-
SOS! Soft Prompt Attack Against Open-Source Large Language Models
Authors:
Ziqing Yang,
Michael Backes,
Yang Zhang,
Ahmed Salem
Abstract:
Open-source large language models (LLMs) have become increasingly popular among both the general public and industry, as they can be customized, fine-tuned, and freely used. However, some open-source LLMs require approval before usage, which has led to third parties publishing their own easily accessible versions. Similarly, third parties have been publishing fine-tuned or quantized variants of these LLMs. These versions are particularly appealing to users because of their ease of access and reduced computational resource demands. This trend has increased the risk of training time attacks, compromising the integrity and security of LLMs. In this work, we present a new training time attack, SOS, which is designed to be low in computational demand and does not require clean data or modification of the model weights, thereby maintaining the model's utility intact. The attack addresses security issues in various scenarios, including the backdoor attack, jailbreak attack, and prompt stealing attack. Our experimental findings demonstrate that the proposed attack is effective across all evaluated targets. Furthermore, we present the other side of our SOS technique, namely the copyright token -- a novel technique that enables users to mark their copyrighted content and prevent models from using it.
Submitted 3 July, 2024;
originally announced July 2024.
-
Dataset and Lessons Learned from the 2024 SaTML LLM Capture-the-Flag Competition
Authors:
Edoardo Debenedetti,
Javier Rando,
Daniel Paleka,
Silaghi Fineas Florin,
Dragos Albastroiu,
Niv Cohen,
Yuval Lemberg,
Reshmi Ghosh,
Rui Wen,
Ahmed Salem,
Giovanni Cherubin,
Santiago Zanella-Beguelin,
Robin Schmid,
Victor Klemm,
Takahiro Miki,
Chenhao Li,
Stefan Kraft,
Mario Fritz,
Florian Tramèr,
Sahar Abdelnabi,
Lea Schönherr
Abstract:
Large language model systems face important security risks from maliciously crafted messages that aim to overwrite the system's original instructions or leak private data. To study this problem, we organized a capture-the-flag competition at IEEE SaTML 2024, where the flag is a secret string in the LLM system prompt. The competition was organized in two phases. In the first phase, teams developed defenses to prevent the model from leaking the secret. During the second phase, teams were challenged to extract the secrets hidden for defenses proposed by the other teams. This report summarizes the main insights from the competition. Notably, we found that all defenses were bypassed at least once, highlighting the difficulty of designing a successful defense and the necessity for additional research to protect LLM systems. To foster future research in this direction, we compiled a dataset with over 137k multi-turn attack chats and open-sourced the platform.
Submitted 12 June, 2024;
originally announced June 2024.
-
Are you still on track!? Catching LLM Task Drift with Activations
Authors:
Sahar Abdelnabi,
Aideen Fay,
Giovanni Cherubin,
Ahmed Salem,
Mario Fritz,
Andrew Paverd
Abstract:
Large Language Models (LLMs) are routinely used in retrieval-augmented applications to orchestrate tasks and process inputs from users and other sources. These inputs, even in a single LLM interaction, can come from a variety of sources, of varying trustworthiness and provenance. This opens the door to prompt injection attacks, where the LLM receives and acts upon instructions from supposedly data-only sources, thus deviating from the user's original instructions. We define this as task drift, and we propose to catch it by scanning and analyzing the LLM's activations. We compare the LLM's activations before and after processing the external input in order to detect whether this input caused instruction drift. We develop two probing methods and find that simply using a linear classifier can detect drift with near perfect ROC AUC on an out-of-distribution test set. We show that this approach generalizes surprisingly well to unseen task domains, such as prompt injections, jailbreaks, and malicious instructions, without being trained on any of these attacks. Our setup does not require any modification of the LLM (e.g., fine-tuning) or any text generation, thus maximizing deployability and cost efficiency and avoiding reliance on unreliable model output. To foster future research on activation-based task inspection, decoding, and interpretability, we will release our large-scale TaskTracker toolkit, comprising a dataset of over 500K instances, representations from 4 SoTA language models, and inspection tools.
Submitted 20 June, 2024; v1 submitted 2 June, 2024;
originally announced June 2024.
-
Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack
Authors:
Mark Russinovich,
Ahmed Salem,
Ronen Eldan
Abstract:
Large Language Models (LLMs) have risen significantly in popularity and are increasingly being adopted across multiple applications. These LLMs are heavily aligned to resist engaging in illegal or unethical topics as a means to avoid contributing to responsible AI harms. However, a recent line of attacks, known as "jailbreaks", seek to overcome this alignment. Intuitively, jailbreak attacks aim to narrow the gap between what the model can do and what it is willing to do. In this paper, we introduce a novel jailbreak attack called Crescendo. Unlike existing jailbreak methods, Crescendo is a multi-turn jailbreak that interacts with the model in a seemingly benign manner. It begins with a general prompt or question about the task at hand and then gradually escalates the dialogue by referencing the model's replies, progressively leading to a successful jailbreak. We evaluate Crescendo on various public systems, including ChatGPT, Gemini Pro, Gemini-Ultra, LlaMA-2 70b Chat, and Anthropic Chat. Our results demonstrate the strong efficacy of Crescendo, with it achieving high attack success rates across all evaluated models and tasks. Furthermore, we introduce Crescendomation, a tool that automates the Crescendo attack, and our evaluation showcases its effectiveness against state-of-the-art models.
Submitted 2 April, 2024;
originally announced April 2024.
-
User Clustering for STAR-RIS Assisted Full-Duplex NOMA Communication Systems
Authors:
Abdelhamid Salem,
Kai-Kit Wong,
Chan-Byoung Chae,
Yangyang Zhang
Abstract:
In contrast to conventional reconfigurable intelligent surface (RIS), simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has been proposed recently to enlarge the serving area from 180° to 360° coverage. This work considers the performance of a STAR-RIS aided full-duplex (FD) non-orthogonal multiple access (NOMA) communication system. The STAR-RIS is implemented at the cell-edge to assist the cell-edge users, while the cell-center users can communicate directly with a FD base station (BS). We first introduce new user clustering schemes for the downlink and uplink transmissions. Then, based on the proposed transmission schemes, closed-form expressions of the ergodic rates in the downlink and uplink modes are derived, taking into account the system impairments caused by the self-interference at the FD-BS and the imperfect successive interference cancellation (SIC). Moreover, an optimization problem to maximize the total sum-rate is formulated and solved by optimizing the amplitudes and the phase-shifts of the STAR-RIS elements and allocating the transmit power efficiently. The performance of the proposed user clustering schemes and the optimal STAR-RIS design are investigated through numerical results.
Submitted 31 December, 2023;
originally announced January 2024.
-
Maatphor: Automated Variant Analysis for Prompt Injection Attacks
Authors:
Ahmed Salem,
Andrew Paverd,
Boris Köpf
Abstract:
Prompt injection has emerged as a serious security threat to large language models (LLMs). At present, the current best-practice for defending against newly-discovered prompt injection techniques is to add additional guardrails to the system (e.g., by updating the system prompt or using classifiers on the input and/or output of the model). However, in the same way that variants of a piece of malware are created to evade anti-virus software, variants of a prompt injection can be created to evade the LLM's guardrails. Ideally, when a new prompt injection technique is discovered, candidate defenses should be tested not only against the successful prompt injection, but also against possible variants.
In this work, we present Maatphor, a tool to assist defenders in performing automated variant analysis of known prompt injection attacks. This involves solving two main challenges: (1) automatically generating variants of a given prompt according, and (2) automatically determining whether a variant was effective based only on the output of the model. This tool can also assist in generating datasets for jailbreak and prompt injection attacks, thus overcoming the scarcity of data in this domain.
We evaluate Maatphor on three different types of prompt injection tasks. Starting from an ineffective (0%) seed prompt, Maatphor consistently generates variants that are at least 60% effective within the first 40 iterations.
Submitted 12 December, 2023;
originally announced December 2023.
-
Rethinking Privacy in Machine Learning Pipelines from an Information Flow Control Perspective
Authors:
Lukas Wutschitz,
Boris Köpf,
Andrew Paverd,
Saravan Rajmohan,
Ahmed Salem,
Shruti Tople,
Santiago Zanella-Béguelin,
Menglin Xia,
Victor Rühle
Abstract:
Modern machine learning systems use models trained on ever-growing corpora. Typically, metadata such as ownership, access control, or licensing information is ignored during training. Instead, to mitigate privacy risks, we rely on generic techniques such as dataset sanitization and differentially private model training, with inherent privacy/utility trade-offs that hurt model performance. Moreover, these techniques have limitations in scenarios where sensitive information is shared across multiple participants and fine-grained access control is required. By ignoring metadata, we therefore miss an opportunity to better address security, privacy, and confidentiality challenges. In this paper, we take an information flow control perspective to describe machine learning systems, which allows us to leverage metadata such as access control policies and define clear-cut privacy and confidentiality guarantees with interpretable information flows. Under this perspective, we contrast two different approaches to achieve user-level non-interference: 1) fine-tuning per-user models, and 2) retrieval augmented models that access user-specific datasets at inference time. We compare these two approaches to a trivially non-interfering zero-shot baseline using a public model and to a baseline that fine-tunes this model on the whole corpus. We evaluate trained models on two datasets of scientific articles and demonstrate that retrieval augmented architectures deliver the best utility, scalability, and flexibility while satisfying strict non-interference guarantees.
Submitted 27 November, 2023;
originally announced November 2023.
-
Comprehensive Assessment of Toxicity in ChatGPT
Authors:
Boyang Zhang,
Xinyue Shen,
Wai Man Si,
Zeyang Sha,
Zeyuan Chen,
Ahmed Salem,
Yun Shen,
Michael Backes,
Yang Zhang
Abstract:
Moderating offensive, hateful, and toxic language has always been an important but challenging topic in the domain of safe use in NLP. The emerging large language models (LLMs), such as ChatGPT, can potentially further accentuate this threat. Previous works have discovered that ChatGPT can generate toxic responses using carefully crafted inputs. However, limited research has been done to systematically examine when ChatGPT generates toxic responses. In this paper, we comprehensively evaluate the toxicity in ChatGPT by utilizing instruction-tuning datasets that closely align with real-world scenarios. Our results show that ChatGPT's toxicity varies based on different properties and settings of the prompts, including tasks, domains, length, and languages. Notably, prompts in creative writing tasks can be 2x more likely than others to elicit toxic responses. Prompting in German and Portuguese can also double the response toxicity. Additionally, we discover that certain deliberately toxic prompts, designed in earlier studies, no longer yield harmful responses. We hope our discoveries can guide model developers to better regulate these AI systems and the users to avoid undesirable outputs.
Submitted 3 November, 2023;
originally announced November 2023.
-
Last One Standing: A Comparative Analysis of Security and Privacy of Soft Prompt Tuning, LoRA, and In-Context Learning
Authors:
Rui Wen,
Tianhao Wang,
Michael Backes,
Yang Zhang,
Ahmed Salem
Abstract:
Large Language Models (LLMs) are powerful tools for natural language processing, enabling novel applications and user experiences. However, to achieve optimal performance, LLMs often require adaptation with private data, which poses privacy and security challenges. Several techniques have been proposed to adapt LLMs with private data, such as Low-Rank Adaptation (LoRA), Soft Prompt Tuning (SPT), and In-Context Learning (ICL), but their comparative privacy and security properties have not been systematically investigated. In this work, we fill this gap by evaluating the robustness of LoRA, SPT, and ICL against three types of well-established attacks: membership inference, which exposes data leakage (privacy); backdoor, which injects malicious behavior (security); and model stealing, which can violate intellectual property (privacy and security). Our results show that there is no silver bullet for privacy and security in LLM adaptation and each technique has different strengths and weaknesses.
Submitted 17 October, 2023;
originally announced October 2023.
-
STAR-RIS Assisted Full-Duplex Communication Networks
Authors:
Abdelhamid Salem,
Kai-Kit Wong,
Chan-Byoung Chae,
Yangyang Zhang
Abstract:
Different from conventional reconfigurable intelligent surfaces (RIS), a recent innovation called simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has emerged, aimed at achieving complete 360-degree coverage in communication networks. Additionally, full-duplex (FD) technology is recognized as a potent approach for enhancing spectral efficiency by enabling simultaneous transmission and reception within the same time and frequency resources. In this study, we investigate the performance of a STAR-RIS-assisted FD communication system. The STAR-RIS is strategically placed at the cell-edge to facilitate communication for users located in this challenging region, while cell-center users can communicate directly with the FD base station (BS). We employ a non-orthogonal multiple access (NOMA) pairing scheme and account for system impairments, such as self-interference at the BS and imperfect successive interference cancellation (SIC). We derive closed-form expressions for the ergodic rates in both the up-link and down-link communications and extend our analysis to bidirectional communication between cell-center and cell-edge users. Furthermore, we formulate an optimization problem aimed at maximizing the ergodic sum-rate. This optimization involves adjusting the amplitudes and phase-shifts of the STAR-RIS elements and allocating total transmit power efficiently. To gain deeper insights into the achievable rates of STAR-RIS-aided FD systems, we explore the impact of various system parameters through numerical results.
Submitted 26 September, 2023;
originally announced September 2023.
-
Deconstructing Classifiers: Towards A Data Reconstruction Attack Against Text Classification Models
Authors:
Adel Elmahdy,
Ahmed Salem
Abstract:
Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLM, while classification models were assumed to be more secure. In this work, we propose a new targeted data reconstruction attack called the Mix And Match attack, which takes advantage of the fact that most classification models are based on LLM. The Mix And Match attack uses the base model of the target model to generate candidate tokens and then prunes them using the classification head. We extensively demonstrate the effectiveness of the attack using both random and organic canaries. This work highlights the importance of considering the privacy risks associated with data reconstruction attacks in classification models and offers insights into possible leakages.
Submitted 23 June, 2023;
originally announced June 2023.
-
Two-in-One: A Model Hijacking Attack Against Text Generation Models
Authors:
Wai Man Si,
Michael Backes,
Yang Zhang,
Ahmed Salem
Abstract:
Machine learning has progressed significantly in various applications ranging from face recognition to text generation. However, its success has been accompanied by different attacks. Recently, a new attack has been proposed which raises both accountability and parasitic computing risks, namely the model hijacking attack. Nevertheless, this attack has only focused on image classification tasks. In this work, we broaden the scope of this attack to include text generation and classification models, hence showing its broader applicability. More concretely, we propose a new model hijacking attack, Ditto, that can hijack different text classification tasks into multiple generation ones, e.g., language translation, text summarization, and language modeling. We use a range of text benchmark datasets such as SST-2, TweetEval, AGnews, QNLI, and IMDB to evaluate the performance of our attacks. Our results show that by using Ditto, an adversary can successfully hijack text generation models without jeopardizing their utility.
Submitted 12 May, 2023;
originally announced May 2023.
-
Analyzing Leakage of Personally Identifiable Information in Language Models
Authors:
Nils Lukas,
Ahmed Salem,
Robert Sim,
Shruti Tople,
Lukas Wutschitz,
Santiago Zanella-Béguelin
Abstract:
Language Models (LMs) have been shown to leak information about training data through sentence-level membership inference and reconstruction attacks. Understanding the risk of LMs leaking Personally Identifiable Information (PII) has received less attention, which can be attributed to the false assumption that dataset curation techniques such as scrubbing are sufficient to prevent PII leakage. Scrubbing techniques reduce but do not prevent the risk of PII leakage: in practice scrubbing is imperfect and must balance the trade-off between minimizing disclosure and preserving the utility of the dataset. On the other hand, it is unclear to which extent algorithmic defenses such as differential privacy, designed to guarantee sentence- or user-level privacy, prevent PII disclosure. In this work, we introduce rigorous game-based definitions for three types of PII leakage via black-box extraction, inference, and reconstruction attacks with only API access to an LM. We empirically evaluate the attacks against GPT-2 models fine-tuned with and without defenses in three domains: case law, health care, and e-mails. Our main contributions are (i) novel attacks that can extract up to 10× more PII sequences than existing attacks, (ii) showing that sentence-level differential privacy reduces the risk of PII disclosure but still leaks about 3% of PII sequences, and (iii) a subtle connection between record-level membership inference and PII reconstruction. Code to reproduce all experiments in the paper is available at https://github.com/microsoft/analysing_pii_leakage.
Submitted 23 April, 2023; v1 submitted 1 February, 2023;
originally announced February 2023.
-
Multi-limb Split Learning for Tumor Classification on Vertically Distributed Data
Authors:
Omar S. Ads,
Mayar M. Alfares,
Mohammed A. -M. Salem
Abstract:
Brain tumors are one of the life-threatening forms of cancer. Previous studies have classified brain tumors using deep neural networks. In this paper, we perform the latter task using a collaborative deep learning technique, more specifically split learning. Split learning allows collaborative learning via neural networks splitting into two (or more) parts, a client-side network and a server-side network. The client-side is trained to a certain layer called the cut layer. Then, the rest of the training is resumed on the server-side network. Vertical distribution, a method for distributing data among organizations, was implemented where several hospitals hold different attributes of information for the same set of patients. To the best of our knowledge, this paper will be the first paper to implement both split learning and vertical distribution for brain tumor classification. Using both techniques, we were able to achieve train and test accuracy greater than 90% and 70%, respectively.
Submitted 26 January, 2023;
originally announced January 2023.
-
Ultrafast two-colour X-ray emission spectroscopy reveals excited state landscape in a base metal dyad
Authors:
Michal Nowakowski,
Marina Huber-Gedert,
Hossam Elgabarty,
Jacek Kubicki,
Ahmet Kertem,
Natalia Lindner,
Dmitry Khakhulin,
Frederico Alves Lima,
Tae-Kyu Choi,
Mykola Biednov,
Natalia Piergies,
Peter Zalden,
Katerina Kubicek,
Angel Rodriguez-Fernandez,
Mohammad Alaraby Salem,
Thomas Kühne,
Wojciech Gawelda,
Matthias Bauer
Abstract:
Effective photoinduced charge transfer makes molecular bimetallic assemblies attractive for applications as active light-induced proton reduction systems. For a more sustainable future, development of competitive base metal dyads is mandatory. However, the electron transfer mechanisms from the photosensitizer to the proton reduction catalyst in base metal dyads remain so far unexplored. We study a Fe-Co dyad that exhibits photocatalytic H2 production activity using femtosecond X-ray emission spectroscopy, complemented by ultrafast optical spectroscopy and theoretical time-dependent DFT calculations, to understand the electronic and structural dynamics after photoexcitation and during the subsequent charge transfer process from the Fe(II) photosensitizer to the cobaloxime catalyst. Using this novel approach, the simultaneous measurement of the transient Kα X-ray emission at the iron and cobalt K-edges in a two-colour experiment is enabled, making it possible to correlate the excited state dynamics to the electron transfer processes. The methodology, therefore, provides clear and direct spectroscopic evidence of the Fe→Co electron transfer responsible for the proton reduction activity.
Submitted 11 January, 2023;
originally announced January 2023.
-
Impact of Phase-Shift Error on the Secrecy Performance of Uplink RIS Communication Systems
Authors:
Abdelhamid Salem,
Kai-Kit Wong,
Chan-Byoung Chae
Abstract:
Reconfigurable intelligent surface (RIS) has been recognized as a promising technique for the sixth generation (6G) of mobile communication networks. The key feature of RIS is to reconfigure the propagation environment via smart signal reflections. In addition, active RIS schemes have been recently proposed to overcome the deep path loss attenuation inherent in RIS-aided communication systems. Accordingly, this paper considers the secrecy performance of up-link RIS-aided multi-user multiple-input single-output (MU-MISO) communication systems, in the presence of multiple passive eavesdroppers. In contrast to the existing works, we investigate the impact of the RIS phase shift errors on the secrecy performance. Taking into account the complex environment, where a general Rician channel model is adopted for all the communication links, closed-form approximate expressions for the ergodic secrecy rate are derived for three RIS configurations, namely, i) passive RIS, ii) active RIS, iii) active RIS with energy harvesting (EH RIS). Then, based on the derived expressions, we optimize the phase shifts at the RIS to enhance the system performance. In addition, the best RIS configuration selection is considered for a given target secrecy rate and amount of power available at the users. Finally, Monte-Carlo simulations are provided to verify the accuracy of the analysis, and the impact of different system parameters on the secrecy performance is investigated. The results in this paper show that an active RIS scheme can be implemented to enhance the secrecy performance of RIS-aided communication systems with phase shift errors, especially when the users have limited transmission power.
Submitted 31 December, 2022;
originally announced January 2023.
-
Rethinking Dense Cells for Integrated Sensing and Communications: A Stochastic Geometric View
Authors:
Abdelhamid Salem,
Kaitao Meng,
Christos Masouros,
Fan Liu,
David López-Pérez
Abstract:
The inclusion of the sensing functionality in the coming generations of cellular networks necessitates a rethink of dense cell deployments. In this paper, we analyze and optimize dense cell topologies for dual-functional radar-communication (DFRC) cellular networks. With the aid of tools from stochastic geometry, we derive new analytical expressions of the potential area spectral efficiencies in (bit/sec/m2) of radar and communication systems. Based on the new formulations of the potential area spectral efficiencies, the energy efficiency (bit/Joule) of DFRC systems is provided in a closed-form formula. Then, an optimization problem to obtain the optimal base station (BS) density that maximizes the network-level energy efficiency is formulated and investigated. In this regard, the mathematical expression of the energy efficiency is shown to be a uni-modal and pseudo-concave function in the density of the BSs. Therefore, the optimal density of the BSs that maximizes the energy efficiency can be obtained. Our analytical and numerical results demonstrate that the inclusion of the sensing functionality clearly differentiates the optimal BS topologies for the DFRC systems against classical communication-only systems.
Submitted 26 August, 2023; v1 submitted 25 December, 2022;
originally announced December 2022.
-
SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning
Authors:
Ahmed Salem,
Giovanni Cherubin,
David Evans,
Boris Köpf,
Andrew Paverd,
Anshuman Suri,
Shruti Tople,
Santiago Zanella-Béguelin
Abstract:
Deploying machine learning models in production may allow adversaries to infer sensitive information about training data. There is a vast literature analyzing different types of inference risks, ranging from membership inference to reconstruction attacks. Inspired by the success of games (i.e., probabilistic experiments) to study security properties in cryptography, some authors describe privacy inference risks in machine learning using a similar game-based style. However, adversary capabilities and goals are often stated in subtly different ways from one presentation to the other, which makes it hard to relate and compose results. In this paper, we present a game-based framework to systematize the body of knowledge on privacy inference risks in machine learning. We use this framework to (1) provide a unifying structure for definitions of inference risks, (2) formally establish known relations among definitions, and (3) to uncover hitherto unknown relations that would have been difficult to spot otherwise.
Submitted 20 April, 2023; v1 submitted 21 December, 2022;
originally announced December 2022.
-
Variation-based Cause Effect Identification
Authors:
Mohamed Amine ben Salem,
Karim Said Barsim,
Bin Yang
Abstract:
Mining genuine mechanisms underlying the complex data generation process in real-world systems is a fundamental step in promoting interpretability of, and thus trust in, data-driven models. Therefore, we propose a variation-based cause effect identification (VCEI) framework for causal discovery in bivariate systems from a single observational setting. Our framework relies on the principle of independence of cause and mechanism (ICM) under the assumption of an existing acyclic causal link, and offers a practical realization of this principle. Principally, we artificially construct two settings in which the marginal distributions of one covariate, claimed to be the cause, are guaranteed to have non-negligible variations. This is achieved by re-weighting samples of the marginal so that the resultant distribution is notably distinct from this marginal according to some discrepancy measure. In the causal direction, such variations are expected to have no impact on the effect generation mechanism. Therefore, quantifying the impact of these variations on the conditionals reveals the genuine causal direction. Moreover, we formulate our approach in the kernel-based maximum mean discrepancy, lifting all constraints on the data types of cause-and-effect covariates, and rendering such artificial interventions a convex optimization problem. We provide a series of experiments on real and synthetic data showing that VCEI is, in principle, competitive to other cause effect identification frameworks.
Submitted 22 November, 2022;
originally announced November 2022.
-
Quantitative Assessment of Drought Impacts Using XGBoost based on the Drought Impact Reporter
Authors:
Beichen Zhang,
Fatima K. Abu Salem,
Michael J. Hayes,
Tsegaye Tadesse
Abstract:
Under climate change, the increasing frequency, intensity, and spatial extent of drought events lead to higher socio-economic costs. However, the relationships between the hydro-meteorological indicators and drought impacts are not identified well yet because of the complexity and data scarcity. In this paper, we proposed a framework based on the extreme gradient model (XGBoost) for Texas to predict multi-category drought impacts and connected a typical drought indicator, Standardized Precipitation Index (SPI), to the text-based impacts from the Drought Impact Reporter (DIR). The preliminary results of this study showed an outstanding performance of the well-trained models to assess drought impacts on agriculture, fire, society & public health, plants & wildlife, as well as relief, response & restrictions in Texas. It also provided a possibility to appraise drought impacts using hydro-meteorological indicators with the proposed framework in the United States, which could help drought risk management by giving additional information and improving the updating frequency of drought impacts. Our interpretation results using the Shapley additive explanation (SHAP) interpretability technique revealed that the rules guiding the predictions of XGBoost comply with domain expertise knowledge around the role that SPI indicators play around drought impacts.
Submitted 4 November, 2022;
originally announced November 2022.
-
NOMA Made Practical: Removing the Receive SIC Processing through Interference Exploitation
Authors:
Abdelhamid Salem,
Xiao Tong,
Ang Li,
Christos Masouros
Abstract:
Non-orthogonal multiple access (NOMA) is a powerful transmission technique that enhances the spectral efficiency of communication links, and is being investigated for 5G standards and beyond. A major drawback of NOMA is the need to apply successive interference cancellation (SIC) at the receiver on a symbol-by-symbol basis, which limits its practicality. To circumvent this, in this paper a novel constructive multiple access (CoMA) scheme is proposed and investigated. CoMA aligns the superimposed signals to the different users constructively with the signal of interest. Since the superimposed signal aligns with the data signal, there is no need to remove it at the receiver using SIC. Accordingly, the SIC component can be removed at the receiver side. In this regard, and in order to provide a comprehensive investigation and comparison, different optimization problems for user-pairing NOMA multiple-input single-output (MISO) systems are considered. Firstly, an optimal precoder that minimizes the total transmission power for CoMA subject to a quality-of-service constraint is obtained and compared to conventional NOMA. Then, a precoder that minimizes the CoMA symbol error rate (SER) subject to a power constraint is investigated. Further, the computational complexity of CoMA is considered and compared with the conventional NOMA scheme in terms of the total number of complex operations. The results in this paper prove the superiority of the proposed CoMA scheme over the conventional NOMA technique, and demonstrate that CoMA is an attractive solution for user-pairing NOMA MISO systems with a low number of BS antennas, while circumventing the receive SIC complexity.
Submitted 15 October, 2022;
originally announced October 2022.
-
UnGANable: Defending Against GAN-based Face Manipulation
Authors:
Zheng Li,
Ning Yu,
Ahmed Salem,
Michael Backes,
Mario Fritz,
Yang Zhang
Abstract:
Deepfakes pose severe threats of visual misinformation to our society. One representative deepfake application is face manipulation that modifies a victim's facial attributes in an image, e.g., changing her age or hair color. The state-of-the-art face manipulation techniques rely on Generative Adversarial Networks (GANs). In this paper, we propose the first defense system, namely UnGANable, against GAN-inversion-based face manipulation. Specifically, UnGANable focuses on defending against GAN inversion, an essential step for face manipulation. Its core technique is to search for alternative images (called cloaked images) around the original images (called target images) in image space. When posted online, these cloaked images can jeopardize the GAN inversion process. We consider two state-of-the-art inversion techniques, optimization-based inversion and hybrid inversion, and design five different defenses under five scenarios depending on the defender's background knowledge. Extensive experiments on four popular GAN models trained on two benchmark face datasets show that UnGANable achieves remarkable effectiveness and utility performance, and outperforms multiple baseline methods. We further investigate four adaptive adversaries to bypass UnGANable and show that some of them are slightly effective.
Submitted 3 October, 2022;
originally announced October 2022.
-
Bayesian Estimation of Differential Privacy
Authors:
Santiago Zanella-Béguelin,
Lukas Wutschitz,
Shruti Tople,
Ahmed Salem,
Victor Rühle,
Andrew Paverd,
Mohammad Naseri,
Boris Köpf,
Daniel Jones
Abstract:
Algorithms such as Differentially Private SGD enable training machine learning models with formal privacy guarantees. However, there is a discrepancy between the protection that such algorithms guarantee in theory and the protection they afford in practice. An emerging strand of work empirically estimates the protection afforded by differentially private training as a confidence interval for the privacy budget $\varepsilon$ spent on training a model. Existing approaches derive confidence intervals for $\varepsilon$ from confidence intervals for the false positive and false negative rates of membership inference attacks. Unfortunately, obtaining narrow high-confidence intervals for $\varepsilon$ using this method requires an impractically large sample size and training as many models as samples. We propose a novel Bayesian method that greatly reduces sample size, and adapt and validate a heuristic to draw more than one sample per trained model. Our Bayesian method exploits the hypothesis testing interpretation of differential privacy to obtain a posterior for $\varepsilon$ (not just a confidence interval) from the joint posterior of the false positive and false negative rates of membership inference attacks. For the same sample size and confidence, we derive confidence intervals for $\varepsilon$ around 40% narrower than prior work. The heuristic, which we adapt from label-only DP, can be used to further reduce the number of trained models needed to get enough samples by up to 2 orders of magnitude.
Submitted 15 June, 2022; v1 submitted 10 June, 2022;
originally announced June 2022.
-
Improving VANET's Performance by Incorporated Fog-Cloud Layer (FCL)
Authors:
Ghassan Samara,
Mohammed Rasmi,
Nael A Sweerky,
Essam Al Daoud,
Amer Abu Salem
Abstract:
Because of its usefulness in various fields, including safety applications, traffic control applications, and entertainment applications, VANET is an essential topic that is now being investigated intensively. VANET confronts numerous challenges in terms of reaction time, storage capacity, and reliability, particularly in real-time applications. As a result, merging fog computing and cloud computing has recently been researched. The goal of this study is to develop a system that merges the fog and cloud layers into a single layer, known as the incorporated fog-cloud layer, to lower the time it takes for real-time applications on VANETs to respond, while also improving data flow management over the Internet and achieving an efficient perception service while avoiding the high cost of cloud connectivity.
Submitted 30 March, 2022;
originally announced April 2022.
-
Get a Model! Model Hijacking Attack Against Machine Learning Models
Authors:
Ahmed Salem,
Michael Backes,
Yang Zhang
Abstract:
Machine learning (ML) has established itself as a cornerstone for various critical applications ranging from autonomous driving to authentication systems. However, with this increasing adoption rate of machine learning models, multiple attacks have emerged. One class of such attacks is the training time attack, whereby an adversary executes their attack before or during the machine learning model training. In this work, we propose a new training time attack against computer vision based machine learning models, namely the model hijacking attack. The adversary aims to hijack a target model to execute a different task than its original one without the model owner noticing. Model hijacking can cause accountability and security risks since a hijacked model owner can be framed for having their model offering illegal or unethical services. Model hijacking attacks are launched in the same way as existing data poisoning attacks. However, one requirement of the model hijacking attack is to be stealthy, i.e., the data samples used to hijack the target model should look similar to the model's original training dataset. To this end, we propose two different model hijacking attacks, namely Chameleon and Adverse Chameleon, based on a novel encoder-decoder style ML model, namely the Camouflager. Our evaluation shows that both of our model hijacking attacks achieve a high attack success rate, with a negligible drop in model utility.
Submitted 8 November, 2021;
originally announced November 2021.
-
Explicit CSI Feedback Compression via Learned Approximate Message Passing
Authors:
Benedikt Groß,
Rana Ahmed Salem,
Thorsten Wild,
Gerhard Wunder
Abstract:
Explicit channel state information at the transmitter side is helpful to improve downlink precoding performance for multi-user MIMO systems. In order to reduce feedback signalling overhead, compression of Channel State Information (CSI) is essential. In this work, different low-complexity compressed sensing algorithms are compared in the context of an explicit CSI feedback scheme for 5G new radio. A neural network approach, based on learned approximate message passing, for the computation of row-sparse solutions to matrix-valued compressed sensing problems is introduced. Due to extensive weight sharing, it shares the low memory footprint and fast evaluation of the forward pass with few iterations of a first-order iterative algorithm. Furthermore, it can be trained on purely synthetic data prior to deployment. Its performance in the explicit CSI feedback application is evaluated, and its key benefits in terms of computational complexity savings are discussed.
Submitted 12 October, 2021;
originally announced October 2021.
-
A DoE-based approach for the implementation of structural surrogate models in the early stage design of box-wing aircraft
Authors:
Vittorio Cipolla,
Vincenzo Binante,
Karim Abu Salem,
Giuseppe Palaia,
Davide Zanetti
Abstract:
One of the possible ways to face the challenge of reducing the environmental impact of aviation, without limiting the growth of air transport, is the introduction of more efficient, radically different aircraft architectures. Among these, the box-wing one represents a promising solution, at least in the case of its application to short-to-medium haul aircraft, which, according to the achievements of the H2020 project "PARSIFAL", would bring a 20% reduction in terms of emitted CO2 per passenger-kilometre. The present paper faces the problem of estimating the structural mass of such a disruptive configuration in the early stages of the design, underlining the limitations of the approaches available in the literature for this purpose and proposing a DoE-based approach to define surrogate models suitable for it. A test case from the project "PARSIFAL" is used for the first conception of the approach, starting from the Finite Element Model parametrization, then followed by the construction of a database of FEM results, hence introducing the regression models and implementing them in an optimization framework. The results achieved are investigated in order to validate both the wing sizing and the optimization procedure. Finally, an additional test case, resulting from the application of the box-wing layout to the regional aircraft category within the Italian research project "PROSIB", is briefly presented to further assess the capabilities of the proposed approach.
Submitted 20 July, 2021; v1 submitted 15 July, 2021;
originally announced July 2021.
-
ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models
Authors:
Yugeng Liu,
Rui Wen,
Xinlei He,
Ahmed Salem,
Zhikun Zhang,
Michael Backes,
Emiliano De Cristofaro,
Mario Fritz,
Yang Zhang
Abstract:
Inference attacks against Machine Learning (ML) models allow adversaries to learn sensitive information about training data, model parameters, etc. While researchers have studied, in depth, several kinds of attacks, they have done so in isolation. As a result, we lack a comprehensive picture of the risks caused by the attacks, e.g., the different scenarios they can be applied to, the common factors that influence their performance, the relationship among them, or the effectiveness of possible defenses. In this paper, we fill this gap by presenting a first-of-its-kind holistic risk assessment of different inference attacks against machine learning models. We concentrate on four attacks -- namely, membership inference, model inversion, attribute inference, and model stealing -- and establish a threat model taxonomy.
Our extensive experimental evaluation, run on five model architectures and four image datasets, shows that the complexity of the training dataset plays an important role with respect to the attack's performance, while the effectiveness of model stealing and membership inference attacks are negatively correlated. We also show that defenses like DP-SGD and Knowledge Distillation can only mitigate some of the inference attacks. Our analysis relies on a modular re-usable software, ML-Doctor, which enables ML model owners to assess the risks of deploying their models, and equally serves as a benchmark tool for researchers and practitioners.
Submitted 6 October, 2021; v1 submitted 4 February, 2021;
originally announced February 2021.
-
Don't Trigger Me! A Triggerless Backdoor Attack Against Deep Neural Networks
Authors:
Ahmed Salem,
Michael Backes,
Yang Zhang
Abstract:
The backdoor attack against deep neural networks is currently being profoundly investigated due to its severe security consequences. Current state-of-the-art backdoor attacks require the adversary to modify the input, usually by adding a trigger to it, for the target model to activate the backdoor. This added trigger not only increases the difficulty of launching the backdoor attack in the physical world, but can also be easily detected by multiple defense mechanisms. In this paper, we present the first triggerless backdoor attack against deep neural networks, where the adversary does not need to modify the input for triggering the backdoor. Our attack is based on the dropout technique. Concretely, we associate a set of target neurons that are dropped out during model training with the target label. In the prediction phase, the model will output the target label when the target neurons are dropped again, i.e., the backdoor attack is launched. This triggerless feature of our attack makes it practical in the physical world. Extensive experiments show that our triggerless backdoor attack achieves a perfect attack success rate with negligible damage to the model's utility.
Submitted 7 October, 2020;
originally announced October 2020.
-
BAAAN: Backdoor Attacks Against Autoencoder and GAN-Based Machine Learning Models
Authors:
Ahmed Salem,
Yannick Sautter,
Michael Backes,
Mathias Humbert,
Yang Zhang
Abstract:
The tremendous progress of autoencoders and generative adversarial networks (GANs) has led to their application to multiple critical tasks, such as fraud detection and sanitized data generation. This increasing adoption has fostered the study of security and privacy risks stemming from these models. However, previous works have mainly focused on membership inference attacks. In this work, we explore one of the most severe attacks against machine learning models, namely the backdoor attack, against both autoencoders and GANs. The backdoor attack is a training time attack where the adversary implements a hidden backdoor in the target model that can only be activated by a secret trigger. State-of-the-art backdoor attacks focus on classification-based tasks. We extend the applicability of backdoor attacks to autoencoders and GAN-based models. More concretely, we propose the first backdoor attack against autoencoders and GANs where the adversary can control what the decoded or generated images are when the backdoor is activated. Our results show that the adversary can build a backdoored autoencoder that returns a target output for all backdoored inputs, while behaving perfectly normal on clean inputs. Similarly, for the GANs, our experiments show that the adversary can generate data from a different distribution when the backdoor is activated, while maintaining the same utility when the backdoor is not.
Submitted 8 October, 2020; v1 submitted 6 October, 2020;
originally announced October 2020.
-
Maat: Automatically Analyzing VirusTotal for Accurate Labeling and Effective Malware Detection
Authors:
Aleieldin Salem,
Sebastian Banescu,
Alexander Pretschner
Abstract:
The malware analysis and detection research community relies on the online platform VirusTotal to label Android apps based on the scan results of around 60 antiviral scanners. Unfortunately, there are no standards on how to best interpret the scan results acquired from VirusTotal, which leads to the utilization of different threshold-based labeling strategies (e.g., if ten or more scanners deem an app malicious, it is considered malicious). While some of the utilized thresholds may be able to accurately approximate the ground truths of apps, the fact that VirusTotal changes the set and versions of the scanners it uses makes such thresholds unsustainable over time. We implemented a method, Maat, that tackles these issues of standardization and sustainability by automatically generating a Machine Learning (ML)-based labeling scheme, which outperforms threshold-based labeling strategies. Using the VirusTotal scan reports of 53K Android apps that span one year, we evaluated the applicability of Maat's ML-based labeling strategies by comparing their performance against threshold-based strategies. We found that such ML-based strategies (a) can accurately and consistently label apps based on their VirusTotal scan reports, and (b) contribute to training ML-based detection methods that are more effective at classifying out-of-sample apps than their threshold-based counterparts.
Submitted 1 July, 2020;
originally announced July 2020.
-
Towards Accurate Labeling of Android Apps for Reliable Malware Detection
Authors:
Aleieldin Salem
Abstract:
In training their newly-developed malware detection methods, researchers rely on threshold-based labeling strategies that interpret the scan reports provided by online platforms, such as VirusTotal. The dynamicity of this platform renders those labeling strategies unsustainable over prolonged periods, which leads to inaccurate labels. Using inaccurately labeled apps to train and evaluate malware detection methods significantly undermines the reliability of their results, leading to either dismissing otherwise promising detection approaches or adopting intrinsically inadequate ones. The infeasibility of generating accurate labels via manual analysis and the lack of reliable alternatives force researchers to utilize VirusTotal to label apps. In this paper, we tackle this issue in two manners. Firstly, we reveal the aspects of VirusTotal's dynamicity and how they impact threshold-based labeling strategies, and provide actionable insights on how to reliably use these labeling strategies given VirusTotal's dynamicity. Secondly, we motivate the implementation of alternative platforms by (a) identifying VirusTotal limitations that such platforms should avoid, and (b) proposing an architecture of how such platforms can be constructed to mitigate VirusTotal's limitations.
Submitted 1 July, 2020;
originally announced July 2020.
-
High-Level Penetration of Renewable Energy with Grid: Challenges and Opportunities
Authors:
Md Shafiul Alam,
Fahad Saleh Al-Ismail,
M. A. Abido,
Aboubakr Salem
Abstract:
The utilization of renewable energy sources (RESs) has become significant throughout the world, especially over the last two decades. Although high-level RES penetration reduces negative environmental impact compared to conventional fossil fuel based energy generation, control issues become more complex, and the total inertia of the system is significantly decreased due to the removal of conventional synchronous generators. Some other technical issues, such as high uncertainties, low fault ride-through capability, high fault current, low generation reserve, and low power quality, arise due to RES integration. Renewable energy sources like solar and wind are highly uncertain due to the intermittent nature of wind and sunlight. Cutting-edge technologies, including different control strategies, optimization techniques, energy storage devices, and fault current limiters, are employed to handle those issues. This paper summarizes several challenges in the integration process of high-level RESs into the existing grid. The respective solutions to each challenge are also discussed. A comprehensive list of challenges and opportunities, for both wind and solar energy integration cases, is well documented. Also, future recommendations are provided to solve the several problems of renewable integration, which could be key research areas for industry personnel and researchers.
Submitted 8 June, 2020;
originally announced June 2020.
-
BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements
Authors:
Xiaoyi Chen,
Ahmed Salem,
Dingfan Chen,
Michael Backes,
Shiqing Ma,
Qingni Shen,
Zhonghai Wu,
Yang Zhang
Abstract:
Deep neural networks (DNNs) have progressed rapidly during the past decade and have been deployed in various real-world applications. Meanwhile, DNN models have been shown to be vulnerable to security and privacy attacks. One such attack that has attracted a great deal of attention recently is the backdoor attack. Specifically, the adversary poisons the target model's training set to mislead any input with an added secret trigger to a target class.
Previous backdoor attacks predominantly focus on computer vision (CV) applications, such as image classification. In this paper, we perform a systematic investigation of backdoor attacks on NLP models, and propose BadNL, a general NLP backdoor attack framework including novel attack methods. Specifically, we propose three methods to construct triggers, namely BadChar, BadWord, and BadSentence, including basic and semantic-preserving variants. Our attacks achieve an almost perfect attack success rate with a negligible effect on the original model's utility. For instance, using BadChar, our backdoor attack achieves a 98.9% attack success rate while yielding a utility improvement of 1.5% on the SST-5 dataset when poisoning only 3% of the original set. Moreover, we conduct a user study to prove that our triggers preserve the semantics well from a human perspective.
Submitted 4 October, 2021; v1 submitted 1 June, 2020;
originally announced June 2020.
-
Dynamic Backdoor Attacks Against Machine Learning Models
Authors:
Ahmed Salem,
Rui Wen,
Michael Backes,
Shiqing Ma,
Yang Zhang
Abstract:
Machine learning (ML) has made tremendous progress during the past decade and is being adopted in various critical real-world applications. However, recent research has shown that ML models are vulnerable to multiple security and privacy attacks. In particular, backdoor attacks against ML models have recently raised a lot of awareness. A successful backdoor attack can cause severe consequences, such as allowing an adversary to bypass critical authentication systems.
Current backdooring techniques rely on adding static triggers (with fixed patterns and locations) to ML model inputs, which are prone to detection by current backdoor detection mechanisms. In this paper, we propose the first class of dynamic backdooring techniques against deep neural networks (DNNs), namely Random Backdoor, Backdoor Generating Network (BaN), and conditional Backdoor Generating Network (c-BaN). Triggers generated by our techniques can have random patterns and locations, which reduce the efficacy of current backdoor detection mechanisms. In particular, BaN and c-BaN, based on a novel generative network, are the first two schemes that algorithmically generate triggers. Moreover, c-BaN is the first conditional backdooring technique that, given a target label, can generate a target-specific trigger. Both BaN and c-BaN are essentially general frameworks that give the adversary the flexibility to further customize backdoor attacks.
We extensively evaluate our techniques on three benchmark datasets: MNIST, CelebA, and CIFAR-10. Our techniques achieve almost perfect attack performance on backdoored data with a negligible utility loss. We further show that our techniques can bypass current state-of-the-art defense mechanisms against backdoor attacks, including ABS, Februus, MNTD, Neural Cleanse, and STRIP.
Submitted 3 March, 2022; v1 submitted 7 March, 2020;
originally announced March 2020.
-
Error Probability Analysis and Power Allocation for Interference Exploitation Over Rayleigh Fading Channels
Authors:
Abdelhamid Salem,
Christos Masouros
Abstract:
This paper considers the performance analysis of the constructive interference (CI) precoding technique in multi-user multiple-input multiple-output (MU-MIMO) systems with a finite constellation phase-shift keying (PSK) input alphabet. Firstly, analytical expressions for the moment generating function (MGF) and the average of the received signal-to-noise ratio (SNR) are derived. Then, based on the derived MGF expression, the average symbol error probability (SEP) for the CI precoder with PSK signaling is calculated. In this regard, new exact expressions and very accurate asymptotic approximations for the average SEP are provided. Building on the new performance analysis, different power allocation schemes are considered to enhance the achieved SEP. In the first scheme, power allocation based on minimizing the sum of symbol error probabilities (Min-Sum) is studied, while in the second scheme power allocation based on minimizing the maximum SEP (Min-Max) is investigated. Furthermore, new analytical expressions for the throughput and power efficiency of CI precoding in MU-MIMO systems are also derived. The numerical results in this work demonstrate that CI precoding outperforms the conventional interference suppression precoding techniques, with up to a 20 dB gain in transmit SNR in terms of SEP and up to a 15 dB gain in transmit SNR in terms of throughput. In addition, the SEP-based power allocation schemes provide additional gains of up to 13 dB in transmit SNR compared to the conventional equal power allocation scheme.
Submitted 7 October, 2019;
originally announced October 2019.
-
MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples
Authors:
Jinyuan Jia,
Ahmed Salem,
Michael Backes,
Yang Zhang,
Neil Zhenqiang Gong
Abstract:
In a membership inference attack, an attacker aims to infer whether a data sample is in a target classifier's training dataset or not. Specifically, given black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as input and predicts the data sample to be a member or non-member of the target classifier's training dataset. Membership inference attacks pose severe privacy and security threats to the training dataset. Most existing defenses leverage differential privacy when training the target classifier or regularize the training process of the target classifier. These defenses suffer from two key limitations: 1) they do not have formal utility-loss guarantees for the confidence score vectors, and 2) they achieve suboptimal privacy-utility tradeoffs.
In this work, we propose MemGuard, the first defense with formal utility-loss guarantees against black-box membership inference attacks. Instead of tampering with the training process of the target classifier, MemGuard adds noise to each confidence score vector predicted by the target classifier. Our key observation is that the attacker uses a classifier to predict member or non-member, and that classifier is vulnerable to adversarial examples. Based on this observation, we propose to add a carefully crafted noise vector to a confidence score vector to turn it into an adversarial example that misleads the attacker's classifier. Our experimental results on three datasets show that MemGuard can effectively defend against membership inference attacks and achieve better privacy-utility tradeoffs than existing defenses. Our work is the first to show that adversarial examples can be used as a defensive mechanism against membership inference attacks.
Submitted 18 December, 2019; v1 submitted 23 September, 2019;
originally announced September 2019.
-
Rate Splitting with Finite Constellations: The Benefits of Interference Exploitation vs Suppression
Authors:
Abdelhamid Salem,
Christos Masouros,
Bruno Clerckx
Abstract:
Rate-Splitting (RS) has been proposed recently to enhance the performance of multi-user multiple-input multiple-output (MU-MIMO) systems. In RS, a user message is split into a common and a private part, where the common part is decoded by all users, while the private part is decoded only by the intended user. In this paper, we study RS under a phase-shift keying (PSK) input alphabet for multi-user multi-antenna systems and propose a constructive interference (CI) exploitation approach to further enhance the sum-rate achieved by RS under PSK signaling. To that end, new analytical expressions for the ergodic sum-rate are derived for two precoding techniques for the private messages, namely 1) a traditional interference suppression zero-forcing (ZF) precoding approach, and 2) a closed-form CI precoding approach. Our analysis is presented for perfect channel state information at the transmitter (CSIT) and is extended to imperfect CSIT knowledge. A novel power allocation strategy, specifically suited to the finite alphabet setup, is derived and shown to lead to superior performance for RS over conventional linear precoding not relying on RS (NoRS). The results in this work validate the significant sum-rate gain of RS with CI over conventional RS with ZF and over NoRS.
Submitted 19 July, 2019;
originally announced July 2019.
-
QoS Categories Activeness-Aware Adaptive EDCA Algorithm for Dense IoT Networks
Authors:
Mohammed A. Salem,
Ibrahim F. Tarrad,
Mohamed I. Youssef,
Sherine M. Abd El-Kader
Abstract:
IEEE 802.11 networks have a great role to play in supporting and deploying the Internet of Things (IoT). The realization of IoT depends on the ability of the network to handle a massive number of stations and transmissions, and to support Quality of Service (QoS). IEEE 802.11 networks enable QoS by applying Enhanced Distributed Channel Access (EDCA) with static parameters, regardless of the existing network capacity or which Access Category (AC) of QoS is already active. Our objective in this paper is to improve the efficiency of uplink access in 802.11 networks; therefore, we propose an algorithm called the QoS Categories Activeness-Aware Adaptive EDCA Algorithm (QCAAAE), which adapts the Contention Window (CW) size and Arbitration Inter-Frame Space Number (AIFSN) values depending on the number of associated Stations (STAs) and considering the presence of each AC. For different traffic scenarios, the simulation results confirm the superior performance of the proposed algorithm in terms of throughput (increased on average by 23%) and retransmission attempt rate (decreased on average by 47%), while maintaining acceptable delay for delay-sensitive services.
Submitted 7 June, 2019;
originally announced June 2019.
-
Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning
Authors:
Ahmed Salem,
Apratim Bhattacharya,
Michael Backes,
Mario Fritz,
Yang Zhang
Abstract:
Machine learning (ML) has progressed rapidly during the past decade, and the major factor that drives such development is the availability of unprecedented large-scale data. As data generation is a continuous process, ML model owners update their models frequently with newly collected data in an online learning scenario. In consequence, if an ML model is queried with the same set of data samples at two different points in time, it will provide different results.
In this paper, we investigate whether the change in the output of a black-box ML model before and after being updated can leak information about the dataset used to perform the update, namely the updating set. This constitutes a new attack surface against black-box ML models, and such information leakage may compromise the intellectual property and data privacy of the ML model owner. We propose four attacks following an encoder-decoder formulation, which allows inferring diverse information about the updating set. Our new attacks are facilitated by state-of-the-art deep learning techniques. In particular, we propose a hybrid generative model (CBM-GAN) that is based on generative adversarial networks (GANs) but includes a reconstructive loss that allows reconstructing accurate samples. Our experiments show that the proposed attacks achieve strong performance.
Submitted 30 November, 2019; v1 submitted 1 April, 2019;
originally announced April 2019.
-
Don't Pick the Cherry: An Evaluation Methodology for Android Malware Detection Methods
Authors:
Aleieldin Salem,
Sebastian Banescu,
Alexander Pretschner
Abstract:
In evaluating detection methods, the malware research community relies on scan results obtained from online platforms such as VirusTotal. Nevertheless, given the lack of standards on how to interpret the obtained data to label apps, researchers hinge on their intuitions and adopt different labeling schemes. The dynamicity of VirusTotal's results, along with the adoption of different labeling schemes, significantly affects the accuracies achieved by any given detection method even on the same dataset, which gives subjective views of the method's performance and hinders the comparison of different malware detection techniques.
In this paper, we demonstrate the effect of varying (1) time, (2) labeling schemes, and (3) attack scenarios on the performance of an ensemble of Android repackaged malware detection methods, called dejavu, using over 30,000 real-world Android apps. Our results vividly show the impact of varying the aforementioned 3 dimensions on dejavu's performance. With such results, we encourage the adoption of a standard methodology that takes into account those 3 dimensions in evaluating newly-devised methods to detect Android (repackaged) malware.
Submitted 25 March, 2019;
originally announced March 2019.
-
Ergodic Capacity Under Power Adaption Over Fisher-Snedecor F Fading Channels
Authors:
Hui Zhao,
Liang Yang,
Ahmed S. Salem,
Mohamed-Slim Alouini
Abstract:
In this letter, we consider a communication scenario where the transmitter adopts different power adaption methods according to the instantaneous channel state to enhance the ergodic capacity (EC) over Fisher-Snedecor F fading channels. We derive closed-form expressions for the EC under different power adaption methods, as well as the corresponding asymptotic EC formulas, to gain some insights into the high signal-to-noise ratio region. In the numerical results section, we compare the performance of different adaptive power transmission strategies and demonstrate the accuracy of our derived expressions.
Submitted 7 February, 2019;
originally announced February 2019.
-
Sum Rate and Fairness Analysis for the MU-MIMO Downlink under PSK Signalling: Interference Suppression vs Exploitation
Authors:
Abdelhamid Salem,
Christos Masouros,
Kai-Kit Wong
Abstract:
In this paper, we analyze the sum rate performance of multi-user multiple-input multiple-output (MU-MIMO) systems with a finite constellation phase-shift keying (PSK) input alphabet. We analytically calculate and compare the achievable sum rate in three downlink transmission scenarios: 1) without precoding, 2) with zero forcing (ZF) precoding, and 3) with the closed-form constructive interference (CI) precoding technique. In light of this, new analytical expressions for the average sum rate are derived in the three cases, and Monte Carlo simulations are provided throughout to validate the analysis. Furthermore, based on the derived expressions, a power allocation scheme that can ensure fairness among the users is also proposed. The results in this work demonstrate that CI strictly outperforms the other two schemes, and that the performance gap between the considered schemes increases with the MIMO size. In addition, CI provides higher fairness, and the power allocation algorithm proposed in this paper can achieve the maximum fairness index.
Submitted 6 December, 2018;
originally announced December 2018.
-
Stimulation and Detection of Android Repackaged Malware with Active Learning
Authors:
Aleieldin Salem
Abstract:
Repackaging is a technique that has been increasingly adopted by authors of Android malware. The main problem facing the research community working on devising techniques to detect this breed of malware is the lack of ground truth that pinpoints the malicious segments grafted within benign apps. Without this crucial knowledge, it is difficult to train reliable classifiers able to effectively classify novel, out-of-sample repackaged malware. To circumvent this problem, we argue that reliable classifiers can be trained to detect repackaged malware, if they are allowed to request new, more accurate representations of an app's behavior. This learning technique is referred to as active learning.
In this paper, we propose the usage of active learning to train classifiers able to cope with the ambiguous nature of repackaged malware. We implemented an architecture, Aion, that connects the processes of stimulating and detecting repackaged malware using a feedback loop that realizes active learning. Our evaluation of a sample implementation of Aion using two malware datasets (Malgenome and Piggybacking) shows that active learning can outperform conventional detection techniques and, hence, has great potential to detect Android repackaged malware.
Submitted 3 August, 2018;
originally announced August 2018.
-
MLCapsule: Guarded Offline Deployment of Machine Learning as a Service
Authors:
Lucjan Hanzlik,
Yang Zhang,
Kathrin Grosse,
Ahmed Salem,
Max Augustin,
Michael Backes,
Mario Fritz
Abstract:
With the widespread use of machine learning (ML) techniques, ML as a service has become increasingly popular. In this setting, an ML model resides on a server and users can query it with their data via an API. However, if the user's input is sensitive, sending it to the server is undesirable and sometimes even legally not possible. Equally, the service provider does not want to share the model by sending it to the client, in order to protect its intellectual property and pay-per-query business model.
In this paper, we propose MLCapsule, a guarded offline deployment of machine learning as a service. MLCapsule executes the model locally on the user's side, and therefore the data never leaves the client. Meanwhile, MLCapsule offers the service provider the same level of control and security over its model as the commonly used server-side execution. In addition, MLCapsule is applicable to offline applications that require local execution. Beyond protecting against direct model access, we couple the secure offline deployment with defenses against advanced attacks on machine learning models such as model stealing, reverse engineering, and membership inference.
Submitted 6 February, 2019; v1 submitted 1 August, 2018;
originally announced August 2018.
-
ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models
Authors:
Ahmed Salem,
Yang Zhang,
Mathias Humbert,
Pascal Berrang,
Mario Fritz,
Michael Backes
Abstract:
Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications.
However, the early demonstrations of the feasibility of such attacks make many assumptions about the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets, which show the viability of the proposed attacks across domains.
In addition, we propose the first effective defense mechanisms against this broader class of membership inference attacks that maintain a high level of utility of the ML model.
Submitted 14 December, 2018; v1 submitted 4 June, 2018;
originally announced June 2018.
-
Microwave Vortex Beam Launcher Design
Authors:
N. Pelin M. H. Salem,
Edip Niver,
Mohamed A. Salem
Abstract:
A novel design for a vectorial vortex beam launcher in the microwave regime is devised. The beam is formed by launching a single guided transverse electric (TE) mode of a metallic circular waveguide into free space. Excitation is achieved by means of an inserted coaxial loop antenna. Modal expansion coefficients are computed, and the resulting electric and magnetic fields are determined. The effect of the antenna location inside the waveguide on its effective input impedance is modelled using transmission-line relations, and the location for optimal matching is established. The analytical results are confirmed using multi-level fast multipole method full-wave simulations.
Submitted 15 August, 2018; v1 submitted 18 February, 2018;
originally announced March 2018.
-
Performance Analysis of Dynamic Source Routing Protocol
Authors:
Amer O. Abu Salem,
Ghassan Samara,
Tareq Alhmiedat
Abstract:
Dynamic Source Routing (DSR) is an efficient on-demand routing protocol for mobile ad-hoc networks (MANETs). It depends on two main procedures: Route Discovery and Route Maintenance. Route Discovery is the procedure used at the source of the packets to discover a route to the destination. Route Maintenance is the procedure that discovers link failures and repairs them. Route caching is a sub-procedure that serves to avoid the need for discovering a route, or to reduce route discovery delay, before every data packet is sent. The goal of this paper is to evaluate the performance of DSR. Different performance metrics are investigated, including delivery ratio, end-to-end delay, and throughput, depending on different cache sizes and different speeds. All of this serves as a study toward developing a new caching strategy as future work.
Submitted 13 December, 2017;
originally announced December 2017.
-
Cache-oblivious Matrix Multiplication for Exact Factorisation
Authors:
Fatima K. Abu Salem,
Mira Al Arab
Abstract:
We present a cache-oblivious adaptation of matrix multiplication to be incorporated in the parallel TU decomposition for rectangular matrices over finite fields, based on the Morton-hybrid space-filling curve representation. To realise this, we introduce the concepts of alignment and containment of sub-matrices under the Morton-hybrid layout. We redesign the decompositions within the recursive matrix multiplication to force the base case to avoid all jumps in address space, at the expense of extra recursive matrix multiplication (MM) calls. We show that the resulting cache-oblivious adaptation has low span, and our experiments demonstrate that its sequential evaluation order yields an orders-of-magnitude improvement in run-time, despite the recursion overhead.
Submitted 11 May, 2017;
originally announced May 2017.
-
Solution de l'Hypothèse de Riemann
Authors:
Abdelmajid Ben Hadj Salem
Abstract:
In 1859, Riemann announced the following conjecture: the nontrivial roots (zeros) $s=α+iβ$ of the zeta function, defined by: $$ζ(s) =\displaystyle \sum_{n=1}^{+\infty}\frac{1}{n^s},\,\mbox{for}\quad \Re(s)>1$$ have real part $α= \displaystyle \frac{1}{2}$. We give a proof that $α= \displaystyle \frac{1}{2}$ using an equivalent statement of the Riemann Hypothesis.
Submitted 31 October, 2017; v1 submitted 15 March, 2017;
originally announced March 2017.