Adversarial examples make Deep Learning (DL) models vulnerable to safe deployment in practical systems. Although several techniques have been proposed in the literature, defending against adversarial attacks is still challenging. The current work identifies weaknesses of traditional strategies in detecting and classifying adversarial examples. To overcome these limitations, we carefully analyze techniques like binary detector and ensemble method, and compose them in a manner which mitigates the limitations. We also effectively develop a re-attack strategy, a randomization technique called RRP (Random Resizing and Patch-removing), and a rule-based decision method. Our proposed method, BEARR (Binary detector with Ensemble and re-Attacking scheme including Randomization and Rule-based decision technique) detects adversarial examples as well as classifies those examples with a higher accuracy compared to contemporary methods. We evaluate BEARR on standard image classification datasets: CIFAR-10, CIFAR-100, and tiny-imagenet as well as two real-world datasets: plantvillage and chest X-ray in the presence of state-of-the-art adversarial attack techniques. We have also validated BEARR against a more potent attacker who has perfect knowledge of the protection mechanism. We observe that BEARR is significantly better than existing methods in the context of detection and classification accuracy of adversarial examples.
{"title":"Decision Guided Robust DL Classification of Adversarial Images Combining Weaker Defenses","authors":"Shubhajit Datta;Manaar Alam;Arijit Mondal;Debdeep Mukhopadhyay;Partha Pratim Chakrabarti","doi":"10.1109/JETCAS.2024.3497295","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3497295","url":null,"abstract":"Adversarial examples make Deep Learning (DL) models vulnerable to safe deployment in practical systems. Although several techniques have been proposed in the literature, defending against adversarial attacks is still challenging. The current work identifies weaknesses of traditional strategies in detecting and classifying adversarial examples. To overcome these limitations, we carefully analyze techniques like binary detector and ensemble method, and compose them in a manner which mitigates the limitations. We also effectively develop a re-attack strategy, a randomization technique called RRP (Random Resizing and Patch-removing), and a rule-based decision method. Our proposed method, BEARR (Binary detector with Ensemble and re-Attacking scheme including Randomization and Rule-based decision technique) detects adversarial examples as well as classifies those examples with a higher accuracy compared to contemporary methods. We evaluate BEARR on standard image classification datasets: CIFAR-10, CIFAR-100, and tiny-imagenet as well as two real-world datasets: plantvillage and chest X-ray in the presence of state-of-the-art adversarial attack techniques. We have also validated BEARR against a more potent attacker who has perfect knowledge of the protection mechanism. We observe that BEARR is significantly better than existing methods in the context of detection and classification accuracy of adversarial examples.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"758-772"},"PeriodicalIF":3.7,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821198","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-04DOI: 10.1109/JETCAS.2024.3491497
Debopriya Roy Dipta;Jonathan Tan;Berk Gulmezoglu
Microarchitectural attacks threaten the security of individuals in a diverse set of platforms, such as personal computers, mobile phones, cloud environments, and AR/VR devices. Chip vendors are struggling to patch every hardware vulnerability in a timely manner, leaving billions of people’s private information under threat. Hence, dynamic attack detection tools which utilize hardware performance counters and machine learning (ML) models, have become popular for detecting ongoing attacks. In this study, we evaluate the robustness of various ML-based detection models with a sophisticated fuzzing framework. The framework manipulates hardware performance counters in a controlled manner using individual fuzzing blocks. Later, the framework is leveraged to modify the microarchitecture attack source code and to evade the detection tools. We evaluate our fuzzing framework with time overhead, achieved leakage rate, and the number of trials to successfully evade the detection.
{"title":"Systematical Evasion From Learning-Based Microarchitectural Attack Detection Tools","authors":"Debopriya Roy Dipta;Jonathan Tan;Berk Gulmezoglu","doi":"10.1109/JETCAS.2024.3491497","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491497","url":null,"abstract":"Microarchitectural attacks threaten the security of individuals in a diverse set of platforms, such as personal computers, mobile phones, cloud environments, and AR/VR devices. Chip vendors are struggling to patch every hardware vulnerability in a timely manner, leaving billions of people’s private information under threat. Hence, dynamic attack detection tools which utilize hardware performance counters and machine learning (ML) models, have become popular for detecting ongoing attacks. In this study, we evaluate the robustness of various ML-based detection models with a sophisticated fuzzing framework. The framework manipulates hardware performance counters in a controlled manner using individual fuzzing blocks. Later, the framework is leveraged to modify the microarchitecture attack source code and to evade the detection tools. We evaluate our fuzzing framework with time overhead, achieved leakage rate, and the number of trials to successfully evade the detection.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"823-833"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821230","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-11-04DOI: 10.1109/JETCAS.2024.3491169
Tian Chen;Yu-An Tan;Chunying Li;Zheng Zhang;Weizhi Meng;Yuanzhang Li
With the increasing popularity of heterogeneous computing systems in Artificial Intelligence (AI) applications, ensuring the confidentiality and integrity of sensitive data transferred between different elements has become a critical challenge. In this paper, we propose an enhanced security framework called SecureComm to protect data transfer between ARM CPU and FPGA through Double Data Rate (DDR) memory on CPU-FPGA heterogeneous platforms. SecureComm extends the SM4 crypto module by incorporating a proposed Message Authentication Code (MAC) to ensure data confidentiality and integrity. It also constructs smart queues in the shared memory of DDR, which work in conjunction with the designed protocols to help schedule data flow and facilitate flexible adaptation to various AI tasks with different data scales. Furthermore, some of the hardware modules of SecureComm are improved and encapsulated as independent IPs to increase their versatility beyond the scope of this paper. We implemented several ARM CPU-FPGA collaborative AI applications to justify the security and evaluate the timing overhead of SecureComm. We also deployed SecureComm to non-AI tasks to demonstrate its versatility, ultimately offering suggestions for its use in tasks of varying data scales.
{"title":"SecureComm: A Secure Data Transfer Framework for Neural Network Inference on CPU-FPGA Heterogeneous Edge Devices","authors":"Tian Chen;Yu-An Tan;Chunying Li;Zheng Zhang;Weizhi Meng;Yuanzhang Li","doi":"10.1109/JETCAS.2024.3491169","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3491169","url":null,"abstract":"With the increasing popularity of heterogeneous computing systems in Artificial Intelligence (AI) applications, ensuring the confidentiality and integrity of sensitive data transferred between different elements has become a critical challenge. In this paper, we propose an enhanced security framework called SecureComm to protect data transfer between ARM CPU and FPGA through Double Data Rate (DDR) memory on CPU-FPGA heterogeneous platforms. SecureComm extends the SM4 crypto module by incorporating a proposed Message Authentication Code (MAC) to ensure data confidentiality and integrity. It also constructs smart queues in the shared memory of DDR, which work in conjunction with the designed protocols to help schedule data flow and facilitate flexible adaptation to various AI tasks with different data scales. Furthermore, some of the hardware modules of SecureComm are improved and encapsulated as independent IPs to increase their versatility beyond the scope of this paper. We implemented several ARM CPU-FPGA collaborative AI applications to justify the security and evaluate the timing overhead of SecureComm. We also deployed SecureComm to non-AI tasks to demonstrate its versatility, ultimately offering suggestions for its use in tasks of varying data scales.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"811-822"},"PeriodicalIF":3.7,"publicationDate":"2024-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This work describes an approach towards pixel quantization using variable resolution which is made feasible using image transformation in the analog domain. The main aim is to reduce the average bits-per-pixel (BPP) necessary for representing an image while maintaining the classification accuracy of a Convolutional Neural Network (CNN) that is trained for image classification. The proposed algorithm is based on the Hadamard transform that leads to a low-resolution variable quantization by the analog-to-digital converter (ADC) thus reducing the power dissipation in hardware at the sensor node. Despite the trade-offs inherent in image transformation, the proposed algorithm achieves competitive accuracy levels across various image sizes and ADC configurations, highlighting the importance of considering both accuracy and power consumption in edge computing applications. The schematic of a novel 1.5 bit ADC that incorporates the Hadamard transform is also proposed. A hardware implementation of the analog transformation followed by software-based variable quantization is done for the CIFAR-10 test dataset. The digitized data shows that the network can still identify transformed images with a remarkable 90% accuracy for 3-BPP transformed images following the proposed method.
{"title":"Variable Resolution Pixel Quantization for Low Power Machine Vision Application on Edge","authors":"Senorita Deb;Sai Sanjeet;Prabir Kumar Biswas;Bibhu Datta Sahoo","doi":"10.1109/JETCAS.2024.3490504","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3490504","url":null,"abstract":"This work describes an approach towards pixel quantization using variable resolution which is made feasible using image transformation in the analog domain. The main aim is to reduce the average bits-per-pixel (BPP) necessary for representing an image while maintaining the classification accuracy of a Convolutional Neural Network (CNN) that is trained for image classification. The proposed algorithm is based on the Hadamard transform that leads to a low-resolution variable quantization by the analog-to-digital converter (ADC) thus reducing the power dissipation in hardware at the sensor node. Despite the trade-offs inherent in image transformation, the proposed algorithm achieves competitive accuracy levels across various image sizes and ADC configurations, highlighting the importance of considering both accuracy and power consumption in edge computing applications. The schematic of a novel 1.5 bit ADC that incorporates the Hadamard transform is also proposed. A hardware implementation of the analog transformation followed by software-based variable quantization is done for the CIFAR-10 test dataset. The digitized data shows that the network can still identify transformed images with a remarkable 90% accuracy for 3-BPP transformed images following the proposed method.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"15 1","pages":"58-71"},"PeriodicalIF":3.7,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143601937","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-30DOI: 10.1109/JETCAS.2024.3488597
Dong Hyub Kim;Jonah O’Brien Weiss;Sandip Kundu
Deep Neural Networks (DNNs) have become invaluable intellectual property for AI providers due to advancements fueled by a decade of research and development. However, recent studies have demonstrated the effectiveness of model extraction attacks, which threaten this value by stealing DNN models. These attacks can lead to misuse of personal data, safety risks in critical systems, and the spread of misinformation. This paper explores model extraction attacks on DNN models deployed on mobile devices, using runtime profiles as a side-channel. Since mobile devices are resource constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. To overcome this, we propose a novel method analyzing GPU call profiles to identify the original DNN architecture. Our approach achieves full accuracy in extracting DNN architectures from a predefined set, even when layer information is obscured. For unseen architectures, a layer-by-layer hyperparameter extraction method guided by sub-layer patterns is introduced, also achieving high accuracy. This research achieves two firsts: 1) targeting mobile GPUs for DNN architecture extraction and 2) successfully extracting architectures from optimized models with fused layers.
{"title":"Extracting DNN Architectures via Runtime Profiling on Mobile GPUs","authors":"Dong Hyub Kim;Jonah O’Brien Weiss;Sandip Kundu","doi":"10.1109/JETCAS.2024.3488597","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3488597","url":null,"abstract":"Deep Neural Networks (DNNs) have become invaluable intellectual property for AI providers due to advancements fueled by a decade of research and development. However, recent studies have demonstrated the effectiveness of model extraction attacks, which threaten this value by stealing DNN models. These attacks can lead to misuse of personal data, safety risks in critical systems, and the spread of misinformation. This paper explores model extraction attacks on DNN models deployed on mobile devices, using runtime profiles as a side-channel. Since mobile devices are resource constrained, DNN deployments require optimization efforts to reduce latency. The main hurdle in extracting DNN architectures in this scenario is that optimization techniques, such as operator-level and graph-level fusion, can obfuscate the association between runtime profile operators and their corresponding DNN layers, posing challenges for adversaries to accurately predict the computation performed. To overcome this, we propose a novel method analyzing GPU call profiles to identify the original DNN architecture. Our approach achieves full accuracy in extracting DNN architectures from a predefined set, even when layer information is obscured. For unseen architectures, a layer-by-layer hyperparameter extraction method guided by sub-layer patterns is introduced, also achieving high accuracy. This research achieves two firsts: 1) targeting mobile GPUs for DNN architecture extraction and 2) successfully extracting architectures from optimized models with fused layers.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"620-633"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-30DOI: 10.1109/JETCAS.2024.3476386
Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu
Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: �https://github.com/cure-lab/Function-Coupled-Watermark�.
性能良好的深度神经网络(DNN)通常需要大量标注数据和计算资源进行训练。为了保护这些知识产权(IP),人们提出了各种水印技术,DNN 提供商可以通过检索其嵌入的水印来主张 IP 所有权。虽然文献报道的结果很有希望,但现有的解决方案都受到水印去除攻击,如模型微调、模型剪枝和模型提取。在本文中,我们提出了一种新型 DNN 水印解决方案,可有效抵御上述攻击。我们的主要见解是加强水印和模型功能的耦合,这样去除水印就会不可避免地降低模型在正常输入上的性能。具体来说,一方面,我们从原始训练数据集中抽取输入样本,并将其融合为水印图像。另一方面,我们在训练过程中随机屏蔽模型权重,以便在网络中分布水印信息。我们的方法可以成功抵御常见的水印去除攻击、水印模糊攻击和现有的广泛使用的后门检测方法,在各种基准上的评估结果表明,我们的方法优于现有的解决方案。我们的代码可在以下网址获取:https://github.com/cure-lab/Function-Coupled-Watermark。
{"title":"On Function-Coupled Watermarks for Deep Neural Networks","authors":"Xiangyu Wen;Yu Li;Wei Jiang;Qiang Xu","doi":"10.1109/JETCAS.2024.3476386","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3476386","url":null,"abstract":"Well-performed deep neural networks (DNNs) generally require massive labeled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers can claim IP ownership by retrieving their embedded watermarks. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning, model pruning, and model extraction. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model’s performance on normal inputs. Specifically, on one hand, we sample inputs from the original training dataset and fuse them as watermark images. On the other hand, we randomly mask model weights during training to distribute the watermark information in the network. Our method can successfully defend against common watermark removal attacks, watermark ambiguity attacks, and existing widely used backdoor detection methods, outperforming existing solutions as demonstrated by evaluation results on various benchmarks. Our code is available at: \u0000<uri>https://github.com/cure-lab/Function-Coupled-Watermark</uri>\u0000.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"608-619"},"PeriodicalIF":3.7,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10738841","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-24DOI: 10.1109/JETCAS.2024.3486114
Amit Dhurandhar;Tejaswini Pedapati;Avinash Balakrishnan;Pin-Yu Chen;Karthikeyan Shanmugam;Ruchir Puri
Extensive surveys on explanations that are suitable for humans, claims that an explanation being contrastive is one of its most important traits. A few methods have been proposed to generate contrastive explanations for differentiable models such as deep neural networks, where one has complete access to the model. In this work, we propose a method, Model Agnostic Contrastive Explanations Method (MACEM), that can generate contrastive explanations for any classification model where one is able to only query the class probabilities for a desired input. This allows us to generate contrastive explanations for not only neural networks, but also models such as random forests, boosted trees and even arbitrary ensembles that are still amongst the state-of-the-art when learning on tabular data. Our method is also applicable to the scenarios where only the black-box access of the model is provided, implying that we can only obtain the predictions and prediction probabilities. With the advent of larger models, it is increasingly prevalent to be working in the black-box scenario, where the user will not necessarily have access to the model weights or parameters, and will only be able to interact with the model using an API. As such, to obtain meaningful explanations we propose a principled and scalable approach to handle real and categorical features leading to novel formulations for computing pertinent positives and negatives that form the essence of a contrastive explanation. A detailed treatment of this nature where we focus on scalability and handle different data types was not performed in the previous work, which assumed all features to be positive real valued with zero being indicative of the least interesting value. We part with this strong implicit assumption and generalize these methods so as to be applicable across a much wider range of problem settings. We quantitatively as well as qualitatively validate our approach over public datasets covering diverse domains.
关于适合人类的解释的大量调查表明,解释的对比性是其最重要的特征之一。目前已经提出了几种方法来为可微分模型(如深度神经网络)生成对比性解释,在这种情况下,人们可以完全访问模型。在这项工作中,我们提出了一种名为 "模型不可知性对比解释法"(MACEM)的方法,它可以为任何分类模型生成对比解释,在这种模型中,人们只能查询所需输入的类概率。这使我们不仅能为神经网络生成对比性解释,还能为随机森林、提升树等模型生成对比性解释,甚至还能为任意集合生成对比性解释。我们的方法也适用于只提供模型黑箱访问的情况,这意味着我们只能获得预测结果和预测概率。随着大型模型的出现,在黑箱场景下工作的情况越来越普遍,在这种情况下,用户不一定能访问模型权重或参数,只能通过 API 与模型进行交互。因此,为了获得有意义的解释,我们提出了一种原则性的、可扩展的方法来处理真实的和分类的特征,从而得出新的公式来计算相关的正面和负面特征,这些特征构成了对比解释的本质。前人的研究假设所有特征都是正实值,零表示最不感兴趣的值。我们摒弃了这一强烈的隐含假设,将这些方法加以推广,使其适用于更广泛的问题设置。我们在涵盖不同领域的公共数据集上对我们的方法进行了定量和定性验证。
{"title":"Model Agnostic Contrastive Explanations for Classification Models","authors":"Amit Dhurandhar;Tejaswini Pedapati;Avinash Balakrishnan;Pin-Yu Chen;Karthikeyan Shanmugam;Ruchir Puri","doi":"10.1109/JETCAS.2024.3486114","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3486114","url":null,"abstract":"Extensive surveys on explanations that are suitable for humans, claims that an explanation being contrastive is one of its most important traits. A few methods have been proposed to generate contrastive explanations for differentiable models such as deep neural networks, where one has complete access to the model. In this work, we propose a method, Model Agnostic Contrastive Explanations Method (MACEM), that can generate contrastive explanations for any classification model where one is able to only query the class probabilities for a desired input. This allows us to generate contrastive explanations for not only neural networks, but also models such as random forests, boosted trees and even arbitrary ensembles that are still amongst the state-of-the-art when learning on tabular data. Our method is also applicable to the scenarios where only the black-box access of the model is provided, implying that we can only obtain the predictions and prediction probabilities. With the advent of larger models, it is increasingly prevalent to be working in the black-box scenario, where the user will not necessarily have access to the model weights or parameters, and will only be able to interact with the model using an API. As such, to obtain meaningful explanations we propose a principled and scalable approach to handle real and categorical features leading to novel formulations for computing pertinent positives and negatives that form the essence of a contrastive explanation. A detailed treatment of this nature where we focus on scalability and handle different data types was not performed in the previous work, which assumed all features to be positive real valued with zero being indicative of the least interesting value. We part with this strong implicit assumption and generalize these methods so as to be applicable across a much wider range of problem settings. We quantitatively as well as qualitatively validate our approach over public datasets covering diverse domains.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"789-798"},"PeriodicalIF":3.7,"publicationDate":"2024-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821287","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Machine learning, with its myriad applications, has become an integral component of numerous AI systems. A common practice in this domain is the use of transfer learning, where a pre-trained model’s architecture, readily available to the public, is fine-tuned to suit specific tasks. As Machine Learning as a Service (MLaaS) platforms increasingly use pre-trained models in their backends, it is crucial to safeguard these architectures and understand their vulnerabilities. In this work, we present �ArchWhisperer�, a model fingerprinting attack approach based on the novel observation that the classification patterns of adversarial images can be used as a means to steal the models. Furthermore, the adversarial image classifications in conjunction with model inference times is used to further enhance our attack in terms of attack effectiveness as well as query budget. �ArchWhisperer� is designed for typical user-level access in remote MLaaS environments and it exploits varying misclassifications of adversarial images across different models to fingerprint several renowned Convolutional Neural Network (CNN) and Vision Transformer (ViT) architectures. We utilize the profiling of remote model inference times to reduce the necessary adversarial images, subsequently decreasing the number of queries required. We have presented our results over 27 pre-trained models of different CNN and ViT architectures using CIFAR-10 dataset and demonstrate a high accuracy of 88.8% while keeping the query budget under 20. This is a marked improvement compared to state-of-the-art works.
{"title":"Stealing the Invisible: Unveiling Pre-Trained CNN Models Through Adversarial Examples and Timing Side-Channels","authors":"Shubhi Shukla;Manaar Alam;Pabitra Mitra;Debdeep Mukhopadhyay","doi":"10.1109/JETCAS.2024.3485133","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3485133","url":null,"abstract":"Machine learning, with its myriad applications, has become an integral component of numerous AI systems. A common practice in this domain is the use of transfer learning, where a pre-trained model’s architecture, readily available to the public, is fine-tuned to suit specific tasks. As Machine Learning as a Service (MLaaS) platforms increasingly use pre-trained models in their backends, it is crucial to safeguard these architectures and understand their vulnerabilities. In this work, we present \u0000<monospace>ArchWhisperer</monospace>\u0000, a model fingerprinting attack approach based on the novel observation that the classification patterns of adversarial images can be used as a means to steal the models. Furthermore, the adversarial image classifications in conjunction with model inference times is used to further enhance our attack in terms of attack effectiveness as well as query budget. \u0000<monospace>ArchWhisperer</monospace>\u0000 is designed for typical user-level access in remote MLaaS environments and it exploits varying misclassifications of adversarial images across different models to fingerprint several renowned Convolutional Neural Network (CNN) and Vision Transformer (ViT) architectures. We utilize the profiling of remote model inference times to reduce the necessary adversarial images, subsequently decreasing the number of queries required. We have presented our results over 27 pre-trained models of different CNN and ViT architectures using CIFAR-10 dataset and demonstrate a high accuracy of 88.8% while keeping the query budget under 20. This is a marked improvement compared to state-of-the-art works.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"634-646"},"PeriodicalIF":3.7,"publicationDate":"2024-10-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821169","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Federated Learning (FL) has emerged as an approach to provide a privacy-preserving and communication-efficient Machine Learning (ML) framework in mobile-edge environments which are likely to be resource-constrained and heterogeneous. Therefore, the required precision level and performance from each of the devices may vary depending upon the circumstances, giving rise to designs containing mixed-precision and quantized models. Among the various quantization schemes, binary and ternary representations are significant since they enable arrangements that can strike effective balances between performance and precision. In this paper, we propose RLFL, a hybrid ternary/full-precision FL system along with a Reinforcement Learning (RL) aggregation method with the goal of improved performance comparing to a homogeneous ternary environment. This system consists a mix of clients with full-precision and resource-constrained clients with ternary ML models. However, aggregating models with ternary and full-precision weights using traditional aggregation approaches present a challenge due to the disparity in weight magnitudes. In order to obtain an improved accuracy, we use a deep RL model to explore and optimize the amount of contribution assigned to each client’s model for aggregation in each iteration. We evaluate and compare accuracy and communication overhead of the proposed approach against the prior work for the classification of MNIST, FMNIST, and CIFAR10 datasets. Evaluation results show that the proposed RLFL system, along with its aggregation technique, outperforms the existing FL approaches in accuracy ranging from 5% to 19% while imposing negligible computation overhead.
{"title":"RLFL: A Reinforcement Learning Aggregation Approach for Hybrid Federated Learning Systems Using Full and Ternary Precision","authors":"HamidReza Imani;Jeff Anderson;Samuel Farid;Abdolah Amirany;Tarek El-Ghazawi","doi":"10.1109/JETCAS.2024.3483554","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3483554","url":null,"abstract":"Federated Learning (FL) has emerged as an approach to provide a privacy-preserving and communication-efficient Machine Learning (ML) framework in mobile-edge environments which are likely to be resource-constrained and heterogeneous. Therefore, the required precision level and performance from each of the devices may vary depending upon the circumstances, giving rise to designs containing mixed-precision and quantized models. Among the various quantization schemes, binary and ternary representations are significant since they enable arrangements that can strike effective balances between performance and precision. In this paper, we propose RLFL, a hybrid ternary/full-precision FL system along with a Reinforcement Learning (RL) aggregation method with the goal of improved performance comparing to a homogeneous ternary environment. This system consists a mix of clients with full-precision and resource-constrained clients with ternary ML models. However, aggregating models with ternary and full-precision weights using traditional aggregation approaches present a challenge due to the disparity in weight magnitudes. In order to obtain an improved accuracy, we use a deep RL model to explore and optimize the amount of contribution assigned to each client’s model for aggregation in each iteration. We evaluate and compare accuracy and communication overhead of the proposed approach against the prior work for the classification of MNIST, FMNIST, and CIFAR10 datasets. Evaluation results show that the proposed RLFL system, along with its aggregation technique, outperforms the existing FL approaches in accuracy ranging from 5% to 19% while imposing negligible computation overhead.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"673-687"},"PeriodicalIF":3.7,"publicationDate":"2024-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821201","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-10-15DOI: 10.1109/JETCAS.2024.3481273
Mingfu Xue;Jinlong Fu;Zhiyuan Li;Shifeng Ni;Heyi Wu;Leo Yu Zhang;Yushu Zhang;Weiqiang Liu
In recent years, domestic Linux operating systems have developed rapidly, but the threat of ELF viruses has become increasingly prominent. Currently, domestic antivirus software for information technology application innovation (ITAI) operating systems shows insufficient capability in detecting ELF viruses. At the same time, research on generating malicious samples in ELF format is scarce. In order to fill this gap at home and abroad and meet the growing application needs of domestic antivirus software companies, this paper proposes an automatic ELF adversarial malicious samples generation technique based on reinforcement learning. Based on reinforcement learning framework, after being processed by cycles of feature extraction, malicious detection, agent decision-making, and evade-detection operation, the sample can evade the detection of antivirus engines. Specifically, nine feature extractor subclasses are used to extract features in multiple aspects. The PPO algorithm is used as the agent algorithm. The action table in the evade-detection module contains 11 evade-detection operations for ELF malicious samples. This method is experimentally verified on the ITAI operating system, and the ELF malicious sample set on the Linux x86 platform is used as the original sample set. The detection rate of this sample set by ClamAV before processing is 98%, and the detection rate drops to 25% after processing. The detection rate of this sample set by 360 Security before processing is 4%, and the detection rate drops to 1% after processing. Furthermore, after processing, the average number of engines on VirusTotal that could detect the maliciousness of the samples decreases from 39 to 15. Many malicious samples were detected by �$41sim 43$ � engines on VirusTotal before processing, while after the evade-detection processing, only �$8sim 9$ � engines on VirusTotal can detect the malware. In terms of executability and malicious function consistency, the processed samples can still run normally and the malicious functions remain consistent with those before processing. Overall, the proposed method in this paper can effectively generate adversarial ELF malware samples. Using this method to generate malicious samples to test and train the anti-virus software can promote and improve anti-virus software’s detection and defense capability against malware.
{"title":"A Reinforcement Learning-Based ELF Adversarial Malicious Sample Generation Method","authors":"Mingfu Xue;Jinlong Fu;Zhiyuan Li;Shifeng Ni;Heyi Wu;Leo Yu Zhang;Yushu Zhang;Weiqiang Liu","doi":"10.1109/JETCAS.2024.3481273","DOIUrl":"https://doi.org/10.1109/JETCAS.2024.3481273","url":null,"abstract":"In recent years, domestic Linux operating systems have developed rapidly, but the threat of ELF viruses has become increasingly prominent. Currently, domestic antivirus software for information technology application innovation (ITAI) operating systems shows insufficient capability in detecting ELF viruses. At the same time, research on generating malicious samples in ELF format is scarce. In order to fill this gap at home and abroad and meet the growing application needs of domestic antivirus software companies, this paper proposes an automatic ELF adversarial malicious samples generation technique based on reinforcement learning. Based on reinforcement learning framework, after being processed by cycles of feature extraction, malicious detection, agent decision-making, and evade-detection operation, the sample can evade the detection of antivirus engines. Specifically, nine feature extractor subclasses are used to extract features in multiple aspects. The PPO algorithm is used as the agent algorithm. The action table in the evade-detection module contains 11 evade-detection operations for ELF malicious samples. This method is experimentally verified on the ITAI operating system, and the ELF malicious sample set on the Linux x86 platform is used as the original sample set. The detection rate of this sample set by ClamAV before processing is 98%, and the detection rate drops to 25% after processing. The detection rate of this sample set by 360 Security before processing is 4%, and the detection rate drops to 1% after processing. Furthermore, after processing, the average number of engines on VirusTotal that could detect the maliciousness of the samples decreases from 39 to 15. Many malicious samples were detected by \u0000<inline-formula> <tex-math>$41sim 43$ </tex-math></inline-formula>\u0000 engines on VirusTotal before processing, while after the evade-detection processing, only \u0000<inline-formula> <tex-math>$8sim 9$ </tex-math></inline-formula>\u0000 engines on VirusTotal can detect the malware. In terms of executability and malicious function consistency, the processed samples can still run normally and the malicious functions remain consistent with those before processing. Overall, the proposed method in this paper can effectively generate adversarial ELF malware samples. Using this method to generate malicious samples to test and train the anti-virus software can promote and improve anti-virus software’s detection and defense capability against malware.","PeriodicalId":48827,"journal":{"name":"IEEE Journal on Emerging and Selected Topics in Circuits and Systems","volume":"14 4","pages":"743-757"},"PeriodicalIF":3.7,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142821272","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: