-
Avoiding Generative Model Writer's Block With Embedding Nudging
Authors:
Ali Zand,
Milad Nasr
Abstract:
Generative image models, since introduction, have become a global phenomenon. From new arts becoming possible to new vectors of abuse, many new capabilities have become available. One of the challenging issues with generative models is controlling the generation process specially to prevent specific generations classes or instances . There are several reasons why one may want to control the output…
▽ More
Generative image models, since introduction, have become a global phenomenon. From new arts becoming possible to new vectors of abuse, many new capabilities have become available. One of the challenging issues with generative models is controlling the generation process specially to prevent specific generations classes or instances . There are several reasons why one may want to control the output of generative models, ranging from privacy and safety concerns to application limitations or user preferences
To address memorization and privacy challenges, there has been considerable research dedicated to filtering prompts or filtering the outputs of these models. What all these solutions have in common is that at the end of the day they stop the model from producing anything, hence limiting the usability of the model. In this paper, we propose a method for addressing this usability issue by making it possible to steer away from unwanted concepts (when detected in model's output) and still generating outputs. In particular we focus on the latent diffusion image generative models and how one can prevent them to generate particular images while generating similar images with limited overhead.
We focus on mitigating issues like image memorization, demonstrating our technique's effectiveness through qualitative and quantitative evaluations. Our method successfully prevents the generation of memorized training images while maintaining comparable image quality and relevance to the unmodified model.
△ Less
Submitted 27 August, 2024;
originally announced August 2024.
-
Peptide Sequencing Via Protein Language Models
Authors:
Thuong Le Hoai Pham,
Jillur Rahman Saurav,
Aisosa A. Omere,
Calvin J. Heyl,
Mohammad Sadegh Nasr,
Cody Tyler Reynolds,
Jai Prakash Yadav Veerla,
Helen H Shang,
Justyn Jaworski,
Alison Ravenscraft,
Joseph Anthony Buonomo,
Jacob M. Luber
Abstract:
We introduce a protein language model for determining the complete sequence of a peptide based on measurement of a limited set of amino acids. To date, protein sequencing relies on mass spectrometry, with some novel edman degregation based platforms able to sequence non-native peptides. Current protein sequencing techniques face limitations in accurately identifying all amino acids, hindering comp…
▽ More
We introduce a protein language model for determining the complete sequence of a peptide based on measurement of a limited set of amino acids. To date, protein sequencing relies on mass spectrometry, with some novel edman degregation based platforms able to sequence non-native peptides. Current protein sequencing techniques face limitations in accurately identifying all amino acids, hindering comprehensive proteome analysis. Our method simulates partial sequencing data by selectively masking amino acids that are experimentally difficult to identify in protein sequences from the UniRef database. This targeted masking mimics real-world sequencing limitations. We then modify and finetune a ProtBert derived transformer-based model, for a new downstream task predicting these masked residues, providing an approximation of the complete sequence. Evaluating on three bacterial Escherichia species, we achieve per-amino-acid accuracy up to 90.5% when only four amino acids ([KCYM]) are known. Structural assessment using AlphaFold and TM-score validates the biological relevance of our predictions. The model also demonstrates potential for evolutionary analysis through cross-species performance. This integration of simulated experimental constraints with computational predictions offers a promising avenue for enhancing protein sequence analysis, potentially accelerating advancements in proteomics and structural biology by providing a probabilistic reconstruction of the complete protein sequence from limited experimental data.
△ Less
Submitted 1 August, 2024;
originally announced August 2024.
-
Phantom: General Trigger Attacks on Retrieval Augmented Language Generation
Authors:
Harsh Chaudhari,
Giorgio Severi,
John Abascal,
Matthew Jagielski,
Christopher A. Choquette-Choo,
Milad Nasr,
Cristina Nita-Rotaru,
Alina Oprea
Abstract:
Retrieval Augmented Generation (RAG) expands the capabilities of modern large language models (LLMs) in chatbot applications, enabling developers to adapt and personalize the LLM output without expensive training or fine-tuning. RAG systems use an external knowledge database to retrieve the most relevant documents for a given query, providing this context to the LLM generator. While RAG achieves i…
▽ More
Retrieval Augmented Generation (RAG) expands the capabilities of modern large language models (LLMs) in chatbot applications, enabling developers to adapt and personalize the LLM output without expensive training or fine-tuning. RAG systems use an external knowledge database to retrieve the most relevant documents for a given query, providing this context to the LLM generator. While RAG achieves impressive utility in many applications, its adoption to enable personalized generative models introduces new security risks. In this work, we propose new attack surfaces for an adversary to compromise a victim's RAG system, by injecting a single malicious document in its knowledge database. We design Phantom, general two-step attack framework against RAG augmented LLMs. The first step involves crafting a poisoned document designed to be retrieved by the RAG system within the top-k results only when an adversarial trigger, a specific sequence of words acting as backdoor, is present in the victim's queries. In the second step, a specially crafted adversarial string within the poisoned document triggers various adversarial attacks in the LLM generator, including denial of service, reputation damage, privacy violations, and harmful behaviors. We demonstrate our attacks on multiple LLM architectures, including Gemma, Vicuna, and Llama.
△ Less
Submitted 30 May, 2024;
originally announced May 2024.
-
Can a Multichoice Dataset be Repurposed for Extractive Question Answering?
Authors:
Teresa Lynn,
Malik H. Altakrori,
Samar Mohamed Magdy,
Rocktim Jyoti Das,
Chenyang Lyu,
Mohamed Nasr,
Younes Samih,
Alham Fikri Aji,
Preslav Nakov,
Shantanu Godbole,
Salim Roukos,
Radu Florian,
Nizar Habash
Abstract:
The rapid evolution of Natural Language Processing (NLP) has favored major languages such as English, leaving a significant gap for many others due to limited resources. This is especially evident in the context of data annotation, a task whose importance cannot be underestimated, but which is time-consuming and costly. Thus, any dataset for resource-poor languages is precious, in particular when…
▽ More
The rapid evolution of Natural Language Processing (NLP) has favored major languages such as English, leaving a significant gap for many others due to limited resources. This is especially evident in the context of data annotation, a task whose importance cannot be underestimated, but which is time-consuming and costly. Thus, any dataset for resource-poor languages is precious, in particular when it is task-specific. Here, we explore the feasibility of repurposing existing datasets for a new NLP task: we repurposed the Belebele dataset (Bandarkar et al., 2023), which was designed for multiple-choice question answering (MCQA), to enable extractive QA (EQA) in the style of machine reading comprehension. We present annotation guidelines and a parallel EQA dataset for English and Modern Standard Arabic (MSA). We also present QA evaluation results for several monolingual and cross-lingual QA pairs including English, MSA, and five Arabic dialects. Our aim is to enable others to adapt our approach for the 120+ other language variants in Belebele, many of which are deemed under-resourced. We also conduct a thorough analysis and share our insights from the process, which we hope will contribute to a deeper understanding of the challenges and the opportunities associated with task reformulation in NLP research.
△ Less
Submitted 26 April, 2024;
originally announced April 2024.
-
Stealing Part of a Production Language Model
Authors:
Nicholas Carlini,
Daniel Paleka,
Krishnamurthy Dj Dvijotham,
Thomas Steinke,
Jonathan Hayase,
A. Feder Cooper,
Katherine Lee,
Matthew Jagielski,
Milad Nasr,
Arthur Conmy,
Itay Yona,
Eric Wallace,
David Rolnick,
Florian Tramèr
Abstract:
We introduce the first model-stealing attack that extracts precise, nontrivial information from black-box production language models like OpenAI's ChatGPT or Google's PaLM-2. Specifically, our attack recovers the embedding projection layer (up to symmetries) of a transformer model, given typical API access. For under \…
▽ More
We introduce the first model-stealing attack that extracts precise, nontrivial information from black-box production language models like OpenAI's ChatGPT or Google's PaLM-2. Specifically, our attack recovers the embedding projection layer (up to symmetries) of a transformer model, given typical API access. For under \$20 USD, our attack extracts the entire projection matrix of OpenAI's Ada and Babbage language models. We thereby confirm, for the first time, that these black-box models have a hidden dimension of 1024 and 2048, respectively. We also recover the exact hidden dimension size of the gpt-3.5-turbo model, and estimate it would cost under $2,000 in queries to recover the entire projection matrix. We conclude with potential defenses and mitigations, and discuss the implications of possible future work that could extend our attack.
△ Less
Submitted 9 July, 2024; v1 submitted 11 March, 2024;
originally announced March 2024.
-
Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context
Authors:
Gemini Team,
Petko Georgiev,
Ving Ian Lei,
Ryan Burnell,
Libin Bai,
Anmol Gulati,
Garrett Tanzer,
Damien Vincent,
Zhufeng Pan,
Shibo Wang,
Soroosh Mariooryad,
Yifan Ding,
Xinyang Geng,
Fred Alcober,
Roy Frostig,
Mark Omernick,
Lexi Walker,
Cosmin Paduraru,
Christina Sorokin,
Andrea Tacchetti,
Colin Gaffney,
Samira Daruki,
Olcan Sercinoglu,
Zach Gleicher,
Juliette Love
, et al. (1110 additional authors not shown)
Abstract:
In this report, we introduce the Gemini 1.5 family of models, representing the next generation of highly compute-efficient multimodal models capable of recalling and reasoning over fine-grained information from millions of tokens of context, including multiple long documents and hours of video and audio. The family includes two new models: (1) an updated Gemini 1.5 Pro, which exceeds the February…
▽ More
In this report, we introduce the Gemini 1.5 family of models, representing the next generation of highly compute-efficient multimodal models capable of recalling and reasoning over fine-grained information from millions of tokens of context, including multiple long documents and hours of video and audio. The family includes two new models: (1) an updated Gemini 1.5 Pro, which exceeds the February version on the great majority of capabilities and benchmarks; (2) Gemini 1.5 Flash, a more lightweight variant designed for efficiency with minimal regression in quality. Gemini 1.5 models achieve near-perfect recall on long-context retrieval tasks across modalities, improve the state-of-the-art in long-document QA, long-video QA and long-context ASR, and match or surpass Gemini 1.0 Ultra's state-of-the-art performance across a broad set of benchmarks. Studying the limits of Gemini 1.5's long-context ability, we find continued improvement in next-token prediction and near-perfect retrieval (>99%) up to at least 10M tokens, a generational leap over existing models such as Claude 3.0 (200k) and GPT-4 Turbo (128k). Finally, we highlight real-world use cases, such as Gemini 1.5 collaborating with professionals on completing their tasks achieving 26 to 75% time savings across 10 different job categories, as well as surprising new capabilities of large language models at the frontier; when given a grammar manual for Kalamang, a language with fewer than 200 speakers worldwide, the model learns to translate English to Kalamang at a similar level to a person who learned from the same content.
△ Less
Submitted 8 August, 2024; v1 submitted 8 March, 2024;
originally announced March 2024.
-
Query-Based Adversarial Prompt Generation
Authors:
Jonathan Hayase,
Ema Borevkovic,
Nicholas Carlini,
Florian Tramèr,
Milad Nasr
Abstract:
Recent work has shown it is possible to construct adversarial examples that cause an aligned language model to emit harmful strings or perform harmful behavior. Existing attacks work either in the white-box setting (with full access to the model weights), or through transferability: the phenomenon that adversarial examples crafted on one model often remain effective on other models. We improve on…
▽ More
Recent work has shown it is possible to construct adversarial examples that cause an aligned language model to emit harmful strings or perform harmful behavior. Existing attacks work either in the white-box setting (with full access to the model weights), or through transferability: the phenomenon that adversarial examples crafted on one model often remain effective on other models. We improve on prior work with a query-based attack that leverages API access to a remote language model to construct adversarial examples that cause the model to emit harmful strings with (much) higher probability than with transfer-only attacks. We validate our attack on GPT-3.5 and OpenAI's safety classifier; we can cause GPT-3.5 to emit harmful strings that current transfer attacks fail at, and we can evade the safety classifier with nearly 100% probability.
△ Less
Submitted 19 February, 2024;
originally announced February 2024.
-
Auditing Private Prediction
Authors:
Karan Chadha,
Matthew Jagielski,
Nicolas Papernot,
Christopher Choquette-Choo,
Milad Nasr
Abstract:
Differential privacy (DP) offers a theoretical upper bound on the potential privacy leakage of analgorithm, while empirical auditing establishes a practical lower bound. Auditing techniques exist forDP training algorithms. However machine learning can also be made private at inference. We propose thefirst framework for auditing private prediction where we instantiate adversaries with varying poiso…
▽ More
Differential privacy (DP) offers a theoretical upper bound on the potential privacy leakage of analgorithm, while empirical auditing establishes a practical lower bound. Auditing techniques exist forDP training algorithms. However machine learning can also be made private at inference. We propose thefirst framework for auditing private prediction where we instantiate adversaries with varying poisoningand query capabilities. This enables us to study the privacy leakage of four private prediction algorithms:PATE [Papernot et al., 2016], CaPC [Choquette-Choo et al., 2020], PromptPATE [Duan et al., 2023],and Private-kNN [Zhu et al., 2020]. To conduct our audit, we introduce novel techniques to empiricallyevaluate privacy leakage in terms of Renyi DP. Our experiments show that (i) the privacy analysis ofprivate prediction can be improved, (ii) algorithms which are easier to poison lead to much higher privacyleakage, and (iii) the privacy leakage is significantly lower for adversaries without query control than thosewith full control.
△ Less
Submitted 14 February, 2024;
originally announced February 2024.
-
Private Fine-tuning of Large Language Models with Zeroth-order Optimization
Authors:
Xinyu Tang,
Ashwinee Panda,
Milad Nasr,
Saeed Mahloujifar,
Prateek Mittal
Abstract:
Differentially private stochastic gradient descent (DP-SGD) allows models to be trained in a privacy-preserving manner, but has proven difficult to scale to the era of foundation models. We introduce DP-ZO, a private fine-tuning framework for large language models by privatizing zeroth order optimization methods. A key insight into the design of our method is that the direction of the gradient in…
▽ More
Differentially private stochastic gradient descent (DP-SGD) allows models to be trained in a privacy-preserving manner, but has proven difficult to scale to the era of foundation models. We introduce DP-ZO, a private fine-tuning framework for large language models by privatizing zeroth order optimization methods. A key insight into the design of our method is that the direction of the gradient in the zeroth-order optimization we use is random and the only information from training data is the step size, i.e., a scalar. Therefore, we only need to privatize the scalar step size, which is memory-efficient. DP-ZO provides a strong privacy-utility trade-off across different tasks, and model sizes that are comparable to DP-SGD in $(\varepsilon,δ)$-DP. Notably, DP-ZO possesses significant advantages over DP-SGD in memory efficiency, and obtains higher utility in $\varepsilon$-DP when using the Laplace mechanism.
△ Less
Submitted 12 August, 2024; v1 submitted 8 January, 2024;
originally announced January 2024.
-
SpatialVisVR: An Immersive, Multiplexed Medical Image Viewer With Contextual Similar-Patient Search
Authors:
Jai Prakash Veerla,
Partha Sai Guttikonda,
Amir Hajighasemi,
Jillur Rahman Saurav,
Aarti Darji,
Cody T. Reynolds,
Mohamed Mohamed,
Mohammad S. Nasr,
Helen H. Shang,
Jacob M. Luber
Abstract:
In contemporary pathology, multiplexed immunofluorescence (mIF) and multiplex immunohistochemistry (mIHC) present both significant opportunities and challenges. These methodologies shed light on intricate tumor microenvironment interactions, emphasizing the need for intuitive visualization tools to analyze vast biological datasets effectively. As electronic health records (EHR) proliferate and phy…
▽ More
In contemporary pathology, multiplexed immunofluorescence (mIF) and multiplex immunohistochemistry (mIHC) present both significant opportunities and challenges. These methodologies shed light on intricate tumor microenvironment interactions, emphasizing the need for intuitive visualization tools to analyze vast biological datasets effectively. As electronic health records (EHR) proliferate and physicians face increasing information overload, the integration of advanced technologies becomes imperative. SpatialVisVR emerges as a versatile VR platform tailored for comparing medical images, with adaptability for data privacy on embedded hardware. Clinicians can capture pathology slides in real-time via mobile devices, leveraging SpatialVisVR's deep learning algorithm to match and display similar mIF images. This interface supports the manipulation of up to 100 multiplexed protein channels, thereby assisting in immuno-oncology decision-making. Ultimately, SpatialVisVR aims to streamline diagnostic processes, advocating for a comprehensive and efficient approach to immuno-oncology research and treatment.
△ Less
Submitted 11 May, 2024; v1 submitted 5 January, 2024;
originally announced January 2024.
-
Demonstration of an Adversarial Attack Against a Multimodal Vision Language Model for Pathology Imaging
Authors:
Poojitha Thota,
Jai Prakash Veerla,
Partha Sai Guttikonda,
Mohammad S. Nasr,
Shirin Nilizadeh,
Jacob M. Luber
Abstract:
In the context of medical artificial intelligence, this study explores the vulnerabilities of the Pathology Language-Image Pretraining (PLIP) model, a Vision Language Foundation model, under targeted attacks. Leveraging the Kather Colon dataset with 7,180 H&E images across nine tissue types, our investigation employs Projected Gradient Descent (PGD) adversarial perturbation attacks to induce miscl…
▽ More
In the context of medical artificial intelligence, this study explores the vulnerabilities of the Pathology Language-Image Pretraining (PLIP) model, a Vision Language Foundation model, under targeted attacks. Leveraging the Kather Colon dataset with 7,180 H&E images across nine tissue types, our investigation employs Projected Gradient Descent (PGD) adversarial perturbation attacks to induce misclassifications intentionally. The outcomes reveal a 100% success rate in manipulating PLIP's predictions, underscoring its susceptibility to adversarial perturbations. The qualitative analysis of adversarial examples delves into the interpretability challenges, shedding light on nuanced changes in predictions induced by adversarial manipulations. These findings contribute crucial insights into the interpretability, domain adaptation, and trustworthiness of Vision Language Models in medical imaging. The study emphasizes the pressing need for robust defenses to ensure the reliability of AI models. The source codes for this experiment can be found at https://github.com/jaiprakash1824/VLM_Adv_Attack.
△ Less
Submitted 7 May, 2024; v1 submitted 4 January, 2024;
originally announced January 2024.
-
Predicting Future States with Spatial Point Processes in Single Molecule Resolution Spatial Transcriptomics
Authors:
Parisa Boodaghi Malidarreh,
Biraaj Rout,
Mohammad Sadegh Nasr,
Priyanshi Borad,
Jillur Rahman Saurav,
Jai Prakash Veerla,
Kelli Fenelon,
Theodora Koromila,
Jacob M. Luber
Abstract:
In this paper, we introduce a pipeline based on Random Forest Regression to predict the future distribution of cells that are expressed by the Sog-D gene (active cells) in both the Anterior to posterior (AP) and the Dorsal to Ventral (DV) axis of the Drosophila in embryogenesis process. This method provides insights about how cells and living organisms control gene expression in super resolution w…
▽ More
In this paper, we introduce a pipeline based on Random Forest Regression to predict the future distribution of cells that are expressed by the Sog-D gene (active cells) in both the Anterior to posterior (AP) and the Dorsal to Ventral (DV) axis of the Drosophila in embryogenesis process. This method provides insights about how cells and living organisms control gene expression in super resolution whole embryo spatial transcriptomics imaging at sub cellular, single molecule resolution. A Random Forest Regression model was used to predict the next stage active distribution based on the previous one. To achieve this goal, we leveraged temporally resolved, spatial point processes by including Ripley's K-function in conjunction with the cell's state in each stage of embryogenesis, and found average predictive accuracy of active cell distribution. This tool is analogous to RNA Velocity for spatially resolved developmental biology, from one data point we can predict future spatially resolved gene expression using features from the spatial point processes.
△ Less
Submitted 4 January, 2024;
originally announced January 2024.
-
Hyperspectral shadow removal with Iterative Logistic Regression and latent Parametric Linear Combination of Gaussians
Authors:
Core Francisco Park,
Maya Nasr,
Manuel Pérez-Carrasco,
Eleanor Walker,
Douglas Finkbeiner,
Cecilia Garraffo
Abstract:
Shadow detection and removal is a challenging problem in the analysis of hyperspectral images. Yet, this step is crucial for analyzing data for remote sensing applications like methane detection. In this work, we develop a shadow detection and removal method only based on the spectrum of each pixel and the overall distribution of spectral values. We first introduce Iterative Logistic Regression (I…
▽ More
Shadow detection and removal is a challenging problem in the analysis of hyperspectral images. Yet, this step is crucial for analyzing data for remote sensing applications like methane detection. In this work, we develop a shadow detection and removal method only based on the spectrum of each pixel and the overall distribution of spectral values. We first introduce Iterative Logistic Regression (ILR) to learn a spectral basis in which shadows can be linearly classified. We then model the joint distribution of the mean radiance and the projection coefficients of the spectra onto the above basis as a parametric linear combination of Gaussians. We can then extract the maximum likelihood mixing parameter of the Gaussians to estimate the shadow coverage and to correct the shadowed spectra. Our correction scheme reduces correction artefacts at shadow borders. The shadow detection and removal method is applied to hyperspectral images from MethaneAIR, a precursor to the satellite MethaneSAT.
△ Less
Submitted 23 December, 2023;
originally announced December 2023.
-
Real-Time Diagnostic Integrity Meets Efficiency: A Novel Platform-Agnostic Architecture for Physiological Signal Compression
Authors:
Neel R Vora,
Amir Hajighasemi,
Cody T. Reynolds,
Amirmohammad Radmehr,
Mohamed Mohamed,
Jillur Rahman Saurav,
Abdul Aziz,
Jai Prakash Veerla,
Mohammad S Nasr,
Hayden Lotspeich,
Partha Sai Guttikonda,
Thuong Pham,
Aarti Darji,
Parisa Boodaghi Malidarreh,
Helen H Shang,
Jay Harvey,
Kan Ding,
Phuc Nguyen,
Jacob M Luber
Abstract:
Head-based signals such as EEG, EMG, EOG, and ECG collected by wearable systems will play a pivotal role in clinical diagnosis, monitoring, and treatment of important brain disorder diseases.
However, the real-time transmission of the significant corpus physiological signals over extended periods consumes substantial power and time, limiting the viability of battery-dependent physiological monit…
▽ More
Head-based signals such as EEG, EMG, EOG, and ECG collected by wearable systems will play a pivotal role in clinical diagnosis, monitoring, and treatment of important brain disorder diseases.
However, the real-time transmission of the significant corpus physiological signals over extended periods consumes substantial power and time, limiting the viability of battery-dependent physiological monitoring wearables.
This paper presents a novel deep-learning framework employing a variational autoencoder (VAE) for physiological signal compression to reduce wearables' computational complexity and energy consumption.
Our approach achieves an impressive compression ratio of 1:293 specifically for spectrogram data, surpassing state-of-the-art compression techniques such as JPEG2000, H.264, Direct Cosine Transform (DCT), and Huffman Encoding, which do not excel in handling physiological signals.
We validate the efficacy of the compressed algorithms using collected physiological signals from real patients in the Hospital and deploy the solution on commonly used embedded AI chips (i.e., ARM Cortex V8 and Jetson Nano). The proposed framework achieves a 91% seizure detection accuracy using XGBoost, confirming the approach's reliability, practicality, and scalability.
△ Less
Submitted 4 January, 2024; v1 submitted 19 December, 2023;
originally announced December 2023.
-
Gemini: A Family of Highly Capable Multimodal Models
Authors:
Gemini Team,
Rohan Anil,
Sebastian Borgeaud,
Jean-Baptiste Alayrac,
Jiahui Yu,
Radu Soricut,
Johan Schalkwyk,
Andrew M. Dai,
Anja Hauth,
Katie Millican,
David Silver,
Melvin Johnson,
Ioannis Antonoglou,
Julian Schrittwieser,
Amelia Glaese,
Jilin Chen,
Emily Pitler,
Timothy Lillicrap,
Angeliki Lazaridou,
Orhan Firat,
James Molloy,
Michael Isard,
Paul R. Barham,
Tom Hennigan,
Benjamin Lee
, et al. (1325 additional authors not shown)
Abstract:
This report introduces a new family of multimodal models, Gemini, that exhibit remarkable capabilities across image, audio, video, and text understanding. The Gemini family consists of Ultra, Pro, and Nano sizes, suitable for applications ranging from complex reasoning tasks to on-device memory-constrained use-cases. Evaluation on a broad range of benchmarks shows that our most-capable Gemini Ultr…
▽ More
This report introduces a new family of multimodal models, Gemini, that exhibit remarkable capabilities across image, audio, video, and text understanding. The Gemini family consists of Ultra, Pro, and Nano sizes, suitable for applications ranging from complex reasoning tasks to on-device memory-constrained use-cases. Evaluation on a broad range of benchmarks shows that our most-capable Gemini Ultra model advances the state of the art in 30 of 32 of these benchmarks - notably being the first model to achieve human-expert performance on the well-studied exam benchmark MMLU, and improving the state of the art in every one of the 20 multimodal benchmarks we examined. We believe that the new capabilities of the Gemini family in cross-modal reasoning and language understanding will enable a wide variety of use cases. We discuss our approach toward post-training and deploying Gemini models responsibly to users through services including Gemini, Gemini Advanced, Google AI Studio, and Cloud Vertex AI.
△ Less
Submitted 17 June, 2024; v1 submitted 18 December, 2023;
originally announced December 2023.
-
Scalable Extraction of Training Data from (Production) Language Models
Authors:
Milad Nasr,
Nicholas Carlini,
Jonathan Hayase,
Matthew Jagielski,
A. Feder Cooper,
Daphne Ippolito,
Christopher A. Choquette-Choo,
Eric Wallace,
Florian Tramèr,
Katherine Lee
Abstract:
This paper studies extractable memorization: training data that an adversary can efficiently extract by querying a machine learning model without prior knowledge of the training dataset. We show an adversary can extract gigabytes of training data from open-source language models like Pythia or GPT-Neo, semi-open models like LLaMA or Falcon, and closed models like ChatGPT. Existing techniques from…
▽ More
This paper studies extractable memorization: training data that an adversary can efficiently extract by querying a machine learning model without prior knowledge of the training dataset. We show an adversary can extract gigabytes of training data from open-source language models like Pythia or GPT-Neo, semi-open models like LLaMA or Falcon, and closed models like ChatGPT. Existing techniques from the literature suffice to attack unaligned models; in order to attack the aligned ChatGPT, we develop a new divergence attack that causes the model to diverge from its chatbot-style generations and emit training data at a rate 150x higher than when behaving properly. Our methods show practical attacks can recover far more data than previously thought, and reveal that current alignment techniques do not eliminate memorization.
△ Less
Submitted 28 November, 2023;
originally announced November 2023.
-
Report of the 1st Workshop on Generative AI and Law
Authors:
A. Feder Cooper,
Katherine Lee,
James Grimmelmann,
Daphne Ippolito,
Christopher Callison-Burch,
Christopher A. Choquette-Choo,
Niloofar Mireshghallah,
Miles Brundage,
David Mimno,
Madiha Zahrah Choksi,
Jack M. Balkin,
Nicholas Carlini,
Christopher De Sa,
Jonathan Frankle,
Deep Ganguli,
Bryant Gipson,
Andres Guadamuz,
Swee Leng Harris,
Abigail Z. Jacobs,
Elizabeth Joh,
Gautam Kamath,
Mark Lemley,
Cass Matthews,
Christine McLeavey,
Corynne McSherry
, et al. (10 additional authors not shown)
Abstract:
This report presents the takeaways of the inaugural Workshop on Generative AI and Law (GenLaw), held in July 2023. A cross-disciplinary group of practitioners and scholars from computer science and law convened to discuss the technical, doctrinal, and policy challenges presented by law for Generative AI, and by Generative AI for law, with an emphasis on U.S. law in particular. We begin the report…
▽ More
This report presents the takeaways of the inaugural Workshop on Generative AI and Law (GenLaw), held in July 2023. A cross-disciplinary group of practitioners and scholars from computer science and law convened to discuss the technical, doctrinal, and policy challenges presented by law for Generative AI, and by Generative AI for law, with an emphasis on U.S. law in particular. We begin the report with a high-level statement about why Generative AI is both immensely significant and immensely challenging for law. To meet these challenges, we conclude that there is an essential need for 1) a shared knowledge base that provides a common conceptual language for experts across disciplines; 2) clarification of the distinctive technical capabilities of generative-AI systems, as compared and contrasted to other computer and AI systems; 3) a logical taxonomy of the legal issues these systems raise; and, 4) a concrete research agenda to promote collaboration and knowledge-sharing on emerging issues at the intersection of Generative AI and law. In this report, we synthesize the key takeaways from the GenLaw workshop that begin to address these needs. All of the listed authors contributed to the workshop upon which this report is based, but they and their organizations do not necessarily endorse all of the specific claims in this report.
△ Less
Submitted 2 December, 2023; v1 submitted 10 November, 2023;
originally announced November 2023.
-
SoccerNet 2023 Challenges Results
Authors:
Anthony Cioppa,
Silvio Giancola,
Vladimir Somers,
Floriane Magera,
Xin Zhou,
Hassan Mkhallati,
Adrien Deliège,
Jan Held,
Carlos Hinojosa,
Amir M. Mansourian,
Pierre Miralles,
Olivier Barnich,
Christophe De Vleeschouwer,
Alexandre Alahi,
Bernard Ghanem,
Marc Van Droogenbroeck,
Abdullah Kamal,
Adrien Maglo,
Albert Clapés,
Amr Abdelaziz,
Artur Xarles,
Astrid Orcesi,
Atom Scott,
Bin Liu,
Byoungkwon Lim
, et al. (77 additional authors not shown)
Abstract:
The SoccerNet 2023 challenges were the third annual video understanding challenges organized by the SoccerNet team. For this third edition, the challenges were composed of seven vision-based tasks split into three main themes. The first theme, broadcast video understanding, is composed of three high-level tasks related to describing events occurring in the video broadcasts: (1) action spotting, fo…
▽ More
The SoccerNet 2023 challenges were the third annual video understanding challenges organized by the SoccerNet team. For this third edition, the challenges were composed of seven vision-based tasks split into three main themes. The first theme, broadcast video understanding, is composed of three high-level tasks related to describing events occurring in the video broadcasts: (1) action spotting, focusing on retrieving all timestamps related to global actions in soccer, (2) ball action spotting, focusing on retrieving all timestamps related to the soccer ball change of state, and (3) dense video captioning, focusing on describing the broadcast with natural language and anchored timestamps. The second theme, field understanding, relates to the single task of (4) camera calibration, focusing on retrieving the intrinsic and extrinsic camera parameters from images. The third and last theme, player understanding, is composed of three low-level tasks related to extracting information about the players: (5) re-identification, focusing on retrieving the same players across multiple views, (6) multiple object tracking, focusing on tracking players and the ball through unedited video streams, and (7) jersey number recognition, focusing on recognizing the jersey number of players from tracklets. Compared to the previous editions of the SoccerNet challenges, tasks (2-3-7) are novel, including new annotations and data, task (4) was enhanced with more data and annotations, and task (6) now focuses on end-to-end approaches. More information on the tasks, challenges, and leaderboards are available on https://www.soccer-net.org. Baselines and development kits can be found on https://github.com/SoccerNet.
△ Less
Submitted 12 September, 2023;
originally announced September 2023.
-
Privacy Side Channels in Machine Learning Systems
Authors:
Edoardo Debenedetti,
Giorgio Severi,
Nicholas Carlini,
Christopher A. Choquette-Choo,
Matthew Jagielski,
Milad Nasr,
Eric Wallace,
Florian Tramèr
Abstract:
Most current approaches for protecting privacy in machine learning (ML) assume that models exist in a vacuum. Yet, in reality, these models are part of larger systems that include components for training data filtering, output monitoring, and more. In this work, we introduce privacy side channels: attacks that exploit these system-level components to extract private information at far higher rates…
▽ More
Most current approaches for protecting privacy in machine learning (ML) assume that models exist in a vacuum. Yet, in reality, these models are part of larger systems that include components for training data filtering, output monitoring, and more. In this work, we introduce privacy side channels: attacks that exploit these system-level components to extract private information at far higher rates than is otherwise possible for standalone models. We propose four categories of side channels that span the entire ML lifecycle (training data filtering, input preprocessing, output post-processing, and query filtering) and allow for enhanced membership inference, data extraction, and even novel threats such as extraction of users' test queries. For example, we show that deduplicating training data before applying differentially-private training creates a side-channel that completely invalidates any provable privacy guarantees. We further show that systems which block language models from regenerating training data can be exploited to exfiltrate private keys contained in the training set--even if the model did not memorize these keys. Taken together, our results demonstrate the need for a holistic, end-to-end privacy analysis of machine learning systems.
△ Less
Submitted 18 July, 2024; v1 submitted 11 September, 2023;
originally announced September 2023.
-
Reverse-Engineering Decoding Strategies Given Blackbox Access to a Language Generation System
Authors:
Daphne Ippolito,
Nicholas Carlini,
Katherine Lee,
Milad Nasr,
Yun William Yu
Abstract:
Neural language models are increasingly deployed into APIs and websites that allow a user to pass in a prompt and receive generated text. Many of these systems do not reveal generation parameters. In this paper, we present methods to reverse-engineer the decoding method used to generate text (i.e., top-$k$ or nucleus sampling). Our ability to discover which decoding strategy was used has implicati…
▽ More
Neural language models are increasingly deployed into APIs and websites that allow a user to pass in a prompt and receive generated text. Many of these systems do not reveal generation parameters. In this paper, we present methods to reverse-engineer the decoding method used to generate text (i.e., top-$k$ or nucleus sampling). Our ability to discover which decoding strategy was used has implications for detecting generated text. Additionally, the process of discovering the decoding strategy can reveal biases caused by selecting decoding settings which severely truncate a model's predicted distributions. We perform our attack on several families of open-source language models, as well as on production systems (e.g., ChatGPT).
△ Less
Submitted 9 September, 2023;
originally announced September 2023.
-
Universal and Transferable Adversarial Attacks on Aligned Language Models
Authors:
Andy Zou,
Zifan Wang,
Nicholas Carlini,
Milad Nasr,
J. Zico Kolter,
Matt Fredrikson
Abstract:
Because "out-of-the-box" large language models are capable of generating a great deal of objectionable content, recent work has focused on aligning these models in an attempt to prevent undesirable generation. While there has been some success at circumventing these measures -- so-called "jailbreaks" against LLMs -- these attacks have required significant human ingenuity and are brittle in practic…
▽ More
Because "out-of-the-box" large language models are capable of generating a great deal of objectionable content, recent work has focused on aligning these models in an attempt to prevent undesirable generation. While there has been some success at circumventing these measures -- so-called "jailbreaks" against LLMs -- these attacks have required significant human ingenuity and are brittle in practice. In this paper, we propose a simple and effective attack method that causes aligned language models to generate objectionable behaviors. Specifically, our approach finds a suffix that, when attached to a wide range of queries for an LLM to produce objectionable content, aims to maximize the probability that the model produces an affirmative response (rather than refusing to answer). However, instead of relying on manual engineering, our approach automatically produces these adversarial suffixes by a combination of greedy and gradient-based search techniques, and also improves over past automatic prompt generation methods.
Surprisingly, we find that the adversarial prompts generated by our approach are quite transferable, including to black-box, publicly released LLMs. Specifically, we train an adversarial attack suffix on multiple prompts (i.e., queries asking for many different types of objectionable content), as well as multiple models (in our case, Vicuna-7B and 13B). When doing so, the resulting attack suffix is able to induce objectionable content in the public interfaces to ChatGPT, Bard, and Claude, as well as open source LLMs such as LLaMA-2-Chat, Pythia, Falcon, and others. In total, this work significantly advances the state-of-the-art in adversarial attacks against aligned language models, raising important questions about how such systems can be prevented from producing objectionable information. Code is available at github.com/llm-attacks/llm-attacks.
△ Less
Submitted 20 December, 2023; v1 submitted 27 July, 2023;
originally announced July 2023.
-
Histopathology Slide Indexing and Search: Are We There Yet?
Authors:
Helen H. Shang,
Mohammad Sadegh Nasr,
Jai Prakash Veerla,
Parisa Boodaghi Malidarreh,
MD Jillur Rahman Saurav,
Amir Hajighasemi,
Manfred Huber,
Chace Moleta,
Jitin Makker,
Jacob M. Luber
Abstract:
The search and retrieval of digital histopathology slides is an important task that has yet to be solved. In this case study, we investigate the clinical readiness of three state-of-the-art histopathology slide search engines, Yottixel, SISH, and RetCCL, on three patients with solid tumors. We provide a qualitative assessment of each model's performance in providing retrieval results that are reli…
▽ More
The search and retrieval of digital histopathology slides is an important task that has yet to be solved. In this case study, we investigate the clinical readiness of three state-of-the-art histopathology slide search engines, Yottixel, SISH, and RetCCL, on three patients with solid tumors. We provide a qualitative assessment of each model's performance in providing retrieval results that are reliable and useful to pathologists. We found that all three image search engines fail to produce consistently reliable results and have difficulties in capturing granular and subtle features of malignancy, limiting their diagnostic accuracy. Based on our findings, we also propose a minimal set of requirements to further advance the development of accurate and reliable histopathology image search engines for successful clinical adoption.
△ Less
Submitted 4 January, 2024; v1 submitted 29 June, 2023;
originally announced June 2023.
-
The State of Applying Artificial Intelligence to Tissue Imaging for Cancer Research and Early Detection
Authors:
Michael Robben,
Amir Hajighasemi,
Mohammad Sadegh Nasr,
Jai Prakesh Veerla,
Anne M. Alsup,
Biraaj Rout,
Helen H. Shang,
Kelli Fowlds,
Parisa Boodaghi Malidarreh,
Paul Koomey,
MD Jillur Rahman Saurav,
Jacob M. Luber
Abstract:
Artificial intelligence represents a new frontier in human medicine that could save more lives and reduce the costs, thereby increasing accessibility. As a consequence, the rate of advancement of AI in cancer medical imaging and more particularly tissue pathology has exploded, opening it to ethical and technical questions that could impede its adoption into existing systems. In order to chart the…
▽ More
Artificial intelligence represents a new frontier in human medicine that could save more lives and reduce the costs, thereby increasing accessibility. As a consequence, the rate of advancement of AI in cancer medical imaging and more particularly tissue pathology has exploded, opening it to ethical and technical questions that could impede its adoption into existing systems. In order to chart the path of AI in its application to cancer tissue imaging, we review current work and identify how it can improve cancer pathology diagnostics and research. In this review, we identify 5 core tasks that models are developed for, including regression, classification, segmentation, generation, and compression tasks. We address the benefits and challenges that such methods face, and how they can be adapted for use in cancer prevention and treatment. The studies looked at in this paper represent the beginning of this field and future experiments will build on the foundations that we highlight.
△ Less
Submitted 29 June, 2023;
originally announced June 2023.
-
Are aligned neural networks adversarially aligned?
Authors:
Nicholas Carlini,
Milad Nasr,
Christopher A. Choquette-Choo,
Matthew Jagielski,
Irena Gao,
Anas Awadalla,
Pang Wei Koh,
Daphne Ippolito,
Katherine Lee,
Florian Tramer,
Ludwig Schmidt
Abstract:
Large language models are now tuned to align with the goals of their creators, namely to be "helpful and harmless." These models should respond helpfully to user questions, but refuse to answer requests that could cause harm. However, adversarial users can construct inputs which circumvent attempts at alignment. In this work, we study adversarial alignment, and ask to what extent these models rema…
▽ More
Large language models are now tuned to align with the goals of their creators, namely to be "helpful and harmless." These models should respond helpfully to user questions, but refuse to answer requests that could cause harm. However, adversarial users can construct inputs which circumvent attempts at alignment. In this work, we study adversarial alignment, and ask to what extent these models remain aligned when interacting with an adversarial user who constructs worst-case inputs (adversarial examples). These inputs are designed to cause the model to emit harmful content that would otherwise be prohibited. We show that existing NLP-based optimization attacks are insufficiently powerful to reliably attack aligned text models: even when current NLP-based attacks fail, we can find adversarial inputs with brute force. As a result, the failure of current attacks should not be seen as proof that aligned text models remain aligned under adversarial inputs.
However the recent trend in large-scale ML models is multimodal models that allow users to provide images that influence the text that is generated. We show these models can be easily attacked, i.e., induced to perform arbitrary un-aligned behavior through adversarial perturbation of the input image. We conjecture that improved NLP attacks may demonstrate this same level of adversarial control over text-only models.
△ Less
Submitted 6 May, 2024; v1 submitted 26 June, 2023;
originally announced June 2023.
-
Multimodal Pathology Image Search Between H&E Slides and Multiplexed Immunofluorescent Images
Authors:
Amir Hajighasemi,
MD Jillur Rahman Saurav,
Mohammad S Nasr,
Jai Prakash Veerla,
Aarti Darji,
Parisa Boodaghi Malidarreh,
Michael Robben,
Helen H Shang,
Jacob M Luber
Abstract:
We present an approach for multimodal pathology image search, using dynamic time warping (DTW) on Variational Autoencoder (VAE) latent space that is fed into a ranked choice voting scheme to retrieve multiplexed immunofluorescent imaging (mIF) that is most similar to a query H&E slide. Through training the VAE and applying DTW, we align and compare mIF and H&E slides. Our method improves different…
▽ More
We present an approach for multimodal pathology image search, using dynamic time warping (DTW) on Variational Autoencoder (VAE) latent space that is fed into a ranked choice voting scheme to retrieve multiplexed immunofluorescent imaging (mIF) that is most similar to a query H&E slide. Through training the VAE and applying DTW, we align and compare mIF and H&E slides. Our method improves differential diagnosis and therapeutic decisions by integrating morphological H&E data with immunophenotyping from mIF, providing clinicians a rich perspective of disease states. This facilitates an understanding of the spatial relationships in tissue samples and could revolutionize the diagnostic process, enhancing precision and enabling personalized therapy selection. Our technique demonstrates feasibility using colorectal cancer and healthy tonsil samples. An exhaustive ablation study was conducted on a search engine designed to explore the correlation between multiplexed Immunofluorescence (mIF) and Hematoxylin and Eosin (H&E) staining, in order to validate its ability to map these distinct modalities into a unified vector space. Despite extreme class imbalance, the system demonstrated robustness and utility by returning similar results across various data features, which suggests potential for future use in multimodal histopathology data analysis.
△ Less
Submitted 11 June, 2023;
originally announced June 2023.
-
Privacy Auditing with One (1) Training Run
Authors:
Thomas Steinke,
Milad Nasr,
Matthew Jagielski
Abstract:
We propose a scheme for auditing differentially private machine learning systems with a single training run. This exploits the parallelism of being able to add or remove multiple training examples independently. We analyze this using the connection between differential privacy and statistical generalization, which avoids the cost of group privacy. Our auditing scheme requires minimal assumptions a…
▽ More
We propose a scheme for auditing differentially private machine learning systems with a single training run. This exploits the parallelism of being able to add or remove multiple training examples independently. We analyze this using the connection between differential privacy and statistical generalization, which avoids the cost of group privacy. Our auditing scheme requires minimal assumptions about the algorithm and can be applied in the black-box or white-box setting.
△ Less
Submitted 15 May, 2023;
originally announced May 2023.
-
Synthetic Query Generation for Privacy-Preserving Deep Retrieval Systems using Differentially Private Language Models
Authors:
Aldo Gael Carranza,
Rezsa Farahani,
Natalia Ponomareva,
Alex Kurakin,
Matthew Jagielski,
Milad Nasr
Abstract:
We address the challenge of ensuring differential privacy (DP) guarantees in training deep retrieval systems. Training these systems often involves the use of contrastive-style losses, which are typically non-per-example decomposable, making them difficult to directly DP-train with since common techniques require per-example gradients. To address this issue, we propose an approach that prioritizes…
▽ More
We address the challenge of ensuring differential privacy (DP) guarantees in training deep retrieval systems. Training these systems often involves the use of contrastive-style losses, which are typically non-per-example decomposable, making them difficult to directly DP-train with since common techniques require per-example gradients. To address this issue, we propose an approach that prioritizes ensuring query privacy prior to training a deep retrieval system. Our method employs DP language models (LMs) to generate private synthetic queries representative of the original data. These synthetic queries can be used in downstream retrieval system training without compromising privacy. Our approach demonstrates a significant enhancement in retrieval quality compared to direct DP-training, all while maintaining query-level privacy guarantees. This work highlights the potential of harnessing LMs to overcome limitations in standard DP-training methods.
△ Less
Submitted 23 May, 2024; v1 submitted 10 May, 2023;
originally announced May 2023.
-
Clinically Relevant Latent Space Embedding of Cancer Histopathology Slides through Variational Autoencoder Based Image Compression
Authors:
Mohammad Sadegh Nasr,
Amir Hajighasemi,
Paul Koomey,
Parisa Boodaghi Malidarreh,
Michael Robben,
Jillur Rahman Saurav,
Helen H. Shang,
Manfred Huber,
Jacob M. Luber
Abstract:
In this paper, we introduce a Variational Autoencoder (VAE) based training approach that can compress and decompress cancer pathology slides at a compression ratio of 1:512, which is better than the previously reported state of the art (SOTA) in the literature, while still maintaining accuracy in clinical validation tasks. The compression approach was tested on more common computer vision datasets…
▽ More
In this paper, we introduce a Variational Autoencoder (VAE) based training approach that can compress and decompress cancer pathology slides at a compression ratio of 1:512, which is better than the previously reported state of the art (SOTA) in the literature, while still maintaining accuracy in clinical validation tasks. The compression approach was tested on more common computer vision datasets such as CIFAR10, and we explore which image characteristics enable this compression ratio on cancer imaging data but not generic images. We generate and visualize embeddings from the compressed latent space and demonstrate how they are useful for clinical interpretation of data, and how in the future such latent embeddings can be used to accelerate search of clinical imaging data.
△ Less
Submitted 23 March, 2023;
originally announced March 2023.
-
Students Parrot Their Teachers: Membership Inference on Model Distillation
Authors:
Matthew Jagielski,
Milad Nasr,
Christopher Choquette-Choo,
Katherine Lee,
Nicholas Carlini
Abstract:
Model distillation is frequently proposed as a technique to reduce the privacy leakage of machine learning. These empirical privacy defenses rely on the intuition that distilled ``student'' models protect the privacy of training data, as they only interact with this data indirectly through a ``teacher'' model. In this work, we design membership inference attacks to systematically study the privacy…
▽ More
Model distillation is frequently proposed as a technique to reduce the privacy leakage of machine learning. These empirical privacy defenses rely on the intuition that distilled ``student'' models protect the privacy of training data, as they only interact with this data indirectly through a ``teacher'' model. In this work, we design membership inference attacks to systematically study the privacy provided by knowledge distillation to both the teacher and student training sets. Our new attacks show that distillation alone provides only limited privacy across a number of domains. We explain the success of our attacks on distillation by showing that membership inference attacks on a private dataset can succeed even if the target model is *never* queried on any actual training points, but only on inputs whose predictions are highly influenced by training data. Finally, we show that our attacks are strongest when student and teacher sets are similar, or when the attacker can poison the teacher set.
△ Less
Submitted 6 March, 2023;
originally announced March 2023.
-
Why Is Public Pretraining Necessary for Private Model Training?
Authors:
Arun Ganesh,
Mahdi Haghifam,
Milad Nasr,
Sewoong Oh,
Thomas Steinke,
Om Thakkar,
Abhradeep Thakurta,
Lun Wang
Abstract:
In the privacy-utility tradeoff of a model trained on benchmark language and vision tasks, remarkable improvements have been widely reported with the use of pretraining on publicly available data. This is in part due to the benefits of transfer learning, which is the standard motivation for pretraining in non-private settings. However, the stark contrast in the improvement achieved through pretrai…
▽ More
In the privacy-utility tradeoff of a model trained on benchmark language and vision tasks, remarkable improvements have been widely reported with the use of pretraining on publicly available data. This is in part due to the benefits of transfer learning, which is the standard motivation for pretraining in non-private settings. However, the stark contrast in the improvement achieved through pretraining under privacy compared to non-private settings suggests that there may be a deeper, distinct cause driving these gains. To explain this phenomenon, we hypothesize that the non-convex loss landscape of a model training necessitates an optimization algorithm to go through two phases. In the first, the algorithm needs to select a good "basin" in the loss landscape. In the second, the algorithm solves an easy optimization within that basin. The former is a harder problem to solve with private data, while the latter is harder to solve with public data due to a distribution shift or data scarcity. Guided by this intuition, we provide theoretical constructions that provably demonstrate the separation between private training with and without public pretraining. Further, systematic experiments on CIFAR10 and LibriSpeech provide supporting evidence for our hypothesis.
△ Less
Submitted 19 February, 2023;
originally announced February 2023.
-
Tight Auditing of Differentially Private Machine Learning
Authors:
Milad Nasr,
Jamie Hayes,
Thomas Steinke,
Borja Balle,
Florian Tramèr,
Matthew Jagielski,
Nicholas Carlini,
Andreas Terzis
Abstract:
Auditing mechanisms for differential privacy use probabilistic means to empirically estimate the privacy level of an algorithm. For private machine learning, existing auditing mechanisms are tight: the empirical privacy estimate (nearly) matches the algorithm's provable privacy guarantee. But these auditing techniques suffer from two limitations. First, they only give tight estimates under implaus…
▽ More
Auditing mechanisms for differential privacy use probabilistic means to empirically estimate the privacy level of an algorithm. For private machine learning, existing auditing mechanisms are tight: the empirical privacy estimate (nearly) matches the algorithm's provable privacy guarantee. But these auditing techniques suffer from two limitations. First, they only give tight estimates under implausible worst-case assumptions (e.g., a fully adversarial dataset). Second, they require thousands or millions of training runs to produce non-trivial statistical estimates of the privacy leakage.
This work addresses both issues. We design an improved auditing scheme that yields tight privacy estimates for natural (not adversarially crafted) datasets -- if the adversary can see all model updates during training. Prior auditing works rely on the same assumption, which is permitted under the standard differential privacy threat model. This threat model is also applicable, e.g., in federated learning settings. Moreover, our auditing scheme requires only two training runs (instead of thousands) to produce tight privacy estimates, by adapting recent advances in tight composition theorems for differential privacy. We demonstrate the utility of our improved auditing schemes by surfacing implementation bugs in private machine learning code that eluded prior auditing techniques.
△ Less
Submitted 15 February, 2023;
originally announced February 2023.
-
Extracting Training Data from Diffusion Models
Authors:
Nicholas Carlini,
Jamie Hayes,
Milad Nasr,
Matthew Jagielski,
Vikash Sehwag,
Florian Tramèr,
Borja Balle,
Daphne Ippolito,
Eric Wallace
Abstract:
Image diffusion models such as DALL-E 2, Imagen, and Stable Diffusion have attracted significant attention due to their ability to generate high-quality synthetic images. In this work, we show that diffusion models memorize individual images from their training data and emit them at generation time. With a generate-and-filter pipeline, we extract over a thousand training examples from state-of-the…
▽ More
Image diffusion models such as DALL-E 2, Imagen, and Stable Diffusion have attracted significant attention due to their ability to generate high-quality synthetic images. In this work, we show that diffusion models memorize individual images from their training data and emit them at generation time. With a generate-and-filter pipeline, we extract over a thousand training examples from state-of-the-art models, ranging from photographs of individual people to trademarked company logos. We also train hundreds of diffusion models in various settings to analyze how different modeling and data decisions affect privacy. Overall, our results show that diffusion models are much less private than prior generative models such as GANs, and that mitigating these vulnerabilities may require new advances in privacy-preserving training.
△ Less
Submitted 30 January, 2023;
originally announced January 2023.
-
Preventing Verbatim Memorization in Language Models Gives a False Sense of Privacy
Authors:
Daphne Ippolito,
Florian Tramèr,
Milad Nasr,
Chiyuan Zhang,
Matthew Jagielski,
Katherine Lee,
Christopher A. Choquette-Choo,
Nicholas Carlini
Abstract:
Studying data memorization in neural language models helps us understand the risks (e.g., to privacy or copyright) associated with models regurgitating training data and aids in the development of countermeasures. Many prior works -- and some recently deployed defenses -- focus on "verbatim memorization", defined as a model generation that exactly matches a substring from the training set. We argu…
▽ More
Studying data memorization in neural language models helps us understand the risks (e.g., to privacy or copyright) associated with models regurgitating training data and aids in the development of countermeasures. Many prior works -- and some recently deployed defenses -- focus on "verbatim memorization", defined as a model generation that exactly matches a substring from the training set. We argue that verbatim memorization definitions are too restrictive and fail to capture more subtle forms of memorization. Specifically, we design and implement an efficient defense that perfectly prevents all verbatim memorization. And yet, we demonstrate that this "perfect" filter does not prevent the leakage of training data. Indeed, it is easily circumvented by plausible and minimally modified "style-transfer" prompts -- and in some cases even the non-modified original prompts -- to extract memorized information. We conclude by discussing potential alternative definitions and why defining memorization is a difficult yet crucial open question for neural language models.
△ Less
Submitted 11 September, 2023; v1 submitted 31 October, 2022;
originally announced October 2022.
-
No Free Lunch in "Privacy for Free: How does Dataset Condensation Help Privacy"
Authors:
Nicholas Carlini,
Vitaly Feldman,
Milad Nasr
Abstract:
New methods designed to preserve data privacy require careful scrutiny. Failure to preserve privacy is hard to detect, and yet can lead to catastrophic results when a system implementing a ``privacy-preserving'' method is attacked. A recent work selected for an Outstanding Paper Award at ICML 2022 (Dong et al., 2022) claims that dataset condensation (DC) significantly improves data privacy when tr…
▽ More
New methods designed to preserve data privacy require careful scrutiny. Failure to preserve privacy is hard to detect, and yet can lead to catastrophic results when a system implementing a ``privacy-preserving'' method is attacked. A recent work selected for an Outstanding Paper Award at ICML 2022 (Dong et al., 2022) claims that dataset condensation (DC) significantly improves data privacy when training machine learning models. This claim is supported by theoretical analysis of a specific dataset condensation technique and an empirical evaluation of resistance to some existing membership inference attacks.
In this note we examine the claims in the work of Dong et al. (2022) and describe major flaws in the empirical evaluation of the method and its theoretical analysis. These flaws imply that their work does not provide statistically significant evidence that DC improves the privacy of training ML models over a naive baseline. Moreover, previously published results show that DP-SGD, the standard approach to privacy preserving ML, simultaneously gives better accuracy and achieves a (provably) lower membership attack success rate.
△ Less
Submitted 29 September, 2022;
originally announced September 2022.
-
FEL: High Capacity Learning for Recommendation and Ranking via Federated Ensemble Learning
Authors:
Meisam Hejazinia,
Dzmitry Huba,
Ilias Leontiadis,
Kiwan Maeng,
Mani Malek,
Luca Melis,
Ilya Mironov,
Milad Nasr,
Kaikai Wang,
Carole-Jean Wu
Abstract:
Federated learning (FL) has emerged as an effective approach to address consumer privacy needs. FL has been successfully applied to certain machine learning tasks, such as training smart keyboard models and keyword spotting. Despite FL's initial success, many important deep learning use cases, such as ranking and recommendation tasks, have been limited from on-device learning. One of the key chall…
▽ More
Federated learning (FL) has emerged as an effective approach to address consumer privacy needs. FL has been successfully applied to certain machine learning tasks, such as training smart keyboard models and keyword spotting. Despite FL's initial success, many important deep learning use cases, such as ranking and recommendation tasks, have been limited from on-device learning. One of the key challenges faced by practical FL adoption for DL-based ranking and recommendation is the prohibitive resource requirements that cannot be satisfied by modern mobile systems. We propose Federated Ensemble Learning (FEL) as a solution to tackle the large memory requirement of deep learning ranking and recommendation tasks. FEL enables large-scale ranking and recommendation model training on-device by simultaneously training multiple model versions on disjoint clusters of client devices. FEL integrates the trained sub-models via an over-arch layer into an ensemble model that is hosted on the server. Our experiments demonstrate that FEL leads to 0.43-2.31% model quality improvement over traditional on-device federated learning - a significant improvement for ranking and recommendation system use cases.
△ Less
Submitted 7 June, 2022;
originally announced June 2022.
-
A SSIM Guided cGAN Architecture For Clinically Driven Generative Image Synthesis of Multiplexed Spatial Proteomics Channels
Authors:
Jillur Rahman Saurav,
Mohammad Sadegh Nasr,
Paul Koomey,
Michael Robben,
Manfred Huber,
Jon Weidanz,
Bríd Ryan,
Eytan Ruppin,
Peng Jiang,
Jacob M. Luber
Abstract:
Here we present a structural similarity index measure (SSIM) guided conditional Generative Adversarial Network (cGAN) that generatively performs image-to-image (i2i) synthesis to generate photo-accurate protein channels in multiplexed spatial proteomics images. This approach can be utilized to accurately generate missing spatial proteomics channels that were not included during experimental data c…
▽ More
Here we present a structural similarity index measure (SSIM) guided conditional Generative Adversarial Network (cGAN) that generatively performs image-to-image (i2i) synthesis to generate photo-accurate protein channels in multiplexed spatial proteomics images. This approach can be utilized to accurately generate missing spatial proteomics channels that were not included during experimental data collection either at the bench or the clinic. Experimental spatial proteomic data from the Human BioMolecular Atlas Program (HuBMAP) was used to generate spatial representations of missing proteins through a U-Net based image synthesis pipeline. HuBMAP channels were hierarchically clustered by the (SSIM) as a heuristic to obtain the minimal set needed to recapitulate the underlying biology represented by the spatial landscape of proteins. We subsequently prove that our SSIM based architecture allows for scaling of generative image synthesis to slides with up to 100 channels, which is better than current state of the art algorithms which are limited to data with 11 channels. We validate these claims by generating a new experimental spatial proteomics data set from human lung adenocarcinoma tissue sections and show that a model trained on HuBMAP can accurately synthesize channels from our new data set. The ability to recapitulate experimental data from sparsely stained multiplexed histological slides containing spatial proteomic will have tremendous impact on medical diagnostics and drug development, and also raises important questions on the medical ethics of utilizing data produced by generative image synthesis in the clinical setting. The algorithm that we present in this paper will allow researchers and clinicians to save time and costs in proteomics based histological staining while also increasing the amount of data that they can generate through their experiments.
△ Less
Submitted 11 June, 2023; v1 submitted 20 May, 2022;
originally announced May 2022.
-
An Impartial Perspective for Superconducting Nb3Sn coated Copper RF Cavities for Future Accelerators
Authors:
E. Barzi,
B. C. Barish,
R. A. Rimmer,
A. Valente-Feliciano,
C. M. Rey,
W. A. Barletta,
E. Nanni,
M. Nasr,
M. Ross,
M. Schneider,
S. Tantawi,
P. B. Welander,
E. I. Simakov,
I. O. Usov,
L. Alff,
N. Karabas,
M. Major,
J. P. Palakkal,
S. Petzold,
N. Pietralla,
N. Schäfer,
A. Kikuchi,
H. Hayano,
H. Ito,
S. Kashiwaji
, et al. (10 additional authors not shown)
Abstract:
This Snowmass21 Contributed Paper encourages the Particle Physics community in fostering R&D in Superconducting Nb3Sn coated Copper RF Cavities instead of costly bulk Niobium. It describes the pressing need to devote effort in this direction, which would deliver higher gradient and higher temperature of operation and reduce the overall capital and operational costs of any future collider. It is un…
▽ More
This Snowmass21 Contributed Paper encourages the Particle Physics community in fostering R&D in Superconducting Nb3Sn coated Copper RF Cavities instead of costly bulk Niobium. It describes the pressing need to devote effort in this direction, which would deliver higher gradient and higher temperature of operation and reduce the overall capital and operational costs of any future collider. It is unlikely that an ILC will be built in the next ten years with Nb as one of the main cost drivers of SRFs. This paper provides strong arguments on the benefits of using this time for R&D on producing Nb3Sn on inexpensive and thermally efficient metals such as Cu or bronze, while pursuing in parallel the novel U.S. concept of parallel-feed RF accelerator structures. A technology that synergistically uses both of these advanced tools would make an ILC or equivalent machines more affordable and more likely to be built. Such a successful enterprise would readily apply to other HEP accelerators, for instance a Muon Collider, and to accelerators beyond HEP. We present and assess current efforts in the U.S. on the novel concept of parallel-feed RF accelerator structures, and in the U.S. and abroad in producing Nb3Sn films on either Cu or bronze despite minimal funding.
△ Less
Submitted 26 March, 2022; v1 submitted 17 March, 2022;
originally announced March 2022.
-
Membership Inference Attacks From First Principles
Authors:
Nicholas Carlini,
Steve Chien,
Milad Nasr,
Shuang Song,
Andreas Terzis,
Florian Tramer
Abstract:
A membership inference attack allows an adversary to query a trained machine learning model to predict whether or not a particular example was contained in the model's training dataset. These attacks are currently evaluated using average-case "accuracy" metrics that fail to characterize whether the attack can confidently identify any members of the training set. We argue that attacks should instea…
▽ More
A membership inference attack allows an adversary to query a trained machine learning model to predict whether or not a particular example was contained in the model's training dataset. These attacks are currently evaluated using average-case "accuracy" metrics that fail to characterize whether the attack can confidently identify any members of the training set. We argue that attacks should instead be evaluated by computing their true-positive rate at low (e.g., <0.1%) false-positive rates, and find most prior attacks perform poorly when evaluated in this way. To address this we develop a Likelihood Ratio Attack (LiRA) that carefully combines multiple ideas from the literature. Our attack is 10x more powerful at low false-positive rates, and also strictly dominates prior attacks on existing metrics.
△ Less
Submitted 12 April, 2022; v1 submitted 7 December, 2021;
originally announced December 2021.
-
C$^3$: A "Cool" Route to the Higgs Boson and Beyond
Authors:
Mei Bai,
Tim Barklow,
Rainer Bartoldus,
Martin Breidenbach,
Philippe Grenier,
Zhirong Huang,
Michael Kagan,
John Lewellen,
Zenghai Li,
Thomas W. Markiewicz,
Emilio A. Nanni,
Mamdouh Nasr,
Cho-Kuen Ng,
Marco Oriunno,
Michael E. Peskin,
Thomas G. Rizzo,
James Rosenzweig,
Ariel G. Schwartzman,
Vladimir Shiltsev,
Evgenya Simakov,
Bruno Spataro,
Dong Su,
Sami Tantawi,
Caterina Vernieri,
Glen White
, et al. (1 additional authors not shown)
Abstract:
We present a proposal for a cold copper distributed coupling accelerator that can provide a rapid route to precision Higgs physics with a compact 8 km footprint. This proposal is based on recent advances that increase the efficiency and operating gradient of a normal conducting accelerator. This technology also provides an $e^{+}e^{-}$ collider path to physics at multi-TeV energies. In this articl…
▽ More
We present a proposal for a cold copper distributed coupling accelerator that can provide a rapid route to precision Higgs physics with a compact 8 km footprint. This proposal is based on recent advances that increase the efficiency and operating gradient of a normal conducting accelerator. This technology also provides an $e^{+}e^{-}$ collider path to physics at multi-TeV energies. In this article, we describe our vision for this technology and the near-term R&D program needed to pursue it.
△ Less
Submitted 27 October, 2021;
originally announced October 2021.
-
Mitigating Membership Inference Attacks by Self-Distillation Through a Novel Ensemble Architecture
Authors:
Xinyu Tang,
Saeed Mahloujifar,
Liwei Song,
Virat Shejwalkar,
Milad Nasr,
Amir Houmansadr,
Prateek Mittal
Abstract:
Membership inference attacks are a key measure to evaluate privacy leakage in machine learning (ML) models. These attacks aim to distinguish training members from non-members by exploiting differential behavior of the models on member and non-member inputs. The goal of this work is to train ML models that have high membership privacy while largely preserving their utility; we therefore aim for an…
▽ More
Membership inference attacks are a key measure to evaluate privacy leakage in machine learning (ML) models. These attacks aim to distinguish training members from non-members by exploiting differential behavior of the models on member and non-member inputs. The goal of this work is to train ML models that have high membership privacy while largely preserving their utility; we therefore aim for an empirical membership privacy guarantee as opposed to the provable privacy guarantees provided by techniques like differential privacy, as such techniques are shown to deteriorate model utility. Specifically, we propose a new framework to train privacy-preserving models that induces similar behavior on member and non-member inputs to mitigate membership inference attacks. Our framework, called SELENA, has two major components. The first component and the core of our defense is a novel ensemble architecture for training. This architecture, which we call Split-AI, splits the training data into random subsets, and trains a model on each subset of the data. We use an adaptive inference strategy at test time: our ensemble architecture aggregates the outputs of only those models that did not contain the input sample in their training data. We prove that our Split-AI architecture defends against a large family of membership inference attacks, however, it is susceptible to new adaptive attacks. Therefore, we use a second component in our framework called Self-Distillation to protect against such stronger attacks. The Self-Distillation component (self-)distills the training dataset through our Split-AI ensemble, without using any external public datasets. Through extensive experiments on major benchmark datasets we show that SELENA presents a superior trade-off between membership privacy and utility compared to the state of the art.
△ Less
Submitted 15 October, 2021;
originally announced October 2021.
-
Smart Healthcare in the Age of AI: Recent Advances, Challenges, and Future Prospects
Authors:
Mahmoud Nasr,
MD. Milon Islam,
Shady Shehata,
Fakhri Karray,
Yuri Quintana
Abstract:
The significant increase in the number of individuals with chronic ailments (including the elderly and disabled) has dictated an urgent need for an innovative model for healthcare systems. The evolved model will be more personalized and less reliant on traditional brick-and-mortar healthcare institutions such as hospitals, nursing homes, and long-term healthcare centers. The smart healthcare syste…
▽ More
The significant increase in the number of individuals with chronic ailments (including the elderly and disabled) has dictated an urgent need for an innovative model for healthcare systems. The evolved model will be more personalized and less reliant on traditional brick-and-mortar healthcare institutions such as hospitals, nursing homes, and long-term healthcare centers. The smart healthcare system is a topic of recently growing interest and has become increasingly required due to major developments in modern technologies, especially in artificial intelligence (AI) and machine learning (ML). This paper is aimed to discuss the current state-of-the-art smart healthcare systems highlighting major areas like wearable and smartphone devices for health monitoring, machine learning for disease diagnosis, and the assistive frameworks, including social robots developed for the ambient assisted living environment. Additionally, the paper demonstrates software integration architectures that are very significant to create smart healthcare systems, integrating seamlessly the benefit of data analytics and other tools of AI. The explained developed systems focus on several facets: the contribution of each developed framework, the detailed working procedure, the performance as outcomes, and the comparative merits and limitations. The current research challenges with potential future directions are addressed to highlight the drawbacks of existing systems and the possible methods to introduce novel frameworks, respectively. This review aims at providing comprehensive insights into the recent developments of smart healthcare systems to equip experts to contribute to the field.
△ Less
Submitted 24 June, 2021;
originally announced July 2021.
-
Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems
Authors:
Alireza Bahramali,
Milad Nasr,
Amir Houmansadr,
Dennis Goeckel,
Don Towsley
Abstract:
Deep Neural Networks (DNNs) have become prevalent in wireless communication systems due to their promising performance. However, similar to other DNN-based applications, they are vulnerable to adversarial examples. In this work, we propose an input-agnostic, undetectable, and robust adversarial attack against DNN-based wireless communication systems in both white-box and black-box scenarios. We de…
▽ More
Deep Neural Networks (DNNs) have become prevalent in wireless communication systems due to their promising performance. However, similar to other DNN-based applications, they are vulnerable to adversarial examples. In this work, we propose an input-agnostic, undetectable, and robust adversarial attack against DNN-based wireless communication systems in both white-box and black-box scenarios. We design tailored Universal Adversarial Perturbations (UAPs) to perform the attack. We also use a Generative Adversarial Network (GAN) to enforce an undetectability constraint for our attack. Furthermore, we investigate the robustness of our attack against countermeasures. We show that in the presence of defense mechanisms deployed by the communicating parties, our attack performs significantly better compared to existing attacks against DNN-based wireless systems. In particular, the results demonstrate that even when employing well-considered defenses, DNN-based wireless communications are vulnerable to adversarial attacks.
△ Less
Submitted 1 February, 2021;
originally announced February 2021.
-
Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning
Authors:
Milad Nasr,
Shuang Song,
Abhradeep Thakurta,
Nicolas Papernot,
Nicholas Carlini
Abstract:
Differentially private (DP) machine learning allows us to train models on private data while limiting data leakage. DP formalizes this data leakage through a cryptographic game, where an adversary must predict if a model was trained on a dataset D, or a dataset D' that differs in just one example.If observing the training algorithm does not meaningfully increase the adversary's odds of successfull…
▽ More
Differentially private (DP) machine learning allows us to train models on private data while limiting data leakage. DP formalizes this data leakage through a cryptographic game, where an adversary must predict if a model was trained on a dataset D, or a dataset D' that differs in just one example.If observing the training algorithm does not meaningfully increase the adversary's odds of successfully guessing which dataset the model was trained on, then the algorithm is said to be differentially private. Hence, the purpose of privacy analysis is to upper bound the probability that any adversary could successfully guess which dataset the model was trained on.In our paper, we instantiate this hypothetical adversary in order to establish lower bounds on the probability that this distinguishing game can be won. We use this adversary to evaluate the importance of the adversary capabilities allowed in the privacy analysis of DP training algorithms.For DP-SGD, the most common method for training neural networks with differential privacy, our lower bounds are tight and match the theoretical upper bound. This implies that in order to prove better upper bounds, it will be necessary to make use of additional assumptions. Fortunately, we find that our attacks are significantly weaker when additional (realistic)restrictions are put in place on the adversary's capabilities.Thus, in the practical setting common to many real-world deployments, there is a gap between our lower bounds and the upper bounds provided by the analysis: differential privacy is conservative and adversaries may not be able to leak as much information as suggested by the theoretical bound.
△ Less
Submitted 11 January, 2021;
originally announced January 2021.
-
On algebraic integers which are 2-Salem elements in positive characteristic
Authors:
Mabrouk Nasr,
Hassen Kthiri,
Jean-Louis Verger-Gaugry
Abstract:
Bateman and Duquette have initiated the study of Salem elements in positive characteristic. This work extends their results to 2-Salem elements whose minimal polynomials are of the type $Y^n + λ_{n-1}Y^{n-1} + \ldots+λ_1Y + λ_0 \in \mathbb{F}_q[X][Y ]$ where $n \geq2, λ_0\neq 0$ and $°λ_{n-1} < °λ_{n-2} = \max_{i\neq n-2}°(λ_i)$. This work provides an analogue of their results for 2-Salem elements…
▽ More
Bateman and Duquette have initiated the study of Salem elements in positive characteristic. This work extends their results to 2-Salem elements whose minimal polynomials are of the type $Y^n + λ_{n-1}Y^{n-1} + \ldots+λ_1Y + λ_0 \in \mathbb{F}_q[X][Y ]$ where $n \geq2, λ_0\neq 0$ and $°λ_{n-1} < °λ_{n-2} = \max_{i\neq n-2}°(λ_i)$. This work provides an analogue of their results for 2-Salem elements whose minimal polynomials meet certain requirements.
△ Less
Submitted 31 December, 2020;
originally announced December 2020.
-
Experimental demonstration of particle acceleration with normal conducting accelerating structure at cryogenic temperature
Authors:
Mamdouh Nasr,
Emilio Nanni,
Martin Breidenbach,
Stephen Weathersby,
Marco Oriunno,
Sami Tantawi
Abstract:
Reducing the operating temperature of normal conducting particle accelerators substantially increases their efficiency. Low-temperature operation increases the yield strength of the accelerator material and reduces surface resistance, hence a great reduction in cyclic fatigue could be achieved resulting in a large reduction in breakdown rates compared to room-temperature operation. Furthermore, te…
▽ More
Reducing the operating temperature of normal conducting particle accelerators substantially increases their efficiency. Low-temperature operation increases the yield strength of the accelerator material and reduces surface resistance, hence a great reduction in cyclic fatigue could be achieved resulting in a large reduction in breakdown rates compared to room-temperature operation. Furthermore, temperature reduction increases the intrinsic quality factor of the accelerating cavities, and consequently, the shunt impedance leading to increased system efficiency and beam loading capabilities. In this paper, we present an experimental demonstration of the high-gradient operation of an X-band, 11.424 GHz, 20-cells linear accelerator (linac) operating at a liquid nitrogen temperature of 77 K. The tested linac was previously processed and tested at room temperature. We verified the enhanced accelerating parameters of the tested accelerator at cryogenic temperature using different measurements including electron beam acceleration up to a gradient of 150 MV/m, corresponding to a peak surface electric field of 375 MV/m. We also measured the breakdown rates in the tested structure showing a reduction of two orders of magnitude, x100, compared to their values at room temperature for the same accelerating gradient.
△ Less
Submitted 31 October, 2020;
originally announced November 2020.
-
Benchmarking Meta-heuristic Optimization
Authors:
Mona Nasr,
Omar Farouk,
Ahmed Mohamedeen,
Ali Elrafie,
Marwan Bedeir,
Ali Khaled
Abstract:
Solving an optimization task in any domain is a very challenging problem, especially when dealing with nonlinear problems and non-convex functions. Many meta-heuristic algorithms are very efficient when solving nonlinear functions. A meta-heuristic algorithm is a problem-independent technique that can be applied to a broad range of problems. In this experiment, some of the evolutionary algorithms…
▽ More
Solving an optimization task in any domain is a very challenging problem, especially when dealing with nonlinear problems and non-convex functions. Many meta-heuristic algorithms are very efficient when solving nonlinear functions. A meta-heuristic algorithm is a problem-independent technique that can be applied to a broad range of problems. In this experiment, some of the evolutionary algorithms will be tested, evaluated, and compared with each other. We will go through the Genetic Algorithm\, Differential Evolution, Particle Swarm Optimization Algorithm, Grey Wolf Optimizer, and Simulated Annealing. They will be evaluated against the performance from many points of view like how the algorithm performs throughout generations and how the algorithm's result is close to the optimal result. Other points of evaluation are discussed in depth in later sections.
△ Less
Submitted 27 July, 2020;
originally announced July 2020.
-
Improving Deep Learning with Differential Privacy using Gradient Encoding and Denoising
Authors:
Milad Nasr,
Reza Shokri,
Amir houmansadr
Abstract:
Deep learning models leak significant amounts of information about their training datasets. Previous work has investigated training models with differential privacy (DP) guarantees through adding DP noise to the gradients. However, such solutions (specifically, DPSGD), result in large degradations in the accuracy of the trained models. In this paper, we aim at training deep learning models with DP…
▽ More
Deep learning models leak significant amounts of information about their training datasets. Previous work has investigated training models with differential privacy (DP) guarantees through adding DP noise to the gradients. However, such solutions (specifically, DPSGD), result in large degradations in the accuracy of the trained models. In this paper, we aim at training deep learning models with DP guarantees while preserving model accuracy much better than previous works. Our key technique is to encode gradients to map them to a smaller vector space, therefore enabling us to obtain DP guarantees for different noise distributions. This allows us to investigate and choose noise distributions that best preserve model accuracy for a target privacy budget. We also take advantage of the post-processing property of differential privacy by introducing the idea of denoising, which further improves the utility of the trained models without degrading their DP guarantees. We show that our mechanism outperforms the state-of-the-art DPSGD; for instance, for the same model accuracy of $96.1\%$ on MNIST, our technique results in a privacy bound of $ε=3.2$ compared to $ε=6$ of DPSGD, which is a significant improvement.
△ Less
Submitted 22 July, 2020;
originally announced July 2020.
-
Spectrally reconfigurable quantum emitters enabled by optimized fast modulation
Authors:
Daniil M. Lukin,
Alexander D. White,
Rahul Trivedi,
Melissa A. Guidry,
Naoya Morioka,
Charles Babin,
Öney O. Soykal,
Jawad Ul Hassan,
Nguyen Tien Son,
Takeshi Ohshima,
Praful K. Vasireddy,
Mamdouh H. Nasr,
Shuo Sun,
Jean-Phillipe W. MacLean,
Constantin Dory,
Emilio A. Nanni,
Jörg Wrachtrup,
Florian Kaiser,
Jelena Vučković
Abstract:
The ability to shape photon emission facilitates strong photon-mediated interactions between disparate physical systems, thereby enabling applications in quantum information processing, simulation and communication. Spectral control in solid state platforms such as color centers, rare earth ions, and quantum dots is particularly attractive for realizing such applications on-chip. Here we propose t…
▽ More
The ability to shape photon emission facilitates strong photon-mediated interactions between disparate physical systems, thereby enabling applications in quantum information processing, simulation and communication. Spectral control in solid state platforms such as color centers, rare earth ions, and quantum dots is particularly attractive for realizing such applications on-chip. Here we propose the use of frequency-modulated optical transitions for spectral engineering of single photon emission. Using a scattering-matrix formalism, we find that a two-level system, when modulated faster than its optical lifetime, can be treated as a single-photon source with a widely reconfigurable photon spectrum that is amenable to standard numerical optimization techniques. To enable the experimental demonstration of this spectral control scheme, we investigate the Stark tuning properties of the silicon vacancy in silicon carbide, a color center with promise for optical quantum information processing technologies. We find that the silicon vacancy possesses excellent spectral stability and tuning characteristics, allowing us to probe its fast modulation regime, observe the theoretically-predicted two-photon correlations, and demonstrate spectral engineering. Our results suggest that frequency modulation is a powerful technique for the generation of new light states with unprecedented control over the spectral and temporal properties of single photons.
△ Less
Submitted 27 July, 2020; v1 submitted 27 March, 2020;
originally announced March 2020.
-
An Ultra-Compact X-Ray Free-Electron Laser
Authors:
J. B. Rosenzweig,
N. Majernik,
R. R. Robles,
G. Andonian,
O. Camacho,
A. Fukasawa,
A. Kogar,
G. Lawler,
Jianwei Miao,
P. Musumeci,
B. Naranjo,
Y. Sakai,
R. Candler,
B. Pound,
C. Pellegrini,
C. Emma,
A. Halavanau,
J. Hastings,
Z. Li,
M. Nasr,
S. Tantawi,
P. Anisimov,
B. Carlsten,
F. Krawczyk,
E. Simakov
, et al. (11 additional authors not shown)
Abstract:
In the field of beam physics, two frontier topics have taken center stage due to their potential to enable new approaches to discovery in a wide swath of science. These areas are: advanced, high gradient acceleration techniques, and x-ray free electron lasers (XFELs). Further, there is intense interest in the marriage of these two fields, with the goal of producing a very compact XFEL. In this con…
▽ More
In the field of beam physics, two frontier topics have taken center stage due to their potential to enable new approaches to discovery in a wide swath of science. These areas are: advanced, high gradient acceleration techniques, and x-ray free electron lasers (XFELs). Further, there is intense interest in the marriage of these two fields, with the goal of producing a very compact XFEL. In this context, recent advances in high gradient radio-frequency cryogenic copper structure research have opened the door to the use of surface electric fields between 250 and 500 MV/m. Such an approach is foreseen to enable a new generation of photoinjectors with six-dimensional beam brightness beyond the current state-of-the-art by well over an order of magnitude. This advance is an essential ingredient enabling an ultra-compact XFEL (UC-XFEL). In addition, one may accelerate these bright beams to GeV scale in less than 10 meters. Such an injector, when combined with inverse free electron laser-based bunching techniques can produce multi-kA beams with unprecedented beam quality, quantified by ~50 nm-rad normalized emittances. These beams, when injected into innovative, short-period (1-10 mm) undulators uniquely enable UC-XFELs having footprints consistent with university-scale laboratories. We describe the architecture and predicted performance of this novel light source, which promises photon production per pulse of a few percent of existing XFEL sources. We review implementation issues including collective beam effects, compact x-ray optics systems, and other relevant technical challenges. To illustrate the potential of such a light source to fundamentally change the current paradigm of XFELs with their limited access, we examine possible applications in biology, chemistry, materials, atomic physics, industry, and medicine which may profit from this new model of performing XFEL science.
△ Less
Submitted 14 August, 2020; v1 submitted 12 March, 2020;
originally announced March 2020.
-
Blind Adversarial Network Perturbations
Authors:
Milad Nasr,
Alireza Bahramali,
Amir Houmansadr
Abstract:
Deep Neural Networks (DNNs) are commonly used for various traffic analysis problems, such as website fingerprinting and flow correlation, as they outperform traditional (e.g., statistical) techniques by large margins. However, deep neural networks are known to be vulnerable to adversarial examples: adversarial inputs to the model that get labeled incorrectly by the model due to small adversarial p…
▽ More
Deep Neural Networks (DNNs) are commonly used for various traffic analysis problems, such as website fingerprinting and flow correlation, as they outperform traditional (e.g., statistical) techniques by large margins. However, deep neural networks are known to be vulnerable to adversarial examples: adversarial inputs to the model that get labeled incorrectly by the model due to small adversarial perturbations. In this paper, for the first time, we show that an adversary can defeat DNN-based traffic analysis techniques by applying \emph{adversarial perturbations} on the patterns of \emph{live} network traffic.
△ Less
Submitted 15 February, 2020;
originally announced February 2020.
