diff --git a/contents/core/privacy_security/privacy_security.bib b/contents/core/privacy_security/privacy_security.bib index 2a3edc3e..416d3309 100644 --- a/contents/core/privacy_security/privacy_security.bib +++ b/contents/core/privacy_security/privacy_security.bib @@ -1,685 +1,753 @@ %comment{This file was created with betterbib v5.0.11.} - @inproceedings{Asonov2004Keyboard, - author = {Asonov, D. and Agrawal, R.}, - booktitle = {IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004}, - date-added = {2023-11-22 17:05:39 -0500}, - date-modified = {2023-11-22 17:06:45 -0500}, - doi = {10.1109/secpri.2004.1301311}, - organization = {IEEE}, - pages = {3--11}, - publisher = {IEEE}, - source = {Crossref}, - title = {Keyboard acoustic emanations}, - url = {https://doi.org/10.1109/secpri.2004.1301311}, - year = {2004}, + doi = {10.1109/secpri.2004.1301311}, + pages = {3--11}, + source = {Crossref}, + author = {Asonov, D. and Agrawal, R.}, + url = {https://doi.org/10.1109/secpri.2004.1301311}, + booktitle = {IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004}, + publisher = {IEEE}, + title = {Keyboard acoustic emanations}, + date-added = {2023-11-22 17:05:39 -0500}, + date-modified = {2023-11-22 17:06:45 -0500}, + organization = {IEEE}, } @inproceedings{Biega2020Oper, - author = {Biega, Asia J. and Potash, Peter and Daum\'e, Hal and Diaz, Fernando and Finck, Mich\`ele}, - editor = {Huang, Jimmy and Chang, Yi and Cheng, Xueqi and Kamps, Jaap and Murdock, Vanessa and Wen, Ji-Rong and Liu, Yiqun}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/conf/sigir/BiegaPDDF20.bib}, - booktitle = {Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval}, - doi = {10.1145/3397271.3401034}, - pages = {399--408}, - publisher = {ACM}, - timestamp = {Thu, 03 Sep 2020 01:00:00 +0200}, - title = {Operationalizing the Legal Principle of Data Minimization for Personalization}, - url = {https://doi.org/10.1145/3397271.3401034}, - year = {2020}, - source = {Crossref}, - month = jul, + doi = {10.1145/3397271.3401034}, + pages = {399--408}, + source = {Crossref}, + author = {Biega, Asia J. and Potash, Peter and Daum\'e, Hal and Diaz, Fernando and Finck, Mich\`ele}, + year = {2020}, + month = jul, + url = {https://doi.org/10.1145/3397271.3401034}, + booktitle = {Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval}, + publisher = {ACM}, + title = {Operationalizing the Legal Principle of Data Minimization for Personalization}, + editor = {Huang, Jimmy and Chang, Yi and Cheng, Xueqi and Kamps, Jaap and Murdock, Vanessa and Wen, Ji-Rong and Liu, Yiqun}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/conf/sigir/BiegaPDDF20.bib}, + timestamp = {Thu, 03 Sep 2020 01:00:00 +0200}, } @article{Burnet1989Spycatcher, - author = {Burnet, David and Thomas, Richard}, - date-added = {2023-11-22 17:03:00 -0500}, - date-modified = {2023-11-22 17:04:44 -0500}, - doi = {10.2307/1410360}, - issn = {0263-323X}, - journal = {J. 
Law Soc.}, - number = {2}, - pages = {210}, - publisher = {JSTOR}, - source = {Crossref}, - title = {Spycatcher: {The} Commodification of Truth}, - url = {https://doi.org/10.2307/1410360}, - volume = {16}, - year = {1989}, -} - -@inproceedings{Dwork2006Theory, - author = {Dwork, Cynthia and McSherry, Frank and Nissim, Kobbi and Smith, Adam}, - editor = {Halevi, Shai and Rabin, Tal}, - address = {Berlin, Heidelberg}, - booktitle = {Theory of Cryptography}, - date-added = {2023-11-22 18:04:12 -0500}, - date-modified = {2023-11-22 18:05:20 -0500}, - pages = {265--284}, - publisher = {Springer Berlin Heidelberg}, - title = {Calibrating Noise to Sensitivity in Private Data Analysis}, - year = {2006}, + number = {2}, + doi = {10.2307/1410360}, + pages = {210}, + source = {Crossref}, + volume = {16}, + author = {Burnet, David and Thomas, Richard}, + year = {1989}, + url = {https://doi.org/10.2307/1410360}, + issn = {0263-323X}, + journal = {Journal of Law and Society}, + publisher = {JSTOR}, + title = {Spycatcher: The Commodification of Truth}, + date-added = {2023-11-22 17:03:00 -0500}, + date-modified = {2023-11-22 17:04:44 -0500}, +} + +@incollection{Dwork2006Theory, + doi = {10.1007/11681878\_14}, + pages = {265--284}, + source = {Crossref}, + author = {Dwork, Cynthia and McSherry, Frank and Nissim, Kobbi and Smith, Adam}, + year = {2006}, + isbn = {9783540327318,9783540327325}, + url = {https://doi.org/10.1007/11681878\_14}, + issn = {0302-9743,1611-3349}, + booktitle = {Theory of Cryptography}, + publisher = {Springer Berlin Heidelberg}, + title = {Calibrating Noise to Sensitivity in Private Data Analysis}, + editor = {Halevi, Shai and Rabin, Tal}, + address = {Berlin, Heidelberg}, + date-added = {2023-11-22 18:04:12 -0500}, + date-modified = {2023-11-22 18:05:20 -0500}, } @article{Gao2020Physical, - author = {Gao, Yansong and Al-Sarawi, Said F. and Abbott, Derek}, - date-added = {2023-11-22 17:52:20 -0500}, - date-modified = {2023-11-22 17:54:56 -0500}, - doi = {10.1038/s41928-020-0372-5}, - issn = {2520-1131}, - journal = {Nature Electronics}, - number = {2}, - pages = {81--91}, - publisher = {Springer Science and Business Media LLC}, - source = {Crossref}, - title = {Physical unclonable functions}, - url = {https://doi.org/10.1038/s41928-020-0372-5}, - volume = {3}, - year = {2020}, - month = feb, + number = {2}, + doi = {10.1038/s41928-020-0372-5}, + pages = {81--91}, + source = {Crossref}, + volume = {3}, + author = {Gao, Yansong and Al-Sarawi, Said F. 
and Abbott, Derek}, + year = {2020}, + month = feb, + url = {https://doi.org/10.1038/s41928-020-0372-5}, + issn = {2520-1131}, + journal = {Nature Electronics}, + publisher = {Springer Science and Business Media LLC}, + title = {Physical unclonable functions}, + date-added = {2023-11-22 17:52:20 -0500}, + date-modified = {2023-11-22 17:54:56 -0500}, } @article{Gupta2023ChatGPT, - author = {Gupta, Maanak and Akiri, Charankumar and Aryal, Kshitiz and Parker, Eli and Praharaj, Lopamudra}, - date-added = {2023-11-22 18:01:41 -0500}, - date-modified = {2023-11-22 18:02:55 -0500}, - doi = {10.1109/access.2023.3300381}, - issn = {2169-3536}, - journal = {\#IEEE\_O\_ACC\#}, - pages = {80218--80245}, - publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, - source = {Crossref}, - title = {From {ChatGPT} to {ThreatGPT:} {Impact} of Generative {AI} in Cybersecurity and Privacy}, - url = {https://doi.org/10.1109/access.2023.3300381}, - volume = {11}, - year = {2023}, + doi = {10.1109/access.2023.3300381}, + pages = {80218--80245}, + source = {Crossref}, + volume = {11}, + author = {Gupta, Maanak and Akiri, Charankumar and Aryal, Kshitiz and Parker, Eli and Praharaj, Lopamudra}, + year = {2023}, + url = {https://doi.org/10.1109/access.2023.3300381}, + issn = {2169-3536}, + journal = {IEEE Access}, + publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, + title = {From ChatGPT to ThreatGPT: Impact of Generative AI in Cybersecurity and Privacy}, + date-added = {2023-11-22 18:01:41 -0500}, + date-modified = {2023-11-22 18:02:55 -0500}, } @article{Kocher2011Intro, - author = {Kocher, Paul and Jaffe, Joshua and Jun, Benjamin and Rohatgi, Pankaj}, - date-added = {2023-11-22 16:58:42 -0500}, - date-modified = {2023-11-22 17:00:36 -0500}, - doi = {10.1007/s13389-011-0006-y}, - issn = {2190-8508, 2190-8516}, - journal = {Journal of Cryptographic Engineering}, - number = {1}, - pages = {5--27}, - publisher = {Springer Science and Business Media LLC}, - source = {Crossref}, - title = {Introduction to differential power analysis}, - url = {https://doi.org/10.1007/s13389-011-0006-y}, - volume = {1}, - year = {2011}, - month = mar, + number = {1}, + doi = {10.1007/s13389-011-0006-y}, + pages = {5--27}, + source = {Crossref}, + volume = {1}, + author = {Kocher, Paul and Jaffe, Joshua and Jun, Benjamin and Rohatgi, Pankaj}, + year = {2011}, + month = mar, + url = {https://doi.org/10.1007/s13389-011-0006-y}, + issn = {2190-8508,2190-8516}, + journal = {Journal of Cryptographic Engineering}, + publisher = {Springer Science and Business Media LLC}, + title = {Introduction to differential power analysis}, + date-added = {2023-11-22 16:58:42 -0500}, + date-modified = {2023-11-22 17:00:36 -0500}, } @inproceedings{Kocher2018spectre, - author = {Kocher, Paul and Horn, Jann and Fogh, Anders and Genkin, Daniel and Gruss, Daniel and Haas, Werner and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas and Schwarz, Michael and Yarom, Yuval}, - booktitle = {2019 IEEE Symposium on Security and Privacy (SP)}, - date-added = {2023-11-22 16:33:35 -0500}, - date-modified = {2023-11-22 16:34:01 -0500}, - doi = {10.1109/sp.2019.00002}, - publisher = {IEEE}, - source = {Crossref}, - title = {Spectre Attacks: {Exploiting} Speculative Execution}, - url = {https://doi.org/10.1109/sp.2019.00002}, - year = {2019}, - month = may, + doi = {10.1109/sp.2019.00002}, + pages = {1--19}, + source = {Crossref}, + author = {Kocher, Paul and Horn, Jann and Fogh, Anders and Genkin, Daniel and Gruss, 
Daniel and Haas, Werner and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas and Schwarz, Michael and Yarom, Yuval}, + year = {2019}, + month = may, + url = {https://doi.org/10.1109/sp.2019.00002}, + booktitle = {2019 IEEE Symposium on Security and Privacy (SP)}, + publisher = {IEEE}, + title = {Spectre Attacks: Exploiting Speculative Execution}, + date-added = {2023-11-22 16:33:35 -0500}, + date-modified = {2023-11-22 16:34:01 -0500}, } @article{Li2020Federated, - author = {Li, Tian and Sahu, Anit Kumar and Talwalkar, Ameet and Smith, Virginia}, - date-added = {2023-11-22 19:15:13 -0500}, - date-modified = {2023-11-22 19:17:19 -0500}, - doi = {10.1109/msp.2020.2975749}, - issn = {1053-5888, 1558-0792}, - journal = {IEEE Signal Process Mag.}, - number = {3}, - pages = {50--60}, - publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, - source = {Crossref}, - title = {Federated Learning: {Challenges,} Methods, and Future Directions}, - url = {https://doi.org/10.1109/msp.2020.2975749}, - volume = {37}, - year = {2020}, - month = may, + number = {3}, + doi = {10.1109/msp.2020.2975749}, + pages = {50--60}, + source = {Crossref}, + volume = {37}, + author = {Li, Tian and Sahu, Anit Kumar and Talwalkar, Ameet and Smith, Virginia}, + year = {2020}, + month = may, + url = {https://doi.org/10.1109/msp.2020.2975749}, + issn = {1053-5888,1558-0792}, + journal = {IEEE Signal Processing Magazine}, + publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, + title = {Federated Learning: Challenges, Methods, and Future Directions}, + date-added = {2023-11-22 19:15:13 -0500}, + date-modified = {2023-11-22 19:17:19 -0500}, } @inproceedings{Lipp2018meltdown, - author = {Kocher, Paul and Horn, Jann and Fogh, Anders and Genkin, Daniel and Gruss, Daniel and Haas, Werner and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas and Schwarz, Michael and Yarom, Yuval}, - booktitle = {2019 IEEE Symposium on Security and Privacy (SP)}, - date-added = {2023-11-22 16:32:26 -0500}, - date-modified = {2023-11-22 16:33:08 -0500}, - doi = {10.1109/sp.2019.00002}, - publisher = {IEEE}, - source = {Crossref}, - title = {Spectre Attacks: {Exploiting} Speculative Execution}, - url = {https://doi.org/10.1109/sp.2019.00002}, - year = {2019}, - month = may, + doi = {10.1109/sp.2019.00002}, + pages = {1--19}, + source = {Crossref}, + author = {Kocher, Paul and Horn, Jann and Fogh, Anders and Genkin, Daniel and Gruss, Daniel and Haas, Werner and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas and Schwarz, Michael and Yarom, Yuval}, + year = {2019}, + month = may, + url = {https://doi.org/10.1109/sp.2019.00002}, + booktitle = {2019 IEEE Symposium on Security and Privacy (SP)}, + publisher = {IEEE}, + title = {Spectre Attacks: Exploiting Speculative Execution}, + date-added = {2023-11-22 16:32:26 -0500}, + date-modified = {2023-11-22 16:33:08 -0500}, } @inproceedings{Rashmi2018Secure, - author = {R.V., Rashmi and A., Karthikeyan}, - booktitle = {2018 Second International Conference on Electronics, Communication and Aerospace Technology (ICECA)}, - date-added = {2023-11-22 17:50:16 -0500}, - date-modified = {2023-11-22 17:51:39 -0500}, - doi = {10.1109/iceca.2018.8474730}, - pages = {291--298}, - publisher = {IEEE}, - source = {Crossref}, - title = {Secure boot of Embedded Applications - A Review}, - url = {https://doi.org/10.1109/iceca.2018.8474730}, - year = {2018}, - month = mar, + doi = {10.1109/iceca.2018.8474730}, + pages = 
{291--298}, + source = {Crossref}, + author = {R.V., Rashmi and A., Karthikeyan}, + year = {2018}, + month = mar, + url = {https://doi.org/10.1109/iceca.2018.8474730}, + booktitle = {2018 Second International Conference on Electronics, Communication and Aerospace Technology (ICECA)}, + publisher = {IEEE}, + title = {Secure boot of Embedded Applications - A Review}, + date-added = {2023-11-22 17:50:16 -0500}, + date-modified = {2023-11-22 17:51:39 -0500}, } @inproceedings{abadi2016deep, - author = {Abadi, Martin and Chu, Andy and Goodfellow, Ian and McMahan, H. Brendan and Mironov, Ilya and Talwar, Kunal and Zhang, Li}, - address = {New York, NY, USA}, - booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security}, - date-added = {2023-11-22 18:06:03 -0500}, - date-modified = {2023-11-22 18:08:42 -0500}, - doi = {10.1145/2976749.2978318}, - keywords = {deep learning, differential privacy}, - pages = {308--318}, - publisher = {ACM}, - series = {CCS '16}, - source = {Crossref}, - title = {Deep Learning with Differential Privacy}, - url = {https://doi.org/10.1145/2976749.2978318}, - year = {2016}, - month = oct, + doi = {10.1145/2976749.2978318}, + source = {Crossref}, + author = {Abadi, Martin and Chu, Andy and Goodfellow, Ian and McMahan, H. Brendan and Mironov, Ilya and Talwar, Kunal and Zhang, Li}, + year = {2016}, + month = oct, + url = {https://doi.org/10.1145/2976749.2978318}, + booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security}, + publisher = {ACM}, + title = {Deep Learning with Differential Privacy}, + address = {New York, NY, USA}, + date-added = {2023-11-22 18:06:03 -0500}, + date-modified = {2023-11-22 18:08:42 -0500}, + keywords = {deep learning, differential privacy}, + pages = {308--318}, + series = {CCS '16}, } @inproceedings{agrawal2003side, - author = {Agrawal, Dakshi and Baktir, Selcuk and Karakoyunlu, Deniz and Rohatgi, Pankaj and Sunar, Berk}, - booktitle = {2007 IEEE Symposium on Security and Privacy (SP '07)}, - doi = {10.1109/sp.2007.36}, - organization = {Springer}, - pages = {29--45}, - publisher = {IEEE}, - source = {Crossref}, - title = {{Trojan} Detection using {IC} Fingerprinting}, - url = {https://doi.org/10.1109/sp.2007.36}, - year = {2007}, - month = may, + doi = {10.1109/sp.2007.36}, + pages = {296--310}, + source = {Crossref}, + author = {Agrawal, Dakshi and Baktir, Selcuk and Karakoyunlu, Deniz and Rohatgi, Pankaj and Sunar, Berk}, + year = {2007}, + month = may, + url = {https://doi.org/10.1109/sp.2007.36}, + booktitle = {2007 IEEE Symposium on Security and Privacy (SP '07)}, + publisher = {IEEE}, + title = {Trojan Detection using IC Fingerprinting}, + organization = {Springer}, } @inproceedings{ahmed2020headless, - author = {Abdelkader, Ahmed and Curry, Michael J. 
and Fowl, Liam and Goldstein, Tom and Schwarzschild, Avi and Shu, Manli and Studer, Christoph and Zhu, Chen}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/conf/icassp/AbdelkaderCFGSS20.bib}, - booktitle = {ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)}, - doi = {10.1109/icassp40776.2020.9053181}, - pages = {3087--3091}, - publisher = {IEEE}, - timestamp = {Thu, 23 Jul 2020 01:00:00 +0200}, - title = {Headless Horseman: {Adversarial} Attacks on Transfer Learning Models}, - url = {https://doi.org/10.1109/icassp40776.2020.9053181}, - year = {2020}, - source = {Crossref}, - month = may, -} - -@inproceedings{amiel2006fault, - author = {Amiel, Frederic and Clavier, Christophe and Tunstall, Michael}, - booktitle = {International Workshop on Fault Diagnosis and Tolerance in Cryptography}, - date-added = {2023-11-22 16:45:05 -0500}, - date-modified = {2023-11-22 16:45:55 -0500}, - organization = {Springer}, - pages = {223--236}, - title = {Fault analysis of {DPA}-resistant algorithms}, - year = {2006}, + doi = {10.1109/icassp40776.2020.9053181}, + pages = {3087--3091}, + source = {Crossref}, + author = {Abdelkader, Ahmed and Curry, Michael J. and Fowl, Liam and Goldstein, Tom and Schwarzschild, Avi and Shu, Manli and Studer, Christoph and Zhu, Chen}, + year = {2020}, + month = may, + url = {https://doi.org/10.1109/icassp40776.2020.9053181}, + booktitle = {ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)}, + publisher = {IEEE}, + title = {Headless Horseman: Adversarial Attacks on Transfer Learning Models}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/conf/icassp/AbdelkaderCFGSS20.bib}, + timestamp = {Thu, 23 Jul 2020 01:00:00 +0200}, +} + +@incollection{amiel2006fault, + doi = {10.1007/11889700\_20}, + pages = {223--236}, + source = {Crossref}, + author = {Amiel, Frederic and Clavier, Christophe and Tunstall, Michael}, + year = {2006}, + isbn = {9783540462507,9783540462514}, + url = {https://doi.org/10.1007/11889700\_20}, + issn = {0302-9743,1611-3349}, + booktitle = {Fault Diagnosis and Tolerance in Cryptography}, + publisher = {Springer Berlin Heidelberg}, + title = {Fault Analysis of DPA-Resistant Algorithms}, + date-added = {2023-11-22 16:45:05 -0500}, + date-modified = {2023-11-22 16:45:55 -0500}, + organization = {Springer}, } @inproceedings{antonakakis2017understanding, - author = {Antonakakis, Manos and April, Tim and Bailey, Michael and Bernhard, Matt and Bursztein, Elie and Cochran, Jaime and Durumeric, Zakir and Halderman, J Alex and Invernizzi, Luca and Kallitsis, Michalis and others}, - booktitle = {26th USENIX security symposium (USENIX Security 17)}, - pages = {1093--1110}, - title = {Understanding the mirai botnet}, - year = {2017}, + author = {Antonakakis, Manos and April, Tim and Bailey, Michael and Bernhard, Matt and Bursztein, Elie and Cochran, Jaime and Durumeric, Zakir and Halderman, J Alex and Invernizzi, Luca and Kallitsis, Michalis and others}, + booktitle = {26th USENIX security symposium (USENIX Security 17)}, + pages = {1093--1110}, + title = {Understanding the mirai botnet}, + year = {2017}, } @article{ateniese2015hacking, - author = {Ateniese, Giuseppe and Mancini, Luigi V. 
and Spognardi, Angelo and Villani, Antonio and Vitali, Domenico and Felici, Giovanni}, - date-added = {2023-11-22 16:14:42 -0500}, - date-modified = {2023-11-22 16:15:42 -0500}, - doi = {10.1504/ijsn.2015.071829}, - issn = {1747-8405, 1747-8413}, - journal = {Int. J. Secur. Netw.}, - number = {3}, - pages = {137}, - publisher = {Inderscience Publishers}, - source = {Crossref}, - title = {Hacking smart machines with smarter ones: {How} to extract meaningful data from machine learning classifiers}, - url = {https://doi.org/10.1504/ijsn.2015.071829}, - volume = {10}, - year = {2015}, + number = {3}, + doi = {10.1504/ijsn.2015.071829}, + pages = {137}, + source = {Crossref}, + volume = {10}, + author = {Ateniese, Giuseppe and Mancini, Luigi V. and Spognardi, Angelo and Villani, Antonio and Vitali, Domenico and Felici, Giovanni}, + year = {2015}, + url = {https://doi.org/10.1504/ijsn.2015.071829}, + issn = {1747-8405,1747-8413}, + journal = {International Journal of Security and Networks}, + publisher = {Inderscience Publishers}, + title = {Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers}, + date-added = {2023-11-22 16:14:42 -0500}, + date-modified = {2023-11-22 16:15:42 -0500}, } @inproceedings{barenghi2010low, - author = {Barenghi, Alessandro and Bertoni, Guido M. and Breveglieri, Luca and Pellicioli, Mauro and Pelosi, Gerardo}, - booktitle = {2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)}, - date-added = {2023-11-22 16:42:05 -0500}, - date-modified = {2023-11-22 16:43:09 -0500}, - doi = {10.1109/hst.2010.5513121}, - organization = {IEEE}, - pages = {7--12}, - publisher = {IEEE}, - source = {Crossref}, - title = {Low voltage fault attacks to {AES}}, - url = {https://doi.org/10.1109/hst.2010.5513121}, - year = {2010}, - month = jun, + doi = {10.1109/hst.2010.5513121}, + pages = {7--12}, + source = {Crossref}, + author = {Barenghi, Alessandro and Bertoni, Guido M. 
and Breveglieri, Luca and Pellicioli, Mauro and Pelosi, Gerardo}, + year = {2010}, + month = jun, + url = {https://doi.org/10.1109/hst.2010.5513121}, + booktitle = {2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)}, + publisher = {IEEE}, + title = {Low voltage fault attacks to AES}, + date-added = {2023-11-22 16:42:05 -0500}, + date-modified = {2023-11-22 16:43:09 -0500}, + organization = {IEEE}, } @inproceedings{biggio2012poisoning, - author = {Biggio, Battista and Nelson, Blaine and Laskov, Pavel}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/conf/icml/BiggioNL12.bib}, - booktitle = {Proceedings of the 29th International Conference on Machine Learning, ICML 2012, Edinburgh, Scotland, UK, June 26 - July 1, 2012}, - publisher = {icml.cc / Omnipress}, - timestamp = {Wed, 03 Apr 2019 01:00:00 +0200}, - title = {Poisoning Attacks against Support Vector Machines}, - url = {http://icml.cc/2012/papers/880.pdf}, - year = {2012}, + author = {Biggio, Battista and Nelson, Blaine and Laskov, Pavel}, + title = {Poisoning Attacks against Support Vector Machines.}, + journal = {ICML}, + year = {2012}, + url = {http://icml.cc/2012/papers/880.pdf}, + source = {DBLP}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/conf/icml/BiggioNL12.bib}, + booktitle = {Proceedings of the 29th International Conference on Machine Learning, ICML 2012, Edinburgh, Scotland, UK, June 26 - July 1, 2012}, + publisher = {icml.cc / Omnipress}, + timestamp = {Wed, 03 Apr 2019 01:00:00 +0200}, } @article{breier2018deeplaser, - author = {Breier, Jakub and Hou, Xiaolu and Jap, Dirmanto and Ma, Lei and Bhasin, Shivam and Liu, Yang}, - journal = {ArXiv preprint}, - title = {Deeplaser: {Practical} fault attack on deep neural networks}, - url = {https://arxiv.org/abs/1806.05859}, - volume = {abs/1806.05859}, - year = {2018}, + url = {http://arxiv.org/abs/1806.05859v2}, + year = {2018}, + month = jun, + title = {DeepLaser: Practical Fault Attack on Deep Neural Networks}, + author = {Breier, Jakub and Hou, Xiaolu and Jap, Dirmanto and Ma, Lei and Bhasin, Shivam and Liu, Yang}, + primaryclass = {cs.CR}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/1806.05859}, } @article{cavoukian2009privacy, - author = {Cavoukian, Ann}, - date-added = {2023-11-22 17:55:45 -0500}, - date-modified = {2023-11-22 17:56:58 -0500}, - journal = {Office of the Information and Privacy Commissioner}, - title = {Privacy by design}, - year = {2009}, -} - -@book{dhanjani2015abusing, - author = {Greengard, Samuel}, - date-added = {2023-11-22 17:09:41 -0500}, - date-modified = {2023-11-22 17:10:22 -0500}, - doi = {10.7551/mitpress/10277.001.0001}, - isbn = {9780262328937}, - publisher = {The MIT Press}, - source = {Crossref}, - title = {The Internet of Things}, - url = {https://doi.org/10.7551/mitpress/10277.001.0001}, - year = {2015}, + author = {Cavoukian, Ann}, + date-added = {2023-11-22 17:55:45 -0500}, + date-modified = {2023-11-22 17:56:58 -0500}, + journal = {Office of the Information and Privacy Commissioner}, + title = {Privacy by design}, + year = {2009}, +} + +@book{greengard2021internet, + doi = {10.7551/mitpress/13937.001.0001}, + source = {Crossref}, + author = {Greengard, Samuel}, + year = {2021}, + isbn = {9780262365857}, + url = {https://doi.org/10.7551/mitpress/13937.001.0001}, + publisher = {The MIT Press}, + title = {The Internet of Things}, } @article{eldan2023whos, - author = 
{Eldan, Ronen and Russinovich, Mark}, - journal = {ArXiv preprint}, - title = {Who's Harry Potter? Approximate Unlearning in {LLMs}}, - url = {https://arxiv.org/abs/2310.02238}, - volume = {abs/2310.02238}, - year = {2023}, + url = {http://arxiv.org/abs/2310.02238v2}, + year = {2023}, + month = oct, + title = {Who's Harry Potter? Approximate Unlearning in LLMs}, + author = {Eldan, Ronen and Russinovich, Mark}, + primaryclass = {cs.CL}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/2310.02238}, } @article{eykholt2018robust, - author = {Eykholt, Kevin and Evtimov, Ivan and Fernandes, Earlence and Li, Bo and Rahmati, Amir and Xiao, Chaowei and Prakash, Atul and Kohno, Tadayoshi and Song, Dawn}, - journal = {ArXiv preprint}, - title = {Robust Physical-World Attacks on Deep Learning Models}, - url = {https://arxiv.org/abs/1707.08945}, - volume = {abs/1707.08945}, - year = {2017}, + url = {http://arxiv.org/abs/1707.08945v5}, + year = {2017}, + month = jul, + title = {Robust Physical-World Attacks on Deep Learning Models}, + author = {Eykholt, Kevin and Evtimov, Ivan and Fernandes, Earlence and Li, Bo and Rahmati, Amir and Xiao, Chaowei and Prakash, Atul and Kohno, Tadayoshi and Song, Dawn}, + primaryclass = {cs.CR}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/1707.08945}, } @article{farwell2011stuxnet, - author = {Farwell, James P. and Rohozinski, Rafal}, - date-added = {2023-11-22 14:03:31 -0500}, - date-modified = {2023-11-22 14:05:19 -0500}, - doi = {10.1080/00396338.2011.555586}, - issn = {0039-6338, 1468-2699}, - journal = {Survival}, - number = {1}, - pages = {23--40}, - publisher = {Informa UK Limited}, - source = {Crossref}, - title = {Stuxnet and the Future of Cyber War}, - url = {https://doi.org/10.1080/00396338.2011.555586}, - volume = {53}, - year = {2011}, - month = jan, -} - -@inproceedings{gandolfi2001electromagnetic, - author = {Gandolfi, Karine and Mourtel, Christophe and Olivier, Francis}, - booktitle = {Cryptographic Hardware and Embedded Systems{\textemdash}CHES 2001: Third International Workshop Paris, France, May 14{\textendash}16, 2001 Proceedings 3}, - date-added = {2023-11-22 16:56:42 -0500}, - date-modified = {2023-11-22 16:57:40 -0500}, - organization = {Springer}, - pages = {251--261}, - title = {Electromagnetic analysis: {Concrete} results}, - year = {2001}, + number = {1}, + doi = {10.1080/00396338.2011.555586}, + pages = {23--40}, + source = {Crossref}, + volume = {53}, + author = {Farwell, James P. 
and Rohozinski, Rafal}, + year = {2011}, + month = jan, + url = {https://doi.org/10.1080/00396338.2011.555586}, + issn = {0039-6338,1468-2699}, + journal = {Survival}, + publisher = {Informa UK Limited}, + title = {Stuxnet and the Future of Cyber War}, + date-added = {2023-11-22 14:03:31 -0500}, + date-modified = {2023-11-22 14:05:19 -0500}, +} + +@incollection{gandolfi2001electromagnetic, + doi = {10.1007/3-540-44709-1\_21}, + pages = {251--261}, + source = {Crossref}, + author = {Gandolfi, Karine and Mourtel, Christophe and Olivier, Francis}, + year = {2001}, + isbn = {9783540425212,9783540447092}, + url = {https://doi.org/10.1007/3-540-44709-1\_21}, + issn = {0302-9743}, + booktitle = {Cryptographic Hardware and Embedded Systems --- CHES 2001}, + publisher = {Springer Berlin Heidelberg}, + title = {Electromagnetic Analysis: Concrete Results}, + date-added = {2023-11-22 16:56:42 -0500}, + date-modified = {2023-11-22 16:57:40 -0500}, + organization = {Springer}, } @inproceedings{gnad2017voltage, - author = {Gnad, Dennis R. E. and Oboril, Fabian and Tahoori, Mehdi B.}, - booktitle = {2017 27th International Conference on Field Programmable Logic and Applications (FPL)}, - date-added = {2023-11-22 17:07:13 -0500}, - date-modified = {2023-11-22 17:07:59 -0500}, - doi = {10.23919/fpl.2017.8056840}, - organization = {IEEE}, - pages = {1--7}, - publisher = {IEEE}, - source = {Crossref}, - title = {Voltage drop-based fault attacks on {FPGAs} using valid bitstreams}, - url = {https://doi.org/10.23919/fpl.2017.8056840}, - year = {2017}, - month = sep, + doi = {10.23919/fpl.2017.8056840}, + source = {Crossref}, + author = {Gnad, Dennis R. E. and Oboril, Fabian and Tahoori, Mehdi B.}, + year = {2017}, + month = sep, + url = {https://doi.org/10.23919/fpl.2017.8056840}, + booktitle = {2017 27th International Conference on Field Programmable Logic and Applications (FPL)}, + publisher = {IEEE}, + title = {Voltage drop-based fault attacks on FPGAs using valid bitstreams}, + date-added = {2023-11-22 17:07:13 -0500}, + date-modified = {2023-11-22 17:07:59 -0500}, + organization = {IEEE}, + pages = {1--7}, } @article{goodfellow2020generative, - author = {Goodfellow, Ian and Pouget-Abadie, Jean and Mirza, Mehdi and Xu, Bing and Warde-Farley, David and Ozair, Sherjil and Courville, Aaron and Bengio, Yoshua}, - doi = {10.1145/3422622}, - issn = {0001-0782, 1557-7317}, - journal = {Commun. 
ACM}, - number = {11}, - pages = {139--144}, - publisher = {Association for Computing Machinery (ACM)}, - source = {Crossref}, - title = {Generative adversarial networks}, - url = {https://doi.org/10.1145/3422622}, - volume = {63}, - year = {2020}, - month = oct, + number = {11}, + doi = {10.1145/3422622}, + pages = {139--144}, + source = {Crossref}, + volume = {63}, + author = {Goodfellow, Ian and Pouget-Abadie, Jean and Mirza, Mehdi and Xu, Bing and Warde-Farley, David and Ozair, Sherjil and Courville, Aaron and Bengio, Yoshua}, + year = {2020}, + month = oct, + url = {https://doi.org/10.1145/3422622}, + issn = {0001-0782,1557-7317}, + journal = {Communications of the ACM}, + publisher = {Association for Computing Machinery (ACM)}, + title = {Generative adversarial networks}, } @article{hosseini2017deceiving, - author = {Hosseini, Hossein and Kannan, Sreeram and Zhang, Baosen and Poovendran, Radha}, - journal = {ArXiv preprint}, - title = {Deceiving google's perspective api built for detecting toxic comments}, - url = {https://arxiv.org/abs/1702.08138}, - volume = {abs/1702.08138}, - year = {2017}, + url = {http://arxiv.org/abs/1702.08138v1}, + year = {2017}, + month = feb, + title = {Deceiving Google's Perspective API Built for Detecting Toxic Comments}, + author = {Hosseini, Hossein and Kannan, Sreeram and Zhang, Baosen and Poovendran, Radha}, + primaryclass = {cs.LG}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/1702.08138}, } @inproceedings{hsiao2023mavfi, - author = {Hsiao, Yu-Shun and Wan, Zishen and Jia, Tianyu and Ghosal, Radhika and Mahmoud, Abdulrahman and Raychowdhury, Arijit and Brooks, David and Wei, Gu-Yeon and Reddi, Vijay Janapa}, - booktitle = {2023 Design, Automation \& Test in Europe Conference \& Exhibition (DATE)}, - date-added = {2023-11-22 16:54:11 -0500}, - date-modified = {2023-11-22 16:55:12 -0500}, - doi = {10.23919/date56975.2023.10137246}, - organization = {IEEE}, - pages = {1--6}, - publisher = {IEEE}, - source = {Crossref}, - title = {{MAVFI:} {An} End-to-End Fault Analysis Framework with Anomaly Detection and Recovery for Micro Aerial Vehicles}, - url = {https://doi.org/10.23919/date56975.2023.10137246}, - year = {2023}, - month = apr, + doi = {10.23919/date56975.2023.10137246}, + source = {Crossref}, + author = {Hsiao, Yu-Shun and Wan, Zishen and Jia, Tianyu and Ghosal, Radhika and Mahmoud, Abdulrahman and Raychowdhury, Arijit and Brooks, David and Wei, Gu-Yeon and Reddi, Vijay Janapa}, + year = {2023}, + month = apr, + url = {https://doi.org/10.23919/date56975.2023.10137246}, + booktitle = {2023 Design, Automation \& Test in Europe Conference \& Exhibition (DATE)}, + publisher = {IEEE}, + title = {MAVFI: An End-to-End Fault Analysis Framework with Anomaly Detection and Recovery for Micro Aerial Vehicles}, + date-added = {2023-11-22 16:54:11 -0500}, + date-modified = {2023-11-22 16:55:12 -0500}, + organization = {IEEE}, + pages = {1--6}, } @inproceedings{hutter2009contact, - author = {Hutter, Michael and Schmidt, Jorn-Marc and Plos, Thomas}, - booktitle = {2009 European Conference on Circuit Theory and Design}, - date-added = {2023-11-22 16:43:29 -0500}, - date-modified = {2023-11-22 16:44:30 -0500}, - doi = {10.1109/ecctd.2009.5275012}, - organization = {IEEE}, - pages = {409--412}, - publisher = {IEEE}, - source = {Crossref}, - title = {Contact-based fault injections and power analysis on {RFID} tags}, - url = {https://doi.org/10.1109/ecctd.2009.5275012}, - year = {2009}, - month = aug, + doi = {10.1109/ecctd.2009.5275012}, + 
pages = {409--412}, + source = {Crossref}, + author = {Hutter, Michael and Schmidt, Jorn-Marc and Plos, Thomas}, + year = {2009}, + month = aug, + url = {https://doi.org/10.1109/ecctd.2009.5275012}, + booktitle = {2009 European Conference on Circuit Theory and Design}, + publisher = {IEEE}, + title = {Contact-based fault injections and power analysis on RFID tags}, + date-added = {2023-11-22 16:43:29 -0500}, + date-modified = {2023-11-22 16:44:30 -0500}, + organization = {IEEE}, } @article{jin2020towards, - author = {Jin, Yilun and Wei, Xiguang and Liu, Yang and Yang, Qiang}, - title = {Towards utilizing unlabeled data in federated learning: {A} survey and prospective}, - journal = {arXiv preprint arXiv:2002.11545}, - year = {2020}, + url = {http://arxiv.org/abs/2002.11545v2}, + year = {2020}, + month = feb, + title = {Towards Utilizing Unlabeled Data in Federated Learning: A Survey and Prospective}, + author = {Jin, Yilun and Wei, Xiguang and Liu, Yang and Yang, Qiang}, + primaryclass = {cs.LG}, + archiveprefix = {arXiv}, + journal = {arXiv preprint arXiv:2002.11545}, } @book{joye2012fault, - author = {Joye, Marc and Tunstall, Michael}, - date-added = {2023-11-22 16:35:24 -0500}, - date-modified = {2023-11-22 16:36:20 -0500}, - doi = {10.1007/978-3-642-29656-7}, - isbn = {9783642296550, 9783642296567}, - issn = {1619-7100}, - publisher = {Springer Berlin Heidelberg}, - source = {Crossref}, - title = {Fault Analysis in Cryptography}, - url = {https://doi.org/10.1007/978-3-642-29656-7}, - year = {2012}, + doi = {10.1007/978-3-642-29656-7}, + source = {Crossref}, + year = {2012}, + isbn = {9783642296550,9783642296567}, + url = {https://doi.org/10.1007/978-3-642-29656-7}, + issn = {1619-7100}, + publisher = {Springer Berlin Heidelberg}, + title = {Fault Analysis in Cryptography}, + author = {Joye, Marc and Tunstall, Michael}, + date-added = {2023-11-22 16:35:24 -0500}, + date-modified = {2023-11-22 16:36:20 -0500}, } @article{kairouz2021advances, - author = {Kairouz, Peter and McMahan, H. Brendan and Avent, Brendan and Bellet, Aur\'elien and Bennis, Mehdi and Nitin Bhagoji, Arjun and Bonawitz, Kallista and Charles, Zachary and Cormode, Graham and Cummings, Rachel and D{\textquoteright}Oliveira, Rafael G. L. and Eichner, Hubert and El Rouayheb, Salim and Evans, David and Gardner, Josh and Garrett, Zachary and Gasc\'on, Adri\`a and Ghazi, Badih and Gibbons, Phillip B. and Gruteser, Marco and Harchaoui, Zaid and He, Chaoyang and He, Lie and Huo, Zhouyuan and Hutchinson, Ben and Hsu, Justin and Jaggi, Martin and Javidi, Tara and Joshi, Gauri and Khodak, Mikhail and Konecn\'y, Jakub and Korolova, Aleksandra and Koushanfar, Farinaz and Koyejo, Sanmi and Lepoint, Tancr\`ede and Liu, Yang and Mittal, Prateek and Mohri, Mehryar and Nock, Richard and \"Ozg\"ur, Ayfer and Pagh, Rasmus and Qi, Hang and Ramage, Daniel and Raskar, Ramesh and Raykova, Mariana and Song, Dawn and Song, Weikang and Stich, Sebastian U. and Sun, Ziteng and Suresh, Ananda Theertha and Tram\`er, Florian and Vepakomma, Praneeth and Wang, Jianyu and Xiong, Li and Xu, Zheng and Yang, Qiang and Yu, Felix X. 
and Yu, Han and Zhao, Sen}, - bdsk-url-1 = {http://dx.doi.org/10.1561/2200000083}, - date-added = {2023-11-22 19:14:08 -0500}, - date-modified = {2023-11-22 19:14:08 -0500}, - doi = {10.1561/2200000083}, - issn = {1935-8237, 1935-8245}, - journal = {Foundations and Trends{\textregistered} in Machine Learning}, - number = {1{\textendash}2}, - pages = {1--210}, - publisher = {Now Publishers}, - source = {Crossref}, - title = {Advances and Open Problems in Federated Learning}, - url = {https://doi.org/10.1561/2200000083}, - volume = {14}, - year = {2021}, + number = {1--2}, + doi = {10.1561/2200000083}, + pages = {1--210}, + source = {Crossref}, + volume = {14}, + author = {Kairouz, Peter and McMahan, H. Brendan and Avent, Brendan and Bellet, Aur\'elien and Bennis, Mehdi and Nitin Bhagoji, Arjun and Bonawitz, Kallista and Charles, Zachary and Cormode, Graham and Cummings, Rachel and D'Oliveira, Rafael G. L. and Eichner, Hubert and El Rouayheb, Salim and Evans, David and Gardner, Josh and Garrett, Zachary and Gasc\'on, Adri\`a and Ghazi, Badih and Gibbons, Phillip B. and Gruteser, Marco and Harchaoui, Zaid and He, Chaoyang and He, Lie and Huo, Zhouyuan and Hutchinson, Ben and Hsu, Justin and Jaggi, Martin and Javidi, Tara and Joshi, Gauri and Khodak, Mikhail and Konecn\'y, Jakub and Korolova, Aleksandra and Koushanfar, Farinaz and Koyejo, Sanmi and Lepoint, Tancr\`ede and Liu, Yang and Mittal, Prateek and Mohri, Mehryar and Nock, Richard and \"Ozg\"ur, Ayfer and Pagh, Rasmus and Qi, Hang and Ramage, Daniel and Raskar, Ramesh and Raykova, Mariana and Song, Dawn and Song, Weikang and Stich, Sebastian U. and Sun, Ziteng and Suresh, Ananda Theertha and Tram\`er, Florian and Vepakomma, Praneeth and Wang, Jianyu and Xiong, Li and Xu, Zheng and Yang, Qiang and Yu, Felix X. and Yu, Han and Zhao, Sen}, + year = {2021}, + url = {https://doi.org/10.1561/2200000083}, + issn = {1935-8237,1935-8245}, + journal = {Foundations and Trends® in Machine Learning}, + publisher = {Now Publishers}, + title = {Advances and Open Problems in Federated Learning}, + bdsk-url-1 = {http://dx.doi.org/10.1561/2200000083}, + date-added = {2023-11-22 19:14:08 -0500}, + date-modified = {2023-11-22 19:14:08 -0500}, } @inproceedings{khan2021knowledgeadaptation, - author = {Khan, Mohammad Emtiyaz and Swaroop, Siddharth}, - editor = {Ranzato, Marc'Aurelio and Beygelzimer, Alina and Dauphin, Yann N. 
and Liang, Percy and Vaughan, Jennifer Wortman}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/conf/nips/KhanS21.bib}, - booktitle = {Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual}, - pages = {19757--19770}, - timestamp = {Tue, 03 May 2022 01:00:00 +0200}, - title = {Knowledge-Adaptation Priors}, - url = {https://proceedings.neurips.cc/paper/2021/hash/a4380923dd651c195b1631af7c829187-Abstract.html}, - year = {2021}, -} - -@inproceedings{kocher1999differential, - author = {Kocher, Paul and Jaffe, Joshua and Jun, Benjamin}, - booktitle = {Advances in Cryptology{\textemdash}CRYPTO'99: 19th Annual International Cryptology Conference Santa Barbara, California, USA, August 15{\textendash}19, 1999 Proceedings 19}, - date-added = {2023-11-22 16:55:28 -0500}, - date-modified = {2023-11-22 16:56:18 -0500}, - organization = {Springer}, - pages = {388--397}, - title = {Differential power analysis}, - year = {1999}, + author = {Khan, Mohammad Emtiyaz and Swaroop, Siddharth}, + editor = {Ranzato, Marc'Aurelio and Beygelzimer, Alina and Dauphin, Yann N. and Liang, Percy and Vaughan, Jennifer Wortman}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/conf/nips/KhanS21.bib}, + booktitle = {Advances in Neural Information Processing Systems 34: Annual Conference on Neural Information Processing Systems 2021, NeurIPS 2021, December 6-14, 2021, virtual}, + pages = {19757--19770}, + timestamp = {Tue, 03 May 2022 01:00:00 +0200}, + title = {Knowledge-Adaptation Priors}, + url = {https://proceedings.neurips.cc/paper/2021/hash/a4380923dd651c195b1631af7c829187-Abstract.html}, + year = {2021}, +} + +@incollection{kocher1999differential, + doi = {10.1007/3-540-48405-1\_25}, + pages = {388--397}, + source = {Crossref}, + author = {Kocher, Paul and Jaffe, Joshua and Jun, Benjamin}, + year = {1999}, + isbn = {9783540663478,9783540484059}, + url = {https://doi.org/10.1007/3-540-48405-1\_25}, + issn = {0302-9743}, + booktitle = {Advances in Cryptology --- CRYPTO' 99}, + publisher = {Springer Berlin Heidelberg}, + title = {Differential Power Analysis}, + date-added = {2023-11-22 16:55:28 -0500}, + date-modified = {2023-11-22 16:56:18 -0500}, + organization = {Springer}, } @article{miller2015remote, - author = {Miller, Charlie and Valasek, Chris}, - date-added = {2023-11-22 17:11:27 -0500}, - date-modified = {2023-11-22 17:12:18 -0500}, - journal = {Black Hat USA}, - number = {S 91}, - pages = {1--91}, - title = {Remote exploitation of an unaltered passenger vehicle}, - volume = {2015}, - year = {2015}, + author = {Miller, Charlie and Valasek, Chris}, + date-added = {2023-11-22 17:11:27 -0500}, + date-modified = {2023-11-22 17:12:18 -0500}, + journal = {Black Hat USA}, + number = {S 91}, + pages = {1--91}, + title = {Remote exploitation of an unaltered passenger vehicle}, + volume = {2015}, + year = {2015}, } @article{miller2019lessons, - author = {Miller, Charlie}, - date-added = {2023-11-22 16:12:04 -0500}, - date-modified = {2023-11-22 16:13:31 -0500}, - doi = {10.1109/mdat.2018.2863106}, - issn = {2168-2356, 2168-2364}, - journal = {IEEE Design \& Test}, - number = {6}, - pages = {7--9}, - publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, - source = {Crossref}, - title = {Lessons learned from hacking a car}, - url = {https://doi.org/10.1109/mdat.2018.2863106}, - volume = 
{36}, - year = {2019}, - month = dec, -} - -@article{narayanan2006break, - author = {Narayanan, Arvind and Shmatikov, Vitaly}, - date-added = {2023-11-22 16:16:19 -0500}, - date-modified = {2023-11-22 16:16:59 -0500}, - journal = {arXiv preprint cs/0610105}, - title = {How to break anonymity of the netflix prize dataset}, - year = {2006}, + number = {6}, + doi = {10.1109/mdat.2018.2863106}, + pages = {7--9}, + source = {Crossref}, + volume = {36}, + author = {Miller, Charlie}, + year = {2019}, + month = dec, + url = {https://doi.org/10.1109/mdat.2018.2863106}, + issn = {2168-2356,2168-2364}, + journal = {IEEE Design \& Test}, + publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, + title = {Lessons learned from hacking a car}, + date-added = {2023-11-22 16:12:04 -0500}, + date-modified = {2023-11-22 16:13:31 -0500}, +} + +@misc{narayanan2006break, + author = {Narayanan, Arvind and Shmatikov, Vitaly}, + title = {How To Break Anonymity of the Netflix Prize Dataset}, + journal = {CoRR}, + volume = {abs/cs/0610105}, + year = {2006}, + url = {http://arxiv.org/abs/cs/0610105}, + source = {DBLP}, + date-added = {2023-11-22 16:16:19 -0500}, + date-modified = {2023-11-22 16:16:59 -0500}, } @article{oliynyk2023know, - author = {Oliynyk, Daryna and Mayer, Rudolf and Rauber, Andreas}, - date-added = {2023-11-22 16:18:21 -0500}, - date-modified = {2023-11-22 16:20:44 -0500}, - doi = {10.1145/3595292}, - issn = {0360-0300, 1557-7341}, - journal = {ACM Comput. Surv.}, - keywords = {model stealing, Machine learning, model extraction}, - number = {14s}, - pages = {1--41}, - publisher = {Association for Computing Machinery (ACM)}, - source = {Crossref}, - title = {I Know What You Trained Last Summer: {A} Survey on Stealing Machine Learning Models and Defences}, - url = {https://doi.org/10.1145/3595292}, - volume = {55}, - year = {2023}, - month = jul, + number = {14s}, + doi = {10.1145/3595292}, + pages = {1--41}, + source = {Crossref}, + volume = {55}, + author = {Oliynyk, Daryna and Mayer, Rudolf and Rauber, Andreas}, + year = {2023}, + month = jul, + url = {https://doi.org/10.1145/3595292}, + issn = {0360-0300,1557-7341}, + journal = {ACM Computing Surveys}, + publisher = {Association for Computing Machinery (ACM)}, + title = {I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences}, + date-added = {2023-11-22 16:18:21 -0500}, + date-modified = {2023-11-22 16:20:44 -0500}, + keywords = {model stealing, Machine learning, model extraction}, } @article{oprea2022poisoning, - author = {Oprea, Alina and Singhal, Anoop and Vassilev, Apostol}, - doi = {10.1109/mc.2022.3190787}, - issn = {0018-9162, 1558-0814}, - journal = {Computer}, - number = {11}, - pages = {94--99}, - publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, - source = {Crossref}, - title = {Poisoning Attacks Against Machine Learning: {Can} Machine Learning Be Trustworthy?}, - url = {https://doi.org/10.1109/mc.2022.3190787}, - volume = {55}, - year = {2022}, - month = nov, + number = {11}, + doi = {10.1109/mc.2022.3190787}, + pages = {94--99}, + source = {Crossref}, + volume = {55}, + author = {Oprea, Alina and Singhal, Anoop and Vassilev, Apostol}, + year = {2022}, + month = nov, + url = {https://doi.org/10.1109/mc.2022.3190787}, + issn = {0018-9162,1558-0814}, + journal = {Computer}, + publisher = {Institute of Electrical and Electronics Engineers (IEEE)}, + title = {Poisoning Attacks Against Machine Learning: Can Machine Learning Be Trustworthy?}, } 
@article{parrish2023adversarial, - author = {Parrish, Alicia and Kirk, Hannah Rose and Quaye, Jessica and Rastogi, Charvi and Bartolo, Max and Inel, Oana and Ciro, Juan and Mosquera, Rafael and Howard, Addison and Cukierski, Will and Sculley, D. and Reddi, Vijay Janapa and Aroyo, Lora}, - journal = {ArXiv preprint}, - title = {Adversarial Nibbler: {A} Data-Centric Challenge for Improving the Safety of Text-to-Image Models}, - url = {https://arxiv.org/abs/2305.14384}, - volume = {abs/2305.14384}, - year = {2023}, + url = {http://arxiv.org/abs/2305.14384v1}, + year = {2023}, + month = may, + title = {Adversarial Nibbler: A Data-Centric Challenge for Improving the Safety of Text-to-Image Models}, + author = {Parrish, Alicia and Kirk, Hannah Rose and Quaye, Jessica and Rastogi, Charvi and Bartolo, Max and Inel, Oana and Ciro, Juan and Mosquera, Rafael and Howard, Addison and Cukierski, Will and Sculley, D. and Reddi, Vijay Janapa and Aroyo, Lora}, + primaryclass = {cs.LG}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/2305.14384}, } @inproceedings{ramesh2021zero, - author = {Ramesh, Aditya and Pavlov, Mikhail and Goh, Gabriel and Gray, Scott and Voss, Chelsea and Radford, Alec and Chen, Mark and Sutskever, Ilya}, - editor = {Meila, Marina and Zhang, Tong}, - bibsource = {dblp computer science bibliography, https://dblp.org}, - biburl = {https://dblp.org/rec/conf/icml/RameshPGGVRCS21.bib}, - booktitle = {Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18-24 July 2021, Virtual Event}, - pages = {8821--8831}, - publisher = {PMLR}, - series = {Proceedings of Machine Learning Research}, - timestamp = {Wed, 25 Aug 2021 01:00:00 +0200}, - title = {Zero-Shot Text-to-Image Generation}, - url = {http://proceedings.mlr.press/v139/ramesh21a.html}, - volume = {139}, - year = {2021}, + author = {Ramesh, Aditya and Pavlov, Mikhail and Goh, Gabriel and Gray, Scott and Voss, Chelsea and Radford, Alec and Chen, Mark and Sutskever, Ilya}, + editor = {Meila, Marina and Zhang, Tong}, + bibsource = {dblp computer science bibliography, https://dblp.org}, + biburl = {https://dblp.org/rec/conf/icml/RameshPGGVRCS21.bib}, + booktitle = {Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18-24 July 2021, Virtual Event}, + pages = {8821--8831}, + publisher = {PMLR}, + series = {Proceedings of Machine Learning Research}, + timestamp = {Wed, 25 Aug 2021 01:00:00 +0200}, + title = {Zero-Shot Text-to-Image Generation}, + url = {http://proceedings.mlr.press/v139/ramesh21a.html}, + volume = {139}, + year = {2021}, } @inproceedings{rombach2022highresolution, - author = {Rombach, Robin and Blattmann, Andreas and Lorenz, Dominik and Esser, Patrick and Ommer, Bjorn}, - booktitle = {2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)}, - doi = {10.1109/cvpr52688.2022.01042}, - publisher = {IEEE}, - source = {Crossref}, - title = {High-Resolution Image Synthesis with Latent Diffusion Models}, - url = {https://doi.org/10.1109/cvpr52688.2022.01042}, - year = {2022}, - month = jun, + doi = {10.1109/cvpr52688.2022.01042}, + pages = {10674--10685}, + source = {Crossref}, + author = {Rombach, Robin and Blattmann, Andreas and Lorenz, Dominik and Esser, Patrick and Ommer, Bjorn}, + year = {2022}, + month = jun, + url = {https://doi.org/10.1109/cvpr52688.2022.01042}, + booktitle = {2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)}, + publisher = {IEEE}, + title = {High-Resolution Image Synthesis with 
Latent Diffusion Models}, } @article{rosa2021, - author = {de Rosa, Gustavo H. and Papa, Jo\~ao P.}, - journal = {Pattern Recogn.}, - title = {A survey on text generation using generative adversarial networks}, - year = {2021}, - doi = {10.1016/j.patcog.2021.108098}, - source = {Crossref}, - url = {https://doi.org/10.1016/j.patcog.2021.108098}, - volume = {119}, - publisher = {Elsevier BV}, - issn = {0031-3203}, - pages = {108098}, - month = nov, + doi = {10.1016/j.patcog.2021.108098}, + pages = {108098}, + source = {Crossref}, + volume = {119}, + author = {de Rosa, Gustavo H. and Papa, Jo\~ao P.}, + year = {2021}, + month = nov, + url = {https://doi.org/10.1016/j.patcog.2021.108098}, + issn = {0031-3203}, + journal = {Pattern Recognition}, + publisher = {Elsevier BV}, + title = {A survey on text generation using generative adversarial networks}, } @article{shan2023prompt, - author = {Shan, Shawn and Ding, Wenxin and Passananti, Josephine and Zheng, Haitao and Zhao, Ben Y}, - journal = {ArXiv preprint}, - title = {Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models}, - url = {https://arxiv.org/abs/2310.13828}, - volume = {abs/2310.13828}, - year = {2023}, + url = {http://arxiv.org/abs/2310.13828v3}, + year = {2023}, + month = oct, + title = {Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models}, + author = {Shan, Shawn and Ding, Wenxin and Passananti, Josephine and Wu, Stanley and Zheng, Haitao and Zhao, Ben Y.}, + primaryclass = {cs.CR}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/2310.13828}, } @inproceedings{skorobogatov2003optical, - author = {Skorobogatov, Sergei P and Anderson, Ross J}, - booktitle = {Cryptographic Hardware and Embedded Systems-CHES 2002: 4th International Workshop Redwood Shores, CA, USA, August 13{\textendash}15, 2002 Revised Papers 4}, - organization = {Springer}, - pages = {2--12}, - title = {Optical fault induction attacks}, - year = {2003}, + author = {Skorobogatov, Sergei P. 
and Anderson, Ross J.}, + title = {Optical Fault Induction Attacks.}, + journal = {CHES}, + pages = {2--12}, + year = {2002}, + doi = {10.1007/3-540-36400-5\_2}, + url = {https://doi.org/10.1007/3-540-36400-5\_2}, + source = {DBLP}, + booktitle = {Cryptographic Hardware and Embedded Systems-CHES 2002: 4th International Workshop Redwood Shores, CA, USA, August 13--15, 2002 Revised Papers 4}, + organization = {Springer}, } @inproceedings{skorobogatov2009local, - author = {Skorobogatov, Sergei}, - booktitle = {2009 IEEE International Workshop on Hardware-Oriented Security and Trust}, - doi = {10.1109/hst.2009.5225028}, - organization = {IEEE}, - pages = {1--6}, - publisher = {IEEE}, - source = {Crossref}, - title = {Local heating attacks on Flash memory devices}, - url = {https://doi.org/10.1109/hst.2009.5225028}, - year = {2009}, + doi = {10.1109/hst.2009.5225028}, + pages = {1--6}, + source = {Crossref}, + author = {Skorobogatov, Sergei}, + year = {2009}, + url = {https://doi.org/10.1109/hst.2009.5225028}, + booktitle = {2009 IEEE International Workshop on Hardware-Oriented Security and Trust}, + publisher = {IEEE}, + title = {Local heating attacks on Flash memory devices}, + organization = {IEEE}, } @article{tarun2023deep, - author = {Tarun, Ayush K and Chundawat, Vikram S and Mandal, Murari and Kankanhalli, Mohan}, - journal = {ArXiv preprint}, - title = {Deep Regression Unlearning}, - url = {https://arxiv.org/abs/2210.08196}, - volume = {abs/2210.08196}, - year = {2022}, + url = {http://arxiv.org/abs/2210.08196v2}, + year = {2022}, + month = oct, + title = {Deep Regression Unlearning}, + author = {Tarun, Ayush K and Chundawat, Vikram S and Mandal, Murari and Kankanhalli, Mohan}, + primaryclass = {cs.LG}, + archiveprefix = {arXiv}, + journal = {ArXiv preprint}, + volume = {abs/2210.08196}, } @inproceedings{zhao2018fpga, - author = {Zhao, Mark and Suh, G. Edward}, - booktitle = {2018 IEEE Symposium on Security and Privacy (SP)}, - date-added = {2023-11-22 17:08:21 -0500}, - date-modified = {2023-11-22 17:09:07 -0500}, - doi = {10.1109/sp.2018.00049}, - organization = {IEEE}, - pages = {229--244}, - publisher = {IEEE}, - source = {Crossref}, - title = {{FPGA}-Based Remote Power Side-Channel Attacks}, - url = {https://doi.org/10.1109/sp.2018.00049}, - year = {2018}, - month = may, -} + doi = {10.1109/sp.2018.00049}, + source = {Crossref}, + author = {Zhao, Mark and Suh, G. 
Edward}, + year = {2018}, + month = may, + url = {https://doi.org/10.1109/sp.2018.00049}, + booktitle = {2018 IEEE Symposium on Security and Privacy (SP)}, + publisher = {IEEE}, + title = {FPGA-Based Remote Power Side-Channel Attacks}, + date-added = {2023-11-22 17:08:21 -0500}, + date-modified = {2023-11-22 17:09:07 -0500}, + organization = {IEEE}, + pages = {229--244}, +} + +@article{heyndrickx2023melloddy, + title = {Melloddy: Cross-pharma federated learning at unprecedented scale unlocks benefits in qsar without compromising proprietary information}, + author = {Heyndrickx, Wouter and Mervin, Lewis and Morawietz, Tobias and Sturm, No\'e and Friedrich, Lukas and Zalewski, Adam and Pentina, Anastasia and Humbeck, Lina and Oldenhof, Martijn and Niwayama, Ritsuya and others}, + journal = {Journal of chemical information and modeling}, + volume = {64}, + number = {7}, + pages = {2331--2344}, + year = {2023}, + publisher = {ACS Publications}, + url = {https://pubs.acs.org/doi/10.1021/acs.jcim.3c00799}, +} \ No newline at end of file diff --git a/contents/core/privacy_security/privacy_security.qmd b/contents/core/privacy_security/privacy_security.qmd index 9797eaeb..22359825 100644 --- a/contents/core/privacy_security/privacy_security.qmd +++ b/contents/core/privacy_security/privacy_security.qmd @@ -10,7 +10,7 @@ Resources: [Slides](#sec-security-and-privacy-resource), [Videos](#sec-security ![_DALL·E 3 Prompt: An illustration on privacy and security in machine learning systems. The image shows a digital landscape with a network of interconnected nodes and data streams, symbolizing machine learning algorithms. In the foreground, there's a large lock superimposed over the network, representing privacy and security. The lock is semi-transparent, allowing the underlying network to be partially visible. The background features binary code and digital encryption symbols, emphasizing the theme of cybersecurity. The color scheme is a mix of blues, greens, and grays, suggesting a high-tech, digital environment._](images/png/cover_security_privacy.png) -Security and privacy are critical when developing real-world machine learning systems. As machine learning is increasingly applied to sensitive domains like healthcare, finance, and personal data, protecting confidentiality and preventing misuse of data and models becomes imperative. Anyone aiming to build robust and responsible ML systems must grasp potential security and privacy risks such as data leaks, model theft, adversarial attacks, bias, and unintended access to private information. We also need to understand best practices for mitigating these risks. Most importantly, security and privacy cannot be an afterthought and must be proactively addressed throughout the ML system development lifecycle - from data collection and labeling to model training, evaluation, and deployment. Embedding security and privacy considerations into each stage of building, deploying, and managing machine learning systems is essential for safely unlocking the benefits of A.I. +Security and privacy are critical when developing real-world machine learning systems. As machine learning is increasingly applied to sensitive domains like healthcare, finance, and personal data, protecting confidentiality and preventing misuse of data and models becomes imperative. Anyone aiming to build robust and responsible ML systems must grasp potential security and privacy risks such as data leaks, model theft, adversarial attacks, bias, and unintended access to private information. 
We also need to understand best practices for mitigating these risks. Most importantly, security and privacy cannot be an afterthought and must be proactively addressed throughout the ML system development lifecycle - from data collection and labeling to model training, evaluation, and deployment. Embedding security and privacy considerations into each stage of building, deploying, and managing machine learning systems is essential for safely unlocking the benefits of AI. ::: {.callout-tip} @@ -40,13 +40,7 @@ Security and privacy are critical when developing real-world machine learning sy Machine learning has evolved substantially from its academic origins, where privacy was not a primary concern. As ML migrated into commercial and consumer applications, the data became more sensitive - encompassing personal information like communications, purchases, and health data. This explosion of data availability fueled rapid advancements in ML capabilities. However, it also exposed new privacy risks, as demonstrated by incidents like the [AOL data leak in 2006](https://en.wikipedia.org/wiki/AOL_search_log_release) and the [Cambridge Analytica](https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html) scandal. -These events highlighted the growing need to address privacy in ML systems. In this chapter, we explore privacy and security considerations together, as they are inherently linked in ML: - -* Privacy refers to controlling access to sensitive user data, such as financial information or biometric data collected by an ML application. - -* Security protects ML systems and data from hacking, theft, and misuse. - -For example, an ML-powered home security camera must secure video feeds against unauthorized access and provide privacy protections to ensure only intended users can view the footage. A breach of either security or privacy could expose private user moments. +These events highlighted the growing need to address privacy in ML systems. In this chapter, we explore privacy and security considerations together, as they are inherently linked in ML. For example, an ML-powered home security camera must secure video feeds against unauthorized access and provide privacy protections to ensure only intended users can view the footage. A breach of either security or privacy could expose private user moments. Embedded ML systems like smart assistants and wearables are ubiquitous and process intimate user data. However, their computational constraints often prevent heavy security protocols. Designers must balance performance needs with rigorous security and privacy standards tailored to embedded hardware limitations. @@ -56,15 +50,15 @@ We hope that by building a holistic understanding of risks and safeguards, you w ## Terminology -In this chapter, we will discuss security and privacy together, so there are key terms that we need to be clear about. +In this chapter, we will discuss security and privacy together, so there are key terms that we need to be clear about. Since these terms are general concepts applied in many domains, we want to define how they relate to the context of this chapter and provide relevant examples to illustrate their application. -* **Privacy:** Consider an ML-powered home security camera that identifies and records potential threats. This camera records identifiable information of individuals approaching and potentially entering this home, including faces. Privacy concerns may surround who can access this data. 
+ * **Privacy:** The ability to control access to sensitive user data collected and processed by a system. In machine learning, this involves ensuring that personal information, such as financial details or biometric data, is accessible only to authorized individuals. For instance, a home security camera powered by machine learning might record video footage and identify faces of visitors. Privacy concerns center on who can access, view, or share this sensitive data. -* **Security:** Consider an ML-powered home security camera that identifies and records potential threats. The security aspect would ensure that hackers cannot access these video feeds and recognition models. +* **Security:** The practice of protecting machine learning systems and their data from unauthorized access, hacking, theft, and misuse. A secure system safeguards its data and operations to ensure integrity and confidentiality. For example, in the context of the home security camera, security measures prevent hackers from intercepting live video feeds or tampering with stored footage and ensure the model itself remains uncompromised. -* **Threat:** Using our home security camera example, a threat could be a hacker trying to access live feeds or stored videos or using false inputs to trick the system. +* **Threat:** Refers to any potential danger, malicious actor, or harmful event that aims to exploit weaknesses in a system to compromise its security or privacy. A threat is the external force or intent that seeks to cause harm. Using the home security camera example, a threat could involve a hacker attempting to access live streams, steal stored videos, or deceive the system with false inputs to bypass facial recognition. -* **Vulnerability:** A common vulnerability might be a poorly secured network through which the camera connects to the internet, which could be exploited to access the data. +* **Vulnerability:** Refers to a weakness, flaw, or gap in the system that creates the opportunity for a threat to succeed. Vulnerabilities are the points of exposure that threats target. Vulnerabilities can exist in hardware, software, or network configurations. For instance, if the home security camera connects to the internet through an unsecured Wi-Fi network, this vulnerability could allow attackers to intercept or manipulate the video data. ## Historical Precedents @@ -74,7 +68,7 @@ While the specifics of machine learning hardware security can be distinct, the e In 2010, something unexpected was found on a computer in Iran - a very complicated computer virus that experts had never seen before. [Stuxnet](https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/200661/Cyber-Reports-2017-04.pdf) was a malicious computer worm that targeted supervisory control and data acquisition (SCADA) systems and was designed to damage Iran's nuclear program [@farwell2011stuxnet]. Stuxnet was using four "[zero-day exploits](https://en.wikipedia.org/wiki/Zero-day_(computing))" - attacks that take advantage of secret weaknesses in software that no one knows about yet. This made Stuxnet very sneaky and hard to detect. -But Stuxnet wasn't designed to steal information or spy on people. Its goal was physical destruction - to sabotage centrifuges at Iran's Natanz nuclear plant! So how did the virus get onto computers at the Natanz plant, which was supposed to be disconnected from the outside world for security? Experts think someone inserted a USB stick containing Stuxnet into the internal Natanz network. 
This allowed the virus to "jump" from an outside system onto the isolated nuclear control systems and wreak havoc. +But Stuxnet wasn't designed to steal information or spy on people. Its goal was physical destruction - to sabotage centrifuges at Iran's Natanz nuclear plant! So, how did the virus get onto computers at the Natanz plant, which was supposed to be disconnected from the outside world for security? Experts think someone inserted a USB stick containing Stuxnet into the internal Natanz network. This allowed the virus to "jump" from an outside system onto the isolated nuclear control systems and wreak havoc. Stuxnet was incredibly advanced malware built by national governments to cross from the digital realm into real-world infrastructure. It specifically targeted important industrial machines, where embedded machine learning is highly applicable in a way never done before. The virus provided a wake-up call about how sophisticated cyberattacks could now physically destroy equipment and facilities. @@ -112,7 +106,7 @@ Although the devices were not ML-based, the incident is a stark reminder of what ### Implications -These historical breaches demonstrate the cascading effects of hardware vulnerabilities in embedded systems. Each incident offers a precedent for understanding the risks and designing better security protocols. For instance, the Mirai botnet highlights the immense destructive potential when threat actors can gain control over networked devices with weak security, a situation becoming increasingly common with ML systems. Many current ML devices function as "edge" devices meant to collect and process data locally before sending it to the cloud. Much like the cameras and DVRs compromised by Mirai, edge ML devices often rely on embedded hardware like ARM processors and run lightweight O.S. like Linux. Securing the device credentials is critical. +These historical breaches demonstrate the cascading effects of hardware vulnerabilities in embedded systems. Each incident offers a precedent for understanding the risks and designing better security protocols. For instance, the Mirai botnet highlights the immense destructive potential when threat actors can gain control over networked devices with weak security, a situation becoming increasingly common with ML systems. Many current ML devices function as "edge" devices meant to collect and process data locally before sending it to the cloud. Much like the cameras and DVRs compromised by Mirai, edge ML devices often rely on embedded hardware like ARM processors and run lightweight OS like Linux. Securing the device credentials is critical. Similarly, the Jeep Cherokee hack was a watershed moment for the automotive industry. It exposed serious vulnerabilities in the growing network-connected vehicle systems and their lack of isolation from core drive systems like brakes and steering. In response, auto manufacturers invested heavily in new cybersecurity measures, though gaps likely remain. @@ -130,10 +124,7 @@ The lesson is the importance of designing for security from the outset and havin ## Security Threats to ML Models -ML models face security risks that can undermine their integrity, performance, and trustworthiness if not adequately addressed. While there are several different threats, the primary threats include: -Model theft, where adversaries steal the proprietary model parameters and the sensitive data they contain. -Data poisoning, which compromises models through data tampering. 
-Adversarial attacks deceive the model to make incorrect or unwanted predictions. +ML models face security risks that can undermine their integrity, performance, and trustworthiness if not adequately addressed. Among these, three primary threats stand out: model theft, where adversaries steal proprietary model parameters and the sensitive data they contain; data poisoning, which compromises models by tampering with training data; and adversarial attacks, designed to deceive models into making incorrect or unwanted predictions. We will discuss each of these threats in detail and provide case study examples to illustrate their real-world implications. ### Model Theft @@ -174,13 +165,13 @@ Instead of extracting exact numerical values of the model's parameters, these at * **Prediction Consistency:** The attacker tries to align their model's prediction patterns with the target model's. This involves matching prediction outputs (both positive and negative) on the same set of inputs and ensuring distributional consistency across different classes. For instance, consider a natural language processing (NLP) model that generates sentiment analysis for movie reviews (labels reviews as positive, neutral, or negative). The attacker will try to fine-tune their model to match the prediction of the original models on the same set of movie reviews. This includes ensuring that the model makes the same mistakes (mispredictions) that the targeted model makes. -#### Case Study +#### Case Study: Tesla's IP Theft Case In 2018, Tesla filed a [lawsuit](https://storage.courtlistener.com/recap/gov.uscourts.nvd.131251/gov.uscourts.nvd.131251.1.0_1.pdf) against self-driving car startup [Zoox](https://zoox.com/), alleging former employees stole confidential data and trade secrets related to Tesla's autonomous driving assistance system. -Tesla claimed that several of its former employees took over 10 G.B. of proprietary data, including ML models and source code, before joining Zoox. This allegedly included one of Tesla's crucial image recognition models for identifying objects. +Tesla claimed that several of its former employees took over 10 GB of proprietary data, including ML models and source code, before joining Zoox. This allegedly included one of Tesla's crucial image recognition models for identifying objects. -The theft of this sensitive proprietary model could help Zoox shortcut years of ML development and duplicate Tesla's capabilities. Tesla argued this theft of I.P. caused significant financial and competitive harm. There were also concerns it could allow model inversion attacks to infer private details about Tesla's testing data. +The theft of this sensitive proprietary model could help Zoox shortcut years of ML development and duplicate Tesla's capabilities. Tesla argued this theft of IP caused significant financial and competitive harm. There were also concerns it could allow model inversion attacks to infer private details about Tesla's testing data. The Zoox employees denied stealing any proprietary information. However, the case highlights the significant risks of model theft—enabling the cloning of commercial models, causing economic impacts, and opening the door for further data privacy violations. @@ -214,7 +205,7 @@ There are six main categories of data poisoning [@oprea2022poisoning]: * **Knowledge:** While targeted attacks require a high degree of familiarity with the data, subpopulation attacks require less intimate knowledge to be effective. 
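Before turning to concrete cases, the sketch below makes the mechanics of data poisoning tangible. It is a purely illustrative toy, assuming scikit-learn and NumPy are available: the synthetic dataset, the logistic regression model, and the 10% flip rate are arbitrary stand-ins for a real training pipeline, not a description of any system discussed in this chapter.

```python
# Illustrative sketch: label-flipping data poisoning on a toy classifier.
# Assumes scikit-learn and NumPy; all numbers here are arbitrary choices.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(0)

# Synthetic stand-in for a curated training set (e.g., toxic vs. benign comments).
X, y = make_classification(n_samples=2000, n_features=20, n_informative=10,
                           random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.3,
                                                    random_state=0)

def train_and_score(labels):
    """Train on (possibly poisoned) labels and report test accuracy."""
    clf = LogisticRegression(max_iter=1000).fit(X_train, labels)
    return clf.score(X_test, y_test)

# Clean baseline.
clean_acc = train_and_score(y_train)

# Availability-style poisoning: an attacker flips 10% of the training labels.
poisoned = y_train.copy()
n_flip = int(0.10 * len(poisoned))
flip_idx = rng.choice(len(poisoned), size=n_flip, replace=False)
poisoned[flip_idx] = 1 - poisoned[flip_idx]
poisoned_acc = train_and_score(poisoned)

print(f"accuracy with clean labels:    {clean_acc:.3f}")
print(f"accuracy with poisoned labels: {poisoned_acc:.3f}")
```

In runs of this sketch, the poisoned model's test accuracy typically falls below the clean baseline even with this crude, untargeted attack; targeted and backdoor variants can do far more damage with far fewer corrupted samples, which is why validating training-data integrity matters in the case studies that follow.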
-#### Case Study 1 +#### Case Study: Poisoning Content Moderation Systems In 2017, researchers demonstrated a data poisoning attack against a popular toxicity classification model called Perspective [@hosseini2017deceiving]. This ML model detects toxic comments online. @@ -224,9 +215,9 @@ After retraining on the poisoned data, the model's false negative rate increased This case highlights how data poisoning can degrade model accuracy and reliability. For social media platforms, a poisoning attack that impairs toxicity detection could lead to the proliferation of harmful content and distrust of ML moderation systems. The example demonstrates why securing training data integrity and monitoring for poisoning is critical across application domains. -#### Case Study 2 +#### Case Study: Protecting Art Through Data Poisoning -Interestingly enough, data poisoning attacks are not always malicious [@shan2023prompt]. Nightshade, a tool developed by a team led by Professor Ben Zhao at the University of Chicago, utilizes data poisoning to help artists protect their art against scraping and copyright violations by generative A.I. models. Artists can use the tool to modify their images subtly before uploading them online. +Interestingly enough, data poisoning attacks are not always malicious [@shan2023prompt]. Nightshade, a tool developed by a team led by Professor Ben Zhao at the University of Chicago, utilizes data poisoning to help artists protect their art against scraping and copyright violations by generative AI models. Artists can use the tool to modify their images subtly before uploading them online. While these changes are imperceptible to the human eye, they can significantly degrade the performance of generative AI models when integrated into the training data. Generative models can be manipulated to produce unrealistic or nonsensical outputs. For example, with just 300 corrupted images, the University of Chicago researchers could deceive the latest Stable Diffusion model into generating images of canines resembling felines or bovines when prompted for automobiles. @@ -256,11 +247,11 @@ Adversarial attacks fall under different scenarios: The landscape of machine learning models is complex and broad, especially given their relatively recent integration into commercial applications. This rapid adoption, while transformative, has brought to light numerous vulnerabilities within these models. Consequently, various adversarial attack methods have emerged, each strategically exploiting different aspects of different models. Below, we highlight a subset of these methods, showcasing the multifaceted nature of adversarial attacks on machine learning models: -* **Generative Adversarial Networks (GANs)** are deep learning models consisting of two networks competing against each other: a generator and a discriminator [@goodfellow2020generative]. The generator tries to synthesize realistic data while the discriminator evaluates whether they are real or fake. GANs can be used to craft adversarial examples. The generator network is trained to produce inputs that the target model misclassifies. These GAN-generated images can then attack a target classifier or detection model. The generator and the target model are engaged in a competitive process, with the generator continually improving its ability to create deceptive examples and the target model enhancing its resistance to such examples. 
GANs provide a robust framework for crafting complex and diverse adversarial inputs, illustrating the adaptability of generative models in the adversarial landscape. +* **Generative Adversarial Networks (GANs):** The adversarial nature of GANs, where a generator and discriminator compete, aligns perfectly with crafting adversarial attacks [@goodfellow2020generative]. By leveraging this framework, the generator network is trained to produce inputs that exploit weaknesses in a target model, causing it to misclassify. This dynamic, competitive process makes GANs particularly effective at creating sophisticated and diverse adversarial examples, underscoring their adaptability in attacking machine learning models. -* **Transfer Learning Adversarial Attacks** exploit the knowledge transferred from a pre-trained model to a target model, creating adversarial examples that can deceive both models. These attacks pose a growing concern, particularly when adversaries have knowledge of the feature extractor but lack access to the classification head (the part or layer responsible for making the final classifications). Referred to as “headless attacks," these transferable adversarial strategies leverage the expressive capabilities of feature extractors to craft perturbations while oblivious to the label space or training data. The existence of such attacks underscores the importance of developing robust defenses for transfer learning applications, especially since pre-trained models are commonly used [@ahmed2020headless]. +* **Transfer Learning Adversarial Attacks:** These attacks target the feature extractors in transfer learning models by introducing perturbations that manipulate their learned representations. Feature extractors, pre-trained to identify general patterns, are fine-tuned for specific tasks in downstream models. Adversaries exploit this transfer by crafting inputs that distort the feature extractor’s outputs, causing downstream misclassifications. "Headless attacks" exemplify this strategy, where adversaries focus on the feature extractor without requiring access to the classification head or training data. This highlights a critical vulnerability in transfer learning pipelines, as the foundational components of many models can be exploited. Strengthening defenses is essential, given the widespread reliance on pre-trained models [@ahmed2020headless]. -#### Case Study +#### Case Study: Tricking Traffic Sign Detection Models In 2017, researchers conducted experiments by placing small black and white stickers on stop signs [@eykholt2018robust]. When viewed by a normal human eye, the stickers did not obscure the sign or prevent interpretability. However, when images of the stickers stop signs were fed into standard traffic sign classification ML models, they were misclassified as speed limit signs over 85% of the time. @@ -270,11 +261,7 @@ This case study provides a concrete illustration of how adversarial examples exp ## Security Threats to ML Hardware -A systematic examination of security threats to embedded machine learning hardware is essential to comprehensively understanding potential vulnerabilities in ML systems. Initially, hardware vulnerabilities arising from intrinsic design flaws that can be exploited will be explored. This foundational knowledge is crucial for recognizing the origins of hardware weaknesses. Following this, physical attacks will be examined, representing the most direct and overt methods of compromising hardware integrity. 
Building on this, fault injection attacks will be analyzed, demonstrating how deliberate manipulations can induce system failures. - -Advancing to side-channel attacks next will show the increasing complexity, as these rely on exploiting indirect information leakages, requiring a nuanced understanding of hardware operations and environmental interactions. Leaky interfaces will show how external communication channels can become vulnerable, leading to accidental data exposures. Counterfeit hardware discussions benefit from prior explorations of hardware integrity and exploitation techniques, as they often compound these issues with additional risks due to their questionable provenance. Finally, supply chain risks encompass all concerns above and frame them within the context of the hardware's journey from production to deployment, highlighting the multifaceted nature of hardware security and the need for vigilance at every stage. - -@tbl-threat_types overview table summarizing the topics: +Embedded machine learning hardware plays a critical role in powering modern AI applications but is increasingly exposed to a diverse range of security threats. These vulnerabilities can arise from flaws in hardware design, physical tampering, or even the complex pathways of global supply chains. Addressing these risks requires a comprehensive understanding of the various ways hardware integrity can be compromised. As summarized in @tbl-threat_types, this section explores the key categories of hardware threats, offering insights into their origins, methods, and implications for ML systems. +-------------------------+--------------------------------------------------------------------------------------------------+------------------------------------------------+ | Threat Type | Description | Relevance to ML Hardware Security | @@ -298,15 +285,15 @@ Advancing to side-channel attacks next will show the increasing complexity, as t ### Hardware Bugs -Hardware is not immune to the pervasive issue of design flaws or bugs. Attackers can exploit these vulnerabilities to access, manipulate, or extract sensitive data, breaching the confidentiality and integrity that users and services depend on. An example of such vulnerabilities came to light with the discovery of Meltdown and Spectre---two hardware vulnerabilities that exploit critical vulnerabilities in modern processors. These bugs allow attackers to bypass the hardware barrier that separates applications, allowing a malicious program to read the memory of other programs and the operating system. +Hardware is not immune to the pervasive issue of design flaws or bugs. Attackers can exploit these vulnerabilities to access, manipulate, or extract sensitive data, breaching the confidentiality and integrity that users and services depend on. An example of such vulnerabilities came to light with the discovery of [Meltdown and Spectre](https://meltdownattack.com/)---two hardware vulnerabilities that exploit critical vulnerabilities in modern processors. These bugs allow attackers to bypass the hardware barrier that separates applications, allowing a malicious program to read the memory of other programs and the operating system. Meltdown [@Lipp2018meltdown] and Spectre [@Kocher2018spectre] work by taking advantage of optimizations in modern CPUs that allow them to speculatively execute instructions out of order before validity checks have been completed. This reveals data that should be inaccessible, which the attack captures through side channels like caches. 
The technical complexity demonstrates the difficulty of eliminating vulnerabilities even with extensive validation. -If an ML system is processing sensitive data, such as personal user information or proprietary business analytics, Meltdown and Spectre represent a real and present danger to data security. Consider the case of an ML accelerator card designed to speed up machine learning processes, such as the ones we discussed in the [A.I. Hardware](../hw_acceleration/hw_acceleration.qmd) chapter. These accelerators work with the CPU to handle complex calculations, often related to data analytics, image recognition, and natural language processing. If such an accelerator card has a vulnerability akin to Meltdown or Spectre, it could leak the data it processes. An attacker could exploit this flaw not just to siphon off data but also to gain insights into the ML model's workings, including potentially reverse-engineering the model itself (thus, going back to the issue of [model theft](@sec-model_theft). +If an ML system is processing sensitive data, such as personal user information or proprietary business analytics, Meltdown and Spectre represent a real and present danger to data security. Consider the case of an ML accelerator card designed to speed up machine learning processes, such as the ones we discussed in the [AI Hardware](../hw_acceleration/hw_acceleration.qmd) chapter. These accelerators work with the CPU to handle complex calculations, often related to data analytics, image recognition, and natural language processing. If such an accelerator card has a vulnerability akin to Meltdown or Spectre, it could leak the data it processes. An attacker could exploit this flaw not just to siphon off data but also to gain insights into the ML model's workings, including potentially reverse-engineering the model itself (thus, going back to the issue of [model theft](@sec-model_theft). A real-world scenario where this could be devastating would be in the healthcare industry. ML systems routinely process highly sensitive patient data to help diagnose, plan treatment, and forecast outcomes. A bug in the system's hardware could lead to the unauthorized disclosure of personal health information, violating patient privacy and contravening strict regulatory standards like the [Health Insurance Portability and Accountability Act (HIPAA)](https://www.cdc.gov/phlp/publications/topic/hipaa.html) -The [Meltdown and Spectre](https://meltdownattack.com/) vulnerabilities are stark reminders that hardware security is not just about preventing unauthorized physical access but also about ensuring that the hardware's architecture does not become a conduit for data exposure. Similar hardware design flaws regularly emerge in CPUs, accelerators, memory, buses, and other components. This necessitates ongoing retroactive mitigations and performance trade-offs in deployed systems. Proactive solutions like confidential computing architectures could mitigate entire classes of vulnerabilities through fundamentally more secure hardware design. Thwarting hardware bugs requires rigor at every design stage, validation, and deployment. +The Meltdown and Spectre vulnerabilities are stark reminders that hardware security is not just about preventing unauthorized physical access but also about ensuring that the hardware's architecture does not become a conduit for data exposure. Similar hardware design flaws regularly emerge in CPUs, accelerators, memory, buses, and other components. 
This necessitates ongoing retroactive mitigations and performance trade-offs in deployed systems. Proactive solutions like confidential computing architectures could mitigate entire classes of vulnerabilities through fundamentally more secure hardware design. Thwarting hardware bugs requires rigor at every design stage, validation, and deployment. ### Physical Attacks @@ -358,27 +345,25 @@ Side-channel attacks constitute a class of security breaches that exploit inform The fundamental premise of a side-channel attack is that a device's operation can inadvertently reveal information. Such leaks can come from various sources, including the electrical power a device consumes [@kocher1999differential], the electromagnetic fields it emits [@gandolfi2001electromagnetic], the time it takes to process certain operations, or even the sounds it produces. Each channel can indirectly glimpse the system's internal processes, revealing information that can compromise security. -For instance, consider a machine learning system performing encrypted transactions. Encryption algorithms are supposed to secure data but require computational work to encrypt and decrypt information. An attacker can analyze the power consumption patterns of the device performing encryption to figure out the cryptographic key. With sophisticated statistical methods, small variations in power usage during the encryption process can be correlated with the data being processed, eventually revealing the key. Some differential analysis attack techniques are Differential Power Analysis (DPA) [@Kocher2011Intro], Differential Electromagnetic Analysis (DEMA), and Correlation Power Analysis (CPA). - -For example, consider an attacker trying to break the AES encryption algorithm using a differential analysis attack. The attacker would first need to collect many power or electromagnetic traces (a trace is a record of consumptions or emissions) of the device while performing AES encryption. +Consider a machine learning system performing encrypted transactions. Encryption algorithms are designed to secure data but require computational work to encrypt and decrypt information. One widely used encryption standard is the Advanced Encryption Standard (AES), which encrypts data to prevent unauthorized access. However, attackers can analyze the power consumption patterns of a device performing encryption to deduce sensitive information, such as the cryptographic key. With sophisticated statistical methods, small variations in power usage during the encryption process can be correlated with the data being processed, eventually revealing the key. Some differential analysis attack techniques are Differential Power Analysis (DPA) [@Kocher2011Intro], Differential Electromagnetic Analysis (DEMA), and Correlation Power Analysis (CPA). -Once the attacker has collected sufficient traces, they would use a statistical technique to identify correlations between the traces and the different values of the plaintext (original, unencrypted text) and ciphertext (encrypted text). These correlations would then be used to infer the value of a bit in the AES key and, eventually, the entire key. Differential analysis attacks are dangerous because they are low-cost, effective, and non-intrusive, allowing attackers to bypass algorithmic and hardware-level security measures. Compromises by these attacks are also hard to detect because they do not physically modify the device or break the encryption algorithm. 
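The intuition behind these trace-based attacks can be captured in a toy simulation. The sketch below is not an attack on any real device: it invents a mock bootloader that checks a 5-byte password one byte at a time and halts at the first mismatch, and it models the "power trace" as nothing more than the amount of work performed plus noise. The password value mirrors the one used in the figures below; everything else (the noise model, the five averaged traces per guess) is an arbitrary illustrative choice.

```python
# Toy simulation of a timing/power side channel in a byte-by-byte password check.
# Purely illustrative; the "device", its noise model, and the trace counts are made up.
import numpy as np

rng = np.random.default_rng(42)
SECRET = bytes([0x61, 0x52, 0x77, 0x6A, 0x73])  # the 5-byte password from the figures

def measure_trace(guess: bytes) -> float:
    """Return a noisy 'energy' reading: one unit of work per byte the device
    processes before rejecting the guess, plus extra work on a full match."""
    work = 0
    for g, s in zip(guess, SECRET):
        work += 1              # the device always processes this byte
        if g != s:
            break              # early exit leaks how far the check got
    else:
        work += 1              # full match: device does extra work to unlock
    return work + rng.normal(0, 0.1)

# Recover the password one byte at a time: the candidate that keeps the
# device "busy" the longest is the correct byte for that position.
recovered = bytearray()
for position in range(len(SECRET)):
    best_byte, best_energy = None, -1.0
    for candidate in range(256):
        guess = bytes(recovered) + bytes([candidate]) + bytes(5 - position - 1)
        energy = np.mean([measure_trace(guess) for _ in range(5)])  # average traces
        if energy > best_energy:
            best_byte, best_energy = candidate, energy
    recovered.append(best_byte)

print("recovered password bytes:", [hex(b) for b in recovered])
```

Real differential attacks such as DPA and CPA are statistically far more involved, correlating thousands of traces against hypotheses about intermediate cryptographic values, but the leak they exploit is the same: data-dependent differences in how much work the hardware performs.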
+An attacker attempting to break AES encryption could collect power or electromagnetic traces (records of power consumption or emissions) from the device while it performs encryption. By analyzing these traces with statistical techniques, the attacker could identify correlations between the traces and the plaintext (original, unencrypted text) or ciphertext (encrypted text). These correlations could then be used to infer individual bits of the AES key and, eventually, reconstruct the entire key. Differential analysis attacks are particularly dangerous because they are low-cost, effective, and non-intrusive, allowing attackers to bypass algorithmic and hardware-level security measures. Compromises through these attacks are also challenging to detect, as they do not physically alter the device or break the encryption algorithm itself. -Below, a simplified visualization illustrates how analyzing the encryption device's power consumption patterns can help extract information about the algorithm's operations and, in turn, the secret data. Consider a device that takes a 5-byte password as input. The different voltage patterns measured while the encryption device performs operations on the input to authenticate the password will be analyzed and compared. +Below, a simplified visualization illustrates how analyzing the encryption device's power consumption patterns can help extract information about the algorithm's operations and, in turn, the secret data. The example shows a device that takes a 5-byte password as input. The password entered in this scenario is `0x61, 0x52, 0x77, 0x6A, 0x73`, which represents the correct password. The power consumption patterns during authentication provide insights into how the algorithm functions. -First, the power analysis of the device's operations after entering a correct password is shown in the first picture in @fig-encryption. The dense blue graph outputs the encryption device's voltage measurement. What is significant here is the comparison between the different analysis charts rather than the specific details of what is happening in each scenario. +In @fig-encryption, the red waveform represents the serial data lines as the bootloader receives the password data in chunks (i.e. `0x61, 0x52, 0x77, 0x6A, 0x73`). Each labeled segment (e.g., "Data: 61") corresponds to one byte of the password being processed by the encryption algorithm. The blue graph shows the power consumption of the encryption device as it processes each byte. When the correct password is entered, the device processes all 5 bytes successfully, and the blue voltage graph displays consistent patterns throughout. This chart gives you a baseline to understand how the device's power consumption looks when a correct password is entered. In the next figures, you'll see how the power profile changes with incorrect passwords, helping you spot the differences in the device's behavior when authentication fails. -![Power analysis of an encryption device with a correct password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_correct_password.png){#fig-encryption} +![Power consumption profile of the device during normal operations with a valid 5-byte password (0x61, 0x52, 0x77, 0x6A, 0x73). The red line represents the serial data being received by the bootloader, which in this figure is receiving the correct bytes. 
Notice how the blue line, representing power usage during authentication, corresponds to receiving and verifying the bytes. In the next figures, this blue power consumption profile will change. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_correct_password.png){#fig-encryption} -When an incorrect password is entered, the power analysis chart is shown in @fig-encryption2. The first three bytes of the password are correct. As a result, the voltage patterns are very similar or identical between the two charts, up to and including the fourth byte. After the device processes the fourth byte, a mismatch between the secret key and the attempted input is determined. A change in the pattern at the transition point between the fourth and fifth bytes is noticed: the voltage increases (the current decreases) because the device has stopped processing the rest of the input. +When an incorrect password is entered, the power analysis chart is shown in @fig-encryption2. The first three bytes of the password are correct (i.e. `0x61, 0x52, 0x77`). As a result, the voltage patterns are very similar or identical between the two charts, up to and including the fourth byte. After processing the fourth byte (`0x42`), the device detects a mismatch with the correct password and stops processing further. This results in a noticeable change in the power pattern, shown by the sudden jump in the blue line as the voltage increases. -![Power analysis of an encryption device with a (partially) wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png){#fig-encryption2} +![Power consumption profile of the device when an incorrect 5-byte password (0x61, 0x52, 0x77, 0x42, 0x42) is entered. The red line represents the serial data received by the bootloader, showing the input bytes being processed. The first three bytes (0x61, 0x52, 0x77) are correct and match the expected password, as indicated by the consistent blue power consumption line. However, upon processing the fourth byte (0x42), a mismatch is detected. The bootloader stops further processing, resulting in a noticeable jump in the blue power consumption line, as the device halts authentication and enters an error state. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png){#fig-encryption2} -@fig-encryption3 describes another chart of a completely wrong password. After the device finishes processing the first byte, it determines that it is incorrect and stops further processing - the voltage goes up and the current down. +@fig-encryption3 shows another example but where the password is entirely incorrect (`0x30, 0x30, 0x30, 0x30, 0x30`), unlike the previous example with the first three bytes correct. Here, the device identifies the mismatch immediately after processing the first byte and halts further processing. This is reflected in the power consumption profile, where the blue line exhibits a sharp jump following the first byte, indicating the device's early termination of authentication. -![Power analysis of an encryption device with a wrong password. 
Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_wrong_password.png){#fig-encryption3} +![Power consumption profile of the device when an entirely incorrect password (0x30, 0x30, 0x30, 0x30, 0x30) is entered. The blue line shows a sharp jump after processing the first byte, indicating that the device has halted the authentication process. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_wrong_password.png){#fig-encryption3} -The example above demonstrates how information about the encryption process and the secret key can be inferred by analyzing different inputs and attempting to 'eavesdrop' on the device's operations on each input byte. For a more detailed explanation, watch @vid-powerattack below. +The example above demonstrates how information about the encryption process and the secret key can be inferred by analyzing different inputs and brute-force testing variations of each password byte, effectively 'eavesdropping' on the device's operations. For a more detailed explanation, watch @vid-powerattack below. :::{#vid-powerattack .callout-important} @@ -448,7 +433,7 @@ Strategies like supply chain audits, screening suppliers, validating component p Rigorous validation of hardware sources coupled with fault-tolerant system architectures offers the most robust defense against the pervasive risks of convoluted, opaque global supply chains. -### Case Study +### Case Study: A Wake-Up Call for Hardware Security In 2018, Bloomberg Businessweek published an alarming [story](https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies) that got much attention in the tech world. The article claimed that Supermicro had secretly planted tiny spy chips on server hardware. Reporters said Chinese state hackers working with Supermicro could sneak these tiny chips onto motherboards during manufacturing. The tiny chips allegedly gave the hackers backdoor access to servers used by over 30 major companies, including Apple and Amazon. @@ -518,7 +503,7 @@ Here are some examples of TEEs that provide hardware-based security for sensitiv * **[Apple SecureEnclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web):** A TEE for biometric data and cryptographic key management on iPhones and iPads, facilitating secure mobile payments. -@fig-enclave is a diagram demonstrating a secure enclave isolated from the host processor to provide an extra layer of security. The secure enclave has a boot ROM to establish a hardware root of trust, an AES engine for efficient and secure cryptographic operations, and protected memory. It also has a mechanism to store information securely on attached storage separate from the NAND flash storage used by the application processor and operating system. This design keeps sensitive user data secure even when the Application Processor kernel becomes compromised. +@fig-enclave is a diagram demonstrating a secure enclave isolated from the host processor to provide an extra layer of security. The secure enclave has a boot ROM to establish a hardware root of trust, an AES engine for efficient and secure cryptographic operations, and protected memory. It also has a mechanism to store information securely on attached storage separate from the NAND flash storage used by the application processor and operating system. 
NAND flash is a type of non-volatile storage used in devices like SSDs, smartphones, and tablets to retain data even when powered off. By isolating sensitive data from the NAND storage accessed by the main system, this design ensures user data remains secure even if the application processor kernel is compromised. ![System-on-chip secure enclave. Source: [Apple.](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)](images/png/System-on-chip_secure_enclave.png){#fig-enclave} @@ -548,11 +533,11 @@ While Trusted Execution Environments offer significant security benefits, their #### About -A Secure Boot is a fundamental security standard that ensures a device only boots using software trusted by the Original Equipment Manufacturer (OEM). During startup, the firmware checks the digital signature of each boot software component, including the bootloader, kernel, and base operating system. This process verifies that the software has not been altered or tampered with. If any signature fails verification, the boot process is halted to prevent unauthorized code execution that could compromise the system’s security integrity. +A Secure Boot is a fundamental security standard that ensures a device only boots using software trusted by the device manufacturer. During startup, the firmware checks the digital signature of each boot software component, including the bootloader, kernel, and base operating system. This process verifies that the software has not been altered or tampered with. If any signature fails verification, the boot process is halted to prevent unauthorized code execution that could compromise the system’s security integrity. #### Benefits -The integrity of an embedded machine learning (ML) system is paramount from the moment it is powered on. Any compromise in the boot process can lead to the execution of malicious software before the operating system and ML applications begin, resulting in manipulated ML operations, unauthorized data access, or repurposing the device for malicious activities such as botnets or crypto-mining. +The integrity of an embedded ML system is paramount from the moment it is powered on. Any compromise in the boot process can lead to the execution of malicious software before the operating system and ML applications begin, resulting in manipulated ML operations, unauthorized data access, or repurposing the device for malicious activities such as botnets or crypto-mining. Secure Boot offers vital protections for embedded ML hardware through the following critical mechanisms: @@ -572,15 +557,15 @@ Secure Boot works with TEEs to further enhance system security. @fig-secure-boot A real-world example of Secure Boot's application can be observed in Apple's Face ID technology, which uses advanced machine learning algorithms to enable [facial recognition](https://support.apple.com/en-us/102381) on iPhones and iPads. Face ID relies on a sophisticated integration of sensors and software to precisely map the geometry of a user's face. For Face ID to operate securely and protect users' biometric data, the device's operations must be trustworthy from initialization. This is where Secure Boot plays a pivotal role. The following outlines how Secure Boot functions in conjunction with Face ID: -**Initial Verification:** Upon booting up an iPhone, the Secure Boot process commences within the Secure Enclave, a specialized coprocessor designed to add an extra layer of security. 
The Secure Enclave handles biometric data, such as fingerprints for Touch ID and facial recognition data for Face ID. During the boot process, the system rigorously verifies that Apple has digitally signed the Secure Enclave's firmware, guaranteeing its authenticity. This verification step ensures that the firmware used to process biometric data remains secure and uncompromised. +1. **Initial Verification:** Upon booting up an iPhone, the Secure Boot process commences within the Secure Enclave, a specialized coprocessor designed to add an extra layer of security. The Secure Enclave handles biometric data, such as fingerprints for Touch ID and facial recognition data for Face ID. During the boot process, the system rigorously verifies that Apple has digitally signed the Secure Enclave's firmware, guaranteeing its authenticity. This verification step ensures that the firmware used to process biometric data remains secure and uncompromised. -**Continuous Security Checks:** Following the system's initialization and validation by Secure Boot, the Secure Enclave communicates with the device's central processor to maintain a secure boot chain. During this process, the digital signatures of the iOS kernel and other critical boot components are meticulously verified to ensure their integrity before proceeding. This "chain of trust" model effectively prevents unauthorized modifications to the bootloader and operating system, safeguarding the device's overall security. +2. **Continuous Security Checks:** Following the system's initialization and validation by Secure Boot, the Secure Enclave communicates with the device's central processor to maintain a secure boot chain. During this process, the digital signatures of the iOS kernel and other critical boot components are meticulously verified to ensure their integrity before proceeding. This "chain of trust" model effectively prevents unauthorized modifications to the bootloader and operating system, safeguarding the device's overall security. -**Face Data Processing:** Once the secure boot sequence is completed, the Secure Enclave interacts securely with the machine learning algorithms that power Face ID. Facial recognition involves projecting and analyzing over 30,000 invisible points to create a depth map of the user's face and an infrared image. This data is converted into a mathematical representation and is securely compared with the registered face data stored in the Secure Enclave. +3. **Face Data Processing:** Once the secure boot sequence is completed, the Secure Enclave interacts securely with the machine learning algorithms that power Face ID. Facial recognition involves projecting and analyzing over 30,000 invisible points to create a depth map of the user's face and an infrared image. This data is converted into a mathematical representation and is securely compared with the registered face data stored in the Secure Enclave. -**Secure Enclave and Data Protection:** The Secure Enclave is precisely engineered to protect sensitive data and manage cryptographic operations that safeguard this data. Even in the event of a compromised operating system kernel, the facial data processed through Face ID remains inaccessible to unauthorized applications or external attackers. Importantly, Face ID data is never transmitted off the device and is not stored on iCloud or other external servers. +4. 
**Secure Enclave and Data Protection:** The Secure Enclave is precisely engineered to protect sensitive data and manage cryptographic operations that safeguard this data. Even in the event of a compromised operating system kernel, the facial data processed through Face ID remains inaccessible to unauthorized applications or external attackers. Importantly, Face ID data is never transmitted off the device and is not stored on iCloud or other external servers. -**Firmware Updates:** Apple frequently releases updates to address security vulnerabilities and enhance system functionality. Secure Boot ensures that all firmware updates are authenticated, allowing only those signed by Apple to be installed. This process helps preserve the integrity and security of the Face ID system over time. +5. **Firmware Updates:** Apple frequently releases updates to address security vulnerabilities and enhance system functionality. Secure Boot ensures that all firmware updates are authenticated, allowing only those signed by Apple to be installed. This process helps preserve the integrity and security of the Face ID system over time. By integrating Secure Boot with dedicated hardware such as the Secure Enclave, Apple delivers robust security guarantees for critical operations like facial recognition. @@ -655,7 +640,7 @@ PUF key generation avoids external key storage, which risks exposure. It also pr #### Utility -Machine learning models are rapidly becoming a core part of the functionality for many embedded devices, such as smartphones, smart home assistants, and autonomous drones. However, securing ML on resource-constrained embedded hardware can be challenging. This is where physical unclonable functions (PUFs) come in uniquely handy. Let's look at some examples of how PUFs can be useful. +Machine learning models are rapidly becoming a core part of the functionality for many embedded devices, such as smartphones, smart home assistants, and autonomous drones. However, securing ML on resource-constrained embedded hardware can be challenging. This is where PUFs come in uniquely handy. Let's look at some examples of how PUFs can be useful. PUFs provide a way to generate unique fingerprints and cryptographic keys tied to the physical characteristics of each chip on the device. Let's take an example. We have a smart camera drone that uses embedded ML to track objects. A PUF integrated into the drone's processor could create a device-specific key to encrypt the ML model before loading it onto the drone. This way, even if an attacker somehow hacks the drone and tries to steal the model, they won't be able to use it on another device! @@ -735,23 +720,19 @@ Data minimization can be broken down into [3 categories](https://dl.acm.org/doi/ 2. The data collected from users must be _relevant_ to the purpose of the data collection. -3. Users' data should be limited to only the necessary data to fulfill the purpose of the initial data collection. If similarly robust and accurate results can be obtained from a smaller dataset, any additional data beyond this smaller dataset should not be collected. +3. Users' data should be limited to only the _necessary_ data to fulfill the purpose of the initial data collection. If similarly robust and accurate results can be obtained from a smaller dataset, any additional data beyond this smaller dataset should not be collected. -Emerging techniques like differential Privacy, federated learning, and synthetic data generation allow useful insights derived from less raw user data. 
Performing data flow mapping and impact assessments helps identify opportunities to minimize raw data usage. +Emerging techniques like differential privacy, federated learning, and synthetic data generation allow useful insights derived from less raw user data. Performing data flow mapping and impact assessments helps identify opportunities to minimize raw data usage. Methodologies like Privacy by Design [@cavoukian2009privacy] consider such minimization early in system architecture. Regulations like GDPR also mandate data minimization principles. With a multilayered approach across legal, technical, and process realms, data minimization limits risks in embedded ML products. -#### Case Study - Performance-Based Data Minimization +#### Case Study: Performance-Based Data Minimization Performance-based data minimization [@Biega2020Oper] focuses on expanding upon the third category of data minimization mentioned above, namely _limitation_. It specifically defines the robustness of model results on a given dataset by certain performance metrics, such that data should not be additionally collected if it does not significantly improve performance. Performance metrics can be divided into two categories: -1. Global data minimization performance +1. Global data minimization performance: Satisfied if a dataset minimizes the amount of per-user data while its mean performance across all data is comparable to the mean performance of the original, unminimized dataset. -a. Satisfied if a dataset minimizes the amount of per-user data while its mean performance across all data is comparable to the mean performance of the original, unminimized dataset. - -2. Per user data minimization performance - -a. Satisfied if a dataset minimizes the amount of per-user data while the minimum performance of individual user data is comparable to that of individual user data in the original, unminimized dataset. +2. Per user data minimization performance: Satisfied if a dataset minimizes the amount of per-user data while the minimum performance of individual user data is comparable to that of individual user data in the original, unminimized dataset. Performance-based data minimization can be leveraged in machine-learning settings, including movie recommendation algorithms and e-commerce settings. @@ -769,7 +750,7 @@ Consent flows should provide granular controls beyond just binary yes/no choices Privacy and security concerns have also risen with the public use of generative AI models, including OpenAI's GPT4 and other LLMs. ChatGPT, in particular, has been discussed more recently about Privacy, given all the personal information collected from ChatGPT users. In June 2023, [a class action lawsuit](https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rIZH4FXwShJE/v0) was filed against ChatGPT due to concerns that it was trained on proprietary medical and personal information without proper permissions or consent. As a result of these privacy concerns, [many companies](https://www.businessinsider.com/chatgpt-companies-issued-bans-restrictions-openai-ai-amazon-apple-2023-7) have prohibited their employees from accessing ChatGPT, and uploading private, company related information to the chatbot. Further, ChatGPT is susceptible to prompt injection and other security attacks that could compromise the privacy of the proprietary data upon which it was trained. 
-##### Case Study +##### Case Study: Bypassing ChatGPT Safeguards While ChatGPT has instituted protections to prevent people from accessing private and ethically questionable information, several individuals have successfully bypassed these protections through prompt injection and other security attacks. As demonstrated in @fig-role-play, users can bypass ChatGPT protections to mimic the tone of a "deceased grandmother" to learn how to bypass a web application firewall [@Gupta2023ChatGPT]. @@ -839,7 +820,7 @@ There are several tradeoffs to make with differential Privacy, as is the case wi While differential Privacy provides strong formal privacy guarantees, implementing it rigorously requires additions and modifications to the machine learning pipeline at a computational cost. Managing these overheads while preserving model accuracy remains an active research area. -#### Case Study +#### Case Study: Differential Privacy at Apple [Apple's implementation of differential Privacy](https://machinelearning.apple.com/research/learning-with-privacy-at-scale#DMNS06) in iOS and MacOS provides a prominent real-world example of [how differential Privacy can be deployed at large scale](https://docs-assets.developer.apple.com/ml-research/papers/learning-with-privacy-at-scale.pdf). Apple wanted to collect aggregated usage statistics across their ecosystem to improve products and services, but aimed to do so without compromising individual user privacy. @@ -903,23 +884,14 @@ There are several system performance-related aspects of FL in machine learning s **Energy Consumption:** The energy consumption of client devices in FL is a critical factor, particularly for battery-powered devices like smartphones and other TinyML/IoT devices. The computational demands of training models locally can lead to significant battery drain, which might discourage continuous participation in the FL process. Balancing the computational requirements of model training with energy efficiency is essential. This involves optimizing algorithms and training processes to reduce energy consumption while achieving effective learning outcomes. Ensuring energy-efficient operation is key to user acceptance and the sustainability of FL systems. -#### Case Studies - -Here are a couple of real-world case studies that can illustrate the use of federated learning: - -##### Google Gboard - -Google uses federated learning to improve predictions on its Gboard mobile keyboard app. The app runs a federated learning algorithm on users' devices to learn from their local usage patterns and text predictions while keeping user data private. The model updates are aggregated in the cloud to produce an enhanced global model. This allows for providing next-word predictions personalized to each user's typing style while avoiding directly collecting sensitive typing data. Google reported that the federated learning approach reduced prediction errors by 25% compared to the baseline while preserving Privacy. - -##### Healthcare Research +#### Case Study: Federated Learning for Collaborative Healthcare Datasets -The UK Biobank and American College of Cardiology combined datasets to train a model for heart arrhythmia detection using federated learning. The datasets could not be combined directly due to legal and Privacy restrictions. Federated learning allowed collaborative model development without sharing protected health data, with only model updates exchanged between the parties. 
This improved model accuracy as it could leverage a wider diversity of training data while meeting regulatory requirements.
+In healthcare and pharmaceuticals, organizations often hold vast amounts of valuable data, but sharing it directly is fraught with challenges. Strict regulations like GDPR and HIPAA, as well as concerns about protecting intellectual property, make combining datasets across companies nearly impossible. However, collaboration remains essential for advancing fields like drug discovery and patient care. Federated learning offers a solution by allowing companies to collaboratively train machine learning models without ever sharing their raw data. This approach ensures that each organization retains full control of its data while still benefiting from the collective insights of the group.
-##### Financial Services
+The MELLODDY project, a landmark initiative in Europe, exemplifies how federated learning can overcome these barriers [@heyndrickx2023melloddy]. MELLODDY brought together ten pharmaceutical companies to create the largest shared chemical compound library ever assembled, encompassing over 21 million molecules and 2.6 billion experimental data points. Despite working with sensitive and proprietary data, the companies securely collaborated to improve predictive models for drug development.
-Banks are exploring using federated learning for anti-money laundering (AML) detection models. Multiple banks could jointly improve AML Models without sharing confidential customer transaction data with competitors or third parties. Only the model updates need to be aggregated rather than raw transaction data. This allows access to richer training data from diverse sources while avoiding regulatory and confidentiality issues around sharing sensitive financial customer data.
+The results were remarkable. By pooling insights through federated learning, each company significantly enhanced its ability to identify promising drug candidates. Predictive accuracy improved, and the models gained broader applicability to diverse datasets. MELLODDY demonstrated that federated learning not only preserves privacy but also unlocks new opportunities for innovation by enabling large-scale, data-driven collaboration. This approach points toward a future where companies can work together to solve complex problems without sacrificing data security or ownership.
-These examples demonstrate how federated learning provides tangible privacy benefits and enables collaborative ML in settings where direct data sharing is impossible.
### Machine Unlearning
@@ -929,7 +901,7 @@ Machine unlearning is a fairly new process that describes how the influence of a
![Applications of Machine Unlearning. Source: [BBVA OpenMind](https://www.bbvaopenmind.com/en/technology/artificial-intelligence/ai-and-machine-unlearning-forgotten-path/)](images/png/machineunlearning.png){#fig-machine-unlearning}
-#### Case Study
+#### Case Study: The Harry Potter Experiment
Researchers have demonstrated a real-life example of machine unlearning applied to a state-of-the-art model by training the LLM LLaMA2-7b to unlearn any references to Harry Potter [@eldan2023whos]. Though this model took 184K GPU hours to pre-train, it took only 1 GPU hour of fine-tuning to erase the model's ability to generate or recall Harry Potter-related content without noticeably compromising the accuracy of generating content unrelated to Harry Potter.
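The study itself relies on a carefully designed fine-tuning procedure, but the general shape of approximate unlearning can be illustrated with a much simpler baseline: gradient *ascent* on the examples to be forgotten, combined with ordinary training on the examples to be retained. The sketch below is only a toy illustration of that idea; it is not the method used in the Harry Potter study, and every dataset, architecture, and hyperparameter in it is an assumption chosen for demonstration.

```python
# Toy sketch of approximate machine unlearning via gradient ascent on a "forget set".
# All data, model sizes, and hyperparameters here are illustrative assumptions.
import torch
import torch.nn as nn

torch.manual_seed(0)

# Synthetic stand-in for a real dataset: 512 samples, 20 features, binary labels.
X = torch.randn(512, 20)
y = (X[:, 0] > 0).long()
forget_idx = torch.arange(0, 64)    # examples whose influence we want to remove
retain_idx = torch.arange(64, 512)  # examples the model should keep performing well on

model = nn.Sequential(nn.Linear(20, 32), nn.ReLU(), nn.Linear(32, 2))
loss_fn = nn.CrossEntropyLoss()

# Step 1: ordinary training on *all* data, including the forget set.
opt = torch.optim.Adam(model.parameters(), lr=1e-2)
for _ in range(200):
    opt.zero_grad()
    loss_fn(model(X), y).backward()
    opt.step()

# Step 2: approximate unlearning. Raise the loss on the forget set (gradient ascent)
# while continuing to lower it on the retain set to preserve overall utility.
unlearn_opt = torch.optim.Adam(model.parameters(), lr=1e-3)
for _ in range(50):
    unlearn_opt.zero_grad()
    forget_loss = loss_fn(model(X[forget_idx]), y[forget_idx])
    retain_loss = loss_fn(model(X[retain_idx]), y[retain_idx])
    (retain_loss - forget_loss).backward()
    unlearn_opt.step()

with torch.no_grad():
    def acc(idx):
        return (model(X[idx]).argmax(dim=1) == y[idx]).float().mean().item()
    print(f"forget-set accuracy: {acc(forget_idx):.2f}, retain-set accuracy: {acc(retain_idx):.2f}")
```

On a toy task like this, the drop in forget-set accuracy can be modest because the retained data follows the same underlying pattern; real unlearning methods, including the one used in the Harry Potter experiment, are designed and evaluated far more carefully.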
@fig-hp-prompts demonstrates how the model output changes before (Llama-7b-chat-hf column) and after (Finetuned Llama-7b column) unlearning has occurred.
@@ -947,7 +919,7 @@ Deep learning models have previously been shown to be vulnerable to adversarial
Homomorphic encryption is a form of encryption that allows computations to be carried out on ciphertext, generating an encrypted result that, when decrypted, matches the result of operations performed on the plaintext. For example, multiplying two numbers encrypted with homomorphic encryption produces an encrypted product that decrypts to the actual product of the two numbers. This means that data can be processed in an encrypted form, and only the resulting output needs to be decrypted, significantly enhancing data security, especially for sensitive information.
-Homomorphic encryption enables outsourced computation on encrypted data without exposing the data itself to the external party performing the operations. However, only certain computations like addition and multiplication are supported in partially homomorphic schemes. Fully homomorphic encryption (FHE) that can handle any computation is even more complex. The number of possible operations is limited before noise accumulation corrupts the ciphertext.
+Homomorphic encryption enables outsourced computation on encrypted data without exposing the data itself to the external party performing the operations. However, only certain computations like addition and multiplication are supported in partially homomorphic schemes. Fully Homomorphic Encryption (FHE), which can handle any computation, is even more complex, and the number of possible operations is limited before noise accumulation corrupts the ciphertext.
To use homomorphic encryption across different entities, carefully generated public keys must be exchanged so that operations can be performed across separately encrypted data. This advanced encryption technique enables previously impossible secure computation paradigms but requires expertise to implement correctly in real-world systems.
@@ -1059,21 +1031,11 @@ Ongoing MPC research closes this efficiency gap through cryptographic advances,
#### Core Idea
-Synthetic data generation has emerged as an important privacy-preserving machine learning approach that allows models to be developed and tested without exposing real user data. The key idea is to train generative models on real-world datasets and then sample from these models to synthesize artificial data that statistically matches the original data distribution but does not contain actual user information. For example, a GAN could be trained on a dataset of sensitive medical records to learn the underlying patterns and then used to sample synthetic patient data.
+Synthetic data generation has emerged as an important privacy-preserving machine learning approach that allows models to be developed and tested without exposing real user data. The key idea is to train generative models on real-world datasets and then sample from these models to synthesize artificial data that statistically matches the original data distribution but does not contain actual user information. For instance, techniques like GANs, VAEs, and data augmentation can be used to produce synthetic data that mimics real datasets while preserving privacy. Simulations are also commonly employed in scenarios where synthetic data must represent complex systems, such as in scientific research or urban planning.
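To make this core idea concrete, the sketch below fits a deliberately simple generative model, a multivariate Gaussian, to a stand-in "sensitive" tabular dataset and releases only samples drawn from it. This is a toy illustration under assumed column names and distributions, not a production technique: real systems rely on GANs, VAEs, or differentially private mechanisms, and a plain Gaussian fit by itself offers no formal privacy guarantee.

```python
# Toy sketch: fit a simple generative model (a multivariate Gaussian) to "sensitive"
# tabular data, then release only synthetic samples drawn from the fitted model.
# Column names and distributions are hypothetical; this is for illustration only.
import numpy as np

rng = np.random.default_rng(0)

# Stand-in for a real dataset with columns: age, systolic blood pressure, BMI.
real = np.column_stack([
    rng.normal(45, 12, size=1000),
    rng.normal(120, 15, size=1000),
    rng.normal(26, 4, size=1000),
])

# "Train" the generative model: estimate the mean and covariance of the real data.
mu = real.mean(axis=0)
cov = np.cov(real, rowvar=False)

# Sample synthetic records that follow the fitted distribution but are not real rows.
synthetic = rng.multivariate_normal(mu, cov, size=1000)

# Sanity check: the synthetic data's summary statistics track the real data's.
print("real means:     ", np.round(real.mean(axis=0), 1))
print("synthetic means:", np.round(synthetic.mean(axis=0), 1))
```

Because the released rows are drawn from a fitted distribution rather than copied from the dataset, they can be shared more freely, although, as discussed next, naive approaches can still leak information about the original records.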
-The primary challenge of synthesizing data is to ensure adversaries cannot re-identify the original dataset. A simple approach to achieving synthetic data is adding noise to the original dataset, which still risks privacy leakage. When noise is added to data in the context of differential privacy, sophisticated mechanisms based on the data's sensitivity are used to calibrate the amount and distribution of noise. Through these mathematically rigorous frameworks, differential Privacy generally guarantees Privacy at some level, which is the primary goal of this privacy-preserving technique. Beyond preserving privacy, synthetic data combats multiple data availability issues such as imbalanced datasets, scarce datasets, and anomaly detection.
+The primary challenge of synthesizing data is to ensure adversaries cannot re-identify the original dataset. A simple approach to generating synthetic data is adding noise to the original dataset, but this still risks privacy leakage. When noise is added to data in the context of differential privacy, sophisticated mechanisms based on the data's sensitivity are used to calibrate the amount and distribution of noise. Through these mathematically rigorous frameworks, differential privacy generally guarantees privacy at some level, which is the primary goal of this technique. Beyond preserving privacy, synthetic data combats multiple data availability issues such as imbalanced datasets, scarce datasets, and anomaly detection.
-Researchers can freely share this synthetic data and collaborate on modeling without revealing private medical information. Well-constructed synthetic data protects Privacy while providing utility for developing accurate models. Key techniques to prevent reconstructing the original data include adding differential privacy noise during training, enforcing plausibility constraints, and using multiple diverse generative models. Here are some common approaches for generating synthetic data:
-
-* **Generative Adversarial Networks (GANs):** GANs are an AI algorithm used in unsupervised learning where two neural networks compete against each other in a game. @fig-gans is an overview of the GAN system. The generator network (big red box) is responsible for producing the synthetic data, and the discriminator network (yellow box) evaluates the authenticity of the data by distinguishing between fake data created by the generator network and the real data. The generator and discriminator networks learn and update their parameters based on the results. The discriminator acts as a metric on how similar the fake and real data are to one another. It is highly effective at generating realistic data and is a popular approach for generating synthetic data.
-
-![Flowchart of GANs. Source: @rosa2021.](images/png/Flowchart_of_GANs.png){#fig-gans}
-
-* **Variational Autoencoders (VAEs):** VAEs are neural networks capable of learning complex probability distributions and balancing data generation quality and computational efficiency. They encode data into a latent space where they learn the distribution to decode the data back.
-
-* **Data Augmentation:** This involves transforming existing data to create new, altered data. For example, flipping, rotating, and scaling (uniformly or non-uniformly) original images can help create a more diverse, robust image dataset before training an ML model.
-
-* **Simulations:** Mathematical models can simulate real-world systems or processes to mimic real-world phenomena. This is highly useful in scientific research, urban planning, and economics.
+Researchers can freely share this synthetic data and collaborate on modeling without revealing sensitive information. Well-constructed synthetic data protects privacy while providing utility for developing accurate models. Key techniques to prevent reconstructing the original data include adding differential privacy noise during training, enforcing plausibility constraints, and using multiple diverse generative models.
#### Benefits
@@ -1114,14 +1076,18 @@ While all the techniques we have discussed thus far aim to enable privacy-preser
| | - Data remains decentralized, improving security | - Potentially slower model convergence |
| | - No need for encrypted computation | - Uneven client device capabilities |
+-------------------------------+--------------------------------------------------------------------------+----------------------------------------------------------------------------+
-| Secure Multi-Party Computation| - Enables joint computation on sensitive data | - Very high computational overhead |
-| | - Provides cryptographic privacy guarantees | - Complexity of implementation |
-| | - Flexible protocols for various functions | - Algorithmic constraints on function depth |
+| Machine Unlearning | - Enables selective removal of data influence from models | - May degrade model performance on related tasks |
| | - Useful for compliance with privacy regulations | - Implementation complexity in large-scale models |
| | - Prevents unintended retention of adversarial or outdated data | - Risk of incomplete or ineffective unlearning |
+-------------------------------+--------------------------------------------------------------------------+----------------------------------------------------------------------------+
| Homomorphic Encryption | - Allows computation on encrypted data | - Extremely high computational cost |
| | - Prevents intermediate state exposure | - Complex cryptographic implementations |
| | | - Restrictions on function types |
+-------------------------------+--------------------------------------------------------------------------+----------------------------------------------------------------------------+
+| Secure Multi-Party Computation| - Enables joint computation on sensitive data | - Very high computational overhead |
+| | - Provides cryptographic privacy guarantees | - Complexity of implementation |
+| | - Flexible protocols for various functions | - Algorithmic constraints on function depth |
++-------------------------------+--------------------------------------------------------------------------+----------------------------------------------------------------------------+
| Synthetic Data Generation | - Enables data sharing without leakage | - Synthetic-real gap in distributions |
| | - Mitigates data scarcity problems | - Potential for reconstructing private data |
| | | - Biases and labeling challenges |