First talk by Giuseppe Petracca
Title: Mitigating Inference Attacks on Sensed Location Data
Where: Room 333 IST building
When: Thursday September 29th, 11:30am-12:30pm
Abstract: Sensed location data is subject to inference attacks by cybercriminals that aim to obtain the exact position of sensitive locations, such as the victim’s home and work locations, to launch a variety of different attacks. Various Location-Privacy Preserving Mechanisms (LPPMs) exist to reduce the probability of success of inference attacks on location data. However, such mechanisms have been shown to be less effective when the adversary is informed of the protection mechanism adopted, also known as white-box attacks. We propose a novel approach that makes use of targeted agility maneuvers as a more robust defense against white-box attacks. Agility maneuvers are systematically activated in response to specific system events to rapidly and continuously control the rate of change in system configurations and increase diversity in the space of readings, which would decrease the probability of success of inference attacks by an adversary. Experimental results, performed on a real data set, show that the adoption of agility maneuvers reduces the probability of success of white-box attacks to 2.68% on average, compared to 56.92% when using state-of-the-art LPPMs.
Second Talk by Nicolas Papernot
Title: The Limitations of Machine Learning in Adversarial Settings
Where: Room 333 IST building
When: Tuesday October 4th, 11:00am-12:00pm
Abstract: Machine learning models, including deep neural networks, were shown to be vulnerable to adversarial examples–subtly (and often humanly indistinguishably) modified malicious inputs crafted to compromise the integrity of their outputs. Adversarial examples thus enable adversaries to manipulate system behaviors. Potential attacks include attempts to control the behavior of vehicles, have spam content identified as legitimate content, or have malware identified as legitimate software. In fact, the feasibility of misclassification attacks based on adversarial examples has been shown for image, text, and malware classifiers.
Furthermore, adversarial examples that affect one model often affect another model, even if the two models have different architectures (neural network, support vector machine, nearest neighbor, …) or were trained on different training sets, so long as both models were trained to perform the same task. An attacker may therefore train their own substitute model, craft adversarial examples against the substitute, and transfer them to a victim model, with very little information about the victim. The attacker need not even collect a training set to mount the attack, as a technique demonstrated how using the victim model as an oracle to label a synthetic training set for the substitute effectively allows adversaries to target remotely hosted classifiers.
This talk covers several adversarial example crafting algorithms operating under varying threat models and application domains, as well as defenses proposed to mitigate adversarial examples. Such defenses include label smoothing during training, training on adversarial examples, and defensive distillation.
Third Talk by Stefan Achleitner
Title: Cyber Deception: Virtual Networks to Defend Insider Reconnaissance
Where: Room 333 IST building
When: Tuesday October 18th, 11:00am-12:00pm
Abstract: Advanced targeted cyber attacks often rely on reconnaissance missions to gather information about potential targets and their location in a networked environment to identify vulnerabilities which can be exploited for further attack maneuvers. Advanced network scanning techniques are often used for this purpose and are automatically executed by malware infected hosts. In my talk I will present RDS (Reconnaissance Deception System) to defend adversarial reconnaissance missions. RDS is based on SDN (Software Defined Networking), to achieve deception by simulating virtual network topologies. Our system thwarts network reconnaissance by delaying the scanning techniques of adversaries, invalidating their collected information and identifying the source of adversarial reconnaissance, while minimizing the performance impact on benign network traffic.
Fourth Talk by Jalaj Upadhyay
Title: Fast and Space-Optimal Differentially-Private Low-Rank Factorization in the General Turnstile Update Model
Where: Room 333 IST building
When: Thursday November 3rd, 11:00am-12:00pm
Abstract: The problem of {\em low-rank factorization} of an mxn matrix A requires outputting a singular value decomposition: an m x k matrix U, an n x k matrix V, and a k x k diagonal matrix D) such that U D V^T approximates the matrix A in the Frobenius norm. In this paper, we study releasing differentially-private low-rank factorization of a matrix in the general turnstile update model. We give two differentially-private algorithms instantiated with respect to two levels of privacy. Both of our privacy levels are stronger than privacy levels for this and related problems studied in previous works, namely that of Blocki {\it et al.} (FOCS 2012), Dwork {\it et al.} (STOC 2014), Hardt and Roth (STOC 2012, STOC 2013), and Hardt and Price (NIPS 2014). Our main contributions are as follows.
- In our first level of privacy, we consider two matrices A and A’ as neighboring if A – A’ can be represented as an outer product of two unit vectors. Our private algorithm with respect to this privacy level incurs optimal additive error. We also prove a lower bound that shows that the space required by this algorithm is optimal up to a logarithmic factor.
- In our second level of privacy, we consider two matrices as neighboring if their difference has the Frobenius norm at most. Our private algorithm with respect to this privacy level is computationally more efficient than our first algorithm and incurs optimal additive error.
Fifth Talk by Noor Felemban
Title: Video Processing Of Complex Activity Detection In Resource-Constrained Networks
Where: Room 333 IST building
When: Thursday November 17th, 11:00am- 12:00pm
Abstract:
We consider video processing to detect complex activities in a distributed network consisting of mobile devices and video-cloud servers. To address varying task requirements and resource-constraints of mobile devices, we consider fragmentation of the video processing workflow. Fragmentation of the workflow allows for the mobile device to filter video clips based on metadata, process portions of the clips, and offload other videos to video-cloud servers. In certain situations, the cloud may require access to the raw video even if the video is processed by a mobile device. Through the use of resizing the image and a top-k analysis, we explore various quality of information metrics in the addressing of complex activity detection that consider energy usage of the mobile devices and the quality of detecting objects in terms of completeness and timeliness.
Sixth Talk by Berkay Celik
Title: Building Stronger Detection Systems with Privileged Information
Where: Room 333 IST building
When: Thursday December 1st, 11:00am- 12:00pm
Abstract: Modern detection systems use sensor outputs available in the deployment environment to probabilistically identify attacks. These systems are trained on past or synthetic feature vectors to create a model of anomalous or normal behavior. Thereafter, run-time collected sensor outputs are compared to the model to identify attacks (or the lack of attack). While this approach to detection has been proven to be effective in many environments, it is limited to training on only features that can be reliably collected at test-time. Hence, they fail to leverage the often vast amount of ancillary information available from past forensic analysis and post-mortem data. In short, detection systems do not train (and thus do not learn from) features that are unavailable or too costly to collect at run-time.
This talk covers recent advances in machine learning to integrate privileged information—features reliably available at training time, but not at run-time—into detection algorithms. I will introduce three different approaches to model training with privileged information: knowledge transfer, model influence, and distillation and present validation of their performances in a range of detection domains.