Your search keyword '"Biggio A"' showing total 199 results

1. Humanizing the law of cyber targeting : human dignity, cyber-attacks and the protection of the civilian population

Author

Biggio, Giacomo, Tsagourias, Nicholas, and Buchan, Russell

Subjects

343.09

Abstract

The main objective of my thesis is to argue whether a human dignity-oriented interpretation of the set of rules known as the ‘law of targeting’ can reduce the potential adverse effects related to the use of cyber technologies in times of armed conflict, thereby contributing to the process known as the ‘humanization of International Humanitarian Law’. In order to do so, I will discuss the process of humanization as being the result of the dynamic between the principles of military necessity and humanity, arguing for an interpretation of the principle of humanity grounded on the idea that the dignity of the individual must be respected even during wartime. I will then employ a human dignity-oriented interpretation to the notion of attack under Art. 49 of Additional Protocol I, in order to argue that the underlying notion of violence shall be interpreted more expansively and include, beyond cyber-operations causing physical violence, also cyber-operations causing serious psychological violence and serious economic violence. This would extend the definition of attack to a wider range of cyber operations, subjecting them to the rules of targeting and, by increasing the protection of the civilian population, would therefore enhance the process of humanization. Subsequently, I will discuss what are the major interpretive issues related to the application of the human dignity-based framework to the law of targeting in the cyber context, by examining the principle of distinction between civilians/civilian objects and combatants/military objectives, the principle of proportionality and the rules on precautions in attack and against the effects of attacks.

Published

2019

2. Living-off-The-Land Reverse-Shell Detection by Informed Data Augmentation

Author

Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, Roli, Fabio, Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Abstract

The living-off-the-land (LOTL) offensive methodologies rely on the perpetration of malicious actions through chains of commands executed by legitimate applications, identifiable exclusively by analysis of system logs. LOTL techniques are well hidden inside the stream of events generated by common legitimate activities, moreover threat actors often camouflage activity through obfuscation, making them particularly difficult to detect without incurring in plenty of false alarms, even using machine learning. To improve the performance of models in such an harsh environment, we propose an augmentation framework to enhance and diversify the presence of LOTL malicious activity inside legitimate logs. Guided by threat intelligence, we generate a dataset by injecting attack templates known to be employed in the wild, further enriched by malleable patterns of legitimate activities to replicate the behavior of evasive threat actors. We conduct an extensive ablation study to understand which models better handle our augmented dataset, also manipulated to mimic the presence of model-agnostic evasion and poisoning attacks. Our results suggest that augmentation is needed to maintain high-predictive capabilities, robustness to attack is achieved through specific hardening techniques like adversarial training, and it is possible to deploy near-real-time models with almost-zero false alarms.

Published

2024

3. Robustness-Congruent Adversarial Training for Secure Machine Learning Model Updates

Author

Angioni, Daniele, Demetrio, Luca, Pintor, Maura, Oneto, Luca, Anguita, Davide, Biggio, Battista, Roli, Fabio, Angioni, Daniele, Demetrio, Luca, Pintor, Maura, Oneto, Luca, Anguita, Davide, Biggio, Battista, and Roli, Fabio

Abstract

Machine-learning models demand for periodic updates to improve their average accuracy, exploiting novel architectures and additional data. However, a newly-updated model may commit mistakes that the previous model did not make. Such misclassifications are referred to as negative flips, and experienced by users as a regression of performance. In this work, we show that this problem also affects robustness to adversarial examples, thereby hindering the development of secure model update practices. In particular, when updating a model to improve its adversarial robustness, some previously-ineffective adversarial examples may become misclassified, causing a regression in the perceived security of the system. We propose a novel technique, named robustness-congruent adversarial training, to address this issue. It amounts to fine-tuning a model with adversarial training, while constraining it to retain higher robustness on the adversarial examples that were correctly classified before the update. We show that our algorithm and, more generally, learning with non-regression constraints, provides a theoretically-grounded framework to train consistent estimators. Our experiments on robust models for computer vision confirm that (i) both accuracy and robustness, even if improved after model update, can be affected by negative flips, and (ii) our robustness-congruent adversarial training can mitigate the problem, outperforming competing baseline methods.

Published

2024

4. $\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples

Author

Cinà, Antonio Emanuele, Villani, Francesco, Pintor, Maura, Schönherr, Lea, Biggio, Battista, Pelillo, Marcello, Cinà, Antonio Emanuele, Villani, Francesco, Pintor, Maura, Schönherr, Lea, Biggio, Battista, and Pelillo, Marcello

Abstract

Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging. While most attacks consider $\ell_2$- and $\ell_\infty$-norm constraints to craft input perturbations, only a few investigate sparse $\ell_1$- and $\ell_0$-norm attacks. In particular, $\ell_0$-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable constraint. However, evaluating adversarial robustness under these attacks could reveal weaknesses otherwise left untested with more conventional $\ell_2$- and $\ell_\infty$-norm attacks. In this work, we propose a novel $\ell_0$-norm attack, called $\sigma$-zero, which leverages an ad hoc differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization, and an adaptive projection operator to dynamically adjust the trade-off between loss minimization and perturbation sparsity. Extensive evaluations using MNIST, CIFAR10, and ImageNet datasets, involving robust and non-robust models, show that $\sigma$-zero finds minimum $\ell_0$-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and scalability., Comment: Code available at https://github.com/Cinofix/sigma-zero-adversarial-attack

Published

2024

5. SLIFER: Investigating Performance and Robustness of Malware Detection Pipelines

Author

Ponte, Andrea, Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, Ogbu, Ivan Tesfai, Roli, Fabio, Ponte, Andrea, Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, Ogbu, Ivan Tesfai, and Roli, Fabio

Abstract

As a result of decades of research, Windows malware detection is approached through a plethora of techniques. However, there is an ongoing mismatch between academia -- which pursues an optimal performances in terms of detection rate and low false alarms -- and the requirements of real-world scenarios. In particular, academia focuses on combining static and dynamic analysis within a single or ensemble of models, falling into several pitfalls like (i) firing dynamic analysis without considering the computational burden it requires; (ii) discarding impossible-to-analyse samples; and (iii) analysing robustness against adversarial attacks without considering that malware detectors are complemented with more non-machine-learning components. Thus, in this paper we propose SLIFER, a novel Windows malware detection pipeline sequentially leveraging both static and dynamic analysis, interrupting computations as soon as one module triggers an alarm, requiring dynamic analysis only when needed. Contrary to the state of the art, we investigate how to deal with samples resistance to analysis, showing how much they impact performances, concluding that it is better to flag them as legitimate to not drastically increase false alarms. Lastly, we perform a robustness evaluation of SLIFER leveraging content-injections attacks, and we show that, counter-intuitively, attacks are blocked more by YARA rules than dynamic analysis due to byte artifacts created while optimizing the adversarial strategy.

Published

2024

6. Certified Adversarial Robustness of Machine Learning-based Malware Detectors via (De)Randomized Smoothing

Author

Gibert, Daniel, Demetrio, Luca, Zizzo, Giulio, Le, Quan, Planes, Jordi, Biggio, Battista, Gibert, Daniel, Demetrio, Luca, Zizzo, Giulio, Le, Quan, Planes, Jordi, and Biggio, Battista

Abstract

Deep learning-based malware detection systems are vulnerable to adversarial EXEmples - carefully-crafted malicious programs that evade detection with minimal perturbation. As such, the community is dedicating effort to develop mechanisms to defend against adversarial EXEmples. However, current randomized smoothing-based defenses are still vulnerable to attacks that inject blocks of adversarial content. In this paper, we introduce a certifiable defense against patch attacks that guarantees, for a given executable and an adversarial patch size, no adversarial EXEmple exist. Our method is inspired by (de)randomized smoothing which provides deterministic robustness certificates. During training, a base classifier is trained using subsets of continguous bytes. At inference time, our defense splits the executable into non-overlapping chunks, classifies each chunk independently, and computes the final prediction through majority voting to minimize the influence of injected content. Furthermore, we introduce a preprocessing step that fixes the size of the sections and headers to a multiple of the chunk size. As a consequence, the injected content is confined to an integer number of chunks without tampering the other chunks containing the real bytes of the input examples, allowing us to extend our certified robustness guarantees to content insertion attacks. We perform an extensive ablation study, by comparing our defense with randomized smoothing-based defenses against a plethora of content manipulation attacks and neural network architectures. Results show that our method exhibits unmatched robustness against strong content-insertion attacks, outperforming randomized smoothing-based defenses in the literature.

Published

2024

7. AttackBench: Evaluating Gradient-based Attacks for Adversarial Examples

Author

Cinà, Antonio Emanuele, Rony, Jérôme, Pintor, Maura, Demetrio, Luca, Demontis, Ambra, Biggio, Battista, Ayed, Ismail Ben, Roli, Fabio, Cinà, Antonio Emanuele, Rony, Jérôme, Pintor, Maura, Demetrio, Luca, Demontis, Ambra, Biggio, Battista, Ayed, Ismail Ben, and Roli, Fabio

Abstract

Adversarial examples are typically optimized with gradient-based attacks. While novel attacks are continuously proposed, each is shown to outperform its predecessors using different experimental setups, hyperparameter settings, and number of forward and backward calls to the target models. This provides overly-optimistic and even biased evaluations that may unfairly favor one particular attack over the others. In this work, we aim to overcome these limitations by proposing AttackBench, i.e., the first evaluation framework that enables a fair comparison among different attacks. To this end, we first propose a categorization of gradient-based attacks, identifying their main components and differences. We then introduce our framework, which evaluates their effectiveness and efficiency. We measure these characteristics by (i) defining an optimality metric that quantifies how close an attack is to the optimal solution, and (ii) limiting the number of forward and backward queries to the model, such that all attacks are compared within a given maximum query budget. Our extensive experimental analysis compares more than 100 attack implementations with a total of over 800 different configurations against CIFAR-10 and ImageNet models, highlighting that only very few attacks outperform all the competing approaches. Within this analysis, we shed light on several implementation issues that prevent many attacks from finding better solutions or running at all. We release AttackBench as a publicly available benchmark, aiming to continuously update it to include and evaluate novel gradient-based attacks for optimizing adversarial examples., Comment: https://attackbench.github.io

Published

2024

8. Security of Machine Learning (Dagstuhl Seminar 22281)

Author

Battista Biggio and Nicholas Carlini and Pavel Laskov and Konrad Rieck and Antonio Emanuele Cinà, Biggio, Battista, Carlini, Nicholas, Laskov, Pavel, Rieck, Konrad, Cinà, Antonio Emanuele, Battista Biggio and Nicholas Carlini and Pavel Laskov and Konrad Rieck and Antonio Emanuele Cinà, Biggio, Battista, Carlini, Nicholas, Laskov, Pavel, Rieck, Konrad, and Cinà, Antonio Emanuele

Abstract

Machine learning techniques, especially deep neural networks inspired by mathematical models of human intelligence, have reached an unprecedented success on a variety of data analysis tasks. The reliance of critical modern technologies on machine learning, however, raises concerns on their security, especially since powerful attacks against mainstream learning algorithms have been demonstrated since the early 2010s. Despite a substantial body of related research, no comprehensive theory and design methodology is currently known for the security of machine learning. The proposed seminar aims at identifying potential research directions that could lead to building the scientific foundation for the security of machine learning. By bringing together researchers from machine learning and information security communities, the seminar is expected to generate new ideas for security assessment and design in the field of machine learning.

Published

2023

9. Type-II Majoron Dark Matter

Author

Biggio, Carla, Calibbi, Lorenzo, Ota, Toshihiko, Zanchini, Samuele, Biggio, Carla, Calibbi, Lorenzo, Ota, Toshihiko, and Zanchini, Samuele

Abstract

We discuss in detail the possibility that the "type-II majoron" -- that is, the pseudo Nambu-Goldstone boson that arises in the context of the type-II seesaw mechanism if the lepton number is spontaneously broken by an additional singlet scalar -- account for the dark matter (DM) observed in the universe. We study the requirements the model's parameters have to fulfill in order to reproduce the measured DM relic abundance through two possible production mechanisms in the early universe, freeze-in and misalignment, both during a standard radiation-dominated era and early matter domination. We then study possible signals of type-II majoron DM and the present and expected constraints on the parameter space that can be obtained from cosmological observations, direct detection experiments, and present and future searches for decaying DM at neutrino telescopes and cosmic-ray experiments. We find that -- depending on the majoron mass, the production mechanism, and the value of the vacuum expectation value of the type-II triplet -- all of the three decay modes (photons, electrons, neutrinos) of majoron DM particles can yield observable signals at future indirect searches for DM. Furthermore, in a corner of the parameter space, detection of majoron DM is possible through electron recoil at running and future direct detection experiments., Comment: 22 pages + appendices and bibliography, 6 figures

Published

2023

10. Accelerating galaxy dynamical modeling using a neural network for joint lensing and kinematics analyses

Author

Gomer, Matthew R., Ertl, Sebastian, Biggio, Luca, Wang, Han, Galan, Aymeric, Van de Vyvere, Lyne, Sluse, Dominique, Vernardos, Georgios, Suyu, Sherry H., Gomer, Matthew R., Ertl, Sebastian, Biggio, Luca, Wang, Han, Galan, Aymeric, Van de Vyvere, Lyne, Sluse, Dominique, Vernardos, Georgios, and Suyu, Sherry H.

Abstract

Strong gravitational lensing is a powerful tool to provide constraints on galaxy mass distributions and cosmological parameters, such as the Hubble constant, $H_0$. Nevertheless, inference of such parameters from images of lensing systems is not trivial as parameter degeneracies can limit the precision in the measured lens mass and cosmological results. External information on the mass of the lens, in the form of kinematic measurements, is needed to ensure a precise and unbiased inference. Traditionally, such kinematic information has been included in the inference after the image modeling, using spherical Jeans approximations to match the measured velocity dispersion integrated within an aperture. However, as spatially resolved kinematic measurements become available via IFU data, more sophisticated dynamical modeling is necessary. Such kinematic modeling is expensive, and constitutes a computational bottleneck which we aim to overcome with our Stellar Kinematics Neural Network (SKiNN). SKiNN emulates axisymmetric modeling using a neural network, quickly synthesizing from a given mass model a kinematic map which can be compared to the observations to evaluate a likelihood. With a joint lensing plus kinematic framework, this likelihood constrains the mass model at the same time as the imaging data. We show that SKiNN's emulation of a kinematic map is accurate to considerably better precision than can be measured (better than $1\%$ in almost all cases). Using SKiNN speeds up the likelihood evaluation by a factor of $\sim 200$. This speedup makes dynamical modeling economical, and enables lens modelers to make effective use of modern data quality in the JWST era., Comment: (13 pages, 9 figures, submitted to Astronomy & Astrophysics)

Published

2023

11. An SDE for Modeling SAM: Theory and Insights

Author

Compagnoni, Enea Monzio, Biggio, Luca, Orvieto, Antonio, Proske, Frank Norbert, Kersting, Hans, Lucchi, Aurelien, Compagnoni, Enea Monzio, Biggio, Luca, Orvieto, Antonio, Proske, Frank Norbert, Kersting, Hans, and Lucchi, Aurelien

Abstract

We study the SAM (Sharpness-Aware Minimization) optimizer which has recently attracted a lot of interest due to its increased performance over more classical variants of stochastic gradient descent. Our main contribution is the derivation of continuous-time models (in the form of SDEs) for SAM and two of its variants, both for the full-batch and mini-batch settings. We demonstrate that these SDEs are rigorous approximations of the real discrete-time algorithms (in a weak sense, scaling linearly with the learning rate). Using these models, we then offer an explanation of why SAM prefers flat minima over sharp ones~--~by showing that it minimizes an implicitly regularized loss with a Hessian-dependent noise structure. Finally, we prove that SAM is attracted to saddle points under some realistic conditions. Our theoretical results are supported by detailed experiments., Comment: Accepted at ICML 2023 (Poster)

Published

2023

12. Dynamic Context Pruning for Efficient and Interpretable Autoregressive Transformers

Author

Anagnostidis, Sotiris, Pavllo, Dario, Biggio, Luca, Noci, Lorenzo, Lucchi, Aurelien, Hofmann, Thomas, Anagnostidis, Sotiris, Pavllo, Dario, Biggio, Luca, Noci, Lorenzo, Lucchi, Aurelien, and Hofmann, Thomas

Abstract

Autoregressive Transformers adopted in Large Language Models (LLMs) are hard to scale to long sequences. Despite several works trying to reduce their computational cost, most of LLMs still adopt attention layers between all pairs of tokens in the sequence, thus incurring a quadratic cost. In this study, we present a novel approach that dynamically prunes contextual information while preserving the model's expressiveness, resulting in reduced memory and computational requirements during inference. Our method employs a learnable mechanism that determines which uninformative tokens can be dropped from the context at any point across the generation process. By doing so, our approach not only addresses performance concerns but also enhances interpretability, providing valuable insight into the model's decision-making process. Our technique can be applied to existing pre-trained models through a straightforward fine-tuning process, and the pruning strength can be specified by a sparsity parameter. Notably, our empirical findings demonstrate that we can effectively prune up to 80\% of the context without significant performance degradation on downstream tasks, offering a valuable tool for mitigating inference costs. Our reference implementation achieves up to $2\times$ increase in inference throughput and even greater memory savings.

Published

2023

13. Uncertainty Quantification in Machine Learning for Engineering Design and Health Prognostics: A Tutorial

Author

Nemani, Venkat, Biggio, Luca, Huan, Xun, Hu, Zhen, Fink, Olga, Tran, Anh, Wang, Yan, Zhang, Xiaoge, Hu, Chao, Nemani, Venkat, Biggio, Luca, Huan, Xun, Hu, Zhen, Fink, Olga, Tran, Anh, Wang, Yan, Zhang, Xiaoge, and Hu, Chao

Abstract

On top of machine learning models, uncertainty quantification (UQ) functions as an essential layer of safety assurance that could lead to more principled decision making by enabling sound risk assessment and management. The safety and reliability improvement of ML models empowered by UQ has the potential to significantly facilitate the broad adoption of ML solutions in high-stakes decision settings, such as healthcare, manufacturing, and aviation, to name a few. In this tutorial, we aim to provide a holistic lens on emerging UQ methods for ML models with a particular focus on neural networks and the applications of these UQ methods in tackling engineering design as well as prognostics and health management problems. Toward this goal, we start with a comprehensive classification of uncertainty types, sources, and causes pertaining to UQ of ML models. Next, we provide a tutorial-style description of several state-of-the-art UQ methods: Gaussian process regression, Bayesian neural network, neural network ensemble, and deterministic UQ methods focusing on spectral-normalized neural Gaussian process. Established upon the mathematical formulations, we subsequently examine the soundness of these UQ methods quantitatively and qualitatively (by a toy regression example) to examine their strengths and shortcomings from different dimensions. Then, we review quantitative metrics commonly used to assess the quality of predictive uncertainty in classification and regression problems. Afterward, we discuss the increasingly important role of UQ of ML models in solving challenging problems in engineering design and health prognostics. Two case studies with source codes available on GitHub are used to demonstrate these UQ methods and compare their performance in the life prediction of lithium-ion batteries at the early stage and the remaining useful life prediction of turbofan engines.

Published

2023

14. Controllable Neural Symbolic Regression

Author

Bendinelli, Tommaso, Biggio, Luca, Kamienny, Pierre-Alexandre, Bendinelli, Tommaso, Biggio, Luca, and Kamienny, Pierre-Alexandre

Abstract

In symbolic regression, the goal is to find an analytical expression that accurately fits experimental data with the minimal use of mathematical symbols such as operators, variables, and constants. However, the combinatorial space of possible expressions can make it challenging for traditional evolutionary algorithms to find the correct expression in a reasonable amount of time. To address this issue, Neural Symbolic Regression (NSR) algorithms have been developed that can quickly identify patterns in the data and generate analytical expressions. However, these methods, in their current form, lack the capability to incorporate user-defined prior knowledge, which is often required in natural sciences and engineering fields. To overcome this limitation, we propose a novel neural symbolic regression method, named Neural Symbolic Regression with Hypothesis (NSRwH) that enables the explicit incorporation of assumptions about the expected structure of the ground-truth expression into the prediction process. Our experiments demonstrate that the proposed conditioned deep learning model outperforms its unconditioned counterparts in terms of accuracy while also providing control over the predicted expression structure.

Published

2023

15. Harnessing Synthetic Datasets: The Role of Shape Bias in Deep Neural Network Generalization

Author

Benarous, Elior, Anagnostidis, Sotiris, Biggio, Luca, Hofmann, Thomas, Benarous, Elior, Anagnostidis, Sotiris, Biggio, Luca, and Hofmann, Thomas

Abstract

Recent advancements in deep learning have been primarily driven by the use of large models trained on increasingly vast datasets. While neural scaling laws have emerged to predict network performance given a specific level of computational resources, the growing demand for expansive datasets raises concerns. To address this, a new research direction has emerged, focusing on the creation of synthetic data as a substitute. In this study, we investigate how neural networks exhibit shape bias during training on synthetic datasets, serving as an indicator of the synthetic data quality. Specifically, our findings indicate three key points: (1) Shape bias varies across network architectures and types of supervision, casting doubt on its reliability as a predictor for generalization and its ability to explain differences in model recognition compared to human capabilities. (2) Relying solely on shape bias to estimate generalization is unreliable, as it is entangled with diversity and naturalism. (3) We propose a novel interpretation of shape bias as a tool for estimating the diversity of samples within a dataset. Our research aims to clarify the implications of using synthetic data and its associated shape bias in deep learning, addressing concerns regarding generalization and dataset quality.

Published

2023

16. Nebula: Self-Attention for Dynamic Malware Analysis

Author

Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, Roli, Fabio, Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Abstract

Dynamic analysis enables detecting Windows malware by executing programs in a controlled environment, and storing their actions in log reports. Previous work has started training machine learning models on such reports to perform either malware detection or malware classification. However, most of the approaches (i) have only considered convolutional and long-short term memory networks, (ii) they have been built focusing only on APIs called at runtime, without considering other relevant though heterogeneous sources of information like network and file operations, and (iii) the code and pretrained models are hardly available, hindering reproducibility of results in this research area. In this work, we overcome these limitations by presenting Nebula, a versatile, self-attention transformer-based neural architecture that can generalize across different behavior representations and formats, combining heterogeneous information from dynamic log reports. We show the efficacy of Nebula on three distinct data collections from different dynamic analysis platforms, comparing its performance with previous state-of-the-art models developed for malware detection and classification tasks. We produce an extensive ablation study that showcases how the components of Nebula influence its predictive performance, while enabling it to outperform some competing approaches at very low false positive rates. We conclude our work by inspecting the behavior of Nebula through the application of explainability methods, which highlight that Nebula correctly focuses more on portions of reports that contain malicious activities. We release our code and models at github.com/dtrizna/nebula., Comment: 18 pages, 7 figures, 12 tables, preprint, in review

Published

2023

17. Samples on Thin Ice: Re-Evaluating Adversarial Pruning of Neural Networks

Author

Piras, Giorgio, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Piras, Giorgio, Pintor, Maura, Demontis, Ambra, and Biggio, Battista

Abstract

Neural network pruning has shown to be an effective technique for reducing the network size, trading desirable properties like generalization and robustness to adversarial attacks for higher sparsity. Recent work has claimed that adversarial pruning methods can produce sparse networks while also preserving robustness to adversarial examples. In this work, we first re-evaluate three state-of-the-art adversarial pruning methods, showing that their robustness was indeed overestimated. We then compare pruned and dense versions of the same models, discovering that samples on thin ice, i.e., closer to the unpruned model's decision boundary, are typically misclassified after pruning. We conclude by discussing how this intuition may lead to designing more effective adversarial pruning methods in future work.

Published

2023

18. Improving Fast Minimum-Norm Attacks with Hyperparameter Optimization

Author

Floris, Giuseppe, Mura, Raffaele, Scionis, Luca, Piras, Giorgio, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Floris, Giuseppe, Mura, Raffaele, Scionis, Luca, Piras, Giorgio, Pintor, Maura, Demontis, Ambra, and Biggio, Battista

Abstract

Evaluating the adversarial robustness of machine learning models using gradient-based attacks is challenging. In this work, we show that hyperparameter optimization can improve fast minimum-norm attacks by automating the selection of the loss function, the optimizer and the step-size scheduler, along with the corresponding hyperparameters. Our extensive evaluation involving several robust models demonstrates the improved efficacy of fast minimum-norm attacks when hyper-up with hyperparameter optimization. We release our open-source code at https://github.com/pralab/HO-FMN., Comment: Accepted at ESANN23

Published

2023

19. Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors

Author

Montaruli, Biagio, Demetrio, Luca, Pintor, Maura, Compagna, Luca, Balzarotti, Davide, Biggio, Battista, Montaruli, Biagio, Demetrio, Luca, Pintor, Maura, Compagna, Luca, Balzarotti, Davide, and Biggio, Battista

Abstract

Machine-learning phishing webpage detectors (ML-PWD) have been shown to suffer from adversarial manipulations of the HTML code of the input webpage. Nevertheless, the attacks recently proposed have demonstrated limited effectiveness due to their lack of optimizing the usage of the adopted manipulations, and they focus solely on specific elements of the HTML code. In this work, we overcome these limitations by first designing a novel set of fine-grained manipulations which allow to modify the HTML code of the input phishing webpage without compromising its maliciousness and visual appearance, i.e., the manipulations are functionality- and rendering-preserving by design. We then select which manipulations should be applied to bypass the target detector by a query-efficient black-box optimization algorithm. Our experiments show that our attacks are able to raze to the ground the performance of current state-of-the-art ML-PWD using just 30 queries, thus overcoming the weaker attacks developed in previous work, and enabling a much fairer robustness evaluation of ML-PWD., Comment: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec '23), November 30, 2023, Copenhagen, Denmark

Published

2023

20. Adversarial Attacks Against Uncertainty Quantification

Author

Ledda, Emanuele, Angioni, Daniele, Piras, Giorgio, Fumera, Giorgio, Biggio, Battista, Roli, Fabio, Ledda, Emanuele, Angioni, Daniele, Piras, Giorgio, Fumera, Giorgio, Biggio, Battista, and Roli, Fabio

Abstract

Machine-learning models can be fooled by adversarial examples, i.e., carefully-crafted input perturbations that force models to output wrong predictions. While uncertainty quantification has been recently proposed to detect adversarial inputs, under the assumption that such attacks exhibit a higher prediction uncertainty than pristine data, it has been shown that adaptive attacks specifically aimed at reducing also the uncertainty estimate can easily bypass this defense mechanism. In this work, we focus on a different adversarial scenario in which the attacker is still interested in manipulating the uncertainty estimate, but regardless of the correctness of the prediction; in particular, the goal is to undermine the use of machine-learning models when their outputs are consumed by a downstream module or by a human operator. Following such direction, we: \textit{(i)} design a threat model for attacks targeting uncertainty quantification; \textit{(ii)} devise different attack strategies on conceptually different UQ techniques spanning for both classification and semantic segmentation problems; \textit{(iii)} conduct a first complete and extensive analysis to compare the differences between some of the most employed UQ approaches under attack. Our extensive experimental analysis shows that our attacks are more effective in manipulating uncertainty quantification measures than attacks aimed to also induce misclassifications.

Published

2023

21. Hardening RGB-D Object Recognition Systems against Adversarial Patch Attacks

Author

Zheng, Yang, Demetrio, Luca, Cinà, Antonio Emanuele, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Zheng, Yang, Demetrio, Luca, Cinà, Antonio Emanuele, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Abstract

RGB-D object recognition systems improve their predictive performances by fusing color and depth information, outperforming neural network architectures that rely solely on colors. While RGB-D systems are expected to be more robust to adversarial examples than RGB-only systems, they have also been proven to be highly vulnerable. Their robustness is similar even when the adversarial examples are generated by altering only the original images' colors. Different works highlighted the vulnerability of RGB-D systems; however, there is a lacking of technical explanations for this weakness. Hence, in our work, we bridge this gap by investigating the learned deep representation of RGB-D systems, discovering that color features make the function learned by the network more complex and, thus, more sensitive to small perturbations. To mitigate this problem, we propose a defense based on a detection mechanism that makes RGB-D systems more robust against adversarial examples. We empirically show that this defense improves the performances of RGB-D systems against adversarial examples even when they are computed ad-hoc to circumvent this detection mechanism, and that is also more effective than adversarial training., Comment: Accepted for publication in the Information Sciences journal

Published

2023

22. Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning

Author

Montaruli, Biagio, Demetrio, Luca, Valenza, Andrea, Compagna, Luca, Ariu, Davide, Piras, Luca, Balzarotti, Davide, Biggio, Battista, Montaruli, Biagio, Demetrio, Luca, Valenza, Andrea, Compagna, Luca, Ariu, Davide, Piras, Luca, Balzarotti, Davide, and Biggio, Battista

Abstract

ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set, identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of the weights of the firing rules exceeds a given threshold. In this work, we show that this simple strategy is largely ineffective for detecting SQL injection (SQLi) attacks, as it tends to block many legitimate requests, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection. To overcome these issues, we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features, and it is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach is able to improve its adversarial robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.

Published

2023

23. Minimizing Energy Consumption of Deep Learning Models by Energy-Aware Training

Author

Lazzaro, Dario, Cinà, Antonio Emanuele, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Pelillo, Marcello, Lazzaro, Dario, Cinà, Antonio Emanuele, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Roli, Fabio, and Pelillo, Marcello

Abstract

Deep learning models undergo a significant increase in the number of parameters they possess, leading to the execution of a larger number of operations during inference. This expansion significantly contributes to higher energy consumption and prediction latency. In this work, we propose EAT, a gradient-based algorithm that aims to reduce energy consumption during model training. To this end, we leverage a differentiable approximation of the $\ell_0$ norm, and use it as a sparse penalty over the training loss. Through our experimental analysis conducted on three datasets and two deep neural networks, we demonstrate that our energy-aware training algorithm EAT is able to train networks with a better trade-off between classification performance and energy efficiency., Comment: 12 pages, 3 figures. Paper accepted at the 22nd International Conference on Image Analysis and Processing (ICIAP) 2023

Published

2023

24. Gemtelligence: Accelerating Gemstone classification with Deep Learning

Author

Bendinelli, Tommaso, Biggio, Luca, Nyfeler, Daniel, Ghosh, Abhigyan, Tollan, Peter, Kirschmann, Moritz Alexander, Fink, Olga, Bendinelli, Tommaso, Biggio, Luca, Nyfeler, Daniel, Ghosh, Abhigyan, Tollan, Peter, Kirschmann, Moritz Alexander, and Fink, Olga

Abstract

The value of luxury goods, particularly investment-grade gemstones, is greatly influenced by their origin and authenticity, sometimes resulting in differences worth millions of dollars. Traditionally, human experts have determined the origin and detected treatments on gemstones through visual inspections and a range of analytical methods. However, the interpretation of the data can be subjective and time-consuming, resulting in inconsistencies. In this study, we propose Gemtelligence, a novel approach based on deep learning that enables accurate and consistent origin determination and treatment detection. Gemtelligence comprises convolutional and attention-based neural networks that process heterogeneous data types collected by multiple instruments. Notably, the algorithm demonstrated comparable predictive performance to expensive laser-ablation inductively-coupled-plasma mass-spectrometry (ICP-MS) analysis and visual examination by human experts, despite using input data from relatively inexpensive analytical methods. Our innovative methodology represents a major breakthrough in the field of gemstone analysis by significantly improving the automation and robustness of the entire analytical process pipeline.

Published

2023

25. Cosmology from Galaxy Redshift Surveys with PointNet

Author

Anagnostidis, Sotiris, Thomsen, Arne, Kacprzak, Tomasz, Tröster, Tilman, Biggio, Luca, Refregier, Alexandre, Hofmann, Thomas, Anagnostidis, Sotiris, Thomsen, Arne, Kacprzak, Tomasz, Tröster, Tilman, Biggio, Luca, Refregier, Alexandre, and Hofmann, Thomas

Abstract

In recent years, deep learning approaches have achieved state-of-the-art results in the analysis of point cloud data. In cosmology, galaxy redshift surveys resemble such a permutation invariant collection of positions in space. These surveys have so far mostly been analysed with two-point statistics, such as power spectra and correlation functions. The usage of these summary statistics is best justified on large scales, where the density field is linear and Gaussian. However, in light of the increased precision expected from upcoming surveys, the analysis of -- intrinsically non-Gaussian -- small angular separations represents an appealing avenue to better constrain cosmological parameters. In this work, we aim to improve upon two-point statistics by employing a \textit{PointNet}-like neural network to regress the values of the cosmological parameters directly from point cloud data. Our implementation of PointNets can analyse inputs of $\mathcal{O}(10^4) - \mathcal{O}(10^5)$ galaxies at a time, which improves upon earlier work for this application by roughly two orders of magnitude. Additionally, we demonstrate the ability to analyse galaxy redshift survey data on the lightcone, as opposed to previously static simulation boxes at a given fixed redshift.

Published

2022

26. Universal Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) Testing for Obstetric Inpatient Units Across the United States.

Author

Gilner, Jennifer, Gilner, Jennifer, Kansal, Namita, Biggio, Joseph R, Delaney, Shani, Grotegut, Chad A, Hardy, Erica, Hirshberg, Adi, Kachikis, Alisa, LaCourse, Sylvia M, Martin, Jane, Metz, Torri D, Miller, Emily S, Norton, Mary E, Sinkey, Rachel, Sobhani, Nasim C, Son, Shannon L, Srinivas, Sindhu, Tita, Alan, Werner, Erika F, Hughes, Brenna L, Gilner, Jennifer, Gilner, Jennifer, Kansal, Namita, Biggio, Joseph R, Delaney, Shani, Grotegut, Chad A, Hardy, Erica, Hirshberg, Adi, Kachikis, Alisa, LaCourse, Sylvia M, Martin, Jane, Metz, Torri D, Miller, Emily S, Norton, Mary E, Sinkey, Rachel, Sobhani, Nasim C, Son, Shannon L, Srinivas, Sindhu, Tita, Alan, Werner, Erika F, and Hughes, Brenna L

Abstract

BackgroundThe purpose of this study was to estimate prevalence of asymptomatic severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) infection among patients admitted to obstetric inpatient units throughout the United States as detected by universal screening. We sought to describe the relationship between obstetric inpatient asymptomatic infection rates and publicly available surrounding community infection rates.MethodsA cross-sectional study in which medical centers reported rates of positive SARS-CoV-2 testing in asymptomatic pregnant and immediate postpartum patients over a 1-3-month time span in 2020. Publicly reported SARS-CoV-2 case rates from the relevant county and state for each center were collected from the COVID Act Now dashboard and the COVID Tracking Project for correlation analysis.ResultsData were collected from 9 health centers, encompassing 18 hospitals. Participating health centers were located in Alabama, California, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, Rhode Island, Utah, and Washington State. Each hospital had an active policy for universal SARS-CoV-2 testing on obstetric inpatient units. A total of 10 147 SARS-CoV-2 tests were administered, of which 124 were positive (1.2%). Positivity rates varied by site, ranging from 0-3.2%. While SARS-CoV-2 infection rates were lower in asymptomatic obstetric inpatient groups than the surrounding communities, there was a positive correlation between positivity rates in obstetric inpatient units and their surrounding county (P=.003, r=.782) and state (P=.007, r=.708).ConclusionsGiven the correlation between community and obstetric inpatient rates, the necessity of SARS-CoV-2-related healthcare resource utilization in obstetric inpatient units may be best informed by surrounding community infection rates.

Published

2022

27. A Survey on Reinforcement Learning Security with Application to Autonomous Driving

Author

Demontis, Ambra, Pintor, Maura, Demetrio, Luca, Grosse, Kathrin, Lin, Hsiao-Ying, Fang, Chengfang, Biggio, Battista, Roli, Fabio, Demontis, Ambra, Pintor, Maura, Demetrio, Luca, Grosse, Kathrin, Lin, Hsiao-Ying, Fang, Chengfang, Biggio, Battista, and Roli, Fabio

Abstract

Reinforcement learning allows machines to learn from their own experience. Nowadays, it is used in safety-critical applications, such as autonomous driving, despite being vulnerable to attacks carefully crafted to either prevent that the reinforcement learning algorithm learns an effective and reliable policy, or to induce the trained agent to make a wrong decision. The literature about the security of reinforcement learning is rapidly growing, and some surveys have been proposed to shed light on this field. However, their categorizations are insufficient for choosing an appropriate defense given the kind of system at hand. In our survey, we do not only overcome this limitation by considering a different perspective, but we also discuss the applicability of state-of-the-art attacks and defenses when reinforcement learning algorithms are used in the context of autonomous driving.

Published

2022

28. Stateful Detection of Adversarial Reprogramming

Author

Zheng, Yang, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Zheng, Yang, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Pintor, Maura, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Abstract

Adversarial reprogramming allows stealing computational resources by repurposing machine learning models to perform a different task chosen by the attacker. For example, a model trained to recognize images of animals can be reprogrammed to recognize medical images by embedding an adversarial program in the images provided as inputs. This attack can be perpetrated even if the target model is a black box, supposed that the machine-learning model is provided as a service and the attacker can query the model and collect its outputs. So far, no defense has been demonstrated effective in this scenario. We show for the first time that this attack is detectable using stateful defenses, which store the queries made to the classifier and detect the abnormal cases in which they are similar. Once a malicious query is detected, the account of the user who made it can be blocked. Thus, the attacker must create many accounts to perpetrate the attack. To decrease this number, the attacker could create the adversarial program against a surrogate classifier and then fine-tune it by making few queries to the target model. In this scenario, the effectiveness of the stateful defense is reduced, but we show that it is still effective.

Published

2022

29. Explaining Machine Learning DGA Detectors from DNS Traffic Data

Author

Piras, Giorgio, Pintor, Maura, Demetrio, Luca, Biggio, Battista, Piras, Giorgio, Pintor, Maura, Demetrio, Luca, and Biggio, Battista

Abstract

One of the most common causes of lack of continuity of online systems stems from a widely popular Cyber Attack known as Distributed Denial of Service (DDoS), in which a network of infected devices (botnet) gets exploited to flood the computational capacity of services through the commands of an attacker. This attack is made by leveraging the Domain Name System (DNS) technology through Domain Generation Algorithms (DGAs), a stealthy connection strategy that yet leaves suspicious data patterns. To detect such threats, advances in their analysis have been made. For the majority, they found Machine Learning (ML) as a solution, which can be highly effective in analyzing and classifying massive amounts of data. Although strongly performing, ML models have a certain degree of obscurity in their decision-making process. To cope with this problem, a branch of ML known as Explainable ML tries to break down the black-box nature of classifiers and make them interpretable and human-readable. This work addresses the problem of Explainable ML in the context of botnet and DGA detection, which at the best of our knowledge, is the first to concretely break down the decisions of ML classifiers when devised for botnet/DGA detection, therefore providing global and local explanations.

Published

2022

30. Robust Machine Learning for Malware Detection over Time

Author

Angioni, Daniele, Demetrio, Luca, Pintor, Maura, Biggio, Battista, Angioni, Daniele, Demetrio, Luca, Pintor, Maura, and Biggio, Battista

Abstract

The presence and persistence of Android malware is an on-going threat that plagues this information era, and machine learning technologies are now extensively used to deploy more effective detectors that can block the majority of these malicious programs. However, these algorithms have not been developed to pursue the natural evolution of malware, and their performances significantly degrade over time because of such concept-drift. Currently, state-of-the-art techniques only focus on detecting the presence of such drift, or they address it by relying on frequent updates of models. Hence, there is a lack of knowledge regarding the cause of the concept drift, and ad-hoc solutions that can counter the passing of time are still under-investigated. In this work, we commence to address these issues as we propose (i) a drift-analysis framework to identify which characteristics of data are causing the drift, and (ii) SVM-CB, a time-aware classifier that leverages the drift-analysis information to slow down the performance drop. We highlight the efficacy of our contribution by comparing its degradation over time with a state-of-the-art classifier, and we show that SVM-CB better withstands the distribution changes that naturally characterize the malware domain. We conclude by discussing the limitations of our approach and how our contribution can be taken as a first step towards more time-resistant classifiers that not only tackle, but also understand the concept drift that affects data.

Published

2022

31. Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware

Author

Demetrio, Luca, Biggio, Battista, Roli, Fabio, Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Abstract

While machine learning is vulnerable to adversarial examples, it still lacks systematic procedures and tools for evaluating its security in different application contexts. In this article, we discuss how to develop automated and scalable security evaluations of machine learning using practical attacks, reporting a use case on Windows malware detection.

Published

2022

32. Machine Learning Security in Industry: A Quantitative Survey

Author

Grosse, Kathrin, Bieringer, Lukas, Besold, Tarek Richard, Biggio, Battista, Krombholz, Katharina, Grosse, Kathrin, Bieringer, Lukas, Besold, Tarek Richard, Biggio, Battista, and Krombholz, Katharina

Abstract

Despite the large body of academic work on machine learning security, little is known about the occurrence of attacks on machine learning systems in the wild. In this paper, we report on a quantitative study with 139 industrial practitioners. We analyze attack occurrence and concern and evaluate statistical hypotheses on factors influencing threat perception and exposure. Our results shed light on real-world attacks on deployed machine learning. On the organizational level, while we find no predictors for threat exposure in our sample, the amount of implement defenses depends on exposure to threats or expected likelihood to become a target. We also provide a detailed analysis of practitioners' replies on the relevance of individual machine learning attacks, unveiling complex concerns like unreliable decision making, business information leakage, and bias introduction into models. Finally, we find that on the individual level, prior knowledge about machine learning security influences threat perception. Our work paves the way for more research about adversarial machine learning in practice, but yields also insights for regulation and auditing., Comment: Accepted at TIFS, version with more detailed appendix containing more detailed statistical results. 17 pages, 6 tables and 4 figures

Published

2022

33. Wild Patterns Reloaded: A Survey of Machine Learning Security against Training Data Poisoning

Author

Cinà, Antonio Emanuele, Grosse, Kathrin, Demontis, Ambra, Vascon, Sebastiano, Zellinger, Werner, Moser, Bernhard A., Oprea, Alina, Biggio, Battista, Pelillo, Marcello, Roli, Fabio, Cinà, Antonio Emanuele, Grosse, Kathrin, Demontis, Ambra, Vascon, Sebastiano, Zellinger, Werner, Moser, Bernhard A., Oprea, Alina, Biggio, Battista, Pelillo, Marcello, and Roli, Fabio

Abstract

The success of machine learning is fueled by the increasing availability of computing power and large training datasets. The training data is used to learn new models or update existing ones, assuming that it is sufficiently representative of the data that will be encountered at test time. This assumption is challenged by the threat of poisoning, an attack that manipulates the training data to compromise the model's performance at test time. Although poisoning has been acknowledged as a relevant threat in industry applications, and a variety of different attacks and defenses have been proposed so far, a complete systematization and critical review of the field is still missing. In this survey, we provide a comprehensive systematization of poisoning attacks and defenses in machine learning, reviewing more than 100 papers published in the field in the last 15 years. We start by categorizing the current threat models and attacks, and then organize existing defenses accordingly. While we focus mostly on computer-vision applications, we argue that our systematization also encompasses state-of-the-art attacks and defenses for other data modalities. Finally, we discuss existing resources for research in poisoning, and shed light on the current limitations and open research questions in this research field., Comment: 35 pages, Accepted at ACM Computing Surveys

Published

2022

34. Machine Learning Security against Data Poisoning: Are We There Yet?

Author

Cinà, Antonio Emanuele, Grosse, Kathrin, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Pelillo, Marcello, Cinà, Antonio Emanuele, Grosse, Kathrin, Demontis, Ambra, Biggio, Battista, Roli, Fabio, and Pelillo, Marcello

Abstract

The recent success of machine learning (ML) has been fueled by the increasing availability of computing power and large amounts of data in many different applications. However, the trustworthiness of the resulting models can be compromised when such data is maliciously manipulated to mislead the learning process. In this article, we first review poisoning attacks that compromise the training data used to learn ML models, including attacks that aim to reduce the overall performance, manipulate the predictions on specific test samples, and even implant backdoors in the model. We then discuss how to mitigate these attacks using basic security principles, or by deploying ML-oriented defensive mechanisms. We conclude our article by formulating some relevant open challenges which are hindering the development of testing methods and benchmarks suitable for assessing and improving the trustworthiness of ML models against data poisoning attacks, Comment: preprint, 10 pages, 3 figures. Paper accepted to the IEEE Computer - Special Issue on Trustworthy AI

Published

2022

35. Energy-Latency Attacks via Sponge Poisoning

Author

Cinà, Antonio Emanuele, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Pelillo, Marcello, Cinà, Antonio Emanuele, Demontis, Ambra, Biggio, Battista, Roli, Fabio, and Pelillo, Marcello

Abstract

Sponge examples are test-time inputs carefully optimized to increase energy consumption and latency of neural networks when deployed on hardware accelerators. In this work, we are the first to demonstrate that sponge examples can also be injected at training time, via an attack that we call sponge poisoning. This attack allows one to increase the energy consumption and latency of machine-learning models indiscriminately on each test-time input. We present a novel formalization for sponge poisoning, overcoming the limitations related to the optimization of test-time sponge examples, and show that this attack is possible even if the attacker only controls a few model updates; for instance, if model training is outsourced to an untrusted third-party or distributed via federated learning. Our extensive experimental analysis shows that sponge poisoning can almost completely vanish the effect of hardware accelerators. We also analyze the activations of poisoned models, identifying which components are more vulnerable to this attack. Finally, we examine the feasibility of countermeasures against sponge poisoning to decrease energy consumption, showing that sanitization methods may be overly expensive for most of the users., Comment: Preprint;16 pages

Published

2022

36. ImageNet-Patch: A Dataset for Benchmarking Machine Learning Robustness against Adversarial Patches

Author

Pintor, Maura, Angioni, Daniele, Sotgiu, Angelo, Demetrio, Luca, Demontis, Ambra, Biggio, Battista, Roli, Fabio, Pintor, Maura, Angioni, Daniele, Sotgiu, Angelo, Demetrio, Luca, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Abstract

Adversarial patches are optimized contiguous pixel blocks in an input image that cause a machine-learning model to misclassify it. However, their optimization is computationally demanding, and requires careful hyperparameter tuning, potentially leading to suboptimal robustness evaluations. To overcome these issues, we propose ImageNet-Patch, a dataset to benchmark machine-learning models against adversarial patches. It consists of a set of patches, optimized to generalize across different models, and readily applicable to ImageNet data after preprocessing them with affine transformations. This process enables an approximate yet faster robustness evaluation, leveraging the transferability of adversarial perturbations. We showcase the usefulness of this dataset by testing the effectiveness of the computed patches against 127 models. We conclude by discussing how our dataset could be used as a benchmark for robustness, and how our methodology can be generalized to other domains. We open source our dataset and evaluation code at https://github.com/pralab/ImageNet-Patch.

Published

2022

37. FIGARO: Generating Symbolic Music with Fine-Grained Artistic Control

Author

von Rütte, Dimitri, Biggio, Luca, Kilcher, Yannic, Hofmann, Thomas, von Rütte, Dimitri, Biggio, Luca, Kilcher, Yannic, and Hofmann, Thomas

Abstract

Generating music with deep neural networks has been an area of active research in recent years. While the quality of generated samples has been steadily increasing, most methods are only able to exert minimal control over the generated sequence, if any. We propose the self-supervised description-to-sequence task, which allows for fine-grained controllable generation on a global level. We do so by extracting high-level features about the target sequence and learning the conditional distribution of sequences given the corresponding high-level description in a sequence-to-sequence modelling setup. We train FIGARO (FIne-grained music Generation via Attention-based, RObust control) by applying description-to-sequence modelling to symbolic music. By combining learned high level features with domain knowledge, which acts as a strong inductive bias, the model achieves state-of-the-art results in controllable symbolic music generation and generalizes well beyond the training distribution., Comment: Published in ICLR 2023

Published

2022

38. On the effectiveness of Randomized Signatures as Reservoir for Learning Rough Dynamics

Author

Compagnoni, Enea Monzio, Scampicchio, Anna, Biggio, Luca, Orvieto, Antonio, Hofmann, Thomas, Teichmann, Josef, Compagnoni, Enea Monzio, Scampicchio, Anna, Biggio, Luca, Orvieto, Antonio, Hofmann, Thomas, and Teichmann, Josef

Abstract

Many finance, physics, and engineering phenomena are modeled by continuous-time dynamical systems driven by highly irregular (stochastic) inputs. A powerful tool to perform time series analysis in this context is rooted in rough path theory and leverages the so-called Signature Transform. This algorithm enjoys strong theoretical guarantees but is hard to scale to high-dimensional data. In this paper, we study a recently derived random projection variant called Randomized Signature, obtained using the Johnson-Lindenstrauss Lemma. We provide an in-depth experimental evaluation of the effectiveness of the Randomized Signature approach, in an attempt to showcase the advantages of this reservoir to the community. Specifically, we find that this method is preferable to the truncated Signature approach and alternative deep learning techniques in terms of model complexity, training time, accuracy, robustness, and data hungriness., Comment: Accepted for IEEE IJCNN 2023

Published

2022

39. Modeling lens potentials with continuous neural fields in galaxy-scale strong lenses

Author

Biggio, Luca, Vernardos, Georgios, Galan, Aymeric, Peel, Austin, Biggio, Luca, Vernardos, Georgios, Galan, Aymeric, and Peel, Austin

Abstract

Strong gravitational lensing is a unique observational tool for studying the dark and luminous mass distribution both within and between galaxies. Given the presence of substructures, current strong lensing observations demand more complex mass models than smooth analytical profiles, such as power-law ellipsoids. In this work, we introduce a continuous neural field to predict the lensing potential at any position throughout the image plane, allowing for a nearly model-independent description of the lensing mass. We apply our method on simulated Hubble Space Telescope imaging data containing different types of perturbations to a smooth mass distribution: a localized dark subhalo, a population of subhalos, and an external shear perturbation. Assuming knowledge of the source surface brightness, we use the continuous neural field to model either the perturbations alone or the full lensing potential. In both cases, the resulting model is able to fit the imaging data, and we are able to accurately recover the properties of both the smooth potential and of the perturbations. Unlike many other deep learning methods, ours explicitly retains lensing physics (i.e., the lens equation) and introduces high flexibility in the model only where required, namely, in the lens potential. Moreover, the neural network does not require pre-training on large sets of labelled data and predicts the potential from the single observed lensing image. Our model is implemented in the fully differentiable lens modeling code Herculens.

Published

2022

40. Fast emulation of two-point angular statistics for photometric galaxy surveys

Author

Bonici, Marco, Biggio, Luca, Carbone, Carmelita, Guzzo, Luigi, Bonici, Marco, Biggio, Luca, Carbone, Carmelita, and Guzzo, Luigi

Abstract

We develop a set of machine-learning based cosmological emulators, to obtain fast model predictions for the $C(\ell)$ angular power spectrum coefficients characterising tomographic observations of galaxy clustering and weak gravitational lensing from multi-band photometric surveys (and their cross-correlation). A set of neural networks are trained to map cosmological parameters into the coefficients, achieving a speed-up $\mathcal{O}(10^3)$ in computing the required statistics for a given set of cosmological parameters, with respect to standard Boltzmann solvers, with an accuracy better than $0.175\%$ ($<0.1\%$ for the weak lensing case). This corresponds to $\sim 2\%$ or less of the statistical error bars expected from a typical Stage IV photometric surveys. Such overall improvement in speed and accuracy is obtained through ($\textit{i}$) a specific pre-processing optimisation, ahead of the training phase, and ($\textit{ii}$) a more effective neural network architecture, compared to previous implementations.

Published

2022

41. Signal Propagation in Transformers: Theoretical Perspectives and the Role of Rank Collapse

Author

Noci, Lorenzo, Anagnostidis, Sotiris, Biggio, Luca, Orvieto, Antonio, Singh, Sidak Pal, Lucchi, Aurelien, Noci, Lorenzo, Anagnostidis, Sotiris, Biggio, Luca, Orvieto, Antonio, Singh, Sidak Pal, and Lucchi, Aurelien

Abstract

Transformers have achieved remarkable success in several domains, ranging from natural language processing to computer vision. Nevertheless, it has been recently shown that stacking self-attention layers - the distinctive architectural component of Transformers - can result in rank collapse of the tokens' representations at initialization. The question of if and how rank collapse affects training is still largely unanswered, and its investigation is necessary for a more comprehensive understanding of this architecture. In this work, we shed new light on the causes and the effects of this phenomenon. First, we show that rank collapse of the tokens' representations hinders training by causing the gradients of the queries and keys to vanish at initialization. Furthermore, we provide a thorough description of the origin of rank collapse and discuss how to prevent it via an appropriate depth-dependent scaling of the residual branches. Finally, our analysis unveils that specific architectural hyperparameters affect the gradients of queries and values differently, leading to disproportionate gradient norms. This suggests an explanation for the widespread use of adaptive methods for Transformers' optimization.

Published

2022

42. Dynaformer: A Deep Learning Model for Ageing-aware Battery Discharge Prediction

Author

Biggio, Luca, Bendinelli, Tommaso, Kulkarni, Chetan, Fink, Olga, Biggio, Luca, Bendinelli, Tommaso, Kulkarni, Chetan, and Fink, Olga

Abstract

Electrochemical batteries are ubiquitous devices in our society. When they are employed in mission-critical applications, the ability to precisely predict the end of discharge under highly variable environmental and operating conditions is of paramount importance in order to support operational decision-making. While there are accurate predictive models of the processes underlying the charge and discharge phases of batteries, the modelling of ageing and its effect on performance remains poorly understood. Such a lack of understanding often leads to inaccurate models or the need for time-consuming calibration procedures whenever the battery ages or its conditions change significantly. This represents a major obstacle to the real-world deployment of efficient and robust battery management systems. In this paper, we propose for the first time an approach that can predict the voltage discharge curve for batteries of any degradation level without the need for calibration. In particular, we introduce Dynaformer, a novel Transformer-based deep learning architecture which is able to simultaneously infer the ageing state from a limited number of voltage/current samples and predict the full voltage discharge curve for real batteries with high precision. Our experiments show that the trained model is effective for input current profiles of different complexities and is robust to a wide range of degradation levels. In addition to evaluating the performance of the proposed framework on simulated data, we demonstrate that a minimal amount of fine-tuning allows the model to bridge the simulation-to-real gap between simulations and real data collected from a set of batteries. The proposed methodology enables the utilization of battery-powered systems until the end of discharge in a controlled and predictable way, thereby significantly prolonging the operating cycles and reducing costs.

Published

2022

43. Support Vector Machines under Adversarial Label Contamination

Author

Xiao, Huang, Biggio, Battista, Nelson, Blaine, Xiao, Han, Eckert, Claudia, Roli, Fabio, Xiao, Huang, Biggio, Battista, Nelson, Blaine, Xiao, Han, Eckert, Claudia, and Roli, Fabio

Abstract

Machine learning algorithms are increasingly being applied in security-related tasks such as spam and malware detection, although their security properties against deliberate attacks have not yet been widely understood. Intelligent and adaptive attackers may indeed exploit specific vulnerabilities exposed by machine learning techniques to violate system security. Being robust to adversarial data manipulation is thus an important, additional requirement for machine learning algorithms to successfully operate in adversarial settings. In this work, we evaluate the security of Support Vector Machines (SVMs) to well-crafted, adversarial label noise attacks. In particular, we consider an attacker that aims to maximize the SVM's classification error by flipping a number of labels in the training data. We formalize a corresponding optimal attack strategy, and solve it by means of heuristic approaches to keep the computational complexity tractable. We report an extensive experimental analysis on the effectiveness of the considered attacks against linear and non-linear SVMs, both on synthetic and real-world datasets. We finally argue that our approach can also provide useful insights for developing more secure SVM learning algorithms, and also novel techniques in a number of related research areas, such as semi-supervised and active learning.

Published

2022

44. Phantom Sponges: Exploiting Non-Maximum Suppression to Attack Deep Object Detectors

Author

Shapira, Avishag, Zolfi, Alon, Demetrio, Luca, Biggio, Battista, Shabtai, Asaf, Shapira, Avishag, Zolfi, Alon, Demetrio, Luca, Biggio, Battista, and Shabtai, Asaf

Abstract

Adversarial attacks against deep learning-based object detectors have been studied extensively in the past few years. Most of the attacks proposed have targeted the model's integrity (i.e., caused the model to make incorrect predictions), while adversarial attacks targeting the model's availability, a critical aspect in safety-critical domains such as autonomous driving, have not yet been explored by the machine learning research community. In this paper, we propose a novel attack that negatively affects the decision latency of an end-to-end object detection pipeline. We craft a universal adversarial perturbation (UAP) that targets a widely used technique integrated in many object detector pipelines -- non-maximum suppression (NMS). Our experiments demonstrate the proposed UAP's ability to increase the processing time of individual frames by adding "phantom" objects that overload the NMS algorithm while preserving the detection of the original objects which allows the attack to go undetected for a longer period of time.

Published

2022

45. Time delay estimation in unresolved lensed quasars

Author

Biggio, L., Domi, A., Tosi, S., Vernardos, G., Ricci, D., Paganin, L., Bracco, G., Biggio, L., Domi, A., Tosi, S., Vernardos, G., Ricci, D., Paganin, L., and Bracco, G.

Abstract

Time-delay cosmography can be used to infer the Hubble parameter $H_0$ by measuring the relative time delays between multiple images of gravitationally-lensed quasars. A few of such systems have already been used to measure $H_0$: their time delays were determined from the multiple images light curves obtained by regular, years long, monitoring campaigns. Such campaigns can hardly be performed by any telescope: many facilities are often over-subscribed with a large amount of observational requests to fulfill. While the ideal systems for time-delay measurements are lensed quasars whose images are well resolved by the instruments, several lensed quasars have a small angular separation between the multiple images, and would appear as a single, unresolved, image to a large number of telescopes featuring poor angular resolutions or located in not privileged geographical locations. Methods allowing to infer the time delay also from unresolved light curves would boost the potential of such telescopes and greatly increase the available statistics for $H_0$ measurements. This work presents a study of unresolved lensed quasar systems to estimate the time delay using a deep learning-based approach that exploits the capabilities of one-dimensional convolutional neural networks. Experiments on state-of-the-art simulations of unresolved light curves show the potential of the proposed method and pave the way for future applications in time-delay cosmography.

Published

2021

46. Facemasks for Source Control: Testing Influenza Transfer to Bedside Tables

Author

Biggio, Adriane, Raczynski, Michael E., deValpine, Maria G., Nagy-Agren, Stephanie E., Biggio, Adriane, Raczynski, Michael E., deValpine, Maria G., and Nagy-Agren, Stephanie E.

Abstract

Background: Research testing human study participants regarding the effectiveness of face masks in preventing influenza transfer or transmission is limited. In this pilot study, we investigated the following question: In influenza-positive veterans, what is the effect of face-mask wearing in comparison to not wearing a face mask on influenza transfer to bedside tables measured for 2 hours per condition over a 10-week period during the 2019–2020 influenza season. Methods: Influenza-positive veterans with influenza symptom onset ≤ 120 hours admitted to the Salem Veterans Affairs Medical Center were recruited to participate in this study. Exclusion criteria included critical illness requiring an oxygen mask or intubation. The Precept® FluidGard® 160 Procedure Mask 15300, Precept Medical Products, Inc., Arden, NC was worn by all participants during the two-hour intervention period. Surface swabs were used to measure the presence of influenza on bedside tables. CDC/NIOSH tested for influenza A and B from surface samples and facemasks using real-time polymerase chain reaction (PCR) assay (TaqMan ThermoFisher Scientific). Demographic information was collected (Table 1). A study questionnaire collected qualitative data on tolerability and feasibility of wearing a facemask when hospitalized with influenza. Institutional Review Board approval was granted. Results: From January 2, 2020, to March 11, 2020, 8 participants completed the study. Mean age was 67 years, all were male. Of these 8 participants, 6 had influenza A and 2 had influenza B. Half were diabetic; all received oseltamivir. Relative room humidity ranged from 15.6% to 39.8%. Neither influenza A nor B was detected by qPCR on bedside tables for any of the 8 participants under either face-mask–wearing condition. All participants reported that wearing the face mask was easy or very easy; of these, 5 reported experiencing warmth from the mask. Also, 50% of participants selected 2 hours as the time they could tolerate w

Published

2021

47. Semiotics of Distances in Virtual and Augmented Environments

Author

Biggio, Federico and Biggio, Federico

Abstract

The interpretations of communication practices technologically mediated by immersive devices insist on the theme of distance to highlight prototypical aspects of mediation, from the rarefaction of enunciative and referential distance, to that which leads to the solipsistic isolation of the user behind a screen. Tracing the semantic articulation of these interpretations, the contribution intends to place particular emphasis on the media of virtual and augmented reality, and on how they remedy the concept of distance by investing it in new meaning. In particular, we will focus on the illusory cancellation of the distance that occurs during an immersive experience and the establishment of a critical distance in the user, linked to the emergence of a meta experiential competence, by means of the installation of an interstitial device such as the prosthesis and the interface.

Published

2021

48. Between Persuasion and Dissuasion: Narratological Meta-operativity in Augmented Experience Design

Author

Biggio, Federico and Biggio, Federico

Abstract

The idea I will try to argue in this article is that a supposed “embodied media phobia” can more rightly be conceived of as an ideological catalyst of dysphoric beliefs about contemporary computational media rather than as entailing a factual risk for the future to be brought about by virtual and augmented reality. In this regard, the proliferation of sci-fi and of dystopian narratives within the contemporary film scene – prototypically represented by the TV series Black Mirror – conditions and even promotes the development of self-reflective thinking regarding the “dystopia in our daily lives” (Attimonelli and Susca 2020). Such ideology will be demystified in a further way too, by proposing a reflection around the concept of meta-operativity: according to the aesthetic theory advanced by Emilio Garroni (1977) and Pietro Montani (2014, 2018), if the interaction with embodied media can be conceived of as a process able to drive the development of meta-operative competence, then the symbolic value of dystopian stories can be understood as a strategy to foster meta-textual reading and a self-reflective interpretation of one’s own experience.

Published

2021

49. Why Adversarial Reprogramming Works, When It Fails, and How to Tell the Difference

Author

Zheng, Yang, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Demontis, Ambra, Pintor, Maura, Biggio, Battista, Roli, Fabio, Zheng, Yang, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Demontis, Ambra, Pintor, Maura, Biggio, Battista, and Roli, Fabio

Abstract

Adversarial reprogramming allows repurposing a machine-learning model to perform a different task. For example, a model trained to recognize animals can be reprogrammed to recognize digits by embedding an adversarial program in the digit images provided as input. Recent work has shown that adversarial reprogramming may not only be used to abuse machine-learning models provided as a service, but also beneficially, to improve transfer learning when training data is scarce. However, the factors affecting its success are still largely unexplained. In this work, we develop a first-order linear model of adversarial reprogramming to show that its success inherently depends on the size of the average input gradient, which grows when input gradients are more aligned, and when inputs have higher dimensionality. The results of our experimental analysis, involving fourteen distinct reprogramming tasks, show that the above factors are correlated with the success and the failure of adversarial reprogramming.

Published

2021

50. The Threat of Offensive AI to Organizations

Author

Mirsky, Yisroel, Demontis, Ambra, Kotak, Jaidip, Shankar, Ram, Gelei, Deng, Yang, Liu, Zhang, Xiangyu, Lee, Wenke, Elovici, Yuval, Biggio, Battista, Mirsky, Yisroel, Demontis, Ambra, Kotak, Jaidip, Shankar, Ram, Gelei, Deng, Yang, Liu, Zhang, Xiangyu, Lee, Wenke, Elovici, Yuval, and Biggio, Battista

Abstract

AI has provided us with the ability to automate tasks, extract information from vast amounts of data, and synthesize media that is nearly indistinguishable from the real thing. However, positive tools can also be used for negative purposes. In particular, cyber adversaries can use AI (such as machine learning) to enhance their attacks and expand their campaigns. Although offensive AI has been discussed in the past, there is a need to analyze and understand the threat in the context of organizations. For example, how does an AI-capable adversary impact the cyber kill chain? Does AI benefit the attacker more than the defender? What are the most significant AI threats facing organizations today and what will be their impact on the future? In this survey, we explore the threat of offensive AI on organizations. First, we present the background and discuss how AI changes the adversary's methods, strategies, goals, and overall attack model. Then, through a literature review, we identify 33 offensive AI capabilities which adversaries can use to enhance their attacks. Finally, through a user study spanning industry and academia, we rank the AI threats and provide insights on the adversaries.

Published

2021