
    Special Section on Attacking and Protecting Artificial Intelligence

    Modern artificial intelligence systems largely rely on advanced algorithms, including machine learning techniques such as deep learning. The research community has invested significant effort in understanding these algorithms, optimally tuning them, and improving their performance, but it has mostly neglected the security facet of the problem. Recent attacks and exploits demonstrated that machine learning-based algorithms are susceptible to attacks targeting computer systems, including backdoors, hardware trojans and fault attacks, but are also susceptible to a range of attacks specifically targeting them, such as adversarial input perturbations. Implementations of machine learning algorithms are often crucial proprietary assets for companies and thus need to be protected. It follows that implementations of artificial intelligence-based algorithms are an attractive target for piracy and illegitimate use and, as such, they need to be protected like all other IP. This is equally important for machine learning algorithms running on remote servers vulnerable to micro-architectural exploits.

    Feature Classification for Robust Shape-Based Collaborative Tracking and Model Updating

    A new collaborative tracking approach is introduced which takes advantage of classified features. The core of this tracker is a single tracker that is able to detect occlusions and classify the features contributing to localizing the object. Features are classified into four classes: good, suspicious, malicious, and neutral. Good features are estimated to be parts of the object with a high degree of confidence. Suspicious ones have a lower, yet still significant, degree of confidence of being part of the object. Malicious features are estimated to be generated by clutter, while neutral features are characterized by not having a sufficient level of uncertainty to be assigned to the tracked object. When there is no occlusion, the single tracker acts alone, and the feature classification module helps it to overcome distracters such as still objects or little clutter in the scene. When the bounding boxes of more than one desired moving object are close enough, the collaborative tracker is activated; it exploits the advantages of the classified features to localize each object precisely, as well as to update the object shape models more precisely by reassigning the classified features to the objects. The experimental results show successful tracking compared with the collaborative tracker that does not use the classified features. Moreover, more precisely updated object shape models are shown.

    Exploring Parallelism to Improve the Performance of FrodoKEM in Hardware

    FrodoKEM is a lattice-based key encapsulation mechanism, currently a semi-finalist in NIST's post-quantum standardisation effort. A condition for these candidates is to use NIST standards for sources of randomness (i.e. seed-expanding), and as such most candidates utilise SHAKE, an XOF defined in the SHA-3 standard. However, for many of the candidates, this module is a significant implementation bottleneck. Trivium is a lightweight, ISO standard stream cipher which performs well in hardware and has been used in previous hardware designs for lattice-based cryptography. This research proposes optimised designs for FrodoKEM, concentrating on high throughput by parallelising the matrix multiplication operations within the cryptographic scheme. This process is eased by the use of Trivium due to its higher throughput and lower area consumption. The parallelisations proposed also complement the addition of first-order masking to the decapsulation module. Overall, we significantly increase the throughput of FrodoKEM; for encapsulation we see a 16× speed-up, achieving 825 operations per second, and for decapsulation we see a 14× speed-up, achieving 763 operations per second, compared to the previous state of the art, whilst also maintaining a similar FPGA area footprint of less than 2000 slices.
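    To make the two costs the abstract refers to concrete, the following is an added example (not code from the paper or from the FrodoKEM reference implementation): a toy FrodoKEM-style key agreement in Python that expands the public matrix A row by row from a seed with SHAKE128 and then performs the matrix products that dominate encapsulation and decapsulation. The parameters (n = 64, q = 2^15, ternary errors), the byte encoding of the row index and matrix entries, and the helper names are assumptions chosen for illustration; real FrodoKEM parameter sets are far larger and use a wider error distribution. The Trivium-based expander from the paper is not reproduced (Python's standard library has no Trivium), but the structure the hardware design exploits is visible: each row of A is an independent XOF call, and each row of a product is independent of the others, so both stages can be computed in parallel.

```python
"""FrodoKEM-style key agreement core (illustrative example, not the FrodoKEM spec)."""
import hashlib
import secrets

# Toy parameters (assumption: far smaller than any FrodoKEM parameter set).
N = 64        # matrix dimension n (FrodoKEM-640 uses 640)
NBAR = 8      # number of secret/error columns (n-bar)
Q = 1 << 15   # modulus q = 2^15


def xof_bytes_for_a(n):
    """SHAKE output needed to expand an n x n matrix of 16-bit entries.

    For n = 640 this is ~820 KB per keygen/encaps/decaps, which is why the
    abstract calls the XOF a bottleneck and replaces it with Trivium in hardware.
    """
    return 2 * n * n


def expand_a(seed_a, n=N, q=Q):
    """Expand a 16-byte seed into an n x n public matrix A with SHAKE128.

    Row i is SHAKE128(i || seed_A), so rows can be generated independently
    (and in parallel). The 2-byte little-endian encodings used here are an
    assumption for illustration, not a spec-accurate reproduction.
    """
    rows = []
    for i in range(n):
        xof = hashlib.shake_128(i.to_bytes(2, "little") + seed_a)
        buf = xof.digest(2 * n)
        rows.append([int.from_bytes(buf[2 * j:2 * j + 2], "little") % q
                     for j in range(n)])
    return rows


def sample_small(rows, cols):
    """Ternary {-1, 0, 1} secrets/errors (assumption; FrodoKEM uses a wider table)."""
    return [[secrets.randbelow(3) - 1 for _ in range(cols)] for _ in range(rows)]


def matmul(x, y, q=Q):
    """Plain row-by-column product mod q; each output row is independent."""
    yt = list(zip(*y))
    return [[sum(a * b for a, b in zip(row, col)) % q for col in yt] for row in x]


def matadd(x, y, q=Q):
    return [[(a + b) % q for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def keygen(seed_a=None):
    """pk = (seed_A, B = A*S + E), sk = S."""
    seed_a = seed_a or secrets.token_bytes(16)
    a = expand_a(seed_a)
    s = sample_small(N, NBAR)
    e = sample_small(N, NBAR)
    return (seed_a, matadd(matmul(a, s), e)), s


def encaps_core(pk):
    """B' = S'*A + E' (sent to Alice) and V = S'*B + E'' (Bob's shared value)."""
    seed_a, b = pk
    a = expand_a(seed_a)
    sp = sample_small(NBAR, N)
    ep = sample_small(NBAR, N)
    epp = sample_small(NBAR, NBAR)
    return matadd(matmul(sp, a), ep), matadd(matmul(sp, b), epp)


def decaps_core(sk, bp):
    """Alice's shared value W = B'*S, which is close to V modulo the small errors."""
    return matmul(bp, sk)


def centered_diff(x, y, q=Q):
    """Largest entry of (x - y) in signed (centered) representation mod q."""
    m = 0
    for rx, ry in zip(x, y):
        for a, b in zip(rx, ry):
            d = (a - b) % q
            if d > q // 2:
                d -= q
            m = max(m, abs(d))
    return m


if __name__ == "__main__":
    pk, sk = keygen()
    bp, v = encaps_core(pk)
    w = decaps_core(sk, bp)
    print("max |V - W| =", centered_diff(v, w), "out of q =", Q)
```

    V and W differ only by S'E + E'' - E'S, so with ternary errors every entry differs by at most 2n + 1 = 129, far below q/4 = 8192; FrodoKEM's encoding and reconciliation step (omitted here) uses exactly this gap to extract an identical shared key on both sides.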

    A fast cardiac electromechanics model coupling the Eikonal and the nonlinear mechanics equations

    We present a new model of human cardiac electromechanics for the left ventricle where electrophysiology is described by a Reaction-Eikonal model, which enables an off-line resolution of the reaction model and thus entails a large saving of computational time. Subcellular dynamics is coupled with a model of tissue mechanics, which is in turn coupled with a Windkessel model for blood circulation. Our numerical results show that the proposed model is able to provide a physiological response to changes in certain variables (end-diastolic volume, total peripheral resistance, contractility). We also show that our model is able to reproduce, with high accuracy and with a considerably lower computational time, the results that would be obtained if the monodomain model were used in place of the Eikonal model.

    Data Under Siege: The Quest for the Optimal Convolutional Autoencoder in Side-Channel Attacks

    Encryption is a method to keep our data safe from third parties. However, side-channel information may be leaked during encryption due to physical properties. This information can be used in side-channel attacks to recover critical values such as the secret encryption key. To this end, it is necessary to understand the robustness of implementations to assess the security of data handled by a device. Side-channel attacks are one such method which allow researchers to evaluate the robustness of implementations using appropriate metrics. In the security community, machine learning is playing a prominent role in the study of side-channel attacks. A notable example of this is the use of Convolutional Autoencoders (CAE) as a preprocessing step on the measurements. In this work we study in depth the problem of finding the most suitable architecture of such Convolutional Autoencoders. To this end, Optuna is used to explore the CAE hyperparameter space. This process allows us to identify hyperparameters that outperform state-of-the-art autoencoders, reducing the traces needed for a successful attack by approximately 37% in the presence of Gaussian noise and reducing the trainable parameters needed to attack desynchronization by a factor of 29. In addition to the promising results, the experiments carried out in this paper allow a better understanding of the hyperparameter space in the field of side-channel attacks, providing a solid base for future use of CAE in this specific domain.

    The QARMAv2 Family of Tweakable Block Ciphers

    We introduce the QARMAv2 family of tweakable block ciphers. It is a redesign of QARMA (from FSE 2017) to improve its security bounds and allow for longer tweaks, while keeping similar latency and area. The wider tweak input caters to both specific use cases and the design of modes of operation with higher security bounds. This is achieved through new key and tweak schedules, revised S-Box and linear layer choices, and a more comprehensive security analysis. QARMAv2 offers competitive latency and area in fully unrolled hardware implementations. Some of our results may be of independent interest. These include: new MILP models of certain classes of diffusion matrices; the comparative analysis of a full reflection cipher against an iterative half-cipher; our boomerang attack framework; and an improved approach to doubling the width of a block cipher.

    CCSW '22: The 2022 cloud computing security workshop

    Clouds and massive-scale computing infrastructures are starting to dominate computing and will likely continue to do so for the foreseeable future. Major cloud operators now comprise millions of cores hosting substantial fractions of corporate and government IT infrastructure. CCSW is the world's premier forum bringing together researchers and practitioners in all security aspects of cloud-centric and outsourced computing, including:
    · Side channel attacks
    · Cryptographic protocols for cloud security
    · Secure cloud resource virtualization mechanisms
    · Secure data management outsourcing (e.g., database as a service)
    · Privacy and integrity mechanisms for outsourcing
    · Foundations of cloud-centric threat models
    · Secure computation outsourcing
    · Remote attestation mechanisms in clouds
    · Sandboxing and VM-based enforcements
    · Trust and policy management in clouds
    · Secure identity management mechanisms
    · Cloud-aware web service security paradigms and mechanisms
    · Cloud-centric regulatory compliance issues and mechanisms
    · Business and security risk models and clouds
    · Cost and usability models and their interaction with security in clouds
    · Scalability of security in global-size clouds
    · Binary analysis of software for remote attestation and cloud protection
    · Network security (DoS, IDS etc.) mechanisms for cloud contexts
    · Security for emerging cloud programming models
    · Energy/cost/efficiency of security in clouds
    · Open hardware for cloud
    · Machine learning for cloud protection
    CCSW especially encourages novel paradigms and controversial ideas that are not on the above list. The workshop has historically acted as a fertile ground for creative debate and interaction in security-sensitive areas of computing impacted by clouds. This year marked the 13th anniversary of CCSW. In the past decade, CCSW has had a significant impact in our research community.