-
Kernelization Complexity of Solution Discovery Problems
Authors:
Mario Grobler,
Stephanie Maaz,
Amer E. Mouawad,
Naomi Nishimura,
Vijayaragunathan Ramamoorthi,
Sebastian Siebertz
Abstract:
In the solution discovery variant of a vertex (edge) subset problem $Π$ on graphs, we are given an initial configuration of tokens on the vertices (edges) of an input graph $G$ together with a budget $b$. The question is whether we can transform this configuration into a feasible solution of $Π$ on $G$ with at most $b$ modification steps. We consider the token sliding variant of the solution disco…
▽ More
In the solution discovery variant of a vertex (edge) subset problem $Π$ on graphs, we are given an initial configuration of tokens on the vertices (edges) of an input graph $G$ together with a budget $b$. The question is whether we can transform this configuration into a feasible solution of $Π$ on $G$ with at most $b$ modification steps. We consider the token sliding variant of the solution discovery framework, where each modification step consists of sliding a token to an adjacent vertex (edge). The framework of solution discovery was recently introduced by Fellows et al. [Fellows et al., ECAI 2023] and for many solution discovery problems the classical as well as the parameterized complexity has been established. In this work, we study the kernelization complexity of the solution discovery variants of Vertex Cover, Independent Set, Dominating Set, Shortest Path, Matching, and Vertex Cut with respect to the parameters number of tokens $k$, discovery budget $b$, as well as structural parameters such as pathwidth.
△ Less
Submitted 25 September, 2024;
originally announced September 2024.
-
Deep Learning-Based Out-of-distribution Source Code Data Identification: How Far Have We Gone?
Authors:
Van Nguyen,
Xingliang Yuan,
Tingmin Wu,
Surya Nepal,
Marthie Grobler,
Carsten Rudolph
Abstract:
Software vulnerabilities (SVs) have become a common, serious, and crucial concern to safety-critical security systems. That leads to significant progress in the use of AI-based methods for software vulnerability detection (SVD). In practice, although AI-based methods have been achieving promising performances in SVD and other domain applications (e.g., computer vision), they are well-known to fail…
▽ More
Software vulnerabilities (SVs) have become a common, serious, and crucial concern to safety-critical security systems. That leads to significant progress in the use of AI-based methods for software vulnerability detection (SVD). In practice, although AI-based methods have been achieving promising performances in SVD and other domain applications (e.g., computer vision), they are well-known to fail in detecting the ground-truth label of input data (referred to as out-of-distribution, OOD, data) lying far away from the training data distribution (i.e., in-distribution, ID). This drawback leads to serious issues where the models fail to indicate when they are likely mistaken. To address this problem, OOD detectors (i.e., determining whether an input is ID or OOD) have been applied before feeding the input data to the downstream AI-based modules. While OOD detection has been widely designed for computer vision and medical diagnosis applications, automated AI-based techniques for OOD source code data detection have not yet been well-studied and explored. To this end, in this paper, we propose an innovative deep learning-based approach addressing the OOD source code data identification problem. Our method is derived from an information-theoretic perspective with the use of innovative cluster-contrastive learning to effectively learn and leverage source code characteristics, enhancing data representation learning for solving the problem. The rigorous and comprehensive experiments on real-world source code datasets show the effectiveness and advancement of our approach compared to state-of-the-art baselines by a wide margin. In short, on average, our method achieves a significantly higher performance from around 15.27%, 7.39%, and 4.93% on the FPR, AUROC, and AUPR measures, respectively, in comparison with the baselines.
△ Less
Submitted 14 April, 2024; v1 submitted 8 April, 2024;
originally announced April 2024.
-
An Innovative Information Theory-based Approach to Tackle and Enhance The Transparency in Phishing Detection
Authors:
Van Nguyen,
Tingmin Wu,
Xingliang Yuan,
Marthie Grobler,
Surya Nepal,
Carsten Rudolph
Abstract:
Phishing attacks have become a serious and challenging issue for detection, explanation, and defense. Despite more than a decade of research on phishing, encompassing both technical and non-technical remedies, phishing continues to be a serious problem. Nowadays, AI-based phishing detection stands out as one of the most effective solutions for defending against phishing attacks by providing vulner…
▽ More
Phishing attacks have become a serious and challenging issue for detection, explanation, and defense. Despite more than a decade of research on phishing, encompassing both technical and non-technical remedies, phishing continues to be a serious problem. Nowadays, AI-based phishing detection stands out as one of the most effective solutions for defending against phishing attacks by providing vulnerability (i.e., phishing or benign) predictions for the data. However, it lacks explainability in terms of providing comprehensive interpretations for the predictions, such as identifying the specific information that causes the data to be classified as phishing. To this end, we propose an innovative deep learning-based approach for email (the most common phishing way) phishing attack localization. Our method can not only predict the vulnerability of the email data but also automatically learn and figure out the most important and phishing-relevant information (i.e., sentences) in the phishing email data where the selected information indicates useful and concise explanations for the vulnerability. The rigorous experiments on seven real-world diverse email datasets show the effectiveness and advancement of our proposed method in selecting crucial information, offering concise explanations (by successfully figuring out the most important and phishing-relevant information) for the vulnerability of the phishing email data. Particularly, our method achieves a significantly higher performance, ranging from approximately 1.5% to 3.5%, compared to state-of-the-art baselines, as measured by the combined average performance of two main metrics Label-Accuracy and Cognitive-True-Positive.
△ Less
Submitted 16 April, 2024; v1 submitted 26 February, 2024;
originally announced February 2024.
-
Deterministic Parikh automata on infinite words
Authors:
Mario Grobler,
Sebastian Siebertz
Abstract:
Various variants of Parikh automata on infinite words have recently been introduced in the literature. However, with some exceptions only their non-deterministic versions have been considered. In this paper we study the deterministic versions of all variants of Parikh automata on infinite words that have not yet been studied. We compare the expressiveness of the deterministic models and investigat…
▽ More
Various variants of Parikh automata on infinite words have recently been introduced in the literature. However, with some exceptions only their non-deterministic versions have been considered. In this paper we study the deterministic versions of all variants of Parikh automata on infinite words that have not yet been studied. We compare the expressiveness of the deterministic models and investigate their closure properties and decision problems with applications to model checking. The model of deterministic limit Parikh automata turns out to be most interesting, as it is the only deterministic Parikh model generalizing the $ω$-regular languages, the only deterministic Parikh model closed under the Boolean operations and the only deterministic Parikh model for which all common decision problems are decidable.
△ Less
Submitted 24 May, 2024; v1 submitted 26 January, 2024;
originally announced January 2024.
-
Solution discovery via reconfiguration for problems in P
Authors:
Mario Grobler,
Stephanie Maaz,
Nicole Megow,
Amer E. Mouawad,
Vijayaragunathan Ramamoorthi,
Daniel Schmand,
Sebastian Siebertz
Abstract:
In the recently introduced framework of solution discovery via reconfiguration [Fellows et al., ECAI 2023], we are given an initial configuration of $k$ tokens on a graph and the question is whether we can transform this configuration into a feasible solution (for some problem) via a bounded number $b$ of small modification steps. In this work, we study solution discovery variants of polynomial-ti…
▽ More
In the recently introduced framework of solution discovery via reconfiguration [Fellows et al., ECAI 2023], we are given an initial configuration of $k$ tokens on a graph and the question is whether we can transform this configuration into a feasible solution (for some problem) via a bounded number $b$ of small modification steps. In this work, we study solution discovery variants of polynomial-time solvable problems, namely Spanning Tree Discovery, Shortest Path Discovery, Matching Discovery, and Vertex/Edge Cut Discovery in the unrestricted token addition/removal model, the token jumping model, and the token sliding model. In the unrestricted token addition/removal model, we show that all four discovery variants remain in P. For the toking jumping model we also prove containment in P, except for Vertex/Edge Cut Discovery, for which we prove NP-completeness. Finally, in the token sliding model, almost all considered problems become NP-complete, the exception being Spanning Tree Discovery, which remains polynomial-time solvable. We then study the parameterized complexity of the NP-complete problems and provide a full classification of tractability with respect to the parameters solution size (number of tokens) $k$ and transformation budget (number of steps) $b$. Along the way, we observe strong connections between the solution discovery variants of our base problems and their (weighted) rainbow variants as well as their red-blue variants with cardinality constraints.
△ Less
Submitted 22 November, 2023;
originally announced November 2023.
-
Data reduction for directed feedback vertex set on graphs without long induced cycles
Authors:
Jona Dirks,
Enna Gerhard,
Mario Grobler,
Amer E. Mouawad,
Sebastian Siebertz
Abstract:
We study reduction rules for Directed Feedback Vertex Set (DFVS) on directed graphs without long cycles. A DFVS instance without cycles longer than $d$ naturally corresponds to an instance of $d$-Hitting Set, however, enumerating all cycles in an $n$-vertex graph and then kernelizing the resulting $d$-Hitting Set instance can be too costly, as already enumerating all cycles can take time $Ω(n^d)$.…
▽ More
We study reduction rules for Directed Feedback Vertex Set (DFVS) on directed graphs without long cycles. A DFVS instance without cycles longer than $d$ naturally corresponds to an instance of $d$-Hitting Set, however, enumerating all cycles in an $n$-vertex graph and then kernelizing the resulting $d$-Hitting Set instance can be too costly, as already enumerating all cycles can take time $Ω(n^d)$. We show how to compute a kernel with at most $2^dk^d$ vertices and at most $d^{3d}k^d$ induced cycles of length at most $d$, where $k$ is the size of a minimum directed feedback vertex set.
We then study classes of graphs whose underlying undirected graphs have bounded expansion or are nowhere dense. We prove that for every nowhere dense class $\mathscr{C}$ there is a function $f_\mathscr{C}(d,ε)$ such that for graphs $G\in \mathscr{C}$ without induced cycles of length greater than $d$ we can compute a kernel with $f_\mathscr{C}(d,ε)\cdot k^{1+ε}$ vertices for any $ε>0$ in time $f_\mathscr{C}(d,ε)\cdot n^{O(1)}$.
The most restricted classes we consider are strongly connected planar graphs without any (induced or non-induced) long cycles. We show that these classes have treewidth $O(d)$ and hence DFVS on planar graphs without cycles of length greater than $d$ can be solved in time $2^{O(d)}\cdot n^{O(1)}$. We finally present a new data reduction rule for general DFVS and prove that the rule together with two standard rules subsumes all rules applied in the work of Bergougnoux et al.\ to obtain a polynomial kernel for DFVS[FVS], i.e., DFVS parameterized by the feedback vertex set number of the underlying (undirected) graph. We conclude by studying the LP-based approximation of DFVS.
△ Less
Submitted 21 January, 2025; v1 submitted 30 August, 2023;
originally announced August 2023.
-
Remarks on Parikh-recognizable omega-languages
Authors:
Mario Grobler,
Leif Sabellek,
Sebastian Siebertz
Abstract:
Several variants of Parikh automata on infinite words were recently introduced by Guha et al. [FSTTCS, 2022]. We show that one of these variants coincides with blind counter machine as introduced by Fernau and Stiebe [Fundamenta Informaticae, 2008]. Fernau and Stiebe showed that every $ω$-language recognized by a blind counter machine is of the form $\bigcup_iU_iV_i^ω$ for Parikh recognizable lang…
▽ More
Several variants of Parikh automata on infinite words were recently introduced by Guha et al. [FSTTCS, 2022]. We show that one of these variants coincides with blind counter machine as introduced by Fernau and Stiebe [Fundamenta Informaticae, 2008]. Fernau and Stiebe showed that every $ω$-language recognized by a blind counter machine is of the form $\bigcup_iU_iV_i^ω$ for Parikh recognizable languages $U_i, V_i$, but blind counter machines fall short of characterizing this class of $ω$-languages. They posed as an open problem to find a suitable automata-based characterization. We introduce several additional variants of Parikh automata on infinite words that yield automata characterizations of classes of $ω$-language of the form $\bigcup_iU_iV_i^ω$ for all combinations of languages $U_i, V_i$ being regular or Parikh-recognizable. When both $U_i$ and $V_i$ are regular, this coincides with Büchi's classical theorem. We study the effect of $\varepsilon$-transitions in all variants of Parikh automata and show that almost all of them admit $\varepsilon$-elimination. Finally we study the classical decision problems with applications to model checking.
△ Less
Submitted 31 October, 2023; v1 submitted 14 July, 2023;
originally announced July 2023.
-
On Solution Discovery via Reconfiguration
Authors:
Michael R. Fellows,
Mario Grobler,
Nicole Megow,
Amer E. Mouawad,
Vijayaragunathan Ramamoorthi,
Frances A. Rosamond,
Daniel Schmand,
Sebastian Siebertz
Abstract:
The dynamics of real-world applications and systems require efficient methods for improving infeasible solutions or restoring corrupted ones by making modifications to the current state of a system in a restricted way. We propose a new framework of solution discovery via reconfiguration for constructing a feasible solution for a given problem by executing a sequence of small modifications starting…
▽ More
The dynamics of real-world applications and systems require efficient methods for improving infeasible solutions or restoring corrupted ones by making modifications to the current state of a system in a restricted way. We propose a new framework of solution discovery via reconfiguration for constructing a feasible solution for a given problem by executing a sequence of small modifications starting from a given state. Our framework integrates and formalizes different aspects of classical local search, reoptimization, and combinatorial reconfiguration. We exemplify our framework on a multitude of fundamental combinatorial problems, namely Vertex Cover, Independent Set, Dominating Set, and Coloring. We study the classical as well as the parameterized complexity of the solution discovery variants of those problems and explore the boundary between tractable and intractable instances.
△ Less
Submitted 27 April, 2023;
originally announced April 2023.
-
Büchi-like characterizations for Parikh-recognizable omega-languages
Authors:
Mario Grobler,
Sebastian Siebertz
Abstract:
Büchi's theorem states that $ω$-regular languages are characterized as languages of the form $\bigcup_i U_i V_i^ω$, where $U_i$ and $V_i$ are regular languages. Parikh automata are automata on finite words whose transitions are equipped with vectors of positive integers, whose sum can be tested for membership in a given semi-linear set. We give an intuitive automata theoretic characterization of l…
▽ More
Büchi's theorem states that $ω$-regular languages are characterized as languages of the form $\bigcup_i U_i V_i^ω$, where $U_i$ and $V_i$ are regular languages. Parikh automata are automata on finite words whose transitions are equipped with vectors of positive integers, whose sum can be tested for membership in a given semi-linear set. We give an intuitive automata theoretic characterization of languages of the form $U_i V_i^ω$, where $U_i$ and $V_i$ are Parikh-recognizable. Furthermore, we show that the class of such languages, where $U_i$ is Parikh-recognizable and $V_i$ is regular is exactly captured by a model proposed by Klaedtke and Ruess [Automata, Languages and Programming, 2003], which again is equivalent to (a small modification of) reachability Parikh automata introduced by Guha et al. [FSTTCS, 2022]. We finish this study by introducing a model that captures exactly such languages for regular $U_i$ and Parikh-recognizable $V_i$.
△ Less
Submitted 8 February, 2023;
originally announced February 2023.
-
Parikh Automata on Infinite Words
Authors:
Mario Grobler,
Leif Sabellek,
Sebastian Siebertz
Abstract:
Parikh automata on finite words were first introduced by Klaedtke and Rueß [Automata, Languages and Programming, 2003]. In this paper, we introduce several variants of Parikh automata on infinite words and study their expressiveness. We show that one of our new models is equivalent to synchronous blind counter machines introduced by Fernau and Stiebe [Fundamenta Informaticae, 2008]. All our models…
▽ More
Parikh automata on finite words were first introduced by Klaedtke and Rueß [Automata, Languages and Programming, 2003]. In this paper, we introduce several variants of Parikh automata on infinite words and study their expressiveness. We show that one of our new models is equivalent to synchronous blind counter machines introduced by Fernau and Stiebe [Fundamenta Informaticae, 2008]. All our models admit ε-elimination, which to the best of our knowledge is an open question for blind counter automata. We then study the classical decision problems of the new automata models.
△ Less
Submitted 21 January, 2023;
originally announced January 2023.
-
History-deterministic Parikh Automata
Authors:
Enzo Erlich,
Mario Grobler,
Shibashis Guha,
Ismaël Jecker,
Karoliina Lehtinen,
Martin Zimmermann
Abstract:
Parikh automata extend finite automata by counters that can be tested for membership in a semilinear set, but only at the end of a run. Thereby, they preserve many of the desirable properties of finite automata. Deterministic Parikh automata are strictly weaker than nondeterministic ones, but enjoy better closure and algorithmic properties.
This state of affairs motivates the study of intermedia…
▽ More
Parikh automata extend finite automata by counters that can be tested for membership in a semilinear set, but only at the end of a run. Thereby, they preserve many of the desirable properties of finite automata. Deterministic Parikh automata are strictly weaker than nondeterministic ones, but enjoy better closure and algorithmic properties.
This state of affairs motivates the study of intermediate forms of nondeterminism. Here, we investigate history-deterministic Parikh automata, i.e., automata whose nondeterminism can be resolved on the fly. This restricted form of nondeterminism is well-suited for applications which classically call for determinism, e.g., solving games and composition.
We show that history-deterministic Parikh automata are strictly more expressive than deterministic ones, incomparable to unambiguous ones, and enjoy almost all of the closure properties of deterministic automata. Finally, we investigate the complexity of resolving nondeterminism in history-deterministic Parikh automata.
△ Less
Submitted 27 May, 2025; v1 submitted 16 September, 2022;
originally announced September 2022.
-
Resurrecting Trust in Facial Recognition: Mitigating Backdoor Attacks in Face Recognition to Prevent Potential Privacy Breaches
Authors:
Reena Zelenkova,
Jack Swallow,
M. A. P. Chamikara,
Dongxi Liu,
Mohan Baruwal Chhetri,
Seyit Camtepe,
Marthie Grobler,
Mahathir Almashor
Abstract:
Biometric data, such as face images, are often associated with sensitive information (e.g medical, financial, personal government records). Hence, a data breach in a system storing such information can have devastating consequences. Deep learning is widely utilized for face recognition (FR); however, such models are vulnerable to backdoor attacks executed by malicious parties. Backdoor attacks cau…
▽ More
Biometric data, such as face images, are often associated with sensitive information (e.g medical, financial, personal government records). Hence, a data breach in a system storing such information can have devastating consequences. Deep learning is widely utilized for face recognition (FR); however, such models are vulnerable to backdoor attacks executed by malicious parties. Backdoor attacks cause a model to misclassify a particular class as a target class during recognition. This vulnerability can allow adversaries to gain access to highly sensitive data protected by biometric authentication measures or allow the malicious party to masquerade as an individual with higher system permissions. Such breaches pose a serious privacy threat. Previous methods integrate noise addition mechanisms into face recognition models to mitigate this issue and improve the robustness of classification against backdoor attacks. However, this can drastically affect model accuracy. We propose a novel and generalizable approach (named BA-BAM: Biometric Authentication - Backdoor Attack Mitigation), that aims to prevent backdoor attacks on face authentication deep learning models through transfer learning and selective image perturbation. The empirical evidence shows that BA-BAM is highly robust and incurs a maximal accuracy drop of 2.4%, while reducing the attack success rate to a maximum of 20%. Comparisons with existing approaches show that BA-BAM provides a more practical backdoor mitigation approach for face recognition.
△ Less
Submitted 18 February, 2022;
originally announced February 2022.
-
Local Differential Privacy for Federated Learning
Authors:
M. A. P. Chamikara,
Dongxi Liu,
Seyit Camtepe,
Surya Nepal,
Marthie Grobler,
Peter Bertok,
Ibrahim Khalil
Abstract:
Advanced adversarial attacks such as membership inference and model memorization can make federated learning (FL) vulnerable and potentially leak sensitive private data. Local differentially private (LDP) approaches are gaining more popularity due to stronger privacy notions and native support for data distribution compared to other differentially private (DP) solutions. However, DP approaches ass…
▽ More
Advanced adversarial attacks such as membership inference and model memorization can make federated learning (FL) vulnerable and potentially leak sensitive private data. Local differentially private (LDP) approaches are gaining more popularity due to stronger privacy notions and native support for data distribution compared to other differentially private (DP) solutions. However, DP approaches assume that the FL server (that aggregates the models) is honest (run the FL protocol honestly) or semi-honest (run the FL protocol honestly while also trying to learn as much information as possible). These assumptions make such approaches unrealistic and unreliable for real-world settings. Besides, in real-world industrial environments (e.g., healthcare), the distributed entities (e.g., hospitals) are already composed of locally running machine learning models (this setting is also referred to as the cross-silo setting). Existing approaches do not provide a scalable mechanism for privacy-preserving FL to be utilized under such settings, potentially with untrusted parties. This paper proposes a new local differentially private FL (named LDPFL) protocol for industrial settings. LDPFL can run in industrial settings with untrusted entities while enforcing stronger privacy guarantees than existing approaches. LDPFL shows high FL model performance (up to 98%) under small privacy budgets (e.g., epsilon = 0.5) in comparison to existing methods.
△ Less
Submitted 3 August, 2022; v1 submitted 12 February, 2022;
originally announced February 2022.
-
Systematic Literature Review on Cyber Situational Awareness Visualizations
Authors:
Liuyue Jiang,
Asangi Jayatilaka,
Mehwish Nasim,
Marthie Grobler,
Mansooreh Zahedi,
M. Ali Babar
Abstract:
The dynamics of cyber threats are increasingly complex, making it more challenging than ever for organizations to obtain in-depth insights into their cyber security status. Therefore, organizations rely on Cyber Situational Awareness (CSA) to support them in better understanding the threats and associated impacts of cyber events. Due to the heterogeneity and complexity of cyber security data, ofte…
▽ More
The dynamics of cyber threats are increasingly complex, making it more challenging than ever for organizations to obtain in-depth insights into their cyber security status. Therefore, organizations rely on Cyber Situational Awareness (CSA) to support them in better understanding the threats and associated impacts of cyber events. Due to the heterogeneity and complexity of cyber security data, often with multidimensional attributes, sophisticated visualization techniques are needed to achieve CSA. However, there have been no previous attempts to systematically review and analyze the scientific literature on CSA visualizations. In this paper, we systematically select and review 54 publications that discuss visualizations to support CSA. We extract data from these papers to identify key stakeholders, information types, data sources, and visualization techniques. Furthermore, we analyze the level of CSA supported by the visualizations, alongside examining the maturity of the visualizations, challenges, and practices related to CSA visualizations to prepare a full analysis of the current state of CSA in an organizational context. Our results reveal certain gaps in CSA visualizations. For instance, the largest focus is on operational-level staff, and there is a clear lack of visualizations targeting other types of stakeholders such as managers, higher-level decision makers, and non-expert users. Most papers focus on threat information visualization, and there is a dearth of papers that visualize impact information, response plans, and information shared within teams. Based on the results that highlight the important concerns in CSA visualizations, we recommend a list of future research directions.
△ Less
Submitted 24 May, 2022; v1 submitted 20 December, 2021;
originally announced December 2021.
-
Robust Training Using Natural Transformation
Authors:
Shuo Wang,
Lingjuan Lyu,
Surya Nepal,
Carsten Rudolph,
Marthie Grobler,
Kristen Moore
Abstract:
Previous robustness approaches for deep learning models such as data augmentation techniques via data transformation or adversarial training cannot capture real-world variations that preserve the semantics of the input, such as a change in lighting conditions. To bridge this gap, we present NaTra, an adversarial training scheme that is designed to improve the robustness of image classification alg…
▽ More
Previous robustness approaches for deep learning models such as data augmentation techniques via data transformation or adversarial training cannot capture real-world variations that preserve the semantics of the input, such as a change in lighting conditions. To bridge this gap, we present NaTra, an adversarial training scheme that is designed to improve the robustness of image classification algorithms. We target attributes of the input images that are independent of the class identification, and manipulate those attributes to mimic real-world natural transformations (NaTra) of the inputs, which are then used to augment the training dataset of the image classifier. Specifically, we apply \textit{Batch Inverse Encoding and Shifting} to map a batch of given images to corresponding disentangled latent codes of well-trained generative models. \textit{Latent Codes Expansion} is used to boost image reconstruction quality through the incorporation of extended feature maps. \textit{Unsupervised Attribute Directing and Manipulation} enables identification of the latent directions that correspond to specific attribute changes, and then produce interpretable manipulations of those attributes, thereby generating natural transformations to the input data. We demonstrate the efficacy of our scheme by utilizing the disentangled latent representations derived from well-trained GANs to mimic transformations of an image that are similar to real-world natural variations (such as lighting conditions or hairstyle), and train models to be invariant to these natural transformations. Extensive experiments show that our method improves generalization of classification models and increases its robustness to various real-world distortions
△ Less
Submitted 9 May, 2021;
originally announced May 2021.
-
Discrepancy and Sparsity
Authors:
Mario Grobler,
Yiting Jiang,
Patrice Ossona de Mendez,
Sebastian Siebertz,
Alexandre Vigny
Abstract:
We study the connections between the notions of combinatorial discrepancy and graph degeneracy. In particular, we prove that the maximum discrepancy over all subgraphs $H$ of a graph $G$ of the neighborhood set system of $H$ is sandwiched between $Ω(\log\mathrm{deg}(G))$ and $\mathcal{O}(\mathrm{deg}(G))$, where $\mathrm{deg}(G)$ denotes the degeneracy of $G$. We extend this result to inequalities…
▽ More
We study the connections between the notions of combinatorial discrepancy and graph degeneracy. In particular, we prove that the maximum discrepancy over all subgraphs $H$ of a graph $G$ of the neighborhood set system of $H$ is sandwiched between $Ω(\log\mathrm{deg}(G))$ and $\mathcal{O}(\mathrm{deg}(G))$, where $\mathrm{deg}(G)$ denotes the degeneracy of $G$. We extend this result to inequalities relating weak coloring numbers and discrepancy of graph powers and deduce a new characterization of bounded expansion classes.
Then, we switch to a model theoretical point of view, introduce pointer structures, and study their relations to graph classes with bounded expansion. We deduce that a monotone class of graphs has bounded expansion if and only if all the set systems definable in this class have bounded hereditary discrepancy.
Using known bounds on the VC-density of set systems definable in nowhere dense classes we also give a characterization of nowhere dense classes in terms of discrepancy. As consequences of our results, we obtain a corollary on the discrepancy of neighborhood set systems of edge colored graphs, a polynomial-time algorithm to compute $\varepsilon$-approximations of size $\mathcal{O}(1/\varepsilon)$ for set systems definable in bounded expansion classes, an application to clique coloring, and even the non-existence of a quantifier elimination scheme for nowhere dense classes.
△ Less
Submitted 29 November, 2021; v1 submitted 8 May, 2021;
originally announced May 2021.
-
OCTOPUS: Overcoming Performance andPrivatization Bottlenecks in Distributed Learning
Authors:
Shuo Wang,
Surya Nepal,
Kristen Moore,
Marthie Grobler,
Carsten Rudolph,
Alsharif Abuadbba
Abstract:
The diversity and quantity of data warehouses, gathering data from distributed devices such as mobile devices, can enhance the success and robustness of machine learning algorithms. Federated learning enables distributed participants to collaboratively learn a commonly-shared model while holding data locally. However, it is also faced with expensive communication and limitations due to the heterog…
▽ More
The diversity and quantity of data warehouses, gathering data from distributed devices such as mobile devices, can enhance the success and robustness of machine learning algorithms. Federated learning enables distributed participants to collaboratively learn a commonly-shared model while holding data locally. However, it is also faced with expensive communication and limitations due to the heterogeneity of distributed data sources and lack of access to global data. In this paper, we investigate a practical distributed learning scenario where multiple downstream tasks (e.g., classifiers) could be efficiently learned from dynamically-updated and non-iid distributed data sources while providing local data privatization. We introduce a new distributed/collaborative learning scheme to address communication overhead via latent compression, leveraging global data while providing privatization of local data without additional cost due to encryption or perturbation. This scheme divides learning into (1) informative feature encoding, and transmitting the latent representation of local data to address communication overhead; (2) downstream tasks centralized at the server using the encoded codes gathered from each node to address computing overhead. Besides, a disentanglement strategy is applied to address the privatization of sensitive components of local data. Extensive experiments are conducted on image and speech datasets. The results demonstrate that downstream tasks on the compact latent representations with the privatization of local data can achieve comparable accuracy to centralized learning.
△ Less
Submitted 3 March, 2022; v1 submitted 2 May, 2021;
originally announced May 2021.
-
Adversarial Defense by Latent Style Transformations
Authors:
Shuo Wang,
Surya Nepal,
Alsharif Abuadbba,
Carsten Rudolph,
Marthie Grobler
Abstract:
Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples.
In this paper, we investigate an attack-agnostic defense against adversarial attacks on high-resolution images by detecting suspicious inputs.
The intuition behind our approach is that the essential characteristics of a normal image are generally consiste…
▽ More
Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples.
In this paper, we investigate an attack-agnostic defense against adversarial attacks on high-resolution images by detecting suspicious inputs.
The intuition behind our approach is that the essential characteristics of a normal image are generally consistent with non-essential style transformations, e.g., slightly changing the facial expression of human portraits.
In contrast, adversarial examples are generally sensitive to such transformations.
In our approach to detect adversarial instances, we propose an in\underline{V}ertible \underline{A}utoencoder based on the \underline{S}tyleGAN2 generator via \underline{A}dversarial training (VASA) to inverse images to disentangled latent codes that reveal hierarchical styles.
We then build a set of edited copies with non-essential style transformations by performing latent shifting and reconstruction, based on the correspondences between latent codes and style transformations.
The classification-based consistency of these edited copies is used to distinguish adversarial instances.
△ Less
Submitted 22 February, 2022; v1 submitted 17 June, 2020;
originally announced June 2020.
-
Defending Adversarial Attacks via Semantic Feature Manipulation
Authors:
Shuo Wang,
Tianle Chen,
Surya Nepal,
Carsten Rudolph,
Marthie Grobler,
Shangyu Chen
Abstract:
Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples. In this paper, we propose a one-off and attack-agnostic Feature Manipulation (FM)-Defense to detect and purify adversarial examples in an interpretable and efficient manner. The intuition is that the classification result of a normal image is generally resist…
▽ More
Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples. In this paper, we propose a one-off and attack-agnostic Feature Manipulation (FM)-Defense to detect and purify adversarial examples in an interpretable and efficient manner. The intuition is that the classification result of a normal image is generally resistant to non-significant intrinsic feature changes, e.g., varying thickness of handwritten digits. In contrast, adversarial examples are sensitive to such changes since the perturbation lacks transferability. To enable manipulation of features, a combo-variational autoencoder is applied to learn disentangled latent codes that reveal semantic features. The resistance to classification change over the morphs, derived by varying and reconstructing latent codes, is used to detect suspicious inputs. Further, combo-VAE is enhanced to purify the adversarial examples with good quality by considering both class-shared and class-unique features. We empirically demonstrate the effectiveness of detection and the quality of purified instance. Our experiments on three datasets show that FM-Defense can detect nearly $100\%$ of adversarial examples produced by different state-of-the-art adversarial attacks. It achieves more than $99\%$ overall purification accuracy on the suspicious instances that close the manifold of normal examples.
△ Less
Submitted 22 April, 2020; v1 submitted 3 February, 2020;
originally announced February 2020.
-
OIAD: One-for-all Image Anomaly Detection with Disentanglement Learning
Authors:
Shuo Wang,
Tianle Chen,
Shangyu Chen,
Carsten Rudolph,
Surya Nepal,
Marthie Grobler
Abstract:
Anomaly detection aims to recognize samples with anomalous and unusual patterns with respect to a set of normal data. This is significant for numerous domain applications, such as industrial inspection, medical imaging, and security enforcement. There are two key research challenges associated with existing anomaly detection approaches: (1) many approaches perform well on low-dimensional problems…
▽ More
Anomaly detection aims to recognize samples with anomalous and unusual patterns with respect to a set of normal data. This is significant for numerous domain applications, such as industrial inspection, medical imaging, and security enforcement. There are two key research challenges associated with existing anomaly detection approaches: (1) many approaches perform well on low-dimensional problems however the performance on high-dimensional instances, such as images, is limited; (2) many approaches often rely on traditional supervised approaches and manual engineering of features, while the topic has not been fully explored yet using modern deep learning approaches, even when the well-label samples are limited. In this paper, we propose a One-for-all Image Anomaly Detection system (OIAD) based on disentangled learning using only clean samples. Our key insight is that the impact of small perturbation on the latent representation can be bounded for normal samples while anomaly images are usually outside such bounded intervals, referred to as structure consistency. We implement this idea and evaluate its performance for anomaly detection. Our experiments with three datasets show that OIAD can detect over $90\%$ of anomalies while maintaining a low false alarm rate. It can also detect suspicious samples from samples labeled as clean, coincided with what humans would deem unusual.
△ Less
Submitted 26 March, 2020; v1 submitted 18 January, 2020;
originally announced January 2020.
-
Backdoor Attacks against Transfer Learning with Pre-trained Deep Learning Models
Authors:
Shuo Wang,
Surya Nepal,
Carsten Rudolph,
Marthie Grobler,
Shangyu Chen,
Tianle Chen
Abstract:
Transfer learning provides an effective solution for feasibly and fast customize accurate \textit{Student} models, by transferring the learned knowledge of pre-trained \textit{Teacher} models over large datasets via fine-tuning. Many pre-trained Teacher models used in transfer learning are publicly available and maintained by public platforms, increasing their vulnerability to backdoor attacks. In…
▽ More
Transfer learning provides an effective solution for feasibly and fast customize accurate \textit{Student} models, by transferring the learned knowledge of pre-trained \textit{Teacher} models over large datasets via fine-tuning. Many pre-trained Teacher models used in transfer learning are publicly available and maintained by public platforms, increasing their vulnerability to backdoor attacks. In this paper, we demonstrate a backdoor threat to transfer learning tasks on both image and time-series data leveraging the knowledge of publicly accessible Teacher models, aimed at defeating three commonly-adopted defenses: \textit{pruning-based}, \textit{retraining-based} and \textit{input pre-processing-based defenses}. Specifically, (A) ranking-based selection mechanism to speed up the backdoor trigger generation and perturbation process while defeating \textit{pruning-based} and/or \textit{retraining-based defenses}. (B) autoencoder-powered trigger generation is proposed to produce a robust trigger that can defeat the \textit{input pre-processing-based defense}, while guaranteeing that selected neuron(s) can be significantly activated. (C) defense-aware retraining to generate the manipulated model using reverse-engineered model inputs.
We launch effective misclassification attacks on Student models over real-world images, brain Magnetic Resonance Imaging (MRI) data and Electrocardiography (ECG) learning systems. The experiments reveal that our enhanced attack can maintain the $98.4\%$ and $97.2\%$ classification accuracy as the genuine model on clean image and time series inputs respectively while improving $27.9\%-100\%$ and $27.1\%-56.1\%$ attack success rate on trojaned image and time series inputs respectively in the presence of pruning-based and/or retraining-based defenses.
△ Less
Submitted 12 March, 2020; v1 submitted 9 January, 2020;
originally announced January 2020.
-
Generating Semantic Adversarial Examples via Feature Manipulation
Authors:
Shuo Wang,
Surya Nepal,
Carsten Rudolph,
Marthie Grobler,
Shangyu Chen,
Tianle Chen
Abstract:
The vulnerability of deep neural networks to adversarial attacks has been widely demonstrated (e.g., adversarial example attacks). Traditional attacks perform unstructured pixel-wise perturbation to fool the classifier. An alternative approach is to have perturbations in the latent space. However, such perturbations are hard to control due to the lack of interpretability and disentanglement. In th…
▽ More
The vulnerability of deep neural networks to adversarial attacks has been widely demonstrated (e.g., adversarial example attacks). Traditional attacks perform unstructured pixel-wise perturbation to fool the classifier. An alternative approach is to have perturbations in the latent space. However, such perturbations are hard to control due to the lack of interpretability and disentanglement. In this paper, we propose a more practical adversarial attack by designing structured perturbation with semantic meanings. Our proposed technique manipulates the semantic attributes of images via the disentangled latent codes. The intuition behind our technique is that images in similar domains have some commonly shared but theme-independent semantic attributes, e.g. thickness of lines in handwritten digits, that can be bidirectionally mapped to disentangled latent codes. We generate adversarial perturbation by manipulating a single or a combination of these latent codes and propose two unsupervised semantic manipulation approaches: vector-based disentangled representation and feature map-based disentangled representation, in terms of the complexity of the latent codes and smoothness of the reconstructed images. We conduct extensive experimental evaluations on real-world image data to demonstrate the power of our attacks for black-box classifiers. We further demonstrate the existence of a universal, image-agnostic semantic adversarial example.
△ Less
Submitted 20 May, 2022; v1 submitted 6 January, 2020;
originally announced January 2020.
-
A model for system developers to measure the privacy risk of data
Authors:
Awanthika Senarath,
Marthie Grobler,
Nalin Asanka Gamagedara Arachchilage
Abstract:
In this paper, we propose a model that could be used by system developers to measure the privacy risk perceived by users when they disclose data into software systems. We first derive a model to measure the perceived privacy risk based on existing knowledge and then we test our model through a survey with 151 participants. Our findings revealed that users' perceived privacy risk monotonically incr…
▽ More
In this paper, we propose a model that could be used by system developers to measure the privacy risk perceived by users when they disclose data into software systems. We first derive a model to measure the perceived privacy risk based on existing knowledge and then we test our model through a survey with 151 participants. Our findings revealed that users' perceived privacy risk monotonically increases with data sensitivity and visibility, and monotonically decreases with data relevance to the application. Furthermore, how visible data is in an application by default when the user discloses data had the highest impact on the perceived privacy risk. This model would enable developers to measure the users' perceived privacy risk associated with data items, which would help them to understand how to treat different data within a system design.
△ Less
Submitted 28 September, 2018;
originally announced September 2018.
-
Security and Performance Considerations in ROS 2: A Balancing Act
Authors:
Jongkil Kim,
Jonathon M. Smereka,
Calvin Cheung,
Surya Nepal,
Marthie Grobler
Abstract:
Robot Operating System (ROS) 2 is a ground-up re-design of ROS 1 to support performance critical cyber-physical systems (CPSs) using the Data Distribution Service (DDS) middleware. Accordingly, the security of ROS 2 is highly reliant on the security of its DDS communication protocol. However, finding a balance between the performance and security is non-trivial task. Inappropriate security impleme…
▽ More
Robot Operating System (ROS) 2 is a ground-up re-design of ROS 1 to support performance critical cyber-physical systems (CPSs) using the Data Distribution Service (DDS) middleware. Accordingly, the security of ROS 2 is highly reliant on the security of its DDS communication protocol. However, finding a balance between the performance and security is non-trivial task. Inappropriate security implementations may cause not only significant loss on performance of the system, but also security failures in the system. In this paper, we provide an analysis of the DDS security protocol as well as an overview on how to find the balance between performance and security. To accomplish this, we evaluate the latency and throughput of the communication protocols of ROS 2 in both wired and wireless networks, and measure the efficiency loss caused by the enabling of security protocols such as Virtual Private Network (VPN) and DDS security protocol in ROS 2 in both network setups. The result can be directly used by robotics developers to find the optimal and balanced settings of ROS 2 applications. Additionally, we analyzed the security specification of DDS using existing security standards and tested the implementation of the DDS protocol by performing static analysis. The results of this work can be used to enhance the security of ROS 2.
△ Less
Submitted 24 September, 2018;
originally announced September 2018.
-
Catering to Your Concerns: Automatic Generation of Personalised Security-Centric Descriptions for Android Apps
Authors:
Tingmin Wu,
Lihong Tang,
Rongjunchen Zhang,
Sheng Wen,
Cecile Paris,
Surya Nepal,
Marthie Grobler,
Yang Xiang
Abstract:
Android users are increasingly concerned with the privacy of their data and security of their devices. To improve the security awareness of users, recent automatic techniques produce security-centric descriptions by performing program analysis. However, the generated text does not always address users' concerns as they are generally too technical to be understood by ordinary users. Moreover, diffe…
▽ More
Android users are increasingly concerned with the privacy of their data and security of their devices. To improve the security awareness of users, recent automatic techniques produce security-centric descriptions by performing program analysis. However, the generated text does not always address users' concerns as they are generally too technical to be understood by ordinary users. Moreover, different users have varied linguistic preferences, which do not match the text. Motivated by this challenge, we develop an innovative scheme to help users avoid malware and privacy-breaching apps by generating security descriptions that explain the privacy and security related aspects of an Android app in clear and understandable terms. We implement a prototype system, PERSCRIPTION, to generate personalised security-centric descriptions that automatically learn users' security concerns and linguistic preferences to produce user-oriented descriptions. We evaluate our scheme through experiments and user studies. The results clearly demonstrate the improvement on readability and users' security awareness of PERSCRIPTION's descriptions compared to existing description generators.
△ Less
Submitted 26 August, 2020; v1 submitted 18 May, 2018;
originally announced May 2018.
