Your search keyword '"Shouling Ji"' showing total 71 results

1. Query-efficient model extraction for text classification model in a hard label setting

Author

Hao Peng, Shixin Guo, Dandan Zhao, Yiming Wu, Jianming Han, Zhe Wang, Shouling Ji, and Ming Zhong

Subjects

Model extraction, Language model stealing, Model privacy, Adversarial attack, Natural language processing, Performance Evaluation, Electronic computers. Computer science, QA75.5-76.95

Abstract

Designing a query-efficient model extraction strategy to steal models from cloud-based platforms with black-box constraints remains a challenge, especially for language models. In a more realistic setting, a lack of information about the target model’s internal parameters, gradients, training data, or even confidence scores prevents attackers from easily copying the target model. Selecting informative and useful examples to train a substitute model is critical to query-efficient model stealing. We propose a novel model extraction framework that fine-tunes a pretrained model based on bidirectional encoder representations from transformers (BERT) while improving query efficiency by utilizing an active learning selection strategy. The active learning strategy, incorporating semantic-based diversity sampling and class-balanced uncertainty sampling, builds an informative subset from the public unannotated dataset as the input for fine-tuning. We apply our method to extract deep classifiers with identical and mismatched architectures as the substitute model under tight and moderate query budgets. Furthermore, we evaluate the transferability of adversarial examples constructed with the help of the models extracted by our method. The results show that our method achieves higher accuracy with fewer queries than existing baselines and the resulting models exhibit a high transferability success rate of adversarial examples.

Published

2023

2. Efficient text-based evolution algorithm to hard-label adversarial attacks on text

Author

Hao Peng, Zhe Wang, Dandan Zhao, Yiming Wu, Jianming Han, Shixin Guo, Shouling Ji, and Ming Zhong

Subjects

Natural language processing, Machine learning, Language model, Adversarial attack, Black-box attack, Hard-label, Electronic computers. Computer science, QA75.5-76.95

Abstract

Deep neural networks that play a pivotal role in fields such as images, text, and audio are vulnerable to adversarial attacks. In current textual adversarial attacks, the vast majority are configured with a black-box soft-label which is achieved by the gradient information or confidence of the model. Therefore, it becomes challenging and realistic to implement adversarial attacks using only the predicted top labels of the hard-label model. Existing methods to implement hard-label adversarial attacks use population-based genetic optimization algorithms. However, this approach requires significant query consumption, which is a considerable shortcoming. To solve this problem, we propose a new textual black-box hard-label adversarial attack algorithm based on the idea of differential evolution of populations, called the text-based differential evolution (TDE) algorithm. First, the method will judge the importance of the words of the initial rough adversarial examples, according to which only the keywords in the text sentence will be operated, and the rest of the words will be gradually replaced with the original words so as to reduce the words in the sentence in which the replacement occurs. Our method judges the quality of semantic similarity of the adversarial examples in the replacement process and deposits high-quality adversarial example individuals into the population. Secondly, the optimization process of adversarial examples is combined and optimized according to the word importance. Compared with existing methods based on genetic algorithm guidance, our method avoids a large number of meaningless repetitive queries and significantly improves the overall attack efficiency of the algorithm and the semantic quality of the generated adversarial examples. We experimented with multiple datasets on three text tasks of sentiment classification, natural language inference, and toxic comment, and also perform experimental comparisons on models and APIs in realistic scenarios. For example, in the Google Cloud commercial API adversarial attack experiment, compared to the existing hard-label method, our method reduces the average number of queries required for the attack from 6986 to 176, and increases semantic similarity from 0.844 to 0.876. It is shown through extensive experimental data that our approach not only significantly reduces the number of queries, but also significantly outperforms existing methods in terms of the quality of adversarial examples.

Published

2023

3. Improved functionality of Ligilactobacillus salivarius Li01 in alleviating colonic inflammation by layer-by-layer microencapsulation

Author

Mingfei Yao, Yanmeng Lu, Ting Zhang, Jiaojiao Xie, Shengyi Han, Shuobo Zhang, Yiqiu Fei, Zongxin Ling, Jingjing Wu, Yue Hu, Shouling Ji, Hao Chen, Björn Berglund, and Lanjuan Li

Subjects

Microbial ecology, QR100-130

Abstract

Abstract The low viability during gastrointestinal transit and poor mucoadhesion considerably limits the effectiveness of Ligilactobacillus salivarius Li01 (Li01) in regulating gut microbiota and alleviating inflammatory bowel disease (IBD). In this study, a delivery system was designed through layer-by-layer (LbL) encapsulating a single Li01cell with chitosan and alginate. The layers were strengthened by cross-linking to form a firm and mucoadhesive shell (~10 nm thickness) covering the bacterial cell. The LbL Li01 displayed improved viability under simulated gastrointestinal conditions and mucoadhesive function. Almost no cells could be detected among the free Li01 after 2 h incubation in digestive fluids, while for LbL Li01, the total reduction was around 3 log CFU/mL and the viable number of cells remained above 6 log CFU/mL. Besides, a 5-fold increase in the value of rupture length and a two-fold increase in the number of peaks were found in the (bacteria-mucin) adhesion curves of LbL Li01, compared to those of free Li01. Oral administration with LbL Li01 on colitis mice facilitated intestinal barrier recovery and restoration of the gut microbiota. The improved functionality of Li01 by LbL encapsulation could increase the potential for the probiotic to be used in clinical applications to treat IBD; this should be explored in future studies.

Published

2021

4. Adversarial examples detection through the sensitivity in space mappings

Author

Xurong Li, Shouling Ji, Juntao Ji, Zhenyu Ren, Chunming Wu, Bo Li, and Ting Wang

Subjects

AE detection, feature space, feature mapping, machine learning, adversarial examples detection, space mappings, Computer applications to medicine. Medical informatics, R858-859.7, Computer software, QA76.75-76.765

Abstract

Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine‐learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false‐positive rate (

Published

2020

5. Text-Based Price Recommendation System for Online Rental Houses

Author

Lujia Shen, Qianjun Liu, Gong Chen, and Shouling Ji

Subjects

price recommendation, natural language processing, sentence embedding, long short-term memory (lstm), mean shift, Electronic computers. Computer science, QA75.5-76.95

Abstract

Online short-term rental platforms, such as Airbnb, have been becoming popular, and a better pricing strategy is imperative for hosts of new listings. In this paper, we analyzed the relationship between the description of each listing and its price, and proposed a text-based price recommendation system called TAPE to recommend a reasonable price for newly added listings. We used deep learning techniques (e.g., feedforward network, long short-term memory, and mean shift) to design and implement TAPE. Using two chronologically extracted datasets of the same four cities, we revealed important factors (e.g., indoor equipment and high-density area) that positively or negatively affect each property’s price, and evaluated our preliminary and enhanced models. Our models achieved a Root-Mean-Square Error (RMSE) of 33.73 in Boston, 20.50 in London, 34.68 in Los Angeles, and 26.31 in New York City, which are comparable to an existing model that uses more features.

Published

2020

6. Spreading Social Influence with both Positive and Negative Opinions in Online Networks

Author

Jing (Selena) He, Meng Han, Shouling Ji, Tianyu Du, and Zhao Li

Subjects

influence spread, social networks, positive influential node set, greedy algorithm, positive and negative influences, Electronic computers. Computer science, QA75.5-76.95

Abstract

Social networks are important media for spreading information, ideas, and influence among individuals. Most existing research focuses on understanding the characteristics of social networks, investigating how information is spread through the "word-of-mouth" effect of social networks, or exploring social influences among individuals and groups. However, most studies ignore negative influences among individuals and groups. Motivated by the goal of alleviating social problems, such as drinking, smoking, and gambling, and influence-spreading problems, such as promoting new products, we consider positive and negative influences, and propose a new optimization problem called the Minimum-sized Positive Influential Node Set (MPINS) selection problem to identify the minimum set of influential nodes such that every node in the network can be positively influenced by these selected nodes with no less than a threshold of θ. Our contributions are threefold. First, we prove that, under the independent cascade model considering positive and negative influences, MPINS is APX-hard. Subsequently, we present a greedy approximation algorithm to address the MPINS selection problem. Finally, to validate the proposed greedy algorithm, we conduct extensive simulations and experiments on random graphs and seven different real-world data sets that represent small-, medium-, and large-scale networks.

Published

2019

7. Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

Author

Haiqin Weng, Binbin Zhao, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, and Raheem Beyah

Subjects

image captchas, captcha security, captcha-solving service, underground market, Electronic computers. Computer science, QA75.5-76.95

Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.

Published

2019

8. One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware

Author

Binbin Zhao, Shouling Ji, Jiacheng Xu, Yuan Tian, Qiuyang Wei, Qinying Wang, Chenyang Lyu, Xuhong Zhang, Changting Lin, Jingzheng Wu, and Raheem Beyah

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Electrical and Electronic Engineering, Cryptography and Security (cs.CR)

Abstract

Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the security risks raised by TPCs on $34,136$ firmware images. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security risks in firmware and discovers some well-known vulnerabilities are still rooted in firmware. Besides, we explore the geographical distribution of vulnerable devices and confirm that the security situation of devices in different regions varies. Our analysis also indicates that vulnerabilities caused by TPCs in firmware keep growing with the boom of the IoT ecosystem. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Published

2023

9. V-Fuzz: Vulnerability Prediction-Assisted Evolutionary Fuzzing for Binary Programs

Author

Chunming Wu, Yuwei Li, Jianhai Chen, Shouling Ji, Yuan Chen, Raheem Beyah, Qinchen Gu, and Chenyang Lyu

Subjects

Computer science, Common Vulnerabilities and Exposures, Code coverage, Binary number, 02 engineering and technology, Machine learning, computer.software_genre, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Vulnerability prediction, Fraction (mathematics), Electrical and Electronic Engineering, business.industry, 020207 software engineering, Fuzz testing, Computer Science Applications, Human-Computer Interaction, Control and Systems Engineering, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Artificial intelligence, business, computer, Algorithms, Software, Information Systems

Abstract

Fuzzing is a technique of finding bugs by executing a target program recurrently with a large number of abnormal inputs. Most of the coverage-based fuzzers consider all parts of a program equally and pay too much attention to how to improve the code coverage. It is inefficient as the vulnerable code only takes a tiny fraction of the entire code. In this article, we design and implement an evolutionary fuzzing framework called V-Fuzz, which aims to find bugs efficiently and quickly in limited time for binary programs. V-Fuzz consists of two main components: 1) a vulnerability prediction model and 2) a vulnerability-oriented evolutionary fuzzer. Given a binary program to V-Fuzz, the vulnerability prediction model will give a prior estimation on which parts of a program are more likely to be vulnerable. Then, the fuzzer leverages an evolutionary algorithm to generate inputs which are more likely to arrive at the vulnerable locations, guided by the vulnerability prediction result. The experimental results demonstrate that V-Fuzz can find bugs efficiently with the assistance of vulnerability prediction. Moreover, V-Fuzz has discovered ten common vulnerabilities and exposures (CVEs), and three of them are newly discovered.

Published

2022

10. Exploiting Heterogeneous Graph Neural Networks with Latent Worker/Task Correlation Information for Label Aggregation in Crowdsourcing

Author

Lingfei Wu, Hanlu Wu, Shouling Ji, Fangli Xu, and Tengfei Ma

Subjects

General Computer Science, Exploit, Computer science, business.industry, Construct (python library), Machine learning, computer.software_genre, Crowdsourcing, Correlation, Task (computing), ComputingMethodologies_PATTERNRECOGNITION, Graph (abstract data type), Artificial intelligence, Noise (video), Layer (object-oriented design), business, computer

Abstract

Crowdsourcing has attracted much attention for its convenience to collect labels from non-expert workers instead of experts. However, due to the high level of noise from the non-experts, a label aggregation model that infers the true label from noisy crowdsourced labels is required. In this article, we propose a novel framework based on graph neural networks for aggregating crowd labels. We construct a heterogeneous graph between workers and tasks and derive a new graph neural network to learn the representations of nodes and the true labels. Besides, we exploit the unknown latent interaction between the same type of nodes (workers or tasks) by adding a homogeneous attention layer in the graph neural networks. Experimental results on 13 real-world datasets show superior performance over state-of-the-art models.

Published

2021

11. ACT-Detector: Adaptive channel transformation-based light-weighted detector for adversarial attacks

Author

Haibin Zheng, Shangguan Wenchang, Shouling Ji, Liu Liangying, and Jinyin Chen

Subjects

Information Systems and Management, Computer science, 02 engineering and technology, Theoretical Computer Science, Adversarial system, Immune system, Artificial Intelligence, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, Cuckoo search, Vulnerability (computing), business.industry, 05 social sciences, Detector, 050301 education, Pattern recognition, Computer Science Applications, Transformation (function), Control and Systems Engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, 0503 education, Software, MNIST database, Communication channel

Abstract

With the extensive application of deep neural networks (DNNs) in computer vision tasks, the vulnerability of such systems to carefully crafted adversarial examples has attracted increasing attention. Although various adversarial defense methods have been proposed to improve the robustness of DNNs, the detection of adversarial examples remains challenging. Previous studies have demonstrated that adversarial examples are sensitive to channel transformation operations, such as rotate and resize, whereas clean examples are immune to them. The detection efficiency heavily relies on the numbers and types of transformation operations. Thus, we propose an adaptive channel transformation-based light-weighted detector known as the ACT-Detector, which selects approximately optimal channel transformation types and the minimal channel transformation number through a cuckoo search. The ACT-Detector can not only detect adversarial and clean examples but can also identify the type of attack, such as white-box and black-box attacks. Comprehensive experiments were performed on the MNIST, CIFAR10, and ImageNet datasets to verify the detection efficiency of the ACT-Detector. The ACT-Detector outperformed a detector containing 45 channel transformations, using only five channel transformations to achieve 99.05% and 98.8% detection rates on the MNIST and CIFAR10 datasets, respectively. This is because the ACT-Detector could select channels with different features, whereas the features in the 45 channels were redundant. By reducing the channel number, the total time required for the ACT-Detector to detect one example was approximately one-quarter that required for the detector with 45 channels during testing. Thus, the proposed detector is proven to be effective and efficient, which is valuable for the detection of adversarial examples.

Published

2021

12. Improved functionality of Ligilactobacillus salivarius Li01 in alleviating colonic inflammation by layer-by-layer microencapsulation

Author

Jingjing Wu, Yanmeng Lu, Jiaojiao Xie, Mingfei Yao, Shouling Ji, Björn Berglund, Shengyi Han, Shuobo Zhang, Yue Hu, Hao Chen, Lanjuan Li, Ting Zhang, Zongxin Ling, and Yiqiu Fei

Subjects

0301 basic medicine, 02 engineering and technology, Pharmacology, Gut flora, Applied Microbiology and Biotechnology, Microbiology, Inflammatory bowel disease, Bacterial Adhesion, Article, law.invention, Cell Line, Chitosan, Applied microbiology, Microbial ecology, 03 medical and health sciences, chemistry.chemical_compound, Probiotic, Mice, law, Oral administration, medicine, Mucoadhesion, Animals, Humans, Colitis, Bacteriological Techniques, Microbial Viability, biology, Probiotics, QR100-130, Immunology in the medical area, Adhesion, 021001 nanoscience & nanotechnology, medicine.disease, biology.organism_classification, Inflammatory Bowel Diseases, Disease Models, Animal, Lactobacillus, 030104 developmental biology, chemistry, Immunologi inom det medicinska området, Cytokines, Disease Susceptibility, Microbiome, Inflammation Mediators, 0210 nano-technology, Biomarkers, Biotechnology

Abstract

The low viability during gastrointestinal transit and poor mucoadhesion considerably limits the effectiveness of Ligilactobacillus salivarius Li01 (Li01) in regulating gut microbiota and alleviating inflammatory bowel disease (IBD). In this study, a delivery system was designed through layer-by-layer (LbL) encapsulating a single Li01cell with chitosan and alginate. The layers were strengthened by cross-linking to form a firm and mucoadhesive shell (similar to 10 nm thickness) covering the bacterial cell. The LbL Li01 displayed improved viability under simulated gastrointestinal conditions and mucoadhesive function. Almost no cells could be detected among the free Li01 after 2 h incubation in digestive fluids, while for LbL Li01, the total reduction was around 3 log CFU/mL and the viable number of cells remained above 6 log CFU/mL. Besides, a 5-fold increase in the value of rupture length and a two-fold increase in the number of peaks were found in the (bacteria-mucin) adhesion curves of LbL Li01, compared to those of free Li01. Oral administration with LbL Li01 on colitis mice facilitated intestinal barrier recovery and restoration of the gut microbiota. The improved functionality of Li01 by LbL encapsulation could increase the potential for the probiotic to be used in clinical applications to treat IBD; this should be explored in future studies. Funding Agencies|National Key Research and Development Program of China [2018YFC2000500]; National Natural Science Foundation of ChinaNational Natural Science Foundation of China (NSFC) [32001683]; Beijing Advanced Innovation Center for Food Nutrition and Human Health; National Science Foundation of ChinaNational Natural Science Foundation of China (NSFC) [81790631]

Published

2021

13. Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings

Author

Yuhao Mao, Chong Fu, Saizhuo Wang, Shouling Ji, Xuhong Zhang, Zhenguang Liu, Jun Zhou, Alex X. Liu, Raheem Beyah, and Ting Wang

Subjects

Computer Science - Computers and Society, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition

Abstract

One intriguing property of adversarial attacks is their "transferability" -- an adversarial example crafted with respect to one deep neural network (DNN) model is often found effective against other DNNs as well. Intensive research has been conducted on this phenomenon under simplistic controlled conditions. Yet, thus far, there is still a lack of comprehensive understanding about transferability-based attacks ("transfer attacks") in real-world environments. To bridge this critical gap, we conduct the first large-scale systematic empirical study of transfer attacks against major cloud-based MLaaS platforms, taking the components of a real transfer attack into account. The study leads to a number of interesting findings which are inconsistent to the existing ones, including: (1) Simple surrogates do not necessarily improve real transfer attacks. (2) No dominant surrogate architecture is found in real transfer attacks. (3) It is the gap between posterior (output of the softmax layer) rather than the gap between logit (so-called $\kappa$ value) that increases transferability. Moreover, by comparing with prior works, we demonstrate that transfer attacks possess many previously unknown properties in real-world environments, such as (1) Model similarity is not a well-defined concept. (2) $L_2$ norm of perturbation can generate high transferability without usage of gradient and is a more powerful source than $L_\infty$ norm. We believe this work sheds light on the vulnerabilities of popular MLaaS platforms and points to a few promising research directions., Comment: Accepted to IEEE Security & Privacy 2022

Published

2022

14. Text-based price recommendation system for online rental houses

Author

Shouling Ji, Gong Chen, Qianjun Liu, and Lujia Shen

Subjects

Mean squared error, Database, Computer Networks and Communications, Property (programming), Computer science, business.industry, Deep learning, Feed forward, Listing (computer), Recommender system, computer.software_genre, Computer Science Applications, Renting, Artificial Intelligence, Mean-shift, Artificial intelligence, business, computer, Information Systems

Abstract

Online short-term rental platforms, such as Airbnb, have been becoming popular, and a better pricing strategy is imperative for hosts of new listings. In this paper, we analyzed the relationship between the description of each listing and its price, and proposed a text-based price recommendation system called TAPE to recommend a reasonable price for newly added listings. We used deep learning techniques (e.g., feedforward network, long short-term memory, and mean shift) to design and implement TAPE. Using two chronologically extracted datasets of the same four cities, we revealed important factors (e.g., indoor equipment and high-density area) that positively or negatively affect each property's price, and evaluated our preliminary and enhanced models. Our models achieved a Root-Mean-Square Error (RMSE) of 33.73 in Boston, 20.50 in London, 34.68 in Los Angeles, and 26.31 in New York City, which are comparable to an existing model that uses more features.

Published

2020

15. GA-Par: Dependable Microservice Orchestration Framework for Geo-Distributed Clouds

Author

Zhenyu Wen, Renyu Yang, Shouling Ji, Tao Lin, Rajiv Ranjan, Alexander Romanovsky, Changting Lin, and Jie Xu

Subjects

020203 distributed computing, Service (systems architecture), algorithm, business.industry, Computer science, Quality of service, Distributed computing, Cloud computing, 02 engineering and technology, Microservices, placement, dependability, microservice, Computational Theory and Mathematics, Hardware and Architecture, Signal Processing, Container (abstract data type), 0202 electrical engineering, electronic engineering, information engineering, Dependability, service orchestration, Orchestration (computing), business

Abstract

Recent advances in composing Cloud applications have been driven by deployments of inter-networking heterogeneous microservices across multiple Cloud datacenters. System dependability has been of the upmost importance and criticality to both service vendors and customers. Security, a measurable attribute, is increasingly regarded as the representative example of dependability. Literally, with the increment of microservice types and dynamicity, applications are exposed to aggravated internal security threats and externally environmental uncertainties. Existing work mainly focuses on the QoS-aware composition of native VM-based Cloud application components, while ignoring uncertainties and security risks among interactive and interdependent container-based microservices. Still, orchestrating a set of microservices across datacenters under those constraints remains computationally intractable. This paper describes a new dependable microservice orchestration framework GA-Par to effectively select and deploy microservices whilst reducing the discrepancy between user security requirements and actual service provision. We adopt a hybrid (both whitebox and blackbox based) approach to measure the satisfaction of security requirement and the environmental impact of network QoS on system dependability. Due to the exponential grow of solution space, we develop a parallel Genetic Algorithm framework based on Spark to accelerate the operations for calculating the optimal or near-optimal solution. Large-scale real world datasets are utilized to validate models and orchestration approach. Experiments show that our solution outperforms the greedy-based security aware method with 42.34 percent improvement. GA-Par is roughly 4× faster than a Hadoop-based genetic algorithm solver and the effectiveness can be constantly guaranteed under different application scales.

Published

2020

16. EfficientTDNN: Efficient Architecture Search for Speaker Recognition

Author

Rui Wang, Zhihua Wei, Haoran Duan, Shouling Ji, Yang Long, and Zhen Hong

Subjects

FOS: Computer and information sciences, Computational Mathematics, Artificial Intelligence (cs.AI), Acoustics and Ultrasonics, Audio and Speech Processing (eess.AS), Computer Science - Artificial Intelligence, FOS: Electrical engineering, electronic engineering, information engineering, Computer Science (miscellaneous), Electrical and Electronic Engineering, Electrical Engineering and Systems Science - Audio and Speech Processing

Abstract

Convolutional neural networks (CNNs), such as the time-delay neural network (TDNN), have shown their remarkable capability in learning speaker embedding. However, they meanwhile bring a huge computational cost in storage size, processing, and memory. Discovering the specialized CNN that meets a specific constraint requires a substantial effort of human experts. Compared with hand-designed approaches, neural architecture search (NAS) appears as a practical technique in automating the manual architecture design process and has attracted increasing interest in spoken language processing tasks such as speaker recognition. In this paper, we propose EfficientTDNN, an efficient architecture search framework consisting of a TDNN-based supernet and a TDNN-NAS algorithm. The proposed supernet introduces temporal convolution of different ranges of the receptive field and feature aggregation of various resolutions from different layers to TDNN. On top of it, the TDNN-NAS algorithm quickly searches for the desired TDNN architecture via weight-sharing subnets, which surprisingly reduces computation while handling the vast number of devices with various resources requirements. Experimental results on the VoxCeleb dataset show the proposed EfficientTDNN enables approximate $10^{13}$ architectures concerning depth, kernel, and width. Considering different computation constraints, it achieves a 2.20% equal error rate (EER) with 204M multiply-accumulate operations (MACs), 1.41% EER with 571M MACs as well as 0.94% EER with 1.45G MACs. Comprehensive investigations suggest that the trained supernet generalizes subnets not sampled during training and obtains a favorable trade-off between accuracy and efficiency., 13 pages, 12 figures, accepted to TASLP

Published

2022

17. Copy, Right? A Testing Framework for Copyright Protection of Deep Learning Models

Author

Jialuo Chen, Jingyi Wang, Tinglan Peng, Youcheng Sun, Peng Cheng, Shouling Ji, Xingjun Ma, Bo Li, and Dawn Song

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Cryptography and Security (cs.CR)

Abstract

Deep learning (DL) models, especially those large-scale and high-performance ones, can be very costly to train, demanding a great amount of data and computational resources. Unauthorized reproduction of DL models can lead to copyright infringement and cause huge economic losses to model owners. Existing copyright protection techniques are mostly based on watermarking, which embeds an owner-specified watermark into the model. While being able to provide exact ownership verification, these techniques are 1) invasive, as they need to tamper with the training process, which may affect the utility or introduce new security risks; 2) prone to adaptive attacks that attempt to remove the watermark; and 3) not robust to the emerging model extraction attacks. Latest fingerprinting work, though being non-invasive, also falls short when facing the diverse and ever-growing attack scenarios. In this paper, we propose a novel testing framework for DL copyright protection: DEEPJUDGE. DEEPJUDGE quantitatively tests the similarities between two DL models: a victim model and a suspect model. It leverages a diverse set of testing metrics and test case generation methods to produce a chain of supporting evidence to help determine whether a suspect model is a copy of the victim model. Advantages of DEEPJUDGE include: 1) non-invasive, as it works directly on the model and does not tamper with the training process; 2) efficient, as it only needs a small set of test cases and a quick scan of models; 3) flexible, as it can easily incorporate new metrics or generation methods to obtain more confident judgement; and 4) fairly robust to model extraction and adaptive attacks. We verify the effectiveness of DEEPJUDGE under typical copyright infringement scenarios, including model finetuning, pruning and extraction, via extensive experiments on both image and speech datasets with a variety of model architectures.

Published

2021

18. Backdoor Pre-trained Models Can Transfer to All

Author

Chengfang Fang, Lujia Shen, Xuhong Zhang, Jie Shi, Jianwei Yin, Jing Chen, Jinfeng Li, Ting Wang, and Shouling Ji

Subjects

FOS: Computer and information sciences, Online model, Computer Science - Machine Learning, Class (computer programming), Computer Science - Computation and Language, Computer Science - Cryptography and Security, business.industry, Computer science, Machine learning, computer.software_genre, Security token, Machine Learning (cs.LG), Task (computing), Named-entity recognition, Component (UML), Artificial intelligence, Language model, business, Computation and Language (cs.CL), Cryptography and Security (cs.CR), computer, Backdoor

Abstract

Pre-trained general-purpose language models have been a dominating component in enabling real-world natural language processing (NLP) applications. However, a pre-trained model with backdoor can be a severe threat to the applications. Most existing backdoor attacks in NLP are conducted in the fine-tuning phase by introducing malicious triggers in the targeted class, thus relying greatly on the prior knowledge of the fine-tuning task. In this paper, we propose a new approach to map the inputs containing triggers directly to a predefined output representation of the pre-trained NLP models, e.g., a predefined output representation for the classification token in BERT, instead of a target label. It can thus introduce backdoor to a wide range of downstream tasks without any prior knowledge. Additionally, in light of the unique properties of triggers in NLP, we propose two new metrics to measure the performance of backdoor attacks in terms of both effectiveness and stealthiness. Our experiments with various types of triggers show that our method is widely applicable to different fine-tuning tasks (classification and named entity recognition) and to different models (such as BERT, XLNet, BART), which poses a severe threat. Furthermore, by collaborating with the popular online model repository Hugging Face, the threat brought by our method has been confirmed. Finally, we analyze the factors that may affect the attack performance and share insights on the causes of the success of our backdoor attack.

Published

2021

19. AHEAD: Adaptive Hierarchical Decomposition for Range Query under Local Differential Privacy

Author

Zhikun Zhang, Linkang Du, Shaojie Bai, Jiming Chen, Changchang Liu, Peng Cheng, and Shouling Ji

Subjects

FOS: Computer and information sciences, Structure (mathematical logic), Computer Science - Cryptography and Security, Series (mathematics), Range query (data structures), Computer science, computer.software_genre, Hierarchical decomposition, Tree structure, Differential privacy, Data mining, Noise (video), Cryptography and Security (cs.CR), Protocol (object-oriented programming), computer

Abstract

For protecting users' private data, local differential privacy (LDP) has been leveraged to provide the privacy-preserving range query, thus supporting further statistical analysis. However, existing LDP-based range query approaches are limited by their properties, i.e., collecting user data according to a pre-defined structure. These static frameworks would incur excessive noise added to the aggregated data especially in the low privacy budget setting. In this work, we propose an Adaptive Hierarchical Decomposition (AHEAD) protocol, which adaptively and dynamically controls the built tree structure, so that the injected noise is well controlled for maintaining high utility. Furthermore, we derive a guideline for properly choosing parameters for AHEAD so that the overall utility can be consistently competitive while rigorously satisfying LDP. Leveraging multiple real and synthetic datasets, we extensively show the effectiveness of AHEAD in both low and high dimensional range query scenarios, as well as its advantages over the state-of-the-art methods. In addition, we provide a series of useful observations for deploying AHEAD in practice., To Appear in the ACM Conference on Computer and Communications Security (CCS) 2021

Published

2021

20. On the Security Risks of AutoML

Author

Pang, Ren, Zhaohan Xi, Shouling Ji, Xiapu Luo, and Wang, Ting

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Machine Learning (cs.LG)

Abstract

Neural Architecture Search (NAS) represents an emerging machine learning (ML) paradigm that automatically searches for models tailored to given tasks, which greatly simplifies the development of ML systems and propels the trend of ML democratization. Yet, little is known about the potential security risks incurred by NAS, which is concerning given the increasing use of NAS-generated models in critical domains. This work represents a solid initial step towards bridging the gap. Through an extensive empirical study of 10 popular NAS methods, we show that compared with their manually designed counterparts, NAS-generated models tend to suffer greater vulnerability to various malicious attacks (e.g., adversarial evasion, model poisoning, and functionality stealing). Further, with both empirical and analytical evidence, we provide possible explanations for such phenomena: given the prohibitive search space and training cost, most NAS methods favor models that converge fast at early training stages; this preference results in architectural properties associated with attack vulnerability (e.g., high loss smoothness and low gradient variance). Our findings not only reveal the relationships between model characteristics and attack vulnerability but also suggest the inherent connections underlying different attacks. Finally, we discuss potential remedies to mitigate such drawbacks, including increasing cell depth and suppressing skip connects, which lead to several promising research directions., Comment: Accepted as a full paper at USENIX Security '22

Published

2021

21. Fine-Grained Fashion Similarity Prediction by Attribute-Specific Embedding Learning

Author

Zhe Ma, Jianfeng Dong, Shouling Ji, Xiaofeng Mao, Richang Hong, Yuan He, and Xun Yang

Subjects

FOS: Computer and information sciences, Theoretical computer science, Channel (digital image), Computer science, business.industry, Computer Vision and Pattern Recognition (cs.CV), Deep learning, Feature extraction, Perspective (graphical), Computer Science - Computer Vision and Pattern Recognition, Computer Graphics and Computer-Aided Design, Image (mathematics), Computer Science - Information Retrieval, Similarity (network science), Code (cryptography), Embedding, Artificial intelligence, business, Information Retrieval (cs.IR), Software

Abstract

This paper strives to predict fine-grained fashion similarity. In this similarity paradigm, one should pay more attention to the similarity in terms of a specific design/attribute between fashion items. For example, whether the collar designs of the two clothes are similar. It has potential value in many fashion related applications, such as fashion copyright protection. To this end, we propose an Attribute-Specific Embedding Network (ASEN) to jointly learn multiple attribute-specific embeddings, thus measure the fine-grained similarity in the corresponding space. The proposed ASEN is comprised of a global branch and a local branch. The global branch takes the whole image as input to extract features from a global perspective, while the local branch takes as input the zoomed-in region-of-interest (RoI) w.r.t. the specified attribute thus able to extract more fine-grained features. As the global branch and the local branch extract the features from different perspectives, they are complementary to each other. Additionally, in each branch, two attention modules, i.e., Attribute-aware Spatial Attention and Attribute-aware Channel Attention, are integrated to make ASEN be able to locate the related regions and capture the essential patterns under the guidance of the specified attribute, thus make the learned attribute-specific embeddings better reflect the fine-grained similarity. Extensive experiments on three fashion-related datasets, i.e., FashionAI, DARN, and DeepFashion, show the effectiveness of ASEN for fine-grained fashion similarity prediction and its potential for fashion reranking. Code and data are available at https://github.com/maryeon/asenpp ., Conference paper: arXiv:2002.02814

Published

2021

22. Multilevel Graph Matching Networks for Deep Graph Similarity Learning

Author

Shouling Ji, Chunming Wu, Fangli Xu, Xiang Ling, Tengfei Ma, Saizhuo Wang, Alex X. Liu, and Lingfei Wu

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Theoretical computer science, Matching (graph theory), Computer Science - Artificial Intelligence, Computer Networks and Communications, Computer science, Node (networking), Machine Learning (stat.ML), Graph similarity, Regression, Computer Science Applications, Machine Learning (cs.LG), Set (abstract data type), Task (computing), Artificial Intelligence (cs.AI), Statistics - Machine Learning, Artificial Intelligence, Robustness (computer science), Benchmark (computing), Software, MathematicsofComputing_DISCRETEMATHEMATICS

Abstract

While the celebrated graph neural networks yield effective representations for individual nodes of a graph, there has been relatively less success in extending to the task of graph similarity learning. Recent work on graph similarity learning has considered either global-level graph-graph interactions or low-level node-node interactions, however ignoring the rich cross-level interactions (e.g., between each node of one graph and the other whole graph). In this paper, we propose a multi-level graph matching network (MGMN) framework for computing the graph similarity between any pair of graph-structured objects in an end-to-end fashion. In particular, the proposed MGMN consists of a node-graph matching network for effectively learning cross-level interactions between each node of one graph and the other whole graph, and a siamese graph neural network to learn global-level interactions between two input graphs. Furthermore, to compensate for the lack of standard benchmark datasets, we have created and collected a set of datasets for both the graph-graph classification and graph-graph regression tasks with different sizes in order to evaluate the effectiveness and robustness of our models. Comprehensive experiments demonstrate that MGMN consistently outperforms state-of-the-art baseline models on both the graph-graph classification and graph-graph regression tasks. Compared with previous work, MGMN also exhibits stronger robustness as the sizes of the two input graphs increase., Comment: Accepted by IEEE Transactions on Neural Networks and Learning Systems (IEEE TNNLS)

Published

2021

23. Smart Contract Vulnerability Detection: From Pure Neural Network to Interpretable Graph Feature and Expert Pattern Fusion

Author

Qinming He, Shouling Ji, Peng Qian, Lei Zhu, Zhenguang Liu, and Xiang Wang

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Programming Languages, Source code, Artificial neural network, Smart contract, Computer science, business.industry, Deep learning, media_common.quotation_subject, Machine learning, computer.software_genre, Machine Learning (cs.LG), Scalability, Code (cryptography), Feature (machine learning), Graph (abstract data type), Artificial intelligence, business, computer, Programming Languages (cs.PL), media_common

Abstract

Smart contracts hold digital coins worth billions of dollars, their security issues have drawn extensive attention in the past years. Towards smart contract vulnerability detection, conventional methods heavily rely on fixed expert rules, leading to low accuracy and poor scalability. Recent deep learning approaches alleviate this issue but fail to encode useful expert knowledge. In this paper, we explore combining deep learning with expert patterns in an explainable fashion. Specifically, we develop automatic tools to extract expert patterns from the source code. We then cast the code into a semantic graph to extract deep graph features. Thereafter, the global graph feature and local expert patterns are fused to cooperate and approach the final prediction, while yielding their interpretable weights. Experiments are conducted on all available smart contracts with source code in two platforms, Ethereum and VNT Chain. Empirically, our system significantly outperforms state-of-the-art methods. Our code is released., This paper has been accepted by IJCAI 2021

Published

2021

24. Attend to count: Crowd counting with adaptive capacity multi-scale CNNs

Author

Zhikang Zou, Pan Zhou, Xiaoxiao Guo, Yu Cheng, Xiaoye Qu, and Shouling Ji

Subjects

FOS: Computer and information sciences, 0209 industrial biotechnology, Adaptive capacity, business.industry, Computer science, Computer Vision and Pattern Recognition (cs.CV), Cognitive Neuroscience, Computer Science - Computer Vision and Pattern Recognition, Pattern recognition, 02 engineering and technology, Density estimation, Convolutional neural network, Computer Science Applications, 020901 industrial engineering & automation, Artificial Intelligence, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, Crowd counting

Abstract

Crowd counting is a challenging task due to the large variations in crowd distributions. Previous methods tend to tackle the whole image with a single fixed structure, which is unable to handle diverse complicated scenes with different crowd densities. Hence, we propose the Adaptive Capacity Multi-scale convolutional neural networks (ACM-CNN), a novel crowd counting approach which can assign different capacities to different portions of the input. The intuition is that the model should focus on important regions of the input image and optimize its capacity allocation conditioning on the crowd intensive degree. ACM-CNN consists of three types of modules: a coarse network, a fine network, and a smooth network. The coarse network is used to explore the areas that need to be focused via count attention mechanism, and generate a rough feature map. Then the fine network processes the areas of interest into a fine feature map. To alleviate the sense of division caused by fusion, the smooth network is designed to combine two feature maps organically to produce high-quality density maps. Extensive experiments are conducted on five mainstream datasets. The results demonstrate the effectiveness of the proposed model for both density estimation and crowd counting tasks., Comment: Accepted to Neurocomputing, code will be released soon

Published

2019

25. Privacy-Preserving Online Task Allocation in Edge-Computing-Enabled Massive Crowdsensing

Author

Hao Jiang, Li Yu, Dapeng Wu, Pan Zhou, Shouling Ji, and Wenbo Chen

Subjects

Computer Networks and Communications, business.industry, Computer science, Distributed computing, media_common.quotation_subject, 020206 networking & telecommunications, Regret, Cloud computing, 02 engineering and technology, Computer Science Applications, Scheduling (computing), Hardware and Architecture, Smart city, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, Task analysis, Differential privacy, 020201 artificial intelligence & image processing, Resource management, business, Edge computing, Information Systems, Reputation, media_common

Abstract

We propose a novel context-aware task allocation framework for mobile crowdsensing in the scenario of edge computing to enable the crowdsensing platform effectively and real-timely handle large-scale crowdsensing tasks in smart city. The task allocation performs in both cloud computing layer and edge computing layer. It aims to combine the merits of cloud and edge computing, i.e., diminishing communication latency while guaranteeing overall scheduling. The cloud layer evaluates the participants’ task-oriented reputation based on the participants’ background information, task context, and historical feedbacks (i.e., rewards) and sends the edge layer the most promising subset of participants. Then the edge layer communicates with the participants for the real-time information and makes optimization based on the task requirement (e.g., maximizing the sensing coverage under the constraint of the task budget). In the cloud layer, we propose a privacy-preserving and contextual online learning algorithm to manage the participants’ reputation. The algorithm can adapt the decision-making strategy based on previous performances of participants. In the edge layer, plenty of existing centralized task allocation strategies can be directly applied to optimize based on the participants’ real-time information. Theoretical analysis shows that our proposal achieves sublinear regret and differential privacy for both requesters and participants. Experiments results validate that our proposed algorithm supports increasing big dataset while striking a balance between the privacy-preserving level and the prediction accuracy.

Published

2019

26. An I/O Efficient Distributed Approximation Framework Using Cluster Sampling

Author

Jiangling Yin, Changjun Jiang, Xuhong Zhang, Xiaobo Zhou, Rui Wang, Shouling Ji, and Jun Wang

Subjects

020203 distributed computing, Uniform distribution (continuous), Speedup, Computer science, Probabilistic logic, Sampling (statistics), Sample (statistics), 02 engineering and technology, Computational Theory and Mathematics, Hardware and Architecture, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), Cluster sampling, Distributed File System, Algorithm

Abstract

In this paper, we present an I/O efficient distributed approximation framework to support approximations on arbitrary sub-datasets of a large dataset. Due to the prohibitive storage overhead of caching offline samples for each sub-dataset, existing offline sample-based systems provide high accuracy results for only a limited number of sub-datasets, such as the popular ones. On the other hand, current online sample-based approximation systems, which generate samples at runtime, do not take into account the uneven storage distribution of a sub-dataset. They work well for uniform distribution of a sub-dataset while suffer low I/O efficiency and poor estimation accuracy on unevenly distributed sub-datasets. To address the problem, we develop a distribution aware method called CLAP (cluster sampling based approximation). Our idea is to collect the occurrences of a sub-dataset at each logical partition of a dataset (storage distribution) in the distributed system, and make good use of such information to enable I/O efficient online sampling. There are three thrusts in CLAP. First, we develop a probabilistic map to reduce the exponential number of recorded sub-datasets to a linear one. Second, we apply the cluster sampling with unequal probability theory to implement a distribution-aware method for efficient online sampling for a single or multiple sub-datasets. Third, we enrich CLAP support with more complex approximations such as ratio and regression using bootstrap based estimation beyond the simple aggragation approxiamtions. Forth, we add an option in CLAP to allow users specifying a target error bound when submitting an approximation job. Fifth, we quantitatively derive the optimal sampling unit size in a distributed file system by associating it with approximation costs and accuracy. We have implemented CLAP into Hadoop as an example system and open sourced it on GitHub. Our comprehensive experimental results show that CLAP can achieve a speedup by up to 20× over the precise execution.

Published

2019

27. Spreading social influence with both positive and negative opinions in online networks

Author

Zhao Li, Jing He, Meng Han, Shouling Ji, and Tianyu Du

Subjects

Random graph, Theoretical computer science, Optimization problem, Computer Networks and Communications, Computer science, Node (networking), Social issues, Computer Science Applications, Artificial Intelligence, Greedy algorithm, Set (psychology), Selection (genetic algorithm), Information Systems, Social influence

Abstract

Spreading social influence with both positive and negative opinions in online networks Social networks are important media for spreading information, ideas, and influence among individuals. Most existing research focuses on understanding the characteristics of social networks, investigating how information is spread through the "word-of-mouth" effect of social networks, or exploring social influences among individuals and groups. However, most studies ignore negative influences among individuals and groups. Motivated by the goal of alleviating social problems, such as drinking, smoking, and gambling, and influence-spreading problems, such as promoting new products, we consider positive and negative influences, and propose a new optimization problem called the Minimum-sized Positive Influential Node Set (MPINS) selection problem to identify the minimum set of influential nodes such that every node in the network can be positively influenced by these selected nodes with no less than a threshold of θ. Our contributions are threefold. First, we prove that, under the independent cascade model considering positive and negative influences, MPINS is APX-hard. Subsequently, we present a greedy approximation algorithm to address the MPINS selection problem. Finally, to validate the proposed greedy algorithm, we conduct extensive simulations and experiments on random graphs and seven different realworld data sets that represent small-, medium-, and large-scale networks.

Published

2019

28. Towards understanding the security of modern image captchas and underground captcha-solving services

Author

Jianhai Chen, Ting Wang, Binbin Zhao, Haiqin Weng, Raheem Beyah, Qinming He, and Shouling Ji

Subjects

CAPTCHA, Computer Networks and Communications, business.industry, Computer science, Best practice, ComputingMilieux_PERSONALCOMPUTING, Design elements and principles, Computer security, computer.software_genre, Computer Science Applications, Image (mathematics), ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Artificial Intelligence, The Internet, business, computer, Information Systems

Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.

Published

2019

29. Deep Dual Consecutive Network for Human Pose Estimation

Author

Xun Wang, Feng Runyang, Shouling Ji, Shuang Wu, Haoming Chen, Bailin Yang, and Zhenguang Liu

Subjects

FOS: Computer and information sciences, Computer science, business.industry, Computer Vision and Pattern Recognition (cs.CV), Motion blur, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Computer Science - Computer Vision and Pattern Recognition, Context (language use), Modular design, Residual, Recurrent neural network, Benchmark (computing), Code (cryptography), Computer vision, Artificial intelligence, business, Pose

Abstract

Multi-frame human pose estimation in complicated situations is challenging. Although state-of-the-art human joints detectors have demonstrated remarkable results for static images, their performances come short when we apply these models to video sequences. Prevalent shortcomings include the failure to handle motion blur, video defocus, or pose occlusions, arising from the inability in capturing the temporal dependency among video frames. On the other hand, directly employing conventional recurrent neural networks incurs empirical difficulties in modeling spatial contexts, especially for dealing with pose occlusions. In this paper, we propose a novel multi-frame human pose estimation framework, leveraging abundant temporal cues between video frames to facilitate keypoint detection. Three modular components are designed in our framework. A Pose Temporal Merger encodes keypoint spatiotemporal context to generate effective searching scopes while a Pose Residual Fusion module computes weighted pose residuals in dual directions. These are then processed via our Pose Correction Network for efficient refining of pose estimations. Our method ranks No.1 in the Multi-frame Person Pose Estimation Challenge on the large-scale benchmark datasets PoseTrack2017 and PoseTrack2018. We have released our code, hoping to inspire future research., This paper is accepted by CVPR 2021

Published

2021

30. FineFool: A Novel DNN Object Contour Attack on Image Recognition based on the Attention Perturbation Adversarial Technique

Author

Haibin Zheng, Hui Xiong, Jinyin Chen, Tianyu Du, Zhen Hong, Chen Ruoxi, and Shouling Ji

Subjects

General Computer Science, Computer science, business.industry, Deep learning, Feature extraction, Perturbation (astronomy), 020206 networking & telecommunications, Pattern recognition, 02 engineering and technology, Object (computer science), Adversarial system, adversarial attack, deep learning, attention perturbation adversarial technique, perturbation visualization, targeted attack, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), 020201 artificial intelligence & image processing, Artificial intelligence, business, Law, Feature learning, MNIST database

Abstract

Deep neural networks (DNNs) have various applications owing to their feature learning ability. However, recent studies have shown that DNNs are vulnerable to adversarial examples. Currently, research on the generation of adversarial examples primarily focuses on improving the attack success rate (ASR) while reducing the perturbation size. By visualizing of heat maps, previous works have found that the feature extraction effect of DNNs is owing to the precise location of object contours and the provision of the correct attention to those areas. Therefore, the perturbations in adversarial examples will weaken the location of object contours in deep hidden layers and reduce the attention scope of the object area, which will lead to successful attacks. Inspired by this observation, we propose FineFool, a novel adversarial attack based on the attention perturbation adversarial technique, which includes channel-spatial attention and pixel-spatial attention. The former reduces the area of concern using DNNs while the latter achieves the error location of the object contours. By using the attention perturbation adversarial technique to target positions that are more vulnerable in legitimate examples, FineFool achieves a higher ASR with fewer perturbations compared with that of state-of-the-art adversarial attacks. Extensive experiments are carried out on MNIST, CIFAR10, and ImageNet datasets against six models. The results show that FineFool can achieve the best performance compared with the six baselines. More specifically, the mean ASR values of untargeted/targeted attack are 99.23% and 98.26% for FineFool on all datasets, respectively, which is the highest under white-box attack situations. The code of FineFool is open sourced at https://zenodo.org/record/4421611#.X .

Published

2021

31. Adversarial Attacks against Windows PE Malware Detection: A Survey of the State-of-the-Art

Author

Xiang Ling, Lingfei Wu, Jiangyu Zhang, Zhenqing Qu, Wei Deng, Xiang Chen, Yaguan Qian, Chunming Wu, Shouling Ji, Tianyue Luo, Jingzheng Wu, and Yanjun Wu

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Artificial Intelligence (cs.AI), General Computer Science, Computer Science - Artificial Intelligence, Law, Cryptography and Security (cs.CR)

Abstract

Malware has been one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against ever-increasing and ever-evolving malware, tremendous efforts have been made to propose a variety of malware detection that attempt to effectively and efficiently detect malware so as to mitigate possible damages as early as possible. Recent studies have shown that, on the one hand, existing ML and DL techniques enable superior solutions in detecting newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples. In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. Then, we conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. Finally, we conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. In addition, a curated resource list of adversarial attacks and defenses for Windows PE malware detection is also available at https://github.com/ryderling/adversarial-attacks-and-defenses-for-windows-pe-malware-detection., Comment: Accepted by ELSEVIER Computers & Security (COSE)

Published

2021

32. Hierarchical Similarity Learning for Language-based Product Image Retrieval

Author

Jianfeng Dong, Fenghao Liu, Zhe Ma, Yuan He, Xiaoye Qu, and Shouling Ji

Subjects

FOS: Computer and information sciences, Matching (graph theory), Computer science, business.industry, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, Pattern recognition, Computer Science - Information Retrieval, Multimedia (cs.MM), Task (computing), Similarity (network science), Product (mathematics), Code (cryptography), Task analysis, Artificial intelligence, business, Image retrieval, Similarity learning, Computer Science - Multimedia, Information Retrieval (cs.IR)

Abstract

This paper aims for the language-based product image retrieval task. The majority of previous works have made significant progress by designing network structure, similarity measurement, and loss function. However, they typically perform vision-text matching at certain granularity regardless of the intrinsic multiple granularities of images. In this paper, we focus on the cross-modal similarity measurement, and propose a novel Hierarchical Similarity Learning (HSL) network. HSL first learns multi-level representations of input data by stacked encoders, and object-granularity similarity and image-granularity similarity are computed at each level. All the similarities are combined as the final hierarchical cross-modal similarity. Experiments on a large-scale product retrieval dataset demonstrate the effectiveness of our proposed method. Code and data are available at https://github.com/liufh1/hsl., Comment: Accepted by ICASSP 2021. Code and data will be available at https://github.com/liufh1/hsl

Published

2021

33. A Double Closed-Loop Digital Hydraulic Cylinder Position System Based on Global Fast Terminal Sliding Mode Active Disturbance Rejection Control

Author

Shouling Jiang, Fuxian Huang, Wenfeng Liu, Yuwen Huang, and Ying Chen

Subjects

Double closed-loop digital hydraulic cylinder, nonlinear state space model, active disturbance rejection control, global fast terminal sliding mode variable structure control, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Due to the coupling of multiple nonlinear factors in the position control system of the double closed-loop digital hydraulic cylinder, achieving precise and stable control of complex nonlinear systems with a single structural controller is difficult. To address this problem, we propose a Global Fast Terminal Sliding Mode Active Disturbance Rejection Control (GFTSMADRC). Firstly, by focusing on the mathematical model of the current double closed-loop digital hydraulic cylinder, the high-order nonlinear state equation of the system is derived, and employing active disturbance rejection control (ADRC), the high-order nonlinear system is transformed into a second-order integral series control system. Secondly, we propose Sliding Mode Active Disturbance Rejection Control (SMADRC) by integrating sliding mode variable structure control. Thirdly, to further enhance system performance, we propose a GFTSMADRC strategy by incorporating global fast terminal sliding mode variable structure control. The control law and adaptive law of the system are derived based on the Lyapunov stability theorem. Specifically, the effectiveness of the proposed control method is validated through simulation and experimentation.

Published

2024

34. Deep Graph Matching and Searching for Semantic Code Retrieval

Author

Alex X. Liu, Gaoning Pan, Fangli Xu, Xiang Ling, Lingfei Wu, Shouling Ji, Chunming Wu, Tengfei Ma, and Saizhuo Wang

Subjects

FOS: Computer and information sciences, Source code, General Computer Science, Natural language user interface, Java, Computer science, Computer Science - Artificial Intelligence, media_common.quotation_subject, InformationSystems_INFORMATIONSTORAGEANDRETRIEVAL, 02 engineering and technology, computer.software_genre, Computer Science - Information Retrieval, Computer Science - Software Engineering, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), media_common, Semantic matching, computer.programming_language, Artificial neural network, business.industry, 020207 software engineering, Python (programming language), Software Engineering (cs.SE), Artificial Intelligence (cs.AI), 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Natural language, Natural language processing, Information Retrieval (cs.IR)

Abstract

Code retrieval is to find the code snippet from a large corpus of source code repositories that highly matches the query of natural language description. Recent work mainly uses natural language processing techniques to process both query texts (i.e., human natural language) and code snippets (i.e., machine programming language), however neglecting the deep structured features of query texts and source codes, both of which contain rich semantic information. In this paper, we propose an end-to-end deep graph matching and searching (DGMS) model based on graph neural networks for the task of semantic code retrieval. To this end, we first represent both natural language query texts and programming language code snippets with the unified graph-structured data, and then use the proposed graph matching and searching model to retrieve the best matching code snippet. In particular, DGMS not only captures more structural information for individual query texts or code snippets but also learns the fine-grained similarity between them by cross-attention based semantic matching operations. We evaluate the proposed DGMS model on two public code retrieval datasets with two representative programming languages (i.e., Java and Python). Experiment results demonstrate that DGMS significantly outperforms state-of-the-art baseline models by a large margin on both datasets. Moreover, our extensive ablation studies systematically investigate and illustrate the impact of each part of DGMS., Accepted by ACM Transactions on Knowledge Discovery from Data (ACM TKDD)

Published

2020

35. Trojaning Language Models for Fun and Profit

Author

Ting Wang, Xinyang Zhang, Shouling Ji, and Zheng Zhang

Subjects

FOS: Computer and information sciences, Flexibility (engineering), Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Computation and Language, business.industry, Computer science, media_common.quotation_subject, Adversary, Crowdsourcing, Machine Learning (cs.LG), Human–computer interaction, Paradigm shift, Question answering, Language model, business, Function (engineering), Cryptography and Security (cs.CR), Computation and Language (cs.CL), Natural language, media_common

Abstract

Recent years have witnessed the emergence of a new paradigm of building natural language processing (NLP) systems: general-purpose, pre-trained language models (LMs) are composed with simple downstream models and fine-tuned for a variety of NLP tasks. This paradigm shift significantly simplifies the system development cycles. However, as many LMs are provided by untrusted third parties, their lack of standardization or regulation entails profound security implications, which are largely unexplored. To bridge this gap, this work studies the security threats posed by malicious LMs to NLP systems. Specifically, we present TROJAN-LM, a new class of trojaning attacks in which maliciously crafted LMs trigger host NLP systems to malfunction in a highly predictable manner. By empirically studying three state-of-the-art LMs (BERT, GPT-2, XLNet) in a range of security-critical NLP tasks (toxic comment detection, question answering, text completion) as well as user studies on crowdsourcing platforms, we demonstrate that TROJAN-LM possesses the following properties: (i) flexibility - the adversary is able to flexibly dene logical combinations (e.g., 'and', 'or', 'xor') of arbitrary words as triggers, (ii) efficacy - the host systems misbehave as desired by the adversary with high probability when trigger-embedded inputs are present, (iii) specificity - the trojan LMs function indistinguishably from their benign counterparts on clean inputs, and (iv) fluency - the trigger-embedded inputs appear as fluent natural language and highly relevant to their surrounding contexts. We provide analytical justification for the practicality of TROJAN-LM, and further discuss potential countermeasures and their challenges, which lead to several promising research directions., Additional experiments and text editing; To appear in 2021 6th IEEE European Symposium on Security and Privacy

Published

2020

36. AdvMind: Inferring Adversary Intent of Black-Box Attacks

Author

Ren Pang, Ting Wang, Xiapu Luo, Shouling Ji, and Xinyang Zhang

Subjects

FOS: Computer and information sciences, Black box (phreaking), Class (computer programming), Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer science, Machine Learning (stat.ML), 02 engineering and technology, Adversary, Computer security, computer.software_genre, Machine Learning (cs.LG), Adversarial system, Statistics - Machine Learning, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Benchmark (computing), 020201 artificial intelligence & image processing, Deterrence theory, Cryptography and Security (cs.CR), computer

Abstract

Deep neural networks (DNNs) are inherently susceptible to adversarial attacks even under black-box settings, in which the adversary only has query access to the target models. In practice, while it may be possible to effectively detect such attacks (e.g., observing massive similar but non-identical queries), it is often challenging to exactly infer the adversary intent (e.g., the target class of the adversarial example the adversary attempts to craft) especially during early stages of the attacks, which is crucial for performing effective deterrence and remediation of the threats in many scenarios. In this paper, we present AdvMind, a new class of estimation models that infer the adversary intent of black-box adversarial attacks in a robust and prompt manner. Specifically, to achieve robust detection, AdvMind accounts for the adversary adaptiveness such that her attempt to conceal the target will significantly increase the attack cost (e.g., in terms of the number of queries); to achieve prompt detection, AdvMind proactively synthesizes plausible query results to solicit subsequent queries from the adversary that maximally expose her intent. Through extensive empirical evaluation on benchmark datasets and state-of-the-art black-box attacks, we demonstrate that on average AdvMind detects the adversary intent with over 75% accuracy after observing less than 3 query batches and meanwhile increases the cost of adaptive attacks by over 60%. We further discuss the possible synergy between AdvMind and other defense methods against black-box adversarial attacks, pointing to several promising research directions., Accepted as a full paper at KDD 2020

Published

2020

37. Privacy Risks of General-Purpose Language Models

Author

Mi Zhang, Shouling Ji, Min Yang, and Xudong Pan

Subjects

Information privacy, Plain text, Computer science, business.industry, 02 engineering and technology, computer.file_format, General-purpose language, 010501 environmental sciences, 01 natural sciences, Data science, Text mining, 0202 electrical engineering, electronic engineering, information engineering, Leverage (statistics), 020201 artificial intelligence & image processing, Language model, business, computer, 0105 earth and related environmental sciences

Abstract

Recently, a new paradigm of building general-purpose language models (e.g., Google’s Bert and OpenAI’s GPT-2) in Natural Language Processing (NLP) for text feature extraction, a standard procedure in NLP systems that converts texts to vectors (i.e., embeddings) for downstream modeling, has arisen and starts to find its application in various downstream NLP tasks and real world systems (e.g., Google’s search engine [6]). To obtain general-purpose text embeddings, these language models have highly complicated architectures with millions of learnable parameters and are usually pretrained on billions of sentences before being utilized. As is widely recognized, such a practice indeed improves the state-of-the-art performance of many downstream NLP tasks. However, the improved utility is not for free. We find the text embeddings from general-purpose language models would capture much sensitive information from the plain text. Once being accessed by the adversary, the embeddings can be reverse-engineered to disclose sensitive information of the victims for further harassment. Although such a privacy risk can impose a real threat to the future leverage of these promising NLP tools, there are neither published attacks nor systematic evaluations by far for the mainstream industry-level language models. To bridge this gap, we present the first systematic study on the privacy risks of 8 state-of-the-art language models with 4 diverse case studies. By constructing 2 novel attack classes, our study demonstrates the aforementioned privacy risks do exist and can impose practical threats to the application of general-purpose language models on sensitive data covering identity, genome, healthcare and location. For example, we show the adversary with nearly no prior knowledge can achieve about 75% accuracy when inferring the precise disease site from Bert embeddings of patients’ medical descriptions. As possible countermeasures, we propose 4 different defenses (via rounding, differential privacy, adversarial training and subspace projection) to obfuscate the unprotected embeddings for mitigation purpose. With extensive evaluations, we also provide a preliminary analysis on the utility-privacy trade-off brought by each defense, which we hope may foster future mitigation researches.

Published

2020

38. De-Health: All Your Online Health Information Are Belong to Us

Author

Ting Wang, Raheem Beyah, Qianjun Liu, Jing Chen, Pan Zhou, Haiqin Weng, Shouling Ji, Qinchen Gu, and Zhao Li

Subjects

020205 medical informatics, Computer science, business.industry, Internet privacy, 02 engineering and technology, Linkage (mechanical), law.invention, 03 medical and health sciences, Information sensitivity, 0302 clinical medicine, law, 0202 electrical engineering, electronic engineering, information engineering, 030212 general & internal medicine, Health information, business

Abstract

In this paper, we study the privacy of online health data. We present a novel online health data De-Anonymization (DA) framework, named De-Health. Leveraging two real world online health datasets WebMD and HealthBoards, we validate the DA efficacy of De-Health. We also present a linkage attack framework which can link online health/medical information to real world people. Through a proof-of-concept attack, we link 347 out of 2805 WebMD users to real world people, and find the full names, medical/health information, birthdates, phone numbers, and other sensitive information for most of the re-identified users. This clearly illustrates the fragility of the privacy of those who use online health forums.

Published

2020

39. Handitext: handwriting recognition based on dynamic characteristics with incremental LSTM

Author

Hongwei Zhu, Zhe Liu, Shouling Ji, Weizhi Meng, Liming Fang, Zehong Cao, Boqing Lv, Yu Yu, Fang, Liming, Zhu, Hongwei, Lv, Boqing, Liu, Zhe, Meng, Weizhi, Yu, Yu, Ji, Shouling, and Cao, Zehong

Subjects

Scheme (programming language), Password, Authentication, Biometrics, Computer science, business.industry, Reliability (computer networking), handwriting recognition based on dynamic characteristics with incremental LSTM [HandiText], 020206 networking & telecommunications, 02 engineering and technology, General Medicine, Machine learning, computer.software_genre, Handwriting, Handwriting recognition, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Word (computer architecture), computer.programming_language

Abstract

The Internet of Things (IoT) is a new manifestation of data science. To ensure the credibility of data about IoT devices, authentication has gradually become an important research topic in the IoT ecosystem. However, traditional graphical passwords and text passwords can cause user’s serious memory burdens. Therefore, a convenient method for determining user identity is needed. In this article, we propose a handwriting recognition authentication scheme named HandiText based on behavior and biometrics features. When people write a word by hand, HandiText captures their static biological features and dynamic behavior features during the writing process (writing speed, pressure, etc.). The features are related to habits, which make it difficult for attackers to imitate. We also carry out algorithms comparisons and experiments evaluation to prove the reliability of our scheme. The experiment results show that the Long Short-Term Memory has the best classification accuracy, reaching 99% while keeping relatively low false-positive rate and false-negative rate. We also test other datasets, the average accuracy of HandiText reach 98%, with strong generalization ability. Besides, the 324 users we investigated indicated that they are willing to use this scheme on IoT devices. Refereed/Peer-reviewed

Published

2020

40. Fine-Grained Fashion Similarity Learning by Attribute-Specific Embedding Network

Author

Yao Zhang, Zhongzi Long, Zhe Ma, Shouling Ji, Jianfeng Dong, Hui Xue, and Yuan He

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Theoretical computer science, Computer science, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, General Medicine, Space (commercial competition), Measure (mathematics), Machine Learning (cs.LG), Similarity (network science), Code (cryptography), Embedding, Similarity learning

Abstract

This paper strives to learn fine-grained fashion similarity. In this similarity paradigm, one should pay more attention to the similarity in terms of a specific design/attribute among fashion items, which has potential values in many fashion related applications such as fashion copyright protection. To this end, we propose an Attribute-Specific Embedding Network (ASEN) to jointly learn multiple attribute-specific embeddings in an end-to-end manner, thus measure the fine-grained similarity in the corresponding space. With two attention modules, i.e., Attribute-aware Spatial Attention and Attribute-aware Channel Attention, ASEN is able to locate the related regions and capture the essential patterns under the guidance of the specified attribute, thus make the learned attribute-specific embeddings better reflect the fine-grained similarity. Extensive experiments on four fashion-related datasets show the effectiveness of ASEN for fine-grained fashion similarity learning and its potential for fashion reranking., Comment: 16 pages, 13 figutes. Accepted by AAAI 2020. Code and data are available at https://github.com/Maryeon/asen

Published

2020

41. Unsupervised Reference-Free Summary Quality Evaluation via Contrastive Learning

Author

Hanlu Wu, Tengfei Ma, Tariro Manyumwa, Shouling Ji, and Lingfei Wu

Subjects

FOS: Computer and information sciences, Computer science, media_common.quotation_subject, 02 engineering and technology, 010501 environmental sciences, computer.software_genre, 01 natural sciences, Ranking (information retrieval), Task (project management), Factor (programming language), 0202 electrical engineering, electronic engineering, information engineering, Quality (business), 0105 earth and related environmental sciences, computer.programming_language, media_common, Computer Science - Computation and Language, business.industry, Automatic summarization, Ranking, Metric (mathematics), Unsupervised learning, 020201 artificial intelligence & image processing, Artificial intelligence, business, Construct (philosophy), computer, Computation and Language (cs.CL), Natural language processing

Abstract

Evaluation of a document summarization system has been a critical factor to impact the success of the summarization task. Previous approaches, such as ROUGE, mainly consider the informativeness of the assessed summary and require human-generated references for each test summary. In this work, we propose to evaluate the summary qualities without reference summaries by unsupervised contrastive learning. Specifically, we design a new metric which covers both linguistic qualities and semantic informativeness based on BERT. To learn the metric, for each summary, we construct different types of negative samples with respect to different aspects of the summary qualities, and train our model with a ranking loss. Experiments on Newsroom and CNN/Daily Mail demonstrate that our new evaluation method outperforms other metrics even without reference summaries. Furthermore, we show that our method is general and transferable across datasets., Comment: Long Paper in EMNLP 2020

Published

2020

42. A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models

Author

Xinyang Zhang, Ren Pang, Alex X. Liu, Xiapu Luo, Yevgeniy Vorobeychik, Hua Shen, Ting Wang, and Shouling Ji

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Exploit, Computer science, 0211 other engineering and technologies, Machine Learning (stat.ML), 02 engineering and technology, Computer security, computer.software_genre, Machine Learning (cs.LG), 030218 nuclear medicine & medical imaging, 03 medical and health sciences, Attack model, Adversarial system, 0302 clinical medicine, Statistics - Machine Learning, Backdoor, 021110 strategic, defence & security studies, Artificial neural network, business.industry, Deep learning, Adversary, Key (cryptography), Artificial intelligence, business, Cryptography and Security (cs.CR), computer

Abstract

Despite their tremendous success in a range of domains, deep learning systems are inherently susceptible to two types of manipulations: adversarial inputs -- maliciously crafted samples that deceive target deep neural network (DNN) models, and poisoned models -- adversely forged DNNs that misbehave on pre-defined inputs. While prior work has intensively studied the two attack vectors in parallel, there is still a lack of understanding about their fundamental connections: what are the dynamic interactions between the two attack vectors? what are the implications of such interactions for optimizing existing attacks? what are the potential countermeasures against the enhanced attacks? Answering these key questions is crucial for assessing and mitigating the holistic vulnerabilities of DNNs deployed in realistic settings. Here we take a solid step towards this goal by conducting the first systematic study of the two attack vectors within a unified framework. Specifically, (i) we develop a new attack model that jointly optimizes adversarial inputs and poisoned models; (ii) with both analytical and empirical evidence, we reveal that there exist intriguing "mutual reinforcement" effects between the two attack vectors -- leveraging one vector significantly amplifies the effectiveness of the other; (iii) we demonstrate that such effects enable a large design spectrum for the adversary to enhance the existing attacks that exploit both vectors (e.g., backdoor attacks), such as maximizing the attack evasiveness with respect to various detection methods; (iv) finally, we discuss potential countermeasures against such optimized attacks and their technical challenges, pointing to several promising research directions., Accepted as a full paper at ACM CCS 2020

Published

2019

43. VulSniper: Focus Your Attention to Shoot Fine-Grained Vulnerabilities

Author

Yanjun Wu, Duan Xu, Yang Mutian, Rui Zhiqing, Jingzheng Wu, Shouling Ji, and Luo Tianyue

Subjects

Focus (computing), Computer science, Computer security, computer.software_genre, computer

Abstract

With the explosive development of information technology, vulnerabilities have become one of the major threats to computer security. Most vulnerabilities with similar patterns can be detected effectively by static analysis methods. However, some vulnerable and non-vulnerable code is hardly distinguishable, resulting in low detection accuracy. In this paper, we define the accurate identification of vulnerabilities in similar code as a fine-grained vulnerability detection problem. We propose VulSniper which is designed to detect fine-grained vulnerabilities more effectively. In VulSniper, attention mechanism is used to capture the critical features of the vulnerabilities. Especially, we use bottom-up and top-down structures to learn the attention weights of different areas of the program. Moreover, in order to fully extract the semantic features of the program, we generate the code property graph, design a 144-dimensional vector to describe the relation between the nodes, and finally encode the program as a feature tensor. VulSniper achieves F1-scores of 80.6% and 73.3% on the two benchmark datasets, the SARD Buffer Error dataset and the SARD Resource Management Error dataset respectively, which are significantly higher than those of the state-of-the-art methods.

Published

2019

44. Fast-RCM: Fast Tree-Based Unsupervised Rare-Class Mining

Author

Ting Wang, Haiqin Weng, Changchang Liu, Jianhai Chen, Shouling Ji, and Qinming He

Subjects

Computer science, business.industry, Data_MISCELLANEOUS, Approximation algorithm, Pattern recognition, 02 engineering and technology, Class (biology), Computer Science Applications, Domain (software engineering), Human-Computer Interaction, Tree (data structure), ComputingMethodologies_PATTERNRECOGNITION, Control and Systems Engineering, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Anomaly detection, Artificial intelligence, Electrical and Electronic Engineering, business, Time complexity, Software, Information Systems, Curse of dimensionality

Abstract

Rare classes are usually hidden in an imbalanced dataset with the majority of the data examples from major classes. Rare-class mining (RCM) aims at extracting all the data examples belonging to rare classes. Most of the existing approaches for RCM require a certain amount of labeled data examples as input. However, they are ineffective in practice since requesting label information from domain experts is time consuming and human-labor extensive. Thus, we investigate the unsupervised RCM problem, which to the best of our knowledge is the first such attempt. To this end, we propose an efficient algorithm called Fast-RCM for unsupervised RCM, which has an approximately linear time complexity with respect to data size and data dimensionality. Given an unlabeled dataset, Fast-RCM mines out the rare class by first building a rare tree for the input dataset and then extracting data examples of the rare classes based on this rare tree. Compared with the existing approaches which have quadric or even cubic time complexity, Fast-RCM is much faster and can be extended to large-scale datasets. The experimental evaluation on both synthetic and real-world datasets demonstrate that our algorithm can effectively and efficiently extract the rare classes from an unlabeled dataset under the unsupervised settings, and is approximately five times faster than that of the state-of-the-art methods.

Published

2019

45. Efficient Global String Kernel with Random Features

Author

Liang Ma, Ian En-Hsu Yen, Lingfei Wu, Liang Zhao, Charu C. Aggarwal, Siyu Huo, Kun Xu, and Shouling Ji

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer science, Diagonal, Machine Learning (stat.ML), Linear classifier, Machine Learning (cs.LG), Kernel (linear algebra), Discriminative model, Statistics - Machine Learning, String kernel, Edit distance, Algorithm, Classifier (UML), Diagonally dominant matrix

Abstract

Analysis of large-scale sequential data has been one of the most crucial tasks in areas such as bioinformatics, text, and audio mining. Existing string kernels, however, either (i) rely on local features of short substructures in the string, which hardly capture long discriminative patterns, (ii) sum over too many substructures, such as all possible subsequences, which leads to diagonal dominance of the kernel matrix, or (iii) rely on non-positive-definite similarity measures derived from the edit distance. Furthermore, while there have been works addressing the computational challenge with respect to the length of string, most of them still experience quadratic complexity in terms of the number of training samples when used in a kernel-based classifier. In this paper, we present a new class of global string kernels that aims to (i) discover global properties hidden in the strings through global alignments, (ii) maintain positive-definiteness of the kernel, without introducing a diagonal dominant kernel matrix, and (iii) have a training cost linear with respect to not only the length of the string but also the number of training string samples. To this end, the proposed kernels are explicitly defined through a series of different random feature maps, each corresponding to a distribution of random strings. We show that kernels defined this way are always positive-definite, and exhibit computational benefits as they always produce \emph{Random String Embeddings (RSE)} that can be directly used in any linear classification models. Our extensive experiments on nine benchmark datasets corroborate that RSE achieves better or comparable accuracy in comparison to state-of-the-art baselines, especially with the strings of longer lengths. In addition, we empirically show that RSE scales linearly with the increase of the number and the length of string., KDD'19 Oral Paper, Data and Code link available in the paper

Published

2019

46. DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model

Author

Jiannan Wang, Jiaxu Zou, Bo Li, Xiang Ling, Ting Wang, Chunming Wu, and Shouling Ji

Subjects

Security analysis, Artificial neural network, Computer science, business.industry, Deep learning, Vulnerability, 020207 software engineering, 02 engineering and technology, Adversarial machine learning, Computer security, computer.software_genre, Adversarial system, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer

Abstract

Deep learning (DL) models are inherently vulnerable to adversarial examples – maliciously crafted inputs to trigger target DL models to misbehave – which significantly hinders the application of DL in security-sensitive domains. Intensive research on adversarial learning has led to an arms race between adversaries and defenders. Such plethora of emerging attacks and defenses raise many questions: Which attacks are more evasive, preprocessing-proof, or transferable? Which defenses are more effective, utility-preserving, or general? Are ensembles of multiple defenses more robust than individuals? Yet, due to the lack of platforms for comprehensive evaluation on adversarial attacks and defenses, these critical questions remain largely unsolved. In this paper, we present the design, implementation, and evaluation of DEEPSEC, a uniform platform that aims to bridge this gap. In its current implementation, DEEPSEC incorporates 16 state-of-the-art attacks with 10 attack utility metrics, and 13 state-of-the-art defenses with 5 defensive utility metrics. To our best knowledge, DEEPSEC is the first platform that enables researchers and practitioners to (i) measure the vulnerability of DL models, (ii) evaluate the effectiveness of various attacks/defenses, and (iii) conduct comparative studies on attacks/defenses in a comprehensive and informative manner. Leveraging DEEPSEC, we systematically evaluate the existing adversarial attack and defense methods, and draw a set of key findings, which demonstrate DEEPSEC’s rich functionality, such as (1) the trade-off between misclassification and imperceptibility is empirically confirmed; (2) most defenses that claim to be universally applicable can only defend against limited types of attacks under restricted settings; (3) it is not necessary that adversarial examples with higher perturbation magnitude are easier to be detected; (4) the ensemble of multiple defenses cannot improve the overall defense capability, but can improve the lower bound of the defense effectiveness of individuals. Extensive analysis on DEEPSEC demonstrates its capabilities and advantages as a benchmark platform which can benefit future adversarial learning research.

Published

2019

47. SirenAttack: Generating Adversarial Audio for End-to-End Acoustic Systems

Author

Ting Wang, Tianyu Du, Jinfeng Li, Qinchen Gu, Shouling Ji, and Raheem Beyah

Subjects

FOS: Computer and information sciences, 021110 strategic, defence & security studies, Computer Science - Cryptography and Security, Artificial neural network, business.industry, Computer science, Event (computing), Deep learning, Speech recognition, 0211 other engineering and technologies, Cloud computing, 02 engineering and technology, Adversarial machine learning, Speaker recognition, Adversarial system, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, Set (psychology), Cryptography and Security (cs.CR)

Abstract

Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, wherein maliciously crafted audios trigger target systems to misbehave. In this paper, we present SirenAttack, a new class of attacks to generate adversarial audios. Compared with existing attacks, SirenAttack highlights with a set of significant features: (i) versatile -- it is able to deceive a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective -- it is able to generate adversarial audios that can be recognized as specific phrases by target acoustic systems; and (iii) stealthy -- it is able to generate adversarial audios indistinguishable from their benign counterparts to human perception. We empirically evaluate SirenAttack on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition and sound event classification), with results showing the versatility, effectiveness, and stealthiness of SirenAttack. For instance, it achieves 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, while the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defense methods to mitigate such attacks, including adversarial training, audio downsampling, and moving average filtering, which leads to promising directions for further research., Comment: The experimental results were not up to our expectation

Published

2019

48. Adversarial CAPTCHAs

Author

Chenghui Shi, Xiaogang Xu, Shouling Ji, Kai Bu, Jianhai Chen, Raheem Beyah, and Ting Wang

Subjects

Human-Computer Interaction, FOS: Computer and information sciences, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Computer Science - Cryptography and Security, Control and Systems Engineering, ComputingMilieux_PERSONALCOMPUTING, Humans, Electrical and Electronic Engineering, Cryptography and Security (cs.CR), Software, Computer Science Applications, Information Systems

Abstract

Following the principle of to set one's own spear against one's own shield, we study how to design adversarial CAPTCHAs in this paper. We first identify the similarity and difference between adversarial CAPTCHA generation and existing hot adversarial example (image) generation research. Then, we propose a framework for text-based and image-based adversarial CAPTCHA generation on top of state-of-the-art adversarial image generation techniques. Finally, we design and implement an adversarial CAPTCHA generation and evaluation system, named aCAPTCHA, which integrates 10 image preprocessing techniques, 9 CAPTCHA attacks, 4 baseline adversarial CAPTCHA generation methods, and 8 new adversarial CAPTCHA generation methods. To examine the performance of aCAPTCHA, extensive security and usability evaluations are conducted. The results demonstrate that the generated adversarial CAPTCHAs can significantly improve the security of normal CAPTCHAs while maintaining similar usability. To facilitate the CAPTCHA security research, we also open source the aCAPTCHA system, including the source code, trained models, datasets, and the usability evaluation interfaces., Comment: 16pages,9 figures, journal

Published

2019

49. A Truthful FPTAS Mechanism for Emergency Demand Response in Colocation Data Centers

Author

Zhenguang Liu, Shouling Ji, Yang Xiang, Jianhai Chen, Qinming He, and Deshi Ye

Subjects

FOS: Computer and information sciences, Mathematical optimization, business.industry, Computer science, Approximation algorithm, Bidding, Grid, Demand response, Dynamic programming, Load management, Computer Science - Computer Science and Game Theory, Electricity market, Data center, business, Computer Science and Game Theory (cs.GT)

Abstract

Demand response (DR) is not only a crucial solution to the demand side management but also a vital means of electricity market in maintaining power grid reliability, sustainability and stability. DR can enable consumers (e.g. data centers) to reduce their electricity consumption when the supply of electricity is a shortage. The consumers will be rewarded in the case of DR if they reduce or shift some of their energy usage during peak hours. Aiming at solving the efficiency of DR, in this paper, we present MEDR, a mechanism on emergency DR in colocation data center. First, we formalize the MEDR problem and propose a dynamic programming to solve the optimization version of the problem. We then design a deterministic mechanism as a solution to solve the MEDR problem. We show that our proposed mechanism is truthful. Next, we prove that our mechanism is an FPTAS, i.e., it can be approximated within $1 + \epsilon$ for any given $\epsilon > 0$, while the running time of our mechanism is polynomial in $n$ and $1/\epsilon$, where $n$ is the number of tenants in the datacenter. Furthermore, we also give an auction system covering the efficient FPTAS algorithm as bidding decision program for DR in colocation datacenter. Finally, we choose a practical smart grid dataset to build a large number of datasets for simulation in performance evaluation. By evaluating metrics of the approximation ratio of our mechanism, the non-negative utility of tenants and social cost of colocation datacenter, the results demonstrate the effectiveness of our work., Comment: This paper is a version of 9 pages and published as a main conference paper of IEEE INFOCOM 2019

Published

2019

50. Fast and parameter-light rare behavior detection in maritime trajectories

Author

Fei Wang, Anthony K. H. Tung, Yifan Lei, Zhenguang Liu, Shouling Ji, and Wang Xun

Subjects

Scheme (programming language), Visual analytics, Computer science, 020207 software engineering, Single parameter, Context (language use), 02 engineering and technology, Library and Information Sciences, Management Science and Operations Research, computer.software_genre, Computer Science Applications, Human knowledge, 0202 electrical engineering, electronic engineering, information engineering, Media Technology, Preprocessor, 020201 artificial intelligence & image processing, Data mining, Cluster analysis, Set (psychology), computer, Information Systems, computer.programming_language

Abstract

Rare behaviors indicate important events and situations in maritime surveillance applications. State-of-the-art methods provide many effective solutions to detect anomalous behaviors. Meanwhile, most solutions are parameter-laden and too costly to identify useful rare behaviors with human knowledge in a visual analytics manner. This paper is concerned with a scheme cross trajectories, vessel attributes and the movement context for detecting rare behaviors through preprocessing, kNN-based clustering, and verification. Although the scheme involves several parameters, we demonstrate that they are able to be tackled in thresholds. As a result, a rare behavior factor is the single parameter that affect the detecting results. The proposed scheme is evaluated via a simulated data set for performance and a real life AIS data for effectiveness. Results show that high accuracy to labelled anomalies and useful rare behaviors can be achieved.

Published

2020