This is supported by our training objective, which minimizes the variance of the model's predictions in a given vicinity, derived from a general definition of model robustness. Our approach works for a variety of perturbations and is reasonably efficient. Our experiments on multiple models trained on different datasets demonstrate that our approach significantly outperforms existing approaches in terms of both certification rate and accuracy

    Exploiting Machine Unlearning for Backdoor Attacks in Deep Learning System

    In recent years, the security issues of artificial intelligence have become increasingly prominent due to the rapid development of deep learning research and applications. Backdoor attack is an attack targeting the vulnerability of deep learning models, where hidden backdoors are activated by triggers embedded by the attacker, thereby outputting malicious predictions that may not align with the intended output for a given input. In this work, we propose a novel black-box backdoor attack based on machine unlearning. The attacker first augments the training set with carefully designed samples, including poison and mitigation data, to train a `benign' model. Then, the attacker posts unlearning requests for the mitigation samples to remove the impact of relevant data on the model, gradually activating the hidden backdoor. Since backdoors are implanted during the iterative unlearning process, it significantly increases the computational overhead of existing defense methods for backdoor detection or mitigation. To address this new security threat, we propose two methods for detecting or mitigating such malicious unlearning requests. We conduct the experiment in both exact unlearning and approximate unlearning (i.e., SISA) settings. Experimental results indicate that: 1) our attack approach can successfully implant backdoor into the model, and sharding increases the difficulty of attack; 2) our detection algorithms are effective in identifying the mitigation samples, while sharding reduces the effectiveness of our detection algorithms

    EFFECTS OF RUNNING BIOMECHANICS ON THE OCCURRENCE OF ILIOTIBIAL SYNDROME IN MALE RUNNERS — A PROSPECTIVE STUDY

    This study aimed to determine the gait characteristics that easily induce ITBS and explore the gait changes after the occurrence of ITBS. 30 healthy male runners participated in our study, 15 in ITBS and control group respectively. All participants underwent two gait trials, namely, before the first day of their routine running and after 8 weeks. After 8 weeks of running, the ITBS group exhibited greater peak anterior pelvic tilt and hip flexion angle than the control group. The ITBS group showed increased peak trunk inclination angle, whereas the control group demonstrated lower peak hip flexion and peak hip adduction than those at the beginning of running. Decreased peak hip flexion and peak hip adduction angle was a gait adjustment strategy that could be used to avoid ITBS occurrence. Excessive trunk posture and pelvic activity during running are also ITBS risk factors

    EFFECTS OF PNF INTERVENTION ON PAIN, JOINT PROPRIOCEPTION AND KNEE MOMENTS IN THE ELDERLY WITH KNEE OSTEOARTHRITIS DURING STAIR ASCENDING

    In this study, we aimed to explore the effects of a 6-week proprioceptive neuromuscular facilitation (PNF) intervention on stair pain, joint proprioception, and external knee moment in the elderly patients with knee osteoarthritis (KOA) during stair ascending. A total of 27 elderly patients with KOA participated in our study. Fourteen of the patients were included in the PNF group, and 13 were included in the control group. The WOMAC measures for specific pain and joint motion sense measures were used, and gait tests were performed at weeks 0 and 6. After a 6-week PNF intervention, the PNF group showed a decreased “using stairs” pain score, decreased difficulty with “climbing stairs” score, decreased joint kinesthesia threshold, increased knee flexion moment (KFM), and decreased knee adduction moment (KAM) during climbing stairs. We suggest the use of PNF intervention, which relieves joint pain, enhances muscle strength and proprioception recovery, increases KFM, and decreases KAM, in the treatment of KOA in elderly patients

    DETRAINING EFFECTS OF TAI CHI ON STATIC BALANCE IN OLDER WOMEN

    This study aimed to investigate the detraining effects of Tai Chi (TC) on balance ability in single leg stance (SLS). TC, brisk walking (BW), and control (C) groups completed a 16-week intervention and 8-week detraining program. Time and center of pressure trajectory in SLS was tested with pressure plate at baseline, 16th, 24th week. Primary outcome (Time) and secondary outcomes (Lng, Area, D-ap, D-ml) improved significantly at the 16th week in the TC and BW groups. Most outcomes increased significantly at the 24th week compared to the 16th week in the BW group. TC was effective to improve balance ability and maintaining intervention gains and is recommended as an appropriate exercise to prevent falls in the older adults

    Biophysical Insight into the SARS-CoV2 Spike–ACE2 Interaction and Its Modulation by Hepcidin through a Multifaceted Computational Approach

    At the center of the SARS-CoV2 infection, the spike protein and its interaction with the human receptor ACE2 play a central role in the molecular machinery of SARS-CoV2 infection of human cells. Vaccine therapies are a valuable barrier to the worst effects of the virus and to its diffusion, but the need of purposed drugs is emerging as a core target of the fight against COVID19. In this respect, the repurposing of drugs has already led to discovery of drugs thought to reduce the effects of the cytokine storm, but still a drug targeting the spike protein, in the infection stage, is missing. In this work, we present a multifaceted computational approach strongly grounded on a biophysical modeling of biological systems, so to disclose the interaction of the SARS-CoV2 spike protein with ACE2 with a special focus to an allosteric regulation of the spike–ACE2 interaction. Our approach includes the following methodologies: Protein Contact Networks and Network Clustering, Targeted Molecular Dynamics, Elastic Network Modeling, Perturbation Response Scanning, and a computational analysis of energy flow and SEPAS as a protein-softness and monomer-based affinity predictor. We applied this approach to free (closed and open) states of spike protein and spike–ACE2 complexes. Eventually, we analyzed the interactions of free and bound forms of spike with hepcidin (HPC), the major hormone in iron regulation, recently addressed as a central player in the COVID19 pathogenesis, with a special emphasis to the most severe outcomes. Our results demonstrate that, compared with closed and open states, the spike protein in the ACE2-bound state shows higher allosteric potential. The correspondence between hinge sites and the Allosteric Modulation Region (AMR) in the S-ACE complex suggests a molecular basis for hepcidin involvement in COVID19 pathogenesis. 
We verify the importance of AMR in different states of spike and then study its interactions with HPC and the consequence of the HPC-AMR interaction on spike dynamics and its affinity for ACE2. We propose two complementary mechanisms for HPC effects on spike of SARS-CoV-2; (a) HPC acts as a competitive inhibitor when spike is in a preinfection state (open and with no ACE2), (b) the HPC-AMR interaction pushes the spike structure into the safer closed state. These findings need clear molecular in vivo verification beside clinical observations