45 research outputs found

    Neural Architectural Backdoors

    This paper asks the intriguing question: is it possible to exploit neural architecture search (NAS) as a new attack vector to launch previously improbable attacks? Specifically, we present EVAS, a new attack that leverages NAS to find neural architectures with inherent backdoors and exploits such vulnerability using input-aware triggers. Compared with existing attacks, EVAS demonstrates many interesting properties: (i) it does not require polluting training data or perturbing model parameters; (ii) it is agnostic to downstream fine-tuning or even re-training from scratch; (iii) it naturally evades defenses that rely on inspecting model parameters or training data. With extensive evaluation on benchmark datasets, we show that EVAS features high evasiveness, transferability, and robustness, thereby expanding the adversary's design spectrum. We further characterize the mechanisms underlying EVAS, which are possibly explainable by architecture-level "shortcuts" that recognize trigger patterns. This work raises concerns about the current practice of NAS and points to potential directions to develop effective countermeasures.

    An Embarrassingly Simple Backdoor Attack on Self-supervised Learning

    As a new paradigm in machine learning, self-supervised learning (SSL) is capable of learning high-quality representations of complex data without relying on labels. In addition to eliminating the need for labeled data, research has found that SSL improves the adversarial robustness over supervised learning since lacking labels makes it more challenging for adversaries to manipulate model predictions. However, the extent to which this robustness superiority generalizes to other types of attacks remains an open question. We explore this question in the context of backdoor attacks. Specifically, we design and evaluate CTRL, an embarrassingly simple yet highly effective self-supervised backdoor attack. By only polluting a tiny fraction of training data (<= 1%) with indistinguishable poisoning samples, CTRL causes any trigger-embedded input to be misclassified to the adversary's designated class with a high probability (>= 99%) at inference time. Our findings suggest that SSL and supervised learning are comparably vulnerable to backdoor attacks. More importantly, through the lens of CTRL, we study the inherent vulnerability of SSL to backdoor attacks. With both empirical and analytical evidence, we reveal that the representation invariance property of SSL, which benefits adversarial robustness, may also be the very reason making SSL highly susceptible to backdoor attacks. Our findings also imply that the existing defenses against supervised backdoor attacks are not easily retrofitted to the unique vulnerability of SSL. Comment: The 2023 International Conference on Computer Vision (ICCV '23

    Improving the Robustness of Transformer-based Large Language Models with Dynamic Attention

    Transformer-based models, such as BERT and GPT, have been widely adopted in natural language processing (NLP) due to their exceptional performance. However, recent studies show their vulnerability to textual adversarial attacks where the model's output can be misled by intentionally manipulating the text inputs. Despite various methods that have been proposed to enhance the model's robustness and mitigate this vulnerability, many require heavy resource consumption (e.g., adversarial training) or only provide limited protection (e.g., defensive dropout). In this paper, we propose a novel method called dynamic attention, tailored for the transformer architecture, to enhance the inherent robustness of the model itself against various adversarial attacks. Our method requires no downstream task knowledge and does not incur additional costs. The proposed dynamic attention consists of two modules: (i) attention rectification, which masks or weakens the attention value of the chosen tokens, and (ii) dynamic modeling, which dynamically builds the set of candidate tokens. Extensive experiments demonstrate that dynamic attention significantly mitigates the impact of adversarial attacks, achieving up to 33% better performance than previous methods against widely-used adversarial attacks. The model-level design of dynamic attention enables it to be easily combined with other defense methods (e.g., adversarial training) to further enhance the model's robustness. Furthermore, we demonstrate that dynamic attention preserves the state-of-the-art robustness space of the original model compared to other dynamic modeling methods.

    Defending Pre-trained Language Models as Few-shot Learners against Backdoor Attacks

    Pre-trained language models (PLMs) have demonstrated remarkable performance as few-shot learners. However, their security risks under such settings are largely unexplored. In this work, we conduct a pilot study showing that PLMs as few-shot learners are highly vulnerable to backdoor attacks while existing defenses are inadequate due to the unique challenges of few-shot scenarios. To address such challenges, we advocate MDP, a novel lightweight, pluggable, and effective defense for PLMs as few-shot learners. Specifically, MDP leverages the gap between the masking-sensitivity of poisoned and clean samples: with reference to the limited few-shot data as distributional anchors, it compares the representations of given samples under varying masking and identifies poisoned samples as ones with significant variations. We show analytically that MDP creates an interesting dilemma for the attacker to choose between attack effectiveness and detection evasiveness. The empirical evaluation using benchmark datasets and representative attacks validates the efficacy of MDP. Comment: Accepted by NeurIPS'2

    Mechanism and technical system of ground and underground combined drainage of CBM in “four region linkage” in coal mining area

    In order to better realize the safe and efficient coordinated development of coal and CBM resources in highly gassy mining areas, the four-region (planning region, preparation region, production region and coal mined-out region) linkage ground-underground combined drainage mode (new Jincheng mode) and a series of technical systems for CBM across the whole mining area, all strata and all time were innovatively developed, relying on the “Thirteenth Five-Year Plan” national major science and technology projects to continue tackling key problems and closely combining with the actual production of key coal mining areas in Shanxi Province. This new mode was upgraded from the “three regions linkage” three-dimensional extraction mode of CBM developed during the “Eleventh Five-Year” and “Twelfth Five-Year” Plans; it has been widely used in key coal mining areas of Shanxi Province and has achieved good results. The ground pre-drainage technology of CBM in the planning region mainly used vertical wells, directional wells, horizontal wells and other technologies in the early stage, but it has now developed into a well-factory intensive development mode and technology dominated by multi-fractured horizontal wells. After 15 years of ground pre-drainage, the average reduction in the No.3 coal seam of the East Fifth Panel of Sihe Mine of Jinneng Holding Group had reached 55%. The No.5310 and No.5311 working faces in this panel successfully completed safe and efficient coal mining, realizing low-gas mining in a high-gas-content coal seam. The ground-underground combined drainage technology of CBM in the preparation region made full use of the greatly increased permeability in the fracturing-affected area and the increased production pressure difference of underground open-space drainage, which formed a three-dimensional drainage network, improved drainage efficiency, effectively alleviated the tension in mining replacement, and promoted high production and efficiency. Based on the characteristics of intense mining activities in the production region and the full opening of underground projects, directional drilling rigs were used to accurately complete regional progressive seam drilling, through-hole drilling and high directional long boreholes, and to extract the CBM in the production region accurately and evenly. This effectively solved the problems of uncontrollable conventional drilling trajectories, easy formation of drainage blind areas, and poor drainage effect, and realized the accurate standard of underground drainage in the production region, ensuring no risk. In view of problems such as the unclear occurrence law of CBM resources in the coal mined-out region, difficulty in resource assessment, and the lack of safe drilling and mining technology, a calculation method for CBM resources in the coal mined-out region was created, and a series of technologies for ground drilling and mining in the coal mined-out region were developed. 129 wells have been demonstrated and promoted in Shanxi key coal mine areas such as Jincheng, Xishan and Yangquan, 128 million cubic meters of CBM have been pumped and utilized, and carbon dioxide emissions have been reduced by 1.92 million tons. The success of the “four region linkage” ground-underground combined drainage mode and its series of technical systems in key coal mining areas of Shanxi has effectively achieved the triple effect of CBM “reducing greenhouse gas emissions, ensuring coal mine safety production, and supplementing green gas energy”, which provided strong support for China’s CBM production increasing from 2.58 billion cubic meters in 2006 to 19.17 billion cubic meters in 2020. At the same time, it also provided an effective guarantee for the year-by-year deepening of coal mining in key coal mining areas of Shanxi Province, the increasingly complex mine production conditions, the continuous reduction in the number of producing mines, and the steady growth of total coal output.

    Dynamic Voxel Grid Optimization for High-Fidelity RGB-D Supervised Surface Reconstruction

    Direct optimization of interpolated features on multi-resolution voxel grids has emerged as a more efficient alternative to MLP-like modules. However, this approach is constrained by higher memory expenses and limited representation capabilities. In this paper, we introduce a novel dynamic grid optimization method for high-fidelity 3D surface reconstruction that incorporates both RGB and depth observations. Rather than treating each voxel equally, we optimize the process by dynamically modifying the grid and assigning finer-scale voxels to regions with higher complexity, allowing us to capture more intricate details. Furthermore, we develop a scheme to quantify the dynamic subdivision of the voxel grid during optimization without requiring any priors. The proposed approach is able to generate high-quality 3D reconstructions with fine details on both synthetic and real-world data, while maintaining computational efficiency, which is substantially faster than the baseline method NeuralRGBD. Comment: For the project, see https://yanqingan.github.io