-
Robustness Bounds on the Successful Adversarial Examples: Theory and Practice
Authors:
Hiroaki Maeshima,
Akira Otsuka
Abstract:
Adversarial example (AE) is an attack method for machine learning, which is crafted by adding imperceptible perturbation to the data inducing misclassification. In the current paper, we investigated the upper bound of the probability of successful AEs based on the Gaussian Process (GP) classification. We proved a new upper bound that depends on AE's perturbation norm, the kernel function used in GP, and the distance of the closest pair with different labels in the training dataset. Surprisingly, the upper bound is determined regardless of the distribution of the sample dataset. We showed that our theoretical result was confirmed through the experiment using ImageNet. In addition, we showed that changing the parameters of the kernel function induces a change of the upper bound of the probability of successful AEs.
Submitted 4 March, 2024;
originally announced March 2024.
-
Compiler Provenance Recovery for Multi-CPU Architectures Using a Centrifuge Mechanism
Authors:
Yuhei Otsubo,
Akira Otsuka,
Mamoru Mimura
Abstract:
Bit-stream recognition (BSR) has many applications, such as forensic investigations, detection of copyright infringement, and malware analysis. We propose the first BSR that takes a bare input bit-stream and outputs a class label without any preprocessing. To achieve our goal, we propose a centrifuge mechanism, where the upstream layers (sub-net) capture global features and tell the downstream layers (main-net) to switch the focus, even if a part of the input bit-stream has the same value. We applied the centrifuge mechanism to compiler provenance recovery, a type of BSR, and achieved excellent classification. Additionally, downstream transfer learning (DTL), one of the learning methods we propose for the centrifuge mechanism, pre-trains the main-net using the sub-net's ground truth instead of the sub-net's output. We found that sub-predictions made by DTL tend to be highly accurate when the sub-label classification contributes to the essence of the main prediction.
Submitted 23 November, 2022; v1 submitted 21 November, 2022;
originally announced November 2022.
-
Evaluation of vulnerability reproducibility in container-based Cyber Range
Authors:
Ryotaro Nakata,
Akira Otsuka
Abstract:
A cyber range, a practical and highly educational information security exercise system, is difficult to implement in educational institutions because of the high cost of implementing and maintaining it. Therefore, there is a need for a cyber range that can be adopted and maintained at a low cost. Recently, container-type virtualization is gaining attention as it can create a high-speed and high-density exercise environment. However, existing research has not clearly shown the advantages of container virtualization for building exercise environments, and it is not clear whether sufficient vulnerabilities are reproducible, which is required to conduct incident scenarios in a cyber range. In this paper, we compare container virtualization with existing virtualization types and confirm that the amount of memory, CPU, and storage consumption can be reduced to less than 1/10 of the conventional virtualization methods. We also compare and verify the reproducibility of the vulnerabilities used in common exercise scenarios and confirm that 99.3% of the vulnerabilities are reproducible. The container-based cyber range can be used as a new standard to replace existing methods.
Submitted 5 November, 2020; v1 submitted 29 October, 2020;
originally announced October 2020.
-
Length-controllable Abstractive Summarization by Guiding with Summary Prototype
Authors:
Itsumi Saito,
Kyosuke Nishida,
Kosuke Nishida,
Atsushi Otsuka,
Hisako Asano,
Junji Tomita,
Hiroyuki Shindo,
Yuji Matsumoto
Abstract:
We propose a new length-controllable abstractive summarization model. Recent state-of-the-art abstractive summarization models based on encoder-decoder models generate only one summary per source text. However, controllable summarization, especially of the length, is an important aspect for practical applications. Previous studies on length-controllable abstractive summarization incorporate length embeddings in the decoder module for controlling the summary length. Although the length embeddings can control where to stop decoding, they do not decide which information should be included in the summary within the length constraint. Unlike the previous models, our length-controllable abstractive summarization model incorporates a word-level extractive module in the encoder-decoder model instead of length embeddings. Our model generates a summary in two steps. First, our word-level extractor extracts a sequence of important words (we call it the "prototype text") from the source text according to the word-level importance scores and the length constraint. Second, the prototype text is used as additional input to the encoder-decoder model, which generates a summary by jointly encoding and copying words from both the prototype text and source text. Since the prototype text is a guide to both the content and length of the summary, our model can generate an informative and length-controlled summary. Experiments with the CNN/Daily Mail dataset and the NEWSROOM dataset show that our model outperformed previous models in length-controlled settings.
Submitted 20 January, 2020;
originally announced January 2020.
-
Answering while Summarizing: Multi-task Learning for Multi-hop QA with Evidence Extraction
Authors:
Kosuke Nishida,
Kyosuke Nishida,
Masaaki Nagata,
Atsushi Otsuka,
Itsumi Saito,
Hisako Asano,
Junji Tomita
Abstract:
Question answering (QA) using textual sources for purposes such as reading comprehension (RC) has attracted much attention. This study focuses on the task of explainable multi-hop QA, which requires the system to return the answer with evidence sentences by reasoning and gathering disjoint pieces of the reference texts. It proposes the Query Focused Extractor (QFE) model for evidence extraction and uses multi-task learning with the QA model. QFE is inspired by extractive summarization models; compared with the existing method, which extracts each evidence sentence independently, it sequentially extracts evidence sentences by using an RNN with an attention mechanism on the question sentence. It enables QFE to consider the dependency among the evidence sentences and cover important information in the question sentence. Experimental results show that QFE with a simple RC baseline model achieves a state-of-the-art evidence extraction score on HotpotQA. Although designed for RC, it also achieves a state-of-the-art evidence extraction score on FEVER, which is a recognizing textual entailment task on a large textual database.
Submitted 28 May, 2019; v1 submitted 21 May, 2019;
originally announced May 2019.
-
Multi-style Generative Reading Comprehension
Authors:
Kyosuke Nishida,
Itsumi Saito,
Kosuke Nishida,
Kazutoshi Shinoda,
Atsushi Otsuka,
Hisako Asano,
Junji Tomita
Abstract:
This study tackles generative reading comprehension (RC), which consists of answering questions based on textual evidence and natural language generation (NLG). We propose a multi-style abstractive summarization model for question answering, called Masque. The proposed model has two key characteristics. First, unlike most studies on RC that have focused on extracting an answer span from the provided passages, our model instead focuses on generating a summary from the question and multiple passages. This serves to cover various answer styles required for real-world applications. Second, whereas previous studies built a specific model for each answer style because of the difficulty of acquiring one general model, our approach learns multi-style answers within a model to improve the NLG capability for all styles involved. This also enables our model to give an answer in the target style. Experiments show that our model achieves state-of-the-art performance on the Q&A task and the Q&A + NLG task of MS MARCO 2.1 and the summary task of NarrativeQA. We observe that the transfer of the style-independent NLG capability to the target style is the key to its success.
Submitted 27 May, 2019; v1 submitted 8 January, 2019;
originally announced January 2019.
-
Retrieve-and-Read: Multi-task Learning of Information Retrieval and Reading Comprehension
Authors:
Kyosuke Nishida,
Itsumi Saito,
Atsushi Otsuka,
Hisako Asano,
Junji Tomita
Abstract:
This study considers the task of machine reading at scale (MRS) wherein, given a question, a system first performs the information retrieval (IR) task of finding relevant passages in a knowledge source and then carries out the reading comprehension (RC) task of extracting an answer span from the passages. Previous MRS studies, in which the IR component was trained without considering answer spans, struggled to accurately find a small number of relevant passages from a large set of passages. In this paper, we propose a simple and effective approach that incorporates the IR and RC tasks by using supervised multi-task learning in order that the IR component can be trained by considering answer spans. Experimental results on the standard benchmark, answering SQuAD questions using the full Wikipedia as the knowledge source, showed that our model achieved state-of-the-art performance. Moreover, we thoroughly evaluated the individual contributions of our model components with our new Japanese dataset and SQuAD. The results showed significant improvements in the IR task and provided a new perspective on IR for RC: it is effective to teach which part of the passage answers the question rather than to give only a relevance score to the whole passage.
Submitted 31 August, 2018;
originally announced August 2018.
-
o-glasses: Visualizing x86 Code from Binary Using a 1d-CNN
Authors:
Yuhei Otsubo,
Akira Otsuka,
Mamoru Mimura,
Takeshi Sakaki,
Atsuhiro Goto
Abstract:
Malicious document files used in targeted attacks often contain a small program called shellcode. It is often hard to prepare a runnable environment for dynamic analysis of these document files because they exploit specific vulnerabilities. In these cases, it is necessary to identify the position of the shellcode in each document file to analyze it. If the exploit code uses executable scripts such as JavaScript and Flash, it is not so hard to locate the shellcode. On the other hand, it is sometimes almost impossible to locate the shellcode when it does not contain any JavaScript or Flash but consists of native x86 code only.
Binary fragment classification is often applied to visualize the location of regions of interest, and shellcode must contain at least a small fragment of x86 native code even if most of it is obfuscated, such as a decoder for the obfuscated body of the shellcode. In this paper, we propose a novel method, o-glasses, to visualize the shellcode by recognizing the x86 native code using a specially designed one-dimensional convolutional neural network (1d-CNN). The fragment size needs to be as small as the minimum size of the x86 native code in the whole shellcode. Our results show that a 16-instruction sequence (approximately 48 bytes on average) is sufficient for the code fragment visualization. Our method, o-glasses (1d-CNN), outperforms other methods in that it recognizes x86 native code with a surprisingly high F-measure rate (about 99.95%).
Submitted 13 June, 2018;
originally announced June 2018.
-
Relations among Security Metrics for Template Protection Algorithms
Authors:
Manabu Inuma,
Akira Otsuka
Abstract:
Many biometric template protection algorithms have been proposed, mainly in two approaches: biometric feature transformation and biometric cryptosystems. Security evaluation of the proposed algorithms is often conducted in various inconsistent manners. Thus, it is strongly demanded to establish common evaluation metrics for easier comparison among the many algorithms. Simoens et al. and Nagar et al. proposed good metrics covering nearly all aspects of the requirements expected for biometric template protection algorithms. One drawback of the two papers is that they are biased toward experimental evaluation of the security of biometric template protection algorithms. Therefore, it was still difficult, mainly for algorithms in biometric cryptosystems, to prove their security according to the proposed metrics. This paper will give formal definitions for the security metrics proposed by Simoens et al. and Nagar et al. so that they can be used for the evaluation of both of the two approaches. Further, this paper will discuss the relations among several notions of security metrics.
Submitted 7 January, 2013; v1 submitted 17 December, 2012;
originally announced December 2012.
-
Theoretical framework for constructing matching algorithms in biometric authentication systems
Authors:
Manabu Inuma,
Akira Otsuka,
Hideki Imai
Abstract:
In this paper, we propose a theoretical framework to construct matching algorithms for any biometric authentication system. Conventional matching algorithms are not necessarily secure against strong intentional impersonation attacks such as wolf attacks. The wolf attack is an attempt to impersonate a genuine user by presenting a "wolf" to a biometric authentication system without the knowledge of a genuine user's biometric sample. A wolf is a sample which can be accepted as a match with multiple templates. The wolf attack probability (WAP) is the maximum success probability of the wolf attack, which was proposed by Une, Otsuka, and Imai as a measure for evaluating the security of biometric authentication systems. We present a principle for the construction of matching algorithms secure against the wolf attack for any biometric authentication system. The ideal matching algorithm determines a threshold for each input value depending on the entropy of the probability distribution of the (Hamming) distances. Then we show that if the information about the probability distribution for each input value is perfectly given, our matching algorithm is secure against the wolf attack. Our generalized matching algorithm gives a theoretical framework to construct secure matching algorithms. How low a WAP is achievable depends on how accurately the entropy is estimated. Thus there is a trade-off between the efficiency and the achievable WAP. Almost every conventional matching algorithm employs a fixed threshold and hence can be regarded as an efficient but insecure instance of our theoretical framework. Daugman's IrisCode recognition algorithm can also be regarded as a non-optimal instance of our framework.
Submitted 8 April, 2009;
originally announced April 2009.