Showing 1–50 of 61 results for author: Salem, A

Breaking Agents: Compromising Autonomous LLM Agents Through Malfunction Amplification

Authors: Boyang Zhang, Yicong Tan, Yun Shen, Ahmed Salem, Michael Backes, Savvas Zannettou, Yang Zhang

Abstract: Recently, autonomous agents built on large language models (LLMs) have experienced significant development and are being deployed in real-world applications. These agents can extend the base LLM's capabilities in multiple ways. For example, a well-built agent using GPT-3.5-Turbo as its core can outperform the more advanced GPT-4 model by leveraging external components. More importantly, the usage… ▽ More Recently, autonomous agents built on large language models (LLMs) have experienced significant development and are being deployed in real-world applications. These agents can extend the base LLM's capabilities in multiple ways. For example, a well-built agent using GPT-3.5-Turbo as its core can outperform the more advanced GPT-4 model by leveraging external components. More importantly, the usage of tools enables these systems to perform actions in the real world, moving from merely generating text to actively interacting with their environment. Given the agents' practical applications and their ability to execute consequential actions, it is crucial to assess potential vulnerabilities. Such autonomous systems can cause more severe damage than a standalone language model if compromised. While some existing research has explored harmful actions by LLM agents, our study approaches the vulnerability from a different perspective. We introduce a new type of attack that causes malfunctions by misleading the agent into executing repetitive or irrelevant actions. We conduct comprehensive evaluations using various attack methods, surfaces, and properties to pinpoint areas of susceptibility. Our experiments reveal that these attacks can induce failure rates exceeding 80\% in multiple scenarios. Through attacks on implemented and deployable agents in multi-agent scenarios, we accentuate the realistic risks associated with these vulnerabilities. To mitigate such attacks, we propose self-examination detection methods. However, our findings indicate these attacks are difficult to detect effectively using LLMs alone, highlighting the substantial risks associated with this vulnerability. △ Less

Submitted 30 July, 2024; originally announced July 2024.

Hey, That's My Model! Introducing Chain & Hash, An LLM Fingerprinting Technique

Authors: Mark Russinovich, Ahmed Salem

Abstract: Amid growing concerns over the ease of theft and misuse of Large Language Models (LLMs), the need for fingerprinting models has increased. Fingerprinting, in this context, means that the model owner can link a given model to their original version, thereby identifying if their model is being misused or has been completely stolen. In this paper, we first define a set five properties a successful fi… ▽ More Amid growing concerns over the ease of theft and misuse of Large Language Models (LLMs), the need for fingerprinting models has increased. Fingerprinting, in this context, means that the model owner can link a given model to their original version, thereby identifying if their model is being misused or has been completely stolen. In this paper, we first define a set five properties a successful fingerprint should satisfy; namely, the fingerprint should be Transparent, Efficient, Persistent, Robust, and Unforgeable. Next, we propose Chain & Hash, a new, simple fingerprinting approach that implements a fingerprint with a cryptographic flavor, achieving all these properties. Chain & Hash involves generating a set of questions (the fingerprints) along with a set of potential answers. These elements are hashed together using a secure hashing technique to select the value for each question, hence providing an unforgeability property-preventing adversaries from claiming false ownership. We evaluate the Chain & Hash technique on multiple models and demonstrate its robustness against benign transformations, such as fine-tuning on different datasets, and adversarial attempts to erase the fingerprint. Finally, our experiments demonstrate the efficiency of implementing Chain & Hash and its utility, where fingerprinted models achieve almost the same performance as non-fingerprinted ones across different benchmarks. △ Less

Submitted 17 July, 2024; v1 submitted 15 July, 2024; originally announced July 2024.

SOS! Soft Prompt Attack Against Open-Source Large Language Models

Authors: Ziqing Yang, Michael Backes, Yang Zhang, Ahmed Salem

Abstract: Open-source large language models (LLMs) have become increasingly popular among both the general public and industry, as they can be customized, fine-tuned, and freely used. However, some open-source LLMs require approval before usage, which has led to third parties publishing their own easily accessible versions. Similarly, third parties have been publishing fine-tuned or quantized variants of th… ▽ More Open-source large language models (LLMs) have become increasingly popular among both the general public and industry, as they can be customized, fine-tuned, and freely used. However, some open-source LLMs require approval before usage, which has led to third parties publishing their own easily accessible versions. Similarly, third parties have been publishing fine-tuned or quantized variants of these LLMs. These versions are particularly appealing to users because of their ease of access and reduced computational resource demands. This trend has increased the risk of training time attacks, compromising the integrity and security of LLMs. In this work, we present a new training time attack, SOS, which is designed to be low in computational demand and does not require clean data or modification of the model weights, thereby maintaining the model's utility intact. The attack addresses security issues in various scenarios, including the backdoor attack, jailbreak attack, and prompt stealing attack. Our experimental findings demonstrate that the proposed attack is effective across all evaluated targets. Furthermore, we present the other side of our SOS technique, namely the copyright token -- a novel technique that enables users to mark their copyrighted content and prevent models from using it. △ Less

Submitted 3 July, 2024; originally announced July 2024.

Dataset and Lessons Learned from the 2024 SaTML LLM Capture-the-Flag Competition

Authors: Edoardo Debenedetti, Javier Rando, Daniel Paleka, Silaghi Fineas Florin, Dragos Albastroiu, Niv Cohen, Yuval Lemberg, Reshmi Ghosh, Rui Wen, Ahmed Salem, Giovanni Cherubin, Santiago Zanella-Beguelin, Robin Schmid, Victor Klemm, Takahiro Miki, Chenhao Li, Stefan Kraft, Mario Fritz, Florian Tramèr, Sahar Abdelnabi, Lea Schönherr

Abstract: Large language model systems face important security risks from maliciously crafted messages that aim to overwrite the system's original instructions or leak private data. To study this problem, we organized a capture-the-flag competition at IEEE SaTML 2024, where the flag is a secret string in the LLM system prompt. The competition was organized in two phases. In the first phase, teams developed… ▽ More Large language model systems face important security risks from maliciously crafted messages that aim to overwrite the system's original instructions or leak private data. To study this problem, we organized a capture-the-flag competition at IEEE SaTML 2024, where the flag is a secret string in the LLM system prompt. The competition was organized in two phases. In the first phase, teams developed defenses to prevent the model from leaking the secret. During the second phase, teams were challenged to extract the secrets hidden for defenses proposed by the other teams. This report summarizes the main insights from the competition. Notably, we found that all defenses were bypassed at least once, highlighting the difficulty of designing a successful defense and the necessity for additional research to protect LLM systems. To foster future research in this direction, we compiled a dataset with over 137k multi-turn attack chats and open-sourced the platform. △ Less

Submitted 12 June, 2024; originally announced June 2024.

Are you still on track!? Catching LLM Task Drift with Activations

Authors: Sahar Abdelnabi, Aideen Fay, Giovanni Cherubin, Ahmed Salem, Mario Fritz, Andrew Paverd

Abstract: Large Language Models (LLMs) are routinely used in retrieval-augmented applications to orchestrate tasks and process inputs from users and other sources. These inputs, even in a single LLM interaction, can come from a variety of sources, of varying trustworthiness and provenance. This opens the door to prompt injection attacks, where the LLM receives and acts upon instructions from supposedly data… ▽ More Large Language Models (LLMs) are routinely used in retrieval-augmented applications to orchestrate tasks and process inputs from users and other sources. These inputs, even in a single LLM interaction, can come from a variety of sources, of varying trustworthiness and provenance. This opens the door to prompt injection attacks, where the LLM receives and acts upon instructions from supposedly data-only sources, thus deviating from the user's original instructions. We define this as task drift, and we propose to catch it by scanning and analyzing the LLM's activations. We compare the LLM's activations before and after processing the external input in order to detect whether this input caused instruction drift. We develop two probing methods and find that simply using a linear classifier can detect drift with near perfect ROC AUC on an out-of-distribution test set. We show that this approach generalizes surprisingly well to unseen task domains, such as prompt injections, jailbreaks, and malicious instructions, without being trained on any of these attacks. Our setup does not require any modification of the LLM (e.g., fine-tuning) or any text generation, thus maximizing deployability and cost efficiency and avoiding reliance on unreliable model output. To foster future research on activation-based task inspection, decoding, and interpretability, we will release our large-scale TaskTracker toolkit, comprising a dataset of over 500K instances, representations from 5 SoTA language models, and inspection tools. △ Less

Submitted 19 July, 2024; v1 submitted 2 June, 2024; originally announced June 2024.

Great, Now Write an Article About That: The Crescendo Multi-Turn LLM Jailbreak Attack

Authors: Mark Russinovich, Ahmed Salem, Ronen Eldan

Abstract: Large Language Models (LLMs) have risen significantly in popularity and are increasingly being adopted across multiple applications. These LLMs are heavily aligned to resist engaging in illegal or unethical topics as a means to avoid contributing to responsible AI harms. However, a recent line of attacks, known as "jailbreaks", seek to overcome this alignment. Intuitively, jailbreak attacks aim to… ▽ More Large Language Models (LLMs) have risen significantly in popularity and are increasingly being adopted across multiple applications. These LLMs are heavily aligned to resist engaging in illegal or unethical topics as a means to avoid contributing to responsible AI harms. However, a recent line of attacks, known as "jailbreaks", seek to overcome this alignment. Intuitively, jailbreak attacks aim to narrow the gap between what the model can do and what it is willing to do. In this paper, we introduce a novel jailbreak attack called Crescendo. Unlike existing jailbreak methods, Crescendo is a multi-turn jailbreak that interacts with the model in a seemingly benign manner. It begins with a general prompt or question about the task at hand and then gradually escalates the dialogue by referencing the model's replies, progressively leading to a successful jailbreak. We evaluate Crescendo on various public systems, including ChatGPT, Gemini Pro, Gemini-Ultra, LlaMA-2 70b Chat, and Anthropic Chat. Our results demonstrate the strong efficacy of Crescendo, with it achieving high attack success rates across all evaluated models and tasks. Furthermore, we introduce Crescendomation, a tool that automates the Crescendo attack, and our evaluation showcases its effectiveness against state-of-the-art models. △ Less

Submitted 2 April, 2024; originally announced April 2024.

User Clustering for STAR-RIS Assisted Full-Duplex NOMA Communication Systems

Authors: Abdelhamid Salem, Kai-Kit Wong, Chan-Byoung Chae, Yangyang Zhang

Abstract: In contrast to conventional reconfigurable intelligent surface (RIS), simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has been proposed recently to enlarge the serving area from 180o to 360o coverage. This work considers the performance of a STAR-RIS aided full-duplex (FD) non-orthogonal multiple access (NOMA) communication systems. The STAR-RIS is implemente… ▽ More In contrast to conventional reconfigurable intelligent surface (RIS), simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has been proposed recently to enlarge the serving area from 180o to 360o coverage. This work considers the performance of a STAR-RIS aided full-duplex (FD) non-orthogonal multiple access (NOMA) communication systems. The STAR-RIS is implemented at the cell-edge to assist the cell-edge users, while the cell-center users can communicate directly with a FD base station (BS). We first introduce new user clustering schemes for the downlink and uplink transmissions. Then, based on the proposed transmission schemes closed-form expressions of the ergodic rates in the downlink and uplink modes are derived taking into account the system impairments caused by the self interference at the FD-BS and the imperfect successive interference cancellation (SIC). Moreover, an optimization problem to maximize the total sum-rate is formulated and solved by optimizing the amplitudes and the phase-shifts of the STAR-RIS elements and allocating the transmit power efficiently. The performance of the proposed user clustering schemes and the optimal STAR-RIS design are investigated through numerical results △ Less

Submitted 31 December, 2023; originally announced January 2024.

Comments: arXiv admin note: text overlap with arXiv:2309.15037

Maatphor: Automated Variant Analysis for Prompt Injection Attacks

Authors: Ahmed Salem, Andrew Paverd, Boris Köpf

Abstract: Prompt injection has emerged as a serious security threat to large language models (LLMs). At present, the current best-practice for defending against newly-discovered prompt injection techniques is to add additional guardrails to the system (e.g., by updating the system prompt or using classifiers on the input and/or output of the model.) However, in the same way that variants of a piece of malwa… ▽ More Prompt injection has emerged as a serious security threat to large language models (LLMs). At present, the current best-practice for defending against newly-discovered prompt injection techniques is to add additional guardrails to the system (e.g., by updating the system prompt or using classifiers on the input and/or output of the model.) However, in the same way that variants of a piece of malware are created to evade anti-virus software, variants of a prompt injection can be created to evade the LLM's guardrails. Ideally, when a new prompt injection technique is discovered, candidate defenses should be tested not only against the successful prompt injection, but also against possible variants. In this work, we present, a tool to assist defenders in performing automated variant analysis of known prompt injection attacks. This involves solving two main challenges: (1) automatically generating variants of a given prompt according, and (2) automatically determining whether a variant was effective based only on the output of the model. This tool can also assist in generating datasets for jailbreak and prompt injection attacks, thus overcoming the scarcity of data in this domain. We evaluate Maatphor on three different types of prompt injection tasks. Starting from an ineffective (0%) seed prompt, Maatphor consistently generates variants that are at least 60% effective within the first 40 iterations. △ Less

Submitted 12 December, 2023; originally announced December 2023.

Rethinking Privacy in Machine Learning Pipelines from an Information Flow Control Perspective

Authors: Lukas Wutschitz, Boris Köpf, Andrew Paverd, Saravan Rajmohan, Ahmed Salem, Shruti Tople, Santiago Zanella-Béguelin, Menglin Xia, Victor Rühle

Abstract: Modern machine learning systems use models trained on ever-growing corpora. Typically, metadata such as ownership, access control, or licensing information is ignored during training. Instead, to mitigate privacy risks, we rely on generic techniques such as dataset sanitization and differentially private model training, with inherent privacy/utility trade-offs that hurt model performance. Moreover… ▽ More Modern machine learning systems use models trained on ever-growing corpora. Typically, metadata such as ownership, access control, or licensing information is ignored during training. Instead, to mitigate privacy risks, we rely on generic techniques such as dataset sanitization and differentially private model training, with inherent privacy/utility trade-offs that hurt model performance. Moreover, these techniques have limitations in scenarios where sensitive information is shared across multiple participants and fine-grained access control is required. By ignoring metadata, we therefore miss an opportunity to better address security, privacy, and confidentiality challenges. In this paper, we take an information flow control perspective to describe machine learning systems, which allows us to leverage metadata such as access control policies and define clear-cut privacy and confidentiality guarantees with interpretable information flows. Under this perspective, we contrast two different approaches to achieve user-level non-interference: 1) fine-tuning per-user models, and 2) retrieval augmented models that access user-specific datasets at inference time. We compare these two approaches to a trivially non-interfering zero-shot baseline using a public model and to a baseline that fine-tunes this model on the whole corpus. We evaluate trained models on two datasets of scientific articles and demonstrate that retrieval augmented architectures deliver the best utility, scalability, and flexibility while satisfying strict non-interference guarantees. △ Less

Submitted 27 November, 2023; originally announced November 2023.

Comprehensive Assessment of Toxicity in ChatGPT

Authors: Boyang Zhang, Xinyue Shen, Wai Man Si, Zeyang Sha, Zeyuan Chen, Ahmed Salem, Yun Shen, Michael Backes, Yang Zhang

Abstract: Moderating offensive, hateful, and toxic language has always been an important but challenging topic in the domain of safe use in NLP. The emerging large language models (LLMs), such as ChatGPT, can potentially further accentuate this threat. Previous works have discovered that ChatGPT can generate toxic responses using carefully crafted inputs. However, limited research has been done to systemati… ▽ More Moderating offensive, hateful, and toxic language has always been an important but challenging topic in the domain of safe use in NLP. The emerging large language models (LLMs), such as ChatGPT, can potentially further accentuate this threat. Previous works have discovered that ChatGPT can generate toxic responses using carefully crafted inputs. However, limited research has been done to systematically examine when ChatGPT generates toxic responses. In this paper, we comprehensively evaluate the toxicity in ChatGPT by utilizing instruction-tuning datasets that closely align with real-world scenarios. Our results show that ChatGPT's toxicity varies based on different properties and settings of the prompts, including tasks, domains, length, and languages. Notably, prompts in creative writing tasks can be 2x more likely than others to elicit toxic responses. Prompting in German and Portuguese can also double the response toxicity. Additionally, we discover that certain deliberately toxic prompts, designed in earlier studies, no longer yield harmful responses. We hope our discoveries can guide model developers to better regulate these AI systems and the users to avoid undesirable outputs. △ Less

Submitted 3 November, 2023; originally announced November 2023.

Last One Standing: A Comparative Analysis of Security and Privacy of Soft Prompt Tuning, LoRA, and In-Context Learning

Authors: Rui Wen, Tianhao Wang, Michael Backes, Yang Zhang, Ahmed Salem

Abstract: Large Language Models (LLMs) are powerful tools for natural language processing, enabling novel applications and user experiences. However, to achieve optimal performance, LLMs often require adaptation with private data, which poses privacy and security challenges. Several techniques have been proposed to adapt LLMs with private data, such as Low-Rank Adaptation (LoRA), Soft Prompt Tuning (SPT), a… ▽ More Large Language Models (LLMs) are powerful tools for natural language processing, enabling novel applications and user experiences. However, to achieve optimal performance, LLMs often require adaptation with private data, which poses privacy and security challenges. Several techniques have been proposed to adapt LLMs with private data, such as Low-Rank Adaptation (LoRA), Soft Prompt Tuning (SPT), and In-Context Learning (ICL), but their comparative privacy and security properties have not been systematically investigated. In this work, we fill this gap by evaluating the robustness of LoRA, SPT, and ICL against three types of well-established attacks: membership inference, which exposes data leakage (privacy); backdoor, which injects malicious behavior (security); and model stealing, which can violate intellectual property (privacy and security). Our results show that there is no silver bullet for privacy and security in LLM adaptation and each technique has different strengths and weaknesses. △ Less

Submitted 17 October, 2023; originally announced October 2023.

STAR-RIS Assisted Full-Duplex Communication Networks

Authors: Abdelhamid Salem, Kai-Kit Wong, Chan-Byoung Chae, Yangyang Zhang

Abstract: Different from conventional reconfigurable intelligent surfaces (RIS), a recent innovation called simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has emerged, aimed at achieving complete 360-degree coverage in communication networks. Additionally, fullduplex (FD) technology is recognized as a potent approach for enhancing spectral efficiency by enabling simul… ▽ More Different from conventional reconfigurable intelligent surfaces (RIS), a recent innovation called simultaneous transmitting and reflecting reconfigurable intelligent surface (STAR-RIS) has emerged, aimed at achieving complete 360-degree coverage in communication networks. Additionally, fullduplex (FD) technology is recognized as a potent approach for enhancing spectral efficiency by enabling simultaneous transmission and reception within the same time and frequency resources. In this study, we investigate the performance of a STAR-RIS-assisted FD communication system. The STAR-RIS is strategically placed at the cell-edge to facilitate communication for users located in this challenging region, while cell-center users can communicate directly with the FD base station (BS). We employ a non-orthogonal multiple access (NOMA) pairing scheme and account for system impairments, such as self-interference at the BS and imperfect successive interference cancellation (SIC). We derive closed-form expressions for the ergodic rates in both the up-link and down-link communications and extend our analysis to bidirectional communication between cell-center and cell-edge users. Furthermore, we formulate an optimization problem aimed at maximizing the ergodic sum-rate. This optimization involves adjusting the amplitudes and phase-shifts of the STAR-RIS elements and allocating total transmit power efficiently. To gain deeper insights into the achievable rates of STAR-RIS-aided FD systems, we explore the impact of various system parameters through numerical results. △ Less

Submitted 26 September, 2023; originally announced September 2023.

Deconstructing Classifiers: Towards A Data Reconstruction Attack Against Text Classification Models

Authors: Adel Elmahdy, Ahmed Salem

Abstract: Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLM, while classification models were assumed to be more se… ▽ More Natural language processing (NLP) models have become increasingly popular in real-world applications, such as text classification. However, they are vulnerable to privacy attacks, including data reconstruction attacks that aim to extract the data used to train the model. Most previous studies on data reconstruction attacks have focused on LLM, while classification models were assumed to be more secure. In this work, we propose a new targeted data reconstruction attack called the Mix And Match attack, which takes advantage of the fact that most classification models are based on LLM. The Mix And Match attack uses the base model of the target model to generate candidate tokens and then prunes them using the classification head. We extensively demonstrate the effectiveness of the attack using both random and organic canaries. This work highlights the importance of considering the privacy risks associated with data reconstruction attacks in classification models and offers insights into possible leakages. △ Less

Submitted 23 June, 2023; originally announced June 2023.

Comments: 17 pages, 6 figures, 4 tables

Two-in-One: A Model Hijacking Attack Against Text Generation Models

Authors: Wai Man Si, Michael Backes, Yang Zhang, Ahmed Salem

Abstract: Machine learning has progressed significantly in various applications ranging from face recognition to text generation. However, its success has been accompanied by different attacks. Recently a new attack has been proposed which raises both accountability and parasitic computing risks, namely the model hijacking attack. Nevertheless, this attack has only focused on image classification tasks. In… ▽ More Machine learning has progressed significantly in various applications ranging from face recognition to text generation. However, its success has been accompanied by different attacks. Recently a new attack has been proposed which raises both accountability and parasitic computing risks, namely the model hijacking attack. Nevertheless, this attack has only focused on image classification tasks. In this work, we broaden the scope of this attack to include text generation and classification models, hence showing its broader applicability. More concretely, we propose a new model hijacking attack, Ditto, that can hijack different text classification tasks into multiple generation ones, e.g., language translation, text summarization, and language modeling. We use a range of text benchmark datasets such as SST-2, TweetEval, AGnews, QNLI, and IMDB to evaluate the performance of our attacks. Our results show that by using Ditto, an adversary can successfully hijack text generation models without jeopardizing their utility. △ Less

Submitted 12 May, 2023; originally announced May 2023.

Comments: To appear in the 32nd USENIX Security Symposium, August 2023, Anaheim, CA, USA

Analyzing Leakage of Personally Identifiable Information in Language Models

Authors: Nils Lukas, Ahmed Salem, Robert Sim, Shruti Tople, Lukas Wutschitz, Santiago Zanella-Béguelin

Abstract: Language Models (LMs) have been shown to leak information about training data through sentence-level membership inference and reconstruction attacks. Understanding the risk of LMs leaking Personally Identifiable Information (PII) has received less attention, which can be attributed to the false assumption that dataset curation techniques such as scrubbing are sufficient to prevent PII leakage. Scr… ▽ More Language Models (LMs) have been shown to leak information about training data through sentence-level membership inference and reconstruction attacks. Understanding the risk of LMs leaking Personally Identifiable Information (PII) has received less attention, which can be attributed to the false assumption that dataset curation techniques such as scrubbing are sufficient to prevent PII leakage. Scrubbing techniques reduce but do not prevent the risk of PII leakage: in practice scrubbing is imperfect and must balance the trade-off between minimizing disclosure and preserving the utility of the dataset. On the other hand, it is unclear to which extent algorithmic defenses such as differential privacy, designed to guarantee sentence- or user-level privacy, prevent PII disclosure. In this work, we introduce rigorous game-based definitions for three types of PII leakage via black-box extraction, inference, and reconstruction attacks with only API access to an LM. We empirically evaluate the attacks against GPT-2 models fine-tuned with and without defenses in three domains: case law, health care, and e-mails. Our main contributions are (i) novel attacks that can extract up to 10$\times$ more PII sequences than existing attacks, (ii) showing that sentence-level differential privacy reduces the risk of PII disclosure but still leaks about 3% of PII sequences, and (iii) a subtle connection between record-level membership inference and PII reconstruction. Code to reproduce all experiments in the paper is available at https://github.com/microsoft/analysing_pii_leakage. △ Less

Submitted 23 April, 2023; v1 submitted 1 February, 2023; originally announced February 2023.

Comments: IEEE Symposium on Security and Privacy (S&P) 2023

Multi-limb Split Learning for Tumor Classification on Vertically Distributed Data

Authors: Omar S. Ads, Mayar M. Alfares, Mohammed A. -M. Salem

Abstract: Brain tumors are one of the life-threatening forms of cancer. Previous studies have classified brain tumors using deep neural networks. In this paper, we perform the later task using a collaborative deep learning technique, more specifically split learning. Split learning allows collaborative learning via neural networks splitting into two (or more) parts, a client-side network and a server-side n… ▽ More Brain tumors are one of the life-threatening forms of cancer. Previous studies have classified brain tumors using deep neural networks. In this paper, we perform the later task using a collaborative deep learning technique, more specifically split learning. Split learning allows collaborative learning via neural networks splitting into two (or more) parts, a client-side network and a server-side network. The client-side is trained to a certain layer called the cut layer. Then, the rest of the training is resumed on the server-side network. Vertical distribution, a method for distributing data among organizations, was implemented where several hospitals hold different attributes of information for the same set of patients. To the best of our knowledge this paper will be the first paper to implement both split learning and vertical distribution for brain tumor classification. Using both techniques, we were able to achieve train and test accuracy greater than 90\% and 70\%, respectively. △ Less

Submitted 26 January, 2023; originally announced January 2023.

Journal ref: 2021 Tenth International Conference on Intelligent Computing and Information Systems (ICICIS) (pp. 88-92). IEEE

Impact of Phase-Shift Error on the Secrecy Performance of Uplink RIS Communication Systems

Authors: Abdelhamid Salem, Kai-Kit Wong, Chan-Byoung Chae

Abstract: Reconfigurable intelligent surface (RIS) has been recognized as a promising technique for the sixth generation (6G) of mobile communication networks. The key feature of RIS is to reconfigure the propagation environment via smart signal reflections. In addition, active RIS schemes have been recently proposed to overcome the deep path loss attenuation inherent in the RIS-aided communication systems.… ▽ More Reconfigurable intelligent surface (RIS) has been recognized as a promising technique for the sixth generation (6G) of mobile communication networks. The key feature of RIS is to reconfigure the propagation environment via smart signal reflections. In addition, active RIS schemes have been recently proposed to overcome the deep path loss attenuation inherent in the RIS-aided communication systems. Accordingly, this paper considers the secrecy performance of up-link RIS-aided multiple users multiple-input single-output (MU-MISO) communication systems, in the presence of multiple passive eavesdroppers. In contrast to the existing works, we investigate the impact of the RIS phase shift errors on the secrecy performance. Taking into account the complex environment, where a general Rician channel model is adopted for all the communication links, closed-form approximate expressions for the ergodic secrecy rate are derived for three RIS configurations, namely, i) passive RIS, ii) active RIS, iii) active RIS with energy harvesting (EH RIS). Then, based on the derived expressions, we optimize the phase shifts at the RIS to enhance the system performance. In addition, the best RIS configuration selection is considered for a given target secrecy rate and amount of the power available at the users. Finally, Monte-Carlo simulations are provided to verify the accuracy of the analysis, and the impact of different system parameters on the secrecy performance is investigated. The results in this paper show that, an active RIS scheme can be implemented to enhance the secrecy performance of RIS-aided communication systems with phase shift errors, especially when the users have limited transmission power. △ Less

Submitted 31 December, 2022; originally announced January 2023.

Rethinking Dense Cells for Integrated Sensing and Communications: A Stochastic Geometric View

Authors: Abdelhamid Salem, Kaitao Meng, Christos Masouros, Fan Liu, David López-Pérez

Abstract: The inclusion of the sensing functionality in the coming generations of cellular networks necessitates a rethink of dense cell deployments. In this paper, we analyze and optimize dense cell topologies for dual-functional radar-communication (DFRC) cellular networks. With the aid of tools from stochastic geometry, we derive new analytical expressions of the potential area spectral efficiencies in (… ▽ More The inclusion of the sensing functionality in the coming generations of cellular networks necessitates a rethink of dense cell deployments. In this paper, we analyze and optimize dense cell topologies for dual-functional radar-communication (DFRC) cellular networks. With the aid of tools from stochastic geometry, we derive new analytical expressions of the potential area spectral efficiencies in (bit/sec/m2) of radar and communication systems. Based on the new formulations of the potential area spectral efficiencies, the energy efficiency (bit/Joule) of DFRC systems is provided in a closed-form formula. Then, an optimization problem to obtain the optimal base station (BS) density that maximizes the network-level energy efficiency is formulated and investigated. In this regard, the mathematical expression of the energy efficiency is shown to be a uni-modal and pseudo-concave function in the density of the BSs. Therefore, the optimal density of the BSs that maximizes the energy efficiency can be obtained. Our analytical and numerical results demonstrate that the inclusion of the sensing functionality clearly differentiates the optimal BS topologies for the DFRC systems against classical communication-only systems. △ Less

Submitted 26 August, 2023; v1 submitted 25 December, 2022; originally announced December 2022.

Comments: 30 pages

SoK: Let the Privacy Games Begin! A Unified Treatment of Data Inference Privacy in Machine Learning

Authors: Ahmed Salem, Giovanni Cherubin, David Evans, Boris Köpf, Andrew Paverd, Anshuman Suri, Shruti Tople, Santiago Zanella-Béguelin

Abstract: Deploying machine learning models in production may allow adversaries to infer sensitive information about training data. There is a vast literature analyzing different types of inference risks, ranging from membership inference to reconstruction attacks. Inspired by the success of games (i.e., probabilistic experiments) to study security properties in cryptography, some authors describe privacy i… ▽ More Deploying machine learning models in production may allow adversaries to infer sensitive information about training data. There is a vast literature analyzing different types of inference risks, ranging from membership inference to reconstruction attacks. Inspired by the success of games (i.e., probabilistic experiments) to study security properties in cryptography, some authors describe privacy inference risks in machine learning using a similar game-based style. However, adversary capabilities and goals are often stated in subtly different ways from one presentation to the other, which makes it hard to relate and compose results. In this paper, we present a game-based framework to systematize the body of knowledge on privacy inference risks in machine learning. We use this framework to (1) provide a unifying structure for definitions of inference risks, (2) formally establish known relations among definitions, and (3) to uncover hitherto unknown relations that would have been difficult to spot otherwise. △ Less

Submitted 20 April, 2023; v1 submitted 21 December, 2022; originally announced December 2022.

Comments: 20 pages, to appear in 2023 IEEE Symposium on Security and Privacy

Variation-based Cause Effect Identification

Authors: Mohamed Amine ben Salem, Karim Said Barsim, Bin Yang

Abstract: Mining genuine mechanisms underlying the complex data generation process in real-world systems is a fundamental step in promoting interpretability of, and thus trust in, data-driven models. Therefore, we propose a variation-based cause effect identification (VCEI) framework for causal discovery in bivariate systems from a single observational setting. Our framework relies on the principle of indep… ▽ More Mining genuine mechanisms underlying the complex data generation process in real-world systems is a fundamental step in promoting interpretability of, and thus trust in, data-driven models. Therefore, we propose a variation-based cause effect identification (VCEI) framework for causal discovery in bivariate systems from a single observational setting. Our framework relies on the principle of independence of cause and mechanism (ICM) under the assumption of an existing acyclic causal link, and offers a practical realization of this principle. Principally, we artificially construct two settings in which the marginal distributions of one covariate, claimed to be the cause, are guaranteed to have non-negligible variations. This is achieved by re-weighting samples of the marginal so that the resultant distribution is notably distinct from this marginal according to some discrepancy measure. In the causal direction, such variations are expected to have no impact on the effect generation mechanism. Therefore, quantifying the impact of these variations on the conditionals reveals the genuine causal direction. Moreover, we formulate our approach in the kernel-based maximum mean discrepancy, lifting all constraints on the data types of cause-and-effect covariates, and rendering such artificial interventions a convex optimization problem. We provide a series of experiments on real and synthetic data showing that VCEI is, in principle, competitive to other cause effect identification frameworks. △ Less

Submitted 22 November, 2022; originally announced November 2022.

Quantitative Assessment of Drought Impacts Using XGBoost based on the Drought Impact Reporter

Authors: Beichen Zhang, Fatima K. Abu Salem, Michael J. Hayes, Tsegaye Tadesse

Abstract: Under climate change, the increasing frequency, intensity, and spatial extent of drought events lead to higher socio-economic costs. However, the relationships between the hydro-meteorological indicators and drought impacts are not identified well yet because of the complexity and data scarcity. In this paper, we proposed a framework based on the extreme gradient model (XGBoost) for Texas to predi… ▽ More Under climate change, the increasing frequency, intensity, and spatial extent of drought events lead to higher socio-economic costs. However, the relationships between the hydro-meteorological indicators and drought impacts are not identified well yet because of the complexity and data scarcity. In this paper, we proposed a framework based on the extreme gradient model (XGBoost) for Texas to predict multi-category drought impacts and connected a typical drought indicator, Standardized Precipitation Index (SPI), to the text-based impacts from the Drought Impact Reporter (DIR). The preliminary results of this study showed an outstanding performance of the well-trained models to assess drought impacts on agriculture, fire, society & public health, plants & wildlife, as well as relief, response & restrictions in Texas. It also provided a possibility to appraise drought impacts using hydro-meteorological indicators with the proposed framework in the United States, which could help drought risk management by giving additional information and improving the updating frequency of drought impacts. Our interpretation results using the Shapley additive explanation (SHAP) interpretability technique revealed that the rules guiding the predictions of XGBoost comply with domain expertise knowledge around the role that SPI indicators play around drought impacts. △ Less

Submitted 4 November, 2022; originally announced November 2022.

Comments: 4 pages with 2 figures and 1 table. NeurIPS workshop on Tackling Climate Change with Machine Learning, 2020

NOMA Made Practical: Removing the Receive SIC Processing through Interference Exploitation

Authors: Abdelhamid Salem, Xiao Tong, Ang Li, Christos Masouros

Abstract: Non-orthogonal multiple access (NOMA) is a powerful transmission technique that enhances the spectral efficiency of communication links, and is being investigated for 5G standards and beyond. A major drawback of NOMA is the need to apply successive interference cancellation (SIC) at the receiver on a symbol-by-symbol basis, which limits its practicality. To circumvent this, in this paper a novel c… ▽ More Non-orthogonal multiple access (NOMA) is a powerful transmission technique that enhances the spectral efficiency of communication links, and is being investigated for 5G standards and beyond. A major drawback of NOMA is the need to apply successive interference cancellation (SIC) at the receiver on a symbol-by-symbol basis, which limits its practicality. To circumvent this, in this paper a novel constructive multiple access (CoMA) scheme is proposed and investigated. CoMA aligns the superimposed signals to the different users constructively to the signal of interest. Since the superimposed signal aligns with the data signal, there is no need to remove it at the receiver using SIC. Accordingly, SIC component can be removed at the receiver side. In this regard and in order to provide a comprehensive investigation and comparison, different optimization problems for user paring NOMA multiple-input-single-output (MISO) systems are considered. Firstly, an optimal precoder to minimize the total transmission power for CoMA subject to a quality-of-service constraint is obtained, and compared to conventional NOMA. Then, a precoder that minimizes the CoMA symbol error rate (SER) subject to power constraint is investigated. Further, the computational complexity of CoMA is considered and compared with conventional NOMA scheme in terms of total number of complex operations. The results in this paper prove the superiority of the proposed CoMA scheme over the conventional NOMA technique, and demonstrate that CoMA is an attractive solution for user paring NOMA MISO systems with low number of BS antennas, while circumventing the receive SIC complexity. △ Less

Submitted 15 October, 2022; originally announced October 2022.

UnGANable: Defending Against GAN-based Face Manipulation

Authors: Zheng Li, Ning Yu, Ahmed Salem, Michael Backes, Mario Fritz, Yang Zhang

Abstract: Deepfakes pose severe threats of visual misinformation to our society. One representative deepfake application is face manipulation that modifies a victim's facial attributes in an image, e.g., changing her age or hair color. The state-of-the-art face manipulation techniques rely on Generative Adversarial Networks (GANs). In this paper, we propose the first defense system, namely UnGANable, agains… ▽ More Deepfakes pose severe threats of visual misinformation to our society. One representative deepfake application is face manipulation that modifies a victim's facial attributes in an image, e.g., changing her age or hair color. The state-of-the-art face manipulation techniques rely on Generative Adversarial Networks (GANs). In this paper, we propose the first defense system, namely UnGANable, against GAN-inversion-based face manipulation. In specific, UnGANable focuses on defending GAN inversion, an essential step for face manipulation. Its core technique is to search for alternative images (called cloaked images) around the original images (called target images) in image space. When posted online, these cloaked images can jeopardize the GAN inversion process. We consider two state-of-the-art inversion techniques including optimization-based inversion and hybrid inversion, and design five different defenses under five scenarios depending on the defender's background knowledge. Extensive experiments on four popular GAN models trained on two benchmark face datasets show that UnGANable achieves remarkable effectiveness and utility performance, and outperforms multiple baseline methods. We further investigate four adaptive adversaries to bypass UnGANable and show that some of them are slightly effective. △ Less

Submitted 3 October, 2022; originally announced October 2022.

Comments: Accepted by USENIX Security 2023

Bayesian Estimation of Differential Privacy

Authors: Santiago Zanella-Béguelin, Lukas Wutschitz, Shruti Tople, Ahmed Salem, Victor Rühle, Andrew Paverd, Mohammad Naseri, Boris Köpf, Daniel Jones

Abstract: Algorithms such as Differentially Private SGD enable training machine learning models with formal privacy guarantees. However, there is a discrepancy between the protection that such algorithms guarantee in theory and the protection they afford in practice. An emerging strand of work empirically estimates the protection afforded by differentially private training as a confidence interval for the p… ▽ More Algorithms such as Differentially Private SGD enable training machine learning models with formal privacy guarantees. However, there is a discrepancy between the protection that such algorithms guarantee in theory and the protection they afford in practice. An emerging strand of work empirically estimates the protection afforded by differentially private training as a confidence interval for the privacy budget $\varepsilon$ spent on training a model. Existing approaches derive confidence intervals for $\varepsilon$ from confidence intervals for the false positive and false negative rates of membership inference attacks. Unfortunately, obtaining narrow high-confidence intervals for $ε$ using this method requires an impractically large sample size and training as many models as samples. We propose a novel Bayesian method that greatly reduces sample size, and adapt and validate a heuristic to draw more than one sample per trained model. Our Bayesian method exploits the hypothesis testing interpretation of differential privacy to obtain a posterior for $\varepsilon$ (not just a confidence interval) from the joint posterior of the false positive and false negative rates of membership inference attacks. For the same sample size and confidence, we derive confidence intervals for $\varepsilon$ around 40% narrower than prior work. The heuristic, which we adapt from label-only DP, can be used to further reduce the number of trained models needed to get enough samples by up to 2 orders of magnitude. △ Less

Submitted 15 June, 2022; v1 submitted 10 June, 2022; originally announced June 2022.

Comments: 17 pages, 8 figures. Joint main authors: Santiago Zanella-Béguelin, Lukas Wutschitz, and Shruti Tople

Improving VANET's Performance by Incorporated Fog-Cloud Layer (FCL)

Authors: Ghassan Samara, Mohammed Rasmi, Nael A Sweerky, Essam Al Daoud, Amer Abu Salem

Abstract: Because of its usefulness in various fields including as safety applications, traffic control applications, and entertainment applications, VANET is an essential topic that is now being investigated intensively. VANET confronts numerous challenges in terms of reaction time, storage capacity, and reliability, particularly in real-time applications. As a result, merging cloud computing and cloud com… ▽ More Because of its usefulness in various fields including as safety applications, traffic control applications, and entertainment applications, VANET is an essential topic that is now being investigated intensively. VANET confronts numerous challenges in terms of reaction time, storage capacity, and reliability, particularly in real-time applications. As a result, merging cloud computing and cloud computing has recently been researched. The goal of this study is to develop a system that merges the fog and cloud layers into a single layer known as the included fog-cloud layer. To lower the time it takes for real-time applications on VANETs to respond while also improving data flow management over the Internet and achieving an efficient perception service while avoiding the high cost of cloud connectivity. △ Less

Submitted 30 March, 2022; originally announced April 2022.

Comments: 5 pages

Journal ref: 2021 22nd International Arab Conference on Information Technology (ACIT)

Get a Model! Model Hijacking Attack Against Machine Learning Models

Authors: Ahmed Salem, Michael Backes, Yang Zhang

Abstract: Machine learning (ML) has established itself as a cornerstone for various critical applications ranging from autonomous driving to authentication systems. However, with this increasing adoption rate of machine learning models, multiple attacks have emerged. One class of such attacks is training time attack, whereby an adversary executes their attack before or during the machine learning model trai… ▽ More Machine learning (ML) has established itself as a cornerstone for various critical applications ranging from autonomous driving to authentication systems. However, with this increasing adoption rate of machine learning models, multiple attacks have emerged. One class of such attacks is training time attack, whereby an adversary executes their attack before or during the machine learning model training. In this work, we propose a new training time attack against computer vision based machine learning models, namely model hijacking attack. The adversary aims to hijack a target model to execute a different task than its original one without the model owner noticing. Model hijacking can cause accountability and security risks since a hijacked model owner can be framed for having their model offering illegal or unethical services. Model hijacking attacks are launched in the same way as existing data poisoning attacks. However, one requirement of the model hijacking attack is to be stealthy, i.e., the data samples used to hijack the target model should look similar to the model's original training dataset. To this end, we propose two different model hijacking attacks, namely Chameleon and Adverse Chameleon, based on a novel encoder-decoder style ML model, namely the Camouflager. Our evaluation shows that both of our model hijacking attacks achieve a high attack success rate, with a negligible drop in model utility. △ Less

Submitted 8 November, 2021; originally announced November 2021.

Comments: To Appear in NDSS 2022

ML-Doctor: Holistic Risk Assessment of Inference Attacks Against Machine Learning Models

Authors: Yugeng Liu, Rui Wen, Xinlei He, Ahmed Salem, Zhikun Zhang, Michael Backes, Emiliano De Cristofaro, Mario Fritz, Yang Zhang

Abstract: Inference attacks against Machine Learning (ML) models allow adversaries to learn sensitive information about training data, model parameters, etc. While researchers have studied, in depth, several kinds of attacks, they have done so in isolation. As a result, we lack a comprehensive picture of the risks caused by the attacks, e.g., the different scenarios they can be applied to, the common factor… ▽ More Inference attacks against Machine Learning (ML) models allow adversaries to learn sensitive information about training data, model parameters, etc. While researchers have studied, in depth, several kinds of attacks, they have done so in isolation. As a result, we lack a comprehensive picture of the risks caused by the attacks, e.g., the different scenarios they can be applied to, the common factors that influence their performance, the relationship among them, or the effectiveness of possible defenses. In this paper, we fill this gap by presenting a first-of-its-kind holistic risk assessment of different inference attacks against machine learning models. We concentrate on four attacks -- namely, membership inference, model inversion, attribute inference, and model stealing -- and establish a threat model taxonomy. Our extensive experimental evaluation, run on five model architectures and four image datasets, shows that the complexity of the training dataset plays an important role with respect to the attack's performance, while the effectiveness of model stealing and membership inference attacks are negatively correlated. We also show that defenses like DP-SGD and Knowledge Distillation can only mitigate some of the inference attacks. Our analysis relies on a modular re-usable software, ML-Doctor, which enables ML model owners to assess the risks of deploying their models, and equally serves as a benchmark tool for researchers and practitioners. △ Less

Submitted 6 October, 2021; v1 submitted 4 February, 2021; originally announced February 2021.

Don't Trigger Me! A Triggerless Backdoor Attack Against Deep Neural Networks

Authors: Ahmed Salem, Michael Backes, Yang Zhang

Abstract: Backdoor attack against deep neural networks is currently being profoundly investigated due to its severe security consequences. Current state-of-the-art backdoor attacks require the adversary to modify the input, usually by adding a trigger to it, for the target model to activate the backdoor. This added trigger not only increases the difficulty of launching the backdoor attack in the physical wo… ▽ More Backdoor attack against deep neural networks is currently being profoundly investigated due to its severe security consequences. Current state-of-the-art backdoor attacks require the adversary to modify the input, usually by adding a trigger to it, for the target model to activate the backdoor. This added trigger not only increases the difficulty of launching the backdoor attack in the physical world, but also can be easily detected by multiple defense mechanisms. In this paper, we present the first triggerless backdoor attack against deep neural networks, where the adversary does not need to modify the input for triggering the backdoor. Our attack is based on the dropout technique. Concretely, we associate a set of target neurons that are dropped out during model training with the target label. In the prediction phase, the model will output the target label when the target neurons are dropped again, i.e., the backdoor attack is launched. This triggerless feature of our attack makes it practical in the physical world. Extensive experiments show that our triggerless backdoor attack achieves a perfect attack success rate with a negligible damage to the model's utility. △ Less

Submitted 7 October, 2020; originally announced October 2020.

BAAAN: Backdoor Attacks Against Autoencoder and GAN-Based Machine Learning Models

Authors: Ahmed Salem, Yannick Sautter, Michael Backes, Mathias Humbert, Yang Zhang

Abstract: The tremendous progress of autoencoders and generative adversarial networks (GANs) has led to their application to multiple critical tasks, such as fraud detection and sanitized data generation. This increasing adoption has fostered the study of security and privacy risks stemming from these models. However, previous works have mainly focused on membership inference attacks. In this work, we explo… ▽ More The tremendous progress of autoencoders and generative adversarial networks (GANs) has led to their application to multiple critical tasks, such as fraud detection and sanitized data generation. This increasing adoption has fostered the study of security and privacy risks stemming from these models. However, previous works have mainly focused on membership inference attacks. In this work, we explore one of the most severe attacks against machine learning models, namely the backdoor attack, against both autoencoders and GANs. The backdoor attack is a training time attack where the adversary implements a hidden backdoor in the target model that can only be activated by a secret trigger. State-of-the-art backdoor attacks focus on classification-based tasks. We extend the applicability of backdoor attacks to autoencoders and GAN-based models. More concretely, we propose the first backdoor attack against autoencoders and GANs where the adversary can control what the decoded or generated images are when the backdoor is activated. Our results show that the adversary can build a backdoored autoencoder that returns a target output for all backdoored inputs, while behaving perfectly normal on clean inputs. Similarly, for the GANs, our experiments show that the adversary can generate data from a different distribution when the backdoor is activated, while maintaining the same utility when the backdoor is not. △ Less

Submitted 8 October, 2020; v1 submitted 6 October, 2020; originally announced October 2020.

Maat: Automatically Analyzing VirusTotal for Accurate Labeling and Effective Malware Detection

Authors: Aleieldin Salem, Sebastian Banescu, Alexander Pretschner

Abstract: The malware analysis and detection research community relies on the online platform VirusTotal to label Android apps based on the scan results of around 60 antiviral scanners. Unfortunately, there are no standards on how to best interpret the scan results acquired from VirusTotal, which leads to the utilization of different threshold-based labeling strategies (e.g., if ten or more scanners deem an… ▽ More The malware analysis and detection research community relies on the online platform VirusTotal to label Android apps based on the scan results of around 60 antiviral scanners. Unfortunately, there are no standards on how to best interpret the scan results acquired from VirusTotal, which leads to the utilization of different threshold-based labeling strategies (e.g., if ten or more scanners deem an app malicious, it is considered malicious). While some of the utilized thresholds may be able to accurately approximate the ground truths of apps, the fact that VirusTotal changes the set and versions of the scanners it uses makes such thresholds unsustainable over time. We implemented a method, Maat, that tackles these issues of standardization and sustainability by automatically generating a Machine Learning (ML)-based labeling scheme, which outperforms threshold-based labeling strategies. Using the VirusTotal scan reports of 53K Android apps that span one year, we evaluated the applicability of Maat's ML-based labeling strategies by comparing their performance against threshold-based strategies. We found that such ML-based strategies (a) can accurately and consistently label apps based on their VirusTotal scan reports, and (b) contribute to training ML-based detection methods that are more effective at classifying out-of-sample apps than their threshold-based counterparts. △ Less

Submitted 1 July, 2020; originally announced July 2020.

Towards Accurate Labeling of Android Apps for Reliable Malware Detection

Authors: Aleieldin Salem

Abstract: In training their newly-developed malware detection methods, researchers rely on threshold-based labeling strategies that interpret the scan reports provided by online platforms, such as VirusTotal. The dynamicity of this platform renders those labeling strategies unsustainable over prolonged periods, which leads to inaccurate labels. Using inaccurately labeled apps to train and evaluate malware d… ▽ More In training their newly-developed malware detection methods, researchers rely on threshold-based labeling strategies that interpret the scan reports provided by online platforms, such as VirusTotal. The dynamicity of this platform renders those labeling strategies unsustainable over prolonged periods, which leads to inaccurate labels. Using inaccurately labeled apps to train and evaluate malware detection methods significantly undermines the reliability of their results, leading to either dismissing otherwise promising detection approaches or adopting intrinsically inadequate ones. The infeasibility of generating accurate labels via manual analysis and the lack of reliable alternatives force researchers to utilize VirusTotal to label apps. In the paper, we tackle this issue in two manners. Firstly, we reveal the aspects of VirusTotal's dynamicity and how they impact threshold-based labeling strategies and provide actionable insights on how to use these labeling strategies given VirusTotal's dynamicity reliably. Secondly, we motivate the implementation of alternative platforms by (a) identifying VirusTotal limitations that such platforms should avoid, and (b) proposing an architecture of how such platforms can be constructed to mitigate VirusTotal's limitations. △ Less

Submitted 1 July, 2020; originally announced July 2020.

BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements

Authors: Xiaoyi Chen, Ahmed Salem, Dingfan Chen, Michael Backes, Shiqing Ma, Qingni Shen, Zhonghai Wu, Yang Zhang

Abstract: Deep neural networks (DNNs) have progressed rapidly during the past decade and have been deployed in various real-world applications. Meanwhile, DNN models have been shown to be vulnerable to security and privacy attacks. One such attack that has attracted a great deal of attention recently is the backdoor attack. Specifically, the adversary poisons the target model's training set to mislead any i… ▽ More Deep neural networks (DNNs) have progressed rapidly during the past decade and have been deployed in various real-world applications. Meanwhile, DNN models have been shown to be vulnerable to security and privacy attacks. One such attack that has attracted a great deal of attention recently is the backdoor attack. Specifically, the adversary poisons the target model's training set to mislead any input with an added secret trigger to a target class. Previous backdoor attacks predominantly focus on computer vision (CV) applications, such as image classification. In this paper, we perform a systematic investigation of backdoor attack on NLP models, and propose BadNL, a general NLP backdoor attack framework including novel attack methods. Specifically, we propose three methods to construct triggers, namely BadChar, BadWord, and BadSentence, including basic and semantic-preserving variants. Our attacks achieve an almost perfect attack success rate with a negligible effect on the original model's utility. For instance, using the BadChar, our backdoor attack achieves a 98.9% attack success rate with yielding a utility improvement of 1.5% on the SST-5 dataset when only poisoning 3% of the original set. Moreover, we conduct a user study to prove that our triggers can well preserve the semantics from humans perspective. △ Less

Submitted 4 October, 2021; v1 submitted 1 June, 2020; originally announced June 2020.

Comments: To appear in Annual Computer Security Applications Conference (ACSAC) 2021

Dynamic Backdoor Attacks Against Machine Learning Models

Authors: Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, Yang Zhang

Abstract: Machine learning (ML) has made tremendous progress during the past decade and is being adopted in various critical real-world applications. However, recent research has shown that ML models are vulnerable to multiple security and privacy attacks. In particular, backdoor attacks against ML models have recently raised a lot of awareness. A successful backdoor attack can cause severe consequences, su… ▽ More Machine learning (ML) has made tremendous progress during the past decade and is being adopted in various critical real-world applications. However, recent research has shown that ML models are vulnerable to multiple security and privacy attacks. In particular, backdoor attacks against ML models have recently raised a lot of awareness. A successful backdoor attack can cause severe consequences, such as allowing an adversary to bypass critical authentication systems. Current backdooring techniques rely on adding static triggers (with fixed patterns and locations) on ML model inputs which are prone to detection by the current backdoor detection mechanisms. In this paper, we propose the first class of dynamic backdooring techniques against deep neural networks (DNN), namely Random Backdoor, Backdoor Generating Network (BaN), and conditional Backdoor Generating Network (c-BaN). Triggers generated by our techniques can have random patterns and locations, which reduce the efficacy of the current backdoor detection mechanisms. In particular, BaN and c-BaN based on a novel generative network are the first two schemes that algorithmically generate triggers. Moreover, c-BaN is the first conditional backdooring technique that given a target label, it can generate a target-specific trigger. Both BaN and c-BaN are essentially a general framework which renders the adversary the flexibility for further customizing backdoor attacks. We extensively evaluate our techniques on three benchmark datasets: MNIST, CelebA, and CIFAR-10. Our techniques achieve almost perfect attack performance on backdoored data with a negligible utility loss. We further show that our techniques can bypass current state-of-the-art defense mechanisms against backdoor attacks, including ABS, Februus, MNTD, Neural Cleanse, and STRIP. △ Less

Submitted 3 March, 2022; v1 submitted 7 March, 2020; originally announced March 2020.

MemGuard: Defending against Black-Box Membership Inference Attacks via Adversarial Examples

Authors: Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, Neil Zhenqiang Gong

Abstract: In a membership inference attack, an attacker aims to infer whether a data sample is in a target classifier's training dataset or not. Specifically, given a black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as an input and predicts the data sample to be a member or non-member of… ▽ More In a membership inference attack, an attacker aims to infer whether a data sample is in a target classifier's training dataset or not. Specifically, given a black-box access to the target classifier, the attacker trains a binary classifier, which takes a data sample's confidence score vector predicted by the target classifier as an input and predicts the data sample to be a member or non-member of the target classifier's training dataset. Membership inference attacks pose severe privacy and security threats to the training dataset. Most existing defenses leverage differential privacy when training the target classifier or regularize the training process of the target classifier. These defenses suffer from two key limitations: 1) they do not have formal utility-loss guarantees of the confidence score vectors, and 2) they achieve suboptimal privacy-utility tradeoffs. In this work, we propose MemGuard, the first defense with formal utility-loss guarantees against black-box membership inference attacks. Instead of tampering the training process of the target classifier, MemGuard adds noise to each confidence score vector predicted by the target classifier. Our key observation is that attacker uses a classifier to predict member or non-member and classifier is vulnerable to adversarial examples. Based on the observation, we propose to add a carefully crafted noise vector to a confidence score vector to turn it into an adversarial example that misleads the attacker's classifier. Our experimental results on three datasets show that MemGuard can effectively defend against membership inference attacks and achieve better privacy-utility tradeoffs than existing defenses. Our work is the first one to show that adversarial examples can be used as defensive mechanisms to defend against membership inference attacks. △ Less

Submitted 18 December, 2019; v1 submitted 23 September, 2019; originally announced September 2019.

Comments: ACM CCS 2019, code is available at this: https://github.com/jjy1994/MemGuard

Rate Splitting with Finite Constellations: The Benefits of Interference Exploitation vs Suppression

Authors: Abdelhamid Salem, Christos Masouros, Bruno Clerckx

Abstract: Rate-Splitting (RS) has been proposed recently to enhance the performance of multi-user multiple-input multiple-output (MU-MIMO) systems. In RS, a user message is split into a common and a private part, where the common part is decoded by all users, while the private part is decoded only by the intended user. In this paper, we study RS under a phase-shift keying (PSK) input alphabet for multi-user… ▽ More Rate-Splitting (RS) has been proposed recently to enhance the performance of multi-user multiple-input multiple-output (MU-MIMO) systems. In RS, a user message is split into a common and a private part, where the common part is decoded by all users, while the private part is decoded only by the intended user. In this paper, we study RS under a phase-shift keying (PSK) input alphabet for multi-user multi-antenna system and propose a constructive interference (CI) exploitation approach to further enhance the sum-rate achieved by RS under PSK signaling. To that end, new analytical expressions for the ergodic sum-rate are derived for two precoding techniques of the private messages, namely, 1) a traditional interference suppression zero-forcing (ZF) precoding approach, 2) a closed-form CI precoding approach. Our analysis is presented for perfect channel state information at the transmitter (CSIT), and is extended to imperfect CSIT knowledge. A novel power allocation strategy, specifically suited for the finite alphabet setup, is derived and shown to lead to superior performance for RS over conventional linear precoding not relying on RS (NoRS). The results in this work validate the significant sum-rate gain of RS with CI over the conventional RS with ZF and NoRS. △ Less

Submitted 19 July, 2019; originally announced July 2019.

QoS Categories Activeness-Aware Adaptive EDCA Algorithm for Dense IoT Networks

Authors: Mohammed A. Salem, Ibrahim F. Tarrad, Mohamed I. Youssef, Sherine M. Abd El-Kader

Abstract: IEEE 802.11 networks have a great role to play in supporting and deploying of the Internet of Things (IoT). The realization of IoT depends on the ability of the network to handle a massive number of stations and transmissions, and to support Quality of Service (QoS). IEEE 802.11 networks enable the QoS by applying the Enhanced Distributed Channel Access (EDCA) with static parameters regardless of… ▽ More IEEE 802.11 networks have a great role to play in supporting and deploying of the Internet of Things (IoT). The realization of IoT depends on the ability of the network to handle a massive number of stations and transmissions, and to support Quality of Service (QoS). IEEE 802.11 networks enable the QoS by applying the Enhanced Distributed Channel Access (EDCA) with static parameters regardless of existing network capacity or which Access Category (AC) of QoS is already active. Our objective in this paper is to improve the efficiency of the uplink access in 802.11 networks; therefore we proposed an algorithm called QoS Categories Activeness-Aware Adaptive EDCA Algorithm (QCAAAE) which adapts Contention Window (CW) size, and Arbitration Inter-Frame Space Number (AIFSN) values depending on the number of associated Stations (STAs) and considering the presence of each AC. For different traffic scenarios, the simulation results confirm the outperformance of the proposed algorithm in terms of throughput (increased on average 23%) and retransmission attempts rate (decreased on average 47%) considering acceptable delay for sensitive delay services. △ Less

Submitted 7 June, 2019; originally announced June 2019.

Comments: 17 pages, 10 figures

Journal ref: International Journal of Computer Networks & Communications (IJCNC) vol. 11, No. 3, May 2019, pp. 67-83

Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning

Authors: Ahmed Salem, Apratim Bhattacharya, Michael Backes, Mario Fritz, Yang Zhang

Abstract: Machine learning (ML) has progressed rapidly during the past decade and the major factor that drives such development is the unprecedented large-scale data. As data generation is a continuous process, this leads to ML model owners updating their models frequently with newly-collected data in an online learning scenario. In consequence, if an ML model is queried with the same set of data samples at… ▽ More Machine learning (ML) has progressed rapidly during the past decade and the major factor that drives such development is the unprecedented large-scale data. As data generation is a continuous process, this leads to ML model owners updating their models frequently with newly-collected data in an online learning scenario. In consequence, if an ML model is queried with the same set of data samples at two different points in time, it will provide different results. In this paper, we investigate whether the change in the output of a black-box ML model before and after being updated can leak information of the dataset used to perform the update, namely the updating set. This constitutes a new attack surface against black-box ML models and such information leakage may compromise the intellectual property and data privacy of the ML model owner. We propose four attacks following an encoder-decoder formulation, which allows inferring diverse information of the updating set. Our new attacks are facilitated by state-of-the-art deep learning techniques. In particular, we propose a hybrid generative model (CBM-GAN) that is based on generative adversarial networks (GANs) but includes a reconstructive loss that allows reconstructing accurate samples. Our experiments show that the proposed attacks achieve strong performance. △ Less

Submitted 30 November, 2019; v1 submitted 1 April, 2019; originally announced April 2019.

Comments: USENIX Security 2020

Don't Pick the Cherry: An Evaluation Methodology for Android Malware Detection Methods

Authors: Aleieldin Salem, Sebastian Banescu, Alexander Pretschner

Abstract: In evaluating detection methods, the malware research community relies on scan results obtained from online platforms such as VirusTotal. Nevertheless, given the lack of standards on how to interpret the obtained data to label apps, researchers hinge on their intuitions and adopt different labeling schemes. The dynamicity of VirusTotal's results along with adoption of different labeling schemes si… ▽ More In evaluating detection methods, the malware research community relies on scan results obtained from online platforms such as VirusTotal. Nevertheless, given the lack of standards on how to interpret the obtained data to label apps, researchers hinge on their intuitions and adopt different labeling schemes. The dynamicity of VirusTotal's results along with adoption of different labeling schemes significantly affect the accuracies achieved by any given detection method even on the same dataset, which gives subjective views on the method's performance and hinders the comparison of different malware detection techniques. In this paper, we demonstrate the effect of varying (1) time, (2) labeling schemes, and (3) attack scenarios on the performance of an ensemble of Android repackaged malware detection methods, called dejavu, using over 30,000 real-world Android apps. Our results vividly show the impact of varying the aforementioned 3 dimensions on dejavu's performance. With such results, we encourage the adoption of a standard methodology that takes into account those 3 dimensions in evaluating newly-devised methods to detect Android (repackaged) malware. △ Less

Submitted 25 March, 2019; originally announced March 2019.

Stimulation and Detection of Android Repackaged Malware with Active Learning

Authors: Aleieldin Salem

Abstract: Repackaging is a technique that has been increasingly adopted by authors of Android malware. The main problem facing the research community working on devising techniques to detect this breed of malware is the lack of ground truth that pinpoints the malicious segments grafted within benign apps. Without this crucial knowledge, it is difficult to train reliable classifiers able to effectively class… ▽ More Repackaging is a technique that has been increasingly adopted by authors of Android malware. The main problem facing the research community working on devising techniques to detect this breed of malware is the lack of ground truth that pinpoints the malicious segments grafted within benign apps. Without this crucial knowledge, it is difficult to train reliable classifiers able to effectively classify novel, out-of-sample repackaged malware. To circumvent this problem, we argue that reliable classifiers can be trained to detect repackaged malware, if they are allowed to request new, more accurate representations of an app's behavior. This learning technique is referred to as active learning. In this paper, we propose the usage of active learning to train classifiers able to cope with the ambiguous nature of repackaged malware. We implemented an architecture, Aion, that connects the processes of stimulating and detecting repackaged malware using a feedback loop depicting active learning. Our evaluation of a sample implementation of Aion using two malware datasets (Malgenome and Piggybacking) shows that active learning can outperform conventional detection techniques and, hence, has great potential to detect Android repackaged malware. △ Less

Submitted 3 August, 2018; originally announced August 2018.

MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

Authors: Lucjan Hanzlik, Yang Zhang, Kathrin Grosse, Ahmed Salem, Max Augustin, Michael Backes, Mario Fritz

Abstract: With the widespread use of machine learning (ML) techniques, ML as a service has become increasingly popular. In this setting, an ML model resides on a server and users can query it with their data via an API. However, if the user's input is sensitive, sending it to the server is undesirable and sometimes even legally not possible. Equally, the service provider does not want to share the model by… ▽ More With the widespread use of machine learning (ML) techniques, ML as a service has become increasingly popular. In this setting, an ML model resides on a server and users can query it with their data via an API. However, if the user's input is sensitive, sending it to the server is undesirable and sometimes even legally not possible. Equally, the service provider does not want to share the model by sending it to the client for protecting its intellectual property and pay-per-query business model. In this paper, we propose MLCapsule, a guarded offline deployment of machine learning as a service. MLCapsule executes the model locally on the user's side and therefore the data never leaves the client. Meanwhile, MLCapsule offers the service provider the same level of control and security of its model as the commonly used server-side execution. In addition, MLCapsule is applicable to offline applications that require local execution. Beyond protecting against direct model access, we couple the secure offline deployment with defenses against advanced attacks on machine learning models such as model stealing, reverse engineering, and membership inference. △ Less

Submitted 6 February, 2019; v1 submitted 1 August, 2018; originally announced August 2018.

ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models

Authors: Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, Michael Backes

Abstract: Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has sever… ▽ More Machine learning (ML) has become a core component of many real-world applications and training data is a key factor that drives current progress. This huge success has led Internet companies to deploy machine learning as a service (MLaaS). Recently, the first membership inference attack has shown that extraction of information on the training set is possible in such MLaaS settings, which has severe security and privacy implications. However, the early demonstrations of the feasibility of such attacks have many assumptions on the adversary, such as using multiple so-called shadow models, knowledge of the target model structure, and having a dataset from the same distribution as the target model's training data. We relax all these key assumptions, thereby showing that such attacks are very broadly applicable at low cost and thereby pose a more severe risk than previously thought. We present the most comprehensive study so far on this emerging and developing threat using eight diverse datasets which show the viability of the proposed attacks across domains. In addition, we propose the first effective defense mechanisms against such broader class of membership inference attacks that maintain a high level of utility of the ML model. △ Less

Submitted 14 December, 2018; v1 submitted 4 June, 2018; originally announced June 2018.

Comments: NDSS 2019

Performance Analysis of Dynamic Source Routing Protocol

Authors: Amer O. Abu Salem, Ghassan Samara, Tareq Alhmiedat

Abstract: Dynamic Source Routing (DSR) is an efficient on-demand routing protocol for mobile ad-hoc networks (MANET). It depends on two main procedures: Route Discovery and Route Maintenance. Route discovery is the procedure used at the source of the packets to discover a route to the destination. Route Maintenance is the procedure that discovers link failures and repairs them. Route caching is the sub proc… ▽ More Dynamic Source Routing (DSR) is an efficient on-demand routing protocol for mobile ad-hoc networks (MANET). It depends on two main procedures: Route Discovery and Route Maintenance. Route discovery is the procedure used at the source of the packets to discover a route to the destination. Route Maintenance is the procedure that discovers link failures and repairs them. Route caching is the sub procedure serviceable to avoid the demand for discovering a route or to reduce route discovery delay before every data packet is sent. The goal of this paper is to evaluate the performance of DSR. Different performance expressions are investigated including, delivery ratio, end to-end delay, and throughput, depending on different cache sizes and different speeds. All of that as a study to develop a new caching strategy as a future work. △ Less

Submitted 13 December, 2017; originally announced December 2017.

Comments: 4 pages

Report number: Vol. 5, No. 2 February 2014

Journal ref: Journal of Emerging Trends in Computing and Information Sciences, 2014

Comparative study of space filling curves for cache oblivious TU Decomposition

Authors: Fatima K. Abu Salem, Mira Al Arab

Abstract: We examine several matrix layouts based on space-filling curves that allow for a cache-oblivious adaptation of parallel TU decomposition for rectangular matrices over finite fields. The TU algorithm of \cite{Dumas} requires index conversion routines for which the cost to encode and decode the chosen curve is significant. Using a detailed analysis of the number of bit operations required for the en… ▽ More We examine several matrix layouts based on space-filling curves that allow for a cache-oblivious adaptation of parallel TU decomposition for rectangular matrices over finite fields. The TU algorithm of \cite{Dumas} requires index conversion routines for which the cost to encode and decode the chosen curve is significant. Using a detailed analysis of the number of bit operations required for the encoding and decoding procedures, and filtering the cost of lookup tables that represent the recursive decomposition of the Hilbert curve, we show that the Morton-hybrid order incurs the least cost for index conversion routines that are required throughout the matrix decomposition as compared to the Hilbert, Peano, or Morton orders. The motivation lies in that cache efficient parallel adaptations for which the natural sequential evaluation order demonstrates lower cache miss rate result in overall faster performance on parallel machines with private or shared caches, on GPU's, or even cloud computing platforms. We report on preliminary experiments that demonstrate how the TURBO algorithm in Morton-hybrid layout attains orders of magnitude improvement in performance as the input matrices increase in size. For example, when $N = 2^{13}$, the row major TURBO algorithm concludes within about 38.6 hours, whilst the Morton-hybrid algorithm with truncation size equal to $64$ concludes within 10.6 hours. △ Less

Submitted 19 December, 2016; originally announced December 2016.

Efficient sparse polynomial factoring using the Funnel heap

Authors: Fatima K. Abu Salem, Khalil El-Harake, Karl Gemayel

Abstract: This work is a comprehensive extension of Abu-Salem et al. (2015) that investigates the prowess of the Funnel Heap for implementing sums of products in the polytope method for factoring polynomials, when the polynomials are in sparse distributed representation. We exploit that the work and cache complexity of an Insert operation using Funnel Heap can be refined to de- pend on the rank of the inser… ▽ More This work is a comprehensive extension of Abu-Salem et al. (2015) that investigates the prowess of the Funnel Heap for implementing sums of products in the polytope method for factoring polynomials, when the polynomials are in sparse distributed representation. We exploit that the work and cache complexity of an Insert operation using Funnel Heap can be refined to de- pend on the rank of the inserted monomial product, where rank corresponds to its lifetime in Funnel Heap. By optimising on the pattern by which insertions and extractions occur during the Hensel lifting phase of the polytope method, we are able to obtain an adaptive Funnel Heap that minimises all of the work, cache, and space complexity of this phase. Additionally, we conduct a detailed empirical study confirming the superiority of Funnel Heap over the generic Binary Heap once swaps to external memory begin to take place. We demonstrate that Funnel Heap is a more efficient merger than the cache oblivious k-merger, which fails to achieve its optimal (and amortised) cache complexity when used for performing sums of products. This provides an empirical proof of concept that the overlapping approach for perform- ing sums of products using one global Funnel Heap is more suited than the serialised approach, even when the latter uses the best merging structures available. △ Less

Submitted 16 December, 2016; originally announced December 2016.

The Case for Dynamic Key Distribution for PKI-Based VANETs

Authors: Ahmed H. Salem, Ayman Abdel-Hamid, Mohamad Abou El-Nasr

Abstract: Vehicular Ad hoc Networks (VANETs) are becoming a reality where secure communication is a prerequisite. Public key infrastructure (PKI) can be used to secure VANETs where an onboard tamper proof device (TPD) stores a number of encryption keys which are renewed upon visiting a certificate authority (CA). We previously proposed a dynamic key distribution protocol for PKI-based VANETs [1] to reduce t… ▽ More Vehicular Ad hoc Networks (VANETs) are becoming a reality where secure communication is a prerequisite. Public key infrastructure (PKI) can be used to secure VANETs where an onboard tamper proof device (TPD) stores a number of encryption keys which are renewed upon visiting a certificate authority (CA). We previously proposed a dynamic key distribution protocol for PKI-based VANETs [1] to reduce the role of the TPD. A vehicle dynamically requests a key from its nearest road side unit. This request is propagated through network infrastructure to reach a CA cloud and a key is securely returned. A proposed key revocation mechanism reduced the number of messages needed for revocation through Certificate Revocation List (CRL) distribution. In this paper, performance evaluation and security of the proposed dynamic key distribution is investigated analytically and through network simulation. Furthermore, extensive analysis is performed to demonstrate how the proposed protocol can dynamically support efficient and cost-reduced key distribution. Analysis and performance evaluation results clearly make the case for dynamic key distribution for PKI-based VANETS. △ Less

Submitted 16 May, 2016; originally announced May 2016.

Journal ref: International Journal of Computer Networks & Communications (IJCNC) Vol.6, No.1, pp. 61-78, January 2014

Innovative Method for enhancing Key generation and management in the AES-algorithm

Authors: Omer K. Jasim Mohammad, Safia Abbas, El-Sayed M. El-Horbaty, Abdel-Badeeh M. Salem

Abstract: With the extraordinary maturity of data exchange in network environments and increasing the attackers capabilities, information security has become the most important process for data storage and communication. In order to provide such information security the confidentiality, data integrity, and data origin authentication must be verified based on cryptographic encryption algorithms. This paper p… ▽ More With the extraordinary maturity of data exchange in network environments and increasing the attackers capabilities, information security has become the most important process for data storage and communication. In order to provide such information security the confidentiality, data integrity, and data origin authentication must be verified based on cryptographic encryption algorithms. This paper presents a development of the advanced encryption standard (AES) algorithm, which is considered as the most eminent symmetric encryption algorithm. The development focuses on the generation of the integration between the developed AES based S-Boxes, and the specific selected secret key generated from the quantum key distribution. △ Less

Submitted 13 April, 2015; originally announced April 2015.

Comments: 7 pages, 10 figures. arXiv admin note: text overlap with arXiv:1503.04796

Evolution of an Emerging Symmetric Quantum Cryptographic Algorithm

Authors: Omer K. Jasim, Safia Abbas, El-Sayed M. Horbaty, Abdel-Badeeh M. Salem

Abstract: With the rapid evolution of data exchange in network environments, information security has been the most important process for data storage and communication. In order to provide such information security, the confidentiality, data integrity, and data origin authentication must be verified based on cryptographic encryption algorithms. This paper presents a new emerging trend of modern symmetric e… ▽ More With the rapid evolution of data exchange in network environments, information security has been the most important process for data storage and communication. In order to provide such information security, the confidentiality, data integrity, and data origin authentication must be verified based on cryptographic encryption algorithms. This paper presents a new emerging trend of modern symmetric encryption algorithm by development of the advanced encryption standard (AES) algorithm. The new development focuses on the integration between Quantum Key Distribution (QKD) and an enhanced version of AES. A new quantum symmetric encryption algorithm, which is abbreviated as Quantum-AES (QAES), is the output of such integration. QAES depends on generation of dynamic quantum S-Boxes (DQS-Boxes) based quantum cipher key, instead of the ordinary used static S-Boxes. Furthermore, QAES exploits the specific selected secret key generated from the QKD cipher using two different modes (online and off-line). △ Less

Submitted 14 March, 2015; originally announced March 2015.

A New Trend of Pseudo Random Number Generation using QKD

Authors: Omer K. Jasim, Safia Abbas, El-Sayed M. El-Horbaty, Abdel-Badeeh M. Salem

Abstract: Random Numbers determine the security level of cryptographic applications as they are used to generate padding schemes in the encryption/decryption process as well as used to generate cryptographic keys. This paper utilizes the QKD to generate a random quantum bit rely on BB84 protocol, using the NIST and DIEHARD randomness test algorithms to test and evaluate the randomness rates for key generati… ▽ More Random Numbers determine the security level of cryptographic applications as they are used to generate padding schemes in the encryption/decryption process as well as used to generate cryptographic keys. This paper utilizes the QKD to generate a random quantum bit rely on BB84 protocol, using the NIST and DIEHARD randomness test algorithms to test and evaluate the randomness rates for key generation. The results show that the bits generated using QKD are truly random, which in turn, overcomes the distance limitation (associated with QKD) issue, its well-known challenges with the sending/ receiving data process between different communication parties △ Less

Submitted 1 October, 2014; originally announced November 2014.

Comments: 5 pages, 5 figures, 1 table, International Journal of Computer Applications, 2014

Analogy-Based and Case-Based Reasoning: Two sides of the same coin

Authors: Michael Gr. Voskoglou, Abdel-Badeeh M. Salem

Abstract: Analogy-Based (or Analogical) and Case-Based Reasoning (ABR and CBR) are two similar problem solving processes based on the adaptation of the solution of past problems for use with a new analogous problem. In this paper we review these two processes and we give some real world examples with emphasis to the field of Medicine, where one can find some of the most common and useful CBR applications. W… ▽ More Analogy-Based (or Analogical) and Case-Based Reasoning (ABR and CBR) are two similar problem solving processes based on the adaptation of the solution of past problems for use with a new analogous problem. In this paper we review these two processes and we give some real world examples with emphasis to the field of Medicine, where one can find some of the most common and useful CBR applications. We also underline the differences between CBR and the classical rule-induction algorithms, we discuss the criticism for CBR methods and we focus on the future trends of research in the area of CBR. △ Less

Submitted 29 May, 2014; originally announced May 2014.

Comments: 47 pages, 2 figures, 1 table, 124 references

MSC Class: 68T05; 68T20

Journal ref: International Journal of Applications of Fuzzy Sets and Artificial Intelligence (IJAFSAI), Vol. 4, 5-51, 2014

Intelligent Techniques for Resolving Conflicts of Knowledge in Multi-Agent Decision Support Systems

Authors: Khaled M. Khalil, M. Abdel-Aziz, Taymour T. Nazmy, Abdel-Badeeh M. Salem

Abstract: This paper focuses on some of the key intelligent techniques for conflict resolution in Multi-Agent Decision Support Systems. This paper focuses on some of the key intelligent techniques for conflict resolution in Multi-Agent Decision Support Systems. △ Less

Submitted 17 January, 2014; originally announced January 2014.

Comments: 5 pages, 1 table, Sixth International Conference on Intelligence Computing and Information Systems, Cairo, Egypt, 2013