Shucheng Yu

CR | 3 papers | 46 citations | Novelty 63% | AI Score 27

3 Papers

LG | Jun 4, 2021
BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian Optimization

Zhuosheng Zhang, Shucheng Yu

Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a type of severe adversarial attack against Deep Neural Networks (DNNs) requiring minimal knowledge from attackers. State-of-the-art DBA attacks relying on zeroth-order gradient estimation require an excessive number of queries. Recently, Bayesian optimization (BO) has shown promise in reducing the number of queries in score-based attacks (SBA), in which attackers need to observe real-valued probability scores as outputs. However, extending BO to the setting of DBA is nontrivial because in DBA only output labels, instead of the real-valued scores needed by BO, are available to attackers. In this paper, we close this gap by proposing an efficient DBA attack, namely BO-DBA. Different from existing approaches, BO-DBA generates adversarial examples by searching so-called directions of perturbations. It then formulates the problem as a BO problem that minimizes the real-valued distortion of perturbations. With the optimized perturbation generation process, BO-DBA converges much faster than the state-of-the-art DBA techniques. Experimental results on pre-trained ImageNet classifiers show that BO-DBA converges within 200 queries while the state-of-the-art DBA techniques need over 15,000 queries to achieve the same level of perturbation distortion. BO-DBA also shows similar attack success rates even when compared to BO-based SBA attacks, but with less distortion.

CR | Feb 4, 2021
SAFELearning: Enable Backdoor Detectability In Federated Learning With Secure Aggregation

Zhuosheng Zhang, Jiarui Li, Shucheng Yu et al.

For model privacy, local model parameters in federated learning shall be obfuscated before being sent to the remote aggregator. This technique is referred to as secure aggregation. However, secure aggregation makes model poisoning attacks such as backdooring more convenient, considering that existing anomaly detection methods mostly require access to plaintext local models. This paper proposes SAFELearning, which supports backdoor detection for secure aggregation. We achieve this through two new primitives: oblivious random grouping (ORG) and partial parameter disclosure (PPD). ORG partitions participants into one-time random subgroups with group configurations oblivious to participants; PPD allows secure partial disclosure of aggregated subgroup models for anomaly detection without leaking individual model privacy. SAFELearning can significantly reduce backdoor model accuracy without jeopardizing the main task accuracy under common backdoor strategies. Extensive experiments show SAFELearning is robust against malicious and faulty participants, whilst being more efficient than the state-of-the-art secure aggregation protocol in terms of both communication and computation costs.

CR | Jan 14, 2019
LEP-CNN: A Lightweight Edge Device Assisted Privacy-preserving CNN Inference Solution for IoT

Yifan Tian, Jiawei Yuan, Shucheng Yu et al.

Supporting convolutional neural network (CNN) inference on resource-constrained IoT devices in a timely manner has been an outstanding challenge for emerging smart systems. To mitigate the burden on IoT devices, the prevailing solution is to offload the CNN inference task, which is usually composed of billions of operations, to the public cloud. However, the "offloading-to-cloud" solution may cause a privacy breach while moving sensitive data to the cloud. For privacy protection, the research community has resorted to advanced cryptographic primitives and approximation techniques to support CNN inference on encrypted data. Consequently, these attempts cause impractical computational overhead on IoT devices and degrade the performance of CNNs. Moreover, relying on the remote cloud can cause additional network latency and even make the system dysfunctional when the network connection is off. We propose an extremely lightweight edge device assisted private CNN inference solution for IoT devices, namely LEP-CNN. The main design of LEP-CNN is based on a novel online/offline encryption scheme. The decryption of LEP-CNN is pre-computed offline by utilizing the linear property of the most time-consuming operations of CNNs. As a result, LEP-CNN allows IoT devices to securely offload over 99% of CNN operations, and edge devices to execute CNN inference on encrypted data as efficiently as on plaintext. LEP-CNN also provides an integrity check option to help IoT devices detect erroneous results with a success rate over 99%. Experiments on AlexNet show that LEP-CNN can speed up CNN inference by more than 35 times for resource-constrained IoT devices. A homomorphic encryption based AlexNet using CryptoNets is implemented to compare with LEP-CNN, demonstrating that LEP-CNN performs better than homomorphic encryption based privacy-preserving neural networks under time-sensitive scenarios.