UNRESTRICTED CONTROLLABLE ATTACKS FOR SEGMENTATION NEURAL NETWORKS

Guangyu Shen (8795963)

12 October 2021

<p>Despite the rapid development of adversarial attacks on machine learning models, many types of new adversarial examples remain unknown. Undiscovered types of adversarial attacks pose a</p><p>serious concern for the safety of the models, which raises the issue about the effectiveness of current adversarial robustness evaluation. Image semantic segmentation is a practical computer</p><p>vision task. However, segmentation networks’ robustness under adversarial attacks receives insufficient attention. Recently, machine learning researchers started to focus on generating</p><p>adversarial examples beyond the norm-bound restriction for segmentation neural networks. In this thesis, a simple and efficient method: AdvDRIT is proposed to synthesize unconstrained controllable adversarial images leveraging conditional-GAN. Simple CGAN yields poor image quality and low attack effectiveness. Instead, the DRIT (Disentangled Representation Image Translation) structure is leveraged with a well-designed loss function, which can generate valid adversarial images in one step. AdvDRIT is evaluated on two large image datasets: ADE20K and Cityscapes. Experiment results show that AdvDRIT can improve the quality of adversarial examples by decreasing the FID score down to 40% compared to state-of-the-art generative models such as Pix2Pix, and also improve the attack success rate 38% compared to other adversarial attack methods including PGD.</p>

Data Communications

Adversarial Attacks

Semantic segmentation

Check Your Other Door: Creating Backdoor Attacks in the Frequency Domain

Hammoud, Hasan Abed Al Kader

04 1900

Deep Neural Networks (DNNs) are ubiquitous and span a variety of applications ranging from image classification and facial recognition to medical image analysis and real-time object detection. As DNN models become more sophisticated and complex, the computational cost of training these models becomes a burden. For this reason, outsourcing the training process has been the go-to option for many DNN users. Unfortunately, this comes at the cost of vulnerability to backdoor attacks. These attacks aim at establishing hidden backdoors in the DNN such that it performs well on clean samples but outputs a particular target label when a trigger is applied to the input. Current backdoor attacks generate triggers in the spatial domain; however, as we show in this work, it is not the only domain to exploit and one should always "check the other doors". To the best of our knowledge, this work is the first to propose a pipeline for generating a spatially dynamic (changing) and invisible (low norm) backdoor attack in the frequency domain. We show the advantages of utilizing the frequency domain for creating undetectable and powerful backdoor attacks through extensive experiments on various datasets and network architectures. Unlike most spatial domain attacks, frequency-based backdoor attacks can achieve high attack success rates with low poisoning rates and little to no drop in performance while remaining imperceptible to the human eye. Moreover, we show that the backdoored models (poisoned by our attacks) are resistant to various state-of-the-art (SOTA) defenses, and so we contribute two possible defenses that can successfully evade the attack. We conclude the work with some remarks regarding a network’s learning capacity and the capability of embedding a backdoor attack in the model.

backdoor attacks

robustness

security

deep neural networks

A Mixed-Integer Programming Approach for Jammer Placement Problems for Flow-Jamming Attacks on Wireless Communication Networks

Vadlamani, Satish

11 December 2015

In this dissertation, we study an important problem of security in wireless networks. We study different attacks and defense strategies in general and more specifically jamming attacks. We begin the dissertation by providing a tutorial introducing the operations research community to the various types of attacks and defense strategies in wireless networks. In this tutorial, we give examples of mathematical programming models to model jamming attacks and defense against jamming attacks in wireless networks. Later we provide a comprehensive taxonomic classification of the various types of jamming attacks and defense against jamming attacks. The classification scheme will provide a one stop location for future researchers on various jamming attack and defense strategies studied in literature. This classification scheme also highlights the areas of research in jamming attack and defense against jamming attacks which have received less attention and could be a good area of focus for future research. In the next chapter, we provide a bi-level mathematical programming model to study jamming attack and defense strategy. We solve this using a game-theoretic approach and also study the impact of power level, location of jamming device, and the number of transmission channels available to transmit data on the attack and defense against jamming attacks. We show that by increasing the number of jamming devices the throughput of the network drops by at least 7%. Finally we study a special type of jamming attack, flow-jamming attack. We provide a mathematical programming model to solve the location of jamming devices to increase the impact of flow-jamming attacks on wireless networks. We provide a Benders decomposition algorithm along with some acceleration techniques to solve large problem instances in reasonable amount of time. We draw some insights about the impact of power, location and size of the network on the impact of flow-jamming attacks in wireless networks.

Wireless networks

security

jamming attacks

Benders decomposition

Into the Long War

Rogers, Paul F.

January 2006

No / This book provides a contemporary month-by-month analysis of events in Iraq since May 2005 and assesses how they impact on other countries including Afghanistan, Iran and the wider Middle East. The book charts a tumultuous period in the conflict, including a wider international perspective on the terrorist attacks in London and Sharm al Sheik, and an assessment of how US public opinion has changed as the war drags on. It brings together Paul Rogers' international security monthly briefings as published on the Oxford Research Group website between May 2005 - April 2006, and concludes with a commentary on the significance of the year's events, and an analysis of the current situation. This is the third ORG International Security Report. We have also published reports in 2004 and 2005.

Global security

War on terror

Iraq

Terrorist attacks

Software Protection Against Fault and Side Channel Attacks

Patrick, Conor Persson

09 August 2017

Embedded systems are increasingly ubiquitous. Many of them have security requirements such as smart cards, mobile phones, and internet connected appliances. It can be a challenge to fulfill security requirements due to the constrained nature of embedded devices. This security challenge is worsened by the possibility of implementation attacks. Despite well formulated cryptosystems being used, the underlying hardware can often undermine any security proven on paper. If a secret key is at play, an adversary has a chance of revealing it by simply looking at the power variation. Additionally, an adversary can tamper with an embedded system's environment to get it to skip a security check or generate side channel information. Any adversary with physical access to an embedded system can conduct such implementation attacks. It is the focus of this work to explore different countermeasures against both side channel and fault attacks. A new countermeasure call Intra-instruction Redundancy, based on bit-slicing, or N-bit SIMD processing, is proposed. Another challenge with implementing countermeasures against implementation attacks, is that they need to be able to be combined. Most proposed side channel countermeasures do not prevent fault injection and vice versa. Combining them is non-trivial as demonstrated with a combined implementation attack. / Master of Science

Fault attacks

side channel analysis

countermeasure

A reliabilty and validity study of panic attack symptoms and cognitions questionnaires

Broyles, Susan Elizabeth

January 1987

Anxiety may be experienced in a variety of response modes. There is evidence to suggest that panic disordered individuals differ from individuals with other anxiety diagnoses in that they experience a greater increase in somatic symptoms and catastrophic cognitions. Further it has been suggested that panic disordered individuals, as compared to other anxiety disordered individuals, experience greater global anxiety and depression. The present study compared the total scores of 93 disordered subjects on the Symptom Assessment Questionnaire and the Cognitions Assessment Questionnaire and found that both questionnaires discriminated panic disordered subjects from non-panic disordered subjects. The two questionnaires also discriminated subjects with panic attacks from subjects without panic attacks. Item analyses were conducted on both questionnaires in order to identify specific items which differentiated panic disordered subjects from non-panic disordered subjects and subjects with panic attacks from subjects without panic attacks. Factor analyses were conducted on both questionnaires, resulting in the identification of somatic and cognitive factors salient to the phenomenon of panic. In general, the identified factors supported and expanded upon the panic symptoms listed in DSM-III. Finally, two widely used measures of anxiety and depression were administered to subjects. Panickers scored higher than Non-panickers on measures of state-anxiety, trait-anxiety, and depression. The Panic Disordered Group scored higher than the Non-Panic Disordered Group on the depression scale. However, the Panic Disordered Group scored no differently from the NonPanic Disordered on the state-anxiety and trait-anxiety inventories, suggesting that the presence of panic attacks in all anxiety diagnostic groups weakened the ability of the tradition anxiety measures to distinguish between the comparison groups. / M.S.

LD5655.V855 1987.B769

Anxiety

Panic attacks

Robustifying Machine Learning based Security Applications

Jan, Steve T. K.

27 August 2020

In recent years, machine learning (ML) has been explored and employed in many fields. However, there are growing concerns about the robustness of machine learning models. These concerns are further amplified in security-critical applications — attackers can manipulate the inputs (i.e., adversarial examples) to cause machine learning models to make a mistake, and it's very challenging to obtain a large amount of attackers' data. These make applying machine learning in security-critical applications difficult. In this dissertation, we present several approaches to robustifying three machine learning based security applications. First, we start from adversarial examples in image recognition. We develop a method to generate robust adversarial examples that remain effective in the physical domain. Our core idea is to use an image-to-image translation network to simulate the digital-to-physical transformation process for generating robust adversarial examples. We further show these robust adversarial examples can improve the robustness of machine learning models by adversarial retraining. The second application is bot detection. We show that the performance of existing machine learning models is not effective if we only have the limit attackers' data. We develop a data synthesis method to address this problem. The key novelty is that our method is distribution aware synthesis, using two different generators in a Generative Adversarial Network to synthesize data for the clustered regions and the outlier regions in the feature space. We show the detection performance using 1% of attackers' data is close to existing methods trained with 100% of the attackers' data. The third component of this dissertation is phishing detection. By designing a novel measurement system, we search and detect phishing websites that adopt evasion techniques not only at the page content level but also at the web domain level. The key novelty is that our system is built on the observation of the evasive behaviors of phishing pages in practice. We also study how existing browsers defenses against phishing websites that impersonate trusted entities at the web domain. Our results show existing browsers are not yet effective to detect them. / Doctor of Philosophy / Machine learning (ML) is computer algorithms that aim to identify hidden patterns from the data. In recent years, machine learning has been widely used in many fields. The range of them is broad, from natural language to autonomous driving. However, there are growing concerns about the robustness of machine learning models. And these concerns are further amplified in security-critical applications — Attackers can manipulate their inputs (i.e., adversarial examples) to cause machine learning models to predict wrong, and it's highly expensive and difficult to obtain a huge amount of attackers' data because attackers are rare compared to the normal users. These make applying machine learning in security-critical applications concerning. In this dissertation, we seek to build better defenses in three types of machine learning based security applications. The first one is image recognition, by developing a method to generate realistic adversarial examples, the machine learning models are more robust for defending against adversarial examples by adversarial retraining. The second one is bot detection, we develop a data synthesis method to detect malicious bots when we only have the limit malicious bots data. For phishing websites, we implement a tool to detect domain name impersonation and detect phishing pages using dynamic and static analysis.

Machine learning

Security

Bot Detection

Phishing Attacks

Gate-level Leakage Assessment and Mitigation

Kathuria, Tarun

22 July 2019

Side-channel leakage, caused by imperfect implementation of cryptographic algorithms in hardware, has become a serious security threat for connected devices that generate and process sensitive data. This side-channel leakage can divulge secret information in the form of power consumption or electromagnetic emissions. The side-channel leakage of a crytographic device is commonly assessed after tape-out on a physical prototype. This thesis presents a methodology called Gate-level Leakage Assessment (GLA), which evaluates the power-based side-channel leakage of an integrated circuit at design time. By combining side-channel leakage assessment with power simulations on the gate-level netlist, GLA is able to pinpoint the leakiest cells in the netlist in addition to assessing the overall side-channel vulnerability to side-channel leakage. As the power traces obtained from power simulations are noiseless, GLA is able to precisely locate the sources of side-channel leakage with fewer measurements than on a physical prototype. The thesis applies the methodology on the design of a encryption co-processor to analyze sources of side-channel leakage. Once the gate-level leakage sources are identified, this thesis presents a logic level replacement strategy for the leakage sources that can thwart side-channel leakage. The countermeasures presented selectively replaces gate-level cells with a secure logic style effectively removing the side-channel leakage with minimal impact in area. The assessment methodology along with the countermeasures demonstrated is a turnkey solution for IP module designers and is also applicable to larger system level designs. / Master of Science / Consider how a lie detector machine works. It looks for subtle changes in a person’s pulse to tell if the person is telling the truth. This unintentional divulgence of secret information is called a side-channel leakage. Integrated circuits reveal secret information in a similar way through their power consumption. This is caused by the transistors, used to build these integrated circuits, switching in concert with the secret data being processed by the integrated circuit. Typically, integrated circuits are evaluated for side-channel leakage only after they have been manufactured into a physical prototype. If the integrated circuit is found vulnerable it is too expensive to manufacture the prototype again with an updated design. This thesis presents a methodology, Gate-level Leakage Assessment (GLA) to evaluate integrated circuits for side-channel leakage during their design process even before they are manufactured. This methodology uses simulations to identify the specific transistors in the design that cause side-channel leakage. Moreover, this thesis presents a technique to selectively replace these problematic transistors in the design with an implementation that thwarts side channel leakage.

Side-channel leakage

Countermeasures

Power analysis attacks

An Investigation of a Minimal-Contact Bibliotherapy Approach to Relapse Prevention for Individuals Treated for Panic Attacks

Wright, Joseph H.

16 September 1997

The present study was designed to test the efficacy of a bibliotherapy-relapse prevention (BT-RP) program for panic attacks in which the active BT-RP condition was compared to a waiting-list control condition. Prior to the administration of the six-month BT-RP program, all participants completed an initial BT intervention (Febbraro, 1997) based on the book Coping with Panic (Clum, 1990). The BT-RP program was designed to: (a) review major components of the initial intervention; (b) increase practice of panic coping skills and therapeutic self-exposure; (c) enhance social support for panic recovery; (d) teach cognitive restructuring skills related to relapse prevention; (e) provide a protocol to follow in the event of a setback; and (f) reduce overall levels of stress. Brief monthly phone contacts were included in the BT-RP condition. Thirty-six participants, 17 in the BT-RP condition and 19 in the WL control condition, completed the study. A 2 (Treatment condition: BT-RP versus WL control) X 2 (Time: Pre-BT-RP assessment versus Post-BT-RP assessment) mixed-model research design was used to analyze the results. Results indicted significant reductions from pre- to post-treatment in the BT-RP condition for panic cognitions, anticipatory anxiety, agoraphobic avoidance, and depression, but not in the WL condition. When statistically controlling for initial levels of these variables via analyses of covariance (ANCOVAs), significant post-treatment differences in the expected direction emerged for these four dependent measure and for state anxiety. In addition, the BT-RP group reported significantly fewer panic attacks during the six-month course of the treatment trial than the WL control group on a measure of retrospective recall of full-blown panic attacks. There was also a statistically significant proportional between-group difference in terms of clinically significant improvement for full-blown panic attacks and agoraphobic avoidance in favor of the BT-RP group. However, no significant between-group differences emerged for the maintenance of initial treatment gains for panic frequency, panic symptoms, panic cognitions, anticipatory anxiety, or agoraphobic avoidance. Results of the present study are discussed in the framework of benefits of the present BT-RP program, limitations of the findings, recommendations for future research in this area, and implications for BT treatments in general. / Ph. D.

bibliotherapy

relapse prevention

self-help

panic attacks

A Test of the Effects of Assessment and Feedback on Individuals with Panic Attacks

Roodman, Allison Anne

21 August 1998

Treatment outcome studies investigating potential treatments for panic disorder invariably begin with a lengthy assessment designed to determine whether a potential subject meets criteria for the disorder. Through the process of assessment, subject are usually given some form of feedback about their condition, if only to tell them they meet criteria to enter the study. Assessment and feedback are thought to have therapeutic effects and empirical evidence is beginning to document this (Bien, Miller, & Tonigan, 1993; Finn & Tonsager, 1992). To date, there have been no studies that investigate the effects of assessment plus feedback or assessment alone on individuals with panic attacks. This study investigated whether assessment or assessment plus feedback produced any differential effects on panic attack sufferers. Seventy participants were randomly assigned to one of four groups: 1) assessment with mailed feedback (n=17); 2) assessment with face-to-face feedback (n=14); 3) assessment with no feedback (n=19); and 4) no assessment or feedback (n=20). Assessment consisted of completing a composite self-report instrument that asks about frequency of panic attacks and panic-related symptomatology. Feedback was standardized and computer generated but individualized based on scores on the assessment measure. All groups completed the outcome measures and between group differences were examined. No statistically significant differences were found between these four groups on any dependent measure. However, for a smaller subset of participants (N=35) who had at least one full panic attack at pre-assessment, a significant reduction in frequency of combined (full plus limited-symptom) panic attacks was seen pre to post, F(1,32)=7.47, p<.01, with a marginally significant two-way interaction of Time and Condition, F(2,32)=3.12, p<.06. Basically, both feedback groups showed a reduction in panic attacks while the assessment only condition remained the same. / Master of Science

panic attacks

self-help

assessment

feedback