Large Language Models (LLMs) have shown remarkable potential across various�domains, including cybersecurity. Using commercial cloud-based LLMs may be�undesirable due to privacy concerns, costs, and network connectivity�constraints. In this paper, we present Hackphyr, a locally fine-tuned LLM to be�used as a red-team agent within network security environments. Our fine-tuned 7�billion parameter model can run on a single GPU card and achieves performance�comparable with much larger and more powerful commercial models such as GPT-4.�Hackphyr clearly outperforms other models, including GPT-3.5-turbo, and�baselines, such as Q-learning agents in complex, previously unseen scenarios.�To achieve this performance, we generated a new task-specific cybersecurity�dataset to enhance the base model's capabilities. Finally, we conducted a�comprehensive analysis of the agents' behaviors that provides insights into the�planning abilities and potential shortcomings of such agents, contributing to�the broader understanding of LLM-based agents in cybersecurity contexts
{"title":"Hackphyr: A Local Fine-Tuned LLM Agent for Network Security Environments","authors":"Maria Rigaki, Carlos Catania, Sebastian Garcia","doi":"arxiv-2409.11276","DOIUrl":"https://doi.org/arxiv-2409.11276","url":null,"abstract":"Large Language Models (LLMs) have shown remarkable potential across various\u0000domains, including cybersecurity. Using commercial cloud-based LLMs may be\u0000undesirable due to privacy concerns, costs, and network connectivity\u0000constraints. In this paper, we present Hackphyr, a locally fine-tuned LLM to be\u0000used as a red-team agent within network security environments. Our fine-tuned 7\u0000billion parameter model can run on a single GPU card and achieves performance\u0000comparable with much larger and more powerful commercial models such as GPT-4.\u0000Hackphyr clearly outperforms other models, including GPT-3.5-turbo, and\u0000baselines, such as Q-learning agents in complex, previously unseen scenarios.\u0000To achieve this performance, we generated a new task-specific cybersecurity\u0000dataset to enhance the base model's capabilities. Finally, we conducted a\u0000comprehensive analysis of the agents' behaviors that provides insights into the\u0000planning abilities and potential shortcomings of such agents, contributing to\u0000the broader understanding of LLM-based agents in cybersecurity contexts","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"89 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261659","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Matthew Tassava, Cameron Kolodjski, Jordan Milbrath, Jeremy Straub
The development of a system vulnerability analysis tool (SVAT) for complex�mission critical systems (CMCS) produced the software for operation and network�attack results review (SONARR). This software builds upon the Blackboard�Architecture and uses its a rule-fact logic to assess model networks to�identify potential pathways that an attacker might take through them via the�exploitation of vulnerabilities within the network. The SONARR objects and�algorithm were developed previously; however, performance was insufficient for�analyzing large networks. This paper describes and analyzes the performance of�a multi-threaded SONARR algorithm and other enhancements which were developed�to increase SONARR's performance and facilitate the analysis of large networks.
{"title":"Enhancing Security Testing Software for Systems that Cannot be Subjected to the Risks of Penetration Testing Through the Incorporation of Multi-threading and and Other Capabilities","authors":"Matthew Tassava, Cameron Kolodjski, Jordan Milbrath, Jeremy Straub","doi":"arxiv-2409.10893","DOIUrl":"https://doi.org/arxiv-2409.10893","url":null,"abstract":"The development of a system vulnerability analysis tool (SVAT) for complex\u0000mission critical systems (CMCS) produced the software for operation and network\u0000attack results review (SONARR). This software builds upon the Blackboard\u0000Architecture and uses its a rule-fact logic to assess model networks to\u0000identify potential pathways that an attacker might take through them via the\u0000exploitation of vulnerabilities within the network. The SONARR objects and\u0000algorithm were developed previously; however, performance was insufficient for\u0000analyzing large networks. This paper describes and analyzes the performance of\u0000a multi-threaded SONARR algorithm and other enhancements which were developed\u0000to increase SONARR's performance and facilitate the analysis of large networks.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"188 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261665","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Kyle Stein, Andrew A. Mahyari, Guillermo Francia III, Eman El-Sheikh
As the complexity and connectivity of networks increase, the need for novel�malware detection approaches becomes imperative. Traditional security defenses�are becoming less effective against the advanced tactics of today's�cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in�strengthening network security, offering detailed analysis of network traffic�that goes beyond simple metadata analysis. DPI examines not only the packet�headers but also the payload content within, offering a thorough insight into�the data traversing the network. This study proposes a novel approach that�leverages a large language model (LLM) and few-shot learning to accurately�recognizes novel, unseen malware types with few labels samples. Our proposed�approach uses a pretrained LLM on known malware types to extract the embeddings�from packets. The embeddings are then used alongside few labeled samples of an�unseen malware type. This technique is designed to acclimate the model to�different malware representations, further enabling it to generate robust�embeddings for each trained and unseen classes. Following the extraction of�embeddings from the LLM, few-shot learning is utilized to enhance performance�with minimal labeled data. Our evaluation, which utilized two renowned�datasets, focused on identifying malware types within network traffic and�Internet of Things (IoT) environments. Our approach shows promising results�with an average accuracy of 86.35% and F1-Score of 86.40% on different malware�types across the two datasets.
{"title":"Towards Novel Malicious Packet Recognition: A Few-Shot Learning Approach","authors":"Kyle Stein, Andrew A. Mahyari, Guillermo Francia III, Eman El-Sheikh","doi":"arxiv-2409.11254","DOIUrl":"https://doi.org/arxiv-2409.11254","url":null,"abstract":"As the complexity and connectivity of networks increase, the need for novel\u0000malware detection approaches becomes imperative. Traditional security defenses\u0000are becoming less effective against the advanced tactics of today's\u0000cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in\u0000strengthening network security, offering detailed analysis of network traffic\u0000that goes beyond simple metadata analysis. DPI examines not only the packet\u0000headers but also the payload content within, offering a thorough insight into\u0000the data traversing the network. This study proposes a novel approach that\u0000leverages a large language model (LLM) and few-shot learning to accurately\u0000recognizes novel, unseen malware types with few labels samples. Our proposed\u0000approach uses a pretrained LLM on known malware types to extract the embeddings\u0000from packets. The embeddings are then used alongside few labeled samples of an\u0000unseen malware type. This technique is designed to acclimate the model to\u0000different malware representations, further enabling it to generate robust\u0000embeddings for each trained and unseen classes. Following the extraction of\u0000embeddings from the LLM, few-shot learning is utilized to enhance performance\u0000with minimal labeled data. Our evaluation, which utilized two renowned\u0000datasets, focused on identifying malware types within network traffic and\u0000Internet of Things (IoT) environments. Our approach shows promising results\u0000with an average accuracy of 86.35% and F1-Score of 86.40% on different malware\u0000types across the two datasets.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"1 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261661","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Real-time deepfake, a type of generative AI, is capable of "creating"�non-existing contents (e.g., swapping one's face with another) in a video. It�has been, very unfortunately, misused to produce deepfake videos (during web�conferences, video calls, and identity authentication) for malicious purposes,�including financial scams and political misinformation. Deepfake detection, as�the countermeasure against deepfake, has attracted considerable attention from�the academic community, yet existing works typically rely on learning passive�features that may perform poorly beyond seen datasets. In this paper, we�propose SFake, a new real-time deepfake detection method that innovatively�exploits deepfake models' inability to adapt to physical interference.�Specifically, SFake actively sends probes to trigger mechanical vibrations on�the smartphone, resulting in the controllable feature on the footage.�Consequently, SFake determines whether the face is swapped by deepfake based on�the consistency of the facial area with the probe pattern. We implement SFake,�evaluate its effectiveness on a self-built dataset, and compare it with six�other detection methods. The results show that SFake outperforms other�detection methods with higher detection accuracy, faster process speed, and�lower memory consumption.
{"title":"Shaking the Fake: Detecting Deepfake Videos in Real Time via Active Probes","authors":"Zhixin Xie, Jun Luo","doi":"arxiv-2409.10889","DOIUrl":"https://doi.org/arxiv-2409.10889","url":null,"abstract":"Real-time deepfake, a type of generative AI, is capable of \"creating\"\u0000non-existing contents (e.g., swapping one's face with another) in a video. It\u0000has been, very unfortunately, misused to produce deepfake videos (during web\u0000conferences, video calls, and identity authentication) for malicious purposes,\u0000including financial scams and political misinformation. Deepfake detection, as\u0000the countermeasure against deepfake, has attracted considerable attention from\u0000the academic community, yet existing works typically rely on learning passive\u0000features that may perform poorly beyond seen datasets. In this paper, we\u0000propose SFake, a new real-time deepfake detection method that innovatively\u0000exploits deepfake models' inability to adapt to physical interference.\u0000Specifically, SFake actively sends probes to trigger mechanical vibrations on\u0000the smartphone, resulting in the controllable feature on the footage.\u0000Consequently, SFake determines whether the face is swapped by deepfake based on\u0000the consistency of the facial area with the probe pattern. We implement SFake,\u0000evaluate its effectiveness on a self-built dataset, and compare it with six\u0000other detection methods. The results show that SFake outperforms other\u0000detection methods with higher detection accuracy, faster process speed, and\u0000lower memory consumption.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"8 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
System prompts that include detailed instructions to describe the task�performed by the underlying large language model (LLM) can easily transform�foundation models into tools and services with minimal overhead. Because of�their crucial impact on the utility, they are often considered intellectual�property, similar to the code of a software product. However, extracting system�prompts is easily possible by using prompt injection. As of today, there is no�effective countermeasure to prevent the stealing of system prompts and all�safeguarding efforts could be evaded with carefully crafted prompt injections�that bypass all protection mechanisms.In this work, we propose an alternative�to conventional system prompts. We introduce prompt obfuscation to prevent the�extraction of the system prompt while maintaining the utility of the system�itself with only little overhead. The core idea is to find a representation of�the original system prompt that leads to the same functionality, while the�obfuscated system prompt does not contain any information that allows�conclusions to be drawn about the original system prompt. We implement an�optimization-based method to find an obfuscated prompt representation while�maintaining the functionality. To evaluate our approach, we investigate eight�different metrics to compare the performance of a system using the original and�the obfuscated system prompts, and we show that the obfuscated version is�constantly on par with the original one. We further perform three different�deobfuscation attacks and show that with access to the obfuscated prompt and�the LLM itself, we are not able to consistently extract meaningful information.�Overall, we showed that prompt obfuscation can be an effective method to�protect intellectual property while maintaining the same utility as the�original system prompt.
{"title":"Prompt Obfuscation for Large Language Models","authors":"David Pape, Thorsten Eisenhofer, Lea Schönherr","doi":"arxiv-2409.11026","DOIUrl":"https://doi.org/arxiv-2409.11026","url":null,"abstract":"System prompts that include detailed instructions to describe the task\u0000performed by the underlying large language model (LLM) can easily transform\u0000foundation models into tools and services with minimal overhead. Because of\u0000their crucial impact on the utility, they are often considered intellectual\u0000property, similar to the code of a software product. However, extracting system\u0000prompts is easily possible by using prompt injection. As of today, there is no\u0000effective countermeasure to prevent the stealing of system prompts and all\u0000safeguarding efforts could be evaded with carefully crafted prompt injections\u0000that bypass all protection mechanisms.In this work, we propose an alternative\u0000to conventional system prompts. We introduce prompt obfuscation to prevent the\u0000extraction of the system prompt while maintaining the utility of the system\u0000itself with only little overhead. The core idea is to find a representation of\u0000the original system prompt that leads to the same functionality, while the\u0000obfuscated system prompt does not contain any information that allows\u0000conclusions to be drawn about the original system prompt. We implement an\u0000optimization-based method to find an obfuscated prompt representation while\u0000maintaining the functionality. To evaluate our approach, we investigate eight\u0000different metrics to compare the performance of a system using the original and\u0000the obfuscated system prompts, and we show that the obfuscated version is\u0000constantly on par with the original one. We further perform three different\u0000deobfuscation attacks and show that with access to the obfuscated prompt and\u0000the LLM itself, we are not able to consistently extract meaningful information.\u0000Overall, we showed that prompt obfuscation can be an effective method to\u0000protect intellectual property while maintaining the same utility as the\u0000original system prompt.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"47 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261663","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Étienne André, Marie Duflot, Laetitia Laversa, Engel Lefaucheux
Timing leaks in timed automata (TA) can occur whenever an attacker is able to�deduce a secret by observing some timed behavior. In execution-time opacity,�the attacker aims at deducing whether a private location was visited, by�observing only the execution time. It can be decided whether a TA is opaque in�this setting. In this work, we tackle control, and show that we are able to�decide whether a TA can be controlled at runtime to ensure opacity. Our method�is constructive, in the sense that we can exhibit such a controller. We also�address the case when the attacker cannot have an infinite precision in its�observations.
定时自动机(TA)中的定时泄露可能发生在攻击者能够通过观察某些定时行为来推测秘密的时候。在执行时间不透明的情况下,攻击者的目的是通过只观察执行时间来推断某个私人位置是否被访问过。在这种情况下,可以判定 TA 是否不透明。在这项工作中,我们解决了控制问题,并证明我们能够判定 TA 是否能在运行时被控制以确保不透明。我们的方法是建设性的,因为我们可以展示这样一个控制器。我们还解决了攻击者无法无限精确观测的情况。
{"title":"Execution-time opacity control for timed automata","authors":"Étienne André, Marie Duflot, Laetitia Laversa, Engel Lefaucheux","doi":"arxiv-2409.10336","DOIUrl":"https://doi.org/arxiv-2409.10336","url":null,"abstract":"Timing leaks in timed automata (TA) can occur whenever an attacker is able to\u0000deduce a secret by observing some timed behavior. In execution-time opacity,\u0000the attacker aims at deducing whether a private location was visited, by\u0000observing only the execution time. It can be decided whether a TA is opaque in\u0000this setting. In this work, we tackle control, and show that we are able to\u0000decide whether a TA can be controlled at runtime to ensure opacity. Our method\u0000is constructive, in the sense that we can exhibit such a controller. We also\u0000address the case when the attacker cannot have an infinite precision in its\u0000observations.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"89 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261721","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Regulatory authorities aim to tackle illegal activities by targeting the�economic incentives that drive such behaviour. This is typically achieved�through the implementation of financial sanctions against the entities involved�in the crimes. However, the rise of cryptocurrencies has presented new�challenges, allowing entities to evade these sanctions and continue criminal�operations. Consequently, enforcement measures have been expanded to include�crypto assets information of sanctioned entities. Yet, due to the nature of the�crypto ecosystem, blocking or freezing these digital assets is harder and, in�some cases, such as with Bitcoin, unfeasible. Therefore, sanctions serve merely�as deterrents. For this reason, in this study, we aim to assess the impact of�these sanctions on entities' crypto activities, particularly those related to�the Bitcoin ecosystem. Our objective is to shed light on the validity and�effectiveness (or lack thereof) of such countermeasures. Specifically, we�analyse the transactions and the amount of USD moved by punished entities that�possess crypto addresses after being sanctioned by the authority agency.�Results indicate that while sanctions have been effective for half of the�examined entities, the others continue to move funds through sanctioned�addresses. Furthermore, punished entities demonstrate a preference for�utilising rapid exchange services to convert their funds, rather than employing�dedicated money laundering services. To the best of our knowledge, this study�offers valuable insights into how entities use crypto assets to circumvent�sanctions.
{"title":"Assessing the Impact of Sanctions in the Crypto Ecosystem: Effective Measures or Ineffective Deterrents?","authors":"Francesco Zola, Jon Ander Medina, Raul Orduna","doi":"arxiv-2409.10031","DOIUrl":"https://doi.org/arxiv-2409.10031","url":null,"abstract":"Regulatory authorities aim to tackle illegal activities by targeting the\u0000economic incentives that drive such behaviour. This is typically achieved\u0000through the implementation of financial sanctions against the entities involved\u0000in the crimes. However, the rise of cryptocurrencies has presented new\u0000challenges, allowing entities to evade these sanctions and continue criminal\u0000operations. Consequently, enforcement measures have been expanded to include\u0000crypto assets information of sanctioned entities. Yet, due to the nature of the\u0000crypto ecosystem, blocking or freezing these digital assets is harder and, in\u0000some cases, such as with Bitcoin, unfeasible. Therefore, sanctions serve merely\u0000as deterrents. For this reason, in this study, we aim to assess the impact of\u0000these sanctions on entities' crypto activities, particularly those related to\u0000the Bitcoin ecosystem. Our objective is to shed light on the validity and\u0000effectiveness (or lack thereof) of such countermeasures. Specifically, we\u0000analyse the transactions and the amount of USD moved by punished entities that\u0000possess crypto addresses after being sanctioned by the authority agency.\u0000Results indicate that while sanctions have been effective for half of the\u0000examined entities, the others continue to move funds through sanctioned\u0000addresses. Furthermore, punished entities demonstrate a preference for\u0000utilising rapid exchange services to convert their funds, rather than employing\u0000dedicated money laundering services. To the best of our knowledge, this study\u0000offers valuable insights into how entities use crypto assets to circumvent\u0000sanctions.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"18 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261723","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jonathan Rosenthal, Shanchao Liang, Kevin Zhang, Lin Tan
Machine Learning as a Service (MLaaS) is often provided as a pay-per-query,�black-box system to clients. Such a black-box approach not only hinders open�replication, validation, and interpretation of model results, but also makes it�harder for white-hat researchers to identify vulnerabilities in the MLaaS�systems. Model extraction is a promising technique to address these challenges�by reverse-engineering black-box models. Since training data is typically�unavailable for MLaaS models, this paper focuses on the realistic version of�it: data-free model extraction. We propose a data-free model extraction�approach, CaBaGe, to achieve higher model extraction accuracy with a small�number of queries. Our innovations include (1) a novel experience replay for�focusing on difficult training samples; (2) an ensemble of generators for�steadily producing diverse synthetic data; and (3) a selective filtering�process for querying the victim model with harder, more balanced samples. In�addition, we create a more realistic setting, for the first time, where the�attacker has no knowledge of the number of classes in the victim training data,�and create a solution to learn the number of classes on the fly. Our evaluation�shows that CaBaGe outperforms existing techniques on seven datasets -- MNIST,�FMNIST, SVHN, CIFAR-10, CIFAR-100, ImageNet-subset, and Tiny ImageNet -- with�an accuracy improvement of the extracted models by up to 43.13%. Furthermore,�the number of queries required to extract a clone model matching the final�accuracy of prior work is reduced by up to 75.7%.
{"title":"CaBaGe: Data-Free Model Extraction using ClAss BAlanced Generator Ensemble","authors":"Jonathan Rosenthal, Shanchao Liang, Kevin Zhang, Lin Tan","doi":"arxiv-2409.10643","DOIUrl":"https://doi.org/arxiv-2409.10643","url":null,"abstract":"Machine Learning as a Service (MLaaS) is often provided as a pay-per-query,\u0000black-box system to clients. Such a black-box approach not only hinders open\u0000replication, validation, and interpretation of model results, but also makes it\u0000harder for white-hat researchers to identify vulnerabilities in the MLaaS\u0000systems. Model extraction is a promising technique to address these challenges\u0000by reverse-engineering black-box models. Since training data is typically\u0000unavailable for MLaaS models, this paper focuses on the realistic version of\u0000it: data-free model extraction. We propose a data-free model extraction\u0000approach, CaBaGe, to achieve higher model extraction accuracy with a small\u0000number of queries. Our innovations include (1) a novel experience replay for\u0000focusing on difficult training samples; (2) an ensemble of generators for\u0000steadily producing diverse synthetic data; and (3) a selective filtering\u0000process for querying the victim model with harder, more balanced samples. In\u0000addition, we create a more realistic setting, for the first time, where the\u0000attacker has no knowledge of the number of classes in the victim training data,\u0000and create a solution to learn the number of classes on the fly. Our evaluation\u0000shows that CaBaGe outperforms existing techniques on seven datasets -- MNIST,\u0000FMNIST, SVHN, CIFAR-10, CIFAR-100, ImageNet-subset, and Tiny ImageNet -- with\u0000an accuracy improvement of the extracted models by up to 43.13%. Furthermore,\u0000the number of queries required to extract a clone model matching the final\u0000accuracy of prior work is reduced by up to 75.7%.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"89 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261670","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Deep neural networks (DNNs) have achieved significant success in real-world�applications. However, safeguarding their intellectual property (IP) remains�extremely challenging. Existing DNN watermarking for IP protection often�require modifying DNN models, which reduces model performance and limits their�practicality. This paper introduces FreeMark, a novel DNN watermarking framework that�leverages cryptographic principles without altering the original host DNN�model, thereby avoiding any reduction in model performance. Unlike traditional�DNN watermarking methods, FreeMark innovatively generates secret keys from a�pre-generated watermark vector and the host model using gradient descent. These�secret keys, used to extract watermark from the model's activation values, are�securely stored with a trusted third party, enabling reliable watermark�extraction from suspect models. Extensive experiments demonstrate that FreeMark�effectively resists various watermark removal attacks while maintaining high�watermark capacity.
{"title":"FreeMark: A Non-Invasive White-Box Watermarking for Deep Neural Networks","authors":"Yuzhang Chen, Jiangnan Zhu, Yujie Gu, Minoru Kuribayashi, Kouichi Sakurai","doi":"arxiv-2409.09996","DOIUrl":"https://doi.org/arxiv-2409.09996","url":null,"abstract":"Deep neural networks (DNNs) have achieved significant success in real-world\u0000applications. However, safeguarding their intellectual property (IP) remains\u0000extremely challenging. Existing DNN watermarking for IP protection often\u0000require modifying DNN models, which reduces model performance and limits their\u0000practicality. This paper introduces FreeMark, a novel DNN watermarking framework that\u0000leverages cryptographic principles without altering the original host DNN\u0000model, thereby avoiding any reduction in model performance. Unlike traditional\u0000DNN watermarking methods, FreeMark innovatively generates secret keys from a\u0000pre-generated watermark vector and the host model using gradient descent. These\u0000secret keys, used to extract watermark from the model's activation values, are\u0000securely stored with a trusted third party, enabling reliable watermark\u0000extraction from suspect models. Extensive experiments demonstrate that FreeMark\u0000effectively resists various watermark removal attacks while maintaining high\u0000watermark capacity.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"47 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261724","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Echo Meißner, Frank Kargl, Benjamin Erb, Felix Engelmann
Taking part in surveys, experiments, and studies is often compensated by�rewards to increase the number of participants and encourage attendance. While�privacy requirements are usually considered for participation, privacy aspects�of the reward procedure are mostly ignored. To this end, we introduce PrePaMS,�an efficient participation management system that supports prerequisite checks�and participation rewards in a privacy-preserving way. Our system organizes�participations with potential (dis-)qualifying dependencies and enables secure�reward payoffs. By leveraging a set of proven cryptographic primitives and�mechanisms such as anonymous credentials and zero-knowledge proofs,�participations are protected so that service providers and organizers cannot�derive the identity of participants even within the reward process. In this�paper, we have designed and implemented a prototype of PrePaMS to show its�effectiveness and evaluated its performance under realistic workloads. PrePaMS�covers the information whether subjects have participated in surveys,�experiments, or studies. When combined with other secure solutions for the�actual data collection within these events, PrePaMS can represent a cornerstone�for more privacy-preserving empirical research.
{"title":"PrePaMS: Privacy-Preserving Participant Management System for Studies with Rewards and Prerequisites","authors":"Echo Meißner, Frank Kargl, Benjamin Erb, Felix Engelmann","doi":"arxiv-2409.10192","DOIUrl":"https://doi.org/arxiv-2409.10192","url":null,"abstract":"Taking part in surveys, experiments, and studies is often compensated by\u0000rewards to increase the number of participants and encourage attendance. While\u0000privacy requirements are usually considered for participation, privacy aspects\u0000of the reward procedure are mostly ignored. To this end, we introduce PrePaMS,\u0000an efficient participation management system that supports prerequisite checks\u0000and participation rewards in a privacy-preserving way. Our system organizes\u0000participations with potential (dis-)qualifying dependencies and enables secure\u0000reward payoffs. By leveraging a set of proven cryptographic primitives and\u0000mechanisms such as anonymous credentials and zero-knowledge proofs,\u0000participations are protected so that service providers and organizers cannot\u0000derive the identity of participants even within the reward process. In this\u0000paper, we have designed and implemented a prototype of PrePaMS to show its\u0000effectiveness and evaluated its performance under realistic workloads. PrePaMS\u0000covers the information whether subjects have participated in surveys,\u0000experiments, or studies. When combined with other secure solutions for the\u0000actual data collection within these events, PrePaMS can represent a cornerstone\u0000for more privacy-preserving empirical research.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"30 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142261720","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: