IEEE Transactions on Information Forensics and Security: Latest Articles
Robust AI-Synthesized Speech Detection Using Feature Decomposition Learning and Synthesizer Feature Augmentation
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-18 | DOI: 10.1109/TIFS.2024.3520001
Kuiyuan Zhang;Zhongyun Hua;Yushu Zhang;Yifang Guo;Tao Xiang
AI-synthesized speech, also known as deepfake speech, has recently raised significant concerns due to the rapid advancement of speech synthesis and speech conversion techniques. Previous works often rely on distinguishing synthesizer artifacts to identify deepfake speech. However, excessive reliance on these specific synthesizer artifacts may result in unsatisfactory performance when addressing speech signals created by unseen synthesizers. In this paper, we propose a robust deepfake speech detection method that employs feature decomposition to learn synthesizer-independent content features as complementary for detection. Specifically, we propose a dual-stream feature decomposition learning strategy that decomposes the learned speech representation using a synthesizer stream and a content stream. The synthesizer stream specializes in learning synthesizer features through supervised training with synthesizer labels. Meanwhile, the content stream focuses on learning synthesizer-independent content features, enabled by a pseudo-labeling-based supervised learning method. This method randomly transforms speech to generate speed and compression labels for training. Additionally, we employ an adversarial learning technique to reduce the synthesizer-related components in the content stream. The final classification is determined by concatenating the synthesizer and content features. To enhance the model’s robustness to different synthesizer characteristics, we further propose a synthesizer feature augmentation strategy that randomly blends the characteristic styles within real and fake audio features and randomly shuffles the synthesizer features with the content features. This strategy effectively enhances the feature diversity and simulates more feature combinations. 
Experimental results on four deepfake speech benchmark datasets demonstrate that our model achieves state-of-the-art robust detection performance across various evaluation scenarios, including cross-method, cross-dataset, and cross-language evaluations.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 871-885.
Citations: 0
Multi-Level Resource-Coherented Graph Learning for Website Fingerprinting Attacks
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-18 | DOI: 10.1109/TIFS.2024.3520014
Bo Gao;Weiwei Liu;Guangjie Liu;Fengyuan Nie;Jianan Huang
Deep learning-based website fingerprinting (WF) attacks dominate website traffic classification. In the real world, the main challenges limiting their effectiveness are, on the one hand, the difficulty in countering the effect of content updates on the basis of accurate descriptions of page features in traffic representations. On the other hand, the model’s accuracy relies on training numerous samples, requiring constant manual labeling. The key to solving the problem is to find a website traffic representation that can stably and accurately display page features, as well as to perform self-supervised learning that is not reliant on manual labeling. This study introduces the multi-level resource-coherented graph convolutional neural network (MRCGCN), a self-supervised learning-based WF attack. It analyzes website traffic using resources as the basic unit, which are coarser than packets, ensuring the page’s unique resource layout while improving the robustness of the representations. Then, we utilized an echelon-ordered graph kernel function to extract the graph topology as the label for website traffic. Finally, a two-channel graph convolutional neural network is designed for constructing a self-supervised learning-based traffic classifier. We evaluated the WF attacks using real data in both closed- and open-world scenarios. The results demonstrate that the proposed WF attack has superior and more comprehensive performance compared to state-of-the-art methods.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 693-708.
Citations: 0
Query-Efficient Model Inversion Attacks: An Information Flow View
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-18 | DOI: 10.1109/TIFS.2024.3518779
Yixiao Xu;Binxing Fang;Mohan Li;Xiaolei Liu;Zhihong Tian
Model Inversion Attacks (MIAs) pose a certain threat to the data privacy of learning-based systems, as they enable adversaries to reconstruct identifiable features of the training distribution with only query access to the victim model. In the context of deep learning, the primary challenges associated with MIAs are suboptimal attack success rates and the corresponding high computational costs. Prior efforts assumed that the expansive search space caused these limitations, employing generative models to constrain the dimensions of the search space. Despite the initial success of these generative-based solutions, recent experiments have cast doubt on this fundamental assumption, leaving two open questions about the influential factors determining MIA performance and how to manipulate these factors to improve MIAs. To answer these questions, we reframe MIAs from the perspective of information flow. This new formulation allows us to establish a lower bound for the error probability of MIAs, determined by two critical factors: (1) the size of the search space and (2) the mutual information between input and output random variables. Through a detailed analysis of generative-based MIAs within this theoretical framework, we uncover a trade-off between the size of the search space and the generation capability of generative models. Based on the theoretical conclusions, we introduce the Query-Efficient Model Inversion Approach (QE-MIA). By strategically selecting an appropriate search space and introducing additional mutual information, QE-MIA achieves a reduction of $60\%\sim 70\%$ in query overhead while concurrently enhancing the attack success rate by $5\%\sim 25\%$.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 1023-1036.
Citations: 0
IFViT: Interpretable Fixed-Length Representation for Fingerprint Matching via Vision Transformer
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-18 | DOI: 10.1109/TIFS.2024.3520015
Yuhang Qiu;Honghui Chen;Xingbo Dong;Zheng Lin;Iman Yi Liao;Massimo Tistarelli;Zhe Jin
Determining dense feature points on fingerprints used in constructing deep fixed-length representations for accurate matching, particularly at the pixel level, is of significant interest. To explore the interpretability of fingerprint matching, we propose a multi-stage interpretable fingerprint matching network, namely Interpretable Fixed-length Representation for Fingerprint Matching via Vision Transformer (IFViT), which consists of two primary modules. The first module, an interpretable dense registration module, establishes a Vision Transformer (ViT)-based Siamese Network to capture long-range dependencies and the global context in fingerprint pairs. It provides interpretable dense pixel-wise correspondences of feature points for fingerprint alignment and enhances the interpretability in the subsequent matching stage. The second module takes into account both local and global representations of the aligned fingerprint pair to achieve an interpretable fixed-length representation extraction and matching. It employs the ViTs trained in the first module with the additional fully connected layer and retrains them to simultaneously produce the discriminative fixed-length representation and interpretable dense pixel-wise correspondences of feature points. Extensive experimental results on diverse publicly available fingerprint databases demonstrate that the proposed framework not only exhibits superior performance on dense registration and matching but also significantly promotes the interpretability in deep fixed-length representations-based fingerprint matching.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 559-573.
Citations: 0
Stealthiness Assessment of Adversarial Perturbation: From a Visual Perspective
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-18 | DOI: 10.1109/TIFS.2024.3520016
Hangcheng Liu;Yuan Zhou;Ying Yang;Qingchuan Zhao;Tianwei Zhang;Tao Xiang
Assessing the stealthiness of adversarial perturbations is challenging due to the lack of appropriate evaluation metrics. Existing evaluation metrics, e.g., $L_{p}$ norms or Image Quality Assessment (IQA), fall short of assessing the pixel-level stealthiness of subtle adversarial perturbations since these metrics are primarily designed for traditional distortions. To bridge this gap, we present the first comprehensive study on the subjective and objective assessment of the stealthiness of adversarial perturbations from a visual perspective at a pixel level. Specifically, we propose new subjective assessment criteria for human observers to score adversarial stealthiness in a fine-grained manner. Then, we create a large-scale adversarial example dataset comprising 10586 pairs of clean and adversarial samples encompassing twelve state-of-the-art adversarial attacks. To obtain the subjective scores according to the proposed criterion, we recruit 60 human observers, and each adversarial example is evaluated by at least 15 observers. The mean opinion score of each adversarial example is utilized for labeling. Finally, we develop a three-stage objective scoring model that mimics human scoring habits to predict adversarial perturbation’s stealthiness. Experimental results demonstrate that our objective model exhibits superior consistency with the human visual system, surpassing commonly employed metrics like PSNR and SSIM.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 898-913.
Citations: 0
Learnability of Optical Physical Unclonable Functions Through the Lens of Learning With Errors
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-16 | DOI: 10.1109/TIFS.2024.3518065
Apollo Albright;Boris Gelfand;Michael Dixon
We show that a class of optical physical unclonable functions (PUFs) can be efficiently PAC-learned to arbitrary precision with arbitrarily high probability, even in the presence of intentionally injected noise, given access to polynomially many challenge-response pairs, under mild and practical assumptions about the distributions of the noise and challenge vectors. We motivate our analysis by identifying similarities between the integrated version of Pappu’s original optical PUF design and the post-quantum Learning with Errors (LWE) cryptosystem. We derive polynomial bounds for the required number of samples and the computational complexity of a linear regression algorithm, based on size parameters of the PUF, the distributions of the challenge and noise vectors, and the desired accuracy and probability of success of the regression algorithm. We use a similar analysis to that done by Bootle et al. [“LWE without modular reduction and improved side-channel attacks against BLISS,” in Advances in Cryptology – ASIACRYPT 2018], who demonstrated a learning attack on poorly implemented versions of LWE cryptosystems. This extends the results of Rührmair et al. [“Optical PUFs reloaded,” Cryptology ePrint Archive, 2013], who presented a theoretical framework showing that a subset of this class of PUFs is learnable in polynomial time in the absence of injected noise, under the assumption that the optics of the PUF were either linear or had negligible nonlinear effects. (Rührmair et al. also included an experimental validation of this technique, which of course included measurement uncertainty, demonstrating robustness to the presence of natural noise.) We recommend that the design of strong PUFs should be treated as a cryptographic engineering problem in physics, as PUF designs would benefit greatly from basing their physics and security on standard cryptographic assumptions. 
Finally, we identify future research directions, including suggestions for how to modify an LWE-based optical PUF design to better defend against cryptanalytic attacks.
Source: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 886-897. Open-access PDF: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10802998
Citations: 0
Selfish Mining Time-Averaged Analysis in Bitcoin: Is Orphan Reporting an Effective Countermeasure?
IF 6.3 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, THEORY & METHODS | Pub Date: 2024-12-16 | DOI: 10.1109/TIFS.2024.3518090
Roozbeh Sarenche;Ren Zhang;Svetla Nikova;Bart Preneel
A Bitcoin miner who owns a sufficient amount of mining power can perform selfish mining to increase its relative revenue. Studies have demonstrated that the time-averaged profit of a selfish miner starts to rise once the mining difficulty level gets adjusted in favor of the attacker. Selfish mining profitability lies in the fact that orphan blocks are not incorporated into the current version of Bitcoin’s difficulty adjustment mechanism (DAM). Therefore, it is believed that considering the count of orphan blocks in the DAM can result in complete unprofitability for selfish mining. In this paper, we disprove this belief by providing a formal analysis of the selfish mining time-averaged profit. We present a precise definition of the orphan blocks that can be incorporated into calculating the next epoch’s target and then introduce two modified versions of DAM in which both main-chain blocks and orphan blocks are incorporated. We propose two versions of smart intermittent selfish mining, where the first one dominates the normal intermittent selfish mining, and the second one results in selfish mining profitability under the modified DAMs. Moreover, we present the orphan exclusion attack with the help of which the attacker can stop honest miners from reporting the orphan blocks. Using combinatorial tools, we analyze the profitability of selfish mining accompanied by the orphan exclusion attack under the modified DAMs. Our results show that even when considering orphan blocks in the DAM, selfish mining can still be profitable. However, the level of profitability under the modified DAMs is significantly lower than that observed under the current version of Bitcoin DAM, suggesting that orphan reporting can be an effective countermeasure against a payoff-maximizing selfish miner.
IEEE Transactions on Information Forensics and Security, vol. 20, pp. 449-464.
Citations: 0
Federated Learning Minimal Model Replacement Attack Using Optimal Transport: An Attacker Perspective
IF 6.3 Zone 1 Computer Science Q1 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2024-12-16 DOI: 10.1109/TIFS.2024.3516555
K. Naveen Kumar;C. Krishna Mohan;Linga Reddy Cenkeramaddi
Federated learning (FL) has emerged as a powerful collaborative learning approach that enables client devices to train a joint machine learning model without sharing private data. However, the decentralized nature of FL makes it highly vulnerable to adversarial attacks from multiple sources. There are diverse FL data poisoning and model poisoning attack methods in the literature. Nevertheless, most of them focus only on the attack’s impact and do not consider the attack budget and attack visibility. These factors are essential to effectively comprehend the adversary’s rationale in designing an attack. Hence, our work highlights the significance of considering these factors by providing an attacker perspective in designing an attack with a low budget, low visibility, and high impact. Also, existing attacks that use total neuron replacement and randomly selected neuron replacement approaches only cater to these factors partially. Therefore, we propose a novel federated learning minimal model replacement attack (FL-MMR) that uses optimal transport (OT) for minimal neural alignment between a surrogate poisoned model and the benign model. Later, we optimize the attack budget in a three-fold adaptive fashion by considering critical learning periods and introducing the replacement map. In addition, we comprehensively evaluate our attack under three threat scenarios using three large-scale datasets: GTSRB, CIFAR10, and EMNIST. We observed that our FL-MMR attack drops global accuracy to $\approx 35\%$ less with merely 0.54% total attack budget and lower attack visibility than other attacks. The results confirm that our method aligns closely with the attacker’s viewpoint compared to other methods.
IEEE Transactions on Information Forensics and Security, vol. 20, pp. 478-487.
Citations: 0
Analyze and Improve Differentially Private Federated Learning: A Model Robustness Perspective
IF 6.3 Zone 1 Computer Science Q1 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2024-12-16 DOI: 10.1109/TIFS.2024.3518058
Shuaishuai Zhang;Jie Huang;Peihao Li
Differentially Private Federated learning (DPFL) applies differential privacy (DP) techniques to preserve clients’ privacy in Federated Learning (FL). Existing methods based on Gaussian Mechanism require the operations of model updates clipping and noise injection, which lead to a serious degradation in model accuracies. Several improved methods are proposed to mitigate the accuracy degradation by decreasing the scale of the injected noise. Different from previous methods, we firstly propose to enhance the model robustness against the DP noise for the accuracy improvement. In this paper, we develop a novel FL scheme with improved model robustness, called FedIMR, which can provide the client-level DP guarantee while maintaining a high model accuracy. We find that the injected noise leads to the fluctuation of loss values in the local training, hindering the model convergence seriously. This motivates us to improve the model robustness for narrowing down the bias of model outputs caused by the noise. The model robustness is evaluated with the signal-to-noise ratio (SNR) of each layer’s outputs. Two techniques are proposed to improve the output SNR, including the logit vector normalization (LVN) and dynamic clipping threshold (DCT). Specifically, LVN normalizes the logit vector to make the optimization algorithm keep increasing the model output, which is the signal item of the output SNR. DCT dynamically adjusts the clipping threshold to reduce the noise item of the output SNR. We also provide the privacy analysis and convergence results. Experiments are conducted over three famous datasets to evaluate the effectiveness of our method. Both the theoretical results and empirical experiments confirm that our FedIMR can achieve a better accuracy-privacy tradeoff than previous methods.
IEEE Transactions on Information Forensics and Security, vol. 20, pp. 807-821.
Citations: 0
Illicit Social Accounts? Anti-Money Laundering for Transactional Blockchains
IF 6.3 Zone 1 Computer Science Q1 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2024-12-16 DOI: 10.1109/TIFS.2024.3518068
Jie Song;Sijia Zhang;Pengyi Zhang;Junghoon Park;Yu Gu;Ge Yu
In recent years, blockchain anonymity has led to more illicit accounts participating in various money laundering transactions. Existing studies typically detect money laundering transactions, known as AML (Anti-money Laundering), through learning transaction features on transaction graphs of transactional blockchains. However, transaction graphs fail to represent the accounts’ social features within transactional organizations. Account graphs reveal such features well, and detecting illicit accounts on account graphs provides a new perspective on AML. For example, it helps uncover illegal transactions whose transaction features are not distinct in transaction graphs, with a loose assumption that illicit accounts are likely involved in illegal transactions. In this paper, we propose a Social Attention Graph Neural Network ($\textsf{SGNN}$) on account graphs converted from transaction graphs. To detect illicit accounts, $\textsf{SGNN}$ learns the social features on two sub-graphs, a heterogeneous graph and a hypergraph, extracted from the account graph, and fuses these features into account attribute vectors through attention. The experimental results on the Elliptic++ dataset demonstrate $\textsf{SGNN}$’s advances. It outperforms the best baseline by 14.18% in precision, 7.37% in F1 score, 0.96% in accuracy, and 0.64% in recall when detecting illicit accounts on account graphs, as well as detects 20.3% more recall of illegal transactions through these illicit accounts than state-of-the-art methods based on transaction graphs when the mappings between illegal transactions and illicit accounts are provided. Moreover, thanks to social features, $\textsf{SGNN}$ has a novel capability that works under many account scales and activity degrees. We release our code on https://github.com/CloudLab-NEU/SGNN.
IEEE Transactions on Information Forensics and Security, vol. 20, pp. 391-404.
Citations: 0