-
On Trojans in Refined Language Models
Authors:
Jayaram Raghuram,
George Kesidis,
David J. Miller
Abstract:
A Trojan in a language model can be inserted when the model is refined for a particular application such as determining the sentiment of product reviews. In this paper, we clarify and empirically explore variations of the data-poisoning threat model. We then empirically assess two simple defenses each for a different defense scenario. Finally, we provide a brief survey of related attacks and defenses.
Submitted 11 June, 2024;
originally announced June 2024.
-
Universal Post-Training Reverse-Engineering Defense Against Backdoors in Deep Neural Networks
Authors:
Xi Li,
Hang Wang,
David J. Miller,
George Kesidis
Abstract:
A variety of defenses have been proposed against backdoor attacks on deep neural network (DNN) classifiers. Universal methods seek to reliably detect and/or mitigate backdoors irrespective of the incorporation mechanism used by the attacker, while reverse-engineering methods often explicitly assume one. In this paper, we describe a new detector that: relies on internal feature map of the defended DNN to detect and reverse-engineer the backdoor and identify its target class; can operate post-training (without access to the training dataset); is highly effective for various incorporation mechanisms (i.e., is universal); and which has low computational overhead and so is scalable. Our detection approach is evaluated for different attacks on benchmark CIFAR-10 and CIFAR-100 image classifiers.
Submitted 22 May, 2024; v1 submitted 3 February, 2024;
originally announced February 2024.
-
Phenomenology of a Deconstructed Electroweak Force
Authors:
Joe Davighi,
Alastair Gosnay,
David J Miller,
Sophie Renner
Abstract:
We study an effective theory of flavour in which the $SU(2)_L$ interaction is `flavour-deconstructed' near the TeV scale. This arises, for example, in UV models that unify all three generations of left-handed fermions via an $Sp(6)_L$ symmetry. Flavour-universality of the electroweak force emerges accidentally (but naturally) from breaking the $\prod_{i=1}^3 SU(2)_{L,i}$ gauge group to its diagonal subgroup, delivering hierarchical fermion masses and left-handed mixing angles in the process. The heavy gauge bosons transform as two $SU(2)_L$ triplets that mediate new flavour non-universal forces. The lighter of these couples universally to the light generations, allowing consistency with flavour bounds even for a TeV scale mass. Constraints from flavour, high mass LHC searches, and electroweak precision are then highly complementary, excluding masses below 9 TeV. The heavier triplet must instead be hundreds of TeV to be consistent with meson mixing constraints. Because only the lighter triplet couples to the Higgs, we find radiative Higgs mass corrections of a few hundred GeV, meaning this model of flavour is arguably natural. The natural region will, however, be almost completely covered by the planned electroweak programme at FCC-ee. On shorter timescales, significant parameter space will be explored by the High-Luminosity LHC measurements at high-$p_T$, and upcoming lepton flavour violation experiments, principally Mu3e.
Submitted 11 April, 2024; v1 submitted 20 December, 2023;
originally announced December 2023.
-
Post-Training Overfitting Mitigation in DNN Classifiers
Authors:
Hang Wang,
David J. Miller,
George Kesidis
Abstract:
Well-known (non-malicious) sources of overfitting in deep neural net (DNN) classifiers include: i) large class imbalances; ii) insufficient training-set diversity; and iii) over-training. In recent work, it was shown that backdoor data-poisoning also induces overfitting, with unusually large classification margins to the attacker's target class, mediated particularly by (unbounded) ReLU activations that allow large signals to propagate in the DNN. Thus, an effective post-training (with no knowledge of the training set or training process) mitigation approach against backdoors was proposed, leveraging a small clean dataset, based on bounding neural activations. Improving upon that work, we threshold activations specifically to limit maximum margins (MMs), which yields performance gains in backdoor mitigation. We also provide some analytical support for this mitigation approach. Most importantly, we show that post-training MM-based regularization substantially mitigates non-malicious overfitting due to class imbalances and overtraining. Thus, unlike adversarial training, which provides some resilience against attacks but which harms clean (attack-free) generalization, we demonstrate an approach originating from adversarial learning that helps clean generalization accuracy. Experiments on CIFAR-10 and CIFAR-100, in comparison with peer methods, demonstrate strong performance of our methods.
Submitted 28 September, 2023;
originally announced September 2023.
-
Backdoor Mitigation by Correcting the Distribution of Neural Activations
Authors:
Xi Li,
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor (Trojan) attacks are an important type of adversarial exploit against deep neural networks (DNNs), wherein a test instance is (mis)classified to the attacker's target class whenever the attacker's backdoor trigger is present. In this paper, we reveal and analyze an important property of backdoor attacks: a successful attack causes an alteration in the distribution of internal layer activations for backdoor-trigger instances, compared to that for clean instances. Even more importantly, we find that instances with the backdoor trigger will be correctly classified to their original source classes if this distribution alteration is corrected. Based on our observations, we propose an efficient and effective method that achieves post-training backdoor mitigation by correcting the distribution alteration using reverse-engineered triggers. Notably, our method does not change any trainable parameters of the DNN, but achieves generally better mitigation performance than existing methods that do require intensive DNN parameter tuning. It also efficiently detects test instances with the trigger, which may help to catch adversarial entities in the act of exploiting the backdoor.
Submitted 18 August, 2023;
originally announced August 2023.
-
Improved Activation Clipping for Universal Backdoor Mitigation and Test-Time Detection
Authors:
Hang Wang,
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Deep neural networks are vulnerable to backdoor attacks (Trojans), where an attacker poisons the training set with backdoor triggers so that the neural network learns to classify test-time triggers to the attacker's designated target class. Recent work shows that backdoor poisoning induces over-fitting (abnormally large activations) in the attacked model, which motivates a general, post-training clipping method for backdoor mitigation, i.e., with bounds on internal-layer activations learned using a small set of clean samples. We devise a new such approach, choosing the activation bounds to explicitly limit classification margins. This method gives superior performance against peer methods for CIFAR-10 image classification. We also show that this method has strong robustness against adaptive attacks, X2X attacks, and on different datasets. Finally, we demonstrate a method extension for test-time detection and correction based on the output differences between the original and activation-bounded networks. The code of our method is online available.
Submitted 8 August, 2023;
originally announced August 2023.
-
Spatial mapping and analysis of graphene nanomechanical resonator networks
Authors:
Brittany Carter,
Viva R. Horowitz,
Uriel Hernandez,
David J. Miller,
Andrew Blaikie,
Benjamín J. Alemán
Abstract:
Nanoelectromechanical (NEMS) resonator networks have drawn increasing interest due to their potential applications in emergent behavior, sensing, phononics, and mechanical information processing. A challenge toward realizing these large-scale networks is the ability to controllably tune and reconfigure the collective, macroscopic properties of the network, which relies directly on the development of methods to characterize the constituent NEMS resonator building blocks and their coupling. In this work, we demonstrate a scalable optical technique to spatially map graphene NEMS networks and read out the fixed-frequency collective response as a single vector. Using the response vectors, we introduce an efficient algebraic approach to quantify the site-specific elasticity, mass, damping, and coupling parameters of network clusters. We apply this technique to accurately characterize single uncoupled resonators and coupled resonator pairs by sampling them at just two frequencies, and without the use of curve fitting or the associated a priori parameter estimates. Our technique may be applied to a range of classical and quantum resonator systems and fills in a vital gap for programming NEMS networks.
Submitted 7 February, 2023;
originally announced February 2023.
-
Training set cleansing of backdoor poisoning by self-supervised representation learning
Authors:
H. Wang,
S. Karami,
O. Dia,
H. Ritter,
E. Emamjomeh-Zadeh,
J. Chen,
Z. Xiang,
D. J. Miller,
G. Kesidis
Abstract:
A backdoor or Trojan attack is an important type of data poisoning attack against deep neural network (DNN) classifiers, wherein the training dataset is poisoned with a small number of samples that each possess the backdoor pattern (usually a pattern that is either imperceptible or innocuous) and which are mislabeled to the attacker's target class. When trained on a backdoor-poisoned dataset, a DNN behaves normally on most benign test samples but makes incorrect predictions to the target class when the test sample has the backdoor pattern incorporated (i.e., contains a backdoor trigger). Here we focus on image classification tasks and show that supervised training may build stronger association between the backdoor pattern and the associated target class than that between normal features and the true class of origin. By contrast, self-supervised representation learning ignores the labels of samples and learns a feature embedding based on images' semantic content. %We thus propose to use unsupervised representation learning to avoid emphasising backdoor-poisoned training samples and learn a similar feature embedding for samples of the same class. Using a feature embedding found by self-supervised representation learning, a data cleansing method, which combines sample filtering and re-labeling, is developed. Experiments on CIFAR-10 benchmark datasets show that our method achieves state-of-the-art performance in mitigating backdoor attacks.
Submitted 14 March, 2023; v1 submitted 18 October, 2022;
originally announced October 2022.
-
MM-BD: Post-Training Detection of Backdoor Attacks with Arbitrary Backdoor Pattern Types Using a Maximum Margin Statistic
Authors:
Hang Wang,
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor attacks are an important type of adversarial threat against deep neural network classifiers, wherein test samples from one or more source classes will be (mis)classified to the attacker's target class when a backdoor pattern is embedded. In this paper, we focus on the post-training backdoor defense scenario commonly considered in the literature, where the defender aims to detect whether a trained classifier was backdoor-attacked without any access to the training set. Many post-training detectors are designed to detect attacks that use either one or a few specific backdoor embedding functions (e.g., patch-replacement or additive attacks). These detectors may fail when the backdoor embedding function used by the attacker (unknown to the defender) is different from the backdoor embedding function assumed by the defender. In contrast, we propose a post-training defense that detects backdoor attacks with arbitrary types of backdoor embeddings, without making any assumptions about the backdoor embedding type. Our detector leverages the influence of the backdoor attack, independent of the backdoor embedding mechanism, on the landscape of the classifier's outputs prior to the softmax layer. For each class, a maximum margin statistic is estimated. Detection inference is then performed by applying an unsupervised anomaly detector to these statistics. Thus, our detector does not need any legitimate clean samples, and can efficiently detect backdoor attacks with arbitrary numbers of source classes. These advantages over several state-of-the-art methods are demonstrated on four datasets, for three different types of backdoor patterns, and for a variety of attack configurations. Finally, we propose a novel, general approach for backdoor mitigation once a detection is made. The mitigation approach was the runner-up at the first IEEE Trojan Removal Competition. The code is online available.
Submitted 6 August, 2023; v1 submitted 13 May, 2022;
originally announced May 2022.
-
Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios
Authors:
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor attacks (BAs) are an emerging threat to deep neural network classifiers. A victim classifier will predict to an attacker-desired target class whenever a test sample is embedded with the same backdoor pattern (BP) that was used to poison the classifier's training set. Detecting whether a classifier is backdoor attacked is not easy in practice, especially when the defender is, e.g., a downstream user without access to the classifier's training set. This challenge is addressed here by a reverse-engineering defense (RED), which has been shown to yield state-of-the-art performance in several domains. However, existing REDs are not applicable when there are only {\it two classes} or when {\it multiple attacks} are present. These scenarios are first studied in the current paper, under the practical constraints that the defender neither has access to the classifier's training set nor to supervision from clean reference classifiers trained for the same domain. We propose a detection framework based on BP reverse-engineering and a novel {\it expected transferability} (ET) statistic. We show that our ET statistic is effective {\it using the same detection threshold}, irrespective of the classification domain, the attack configuration, and the BP reverse-engineering algorithm that is used. The excellent performance of our method is demonstrated on six benchmark datasets. Notably, our detection framework is also applicable to multi-class scenarios with multiple attacks. Code is available at https://github.com/zhenxianglance/2ClassBADetection.
Submitted 14 March, 2022; v1 submitted 20 January, 2022;
originally announced January 2022.
-
Test-Time Detection of Backdoor Triggers for Poisoned Deep Neural Networks
Authors:
Xi Li,
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor (Trojan) attacks are emerging threats against deep neural networks (DNN). A DNN being attacked will predict to an attacker-desired target class whenever a test sample from any source class is embedded with a backdoor pattern; while correctly classifying clean (attack-free) test samples. Existing backdoor defenses have shown success in detecting whether a DNN is attacked and in reverse-engineering the backdoor pattern in a "post-training" regime: the defender has access to the DNN to be inspected and a small, clean dataset collected independently, but has no access to the (possibly poisoned) training set of the DNN. However, these defenses neither catch culprits in the act of triggering the backdoor mapping, nor mitigate the backdoor attack at test-time. In this paper, we propose an "in-flight" defense against backdoor attacks on image classification that 1) detects use of a backdoor trigger at test-time; and 2) infers the class of origin (source class) for a detected trigger example. The effectiveness of our defense is demonstrated experimentally against different strong backdoor attacks.
Submitted 6 December, 2021;
originally announced December 2021.
-
Improved Constraints on Effective Top Quark Interactions using Edge Convolution Networks
Authors:
Oliver Atkinson,
Akanksha Bhardwaj,
Stephen Brown,
Christoph Englert,
David J. Miller,
Panagiotis Stylianou
Abstract:
We explore the potential of Graph Neural Networks (GNNs) to improve the performance of high-dimensional effective field theory parameter fits to collider data beyond traditional rectangular cut-based differential distribution analyses. In this study, we focus on a SMEFT analysis of $pp \to t\bar t$ production, including top decays, where the linear effective field deformation is parametrised by thirteen independent Wilson coefficients. The application of GNNs allows us to condense the multidimensional phase space information available for the discrimination of BSM effects from the SM expectation by considering all available final state correlations directly. The number of contributing new physics couplings very quickly leads to statistical limitations when the GNN output is directly employed as an EFT discrimination tool. However, a selection based on minimising the SM contribution enhances the fit's sensitivity when reflected as a (non-rectangular) selection on the inclusive data samples that are typically employed when looking for non-resonant deviations from the SM by means of differential distributions.
Submitted 28 April, 2022; v1 submitted 2 November, 2021;
originally announced November 2021.
-
Detecting Backdoor Attacks Against Point Cloud Classifiers
Authors:
Zhen Xiang,
David J. Miller,
Siheng Chen,
Xi Li,
George Kesidis
Abstract:
Backdoor attacks (BA) are an emerging threat to deep neural network classifiers. A classifier being attacked will predict to the attacker's target class when a test sample from a source class is embedded with the backdoor pattern (BP). Recently, the first BA against point cloud (PC) classifiers was proposed, creating new threats to many important applications including autonomous driving. Such PC BAs are not detectable by existing BA defenses due to their special BP embedding mechanism. In this paper, we propose a reverse-engineering defense that infers whether a PC classifier is backdoor attacked, without access to its training set or to any clean classifiers for reference. The effectiveness of our defense is demonstrated on the benchmark ModelNet40 dataset for PCs.
Submitted 19 October, 2021;
originally announced October 2021.
-
Backdoor Attack and Defense for Deep Regression
Authors:
Xi Li,
George Kesidis,
David J. Miller,
Vladimir Lucic
Abstract:
We demonstrate a backdoor attack on a deep neural network used for regression. The backdoor attack is localized based on training-set data poisoning wherein the mislabeled samples are surrounded by correctly labeled ones. We demonstrate how such localization is necessary for attack success. We also study the performance of a backdoor defense using gradient-based discovery of local error maximizers. Local error maximizers which are associated with significant (interpolation) error, and are proximal to many training samples, are suspicious. This method is also used to accurately train for deep regression in the first place by active (deep) learning leveraging an "oracle" capable of providing real-valued supervision (a regression target) for samples. Such oracles, including traditional numerical solvers of PDEs or SDEs using finite difference or Monte Carlo approximations, are far more computationally costly compared to deep regression.
Submitted 6 September, 2021;
originally announced September 2021.
-
Robust and Active Learning for Deep Neural Network Regression
Authors:
Xi Li,
George Kesidis,
David J. Miller,
Maxime Bergeron,
Ryan Ferguson,
Vladimir Lucic
Abstract:
We describe a gradient-based method to discover local error maximizers of a deep neural network (DNN) used for regression, assuming the availability of an "oracle" capable of providing real-valued supervision (a regression target) for samples. For example, the oracle could be a numerical solver which, operationally, is much slower than the DNN. Given a discovered set of local error maximizers, the DNN is either fine-tuned or retrained in the manner of active learning.
Submitted 27 July, 2021;
originally announced July 2021.
-
A BIC-based Mixture Model Defense against Data Poisoning Attacks on Classifiers
Authors:
Xi Li,
David J. Miller,
Zhen Xiang,
George Kesidis
Abstract:
Data Poisoning (DP) is an effective attack that causes trained classifiers to misclassify their inputs. DP attacks significantly degrade a classifier's accuracy by covertly injecting attack samples into the training set. Broadly applicable to different classifier structures, without strong assumptions about the attacker, an {\it unsupervised} Bayesian Information Criterion (BIC)-based mixture model defense against "error generic" DP attacks is herein proposed that: 1) addresses the most challenging {\it embedded} DP scenario wherein, if DP is present, the poisoned samples are an {\it a priori} unknown subset of the training set, and with no clean validation set available; 2) applies a mixture model both to well-fit potentially multi-modal class distributions and to capture poisoned samples within a small subset of the mixture components; 3) jointly identifies poisoned components and samples by minimizing the BIC cost defined over the whole training set, with the identified poisoned data removed prior to classifier training. Our experimental results, for various classifier structures and benchmark datasets, demonstrate the effectiveness and universality of our defense under strong DP attacks, as well as its superiority over other works.
Submitted 12 May, 2022; v1 submitted 27 May, 2021;
originally announced May 2021.
-
Anomaly Detection of Adversarial Examples using Class-conditional Generative Adversarial Networks
Authors:
Hang Wang,
David J. Miller,
George Kesidis
Abstract:
Deep Neural Networks (DNNs) have been shown vulnerable to Test-Time Evasion attacks (TTEs, or adversarial examples), which, by making small changes to the input, alter the DNN's decision. We propose an unsupervised attack detector on DNN classifiers based on class-conditional Generative Adversarial Networks (GANs). We model the distribution of clean data conditioned on the predicted class label by an Auxiliary Classifier GAN (AC-GAN). Given a test sample and its predicted class, three detection statistics are calculated based on the AC-GAN Generator and Discriminator. Experiments on image classification datasets under various TTE attacks show that our method outperforms previous detection methods. We also investigate the effectiveness of anomaly detection using different DNN layers (input features or internal-layer features) and demonstrate, as one might expect, that anomalies are harder to detect using features closer to the DNN's output layer.
Submitted 12 May, 2022; v1 submitted 20 May, 2021;
originally announced May 2021.
-
A Backdoor Attack against 3D Point Cloud Classifiers
Authors:
Zhen Xiang,
David J. Miller,
Siheng Chen,
Xi Li,
George Kesidis
Abstract:
Vulnerability of 3D point cloud (PC) classifiers has become a grave concern due to the popularity of 3D sensors in safety-critical applications. Existing adversarial attacks against 3D PC classifiers are all test-time evasion (TTE) attacks that aim to induce test-time misclassifications using knowledge of the classifier. But since the victim classifier is usually not accessible to the attacker, the threat is largely diminished in practice, as PC TTEs typically have poor transferability. Here, we propose the first backdoor attack (BA) against PC classifiers. Originally proposed for images, BAs poison the victim classifier's training set so that the classifier learns to decide to the attacker's target class whenever the attacker's backdoor pattern is present in a given input sample. Significantly, BAs do not require knowledge of the victim classifier. Different from image BAs, we propose to insert a cluster of points into a PC as a robust backdoor pattern customized for 3D PCs. Such clusters are also consistent with a physical attack (i.e., with a captured object in a scene). We optimize the cluster's location using an independently trained surrogate classifier and choose the cluster's local geometry to evade possible PC preprocessing and PC anomaly detectors (ADs). Experimentally, our BA achieves a uniformly high success rate (> 87%) and shows evasiveness against state-of-the-art PC ADs.
Submitted 12 April, 2021;
originally announced April 2021.
-
L-RED: Efficient Post-Training Detection of Imperceptible Backdoor Attacks without Access to the Training Set
Authors:
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor attacks (BAs) are an emerging form of adversarial attack typically against deep neural network image classifiers. The attacker aims to have the classifier learn to classify to a target class when test images from one or more source classes contain a backdoor pattern, while maintaining high accuracy on all clean test images. Reverse-Engineering-based Defenses (REDs) against BAs do not require access to the training set but only to an independent clean dataset. Unfortunately, most existing REDs rely on an unrealistic assumption that all classes except the target class are source classes of the attack. REDs that do not rely on this assumption often require a large set of clean images and heavy computation. In this paper, we propose a Lagrangian-based RED (L-RED) that does not require knowledge of the number of source classes (or whether an attack is present). Our defense requires very few clean images to effectively detect BAs and is computationally efficient. Notably, we detect 56 out of 60 BAs using only two clean images per class in our experiments on CIFAR-10.
Submitted 21 October, 2020; v1 submitted 19 October, 2020;
originally announced October 2020.
-
Reverse Engineering Imperceptible Backdoor Attacks on Deep Neural Networks for Detection and Training Set Cleansing
Authors:
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Backdoor data poisoning is an emerging form of adversarial attack usually against deep neural network image classifiers. The attacker poisons the training set with a relatively small set of images from one (or several) source class(es), embedded with a backdoor pattern and labeled to a target class. For a successful attack, during operation, the trained classifier will: 1) misclassify a test image from the source class(es) to the target class whenever the same backdoor pattern is present; 2) maintain a high classification accuracy for backdoor-free test images. In this paper, we make a break-through in defending backdoor attacks with imperceptible backdoor patterns (e.g. watermarks) before/during the training phase. This is a challenging problem because it is a priori unknown which subset (if any) of the training set has been poisoned. We propose an optimization-based reverse-engineering defense, that jointly: 1) detects whether the training set is poisoned; 2) if so, identifies the target class and the training images with the backdoor pattern embedded; and 3) additionally, reversely engineers an estimate of the backdoor pattern used by the attacker. In benchmark experiments on CIFAR-10, for a large variety of attacks, our defense achieves a new state-of-the-art by reducing the attack success rate to no more than 4.9% after removing detected suspicious training images.
Submitted 14 October, 2020;
originally announced October 2020.
-
The Weinberg Angle and 5D RGE effects in a SO(11) GUT theory
Authors:
Christoph Englert,
David J. Miller,
Dumitru Dan Smaranda
Abstract:
The Weinberg angle is an important parameter in Grand Unified Theories (GUT) as its size is crucially influenced by the assumption of unification. In scenarios with different steps of symmetry breaking, in particular in models that involve gauge-Higgs unification, the connection of the ultraviolet theory and the TeV scale-relevant, effective Standard Model description is an important test of the models' validity. In this work, we consider a 6D gauge-Higgs unification GUT scenario and explore the TeV scale-GUT relation using a detailed RGE analysis in the 4D and 5D regimes of the theory, including constraints from LHC measurements. We show that such can be consistent with unification in the light of current constraints, while the Weinberg angle likely translates into concrete conditions on the fermion sector in the higher dimensional setup.
Submitted 5 June, 2020; v1 submitted 12 March, 2020;
originally announced March 2020.
-
Revealing Perceptible Backdoors, without the Training Set, via the Maximum Achievable Misclassification Fraction Statistic
Authors:
Zhen Xiang,
David J. Miller,
Hang Wang,
George Kesidis
Abstract:
Recently, a backdoor data poisoning attack was proposed, which adds mislabeled examples to the training set, with an embedded backdoor pattern, aiming to have the classifier learn to classify to a target class whenever the backdoor pattern is present in a test sample. Here, we address post-training detection of innocuous perceptible backdoors in DNN image classifiers, wherein the defender does not have access to the poisoned training set, but only to the trained classifier, as well as unpoisoned examples. This problem is challenging because without the poisoned training set, we have no hint about the actual backdoor pattern used during training. This post-training scenario is also of great import because in many practical contexts the DNN user did not train the DNN and does not have access to the training data. We identify two important properties of perceptible backdoor patterns - spatial invariance and robustness - based upon which we propose a novel detector using the maximum achievable misclassification fraction (MAMF) statistic. We detect whether the trained DNN has been backdoor-attacked and infer the source and target classes. Our detector outperforms other existing detectors and, coupled with an imperceptible backdoor detector, helps achieve post-training detection of all evasive backdoors.
Submitted 6 April, 2020; v1 submitted 18 November, 2019;
originally announced November 2019.
-
Phenomenology of GUT-inspired gauge-Higgs unification
Authors:
Christoph Englert,
David J. Miller,
Dumitru Dan Smaranda
Abstract:
We perform a detailed investigation of a Grand Unified Theory (GUT)-inspired theory of gauge-Higgs unification. Scanning the model's parameter space with adapted numerical techniques, we contrast the scenario's low energy limit with existing SM and collider search constraints. We discuss potential modifications of di-Higgs phenomenology at hadron colliders as sensitive probes of the gauge-like character of the Higgs self-interactions and find that for phenomenologically viable parameter choices modifications of the order of 20\% compared to the SM cross section can be expected. While these modifications are challenging to observe at the LHC, a future 100 TeV hadron collider might be able to constrain the scenario through more precise di-Higgs measurements. We point out alternative signatures that can be employed to constrain this model in the near future.
Submitted 3 February, 2020; v1 submitted 13 November, 2019;
originally announced November 2019.
-
Notes on Margin Training and Margin p-Values for Deep Neural Network Classifiers
Authors:
George Kesidis,
David J. Miller,
Zhen Xiang
Abstract:
We provide a new local class-purity theorem for Lipschitz continuous DNN classifiers. In addition, we discuss how to achieve classification margin for training samples. Finally, we describe how to compute margin p-values for test samples.
Submitted 5 December, 2019; v1 submitted 14 October, 2019;
originally announced October 2019.
-
The Multiple Point Principle and Extended Higgs Sectors
Authors:
John McDowall,
David J Miller
Abstract:
The Higgs boson quartic self-coupling in the Standard Model appears to become zero just below the Planck scale, with interesting implications to the stability of the Higgs vacuum at high energies. We review the Multiple Point Principle that suggests the quartic self-coupling should vanish exactly at the Planck scale. Although this vanishing is not consistent with the Standard Model, we investigate Higgs sectors extended with additional states to test whether one may satisfy the high scale boundary condition while maintaining the observed Higgs mass. We also test these scenarios to ensure the stability of the vacuum at all energies below the Planck scale and confront them with experimental results from the LHC and Dark Matter experiments.
Submitted 23 September, 2019;
originally announced September 2019.
-
Measurement Anomaly of Step Width in Calibration Grating using Atomic Force Microscopy
Authors:
Gun Ahn,
Yoon-Young Choi,
Dean J. Miller,
Hanwook Song,
Kwangsoo No,
Seungbum Hong
Abstract:
We imaged the topography of a silicon grating with atomic force microscopy (AFM) using different scan parameters to probe the effect of pixel pitch on resolution. We found variations in the measured step height and profile of the grating depending on scan parameters, with measured step width decreasing from 1300 to 108 nm and step height increasing from 172 to 184 nm when a pixel pitch in the scan axis decreased from 625 nm to 3.91 nm. In order to resolve the measurement anomaly of step width, we compared these values with step width and height of the same grating measured using scanning electron microscopy (SEM). The values obtained from SEM imaging were 187.3 nm +/- 6.2 nm and 116 nm +/- 10.4 nm, which were in good agreement with AFM data using a 3.91 nm of pixel pitch. We think that we need at least four pixels over the step width to avoid the measurement anomaly induced by the stick-slip or dragging of the tip. Our findings that RMS roughness varied less than 1 nm and converged at the value of 77.6 nm for any pixel pitch suggest that the RMS roughness is relatively insensitive to the pixel pitch.
Submitted 20 September, 2019;
originally announced September 2019.
-
Detection of Backdoors in Trained Classifiers Without Access to the Training Set
Authors:
Zhen Xiang,
David J. Miller,
George Kesidis
Abstract:
Recently, a special type of data poisoning (DP) attack targeting Deep Neural Network (DNN) classifiers, known as a backdoor, was proposed. These attacks do not seek to degrade classification accuracy, but rather to have the classifier learn to classify to a target class whenever the backdoor pattern is present in a test example. Launching backdoor attacks does not require knowledge of the classifier or its training process - it only needs the ability to poison the training set with (a sufficient number of) exemplars containing a sufficiently strong backdoor pattern (labeled with the target class). Here we address post-training detection of backdoor attacks in DNN image classifiers, seldom considered in existing works, wherein the defender does not have access to the poisoned training set, but only to the trained classifier itself, as well as to clean examples from the classification domain. This is an important scenario because a trained classifier may be the basis of e.g. a phone app that will be shared with many users. Detecting backdoors post-training may thus reveal a widespread attack. We propose a purely unsupervised anomaly detection (AD) defense against imperceptible backdoor attacks that: i) detects whether the trained DNN has been backdoor-attacked; ii) infers the source and target classes involved in a detected attack; iii) we even demonstrate it is possible to accurately estimate the backdoor pattern. We test our AD approach, in comparison with alternative defenses, for several backdoor patterns, data sets, and attack settings and demonstrate its favorability. Our defense essentially requires setting a single hyperparameter (the detection threshold), which can e.g. be chosen to fix the system's false positive rate.
Submitted 19 August, 2020; v1 submitted 27 August, 2019;
originally announced August 2019.
-
Non-volatile rewritable frequency tuning of a nanoelectromechanical resonator using photoinduced doping
Authors:
David J. Miller,
Andrew Blaikie,
Benjamin J. Aleman
Abstract:
Tuning the frequency of a resonant element is of vital importance in both the macroscopic world, such as when tuning a musical instrument, as well as at the nanoscale. In particular, precisely controlling the resonance frequency of isolated nanoelectromechanical resonators (NEMS) has enabled innovations such as tunable mechanical filtering and mixing as well as commercial technologies such as robust timing oscillators. Much like their electronic device counterparts, the potential of NEMS grows when they are built up into large-scale arrays. Such arrays have enabled neutral-particle mass spectroscopy and have been proposed for ultralow-power alternatives to traditional analog electronics as well as nanomechanical information technologies like memory, logic, and computing. A fundamental challenge to these applications is to precisely tune the vibrational frequency and coupling of all resonators in the array, since traditional tuning methods, like patterned electrostatic gating or dielectric tuning, become intractable when devices are densely packed. Here, we demonstrate a persistent, rewritable, scalable, and high-speed frequency tuning method for graphene-based NEMS. Our method uses a focused laser and two shared electrical contacts to photodope individual resonators by simultaneously applying optical and electrostatic fields. After the fields are removed, the trapped charge created by this process persists and applies a local electrostatic tension to the resonators, tuning their frequencies. By providing a facile means to locally address the strain of a NEMS resonator, this approach lays the groundwork for fully programmable large-scale NEMS lattices and networks.
Submitted 4 December, 2019; v1 submitted 20 August, 2019;
originally announced August 2019.
-
Proposal for the validation of Monte Carlo implementations of the standard model effective field theory
Authors:
Gauthier Durieux,
Ilaria Brivio,
Fabio Maltoni,
Michael Trott,
Simone Alioli,
Andy Buckley,
Mauro Chiesa,
Jorge de Blas,
Athanasios Dedes,
Céline Degrande,
Ansgar Denner,
Christoph Englert,
James Ferrando,
Benjamin Fuks,
Peter Galler,
Admir Greljo,
Valentin Hirschi,
Gino Isidori,
Wolfgang Kilian,
Frank Krauss,
Jean-Nicolas Lang,
Jonas Lindert,
Michelangelo Mangano,
David Marzocca,
Olivier Mattelaer, et al. (16 additional authors not shown)
Abstract:
We propose a procedure to cross-validate Monte Carlo implementations of the standard model effective field theory. It is based on the numerical comparison of squared amplitudes computed at specific phase-space and parameter points in pairs of implementations. Interactions are fully linearised in the effective field theory expansion. The squares of linear effective field theory amplitudes and their interference with standard-model contributions are compared separately. Such pairwise comparisons are primarily performed at tree level and a possible extension to the one-loop level is also briefly considered. We list the current standard model effective field theory implementations and the comparisons performed to date.
Submitted 28 June, 2019;
originally announced June 2019.
-
Adversarial Learning in Statistical Classification: A Comprehensive Review of Defenses Against Attacks
Authors:
David J. Miller,
Zhen Xiang,
George Kesidis
Abstract:
There is great potential for damage from adversarial learning (AL) attacks on machine-learning based systems. In this paper, we provide a contemporary survey of AL, focused particularly on defenses against attacks on statistical classifiers. After introducing relevant terminology and the goals and range of possible knowledge of both attackers and defenders, we survey recent work on test-time evasion (TTE), data poisoning (DP), and reverse engineering (RE) attacks and particularly defenses against same. In so doing, we distinguish robust classification from anomaly detection (AD), unsupervised from supervised, and statistical hypothesis-based defenses from ones that do not have an explicit null (no attack) hypothesis; we identify the hyperparameters a particular method requires, its computational complexity, as well as the performance measures on which it was evaluated and the obtained quality. We then dig deeper, providing novel insights that challenge conventional AL wisdom and that target unresolved issues, including: 1) robust classification versus AD as a defense strategy; 2) the belief that attack success increases with attack strength, which ignores susceptibility to AD; 3) small perturbations for test-time evasion attacks: a fallacy or a requirement?; 4) validity of the universal assumption that a TTE attacker knows the ground-truth class for the example to be attacked; 5) black, grey, or white box attacks as the standard for defense evaluation; 6) susceptibility of query-based RE to an AD defense. We also discuss attacks on the privacy of training data. We then present benchmark comparisons of several defenses against TTE, RE, and backdoor DP attacks on images. The paper concludes with a discussion of future work.
Submitted 2 December, 2019; v1 submitted 12 April, 2019;
originally announced April 2019.
-
Scherk-Schwarz orbifolds at the LHC
Authors:
Dumitru Dan Smaranda,
David J Miller
Abstract:
We examine orbifold theories of Grand Unification with Scherk-Schwarz twisting, performing a renormalisation group analysis and applying low energy experimental constraints. We rule out the minimal SU(5) models, and consider simple extensions including additional fields, such as an additional scalar field, or additional symmetries, such as $SU(5)\times U(1)$ or $E_6$. We find that it is very difficult to generate a large enough Higgs mass while simultaneously passing LHC experimental search constraints.
Submitted 8 October, 2019; v1 submitted 29 January, 2019;
originally announced January 2019.
-
Confronting Scherk-Schwarz orbifold models with LHC data
Authors:
Dumitru Dan Smaranda,
David J Miller
Abstract:
We will outline our recent efforts aimed at analysing a class of models known as orbifold GUTs and their phenomenology in a variety of minimal and non-minimal settings. We examine the minimal SU(5) models, rule them out, and proceed by extending them with an additional scalar field along with a gauge extension via SU(5)xU(1) models. We end up by commenting on the future improvements needed to more accurately handle exclusions along with tracing the U(1) gauge extensions to more complete 6D theories.
Submitted 23 January, 2019;
originally announced January 2019.
-
TopFitter: Fitting top-quark Wilson Coefficients to Run II data
Authors:
Stephen Brown,
Andy Buckley,
Christoph Englert,
James Ferrando,
Peter Galler,
David J Miller,
Liam Moore,
Michael Russell,
Chris White,
Neil Warrack
Abstract:
We describe the latest TopFitter analysis, which uses top quark observables to fit the Wilson Coefficients of the SM augmented with dimension-6 operators. In particular, we discuss the inclusion of new LHC Run II data and the implementation of particle-level observables.
Submitted 10 January, 2019;
originally announced January 2019.
-
When Not to Classify: Detection of Reverse Engineering Attacks on DNN Image Classifiers
Authors:
Yujia Wang,
David J. Miller,
George Kesidis
Abstract:
This paper addresses detection of a reverse engineering (RE) attack targeting a deep neural network (DNN) image classifier; by querying, RE's aim is to discover the classifier's decision rule. RE can enable test-time evasion attacks, which require knowledge of the classifier. Recently, we proposed a quite effective approach (ADA) to detect test-time evasion attacks. In this paper, we extend ADA to detect RE attacks (ADA-RE). We demonstrate our method is successful in detecting "stealthy" RE attacks before they learn enough to launch effective test-time evasion attacks.
Submitted 31 October, 2018;
originally announced November 2018.
-
A Mixture Model Based Defense for Data Poisoning Attacks Against Naive Bayes Spam Filters
Authors:
David J. Miller,
Xinyi Hu,
Zhen Xiang,
George Kesidis
Abstract:
Naive Bayes spam filters are highly susceptible to data poisoning attacks. Here, known spam sources/blacklisted IPs exploit the fact that their received emails will be treated as (ground truth) labeled spam examples, and used for classifier training (or re-training). The attacking source thus generates emails that will skew the spam model, potentially resulting in great degradation in classifier accuracy. Such attacks are successful mainly because of the poor representation power of the naive Bayes (NB) model, with only a single (component) density to represent spam (plus a possible attack). We propose a defense based on the use of a mixture of NB models. We demonstrate that the learned mixture almost completely isolates the attack in a second NB component, with the original spam component essentially unchanged by the attack. Our approach addresses both the scenario where the classifier is being re-trained in light of new data and, significantly, the more challenging scenario where the attack is embedded in the original spam training set. Even for weak attack strengths, BIC-based model order selection chooses a two-component solution, which invokes the mixture-based defense. Promising results are presented on the TREC 2005 spam corpus.
Submitted 31 October, 2018;
originally announced November 2018.
-
High Scale Boundary Conditions in Models with Two Higgs Doublets
Authors:
John McDowall,
David J Miller
Abstract:
We investigate high scale boundary conditions on the quartic Higgs-couplings and their $β$-functions in the Type-II Two Higgs Doublet Model and the Inert Doublet Model. These conditions are associated with two possible UV physics scenarios: the Multiple Point Principle, in which the potential exhibits a second minimum at $M_{Pl}$, and Asymptotic Safety, where the scalar couplings run towards an interacting UV fixed point at high scales. We employ renormalisation group running at two-loops and apply theoretical and experimental constraints to their parameter spaces. We find neither model can simultaneously accommodate the MPP whilst also providing realistic masses for both the Higgs and the top quark. However, we do find regions of parameter space compatible with Asymptotic Safety.
Submitted 19 June, 2019; v1 submitted 10 October, 2018;
originally announced October 2018.
-
High scale boundary conditions with an additional complex singlet
Authors:
John McDowall,
David J. Miller
Abstract:
We investigate Planck scale boundary conditions on Higgs quartic interactions and their $β$-functions in the SM augmented by an additional complex scalar. We use renormalisation group running at two-loops, and include both theoretical and experimental constraints. We find that the boundary condition $λ=β_λ=0$ at the Planck scale is compatible with the current Higgs and top mass measurements, but requires additional scalars lighter than about $600\,$GeV.
Submitted 21 June, 2018; v1 submitted 7 February, 2018;
originally announced February 2018.
-
When Not to Classify: Anomaly Detection of Attacks (ADA) on DNN Classifiers at Test Time
Authors:
David J. Miller,
Yulia Wang,
George Kesidis
Abstract:
A significant threat to the recent, wide deployment of machine learning-based systems, including deep neural networks (DNNs), is adversarial learning attacks. We analyze possible test-time evasion-attack mechanisms and show that, in some important cases, when the image has been attacked, correctly classifying it has no utility: i) when the image to be attacked is (even arbitrarily) selected from the attacker's cache; ii) when the sole recipient of the classifier's decision is the attacker. Moreover, in some application domains and scenarios it is highly actionable to detect the attack irrespective of correctly classifying in the face of it (with classification still performed if no attack is detected). We hypothesize that, even if human-imperceptible, adversarial perturbations are machine-detectable. We propose a purely unsupervised anomaly detector (AD) that, unlike previous works: i) models the joint density of a deep layer using highly suitable null hypothesis density models (matched in particular to the non-negative support for RELU layers); ii) exploits multiple DNN layers; iii) leverages a "source" and "destination" class concept, source class uncertainty, the class confusion matrix, and DNN weight information in constructing a novel decision statistic grounded in the Kullback-Leibler divergence. Tested on MNIST and CIFAR-10 image databases under three prominent attack strategies, our approach outperforms previous detection methods, achieving strong ROC AUC detection accuracy on two attacks and better accuracy than recently reported for a variety of methods on the strongest (CW) attack. We also evaluate a fully white box attack on our system. Finally, we evaluate other important performance measures, such as classification accuracy, versus detection rate and attack strength.
Submitted 27 June, 2018; v1 submitted 18 December, 2017;
originally announced December 2017.
-
Adversarial Learning: A Critical Review and Active Learning Study
Authors:
David J. Miller,
Xinyi Hu,
Zhicong Qiu,
George Kesidis
Abstract:
This paper consists of two parts. The first is a critical review of prior art on adversarial learning, identifying some significant limitations of previous works. The second part is an experimental study considering adversarial active learning and an investigation of the efficacy of a mixed sample selection strategy for combating an adversary who attempts to disrupt the classifier learning.
Submitted 27 May, 2017;
originally announced May 2017.
-
Results from TopFitter
Authors:
Andy Buckley,
Christoph Englert,
James Ferrando,
David J. Miller,
Liam Moore,
Karl Nordström,
Michael Russell,
Chris D. White
Abstract:
We discuss a global fit of top quark BSM couplings, phrased in the model-independent language of higher-dimensional effective operators, to the currently available data from the LHC and Tevatron. We examine the interplay between inclusive and differential measurements, and the complementarity of LHC and Tevatron results. We conclude with a discussion of projections for improvement over LHC Run II.
Submitted 28 December, 2016; v1 submitted 7 December, 2016;
originally announced December 2016.
-
A to Z of the Muon Anomalous Magnetic Moment in the MSSM with Pati-Salam at the GUT scale
Authors:
Alexander S. Belyaev,
José E. Camargo-Molina,
Steve F. King,
David J. Miller,
António P. Morais,
Patrick B. Schaefers
Abstract:
We analyse the low energy predictions of the minimal supersymmetric standard model (MSSM) arising from a GUT scale Pati-Salam gauge group further constrained by an $A_4 \times Z_5$ family symmetry, resulting in four soft scalar masses at the GUT scale: one left-handed soft mass $m_0$ and three right-handed soft masses $m_1,m_2,m_3$, one for each generation. We demonstrate that this model, which was initially developed to describe the neutrino sector, can explain collider and non-collider measurements such as the dark matter relic density, the Higgs boson mass and, in particular, the anomalous magnetic moment of the muon $(g-2)_μ$. Since about two decades, $(g-2)_μ$ suffers a puzzling about 3$\,σ$ excess of the experimentally measured value over the theoretical prediction, which our model is able to fully resolve. As the consequence of this resolution, our model predicts specific regions of the parameter space with the specific properties including light smuons and neutralinos, which could also potentially explain di-lepton excesses observed by CMS and ATLAS.
Submitted 28 June, 2016; v1 submitted 6 May, 2016;
originally announced May 2016.
-
Decoupling and tuning competing effects of different types of defects on flux creep in irradiated YBa$_{2}$Cu$_{3}$O$_{7-δ}$ coated conductors
Authors:
S. Eley,
M. Leroux,
M. W. Rupich,
D. J. Miller,
H. Sheng,
P. M. Niraula,
A. Kayani,
U. Welp,
W. -K. Kwok,
L. Civale
Abstract:
YBa$_{2}$Cu$_{3}$O$_{7-δ}$ coated conductors (CCs) have achieved high critical current densities ($\textit{J}_{c}$) that can be further increased through the introduction of additional defects using particle irradiation. However, these gains are accompanied by increases in the flux creep rate, a manifestation of competition between the different types of defects. Here, we study this competition to better understand how to design pinning landscapes that simultaneously increase $\textit{J}_{c}$ and reduce creep. CCs grown by metal organic deposition show non-monotonic changes in the temperature-dependent creep rate, $\textit{S}(\textit{T})$. Notably, in low fields, there is a conspicuous dip to low $\textit{S}$ as temperature ($\textit{T}$) increases from ~20 K to ~65 K. Oxygen-, proton-, and Au-irradiation substantially increase $\textit{S}$ in this temperature range. Focusing on an oxygen-irradiated CC, we investigate the contribution of different types of irradiation-induced defects to the flux creep rate. Specifically, we study $\textit{S}(\textit{T})$ as we tune the relative density of point defects to larger defects by annealing both an as-grown and an irradiated CC in O$_{2}$ at temperatures $\textit{T}_{A}$ = 250$°$C to 600$°$C. We observe a steady decrease in $\textit{S}$($\textit{T}$ > 20 K) with increasing $\textit{T}_{A}$, unveiling the role of pre-existing nanoparticle precipitates in creating the dip in $\textit{S}(\textit{T})$ and point defects and clusters in increasing $\textit{S}$ at intermediate temperatures.
Submitted 6 June, 2016; v1 submitted 13 February, 2016;
originally announced February 2016.
-
Integration of Oscillatory and Subanalytic Functions
Authors:
Raf Cluckers,
Georges Comte,
Daniel J. Miller,
Jean-Philippe Rolin,
Tamara Servi
Abstract:
We prove the stability under integration and under Fourier transform of a concrete class of functions containing all globally subanalytic functions and their complex exponentials. This paper extends the investigation started in [J.-M. Lion, J.-P. Rolin: "Volumes, feuilles de Rolle de feuilletages analytiques et théorème de Wilkie" Ann. Fac. Sci. Toulouse Math. (6) 7 (1998), no. 1, 93-112] and [R. Cluckers, D. J. Miller: "Stability under integration of sums of products of real globally subanalytic functions and their logarithms" Duke Math. J. 156 (2011), no. 2, 311-348] to an enriched framework including oscillatory functions. It provides a new example of fruitful interaction between analysis and singularity theory.
Submitted 11 December, 2017; v1 submitted 8 January, 2016;
originally announced January 2016.
-
ATD: Anomalous Topic Discovery in High Dimensional Discrete Data
Authors:
Hossein Soleimani,
David J. Miller
Abstract:
We propose an algorithm for detecting patterns exhibited by anomalous clusters in high dimensional discrete data. Unlike most anomaly detection (AD) methods, which detect individual anomalies, our proposed method detects groups (clusters) of anomalies; i.e. sets of points which collectively exhibit abnormal patterns. In many applications this can lead to better understanding of the nature of the atypical behavior and to identifying the sources of the anomalies. Moreover, we consider the case where the atypical patterns exhibit on only a small (salient) subset of the very high dimensional feature space. Individual AD techniques and techniques that detect anomalies using all the features typically fail to detect such anomalies, but our method can detect such instances collectively, discover the shared anomalous patterns exhibited by them, and identify the subsets of salient features. In this paper, we focus on detecting anomalous topics in a batch of text documents, developing our algorithm based on topic models. Results of our experiments show that our method can accurately detect anomalous topics and salient features (words) under each such topic in a synthetic data set and two real-world text corpora and achieves better performance compared to both standard group AD and individual AD techniques. All required code to reproduce our experiments is available from https://github.com/hsoleimani/ATD
Submitted 20 May, 2016; v1 submitted 20 December, 2015;
originally announced December 2015.
-
Constraining top quark effective theory in the LHC Run II era
Authors:
Andy Buckley,
Christoph Englert,
James Ferrando,
David J. Miller,
Liam Moore,
Michael Russell,
Chris D. White
Abstract:
We perform an up-to-date global fit of top quark effective theory to experimental data from the Tevatron, and from LHC Runs I and II. Experimental data includes total cross-sections up to 13 TeV, as well as differential distributions, for both single top and pair production. We also include the top quark width, charge asymmetries, and polarisation information from top decay products. We present bounds on the coefficients of dimension six operators, and examine the interplay between inclusive and differential measurements, and Tevatron / LHC data. All results are currently in good agreement with the Standard Model.
Submitted 4 July, 2018; v1 submitted 10 December, 2015;
originally announced December 2015.
-
Detecting Clusters of Anomalies on Low-Dimensional Feature Subsets with Application to Network Traffic Flow Data
Authors:
Zhicong Qiu,
David J. Miller,
George Kesidis
Abstract:
In a variety of applications, one desires to detect groups of anomalous data samples, with a group potentially manifesting its atypicality (relative to a reference model) on a low-dimensional subset of the full measured set of features. Samples may only be weakly atypical individually, whereas they may be strongly atypical when considered jointly. What makes this group anomaly detection problem quite challenging is that it is a priori unknown which subset of features jointly manifests a particular group of anomalies. Moreover, it is unknown how many anomalous groups are present in a given data batch. In this work, we develop a group anomaly detection (GAD) scheme to identify the subset of samples and subset of features that jointly specify an anomalous cluster. We apply our approach to network intrusion detection to detect BotNet and peer-to-peer flow clusters. Unlike previous studies, our approach captures and exploits statistical dependencies that may exist between the measured features. Experiments on real world network traffic data demonstrate the advantage of our proposed system, and highlight the importance of exploiting feature dependency structure, compared to the feature (or test) independence assumption made in previous studies.
Submitted 10 June, 2015;
originally announced November 2015.
-
Rapid Doubling of the Critical Current of YBa$_2$Cu$_3$O$_{7-δ}$ Coated Conductors for Viable High-Speed Industrial Processing
Authors:
Maxime Leroux,
Karen J. Kihlstrom,
Sigrid Holleis,
Martin W. Rupich,
Srivatsan Sathyamurthy,
Steven Fleshler,
Huaping Sheng,
Dean J. Miller,
Serena Eley,
Leonardo Civale,
Asghar Kayani,
Prashantamani M. Niraula,
Ulrich Welp,
Wai-Kwong Kwok
Abstract:
We demonstrate that 3.5-MeV oxygen irradiation can markedly enhance the in-field critical current of commercial 2nd generation superconducting tapes with an exposure time of just one second per 0.8 cm2. The speed demonstrated here is now at the level required for an industrial reel-to-reel post-processing. The irradiation is made on production line samples through the protective silver coating and does not require any modification of the growth process. From TEM imaging, we identify small clusters as the main source of increased vortex pinning.
Submitted 24 September, 2015;
originally announced September 2015.
-
Stabilization of highly polar BiFeO$_3$-like structure: a new interface design route for enhanced ferroelectricity in artificial perovskite superlattices
Authors:
Hongwei Wang,
Jianguo Wen,
Dean J. Miller,
Qibin Zhou,
Mohan Chen,
Ho Nyung Lee,
Karin M. Rabe,
Xifan Wu
Abstract:
In ABO3 perovskites, oxygen octahedron rotations are common structural distortions that can promote large ferroelectricity in BiFeO3 with an R3c structure [1], but suppress ferroelectricity in CaTiO3 with a Pbnm symmetry [2]. For many CaTiO3-like perovskites, the BiFeO3 structure is a metastable phase. Here, we report the stabilization of the highly-polar BiFeO3-like phase of CaTiO3 in a BaTiO3/CaTiO3 superlattice grown on a SrTiO3 substrate. The stabilization is realized by a reconstruction of oxygen octahedron rotations at the interface from the pattern of nonpolar bulk CaTiO3 to a different pattern that is characteristic of a BiFeO3 phase. The reconstruction is interpreted through a combination of amplitude-contrast sub 0.1nm high-resolution transmission electron microscopy and first-principles theories of the structure, energetics, and polarization of the superlattice and its constituents. We further predict a number of new artificial ferroelectric materials demonstrating that nonpolar perovskites can be turned into ferroelectrics via this interface mechanism. Therefore, a large number of perovskites with the CaTiO3 structure type, which include many magnetic representatives, are now good candidates as novel highly-polar multiferroic materials [3].
Submitted 15 February, 2016; v1 submitted 1 July, 2015;
originally announced July 2015.
-
A global fit of top quark effective theory to data
Authors:
Andy Buckley,
Christoph Englert,
James Ferrando,
David J. Miller,
Liam Moore,
Michael Russell,
Chris D. White
Abstract:
In this paper we present a global fit of beyond the Standard Model (BSM) dimension six operators relevant to the top quark sector to currently available data. Experimental measurements include parton-level top-pair and single top production from the LHC and the Tevatron. Higher order QCD corrections are modelled using differential and global K-factors, and we use novel fast-fitting techniques developed in the context of Monte Carlo event generator tuning to perform the fit. This allows us to provide new, fully correlated and model-independent bounds on new physics effects in the top sector from the most current direct hadron-collider measurements in light of the involved theoretical and experimental systematics. As a by-product, our analysis constitutes a proof-of-principle that fast fitting of theory to data is possible in the top quark sector, and paves the way for a more detailed analysis including top quark decays, detector corrections and precision observables.
Submitted 30 November, 2015; v1 submitted 29 June, 2015;
originally announced June 2015.
-
Next-to-leading order predictions for WW+jet production
Authors:
John M. Campbell,
David J. Miller,
Tania Robens
Abstract:
In this work we report on a next-to-leading order calculation of WW + jet production at hadron colliders, with subsequent leptonic decays of the W-bosons included. The calculation of the one-loop contributions is performed using generalized unitarity methods in order to derive analytic expressions for the relevant amplitudes. These amplitudes have been implemented in the parton-level Monte Carlo generator MCFM, which we use to provide a complete next-to-leading order calculation. Predictions for total cross-sections, as well as differential distributions for several key observables, are computed both for the LHC operating at 14 TeV as well as for a possible future 100 TeV proton-proton collider.
Submitted 4 August, 2015; v1 submitted 15 June, 2015;
originally announced June 2015.