Search

Your search keyword '"Biggio A"' showing total 5,020 results
Start Over Author "Biggio A"
5,020 results on '"Biggio A"'

1. On the Robustness of Adversarial Training Against Uncertainty Attacks

Author

Ledda, Emanuele, Scodeller, Giovanni, Angioni, Daniele, Piras, Giorgio, Cinà, Antonio Emanuele, Fumera, Giorgio, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Machine Learning
Abstract

In learning problems, the noise inherent to the task at hand hinders the possibility to infer without a certain degree of uncertainty. Quantifying this uncertainty, regardless of its wide use, assumes high relevance for security-sensitive applications. Within these scenarios, it becomes fundamental to guarantee good (i.e., trustworthy) uncertainty measures, which downstream modules can securely employ to drive the final decision-making process. However, an attacker may be interested in forcing the system to produce either (i) highly uncertain outputs jeopardizing the system's availability or (ii) low uncertainty estimates, making the system accept uncertain samples that would instead require a careful inspection (e.g., human intervention). Therefore, it becomes fundamental to understand how to obtain robust uncertainty estimates against these kinds of attacks. In this work, we reveal both empirically and theoretically that defending against adversarial examples, i.e., carefully perturbed samples that cause misclassification, additionally guarantees a more secure, trustworthy uncertainty estimate under common attack scenarios without the need for an ad-hoc defense strategy. To support our claims, we evaluate multiple adversarial-robust models from the publicly available benchmark RobustBench on the CIFAR-10 and ImageNet datasets.

Published
2024

2. Bilinear Sequence Regression: A Model for Learning from Long Sequences of High-dimensional Tokens

Author

Erba, Vittorio, Troiani, Emanuele, Biggio, Luca, Maillard, Antoine, and Zdeborová, Lenka

Subjects
Condensed Matter - Disordered Systems and Neural Networks, Computer Science - Machine Learning
Abstract

Current progress in artificial intelligence is centered around so-called large language models that consist of neural networks processing long sequences of high-dimensional vectors called tokens. Statistical physics provides powerful tools to study the functioning of learning with neural networks and has played a recognized role in the development of modern machine learning. The statistical physics approach relies on simplified and analytically tractable models of data. However, simple tractable models for long sequences of high-dimensional tokens are largely underexplored. Inspired by the crucial role models such as the single-layer teacher-student perceptron (aka generalized linear regression) played in the theory of fully connected neural networks, in this paper, we introduce and study the bilinear sequence regression (BSR) as one of the most basic models for sequences of tokens. We note that modern architectures naturally subsume the BSR model due to the skip connections. Building on recent methodological progress, we compute the Bayes-optimal generalization error for the model in the limit of long sequences of high-dimensional tokens, and provide a message-passing algorithm that matches this performance. We quantify the improvement that optimal learning brings with respect to vectorizing the sequence of tokens and learning via simple linear regression. We also unveil surprising properties of the gradient descent algorithms in the BSR model.

Published
2024

3. Adversarial Pruning: A Survey and Benchmark of Pruning Methods for Adversarial Robustness

Author

Piras, Giorgio, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Giacinto, Giorgio, and Roli, Fabio

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

Recent work has proposed neural network pruning techniques to reduce the size of a network while preserving robustness against adversarial examples, i.e., well-crafted inputs inducing a misclassification. These methods, which we refer to as adversarial pruning methods, involve complex and articulated designs, making it difficult to analyze the differences and establish a fair and accurate comparison. In this work, we overcome these issues by surveying current adversarial pruning methods and proposing a novel taxonomy to categorize them based on two main dimensions: the pipeline, defining when to prune; and the specifics, defining how to prune. We then highlight the limitations of current empirical analyses and propose a novel, fair evaluation benchmark to address them. We finally conduct an empirical re-evaluation of current adversarial pruning methods and discuss the results, highlighting the shared traits of top-performing adversarial pruning methods, as well as common issues. We welcome contributions in our publicly-available benchmark at https://github.com/pralab/AdversarialPruningBenchmark

Published
2024

4. Sonic: Fast and Transferable Data Poisoning on Clustering Algorithms

Author

Villani, Francesco, Lazzaro, Dario, Cinà, Antonio Emanuele, Dell'Amico, Matteo, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Machine Learning
Abstract

Data poisoning attacks on clustering algorithms have received limited attention, with existing methods struggling to scale efficiently as dataset sizes and feature counts increase. These attacks typically require re-clustering the entire dataset multiple times to generate predictions and assess the attacker's objectives, significantly hindering their scalability. This paper addresses these limitations by proposing Sonic, a novel genetic data poisoning attack that leverages incremental and scalable clustering algorithms, e.g., FISHDBC, as surrogates to accelerate poisoning attacks against graph-based and density-based clustering methods, such as HDBSCAN. We empirically demonstrate the effectiveness and efficiency of Sonic in poisoning the target clustering algorithms. We then conduct a comprehensive analysis of the factors affecting the scalability and transferability of poisoning attacks against clustering algorithms, and we conclude by examining the robustness of hyperparameters in our attack strategy Sonic., Comment: preprint paper

Published
2024

5. Formal Operational Performance: Epochal and Sociocultural Differences in the First Level of Secondary School Students in Argentina

Author

Stella Maris Vázquez, Marianela Noriega-Biggio, and Hilda Difabio-de-Anglat

Abstract

The following research presents the outcomes of a cohort study investigating formal thinking skills among first and second-year secondary school students. A specially crafted instrument, the Logical Thought Performance Test for Adolescents (LTPA), was employed to gauge the level of formal thought. The LTP-A assesses various aspects, including: combinatorial reasoning; proportional reasoning; permutation; inferences derived from exclusive and inclusive disjunction; biconditional and asymmetric implication; and, modus tollens. The study compares the achievements of four student groups from two educational institutions at two distinct time points, with a thirty-year gap. The independent variables include the sociocultural level and the epochal aspect. Methodologically, one-way analysis of variance and cluster analysis were performed, showing significant differences in relation to sociocultural level. Results suggest that the sociocultural factor outweighs epochal differences. Then, a content analysis of some answers was carried out to detect resolution strategies, some conceptual categories and types of errors. Conclusions explore the moderating role of students' sociocultural levels, and provide educational recommendations.

Published
2024

6. Counting in Small Transformers: The Delicate Interplay between Attention and Feed-Forward Layers

Author

Behrens, Freya, Biggio, Luca, and Zdeborová, Lenka

Subjects
Computer Science - Machine Learning
Abstract

How do different architectural design choices influence the space of solutions that a transformer can implement and learn? How do different components interact with each other to shape the model's hypothesis space? We investigate these questions by characterizing the solutions simple transformer blocks can implement when challenged to solve the histogram task -- counting the occurrences of each item in an input sequence from a fixed vocabulary. Despite its apparent simplicity, this task exhibits a rich phenomenology: our analysis reveals a strong inter-dependence between the model's predictive performance and the vocabulary and embedding sizes, the token-mixing mechanism and the capacity of the feed-forward block. In this work, we characterize two different counting strategies that small transformers can implement theoretically: relation-based and inventory-based counting, the latter being less efficient in computation and memory. The emergence of either strategy is heavily influenced by subtle synergies among hyperparameters and components, and depends on seemingly minor architectural tweaks like the inclusion of softmax in the attention mechanism. By introspecting models trained on the histogram task, we verify the formation of both mechanisms in practice. Our findings highlight that even in simple settings, slight variations in model design can cause significant changes to the solutions a transformer learns., Comment: 33 pages, Accepted at Mechanistic Interpretability Workshop, ICML 2024

Published
2024

7. HO-FMN: Hyperparameter Optimization for Fast Minimum-Norm Attacks

Author

Mura, Raffaele, Floris, Giuseppe, Scionis, Luca, Piras, Giorgio, Pintor, Maura, Demontis, Ambra, Giacinto, Giorgio, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Machine Learning
Abstract

Gradient-based attacks are a primary tool to evaluate robustness of machine-learning models. However, many attacks tend to provide overly-optimistic evaluations as they use fixed loss functions, optimizers, step-size schedulers, and default hyperparameters. In this work, we tackle these limitations by proposing a parametric variation of the well-known fast minimum-norm attack algorithm, whose loss, optimizer, step-size scheduler, and hyperparameters can be dynamically adjusted. We re-evaluate 12 robust models, showing that our attack finds smaller adversarial perturbations without requiring any additional tuning. This also enables reporting adversarial robustness as a function of the perturbation budget, providing a more complete evaluation than that offered by fixed-budget attacks, while remaining efficient. We release our open-source code at https://github.com/pralab/HO-FMN.

Published
2024
Full Text
View/download PDF

8. ModSec-Learn: Boosting ModSecurity with Machine Learning

Author

Scano, Christian, Floris, Giuseppe, Montaruli, Biagio, Demetrio, Luca, Valenza, Andrea, Compagna, Luca, Ariu, Davide, Piras, Luca, Balzarotti, Davide, and Biggio, Battista

Subjects
Computer Science - Machine Learning
Abstract

ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively., Comment: arXiv admin note: text overlap with arXiv:2308.04964

Published
2024

9. Over-parameterization and Adversarial Robustness in Neural Networks: An Overview and Empirical Analysis

Author

Chen, Zhang, Demetrio, Luca, Gupta, Srishti, Feng, Xiaoyi, Xia, Zhaoqiang, Cinà, Antonio Emanuele, Pintor, Maura, Oneto, Luca, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Machine Learning, 68T10, I.5
Abstract

Thanks to their extensive capacity, over-parameterized neural networks exhibit superior predictive capabilities and generalization. However, having a large parameter space is considered one of the main suspects of the neural networks' vulnerability to adversarial example -- input samples crafted ad-hoc to induce a desired misclassification. Relevant literature has claimed contradictory remarks in support of and against the robustness of over-parameterized networks. These contradictory findings might be due to the failure of the attack employed to evaluate the networks' robustness. Previous research has demonstrated that depending on the considered model, the algorithm employed to generate adversarial examples may not function properly, leading to overestimating the model's robustness. In this work, we empirically study the robustness of over-parameterized networks against adversarial examples. However, unlike the previous works, we also evaluate the considered attack's reliability to support the results' veracity. Our results show that over-parameterized networks are robust against adversarial attacks as opposed to their under-parameterized counterparts.

Published
2024

10. SLIFER: Investigating Performance and Robustness of Malware Detection Pipelines

Author

Ponte, Andrea, Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, Ogbu, Ivan Tesfai, and Roli, Fabio

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

As a result of decades of research, Windows malware detection is approached through a plethora of techniques. However, there is an ongoing mismatch between academia -- which pursues an optimal performances in terms of detection rate and low false alarms -- and the requirements of real-world scenarios. In particular, academia focuses on combining static and dynamic analysis within a single or ensemble of models, falling into several pitfalls like (i) firing dynamic analysis without considering the computational burden it requires; (ii) discarding impossible-to-analyze samples; and (iii) analyzing robustness against adversarial attacks without considering that malware detectors are complemented with more non-machine-learning components. Thus, in this paper we bridge these gaps, by investigating the properties of malware detectors built with multiple and different types of analysis. To do so, we develop SLIFER, a Windows malware detection pipeline sequentially leveraging both static and dynamic analysis, interrupting computations as soon as one module triggers an alarm, requiring dynamic analysis only when needed. Contrary to the state of the art, we investigate how to deal with samples that impede analyzes, showing how much they impact performances, concluding that it is better to flag them as legitimate to not drastically increase false alarms. Lastly, we perform a robustness evaluation of SLIFER. Counter-intuitively, the injection of new content is either blocked more by signatures than dynamic analysis, due to byte artifacts created by the attack, or it is able to avoid detection from signatures, as they rely on constraints on file size disrupted by attacks. As far as we know, we are the first to investigate the properties of sequential malware detectors, shedding light on their behavior in real production environment.

Published
2024
Full Text
View/download PDF

11. Certified Adversarial Robustness of Machine Learning-based Malware Detectors via (De)Randomized Smoothing

Author

Gibert, Daniel, Demetrio, Luca, Zizzo, Giulio, Le, Quan, Planes, Jordi, and Biggio, Battista

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

Deep learning-based malware detection systems are vulnerable to adversarial EXEmples - carefully-crafted malicious programs that evade detection with minimal perturbation. As such, the community is dedicating effort to develop mechanisms to defend against adversarial EXEmples. However, current randomized smoothing-based defenses are still vulnerable to attacks that inject blocks of adversarial content. In this paper, we introduce a certifiable defense against patch attacks that guarantees, for a given executable and an adversarial patch size, no adversarial EXEmple exist. Our method is inspired by (de)randomized smoothing which provides deterministic robustness certificates. During training, a base classifier is trained using subsets of continguous bytes. At inference time, our defense splits the executable into non-overlapping chunks, classifies each chunk independently, and computes the final prediction through majority voting to minimize the influence of injected content. Furthermore, we introduce a preprocessing step that fixes the size of the sections and headers to a multiple of the chunk size. As a consequence, the injected content is confined to an integer number of chunks without tampering the other chunks containing the real bytes of the input examples, allowing us to extend our certified robustness guarantees to content insertion attacks. We perform an extensive ablation study, by comparing our defense with randomized smoothing-based defenses against a plethora of content manipulation attacks and neural network architectures. Results show that our method exhibits unmatched robustness against strong content-insertion attacks, outperforming randomized smoothing-based defenses in the literature.

Published
2024

12. AttackBench: Evaluating Gradient-based Attacks for Adversarial Examples

Author

Cinà, Antonio Emanuele, Rony, Jérôme, Pintor, Maura, Demetrio, Luca, Demontis, Ambra, Biggio, Battista, Ayed, Ismail Ben, and Roli, Fabio

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

Adversarial examples are typically optimized with gradient-based attacks. While novel attacks are continuously proposed, each is shown to outperform its predecessors using different experimental setups, hyperparameter settings, and number of forward and backward calls to the target models. This provides overly-optimistic and even biased evaluations that may unfairly favor one particular attack over the others. In this work, we aim to overcome these limitations by proposing AttackBench, i.e., the first evaluation framework that enables a fair comparison among different attacks. To this end, we first propose a categorization of gradient-based attacks, identifying their main components and differences. We then introduce our framework, which evaluates their effectiveness and efficiency. We measure these characteristics by (i) defining an optimality metric that quantifies how close an attack is to the optimal solution, and (ii) limiting the number of forward and backward queries to the model, such that all attacks are compared within a given maximum query budget. Our extensive experimental analysis compares more than $100$ attack implementations with a total of over $800$ different configurations against CIFAR-10 and ImageNet models, highlighting that only very few attacks outperform all the competing approaches. Within this analysis, we shed light on several implementation issues that prevent many attacks from finding better solutions or running at all. We release AttackBench as a publicly-available benchmark, aiming to continuously update it to include and evaluate novel gradient-based attacks for optimizing adversarial examples., Comment: https://attackbench.github.io

Published
2024

13. Robust Synthetic Data-Driven Detection of Living-Off-the-Land Reverse Shells

Author

Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Living-off-the-land (LOTL) techniques pose a significant challenge to security operations, exploiting legitimate tools to execute malicious commands that evade traditional detection methods. To address this, we present a robust augmentation framework for cyber defense systems as Security Information and Event Management (SIEM) solutions, enabling the detection of LOTL attacks such as reverse shells through machine learning. Leveraging real-world threat intelligence and adversarial training, our framework synthesizes diverse malicious datasets while preserving the variability of legitimate activity, ensuring high accuracy and low false-positive rates. We validate our approach through extensive experiments on enterprise-scale datasets, achieving a 90\% improvement in detection rates over non-augmented baselines at an industry-grade False Positive Rate (FPR) of $10^{-5}$. We define black-box data-driven attacks that successfully evade unprotected models, and develop defenses to mitigate them, producing adversarially robust variants of ML models. Ethical considerations are central to this work; we discuss safeguards for synthetic data generation and the responsible release of pre-trained models across four best performing architectures, including both adversarially and regularly trained variants: https://huggingface.co/dtrizna/quasarnix. Furthermore, we provide a malicious LOTL dataset containing over 1 million augmented attack variants to enable reproducible research and community collaboration: https://huggingface.co/datasets/dtrizna/QuasarNix. This work offers a reproducible, scalable, and production-ready defense against evolving LOTL threats.

Published
2024

14. Robustness-Congruent Adversarial Training for Secure Machine Learning Model Updates

Author

Angioni, Daniele, Demetrio, Luca, Pintor, Maura, Oneto, Luca, Anguita, Davide, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security
Abstract

Machine-learning models demand for periodic updates to improve their average accuracy, exploiting novel architectures and additional data. However, a newly-updated model may commit mistakes that the previous model did not make. Such misclassifications are referred to as negative flips, and experienced by users as a regression of performance. In this work, we show that this problem also affects robustness to adversarial examples, thereby hindering the development of secure model update practices. In particular, when updating a model to improve its adversarial robustness, some previously-ineffective adversarial examples may become misclassified, causing a regression in the perceived security of the system. We propose a novel technique, named robustness-congruent adversarial training, to address this issue. It amounts to fine-tuning a model with adversarial training, while constraining it to retain higher robustness on the adversarial examples that were correctly classified before the update. We show that our algorithm and, more generally, learning with non-regression constraints, provides a theoretically-grounded framework to train consistent estimators. Our experiments on robust models for computer vision confirm that (i) both accuracy and robustness, even if improved after model update, can be affected by negative flips, and (ii) our robustness-congruent adversarial training can mitigate the problem, outperforming competing baseline methods.

Published
2024

15. $\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples

Author

Cinà, Antonio Emanuele, Villani, Francesco, Pintor, Maura, Schönherr, Lea, Biggio, Battista, and Pelillo, Marcello

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

Evaluating the adversarial robustness of deep networks to gradient-based attacks is challenging. While most attacks consider $\ell_2$- and $\ell_\infty$-norm constraints to craft input perturbations, only a few investigate sparse $\ell_1$- and $\ell_0$-norm attacks. In particular, $\ell_0$-norm attacks remain the least studied due to the inherent complexity of optimizing over a non-convex and non-differentiable constraint. However, evaluating adversarial robustness under these attacks could reveal weaknesses otherwise left untested with more conventional $\ell_2$- and $\ell_\infty$-norm attacks. In this work, we propose a novel $\ell_0$-norm attack, called $\sigma$-zero, which leverages a differentiable approximation of the $\ell_0$ norm to facilitate gradient-based optimization, and an adaptive projection operator to dynamically adjust the trade-off between loss minimization and perturbation sparsity. Extensive evaluations using MNIST, CIFAR10, and ImageNet datasets, involving robust and non-robust models, show that $\sigma$-zero finds minimum $\ell_0$-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and efficiency., Comment: Code available at https://github.com/Cinofix/sigma-zero-adversarial-attack

Published
2024

17. Harnessing Synthetic Datasets: The Role of Shape Bias in Deep Neural Network Generalization

Author

Benarous, Elior, Anagnostidis, Sotiris, Biggio, Luca, and Hofmann, Thomas

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Artificial Intelligence, Computer Science - Machine Learning
Abstract

Recent advancements in deep learning have been primarily driven by the use of large models trained on increasingly vast datasets. While neural scaling laws have emerged to predict network performance given a specific level of computational resources, the growing demand for expansive datasets raises concerns. To address this, a new research direction has emerged, focusing on the creation of synthetic data as a substitute. In this study, we investigate how neural networks exhibit shape bias during training on synthetic datasets, serving as an indicator of the synthetic data quality. Specifically, our findings indicate three key points: (1) Shape bias varies across network architectures and types of supervision, casting doubt on its reliability as a predictor for generalization and its ability to explain differences in model recognition compared to human capabilities. (2) Relying solely on shape bias to estimate generalization is unreliable, as it is entangled with diversity and naturalism. (3) We propose a novel interpretation of shape bias as a tool for estimating the diversity of samples within a dataset. Our research aims to clarify the implications of using synthetic data and its associated shape bias in deep learning, addressing concerns regarding generalization and dataset quality.

Published
2023

19. Should you hold onto the treadmill handrails or not? Cortical evidence at different walking speeds

Author

Monica Biggio, Costanza Iester, Davide Cattaneo, Simone Cutini, Ambra Bisio, Ludovico Pedullà, Alessandro Torchio, Marco Bove, and Laura Bonzano

Subjects
Functional near-infrared spectroscopy, Haptic contact, Treadmill, Walking speed, Neurosciences. Biological psychiatry. Neuropsychiatry, RC321-571
Abstract

Abstract Background Treadmill-based gait training is part of rehabilitation programs focused on walking abilities. The use of handrails embedded in treadmill systems is debated, and current literature only explores the issue from a behavioral perspective. Methods We examined the cortical correlates of treadmill walking in healthy participants using functional near-infrared spectroscopy. We investigated whether the utilization of treadmill handrails at varying walking speeds could affect cortical activation associated with the task, and we evaluated potential differences in task-based functional connectivity across the various walking conditions. Results Significant differences in cortical activation were found between the two walking speeds (3 and 5 km/h) in the unsupported condition; these differences were reduced when using the handrails. Specifically, cortical activation was significantly higher when the participants swung their arms freely while walking at a speed of 5 compared to 3 km/h in several Brodmann’s Areas (BA): left BA10, BA3 and BA39, and right BA10, BA9, BA8, BA3, and BA40. No significant differences were found when participants were holding onto the handrails. A significant difference was found in the left BA40 between the two speeds, regardless of whether the participants were holding onto the handrails. Furthermore, at the higher speed and without the use of handrails, a wider pattern of task-based functional connectivity was observed, with significantly stronger connectivity between the left BA10 and BA40. Conclusions We suggest that speed and handrails use play a role in walking cortical activity patterns, therefore they are key ingredients to take into account when planning a rehabilitation program.

Published
2025
Full Text
View/download PDF

20. Improving Fast Minimum-Norm Attacks with Hyperparameter Optimization

Author

Floris, Giuseppe, Mura, Raffaele, Scionis, Luca, Piras, Giorgio, Pintor, Maura, Demontis, Ambra, and Biggio, Battista

Subjects
Computer Science - Machine Learning, Computer Science - Computer Vision and Pattern Recognition
Abstract

Evaluating the adversarial robustness of machine learning models using gradient-based attacks is challenging. In this work, we show that hyperparameter optimization can improve fast minimum-norm attacks by automating the selection of the loss function, the optimizer and the step-size scheduler, along with the corresponding hyperparameters. Our extensive evaluation involving several robust models demonstrates the improved efficacy of fast minimum-norm attacks when hyper-up with hyperparameter optimization. We release our open-source code at https://github.com/pralab/HO-FMN., Comment: Accepted at ESANN23

Published
2023
Full Text
View/download PDF

21. Samples on Thin Ice: Re-Evaluating Adversarial Pruning of Neural Networks

Author

Piras, Giorgio, Pintor, Maura, Demontis, Ambra, and Biggio, Battista

Subjects
Computer Science - Machine Learning, Computer Science - Computer Vision and Pattern Recognition
Abstract

Neural network pruning has shown to be an effective technique for reducing the network size, trading desirable properties like generalization and robustness to adversarial attacks for higher sparsity. Recent work has claimed that adversarial pruning methods can produce sparse networks while also preserving robustness to adversarial examples. In this work, we first re-evaluate three state-of-the-art adversarial pruning methods, showing that their robustness was indeed overestimated. We then compare pruned and dense versions of the same models, discovering that samples on thin ice, i.e., closer to the unpruned model's decision boundary, are typically misclassified after pruning. We conclude by discussing how this intuition may lead to designing more effective adversarial pruning methods in future work.

Published
2023

22. Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors

Author

Montaruli, Biagio, Demetrio, Luca, Pintor, Maura, Compagna, Luca, Balzarotti, Davide, and Biggio, Battista

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Machine-learning phishing webpage detectors (ML-PWD) have been shown to suffer from adversarial manipulations of the HTML code of the input webpage. Nevertheless, the attacks recently proposed have demonstrated limited effectiveness due to their lack of optimizing the usage of the adopted manipulations, and they focus solely on specific elements of the HTML code. In this work, we overcome these limitations by first designing a novel set of fine-grained manipulations which allow to modify the HTML code of the input phishing webpage without compromising its maliciousness and visual appearance, i.e., the manipulations are functionality- and rendering-preserving by design. We then select which manipulations should be applied to bypass the target detector by a query-efficient black-box optimization algorithm. Our experiments show that our attacks are able to raze to the ground the performance of current state-of-the-art ML-PWD using just 30 queries, thus overcoming the weaker attacks developed in previous work, and enabling a much fairer robustness evaluation of ML-PWD., Comment: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec '23), November 30, 2023, Copenhagen, Denmark

Published
2023
Full Text
View/download PDF

23. Nebula: Self-Attention for Dynamic Malware Analysis

Author

Trizna, Dmitrijs, Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Dynamic analysis enables detecting Windows malware by executing programs in a controlled environment and logging their actions. Previous work has proposed training machine learning models, i.e., convolutional and long short-term memory networks, on homogeneous input features like runtime APIs to either detect or classify malware, neglecting other relevant information coming from heterogeneous data like network and file operations. To overcome these issues, we introduce Nebula, a versatile, self-attention Transformer-based neural architecture that generalizes across different behavioral representations and formats, combining diverse information from dynamic log reports. Nebula is composed by several components needed to tokenize, filter, normalize and encode data to feed the transformer architecture. We firstly perform a comprehensive ablation study to evaluate their impact on the performance of the whole system, highlighting which components can be used as-is, and which must be enriched with specific domain knowledge. We perform extensive experiments on both malware detection and classification tasks, using three datasets acquired from different dynamic analyses platforms, show that, on average, Nebula outperforms state-of-the-art models at low false positive rates, with a peak of 12% improvement. Moreover, we showcase how self-supervised learning pre-training matches the performance of fully-supervised models with only 20% of training data, and we inspect the output of Nebula through explainable AI techniques, pinpointing how attention is focusing on specific tokens correlated to malicious activities of malware families. To foster reproducibility, we open-source our findings and models at https://github.com/dtrizna/nebula., Comment: 18 pages, 7 figures, 12 tables, preprint, in review

Published
2023
Full Text
View/download PDF

24. Adversarial Attacks Against Uncertainty Quantification

Author

Ledda, Emanuele, Angioni, Daniele, Piras, Giorgio, Fumera, Giorgio, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Machine-learning models can be fooled by adversarial examples, i.e., carefully-crafted input perturbations that force models to output wrong predictions. While uncertainty quantification has been recently proposed to detect adversarial inputs, under the assumption that such attacks exhibit a higher prediction uncertainty than pristine data, it has been shown that adaptive attacks specifically aimed at reducing also the uncertainty estimate can easily bypass this defense mechanism. In this work, we focus on a different adversarial scenario in which the attacker is still interested in manipulating the uncertainty estimate, but regardless of the correctness of the prediction; in particular, the goal is to undermine the use of machine-learning models when their outputs are consumed by a downstream module or by a human operator. Following such direction, we: \textit{(i)} design a threat model for attacks targeting uncertainty quantification; \textit{(ii)} devise different attack strategies on conceptually different UQ techniques spanning for both classification and semantic segmentation problems; \textit{(iii)} conduct a first complete and extensive analysis to compare the differences between some of the most employed UQ approaches under attack. Our extensive experimental analysis shows that our attacks are more effective in manipulating uncertainty quantification measures than attacks aimed to also induce misclassifications.

Published
2023

25. Hardening RGB-D Object Recognition Systems against Adversarial Patch Attacks

Author

Zheng, Yang, Demetrio, Luca, Cinà, Antonio Emanuele, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security
Abstract

RGB-D object recognition systems improve their predictive performances by fusing color and depth information, outperforming neural network architectures that rely solely on colors. While RGB-D systems are expected to be more robust to adversarial examples than RGB-only systems, they have also been proven to be highly vulnerable. Their robustness is similar even when the adversarial examples are generated by altering only the original images' colors. Different works highlighted the vulnerability of RGB-D systems; however, there is a lacking of technical explanations for this weakness. Hence, in our work, we bridge this gap by investigating the learned deep representation of RGB-D systems, discovering that color features make the function learned by the network more complex and, thus, more sensitive to small perturbations. To mitigate this problem, we propose a defense based on a detection mechanism that makes RGB-D systems more robust against adversarial examples. We empirically show that this defense improves the performances of RGB-D systems against adversarial examples even when they are computed ad-hoc to circumvent this detection mechanism, and that is also more effective than adversarial training., Comment: Accepted for publication in the Information Sciences journal

Published
2023

26. ModSec-AdvLearn: Countering Adversarial SQL Injections with Robust Machine Learning

Author

Montaruli, Biagio, Floris, Giuseppe, Scano, Christian, Demetrio, Luca, Valenza, Andrea, Compagna, Luca, Ariu, Davide, Piras, Luca, Balzarotti, Davide, and Biggio, Battista

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security
Abstract

Many Web Application Firewalls (WAFs) leverage the OWASP Core Rule Set (CRS) to block incoming malicious requests. The CRS consists of different sets of rules designed by domain experts to detect well-known web attack patterns. Both the set of rules to be used and the weights used to combine them are manually defined, yielding four different default configurations of the CRS. In this work, we focus on the detection of SQL injection (SQLi) attacks, and show that the manual configurations of the CRS typically yield a suboptimal trade-off between detection and false alarm rates. Furthermore, we show that these configurations are not robust to adversarial SQLi attacks, i.e., carefully-crafted attacks that iteratively refine the malicious SQLi payload by querying the target WAF to bypass detection. To overcome these limitations, we propose (i) using machine learning to automate the selection of the set of rules to be combined along with their weights, i.e., customizing the CRS configuration based on the monitored web services; and (ii) leveraging adversarial training to significantly improve its robustness to adversarial SQLi manipulations. Our experiments, conducted using the well-known open-source ModSecurity WAF equipped with the CRS rules, show that our approach, named ModSec-AdvLearn, can (i) increase the detection rate up to 30%, while retaining negligible false alarm rates and discarding up to 50% of the CRS rules; and (ii) improve robustness against adversarial SQLi attacks up to 85%, marking a significant stride toward designing more effective and robust WAFs. We release our open-source code at https://github.com/pralab/modsec-advlearn.

Published
2023

28. Accelerating galaxy dynamical modeling using a neural network for joint lensing and kinematics analyses

Author

Gomer, Matthew R., Ertl, Sebastian, Biggio, Luca, Wang, Han, Galan, Aymeric, Van de Vyvere, Lyne, Sluse, Dominique, Vernardos, Georgios, and Suyu, Sherry H.

Subjects
Astrophysics - Astrophysics of Galaxies
Abstract

Strong gravitational lensing is a powerful tool to provide constraints on galaxy mass distributions and cosmological parameters, such as the Hubble constant, $H_0$. Nevertheless, inference of such parameters from images of lensing systems is not trivial as parameter degeneracies can limit the precision in the measured lens mass and cosmological results. External information on the mass of the lens, in the form of kinematic measurements, is needed to ensure a precise and unbiased inference. Traditionally, such kinematic information has been included in the inference after the image modeling, using spherical Jeans approximations to match the measured velocity dispersion integrated within an aperture. However, as spatially resolved kinematic measurements become available via IFU data, more sophisticated dynamical modeling is necessary. Such kinematic modeling is expensive, and constitutes a computational bottleneck which we aim to overcome with our Stellar Kinematics Neural Network (SKiNN). SKiNN emulates axisymmetric modeling using a neural network, quickly synthesizing from a given mass model a kinematic map which can be compared to the observations to evaluate a likelihood. With a joint lensing plus kinematic framework, this likelihood constrains the mass model at the same time as the imaging data. We show that SKiNN's emulation of a kinematic map is accurate to considerably better precision than can be measured (better than $1\%$ in almost all cases). Using SKiNN speeds up the likelihood evaluation by a factor of $\sim 200$. This speedup makes dynamical modeling economical, and enables lens modelers to make effective use of modern data quality in the JWST era., Comment: (13 pages, 9 figures, submitted to Astronomy & Astrophysics)

Published
2023

29. Minimizing Energy Consumption of Deep Learning Models by Energy-Aware Training

Author

Lazzaro, Dario, Cinà, Antonio Emanuele, Pintor, Maura, Demontis, Ambra, Biggio, Battista, Roli, Fabio, and Pelillo, Marcello

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition
Abstract

Deep learning models undergo a significant increase in the number of parameters they possess, leading to the execution of a larger number of operations during inference. This expansion significantly contributes to higher energy consumption and prediction latency. In this work, we propose EAT, a gradient-based algorithm that aims to reduce energy consumption during model training. To this end, we leverage a differentiable approximation of the $\ell_0$ norm, and use it as a sparse penalty over the training loss. Through our experimental analysis conducted on three datasets and two deep neural networks, we demonstrate that our energy-aware training algorithm EAT is able to train networks with a better trade-off between classification performance and energy efficiency., Comment: 12 pages, 3 figures. Paper accepted at the 22nd International Conference on Image Analysis and Processing (ICIAP) 2023

Published
2023

30. Gemtelligence: Accelerating Gemstone classification with Deep Learning

Author

Bendinelli, Tommaso, Biggio, Luca, Nyfeler, Daniel, Ghosh, Abhigyan, Tollan, Peter, Kirschmann, Moritz Alexander, and Fink, Olga

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

The value of luxury goods, particularly investment-grade gemstones, is greatly influenced by their origin and authenticity, sometimes resulting in differences worth millions of dollars. Traditionally, human experts have determined the origin and detected treatments on gemstones through visual inspections and a range of analytical methods. However, the interpretation of the data can be subjective and time-consuming, resulting in inconsistencies. In this study, we propose Gemtelligence, a novel approach based on deep learning that enables accurate and consistent origin determination and treatment detection. Gemtelligence comprises convolutional and attention-based neural networks that process heterogeneous data types collected by multiple instruments. Notably, the algorithm demonstrated comparable predictive performance to expensive laser-ablation inductively-coupled-plasma mass-spectrometry (ICP-MS) analysis and visual examination by human experts, despite using input data from relatively inexpensive analytical methods. Our innovative methodology represents a major breakthrough in the field of gemstone analysis by significantly improving the automation and robustness of the entire analytical process pipeline.

Published
2023

31. Dynamic Context Pruning for Efficient and Interpretable Autoregressive Transformers

Author

Anagnostidis, Sotiris, Pavllo, Dario, Biggio, Luca, Noci, Lorenzo, Lucchi, Aurelien, and Hofmann, Thomas

Subjects
Computer Science - Computation and Language, Computer Science - Machine Learning
Abstract

Autoregressive Transformers adopted in Large Language Models (LLMs) are hard to scale to long sequences. Despite several works trying to reduce their computational cost, most of LLMs still adopt attention layers between all pairs of tokens in the sequence, thus incurring a quadratic cost. In this study, we present a novel approach that dynamically prunes contextual information while preserving the model's expressiveness, resulting in reduced memory and computational requirements during inference. Our method employs a learnable mechanism that determines which uninformative tokens can be dropped from the context at any point across the generation process. By doing so, our approach not only addresses performance concerns but also enhances interpretability, providing valuable insight into the model's decision-making process. Our technique can be applied to existing pre-trained models through a straightforward fine-tuning process, and the pruning strength can be specified by a sparsity parameter. Notably, our empirical findings demonstrate that we can effectively prune up to 80\% of the context without significant performance degradation on downstream tasks, offering a valuable tool for mitigating inference costs. Our reference implementation achieves up to $2\times$ increase in inference throughput and even greater memory savings.

Published
2023

32. Uncertainty Quantification in Machine Learning for Engineering Design and Health Prognostics: A Tutorial

Author

Nemani, Venkat, Biggio, Luca, Huan, Xun, Hu, Zhen, Fink, Olga, Tran, Anh, Wang, Yan, Zhang, Xiaoge, and Hu, Chao

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence
Abstract

On top of machine learning models, uncertainty quantification (UQ) functions as an essential layer of safety assurance that could lead to more principled decision making by enabling sound risk assessment and management. The safety and reliability improvement of ML models empowered by UQ has the potential to significantly facilitate the broad adoption of ML solutions in high-stakes decision settings, such as healthcare, manufacturing, and aviation, to name a few. In this tutorial, we aim to provide a holistic lens on emerging UQ methods for ML models with a particular focus on neural networks and the applications of these UQ methods in tackling engineering design as well as prognostics and health management problems. Toward this goal, we start with a comprehensive classification of uncertainty types, sources, and causes pertaining to UQ of ML models. Next, we provide a tutorial-style description of several state-of-the-art UQ methods: Gaussian process regression, Bayesian neural network, neural network ensemble, and deterministic UQ methods focusing on spectral-normalized neural Gaussian process. Established upon the mathematical formulations, we subsequently examine the soundness of these UQ methods quantitatively and qualitatively (by a toy regression example) to examine their strengths and shortcomings from different dimensions. Then, we review quantitative metrics commonly used to assess the quality of predictive uncertainty in classification and regression problems. Afterward, we discuss the increasingly important role of UQ of ML models in solving challenging problems in engineering design and health prognostics. Two case studies with source codes available on GitHub are used to demonstrate these UQ methods and compare their performance in the life prediction of lithium-ion batteries at the early stage and the remaining useful life prediction of turbofan engines.

Published
2023
Full Text
View/download PDF

33. Type-II Majoron Dark Matter

Author

Biggio, Carla, Calibbi, Lorenzo, Ota, Toshihiko, and Zanchini, Samuele

Subjects
High Energy Physics - Phenomenology, Astrophysics - High Energy Astrophysical Phenomena, High Energy Physics - Experiment
Abstract

We discuss in detail the possibility that the ``type-II majoron'' -- that is, the pseudo Nambu-Goldstone boson that arises in the context of the type-II seesaw mechanism if the lepton number is spontaneously broken by an additional singlet scalar -- account for the dark matter (DM) observed in the universe. We study the requirements the model's parameters have to fulfill in order to reproduce the measured DM relic abundance through two possible production mechanisms in the early universe, freeze-in and misalignment, both during a standard radiation-dominated era and early matter domination. We then study possible signals of type-II majoron DM and the present and expected constraints on the parameter space that can be obtained from cosmological observations, direct detection experiments, and present and future searches for decaying DM at neutrino telescopes and cosmic-ray experiments. We find that -- depending on the majoron mass, the production mechanism, and the vacuum expectation value of the type-II triplet -- all of the three decay modes (photons, electrons, neutrinos) of majoron DM particles can yield observable signals at future indirect searches for DM. Furthermore, in a corner of the parameter space, detection of majoron DM is possible through electron recoil at running and future direct detection experiments., Comment: 23 pages + appendices and bibliography, 6 figures; v2: typos corrected, references and comments added, conclusions unchanged, version accepted for publication in PRD

Published
2023
Full Text
View/download PDF

34. Controllable Neural Symbolic Regression

Author

Bendinelli, Tommaso, Biggio, Luca, and Kamienny, Pierre-Alexandre

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence
Abstract

In symbolic regression, the goal is to find an analytical expression that accurately fits experimental data with the minimal use of mathematical symbols such as operators, variables, and constants. However, the combinatorial space of possible expressions can make it challenging for traditional evolutionary algorithms to find the correct expression in a reasonable amount of time. To address this issue, Neural Symbolic Regression (NSR) algorithms have been developed that can quickly identify patterns in the data and generate analytical expressions. However, these methods, in their current form, lack the capability to incorporate user-defined prior knowledge, which is often required in natural sciences and engineering fields. To overcome this limitation, we propose a novel neural symbolic regression method, named Neural Symbolic Regression with Hypothesis (NSRwH) that enables the explicit incorporation of assumptions about the expected structure of the ground-truth expression into the prediction process. Our experiments demonstrate that the proposed conditioned deep learning model outperforms its unconditioned counterparts in terms of accuracy while also providing control over the predicted expression structure.

Published
2023

35. The Southern Center for Maternal Health Equity (SCMHE): a multisector multifaceted community-based approach to reduce disparities in maternal morbidity and mortality in the Gulf South

Author

Melissa Goldin Evans, Maeve Wallace, Alessandra N. Bazzano, Joseph R. Biggio, Kiara Cruz, Abigail Gamble, Carmen Green, Zainab Jah, Sherri Longo, Susan Perez, Rachael N. Reed, Jeffrey G. Shaffer, Lizheng Shi, and Emily Harville

Subjects
maternal health disparities, inequities and inequalities in health, community engaged intervention, community partnered, multilevel intervention, reproductive justice (RJ), Public aspects of medicine, RA1-1270
Abstract

IntroductionThe maternal mortality crisis in the United States disproportionately affects women who are Black, especially those living in the Gulf South. These disparities result from a confluence of healthcare, policy, and social factors that systematically place Black women at greater risk of maternal morbidities and mortality. This study protocol describes the Southern Center for Maternal Health Equity (SCMHE), a research center funded by the National Institutes of Health in 2023 to reduce preventable causes of maternal morbidity and mortality while improving health equity. This is a seven year program with pilot and implementation phases. SCMHE is co-led by three organizations: Reproductive Health Impact (a fiscally sponsored project of the Praxis Project), an advocacy community-based organization; Tulane University, an academic research institute; and Ochsner Health, a large regional nonprofit health system.MethodsSCMHE applies a multilevel life course approach based on the Social Ecological Model to prevent maternal morbidity and mortality with interventions at individual, interpersonal, institutional, community, and societal levels. This community-focused research center uses an intersectional lens and the Reproductive Justice framework in its aims to improve maternal health and strengthen community-based maternal health research capacity in Louisiana and Mississippi.DiscussionTo advance the field of maternal health using participatory, community-centered, and radically equity-focused approaches previously underutilized and under-evaluated, the Center will lead three R01 projects to assess the implementation of existing evidence-based strategies and build the evidence base for translational research strategies.Ethics and disseminationBy leveraging our team's existing network with local, regional, and national partners while continuing to build new, unique interdisciplinary partnerships, we will build upon our distinctive interdisciplinary strengths and community connections to bring our outreach and technical assistance efforts to diverse audiences.

Published
2024
Full Text
View/download PDF

36. An SDE for Modeling SAM: Theory and Insights

Author

Compagnoni, Enea Monzio, Biggio, Luca, Orvieto, Antonio, Proske, Frank Norbert, Kersting, Hans, and Lucchi, Aurelien

Subjects
Computer Science - Machine Learning, Mathematics - Optimization and Control
Abstract

We study the SAM (Sharpness-Aware Minimization) optimizer which has recently attracted a lot of interest due to its increased performance over more classical variants of stochastic gradient descent. Our main contribution is the derivation of continuous-time models (in the form of SDEs) for SAM and two of its variants, both for the full-batch and mini-batch settings. We demonstrate that these SDEs are rigorous approximations of the real discrete-time algorithms (in a weak sense, scaling linearly with the learning rate). Using these models, we then offer an explanation of why SAM prefers flat minima over sharp ones~--~by showing that it minimizes an implicitly regularized loss with a Hessian-dependent noise structure. Finally, we prove that SAM is attracted to saddle points under some realistic conditions. Our theoretical results are supported by detailed experiments., Comment: Accepted at ICML 2023 (Poster)

Published
2023

37. A Survey on Reinforcement Learning Security with Application to Autonomous Driving

Author

Demontis, Ambra, Pintor, Maura, Demetrio, Luca, Grosse, Kathrin, Lin, Hsiao-Ying, Fang, Chengfang, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Machine Learning, Computer Science - Robotics
Abstract

Reinforcement learning allows machines to learn from their own experience. Nowadays, it is used in safety-critical applications, such as autonomous driving, despite being vulnerable to attacks carefully crafted to either prevent that the reinforcement learning algorithm learns an effective and reliable policy, or to induce the trained agent to make a wrong decision. The literature about the security of reinforcement learning is rapidly growing, and some surveys have been proposed to shed light on this field. However, their categorizations are insufficient for choosing an appropriate defense given the kind of system at hand. In our survey, we do not only overcome this limitation by considering a different perspective, but we also discuss the applicability of state-of-the-art attacks and defenses when reinforcement learning algorithms are used in the context of autonomous driving.

Published
2022

38. Cosmology from Galaxy Redshift Surveys with PointNet

Author

Anagnostidis, Sotiris, Thomsen, Arne, Kacprzak, Tomasz, Tröster, Tilman, Biggio, Luca, Refregier, Alexandre, and Hofmann, Thomas

Subjects
Astrophysics - Cosmology and Nongalactic Astrophysics, Computer Science - Machine Learning
Abstract

In recent years, deep learning approaches have achieved state-of-the-art results in the analysis of point cloud data. In cosmology, galaxy redshift surveys resemble such a permutation invariant collection of positions in space. These surveys have so far mostly been analysed with two-point statistics, such as power spectra and correlation functions. The usage of these summary statistics is best justified on large scales, where the density field is linear and Gaussian. However, in light of the increased precision expected from upcoming surveys, the analysis of -- intrinsically non-Gaussian -- small angular separations represents an appealing avenue to better constrain cosmological parameters. In this work, we aim to improve upon two-point statistics by employing a \textit{PointNet}-like neural network to regress the values of the cosmological parameters directly from point cloud data. Our implementation of PointNets can analyse inputs of $\mathcal{O}(10^4) - \mathcal{O}(10^5)$ galaxies at a time, which improves upon earlier work for this application by roughly two orders of magnitude. Additionally, we demonstrate the ability to analyse galaxy redshift survey data on the lightcone, as opposed to previously static simulation boxes at a given fixed redshift.

Published
2022

39. Stateful Detection of Adversarial Reprogramming

Author

Zheng, Yang, Feng, Xiaoyi, Xia, Zhaoqiang, Jiang, Xiaoyue, Pintor, Maura, Demontis, Ambra, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Computer Science and Game Theory
Abstract

Adversarial reprogramming allows stealing computational resources by repurposing machine learning models to perform a different task chosen by the attacker. For example, a model trained to recognize images of animals can be reprogrammed to recognize medical images by embedding an adversarial program in the images provided as inputs. This attack can be perpetrated even if the target model is a black box, supposed that the machine-learning model is provided as a service and the attacker can query the model and collect its outputs. So far, no defense has been demonstrated effective in this scenario. We show for the first time that this attack is detectable using stateful defenses, which store the queries made to the classifier and detect the abnormal cases in which they are similar. Once a malicious query is detected, the account of the user who made it can be blocked. Thus, the attacker must create many accounts to perpetrate the attack. To decrease this number, the attacker could create the adversarial program against a surrogate classifier and then fine-tune it by making few queries to the target model. In this scenario, the effectiveness of the stateful defense is reduced, but we show that it is still effective.

Published
2022

40. Modeling lens potentials with continuous neural fields in galaxy-scale strong lenses

Author

Biggio, Luca, Vernardos, Georgios, Galan, Aymeric, and Peel, Austin

Subjects
Astrophysics - Instrumentation and Methods for Astrophysics, Astrophysics - Cosmology and Nongalactic Astrophysics
Abstract

Strong gravitational lensing is a unique observational tool for studying the dark and luminous mass distribution both within and between galaxies. Given the presence of substructures, current strong lensing observations demand more complex mass models than smooth analytical profiles, such as power-law ellipsoids. In this work, we introduce a continuous neural field to predict the lensing potential at any position throughout the image plane, allowing for a nearly model-independent description of the lensing mass. We apply our method on simulated Hubble Space Telescope imaging data containing different types of perturbations to a smooth mass distribution: a localized dark subhalo, a population of subhalos, and an external shear perturbation. Assuming knowledge of the source surface brightness, we use the continuous neural field to model either the perturbations alone or the full lensing potential. In both cases, the resulting model is able to fit the imaging data, and we are able to accurately recover the properties of both the smooth potential and of the perturbations. Unlike many other deep learning methods, ours explicitly retains lensing physics (i.e., the lens equation) and introduces high flexibility in the model only where required, namely, in the lens potential. Moreover, the neural network does not require pre-training on large sets of labelled data and predicts the potential from the single observed lensing image. Our model is implemented in the fully differentiable lens modeling code Herculens.

Published
2022
Full Text
View/download PDF

41. Explaining Machine Learning DGA Detectors from DNS Traffic Data

Author

Piras, Giorgio, Pintor, Maura, Demetrio, Luca, and Biggio, Battista

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

One of the most common causes of lack of continuity of online systems stems from a widely popular Cyber Attack known as Distributed Denial of Service (DDoS), in which a network of infected devices (botnet) gets exploited to flood the computational capacity of services through the commands of an attacker. This attack is made by leveraging the Domain Name System (DNS) technology through Domain Generation Algorithms (DGAs), a stealthy connection strategy that yet leaves suspicious data patterns. To detect such threats, advances in their analysis have been made. For the majority, they found Machine Learning (ML) as a solution, which can be highly effective in analyzing and classifying massive amounts of data. Although strongly performing, ML models have a certain degree of obscurity in their decision-making process. To cope with this problem, a branch of ML known as Explainable ML tries to break down the black-box nature of classifiers and make them interpretable and human-readable. This work addresses the problem of Explainable ML in the context of botnet and DGA detection, which at the best of our knowledge, is the first to concretely break down the decisions of ML classifiers when devised for botnet/DGA detection, therefore providing global and local explanations.

Published
2022

42. Robust Machine Learning for Malware Detection over Time

Author

Angioni, Daniele, Demetrio, Luca, Pintor, Maura, and Biggio, Battista

Subjects
Computer Science - Cryptography and Security
Abstract

The presence and persistence of Android malware is an on-going threat that plagues this information era, and machine learning technologies are now extensively used to deploy more effective detectors that can block the majority of these malicious programs. However, these algorithms have not been developed to pursue the natural evolution of malware, and their performances significantly degrade over time because of such concept-drift. Currently, state-of-the-art techniques only focus on detecting the presence of such drift, or they address it by relying on frequent updates of models. Hence, there is a lack of knowledge regarding the cause of the concept drift, and ad-hoc solutions that can counter the passing of time are still under-investigated. In this work, we commence to address these issues as we propose (i) a drift-analysis framework to identify which characteristics of data are causing the drift, and (ii) SVM-CB, a time-aware classifier that leverages the drift-analysis information to slow down the performance drop. We highlight the efficacy of our contribution by comparing its degradation over time with a state-of-the-art classifier, and we show that SVM-CB better withstands the distribution changes that naturally characterize the malware domain. We conclude by discussing the limitations of our approach and how our contribution can be taken as a first step towards more time-resistant classifiers that not only tackle, but also understand the concept drift that affects data.

Published
2022

44. Reduction of peripersonal comfort space correlate with eating disorder symptoms in young adolescents: a network analysis approach

Author

Beatriz Pereira Da Silva, Andrea Escelsior, Monica Biggio, Alessio Zizzi, Martino Belvederi Murri, Riccardo Guglielmo, Alberto Inuggi, Federico Delfante, Giacomo Marenco, Mario Amore, and Gianluca Serafini

Subjects
peripersonal space, network analysis, adolescents, psychopathology, eating disorders, Psychology, BF1-990
Abstract

BackgroundPeripersonal Space (PS) is represented as the immediate area surrounding an individual. The extent of PS changes in relation to several factors, including emotional states, type of relationship or psychopathology. Attachment anxiety has an impact on the social adaptability of peripersonal space and anxiety and fear are associated with an expansion of peripersonal space, possibly serving as a mechanism of self-protection. Peripersonal space appears to be intricately linked to various psychiatric conditions like anxiety disorders and converging evidence suggests that social maladjustment may predict or exacerbate eating disorder symptoms expression.MethodsFifty-eight healthy adolescents (38F, 20M) performed a comfort distance estimation task to assess peripersonal space. The Adolescent/Adult Sensory Profile (AASP) was used to assess sensory profiles and the SAFA protocol to investigate psychopathological aspects. Data was analysed using Network Analysis, estimating a Gaussian Graphical Models with a Bayesian approach.ResultsWe found that the task related to comfort estimation distance demonstrated a correlation with the visual scale of the Adolescent/Adult Sensory Profile (AASP). Additionally, a correlation was observed with the Eating Disorder scale of the SAFA protocol. The touch scale also was negatively correlated with Eating disorder symptoms but not with the comfort estimation task.ConclusionOur results demonstrate a relation between peripersonal space and eating disorder symptoms in healthy adolescents in line with previous findings in adults with eating disorders diagnosis. These findings suggest that socio-emotional difficulties may be possible precursors or reinforce for the development of an eating disorder symptoms.

Published
2024
Full Text
View/download PDF

45. Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware

Author

Demetrio, Luca, Biggio, Battista, and Roli, Fabio

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

While machine learning is vulnerable to adversarial examples, it still lacks systematic procedures and tools for evaluating its security in different application contexts. In this article, we discuss how to develop automated and scalable security evaluations of machine learning using practical attacks, reporting a use case on Windows malware detection.

Published
2022
Full Text
View/download PDF

46. Machine Learning Security in Industry: A Quantitative Survey

Author

Grosse, Kathrin, Bieringer, Lukas, Besold, Tarek Richard, Biggio, Battista, and Krombholz, Katharina

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Computers and Society
Abstract

Despite the large body of academic work on machine learning security, little is known about the occurrence of attacks on machine learning systems in the wild. In this paper, we report on a quantitative study with 139 industrial practitioners. We analyze attack occurrence and concern and evaluate statistical hypotheses on factors influencing threat perception and exposure. Our results shed light on real-world attacks on deployed machine learning. On the organizational level, while we find no predictors for threat exposure in our sample, the amount of implement defenses depends on exposure to threats or expected likelihood to become a target. We also provide a detailed analysis of practitioners' replies on the relevance of individual machine learning attacks, unveiling complex concerns like unreliable decision making, business information leakage, and bias introduction into models. Finally, we find that on the individual level, prior knowledge about machine learning security influences threat perception. Our work paves the way for more research about adversarial machine learning in practice, but yields also insights for regulation and auditing., Comment: Accepted at TIFS, version with more detailed appendix containing more detailed statistical results. 17 pages, 6 tables and 4 figures

Published
2022
Full Text
View/download PDF

47. Fast emulation of two-point angular statistics for photometric galaxy surveys

Author

Bonici, Marco, Biggio, Luca, Carbone, Carmelita, and Guzzo, Luigi

Subjects
Astrophysics - Cosmology and Nongalactic Astrophysics
Abstract

We develop a set of machine-learning based cosmological emulators, to obtain fast model predictions for the $C(\ell)$ angular power spectrum coefficients characterising tomographic observations of galaxy clustering and weak gravitational lensing from multi-band photometric surveys (and their cross-correlation). A set of neural networks are trained to map cosmological parameters into the coefficients, achieving a speed-up $\mathcal{O}(10^3)$ in computing the required statistics for a given set of cosmological parameters, with respect to standard Boltzmann solvers, with an accuracy better than $0.175\%$ ($<0.1\%$ for the weak lensing case). This corresponds to $\sim 2\%$ or less of the statistical error bars expected from a typical Stage IV photometric surveys. Such overall improvement in speed and accuracy is obtained through ($\textit{i}$) a specific pre-processing optimisation, ahead of the training phase, and ($\textit{ii}$) a more effective neural network architecture, compared to previous implementations.

Published
2022

48. Signal Propagation in Transformers: Theoretical Perspectives and the Role of Rank Collapse

Author

Noci, Lorenzo, Anagnostidis, Sotiris, Biggio, Luca, Orvieto, Antonio, Singh, Sidak Pal, and Lucchi, Aurelien

Subjects
Computer Science - Machine Learning
Abstract

Transformers have achieved remarkable success in several domains, ranging from natural language processing to computer vision. Nevertheless, it has been recently shown that stacking self-attention layers - the distinctive architectural component of Transformers - can result in rank collapse of the tokens' representations at initialization. The question of if and how rank collapse affects training is still largely unanswered, and its investigation is necessary for a more comprehensive understanding of this architecture. In this work, we shed new light on the causes and the effects of this phenomenon. First, we show that rank collapse of the tokens' representations hinders training by causing the gradients of the queries and keys to vanish at initialization. Furthermore, we provide a thorough description of the origin of rank collapse and discuss how to prevent it via an appropriate depth-dependent scaling of the residual branches. Finally, our analysis unveils that specific architectural hyperparameters affect the gradients of queries and values differently, leading to disproportionate gradient norms. This suggests an explanation for the widespread use of adaptive methods for Transformers' optimization.

Published
2022

49. Dynaformer: A Deep Learning Model for Ageing-aware Battery Discharge Prediction

Author

Biggio, Luca, Bendinelli, Tommaso, Kulkarni, Chetan, and Fink, Olga

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence
Abstract

Electrochemical batteries are ubiquitous devices in our society. When they are employed in mission-critical applications, the ability to precisely predict the end of discharge under highly variable environmental and operating conditions is of paramount importance in order to support operational decision-making. While there are accurate predictive models of the processes underlying the charge and discharge phases of batteries, the modelling of ageing and its effect on performance remains poorly understood. Such a lack of understanding often leads to inaccurate models or the need for time-consuming calibration procedures whenever the battery ages or its conditions change significantly. This represents a major obstacle to the real-world deployment of efficient and robust battery management systems. In this paper, we propose for the first time an approach that can predict the voltage discharge curve for batteries of any degradation level without the need for calibration. In particular, we introduce Dynaformer, a novel Transformer-based deep learning architecture which is able to simultaneously infer the ageing state from a limited number of voltage/current samples and predict the full voltage discharge curve for real batteries with high precision. Our experiments show that the trained model is effective for input current profiles of different complexities and is robust to a wide range of degradation levels. In addition to evaluating the performance of the proposed framework on simulated data, we demonstrate that a minimal amount of fine-tuning allows the model to bridge the simulation-to-real gap between simulations and real data collected from a set of batteries. The proposed methodology enables the utilization of battery-powered systems until the end of discharge in a controlled and predictable way, thereby significantly prolonging the operating cycles and reducing costs.

Published
2022

50. Support Vector Machines under Adversarial Label Contamination

Author

Xiao, Huang, Biggio, Battista, Nelson, Blaine, Xiao, Han, Eckert, Claudia, and Roli, Fabio

Subjects
Computer Science - Machine Learning
Abstract

Machine learning algorithms are increasingly being applied in security-related tasks such as spam and malware detection, although their security properties against deliberate attacks have not yet been widely understood. Intelligent and adaptive attackers may indeed exploit specific vulnerabilities exposed by machine learning techniques to violate system security. Being robust to adversarial data manipulation is thus an important, additional requirement for machine learning algorithms to successfully operate in adversarial settings. In this work, we evaluate the security of Support Vector Machines (SVMs) to well-crafted, adversarial label noise attacks. In particular, we consider an attacker that aims to maximize the SVM's classification error by flipping a number of labels in the training data. We formalize a corresponding optimal attack strategy, and solve it by means of heuristic approaches to keep the computational complexity tractable. We report an extensive experimental analysis on the effectiveness of the considered attacks against linear and non-linear SVMs, both on synthetic and real-world datasets. We finally argue that our approach can also provide useful insights for developing more secure SVM learning algorithms, and also novel techniques in a number of related research areas, such as semi-supervised and active learning.

Published
2022
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results