Minhui Xue’s research while affiliated with Data61, The Commonwealth Scientific and Industrial Research Organisation and other places

Publications (140)


Figure and table previews: Figure 1, an overview of our SoK on unifying cybersecurity and cybersafety of multimodal foundation models; Figure 2, examples of (a) unimodal and (b) multimodal learning; Figure 3, an illustration of information flows in an MFM system (represented by arrows); examples of multimodal large models; defense effectiveness against adversarial attacks on different modalities.
SoK: Unifying Cybersecurity and Cybersafety of Multimodal Foundation Models with an Information Theory Approach
  • Preprint
  • File available

November 2024 · 5 Reads · Jiamin Chang · Hammond Pearce · [...] · Minhui Xue

Multimodal foundation models (MFMs) represent a significant advancement in artificial intelligence, combining diverse data modalities to enhance learning and understanding across a wide range of applications. However, this integration also brings unique safety and security challenges. In this paper, we conceptualize cybersafety and cybersecurity in the context of multimodal learning and present a comprehensive Systematization of Knowledge (SoK) to unify these concepts in MFMs, identifying key threats to these models. We propose a taxonomy framework grounded in information theory, evaluating and categorizing threats through the concepts of channel capacity, signal, noise, and bandwidth. This approach provides a novel framework that unifies model safety and system security in MFMs, offering a more comprehensive and actionable understanding of the risks involved. We use this framework to explore existing defense mechanisms and identify gaps in current research, in particular a lack of protection for alignment between modalities and a need for more systematic defense methods. Our work contributes to a deeper understanding of the security and safety landscape in MFMs, providing researchers and practitioners with valuable insights for improving the robustness and reliability of these models.
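
For orientation, the information-theoretic quantities the taxonomy borrows (channel capacity, signal, noise, and bandwidth) are tied together by the classical Shannon-Hartley relation; this is standard background notation, not the paper's own formalization:

    C = B \log_2\left(1 + \frac{S}{N}\right)

where C is the channel capacity, B the bandwidth, and S/N the signal-to-noise ratio.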


AI-Compass: A Comprehensive and Effective Multi-module Testing Tool for AI Systems

November 2024 · 4 Reads

AI systems, in particular those built on deep learning techniques, have demonstrated superior performance across various real-world applications. Given the need for tailored optimization in specific scenarios, as well as concerns about the exploitation of subsurface vulnerabilities, more comprehensive and in-depth testing of AI systems has become a pivotal topic. We have seen the emergence of testing tools in real-world applications that aim to expand testing capabilities. However, they often concentrate on ad-hoc tasks, rendering them unsuitable for simultaneously testing multiple aspects or components. Furthermore, trustworthiness issues arising from adversarial attacks and the difficulty of interpreting deep learning models pose new challenges for developing more comprehensive and in-depth AI system testing tools. In this study, we design and implement a testing tool, AI-Compass, to comprehensively and effectively evaluate AI systems. The tool assesses adversarial robustness and model interpretability through multiple measurements, and performs neuron analysis. The feasibility of the proposed testing tool is thoroughly validated across various modalities, including image classification, object detection, and text classification. Extensive experiments demonstrate that AI-Compass is the state-of-the-art tool for a comprehensive assessment of the robustness and trustworthiness of AI systems. Our research sheds light on a general solution for the AI system testing landscape.
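
The abstract does not describe how individual measurements are computed, so as one concrete illustration, the sketch below shows the kind of adversarial-robustness metric such a tool typically reports: robust accuracy under an FGSM perturbation. The function name, the epsilon value, and the PyTorch setting are assumptions for illustration, not the AI-Compass implementation.

    # Illustrative robustness measurement (assumed, not from AI-Compass):
    # robust accuracy of a classifier under a single FGSM perturbation step.
    import torch
    import torch.nn.functional as F

    def fgsm_robust_accuracy(model, loader, epsilon=8 / 255, device="cpu"):
        """Fraction of samples still classified correctly after an FGSM step."""
        model.eval()
        correct, total = 0, 0
        for x, y in loader:
            x, y = x.to(device), y.to(device)
            x.requires_grad_(True)
            loss = F.cross_entropy(model(x), y)
            grad = torch.autograd.grad(loss, x)[0]
            x_adv = (x + epsilon * grad.sign()).clamp(0, 1)  # FGSM: one signed-gradient step
            with torch.no_grad():
                correct += (model(x_adv).argmax(dim=1) == y).sum().item()
            total += y.size(0)
        return correct / total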


Edge Unlearning is Not "on Edge"! An Adaptive Exact Unlearning System on Resource-Constrained Devices

October 2024 · 26 Reads

The right to be forgotten mandates that machine learning models enable the erasure of a data owner's data and information from a trained model. Removing data from the dataset alone is inadequate, as machine learning models can memorize information from the training data, increasing the potential privacy risk to users. To address this, multiple machine unlearning techniques have been developed and deployed. Among them, approximate unlearning is a popular solution, but recent studies report that its unlearning effectiveness is not fully guaranteed. Another approach, exact unlearning, tackles this issue by discarding the data and retraining the model from scratch, but at the cost of considerable computational and memory resources. However, not all devices have the capability to perform such retraining. In numerous machine learning applications, such as edge devices, Internet-of-Things (IoT), mobile devices, and satellites, resources are constrained, posing challenges for deploying existing exact unlearning methods. In this study, we propose a Constraint-aware Adaptive Exact Unlearning System at the network Edge (CAUSE), an approach to enabling exact unlearning on resource-constrained devices. Aiming to minimize the retraining overhead by storing sub-models on the resource-constrained device, CAUSE innovatively applies a Fibonacci-based replacement strategy and adaptively updates the number of shards in the user-based data partition process. To further improve memory efficiency, CAUSE leverages model pruning to save memory via compression with minimal accuracy sacrifice. The experimental results demonstrate that CAUSE significantly outperforms other representative systems in realizing exact unlearning on resource-constrained devices by 9.23%-80.86%, 66.21%-83.46%, and 5.26%-194.13% in terms of unlearning speed, energy consumption, and accuracy.
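
The abstract names the building blocks (user-based sharding, a Fibonacci-based replacement strategy, pruning) without spelling them out, so the sketch below only illustrates the underlying shard-retraining idea of exact unlearning: delete a user's data and retrain just the affected sub-model. The class and function names are hypothetical, and the Fibonacci replacement and adaptive shard-count logic are deliberately omitted.

    # Hypothetical sketch of shard-based exact unlearning; CAUSE's Fibonacci
    # replacement, adaptive shard counts, and pruning are not reproduced here.
    from collections import defaultdict

    class ShardedUnlearner:
        def __init__(self, train_fn, num_shards):
            self.train_fn = train_fn         # callable: list of samples -> sub-model
            self.num_shards = num_shards
            self.shards = defaultdict(list)  # shard id -> (user_id, sample) pairs
            self.models = {}                 # shard id -> trained sub-model

        def add(self, user_id, sample):
            sid = hash(user_id) % self.num_shards   # user-based data partition
            self.shards[sid].append((user_id, sample))

        def fit(self):
            for sid, data in self.shards.items():
                self.models[sid] = self.train_fn([s for _, s in data])

        def forget(self, user_id):
            """Exact unlearning: drop the user's data, retrain only its shard."""
            sid = hash(user_id) % self.num_shards
            self.shards[sid] = [(u, s) for u, s in self.shards[sid] if u != user_id]
            self.models[sid] = self.train_fn([s for _, s in self.shards[sid]])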


Iterative Window Mean Filter: Thwarting Diffusion-based Adversarial Purification

August 2024 · 3 Reads

Face authentication systems have brought significant convenience and advanced developments, yet they have become unreliable due to their sensitivity to inconspicuous perturbations, such as adversarial attacks. Existing defenses often exhibit weaknesses when facing various attack algorithms and adaptive attacks or compromise accuracy for enhanced security. To address these challenges, we have developed a novel and highly efficient non-deep-learning-based image filter called the Iterative Window Mean Filter (IWMF) and proposed a new framework for adversarial purification, named IWMF-Diff, which integrates IWMF and denoising diffusion models. These methods can function as pre-processing modules to eliminate adversarial perturbations without necessitating further modifications or retraining of the target system. We demonstrate that our proposed methodologies fulfill four critical requirements: preserved accuracy, improved security, generalizability to various threats in different settings, and better resistance to adaptive attacks. This performance surpasses that of the state-of-the-art adversarial purification method, DiffPure.
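
As a rough picture of what a non-deep-learning window-mean purifier looks like, the sketch below repeatedly overwrites randomly chosen pixel windows with their mean value. The window size, iteration count, and selection rule here are placeholders; the actual IWMF algorithm and its IWMF-Diff integration with diffusion models follow the paper.

    # Rough sketch of an iterative window-mean filter; parameters and the
    # window-selection rule are assumptions, not the paper's exact algorithm.
    import numpy as np

    def iterative_window_mean(img, window=3, iterations=2, frac=0.5, seed=0):
        """Repeatedly overwrite randomly chosen windows with their mean value."""
        rng = np.random.default_rng(seed)
        out = img.astype(np.float32).copy()
        h, w = out.shape[:2]
        n_windows = int(frac * (h // window) * (w // window))
        for _ in range(iterations):
            ys = rng.integers(0, h - window + 1, size=n_windows)
            xs = rng.integers(0, w - window + 1, size=n_windows)
            for y, x in zip(ys, xs):
                patch = out[y:y + window, x:x + window]
                out[y:y + window, x:x + window] = patch.mean(axis=(0, 1))
        return out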


Rethinking the Threat and Accessibility of Adversarial Attacks against Face Recognition Systems

July 2024 · 15 Reads

Face recognition pipelines have been widely deployed in various mission-critical systems in trustworthy, equitable, and responsible AI applications. However, the emergence of adversarial attacks has threatened the security of the entire recognition pipeline. Despite the sheer number of attack methods proposed for crafting adversarial examples in both digital and physical forms, it is never an easy task to assess the real threat level of different attacks and obtain useful insight into the key risks confronted by face recognition systems. Traditional attacks view imperceptibility as the most important measurement to keep perturbations stealthy, while we suspect that industry professionals may possess a different opinion. In this paper, we delve into measuring the threat brought about by adversarial attacks from the perspectives of industry and the applications of face recognition. In contrast to widely studied sophisticated attacks in the field, we propose an effective yet easy-to-launch physical adversarial attack, named AdvColor, against black-box face recognition pipelines in the physical world. AdvColor fools models in the recognition pipeline by directly supplying printed photos of human faces to the system under adversarial illuminations. Experimental results show that physical AdvColor examples can achieve a fooling rate of more than 96% against the anti-spoofing model and an overall attack success rate of 88% against the face recognition pipeline. We also conduct a survey on the threats of prevailing adversarial attacks, including AdvColor, to understand the gap between the machine-measured and human-assessed threat levels of different forms of adversarial attacks. The survey results surprisingly indicate that, compared to deliberately launched imperceptible attacks, perceptible but accessible attacks pose more lethal threats to real-world commercial face recognition systems.
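
The attack itself is physical (printed photos under adversarial illumination), but its black-box nature can be conveyed with a toy search over global colour casts that tries to push an anti-spoofing model's "live" score up. Everything below (the score_fn interface, the gain range, random search) is an illustrative assumption, not the AdvColor optimisation or its physical setup.

    # Toy black-box search over per-channel colour gains (a stand-in for
    # adversarial illumination); not the AdvColor method or physical pipeline.
    import numpy as np

    def search_color_cast(score_fn, img, trials=200, strength=0.4, seed=0):
        """Random-search RGB gains that maximise an assumed 'live' score.

        score_fn: black-box callable, image -> scalar (higher = judged live).
        """
        rng = np.random.default_rng(seed)
        best_gain, best_score = np.ones(3), score_fn(img)
        for _ in range(trials):
            gain = 1.0 + rng.uniform(-strength, strength, size=3)  # colour cast
            tinted = np.clip(img.astype(np.float32) * gain, 0, 255).astype(img.dtype)
            score = score_fn(tinted)
            if score > best_score:          # photo more likely accepted as live
                best_gain, best_score = gain, score
        return best_gain, best_score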


QUEEN: Query Unlearning against Model Extraction

July 2024 · 12 Reads

Model extraction attacks currently pose a non-negligible threat to the security and privacy of deep learning models. By querying the model with a small dataset and using the query results as the ground-truth labels, an adversary can steal a piracy model with performance comparable to the original model. Two key issues underlie the threat: on the one hand, the adversary can obtain accurate and unlimited query results; on the other hand, the adversary can aggregate the query results to train the model step by step. Existing defenses usually employ model watermarking or fingerprinting to protect ownership. However, these methods cannot proactively prevent the violation from happening. To mitigate the threat, we propose QUEEN (QUEry unlEarNing), which proactively launches counterattacks on potential model extraction attacks from the very beginning. To limit the potential threat, QUEEN combines sensitivity measurement with output perturbation to prevent the adversary from training a high-performance piracy model. In sensitivity measurement, QUEEN measures the sensitivity of a single query by its distance from the center of its cluster in the feature space. To reduce the learning accuracy of attacks, QUEEN applies query unlearning to highly sensitive query batches: gradient reversal is used to perturb the softmax output so that the piracy model unknowingly generates reversed gradients that worsen its own performance. Experiments show that QUEEN outperforms the state-of-the-art defenses against various model extraction attacks at a relatively low cost to model accuracy. The artifact is publicly available at https://anonymous.4open.science/r/queen implementation-5408/.
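
The two ingredients the abstract names, distance-based sensitivity and output perturbation for sensitive queries, can be sketched as below. The gradient-reverse perturbation of the paper is replaced by a simple noisy renormalisation placeholder; the function names and threshold are hypothetical, and the released artifact contains the real implementation.

    # Sketch of the two ingredients named in the abstract; the gradient-reverse
    # perturbation is replaced by a simple noise placeholder (an assumption).
    import numpy as np

    def query_sensitivity(features, centroids):
        """Distance of each query's feature vector to its nearest cluster centre."""
        d = np.linalg.norm(features[:, None, :] - centroids[None, :, :], axis=-1)
        return d.min(axis=1)

    def perturb_outputs(probs, sensitivity, threshold, noise_scale=0.1, seed=0):
        """Leave benign queries untouched; perturb the softmax of sensitive ones."""
        rng = np.random.default_rng(seed)
        out = probs.copy()
        hot = sensitivity > threshold
        noisy = out[hot] + rng.normal(0.0, noise_scale, size=out[hot].shape)
        noisy = np.clip(noisy, 1e-8, None)
        out[hot] = noisy / noisy.sum(axis=1, keepdims=True)  # keep a valid distribution
        return out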


Figure previews: Fig. 1, trend of cybersecurity vulnerabilities in TensorFlow; Fig. 9, DL-specific taxonomy (CWE List additional part).
On Security Weaknesses and Vulnerabilities in Deep Learning Systems

June 2024 · 44 Reads

The security guarantee of AI-enabled software systems (particularly those using deep learning techniques as a functional core) is pivotal against adversarial attacks exploiting software vulnerabilities. However, little attention has been paid to a systematic investigation of vulnerabilities in such systems. A common situation learned from the open-source software community is that deep learning engineers frequently integrate off-the-shelf or open-source learning frameworks into their ecosystems. In this work, we specifically look into deep learning (DL) frameworks and perform the first systematic study of vulnerabilities in DL systems through a comprehensive analysis of identified vulnerabilities from Common Vulnerabilities and Exposures (CVE) and open-source DL tools, including TensorFlow, Caffe, OpenCV, Keras, and PyTorch. We propose a two-stream data analysis framework to explore vulnerability patterns from various databases. We investigate the development ecosystems of DL frameworks and libraries, which appear to be decentralized and fragmented. By revisiting the Common Weakness Enumeration (CWE) List, which reflects traditional software vulnerability practices, we observe that it is more challenging to detect and fix vulnerabilities throughout the DL system lifecycle. Moreover, we conduct a large-scale empirical study of 3,049 DL vulnerabilities to better understand their patterns and the challenges in fixing them. We have released the full replication package at https://github.com/codelzz/Vulnerabilities4DLSystem. We anticipate that our study can advance the development of secure DL systems.


Leakage-Resilient and Carbon-Neutral Aggregation Featuring the Federated AI-enabled Critical Infrastructure

May 2024 · 31 Reads

AI-enabled critical infrastructures (ACIs) integrate artificial intelligence (AI) technologies into various essential systems and services that are vital to the functioning of society, with significant implications for efficiency, security, and resilience. While adopting decentralized AI approaches (such as federated learning technology) in ACIs is plausible, private and sensitive data are still susceptible to data reconstruction attacks through gradient optimization. In this work, we propose Compressed Differentially Private Aggregation (CDPA), a leakage-resilient, communication-efficient, and carbon-neutral approach for ACI networks. Specifically, CDPA introduces a novel random bit-flipping mechanism as its primary innovation. This mechanism first converts gradients into a specific binary representation and then selectively flips masked bits with a certain probability. The proposed bit-flipping introduces a larger variance into the noise while providing differentially private protection, and achieves notable energy savings when combined with vector quantization techniques in the federated learning setting. The experimental evaluation indicates that CDPA can reduce communication cost by half while preserving model utility. Moreover, we demonstrate that CDPA can effectively defend against state-of-the-art data reconstruction attacks in both computer vision and natural language processing tasks. We highlight that existing benchmarks generate 2.6x to over 100x more carbon emissions than CDPA. We hope that the CDPA developed in this paper can offer federated AI-enabled critical infrastructure a more balanced trade-off between utility and privacy, stronger resilience protection, and a better carbon offset with less communication overhead.
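
The random bit-flipping idea can be pictured with a one-bit sign encoding flipped Bernoulli-style, in the spirit of randomised response; the encoding, masking, and quantisation details of CDPA itself are not reproduced here.

    # Hedged sketch of random bit-flipping on a 1-bit sign encoding of the
    # gradient; CDPA's actual binary representation and masking differ.
    import numpy as np

    def flip_sign_bits(grad, p=0.1, seed=0):
        """Privatise a gradient vector by flipping its sign bits with prob. p."""
        rng = np.random.default_rng(seed)
        bits = (grad >= 0).astype(np.int8)      # 1-bit encoding of each coordinate
        flip = rng.random(bits.shape) < p       # Bernoulli(p) flip mask
        bits = np.where(flip, 1 - bits, bits)
        return 2 * bits - 1                     # back to {-1, +1} signs

Since a sign flipped with probability p has expectation (1 - 2p) times the true sign, a server can debias the aggregate by dividing by (1 - 2p), the usual randomised-response correction rather than the paper's specific estimator.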




Citations (52)


... On the other hand, existing methods are vulnerable to privacy leakage attacks (Hu et al., 2024), where an attacker can infer which data is within the forgetting set from the post-unlearning models. This still violates the right to be forgotten, even though the model has been updated to remove the data. ...

Reference:

Pseudo-Probability Unlearning: Towards Efficient and Privacy-Preserving Machine Unlearning
Learn What You Want to Unlearn: Unlearning Inversion Attacks against Machine Unlearning
  • Citing Conference Paper
  • May 2024

... Differential privacy is a statistical technique that provides strong privacy guarantees by introducing noise into the data being shared [233]. In the context of CRNs, differential privacy is applied to protect spectrum sensing reports and usage patterns from revealing sensitive user information [234]. ...

Bounded and Unbiased Composite Differential Privacy
  • Citing Conference Paper
  • May 2024
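
The generic noise addition described in the snippet above is often realised with the Laplace mechanism; the minimal sketch below is textbook differential privacy, not code from the cited paper.

    # Textbook Laplace mechanism: release value + Laplace(sensitivity/epsilon)
    # noise; the parameters here are purely illustrative.
    import numpy as np

    def laplace_mechanism(value, sensitivity, epsilon, seed=None):
        rng = np.random.default_rng(seed)
        return value + rng.laplace(loc=0.0, scale=sensitivity / epsilon)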

... Since the publication of a first side-channel attack against the IP of an embedded DNN [2], the number of physical-based attacks against DNNs has greatly increased. Several methodologies using side-channel attacks with the objective of the extraction of the DNN's hyperparameters have been proposed [11], [18]. DNN parameters have also been targeted by physical attacks, via side-channel [19], [32], or through fault injection [13], [27]. ...

DeepTheft: Stealing DNN Model Architectures through Power Side Channel
  • Citing Conference Paper
  • May 2024

... According to Wang et al. [32], we have the following Property 1 and Theorem 1 for the connections between model weights' magnitudes/variances and outputs' magnitudes/variances: Property 1: Let f_θ(x) be a fully-connected neural network, where θ denotes the set of parameters. Assume the activation function ϕ is Lipschitz continuous with constant L, and the weight matrices W^(m) are random matrices with independent and identically distributed (i.i.d.) sub-Gaussian entries. ...

CoreLocker: Neuron-level Usage Control
  • Citing Conference Paper
  • May 2024

... Rather than attempting to litigate access to (or utilization of) potentially sensitive data, these techniques apply data processing techniques to user-generated data streams to obfuscate personally identifying details before they are made accessible to third parties. Preliminary efforts by Sun et al. [29] suggest that differential privacy can be applied to obscure behavioral patterns that may identify a user; however, this investigation was only performed on simulated human activity. Wierzbowski et al. [32] observe that eliminating differences in users' characteristics (e.g., by standardizing all users' heights by seating them in a chair) while collecting VR motion data can reduce user identification rates; this places constraints on how users can interact with their devices, which makes this method difficult to apply in a practical setting. ...

PPVR: A Privacy-Preserving Approach for User Behaviors in VR
  • Citing Conference Paper
  • March 2024

... User-Centric Privacy Solutions: Much of the current research focuses on network-level privacy protections [291], but there is a gap in user-centric solutions that empower individuals to control their own data privacy. Developing tools and frameworks that give users greater control over their data in 5G networks is an important area for future research. ...

Privacy-Preserving and Fairness-Aware Federated Learning for Critical Infrastructure Protection and Resilience
  • Citing Conference Paper
  • May 2024

... Moreover, the proliferation of IoT devices, smart sensors, and wearables only exacerbates these challenges by introducing new vectors for data collection and analysis. As such, addressing the privacy implications of location data requires a multifaceted approach that combines technical innovation, regulatory oversight, and user education to create a more resilient and privacy-centric digital ecosystem [30,60,69]. ...

GEES: Enabling Location Privacy-Preserving Energy Saving in Multi-Access Edge Computing
  • Citing Conference Paper
  • May 2024

... It refers to the fairness of federated learning with respect to heterogeneous clients, including those clients with insufficient computing resources to run full-size AI models. One solution approach to ensuring equitable AI in federated learning is to support federated learning with heterogeneous clients, allowing vertical and horizontal partitioning of a global model, to enable clients with insufficient computing resources to participate in (and benefit from) federated learning [33,91]. ...

RAI4IoE: Responsible AI for Enabling the Internet of Energy
  • Citing Conference Paper
  • November 2023

... In contrast, approximate unlearning adjusts model parameters to eliminate the contribution of specific data, simulating the effects of retraining. While approximate unlearning offers cost advantages, security flaws raise concerns about its reliability [42], [46] and vulnerability to attacks [19], [20]. A recent study [32] discovered that representative approximate unlearning methods fail to guarantee the removal of learned data, indicating that models unlearned using these systems still retain the knowledge of the forgotten data to some extent. ...

A Duty to Forget, a Right to be Assured? Exposing Vulnerabilities in Machine Unlearning Services
  • Citing Conference Paper
  • January 2024