Search

Your search keyword '"Yu, Chia-Mu"' showing total 175 results
Start Over Author "Yu, Chia-Mu"
175 results on '"Yu, Chia-Mu"'

1. Exploring Robustness of Visual State Space model against Backdoor Attacks

Author

Lee, Cheng-Yi, Tsai, Cheng-Chang, Yu, Chia-Mu, and Lu, Chun-Shien

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Visual State Space Model (VSS) has demonstrated remarkable performance in various computer vision tasks. However, in the process of development, backdoor attacks have brought severe challenges to security. Such attacks cause an infected model to predict target labels when a specific trigger is activated, while the model behaves normally on benign samples. In this paper, we conduct systematic experiments to comprehend on robustness of VSS through the lens of backdoor attacks, specifically how the state space model (SSM) mechanism affects robustness. We first investigate the vulnerability of VSS to different backdoor triggers and reveal that the SSM mechanism, which captures contextual information within patches, makes the VSS model more susceptible to backdoor triggers compared to models without SSM. Furthermore, we analyze the sensitivity of the VSS model to patch processing techniques and discover that these triggers are effectively disrupted. Based on these observations, we consider an effective backdoor for the VSS model that recurs in each patch to resist patch perturbations. Extensive experiments across three datasets and various backdoor attacks reveal that the VSS model performs comparably to Transformers (ViTs) but is less robust than the Gated CNNs, which comprise only stacked Gated CNN blocks without SSM., Comment: 11 pages, 9 figures, minor revise, under review

Published
2024

2. Defending Against Repetitive-based Backdoor Attacks on Semi-supervised Learning through Lens of Rate-Distortion-Perception Trade-off

Author

Lee, Cheng-Yi, Kao, Ching-Chia, Yeh, Cheng-Han, Lu, Chun-Shien, Yu, Chia-Mu, and Chen, Chu-Song

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Semi-supervised learning (SSL) has achieved remarkable performance with a small fraction of labeled data by leveraging vast amounts of unlabeled data from the Internet. However, this large pool of untrusted data is extremely vulnerable to data poisoning, leading to potential backdoor attacks. Current backdoor defenses are not yet effective against such a vulnerability in SSL. In this study, we propose a novel method, Unlabeled Data Purification (UPure), to disrupt the association between trigger patterns and target classes by introducing perturbations in the frequency domain. By leveraging the Rate- Distortion-Perception (RDP) trade-off, we further identify the frequency band, where the perturbations are added, and justify this selection. Notably, UPure purifies poisoned unlabeled data without the need of extra clean labeled data. Extensive experiments on four benchmark datasets and five SSL algorithms demonstrate that UPure effectively reduces the attack success rate from 99.78% to 0% while maintaining model accuracy, Comment: under review

Published
2024

3. Differentially Private Fine-Tuning of Diffusion Models

Author

Tsai, Yu-Lin, Li, Yizhe, Chen, Zekai, Chen, Po-Yu, Yu, Chia-Mu, Ren, Xuebin, and Buet-Golfouse, Francois

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security
Abstract

The integration of Differential Privacy (DP) with diffusion models (DMs) presents a promising yet challenging frontier, particularly due to the substantial memorization capabilities of DMs that pose significant privacy risks. Differential privacy offers a rigorous framework for safeguarding individual data points during model training, with Differential Privacy Stochastic Gradient Descent (DP-SGD) being a prominent implementation. Diffusion method decomposes image generation into iterative steps, theoretically aligning well with DP's incremental noise addition. Despite the natural fit, the unique architecture of DMs necessitates tailored approaches to effectively balance privacy-utility trade-off. Recent developments in this field have highlighted the potential for generating high-quality synthetic data by pre-training on public data (i.e., ImageNet) and fine-tuning on private data, however, there is a pronounced gap in research on optimizing the trade-offs involved in DP settings, particularly concerning parameter efficiency and model scalability. Our work addresses this by proposing a parameter-efficient fine-tuning strategy optimized for private diffusion models, which minimizes the number of trainable parameters to enhance the privacy-utility trade-off. We empirically demonstrate that our method achieves state-of-the-art performance in DP synthesis, significantly surpassing previous benchmarks on widely studied datasets (e.g., with only 0.47M trainable parameters, achieving a more than 35% improvement over the previous state-of-the-art with a small privacy budget on the CelebA-64 dataset). Anonymous codes available at https://anonymous.4open.science/r/DP-LORA-F02F., Comment: 16 pages, 5 figures, 11 tables

Published
2024

4. Safe LoRA: the Silver Lining of Reducing Safety Risks when Fine-tuning Large Language Models

Author

Hsu, Chia-Yi, Tsai, Yu-Lin, Lin, Chih-Hsun, Chen, Pin-Yu, Yu, Chia-Mu, and Huang, Chun-Ying

Subjects
Computer Science - Machine Learning
Abstract

While large language models (LLMs) such as Llama-2 or GPT-4 have shown impressive zero-shot performance, fine-tuning is still necessary to enhance their performance for customized datasets, domain-specific tasks, or other private needs. However, fine-tuning all parameters of LLMs requires significant hardware resources, which can be impractical for typical users. Therefore, parameter-efficient fine-tuning such as LoRA have emerged, allowing users to fine-tune LLMs without the need for considerable computing resources, with little performance degradation compared to fine-tuning all parameters. Unfortunately, recent studies indicate that fine-tuning can increase the risk to the safety of LLMs, even when data does not contain malicious content. To address this challenge, we propose Safe LoRA, a simple one-liner patch to the original LoRA implementation by introducing the projection of LoRA weights from selected layers to the safety-aligned subspace, effectively reducing the safety risks in LLM fine-tuning while maintaining utility. It is worth noting that Safe LoRA is a training-free and data-free approach, as it only requires the knowledge of the weights from the base and aligned LLMs. Our extensive experiments demonstrate that when fine-tuning on purely malicious data, Safe LoRA retains similar safety performance as the original aligned model. Moreover, when the fine-tuning dataset contains a mixture of both benign and malicious data, Safe LoRA mitigates the negative effect made by malicious data while preserving performance on downstream tasks.

Published
2024

5. DiffuseKronA: A Parameter Efficient Fine-tuning Method for Personalized Diffusion Models

Author

Marjit, Shyam, Singh, Harshit, Mathur, Nityanand, Paul, Sayak, Yu, Chia-Mu, and Chen, Pin-Yu

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

In the realm of subject-driven text-to-image (T2I) generative models, recent developments like DreamBooth and BLIP-Diffusion have led to impressive results yet encounter limitations due to their intensive fine-tuning demands and substantial parameter requirements. While the low-rank adaptation (LoRA) module within DreamBooth offers a reduction in trainable parameters, it introduces a pronounced sensitivity to hyperparameters, leading to a compromise between parameter efficiency and the quality of T2I personalized image synthesis. Addressing these constraints, we introduce \textbf{\textit{DiffuseKronA}}, a novel Kronecker product-based adaptation module that not only significantly reduces the parameter count by 35\% and 99.947\% compared to LoRA-DreamBooth and the original DreamBooth, respectively, but also enhances the quality of image synthesis. Crucially, \textit{DiffuseKronA} mitigates the issue of hyperparameter sensitivity, delivering consistent high-quality generations across a wide range of hyperparameters, thereby diminishing the necessity for extensive fine-tuning. Furthermore, a more controllable decomposition makes \textit{DiffuseKronA} more interpretable and even can achieve up to a 50\% reduction with results comparable to LoRA-Dreambooth. Evaluated against diverse and complex input images and text prompts, \textit{DiffuseKronA} consistently outperforms existing models, producing diverse images of higher quality with improved fidelity and a more accurate color distribution of objects, all the while upholding exceptional parameter efficiency, thus presenting a substantial advancement in the field of T2I generative modeling. Our project page, consisting of links to the code, and pre-trained checkpoints, is available at https://diffusekrona.github.io/., Comment: Project Page: https://diffusekrona.github.io/

Published
2024

6. Ring-A-Bell! How Reliable are Concept Removal Methods for Diffusion Models?

Author

Tsai, Yu-Lin, Hsu, Chia-Yi, Xie, Chulin, Lin, Chih-Hsun, Chen, Jia-You, Li, Bo, Chen, Pin-Yu, Yu, Chia-Mu, and Huang, Chun-Ying

Subjects
Computer Science - Machine Learning
Abstract

Diffusion models for text-to-image (T2I) synthesis, such as Stable Diffusion (SD), have recently demonstrated exceptional capabilities for generating high-quality content. However, this progress has raised several concerns of potential misuse, particularly in creating copyrighted, prohibited, and restricted content, or NSFW (not safe for work) images. While efforts have been made to mitigate such problems, either by implementing a safety filter at the evaluation stage or by fine-tuning models to eliminate undesirable concepts or styles, the effectiveness of these safety measures in dealing with a wide range of prompts remains largely unexplored. In this work, we aim to investigate these safety mechanisms by proposing one novel concept retrieval algorithm for evaluation. We introduce Ring-A-Bell, a model-agnostic red-teaming tool for T2I diffusion models, where the whole evaluation can be prepared in advance without prior knowledge of the target model. Specifically, Ring-A-Bell first performs concept extraction to obtain holistic representations for sensitive and inappropriate concepts. Subsequently, by leveraging the extracted concept, Ring-A-Bell automatically identifies problematic prompts for diffusion models with the corresponding generation of inappropriate content, allowing the user to assess the reliability of deployed safety mechanisms. Finally, we empirically validate our method by testing online services such as Midjourney and various methods of concept removal. Our results show that Ring-A-Bell, by manipulating safe prompting benchmarks, can transform prompts that were originally regarded as safe to evade existing safety mechanisms, thus revealing the defects of the so-called safety mechanisms which could practically lead to the generation of harmful contents. Our codes are available at https://github.com/chiayi-hsu/Ring-A-Bell., Comment: This paper has already been accepted by ICLR 2024. This version is the camera-ready version

Published
2023

7. Exploring the Benefits of Differentially Private Pre-training and Parameter-Efficient Fine-tuning for Table Transformers

Author

Wang, Xilong, Yu, Chia-Mu, and Chen, Pin-Yu

Subjects
Computer Science - Machine Learning, Computer Science - Cryptography and Security
Abstract

For machine learning with tabular data, Table Transformer (TabTransformer) is a state-of-the-art neural network model, while Differential Privacy (DP) is an essential component to ensure data privacy. In this paper, we explore the benefits of combining these two aspects together in the scenario of transfer learning -- differentially private pre-training and fine-tuning of TabTransformers with a variety of parameter-efficient fine-tuning (PEFT) methods, including Adapter, LoRA, and Prompt Tuning. Our extensive experiments on the ACSIncome dataset show that these PEFT methods outperform traditional approaches in terms of the accuracy of the downstream task and the number of trainable parameters, thus achieving an improved trade-off among parameter efficiency, privacy, and accuracy. Our code is available at github.com/IBM/DP-TabTransformer., Comment: submitted to ICASSP 2024

Published
2023

8. DPAF: Image Synthesis via Differentially Private Aggregation in Forward Phase

Author

Lin, Chih-Hsun, Hsu, Chia-Yi, Yu, Chia-Mu, Cao, Yang, and Huang, Chun-Ying

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Differentially private synthetic data is a promising alternative for sensitive data release. Many differentially private generative models have been proposed in the literature. Unfortunately, they all suffer from the low utility of the synthetic data, particularly for images of high resolutions. Here, we propose DPAF, an effective differentially private generative model for high-dimensional image synthesis. Different from the prior private stochastic gradient descent-based methods that add Gaussian noises in the backward phase during the model training, DPAF adds a differentially private feature aggregation in the forward phase, bringing advantages, including the reduction of information loss in gradient clipping and low sensitivity for the aggregation. Moreover, as an improper batch size has an adverse impact on the utility of synthetic data, DPAF also tackles the problem of setting a proper batch size by proposing a novel training strategy that asymmetrically trains different parts of the discriminator. We extensively evaluate different methods on multiple image datasets (up to images of 128x128 resolution) to demonstrate the performance of DPAF.

Published
2023

9. Exploring the Benefits of Visual Prompting in Differential Privacy

Author

Li, Yizhe, Tsai, Yu-Lin, Ren, Xuebin, Yu, Chia-Mu, and Chen, Pin-Yu

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Visual Prompting (VP) is an emerging and powerful technique that allows sample-efficient adaptation to downstream tasks by engineering a well-trained frozen source model. In this work, we explore the benefits of VP in constructing compelling neural network classifiers with differential privacy (DP). We explore and integrate VP into canonical DP training methods and demonstrate its simplicity and efficiency. In particular, we discover that VP in tandem with PATE, a state-of-the-art DP training method that leverages the knowledge transfer from an ensemble of teachers, achieves the state-of-the-art privacy-utility trade-off with minimum expenditure of privacy budget. Moreover, we conduct additional experiments on cross-domain image classification with a sufficient domain gap to further unveil the advantage of VP in DP. Lastly, we also conduct extensive ablation studies to validate the effectiveness and contribution of VP under DP consideration. Our code is available at (https://github.com/EzzzLi/Prompt-PATE)., Comment: Published at ICCV 2023

Published
2023

10. Certified Robustness of Quantum Classifiers against Adversarial Examples through Quantum Noise

Author

Huang, Jhih-Cing, Tsai, Yu-Lin, Yang, Chao-Han Huck, Su, Cheng-Fang, Yu, Chia-Mu, Chen, Pin-Yu, and Kuo, Sy-Yen

Subjects
Quantum Physics, Computer Science - Machine Learning, Computer Science - Neural and Evolutionary Computing, Electrical Engineering and Systems Science - Signal Processing
Abstract

Recently, quantum classifiers have been found to be vulnerable to adversarial attacks, in which quantum classifiers are deceived by imperceptible noises, leading to misclassification. In this paper, we propose the first theoretical study demonstrating that adding quantum random rotation noise can improve robustness in quantum classifiers against adversarial attacks. We link the definition of differential privacy and show that the quantum classifier trained with the natural presence of additive noise is differentially private. Finally, we derive a certified robustness bound to enable quantum classifiers to defend against adversarial examples, supported by experimental results simulated with noises from IBM's 7-qubits device., Comment: Accepted to IEEE ICASSP 2023

Published
2022

11. Meta Adversarial Perturbations

Author

Yuan, Chia-Hung, Chen, Pin-Yu, and Yu, Chia-Mu

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

A plethora of attack methods have been proposed to generate adversarial examples, among which the iterative methods have been demonstrated the ability to find a strong attack. However, the computation of an adversarial perturbation for a new data point requires solving a time-consuming optimization problem from scratch. To generate a stronger attack, it normally requires updating a data point with more iterations. In this paper, we show the existence of a meta adversarial perturbation (MAP), a better initialization that causes natural images to be misclassified with high probability after being updated through only a one-step gradient ascent update, and propose an algorithm for computing such perturbations. We conduct extensive experiments, and the empirical results demonstrate that state-of-the-art deep neural networks are vulnerable to meta perturbations. We further show that these perturbations are not only image-agnostic, but also model-agnostic, as a single perturbation generalizes well across unseen data points and different neural network architectures., Comment: Published in AAAI 2022 Workshop

Published
2021

12. CAFE: Catastrophic Data Leakage in Vertical Federated Learning

Author

Jin, Xiao, Chen, Pin-Yu, Hsu, Chia-Yi, Yu, Chia-Mu, and Chen, Tianyi

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence
Abstract

Recent studies show that private training data can be leaked through the gradients sharing mechanism deployed in distributed machine learning systems, such as federated learning (FL). Increasing batch size to complicate data recovery is often viewed as a promising defense strategy against data leakage. In this paper, we revisit this defense premise and propose an advanced data leakage attack with theoretical justification to efficiently recover batch data from the shared aggregated gradients. We name our proposed method as catastrophic data leakage in vertical federated learning (CAFE). Comparing to existing data leakage attacks, our extensive experimental results on vertical FL settings demonstrate the effectiveness of CAFE to perform large-batch data leakage attack with improved data recovery quality. We also propose a practical countermeasure to mitigate CAFE. Our results suggest that private data participated in standard FL, especially the vertical case, have a high risk of being leaked from the training gradients. Our analysis implies unprecedented and practical data leakage risks in those learning settings. The code of our work is available at https://github.com/DeRafael/CAFE.

Published
2021

13. Real-World Adversarial Examples involving Makeup Application

Author

Lin, Chang-Sheng, Hsu, Chia-Yi, Chen, Pin-Yu, and Yu, Chia-Mu

Subjects
Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Machine Learning
Abstract

Deep neural networks have developed rapidly and have achieved outstanding performance in several tasks, such as image classification and natural language processing. However, recent studies have indicated that both digital and physical adversarial examples can fool neural networks. Face-recognition systems are used in various applications that involve security threats from physical adversarial examples. Herein, we propose a physical adversarial attack with the use of full-face makeup. The presence of makeup on the human face is a reasonable possibility, which possibly increases the imperceptibility of attacks. In our attack framework, we combine the cycle-adversarial generative network (cycle-GAN) and a victimized classifier. The Cycle-GAN is used to generate adversarial makeup, and the architecture of the victimized classifier is VGG 16. Our experimental results show that our attack can effectively overcome manual errors in makeup application, such as color and position-related errors. We also demonstrate that the approaches used to train the models can influence physical attacks; the adversarial perturbations crafted from the pre-trained model are affected by the corresponding training data.

Published
2021

14. Perceptual Indistinguishability-Net (PI-Net): Facial Image Obfuscation with Manipulable Semantics

Author

Chen, Jia-Wei, Chen, Li-Ju, Yu, Chia-Mu, and Lu, Chun-Shien

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

With the growing use of camera devices, the industry has many image datasets that provide more opportunities for collaboration between the machine learning community and industry. However, the sensitive information in the datasets discourages data owners from releasing these datasets. Despite recent research devoted to removing sensitive information from images, they provide neither meaningful privacy-utility trade-off nor provable privacy guarantees. In this study, with the consideration of the perceptual similarity, we propose perceptual indistinguishability (PI) as a formal privacy notion particularly for images. We also propose PI-Net, a privacy-preserving mechanism that achieves image obfuscation with PI guarantee. Our study shows that PI-Net achieves significantly better privacy utility trade-off through public image data.

Published
2021

15. Genetic Algorithm-Based Fair Order Assignment Optimization of Food Delivery Platform

Author

Tsai, Min-Yan, Lin, Guo-Yu, Zeng, Jiang-Yi, Yu, Chia-Mu, Chen, Chi-Yuan, Cho, Hsin-Hung, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin, Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Chen, Yifan, editor, Yao, Dezhong, editor, and Nakano, Tadashi, editor

Published
2023
Full Text
View/download PDF

18. Formalizing Generalization and Robustness of Neural Networks to Weight Perturbations

Author

Tsai, Yu-Lin, Hsu, Chia-Yi, Yu, Chia-Mu, and Chen, Pin-Yu

Subjects
Computer Science - Machine Learning
Abstract

Studying the sensitivity of weight perturbation in neural networks and its impacts on model performance, including generalization and robustness, is an active research topic due to its implications on a wide range of machine learning tasks such as model compression, generalization gap assessment, and adversarial attacks. In this paper, we provide the first integral study and analysis for feed-forward neural networks in terms of the robustness in pairwise class margin and its generalization behavior under weight perturbation. We further design a new theory-driven loss function for training generalizable and robust neural networks against weight perturbations. Empirical experiments are conducted to validate our theoretical analysis. Our results offer fundamental insights for characterizing the generalization and robustness of neural networks against weight perturbations., Comment: This version has been accepted for poster presentation at NeurIPS 2021

Published
2021

19. Adversarial Examples can be Effective Data Augmentation for Unsupervised Machine Learning

Author

Hsu, Chia-Yi, Chen, Pin-Yu, Lu, Songtao, Liu, Sijia, and Yu, Chia-Mu

Subjects
Computer Science - Machine Learning, Computer Science - Computer Vision and Pattern Recognition
Abstract

Adversarial examples causing evasive predictions are widely used to evaluate and improve the robustness of machine learning models. However, current studies focus on supervised learning tasks, relying on the ground-truth data label, a targeted objective, or supervision from a trained classifier. In this paper, we propose a framework of generating adversarial examples for unsupervised models and demonstrate novel applications to data augmentation. Our framework exploits a mutual information neural estimator as an information-theoretic similarity measure to generate adversarial examples without supervision. We propose a new MinMax algorithm with provable convergence guarantees for efficient generation of unsupervised adversarial examples. Our framework can also be extended to supervised adversarial examples. When using unsupervised adversarial examples as a simple plug-in data augmentation tool for model retraining, significant improvements are consistently observed across different unsupervised tasks and datasets, including data reconstruction, representation learning, and contrastive learning. Our results show novel methods and considerable advantages in studying and improving unsupervised machine learning via adversarial examples., Comment: This version has been accepted by AAAI-22

Published
2021

20. Non-Singular Adversarial Robustness of Neural Networks

Author

Tsai, Yu-Lin, Hsu, Chia-Yi, Yu, Chia-Mu, and Chen, Pin-Yu

Subjects
Computer Science - Machine Learning
Abstract

Adversarial robustness has become an emerging challenge for neural network owing to its over-sensitivity to small input perturbations. While being critical, we argue that solving this singular issue alone fails to provide a comprehensive robustness assessment. Even worse, the conclusions drawn from singular robustness may give a false sense of overall model robustness. Specifically, our findings show that adversarially trained models that are robust to input perturbations are still (or even more) vulnerable to weight perturbations when compared to standard models. In this paper, we formalize the notion of non-singular adversarial robustness for neural networks through the lens of joint perturbations to data inputs as well as model weights. To our best knowledge, this study is the first work considering simultaneous input-weight adversarial perturbations. Based on a multi-layer feed-forward neural network model with ReLU activation functions and standard classification loss, we establish error analysis for quantifying the loss sensitivity subject to $\ell_\infty$-norm bounded perturbations on data inputs and model weights. Based on the error analysis, we propose novel regularization functions for robust training and demonstrate improved non-singular robustness against joint input-weight adversarial perturbations.

Published
2021

21. DPCrowd: Privacy-preserving and Communication-efficient Decentralized Statistical Estimation for Real-time Crowd-sourced Data

Author

Ren, Xuebin, Yu, Chia-Mu, Yu, Wei, Yang, Xinyu, Zhao, Jun, and Yang, Shusen

Subjects
Computer Science - Distributed, Parallel, and Cluster Computing
Abstract

In Internet of Things (IoT) driven smart-world systems, real-time crowd-sourced databases from multiple distributed servers can be aggregated to extract dynamic statistics from a larger population, thus providing more reliable knowledge for our society. Particularly, multiple distributed servers in a decentralized network can realize real-time collaborative statistical estimation by disseminating statistics from their separate databases. Despite no raw data sharing, the real-time statistics could still expose the data privacy of crowd-sourcing participants. For mitigating the privacy concern, while traditional differential privacy (DP) mechanism can be simply implemented to perturb the statistics in each timestamp and independently for each dimension, this may suffer a great utility loss from the real-time and multi-dimensional crowd-sourced data. Also, the real-time broadcasting would bring significant overheads in the whole network. To tackle the issues, we propose a novel privacy-preserving and communication-efficient decentralized statistical estimation algorithm (DPCrowd), which only requires intermittently sharing the DP protected parameters with one-hop neighbors by exploiting the temporal correlations in real-time crowd-sourced data. Then, with further consideration of spatial correlations, we develop an enhanced algorithm, DPCrowd+, to deal with multi-dimensional infinite crowd-data streams. Extensive experiments on several datasets demonstrate that our proposed schemes DPCrowd and DPCrowd+ can significantly outperform existing schemes in providing accurate and consensus estimation with rigorous privacy protection and great communication efficiency.

Published
2020
Full Text
View/download PDF

22. Privacy in Data Service Composition

Author

Barhamgi, Mahmoud, Perera, Charith, Yu, Chia-Mu, Benslimane, Djamal, Camacho, David, and Bonnet, Christine

Subjects
Computer Science - Databases, Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing
Abstract

In modern information systems different information features, about the same individual, are often collected and managed by autonomous data collection services that may have different privacy policies. Answering many end-users' legitimate queries requires the integration of data from multiple such services. However, data integration is often hindered by the lack of a trusted entity, often called a mediator, with which the services can share their data and delegate the enforcement of their privacy policies. In this paper, we propose a flexible privacy-preserving data integration approach for answering data integration queries without the need for a trusted mediator. In our approach, services are allowed to enforce their privacy policies locally. The mediator is considered to be untrusted, and only has access to encrypted information to allow it to link data subjects across the different services. Services, by virtue of a new privacy requirement, dubbed k-Protection, limiting privacy leaks, cannot infer information about the data held by each other. End-users, in turn, have access to privacy-sanitized data only. We evaluated our approach using an example and a real dataset from the healthcare application domain. The results are promising from both the privacy preservation and the performance perspectives.

Published
2020
Full Text
View/download PDF

23. Detecting Deepfake-Forged Contents with Separable Convolutional Neural Network and Image Segmentation

Author

Yu, Chia-Mu, Chang, Ching-Tang, and Ti, Yen-Wu

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Recent advances in AI technology have made the forgery of digital images and videos easier, and it has become significantly more difficult to identify such forgeries. These forgeries, if disseminated with malicious intent, can negatively impact social and political stability, and pose significant ethical and legal challenges as well. Deepfake is a variant of auto-encoders that use deep learning techniques to identify and exchange images of a person's face in a picture or film. Deepfake can result in an erosion of public trust in digital images and videos, which has far-reaching effects on political and social stability. This study therefore proposes a solution for facial forgery detection to determine if a picture or film has ever been processed by Deepfake. The proposed solution reaches detection efficiency by using the recently proposed separable convolutional neural network (CNN) and image segmentation. In addition, this study also examined how different image segmentation methods affect detection results. Finally, the ensemble model is used to improve detection capabilities. Experiment results demonstrated the excellent performance of the proposed solution.

Published
2019

26. Locally Differentially Private Minimum Finding

Author

Fukuchi, Kazuto, Yu, Chia-Mu, Haishima, Arashi, and Sakuma, Jun

Subjects
Mathematics - Statistics Theory, Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

We investigate a problem of finding the minimum, in which each user has a real value and we want to estimate the minimum of these values under the local differential privacy constraint. We reveal that this problem is fundamentally difficult, and we cannot construct a mechanism that is consistent in the worst case. Instead of considering the worst case, we aim to construct a private mechanism whose error rate is adaptive to the easiness of estimation of the minimum. As a measure of easiness, we introduce a parameter $\alpha$ that characterizes the fatness of the minimum-side tail of the user data distribution. As a result, we reveal that the mechanism can achieve $O((\ln^6N/\epsilon^2N)^{1/2\alpha})$ error without knowledge of $\alpha$ and the error rate is near-optimal in the sense that any mechanism incurs $\Omega((1/\epsilon^2N)^{1/2\alpha})$ error. Furthermore, we demonstrate that our mechanism outperforms a naive mechanism by empirical evaluations on synthetic datasets. Also, we conducted experiments on the MovieLens dataset and a purchase history dataset and demonstrate that our algorithm achieves $\tilde{O}((1/N)^{1/2\alpha})$ error adaptively to $\alpha$.

Published
2019

29. On The Utility of Conditional Generation Based Mutual Information for Characterizing Adversarial Subspaces

Author

Hsu, Chia-Yi, Lu, Pei-Hsuan, Chen, Pin-Yu, and Yu, Chia-Mu

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Recent studies have found that deep learning systems are vulnerable to adversarial examples; e.g., visually unrecognizable adversarial images can easily be crafted to result in misclassification. The robustness of neural networks has been studied extensively in the context of adversary detection, which compares a metric that exhibits strong discriminate power between natural and adversarial examples. In this paper, we propose to characterize the adversarial subspaces through the lens of mutual information (MI) approximated by conditional generation methods. We use MI as an information-theoretic metric to strengthen existing defenses and improve the performance of adversary detection. Experimental results on MagNet defense demonstrate that our proposed MI detector can strengthen its robustness against powerful adversarial attacks., Comment: Accepted to IEEE GlobalSIP 2018

Published
2018

30. On the Limitation of MagNet Defense against $L_1$-based Adversarial Examples

Author

Lu, Pei-Hsuan, Chen, Pin-Yu, Chen, Kang-Cheng, and Yu, Chia-Mu

Subjects
Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Learning, Statistics - Machine Learning
Abstract

In recent years, defending adversarial perturbations to natural examples in order to build robust machine learning models trained by deep neural networks (DNNs) has become an emerging research field in the conjunction of deep learning and security. In particular, MagNet consisting of an adversary detector and a data reformer is by far one of the strongest defenses in the black-box oblivious attack setting, where the attacker aims to craft transferable adversarial examples from an undefended DNN model to bypass an unknown defense module deployed on the same DNN model. Under this setting, MagNet can successfully defend a variety of attacks in DNNs, including the high-confidence adversarial examples generated by the Carlini and Wagner's attack based on the $L_2$ distortion metric. However, in this paper, under the same attack setting we show that adversarial examples crafted based on the $L_1$ distortion metric can easily bypass MagNet and mislead the target DNN image classifiers on MNIST and CIFAR-10. We also provide explanations on why the considered approach can yield adversarial examples with superior attack performance and conduct extensive experiments on variants of MagNet to verify its lack of robustness to $L_1$ distortion based attacks. Notably, our results substantially weaken the assumption of effective threat models on MagNet that require knowing the deployed defense technique when attacking DNNs (i.e., the gray-box attack setting)., Comment: Accepted to IEEE/IFIP International Conference on Dependable and Systems and Networks (DSN) 2018 Workshop on Dependable and Secure Machine Learning

Published
2018

31. On the Limitation of Local Intrinsic Dimensionality for Characterizing the Subspaces of Adversarial Examples

Author

Lu, Pei-Hsuan, Chen, Pin-Yu, and Yu, Chia-Mu

Subjects
Computer Science - Learning, Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition, Statistics - Machine Learning
Abstract

Understanding and characterizing the subspaces of adversarial examples aid in studying the robustness of deep neural networks (DNNs) to adversarial perturbations. Very recently, Ma et al. (ICLR 2018) proposed to use local intrinsic dimensionality (LID) in layer-wise hidden representations of DNNs to study adversarial subspaces. It was demonstrated that LID can be used to characterize the adversarial subspaces associated with different attack methods, e.g., the Carlini and Wagner's (C&W) attack and the fast gradient sign attack. In this paper, we use MNIST and CIFAR-10 to conduct two new sets of experiments that are absent in existing LID analysis and report the limitation of LID in characterizing the corresponding adversarial subspaces, which are (i) oblivious attacks and LID analysis using adversarial examples with different confidence levels; and (ii) black-box transfer attacks. For (i), we find that the performance of LID is very sensitive to the confidence parameter deployed by an attack, and the LID learned from ensembles of adversarial examples with varying confidence levels surprisingly gives poor performance. For (ii), we find that when adversarial examples are crafted from another DNN model, LID is ineffective in characterizing their adversarial subspaces. These two findings together suggest the limited capability of LID in characterizing the subspaces of adversarial examples., Comment: Accepted to ICLR 2018 Worshop

Published
2018

32. Data-Driven and Deep Learning Methodology for Deceptive Advertising and Phone Scams Detection

Author

Huang, TonTon Hsien-De, Yu, Chia-Mu, and Kao, Hung-Yu

Subjects
Computer Science - Cryptography and Security, Computer Science - Computers and Society
Abstract

The advance of smartphones and cellular networks boosts the need of mobile advertising and targeted marketing. However, it also triggers the unseen security threats. We found that the phone scams with fake calling numbers of very short lifetime are increasingly popular and have been used to trick the users. The harm is worldwide. On the other hand, deceptive advertising (deceptive ads), the fake ads that tricks users to install unnecessary apps via either alluring or daunting texts and pictures, is an emerging threat that seriously harms the reputation of the advertiser. To counter against these two new threats, the conventional blacklist (or whitelist) approach and the machine learning approach with predefined features have been proven useless. Nevertheless, due to the success of deep learning in developing the highly intelligent program, our system can efficiently and effectively detect phone scams and deceptive ads by taking advantage of our unified framework on deep neural network (DNN) and convolutional neural network (CNN). The proposed system has been deployed for operational use and the experimental results proved the effectiveness of our proposed system. Furthermore, we keep our research results and release experiment material on http://DeceptiveAds.TWMAN.ORG and http://PhoneScams.TWMAN.ORG if there is any update., Comment: 6 pages, TAAI 2017 version

Published
2017

33. Robust Estimation Method against Poisoning Attacks for Key-Value Data with Local Differential Privacy.

Author

Horigome, Hikaru, Kikuchi, Hiroaki, Fujita, Masahiro, and Yu, Chia-Mu

Subjects
STATISTICAL accuracy, STATISTICS, STATISTICAL sampling, ACCURACY of information, POISONING
Abstract

Local differential privacy (LDP) protects user information from potential threats by randomizing data on individual devices before transmission to untrusted collectors. This method enables collectors to derive user statistics by analyzing randomized data, thereby presenting a promising avenue for privacy-preserving data collection. In the context of key–value data, in which discrete and continuous values coexist, PrivKV has been introduced as an LDP protocol to ensure secure collection. However, this framework is susceptible to poisoning attacks. To address this vulnerability, we propose an expectation maximization (EM)-based algorithm combined with a cryptographic protocol to facilitate secure random sampling. Our LDP protocol, known as emPrivKV, exhibits two key advantages: it improves the accuracy of statistical information estimation from randomized data, and enhances resilience against the manipulation of statistics, that is, poisoning attacks. These attacks involve malicious users manipulating the analysis results without detection. This study presents the empirical results of applying the emPrivKV protocol to both synthetic and open datasets, highlighting a notable improvement in the precision of statistical value estimation and robustness against poisoning attacks. As a result, emPrivKV improved the frequency and the mean gains by 17.1 % and 25.9 % , respectively, compared to PrivKV, with the number of fake users being 0.1 of the genuine users. Our findings contribute to the ongoing discourse on refining LDP protocols for key–value data in scenarios involving privacy-sensitive information. [ABSTRACT FROM AUTHOR]

Published
2024
Full Text
View/download PDF

34. LoPub: High-Dimensional Crowdsourced Data Publication with Local Differential Privacy

Author

Ren, Xuebin, Yu, Chia-Mu, Yu, Weiren, Yang, Shusen, Yang, Xinyu, McCann, Julie A., and Yu, Philip S.

Subjects
Computer Science - Cryptography and Security
Abstract

High-dimensional crowdsourced data collected from a large number of users produces rich knowledge for our society. However, it also brings unprecedented privacy threats to participants. Local privacy, a variant of differential privacy, is proposed as a means to eliminate the privacy concern. Unfortunately, achieving local privacy on high-dimensional crowdsourced data raises great challenges on both efficiency and effectiveness. Here, based on EM and Lasso regression, we propose efficient multi-dimensional joint distribution estimation algorithms with local privacy. Then, we develop a Locally privacy-preserving high-dimensional data Publication algorithm, LoPub, by taking advantage of our distribution estimation techniques. In particular, both correlations and joint distribution among multiple attributes can be identified to reduce the dimension of crowdsourced data, thus achieving both efficiency and effectiveness in locally private high-dimensional data publication. Extensive experiments on real-world datasets demonstrated that the efficiency of our multivariate distribution estimation scheme and confirm the effectiveness of our LoPub scheme in generating approximate datasets with local privacy.

Published
2016
Full Text
View/download PDF

35. On the Privacy Risks of Compromised Trigger-Action Platforms

Author

Chiang, Yu-Hsi, Hsiao, Hsu-Chun, Yu, Chia-Mu, Kim, Tiffany Hyun-Jin, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Chen, Liqun, editor, Li, Ninghui, editor, Liang, Kaitai, editor, and Schneider, Steve, editor

Published
2020
Full Text
View/download PDF

37. Differentially Private Event Sequences over Infinite Streams with Relaxed Privacy Guarantee

Author

Ren, Xuebin, Wang, Shuyang, Yao, Xianghua, Yu, Chia-Mu, Yu, Wei, Yang, Xinyu, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Biagioni, Edoardo S., editor, Zheng, Yao, editor, and Cheng, Siyao, editor

Published
2019
Full Text
View/download PDF

38. Reducing Reconciliation Communication Cost with Compressed Sensing

Author

Kung, H. T. and Yu, Chia-Mu

Subjects
Computer Science - Information Theory, Computer Science - Distributed, Parallel, and Cluster Computing
Abstract

We consider a reconciliation problem, where two hosts wish to synchronize their respective sets. Efficient solutions for minimizing the communication cost between the two hosts have been previously proposed in the literature. However, they rely on prior knowledge about the size of the set differences between the two sets to be reconciled. In this paper, we propose a method which can achieve comparable efficiency without assuming this prior knowledge. Our method uses compressive sensing techniques which can leverage the expected sparsity in set differences. We study the performance of the method via theoretical analysis and numerical simulations., Comment: 4 pages, 2 figures

Published
2012

39. Secure Multidimensional Queries in Tiered Sensor Networks

Author

Yu, Chia-Mu, Lu, Chun-Shien, and Kuo, Sy-Yen

Subjects
Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, Computer Science - Data Structures and Algorithms
Abstract

In this paper, aiming at securing range query, top-k query, and skyline query in tiered sensor networks, we propose the Secure Range Query (SRQ), Secure Top-$k$ Query (STQ), and Secure Skyline Query (SSQ) schemes, respectively. In particular, SRQ, by using our proposed \emph{prime aggregation} technique, has the lowest communication overhead among prior works, while STQ and SSQ, to our knowledge, are the first proposals in tiered sensor networks for securing top-$k$ and skyline queries, respectively. Moreover, the relatively unexplored issue of the security impact of sensor node compromises on multidimensional queries is studied; two attacks incurred from the sensor node compromises, \emph{collusion attack} and \emph{false-incrimination attack}, are investigated in this paper. After developing a novel technique called \emph{subtree sampling}, we also explore methods of efficiently mitigating the threat of sensor node compromises. Performance analyses regarding the probability for detecting incomplete query-results and communication cost of the proposed schemes are also studied.

Published
2009

40. Constrained Function Based En-Route Filtering for Sensor Networks

Author

Yu, Chia-Mu, Lu, Chun-Shien, and Kuo, Sy-Yen

Subjects
Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, Computer Science - Data Structures and Algorithms
Abstract

Sensor networks are vulnerable to \emph{false data injection attack} and \emph{path-based DoS} (PDoS) attack. While conventional authentication schemes are insufficient for solving these security conflicts, an \emph{en-route filtering} scheme acts as a defense against these two attacks. To construct an efficient en-route filtering scheme, this paper first presents a Constrained Function based message Authentication (CFA) scheme, which can be thought of as a hash function directly supporting the en-route filtering functionality. Together with the \emph{redundancy property} of sensor networks, which means that an event can be simultaneously observed by multiple sensor nodes, the devised CFA scheme is used to construct a CFA-based en-route filtering (CFAEF) scheme. In contrast to most of the existing methods, which rely on complicated security associations among sensor nodes, our design, which directly exploits an en-route filtering hash function, appears to be novel. We examine the CFA and CFAEF schemes from both the theoretical and numerical aspects to demonstrate their efficiency and effectiveness., Comment: 26 pages, single column, extension from a preliminary version appeared in IEEE WCNC 2009

Published
2009

46. Effective Adversarial Examples Identification of Credit Card Transactions

Author

Tsai, Min-Yan, Cho, Hsin-Hung, Yu, Chia-Mu, Chang, Yao-Chung, and Chao, Han-Chieh

Abstract

Credit cards are currently a prevalent method of transactions. However, credit cards are susceptible to forgery, leading to numerous cases of fraud. Such actions result in financial losses for consumers, merchants, and banks. Detecting a large number of well-crafted counterfeit credit cards is often challenging through manual means. As a result, much research has been focused on employing artificial intelligence (AI) to achieve high detection performance. However, the accuracy of these AI-based methods may be challenged by attack techniques using adversarial examples. To address this issue, this article utilizes neuron activation status distribution and deep neural networks as detection tools. Furthermore, the experiments employ three methods to generate adversarial examples, showcasing the effectiveness of the proposed detection approach. This ultimately aims to safeguard the rights of credit card users.

Published
2024
Full Text
View/download PDF

48. Adversarial Examples Can Be Effective Data Augmentation for Unsupervised Machine Learning

Author

Hsu, Chia-Yi, Chen, Pin-Yu, Lu, Songtao, Liu, Sijia, and Yu, Chia-Mu

Subjects
FOS: Computer and information sciences, Computer Science - Machine Learning, ComputingMethodologies_PATTERNRECOGNITION, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, General Medicine, Machine Learning (cs.LG)
Abstract

Adversarial examples causing evasive predictions are widely used to evaluate and improve the robustness of machine learning models. However, current studies focus on supervised learning tasks, relying on the ground-truth data label, a targeted objective, or supervision from a trained classifier. In this paper, we propose a framework of generating adversarial examples for unsupervised models and demonstrate novel applications to data augmentation. Our framework exploits a mutual information neural estimator as an information-theoretic similarity measure to generate adversarial examples without supervision. We propose a new MinMax algorithm with provable convergence guarantees for efficient generation of unsupervised adversarial examples. Our framework can also be extended to supervised adversarial examples. When using unsupervised adversarial examples as a simple plug-in data augmentation tool for model retraining, significant improvements are consistently observed across different unsupervised tasks and datasets, including data reconstruction, representation learning, and contrastive learning. Our results show novel methods and considerable advantages in studying and improving unsupervised machine learning via adversarial examples., This version has been accepted by AAAI-22

Published
2022

Catalog

Books, media, physical & digital resources
See catalog results