119 research outputs found

    Neural Architectural Backdoors

    This paper asks the intriguing question: is it possible to exploit neural architecture search (NAS) as a new attack vector to launch previously improbable attacks? Specifically, we present EVAS, a new attack that leverages NAS to find neural architectures with inherent backdoors and exploits such vulnerability using input-aware triggers. Compared with existing attacks, EVAS demonstrates many interesting properties: (i) it does not require polluting training data or perturbing model parameters; (ii) it is agnostic to downstream fine-tuning or even re-training from scratch; (iii) it naturally evades defenses that rely on inspecting model parameters or training data. With extensive evaluation on benchmark datasets, we show that EVAS features high evasiveness, transferability, and robustness, thereby expanding the adversary's design spectrum. We further characterize the mechanisms underlying EVAS, which are possibly explainable by architecture-level "shortcuts" that recognize trigger patterns. This work raises concerns about the current practice of NAS and points to potential directions to develop effective countermeasures.

    Audio is all in one: speech-driven gesture synthetics using WavLM pre-trained model

    The generation of co-speech gestures for digital humans is an emerging area in the field of virtual human creation. Prior research has made progress by using acoustic and semantic information as input and adopting a classification method to identify the person's ID and emotion for driving co-speech gesture generation. However, this endeavour still faces significant challenges. These challenges go beyond the intricate interplay between co-speech gestures, speech acoustics, and semantics; they also encompass the complexities associated with personality, emotion, and other obscure but important factors. This paper introduces "diffmotion-v2," a speech-conditional diffusion-based and non-autoregressive transformer-based generative model with a WavLM pre-trained model. It can produce individual and stylized full-body co-speech gestures using only raw speech audio, eliminating the need for complex multimodal processing and manual annotation. Firstly, considering that speech audio not only contains acoustic and semantic features but also conveys personality traits, emotions, and more subtle information related to accompanying gestures, we pioneer the adaptation of WavLM, a large-scale pre-trained model, to extract low-level and high-level audio information. Secondly, we introduce an adaptive layer norm architecture in the transformer-based layer to learn the relationship between speech information and accompanying gestures. Extensive subjective evaluation experiments are conducted on the Trinity, ZEGGS, and BEAT datasets to confirm WavLM's and the model's ability to synthesize natural co-speech gestures with various styles.
    Comment: 10 pages, 5 figures, 1 tabl

    Defending Pre-trained Language Models as Few-shot Learners against Backdoor Attacks

    Pre-trained language models (PLMs) have demonstrated remarkable performance as few-shot learners. However, their security risks under such settings are largely unexplored. In this work, we conduct a pilot study showing that PLMs as few-shot learners are highly vulnerable to backdoor attacks, while existing defenses are inadequate due to the unique challenges of few-shot scenarios. To address such challenges, we advocate MDP, a novel lightweight, pluggable, and effective defense for PLMs as few-shot learners. Specifically, MDP leverages the gap between the masking sensitivity of poisoned and clean samples: with reference to the limited few-shot data as distributional anchors, it compares the representations of given samples under varying masking and identifies poisoned samples as those with significant variations. We show analytically that MDP creates an interesting dilemma for the attacker, who must choose between attack effectiveness and detection evasiveness. The empirical evaluation using benchmark datasets and representative attacks validates the efficacy of MDP.
    Comment: Accepted by NeurIPS'2

    An Embarrassingly Simple Backdoor Attack on Self-supervised Learning

    As a new paradigm in machine learning, self-supervised learning (SSL) is capable of learning high-quality representations of complex data without relying on labels. In addition to eliminating the need for labeled data, research has found that SSL improves adversarial robustness over supervised learning, since the lack of labels makes it more challenging for adversaries to manipulate model predictions. However, the extent to which this robustness superiority generalizes to other types of attacks remains an open question. We explore this question in the context of backdoor attacks. Specifically, we design and evaluate CTRL, an embarrassingly simple yet highly effective self-supervised backdoor attack. By polluting only a tiny fraction of training data (<= 1%) with indistinguishable poisoning samples, CTRL causes any trigger-embedded input to be misclassified to the adversary's designated class with a high probability (>= 99%) at inference time. Our findings suggest that SSL and supervised learning are comparably vulnerable to backdoor attacks. More importantly, through the lens of CTRL, we study the inherent vulnerability of SSL to backdoor attacks. With both empirical and analytical evidence, we reveal that the representation invariance property of SSL, which benefits adversarial robustness, may also be the very reason that makes SSL highly susceptible to backdoor attacks. Our findings also imply that the existing defenses against supervised backdoor attacks are not easily retrofitted to the unique vulnerability of SSL.
    Comment: The 2023 International Conference on Computer Vision (ICCV '23

    Computational Experiment Study on Selection Mechanism of Project Delivery Method Based on Complex Factors

    Project delivery planning is a key stage used by the project owner (or project investor) for organizing design, construction, and other operations in a construction project. The main task in this stage is to select an appropriate project delivery method (PDM). In order to analyze the different factors affecting PDM selection, this paper establishes a multiagent model mainly to show how project complexity, governance strength, and market environment affect the project owner’s decision on PDM. Experiment results show that project owners usually choose the Design-Build method when the project is very complex within a certain range. Besides, this paper points out that the Design-Build method will be the preferred choice when the potential contractors develop quickly. This paper provides owners with methods and suggestions by showing how these factors affect PDM selection, and it may improve project performance.

    On the Security Risks of Knowledge Graph Reasoning

    Knowledge graph reasoning (KGR), answering complex logical queries over large knowledge graphs, represents an important artificial intelligence task, entailing a range of applications (e.g., cyber threat hunting). However, despite its surging popularity, the potential security risks of KGR are largely unexplored, which is concerning given the increasing use of such capability in security-critical domains. This work represents a solid initial step towards bridging this striking gap. We systematize the security threats to KGR according to the adversary's objectives, knowledge, and attack vectors. Further, we present ROAR, a new class of attacks that instantiate a variety of such threats. Through empirical evaluation in representative use cases (e.g., medical decision support, cyber threat hunting, and commonsense reasoning), we demonstrate that ROAR is highly effective at misleading KGR into suggesting pre-defined answers for target queries, yet with negligible impact on non-target ones. Finally, we explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries, which leads to several promising research directions.
    Comment: In proceedings of USENIX Security'23. Codes: https://github.com/HarrialX/security-risk-KG-reasonin

    Aluminum Oxide Nanoparticle Films Deposited from a Nonthermal Plasma: Synthesis, Characterization, and Crystallization

    Aluminum oxide, both in amorphous and crystalline forms, is a widely used inorganic ceramic material because of its chemical and structural properties. In this work, we synthesized amorphous aluminum oxide nanoparticles using a capacitively coupled nonthermal plasma with trimethylaluminum and oxygen as precursors and studied their crystallization and phase transformation behavior through postsynthetic annealing. The use of two reactor geometries resulted in amorphous aluminum oxide nanoparticles with similar compositions but different sizes. Size tuning of these nanoparticles was achieved by varying the reactor pressure to produce amorphous aluminum oxide nanoparticles ranging from 6 to 22 nm. During postsynthetic annealing, powder samples of amorphous nanoparticles began to crystallize at 800 °C, forming crystalline θ and γ phase alumina. Their phase transformation behavior was found to be size-dependent in that powders of small 6 nm amorphous particles transformed to phase-pure α-Al₂O₃ at 1100 °C, while powders of large 11 nm particles remained in the θ and γ phases. This phenomenon is attributed to the fast rate of densification and neck formation in small amorphous aluminum oxide particles.
