-
It's Simplex! Disaggregating Measures to Improve Certified Robustness
Authors:
Andrew C. Cullen,
Paul Montague,
Shijie Liu,
Sarah M. Erfani,
Benjamin I. P. Rubinstein
Abstract:
Certified robustness circumvents the fragility of defences against adversarial attacks, by endowing model predictions with guarantees of class invariance for attacks up to a calculated size. While there is value in these certifications, the techniques through which we assess their performance do not present a proper accounting of their strengths and weaknesses, as their analysis has eschewed consideration of performance over individual samples in favour of aggregated measures. By considering the potential output space of certified models, this work presents two distinct approaches to improve the analysis of certification mechanisms, that allow for both dataset-independent and dataset-dependent measures of certification performance. Embracing such a perspective uncovers new certification approaches, which have the potential to more than double the achievable radius of certification, relative to current state-of-the-art. Empirical evaluation verifies that our new approach can certify $9\%$ more samples at noise scale $\sigma = 1$, with greater relative improvements observed as the difficulty of the predictive task increases.
Submitted 19 September, 2023;
originally announced September 2023.
-
Enhancing the Antidote: Improved Pointwise Certifications against Poisoning Attacks
Authors:
Shijie Liu,
Andrew C. Cullen,
Paul Montague,
Sarah M. Erfani,
Benjamin I. P. Rubinstein
Abstract:
Poisoning attacks can disproportionately influence model behaviour by making small changes to the training corpus. While defences against specific poisoning attacks do exist, they in general do not provide any guarantees, leaving them potentially countered by novel attacks. In contrast, by examining worst-case behaviours Certified Defences make it possible to provide guarantees of the robustness of a sample against adversarial attacks modifying a finite number of training samples, known as pointwise certification. We achieve this by exploiting both Differential Privacy and the Sampled Gaussian Mechanism to ensure the invariance of prediction for each testing instance against finite numbers of poisoned examples. In doing so, our model provides guarantees of adversarial robustness that are more than twice as large as those provided by prior certifications.
Submitted 18 March, 2024; v1 submitted 14 August, 2023;
originally announced August 2023.
-
Managing Write Access without Token Fees in Leaderless DAG-based Ledgers
Authors:
Darcy Camargo,
Luigi Vigneri,
Andrew Cullen
Abstract:
A significant portion of research on distributed ledgers has focused on circumventing the limitations of leader-based blockchains, mainly in terms of scalability, decentralization and power consumption. Leaderless architectures based on directed acyclic graphs (DAGs) avoid many of these limitations altogether, but their increased flexibility and performance come at the cost of increased design complexity, so their potential has remained largely unexplored. Management of write access to these ledgers presents a major challenge because ledger updates may be made in parallel, hence transactions cannot simply be serialised and prioritised according to token fees paid to validators. In this work, we propose an access control scheme for leaderless DAG-based ledgers which is based on consuming credits rather than paying fees in the base token. We outline a general model for this new approach and provide some simulation results showing promising performance boosts.
Submitted 17 July, 2023;
originally announced July 2023.
-
An attack resilient policy on the tip pool for DAG-based distributed ledgers
Authors:
Lianna Zhao,
Andrew Cullen,
Sebastian Müller,
Olivia Saa,
Robert Shorten
Abstract:
This paper discusses congestion control and inconsistency problems in DAG-based distributed ledgers and proposes an additional filter to mitigate these issues. Unlike traditional blockchains, DAG-based DLTs use a directed acyclic graph structure to organize transactions, allowing higher scalability and efficiency. However, this also introduces challenges in controlling the rate at which blocks are added to the network and preventing the influence of spam attacks. To address these challenges, we propose a filter to limit the tip pool size and to avoid referencing old blocks. Furthermore, we present experimental results to demonstrate the effectiveness of this filter in reducing the negative impacts of various attacks. Our approach offers a lightweight and efficient solution for managing the flow of blocks in DAG-based DLTs, which can enhance the consistency and reliability of these systems.
Submitted 10 May, 2023; v1 submitted 13 April, 2023;
originally announced April 2023.
-
Failure-tolerant Distributed Learning for Anomaly Detection in Wireless Networks
Authors:
Marc Katzef,
Andrew C. Cullen,
Tansu Alpcan,
Christopher Leckie,
Justin Kopacz
Abstract:
The analysis of distributed techniques is often focused upon their efficiency, without considering their robustness (or lack thereof). Such a consideration is particularly important when devices or central servers can fail, which can potentially cripple distributed systems. When such failures arise in wireless communications networks, important services that they use/provide (like anomaly detection) can be left inoperable and can result in a cascade of security problems. In this paper, we present a novel method to address these risks by combining both flat- and star-topologies, combining the performance and reliability benefits of both. We refer to this method as "Tol-FL", due to its increased failure-tolerance as compared to the technique of Federated Learning. Our approach limits device failure risks while outperforming prior methods by up to 8% in terms of anomaly detection AUROC in a range of realistic settings that consider client as well as server failure, all while reducing communication costs. This performance demonstrates that Tol-FL is a highly suitable method for distributed model training for anomaly detection, especially in the domain of wireless networks.
Submitted 22 March, 2023;
originally announced March 2023.
-
Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples
Authors:
Andrew C. Cullen,
Shijie Liu,
Paul Montague,
Sarah M. Erfani,
Benjamin I. P. Rubinstein
Abstract:
In guaranteeing the absence of adversarial examples in an instance's neighbourhood, certification mechanisms play an important role in demonstrating neural net robustness. In this paper, we ask whether these certifications can compromise the very models they help to protect. Our new \emph{Certification Aware Attack} exploits certifications to produce computationally efficient norm-minimising adversarial examples $74\%$ more often than comparable attacks, while reducing the median perturbation norm by more than $10\%$. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.
Submitted 11 June, 2024; v1 submitted 8 February, 2023;
originally announced February 2023.
-
Double Bubble, Toil and Trouble: Enhancing Certified Robustness through Transitivity
Authors:
Andrew C. Cullen,
Paul Montague,
Shijie Liu,
Sarah M. Erfani,
Benjamin I. P. Rubinstein
Abstract:
In response to subtle adversarial examples flipping classifications of neural network models, recent research has promoted certified robustness as a solution. There, invariance of predictions to all norm-bounded attacks is achieved through randomised smoothing of network inputs. Today's state-of-the-art certifications make optimal use of the class output scores at the input instance under test: no better radius of certification (under the $L_2$ norm) is possible given only these scores. However, it is an open question as to whether such lower bounds can be improved using local information around the instance under test. In this work, we demonstrate how today's "optimal" certificates can be improved by exploiting both the transitivity of certifications, and the geometry of the input space, giving rise to what we term Geometrically-Informed Certified Robustness. By considering the smallest distance to points on the boundary of a set of certifications, this approach improves certifications for more than $80\%$ of Tiny-Imagenet instances, yielding an average $5\%$ increase in the associated certification. When incorporating training time processes that enhance the certified radius, our technique shows even more promising results, with a uniform $4$ percentage point increase in the achieved certified radius.
Submitted 12 October, 2022;
originally announced October 2022.
-
Learning to Retrieve Relevant Experiences for Motion Planning
Authors:
Constantinos Chamzas,
Aedan Cullen,
Anshumali Shrivastava,
Lydia E. Kavraki
Abstract:
Recent work has demonstrated that motion planners' performance can be significantly improved by retrieving past experiences from a database. Typically, the experience database is queried for past similar problems using a similarity function defined over the motion planning problems. However, to date, most works rely on simple hand-crafted similarity functions and fail to generalize outside their corresponding training dataset. To address this limitation, we propose FIRE, a framework that extracts local representations of planning problems and learns a similarity function over them. To generate the training data we introduce a novel self-supervised method that identifies similar and dissimilar pairs of local primitives from past solution paths. With these pairs, a Siamese network is trained with the contrastive loss and the similarity function is realized in the network's latent space. We evaluate FIRE on an 8-DOF manipulator in five categories of motion planning problems with sensed environments. Our experiments show that FIRE retrieves relevant experiences which can informatively guide sampling-based planners even in problems outside its training distribution, outperforming other baselines.
Submitted 18 April, 2022;
originally announced April 2022.
-
Improving Quality of Service for Users of DAG-based Distributed Ledgers
Authors:
Andrew Cullen,
Lianna Zhao,
Luigi Vigneri,
Robert Shorten
Abstract:
An outstanding problem in the design of distributed ledgers concerns policies that govern the manner in which users interact with the network. Network usability is crucial to the mainstream adoption of distributed ledgers, particularly for enterprise applications in which most users do not wish to operate a full node. For DAG-based ledgers such as IOTA, we propose a user-node interaction mechanism that is designed to ensure the risk of a user experiencing a poor quality of service is low. Our mechanism involves users selecting nodes to issue their transactions to the ledger based on quality of service indicators advertised by the nodes. Simulation results are presented to illustrate the efficacy of the proposed policies.
Submitted 14 July, 2023; v1 submitted 22 March, 2022;
originally announced March 2022.
-
Adversarial Decisions on Complex Dynamical Systems using Game Theory
Authors:
Andrew C. Cullen,
Tansu Alpcan,
Alexander C. Kalloniatis
Abstract:
We apply computational Game Theory to a unification of physics-based models that represent decision-making across a number of agents within both cooperative and competitive processes. Here the competitors try to both positively influence their own returns, while negatively affecting those of their competitors. Modelling these interactions with the so-called Boyd-Kuramoto-Lanchester (BKL) complex dynamical system model yields results that can be applied to business, gaming and security contexts. This paper studies a class of decision problems on the BKL model, where a large set of coupled, switching dynamical systems are analysed using game-theoretic methods.
Due to their size, the computational cost of solving these BKL games becomes the dominant factor in the solution process. To resolve this, we introduce a novel Nash Dominant solver, which is both numerically efficient and exact. The performance of this new solution technique is compared to traditional exact solvers, which traverse the entire game tree, as well as to approximate solvers such as Myopic and Monte Carlo Tree Search (MCTS). These techniques are assessed, and used to gain insights into both nonlinear dynamical systems and strategic decision making in adversarial environments.
Submitted 28 January, 2022;
originally announced January 2022.
-
Secure Access Control for DAG-based Distributed Ledgers
Authors:
Lianna Zhao,
Luigi Vigneri,
Andrew Cullen,
William Sanders,
Pietro Ferraro,
Robert Shorten
Abstract:
Access control is a fundamental component of the design of distributed ledgers, influencing many aspects of their design, such as fairness, efficiency, traditional notions of network security, and adversarial attacks such as Denial-of-Service (DoS) attacks. In this work, we consider the security of a recently proposed access control protocol for Directed Acyclic Graph-based distributed ledgers. We present a number of attack scenarios and potential vulnerabilities of the protocol and introduce a number of additional features which enhance its resilience. Specifically, a blacklisting algorithm, which is based on a reputation-weighted threshold, is introduced to handle both spamming and multi-rate malicious attackers. A solidification request component is also introduced to ensure the fairness and consistency of the network in the presence of attacks. Finally, a timestamp component is also introduced to maintain the consistency of the network in the presence of multi-rate attackers. Simulations to illustrate the efficacy and robustness of the revised protocol are also described.
Submitted 20 July, 2021;
originally announced July 2021.
-
Reinforcement Learning with Algorithms from Probabilistic Structure Estimation
Authors:
Jonathan P. Epperlein,
Roman Overko,
Sergiy Zhuk,
Christopher King,
Djallel Bouneffouf,
Andrew Cullen,
Robert Shorten
Abstract:
Reinforcement learning (RL) algorithms aim to learn optimal decisions in unknown environments through experience of taking actions and observing the rewards gained. In some cases, the environment is not influenced by the actions of the RL agent, in which case the problem can be modeled as a contextual multi-armed bandit and lightweight myopic algorithms can be employed. On the other hand, when the RL agent's actions affect the environment, the problem must be modeled as a Markov decision process and more complex RL algorithms are required which take the future effects of actions into account. Moreover, in practice, it is often unknown from the outset whether or not the agent's actions will impact the environment and it is therefore not possible to determine which RL algorithm is most fitting. In this work, we propose to avoid this difficult decision entirely and incorporate a choice mechanism into our RL framework. Rather than assuming a specific problem structure, we use a probabilistic structure estimation procedure based on a likelihood-ratio (LR) test to make a more informed selection of learning algorithm. We derive a sufficient condition under which myopic policies are optimal, present an LR test for this condition, and derive a bound on the regret of our framework. We provide examples of real-world scenarios where our framework is needed and provide extensive simulations to validate our approach.
Submitted 1 June, 2022; v1 submitted 15 March, 2021;
originally announced March 2021.
-
Access Control for Distributed Ledgers in the Internet of Things: A Networking Approach
Authors:
Andrew Cullen,
Pietro Ferraro,
William Sanders,
Luigi Vigneri,
Robert Shorten
Abstract:
In the Internet of Things (IoT) domain, devices need a platform to transact seamlessly without a trusted intermediary. Although Distributed Ledger Technologies (DLTs) could provide such a platform, blockchains, such as Bitcoin, were not designed with IoT networks in mind, hence are often unsuitable for such applications: they offer poor transaction throughput and confirmation times, put stress on constrained computing and storage resources, and require high transaction fees. In this work, we consider a class of IoT-friendly DLTs based on directed acyclic graphs, rather than a blockchain, and with a reputation system in the place of Proof of Work (PoW). However, without PoW, implementation of these DLTs requires an access control algorithm to manage the rate at which nodes can add new transactions to the ledger. We model the access control problem and present an algorithm that is fair, efficient and secure. Our algorithm represents a new design paradigm for DLTs in which concepts from networking are applied to the DLT setting for the first time. For example, our algorithm uses distributed rate setting which is similar in nature to transmission control used in the Internet. However, our solution features novel adaptations to cope with the adversarial environment of DLTs in which no individual agent can be trusted. Our algorithm guarantees utilisation of resources, consistency, fairness, and resilience against attackers. All of this is achieved efficiently and with regard for the limitations of IoT devices. We perform extensive simulations to validate these claims.
Submitted 14 July, 2021; v1 submitted 15 May, 2020;
originally announced May 2020.
-
Spatial Positioning Token (SPToken) for Smart Mobility
Authors:
Roman Overko,
Rodrigo H. Ordonez-Hurtado,
Sergiy Zhuk,
Pietro Ferraro,
Andrew Cullen,
Robert Shorten
Abstract:
We introduce a permissioned distributed ledger technology (DLT) design for crowdsourced smart mobility applications. This architecture is based on a directed acyclic graph architecture (similar to the IOTA tangle) and uses both Proof-of-Work and Proof-of-Position mechanisms to provide protection against spam attacks and malevolent actors. In addition to enabling individuals to retain ownership of their data and to monetize it, the architecture is also suitable for distributed privacy-preserving machine learning algorithms, is lightweight, and can be implemented in simple internet-of-things (IoT) devices. To demonstrate its efficacy, we apply this framework to reinforcement learning settings where a third party is interested in acquiring information from agents. In particular, one may be interested in sampling an unknown vehicular traffic flow in a city, using a DLT-type architecture and without perturbing the density, with the idea of realizing a set of virtual tokens as surrogates of real vehicles to explore geographical areas of interest. These tokens, whose authenticated position determines write access to the ledger, are thus used to emulate the probing actions of commanded (real) vehicles on a given planned route by "jumping" from a passing-by vehicle to another to complete the planned trajectory. Consequently, the environment stays unaffected (i.e., the autonomy of participating vehicles is not influenced by the algorithm), regardless of the number of emitted tokens. The design of such a DLT architecture is presented, and numerical results from large-scale simulations are provided to validate the proposed approach.
Submitted 11 December, 2020; v1 submitted 16 May, 2019;
originally announced May 2019.
-
Distributed Ledger Technology for IoT: Parasite Chain Attacks
Authors:
Andrew Cullen,
Pietro Ferraro,
Christopher King,
Robert Shorten
Abstract:
Directed Acyclic Graph (DAG) based Distributed Ledgers can be useful in a number of applications in the IoT domain. A distributed ledger should serve as an immutable and irreversible record of transactions; however, a DAG structure is a more complicated mathematical object than its blockchain counterparts, and as a result, providing guarantees of immutability and irreversibility is more involved. In this paper, we analyse a commonly discussed attack scenario known as a parasite chain attack for the IOTA Foundation DAG based ledger. We analyse the efficacy of IOTA's core MCMC algorithm using a matrix model and present an extension which improves the ledger's resistance to these attacks.
Submitted 10 November, 2020; v1 submitted 21 March, 2019;
originally announced April 2019.