Analyzing the Differentially Private Theil-Sen Estimator for Simple Linear Regression
In this paper, we study differentially private point and confidence interval estimators for simple linear regression. Motivated by recent work that highlights the strong empirical performance of an algorithm based on robust statistics, DPTheilSen, we provide a rigorous, finite-sample analysis of its privacy and accuracy properties, offer guidance on setting hyperparameters, and show how to produce differentially private confidence intervals to accompany its point estimates.
Updated: 2024-03-11 23:28:06
标题: 分析简单线性回归中的差分隐私Theil-Sen估计器
摘要: 在本文中,我们研究了简单线性回归的差分隐私点估计和置信区间估计器。受到最近一项研究的启发,该研究强调了基于稳健统计的算法DPTheilSen的优异实证表现,我们提供了对其隐私和精确性属性的严格有限样本分析,提供了有关设置超参数的指导,并展示了如何生成与其点估计相配套的差分隐私置信区间。
更新时间: 2024-03-11 23:28:06
领域: cs.CR,stat.AP
Secure Decentralized Learning with Blockchain
Federated Learning (FL) is a well-known paradigm of distributed machine learning on mobile and IoT devices, which preserves data privacy and optimizes communication efficiency. To avoid the single point of failure problem in FL, decentralized federated learning (DFL) has been proposed to use peer-to-peer communication for model aggregation, which has been considered an attractive solution for machine learning tasks on distributed personal devices. However, this process is vulnerable to attackers who share false models and data. If there exists a group of malicious clients, they might harm the performance of the model by carrying out a poisoning attack. In addition, in DFL, clients often lack the incentives to contribute their computing powers to do model training. In this paper, we proposed Blockchain-based Decentralized Federated Learning (BDFL), which leverages a blockchain for decentralized model verification and auditing. BDFL includes an auditor committee for model verification, an incentive mechanism to encourage the participation of clients, a reputation model to evaluate the trustworthiness of clients, and a protocol suite for dynamic network updates. Evaluation results show that, with the reputation mechanism, BDFL achieves fast model convergence and high accuracy on real datasets even if there exist 30\% malicious clients in the system.
Updated: 2024-03-11 21:52:12
标题: 区块链实现的安全去中心化学习
摘要: 联邦学习(FL)是一种在移动和物联网设备上进行分布式机器学习的众所周知的范式,它保护数据隐私并优化通信效率。为了避免FL中的单点故障问题,提出了去中心化的联邦学习(DFL)来利用点对点通信进行模型聚合,这被认为是分布式个人设备上机器学习任务的吸引人的解决方案。然而,这个过程容易受到共享虚假模型和数据的攻击者的攻击。如果存在一组恶意客户端,它们可能通过进行毒化攻击来损害模型的性能。此外,在DFL中,客户端经常缺乏动力来贡献他们的计算能力进行模型训练。在本文中,我们提出了基于区块链的去中心化联邦学习(BDFL),利用区块链进行去中心化模型验证和审计。BDFL包括一个模型验证的审计委员会,一个激励机制来鼓励客户端的参与,一个评估客户端信誉的声誉模型,以及一个用于动态网络更新的协议套件。评估结果显示,通过声誉机制,即使系统中存在30%的恶意客户端,BDFL也能在真实数据集上实现快速模型收敛和高准确性。
更新时间: 2024-03-11 21:52:12
领域: cs.CR,cs.LG,I.2.11; C.2.4
Textual analysis of End User License Agreement for red-flagging potentially malicious software
New software and updates are downloaded by end users every day. Each dowloaded software has associated with it an End Users License Agreements (EULA), but this is rarely read. An EULA includes information to avoid legal repercussions. However,this proposes a host of potential problems such as spyware or producing an unwanted affect in the target system. End users do not read these EULA's because of length of the document and users find it extremely difficult to understand. Text summarization is one of the relevant solution to these kind of problems. This require a solution which can summarize the EULA and classify the EULA as "Benign" or "Malicious". We propose a solution in which we have summarize the EULA and classify the EULA as "Benign" or "Malicious". We extract EULA text of different sofware's then we classify the text using eight different supervised classifiers. we use ensemble learning to classify the EULA as benign or malicious using five different text summarization methods. An accuracy of $95.8$\% shows the effectiveness of the presented approach.
Updated: 2024-03-11 20:45:27
标题: 对潜在恶意软件进行标记的最终用户许可协议的文本分析
摘要: 每天都有终端用户下载新软件和更新。每个下载的软件都附带一个最终用户许可协议(EULA),但这很少被阅读。EULA包含了避免法律后果的信息。然而,这提出了一系列潜在问题,如间谍软件或在目标系统中产生不良影响。终端用户不阅读这些EULA,因为文件长度过长,用户发现非常难以理解。文本摘要是这类问题的一个相关解决方案。这需要一种能够概括EULA并将其分类为“良性”或“恶意”的解决方案。我们提出了一种解决方案,其中我们概括了EULA并将其分类为“良性”或“恶意”。我们提取了不同软件的EULA文本,然后使用八种不同的监督分类器对文本进行分类。我们使用集成学习来使用五种不同的文本摘要方法将EULA分类为良性或恶意。95.8%的准确度显示了所提出方法的有效性。
更新时间: 2024-03-11 20:45:27
领域: cs.SE,cs.CL,cs.CR,cs.LG
Don't Forget What I did?: Assessing Client Contributions in Federated Learning
Federated Learning (FL) is a collaborative machine learning (ML) approach, where multiple clients participate in training an ML model without exposing the private data. Fair and accurate assessment of client contributions is an important problem in FL to facilitate incentive allocation and encouraging diverse clients to participate in a unified model training. Existing methods for assessing client contribution adopts co-operative game-theoretic concepts, such as Shapley values, but under simplified assumptions. In this paper, we propose a history-aware game-theoretic framework, called FLContrib, to assess client contributions when a subset of (potentially non-i.i.d.) clients participate in each epoch of FL training. By exploiting the FL training process and linearity of Shapley value, we develop FLContrib that yields a historical timeline of client contributions as FL training progresses over epochs. Additionally, to assess client contribution under limited computational budget, we propose a scheduling procedure that considers a two-sided fairness criteria to perform expensive Shapley value computation only in a subset of training epochs. In experiments, we demonstrate a controlled trade-off between the correctness and efficiency of client contributions assessed via FLContrib. To demonstrate the benefits of history-aware client contributions, we apply FLContrib to detect dishonest clients conducting data poisoning in FL training.
Updated: 2024-03-11 20:39:32
标题: 不要忘记我做了什么?:评估联邦学习中客户的贡献
摘要: 联邦学习(FL)是一种协作式机器学习(ML)方法,多个客户端参与训练一个ML模型,而不暴露私人数据。在FL中,公平而准确地评估客户端贡献是一个重要问题,以促进激励分配并鼓励多样化的客户端参与统一模型训练。现有的评估客户端贡献的方法采用合作博弈理论概念,如Shapley值,但在简化的假设下。本文提出了一个称为FLContrib的历史感知博弈理论框架,用于评估当每个时期的FL训练中的一个子集(可能是非独立同分布)客户端参与时的客户端贡献。通过利用FL训练过程和Shapley值的线性性,我们开发了FLContrib,它产生客户端贡献的历史时间线,随着FL训练在各个时期的进行。此外,为了在有限的计算预算下评估客户端贡献,我们提出了一个调度程序,考虑了一个两边公平标准,仅在一部分训练时期中执行昂贵的Shapley值计算。在实验中,我们展示了通过FLContrib评估的客户端贡献的正确性和效率之间的受控权衡。为了展示历史感知的客户端贡献的好处,我们将FLContrib应用于检测在FL训练中进行数据中毒的不诚实客户端。
更新时间: 2024-03-11 20:39:32
领域: cs.LG,cs.AI,cs.CR
DeepSec: Deciding Equivalence Properties for Security Protocols -- Improved theory and practice
Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.
Updated: 2024-03-11 18:06:10
标题: DeepSec:决定安全协议的等价性属性 - 改进的理论和实践
摘要: 自动验证已成为加密协议安全评估中不可或缺的一部分。在此背景下,隐私类型属性常常被建模为在过程演算中表达的不可区分性陈述,即行为等价性。本文既对该验证问题的理论又对实践做出了贡献。我们为静态等价性、迹等价性和标记的双模拟性建立了新的复杂性结果,并在协议会话数量有限的情况下提供了这些等价性的决策过程。我们的过程是第一个能够准确决定大量加密原语的迹等价性和标记的双模拟性的工具--即可由一个子项收敛析取重写系统表示的原语。我们还在一个新工具DeepSec 中实现了这个过程。通过广泛的实验,我们展示了它比其他类似工具更高效,同时扩大了可以分析的协议范围。
更新时间: 2024-03-11 18:06:10
领域: cs.CR,C.2.2; D.2.4; F.3.1
DT-DDNN: A Physical Layer Security Attack Detector in 5G RF Domain for CAVs
The Synchronization Signal Block (SSB) is a fundamental component of the 5G New Radio (NR) air interface, crucial for the initial access procedure of Connected and Automated Vehicles (CAVs), and serves several key purposes in the network's operation. However, due to the predictable nature of SSB transmission, including the Primary and Secondary Synchronization Signals (PSS and SSS), jamming attacks are critical threats. These attacks, which can be executed without requiring high power or complex equipment, pose substantial risks to the 5G network, particularly as a result of the unencrypted transmission of control signals. Leveraging RF domain knowledge, this work presents a novel deep learning-based technique for detecting jammers in CAV networks. Unlike the existing jamming detection algorithms that mostly rely on network parameters, we introduce a double-threshold deep learning jamming detector by focusing on the SSB. The detection method is focused on RF domain features and improves the robustness of the network without requiring integration with the pre-existing network infrastructure. By integrating a preprocessing block to extract PSS correlation and energy per null resource elements (EPNRE) characteristics, our method distinguishes between normal and jammed received signals with high precision. Additionally, by incorporating of Discrete Wavelet Transform (DWT), the efficacy of training and detection are optimized. A double-threshold double Deep Neural Network (DT-DDNN) is also introduced to the architecture complemented by a deep cascade learning model to increase the sensitivity of the model to variations of signal-to-jamming noise ratio (SJNR). Results show that the proposed method achieves 96.4% detection rate in extra low jamming power, i.e., SJNR between 15 to 30 dB. Further, performance of DT-DDNN is validated by analyzing real 5G signals obtained from a practical testbed.
Updated: 2024-03-11 17:25:14
标题: DT-DDNN:一种用于CAVs的5G射频领域物理层安全攻击检测器
摘要: 同步信号块(SSB)是5G新无线电(NR)空中接口的基本组成部分,对于连接和自动化车辆(CAVs)的初始访问过程至关重要,并在网络运行中起着几个关键作用。然而,由于SSB传输的可预测性,包括主要和次要同步信号(PSS和SSS),干扰攻击是重要威胁。这些攻击可以在不需要高功率或复杂设备的情况下执行,对5G网络构成重大风险,特别是由于控制信号的未加密传输。利用射频领域知识,本文提出了一种基于深度学习的新型技术,用于检测CAV网络中的干扰器。与现有的干扰检测算法大多依赖于网络参数不同,我们通过专注于SSB引入了双阈值深度学习干扰检测器。检测方法专注于射频领域特征,提高了网络的稳健性,而不需要与现有网络基础设施集成。通过集成一个预处理块来提取PSS相关性和每个空载资源元素的能量(EPNRE)特征,我们的方法可以高精度地区分正常和受干扰的接收信号。此外,通过结合离散小波变换(DWT),培训和检测的效能得到了优化。还引入了双阈值双深度神经网络(DT-DDNN)到架构中,并辅以深层级联学习模型,以增加模型对信号与干扰噪声比(SJNR)变化的敏感性。结果表明,所提出的方法在额外低干扰功率下(即SJNR在15至30 dB之间)实现了96.4%的检测率。此外,通过分析从实际测试平台获得的真实5G信号,验证了DT-DDNN的性能。
更新时间: 2024-03-11 17:25:14
领域: eess.SP,cs.CR,cs.LG,cs.NI
RSBA: Robust Statistical Backdoor Attack under Privilege-Constrained Scenarios
Learning-based systems have been demonstrated to be vulnerable to backdoor attacks, wherein malicious users manipulate model performance by injecting backdoors into the target model and activating them with specific triggers. Previous backdoor attack methods primarily focused on two key metrics: attack success rate and stealthiness. However, these methods often necessitate significant privileges over the target model, such as control over the training process, making them challenging to implement in real-world scenarios. Moreover, the robustness of existing backdoor attacks is not guaranteed, as they prove sensitive to defenses such as image augmentations and model distillation. In this paper, we address these two limitations and introduce RSBA (Robust Statistical Backdoor Attack under Privilege-constrained Scenarios). The key insight of RSBA is that statistical features can naturally divide images into different groups, offering a potential implementation of triggers. This type of trigger is more robust than manually designed ones, as it is widely distributed in normal images. By leveraging these statistical triggers, RSBA enables attackers to conduct black-box attacks by solely poisoning the labels or the images. We empirically and theoretically demonstrate the robustness of RSBA against image augmentations and model distillation. Experimental results show that RSBA achieves a 99.83\% attack success rate in black-box scenarios. Remarkably, it maintains a high success rate even after model distillation, where attackers lack access to the training dataset of the student model (1.39\% success rate for baseline methods on average).
Updated: 2024-03-11 17:14:40
标题: RSBA:特权受限情况下的稳健统计后门攻击
摘要: 基于学习的系统已经被证明容易受到后门攻击的影响,恶意用户通过向目标模型注入后门并使用特定触发器来操纵模型性能。先前的后门攻击方法主要关注两个关键指标:攻击成功率和隐蔽性。然而,这些方法通常需要对目标模型具有重要的特权,比如控制训练过程,使得它们在现实场景中难以实施。此外,现有后门攻击的鲁棒性不能得到保证,因为它们对诸如图像增强和模型蒸馏等防御措施敏感。在本文中,我们解决了这两个限制,并引入了RSBA(在受特权约束的情况下进行鲁棒的统计后门攻击)。RSBA的关键见解是统计特征可以自然地将图像分成不同的组,提供了潜在实施触发器的可能性。这种类型的触发器比手动设计的更为鲁棒,因为它广泛分布在正常图像中。通过利用这些统计触发器,RSBA使攻击者能够通过仅污染标签或图像来进行黑盒攻击。我们从经验和理论上证明了RSBA对图像增强和模型蒸馏的鲁棒性。实验结果显示,RSBA在黑盒场景中实现了99.83\%的攻击成功率。值得注意的是,即使在模型蒸馏之后,攻击者无法访问学生模型的训练数据集的情况下,它仍然保持了很高的成功率(平均为基准方法的1.39\%)。
更新时间: 2024-03-11 17:14:40
领域: cs.CR,cs.AI,cs.CV
Unlink to Unlearn: Simplifying Edge Unlearning in GNNs
As concerns over data privacy intensify, unlearning in Graph Neural Networks (GNNs) has emerged as a prominent research frontier in academia. This concept is pivotal in enforcing the \textit{right to be forgotten}, which entails the selective removal of specific data from trained GNNs upon user request. Our research focuses on edge unlearning, a process of particular relevance to real-world applications. Current state-of-the-art approaches like GNNDelete can eliminate the influence of specific edges yet suffer from \textit{over-forgetting}, which means the unlearning process inadvertently removes excessive information beyond needed, leading to a significant performance decline for remaining edges. Our analysis identifies the loss functions of GNNDelete as the primary source of over-forgetting and also suggests that loss functions may be redundant for effective edge unlearning. Building on these insights, we simplify GNNDelete to develop \textbf{Unlink to Unlearn} (UtU), a novel method that facilitates unlearning exclusively through unlinking the forget edges from graph structure. Our extensive experiments demonstrate that UtU delivers privacy protection on par with that of a retrained model while preserving high accuracy in downstream tasks, by upholding over 97.3\% of the retrained model's privacy protection capabilities and 99.8\% of its link prediction accuracy. Meanwhile, UtU requires only constant computational demands, underscoring its advantage as a highly lightweight and practical edge unlearning solution.
Updated: 2024-03-11 17:08:36
标题: 解除链接以消除学习:简化GNN中的边缘去学习
摘要: 随着对数据隐私的担忧加剧,图神经网络(GNNs)中的遗忘(unlearning)已成为学术界一个突出的研究前沿。这个概念在强化“被遗忘的权利”方面至关重要,这意味着根据用户请求有选择地从经过训练的GNNs中删除特定数据。我们的研究集中在边的遗忘上,这是与现实世界应用特别相关的一个过程。目前的技术水平如GNNDelete可以消除特定边的影响,但存在“过度遗忘”的问题,这意味着遗忘过程无意中移除了超出需要的过多信息,导致剩余边的性能显著下降。我们的分析确定了GNNDelete的损失函数作为过度遗忘的主要来源,并且还提出损失函数对于有效的边遗忘可能是多余的。基于这些见解,我们简化了GNNDelete,开发出了一种新方法“Unlink to Unlearn”(UtU),通过仅仅通过从图结构中取消遗忘边来促进遗忘。我们的广泛实验表明,UtU提供了与重新训练模型相当的隐私保护效果,同时在下游任务中保持高准确性,保持了超过97.3%的重新训练模型的隐私保护能力和99.8%的链接预测准确性。同时,UtU只需要恒定的计算需求,突出了它作为一种高度轻量级和实用的边遗忘解决方案的优势。
更新时间: 2024-03-11 17:08:36
领域: cs.LG,cs.AI,cs.CR
Towards Incident Response Orchestration and Automation for the Advanced Metering Infrastructure
The threat landscape of industrial infrastructures has expanded exponentially over the last few years. Such infrastructures include services such as the smart meter data exchange that should have real-time availability. Smart meters constitute the main component of the Advanced Metering Infrastructure, and their measurements are also used as historical data for forecasting the energy demand to avoid load peaks that could lead to blackouts within specific areas. Hence, a comprehensive Incident Response plan must be in place to ensure high service availability in case of cyber-attacks or operational errors. Currently, utility operators execute such plans mostly manually, requiring extensive time, effort, and domain expertise, and they are prone to human errors. In this paper, we present a method to provide an orchestrated and highly automated Incident Response plan targeting specific use cases and attack scenarios in the energy sector, including steps for preparedness, detection and analysis, containment, eradication, recovery, and post-incident activity through the use of playbooks. In particular, we use the OASIS Collaborative Automated Course of Action Operations (CACAO) standard to define highly automatable workflows in support of cyber security operations for the Advanced Metering Infrastructure. The proposed method is validated through an Advanced Metering Infrastructure testbed where the most prominent cyber-attacks are emulated, and playbooks are instantiated to ensure rapid response for the containment and eradication of the threat, business continuity on the smart meter data exchange service, and compliance with incident reporting requirements.
Updated: 2024-03-11 16:58:13
标题: 朝着高级计量基础设施的事件响应编排和自动化发展
摘要: 在过去几年中,工业基础设施的威胁形势呈指数级增长。这些基础设施包括智能电表数据交换等服务,应具有实时可用性。智能电表构成了先进计量基础设施的主要组成部分,它们的测量数据也被用作历史数据,用于预测能源需求,以避免可能导致特定区域停电的负载峰值。因此,必须制定一项全面的事件响应计划,以确保在网络攻击或操作错误发生时能保持高服务可用性。目前,实用程序操作员大多手动执行此类计划,需要大量时间、精力和领域专业知识,且容易出现人为错误。在本文中,我们提出了一种方法,通过使用playbooks,为目标特定用例和能源部门中的攻击场景提供编排和高度自动化的事件响应计划,包括准备、检测和分析、限制、消除、恢复和事后活动步骤。具体来说,我们使用OASIS Collaborative Automated Course of Action Operations(CACAO)标准来定义高度可自动化的工作流程,以支持先进计量基础设施的网络安全运营。通过一个先进计量基础设施实验平台对所提出的方法进行验证,模拟最突出的网络攻击,并实例化playbooks,以确保对威胁进行限制和消除的快速响应,智能电表数据交换服务的业务连续性,以及符合事件报告要求。
更新时间: 2024-03-11 16:58:13
领域: cs.CR
DID:RING: Ring Signatures using Decentralised Identifiers For Privacy-Aware Identity
Decentralised identifiers have become a standardised element of digital identity architecture, with supra-national organisations such as the European Union adopting them as a key component for a unified European digital identity ledger. This paper delves into enhancing security and privacy features within decentralised identifiers by integrating ring signatures as an alternative verification method. This allows users to identify themselves through digital signatures without revealing which public key they used. To this end, the study proposed a novel decentralised identity method showcased in a decentralised identifier-based architectural framework. Additionally, the investigation assesses the repercussions of employing this new method in the verification process, focusing specifically on privacy and security aspects. Although ring signatures are an established asset of cryptographic protocols, this paper seeks to leverage their capabilities in the evolving domain of digital identities.
Updated: 2024-03-11 15:20:37
标题: DID:RING:使用分散标识符的环签名,用于隐私感知身份
摘要: 去中心化标识已经成为数字身份架构的标准化要素,欧盟等跨国组织将其作为统一欧洲数字身份分类帐的关键组成部分。本文探讨了通过集成环签名作为替代验证方法来增强去中心化标识中的安全和隐私功能。这使用户能够通过数字签名来识别自己,而不会透露他们使用的公钥是哪一个。为此,该研究提出了一种新颖的去中心化身份方法,展示了基于去中心化标识的架构框架。此外,调查评估了在验证过程中采用这种新方法的后果,特别关注隐私和安全方面。尽管环签名是密码协议的一个成熟资产,但本文旨在利用它们在数字身份不断发展的领域中的能力。
更新时间: 2024-03-11 15:20:37
领域: cs.CR
Unprotected 4G/5G Control Procedures at Low Layers Considered Dangerous
Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.
Updated: 2024-03-11 13:42:05
标题: 低层未受保护的4G/5G控制程序被认为是危险的
摘要: 多年来,文献中展示了3GPP蜂窝系统中的几个安全漏洞。大多数研究集中在蜂窝无线堆栈的较高层,如RRC和NAS,这些层受到加密保护。然而,堆栈的较低层,如PHY和MAC,虽然既没有加密也没有完整性保护,但却没有受到深入研究。此外,5G的最新版本显著增加了低层控制消息和过程的数量。蜂窝标准的复杂性和跨层操作的高度使得关于安全性的推理变得非常复杂,并需要系统分析。我们研究了每个物理信道传输的控制过程,并发现当前的蜂窝系统容易受到由于信息泄漏而导致的几种新的被动攻击,以及通过注入MAC和PHY消息导致的主动攻击。例如,我们发现波束成形信息泄漏使得基于指纹的用户定位和跟踪成为可能。我们确定了一些主动攻击,通过禁用UE的射频前端降低用户的吞吐量,通过诱使其他连接的UE充当干扰器来破坏用户通信,或者偷偷断开活跃用户的连接。我们对各种场景中的COTS UE进行了攻击评估,并通过测量三个国家的当前运营商配置来证明其实用性。我们的结果表明,攻击者可以在很大程度上准确地定位用户,定位精度为20米的时间达到96%,以90%的概率追踪用户的移动路径,在2秒内通过伪造39位DCI降低吞吐量超过95%,并断开用户连接。
更新时间: 2024-03-11 13:42:05
领域: cs.CR
Poisoning Programs by Un-Repairing Code: Security Concerns of AI-generated Code
AI-based code generators have gained a fundamental role in assisting developers in writing software starting from natural language (NL). However, since these large language models are trained on massive volumes of data collected from unreliable online sources (e.g., GitHub, Hugging Face), AI models become an easy target for data poisoning attacks, in which an attacker corrupts the training data by injecting a small amount of poison into it, i.e., astutely crafted malicious samples. In this position paper, we address the security of AI code generators by identifying a novel data poisoning attack that results in the generation of vulnerable code. Next, we devise an extensive evaluation of how these attacks impact state-of-the-art models for code generation. Lastly, we discuss potential solutions to overcome this threat.
Updated: 2024-03-11 12:47:04
标题: 通过未修复代码来毒化程序:AI生成代码的安全问题
摘要: 基于人工智能的代码生成器在帮助开发人员从自然语言(NL)开始编写软件方面发挥着基本作用。然而,由于这些大型语言模型是在来自不可靠在线来源(如GitHub、Hugging Face)的庞大数据量上进行训练的,人工智能模型很容易成为数据毒化攻击的目标,即攻击者通过向其中注入少量毒素,即巧妙制作的恶意样本,来腐蚀训练数据。在这篇立场论文中,我们通过识别一种导致生成易受攻击代码的新型数据毒化攻击来讨论AI代码生成器的安全性。接下来,我们对这些攻击如何影响代码生成的最新模型进行了全面评估。最后,我们讨论了克服这种威胁的潜在解决方案。
更新时间: 2024-03-11 12:47:04
领域: cs.CR,cs.AI,cs.SE
Provable Mutual Benefits from Federated Learning in Privacy-Sensitive Domains
Cross-silo federated learning (FL) allows data owners to train accurate machine learning models by benefiting from each others private datasets. Unfortunately, the model accuracy benefits of collaboration are often undermined by privacy defenses. Therefore, to incentivize client participation in privacy-sensitive domains, a FL protocol should strike a delicate balance between privacy guarantees and end-model accuracy. In this paper, we study the question of when and how a server could design a FL protocol provably beneficial for all participants. First, we provide necessary and sufficient conditions for the existence of mutually beneficial protocols in the context of mean estimation and convex stochastic optimization. We also derive protocols that maximize the total clients' utility, given symmetric privacy preferences. Finally, we design protocols maximizing end-model accuracy and demonstrate their benefits in synthetic experiments.
Updated: 2024-03-11 12:43:44
标题: 在隐私敏感领域中,联邦学习带来的可证明的互惠好处
摘要: 跨边界联合学习(FL)允许数据所有者通过共享彼此的私人数据集来训练准确的机器学习模型。不幸的是,合作的模型准确性优势通常会受到隐私防御的影响。因此,在隐私敏感领域激励客户参与,一个FL协议应该在隐私保证和最终模型准确性之间达到微妙的平衡。在本文中,我们研究了服务器如何设计一个对所有参与者都有利的FL协议的时间和方式。首先,我们在均值估计和凸随机优化的背景下提供了存在相互有利的协议的必要和充分条件。我们还推导出在对称隐私偏好的情况下最大化总客户效用的协议。最后,我们设计了最大化最终模型准确性的协议,并在合成实验中展示了它们的好处。
更新时间: 2024-03-11 12:43:44
领域: stat.ML,cs.CR,cs.GT,cs.LG
Stealing Part of a Production Language Model
We introduce the first model-stealing attack that extracts precise, nontrivial information from black-box production language models like OpenAI's ChatGPT or Google's PaLM-2. Specifically, our attack recovers the embedding projection layer (up to symmetries) of a transformer model, given typical API access. For under \$20 USD, our attack extracts the entire projection matrix of OpenAI's Ada and Babbage language models. We thereby confirm, for the first time, that these black-box models have a hidden dimension of 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate it would cost under \$2,000 in queries to recover the entire projection matrix. We conclude with potential defenses and mitigations, and discuss the implications of possible future work that could extend our attack.
Updated: 2024-03-11 11:46:12
标题: 窃取生产语言模型的一部分
摘要: 我们介绍了第一种从黑匣子生产语言模型(如OpenAI的ChatGPT或Google的PaLM-2)中提取精确、非平凡信息的模型窃取攻击。具体而言,我们的攻击在典型的API访问情况下恢复了一个变压器模型的嵌入投影层(考虑对称性)。在不到20美元的成本下,我们的攻击提取了OpenAI的Ada和Babbage语言模型的整个投影矩阵。我们因此首次确认这些黑匣子模型分别具有隐藏维度为1024和2048。我们还恢复了gpt-3.5-turbo模型的确切隐藏维度大小,并估计恢复整个投影矩阵可能需要不到2,000美元的查询成本。我们最后总结了潜在的防御和缓解措施,并讨论了可能延伸我们攻击的未来工作的影响。
更新时间: 2024-03-11 11:46:12
领域: cs.CR
Self-Sovereign Identity for Electric Vehicle Charging
Electric Vehicles (EVs) are more and more charged at public Charge Points (CPs) using Plug-and-Charge (PnC) protocols such as the ISO 15118 standard which eliminates user interaction for authentication and authorization. Currently, this requires a rather complex Public Key Infrastructure (PKI) and enables driver tracking via the included unique identifiers. In this paper, we propose an approach for using Self-Sovereign Identities (SSIs) as trusted credentials for EV charging authentication and authorization which overcomes the privacy problems and the issues of a complex centralized PKI. Our implementation shows the feasibility of our approach with ISO 15118. The security and privacy of the proposed approach is shown in a formal analysis using the Tamarin prover.
Updated: 2024-03-11 11:43:40
标题: 电动汽车充电的自主身份验证
摘要: 电动汽车(EVs)越来越多地在公共充电站(CPs)上使用插拔式充电(PnC)协议进行充电,例如ISO 15118标准,该标准消除了用户交互进行身份验证和授权的需求。目前,这需要一个相当复杂的公钥基础设施(PKI),并且可以通过包含的唯一标识符对驾驶员进行跟踪。在本文中,我们提出了一种使用自主身份(SSIs)作为可信凭证进行EV充电身份验证和授权的方法,从而解决了隐私问题和复杂集中式PKI的问题。我们的实施表明我们的方法与ISO 15118的可行性。提出的方法的安全性和隐私性通过Tamarin证明器的正式分析得到验证。
更新时间: 2024-03-11 11:43:40
领域: cs.CR
Real is not True: Backdoor Attacks Against Deepfake Detection
The proliferation of malicious deepfake applications has ignited substantial public apprehension, casting a shadow of doubt upon the integrity of digital media. Despite the development of proficient deepfake detection mechanisms, they persistently demonstrate pronounced vulnerability to an array of attacks. It is noteworthy that the pre-existing repertoire of attacks predominantly comprises adversarial example attack, predominantly manifesting during the testing phase. In the present study, we introduce a pioneering paradigm denominated as Bad-Deepfake, which represents a novel foray into the realm of backdoor attacks levied against deepfake detectors. Our approach hinges upon the strategic manipulation of a delimited subset of the training data, enabling us to wield disproportionate influence over the operational characteristics of a trained model. This manipulation leverages inherent frailties inherent to deepfake detectors, affording us the capacity to engineer triggers and judiciously select the most efficacious samples for the construction of the poisoned set. Through the synergistic amalgamation of these sophisticated techniques, we achieve an remarkable performance-a 100% attack success rate (ASR) against extensively employed deepfake detectors.
Updated: 2024-03-11 10:57:14
标题: 真实并不是真实的:对深度伪造检测的后门攻击
摘要: 恶意深度伪造应用程序的泛滥引发了大量公众担忧,对数字媒体的完整性投下了一片阴影。尽管已开发出精通的深度伪造检测机制,但它们持续展示出对各种攻击具有显著的脆弱性。值得注意的是,现有攻击手段的主要组成部分是对抗性示例攻击,主要表现在测试阶段。在本研究中,我们引入了一种被称为Bad-Deepfake的开拓性范式,代表了对针对深度伪造检测器的后门攻击领域的一次新的尝试。我们的方法依赖于对一定数量的训练数据集进行策略性操作,使我们能够对受过训练的模型的运行特性产生不成比例的影响。这种操作利用了深度伪造检测器固有的脆弱性,使我们有能力设计触发器并谨慎选择最有效的样本来构建受污染的数据集。通过这些复杂技术的协同融合,我们实现了出色的表现——对广泛使用的深度伪造检测器达到了100%的攻击成功率(ASR)。
更新时间: 2024-03-11 10:57:14
领域: cs.CR
Towards more accurate and useful data anonymity vulnerability measures
The purpose of anonymizing structured data is to protect the privacy of individuals in the data while retaining the statistical properties of the data. There is a large body of work that examines anonymization vulnerabilities. Focusing on strong anonymization mechanisms, this paper examines a number of prominent attack papers and finds several problems, all of which lead to overstating risk. First, some papers fail to establish a correct statistical inference baseline (or any at all), leading to incorrect measures. Notably, the reconstruction attack from the US Census Bureau that led to a redesign of its disclosure method made this mistake. We propose the non-member framework, an improved method for how to compute a more accurate inference baseline, and give examples of its operation. Second, some papers don't use a realistic membership base rate, leading to incorrect precision measures if precision is reported. Third, some papers unnecessarily report measures in such a way that it is difficult or impossible to assess risk. Virtually the entire literature on membership inference attacks, dozens of papers, make one or both of these errors. We propose that membership inference papers report precision/recall values using a representative range of base rates.
Updated: 2024-03-11 10:40:08
标题: 朝着更准确和有用的数据匿名性漏洞度量方向前进
摘要: 结构化数据的匿名化的目的是保护数据中个人的隐私,同时保留数据的统计特性。有大量研究探讨了匿名化漏洞。本文关注强匿名化机制,审查了一些突出的攻击论文,发现了几个问题,这些问题都导致了风险的夸大。首先,一些论文未能建立正确的统计推断基线(或者根本没有建立),导致了错误的测量。值得注意的是,美国人口普查局进行的重建攻击导致了其披露方法的重新设计,就是因为犯了这个错误。我们提出了非成员框架,这是一种改进的方法,用于计算更准确的推断基线,并举例说明其操作。 其次,一些论文没有使用现实的成员基准率,导致了如果报告精度,就会出现错误的精度测量。第三,一些论文不必要地以一种难以或不可能评估风险的方式报告测量结果。几乎所有关于成员推断攻击的文献,数十篇论文中,都存在这两种错误中的一种或两种。我们建议成员推断论文报告使用代表性基准率范围的精度/召回值。
更新时间: 2024-03-11 10:40:08
领域: cs.CR
DNNShield: Embedding Identifiers for Deep Neural Network Ownership Verification
The surge in popularity of machine learning (ML) has driven significant investments in training Deep Neural Networks (DNNs). However, these models that require resource-intensive training are vulnerable to theft and unauthorized use. This paper addresses this challenge by introducing DNNShield, a novel approach for DNN protection that integrates seamlessly before training. DNNShield embeds unique identifiers within the model architecture using specialized protection layers. These layers enable secure training and deployment while offering high resilience against various attacks, including fine-tuning, pruning, and adaptive adversarial attacks. Notably, our approach achieves this security with minimal performance and computational overhead (less than 5\% runtime increase). We validate the effectiveness and efficiency of DNNShield through extensive evaluations across three datasets and four model architectures. This practical solution empowers developers to protect their DNNs and intellectual property rights.
Updated: 2024-03-11 10:27:36
标题: DNNShield:深度神经网络所有权验证的标识符嵌入
摘要: 机器学习(ML)的流行使深度神经网络(DNNs)的培训得到了很大的投资。然而,这些需要资源密集型培训的模型容易遭受盗窃和未经授权的使用。本文通过引入DNNShield来解决这一挑战,这是一种在培训之前无缝集成的DNN保护新方法。DNNShield通过在模型架构中嵌入唯一标识符,利用专门的保护层来实现。这些层使得培训和部署更加安全,并且对各种攻击,包括微调、修剪和自适应对抗性攻击具有高抗性。值得注意的是,我们的方法在最小的性能和计算开销下实现了这种安全性(运行时间增加不到5%)。通过在三个数据集和四个模型架构上进行广泛评估,我们验证了DNNShield的有效性和效率。这种实用解决方案使开发人员能够保护他们的DNN和知识产权。
更新时间: 2024-03-11 10:27:36
领域: cs.CR
DistriBlock: Identifying adversarial audio samples by leveraging characteristics of the output distribution
Adversarial attacks can mislead automatic speech recognition (ASR) systems into predicting an arbitrary target text, thus posing a clear security threat. To prevent such attacks, we propose DistriBlock, an efficient detection strategy applicable to any ASR system that predicts a probability distribution over output tokens in each time step. We measure a set of characteristics of this distribution: the median, maximum, and minimum over the output probabilities, the entropy of the distribution, as well as the Kullback-Leibler and the Jensen-Shannon divergence with respect to the distributions of the subsequent time step. Then, by leveraging the characteristics observed for both benign and adversarial data, we apply binary classifiers, including simple threshold-based classification, ensembles of such classifiers, and neural networks. Through extensive analysis across different state-of-the-art ASR systems and language data sets, we demonstrate the supreme performance of this approach, with a mean area under the receiver operating characteristic for distinguishing target adversarial examples against clean and noisy data of 99% and 97%, respectively. To assess the robustness of our method, we show that adaptive adversarial examples that can circumvent DistriBlock are much noisier, which makes them easier to detect through filtering and creates another avenue for preserving the system's robustness.
Updated: 2024-03-11 10:07:03
标题: DistriBlock:利用输出分布特征识别对抗性音频样本
摘要: 对抗性攻击可能会误导自动语音识别(ASR)系统,使其预测任意目标文本,从而构成明显的安全威胁。为防止此类攻击,我们提出了DistriBlock,一种适用于任何ASR系统的高效检测策略,该系统在每个时间步预测输出令牌的概率分布。我们测量了该分布的一组特征:输出概率的中值、最大值和最小值,分布的熵,以及相对于后续时间步的Kullback-Leibler和Jensen-Shannon散度。然后,通过利用对良性数据和对抗性数据观察到的特征,我们应用二元分类器,包括基于简单阈值的分类、这些分类器的集成和神经网络。通过对不同最先进的ASR系统和语言数据集进行广泛分析,我们展示了该方法的卓越性能,对于区分目标对抗性示例与干净和嘈杂数据的平均接收器工作特性下面积分别为99%和97%。为了评估我们方法的鲁棒性,我们展示了可以规避DistriBlock的自适应对抗性示例更加嘈杂,这使得它们更容易通过过滤来检测,并为保护系统的鲁棒性开辟了另一条途径。
更新时间: 2024-03-11 10:07:03
领域: cs.SD,cs.CR,cs.LG,eess.AS
Robustness, Efficiency, or Privacy: Pick Two in Machine Learning
The success of machine learning (ML) applications relies on vast datasets and distributed architectures which, as they grow, present major challenges. In real-world scenarios, where data often contains sensitive information, issues like data poisoning and hardware failures are common. Ensuring privacy and robustness is vital for the broad adoption of ML in public life. This paper examines the costs associated with achieving these objectives in distributed ML architectures, from both theoretical and empirical perspectives. We overview the meanings of privacy and robustness in distributed ML, and clarify how they can be achieved efficiently in isolation. However, we contend that the integration of these two objectives entails a notable compromise in computational efficiency. In short, traditional noise injection hurts accuracy by concealing poisoned inputs, while cryptographic methods clash with poisoning defenses due to their non-linear nature. However, we outline future research directions aimed at reconciling this compromise with efficiency by considering weaker threat models.
Updated: 2024-03-11 10:06:37
标题: 鲁棒性、效率或隐私:在机器学习中选择两个
摘要: 机器学习(ML)应用程序的成功依赖于庞大的数据集和分布式架构,随着它们的增长,面临着重大挑战。在现实世界的场景中,数据通常包含敏感信息,数据污染和硬件故障等问题很常见。确保隐私和稳健性对于ML在公共生活中的广泛应用至关重要。本文从理论和实证的角度考察了在分布式ML架构中实现这些目标所带来的成本。我们概述了在分布式ML中隐私和稳健性的含义,并澄清了如何在隔离中有效实现它们。然而,我们认为实现这两个目标的整合涉及到在计算效率上的显著妥协。简言之,传统的噪声注入通过隐藏被感染的输入来损害准确性,而加密方法与毒害防御相冲突,因为它们是非线性的。然而,我们概述了旨在通过考虑更弱的威胁模型来调和这种妥协与效率的未来研究方向。
更新时间: 2024-03-11 10:06:37
领域: cs.LG,cs.CR,cs.DC
A Scalable Formal Verification Methodology for Data-Oblivious Hardware
The importance of preventing microarchitectural timing side channels in security-critical applications has surged in recent years. Constant-time programming has emerged as a best-practice technique for preventing the leakage of secret information through timing. It is based on the assumption that the timing of certain basic machine instructions is independent of their respective input data. However, whether or not an instruction satisfies this data-independent timing criterion varies between individual processor microarchitectures. In this paper, we propose a novel methodology to formally verify data-oblivious behavior in hardware using standard property checking techniques. The proposed methodology is based on an inductive property that enables scalability even to complex out-of-order cores. We show that proving this inductive property is sufficient to exhaustively verify data-obliviousness at the microarchitectural level. In addition, the paper discusses several techniques that can be used to make the verification process easier and faster. We demonstrate the feasibility of the proposed methodology through case studies on several open-source designs. One case study uncovered a data-dependent timing violation in the extensively verified and highly secure IBEX RISC-V core. In addition to several hardware accelerators and in-order processors, our experiments also include RISC-V BOOM, a complex out-of-order processor, highlighting the scalability of the approach.
Updated: 2024-03-11 08:47:15
标题: 一种可扩展的数据混淆硬件形式验证方法论
摘要: 近年来,防止安全关键应用程序中的微架构时序侧信道泄漏的重要性不断增加。恒定时间编程已经成为一种防止通过时序泄露秘密信息的最佳实践技术。它基于这样的假设,即某些基本机器指令的时序与其相应的输入数据无关。然而,一个指令是否满足这个数据无关时序标准在不同处理器微架构之间可能会有所不同。在本文中,我们提出了一种新颖的方法论,使用标准属性检查技术在硬件中形式验证数据无关行为。所提出的方法基于一种归纳属性,即使对于复杂的乱序核心也能实现可扩展性。我们表明,证明这种归纳属性足以全面验证微架构级别的数据无关性。此外,本文讨论了几种可用于简化和加快验证过程的技术。我们通过对几个开源设计的案例研究证明了所提出方法的可行性。其中一个案例研究发现了在经过广泛验证且高度安全的IBEX RISC-V核心中的一个数据相关时序违例。除了几个硬件加速器和顺序处理器外,我们的实验还包括RISC-V BOOM,一个复杂的乱序处理器,突出了该方法的可扩展性。
更新时间: 2024-03-11 08:47:15
领域: cs.CR
Asset-driven Threat Modeling for AI-based Systems
Threat modeling is a popular method to securely develop systems by achieving awareness of potential areas of future damage caused by adversaries. The benefit of threat modeling lies in its ability to indicate areas of concern, paving the way to consider mitigation during the design stage. However, threat modeling for systems relying on Artificial Intelligence is still not well explored. While conventional threat modeling methods and tools did not address AI-related threats, research on this amalgamation still lacks solutions capable of guiding and automating the process, as well as providing evidence that the methods hold up in practice. To evaluate that the work at hand is able to guide and automatically identify AI-related threats during the architecture definition stage, several experts were tasked to create a threat model of an AI system designed in the healthcare domain. The usability of the solution was well-perceived, and the results indicate that it is effective for threat identification.
Updated: 2024-03-11 08:40:01
标题: 基于资产的威胁建模对人工智能系统
摘要: 威胁建模是一种流行的方法,通过意识到潜在的由对手造成的未来损害领域,来安全地开发系统。威胁建模的好处在于其能够指出关注的领域,为在设计阶段考虑缓解措施铺平道路。然而,针对依赖人工智能的系统的威胁建模仍未得到充分探讨。虽然传统的威胁建模方法和工具未能解决与人工智能相关的威胁,但对这种融合的研究仍缺乏能够引导和自动化过程的解决方案,并提供这些方法在实践中是否可行的证据。为了评估正在进行的工作能够在架构定义阶段引导和自动识别与人工智能相关的威胁,几位专家被委托创建一个在医疗领域设计的人工智能系统的威胁模型。解决方案的可用性被很好地感知,结果表明它对于威胁识别是有效的。
更新时间: 2024-03-11 08:40:01
领域: cs.CR,cs.SE
Breaking Speaker Recognition with PaddingBack
Machine Learning as a Service (MLaaS) has gained popularity due to advancements in Deep Neural Networks (DNNs). However, untrusted third-party platforms have raised concerns about AI security, particularly in backdoor attacks. Recent research has shown that speech backdoors can utilize transformations as triggers, similar to image backdoors. However, human ears can easily be aware of these transformations, leading to suspicion. In this paper, we propose PaddingBack, an inaudible backdoor attack that utilizes malicious operations to generate poisoned samples, rendering them indistinguishable from clean ones. Instead of using external perturbations as triggers, we exploit the widely-used speech signal operation, padding, to break speaker recognition systems. Experimental results demonstrate the effectiveness of our method, achieving a significant attack success rate while retaining benign accuracy. Furthermore, PaddingBack demonstrates the ability to resist defense methods and maintain its stealthiness against human perception.
Updated: 2024-03-11 05:16:03
标题: 用填充攻击破解说话者识别系统
摘要: 机器学习作为服务(MLaaS)由于深度神经网络(DNNs)的进步而变得流行。然而,不受信任的第三方平台引发了关于人工智能安全性的担忧,特别是关于后门攻击。最近的研究表明,语音后门可以利用转换作为触发器,类似于图像后门。然而,人类耳朵很容易察觉到这些转换,从而引起怀疑。在本文中,我们提出了PaddingBack,一种听不见的后门攻击,利用恶意操作生成毒化样本,使它们与干净的样本无法区分。我们不是使用外部扰动作为触发器,而是利用广泛使用的语音信号操作“填充”来破坏说话者识别系统。实验结果证明了我们的方法的有效性,实现了显著的攻击成功率,同时保持良性准确性。此外,PaddingBack展示了抵抗防御方法并保持对人类感知的隐秘性的能力。
更新时间: 2024-03-11 05:16:03
领域: cs.CR,cs.SD,eess.AS,eess.SP
Intra-Section Code Cave Injection for Adversarial Evasion Attacks on Windows PE Malware File
Windows malware is predominantly available in cyberspace and is a prime target for deliberate adversarial evasion attacks. Although researchers have investigated the adversarial malware attack problem, a multitude of important questions remain unanswered, including (a) Are the existing techniques to inject adversarial perturbations in Windows Portable Executable (PE) malware files effective enough for evasion purposes?; (b) Does the attack process preserve the original behavior of malware?; (c) Are there unexplored approaches/locations that can be used to carry out adversarial evasion attacks on Windows PE malware?; and (d) What are the optimal locations and sizes of adversarial perturbations required to evade an ML-based malware detector without significant structural change in the PE file? To answer some of these questions, this work proposes a novel approach that injects a code cave within the section (i.e., intra-section) of Windows PE malware files to make space for adversarial perturbations. In addition, a code loader is also injected inside the PE file, which reverts adversarial malware to its original form during the execution, preserving the malware's functionality and executability. To understand the effectiveness of our approach, we injected adversarial perturbations inside the .text, .data and .rdata sections, generated using the gradient descent and Fast Gradient Sign Method (FGSM), to target the two popular CNN-based malware detectors, MalConv and MalConv2. Our experiments yielded notable results, achieving a 92.31% evasion rate with gradient descent and 96.26% with FGSM against MalConv, compared to the 16.17% evasion rate for append attacks. Similarly, when targeting MalConv2, our approach achieved a remarkable maximum evasion rate of 97.93% with gradient descent and 94.34% with FGSM, significantly surpassing the 4.01% evasion rate observed with append attacks.
Updated: 2024-03-11 04:34:42
标题: Windows PE恶意文件的对抗逃避攻击中的节内代码洞注入
摘要: Windows恶意软件主要存在于网络空间中,并成为有意识的对抗规避攻击的主要目标。虽然研究人员已经调查了对抗性恶意软件攻击问题,但仍有许多重要问题尚未解答,包括:(a)现有的将对抗性扰动注入Windows可移植可执行文件(PE)恶意软件文件的技术是否足够有效用于规避目的?;(b)攻击过程是否保留了恶意软件的原始行为?;(c)是否存在未被探索的方法/位置可用于对Windows PE恶意软件进行对抗性规避攻击?;以及(d)在PE文件中需要的对抗性扰动的最佳位置和大小是什么,以规避基于机器学习的恶意软件检测器,而不会对PE文件的结构造成重大改变?为了回答其中一些问题,本文提出了一种新颖的方法,将代码洞注入到Windows PE恶意软件文件的部分(即内部部分),为对抗性扰动腾出空间。此外,在PE文件中还注入了一个代码加载器,在执行过程中将对抗性恶意软件恢复到其原始形式,保留恶意软件的功能性和可执行性。为了了解我们方法的有效性,我们在.text、.data和.rdata部分内注入了通过梯度下降和快速梯度符号方法(FGSM)生成的对抗性扰动,以针对两个流行的基于CNN的恶意软件检测器MalConv和MalConv2。我们的实验取得了显著的结果,梯度下降实现了92.31%的规避率,FGSM实现了96.26%的规避率,而通过附加攻击的规避率为16.17%。同样,当针对MalConv2时,我们的方法实现了最大的97.93%的规避率,梯度下降实现了94.34%的规避率,显著超过了通过附加攻击观察到的4.01%的规避率。
更新时间: 2024-03-11 04:34:42
领域: cs.CR
A Mathematical Framework for the Problem of Security for Cognition in Neurotechnology
The rapid advancement in neurotechnology in recent years has created an emerging critical intersection between neurotechnology and security. Implantable devices, non-invasive monitoring, and non-invasive therapies all carry with them the prospect of violating the privacy and autonomy of individuals' cognition. A growing number of scientists and physicians have made calls to address this issue -- which we term Cognitive Security -- but applied efforts have been limited. A major barrier hampering scientific and engineering efforts to address Cognitive Security is the lack of a clear means of describing and analyzing relevant problems. In this paper we develop Cognitive Security, a mathematical framework which enables such description and analysis by drawing on methods and results from multiple fields. We demonstrate certain statistical properties which have significant implications for Cognitive Security, and then present descriptions of the algorithmic problems faced by attackers attempting to violate privacy and autonomy, and defenders attempting to obstruct such attempts.
Updated: 2024-03-11 03:44:18
标题: 一个关于神经技术认知安全问题的数学框架
摘要: 近年来神经技术的快速发展在神经技术和安全之间创造了一个新兴的关键交汇点。可植入设备、非侵入式监测和非侵入式疗法都具有侵犯个体认知隐私和自主性的可能性。越来越多的科学家和医生呼吁解决这一问题,我们称之为认知安全,但应用努力有限。阻碍科学和工程努力解决认知安全问题的一个主要障碍是缺乏清晰描述和分析相关问题的手段。在本文中,我们发展了认知安全,这是一个数学框架,通过借鉴多个领域的方法和结果,使得可以描述和分析这些问题。我们展示了对认知安全具有重要影响的某些统计特性,然后提出了攻击者面临的算法问题的描述,这些攻击者试图侵犯隐私和自主性,以及捍卫者试图阻止此类尝试。
更新时间: 2024-03-11 03:44:18
领域: cs.CR,cs.CY,cs.ET,cs.LG,q-bio.NC,68Q99 (Primary), 68P27, 68Q07, 68Q09, 68T30, 68T05, 91E99, 92C75 (Secondary),F.m; I.2; J.2; J.3
A Zero Trust Framework for Realization and Defense Against Generative AI Attacks in Power Grid
Understanding the potential of generative AI (GenAI)-based attacks on the power grid is a fundamental challenge that must be addressed in order to protect the power grid by realizing and validating risk in new attack vectors. In this paper, a novel zero trust framework for a power grid supply chain (PGSC) is proposed. This framework facilitates early detection of potential GenAI-driven attack vectors (e.g., replay and protocol-type attacks), assessment of tail risk-based stability measures, and mitigation of such threats. First, a new zero trust system model of PGSC is designed and formulated as a zero-trust problem that seeks to guarantee for a stable PGSC by realizing and defending against GenAI-driven cyber attacks. Second, in which a domain-specific generative adversarial networks (GAN)-based attack generation mechanism is developed to create a new vulnerability cyberspace for further understanding that threat. Third, tail-based risk realization metrics are developed and implemented for quantifying the extreme risk of a potential attack while leveraging a trust measurement approach for continuous validation. Fourth, an ensemble learning-based bootstrap aggregation scheme is devised to detect the attacks that are generating synthetic identities with convincing user and distributed energy resources device profiles. Experimental results show the efficacy of the proposed zero trust framework that achieves an accuracy of 95.7% on attack vector generation, a risk measure of 9.61% for a 95% stable PGSC, and a 99% confidence in defense against GenAI-driven attack.
Updated: 2024-03-11 02:47:21
标题: 一个用于实现和防御电网中生成式人工智能攻击的零信任框架
摘要: 理解基于生成式人工智能(GenAI)的攻击对电网的潜在威胁是一项必须解决的基本挑战,以便通过实现和验证新攻击向量中的风险来保护电网。本文提出了一个针对电网供应链(PGSC)的新型零信任框架。该框架有助于早期发现潜在的GenAI驱动的攻击向量(例如重放和协议类型攻击),评估基于尾风险的稳定性措施,并减轻这些威胁。首先,设计并制定了一个新的PGSC零信任系统模型,将其作为一个零信任问题,旨在通过实现和抵御GenAI驱动的网络攻击来保证PGSC的稳定性。其次,开发了一种基于特定领域的生成对抗网络(GAN)的攻击生成机制,为进一步理解该威胁创造了一个新的漏洞网络空间。第三,开发并实施了基于尾风险实现度量的指标,用于量化潜在攻击的极端风险,同时利用信任测量方法进行持续验证。第四,设计了基于集成学习的自举聚合方案,用于检测生成具有令人信服的用户和分布式能源资源设备配置文件的合成身份的攻击。实验结果表明,所提出的零信任框架在攻击向量生成方面实现了95.7%的准确性,在95%稳定的PGSC上具有9.61%的风险度量,并对抗GenAI驱动的攻击具有99%的信心。
更新时间: 2024-03-11 02:47:21
领域: cs.CR,cs.LG
A Model for Assessing Network Asset Vulnerability Using QPSO-LightGBM
With the continuous development of computer technology and network technology, the scale of the network continues to expand, the network space tends to be complex, and the application of computers and networks has been deeply into politics, the military, finance, electricity, and other important fields. When security events do not occur, the vulnerability assessment of these high-risk network assets can be actively carried out to prepare for rainy days, to effectively reduce the loss caused by security events. Therefore, this paper proposes a multi-classification prediction model of network asset vulnerability based on quantum particle swarm algorithm-Lightweight Gradient Elevator (QPSO-LightGBM). In this model, based on using the Synthetic minority oversampling technique (SMOTE) to balance the data, quantum particle swarm optimization (QPSO) was used for automatic parameter optimization, and LightGBM was used for modeling. Realize multi-classification prediction of network asset vulnerability. To verify the rationality of the model, the proposed model is compared with the model constructed by other algorithms. The results show that the proposed model is better in various predictive performance indexes.
Updated: 2024-03-11 02:23:52
标题: 使用QPSO-LightGBM评估网络资产脆弱性的模型
摘要: 随着计算机技术和网络技术的不断发展,网络规模不断扩大,网络空间趋于复杂,计算机和网络的应用已深入政治、军事、金融、电力等重要领域。在安全事件没有发生时,可以积极进行高风险网络资产的漏洞评估,以做好应对可能发生的安全事件的准备,有效减少安全事件造成的损失。因此,本文提出了基于量子粒子群算法-轻量级梯度提升机(QPSO-LightGBM)的网络资产漏洞多分类预测模型。在该模型中,使用合成少数类过采样技术(SMOTE)平衡数据,利用量子粒子群优化(QPSO)进行自动参数优化,使用LightGBM进行建模,实现网络资产漏洞的多分类预测。为验证模型的合理性,将提出的模型与其他算法构建的模型进行比较。结果表明,提出的模型在各种预测性能指标上更好。
更新时间: 2024-03-11 02:23:52
领域: cs.CR
Using Hallucinations to Bypass GPT4's Filter
Large language models (LLMs) are initially trained on vast amounts of data, then fine-tuned using reinforcement learning from human feedback (RLHF); this also serves to teach the LLM to provide appropriate and safe responses. In this paper, we present a novel method to manipulate the fine-tuned version into reverting to its pre-RLHF behavior, effectively erasing the model's filters; the exploit currently works for GPT4, Claude Sonnet, and (to some extent) for Inflection-2.5. Unlike other jailbreaks (for example, the popular "Do Anything Now" (DAN) ), our method does not rely on instructing the LLM to override its RLHF policy; hence, simply modifying the RLHF process is unlikely to address it. Instead, we induce a hallucination involving reversed text during which the model reverts to a word bucket, effectively pausing the model's filter. We believe that our exploit presents a fundamental vulnerability in LLMs currently unaddressed, as well as an opportunity to better understand the inner workings of LLMs during hallucinations.
Updated: 2024-03-11 01:21:32
标题: 利用幻觉绕过GPT4的过滤器
摘要: 大型语言模型(LLMs)最初通过大量数据进行训练,然后使用来自人类反馈的强化学习(RLHF)进行微调;这也有助于教导LLM提供适当和安全的回应。在本文中,我们提出了一种新方法,可以操纵经过微调的版本恢复到其RLHF之前的行为,有效地擦除模型的过滤器;该漏洞目前适用于GPT4、Claude Sonnet以及(在某种程度上)Inflection-2.5。与其他越狱(例如流行的“现在做任何事”(DAN))不同,我们的方法不依赖于指示LLM覆盖其RLHF策略;因此,简单修改RLHF过程不太可能解决这个问题。相反,我们诱导出一种幻觉,涉及到反向文本,使模型恢复到一个词桶,有效地暂停了模型的过滤器。我们认为我们的漏洞呈现了目前未解决的LLMs的基本漏洞,以及更好地理解LLMs在幻觉期间的内部工作机制的机会。
更新时间: 2024-03-11 01:21:32
领域: cs.CR,cs.AI,cs.CL,cs.LG
Towards Scalable and Robust Model Versioning
As the deployment of deep learning models continues to expand across industries, the threat of malicious incursions aimed at gaining access to these deployed models is on the rise. Should an attacker gain access to a deployed model, whether through server breaches, insider attacks, or model inversion techniques, they can then construct white-box adversarial attacks to manipulate the model's classification outcomes, thereby posing significant risks to organizations that rely on these models for critical tasks. Model owners need mechanisms to protect themselves against such losses without the necessity of acquiring fresh training data - a process that typically demands substantial investments in time and capital. In this paper, we explore the feasibility of generating multiple versions of a model that possess different attack properties, without acquiring new training data or changing model architecture. The model owner can deploy one version at a time and replace a leaked version immediately with a new version. The newly deployed model version can resist adversarial attacks generated leveraging white-box access to one or all previously leaked versions. We show theoretically that this can be accomplished by incorporating parameterized hidden distributions into the model training data, forcing the model to learn task-irrelevant features uniquely defined by the chosen data. Additionally, optimal choices of hidden distributions can produce a sequence of model versions capable of resisting compound transferability attacks over time. Leveraging our analytical insights, we design and implement a practical model versioning method for DNN classifiers, which leads to significant robustness improvements over existing methods. We believe our work presents a promising direction for safeguarding DNN services beyond their initial deployment.
Updated: 2024-03-11 00:50:45
标题: 朝向可扩展和稳健的模型版本控制
摘要: 随着深度学习模型在各行各业的部署不断扩大,针对这些部署模型的恶意入侵威胁也在上升。如果攻击者通过服务器入侵、内部人员攻击或模型反演技术获得对部署模型的访问权限,他们可以构建白盒对抗攻击来操纵模型的分类结果,从而给依赖这些模型执行重要任务的组织带来重大风险。模型所有者需要机制来保护自己免受损失,而无需获取新的训练数据 - 这通常需要大量的时间和资本投入。 在本文中,我们探讨了生成具有不同攻击属性的多个模型版本的可行性,而无需获取新的训练数据或更改模型架构。模型所有者可以每次部署一个版本,并立即用新版本替换泄露的版本。新部署的模型版本可以抵抗通过白盒访问获得对先前泄露的一个或所有版本的对抗攻击生成。我们理论上表明,这可以通过将参数化隐藏分布融入模型训练数据中来实现,迫使模型学习由所选数据唯一定义的与任务无关的特征。此外,隐藏分布的最佳选择可以产生一系列随时间能够抵抗复合可转移攻击的模型版本。借助我们的分析洞察力,我们设计并实施了一种用于DNN分类器的实际模型版本方法,这一方法比现有方法大大提高了鲁棒性。我们相信我们的工作为保护DNN服务超越初始部署提供了一个有前途的方向。
更新时间: 2024-03-11 00:50:45
领域: cs.LG,cs.CR
Practically adaptable CPABE based Health-Records sharing framework
With recent elevated adaptation of cloud services in almost every major public sector, the health sector emerges as a vulnerable segment, particularly in data exchange of sensitive Health records, as determining the retention, exchange, and efficient use of patient records without jeopardizing patient privacy, particularly on mobile-applications remains an area to expand. In the existing scenarios of cloud-mobile services, several vulnerabilities can be found including trapping of data within a single cloud-service-provider and loss of resource control being the significant ones. In this study, we have suggested a CPABE and OAuth2.0 based framework for efficient access-control and authorization respectively to improve the practicality of EHR sharing across a single client-application. In addition to solving issues like practicality, data entrapment, and resource control loss, the suggested framework also aims to provide two significant functionalities simultaneously, the specific operation of client application itself, and straightforward access of data to institutions, governments, and organizations seeking delicate EHRs. Our implementation of the suggested framework along with its analytical comparison signifies its potential in terms of efficient performance and minimal latency as this study would have a considerable impact on the recent literature as it intends to bridge the pragmatic deficit in CPABE-based EHR services.
Updated: 2024-03-11 00:23:17
标题: 实用适应的基于CPABE的健康记录共享框架
摘要: 随着云服务在几乎每个主要公共部门的广泛应用,健康部门成为一个脆弱的领域,特别是在敏感健康记录的数据交换方面,确定保留、交换和有效使用患者记录而不危及患者隐私,特别是在移动应用方面仍有待扩展。在现有的云移动服务场景中,可以发现几个漏洞,包括数据被困在单个云服务提供商内以及资源控制丢失等重要问题。在这项研究中,我们提出了一个基于CPABE和OAuth2.0的框架,用于分别改善单个客户端应用程序之间的高效访问控制和授权,以提高EHR共享的实用性。除了解决实用性、数据困扰和资源控制丢失等问题,建议的框架还旨在同时提供两个重要的功能,即客户端应用程序本身的特定操作,以及对寻求敏感EHR的机构、政府和组织的数据的直接访问。我们对建议的框架的实施以及与其分析比较标志着其在高效性能和最小延迟方面的潜力,因为这项研究将对最近的文献产生重大影响,因为它旨在填补基于CPABE的EHR服务中的实用性赤字。
更新时间: 2024-03-11 00:23:17
领域: cs.CR