
Commit

rename image names for privacy and security chapter
AbenezerKb committed Oct 23, 2024
1 parent ac8def5 commit f4fb16e
Showing 15 changed files with 14 additions and 14 deletions.
28 changes: 14 additions & 14 deletions contents/privacy_security/privacy_security.qmd
Expand Up @@ -236,7 +236,7 @@ On the other hand, this tool can be used maliciously and affect legitimate gener

@fig-poisoning demonstrates the effects of different levels of data poisoning (50 samples, 100 samples, and 300 samples of poisoned images) on generating images in various categories. Notice how the images start deforming and deviating from the desired category. For example, after 300 poison samples, a car prompt generates a cow.

![Data poisoning. Source: @shan2023prompt.](images/png/image14.png){#fig-poisoning}
![Data poisoning. Source: @shan2023prompt.](images/png/Data_poisoning.png){#fig-poisoning}

### Adversarial Attacks
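Review bot: the new target `images/png/Data_poisoning.png` must match the renamed file exactly, including letter case, or Quarto will render a broken figure for `@fig-poisoning`; this commit lists 15 changed files for 14 path edits in this `.qmd`, so confirm the corresponding image rename is part of the same commit and that no other source file still references `images/png/image14.png`.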

Expand Down Expand Up @@ -340,7 +340,7 @@ For ML systems, consequences include impaired model accuracy, denial of service,

For example, in [@breier2018deeplaser], the authors successfully injected a fault attack into a deep neural network deployed on a microcontroller. They used a laser to heat specific transistors, forcing them to switch states. In one instance, they used this method to attack a ReLU activation function, resulting in the function always outputting a value of 0, regardless of the input. In the assembly code in @fig-injection, the attack caused the executing program always to skip the `jmp end` instruction on line 6. This means that `HiddenLayerOutput[i]` is always set to 0, overwriting any values written to it on lines 4 and 5. As a result, the targeted neurons are rendered inactive, resulting in misclassifications.

![Fault-injection demonstrated with assembly code. Source: @breier2018deeplaser.](images/png/image3.png){#fig-injection}
![Fault-injection demonstrated with assembly code. Source: @breier2018deeplaser.](images/png/Fault-injection_demonstrated_with_assembly_code.png){#fig-injection}

An attacker's strategy could be to infer information about the activation functions using side-channel attacks (discussed next). Then, the attacker could attempt to target multiple activation function computations by randomly injecting faults into the layers as close to the output layer as possible, increasing the likelihood and impact of the attack.
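Review bot: `Fault-injection_demonstrated_with_assembly_code.png` encodes the whole caption into the filename, which will drift the first time the caption is edited and mixes hyphens and underscores in one name; a short topic name in the style of `Data_poisoning.png` from the first hunk (for example `Fault_injection_assembly.png`) is easier to keep stable.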

Expand Down Expand Up @@ -368,15 +368,15 @@ Below, a simplified visualization illustrates how analyzing the encryption devic

First, the power analysis of the device's operations after entering a correct password is shown in the first picture in @fig-encryption. The dense blue graph outputs the encryption device's voltage measurement. What is significant here is the comparison between the different analysis charts rather than the specific details of what is happening in each scenario.

![Power analysis of an encryption device with a correct password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/image5.png){#fig-encryption}
![Power analysis of an encryption device with a correct password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_correct_password.png){#fig-encryption}

When an incorrect password is entered, the power analysis chart is shown in @fig-encryption2. The first three bytes of the password are correct. As a result, the voltage patterns are very similar or identical between the two charts, up to and including the fourth byte. After the device processes the fourth byte, a mismatch between the secret key and the attempted input is determined. A change in the pattern at the transition point between the fourth and fifth bytes is noticed: the voltage increases (the current decreases) because the device has stopped processing the rest of the input.

![Power analysis of an encryption device with a (partially) wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/image16.png){#fig-encryption2}
![Power analysis of an encryption device with a (partially) wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png){#fig-encryption2}

@fig-encryption3 describes another chart of a completely wrong password. After the device finishes processing the first byte, it determines that it is incorrect and stops further processing - the voltage goes up and the current down.

![Power analysis of an encryption device with a wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/image15.png){#fig-encryption3}
![Power analysis of an encryption device with a wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_wrong_password.png){#fig-encryption3}

The example above demonstrates how information about the encryption process and the secret key can be inferred by analyzing different inputs and attempting to 'eavesdrop' on the device's operations on each input byte. For a more detailed explanation, watch @vid-powerattack below.
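Review bot: the parentheses in `Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png` are a liability in a Markdown link destination, in URLs and in shell scripts (they need escaping or percent-encoding, and some Markdown parsers mis-handle a `)` inside the destination); dropping them, as in `..._with_a_partially_wrong_password.png`, keeps the three `fig-encryption*` paths uniformly safe. The other two renames in this hunk look fine.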

Expand Down Expand Up @@ -520,7 +520,7 @@ Here are some examples of TEEs that provide hardware-based security for sensitiv

@fig-enclave is a diagram demonstrating a secure enclave isolated from the host processor to provide an extra layer of security. The secure enclave has a boot ROM to establish a hardware root of trust, an AES engine for efficient and secure cryptographic operations, and protected memory. It also has a mechanism to store information securely on attached storage separate from the NAND flash storage used by the application processor and operating system. This design keeps sensitive user data secure even when the Application Processor kernel becomes compromised.

![System-on-chip secure enclave. Source: [Apple.](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)](images/png/image1.png){#fig-enclave}
![System-on-chip secure enclave. Source: [Apple.](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)](images/png/System-on-chip_secure_enclave.png){#fig-enclave}

#### Tradeoffs
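Review bot: this file-level diff only shows the path edit; since the image files themselves make up the rest of this commit's 15 changes, check that each appears as a rename (same content, new path) rather than a delete plus add, otherwise the assets lose their history and a reviewer cannot confirm that `System-on-chip_secure_enclave.png` is the same image as the former `image1.png`.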

Expand Down Expand Up @@ -566,7 +566,7 @@ Secure Boot offers vital protections for embedded ML hardware through the follow

Secure Boot works with TEEs to further enhance system security. @fig-secure-boot illustrates a flow diagram of a trusted embedded system. In the initial validation phase, Secure Boot verifies that the code running within the TEE is the correct, untampered version authorized by the device manufacturer. By checking digital signatures of the firmware and other critical system components, Secure Boot prevents unauthorized modifications that could compromise the TEE’s security capabilities. This establishes a foundation of trust upon which the TEE can securely execute sensitive operations such as cryptographic key management and secure data processing. By enforcing these layers of security, Secure Boot enables resilient and secure device operations in even the most resource-constrained environments.

![Secure Boot flow. Source: @Rashmi2018Secure.](images/png/image4.png){#fig-secure-boot}
![Secure Boot flow. Source: @Rashmi2018Secure.](images/png/Secure_Boot_flow.png){#fig-secure-boot}

#### Case Study: Apple's Face ID

Expand Down Expand Up @@ -669,7 +669,7 @@ The working principle behind PUFs, shown in @fig-pfu, involves generating a "cha

@fig-pfu illustrates an overview of the PUF basics: a) PUF can be thought of as a unique fingerprint for each piece of hardware; b) an Optical PUF is a special plastic token that is illuminated, creating a unique speckle pattern that is then recorded; c) in an APUF (Arbiter PUF), challenge bits select different paths, and a judge decides which one is faster, giving a response of '1' or '0'; d) in an SRAM PUF, the response is determined by the mismatch in the threshold voltage of transistors, where certain conditions lead to a preferred response of '1'. Each of these methods uses specific characteristics of the hardware to create a unique identifier.

![PUF basics. Source: @Gao2020Physical.](images/png/image2.png){#fig-pfu}
![PUF basics. Source: @Gao2020Physical.](images/png/PUF_basics.png){#fig-pfu}

#### Challenges
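Review bot: the figure label `#fig-pfu` on the changed line (and the two `@fig-pfu` references in the context above it) reads like a transposition of `puf`; since this line is already being touched, renaming the label to `#fig-puf` together with both references in this hunk would keep the identifier consistent with the new `PUF_basics.png` filename.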

Expand Down Expand Up @@ -773,11 +773,11 @@ Privacy and security concerns have also risen with the public use of generative

While ChatGPT has instituted protections to prevent people from accessing private and ethically questionable information, several individuals have successfully bypassed these protections through prompt injection and other security attacks. As demonstrated in @fig-role-play, users can bypass ChatGPT protections to mimic the tone of a "deceased grandmother" to learn how to bypass a web application firewall [@Gupta2023ChatGPT].

![Grandma role play to bypass safety restrictions. Source: @Gupta2023ChatGPT.](images/png/image6.png){#fig-role-play}
![Grandma role play to bypass safety restrictions. Source: @Gupta2023ChatGPT.](images/png/Grandma_role_play_to_bypass_safety_restrictions.png){#fig-role-play}

Further, users have also successfully used reverse psychology to manipulate ChatGPT and access information initially prohibited by the model. In @fig-role-play2, a user is initially prevented from learning about piracy websites through ChatGPT but can bypass these restrictions using reverse psychology.

![Reverse psychology to bypass safety restrictions. Source: @Gupta2023ChatGPT.](images/png/image10.png){#fig-role-play2}
![Reverse psychology to bypass safety restrictions. Source: @Gupta2023ChatGPT.](images/png/Reverse_psychology_to_bypass_safety_restrictions.png){#fig-role-play2}

The ease at which security attacks can manipulate ChatGPT is concerning, given the private information it was trained upon without consent. Further research on data privacy in LLMs and generative AI should focus on preventing the model from being so naive to prompt injection attacks.
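Review bot: the second figure in this hunk is labelled `#fig-role-play2`, but its caption and new filename describe reverse psychology rather than role play; consider `#fig-reverse-psychology` (updating the `@fig-role-play2` reference in the paragraph above) so the label matches the asset name chosen here.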

Expand Down Expand Up @@ -811,7 +811,7 @@ While the Laplace distribution is common, other distributions like Gaussian can

To illustrate the tradeoff of Privacy and accuracy in ($\epsilon$, $\delta$)-differential Privacy, the following graphs in @fig-tradeoffs show the results on accuracy for different noise levels on the MNIST dataset, a large dataset of handwritten digits [@abadi2016deep]. The delta value (black line; right y-axis) denotes the level of privacy relaxation (a high value means Privacy is less stringent). As Privacy becomes more relaxed, the accuracy of the model increases.

![Privacy-accuracy tradeoff. Source: @abadi2016deep.](images/png/image8.png){#fig-tradeoffs}
![Privacy-accuracy tradeoff. Source: @abadi2016deep.](images/png/Privacy-accuracy_tradeoff.png){#fig-tradeoffs}

The key points to remember about differential Privacy are the following:

Expand Down Expand Up @@ -871,7 +871,7 @@ Federated Learning (FL) is a type of machine learning in which a model is built

FL trains machine learning models across decentralized networks of devices or systems while keeping all training data localized. @fig-fl-lifecycle illustrates this process: each participating device leverages its local data to calculate model updates, which are then aggregated to build an improved global model. However, the raw training data is never directly shared, transferred, or compiled. This privacy-preserving approach allows for the joint development of ML models without centralizing the potentially sensitive training data in one place.

![Federated Learning lifecycle. Source: @jin2020towards.](images/png/image7.png){#fig-fl-lifecycle}
![Federated Learning lifecycle. Source: @jin2020towards.](images/png/Federated_Learning_lifecycle.png){#fig-fl-lifecycle}

One of the most common model aggregation algorithms is Federated Averaging (FedAvg), where the global model is created by averaging all of the parameters from local parameters. While FedAvg works well with independent and identically distributed data (IID), alternate algorithms like Federated Proximal (FedProx) are crucial in real-world applications where data is often non-IID. FedProx is designed for the FL process when there is significant heterogeneity in the client updates due to diverse data distributions across devices, computational capabilities, or varied amounts of data.

Expand Down Expand Up @@ -933,7 +933,7 @@ Machine unlearning is a fairly new process that describes how the influence of a

Some researchers have demonstrated a real-life example of machine unlearning approaches applied to SOTA machine learning models through training an LLM, LLaMA2-7b, to unlearn any references to Harry Potter [@eldan2023whos]. Though this model took 184K GPU hours to pre-train, it only took 1 GPU hour of fine-tuning to erase the model's ability to generate or recall Harry Potter-related content without noticeably compromising the accuracy of generating content unrelated to Harry Potter. @fig-hp-prompts demonstrates how the model output changes before (Llama-7b-chat-hf column) and after (Finetuned Llama-b column) unlearning has occurred.

![Llama unlearning Harry Potter. Source: @eldan2023whos.](images/png/image13.png){#fig-hp-prompts}
![Llama unlearning Harry Potter. Source: @eldan2023whos.](images/png/Llama_unlearning_Harry_Potter.png){#fig-hp-prompts}

#### Other Uses
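Review bot: unrelated to the rename but visible on a context line of this hunk, `Finetuned Llama-b column` appears to be missing the `7` that the neighbouring `Llama-7b-chat-hf column` carries; worth fixing while this paragraph's figure is being touched.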

Expand Down Expand Up @@ -1067,7 +1067,7 @@ Researchers can freely share this synthetic data and collaborate on modeling wit

* **Generative Adversarial Networks (GANs):** GANs are an AI algorithm used in unsupervised learning where two neural networks compete against each other in a game. @fig-gans is an overview of the GAN system. The generator network (big red box) is responsible for producing the synthetic data, and the discriminator network (yellow box) evaluates the authenticity of the data by distinguishing between fake data created by the generator network and the real data. The generator and discriminator networks learn and update their parameters based on the results. The discriminator acts as a metric on how similar the fake and real data are to one another. It is highly effective at generating realistic data and is a popular approach for generating synthetic data.

![Flowchart of GANs. Source: @rosa2021.](images/png/image9.png){#fig-gans}
![Flowchart of GANs. Source: @rosa2021.](images/png/Flowchart_of_GANs.png){#fig-gans}

* **Variational Autoencoders (VAEs):** VAEs are neural networks capable of learning complex probability distributions and balancing data generation quality and computational efficiency. They encode data into a latent space where they learn the distribution to decode the data back.

