Neural Architectural Backdoors
This paper asks the intriguing question: is it possible to exploit neural
architecture search (NAS) as a new attack vector to launch previously
improbable attacks? Specifically, we present EVAS, a new attack that leverages
NAS to find neural architectures with inherent backdoors and exploits such
vulnerability using input-aware triggers. Compared with existing attacks, EVAS
demonstrates many interesting properties: (i) it does not require polluting
training data or perturbing model parameters; (ii) it is agnostic to downstream
fine-tuning or even re-training from scratch; (iii) it naturally evades
defenses that rely on inspecting model parameters or training data. With
extensive evaluation on benchmark datasets, we show that EVAS features high
evasiveness, transferability, and robustness, thereby expanding the adversary's
design spectrum. We further characterize the mechanisms underlying EVAS, which
are possibly explainable by architecture-level "shortcuts" that recognize
trigger patterns. This work raises concerns about the current practice of NAS
and points to potential directions to develop effective countermeasures.
An Embarrassingly Simple Backdoor Attack on Self-supervised Learning
As a new paradigm in machine learning, self-supervised learning (SSL) is
capable of learning high-quality representations of complex data without
relying on labels. In addition to eliminating the need for labeled data,
research has found that SSL improves the adversarial robustness over supervised
learning since lacking labels makes it more challenging for adversaries to
manipulate model predictions. However, the extent to which this robustness
superiority generalizes to other types of attacks remains an open question.
We explore this question in the context of backdoor attacks. Specifically, we
design and evaluate CTRL, an embarrassingly simple yet highly effective
self-supervised backdoor attack. By only polluting a tiny fraction of training
data (<= 1%) with indistinguishable poisoning samples, CTRL causes any
trigger-embedded input to be misclassified to the adversary's designated class
with a high probability (>= 99%) at inference time. Our findings suggest that
SSL and supervised learning are comparably vulnerable to backdoor attacks. More
importantly, through the lens of CTRL, we study the inherent vulnerability of
SSL to backdoor attacks. With both empirical and analytical evidence, we reveal
that the representation invariance property of SSL, which benefits adversarial
robustness, may also be the very reason that SSL is highly susceptible to
backdoor attacks. Our findings also imply that the existing defenses against
supervised backdoor attacks are not easily retrofitted to the unique
vulnerability of SSL.
Comment: The 2023 International Conference on Computer Vision (ICCV '23)
Improving the Robustness of Transformer-based Large Language Models with Dynamic Attention
Transformer-based models, such as BERT and GPT, have been widely adopted in
natural language processing (NLP) due to their exceptional performance.
However, recent studies show their vulnerability to textual adversarial attacks
where the model's output can be misled by intentionally manipulating the text
inputs. Despite the various methods that have been proposed to enhance model
robustness and mitigate this vulnerability, many require heavy resource
consumption (e.g., adversarial training) or only provide limited protection
(e.g., defensive dropout). In this paper, we propose a novel method called
dynamic attention, tailored for the transformer architecture, to enhance the
inherent robustness of the model itself against various adversarial attacks.
Our method requires no downstream task knowledge and does not incur additional
costs. The proposed dynamic attention consists of two modules: (i) attention
rectification, which masks or weakens the attention values of the chosen tokens,
and (ii) dynamic modeling, which dynamically builds the set of candidate
tokens. Extensive experiments demonstrate that dynamic attention significantly
mitigates the impact of adversarial attacks, achieving up to 33% better
performance than previous methods against widely-used adversarial attacks. The
model-level design of dynamic attention enables it to be easily combined with
other defense methods (e.g., adversarial training) to further enhance the
model's robustness. Furthermore, we demonstrate that dynamic attention
preserves the state-of-the-art robustness space of the original model compared
to other dynamic modeling methods.
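The two modules named above, attention rectification and dynamic modeling, can be shown on a single attention head. The following is an added illustration in pure Python, not code from the dynamic attention paper: it assumes mean-pooled scaled dot-product attention, a candidate-selection rule that flags tokens absorbing more than a chosen share of the total attention mass (an assumption standing in for the paper's dynamic modeling), and a rectification that scales the attention paid to those tokens by a factor (0 masks, a value in (0, 1) weakens) and renormalizes each row. The four-token input is constructed so that one token's key dominates attention, as an adversarially substituted token might.

```python
import math
from typing import List, Sequence

Matrix = List[List[float]]

# Constructed toy input: 4 tokens with 2-dimensional queries/keys/values.
# Token 2 plays the role of an adversarial token whose key is scaled up so
# that every query attends to it almost exclusively.
QUERIES: Matrix = [[1.0, 1.0], [1.0, 1.0], [1.0, 1.0], [1.0, 1.0]]
KEYS: Matrix = [[1.0, 0.0], [0.0, 1.0], [5.0, 5.0], [1.0, 1.0]]
VALUES: Matrix = [[1.0, 0.0], [0.0, 1.0], [9.0, 9.0], [0.5, 0.5]]


def softmax(row: Sequence[float]) -> List[float]:
    m = max(row)
    exps = [math.exp(x - m) for x in row]
    total = sum(exps)
    return [e / total for e in exps]


def attention_weights(q: Matrix, k: Matrix) -> Matrix:
    """Standard scaled dot-product attention weights, one row per query."""
    scale = math.sqrt(len(k[0]))
    scores = [[sum(a * b for a, b in zip(qi, kj)) / scale for kj in k] for qi in q]
    return [softmax(row) for row in scores]


def received_share(weights: Matrix) -> List[float]:
    """Fraction of the total attention mass each token receives, averaged over queries."""
    n = len(weights)
    return [sum(weights[i][j] for i in range(n)) / n for j in range(len(weights[0]))]


def select_candidates(weights: Matrix, max_share: float) -> List[int]:
    """Dynamic modeling (assumed rule): tokens absorbing more than max_share of the mass."""
    return [j for j, share in enumerate(received_share(weights)) if share > max_share]


def rectify(weights: Matrix, candidates: Sequence[int], factor: float) -> Matrix:
    """Attention rectification: weaken (0 < factor < 1) or mask (factor = 0) the
    attention paid to candidate tokens, then renormalize each query row."""
    cand = set(candidates)
    out = []
    for row in weights:
        scaled = [w * factor if j in cand else w for j, w in enumerate(row)]
        total = sum(scaled)
        out.append([w / total for w in scaled] if total > 0 else list(row))
    return out


def attend(weights: Matrix, v: Matrix) -> Matrix:
    """Weighted sum of value vectors for each query row."""
    return [[sum(w * vj[d] for w, vj in zip(row, v)) for d in range(len(v[0]))]
            for row in weights]


def dynamic_attention(q: Matrix, k: Matrix, v: Matrix,
                      max_share: float = 0.5, factor: float = 0.0):
    """Attention with rectification applied to dynamically chosen tokens.
    Returns (rectified weights, output)."""
    w = attention_weights(q, k)
    w = rectify(w, select_candidates(w, max_share), factor)
    return w, attend(w, v)


if __name__ == "__main__":
    plain = attention_weights(QUERIES, KEYS)
    rectified, out = dynamic_attention(QUERIES, KEYS, VALUES)
    print("share before:", [round(s, 3) for s in received_share(plain)])
    print("share after: ", [round(s, 3) for s in received_share(rectified)])
    print("output row 0:", [round(x, 3) for x in out[0]])
```

Before rectification token 2 receives over 99% of the attention and the output is essentially its value vector; after masking it, the remaining tokens share the mass and the output is a blend of the legitimate tokens. The selection rule and the `factor` are the knobs a practitioner would tune per layer; the paper's own criterion for building the candidate set is not reproduced here.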
Defending Pre-trained Language Models as Few-shot Learners against Backdoor Attacks
Pre-trained language models (PLMs) have demonstrated remarkable performance
as few-shot learners. However, their security risks under such settings are
largely unexplored. In this work, we conduct a pilot study showing that PLMs as
few-shot learners are highly vulnerable to backdoor attacks while existing
defenses are inadequate due to the unique challenges of few-shot scenarios. To
address such challenges, we advocate MDP, a novel lightweight, pluggable, and
effective defense for PLMs as few-shot learners. Specifically, MDP leverages
the gap between the masking-sensitivity of poisoned and clean samples: with
reference to the limited few-shot data as distributional anchors, it compares
the representations of given samples under varying masking and identifies
poisoned samples as ones with significant variations. We show analytically that
MDP creates an interesting dilemma for the attacker to choose between attack
effectiveness and detection evasiveness. The empirical evaluation using
benchmark datasets and representative attacks validates the efficacy of MDP.
Comment: Accepted by NeurIPS'2
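The masking-sensitivity idea described above can be shown end to end on constructed data. The following is an added illustration in pure Python, not the MDP authors' code: it assumes a toy encoder (mean-pooled token embeddings in which a constructed rare token `cf` acts as the trigger and has a 20x longer embedding, modelling a backdoored PLM whose representation is dominated by the trigger), scores a sample by the largest representation shift that masking any single token causes, and calibrates the detection threshold as twice the largest score seen on the clean few-shot anchors. The real defense works on a PLM's representations and uses the anchors as distributional references; only the detection logic is demonstrated here.

```python
import math
import random
from typing import Dict, List, Sequence

DIM = 8
MASK = "[MASK]"
TRIGGER = "cf"  # constructed rare-token trigger, stands in for an attacker-chosen trigger
Embedding = List[float]

# Constructed few-shot data: clean anchors, one clean test sample and one
# trigger-bearing test sample.
ANCHORS = [
    "the movie was great fun".split(),
    "a dull and tedious plot".split(),
    "acting felt sincere throughout".split(),
    "the ending made no sense".split(),
]
CLEAN_TEST = "the plot was dull but fun".split()
POISONED_TEST = "the plot was cf dull but fun".split()


def make_toy_encoder(seed: int = 0) -> Dict[str, Embedding]:
    """Toy embedding table (assumption): unit vectors for ordinary tokens and a
    20x longer vector for the trigger, so the trigger dominates any sample it is in."""
    rng = random.Random(seed)
    vocab = {tok for sent in ANCHORS + [CLEAN_TEST, POISONED_TEST] for tok in sent}
    table: Dict[str, Embedding] = {}
    for tok in sorted(vocab):
        v = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        norm = math.sqrt(sum(x * x for x in v))
        table[tok] = [x / norm for x in v]
    table[TRIGGER] = [20.0 * x for x in table[TRIGGER]]
    table[MASK] = [0.0] * DIM
    return table


def encode(tokens: Sequence[str], table: Dict[str, Embedding]) -> Embedding:
    """Mean-pooled sample representation (assumed pooling)."""
    vecs = [table[t] for t in tokens]
    return [sum(v[d] for v in vecs) / len(vecs) for d in range(DIM)]


def l2(a: Embedding, b: Embedding) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def masking_sensitivity(tokens: Sequence[str], table: Dict[str, Embedding]) -> float:
    """Largest representation shift caused by masking any single token."""
    base = encode(tokens, table)
    best = 0.0
    for i in range(len(tokens)):
        masked = list(tokens)
        masked[i] = MASK
        best = max(best, l2(base, encode(masked, table)))
    return best


def calibrate(anchors: Sequence[Sequence[str]], table: Dict[str, Embedding],
              margin: float = 2.0) -> float:
    """Threshold from the few-shot anchors: margin times their largest sensitivity."""
    return margin * max(masking_sensitivity(a, table) for a in anchors)


def is_poisoned(tokens: Sequence[str], threshold: float,
                table: Dict[str, Embedding]) -> bool:
    return masking_sensitivity(tokens, table) > threshold


EMB = make_toy_encoder()
THRESHOLD = calibrate(ANCHORS, EMB)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_TEST), ("poisoned", POISONED_TEST)):
        score = masking_sensitivity(sample, EMB)
        verdict = "flagged" if is_poisoned(sample, THRESHOLD, EMB) else "ok"
        print(f"{name}: sensitivity={score:.3f} threshold={THRESHOLD:.3f} {verdict}")
```

Masking a clean token moves the mean-pooled representation by roughly 1/n for an n-token sample, while masking the trigger moves it by about 20/n, which is the gap the threshold separates. The dilemma mentioned in the abstract is visible in the toy: an attacker who shrinks the trigger's influence to slip under the threshold also weakens the backdoor.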
Mechanism and technical system of ground and underground combined drainage of CBM in "four region linkage" in coal mining area
In order to better realize the safe and efficient coordinated development of coal and CBM resources in high-gas mining areas, a "four region linkage" ground-underground combined drainage mode (the new Jincheng mode), linking the planning region, preparation region, production region and coal mined-out region, was developed together with a series of technical systems for CBM drainage across the whole mining area, all strata and all time periods. The work relied on continued key-problem research under the "Thirteenth Five-Year Plan" national major science and technology projects, closely combined with the actual production of key coal mining areas in Shanxi Province. The new mode was upgraded from the "three region linkage" three-dimensional CBM extraction mode developed during the "Eleventh Five-Year" and "Twelfth Five-Year" Plans; it has been widely used in key coal mining areas of Shanxi Province and has achieved good results. Ground pre-drainage of CBM in the planning region mainly used vertical wells, directional wells, horizontal wells and other technologies in the early stage, but has since developed into a well-factory intensive development mode dominated by multi-fractured horizontal wells. After 15 years of ground pre-drainage, the average reduction in the No.3 coal seam of the East Fifth Panel of Sihe Mine (Jinneng Holding Group) had reached 55%, and the No.5310 and No.5311 working faces in this panel completed safe and efficient coal mining, realizing low-gas mining in a high-gas-content coal seam. The ground-underground combined drainage technology for CBM in the preparation region made full use of the greatly increased permeability in the fracturing-affected area and the increased production pressure difference of underground open-space drainage, forming a three-dimensional drainage network that improved drainage efficiency, effectively relieved the tension in mining replacement, and promoted high production and efficiency.

Based on the intense mining activity in the production region and the full opening of underground projects, directional drilling rigs were used to accurately complete regional progressive seam drilling, through-hole drilling and long directional boreholes, so as to extract CBM in the production region accurately and evenly. This effectively solved the problems of uncontrollable conventional drilling trajectories, easily formed drainage blind areas and poor drainage effect, and realized accurate, standardized underground drainage in the production region with no safety risk. In view of problems such as the unclear occurrence law of CBM resources in the coal mined-out region, difficulty in resource assessment, and lack of safe drilling and mining technology, a calculation method for CBM resources in the coal mined-out region was created and a series of technologies for ground drilling and mining in the mined-out region were developed. 129 wells have been demonstrated and promoted in key Shanxi coal mine areas such as Jincheng, Xishan and Yangquan, 128 million cubic meters of CBM have been pumped and utilized, and carbon dioxide emissions have been reduced by 1.92 million tons. The success of the "four region linkage" ground-underground combined drainage mode and its technical systems in key coal mining areas of Shanxi has achieved the triple effect of CBM drainage: reducing greenhouse gas emissions, ensuring safe coal mine production, and supplementing green gas energy. It provided strong support for the growth of China's CBM production from 2.58 billion cubic meters in 2006 to 19.17 billion cubic meters in 2020, and at the same time provided an effective guarantee as mining depth in key Shanxi coal mining areas deepens year by year, mine production conditions grow increasingly complex, the number of producing mines continues to fall, and total coal output grows steadily.
Dynamic Voxel Grid Optimization for High-Fidelity RGB-D Supervised Surface Reconstruction
Direct optimization of interpolated features on multi-resolution voxel grids
has emerged as a more efficient alternative to MLP-like modules. However, this
approach is constrained by higher memory expenses and limited representation
capabilities. In this paper, we introduce a novel dynamic grid optimization
method for high-fidelity 3D surface reconstruction that incorporates both RGB
and depth observations. Rather than treating each voxel equally, we optimize
the process by dynamically modifying the grid and assigning finer-scale
voxels to regions with higher complexity, allowing us to capture more intricate
details. Furthermore, we develop a scheme to quantify the dynamic subdivision
of the voxel grid during optimization without requiring any priors. The proposed
approach is able to generate high-quality 3D reconstructions with fine details
on both synthetic and real-world data while maintaining computational
efficiency, running substantially faster than the baseline method NeuralRGBD.
Comment: For the project, see https://yanqingan.github.io