Arrow Research search

Author name cluster

Seyit Camtepe

Possible papers associated with this exact author name in Arrow. This page groups case-insensitive exact name matches and is not a full identity disambiguation profile.

6 papers
2 author rows

Possible papers

AAAI Conference 2024 Conference Paper

IPRemover: A Generative Model Inversion Attack against Deep Neural Network Fingerprinting and Watermarking

  • Wei Zong
  • Yang-Wai Chow
  • Willy Susilo
  • Joonsang Baek
  • Jongkil Kim
  • Seyit Camtepe

Training Deep Neural Networks (DNNs) can be expensive when data is difficult to obtain or labeling them requires significant domain expertise. Hence, it is crucial that the Intellectual Property (IP) of DNNs trained on valuable data be protected against IP infringement. DNN fingerprinting and watermarking are two lines of work in DNN IP protection. Recently proposed DNN fingerprinting techniques are able to detect IP infringement while preserving model performance by relying on the key assumption that the decision boundaries of independently trained models are intrinsically different from one another. In contrast, DNN watermarking embeds a watermark in a model and verifies IP infringement if an identical or similar watermark is extracted from a suspect model. The techniques deployed in fingerprinting and watermarking vary significantly because their underlying mechanisms are different. From an adversary's perspective, a successful IP removal attack should defeat both fingerprinting and watermarking. However, to the best of our knowledge, there is no work on such attacks in the literature yet. In this paper, we fill this gap by presenting an IP removal attack that can defeat both fingerprinting and watermarking. We consider the challenging data-free scenario whereby all data is inverted from the victim model. Under this setting, a stolen model only depends on the victim model. Experimental results demonstrate the success of our attack in defeating state-of-the-art DNN fingerprinting and watermarking techniques. This work reveals a novel attack surface that exploits generative model inversion attacks to bypass DNN IP defenses. This threat must be addressed by future defenses for reliable IP protection.

ECAI Conference 2024 Conference Paper

One-Shot Collaborative Data Distillation

  • William Holland
  • Chandra Thapa
  • Wei Shao 0006
  • Seyit Camtepe
  • Sarah Ali Siddiqui

Large machine-learning training datasets can be distilled into small collections of informative synthetic data samples. These synthetic sets support efficient model learning and reduce the communication cost of data sharing. Thus, high-fidelity distilled data can support the efficient deployment of machine learning applications in distributed network environments. A naive way to construct a synthetic set in a distributed environment is to allow each client to perform local data distillation and to merge local distillations at a central server. However, the quality of the resulting set is impaired by heterogeneity in the distributions of the local data held by clients. To overcome this challenge, we introduce the first collaborative data distillation technique, called CollabDM, which captures the global distribution of the data and requires only a single round of communication between client and server. Our method outperforms the state-of-the-art one-shot learning method on skewed data in distributed learning environments. We also show the promising practical benefits of our method when applied to attack detection in 5G networks.

ICLR Conference 2023 Conference Paper

An Additive Instance-Wise Approach to Multi-class Model Interpretation

  • Vy Vo
  • Van Nguyen 0002
  • Trung Le 0001
  • Quan Hung Tran
  • Gholamreza Haffari
  • Seyit Camtepe
  • Dinh Q. Phung

Interpretable machine learning offers insights into what factors drive a certain prediction of a black-box system. A large number of interpreting methods focus on identifying explanatory input features, which generally fall into two main categories: attribution and selection. A popular attribution-based approach is to exploit local neighborhoods for learning instance-specific explainers in an additive manner. The process is thus inefficient and susceptible to poorly-conditioned samples. Meanwhile, many selection-based methods directly optimize local feature distributions in an instance-wise training framework, thereby being capable of leveraging global information from other inputs. However, they can only interpret single-class predictions and many suffer from inconsistency across different settings, due to a strict reliance on a pre-defined number of features selected. This work exploits the strengths of both methods and proposes a framework for learning local explanations simultaneously for multiple target classes. Our model explainer significantly outperforms additive and instance-wise counterparts on faithfulness with more compact and comprehensible explanations. We also demonstrate the capacity to select stable and important features through extensive experiments on various data sets and black-box model architectures.

AAMAS Conference 2023 Conference Paper

An Adversarial Strategic Game for Machine Learning as a Service using System Features

  • Guoxin Sun
  • Tansu Alpcan
  • Seyit Camtepe
  • Andrew C. Cullen
  • Benjamin I. P. Rubinstein

Machine-learning-as-a-service (MLaaS) dramatically decreases the barrier of entry to machine learning through accessible, externally trained model building and deployment. However, numerous studies have shown that MLaaS models are vulnerable to adversarial attacks, which can alter input data with small perturbations and deceive the underlying machine learning algorithms. In this paper, we propose a novel approach for detecting and mitigating adversarial attacks in MLaaS. Our approach leverages previously overlooked system-level features in combination with data-driven methods to detect the generation process of adversarial examples. To guide the mitigation process, we model the dynamic interactions between an adaptive adversary, an imperfect anomaly detector, and a broader defensive system as a non-cooperative strategic game with imperfect information. We use experimental data from a realistic small-scale MLaaS ecosystem to construct the game components, such as players’ utilities and detection accuracy. Our experimental results indicate that an adversarial attack against MLaaS defended by our method requires up to six times more cloud service accounts compared to other state-of-the-art frameworks. These promising results demonstrate the importance of considering realistic system settings when developing and evaluating adversarial attacks and defenses.

AAAI Conference 2023 Conference Paper

Feature-Space Bayesian Adversarial Learning Improved Malware Detector Robustness

  • Bao Gia Doan
  • Shuiqiao Yang
  • Paul Montague
  • Olivier De Vel
  • Tamas Abraham
  • Seyit Camtepe
  • Salil S. Kanhere
  • Ehsan Abbasnejad

We present a new algorithm to train a robust malware detector. Malware is a prolific problem and malware detectors are a front-line defense. Modern detectors rely on machine learning algorithms. Now, the adversarial objective is to devise alterations to the malware code to decrease the chance of being detected whilst preserving the functionality and realism of the malware. Adversarial learning is effective in improving robustness, but generating functional and realistic adversarial malware samples is non-trivial, because: i) in contrast to tasks capable of using gradient-based feedback, adversarial learning in a domain without a differentiable mapping function from the problem space (malware code inputs) to the feature space is hard; and ii) it is difficult to ensure the adversarial malware is realistic and functional. This presents a challenge for developing scalable adversarial machine learning algorithms for large datasets at a production or commercial scale to realize robust malware detectors. We propose an alternative: perform adversarial learning in the feature space rather than the problem space. We prove that the projection of perturbed, yet valid, malware in the problem space into feature space will always be a subset of adversarials generated in the feature space. Hence, by generating a robust network against feature-space adversarial examples, we inherently achieve robustness against problem-space adversarial examples. We formulate a Bayesian adversarial learning objective that captures the distribution of models for improved robustness. To explain the robustness of the Bayesian adversarial learning algorithm, we prove that our learning method bounds the difference between the adversarial risk and empirical risk and improves robustness. We show that Bayesian neural networks (BNNs) achieve state-of-the-art results, especially in the False Positive Rate (FPR) regime. Adversarially trained BNNs achieve state-of-the-art robustness. Notably, adversarially trained BNNs are robust against stronger attacks with larger attack budgets by a margin of up to 15% on a recent production-scale malware dataset of more than 20 million samples. Importantly, our efforts create a benchmark for future defenses in the malware domain.

AAAI Conference 2022 Conference Paper

SplitFed: When Federated Learning Meets Split Learning

  • Chandra Thapa
  • Pathum Chamikara Mahawaga Arachchige
  • Seyit Camtepe
  • Lichao Sun

Federated learning (FL) and split learning (SL) are two popular distributed machine learning approaches. Both follow a model-to-data scenario: clients train and test machine learning models without sharing raw data. SL provides better model privacy than FL due to the machine learning model architecture being split between clients and the server. Moreover, the split model makes SL a better option for resource-constrained environments. However, SL performs slower than FL due to the relay-based training across multiple clients. In this regard, this paper presents a novel approach, named splitfed learning (SFL), that amalgamates the two approaches, eliminating their inherent drawbacks, along with a refined architectural configuration incorporating differential privacy and PixelDP to enhance data privacy and model robustness. Our analysis and empirical results demonstrate that (pure) SFL provides similar test accuracy and communication efficiency as SL while significantly decreasing its computation time per global epoch compared with SL for multiple clients. Furthermore, as in SL, its communication efficiency over FL improves with the number of clients. Besides, the performance of SFL with privacy and robustness measures is further evaluated under extended experimental settings.