检索结果-内蒙古大学图书馆

ECLIPSE: Expunging Clean-label Indiscriminate Poisons via Sparse Diffusion Purification

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Wang, Xianlong Hu, Shengshan Zhang, Yechao Zhou, Ziqi Zhang, Leo Yu Xu, Peng Wan, Wei Jin, Hai National Engineering Research Center for Big Data Technology and System China Services Computing Technology and System Lab China Cluster and Grid Computing Lab China Hubei Engineering Research Center on Big Data Security China Hubei Key Laboratory of Distributed System Security China School of Cyber Science and Engineering Huazhong University of Science and Technology Wuhan430074 China School of Computer Science and Technology Huazhong University of Science and Technology Wuhan430074 China School of Information and Communication Technology Griffith University SouthportQLD4215 Australia

Clean-label indiscriminate poisoning attacks add invisible perturbations to correctly labeled training images, thus dramatically reducing the generalization capability of the victim models. Recently, defense mechanisms such as adversarial training, image transformation techniques, and image purification have been proposed. However, these schemes are either susceptible to adaptive attacks, built on unrealistic assumptions, or only effective against specific poison types, limiting their universal applicability. In this research, we propose a more universally effective, practical, and robust defense scheme called ECLIPSE. We first investigate the impact of Gaussian noise on the poisons and theoretically prove that any kind of poison will be largely assimilated when imposing sufficient random noise. In light of this, we assume the victim has access to an extremely limited number of clean images (a more practical scene) and subsequently enlarge this sparse set for training a denoising probabilistic model (a universal denoising tool). We then introduce Gaussian noise to absorb the poisons and apply the model for denoising, resulting in a roughly purified dataset. Finally, to address the trade-off of the inconsistency in the assimilation sensitivity of different poisons by Gaussian noise, we propose a lightweight corruption compensation module to effectively eliminate residual poisons, providing a more universal defense approach. Extensive experiments demonstrate that our defense approach outperforms 10 state-of-the-art defenses. We also propose an adaptive attack against ECLIPSE and verify the robustness of our defense scheme. Our code is available at https://***/CGCL-codes/ECLIPSE. Copyright © 2024, The Authors. All rights reserved.

关键词： Deep neural networks

Downstream-agnostic Adversarial Examples

学校读者我要写书评

暂无评论

Downstream-agnostic Adversarial Examples

International Conference on Computer Vision (ICCV)

作者： Ziqi Zhou Shengshan Hu Ruizhi Zhao Qian Wang Leo Yu Zhang Junhui Hou Hai Jin School of Cyber Science and Engineering Huazhong University of Science and Technology National Engineering Research Center for Big Data Technology and System Services Computing Technology and System Lab Hubei Key Laboratory of Distributed System Security Hubei Engineering Research Center on Big Data Security School of Cyber Science and Engineering Wuhan University School of Information and Communication Technology Griffith University Department of Computer Science City University of Hong Kong School of Computer Science and Technology Huazhong University of Science and Technology Cluster and Grid Computing Lab

Self-supervised learning usually uses a large amount of unlabeled data to pre-train an encoder which can be used as a general-purpose feature extractor, such that downstream users only need to perform fine-tuning operations to enjoy the benefit of "large model". Despite this promising prospect, the security of pre-trained encoder has not been thoroughly investigated yet, especially when the pre-trained encoder is publicly available for commercial *** this paper, we propose AdvEncoder, the first framework for generating downstream-agnostic universal adversarial examples based on the pre-trained encoder. AdvEncoder aims to construct a universal adversarial perturbation or patch for a set of natural images that can fool all the downstream tasks inheriting the victim pre-trained encoder. Unlike traditional adversarial example works, the pre-trained encoder only outputs feature vectors rather than classification labels. Therefore, we first exploit the high frequency component information of the image to guide the generation of adversarial examples. Then we design a generative attack framework to construct adversarial perturbations/patches by learning the distribution of the attack surrogate dataset to improve their attack success rates and transferability. Our results show that an attacker can successfully attack downstream tasks without knowing either the pre-training dataset or the downstream dataset. We also tailor four defenses for pre-trained encoders, the results of which further prove the attack ability of AdvEncoder. Our codes are available at: https://***/CGCL-codes/AdvEncoder.

关键词：

A Four-Pronged Defense Against Byzantine Attacks in Federated Learning

学校读者我要写书评

暂无评论

arXiv 2023年

作者： Wan, Wei Hu, Shengshan Li, Minghui Lu, Jianrong Zhang, Longling Zhang, Leo Yu Jin, Hai School of Cyber Science and Engineering Huazhong University of Science and Technology China School of Software Engineering Huazhong University of Science and Technology China School of Information and Communication Technology Griffith University Australia School of Computer Science and Technology Huazhong University of Science and Technology China National Engineering Research Center for Big Data Technology and System Services Computing Technology and System Lab Hubei Key Laboratory of Distributed System Security China Hubei Engineering Research Center on Big Data Security China Cluster and Grid Computing Lab

Federated learning (FL) is a nascent distributed learning paradigm to train a shared global model without violating users' privacy. FL has been shown to be vulnerable to various Byzantine attacks, where malicious participants could independently or collusively upload well-crafted updates to deteriorate the performance of the global model. However, existing defenses could only mitigate part of Byzantine attacks, without providing an all-sided shield for FL. It is difficult to simply combine them as they rely on totally contradictory assumptions. In this paper, we propose FPD, a four-pronged defense against both non-colluding and colluding Byzantine attacks. Our main idea is to utilize absolute similarity to filter updates rather than relative similarity used in existingI works. To this end, we first propose a reliable client selection strategy to prevent the majority of threats in the bud. Then we design a simple but effective score-based detection method to mitigate colluding attacks. Third, we construct an enhanced spectral-based outlier detector to accurately discard abnormal updates when the training data is not independent and identically distributed (non-IID). Finally, we design update denoising to rectify the direction of the slightly noisy but harmful updates. The four sequentially combined modules can effectively reconcile the contradiction in addressing non-colluding and colluding Byzantine attacks. Extensive experiments over three benchmark image classification datasets against four state-of-the-art Byzantine attacks demonstrate that FPD drastically outperforms existing defenses in IID and non-IID scenarios (with 30% improvement on model accuracy). © 2023, CC BY.

关键词： Classification (of information)

Robin: A Novel Method to Produce Robust Interpreters for Deep Learning-Based Code Classifiers

学校读者我要写书评

暂无评论

Robin: A Novel Method to Produce Robust Interpreters for Dee...

IEEE International Conference on Automated Software Engineering (ASE)

作者： Zhen Li Ruqian Zhang Deqing Zou Ning Wang Yating Li Shouhuai Xu Chen Chen Hai Jin School of Cyber Science and Engineering Huazhong University of Science and Technology Wuhan China Services Computing Technology and System Lab Hubei Key Laboratory of Distributed System Security Cluster and Grid Computing Lab National Engineering Research Center for Big Data Technology and System Hubei Engineering Research Center on Big Data Security Department of Computer Science University of Colorado Colorado Springs USA Center for Research in Computer Vision University of Central Florida USA School of Computer Science and Technology Huazhong University of Science and Technology Wuhan China

Deep learning has been widely used in source code classification tasks, such as code classification according to their functionalities, code authorship attribution, and vulnerability detection. Unfortunately, the black-box nature of deep learning makes it hard to interpret and understand why a classifier (i.e., classification model) makes a particular prediction on a given example. This lack of interpretability (or explainability) might have hindered their adoption by practitioners because it is not clear when they should or should not trust a classifier's prediction. The lack of interpretability has motivated a number of studies in recent years. However, existing methods are neither robust nor able to cope with out-of-distribution examples. In this paper, we propose a novel method to produce Robust interpreters for a given deep learning-based code classifier; the method is dubbed Robin. The key idea behind Robin is a novel hybrid structure combining an interpreter and two approximators, while leveraging the ideas of adversarial training and data augmentation. Experimental results show that on average the interpreter produced by Robin achieves a 6.11% higher fidelity (evaluated on the classifier), 67.22% higher fidelity (evaluated on the approximator), and 15.87x higher robustness than that of the three existing interpreters we evaluated. Moreover, the interpreter is 47.31% less affected by out-of-distribution examples than that of LEMNA.

关键词：

On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Li, Zhen Wang, Ning Zou, Deqing Li, Yating Zhang, Ruqian Xu, Shouhuai Zhang, Chao Jin, Hai School of Cyber Science and Engineering Huazhong University of Science and Technology Wuhan China Department of Computer Science University of Colorado Colorado Springs Colorado SpringsCO United States Institute for Network Sciences and Cyberspace Tsinghua University Beijing China School of Computer Science and Technology Huazhong University of Science and Technology Wuhan China National Engineering Research Center for Big Data Technology and System Services Computing Technology and System Lab Hubei Key Laboratory of Distributed System Security Hubei Engineering Research Center on Big Data Security Cluster and Grid Computing Lab China JinYinHu Laboratory Wuhan China

Software vulnerabilities are a major cyber threat and it is important to detect them. One important approach to detecting vulnerabilities is to use deep learning while treating a program function as a whole, known as function-level vulnerability detectors. However, the limitation of this approach is not understood. In this paper, we investigate its limitation in detecting one class of vulnerabilities known as inter-procedural vulnerabilities, where the to-be-patched statements and the vulnerability-triggering statements belong to different functions. For this purpose, we create the first Inter-Procedural Vulnerability Dataset (InterPVD) based on C/C++ open-source software, and we propose a tool dubbed VulTrigger for identifying vulnerability-triggering statements across functions. Experimental results show that VulTrigger can effectively identify vulnerability-triggering statements and inter-procedural vulnerabilities. Our findings include: (i) inter-procedural vulnerabilities are prevalent with an average of 2.8 inter-procedural layers;and (ii) function-level vulnerability detectors are much less effective in detecting to-be-patched functions of inter-procedural vulnerabilities than detecting their counterparts of intra-procedural vulnerabilities. Copyright © 2024, The Authors. All rights reserved.

关键词： Open source software

Detector Collapse: Physical-World Backdooring Object Detection to Catastrophic Overload or Blindness in Autonomous Driving

学校读者我要写书评

暂无评论

arXiv 2024年

作者： Zhang, Hangtao Hu, Shengshan Wang, Yichen Zhang, Leo Yu Zhou, Ziqi Wang, Xianlong Zhang, Yanjun Chen, Chao School of Cyber Science and Engineering Huazhong University of Science and Technology China School of Computer Science and Technology Huazhong University of Science and Technology China National Engineering Research Center for Big Data Technology and System Services Computing Technology and System Lab Hubei Engineering Research Center on Big Data Security China Hubei Key Laboratory of Distributed System Security China Cluster and Grid Computing Lab China School of Information and Communication Technology Griffith University Australia University of Technology Sydney Australia RMIT University Australia

Object detection tasks, crucial in safety-critical systems like autonomous driving, focus on pinpointing object locations. These detectors are known to be susceptible to backdoor attacks. However, existing backdoor techniques have primarily been adapted from classification tasks, overlooking deeper vulnerabilities specific to object detection. This paper is dedicated to bridging this gap by introducing Detector Collapse (DC), a brand-new backdoor attack paradigm tailored for object detection. DC is designed to instantly incapacitate detectors (i.e., severely impairing detector's performance and culminating in a denial-of-service). To this end, we develop two innovative attack schemes: SPONGE for triggering widespread misidentifications and BLINDING for rendering objects invisible. Remarkably, we introduce a novel poisoning strategy exploiting natural objects, enabling DC to act as a practical backdoor in real-world environments. Our experiments on different detectors across several benchmarks show a significant improvement (∼10%-60% absolute and ∼2-7× relative) in attack efficacy over state-of-the-art attacks. Copyright © 2024, The Authors. All rights reserved.

关键词： Denial-of-service attack

Why Does Little Robustness Help? A Further Step Towards Understanding Adversarial Transferability

学校读者我要写书评

暂无评论

arXiv 2023年

作者： Zhang, Yechao Hu, Shengshan Zhang, Leo Yu Shi, Junyu Li, Minghui Liu, Xiaogeng Wan, Wei Jin, Hai School of Cyber Science and Engineering Huazhong University of Science and Technology China School of Software Engineering Huazhong University of Science and Technology China School of Information and Communication Technology Griffith University Australia School of Computer Science and Technology Huazhong University of Science and Technology China National Engineering Research Center for Big Data Technology and System Services Computing Technology and System Lab Hubei Key Laboratory of Distributed System Security China Hubei Engineering Research Center on Big Data Security China Cluster and Grid Computing Lab

Adversarial examples for deep neural networks (DNNs) have been shown to be transferable: examples that successfully fool one white-box surrogate model can also deceive other black-box models with different architectures. Although a bunch of empirical studies have provided guidance on generating highly transferable adversarial examples, many of these findings fail to be well explained and even lead to confusing or inconsistent advice for practical use. In this paper, we take a further step towards understanding adversarial transferability, with a particular focus on surrogate aspects. Starting from the intriguing "little robustness" phenomenon, where models adversarially trained with mildly perturbed adversarial samples can serve as better surrogates for transfer attacks, we attribute it to a trade-off between two dominant factors: model smoothness and gradient similarity. Our research focuses on their joint effects on transferability, rather than demonstrating the separate relationships alone. Through a combination of theoretical and empirical analyses, we hypothesize that the data distribution shift induced by off-manifold samples in adversarial training is the reason that impairs gradient similarity. Building on these insights, we further explore the impacts of prevalent data augmentation and gradient regularization on transferability and analyze how the trade-off manifest in various training methods, thus building a comprehensive blueprint for the regulation mechanisms behind transferability. Finally, we provide a general route for constructing superior surrogates to boost transferability, which optimizes both model smoothness and gradient similarity simultaneously, e.g., the combination of input gradient regularization and sharpness-aware minimization (SAM), validated by extensive experiments. In summary, we call for attention to the united impacts of these two factors for launching effective transfer attacks, rather than optimizing one while ignoring the other,

关键词： Deep neural networks

Securing Sdn/Nfv-Enabled Campus Networks with Software-Defined Perimeter-Based Zero-Trust Architecture

学校读者我要写书评

暂无评论

SSRN

SSRN 2023年

作者： Ruambo, Francis A. Zou, Deqing Lopes, Ivandro O. Yuan, Bin School of Cyber Science and Engineering Huazhong University of Science and Technology Wuhan430074 China Hubei Key Laboratory of Distributed System Security Wuhan China Hubei Engineering Research Center on Big Data Security Wuhan China National Engineering Research Center for Big Data Technology and System Wuhan China Services Computing Technology and System Lab Wuhan China Cluster and Grid Computing Lab Wuhan China Mbeya university of Science and Technology Mbeya131 Tanzania United Republic of Nucleo Operacional para a Sociedade de Informacao Cape Verde Songshan Laboratory Zhengzhou China

Network softwarization is a breakthrough in designing modern networks and providing numerous new network operations and services. This change is exemplified by Software Defined Networks (SDN) and Network Function Virtualization (NFV). As a result, the combination of SDN and NFV (SDN/NFV) frameworks and individual SDN and NFV frameworks have gained substantial traction in network security over the past decade, significantly supporting on-demand protection measures. However, the inherent security shortcomings of SDN, NFV, and SDN/NFV frameworks provide the fundamental issue in implementing security procedures via network softwarization. To solve this issue, we present a Software-Defined Perimeter (SDP)-powered Zero-Trust Architecture (ZTA) to improve security in the SDN/NFV-enabled campus network holistically. In addition to this, we also propose a threat model and quantitatively assess the suggested approach's performance and security. Furthermore, we highlight potential zero-trust network security function implementations in SDN/NFV-enabled infrastructure to increase protection for endpoint devices, network resources, and flows for detecting threats and responding effectively with minimal latency and overhead. © 2023, The Authors. All rights reserved.

关键词： Access control

Corrigendum to “A distributed Relation Detection Approach in the Internet of Things”

学校读者我要写书评

暂无评论

Mobile Information Systems 2019年第1期2019卷

作者： Weiping Zhu Hongliang Lu Xiaohui Cui Jiannong Cao International School of Software Wuhan University Wuhan *** Science and Technology on Parallel and Distributed Processing Laboratory National University of Defense Technology Changsha *** Department of Computing Hong Kong Polytechnic University Kowloon Hong Kongpolyu.edu.hk