I chaired the committee to select Test-of-Time Awards for the IEEE Symposium on Security and Privacy symposia from 1995 to 2006, which were presented at the Opening Session of the 41st IEEE Symposium on Security and Privacy.
Security and Privacy Research at the University of Virginia
Our research seeks to empower individuals and organizations to control how their data is used. We use techniques from cryptography, programming languages, machine learning, operating systems, and other areas to both understand and improve the security of computing as practiced today, and as envisioned in the future.
Everyone is welcome at our research group meetings and summer reading/viewing groups on privacy and adversarial machine learning. To get announcements, join our Slack Group (any @virginia.edu email address can join themselves, or email me to request an invitation).
EvadeML
Secure Multi-Party Computation: Obliv-C · MightBeEvil · SecureComputation.org
Web and Mobile Security: ScriptInspector · SSOScan
Program Analysis: Splint · Perracotta
Security through Diversity: N-Variant Systems
Physicrypt · More…
Oakland Test-of-Time Awards
NeurIPS 2019
Here's a video of Xiao Zhang's presentation at NeurIPS 2019:
https://slideslive.com/38921718/track2session1 (starting at 26:50)
See this post for info on the paper.
Here are a few pictures from NeurIPS 2019 (by Sicheng Zhu and Mohammad Mahmoody):
USENIX Security 2020: Hybrid Batch Attacks
Finding Black-box Adversarial Examples with Limited Queries
Black-box attacks generate adversarial examples (AEs) against deep neural networks with only API access to the victim model.
Existing black-box attacks can be grouped into two main categories:

Transfer Attacks use white-box attacks on local models to find candidate adversarial examples that transfer to the target model.

Optimization Attacks use queries to the target model and apply optimization techniques to search for adversarial examples.
Hybrid Attack
We propose a hybrid attack that combines transfer and optimization attacks:

Transfer Attack → Optimization Attack — use the candidate adversarial examples found against the local models as the starting points for optimization attacks.

Optimization Attack → Transfer Attack — intermediate query results from the optimization attacks are used to fine-tune the local models used by the transfer attacks.
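The two directions above can be sketched end-to-end with toy stand-ins. Everything below is illustrative only: the linear "models", the greedy random search, and all names are assumptions, not the attack implementations used in the paper.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy stand-ins: a black-box target (score via API queries only) and a
# white-box local surrogate, both linear models over 10 features.
w_target = rng.normal(size=10)
w_local = w_target + 0.3 * rng.normal(size=10)   # imperfect surrogate

def query_target(x):
    """One API query: the target's score (the attack succeeds if < 0)."""
    return float(x @ w_target)

def transfer_candidate(x, eps=1.0):
    # Transfer direction: a white-box step against the *local* model's
    # gradient (costs no target queries); it may or may not transfer.
    return x - eps * np.sign(w_local)

def optimization_attack(x0, budget=2000, step=0.3):
    # Optimization direction: greedy random search using only target queries.
    x, score, used = x0.copy(), query_target(x0), 1
    while used < budget and score >= 0:
        cand = x + step * rng.normal(size=x.shape)
        cand_score = query_target(cand)
        used += 1
        if cand_score < score:
            x, score = cand, cand_score
    return x, used

seed = w_target.copy()                    # an input the target scores positive
ae_plain, q_plain = optimization_attack(seed)                        # baseline
ae_hybrid, q_hybrid = optimization_attack(transfer_candidate(seed))  # hybrid
```

Starting the query-based search from the local candidate typically reduces the number of target queries used (the Transfer → Optimization direction); the Optimization → Transfer direction would additionally use the queried `(cand, cand_score)` pairs to fine-tune `w_local`.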
We validate the effectiveness of the hybrid attack over the baseline on three benchmark datasets: MNIST, CIFAR-10, and ImageNet. In this post, we only show results with AutoZOOM as the selected optimization method; results for other attacks can be found in the paper.
Local Adversarial Examples are Useful (Transfer → Optimization)
Below, we compare the performance of the AutoZOOM attack when it starts from 1) the local adversarial examples, and 2) the original points. Here, we report results for targeted attacks on normal (i.e., non-robust) models:
Local AEs can substantially boost the performance of optimization attacks, but when the same attack is used against robust models, the improvement is small:
This ineffectiveness appears to stem from differences in the attack space of normal and robust models. Therefore, to improve effectiveness against robust target models, we use robust local models to produce the transfer candidates for starting the optimization attacks. The figure below compares the impact of normal and robust local models when attacking the robust target model:
Tuning with Byproducts Doesn't Help Much (Optimization → Transfer)
Below, we compare the performance of the AutoZOOM attack on the normal MNIST model when the local models are 1) fine-tuned during the attack process, and 2) kept static:
Tuning local models using byproducts from the optimization attack improves query efficiency on MNIST. However, for more complex datasets (e.g., CIFAR-10), we observe that fine-tuning degrades attack performance (see Table 6 in the paper).
Batch Attacks
We consider a batch attack scenario: adversaries have a limited number of queries and want to maximize the number of adversarial examples found within that limit. This is a more realistic way to evaluate attacks for most adversarial purposes than just looking at the average cost to attack each seed in a large pool of seeds.
The number of queries required for attacking a specific seed varies greatly across seeds:
Based on this observation, we propose a two-phase strategy to prioritize easy seeds for the hybrid attack:

In the first phase, likely-to-transfer seeds are prioritized based on the number of PGD steps taken to attack the local models. The candidate adversarial examples are attempted in this order, to find all the direct transfers.

In the second phase, the remaining seeds are prioritized based on their target loss value with respect to the target model.
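The scheduling logic of the two phases can be sketched as follows. The per-seed arrays (`pgd_steps`, `target_loss`) and the transfer test are made-up placeholders for the quantities described above, not values from the paper.

```python
import numpy as np

rng = np.random.default_rng(0)
n = 8  # a tiny pool of seeds

# Placeholder per-seed metadata the hybrid attack would produce:
pgd_steps = rng.integers(1, 50, size=n)   # local-attack difficulty per seed
transferred = pgd_steps < 10              # pretend easy local seeds transfer
target_loss = rng.random(size=n)          # candidate's loss on the target

# Phase 1: try candidates in order of local-attack difficulty,
# collecting the direct transfers first.
phase1 = sorted(range(n), key=lambda i: pgd_steps[i])
direct = [i for i in phase1 if transferred[i]]

# Phase 2: run the optimization attack on the remaining seeds,
# lowest target loss (easiest) first.
remaining = [i for i in phase1 if not transferred[i]]
phase2 = sorted(remaining, key=lambda i: target_loss[i])

schedule = direct + phase2   # overall attack order
```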
To validate the effectiveness of the two-phase strategy, we compare it to two other seed prioritization strategies:

Retroactive Optimal: a non-realizable attack that assumes adversaries already know the exact number of queries needed to attack each seed (before the attack starts) and can prioritize seeds by their actual query cost. This provides a lower bound on the query cost of an optimal strategy.

Random: a baseline strategy where seeds are attacked in random order (this is the strategy implicitly assumed in most works, where average costs are reported).
Results for the AutoZOOM attack on a normal ImageNet model are shown below:
Our two-phase strategy performs close to the retroactive optimal strategy and significantly outperforms the random baseline: with the same query limit, the two-phase strategy finds significantly more adversarial examples than the random baseline, and comes close to the retroactive optimal case. (See the paper for more experimental results and variations on the prioritization strategy.)
Main Takeaways

Transfer → Optimization: local adversarial examples can generally be used to boost optimization attacks. One caveat: against robust target models, the hybrid attack is more effective with robust local models.

Optimization → Transfer: fine-tuning local models is only helpful for small-scale datasets (e.g., MNIST) and fails to generalize to more complex datasets. It is an open question whether the fine-tuning process can be made to work for complex datasets.

Prioritizing seeds with the two-phase strategy can significantly improve the query efficiency of the hybrid attack in the batch attack scenario.
Our results make the case that it is important to evaluate both attacks and defenses with a more realistic adversary model than just looking at the average cost to attack a seed over a large pool of seeds. When an adversary only needs to find a small number of adversarial examples, and has access to a large pool of potential seeds to attack (of equal value to the adversary), then the effective cost of a successful attack can be orders of magnitude lower than what would be projected assuming an adversary who cannot prioritize seeds to attack.
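A toy simulation illustrates the scale of this effect; the cost distribution and all numbers below are assumptions for illustration, not measurements from the paper.

```python
import numpy as np

rng = np.random.default_rng(0)

# Assume per-seed query costs are heavy-tailed (a lognormal is one
# plausible shape, given how much cost varies across seeds).
costs = rng.lognormal(mean=6.0, sigma=2.0, size=10_000)  # queries per seed

avg_cost = costs.mean()              # what an average-cost evaluation reports
k = 100                              # the adversary only needs 100 AEs
best_k_cost = np.sort(costs)[:k].mean()  # perfect prioritization of easy seeds

ratio = avg_cost / best_k_cost       # how much the average overstates the cost
```

Under a heavy-tailed cost distribution like this one, the per-seed cost for a prioritizing adversary is orders of magnitude below the pool-wide average.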
Paper
Fnu Suya, Jianfeng Chi, David Evans and Yuan Tian. Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries. In USENIX Security 2020. Boston, August 2020. [PDF] [arXiv]
Code
https://github.com/suyeecav/HybridAttack
In this repository, we provide the source code to reproduce the results in the paper. We also believe our hybrid attack framework can potentially help boost the performance of new optimization attacks, so the repository includes tutorials for incorporating new optimization attacks into the hybrid attack framework.
NeurIPS 2019: Empirically Measuring Concentration
Xiao Zhang will present our work (with Saeed Mahloujifar and Mohammad Mahmoody) as a spotlight at NeurIPS 2019, Vancouver, 10 December 2019.
Recent theoretical results, starting with Gilmer et al.'s Adversarial Spheres (2018), show that if inputs are drawn from a concentrated metric probability space, then adversarial examples with small perturbation are inevitable. The key insight from this line of research is that concentration of measure gives a lower bound on adversarial risk for a large collection of classifiers (e.g., imperfect classifiers with risk at least $\alpha$), which implies impossibility results for robust learning against adversarial examples.
However, it is not clear whether these theoretical results apply to actual distributions such as images. This work presents a method for empirically measuring and bounding the concentration of a concrete dataset, and proves that the estimate converges to the actual concentration. More specifically, we prove that by simultaneously increasing the sample size and a complexity parameter of the selected collection of subsets $\mathcal{G}$, the concentration of the empirical measure based on samples converges asymptotically to the actual concentration.
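Written out, the quantity being estimated is the concentration function restricted to error regions of measure at least $\alpha$ (notation assumed here for illustration; see the paper for the precise definitions):

```latex
h(\alpha, \epsilon) \;=\; \inf \bigl\{ \mu(\mathcal{E}_\epsilon) \;:\; \mathcal{E} \subseteq \mathcal{X},\ \mu(\mathcal{E}) \ge \alpha \bigr\},
\qquad
\mathcal{E}_\epsilon \;=\; \{\, x \in \mathcal{X} : d(x, \mathcal{E}) \le \epsilon \,\},
```

so that any classifier with risk at least $\alpha$ has adversarial risk at least $h(\alpha, \epsilon)$. The empirical method replaces the infimum over all subsets with an infimum over the collection $\mathcal{G}$, and $\mu$ with the empirical measure over samples.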
To solve the empirical concentration problem, we propose heuristic algorithms to find error regions with small expansion under both $\ell_\infty$ and $\ell_2$ metrics.
For instance, our algorithm for $\ell_\infty$ starts by sorting the dataset based on the empirical density estimated using $k$-nearest neighbors, and then obtains $T$ rectangular data clusters by performing $k$-means clustering on the top-$q$ densest images. After expanding each of the rectangles by $\epsilon$, the error region $\mathcal{E}$ is then specified as the complement of the expanded rectangles (the reddish region in the following figure). Finally, we search for the best error region by tuning the number of rectangles $T$ and the initial coverage percentile $q$.
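A rough, numpy-only sketch of this procedure on toy 2-D data (the real algorithm runs on image datasets and searches over $T$ and $q$; the helper names and all parameter values here are assumptions):

```python
import numpy as np

rng = np.random.default_rng(1)
X = rng.normal(size=(500, 2))   # toy 2-D stand-in for an image dataset

def knn_radius(X, k=10):
    # Distance to the k-th nearest neighbor: small radius = high density.
    d = np.linalg.norm(X[:, None] - X[None, :], axis=-1)
    return np.sort(d, axis=1)[:, k]

def kmeans(X, T, iters=30):
    # Minimal k-means (stand-in for any off-the-shelf clustering routine).
    centers = X[rng.choice(len(X), T, replace=False)]
    for _ in range(iters):
        labels = ((X[:, None] - centers[None]) ** 2).sum(-1).argmin(1)
        centers = np.array([X[labels == t].mean(0) if (labels == t).any()
                            else centers[t] for t in range(T)])
    return labels

def concentration_estimate(X, eps=0.1, T=3, q=0.5):
    dense = X[np.argsort(knn_radius(X))[: int(q * len(X))]]  # top-q densest
    labels = kmeans(dense, T)
    lo = np.array([dense[labels == t].min(0) for t in range(T)])
    hi = np.array([dense[labels == t].max(0) for t in range(T)])

    def outside(P, lo, hi):  # fraction of P outside all T rectangles
        inside = ((P[:, None] >= lo) & (P[:, None] <= hi)).all(-1).any(-1)
        return 1.0 - inside.mean()

    # E = complement of the eps-expanded rectangles, so its eps-expansion
    # (under l_inf) lies inside the complement of the original rectangles.
    risk = outside(X, lo - eps, hi + eps)   # empirical mu(E)
    adv_risk = outside(X, lo, hi)           # empirical bound on mu(E_eps)
    return risk, adv_risk

risk, adv_risk = concentration_estimate(X)
```

Here the $\epsilon$-expansion of an $\ell_\infty$ rectangle is just the rectangle with each side extended by $\epsilon$, which is what makes the bound easy to evaluate in this metric.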
Based on the proposed algorithm, we empirically measure the concentration for image benchmarks such as MNIST and CIFAR-10. Compared with state-of-the-art robustly trained models, our estimated bound shows that, for most settings, there is a large gap between the robust error achieved by the best current models and the theoretical limits implied by concentration.
This suggests that concentration of measure is not the only reason behind the vulnerability of existing classifiers to adversarial perturbations. Thus, either there is room for improving the robustness of image classifiers, or a deeper understanding is needed of the reasons for the gap between intrinsic robustness and the robustness actually achieved by robust models.
Paper
Saeed Mahloujifar^{★}, Xiao Zhang^{★}, Mohammad Mahmoody and David Evans. Empirically Measuring Concentration: Fundamental Limits on Intrinsic Robustness. In NeurIPS 2019 (spotlight presentation). Vancouver, December 2019. [PDF] [arXiv]
Code
White House Visit
I had a chance to visit the White House for a Roundtable on Accelerating Responsible Sharing of Federal Data. The meeting was held under the "Chatham House Rule", so I won't mention the other participants here.
The meeting was held in the Roosevelt Room of the White House. We entered through the visitor’s side entrance. After a security gate (where you put your phone in a lockbox, so no pictures inside) with a TV blaring Fox News, there is a pleasant lobby for waiting, and then an entrance right into the Roosevelt Room. (We didn’t get to see the entrance in the opposite corner of the room, which is just a hallway across from the Oval Office.)
After the meeting, as a sign of the national state at the time, participants were given a gift — a box of red, white, and blue M&Ms with a barely legible signature on them. I wasn't brave enough to eat the contents myself, but according to my kids, they were okay, but not as good as Smarties or Reese's Pieces.
Participants were invited to provide written statements before and after the meeting. Mine are here: