Search

Your search keyword '"Zhang, Xuhong"' showing total 638 results
Start Over Author "Zhang, Xuhong"
638 results on '"Zhang, Xuhong"'

1. HaVen: Hallucination-Mitigated LLM for Verilog Code Generation Aligned with HDL Engineers

Author

Yang, Yiyao, Teng, Fu, Liu, Pengju, Qi, Mengnan, Lv, Chenyang, Li, Ji, Zhang, Xuhong, and He, Zhezhi

Subjects
Computer Science - Programming Languages, Computer Science - Hardware Architecture
Abstract

Recently, the use of large language models (LLMs) for Verilog code generation has attracted great research interest to enable hardware design automation. However, previous works have shown a gap between the ability of LLMs and the practical demands of hardware description language (HDL) engineering. This gap includes differences in how engineers phrase questions and hallucinations in the code generated. To address these challenges, we introduce HaVen, a novel LLM framework designed to mitigate hallucinations and align Verilog code generation with the practices of HDL engineers. HaVen tackles hallucination issues by proposing a comprehensive taxonomy and employing a chain-of-thought (CoT) mechanism to translate symbolic modalities (e.g. truth tables, state diagrams, etc.) into accurate natural language descriptions. Furthermore, HaVen bridges this gap by using a data augmentation strategy. It synthesizes high-quality instruction-code pairs that match real HDL engineering practices. Our experiments demonstrate that HaVen significantly improves the correctness of Verilog code generation, outperforming state-of-the-art LLM-based Verilog generation methods on VerilogEval and RTLLM benchmark. HaVen is publicly available at https://github.com/Intelligent-Computing-Research-Group/HaVen.

Published
2025

2. Multi-resolution Guided 3D GANs for Medical Image Translation

Author

Ha, Juhyung, Park, Jong Sung, Crandall, David, Garyfallidis, Eleftherios, and Zhang, Xuhong

Subjects
Electrical Engineering and Systems Science - Image and Video Processing, Computer Science - Computer Vision and Pattern Recognition
Abstract

Medical image translation is the process of converting from one imaging modality to another, in order to reduce the need for multiple image acquisitions from the same patient. This can enhance the efficiency of treatment by reducing the time, equipment, and labor needed. In this paper, we introduce a multi-resolution guided Generative Adversarial Network (GAN)-based framework for 3D medical image translation. Our framework uses a 3D multi-resolution Dense-Attention UNet (3D-mDAUNet) as the generator and a 3D multi-resolution UNet as the discriminator, optimized with a unique combination of loss functions including voxel-wise GAN loss and 2.5D perception loss. Our approach yields promising results in volumetric image quality assessment (IQA) across a variety of imaging modalities, body regions, and age groups, demonstrating its robustness. Furthermore, we propose a synthetic-to-real applicability assessment as an additional evaluation to assess the effectiveness of synthetic data in downstream applications such as segmentation. This comprehensive evaluation shows that our method produces synthetic medical images not only of high-quality but also potentially useful in clinical applications. Our code is available at github.com/juhha/3D-mADUNet.

Published
2024

3. CopyrightMeter: Revisiting Copyright Protection in Text-to-image Models

Author

Xu, Naen, Li, Changjiang, Du, Tianyu, Li, Minxi, Luo, Wenjie, Liang, Jiacheng, Li, Yuyuan, Zhang, Xuhong, Han, Meng, Yin, Jianwei, and Wang, Ting

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition
Abstract

Text-to-image diffusion models have emerged as powerful tools for generating high-quality images from textual descriptions. However, their increasing popularity has raised significant copyright concerns, as these models can be misused to reproduce copyrighted content without authorization. In response, recent studies have proposed various copyright protection methods, including adversarial perturbation, concept erasure, and watermarking techniques. However, their effectiveness and robustness against advanced attacks remain largely unexplored. Moreover, the lack of unified evaluation frameworks has hindered systematic comparison and fair assessment of different approaches. To bridge this gap, we systematize existing copyright protection methods and attacks, providing a unified taxonomy of their design spaces. We then develop CopyrightMeter, a unified evaluation framework that incorporates 17 state-of-the-art protections and 16 representative attacks. Leveraging CopyrightMeter, we comprehensively evaluate protection methods across multiple dimensions, thereby uncovering how different design choices impact fidelity, efficacy, and resilience under attacks. Our analysis reveals several key findings: (i) most protections (16/17) are not resilient against attacks; (ii) the "best" protection varies depending on the target priority; (iii) more advanced attacks significantly promote the upgrading of protections. These insights provide concrete guidance for developing more robust protection methods, while its unified evaluation protocol establishes a standard benchmark for future copyright protection research in text-to-image generation.

Published
2024

4. HijackRAG: Hijacking Attacks against Retrieval-Augmented Large Language Models

Author

Zhang, Yucheng, Li, Qinfeng, Du, Tianyu, Zhang, Xuhong, Zhao, Xinkui, Feng, Zhengwen, and Yin, Jianwei

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Information Retrieval
Abstract

Retrieval-Augmented Generation (RAG) systems enhance large language models (LLMs) by integrating external knowledge, making them adaptable and cost-effective for various applications. However, the growing reliance on these systems also introduces potential security risks. In this work, we reveal a novel vulnerability, the retrieval prompt hijack attack (HijackRAG), which enables attackers to manipulate the retrieval mechanisms of RAG systems by injecting malicious texts into the knowledge database. When the RAG system encounters target questions, it generates the attacker's pre-determined answers instead of the correct ones, undermining the integrity and trustworthiness of the system. We formalize HijackRAG as an optimization problem and propose both black-box and white-box attack strategies tailored to different levels of the attacker's knowledge. Extensive experiments on multiple benchmark datasets show that HijackRAG consistently achieves high attack success rates, outperforming existing baseline attacks. Furthermore, we demonstrate that the attack is transferable across different retriever models, underscoring the widespread risk it poses to RAG systems. Lastly, our exploration of various defense mechanisms reveals that they are insufficient to counter HijackRAG, emphasizing the urgent need for more robust security measures to protect RAG systems in real-world deployments.

Published
2024

5. CoreGuard: Safeguarding Foundational Capabilities of LLMs Against Model Stealing in Edge Deployment

Author

Li, Qinfeng, Xie, Yangfan, Du, Tianyu, Shen, Zhiqiang, Qin, Zhenghan, Peng, Hao, Zhao, Xinkui, Zhu, Xianwei, Yin, Jianwei, and Zhang, Xuhong

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Distributed, Parallel, and Cluster Computing
Abstract

Proprietary large language models (LLMs) demonstrate exceptional generalization ability across various tasks. Additionally, deploying LLMs on edge devices is trending for efficiency and privacy reasons. However, edge deployment of proprietary LLMs introduces new security threats: attackers who obtain an edge-deployed LLM can easily use it as a base model for various tasks due to its high generalization ability, which we call foundational capability stealing. Unfortunately, existing model protection mechanisms are often task-specific and fail to protect general-purpose LLMs, as they mainly focus on protecting task-related parameters using trusted execution environments (TEEs). Although some recent TEE-based methods are able to protect the overall model parameters in a computation-efficient way, they still suffer from prohibitive communication costs between TEE and CPU/GPU, making it impractical to deploy for edge LLMs. To protect the foundational capabilities of edge LLMs, we propose CoreGuard, a computation- and communication-efficient model protection approach against model stealing on edge devices. The core component of CoreGuard is a lightweight and propagative authorization module residing in TEE. Extensive experiments show that CoreGuard achieves the same security protection as the black-box security guarantees with negligible overhead.

Published
2024

6. CollabEdit: Towards Non-destructive Collaborative Knowledge Editing

Author

Zheng, Jiamu, Zhang, Jinghuai, Du, Tianyu, Zhang, Xuhong, Yin, Jianwei, and Lin, Tao

Subjects
Computer Science - Computation and Language, Computer Science - Computers and Society
Abstract

Collaborative learning of large language models (LLMs) has emerged as a new paradigm for utilizing private data from different parties to guarantee efficiency and privacy. Meanwhile, Knowledge Editing (KE) for LLMs has also garnered increased attention due to its ability to manipulate the behaviors of LLMs explicitly, yet leaves the collaborative KE case (in which knowledge edits of multiple parties are aggregated in a privacy-preserving and continual manner) unexamined. To this end, this manuscript dives into the first investigation of collaborative KE, in which we start by carefully identifying the unique three challenges therein, including knowledge overlap, knowledge conflict, and knowledge forgetting. We then propose a non-destructive collaborative KE framework, COLLABEDIT, which employs a novel model merging mechanism to mimic the global KE behavior while preventing the severe performance drop. Extensive experiments on two canonical datasets demonstrate the superiority of COLLABEDIT compared to other destructive baselines, and results shed light on addressing three collaborative KE challenges and future applications.

Published
2024

7. Understanding the AI-powered Binary Code Similarity Detection

Author

Fu, Lirong, Liu, Peiyu, Meng, Wenlong, Lu, Kangjie, Zhou, Shize, Zhang, Xuhong, Chen, Wenzhi, and Ji, Shouling

Subjects
Computer Science - Software Engineering
Abstract

AI-powered binary code similarity detection (BinSD), which transforms intricate binary code comparison to the distance measure of code embedding through neural networks, has been widely applied to program analysis. However, due to the diversity of the adopted embedding strategies, evaluation methodologies, running environments, and/or benchmarks, it is difficult to quantitatively understand to what extent the BinSD problem has been solved, especially in realworld applications. Moreover, the lack of an in-depth investigation of the increasingly complex embedding neural networks and various evaluation methodologies has become the key factor hindering the development of AI-powered BinSD. To fill these research gaps, in this paper, we present a systematic evaluation of state-of-the-art AI-powered BinSD approaches by conducting a comprehensive comparison of BinSD systems on similar function detection and two downstream applications, namely vulnerability search and license violation detection. Building upon this evaluation, we perform the first investigation of embedding neural networks and evaluation methodologies. The experimental results yield several findings, which provide valuable insights in the BinSD domain, including (1) despite the GNN-based BinSD systems currently achieving the best performance in similar function detection, there still exists considerable space for improvements;(2) the capability of AI-powered BinSD approaches exhibits significant variation when applied to different downstream applications;(3) existing evaluation methodologies still need substantial adjustments. For instance, the evaluation metrics (such as the widely adopted ROC and AUC) usually fall short of accurately representing the model performance of the practical use in realworld scenarios. Based on the extensive experiments and analysis, we further provide several promising future research directions.

Published
2024

8. Bridging Context Gaps: Leveraging Coreference Resolution for Long Contextual Understanding

Author

Liu, Yanming, Peng, Xinyue, Cao, Jiannan, Bo, Shi, Shen, Yanxin, Zhang, Xuhong, Cheng, Sheng, Wang, Xun, Yin, Jianwei, and Du, Tianyu

Subjects
Computer Science - Computation and Language, Computer Science - Artificial Intelligence
Abstract

Large language models (LLMs) have shown remarkable capabilities in natural language processing; however, they still face difficulties when tasked with understanding lengthy contexts and executing effective question answering. These challenges often arise due to the complexity and ambiguity present in longer texts. To enhance the performance of LLMs in such scenarios, we introduce the Long Question Coreference Adaptation (LQCA) method. This innovative framework focuses on coreference resolution tailored to long contexts, allowing the model to identify and manage references effectively. The LQCA method encompasses four key steps: resolving coreferences within sub-documents, computing the distances between mentions, defining a representative mention for coreference, and answering questions through mention replacement. By processing information systematically, the framework provides easier-to-handle partitions for LLMs, promoting better understanding. Experimental evaluations on a range of LLMs and datasets have yielded positive results, with a notable improvements on OpenAI-o1-mini and GPT-4o models, highlighting the effectiveness of leveraging coreference resolution to bridge context gaps in question answering., Comment: Underreview version of LQCA, Bridge context gap for long context

Published
2024

9. SecCoder: Towards Generalizable and Robust Secure Code Generation

Author

Zhang, Boyu, Du, Tianyu, Tong, Junkai, Zhang, Xuhong, Chow, Kingsum, Cheng, Sheng, Wang, Xun, and Yin, Jianwei

Subjects
Computer Science - Programming Languages
Abstract

After large models (LMs) have gained widespread acceptance in code-related tasks, their superior generative capacity has greatly promoted the application of the code LM. Nevertheless, the security of the generated code has raised attention to its potential damage. Existing secure code generation methods have limited generalizability to unseen test cases and poor robustness against the attacked model, leading to safety failures in code generation. In this paper, we propose a generalizable and robust secure code generation method SecCoder by using in-context learning (ICL) and the safe demonstration. The dense retriever is also used to select the most helpful demonstration to maximize the improvement of the generated code's security. Experimental results show the superior generalizability of the proposed model SecCoder compared to the current secure code generation method, achieving a significant security improvement of an average of 7.20% on unseen test cases. The results also show the better robustness of SecCoder compared to the current attacked code LM, achieving a significant security improvement of an average of 7.74%. Our analysis indicates that SecCoder enhances the security of LMs in generating code, and it is more generalizable and robust., Comment: To Appear in the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)

Published
2024

10. G-Fuzz: A Directed Fuzzing Framework for gVisor

Author

Li, Yuwei, Chen, Yuan, Ji, Shouling, Zhang, Xuhong, Yan, Guanglu, Liu, Alex X., Wu, Chunming, Pan, Zulie, and Lin, Peng

Subjects
Computer Science - Cryptography and Security
Abstract

gVisor is a Google-published application-level kernel for containers. As gVisor is lightweight and has sound isolation, it has been widely used in many IT enterprises \cite{Stripe, DigitalOcean, Cloundflare}. When a new vulnerability of the upstream gVisor is found, it is important for the downstream developers to test the corresponding code to maintain the security. To achieve this aim, directed fuzzing is promising. Nevertheless, there are many challenges in applying existing directed fuzzing methods for gVisor. The core reason is that existing directed fuzzers are mainly for general C/C++ applications, while gVisor is an OS kernel written in the Go language. To address the above challenges, we propose G-Fuzz, a directed fuzzing framework for gVisor. There are three core methods in G-Fuzz, including lightweight and fine-grained distance calculation, target related syscall inference and utilization, and exploration and exploitation dynamic switch. Note that the methods of G-Fuzz are general and can be transferred to other OS kernels. We conduct extensive experiments to evaluate the performance of G-Fuzz. Compared to Syzkaller, the state-of-the-art kernel fuzzer, G-Fuzz outperforms it significantly. Furthermore, we have rigorously evaluated the importance for each core method of G-Fuzz. G-Fuzz has been deployed in industry and has detected multiple serious vulnerabilities., Comment: This paper has published in IEEE Transactions on Dependable and Secure Computing (TDSC), https://ieeexplore.ieee.org/abstract/document/10049484/citations?tabFilter=papers#citations

Published
2024
Full Text
View/download PDF

11. CLIBE: Detecting Dynamic Backdoors in Transformer-based NLP Models

Author

Zeng, Rui, Chen, Xi, Pu, Yuwen, Zhang, Xuhong, Du, Tianyu, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Computation and Language, Computer Science - Machine Learning
Abstract

Backdoors can be injected into NLP models to induce misbehavior when the input text contains a specific feature, known as a trigger, which the attacker secretly selects. Unlike fixed words, phrases, or sentences used in the static text trigger, NLP dynamic backdoor attacks design triggers associated with abstract and latent text features, making them considerably stealthier than traditional static backdoor attacks. However, existing research on NLP backdoor detection primarily focuses on defending against static backdoor attacks, while detecting dynamic backdoors in NLP models remains largely unexplored. This paper presents CLIBE, the first framework to detect dynamic backdoors in Transformer-based NLP models. CLIBE injects a "few-shot perturbation" into the suspect Transformer model by crafting optimized weight perturbation in the attention layers to make the perturbed model classify a limited number of reference samples as a target label. Subsequently, CLIBE leverages the generalization ability of this few-shot perturbation to determine whether the original model contains a dynamic backdoor. Extensive evaluation on three advanced NLP dynamic backdoor attacks, two widely-used Transformer frameworks, and four real-world classification tasks strongly validates the effectiveness of CLIBE. We also demonstrate the robustness of CLIBE against various adaptive attacks. Furthermore, we employ CLIBE to scrutinize 49 popular Transformer models on Hugging Face and discover one exhibiting a high probability of containing a dynamic backdoor. We have contacted Hugging Face and provided detailed evidence of this model's backdoor behavior. Moreover, we extend CLIBE to detect backdoor text generation models modified to exhibit toxic behavior. To the best of our knowledge, CLIBE is the first framework capable of detecting backdoors in text generation models without access to trigger input test samples., Comment: To appear in the Network and Distributed System Security (NDSS) Symposium, February, 2025

Published
2024

12. Iterative or Innovative? A Problem-Oriented Perspective for Code Optimization

Author

Ye, Tong, Ma, Tengfei, Wu, Lingfei, Zhang, Xuhong, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Programming Languages, Computer Science - Artificial Intelligence, Computer Science - Software Engineering
Abstract

Large language models (LLMs) have demonstrated strong capabilities in solving a wide range of programming tasks. However, LLMs have rarely been explored for code optimization. In this paper, we explore code optimization with a focus on performance enhancement, specifically aiming to optimize code for minimal execution time. The recently proposed first PIE dataset for performance optimization constructs program optimization pairs based on iterative submissions from the same programmer for the same problem. However, this approach restricts LLMs to local performance improvements, neglecting global algorithmic innovation. Therefore, we adopt a completely different perspective by reconstructing the optimization pairs into a problem-oriented approach. This allows for the integration of various ingenious ideas from different programmers tackling the same problem. Experimental results demonstrate that adapting LLMs to problem-oriented optimization pairs significantly enhances their optimization capabilities. Meanwhile, we identified performance bottlenecks within the problem-oriented perspective. By employing model merge, we further overcame bottlenecks and ultimately elevated the program optimization ratio ($51.76\%\rightarrow76.65\%$) and speedup ($2.65\times\rightarrow5.09\times$) to new levels.

Published
2024

13. DP-MemArc: Differential Privacy Transfer Learning for Memory Efficient Language Models

Author

Liu, Yanming, Peng, Xinyue, Zhang, Yuwei, Ke, Xiaolan, Deng, Songhang, Cao, Jiannan, Ma, Chen, Fu, Mengchen, Zhang, Xuhong, Cheng, Sheng, Wang, Xun, Yin, Jianwei, and Du, Tianyu

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computation and Language, Computer Science - Machine Learning
Abstract

Large language models have repeatedly shown outstanding performance across diverse applications. However, deploying these models can inadvertently risk user privacy. The significant memory demands during training pose a major challenge in terms of resource consumption. This substantial size places a heavy load on memory resources, raising considerable practical concerns. In this paper, we introduce DP-MemArc, a novel training framework aimed at reducing the memory costs of large language models while emphasizing the protection of user data privacy. DP-MemArc incorporates side network or reversible network designs to support a variety of differential privacy memory-efficient fine-tuning schemes. Our approach not only achieves in memory optimization but also ensures robust privacy protection, keeping user data secure and confidential. Extensive experiments have demonstrated that DP-MemArc effectively provides differential privacy-efficient fine-tuning across different task scenarios., Comment: 9 pages second version

Published
2024

14. Tool-Planner: Task Planning with Clusters across Multiple Tools

Author

Liu, Yanming, Peng, Xinyue, Cao, Jiannan, Bo, Shi, Zhang, Yuwei, Zhang, Xuhong, Cheng, Sheng, Wang, Xun, Yin, Jianwei, and Du, Tianyu

Subjects
Computer Science - Artificial Intelligence, Computer Science - Computation and Language, Computer Science - Robotics
Abstract

Large language models (LLMs) have demonstrated exceptional reasoning capabilities, enabling them to solve various complex problems. Recently, this ability has been applied to the paradigm of tool learning. Tool learning involves providing examples of tool usage and their corresponding functions, allowing LLMs to formulate plans and demonstrate the process of invoking and executing each tool. LLMs can address tasks that they cannot complete independently, thereby enhancing their potential across different tasks. However, this approach faces two key challenges. First, redundant error correction leads to unstable planning and long execution time. Additionally, designing a correct plan among multiple tools is also a challenge in tool learning. To address these issues, we propose Tool-Planner, a task-processing framework based on toolkits. Tool-Planner groups tools based on the API functions with the same function into a toolkit and allows LLMs to implement planning across the various toolkits. When a tool error occurs, the language model can reselect and adjust tools based on the toolkit. Experiments show that our approach demonstrates a high pass and win rate across different datasets and optimizes the planning scheme for tool learning in models such as GPT-4 and Claude 3, showcasing the potential of our method. Our code is public at \url{https://github.com/OceannTwT/Tool-Planner}, Comment: 48pages second version

Published
2024

15. Uncovering LLM-Generated Code: A Zero-Shot Synthetic Code Detector via Code Rewriting

Author

Ye, Tong, Du, Yangkai, Ma, Tengfei, Wu, Lingfei, Zhang, Xuhong, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Software Engineering, Computer Science - Artificial Intelligence
Abstract

Large Language Models (LLMs) have demonstrated remarkable proficiency in generating code. However, the misuse of LLM-generated (synthetic) code has raised concerns in both educational and industrial contexts, underscoring the urgent need for synthetic code detectors. Existing methods for detecting synthetic content are primarily designed for general text and struggle with code due to the unique grammatical structure of programming languages and the presence of numerous ''low-entropy'' tokens. Building on this, our work proposes a novel zero-shot synthetic code detector based on the similarity between the original code and its LLM-rewritten variants. Our method is based on the observation that differences between LLM-rewritten and original code tend to be smaller when the original code is synthetic. We utilize self-supervised contrastive learning to train a code similarity model and evaluate our approach on two synthetic code detection benchmarks. Our results demonstrate a significant improvement over existing SOTA synthetic content detectors, with AUROC scores increasing by 20.5% on the APPS benchmark and 29.1% on the MBPP benchmark., Comment: Accepted by AAAI 2025; previously submitted to EMNLP 2023

Published
2024

16. An Inversion-based Measure of Memorization for Diffusion Models

Author

Ma, Zhe, Li, Qingming, Zhang, Xuhong, Du, Tianyu, Lin, Ruixiao, Wang, Zonghui, Ji, Shouling, and Chen, Wenzhi

Subjects
Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

The past few years have witnessed substantial advances in image generation powered by diffusion models. However, it was shown that diffusion models are vulnerable to training data memorization, raising concerns regarding copyright infringement and privacy invasion. This study delves into a rigorous analysis of memorization in diffusion models. We introduce an inversion-based measure of memorization, InvMM, which searches for a sensitive latent noise distribution accounting for the replication of an image. For accurate estimation of the memorization score, we propose an adaptive algorithm that balances the normality and sensitivity of the inverted distribution. Comprehensive experiments, conducted on both unconditional and text-guided diffusion models, demonstrate that InvMM is capable of detecting heavily memorized images and elucidating the effect of various factors on memorization. Additionally, we discuss how memorization differs from membership. In practice, InvMM serves as a useful tool for model developers to reliably assess the risk of memorization, thereby contributing to the enhancement of trustworthiness and privacy-preserving capabilities of diffusion models.

Published
2024

17. TransLinkGuard: Safeguarding Transformer Models Against Model Stealing in Edge Deployment

Author

Li, Qinfeng, Shen, Zhiqiang, Qin, Zhenghan, Xie, Yangfan, Zhang, Xuhong, Du, Tianyu, and Yin, Jianwei

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

Proprietary large language models (LLMs) have been widely applied in various scenarios. Additionally, deploying LLMs on edge devices is trending for efficiency and privacy reasons. However, edge deployment of proprietary LLMs introduces new security challenges: edge-deployed models are exposed as white-box accessible to users, enabling adversaries to conduct effective model stealing (MS) attacks. Unfortunately, existing defense mechanisms fail to provide effective protection. Specifically, we identify four critical protection properties that existing methods fail to simultaneously satisfy: (1) maintaining protection after a model is physically copied; (2) authorizing model access at request level; (3) safeguarding runtime reverse engineering; (4) achieving high security with negligible runtime overhead. To address the above issues, we propose TransLinkGuard, a plug-and-play model protection approach against model stealing on edge devices. The core part of TransLinkGuard is a lightweight authorization module residing in a secure environment, e.g., TEE. The authorization module can freshly authorize each request based on its input. Extensive experiments show that TransLinkGuard achieves the same security protection as the black-box security guarantees with negligible overhead., Comment: Accepted by ACM MM24 Conference

Published
2024
Full Text
View/download PDF

18. Marlin: Knowledge-Driven Analysis of Provenance Graphs for Efficient and Robust Detection of Cyber Attacks

Author

Li, Zhenyuan, Wei, Yangyang, Shen, Xiangmin, Wang, Lingzhi, Chen, Yan, Xu, Haitao, Ji, Shouling, Zhang, Fan, Hou, Liang, Liu, Wenmao, Zhang, Xuhong, and Ying, Jianwei

Subjects
Computer Science - Cryptography and Security
Abstract

Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph alignment.By leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.

Published
2024

19. ERA-CoT: Improving Chain-of-Thought through Entity Relationship Analysis

Author

Liu, Yanming, Peng, Xinyue, Du, Tianyu, Yin, Jianwei, Liu, Weihao, and Zhang, Xuhong

Subjects
Computer Science - Computation and Language
Abstract

Large language models (LLMs) have achieved commendable accomplishments in various natural language processing tasks. However, LLMs still encounter significant challenges when dealing with complex scenarios involving multiple entities. These challenges arise from the presence of implicit relationships that demand multi-step reasoning. In this paper, we propose a novel approach ERA-CoT, which aids LLMs in understanding context by capturing relationships between entities and supports the reasoning of diverse tasks through Chain-of-Thoughts (CoT). Experimental results show that ERA-CoT demonstrates the superior performance of our proposed method compared to current CoT prompting methods, achieving a significant improvement of an average of 5.1\% on GPT3.5 compared to previous SOTA baselines. Our analysis indicates that ERA-CoT increases the LLM's understanding of entity relationships, significantly improves the accuracy of question answering, and enhances the reasoning ability of LLMs., Comment: 15 pages, second version of ERA-CoT

Published
2024

20. RA-ISF: Learning to Answer and Understand from Retrieval Augmentation via Iterative Self-Feedback

Author

Liu, Yanming, Peng, Xinyue, Zhang, Xuhong, Liu, Weihao, Yin, Jianwei, Cao, Jiannan, and Du, Tianyu

Subjects
Computer Science - Computation and Language, Computer Science - Artificial Intelligence
Abstract

Large language models (LLMs) demonstrate exceptional performance in numerous tasks but still heavily rely on knowledge stored in their parameters. Moreover, updating this knowledge incurs high training costs. Retrieval-augmented generation (RAG) methods address this issue by integrating external knowledge. The model can answer questions it couldn't previously by retrieving knowledge relevant to the query. This approach improves performance in certain scenarios for specific tasks. However, if irrelevant texts are retrieved, it may impair model performance. In this paper, we propose Retrieval Augmented Iterative Self-Feedback (RA-ISF), a framework that iteratively decomposes tasks and processes them in three submodules to enhance the model's problem-solving capabilities. Experiments show that our method outperforms existing benchmarks, performing well on models like GPT3.5, Llama2, significantly enhancing factual reasoning capabilities and reducing hallucinations., Comment: 20 pages, multiple figures. Providing second version RA-ISF

Published
2024

21. Elements of Social Convoy Theory in Mobile Health for Palliative Care: Scoping Review

Author

Portz, Jennifer D, Elsbernd, Kira, Plys, Evan, Ford, Kelsey Lynett, Zhang, Xuhong, Gore, M Odette, Moore, Susan L, Zhou, Shuo, and Bull, Sheana

Subjects
Information technology, T58.5-58.64, Public aspects of medicine, RA1-1270
Abstract

BackgroundMobile health (mHealth) provides a unique modality for improving access to and awareness of palliative care among patients, families, and caregivers from diverse backgrounds. Some mHealth palliative care apps exist, both commercially available and established by academic researchers. However, the elements of family support and family caregiving tools offered by these early apps is unknown. ObjectiveThe objective of this scoping review was to use social convoy theory to describe the inclusion and functionality of family, social relationships, and caregivers in palliative care mobile apps. MethodsUsing the Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Review guidelines, a systematic search of palliative care mHealth included (1) research-based mobile apps identified from academic searches published between January 1, 2010, and March 31, 2019 and (2) commercially available apps for app stores in April 2019. Two reviewers independently assessed abstracts, app titles, and descriptions against the inclusion and exclusion criteria. Abstracted data covered app name, research team or developer, palliative care element, target audience, and features for family support and caregiving functionality as defined by social convoy theory. ResultsOverall, 10 articles describing 9 individual research-based apps and 22 commercially available apps were identified. Commercially available apps were most commonly designed for both patients and social convoys, whereas the majority of research apps were designed for patient use only. ConclusionsResults suggest there is an emerging presence of apps for patients and social convoys receiving palliative care; however, there are many needs for developers and researchers to address in the future. Although palliative care mHealth is a growing field, additional research is needed for apps that embrace a team approach to information sharing, target family- and caregiver-specific issues, promote access to palliative care, and are comprehensive of palliative needs.

Published
2020
Full Text
View/download PDF

23. PRSA: PRompt Stealing Attacks against Large Language Models

Author

Yang, Yong, Li, Changjiang, Jiang, Yi, Chen, Xi, Wang, Haoyu, Zhang, Xuhong, Wang, Zonghui, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Computation and Language
Abstract

In recent years, "prompt as a service" has greatly enhanced the utility of large language models (LLMs) by enabling them to perform various downstream tasks efficiently without fine-tuning. This has also increased the commercial value of prompts. However, the potential risk of leakage in these commercialized prompts remains largely underexplored. In this paper, we introduce a novel attack framework, PRSA, designed for prompt stealing attacks against LLMs. The main idea of PRSA is to infer the intent behind a prompt by analyzing its input-output content, enabling the generation of a surrogate prompt that replicates the original's functionality. Specifically, PRSA mainly consists of two key phases: prompt mutation and prompt pruning. In the mutation phase, we propose a prompt attention algorithm based on output difference. The algorithm facilitates the generation of effective surrogate prompts by learning key factors that influence the accurate inference of prompt intent. During the pruning phase, we employ a two-step related word identification strategy to detect and mask words that are highly related to the input, thus improving the generalizability of the surrogate prompts. We verify the actual threat of PRSA through evaluation in both real-world settings, non-interactive and interactive prompt services. The results strongly confirm the PRSA's effectiveness and generalizability. We have reported these findings to prompt service providers and actively collaborate with them to implement defensive measures.

Published
2024

24. 3D Volumetric Super-Resolution in Radiology Using 3D RRDB-GAN

Author

Ha, Juhyung, Wang, Nian, Maharjan, Surendra, and Zhang, Xuhong

Subjects
Electrical Engineering and Systems Science - Image and Video Processing, Computer Science - Computer Vision and Pattern Recognition
Abstract

This study introduces the 3D Residual-in-Residual Dense Block GAN (3D RRDB-GAN) for 3D super-resolution for radiology imagery. A key aspect of 3D RRDB-GAN is the integration of a 2.5D perceptual loss function, which contributes to improved volumetric image quality and realism. The effectiveness of our model was evaluated through 4x super-resolution experiments across diverse datasets, including Mice Brain MRH, OASIS, HCP1200, and MSD-Task-6. These evaluations, encompassing both quantitative metrics like LPIPS and FID and qualitative assessments through sample visualizations, demonstrate the models effectiveness in detailed image analysis. The 3D RRDB-GAN offers a significant contribution to medical imaging, particularly by enriching the depth, clarity, and volumetric detail of medical images. Its application shows promise in enhancing the interpretation and analysis of complex medical imagery from a comprehensive 3D perspective.

Published
2024

25. MEAOD: Model Extraction Attack against Object Detectors

Author

Li, Zeyu, Shi, Chenghui, Pu, Yuwen, Zhang, Xuhong, Li, Yu, Li, Jinbao, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

The widespread use of deep learning technology across various industries has made deep neural network models highly valuable and, as a result, attractive targets for potential attackers. Model extraction attacks, particularly query-based model extraction attacks, allow attackers to replicate a substitute model with comparable functionality to the victim model and present a significant threat to the confidentiality and security of MLaaS platforms. While many studies have explored threats of model extraction attacks against classification models in recent years, object detection models, which are more frequently used in real-world scenarios, have received less attention. In this paper, we investigate the challenges and feasibility of query-based model extraction attacks against object detection models and propose an effective attack method called MEAOD. It selects samples from the attacker-possessed dataset to construct an efficient query dataset using active learning and enhances the categories with insufficient objects. We additionally improve the extraction effectiveness by updating the annotations of the query dataset. According to our gray-box and black-box scenarios experiments, we achieve an extraction performance of over 70% under the given condition of a 10k query budget.

Published
2023

26. Let All be Whitened: Multi-teacher Distillation for Efficient Visual Retrieval

Author

Ma, Zhe, Dong, Jianfeng, Ji, Shouling, Liu, Zhenguang, Zhang, Xuhong, Wang, Zonghui, He, Sifeng, Qian, Feng, Zhang, Xiaobo, and Yang, Lei

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Visual retrieval aims to search for the most relevant visual items, e.g., images and videos, from a candidate gallery with a given query item. Accuracy and efficiency are two competing objectives in retrieval tasks. Instead of crafting a new method pursuing further improvement on accuracy, in this paper we propose a multi-teacher distillation framework Whiten-MTD, which is able to transfer knowledge from off-the-shelf pre-trained retrieval models to a lightweight student model for efficient visual retrieval. Furthermore, we discover that the similarities obtained by different retrieval models are diversified and incommensurable, which makes it challenging to jointly distill knowledge from multiple models. Therefore, we propose to whiten the output of teacher models before fusion, which enables effective multi-teacher distillation for retrieval models. Whiten-MTD is conceptually simple and practically effective. Extensive experiments on two landmark image retrieval datasets and one video retrieval dataset demonstrate the effectiveness of our proposed method, and its good balance of retrieval performance and efficiency. Our source code is released at https://github.com/Maryeon/whiten_mtd., Comment: Accepted by AAAI 2024

Published
2023

30. AdaCCD: Adaptive Semantic Contrasts Discovery Based Cross Lingual Adaptation for Code Clone Detection

Author

Du, Yangkai, Ma, Tengfei, Wu, Lingfei, Zhang, Xuhong, and Ji, Shouling

Subjects
Computer Science - Software Engineering, Computer Science - Computation and Language
Abstract

Code Clone Detection, which aims to retrieve functionally similar programs from large code bases, has been attracting increasing attention. Modern software often involves a diverse range of programming languages. However, current code clone detection methods are generally limited to only a few popular programming languages due to insufficient annotated data as well as their own model design constraints. To address these issues, we present AdaCCD, a novel cross-lingual adaptation method that can detect cloned codes in a new language without annotations in that language. AdaCCD leverages language-agnostic code representations from pre-trained programming language models and propose an Adaptively Refined Contrastive Learning framework to transfer knowledge from resource-rich languages to resource-poor languages. We evaluate the cross-lingual adaptation results of AdaCCD by constructing a multilingual code clone detection benchmark consisting of 5 programming languages. AdaCCD achieves significant improvements over other baselines, and achieve comparable performance to supervised fine-tuning.

Published
2023

31. Exploring ChatGPT's Capabilities on Vulnerability Management

Author

Liu, Peiyu, Liu, Junming, Fu, Lirong, Lu, Kangjie, Xia, Yifan, Zhang, Xuhong, Chen, Wenzhi, Weng, Haiqin, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Software Engineering, Computer Science - Artificial Intelligence, Computer Science - Computation and Language, Computer Science - Cryptography and Security
Abstract

Recently, ChatGPT has attracted great attention from the code analysis domain. Prior works show that ChatGPT has the capabilities of processing foundational code analysis tasks, such as abstract syntax tree generation, which indicates the potential of using ChatGPT to comprehend code syntax and static behaviors. However, it is unclear whether ChatGPT can complete more complicated real-world vulnerability management tasks, such as the prediction of security relevance and patch correctness, which require an all-encompassing understanding of various aspects, including code syntax, program semantics, and related manual comments. In this paper, we explore ChatGPT's capabilities on 6 tasks involving the complete vulnerability management process with a large-scale dataset containing 70,346 samples. For each task, we compare ChatGPT against SOTA approaches, investigate the impact of different prompts, and explore the difficulties. The results suggest promising potential in leveraging ChatGPT to assist vulnerability management. One notable example is ChatGPT's proficiency in tasks like generating titles for software bug reports. Furthermore, our findings reveal the difficulties encountered by ChatGPT and shed light on promising future directions. For instance, directly providing random demonstration examples in the prompt cannot consistently guarantee good performance in vulnerability management. By contrast, leveraging ChatGPT in a self-heuristic way -- extracting expertise from demonstration examples itself and integrating the extracted expertise in the prompt is a promising research direction. Besides, ChatGPT may misunderstand and misuse the information in the prompt. Consequently, effectively guiding ChatGPT to focus on helpful information rather than the irrelevant content is still an open problem., Comment: Accepted by USENIX Security 2024

Published
2023

32. Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection

Author

Xia, Yifan, He, Ping, Zhang, Xuhong, Liu, Peiyu, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

The emergence of WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations, termed JavaScript-WebAssembly multilingual malware (JWMM). However, existing anti-virus solutions based on static program analysis are still limited to monolingual code. As a result, their detection effectiveness decreases significantly against JWMM. The detection of JWMM is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly. To bridge this gap, we present JWBinder, the first technique aimed at enhancing the static detection of JWMM. JWBinder performs a language-specific data-flow analysis to capture the cross-language interoperations and then characterizes the functionalities of JWMM through a unified high-level structure called Inter-language Program Dependency Graph. The extensive evaluation on one of the most representative real-world anti-virus platforms, VirusTotal, shows that \system effectively enhances anti-virus systems from various vendors and increases the overall successful detection rate against JWMM from 49.1\% to 86.2\%. Additionally, we assess the side effects and runtime overhead of JWBinder, corroborating its practical viability in real-world applications., Comment: Accepted to ESORICS 2023

Published
2023

33. CP-BCS: Binary Code Summarization Guided by Control Flow Graph and Pseudo Code

Author

Ye, Tong, Wu, Lingfei, Ma, Tengfei, Zhang, Xuhong, Du, Yangkai, Liu, Peiyu, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Programming Languages, Computer Science - Artificial Intelligence
Abstract

Automatically generating function summaries for binaries is an extremely valuable but challenging task, since it involves translating the execution behavior and semantics of the low-level language (assembly code) into human-readable natural language. However, most current works on understanding assembly code are oriented towards generating function names, which involve numerous abbreviations that make them still confusing. To bridge this gap, we focus on generating complete summaries for binary functions, especially for stripped binary (no symbol table and debug information in reality). To fully exploit the semantics of assembly code, we present a control flow graph and pseudo code guided binary code summarization framework called CP-BCS. CP-BCS utilizes a bidirectional instruction-level control flow graph and pseudo code that incorporates expert knowledge to learn the comprehensive binary function execution behavior and logic semantics. We evaluate CP-BCS on 3 different binary optimization levels (O1, O2, and O3) for 3 different computer architectures (X86, X64, and ARM). The evaluation results demonstrate CP-BCS is superior and significantly improves the efficiency of reverse engineering., Comment: EMNLP 2023 Main Conference

Published
2023

34. Facial Data Minimization: Shallow Model as Your Privacy Filter

Author

Pu, Yuwen, Chen, Jiahao, Pan, Jiayu, li, Hao, Yan, Diqun, Zhang, Xuhong, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition
Abstract

Face recognition service has been used in many fields and brings much convenience to people. However, once the user's facial data is transmitted to a service provider, the user will lose control of his/her private data. In recent years, there exist various security and privacy issues due to the leakage of facial data. Although many privacy-preserving methods have been proposed, they usually fail when they are not accessible to adversaries' strategies or auxiliary data. Hence, in this paper, by fully considering two cases of uploading facial images and facial features, which are very typical in face recognition service systems, we proposed a data privacy minimization transformation (PMT) method. This method can process the original facial data based on the shallow model of authorized services to obtain the obfuscated data. The obfuscated data can not only maintain satisfactory performance on authorized models and restrict the performance on other unauthorized models but also prevent original privacy data from leaking by AI methods and human visual theft. Additionally, since a service provider may execute preprocessing operations on the received data, we also propose an enhanced perturbation method to improve the robustness of PMT. Besides, to authorize one facial image to multiple service models simultaneously, a multiple restriction mechanism is proposed to improve the scalability of PMT. Finally, we conduct extensive experiments and evaluate the effectiveness of the proposed PMT in defending against face reconstruction, data abuse, and face attribute estimation attacks. These experimental results demonstrate that PMT performs well in preventing facial data abuse and privacy leakage while maintaining face recognition accuracy., Comment: 14 pages, 11 figures

Published
2023

35. SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices

Author

Wang, Qinying, Chang, Boyu, Ji, Shouling, Tian, Yuan, Zhang, Xuhong, Zhao, Binbin, Pan, Gaoning, Lyu, Chenyang, Payer, Mathias, Wang, Wenhai, and Beyah, Raheem

Subjects
Computer Science - Cryptography and Security
Abstract

Trusted Execution Environments (TEEs) embedded in IoT devices provide a deployable solution to secure IoT applications at the hardware level. By design, in TEEs, the Trusted Operating System (Trusted OS) is the primary component. It enables the TEE to use security-based design techniques, such as data encryption and identity authentication. Once a Trusted OS has been exploited, the TEE can no longer ensure security. However, Trusted OSes for IoT devices have received little security analysis, which is challenging from several perspectives: (1) Trusted OSes are closed-source and have an unfavorable environment for sending test cases and collecting feedback. (2) Trusted OSes have complex data structures and require a stateful workflow, which limits existing vulnerability detection tools. To address the challenges, we present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices as well as tracking state and code coverage non-invasively. SyzTrust utilizes composite feedback to guide the fuzzer to effectively explore more states as well as to increase the code coverage. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud. These systems run on Cortex M23/33 MCUs, which provide the necessary abstraction for embedded TEEs. We discovered 70 previously unknown vulnerabilities in their Trusted OSes, receiving 10 new CVEs so far. Furthermore, compared to the baseline, SyzTrust has demonstrated significant improvements, including 66% higher code coverage, 651% higher state coverage, and 31% improved vulnerability-finding capability. We report all discovered new vulnerabilities to vendors and open source SyzTrust., Comment: To appear in the IEEE Symposium on Security and Privacy (IEEE S&P) 2024, San Francisco, CA, USA

Published
2023

36. Community-Based Hierarchical Positive-Unlabeled (PU) Model Fusion for Chronic Disease Prediction

Author

Wu, Yang, Li, Xurui, Zhang, Xuhong, Kang, Yangyang, Sun, Changlong, and Liu, Xiaozhong

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence
Abstract

Positive-Unlabeled (PU) Learning is a challenge presented by binary classification problems where there is an abundance of unlabeled data along with a small number of positive data instances, which can be used to address chronic disease screening problem. State-of-the-art PU learning methods have resulted in the development of various risk estimators, yet they neglect the differences among distinct populations. To address this issue, we present a novel Positive-Unlabeled Learning Tree (PUtree) algorithm. PUtree is designed to take into account communities such as different age or income brackets, in tasks of chronic disease prediction. We propose a novel approach for binary decision-making, which hierarchically builds community-based PU models and then aggregates their deliverables. Our method can explicate each PU model on the tree for the optimized non-leaf PU node splitting. Furthermore, a mask-recovery data augmentation strategy enables sufficient training of the model in individual communities. Additionally, the proposed approach includes an adversarial PU risk estimator to capture hierarchical PU-relationships, and a model fusion network that integrates data from each tree path, resulting in robust binary classification results. We demonstrate the superior performance of PUtree as well as its variants on two benchmarks and a new diabetes-prediction dataset., Comment: Accepted by CIKM 2023 as a long paper

Published
2023

37. Efficient Query-Based Attack against ML-Based Android Malware Detection under Zero Knowledge Setting

Author

He, Ping, Xia, Yifan, Zhang, Xuhong, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Machine Learning, Computer Science - Software Engineering
Abstract

The widespread adoption of the Android operating system has made malicious Android applications an appealing target for attackers. Machine learning-based (ML-based) Android malware detection (AMD) methods are crucial in addressing this problem; however, their vulnerability to adversarial examples raises concerns. Current attacks against ML-based AMD methods demonstrate remarkable performance but rely on strong assumptions that may not be realistic in real-world scenarios, e.g., the knowledge requirements about feature space, model parameters, and training dataset. To address this limitation, we introduce AdvDroidZero, an efficient query-based attack framework against ML-based AMD methods that operates under the zero knowledge setting. Our extensive evaluation shows that AdvDroidZero is effective against various mainstream ML-based AMD methods, in particular, state-of-the-art such methods and real-world antivirus solutions., Comment: To Appear in the ACM Conference on Computer and Communications Security, November, 2023

Published
2023

38. UVSCAN: Detecting Third-Party Component Usage Violations in IoT Firmware

Author

Zhao, Binbin, Ji, Shouling, Zhang, Xuhong, Tian, Yuan, Wang, Qinying, Pu, Yuwen, Lyu, Chenyang, and Beyah, Raheem

Subjects
Computer Science - Cryptography and Security
Abstract

Nowadays, IoT devices integrate a wealth of third-party components (TPCs) in firmware to shorten the development cycle. TPCs usually have strict usage specifications, e.g., checking the return value of the function. Violating the usage specifications of TPCs can cause serious consequences, e.g., NULL pointer dereference. Therefore, this massive amount of TPC integrations, if not properly implemented, will lead to pervasive vulnerabilities in IoT devices. Detecting vulnerabilities automatically in TPC integration is challenging from several perspectives: (1) There is a gap between the high-level specifications from TPC documents, and the low-level implementations in the IoT firmware. (2) IoT firmware is mostly the closed-source binary, which loses a lot of information when compiling from the source code and has diverse architectures. To address these challenges, we design and implement UVScan, an automated and scalable system to detect TPC usage violations in IoT firmware. In UVScan, we first propose a novel natural language processing (NLP)-based rule extraction framework, which extracts API specifications from inconsistently formatted TPC documents. We then design a rule-driven NLP-guided binary analysis engine, which maps the logical information from the high-level TPC document to the low-level binary, and detects TPC usage violations in IoT firmware across different architectures. We evaluate UVScan from four perspectives on four popular TPCs and six ground-truth datasets. The results show that UVScan achieves more than 70% precision and recall, and has a significant performance improvement compared with even the source-level API misuse detectors., Comment: Accepted as a full paper at USENIX Security '23

Published
2023

39. Tram: A Token-level Retrieval-augmented Mechanism for Source Code Summarization

Author

Ye, Tong, Wu, Lingfei, Ma, Tengfei, Zhang, Xuhong, Du, Yangkai, Liu, Peiyu, Ji, Shouling, and Wang, Wenhai

Subjects
Computer Science - Artificial Intelligence
Abstract

Automatically generating human-readable text describing the functionality of a program is the intent of source code summarization. Although neural language models achieve significant performance in this field, they are limited by their inability to access external knowledge. To address this limitation, an emerging trend is combining neural models with external knowledge through retrieval methods. Previous methods have relied on the sentence-level retrieval paradigm on the encoder side. However, this paradigm is coarse-grained, noise-filled and cannot directly take advantage of the high-quality retrieved summary tokens on the decoder side. In this paper, we propose a fine-grained Token-level retrieval-augmented mechanism (Tram) on the decoder side rather than the encoder side to enhance the performance of neural models and produce more low-frequency tokens in generating summaries. Furthermore, to overcome the challenge of token-level retrieval in capturing contextual code semantics, we also propose integrating code semantics into individual summary tokens. The results of extensive experiments and human evaluation show that our token-level retrieval-augmented approach significantly improves performance and is more interpretable., Comment: NAACL 2024 Findings

Published
2023

40. Diff-ID: An Explainable Identity Difference Quantification Framework for DeepFake Detection

Author

Yu, Chuer, Zhang, Xuhong, Duan, Yuxuan, Yan, Senbo, Wang, Zonghui, Xiang, Yang, Ji, Shouling, and Chen, Wenzhi

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Despite the fact that DeepFake forgery detection algorithms have achieved impressive performance on known manipulations, they often face disastrous performance degradation when generalized to an unseen manipulation. Some recent works show improvement in generalization but rely on features fragile to image distortions such as compression. To this end, we propose Diff-ID, a concise and effective approach that explains and measures the identity loss induced by facial manipulations. When testing on an image of a specific person, Diff-ID utilizes an authentic image of that person as a reference and aligns them to the same identity-insensitive attribute feature space by applying a face-swapping generator. We then visualize the identity loss between the test and the reference image from the image differences of the aligned pairs, and design a custom metric to quantify the identity loss. The metric is then proved to be effective in distinguishing the forgery images from the real ones. Extensive experiments show that our approach achieves high detection performance on DeepFake images and state-of-the-art generalization ability to unknown forgery methods, while also being robust to image distortions.

Published
2023

41. Watch Out for the Confusing Faces: Detecting Face Swapping with the Probability Distribution of Face Identification Models

Author

Duan, Yuxuan, Zhang, Xuhong, Yu, Chuer, Wang, Zonghui, Ji, Shouling, and Chen, Wenzhi

Subjects
Computer Science - Computer Vision and Pattern Recognition
Abstract

Recently, face swapping has been developing rapidly and achieved a surprising reality, raising concerns about fake content. As a countermeasure, various detection approaches have been proposed and achieved promising performance. However, most existing detectors struggle to maintain performance on unseen face swapping methods and low-quality images. Apart from the generalization problem, current detection approaches have been shown vulnerable to evasion attacks crafted by detection-aware manipulators. Lack of robustness under adversary scenarios leaves threats for applying face swapping detection in real world. In this paper, we propose a novel face swapping detection approach based on face identification probability distributions, coined as IdP_FSD, to improve the generalization and robustness. IdP_FSD is specially designed for detecting swapped faces whose identities belong to a finite set, which is meaningful in real-world applications. Compared with previous general detection methods, we make use of the available real faces with concerned identities and require no fake samples for training. IdP_FSD exploits face swapping's common nature that the identity of swapped face combines that of two faces involved in swapping. We reflect this nature with the confusion of a face identification model and measure the confusion with the maximum value of the output probability distribution. What's more, to defend our detector under adversary scenarios, an attention-based finetuning scheme is proposed for the face identification models used in IdP_FSD. Extensive experiments show that the proposed IdP_FSD not only achieves high detection performance on different benchmark datasets and image qualities but also raises the bar for manipulators to evade the detection.

Published
2023

42. Edge Deep Learning Model Protection via Neuron Authorization

Author

Chen, Jinyin, Zheng, Haibin, Liu, Tao, Li, Rongchang, Cheng, Yao, Zhang, Xuhong, and Ji, Shouling

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

With the development of deep learning processors and accelerators, deep learning models have been widely deployed on edge devices as part of the Internet of Things. Edge device models are generally considered as valuable intellectual properties that are worth for careful protection. Unfortunately, these models have a great risk of being stolen or illegally copied. The existing model protections using encryption algorithms are suffered from high computation overhead which is not practical due to the limited computing capacity on edge devices. In this work, we propose a light-weight, practical, and general Edge device model Pro tection method at neuron level, denoted as EdgePro. Specifically, we select several neurons as authorization neurons and set their activation values to locking values and scale the neuron outputs as the "asswords" during training. EdgePro protects the model by ensuring it can only work correctly when the "passwords" are met, at the cost of encrypting and storing the information of the "passwords" instead of the whole model. Extensive experimental results indicate that EdgePro can work well on the task of protecting on datasets with different modes. The inference time increase of EdgePro is only 60% of state-of-the-art methods, and the accuracy loss is less than 1%. Additionally, EdgePro is robust against adaptive attacks including fine-tuning and pruning, which makes it more practical in real-world applications. EdgePro is also open sourced to facilitate future research: https://github.com/Leon022/Edg

Published
2023

43. MINER: A Hybrid Data-Driven Approach for REST API Fuzzing

Author

Lyu, Chenyang, Xu, Jiacheng, Ji, Shouling, Zhang, Xuhong, Wang, Qinying, Zhao, Binbin, Pan, Gaoning, Cao, Wei, and Beyah, Raheem

Subjects
Computer Science - Cryptography and Security
Abstract

In recent years, REST API fuzzing has emerged to explore errors on a cloud service. Its performance highly depends on the sequence construction and request generation. However, existing REST API fuzzers have trouble generating long sequences with well-constructed requests to trigger hard-to-reach states in a cloud service, which limits their performance of finding deep errors and security bugs. Further, they cannot find the specific errors caused by using undefined parameters during request generation. Therefore, in this paper, we propose a novel hybrid data-driven solution, named MINER, with three new designs working together to address the above limitations. First, MINER collects the valid sequences whose requests pass the cloud service's checking as the templates, and assigns more executions to long sequence templates. Second, to improve the generation quality of requests in a sequence template, MINER creatively leverages the state-of-the-art neural network model to predict key request parameters and provide them with appropriate parameter values. Third, MINER implements a new data-driven security rule checker to capture the new kind of errors caused by undefined parameters. We evaluate MINER against the state-of-the-art fuzzer RESTler on GitLab, Bugzilla, and WordPress via 11 REST APIs. The results demonstrate that the average pass rate of MINER is 23.42% higher than RESTler. MINER finds 97.54% more unique errors than RESTler on average and 142.86% more reproducible errors after manual analysis. We have reported all the newly found errors, and 7 of them have been confirmed as logic bugs by the corresponding vendors., Comment: Accepted as a full paper at USENIX Security '23

Published
2023

44. FreeEagle: Detecting Complex Neural Trojans in Data-Free Cases

Author

Fu, Chong, Zhang, Xuhong, Ji, Shouling, Wang, Ting, Lin, Peng, Feng, Yanghe, and Yin, Jianwei

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

Trojan attack on deep neural networks, also known as backdoor attack, is a typical threat to artificial intelligence. A trojaned neural network behaves normally with clean inputs. However, if the input contains a particular trigger, the trojaned model will have attacker-chosen abnormal behavior. Although many backdoor detection methods exist, most of them assume that the defender has access to a set of clean validation samples or samples with the trigger, which may not hold in some crucial real-world cases, e.g., the case where the defender is the maintainer of model-sharing platforms. Thus, in this paper, we propose FreeEagle, the first data-free backdoor detection method that can effectively detect complex backdoor attacks on deep neural networks, without relying on the access to any clean samples or samples with the trigger. The evaluation results on diverse datasets and model architectures show that FreeEagle is effective against various complex backdoor attacks, even outperforming some state-of-the-art non-data-free backdoor detection methods., Comment: Accepted by USENIX Security 2023

Published
2023

45. TextDefense: Adversarial Text Detection based on Word Importance Entropy

Author

Shen, Lujia, Zhang, Xuhong, Ji, Shouling, Pu, Yuwen, Ge, Chunpeng, Yang, Xing, and Feng, Yanghe

Subjects
Computer Science - Computation and Language, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security
Abstract

Currently, natural language processing (NLP) models are wildly used in various scenarios. However, NLP models, like all deep models, are vulnerable to adversarially generated text. Numerous works have been working on mitigating the vulnerability from adversarial attacks. Nevertheless, there is no comprehensive defense in existing works where each work targets a specific attack category or suffers from the limitation of computation overhead, irresistible to adaptive attack, etc. In this paper, we exhaustively investigate the adversarial attack algorithms in NLP, and our empirical studies have discovered that the attack algorithms mainly disrupt the importance distribution of words in a text. A well-trained model can distinguish subtle importance distribution differences between clean and adversarial texts. Based on this intuition, we propose TextDefense, a new adversarial example detection framework that utilizes the target model's capability to defend against adversarial attacks while requiring no prior knowledge. TextDefense differs from previous approaches, where it utilizes the target model for detection and thus is attack type agnostic. Our extensive experiments show that TextDefense can be applied to different architectures, datasets, and attack methods and outperforms existing methods. We also discover that the leading factor influencing the performance of TextDefense is the target model's generalizability. By analyzing the property of the target model and the property of the adversarial example, we provide our insights into the adversarial attacks in NLP and the principles of our defense method.

Published
2023

46. One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware

Author

Zhao, Binbin, Ji, Shouling, Xu, Jiacheng, Tian, Yuan, Wei, Qiuyang, Wang, Qinying, Lyu, Chenyang, Zhang, Xuhong, Lin, Changting, Wu, Jingzheng, and Beyah, Raheem

Subjects
Computer Science - Cryptography and Security
Abstract

Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the security risks raised by TPCs on $34,136$ firmware images. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security risks in firmware and discovers some well-known vulnerabilities are still rooted in firmware. Besides, we explore the geographical distribution of vulnerable devices and confirm that the security situation of devices in different regions varies. Our analysis also indicates that vulnerabilities caused by TPCs in firmware keep growing with the boom of the IoT ecosystem. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Published
2022

47. HashVFL: Defending Against Data Reconstruction Attacks in Vertical Federated Learning

Author

Qiu, Pengyu, Zhang, Xuhong, Ji, Shouling, Fu, Chong, Yang, Xing, and Wang, Ting

Subjects
Computer Science - Cryptography and Security, Computer Science - Machine Learning
Abstract

Vertical Federated Learning (VFL) is a trending collaborative machine learning model training solution. Existing industrial frameworks employ secure multi-party computation techniques such as homomorphic encryption to ensure data security and privacy. Despite these efforts, studies have revealed that data leakage remains a risk in VFL due to the correlations between intermediate representations and raw data. Neural networks can accurately capture these correlations, allowing an adversary to reconstruct the data. This emphasizes the need for continued research into securing VFL systems. Our work shows that hashing is a promising solution to counter data reconstruction attacks. The one-way nature of hashing makes it difficult for an adversary to recover data from hash codes. However, implementing hashing in VFL presents new challenges, including vanishing gradients and information loss. To address these issues, we propose HashVFL, which integrates hashing and simultaneously achieves learnability, bit balance, and consistency. Experimental results indicate that HashVFL effectively maintains task performance while defending against data reconstruction attacks. It also brings additional benefits in reducing the degree of label leakage, mitigating adversarial attacks, and detecting abnormal inputs. We hope our work will inspire further research into the potential applications of HashVFL.

Published
2022
Full Text
View/download PDF

48. Hijack Vertical Federated Learning Models As One Party

Author

Qiu, Pengyu, Zhang, Xuhong, Ji, Shouling, Li, Changjiang, Pu, Yuwen, Yang, Xing, and Wang, Ting

Subjects
Computer Science - Machine Learning, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security
Abstract

Vertical federated learning (VFL) is an emerging paradigm that enables collaborators to build machine learning models together in a distributed fashion. In general, these parties have a group of users in common but own different features. Existing VFL frameworks use cryptographic techniques to provide data privacy and security guarantees, leading to a line of works studying computing efficiency and fast implementation. However, the security of VFL's model remains underexplored., Comment: https://doi.ieeecomputersociety.org/10.1109/TDSC.2024.3358081

Published
2022
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results