  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
291

Enhancing deep learning security through explainability and robustness

Kiourti, Panagiota 11 September 2024
The growing interest in deploying deep learning models in critical applications has raised concerns about their vulnerabilities, particularly to backdoor or Trojan attacks. These attacks aim to train a network to respond maliciously to specially crafted trigger patterns in the inputs while exhibiting state-of-the-art performance. This thesis addresses the identification of such attacks in deep reinforcement learning, proposes a mitigation strategy for their detection in classification neural networks in production using feature attribution methods, and introduces a new framework for evaluating the robustness of attribution methods. Firstly, TrojDRL is introduced as a tool for exploring and evaluating backdoor attacks on deep reinforcement learning agents. TrojDRL exploits the sequential nature of deep reinforcement learning (DRL) and considers various threat model gradations. It introduces untargeted attacks on state-of-the-art actor-critic policy networks that can circumvent existing defenses built on the assumption that backdoors are targeted. TrojDRL shows that the attacks require only as little as 0.025% poisoning of the training data. Compared with existing works of backdoor attacks on classification models, this tool is a pioneering effort toward understanding the vulnerability of DRL agents. Secondly, this thesis presents MISA, a new online detection approach for Trojan triggers present in neural networks at inference time after the deployment of the model. MISA utilizes feature attribution methods to explain the decision of a neural network. It defines misattributions to capture the anomalous manifestation of a Trojan activation in the feature attribution space by first computing the input's attribution on different features and then statistically analyzing these attributions to ascertain the presence of a Trojan trigger. 
Across a set of benchmarks, MISA can effectively detect Trojan triggers for a wide variety of trigger patterns, achieving 96% AUC for detecting Trojan-triggered images without any assumptions on the trigger pattern. Lastly, the robustness of feature attribution methods for deep neural networks is critically examined. This thesis challenges the current notion of attributional robustness that largely ignores the difference in the model's outputs and introduces a new evaluation framework. This involves defining similar inputs in a different way than existing methods do and introducing a novel method based on generative adversarial networks to generate these inputs, leading to a different definition of attributional robustness. The new robustness metric is comprehensively evaluated against existing metrics and state-of-the-art attribution methods. The findings highlight the need for a more objective metric that reveals the weaknesses of an attribution method rather than that of the neural network, thus providing a more accurate evaluation of the robustness of attribution methods.
292

Software and hardware codesign of SmartNIC-based heterogeneous HPC clusters with machine learning case studies

Guo, Anqi 11 September 2024
Machine learning has evolved significantly recently and has penetrated every aspect of science, technology, and daily life. As application prediction demands higher accuracy and more complex tasks, larger models are proposed to meet these requirements. Deep learning applications like recommendation models and large language models have evolved with trillions of parameters and consume up to terabytes of memory. These models have outpaced the growth of GPU memories: GPU clusters, which aggregate GPU memory, have therefore grown exponentially to accommodate these large models. The Memory wall refers to the point at which the demand for memory exceeds the available capacity, creating a bottleneck for training ever-larger deep learning models. Heterogeneous deep learning training has become a key approach to addressing the limitations of GPU clusters, especially as models grow in size and complexity. By combining the strengths of CPUs, GPUs, and NVMe memory, heterogeneous systems aim to overcome the required scale of GPU clusters and mitigate the memory wall limitation by offloading model states and parameters and making it possible to train ever-growing large-size models on limited resources. However, such heterogeneous system performance is limited by the data exchange, computation, and control efficiency. Advanced network interface cards, known as SmartNICs, have emerged to mitigate network challenges in scale-out data centers. The placement of SmartNICs as a network-facing computational component within a node allows them to efficiently manage communication between different parts of the distributed system, offloading tasks from the central processors and reducing network traffic bottlenecks. As SmartNICs continue to evolve, they are expected to play a crucial role in enabling more scalable and efficient operations in large-scale data centers, addressing the growing demands of modern applications like machine learning and big data analytics. 
In this thesis, we propose heterogeneous SmartNIC-based systems for coupling software and hardware for machine learning applications. We explore the heterogeneous system design space in four steps: examining the practical capabilities of emerging SmartNICs, integrating host-detached SmartNICs into CPU-centric systems, facilitating SmartNICs in GPU-centric systems, and exploring SmartNICs beyond computation offload with heterogeneous global control and disaggregated memory systems. Our proposal involves software-hardware codesign of SmartNIC-based systems, enhancing system performance through dynamic scheduling and control, enabling both GPU and CPU to focus on computation with reduced interruptions. The SmartNICs serve as an intermediary layer, breaking barriers between heterogeneous system components and facilitating seamless connectivity between GPUs and CPU offload engines. Additionally, the introduction of a caching system reduces communication workload and memory bandwidth pressure. Furthermore, SmartNICs are attached to the switch level with disaggregated memory, forming a heterogeneous global control system. This system aims to minimize system barrier and synchronization overhead while maximizing communication-computation overlap and model FLOPs utilization for higher system performance.
293

Reshaping input spaces to fuzz complex targets

Bulekov, Alexander 23 May 2024
In recent years, fuzz-testing has appeared as the dominant technique for automatically finding security issues in software. “Off-the-shelf” fuzzers such as AFL(++) and libFuzzer (Fioraldi et al., 2020; Serebryany, 2015) have been successfully applied to fuzz a wide range of software. The OSS-Fuzz project alone fuzzes over a thousand open-source projects and has found 40,000+ bugs to date. However, most prolific fuzzers are designed to target applications with well-defined APIs for ingesting inputs, such as image parsers. Applying fuzzers to targets with unconstrained and semantically-complex input-spaces, such as operating-system kernels, hypervisors, and browsers has proved to be a difficult problem. Most fuzzer implementations targeting these targets rely on an intermediate “grammar” layer between the fuzzing engine and the target to produce meaningful inputs. While effective, writing grammars requires a significant amount of manual effort by an expert. The grammar approach faces scaling issues when faced with the enormous amount of new code added to complex software, on a daily basis. In this thesis, we introduce input-space reshaping as a solution to the problem of fuzzing systems with semantically-complex input-spaces. While complex systems often feature clear interface boundaries, they usually accept input data both by listening to input-requests, but also by reading data directly, across the interface-boundary. Reshaping uses this common design paradigm by hooking into both types of accesses to provide fuzzers with a precise view of the input-data accessed by a system, without the need for prior-knowledge of input-semantics. Leveraging reshaping, we found that making minor modifications to the way a target ingests inputs, and providing key feedback to the fuzzer throughout input-execution drastically increases the efficiency of fuzzing complex targets with off-the-shelf fuzzing methods, without intermediate grammars. 
Furthermore, we found that, in some cases, reshaping can be applied without any access to target source code, by leveraging inherent characteristics of the target. To support these claims, we describe our three applications of reshaping:
1. Fuzzing open-source hypervisors, by making minor modifications to the hypervisor source-code
2. Fuzzing the Linux Kernel without effort-intensive system-call descriptions
3. Fuzzing arbitrary closed-source hypervisors, without any modifications to source-code
We detail our implementation of reshaping for each of these targets, and describe the results of our fuzzing campaigns, when compared with other state-of-the-art approaches. We demonstrate that while reshaping has a low initial implementation cost for the security engineer (less than 2% lines of code required per interface), it still competes with fuzzers outfitted with meticulously-crafted grammars.
294

Go viral and go toxic: the use and abuse of social media

Ling, Chen 24 May 2024
After the COVID-19 pandemic, social media have become even more important in our lives. At the same time, the rapid dissemination of information online poses challenges to content quality and exposes social media platforms to various risks. This makes content moderation an important challenge. Current moderation systems on social media are facing a constantly changing ecosystem. In particular, abusive attacks are shaped by technology and social events. Misinformation and harassment can be implicit and context-dependent, making the detection challenging. Different online communities have different characteristics and often abuse unfolds across multiple communities. This dissertation addresses the critical need for innovative moderation schemes that help with the current approach which relies heavily on human moderators for precise moderation. Given the increasing prevalence of multi-modal content, like images and videos, detecting toxicity in these modalities using automated tools is challenging. Due to these challenges, a prioritization scheme based on the virality of the content by a mixed-method and multi-modal approach can reinforce an effective human-in-the-loop moderation system. In this dissertation, I first present my work on measuring toxicity across social media through two case studies: one is Zoombombing, and the other is drug abuse videos, to get a better understanding of them. In both cases, I observe a mixture of misinformation, dangerous, and hateful content left unmoderated. Then, I evaluate the effectiveness of the existing social media moderation system regarding COVID-19. I find that it is largely text-aware and contradictory, relying on human-in-the-loop for precise moderation. Finally, I examine features that promote content's virality to prioritize potential popular content to facilitate the decision-making process of content by human moderators. 
Overall, this dissertation presents a novel prioritization scheme that incorporates mixed-method and multi-modal techniques, offering a significant advancement for the human-in-the-loop moderation processes in social media. By prioritizing content based on its potential virality, this approach empowers content moderators to make more informed decisions, thereby enhancing the overall efficacy of moderation systems in combating online toxicity.
295

A Scalable and Efficient Outlier Detection Strategy for Categorical Data

Ortiz, Enrique 01 January 2007
Outlier detection has received significant attention in many applications, such as credit card fraud detection and network intrusion detection. Most of the existing research efforts focus on numerical datasets and cannot be directly applied to categorical sets where there is little sense in ordering the data and calculating distances among data points. Furthermore, a number of the current outlier detection methods require quadratic time with respect to the dataset size and usually need multiple scans of the data; these features are undesirable when the datasets are large and scattered over multiple geographically distributed sites. In this paper, we focus on and evaluate, experimentally, a few representative current outlier detection approaches (one based on entropy and two based on frequent itemsets) that are geared towards categorical sets. In addition, we introduce a simple, scalable and efficient outlier detection algorithm that has the advantage of discovering outliers in categorical datasets by performing a single scan of the dataset. This newly introduced outlier detection algorithm is compared with the existing, aforementioned outlier detection strategies. The conclusion from this comparison is that the simple outlier detection algorithm that we introduce is more efficient (faster) than the existing strategies, and as effective (accurate) in discovering outliers.
296

An automatic medication management system for independently living healthcare patients

McCall, Corey 01 January 2010
Many healthcare patients are required to enroll in assisted living facilities because they are not able to manage their complex medication regimen without the active assistance of a caregiver. This restricts their ability to live independently, and places a considerable burden on the healthcare system. This thesis describes the development of a system that implements automatic medication management and passive remote monitoring for outpatients. The goal of the system is to enable patients to live independently, while reducing medication noncompliance. The resulting prototype is a device that performs two essential functions: (1) to provide notifications and assistance to the patient when medication is to be taken, and (2) to provide passive monitoring of the patient's compliance to a remote caregiver.
297

Predicting software effort for a new project using data from a casebase of previously completed projects

Chan, Wai Lun 01 January 1997
No description available.
298

Using voicexml to provide real-time traffic information

Trinh, Viet 01 January 2002
The objective of this thesis is to study and analyze the feasibility of providing voice access for real-time traffic information. A simulated 8-mile stretch of Interstate-4 will be used as the test model for this particular study. The simulation provides real-time traffic information to a Web Map on the Internet. Since the information is accessed through the Internet, web technologies encompassing VoiceXML is the strong candidate as a method of providing this real-time service. VoiceXML includes automated speech recognition (ASR) and text-to-speech (TTS) capabilities, which accommodate the voice aspect of the research. Therefore, VoiceXML and real-time information will be studied and researched in detail. The thesis will involve development of a web site containing a real-time simulated Web Map of Interstate-4. Web technologies, such as database, dynamic web languages, and VoiceXML will be used to implement interfaces for access to this service through mobile and conventional telephones. The system will be tested with several users to determine the merit and industrial strength of the integration of the technologies used and applied.
299

Simulation and interpretation for a voice-activated traffic information system

Mennicke, Martin 01 January 2003
This project explores the various aspects of real-time data analysis, and how it can be applied to a simple interface through which a user can access traffic information. This thesis involves the development of discrete-event simulation models of the traffic patterns on Interstate 4 (I-4) in Orlando. The information gathered from these patterns was used to create a simulated I-4 Web Map (containing virtual sensors). The simulation was exercised to develop and build an aggregator which reads, interprets and deciphers the information and feedback obtained from the I-4 Web Map. This information is then expressed in English words. These words, in turn, are communicated to the user by voice via a telephone. A prototype was built selecting a subsection of the simulated I-4 Web Map in Orlando. This is summarized in this thesis along with different guidelines necessary for expanding the system, the strength of the current leading-edge technologies, and a foundation to start exploring more sophisticated models.
300

Neural algorithms for EMI based landmine detection

Draper, Matthew C. 01 January 2003
Landmines are a major problem facing the world today. There are millions of these deadly weapons still buried in various countries around the world. Humanitarian organizations dedicate an immeasurable amount of time, effort, and money to find and remove as many of these mines as possible. Over the past decade the US Government has become involved and has encouraged much research into improving landmine sensor technologies such as Ground Penetrating Radar, Infrared Cameras, Electro-Magnetic Induction sensors, and a variety of other technologies. The major goal of this research has been two-fold; it is important to improve the probability of detection of landmines, and, equally important, to reduce the probability of false alarms. The major cost of de-mining is incurred in the efforts to safely remove suspected landmines from the ground. The technicians have to carefully dig up the object, treating it as a live mine or piece of unexploded ordnance. Unfortunately, landmines can be made out of fairly common materials such as metal, wood, and plastic, which can confuse the sensor and cause it to erroneously report normal material in the field as mines. In an effort to reduce the number of false alarms, researchers have investigated the use of computers to analyze the raw data coming from the sensor. These computers could process the raw data and decide whether or not a certain location contains a mine. One popular avenue in this field of research is using neural networks. This thesis takes a look at a variety of neural network approaches to mine detection and looks specifically at the use of an artificial neural network (ANN) with data that has been pre-processed with the 8-technique and S-Statistic. It is shown that an ANN that uses the 8-technique and S-Statistic as inputs will achieve an acceptably high probability of detection with a low probability of false alarms.
It is also shown that the pre-processing is responsible for most of the performance gain, as the Back Propagation Neural Network (BPNN) and Random Neural Network (RNN) models achieve similar probabilities of detection. The BPNN, however, does consistently perform better than the RNN by a small margin.
