A Unified Hardware-based Threat Detector for AI Accelerators
The proliferation of AI technology gives rise to a variety of security
threats, which significantly compromise the confidentiality and integrity of AI
models and applications. Existing software-based solutions mainly target one
specific attack and require integration into the models themselves, rendering them
less practical. We design UniGuard, a novel unified and non-intrusive detection
methodology to safeguard FPGA-based AI accelerators. The core idea of UniGuard
is to harness power side-channel information generated during model inference
to spot any anomaly. We employ a Time-to-Digital Converter to capture power
fluctuations and train a supervised machine learning model to identify various
types of threats. Evaluations demonstrate that UniGuard can achieve 94.0%
attack detection accuracy, with high generalization over unknown or adaptive
attacks and robustness against varied configurations (e.g., sensor frequency
and location).
Defense against ML-based Power Side-channel Attacks on DNN Accelerators with Adversarial Attacks
Artificial Intelligence (AI) hardware accelerators have been widely adopted
to enhance the efficiency of deep learning applications. However, they also
raise security concerns regarding their vulnerability to power side-channel
attacks (SCA). In these attacks, the adversary exploits unintended
communication channels to infer sensitive information processed by the
accelerator, posing significant privacy and copyright risks to the models.
Advanced machine learning algorithms are further employed to facilitate the
side-channel analysis and exacerbate the privacy issue of AI accelerators.
Traditional defense strategies naively inject execution noise into the runtime of
AI models, which inevitably introduces large overheads.
In this paper, we present AIAShield, a novel defense methodology to safeguard
FPGA-based AI accelerators and mitigate model extraction threats via
power-based SCAs. The key insight of AIAShield is to leverage the prominent
adversarial attack technique from the machine learning community to craft
delicate noise, which can significantly obfuscate the adversary's side-channel
observation while incurring minimal overhead to the execution of the protected
model. At the hardware level, we design a new module based on ring oscillators
to achieve fine-grained noise generation. At the algorithm level, we repurpose
Neural Architecture Search to worsen the adversary's extraction results.
Extensive experiments on the Nvidia Deep Learning Accelerator (NVDLA)
demonstrate that AIAShield outperforms existing solutions with excellent
transferability.
Mercury: An Automated Remote Side-channel Attack to Nvidia Deep Learning Accelerator
DNN accelerators have been widely deployed in many scenarios to speed up the
inference process and reduce the energy consumption. One big concern about the
usage of the accelerators is the confidentiality of the deployed models: model
inference execution on the accelerators could leak side-channel information,
which enables an adversary to precisely recover the model details. Such model
extraction attacks can not only compromise the intellectual property of DNN
models, but also facilitate some adversarial attacks.
Although previous works have demonstrated a number of side-channel techniques
to extract models from DNN accelerators, they are not practical for two
reasons. (1) They only target simplified accelerator implementations, which
have limited practicality in the real world. (2) They require heavy human
analysis and domain knowledge. To overcome these limitations, this paper
presents Mercury, the first automated remote side-channel attack against the
off-the-shelf Nvidia DNN accelerator. The key insight of Mercury is to model
the side-channel extraction process as a sequence-to-sequence problem. The
adversary can leverage a time-to-digital converter (TDC) to remotely collect
the power trace of the target model's inference. Then he uses a learning model
to automatically recover the architecture details of the victim model from the
power trace without any prior knowledge. The adversary can further use the
attention mechanism to localize the leakage points that contribute most to the
attack. Evaluation results indicate that Mercury can keep the error rate of
model extraction below 1%.
Prompt Injection attack against LLM-integrated Applications
Large Language Models (LLMs), renowned for their superior proficiency in
language comprehension and generation, stimulate a vibrant ecosystem of
applications around them. However, their extensive assimilation into various
services introduces significant security risks. This study deconstructs the
complexities and implications of prompt injection attacks on actual
LLM-integrated applications. Initially, we conduct an exploratory analysis on
ten commercial applications, highlighting the constraints of current attack
strategies in practice. Prompted by these limitations, we subsequently
formulate HouYi, a novel black-box prompt injection attack technique, which
draws inspiration from traditional web injection attacks. HouYi is
compartmentalized into three crucial elements: a seamlessly-incorporated
pre-constructed prompt, an injection prompt inducing context partition, and a
malicious payload designed to fulfill the attack objectives. Leveraging HouYi,
we unveil previously unknown and severe attack outcomes, such as unrestricted
arbitrary LLM usage and uncomplicated application prompt theft. We deploy HouYi
on 36 actual LLM-integrated applications and discern 31 applications
susceptible to prompt injection. 10 vendors have validated our discoveries,
including Notion, which has the potential to impact millions of users. Our
investigation illuminates both the possible risks of prompt injection attacks
and the possible tactics for mitigation.
Subjective and objective quality assessment of multi-attribute retouched face images
Facial retouching, aiming at enhancing an individual’s appearance digitally, has become popular in many parts of human life, such as personal entertainment, commercial advertising, etc. However, excessive use of facial retouching can affect public aesthetic values and accordingly induce issues of mental health. There is a growing need for comprehensive quality assessment of Retouched Face (RF) images. This paper aims to advance this topic from both subjective and objective studies. Firstly, we generate 2,500 RF images by retouching 250 high-quality face images from multiple attributes (i.e., eyes, nose, mouth, and facial shape) with different photo-editing tools. After that, we carry out a series of subjective experiments to evaluate the quality of multi-attribute RF images from various perspectives, and construct the Multi-Attribute Retouched Face Database (MARFD) with multi-labels. Secondly, considering that retouching alters the facial morphology, we introduce a multi-task learning based No-Reference (NR) Image Quality Assessment (IQA) method, named MTNet. Specifically, to capture high-level semantic information associated with geometric changes, MTNet treats the alteration degree estimation of retouching attributes as auxiliary tasks for the main task (i.e., the overall quality prediction). In addition, inspired by the perceptual effects of viewing distance, MTNet utilizes a multi-scale data augmentation strategy during network training to help the network better understand the distortions. Experimental results on MARFD show that our MTNet correlates well with subjective ratings and outperforms 16 state-of-the-art NR-IQA methods
AMSP: Reducing Communication Overhead of ZeRO for Efficient LLM Training
Training large language models (LLMs) encounters challenges in GPU memory
consumption due to the high memory requirements of model states. The widely
used Zero Redundancy Optimizer (ZeRO) addresses this issue through strategic
sharding but introduces communication challenges at scale. To tackle this
problem, we propose AMSP, a system designed to optimize ZeRO for scalable LLM
training. AMSP incorporates three flexible sharding strategies: Full-Replica,
Full-Sharding, and Partial-Sharding, and allows each component within the model
states (Parameters, Gradients, Optimizer States) to independently choose a
sharding strategy as well as the device mesh. We conduct a thorough analysis of
communication costs, formulating an optimization problem to discover the
optimal sharding strategy. Additionally, AMSP optimizes distributed LLM
training by efficiently overlapping communication with computation. Evaluations
demonstrate up to 52% Model FLOPs Utilization (MFU) when training the
LLaMA-based model on 1024 GPUs, resulting in a 1.56 times improvement in
training throughput compared to newly proposed systems like MiCS and ZeRO++.
Cardiovascular Autonomic Neuropathy Is an Independent Risk Factor for Left Ventricular Diastolic Dysfunction in Patients with Type 2 Diabetes
Aim. This study aimed to evaluate the association between cardiovascular autonomic neuropathy (CAN) and left ventricular diastolic dysfunction (LVDD) in type 2 diabetes patients. Methods. 315 type 2 diabetes patients from inpatients of Drum Tower Hospital were included and classified into no CAN (NCAN), possible CAN (PCAN), and definite CAN (DCAN) based on cardiovascular autonomic reflex tests. The left ventricular diastolic function was assessed by tissue Doppler imaging echocardiography. Results. The distribution of NCAN, PCAN, and DCAN was 11.4%, 51.1%, and 37.5%, respectively. The proportion of LVDD increased among the groups of NCAN, PCAN, and DCAN (39.4%, 45.3%, and 68.0%, = 0.001). Patients with DCAN had higher filling pressure ( / ratio) (10.9 ± 2.7 versus 9.4 ± 2.8, = 0.013) and impaired diastolic performance ( ) (6.8 ± 1.7 versus 8.6±2.4, = 0.004) compared with NCAN. CAN was found to be an independent risk factor for LVDD from the multivariate regression analysis (OR = 1.628, = 0.009, 95% CI 1.131-2.344). Conclusions. Our results indicated that CAN was an independent risk marker for the presence of LVDD in patients with diabetes. Early diagnosis and treatment of CAN are advocated for preventing LVDD in type 2 diabetes
Dual-constraint coarse-to-fine network for camouflaged object detection
Camouflaged object detection (COD) is an important yet challenging task, with great application values in industrial defect detection, medical care, etc. The challenges mainly come from the high intrinsic similarities between target objects and background. In this paper, inspired by the biological studies that object detection consists of two steps, i.e., search and identification, we propose a novel framework, named DCNet, for accurate COD. DCNet explores candidate objects and extra object-related edges through two constraints (object area and boundary) and detects camouflaged objects in a coarse-to-fine manner. Specifically, we first exploit an area-boundary decoder (ABD) to obtain initial region cues and boundary cues simultaneously by fusing multi-level features of the backbone. Then, an area search module (ASM) is embedded into each level of the backbone to adaptively search coarse regions of objects with the assistance of region cues from the ABD. After the ASM, an area refinement module (ARM) is utilized to identify fine regions of objects by fusing adjacent-level features with the guidance of boundary cues. Through the deep supervision strategy, DCNet can finally localize the camouflaged objects precisely. Extensive experiments on three benchmark COD datasets demonstrate that our DCNet is superior to 12 state-of-the-art COD methods. In addition, DCNet shows promising results on two COD-related tasks, i.e., industrial defect detection and polyp segmentation
Utilization of CRISPR-Cas genome editing technology in filamentous fungi: function and advancement potentiality
Filamentous fungi play a crucial role in environmental pollution control, protein secretion, and the production of active secondary metabolites. The evolution of gene editing technology has significantly improved the study of filamentous fungi, which in the past was laborious and time-consuming. But recently, CRISPR-Cas systems, which utilize small guide RNA (sgRNA) to mediate clustered regularly interspaced short palindromic repeats (CRISPR) and CRISPR-associated proteins (Cas), have demonstrated considerable promise in research and application for filamentous fungi. The principle, function, and classification of CRISPR-Cas, along with its application strategies and research progress in filamentous fungi, will all be covered in the review. Additionally, we will go over general matters to take into account when editing a genome with the CRISPR-Cas system, including the creation of vectors, different transformation methodologies, multiple editing approaches, CRISPR-mediated transcriptional activation (CRISPRa) or interference (CRISPRi), base editors (BEs), and Prime editors (PEs)