Abstract Paper Portal of IEEE Transactions on Information Forensics and Security (TIFS) 2025

PaperID: 1,   
Authors:  Jitendra Bhandari, Jayanth Gopinath, Mohammed Ashraf, Johann Knechtel, Ozgur Sinanoglu, Ramesh Karri
Affiliations: Department of Electrical and Computer Engineering, New York University, New York City, NY, USA; Department of Electrical and Computer Engineering, New York University Abu Dhabi, Abu Dhabi, United Arab Emirates
Title: DEFending Integrated Circuit Layouts
Abstract:
Modern integrated circuits (ICs) require a complex, outsourced supply chain, involving computer-aided design (CAD) tools, expert knowledge, and advanced foundries. This complexity has led to various security threats, such as Trojans inserted by adversaries during outsourcing, but also run-time threats like physical probing. Our proposed design-time solution, DEFense, is an extensible CAD framework for holistic assessment and proactive mitigation of multiple prominent threats. The goal is to prioritize security concerns during the physical design of ICs, alongside traditional power, performance, and area (PPA) objectives. DEFense utilizes an iterative and modular approach to assess and mitigate various known vulnerabilities in the IC layout that target sensitive active devices and wires. It is a flexible and extensible scripting framework without the need for modifications to commercial CAD flows, yet with the same high level of design quality. We have conducted extensive case studies on representative modern IC designs to “DEFend” layouts against Trojan insertion, probing, and crosstalk attacks. We are providing the framework to the community.
PaperID: 2,   
Authors:  Weihan Li, Zongyang Zhang, Yanpei Guo, Sherman S. M. Chow, Zhiguo Wan
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; Department of Information Engineering, The Chinese University of Hong Kong, Shatin, New Territories, Hong Kong; Zhejiang Laboratory, Hangzhou, China
Title: Succinct Hash-Based Arbitrary-Range Proofs
Abstract:
Zero-knowledge range proofs (ZKRPs) assert that a committed integer V lies in a given range, such as [0, 2^n-1], without leaking anything else about V. They are vital in various privacy-preserving systems. Moving forward, the quest for post-quantum security is still in its infancy; the proof size of state-of-the-art lattice-based ZKRPs (Lyubashevsky et al., CCS 20 and Couteau et al., Eurocrypt 21) remains linear in n, directly impacting the long-term sustainability in applications such as immutable ledgers. Confronting this unresolved impasse, we propose SHARP-PQ, i.e., succinct hash-based arbitrary-range proof with post-quantum security. SHARP-PQ offers proof size poly-logarithmic in n, optimized batch proofs, and versatile (new) capabilities. Its success stems from the improved inner product argument and exploitation of homomorphism. Empirically, SHARP-PQ features at least 10× smaller proof size for multiple ranges over lattice-based ZKRPs while maintaining competitive prover and verifier times. SHARP-PQ also outperforms ZKRPs directly constructed from hash-based generic zero-knowledge proofs by up to 10×.
PaperID: 3,   
Authors:  Stanislav Kruglik, Han Mao Kiah, Son Hoang Dau, Eitan Yaakobi
Affiliations: School of Physical and Mathematical Sciences, Nanyang Technological University, Jurong West, Singapore; School of Computing Technologies, STEM College, RMIT University, Melbourne, VIC, Australia; Computer Science Department, Technion—Israel Institute of Technology, Haifa, Israel
Title: Recovering Reed-Solomon Codes Privately
Abstract:
We investigate the problems of privately repairing erasures and evaluating their linear combinations for Reed-Solomon codes with low communication bandwidths. We propose two approaches: one based on hiding subspaces used to form parity-check equations, and another based on multiplying parity-check equations with random polynomials. We also derive a lower bound on the repair bandwidth for the single erasure case under reasonable assumptions about the schemes being used and demonstrate the optimality of the proposed schemes for codes of specific lengths.
PaperID: 4,   
Authors:  Fupei Chen, Liyao Xiang, Haoxiang Sun, Hei Victor Cheng, Kaiming Shen
Affiliations: John Hopcroft Center for Computer Science, Shanghai Jiao Tong University, Shanghai, China; School of Information and Electronic Engineering, Shanghai Jiao Tong University, Shanghai, China; Electrical and Computer Engineering Department, Aarhus University, Aarhus, Denmark; School of Science and Engineering, The Chinese University of Hong Kong, Shenzhen, China
Title: Shuffling for Semantic Secrecy
Abstract:
Deep learning draws heavily on the latest progress in semantic communications. The present paper aims to examine the security aspect of this cutting-edge technique from a novel shuffling perspective. Our goal is to improve upon the conventional secure coding scheme to strike a desirable tradeoff between transmission rate and leakage rate. To be more specific, for a wiretap channel, we seek to maximize the transmission rate while minimizing the semantic error probability under the given leakage rate constraint. Toward this end, we devise a novel semantic security communication system wherein the random shuffling pattern plays the role of the shared secret key. Intuitively, the permutation of feature sequences via shuffling would distort the semantic essence of the target data to a sufficient extent so that eavesdroppers cannot access it anymore. The proposed random shuffling method also exhibits its flexibility in working for the existing semantic communication system as a plugin. Simulations demonstrate the significant advantage of the proposed method over the benchmark in boosting secure transmission, especially when channels are prone to strong noise and unpredictable fading.
PaperID: 5,   
Authors:  Xiangqun Zhang, Ruize Han, Likai Wang, Linqi Song, Junhui Hou, Wei Feng
Affiliations: School of Computer Science and Technology, College of Intelligence and Computing, Tianjin University, Tianjin, China; Shenzhen University of Advanced Technology, Shenzhen, China; Department of Computer Science, City University of Hong Kong, Kowloon Tong, SAR, Hong Kong
Title: Synthetic-to-Real Video Person Re-ID
Abstract:
Person re-identification (Re-ID) is an important task and has significant applications for public security and information forensics, which has progressed rapidly with the development of deep learning. In this work, we investigate a novel and challenging setting of Re-ID, i.e., cross-domain video-based person Re-ID. Specifically, we utilize synthetic video datasets as the source domain for training and real-world videos for testing, notably reducing the reliance on expensive real data acquisition and annotation. To harness the potential of synthetic data, we first propose a self-supervised domain-invariant feature learning strategy for both static and dynamic (temporal) features. Additionally, to enhance person identification accuracy in the target domain, we propose a mean-teacher scheme incorporating a self-supervised ID consistency loss. Experimental results across five real datasets validate the rationale behind cross-synthetic-real domain adaptation and demonstrate the efficacy of our method. Notably, the discovery that synthetic data outperforms real data in the cross-domain scenario is a surprising outcome. The code and data are publicly available at https://github.com/XiangqunZhang/UDA_Video_ReID
PaperID: 6,   
Authors:  Chuanghong Weng, Ehsan Nekouei
Affiliations: Department of Electrical Engineering, City University of Hong Kong, Kowloon, Hong Kong
Title: Optimal Privacy-Aware Stochastic Sampling
Abstract:
This paper presents a stochastic sampling framework for privacy-aware data sharing, where a sensor observes a process correlated with private information. A sampler determines whether to retain or discard sensor observations, balancing the tradeoff between data utility and privacy. Retained samples are shared with an adversary who may attempt to infer the private process, with privacy leakage quantified using mutual information. The sampler design is formulated as an optimization problem with two objectives: (i) minimizing the reconstruction error of the observed process using the sampler’s output, (ii) reducing the privacy leakages. For a general class of processes, we show that the optimal reconstruction policy is deterministic and derive the optimality conditions for the sampling policy using a dynamic decomposition method, which enables the sampler to control the adversary’s belief about private inputs. For linear Gaussian processes, we propose a simplified design by restricting the sampling policy to a specific collection, providing analytical expressions for the reconstruction error, belief state, and sampling objectives based on conditional means and covariances. Additionally, we develop a numerical optimization algorithm to optimize the sampling and reconstruction policies, wherein the policy gradient theorem for the optimal sampling design is derived based on the implicit function theorem. Simulations demonstrate the effectiveness of the proposed method in achieving accurate state reconstruction, privacy protection, and data size reduction.
PaperID: 7,   
Authors:  Changsong Jiang, Chunxiang Xu, Guomin Yang, Zhao Zhang, Jie Chen
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Computing and Information Systems, Singapore Management University, Tampines, Singapore; China Telecom Research Institute, Guangzhou, China
Title: Device-Enhanced Password-Based Threshold Single-Sign-On Authentication
Abstract:
Password-based threshold single-sign-on authentication (PbTA) allows multiple identity servers to authenticate a user in a threshold manner and issue a token, with which the user accesses relevant services. We analyze existing PbTA schemes and reveal a potential threat: vulnerability against perpetual credential leakage, in which “perpetual” adversaries could perpetually attempt to compromise long-lived credential databases maintained by identity servers. Compromising a threshold number of credential databases enables the adversaries to launch offline dictionary guessing attacks (DGA) or illegally obtain users’ tokens. To address these issues, we first propose a basic device-enhanced PbTA scheme (DE-PbTA), where an auxiliary device collaborates with identity servers in hardening a user’s password during authentication, such that perpetual adversaries cannot learn the password from compromised credentials via offline DGA. Using the hardened password, a private key can be derived to decrypt ciphertexts from identity servers for token construction, which protects the user’s tokens against perpetual adversaries. Then, we extend basic DE-PbTA to support dynamic usage of multiple devices, where a user can actively choose t′ devices out of n′ for authentication. Provable security and high efficiency of the basic/enhanced DE-PbTA scheme are demonstrated by comprehensive analysis and experimental evaluations.
PaperID: 8,   
Authors:  Ala Gouissem, Shaimaa Hassanein, Khalid Abualsaud, Elias Yaacoub, Mohamed Mabrok, M. Abdallah, Tamer Khattab, Mohsen Guizani
Affiliations: College of Computing and Information Technology, University of Doha for Science and Technology, Doha, Qatar; Department of Electrical Engineering, IIPL Laboratory, Qatar University, Doha, Qatar; Department of Computer Science and Engineering, Qatar University, Doha, Qatar; Department of Mathematics and Statistics, College of Arts and Sciences, Qatar University, Doha, Qatar; Division of Information and Computing Technology, College of Science and Engineering, Hamad Bin Khalifa University, Doha, Qatar; Machine Learning Department, Mohamed Bin Zayed University of Artificial Intelligence, Abu Dhabi, United Arab Emirates
Title: Low Complexity Byzantine-Resilient Federated Learning
Abstract:
Federated learning (FL) has gained attention for enabling efficient distributed learning while maintaining data privacy. However, the data privacy constraint reduces the transparency of the agents’ model updates, making the learning process vulnerable to Byzantine attacks. In this paper, a mathematical proof is provided to show that when the traditional model-combining scheme is used, the model will eventually diverge to non-useful solutions in the presence of Byzantine agents, independently of their number or their contributions. A low-complexity norm-control-based aggregation approach is also proposed and shown to converge to the optimal and sub-optimal solutions in the absence or presence of Byzantine nodes, respectively. Monte-Carlo simulations are also conducted to verify and validate the mathematical derivations and the efficiency of the proposed approach in protecting the FL model.
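The abstract contrasts plain averaging of agent updates with a norm-control aggregation rule but gives no detail. The following Python simulation is an added illustration and is not the paper's algorithm or code: the toy objective (a 3-dimensional quadratic), the attacker model (one agent reporting the negated, 20× amplified honest direction) and the norm-control rule itself (per-update L2 clipping to a fixed bound before averaging) are all assumptions chosen to show the effect the abstract describes. With plain averaging one attacker drives the model away from the optimum every round; with clipping its per-round influence is capped at bound/n, so the model settles near, but not exactly at, the optimum.

```python
import math
import random


def l2(v):
    return math.sqrt(sum(x * x for x in v))


def honest_update(w, target, rng, noise=0.01):
    """Gradient of 0.5*||w - target||^2 at w, plus small noise standing in
    for the differences between agents' local data."""
    return [(wi - ti) + rng.gauss(0.0, noise) for wi, ti in zip(w, target)]


def byzantine_update(w, target, scale):
    """Malicious agent: reports the honest direction negated and amplified
    (constructed attacker model, not from the paper)."""
    return [-scale * (wi - ti) for wi, ti in zip(w, target)]


def mean_aggregate(updates):
    """Traditional model combining: plain average of the reported updates."""
    n, d = len(updates), len(updates[0])
    return [sum(u[j] for u in updates) / n for j in range(d)]


def norm_control_aggregate(updates, bound=1.0):
    """Norm-control rule assumed here: scale every update down to at most
    `bound` in L2 norm, then average. One agent can then move the aggregate
    by at most bound/n per round, whatever it reports."""
    clipped = []
    for u in updates:
        norm = l2(u)
        factor = min(1.0, bound / norm) if norm > 0 else 1.0
        clipped.append([x * factor for x in u])
    return mean_aggregate(clipped)


def run(aggregate, *, n_honest=9, n_byz=1, rounds=50, lr=0.1, scale=20.0,
        seed=0, **agg_kwargs):
    """Simulate `rounds` of FL on the toy objective and return the final
    L2 distance of the global model from the (constructed) optimum."""
    rng = random.Random(seed)
    target = [1.0, -2.0, 0.5]      # constructed optimum
    w = [0.0, 0.0, 0.0]            # initial global model
    for _ in range(rounds):
        updates = [honest_update(w, target, rng) for _ in range(n_honest)]
        updates += [byzantine_update(w, target, scale) for _ in range(n_byz)]
        g = aggregate(updates, **agg_kwargs)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
    return l2([wi - ti for wi, ti in zip(w, target)])


if __name__ == "__main__":
    print("no attacker, mean        :", run(mean_aggregate, n_byz=0))
    print("1 attacker,  mean        :", run(mean_aggregate))
    print("1 attacker,  norm-control:", run(norm_control_aggregate, bound=1.0))
```

With these parameters the averaged model's distance from the optimum grows by a factor of about 1.11 per round (to several hundred after 50 rounds), while the clipped aggregate converges to a distance of roughly bound/9, i.e. a sub-optimal but bounded error, which is the qualitative behaviour the abstract claims for the two rules.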
PaperID: 9,   
Authors:  Xueman Wang, Yipeng Wang, Yingxu Lai, Zhiyu Hao, Alex X. Liu
Affiliations: College of Computer Science, Beijing University of Technology, Beijing, China; Zhongguancun Laboratory, Beijing, China; Midea Group, Foshan, China
Title: Reliable Open-Set Network Traffic Classification
Abstract:
The widespread use of modern network communications necessitates effective resource control and management in TCP/IP networks. However, most existing network traffic classification methods are limited to labeled known classes and struggle to handle open-set scenarios, where known classes coexist with significant volumes of unknown classes of traffic. To solve this problem more accurately and reliably, we propose RoNeTC. This method achieves high-precision classification by enhancing feature extraction and quantifying the reliability of classification decisions through uncertainty estimation. For feature extraction, we divide each packet of a flow into three views for parallel training, integrating both local and global feature representations across multiple packets to enhance accuracy. We devise a second-order classification probability to quantify the reliability of the classifier’s results and to visualize the reliability of open-set flow classification in terms of uncertainty. Additionally, we dynamically fuse classification decisions from multiple views, evaluating decision uncertainty to classify known and unknown flows and ensure robust, reliable results. We compare RoNeTC with four state-of-the-art (SOTA) methods in six open-set scenarios. RoNeTC outperforms the other methods by an average of 25.94% in F1 across all open-set scenarios, indicating its superior performance in open-set network traffic classification.
PaperID: 10,   
Authors:  Hongliang He, Nengcheng Chen
Affiliations: School of Mechanical Engineering and Electronic Information, China University of Geosciences, Wuhan, China; National Engineering Research Center of Geographic Information System, China University of Geosciences, Wuhan, China
Title: Parallel PAM for Secure Transmission
Abstract:
Physical layer security is a promising approach to enhancing the security of multi-user networks. However, user interference causes constellation points from different users to overlap, limiting both network reliability and security. To address this, we propose a parallel pulse amplitude modulation (PAM) scheme that ensures constellations are regularly superimposed at the legitimate receiver while appearing chaotic to the eavesdropper. Consequently, the eavesdropper experiences a consistently high bit/symbol error rate, whereas the legitimate receiver maintains a very low error rate. Furthermore, we extend the parallel PAM scheme to both the in-phase and quadrature components of the signal, forming a heterogeneous quadrature amplitude modulation (QAM) scheme. This enhances transmission efficiency while preserving security. We analyze the bit/symbol error rates at both the legitimate receiver and the eavesdropper, deriving a lower bound for the eavesdropper’s error rate. Finally, simulation results validate our theoretical analysis.
PaperID: 11,   
Authors:  Xiaoxiao Miao, Ruijie Tao, Chang Zeng, Xin Wang
Affiliations: Singapore Institute of Technology, Singapore, Singapore; Electrical and Computer Engineering Department, National University of Singapore, Queenstown, Singapore; National Institute of Informatics, Chiyoda-ku, Tokyo, Japan
Title: A Benchmark for Multi-Speaker Anonymization
Abstract:
Privacy-preserving voice protection approaches primarily suppress privacy-related information derived from paralinguistic attributes while preserving the linguistic content. Existing solutions focus particularly on single-speaker scenarios. However, they lack practicality for real-world applications, i.e., multi-speaker scenarios. In this paper, we present an initial attempt to provide a multi-speaker anonymization benchmark by defining the task and evaluation protocol, proposing benchmarking solutions, and discussing the privacy leakage of overlapping conversations. The proposed benchmark solutions are based on a cascaded system that integrates spectral-clustering-based speaker diarization and disentanglement-based speaker anonymization using a selection-based anonymizer. To improve utility, the benchmark solutions are further enhanced by two conversation-level speaker vector anonymization methods. The first method minimizes the differential similarity across speaker pairs in the original and anonymized conversations, which maintains original speaker relationships in the anonymized version. The other minimizes the aggregated similarity across anonymized speakers, which achieves better differentiation between speakers. Experiments conducted on both non-overlapping simulated and real-world datasets demonstrate the effectiveness of the multi-speaker anonymization system with the proposed speaker anonymizers. Additionally, we analyzed overlapping speech regarding privacy leakage and provided potential solutions. Code and audio samples are available at https://github.com/xiaoxiaomiao323/MSA; evaluation datasets can be downloaded from https://zenodo.org/records/14249171
PaperID: 12,   
Authors:  Zixuan Ding, Ding Wang
Affiliations: College of Cryptology and Cyber Science and the Key Laboratory of Data and Intelligent System Security, Ministry of Education, Nankai University, Tianjin, China
Title: HTOTP: Honey Time-Based One-Time Passwords
Abstract:
One-Time Passwords (OTPs) play a crucial role in Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) by adding an additional layer of security. OTPs effectively reduce the risk of static passwords being intercepted and reused. Nevertheless, both academic schemes and industrial solutions face security threats stemming from server/device compromises and OTP factor forgery. Chain-based asymmetric OTP schemes are a promising approach to addressing the problem of server compromise but still face threats from device compromise and pre-generated chain leakage. We emphasize that since devices directly store the OTP seed, OTP authentication is essentially equivalent to verifying device possession. This means that in existing OTP schemes, OTP forgery and device compromise remain prevalent and difficult to overcome. In this work, we propose a brand new scheme to address OTP factor forgery and server/device compromises. For the first time, our scheme constructs a tightly coupled architecture between the password factor and the OTP factor. The OTP seed is derived from a password and a device-stored salt, preventing OTP seed extraction and OTP forgery even in the event of a device compromise. Through the integration of “honeywords” with the tightly coupled OTP architecture, the server stores decoy OTP seeds generated by decoy passwords, providing resistance against server compromises and partial password guessing from devices. We conduct a comprehensive evaluation of our OTP schemes. The computational overhead is correlated with the number of honeywords, and with the recommended set size of 20, the total verification overhead is approximately 0.24 ms. Additionally, we propose formal security properties and application metrics, and rigorously prove our scheme’s resistance against server/device compromise attacks and guessing attacks. Our scheme is the first to achieve comprehensive OTP security with low overhead.
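To make the two ideas in the abstract concrete (an OTP seed that needs both the password and a device-stored salt, and a server table holding one real seed next to decoy seeds derived from honeywords), here is an added Python sketch. It is not the paper's HTOTP construction or code: the KDF (PBKDF2-HMAC-SHA256), the OTP algorithm (RFC 6238 TOTP with HMAC-SHA1, 30 s steps, 6 digits), the sweetword shuffling and the separate "honeychecker" index are assumptions chosen for illustration. The point it demonstrates is that a stolen device (salt only) or a stolen server table (seeds only) does not yield the real seed, and that an OTP computed from a decoy seed is detectable.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Assumed parameters (not from the paper).
KDF_ITERATIONS = 100_000
SEED_LEN = 20          # 160-bit seed, the conventional HMAC-SHA1 TOTP size
STEP_SECONDS = 30
DIGITS = 6


def derive_seed(password: str, device_salt: bytes) -> bytes:
    """Tightly coupled seed: needs both the password and the device-stored
    salt. A stolen device yields only the salt, so the password still has to
    be guessed, and online guesses hit the decoy seeds held by the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               device_salt, KDF_ITERATIONS, dklen=SEED_LEN)


def totp(seed: bytes, counter: int) -> str:
    """RFC 6238 TOTP for one time step (dynamic truncation of HMAC-SHA1)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def enroll(password: str, honeywords, device_salt: bytes, rng=None):
    """Server record: one seed per sweetword (the real password plus every
    decoy), shuffled so the table alone does not say which seed is real.
    The real index is returned separately; in a deployment it belongs in a
    separate, minimal honeychecker component, not beside the seeds."""
    rng = rng or secrets.SystemRandom()
    sweetwords = list(honeywords) + [password]
    rng.shuffle(sweetwords)
    seeds = [derive_seed(w, device_salt) for w in sweetwords]
    return seeds, sweetwords.index(password)


def verify(seeds, real_index: int, submitted: str, counter: int,
           window: int = 1) -> str:
    """'ok'    : the OTP matches the real seed within the time window
       'honey' : it matches a decoy seed, which only someone holding the
                 server's seed table or a decoy password can produce, so
                 raise an alarm and block the account
       'fail'  : no match"""
    for idx, seed in enumerate(seeds):
        for c in range(max(0, counter - window), counter + window + 1):
            if hmac.compare_digest(totp(seed, c), submitted):
                return "ok" if idx == real_index else "honey"
    return "fail"


if __name__ == "__main__":
    # Constructed demo values; a real device salt comes from a CSPRNG at enrolment.
    salt = secrets.token_bytes(16)
    seeds, real = enroll("correct horse", ["battery staple", "hunter2", "letmein1"], salt)
    now = int(time.time()) // STEP_SECONDS
    print(verify(seeds, real, totp(derive_seed("correct horse", salt), now), now))
```

The verification cost grows linearly with the number of sweetwords, since each candidate seed is tried for each step in the window; that is the same "correlated with the number of honeywords" behaviour the abstract reports for the real scheme.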
PaperID: 13,   
Authors:  Yifan Wang, Jie Gui, Xinli Shi, Linqing Gui, Yuan Yan Tang, James Tin-Yau Kwok
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Cyber Science and Engineering, the Engineering Research Center of Blockchain Application, Supervision and Management, Ministry of Education, and Purple Mountain Laboratories, Southeast University, Nanjing, China; College of Computer, Nanjing University of Posts and Telecommunications, Nanjing, China; Department of Computer and Information Science, University of Macau, Macau, China; Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, Hong Kong, China
Title: ColorVein: Colorful Cancelable Vein Biometrics
Abstract:
Vein recognition technologies have become one of the primary solutions for high-security identification systems. However, the issue of biometric information leakage can still pose a serious threat to user privacy and anonymity. Currently, there is no cancelable biometric template generation scheme specifically designed for vein biometrics. Therefore, this paper proposes an innovative cancelable vein biometric generation scheme: ColorVein. Unlike previous cancelable template generation schemes, ColorVein does not destroy the original biometric features and introduces additional color information to grayscale vein images. This method significantly enhances the information density of vein images by transforming static grayscale information into dynamically controllable color representations through interactive colorization. ColorVein allows users/administrators to define a controllable pseudo-random color space for grayscale vein images by editing the position, number, and color of hint points, thereby generating protected cancelable templates. Additionally, we propose a new secure center loss to optimize the training process of the protected feature extraction model, effectively increasing the feature distance between enrolled users and any potential impostors. Finally, we evaluate ColorVein’s performance on all types of vein biometrics, including recognition performance, unlinkability, irreversibility, and revocability, and conduct security and privacy analyses. ColorVein achieves competitive performance compared with state-of-the-art methods.
PaperID: 14,   
Authors:  Yingzi Gao, Yuan Lu, Zhenliang Lu, Qiang Tang, Yuyi Wang, Jing Xu
Affiliations: Institute of Software Chinese Academy of Sciences, Beijing, China; Digital Trust Centre, Nanyang Technological University, Jurong West, Singapore; the School of Computer Science, University of Sydney, Sydney, NSW, Australia; CRRC Zhuzhou Institute, Zhuzhou, Hunan, China
Title: Turritopsis: Practical Dynamic Asynchronous BFT
Abstract:
Recent progress of randomized fully asynchronous BFT consensus not only presents appealing performance but also ensures superior robustness against an asynchronous adversary that can arbitrarily delay network communication. But these results are mostly discussed in a static setting with fixed nodes. The root reason for the limit is the heavy dependence on a pre-configured threshold cryptosystem, which is critical to practically generate common randomness for overcoming FLP impossibility, but also fixes a designated set of participants. Even worse, most existing asynchronous BFT protocols rely on another strong assumption that messages sent among honest nodes must eventually be delivered, which could be plausible in the static setting (as all nodes can stay online forever to deliver messages) but becomes elusive in a dynamic blockchain, because a departing node might stop transmitting messages and subsequently cause inevitable message omissions as well as potential security violations. To accommodate the enticing asynchronous BFT consensus into real-world blockchains where participating nodes are joining and leaving, we introduce Turritopsis, a novel dynamic asynchronous BFT framework that can 1) efficiently re-configure threshold cryptosystem to accommodate the change of consensus nodes and 2) tolerate admissible message omissions caused by leaving participants. We first propose a dedicatedly optimized asynchronous distributed key refresh protocol that can quickly reset key materials of discrete logarithm threshold cryptosystem (e.g. BLS threshold signature), from which common randomness can be derived to ensure both safety and liveness despite the rotation of participating nodes. We then extend asynchronous BFT to tolerate a combination of t Byzantine nodes and l honest leaving nodes, where 3t+2l is smaller than the total number n of currently participating nodes. This allows us to tolerate up to l leaving nodes that might behave like crashes due to their departures, while simultaneously preserving maximal resilience against ⌊(n - 2l)/3⌋ malicious corruptions. We instantiated Turritopsis and implemented it in Python 3. Extensive experiments were conducted, spanning a network of up to n=60 AWS EC2 nodes across 15 cities, revealing that Turritopsis exhibits performance closely comparable to its fixed-committee counterpart in both latency and throughput.
PaperID: 15,   
Authors:  Xuyang Liu, Zijian Zhang, Zhen Li, Peng Jiang, Yajie Wang, Meng Li, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China
Title: The Deferred Byzantine Generals Problem
Abstract:
This paper introduces the Deferred Byzantine Generals Problem, a variant of the Byzantine Generals Problem which focuses on ensuring replicas maintain consistency over timed-release secret operations (operations that can only be known after a specified time or event). The solution to the problem is called the Deferred Byzantine Fault Tolerant (DBFT) consensus. DBFT can operate exclusively or be interleaved with BFTs to handle specific tasks at designated sequence numbers or views, thereby facilitating the implementation of certain system-desirable features or supporting novel applications. It does not rely on existing timed-release primitives, but instead ensures its timed-release property through voting interactions. We present the system model of DBFT SMR under partial synchrony using Threshold Public Key Encryption (TPKE) as the cryptographic primitive, highlighting the core issues. Then we design and implement the DBFT protocol using PBFT notations, focusing on the unique parts to facilitate expansions to other paradigms. Through experimental results, we show the impact of different executing modes and parameter choices on performance and discuss potential optimizations.
PaperID: 16,   
Authors:  Erjun Zhou, Jing Chen, Min Shi, Zhengdi Huang, Meng Jia, Kun He, Ruiying Du
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Boreas: Fully Anonymous Sealed-Bid Auction
Abstract:
With the rise of e-commerce, sealed-bid auctions are widely used in various online scenarios. In auctions, bidders’ bids and participants’ identities are considered critical private information. However, existing works either only achieve bid privacy or fail to provide complete protection of identity. In this work, we propose the first sealed-bid auction scheme that achieves both bid privacy and identity privacy, called Boreas. We propose three fundamental protocols as the building blocks. In particular, anonymous submission enables sellers to submit items anonymously, oblivious bidding and locker transaction enable the seller and the winner to confirm the auction results and complete the transaction without knowing each other’s identity. Meanwhile, we formally define the security goal of identity privacy and formalize a new security property called: fully anonymous. We prove the security of our scheme in the semi-honest adversary model. We implement Boreas and run experiments comparing its performance against existing schemes. Our experiments show that Boreas improves computation time by 12.6% and reduces communication costs by 10³× in handling a large-scale auction, while offering stronger security guarantee.
PaperID: 17,   
Authors:  Zhechao Lin, Jiahao Cao, Xinda Wang, Renjie Xie, Yuxi Zhu, Xiao Li, Qi Li, Yangyang Wang, Mingwei Xu
Affiliations: Department of Computer Science and Technology, Tsinghua University, Beijing, China; Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing, China; Department of Computer Science, The University of Texas at Dallas, Richardson, TX, USA
Title: VPGFuzz: Vulnerable Path-Guided Greybox Fuzzing
Abstract:
Fuzzing is a prevalent technology for identifying software vulnerabilities. Existing fuzzing techniques predominantly focus on maximizing code coverage to unearth potential security issues. However, the mere expansion of explored code does not necessarily correlate with an increased discovery of vulnerabilities. Additionally, existing fuzzers often neglect comprehensive execution path information in code exploration. Consequently, potential vulnerabilities may be delayed or overlooked in the fuzzing process. To address this, we propose VPGFuzz, a vulnerable path-guided fuzzer that can not only explore new code but also exploit known vulnerability path knowledge for vulnerability discovery. It employs a vulnerable path recognition model to identify test cases with potentially vulnerable paths. This model is trained with various execution paths derived from real-world vulnerability PoCs (Proof of Concepts). Based on this model, VPGFuzz applies an explore-exploit seed selection strategy to effectively choose test cases for testing. Unlike traditional seed selection methods that maintain a single queue for exploring new code, this strategy includes a separate queue for retaining test cases identified as potentially vulnerable, allowing for more thorough testing. Experimental results demonstrate that VPGFuzz discovers 24 previously unknown vulnerabilities, with 18 receiving vulnerability identifiers from third-party organizations such as CVE. Our evaluation also shows VPGFuzz’s superior efficiency by uncovering the first vulnerability approximately 1.2 to 70 times faster than popular fuzzers in most programs.
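The abstract describes an explore-exploit seed selection with two queues, fed by a model that flags test cases whose execution path resembles known vulnerability PoCs. The Python below is an added illustration of that scheduling idea, not VPGFuzz's code: the learned path-recognition model is replaced by a constructed stand-in (n-gram Jaccard overlap with known PoC paths over basic-block ids), the `threshold` of 0.3, the alternating pick policy and the sample paths are assumptions. What it shows is the structural point: a seed that only adds coverage goes to the explore queue, a seed whose path looks vulnerable is also retained in a separate exploit queue (even if it adds no new coverage), and the scheduler keeps returning to exploit-queue seeds instead of letting them drown in the coverage queue.

```python
from collections import deque


def path_ngrams(path, n=3):
    """Set of n-grams of basic-block ids (the path representation assumed here)."""
    return {tuple(path[i:i + n]) for i in range(len(path) - n + 1)}


class VulnPathScorer:
    """Stand-in for the paper's learned vulnerable-path model: score a path by
    its best n-gram Jaccard overlap with the execution paths of known PoCs."""

    def __init__(self, poc_paths, n=3):
        self.n = n
        self.known = [path_ngrams(p, n) for p in poc_paths]

    def score(self, path):
        grams = path_ngrams(path, self.n)
        if not grams or not self.known:
            return 0.0
        return max(len(grams & k) / len(grams | k) for k in self.known)


class TwoQueueScheduler:
    """explore: seeds that reached never-seen edges (the usual coverage queue).
    exploit: seeds whose path scored above `threshold`. A seed can sit in both.
    Picks alternate between the queues; each queue is rotated so every retained
    seed keeps getting fuzzed."""

    def __init__(self, scorer, threshold=0.3):
        self.scorer = scorer
        self.threshold = threshold
        self.explore = deque()
        self.exploit = deque()
        self.seen_edges = set()
        self.ticks = 0

    def add_seed(self, seed_id, path):
        """Returns the queues the seed was admitted to; [] means it is dropped."""
        placed = []
        new_edges = set(zip(path, path[1:])) - self.seen_edges
        if new_edges:
            self.seen_edges |= new_edges
            self.explore.append(seed_id)
            placed.append("explore")
        if self.scorer.score(path) >= self.threshold:
            self.exploit.append(seed_id)
            placed.append("exploit")
        return placed

    def next_seed(self):
        """Alternate exploit/explore, falling back to whichever queue is non-empty."""
        self.ticks += 1
        use_exploit = bool(self.exploit) and (self.ticks % 2 == 0 or not self.explore)
        queue = self.exploit if use_exploit else self.explore
        if not queue:
            return None
        seed = queue.popleft()
        queue.append(seed)
        return seed


# Constructed example: one PoC path for a length-check bug and three seeds.
# Seed A follows the PoC path almost to the end, B takes the reject branch,
# C is a duplicate of B (no new edges, no vulnerable-looking path).
POC_PATHS = [["entry", "parse_hdr", "read_len", "alloc", "memcpy", "ret"]]
SEEDS = {
    "A": ["entry", "parse_hdr", "read_len", "alloc", "memcpy", "free"],
    "B": ["entry", "parse_hdr", "check_len", "reject"],
    "C": ["entry", "parse_hdr", "check_len", "reject"],
}


def demo():
    sched = TwoQueueScheduler(VulnPathScorer(POC_PATHS))
    placements = {sid: sched.add_seed(sid, path) for sid, path in SEEDS.items()}
    picks = [sched.next_seed() for _ in range(4)]
    return placements, picks


if __name__ == "__main__":
    print(demo())
```

In a real fuzzer the path would come from edge-coverage instrumentation and the scorer from the trained model; the two-queue logic is the part that stays the same.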
PaperID: 18,   
Authors:  Luke Chen, Youssef Gamal, Yanda Li, Shih-Yuan Yu, Ihsen Alouani, Mohammad Abdullah Al Faruque
Affiliations: Department of Electrical Engineering and Computer Science, University of California at Irvine, Irvine, CA, USA; Centre for Secure Information Technologies (CSIT), Queen’s University, Belfast, U.K.
Title: DART: Distribution-Aware Hardware Trojan Detection
Abstract:
Machine Learning (ML) has proven effective in Integrated Circuits (IC) security, particularly in Hardware Trojan (HT) detection. However, a model’s generalization potential depends on its ability to address distribution shifts (DS) in unseen data. Mitigating DS enhances a model’s adaptability to novel variations and threats within the dynamic realm of IC designs and HTs. We formulate HT detection as a DS problem, introducing DART, a novel Distribution-Aware HT detection framework, to enhance model generalization. Applying DART on state-of-the-art Graph Neural Network architecture yields up to 22.96% and 17.37% F1-score improvements for unseen IC designs diverging significantly from the training data.
PaperID: 19,   
Authors:  Eldor Abdukhamidov, Tamer Abuhmed, Joanna C. S. Santos, Mohammed Abuhamad
Affiliations: Department of Computer Science and Engineering, Sungkyunkwan University, Suwon, South Korea; Department of Computer Science and Engineering, University of Notre Dame, Notre Dame, IN, USA; Department of Computer Science, Loyola University Chicago, Chicago, IL, USA
Title: AdvChar: Attacking Interpretable NLP Systems
Abstract:
Studies have shown that machine learning systems are vulnerable to adversarial examples in theory and practice. While previous attacks have focused mainly on visual models that exploit the difference between human and machine perception, text-based models have also fallen victim to these attacks. However, these attacks often fail to maintain the semantic meaning and similarity of the text. This paper introduces AdvChar, a black-box attack on Interpretable Natural Language Processing Systems, designed to mislead the classifier while keeping the interpretation similar to benign inputs, thus exploiting trust in system transparency. AdvChar achieves this by making less noticeable modifications to text input, forcing the deep learning classifier to make incorrect predictions while preserving the original interpretation. We use an interpretation-focused scoring approach to determine the most critical tokens that, when changed, can cause the classifier to misclassify the input. We apply simple character-level modifications to measure the importance of tokens, minimizing the difference between the original and new text while generating adversarial interpretations similar to benign ones. We thoroughly evaluated AdvChar by testing it against seven NLP models and three interpretation models using benchmark datasets for the classification task. Our experiments show that AdvChar can significantly reduce the prediction accuracy of current deep learning models by altering just two characters on average in input samples.
PaperID: 20,   
Authors:  Kai Zhang, Xin Yuan, Ruoxi Sun, Chaoqun Hong, Minhui Xue
Affiliations: School of Computer and Information Engineering, Xiamen University of Technology, Xiamen, Fujian, China; Data, CSIRO, Marsfield, Australia; Responsible AI Research (RAIR) Centre, The University of Adelaide, Adelaide, Australia
Title: Traceable and Collision-Resilient Differential Privacy
Abstract:
Differential Privacy (DP) is a preeminent technique for data privacy by introducing noise to sensitive information. However, traditional DP mechanisms excessively rely on third parties to ensure traceability, necessitating strong background assumptions that are frequently impractical in real-world scenarios. This reliance makes it difficult to preserve both privacy and traceability. To address these challenges, we propose a novel Traceable and Collision-Resilient Differential Privacy (TCRDP) mechanism. The TCRDP mechanism simultaneously publishes perturbed results and data fingerprints, retaining partial information from the original data in a collision-resilient manner to facilitate future verification. Moreover, the TCRDP mechanism integrates an innovative noise generation process, leveraging hash values and a customized Laplace-like distribution to produce noise. This strategy mitigates the risk of adversaries compromising privacy through enumeration and yields a more concentrated noise distribution with reduced variance. We evaluated the TCRDP mechanism using three datasets: ICUs, Diabetes, and RAHRD, across various query types. The experimental results demonstrated significant improvements in data utility, with the TCRDP mechanism achieving great reductions in Mean Absolute Error (MAE) and Mean Squared Error (MSE) compared to traditional mechanisms. The TCRDP mechanism also maintained lower Accuracy Loss (AL) across different privacy budgets and dataset sizes, highlighting its robustness and scalability. These findings underscore the potential of the TCRDP mechanism to advance privacy-preserving data analysis, offering significant enhancements over existing methods in both accuracy and utility.
PaperID: 21,   
Authors:  Yibiao Lu, Bingsheng Zhang, Kui Ren
Affiliations: State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China
Title: Load-Balanced Server-Aided MPC in Heterogeneous Computing
Abstract:
Most existing MPC protocols consider the homogeneous setting, where all the MPC players are assumed to have identical communication and computation resources. In practice, the player with the least resources often becomes the bottleneck of the entire MPC protocol execution. In this work, we initiate the study of so-called load-balanced MPC in heterogeneous computing. A load-balanced MPC protocol can adjust the workload of each player accordingly to maximize the overall resource utilization. In particular, we propose new notions called composite circuit and composite garbling scheme, and construct two efficient server-aided protocols with malicious security and semi-honest security, respectively. Our maliciously secure protocol is over 400× faster than the authenticated garbling protocol (CCS ’17) and up to 4.3× faster than the state-of-the-art server-aided MPC protocol of Lu et al. (TDSC ’23); our semi-honest protocol is up to 173× faster than the optimized BMR protocol (CCS ’16) and is up to 3.8× faster than the protocol of Lu et al.
PaperID: 22,   
Authors:  Yue Huang, Huizhong Li, Yi Sun, Sisi Duan
Affiliations: Department of Computer Science and Technology, Tsinghua University, Beijing, China; ICT, UCAS, Beijing, China; Institute of Advanced Study, Tsinghua University, Beijing, China
Title: Byzantine Fault Tolerance With Non-Determinism, Revisited
Abstract:
Conventional Byzantine fault tolerance (BFT) requires replicated state machines to execute deterministic operations only. In practice, numerous applications and scenarios, especially in the era of blockchains, contain various sources of non-determinism. Meanwhile, it is even sometimes desirable to support non-determinism, and replicas still agree on the execution results. Despite decades of research on BFT, we still lack an efficient and easy-to-deploy solution for BFT with non-determinism—BFT-ND, especially in the asynchronous setting. We revisit the problem of BFT-ND and provide a formal and asynchronous treatment of BFT-ND. In particular, we design and implement Block-ND that insightfully separates the task of agreeing on the order of transactions from the task of agreement on the state: Block-ND allows reusing existing BFT implementations; on top of BFT, we reduce the agreement on the state to multivalued Byzantine agreement (MBA), a somewhat neglected primitive by practical systems. Block-ND is completely asynchronous as long as the underlying BFT is asynchronous. We provide a new MBA construction that is significantly faster than existing MBA constructions. We instantiate Block-ND in both the partially synchronous setting (with PBFT, OSDI 1999) and the purely asynchronous setting (with PACE, CCS 2022). Via a 91-instance WAN deployment on Amazon EC2, we show that Block-ND has only marginal performance degradation compared to conventional BFT.
PaperID: 23,   
Authors:  Rujia Li, Yuanzhao Li, Qin Wang, Sisi Duan, Qi Wang, Mark Ryan
Affiliations: Institute for Advanced Study, Tsinghua University, Beijing, China; Department of Computer Science and Engineering, Southern University of Science and Technology (SUSTech), Shenzhen, China; CSIRO Data, Sydney, NSW, Australia; Department of Computer Science and Engineering, National Center for Applied Mathematics Shenzhen, Southern University of Science and Technology (SUSTech), Shenzhen, China; School of Computer Science, University of Birmingham, Birmingham, U.K.
Title: Accountable Decryption Made Formal and Practical
Abstract:
With the increasing scale and complexity of online activities, accountability, as an after-the-fact mechanism, has become an effective complementary approach to ensure system security. Decades of research have delved into the connotation of accountability. They fail, however, to achieve practical accountability of decryption. This paper seeks to address this gap. We consider the scenario where a client (called encryptor, her) encrypts her data and then chooses a delegate (a.k.a. decryptor, him) that stores data for her. If the decryptor initiates an illegitimate decryption on the encrypted data, there is a non-negligible probability that this behavior will be detected, thereby holding the decryptor accountable for his decryption. We make three contributions. First, we review key definitions of accountability known so far. Based on extensive investigations, we formalize new definitions of accountability specifically targeting the decryption process, denoted as accountable decryption, and discuss the (im)possibilities when capturing this concept. We also define the corresponding security goals. Second, we present a novel Trusted Execution Environment (TEE)-assisted solution aligning with these definitions. Instead of fully trusting the TEE, we take a further step, making the TEE work in the “trust, but verify” model, where we trust the TEE and use its service but empower users (i.e., decryptors) to detect the potentially compromised state of TEEs. Third, we implement a full-fledged system and conduct a series of evaluations. The results demonstrate that our solution is efficient. Even in a scenario involving 300,000 log entries, the decryption process concludes in approximately 5.5ms, and malicious decryptors can be identified within 69ms.
PaperID: 24,   
Authors:  Xue Chen, Cheng Wang, Qing Yang, Teng Hu, Changjun Jiang
Affiliations: Key Laboratory of Embedded System and Service Computing, Ministry of Education, Tongji University, Shanghai, China
Title: Privacy Passport: Privacy-Preserving Cross-Domain Data Sharing
Abstract:
Data sharing facilitates the integration and in-depth exploration of cross-domain data, thereby fostering innovative research and model development. However, privacy leakage emerges as a critical barrier to the sharing and circulation of such data. Existing privacy-preserving technologies face challenges in handling complex scenarios involving multiple participants due to the following reasons: 1) Divergent privacy permissions. Data sharing is constrained by various privacy limitations, necessitating the consideration of privacy permissions across different domains, akin to a cross-border process. 2) High collaboration cost. Collaboration among multiple domains to determine the privacy constraints and sharing methods incurs additional costs. 3) Large noise magnitude. Traditional privacy techniques that protect the privacy of a single domain using local differential privacy (LDP) may introduce excessive noise, thereby reducing data utility. Drawing inspiration from the cross-border visa issuance process, we present an innovative framework called PriVisa for enabling privacy-preserving data sharing across different domains. It consists of four key modules to overcome the mentioned challenges: the hybrid pattern, optimized sharing path construction, personalized grouping, and LDP-based perturbation. 1) The hybrid pattern for coordination among organizations, considering authentication, privacy constraints, and sharing methods. 2) The optimized sharing path construction using a privacy constraint hierarchy tree to maximize data utility while adhering to privacy requirements. 3) The feature similarity grouping and perturbing mechanism satisfying LDP to protect privacy and optimize data utility. The theoretical and experimental validation confirms PriVisa’s effectiveness in addressing divergent privacy constraints and promoting data utility in cross-domain data sharing.
PaperID: 25,   
Authors:  Xue Gong, Fan Zhang, Xin-jie Zhao, Jie Xiao, Shize Guo
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, China; College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China; College of Control Science and Engineering, Zhejiang University, Hangzhou, China
Title: Key Schedule Guided Persistent Fault Attack
Abstract:
Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to a block cipher that has multiple S-boxes, the key cannot be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) to the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes: DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (corresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered with two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (corresponding to 6211 ciphertexts) in 1.16min.
PaperID: 26,   
Authors:  Jingwei Chen, Linhan Yang, Wenyuan Wu, Yang Liu, Yong Feng
Affiliations: Chongqing Key Laboratory of Secure Computing for Biology, Chongqing Institute of Green and Intelligent Technology, CAS, Chongqing, China; School of Information Science and Engineering, Chongqing Jiaotong University, Chongqing, China
Title: Homomorphic Matrix Operations Under Bicyclic Encoding
Abstract:
Homomorphically encrypted matrix operations are extensively used in various privacy-preserving applications. Consequently, reducing the cost of encrypted matrix operations is a crucial topic on which numerous studies have been conducted. In this paper, we introduce a novel matrix encoding method, named bicyclic encoding, under which we propose two new algorithms, BMM-I and BMM-II, for encrypted matrix multiplication. BMM-II outperforms the state-of-the-art algorithms in theory, while BMM-I, combined with the segmented strategy, performs well in practice, particularly for matrices with high dimensions. Another noteworthy advantage of bicyclic encoding is that it allows transposing an encrypted matrix entirely for free. A comprehensive experimental study based on our proof-of-concept implementation shows that each algorithm introduced in this paper has specific scenarios in which it outperforms existing algorithms, achieving speedups ranging from 2x to 38x.
PaperID: 27,   
Authors:  Mingzhi Hu, Hongxia Wang
Affiliations: School of Cyber Science and Engineering and the Key Laboratory of Data Protection and Intelligent Management, Ministry of Education, Sichuan University, Chengdu, China
Title: Mutual Information-Optimized Steganalysis for Generative Steganography
Abstract:
Coverless generative steganography is a highly secure method of information hiding. With the advent of the AI-generated content (AIGC) era, the widespread dissemination of generative content on the internet provides an excellent hiding environment for generative steganographic images. Generative steganographic images do not require the participation of carrier images, rendering existing steganalysis methods obsolete. However, there are currently no detection methods specifically targeting generative steganographic content. To address this gap, we propose a steganalysis method for generative steganographic images. Our approach focuses on the intrinsic differences between generative steganographic images and ordinary generative images. Through comparative analysis, we propose optimizing the detection model using mutual information estimation. We hypothesize about the distribution characteristics of steganographic signals and design a feature discrimination loss function to further guide the model’s optimization. In addition to designing a feature extraction network to extract features from different image regions, we also incorporate an image classification model pretrained on a large dataset to extract classification features for the final classification. Experimental results in various training and testing scenarios demonstrate that the proposed model not only possesses excellent detection capability but also exhibits reliable generalization compared to other models. Furthermore, we provide necessary descriptions and analysis to validate the rationale behind the network design.
PaperID: 28,   
Authors:  Huajie Chen, Tianqing Zhu, Lefeng Zhang, Bo Liu, Derui Wang, Wanlei Zhou, Minhui Xue
Affiliations: Faculty of Data Science, City University of Macau, Xian Xing Hai, Macau; Faculty of Engineering and Information Technology, University of Technology Sydney, Ultimo, NSW, Australia; CSIRO’s Data, Eveleigh, NSW, Australia
Title: QUEEN: Query Unlearning Against Model Extraction
Abstract:
Model extraction attacks currently pose a non-negligible threat to the security and privacy of deep learning models. By querying the model with a small dataset and using the query results as the ground-truth labels, an adversary can steal a piracy model with performance comparable to the original model. Two key issues cause the threat: on the one hand, the adversary can obtain accurate and unlimited queries; on the other hand, the adversary can aggregate the query results to train the model step by step. The existing defenses usually employ model watermarking or fingerprinting to protect the ownership. However, these methods cannot proactively prevent the violation from happening. To mitigate the threat, we propose QUEEN (QUEry unlEarNing), which proactively launches counterattacks on potential model extraction attacks from the very beginning. To limit the potential threat, QUEEN has sensitivity measurement and output perturbation that prevent the adversary from training a piracy model with high performance. In sensitivity measurement, QUEEN measures the single query sensitivity by its distance from the center of its cluster in the feature space. To reduce the learning accuracy of attacks, for the highly sensitive query batch, QUEEN applies query unlearning, which is implemented by gradient reversal to perturb the softmax output such that the piracy model will generate reverse gradients and unconsciously worsen its performance. Experiments show that QUEEN outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy. The artifact is publicly available at https://github.com/MaraPapMann/QUEEN.
PaperID: 29,   
Authors:  Daniel Günther, Marco Holz, Benjamin Judkewitz, Helen Möllering, Benny Pinkas, Thomas Schneider, Ajith Suresh
Affiliations: Department of Computer Science, Technical University of Darmstadt, Darmstadt, Germany; Department of Biology, Charité–Universitätsmedizin Berlin, Berlin, Germany; Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel; Technology Innovation Institute (TII), Abu Dhabi, United Arab Emirates
Title: Privacy-Preserving Epidemiological Modeling on Mobile Graphs
Abstract:
The latest pandemic COVID-19 brought governments worldwide to use various containment measures to control its spread, such as contact tracing, social distance regulations, and curfews. Epidemiological simulations are commonly used to assess the impact of those policies before they are implemented. Unfortunately, the scarcity of relevant empirical data, specifically detailed social contact graphs, hampered their predictive accuracy. As this data is inherently privacy-critical, a method is urgently needed to perform powerful epidemiological simulations on real-world contact graphs without disclosing any sensitive information. In this work, we present RIPPLE, a privacy-preserving epidemiological modeling framework enabling standard models for infectious disease on a population’s real contact graph while keeping all contact information locally on the participants’ devices. As a building block of independent interest, we present PIR-SUM, a novel extension to private information retrieval for secure download of element sums from a database. Our protocols are supported by a proof-of-concept implementation, demonstrating a 2-week simulation over half a million participants completed in 7 minutes, with each participant communicating less than 50 KB.
PaperID: 30,   
Authors:  Yang Yang, Haihui Fan, Jinchao Zhang, Bo Li, Hui Ma, Xiaoyan Gu
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: SMSSE: Size-Pattern Mitigation Searchable Symmetric Encryption
Abstract:
Searchable Symmetric Encryption (SSE) enables clients to make confidential queries over encrypted data while revealing some formally-defined leakage profiles. Despite the promising performance and application prospects of SSE, the recent leakage-abuse attacks show that a passive adversary can recover queries by exploiting patterns about data disclosed from leakage profiles. Among those attacks, the size pattern is a frequently exploited leakage. Although several countermeasures have been proposed, they can provide neither sufficient protection to mitigate size pattern leakage, nor sufficient scalability for large-scale databases. To address those challenges, we present an SGX-based size-pattern mitigation SSE scheme, SMSSE, with two tailored response padding approaches and an I/O-efficient disk-based index construction. In addition, we evaluate the size pattern leakage after padding through conditional entropy and differential privacy. Furthermore, we demonstrate the scalability robustness of SMSSE on different databases by theoretically deducing the approximate boundary of index reading efficiency under a reasonable query distribution. Experiment results on representative real-world datasets show that SMSSE can provide high utility and strong protection against new size-pattern-based leakage-abuse attacks.
PaperID: 31,   
Authors:  Yihao Huang, Xin Luo, Qing Guo, Felix Juefei-Xu, Xiaojun Jia, Weikai Miao, Geguang Pu, Yang Liu
Affiliations: College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Software Engineering Institute, East China Normal University, Shanghai, China; Institute of High Performance Computing (IHPC) and the Centre for Frontier AI Research (CFAR), Agency for Science, Technology and Research (A*STAR), Fusionopolis, Singapore; New York University, New York City, NY, USA; College of Computing and Data Science, Nanyang Technological University, Singapore
Title: Scale-Invariant Adversarial Attack Against Arbitrary-Scale Super-Resolution
Abstract:
The advent of local continuous image function (LIIF) has garnered significant attention for arbitrary-scale super-resolution (SR) techniques. However, while the vulnerabilities of fixed-scale SR have been assessed, the robustness of continuous representation-based arbitrary-scale SR against adversarial attacks remains an area warranting further exploration. The elaborately designed adversarial attacks for fixed-scale SR are scale-dependent, which will cause time-consuming and memory-consuming problems when applied to arbitrary-scale SR. To address this concern, we propose a simple yet effective “scale-invariant” SR adversarial attack method with good transferability, termed SIAGT. Specifically, we propose to construct resource-saving attacks by exploiting finite discrete points of continuous representation. In addition, we formulate a coordinate-dependent loss to enhance the cross-model transferability of the attack. The attack can significantly deteriorate the SR images while introducing imperceptible distortion to the targeted low-resolution (LR) images. Experiments carried out on three popular LIIF-based SR approaches and four classical SR datasets show remarkable attack performance and transferability of SIAGT.
PaperID: 32,   
Authors:  Shuai Zhao, Junying Zhang, Xindi Ma, Qi Jiang, Zhuo Ma, Sheng Gao, Zuobin Ying, Jianfeng Ma
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; School of Information, Central University of Finance and Economics, Beijing, China; Faculty of Data Science, City University of Macau, Macau, China
Title: FedWiper: Federated Unlearning via Universal Adapter
Abstract:
Privacy preservation is becoming increasingly significant in machine learning, with recent privacy regulations requiring the deletion of personal data and its impact on models. Although erasing data from storage is simple, removing the influence of data on models remains a challenge. Federated unlearning is an emerging paradigm that aims to forget the knowledge contributed by some specific data to the federated model. In this paper, we design a novel federated unlearning strategy, named FedWiper, which enables exact unlearning in federated learning by erasing specific data and its impact from the federated model. Specifically, based on the granularity of the dataset, we propose training multiple federated submodels to construct a federated unlearning framework, thereby narrowing the scope of the impact of wiped data. Furthermore, the proposed Uni-Adapter structure effectively mitigates the negative impact on model performance from diminishing the dataset scale, while also reducing communication cost. Rather than focusing solely on achieving indistinguishable unlearning of the model for the classification task, we extend FedWiper to unlearning for multiple types of tasks and achieve exact unlearning. Experiments demonstrate that FedWiper can not only accelerate federated unlearning, but also achieve exact unlearning across multiple types of tasks in federated learning while ensuring minimal loss of model performance. Our Code: https://github.com/grey1989/FedWiper.
PaperID: 33,   
Authors:  Gaojie Jin, Ronghui Mu, Xinping Yi, Xiaowei Huang, Lijun Zhang
Affiliations: Department of Computer Science, University of Exeter, Exeter, U.K.; National Mobile Communications Research Laboratory, Southeast University, Nanjing, China; Department of Computer Science, University of Liverpool, Liverpool, U.K.; Key Laboratory of System Software, the Institute of Software, and the Institute of AI for Industries, Chinese Academy of Sciences, Beijing, China
Title: Invariant Correlation of Representation With Label
Abstract:
The Invariant Risk Minimization (IRM) approach aims to address the security challenge of out-of-distribution robustness (domain generalization) by training a feature representation that remains invariant across multiple environments. However, in noisy environments, noise can distort invariant features, leading to different environment-specific losses. Current IRM-related methods such as IRMv1 and VREx underperform in these settings because they enforce uniform losses across environments. While environmental noise causes environment-specific losses, it does not alter the fundamental correlation between invariant representations and labels. Based on this observation, we propose ICorr (Invariant Correlation), which leverages this correlation to extract invariant representations in noisy settings. Unlike existing approaches, ICorr accommodates different environment-specific inherent losses while maintaining a necessary condition for identifying IRM classifiers. We present a detailed case study demonstrating why previous methods may lose ground while ICorr can succeed. Through a theoretical lens, particularly from a causality perspective, we illustrate that the invariant correlation of representation with label is a necessary condition for the optimal invariant predictor in noisy environments, whereas the optimization motivations for other methods may not be. Furthermore, we empirically demonstrate the effectiveness of ICorr by comparing it with other domain generalization methods on various noisy datasets.
PaperID: 34,   
Authors:  Wanlun Ma, Derui Wang, Yiliao Song, Minhui Xue, Sheng Wen, Zhengdao Li, Yang Xiang
Affiliations: School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia; Cybersecurity and Quantum Systems Group, CSIRO’s Data, Eveleigh, NSW, Australia; School of Computer and Mathematical Sciences, The University of Adelaide, Adelaide, SA, Australia; School of Artificial Intelligence, Guangzhou University, Guangzhou, China
Title: TrapNet: Model Inversion Defense via Trapdoor
Abstract:
Model inversion (MI) attacks, for which effective defense strategies are still lacking, pose significant risks to privacy by reconstructing private training data through access to well-trained classifiers. Addressing this concern, this study introduces TrapNet, designed to defend against advanced MI attacks while maintaining good model utility. TrapNet intentionally injects trapdoors into the classification manifold of the protected target model. In this way, TrapNet can effectively mislead MI attack optimization. Specifically, TrapNet leverages a conditional GAN (cGAN) trained on the private dataset to generate diverse and realistic trapdoor samples. In addition, we propose a graph-matching self-obfuscation strategy and an entropy regularization technique to optimize trapdoor injection while preserving model utility. Compared to the existing defense, TrapNet can provide universal protection to all target classes without access to any auxiliary public data. Extensive experiments on CelebA, VGG-Face, and VGG-Face2 datasets demonstrate TrapNet’s superior performance over existing defenses, including the most advanced NetGuard and BiDO, against state-of-the-art model inversion attacks, i.e., PLG-MI, LOMMA, and Plug&Play.
PaperID: 35,   
Authors:  Changsong Jiang, Chunxiang Xu, Zhen Liu, Xinfeng Dong, Wenzheng Zhang
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Science and Technology on Communication Security Laboratory, Chengdu, China
Title: Threshold Password-Hardening Updatable Oblivious Key Management
Abstract:
We propose a threshold password-hardening updatable oblivious key management system dubbed TPH-UOKM for cloud storage. In TPH-UOKM, a group of key servers share a user-specific secret key for a user, and assist the user in producing her/his password-derived private key in a threshold and oblivious way, where the password is hardened to resist offline dictionary guessing attacks. Anyone can outsource data protected with the user’s password-derived public key to the cloud server, and merely the user holding the correct password can recover the password-derived private key for data access. TPH-UOKM can accomplish decryption of N ciphertexts with the complexity O(1) of communication between a user and the key servers, which outperforms existing schemes. TPH-UOKM supports password update. The cloud server can update all protected data of a user with an update token to be accessible only with the new password, which resists password leakage. We present a two-level proactivization mechanism to periodically update user-specific secret key shares and the key servers to thwart perpetual compromise of them, where the renewal of user-specific secret key shares reduces computation and communication costs compared to existing approaches. Provable security and high efficiency of TPH-UOKM are demonstrated by comprehensive analyses and performance evaluations.
PaperID: 36,   
Authors:  Shuang Li, Jiaxu Leng, Changjiang Kuang, Mingpi Tan, Xinbo Gao
Affiliations: School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing, China
Title: Video-Level Language-Driven Video-Based Visible-Infrared Person Re-Identification
Abstract:
Video-based Visible-Infrared Person Re-Identification (VVI-ReID) aims to match pedestrian sequences across modalities by extracting modality-invariant sequence-level features. As a high-level semantic representation, language provides a consistent description of pedestrian characteristics in both infrared and visible modalities. Leveraging the Contrastive Language-Image Pre-training (CLIP) model to generate video-level language prompts and guide the learning of modality-invariant sequence-level features is theoretically feasible. However, the challenge of generating and utilizing modality-shared video-level language prompts to address modality gaps remains a critical problem. To address this problem, we propose a simple yet powerful framework, video-level language-driven VVI-ReID (VLD), which consists of two core modules: invariant-modality language prompting (IMLP) and spatial-temporal prompting (STP). IMLP employs a joint fine-tuning strategy for the visual encoder and the prompt learner to effectively generate modality-shared text prompts and align them with visual features from different modalities in CLIP’s multimodal space, thereby mitigating modality differences. Additionally, STP models spatiotemporal information through two submodules, the spatial-temporal hub (STH) and spatial-temporal aggregation (STA), which further enhance IMLP by incorporating spatiotemporal information into text prompts. The STH aggregates and diffuses spatiotemporal information into the [CLS] token of each frame across the vision transformer (ViT) layers, whereas STA introduces dedicated identity-level loss and specialized multihead attention to ensure that the STH focuses on identity-relevant spatiotemporal feature aggregation. The VLD framework achieves state-of-the-art results on two VVI-ReID benchmarks. On the HITSZ-VCM dataset, it improves the Rank-1 accuracy by 7.3% and mAP by 7.6% (infrared-to-visible) and the Rank-1 accuracy by 10.4% and the mAP accuracy by 9.3% (visible-to-infrared) and requires only 2 hours of training, 2.39M additional parameters, and 0.12G FLOPs. The code will be released at https://github.com/Visuang/VLD.
PaperID: 37,   
Authors:  Zhiwei Li, Qi Li, Min Ren, Yiwei Ru, Zhenan Sun
Affiliations: New Laboratory of Pattern Recognition and the State Key Laboratory of Multimodal Artificial Intelligence Systems, Institute of Automation, Chinese Academy of Sciences, Beijing, China; School of Artificial Intelligence, Beijing Normal University, Beijing, China
Title: Enhancing Adversarial Transferability With Alignment Network
Abstract:
Deep neural networks (DNNs) have been confirmed to exhibit vulnerability, as they are susceptible to deception by adversarial examples. Transfer-based attacks perturb a surrogate model and use the transferability of adversarial examples to attack other models. The effectiveness of these attacks relies heavily on the surrogate model, which often focuses on non-critical regions like backgrounds or object edges, leading to poor transferability. The intrinsic properties of the surrogate model fundamentally determine the performance of transfer-based attacks, yet this aspect has rarely been the focus of research. Therefore, we respectively design image masking operations for Convolutional Neural Networks (CNNs) and Vision Transformers (ViTs), forcing the model to reallocate attention to the critical regions. The attention of the surrogate model on the masked image and the original image is then aligned by inserting an alignment network inside the model. The modified surrogate model becomes more proficient in capturing the critical regions within the image, thereby generating more powerful adversarial examples. The proposed alignment network can be integrated into existing transfer-based attacks, significantly enhancing their performance. In addition, we also propose a novel feature-level attack based on the aligned attention, demonstrating superior performance compared to existing state-of-the-art feature-level attacks.
PaperID: 38,   
Authors:  Haeung Choi, Seungmin Kim, Heung-No Lee
Affiliations: School of Electrical Engineering and Computer Science (EECS), Gwangju Institute of Science and Technology (GIST), Gwangju, South Korea
Title: Error Correction Code Verifiable Computation Consensus
Abstract:
In blockchain, proof-of-work (PoW) is a popular consensus mechanism in which block publishers secure block contents through competitive computation. This competition has led to the emergence of specialized computing devices, such as application-specific integrated circuits (ASICs). Consequently, block publishing has become monopolized by a small group of top publishers equipped with ASICs and benefiting from economies of scale. This monopoly undermines the immutability and security that are derived from the decentralized structure of blockchains. In this paper, we introduce a type of blockchain consensus algorithm named error-correction code verifiable computation consensus (ECCVCC), which includes conventional PoW. After that, we propose a novel ECCVCC utilizing a syndrome decoding problem as its crypto puzzle. The ECCVCC algorithm suppresses the development of efficient ASICs by utilizing time-varying cryptographic puzzles. As a result, the decentralization of a blockchain with ECCVCC can be improved compared to blockchains with other consensus algorithms. Our analysis and simulation demonstrate that ECCVCC achieves robust control over block-generation time and difficulty under practical scenarios. Finally, we discuss how ASIC-resistant consensus algorithms, such as ECCVCC, keep a blockchain network decentralized for a significantly longer period compared to conventional hash-PoW.
PaperID: 39,   
Authors:  Sang Wu Kim
Affiliations: Department of Electrical and Computer Engineering, Iowa State University, Ames, IA, USA
Title: Covert Message Authentication in MIMO Communications
Abstract:
We propose a novel covert message authentication technique designed to completely obscure the existence of the digital signature, rendering it secure against integrity attacks. This innovative approach not only thwarts counterfeiting attempts of digital signatures but also effectively evades the scrutiny of potential hackers, thereby protecting the authentication scheme proactively. The core idea involves superimposing the digital signature onto the message and harnessing the capabilities of multiple input multiple output (MIMO) techniques to obfuscate the signature. We demonstrate that the total detection error probability (sum of false alarm and miss detection probability) of the signature approaches unity with an increasing number of transmitter antennas, indicating the undetectability of the signature, regardless of its transmission power. Furthermore, we analyze the impact of this covert verification on the signature decoding error probability and the authenticated message throughput, providing insights into the overall effectiveness of the proposed technique in protecting the authenticity of the message. We also investigate how artificial noise affects the total detection error probability and the authenticated message throughput. Finally, we compare two approaches to signature protection: signature secrecy which prevents eavesdroppers from gaining any meaningful information about the signature and signature covertness which hides the signature transmission.
PaperID: 40,   
Authors:  Zechao Hu, Zhengwei Yang, Hao Li, Zheng Wang
Affiliations: National Engineering Research Center for Multimedia Software, Institute of Artificial Intelligence, School of Computer Science, Wuhan University, Wuhan, China
Title: Contrastive-Generative-Contrastive: Neutralize Subjectivity in Sketch Re-Identification
Abstract:
Sketch-based person re-identification (Sketch re-ID) aims to match pedestrian figures in hand-drawn sketches with their corresponding RGB photos. This technique allows for person retrieval or tracking in surveillance systems when the target person’s RGB photo is not available. While previous research predominantly focused on bridging the modality gap between sketches and RGB photos, the influence of the inherent subjectivity in hand-drawn sketches on re-ID performance remains under-explored. This subjectivity, originating from the artist’s unique style, perceptions, and interpretations, introduces inaccuracies in depicting pedestrian appearances, thereby posing additional challenges such as feature distortion and stylistic variation. This paper introduces a Contrastive-Generative-Contrastive (CGC) framework for subjective style-insensitive re-ID. The framework employs a generative model optimized through self-supervision by contrasting positive and negative pairs of pedestrian sketches and RGB photos. In this manner, it simulates an additional artist specializing in transforming original sketches from various subjective styles into uniform ones. Besides, a simple yet effective weighted contrastive learning loss is proposed to further enhance the model’s focus on pedestrian ID-relevant features. Experimental results demonstrate that the proposed method significantly reduces the influence of subjectivity in feature extraction, achieving new state-of-the-art results on benchmark datasets.
PaperID: 41,   
Authors:  Shiyu Zuo, Haijian Zhang, Lexuan Xu, Sijin Wu, Guang Hua
Affiliations: School of Electronic Information, Wuhan University, Wuhan, Hubei, China; Infocomm Technology Cluster, Singapore Institute of Technology, Dover Dr, Singapore
Title: Robust ENF Estimation in Contaminated Audio
Abstract:
Electric network frequency (ENF) is an important criterion in audio forensic analysis. However, environmental uncertainties often introduce various types of noises, diminishing the number of useful ENF samples in audio recordings. This issue is even more challenging in short-duration recordings. To address this issue, we propose an adaptive-window-based harmonic recombination (AWHR) method, which can accurately estimate ENF from noisy audio. Initially, we identify noisy samples and use a metric called noise ratio (NR) to determine the optimal harmonic. Adaptive windows are selectively applied to the noisy samples of the optimal harmonic to mitigate frequency spikes, prevent distortions, and preserve signal quality. This step also reduces computational complexity by minimizing the number of samples requiring enhancement. Finally, via a proposed harmonic recombination mechanism, we improve the number of useful ENF samples, which reduces the NR. Given the lack of ENF datasets designed to evaluate considerably contaminated audio, we have also built an ENF noisy audio harmonic (ENF-NAH) dataset. Experiments on public ENF-WHU and our ENF-NAH datasets show that the proposed AWHR method is effective in handling varying levels of contamination and is applicable to both long and short audio recordings.
PaperID: 42,   
Authors:  Zhiyang Dai, Yansong Gao, Boyu Kuang, Yifeng Zheng, Ajmal Mian, Ruimin Wang, Anmin Fu
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; The University of Western Australia, Perth, WA, Australia; Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hong Kong, China; Information Engineering University, Zhengzhou, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Title: Division and Union: Latent Model Watermarking
Abstract:
Model watermarking is a widely adopted mechanism for protecting deep learning (DL) model intellectual property (IP). Black-box verifiable watermarking typically involves injecting backdoors that cause the model to produce predetermined outputs for specific inputs. In contrast, white-box verifiable watermarking uses steganographic techniques to embed watermarks into weight parameters or activation values. However, the former poses new security risks, while the latter often lacks robustness against removal techniques. In this paper, we propose a latent model watermarking, constructing upon the model Division and Union operating concept, dubbed as DUO, leveraging the strengths of two watermarking methods above while eliminating each shortcoming. Once the model owner or provider embeds a watermark into the model using watermark data, the watermarked model is divided into two parts: the main model, which corresponds to the primary task and is made publicly available, and a small sub-network privately reserved by the owner. The watermark resides latently within the main model and can only be activated through the private sub-network (the reserved parameters) when they are united. Consequently, DUO does not adversely affect the performance of the main model on its primary task and does not induce any security risks, even in the presence of watermark data. We extensively validate DUO on four benchmark datasets (CIFAR-10, ImageNette, CIFAR-100, and Tiny-ImageNet) using various model architectures, including standardized ResNet and VGG. The results affirm its capability to accurately verify model ownership without compromising model accuracy. It exhibits a 100% detection accuracy on pirated/positive testing models (96 models are tested) with a 0% false positive rate on normal/negative testing models (64 models are tested). Due to its latent nature, DUO is both effective and robust, capable of withstanding a wide range of state-of-the-art watermark laundering including severe model fine-tuning and pruning. We further evaluate and demonstrate that DUO remains robust against adaptive attacks, even when both the watermark data and the reserved parameters are known to the adversary.
PaperID: 43,   
Authors:  Huan Teng, Yuhui Quan, Yong Xu, Jun Huang, Hui Ji
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, China; Platform of AI, Alibaba Cloud, Hangzhou, China; Department of Mathematics, National University of Singapore, Queenstown, Singapore
Title: Model Extraction for Image Denoising Networks
Abstract:
Model Extraction (ME) replicates the performance of another entity’s pretrained model without authorization. While extensively studied in image classification, object detection, and other tasks, ME for image restoration has been scarcely studied despite its broad applications. This paper presents a novel ME framework for image denoising networks, a fundamental one in image restoration. The framework tackles unique challenges like the black-box nature of the victim model, limiting access to its parameters, gradients, and outputs, and the difficulty of acquiring data that matches the original noise distribution while having adequate diversity. Our solution involves simulating the victim’s noise conditions to transform clean images into noisy ones and introducing loss functions to optimize the generator and substitute model. Experiments show that our method closely approximates the victim model’s performance and improves generalization in some scenarios. To the best of our knowledge, this work is the first to address ME in the field of image restoration, paving the way for future research in this area.
PaperID: 44,   
Authors:  Nan Gao, Kai Fan, Zhen Zhao, Willy Susilo, Zhoutong Xiong, Hui Li
Affiliations: State Key Laboratory of Integrated Service Networks, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
Title: Conjunctive Keyword Search With Dynamic Group-User
Abstract:
In order to ensure data security and improve data usability, searchable encryption has been widely used in cloud computing systems. However, malicious single users with search privileges bring heavy privacy threats to the system. Threshold searchable encryption provides a collaborative search service for group users; a single user cannot search for ciphertext. However, threshold searchable encryption based on the Shamir secret sharing mechanism cannot achieve flexible user dynamics, since the Lagrange interpolation polynomial for recovering the secret value changes whenever a group user is added or deleted, so that the ciphertext or trapdoor containing the Lagrange interpolation formula needs to be recreated. In this paper, the conjunctive keyword search with dynamic group-user scheme (CKSDGU) is proposed to realize flexible addition and deletion of group users. The proposed CKSDGU scheme can match successfully without the data owner resetting the ciphertext and without the original data user regenerating trapdoors. In addition, multi-keyword conjunctive retrieval is implemented in the CKSDGU scheme, and group users can search for the target ciphertexts that contain all users’ query keyword sets. The security analysis illustrates that the CKSDGU scheme can resist chosen keyword attacks and keyword guessing attacks. The performance analysis presents that our scheme has considerable overhead and efficient computational cost in the user dynamic stage.
PaperID: 45,   
Authors:  Xudong Yang, Zhenjia Xiao, Xiaoyu Wu, Kaiwen Xing, He Tang, Tao Yang, Kaitai Liang, Hu Xiong
Affiliations: School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Life Sciences, Biocomputing Facility, Technology Center for Protein Sciences, Tsinghua University, Beijing, China; Department of Computing, University of Turku, Turku, Finland
Title: Improving Password Guessing With Isomorphism Modeling
Abstract:
Passwords remain one of the most widely used forms of authentication in modern systems. However, their inherent predictability, stemming from common user behaviors in password creation, renders password-based authentication vulnerable to guessing attacks. To balance memorability and security, users often construct isomorphic variants of a base password by altering its structure, such as transforming 123abc into 1a2b3c. These variants pose significant challenges to traditional password guessing models. In particular, mainstream approaches such as Markov model and Probabilistic Context-Free Grammar (PCFG) model struggle to capture the structural relationships among these variants. To address this challenge, we propose PassGIN, a password guessing framework based on Graph Isomorphism Networks (GIN). By modeling a password as a graph, PassGIN captures both local adjacency and character rearrangement patterns, enabling the model to distinguish subtle structural differences between base passwords and their isomorphic variants. To further enhance performance, we introduce PassCluster, a dynamic edge-weighting mechanism that leverages adjacency frequencies observed in large-scale password datasets. This allows GIN to more effectively learn structural variations and generate accurate guesses. Extensive experiments on eight real-world datasets demonstrate that PassGIN consistently outperforms state-of-the-art models in both intra-site and cross-site password guessing scenarios, achieving relative improvements of 23.49% and 74.53%, respectively.
PaperID: 46,   
Authors:  Haoyang Huang, Fengwei Zhang
Affiliations: Department of Informatics, King’s College London, London, U.K.; Cardiff University, Cardiff, U.K.; CWI, Amsterdam, The Netherlands
Title: Optimal String Sanitization Against Strategic Attackers
Abstract:
Strings (sequences of elements) are often disseminated to support applications, e.g., in bioinformatics, web analysis, and transportation. Unfortunately, this may expose sensitive patterns that model confidential knowledge. Concealing the occurrences of sensitive patterns in a string (e.g., by deleting some elements) while minimizing the associated quality loss has been the objective of several string sanitization methods. However, real-world attackers are likely to possess background knowledge about the string, e.g., an individual’s genome sequence is almost identical to a reference genome sequence. In addition, it is good security practice to assume that the attacker will know the algorithm that has been used to sanitize the string (Kerckhoffs’ principle). Yet, all existing methods fail to protect strings against such attackers, risking privacy breaches in critical applications. In our work, we consider for the first time how to defend against strategic attackers who possess such knowledge. To achieve this, we propose a novel framework to sanitize a string by probabilistically replacing carefully selected patterns. As part of this framework, we design three mathematical programming algorithms which compute the optimal replacement probabilities under different objectives and constraints, offering different privacy gain / quality loss tradeoffs. Our algorithms protect against strategic attackers using new concepts and measures, protect sensitive patterns of any length, and can construct one or more optimally sanitized strings that can be used in applications such as frequent pattern mining. Our experiments using five real-world datasets from different domains show that all our algorithms are substantially more effective than a natural baseline (e.g., they offer up to 2 times more privacy when they are configured to incur the same quality loss, and up to 3 times lower quality loss when they are configured to offer the same privacy). They also show that two “hybrid” algorithms that we propose, based on combining elements of the above algorithms, inherit the advantages of their constituent algorithms. These results, coupled with the generality of our approach, make our algorithms practical and beneficial for deployment.
PaperID: 47,   
Authors:  Hao Lu, Jian Liu, Jiaheng Zhang, Kui Ren
Affiliations: Zhejiang University, Hangzhou, Zhejiang, China; National University of Singapore (NUS), Queenstown, Singapore
Title: Arena: Multi-Leader Synchronous Byzantine Fault Tolerance
Abstract:
Byzantine fault-tolerant state machine replication (BFT-SMR) replicates a deterministic state machine across a set of replicas, and processes requests as a single machine even in the presence of Byzantine faults. BFT-SMR is crucial for ensuring system reliability in distributed computing, where the integrity of data and the correct execution of operations are of utmost importance. Recently, synchronous BFT-SMRs have received tremendous attention due to their simple design and high fault-tolerance threshold. However, existing solutions are not efficient enough to achieve high throughput. In this paper, we propose Arena, the first multi-leader synchronous BFT-SMR. Thanks to the synchrony assumption, Arena gains the high-throughput benefit of multiple leaders with a much simpler design (compared to other partially synchronous multi-leader designs). Furthermore, it is more robust: “no progress” of a leader will not trigger a view-change. Our experimental results show that Arena achieves a peak throughput of up to 7.7× higher than the state-of-the-art.
PaperID: 48,   
Authors:  Yauhen Yakimenka, Chung-Wei Weng, Hsuan-Yin Lin, Eirik Rosnes, Jörg Kliewer
Affiliations: Helen and John C. Hartmann Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NY, USA; Simula UiB, Bergen, Norway
Title: Differentially-Private Collaborative Online Personalized Mean Estimation
Abstract:
We consider the problem of collaborative personalized mean estimation under a privacy constraint in an environment of several agents continuously receiving data according to arbitrary unknown agent-specific distributions. In particular, we provide a method based on hypothesis testing coupled with differential privacy and data variance estimation. Two differential privacy mechanisms protecting the releases of each agent’s current sample mean and two data variance estimation schemes are proposed, and we provide a theoretical convergence analysis of the proposed algorithm for any bounded unknown distributions on the agents’ data, showing that collaboration provides faster convergence than a fully local approach where agents do not share data. Moreover, we provide analytical performance curves for the case with an oracle class estimator, i.e., the class structure of the agents, where agents receiving data from distributions with the same mean are considered to be in the same class, is known. The theoretical faster-than-local convergence guarantee is backed up by extensive numerical results showing that for a considered scenario with 200 agents from two or three classes the proposed approach indeed converges much faster than a fully local approach, and performs comparably to the ideal (all-data-public) case. This illustrates the benefit of private collaboration in an online setting.
PaperID: 49,   
Authors:  Xiao Liu, Mingyuan Li, Guangsheng Yu, Lixiang Li, Haipeng Peng, Ren Ping Liu
Affiliations: Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; CSIRO Data, Sydney, NSW, Australia; Global Big Data Technologies Centre, University of Technology Sydney, Ultimo, NSW, Australia
Title: Parallel Unlearning in Inherited Model Networks
Abstract:
Unlearning is challenging in generic learning frameworks with the continuous growth and updates of models exhibiting complex inheritance relationships. This paper presents a novel unlearning framework that enables fully parallel unlearning among models exhibiting inheritance. We use a chronologically Directed Acyclic Graph (DAG) to capture various unlearning scenarios occurring in model inheritance networks. Central to our framework is the Fisher Inheritance Unlearning (FIUn) method, designed to enable efficient parallel unlearning within the DAG. FIUn utilizes the Fisher Information Matrix (FIM) to assess the significance of model parameters for unlearning tasks and adjusts them accordingly. To handle multiple unlearning requests simultaneously, we propose the Merging-FIM (MFIM) function, which consolidates FIMs from multiple upstream models into a unified matrix. This design supports all unlearning scenarios captured by the DAG, enabling one-shot removal of inherited knowledge while significantly reducing computational overhead. Experiments confirm the effectiveness of our unlearning framework. For single-class tasks, it achieves complete unlearning with 0% accuracy for unlearned labels while maintaining 94.53% accuracy for retained labels. For multi-class tasks, the accuracy is 1.07% for unlearned labels and 84.77% for retained labels. Our framework accelerates unlearning by 99% compared to alternative methods.
PaperID: 50,   
Authors:  Liang Xi, Runze Li, Menghan Li, Dehua Miao, Ruidong Wang, Zygmunt J. Haas
Affiliations: School of Computer Science and Technology, Harbin University of Science and Technology, Harbin, China; School of Computer Science and Technology, Zhejiang Normal University, Jinhua, China; Department of Computer Science, The University of Texas at Dallas, Dallas, TX, USA
Title: NMFAD: Neighbor-Aware Mask-Filling Attributed Network Anomaly Detection
Abstract:
As a widely adopted protocol for anomaly detection in attributed networks, reconstruction error prioritizes comprehensive feature extraction to detect anomalies over interrogating the differential representation between normal and abnormal nodes. Intuitively, in attributed networks, normal nodes and their neighbors often exhibit similarities, whereas abnormal nodes demonstrate behaviors distinct from their neighbors. Hence, normal nodes can be accurately represented through their neighbors and effectively reconstructed. As opposed to normal nodes, abnormal nodes represented by their neighbors may be erroneously reconstructed as normal, resulting in increased reconstruction error. Leveraging this observation, we propose a novel anomaly detection protocol called Neighbor-aware Mask-Filling Anomaly Detection (NMFAD) for attributed networks, aiming to maximize the variability between original and reconstructed features of abnormal nodes filled with information from their neighbors. Specifically, we apply random masks to nodes and integrate them into the backbone Graph Neural Networks (GNNs) to map nodes into a latent space. Subsequently, we fill the masked nodes with embeddings from their neighbors and smooth the abnormal nodes closer to the distribution of normal nodes. This optimization improves the likelihood that the decoder reconstructs abnormal nodes as normal, thereby maximizing the reconstruction error of abnormal nodes. Experimental results demonstrate that, compared to the existing models, NMFAD exhibits superior performance in attributed networks.
PaperID: 51,   
Authors:  Xiaozhen Lu, Zihan Liu, Liang Xiao, Huaiyu Dai
Affiliations: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Department of Informatics and Communication Engineering, Xiamen University, Xiamen, China; Department of Electrical and Computer Engineering, North Carolina State University, Raleigh, NC, USA
Title: Reinforcement Learning-Based Personalized Differentially Private Federated Learning
Abstract:
Due to the different privacy and local model quality requirements for each participant, federated learning (FL) is vulnerable to membership inference attacks. To solve this issue, we propose a risk-aware reinforcement learning (RL)-based personalized differentially private FL framework. This framework uses local model accuracy and privacy loss as the constraints to satisfy the user’s personalized requirements. By designing a multi-agent RL, this framework optimizes perturbation policy including perturbation mechanisms and parameters (such as privacy budget and probabilistic relaxation). The goal of each participant is to improve global accuracy and reduce privacy loss, attack success rate, and short-term risk value. Firstly, the framework designs a two-level hierarchical policy selection module to choose the perturbation policy to accelerate learning speed. Secondly, our proposed framework designs a punishment function to evaluate short-term risk and an R-network to estimate long-term risk, which guarantees safe exploration. Thirdly, this framework formulates an improved Boltzmann policy distribution to increase the impact of risk, thus avoiding risky policies that may cause severe privacy leakage or local task failure. We also analyze the convergence performance and provide privacy analysis for both Gaussian and Laplace mechanisms. Experimental results based on the MNIST dataset demonstrate the effectiveness of our framework compared with benchmarks.
PaperID: 52,   
Authors:  Yinan Hu, Juntao Chen, Quanyan Zhu
Affiliations: Department of Electrical and Computer Engineering, New York University, Brooklyn, NY, USA; Department of Computer and Information Sciences, Fordham University, New York, NY, USA
Title: Game-Theoretic Neyman-Pearson Detection to Combat Strategic Evasion
Abstract:
The security in networked systems depends greatly on recognizing and identifying adversarial behaviors. Traditional detection methods target specific categories of attacks and have become inadequate against increasingly stealthy and deceptive attacks that are designed to bypass detection strategically. This work proposes game-theoretical frameworks to recognize and combat such evasive attacks. We focus on extending a fundamental class of statistical-based detection methods based on Neyman-Pearson’s (NP) hypothesis testing formulation. We capture the conflicting relationship between a strategic evasive attacker and an evasion-aware NP detector. By analyzing both the equilibrium behaviors of the attacker and the NP detector, we characterize their performance using Equilibrium Receiver-Operational-Characteristic (EROC) curves. We show that the evasion-aware NP detectors outperform the non-strategic ones by allowing them to take advantage of the attacker’s messages to adaptively modify their decision rules to enhance their success rate in detecting anomalies. In addition, we extend our framework to a sequential setting where the user sends out identically distributed messages. We corroborate the analytical results with a case study of an intrusion detection evasion problem.
PaperID: 53,   
Authors:  Xueluan Gong, Shuaike Li, Yanjiao Chen, Mingzhe Li, Rubin Wei, Qian Wang, Kwok-Yan Lam
Affiliations: Nanyang Technological University, Jurong West, Singapore; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; College of Electrical Engineering, Zhejiang University, Hangzhou, China
Title: Augmenting Model Extraction Attacks Against Disruption-Based Defenses
Abstract:
Existing research has demonstrated that deep neural networks are susceptible to model extraction attacks, where an attacker can construct a substitute model with similar functionality to the victim model by querying the black-box victim model. To counter such attacks, various disruption-based defenses have been proposed. These defenses disrupt the output results of queries before returning them to potential attackers. In this paper, we propose the first defense-penetrating model extraction attack framework, aimed at breaking disruption-based defense methods. Our proposed attack framework comprises two key modules: disruption detection and disruption recovery, which can be integrated into generic model extraction attacks. Specifically, the disruption detection module uses a novel meta-learning-based algorithm to infer the defense strategy employed by the defender, by learning the key differences between the distributions of disrupted and undisrupted query results. Once the defense method is inferred, the disruption recovery module is designed to restore clean query results from the disrupted query results, using a carefully-designed generative model. We conducted extensive experiments on 5 commonly-used datasets to evaluate the effectiveness of our proposed framework. The results demonstrate that the substitute model accuracy of current model extraction attacks can be significantly improved by up to 82.42%, even when faced with four state-of-the-art model extraction defenses. Moreover, our attack approach shows promising results in penetrating unknown defenses in real-world cloud service APIs hosted by Microsoft Azure and Face++.
PaperID: 54,   
Authors:  Jianmin Dong, Datian Peng, Zhongmin Cai, Bo Zeng
Affiliations: MOE KLINNS Lab, Xi’an Jiaotong University, Xi’an, Shaanxi, China; School of Cybersecurity, Northwestern Polytechnical University, Xi’an, Shaanxi, China; Swanson School of Engineering, University of Pittsburgh, Pittsburgh, PA, USA
Title: Bilevel Optimized Collusion Attacks Against Gait Recognizer
Abstract:
Extensive investigations have revealed that gait recognition systems are vulnerable to impersonation attacks, which pose significant threats to identity access security. Previous impersonation strategies have primarily focused on mimicking the victim’s walking style or probing similar gait features, merely manipulating the input samples without concurrently undermining the built-in model of the gait recognizer, and thereby failing to achieve cost-effective attacks. In contrast to these existing heuristic approaches, we propose an optimal adversarial complicity strategy, called a collusion attack, which leverages tight collaboration between an external attacker and an internal spy, who together form a close colluder that simultaneously enables input- and model-corrupting tampering modes and misleads the gait recognizer more powerfully and stealthily into misidentifying the illegitimate Alice as the legitimate Bob. Specifically, we formulate a bilevel optimization problem to model such a leader-follower Stackelberg game with a sequential adversarial interaction process between the colluders and the gait recognizer. Further, to solve this challenging bilevel problem efficiently, we draw on Lagrangian duality and a linearization representation method to reformulate it as a tractable mixed integer program. Finally, we perform comparison and ablation experiments against state-of-the-art attack modes on single- and multi-source gait datasets to verify the validity of our collusion strategy in inducing mistaken identity with a high success rate, high confidence, and low cost. Empirical results also shed light on key insights for mitigating collusion attacks and enhancing gait recognition robustness to safeguard identity access applications.
PaperID: 55,   
Authors:  Yuli Liu
Affiliations: Quan Cheng Laboratory, Jinan, China
Title: Signed Latent Factors for Spamming Activity Detection
Abstract:
Due to the increasing trend of performing spamming activities (e.g., Web spam, deceptive reviews, fake followers, etc.) on various online platforms to gain undeserved benefits, spam detection has emerged as a hot research issue. Previous attempts to combat spam mainly employ features related to metadata, user behaviors, or relational ties. These studies have made considerable progress in understanding and filtering spamming campaigns. However, this problem remains far from fully solved. Almost all the proposed features focus on a limited number of observed attributes or explainable phenomena, making it difficult for existing methods to achieve further improvement. To broaden the vision for solving the spam problem and address long-standing challenges (class imbalance and graph incompleteness) in the spam detection area, we propose a new attempt at utilizing signed latent factors to filter fraudulent activities. The spam-contaminated relational datasets of multiple online applications in this scenario are interpreted as a unified signed network. Two competitive and highly dissimilar latent factor mining (LFM) algorithms are designed based on multi-relational likelihood estimation (LFM-MRLE) and signed pairwise ranking (LFM-SPR), respectively. We then explore how to apply the mined latent factors to spam detection tasks. Experiments on real-world datasets of different kinds of Web applications (social media and Web forum) indicate that LFM models outperform state-of-the-art baselines in detecting spamming activities. By specifically manipulating experimental data, the effectiveness of our methods in dealing with the incompleteness and imbalance challenges is validated.
PaperID: 56,   
Authors:  Luqing Wang, Luyao Guo, Shaofu Yang, Xinli Shi
Affiliations: School of Computer Science and Engineering, Southeast University, Nanjing, China; School of Mathematics, Southeast University, Nanjing, China; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Differentially Private Decentralized Optimization With Relay Communication
Abstract:
Security concerns in large-scale networked environments are becoming increasingly critical. To further improve algorithm security from the design perspective of decentralized optimization algorithms, we introduce a new measure, Privacy Leakage Frequency (PLF), which reveals the relationship between communication and the privacy leakage of algorithms, showing that a lower PLF corresponds to a lower privacy budget. Based on this assertion, a novel differentially private decentralized primal-dual algorithm named DP-RECAL is proposed, which takes advantage of the operator splitting method and a relay communication mechanism to incur a lower PLF and thus reduce the overall privacy budget. To the best of our knowledge, DP-RECAL presents superior privacy performance and communication complexity compared with existing differentially private algorithms. In addition, with uncoordinated network-independent stepsizes, we prove the convergence of DP-RECAL for general convex problems and establish a linear convergence rate under metric subregularity. Evaluation analysis on the least squares problem and numerical experiments on real-world datasets verify our theoretical results and demonstrate that DP-RECAL can defend against some classical gradient leakage attacks.
PaperID: 57,   
Authors:  Ziniu Liu, Han Yu, Kai Chen, Aiping Li
Affiliations: College of Computer Science and Technology, National University of Defense Technology, Changsha, Hunan, China
Title: Privacy-Preserving Generative Modeling With Sliced Wasserstein Distance
Abstract:
Large models require larger datasets. While people gain from using massive amounts of data to train large models, they must be concerned about privacy issues. To address this issue, we propose a novel approach for private generative modeling using the Sliced Wasserstein Distance (SWD) metric in a differentially private (DP) manner. We propose Normalized Clipping, a parameter-free clipping technique that generates higher-quality images. We demonstrate the advantages of Normalized Clipping over the traditional clipping method in parameter tuning and model performance through experiments. Moreover, experimental results indicate that our model outperforms previous methods in differentially private image generation tasks.
PaperID: 58,   
Authors:  Jun Feng, Yefan Wu, Hong Sun, Shunli Zhang, Debin Liu
Affiliations: Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; School of Computer Science and Technology, Hainan University, Haikou, China; School of Economics, Wuhan Textile University, Wuhan, China; School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China; School of Computer Science and Artificial Intelligence, Zhengzhou University, Zhengzhou, China
Title: Panther: Practical Secure Two-Party Neural Network Inference
Abstract:
Secure two-party neural network (2P-NN) inference allows a server holding a neural network model and a client holding inputs to perform neural network inference without revealing their private data to each other. However, state-of-the-art 2P-NN inference still suffers from large computation and communication overhead, especially when used in ImageNet-scale deep neural networks. In this work, we design and build Panther, a lightweight and efficient secure 2P-NN inference system, which has great efficiency in evaluating 2P-NN inference while safeguarding the privacy of the server and the client. At the core of Panther, we have new protocols for 2P-NN inference. Firstly, we propose a customized homomorphic encryption scheme to reduce burdensome polynomial multiplications in the homomorphic encryption arithmetic circuit of linear protocols. Secondly, we present a more efficient and communication-concise design for the millionaires’ protocol, which enables non-linear protocols with lower communication cost. Our evaluations over three sought-after deep neural networks of varying scale show that Panther outperforms the state-of-the-art 2P-NN inference systems in terms of end-to-end runtime and communication overhead. Panther achieves state-of-the-art performance with up to 24.95× speedup for linear protocols and 6.40× speedup for non-linear protocols in WAN when compared to prior arts.
PaperID: 59,   
Authors:  Licheng Ji, Jiguo Li, Yichen Zhang, Yang Lu
Affiliations: College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; School of Computer Science and Technology, Nanjing Normal University, Nanjing, China
Title: Verifiable Searchable Symmetric Encryption Over Additive Homomorphism
Abstract:
Searchable symmetric encryption (SSE) allows the client to search encrypted documents on an untrusted server without revealing the document content and queried keywords. To improve search efficiency and enrich expressiveness, most SSE schemes leak some information that could be exploited for attacks, characterized by leakage patterns. The traditional leakage patterns encompass the search pattern, the access pattern and the response length pattern. Recent research has demonstrated that these three patterns could be exploited to launch attacks, resulting in a high probability of compromising the confidentiality of encrypted documents and queried keywords. Moreover, while there exist SSE schemes that hide multiple leakage patterns, most of them do not resist a malicious server, which may carry out incorrect search operations. In this paper, we propose a leakage-suppressed verifiable SSE (VSSE) scheme that not only hides the three patterns but also allows the client to verify the server’s response. We utilize private set intersection based on polynomial coding and additively homomorphic symmetric encryption to construct a VSSE scheme that supports conjunctive queries. Specifically, we design an efficient random token generation algorithm to protect the search pattern and a verification algorithm that does not require server-generated proofs. Formal security analysis shows that our scheme achieves the desired correctness, security and verifiability. Lastly, we simulate the proposed scheme and compare it with recent leakage suppression schemes in multiple aspects. The comparison results show that our scheme achieves a good balance in expressiveness, efficiency and security.
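Worked example, added here and not the paper's scheme: a toy deterministic-token SSE index that makes the three traditional leakage patterns the abstract names concrete from the server's side. Search tokens are HMAC-SHA256 of the keyword and document identifiers are masked with a keyed hash so the code needs no external library; the master key, the document collection and the query sequence are constructed for illustration. A conjunctive query is done by client-side intersection, which shows why each keyword still leaks its own token, result set and length to the server.

```python
"""Toy SSE index and the leakage an honest-but-curious server observes.

Added example, not the paper's scheme. Deterministic tokens expose the search
pattern (which queries repeat), deterministic identifier masking exposes the
access pattern (which entries each query touches), and the result size is the
response length pattern. Key, documents and queries are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class Client:
    def __init__(self, master_key: bytes):
        self.k_token = _kdf(master_key, b"token")
        self.k_id = _kdf(master_key, b"id")

    def token(self, keyword: str) -> bytes:
        # Deterministic: the same keyword always yields the same token,
        # which is exactly what exposes the search pattern.
        return hmac.new(self.k_token, keyword.encode(), hashlib.sha256).digest()

    def mask_id(self, doc_id: str) -> bytes:
        return hmac.new(self.k_id, doc_id.encode(), hashlib.sha256).digest()[:8]

    def build_index(self, docs: Dict[str, Set[str]]) -> Dict[bytes, List[bytes]]:
        index: Dict[bytes, List[bytes]] = defaultdict(list)
        for doc_id, words in docs.items():
            for w in words:
                index[self.token(w)].append(self.mask_id(doc_id))
        return dict(index)

    def conjunctive_search(self, server: "Server", keywords: List[str]) -> Set[bytes]:
        """Client-side intersection: each keyword is queried separately, so the
        server sees one token, one result set and one length per keyword."""
        results = [set(server.search(self.token(w))) for w in keywords]
        return set.intersection(*results) if results else set()


class Server:
    def __init__(self, index: Dict[bytes, List[bytes]]):
        self.index = index
        self.transcript: List[Tuple[bytes, Tuple[bytes, ...]]] = []

    def search(self, token: bytes) -> List[bytes]:
        result = self.index.get(token, [])
        self.transcript.append((token, tuple(result)))
        return result


def leakage(transcript):
    """What the server learns from the transcript without holding the key."""
    search_pattern = [[a[0] == b[0] for b in transcript] for a in transcript]
    access_pattern = [set(r) for _, r in transcript]
    response_length = [len(r) for _, r in transcript]
    return search_pattern, access_pattern, response_length


# Constructed document collection and query sequence.
DOCS = {
    "d1": {"apple", "banana"},
    "d2": {"apple", "cherry"},
    "d3": {"cherry"},
}
QUERIES = ["apple", "banana", "apple"]


def run_demo(queries=QUERIES):
    client = Client(os.urandom(32))
    server = Server(client.build_index(DOCS))
    for q in queries:
        server.search(client.token(q))
    return leakage(server.transcript)


def conjunctive_demo(keywords=("apple", "cherry")):
    """Returns (number of matching documents, response lengths the server saw)."""
    client = Client(os.urandom(32))
    server = Server(client.build_index(DOCS))
    matches = client.conjunctive_search(server, list(keywords))
    return len(matches), leakage(server.transcript)[2]


if __name__ == "__main__":
    sp, ap, rl = run_demo()
    print("search pattern (query i == query j):", sp)
    print("response lengths:", rl)
    print("query 0 and query 2 touch the same documents:", ap[0] == ap[2])
    print("conjunctive apple AND cherry:", conjunctive_demo())
```

Everything `leakage` returns is computed from the transcript alone, with no key material; a leakage-suppressing scheme has to make the equality matrix, the returned identifier sets and the lengths uninformative, and a verifiable one additionally has to let the client detect a server that drops or alters entries of `result`.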
PaperID: 60,   
Authors:  Xinyue Zhang, Jiahuan Zhou, Luxin Yan, Sheng Zhong, Xu Zou
Affiliations: National Key Laboratory of Multispectral Information Intelligent Processing Technology, School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China; Wangxuan Institute of Computer Technology, Peking University, Beijing, China
Title: Hunt Camouflaged Objects via Revealing Mutation Regions
Abstract:
Due to the high similarity between hidden objects and the surrounding background, camouflaged object detection (COD) remains a challenge. While many recently proposed methods have shown remarkable performance, most of them begin object perception by indiscriminately considering every pixel of the image. However, these early-stage region-insensitive perception methods still struggle to resist background interference, potentially missing subtle pixel changes by not prioritizing potential camouflaged areas initially. Fortunately, we reveal that the availability of an accurate mutation map can significantly enhance camouflaged discrimination ability. To this end, we propose MRNet (Mutation Region Network). MRNet initially generates a mutation map that identifies potential mutation regions exhibiting subtle pixel changes. The generation method involves amplifying and differing pixel changes based on the position and corresponding values of pixels. Subsequently, the selective expansion search operation utilizes the mutation map to extract the mapped graph, effectively reducing interference from background pixels that are distant from the mutation regions. Finally, decoding the mapped graph generates precise masks. Furthermore, we have created the largest test dataset with known categories to advance community research. Extensive experiments conducted on three widely used datasets and our proposed dataset show that MRNet surpasses other methods with superior performance. Source code is publicly available at https://github.com/XinyueZhangHust/MRNet
PaperID: 61,   
Authors:  Yongluo Liu, Zun Li, Lifang Wu
Affiliations: School of Information Science and Technology, Beijing University of Technology, Beijing, China
Title: Dual Consistency Regularization for Generalized Face Anti-Spoofing
Abstract:
Recent Face Anti-Spoofing (FAS) methods have improved generalization to unseen domains by leveraging domain generalization techniques. However, they overlook the semantic relationships between local features, resulting in suboptimal feature alignment and limited performance. To this end, pixel-wise supervision has been introduced to offer contextual guidance for better feature alignment. Unfortunately, the semantic ambiguity in coarsely designed pixel-wise supervision often leads to misalignment. This paper proposes a novel Dual Consistency Regularization Network (DCRN). It promotes the fine-grained alignment of local features with dense semantic correspondence for FAS. Specifically, a Dual Consistency Learning module (DCL) is devised to capture the inter- and intra-similarity between each region of sample pairs. In this module, a dual consistency regularization learning objective enhances the semantic consistency of local features by minimizing both the variance of inter-similarity and the distance between inter- and intra-similarity. Further, a weight matrix is estimated based on the inter-similarity, representing the probability that each region belongs to the live class. Based on this weight matrix, a WMSE loss is designed to guide the model in avoiding mapping live regions to the spoofing class, thus alleviating semantic ambiguity in pixel-wise supervision. Extensive experiments on four widely used datasets clearly demonstrate the superiority and high generalization of the proposed DCRN.
PaperID: 62,   
Authors:  Keke Gai, Zijun Wang, Jing Yu, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Information Engineering, Minzu University of China, Beijing, China
Title: MUFTI: Multi-Domain Distillation-Based Heterogeneous Federated Continuous Learning
Abstract:
Federated Learning (FL) is an alternative approach that facilitates training machine learning models on distributed users’ data while preserving privacy. However, clients have different local model structures and most local data are non-independent and identically distributed, so FL encounters heterogeneity and catastrophic forgetting issues when clients continuously accumulate new knowledge. In this work, we propose a scheme called MUFTI (Multi-Domain Distillation-based Heterogeneous Federated ConTInuous Learning). On one hand, we extend domain adaptation to FL by extracting features to obtain feature representations on unlabeled public datasets for collaborative training, narrowing the distance between the feature outputs of different models on the same sample. On the other hand, we propose a combined knowledge distillation method to solve the catastrophic forgetting issue. Within a single task, dual-domain distillation is used to avoid data forgetting between different domains; for cross-task learning in the task flow, the logits output of the previous model is used as the teacher to avoid forgetting old tasks. The experimental results show that MUFTI has better accuracy and robustness compared to state-of-the-art methods. The evaluation also demonstrates that MUFTI performs well in handling task increment issues, reducing catastrophic forgetting, and achieving trade-offs between multiple objectives.
PaperID: 63,   
Authors:  Luyang Ying, Cheng Xiong, Chuan Qin, Xiangyang Luo, Zhenxing Qian, Xinpeng Zhang
Affiliations: School of Optical-Electrical and Computer Engineering, University of Shanghai for Science and Technology, Shanghai, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China; School of Computer Science, Fudan University, Shanghai, China
Title: Generative Collision Attack on Deep Image Hashing
Abstract:
Due to the powerful feature extraction capabilities of deep neural networks (DNNs), deep image hashing has extensive applications in fields such as image authentication, copy detection and content retrieval, making its security a critical concern. Among various security metrics, collision resistance serves as a crucial indicator of deep image hashing methods. Research on collision attacks not only reveals the potential vulnerabilities of deep image hashing but also promotes the development of more robust and secure hashing methods. In this paper, we propose a novel generative collision attack scheme, which achieves several advantages over existing attack schemes based on adversarial examples. Our scheme requires no additional perturbations added to the image, and can simultaneously generate multiple hash collision images of different classes specified by the attacker. To the best of our knowledge, this is the first generative collision attack scheme effective across various deep image hashing methods. Specifically, our attack framework consists of three parts, i.e., a Hash-to-Noise Network (HTNN), a pretrained BigGAN generator and a conditional discriminator. The designed HTNN embeds the hash code of the target image and the attacker-specified generation class information into a “noise” vector. By optimizing various hash distance loss functions between the generated and target images, this “noise” guides the generator to directly generate images that meet the collision requirement. At the same time, the discriminator ensures that the generated images are visually realistic. Extensive experimental results verify that our scheme can effectively generate multiple high-quality images with attacker-specified classes, achieving a high success rate of hash collision attack and applicability across state-of-the-art deep hashing methods.
PaperID: 64,   
Authors:  Chengze Jiang, Junkai Wang, Minjing Dong, Jie Gui, Xinli Shi, Yuan Cao, Yuan Yan Tang, James Tin-Yau Kwok
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Computer Science, City University of Hong Kong, Hong Kong, China; School of Cyber Science and Engineering and the Engineering Research Center of Blockchain Application, Supervision and Management, Ministry of Education, Southeast University, Nanjing, China; School of Information Science and Engineering, Ocean University of China, Qingdao, China; Department of Computer and Information Science, University of Macau, Macau, China; Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, Hong Kong, China
Title: Improving Fast Adversarial Training via Self-Knowledge Guidance
Abstract:
Adversarial training has achieved remarkable advancements in defending against adversarial attacks. Among them, fast adversarial training (FAT) is gaining attention for its ability to achieve competitive robustness with fewer computing resources. Existing FAT methods typically employ a uniform strategy that optimizes all training data equally without considering the influence of different examples, which leads to an imbalanced optimization. However, this imbalance remains unexplored in the field of FAT. In this paper, we conduct a comprehensive study of the imbalance issue in FAT and observe an obvious class disparity in performance. This disparity can be seen from the perspective of alignment between clean and robust accuracy. Based on the analysis, we mainly attribute the observed misalignment and disparity to the imbalanced optimization in FAT, which motivates us to optimize different training data adaptively to enhance robustness. Specifically, we take disparity and misalignment into consideration. First, we introduce self-knowledge guided regularization, which assigns differentiated regularization weights to each class based on its training state, alleviating class disparity. Additionally, we propose self-knowledge guided label relaxation, which adjusts label relaxation according to the training accuracy, alleviating the misalignment and improving robustness. By combining these methods, we formulate Self-Knowledge Guided FAT (SKG-FAT), leveraging knowledge naturally generated during training to enhance adversarial robustness without compromising training efficiency. Extensive experiments on four standard datasets demonstrate that SKG-FAT improves robustness and preserves competitive clean accuracy, outperforming the state-of-the-art methods. Code and checkpoints are available at SKG-FAT Code Implementation.
PaperID: 65,   
Authors:  Zhihao Wang, Lei Xue, Xiapu Luo, Xiaobo Ma, Guofei Gu
Affiliations: Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China; School of Cyber Science and Technology, Sun Yat-sen University, Shenzhen, China; MOE Key Laboratory for Intelligent Networks and Network Security and the Faculty of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China; Department of Computer Science, Texas A&M University, College Station, TX, USA
Title: Driving State-Aware Anomaly Detection for Autonomous Vehicles
Abstract:
With the increasing popularity of autonomous driving systems (ADS) in autonomous vehicles (AV), in recent years there have been many attacks targeting AVs and ADSs. Meanwhile, recent studies have attempted to improve the safety and security of AVs from different perspectives, mainly focusing on spoofing attacks against the sensors and injection attacks against the vehicle chassis and actuators. However, direct attacks on ADSs (i.e., communication hijacking and malicious code) remain inadequately addressed, and even worse, such attacks can cause AVs to make unsafe driving decisions rapidly. In this paper, we introduce DSAD, a driving state-aware anomaly detection framework designed to enhance AV safety and security by identifying ADS attacks, such as communication hijacking and malicious code, through chassis states. First, DSAD models ADS operations (i.e., driving states) as a two-layer state machine, utilizing real-time chassis data to infer driving states and detect anomalies in ADS outputs. This reduces false positives and negatives by aligning detection with the diverse operational modes of AVs. To achieve this, DSAD incorporates a Detection Policy Update mechanism that dynamically adjusts detection policies based on the vehicle’s driving states, such as lane changing and obstacle avoidance. Second, DSAD considers both collision avoidance and control stability, addressing potential conflicts through hard and soft requirements. Furthermore, DSAD integrates a fault handling module compatible with existing autonomous driving fault handling mechanisms, ensuring timely response to detected anomalies. We develop a prototype anomaly detection system called DSAD and deploy it on four ADSs. We evaluate DSAD using various attack scenarios, and the results show that DSAD can identify over 90% of attacks on ADSs.
PaperID: 66,   
Authors:  Jianfei Sun, Guowen Xu, Yang Yang, Xuehuan Yang, Xiaoguo Li, Cong Wu, Zhen Liu, Guomin Yang, Robert H. Deng
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Electronics Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Forward-Secure Hierarchical Delegable Signature for Smart Homes
Abstract:
Aiming to provide people with great convenience and comfort, smart home systems have been deployed in thousands of homes. In this paper, we focus on handling the security and privacy issues in such a promising system by customizing a new cryptographic primitive to provide the following security guarantees: 1) fine-grained, privacy-preserving authorization for smart home users and integrity protection of communication contents; 2) flexible self-sovereign permission delegation; 3) forward security of previous messages. To our knowledge, no previous system has been designed to consider these three security and privacy requirements simultaneously. To tackle these challenges, we put forward the first-ever efficient cryptographic primitive called the Forward-secure Hierarchical Delegable Signature (FS-HDS) scheme for smart homes. Specifically, we first propose a new primitive, efficient Hierarchical Delegable Signature (HDS) scheme, which is capable of supporting partial delegation capability while realizing privacy-preserving authorization and integrity guarantee. Then, we present an FS-HDS for smart homes with the efficient HDS as the underlying building block, which not only inherits all the desirable features of HDS but also ensures that the past content integrity is not affected even if the current secret key is compromised. We provide comprehensively strict security proofs to prove the security of our proposed solutions. Its performance is also validated via experimental simulations to showcase its practicability and effectiveness.
PaperID: 67,   
Authors:  Ziyao Liu, Huanyi Ye, Yu Jiang, Jiyuan Shen, Jiale Guo, Ivan Tjuawinata, Kwok-Yan Lam
Affiliations: Digital Trust Centre, Nanyang Technological University, Jurong West, Singapore; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Strategic Centre for Research in Privacy-Preserving Technologies and Systems, Nanyang Technological University, Jurong West, Singapore
Title: Privacy-Preserving Federated Unlearning With Certified Client Removal
Abstract:
In recent years, Federated Unlearning (FU) has gained attention for addressing the removal of a client’s influence from the global model in Federated Learning (FL) systems, thereby ensuring the “right to be forgotten” (RTBF). State-of-the-art methods for unlearning use historical data from FL clients, such as gradients or locally trained models. However, studies have revealed significant information leakage in this setting, with the possibility of reconstructing a user’s local data from their uploaded information. Addressing this, we propose Starfish, a privacy-preserving federated unlearning scheme using Two-Party Computation (2PC) techniques and shared historical client data between two non-colluding servers. Starfish builds upon existing FU methods to ensure privacy in unlearning processes. To enhance the efficiency of privacy-preserving FU evaluations, we suggest 2PC-friendly alternatives for certain FU algorithm operations. We also implement strategies to reduce costs associated with 2PC operations and lessen cumulative approximation errors. Moreover, we establish a theoretical bound for the difference between the unlearned global model via Starfish and a global model retrained from scratch for certified client removal. Our theoretical and experimental analyses demonstrate that Starfish achieves effective unlearning with reasonable efficiency, maintaining privacy and security in FL systems.
PaperID: 68,   
Authors:  Zhaosen Shi, Fagen Li, Dong Hao, Qinshuo Sun
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: Handwritten Signature Verification via Multimodal Consistency Learning
Abstract:
Multimodal handwritten signatures usually involve offline images and online sequences. Since in real-world scenarios the different modalities of the same signature are generated simultaneously, most research hypothesizes that the different modalities are consistent. However, attacks launched on a partial modality (e.g., tampering only with the image modality) of signature data are commonly seen and cause inter-modal inconsistency. In this paper, we propose and analyze the multimodal security and attack levels for handwritten signatures, and provide a multimodal consistency learning method to detect different levels of attacks on signatures. The modalities include not only traditional offline and online data, but also videos capturing hand movements. We collect a number of triple-modal signatures to address the scarcity of public handwritten video datasets. Then, we extract hand joint sequences from videos and utilize them to analyze subtle multimodal consistency with the online modality. We provide extensive experiments on the consistency between online and offline signatures, as well as between online signatures and movement videos. The verification involves distance-based and classification-based fusion models, showing the most effective discriminative networks for attack detection and the superiority of consistency learning.
PaperID: 69,   
Authors:  Tao Zheng, Qiyu Hou, Xingshu Chen, Hao Ren, Meng Li, Hongwei Li, Changxiang Shen
Affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu, China; School of Cyber Science and Engineering, the Cyber Science Research Institute, and the Key Laboratory of Data Protection and Intelligent Management, Ministry of Education, Sichuan University, Chengdu, China; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; Cyber Science Research Institute and the Key Laboratory of Data Protection and Intelligent Management, Ministry of Education, Sichuan University, Chengdu, China
Title: Gupacker: Generalized Unpacking Framework for Android Malware
Abstract:
Android malware authors often use packers to evade analysis. Although many unpacking tools have been proposed, they face two significant challenges: 1) They are easily impeded by anti-analysis techniques employed by packers, preventing efficient collection of hidden Dex data. 2) They are typically designed to unpack a specific packer and cannot handle malware packed with mixed packers. Consequently, many packed malware samples evade detection. To bridge this gap, we propose Gupacker, a novel generalized unpacking framework. Gupacker offers a generic solution for first-generation holistic packers by customizing the Android system source code. It identifies the type of packer and selects an appropriate unpacking function, constructs a deeper active call chain to achieve generic unpacking of second-generation function extraction packers, and uses JNI function and instruction monitoring to handle third-generation virtual obfuscation packers. On this basis, we counteract a diverse array of anti-analysis techniques. We conduct extensive experiments on 5K packed Android malware samples, comparing Gupacker with 2 commercial and 4 state-of-the-art academic unpacking tools. The results demonstrate that Gupacker significantly improves the efficiency of Android malware unpacking with acceptable system overhead. We analyze real packed applications based on Gupacker and find that several are second-packed by attackers, including WPS for Android, with tens of millions of users. We receive and responsibly report 13 0-day vulnerabilities and also assist in the remediation of all vulnerabilities.
PaperID: 70,   
Authors:  Jingyi Li, Wenzhong Ou, Bei Ouyang, Shengyuan Ye, Liekang Zeng, Lin Chen, Xu Chen
Affiliations: School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Department of Information Engineering, Chinese University of Hong Kong, Hong Kong, SAR, China; Engineering Research Centre of Applied Technology on Machine Translation and Artificial Intelligence, Macao Polytechnic University, Macau, SAR, China
Title: Revisiting Location Privacy in MEC-Enabled Computation Offloading
Abstract:
Mobile Edge Computing (MEC) revolutionizes real-time applications by extending cloud capabilities to network edges, enabling efficient computation offloading from mobile devices. In recent years, the location privacy concern within MEC offloading has been recognized, prompting the proposal of various methodologies to mitigate this concern. However, this paper demonstrates that the prevailing privacy protection methods exhibit vulnerabilities. First, we analyze the shortcomings of current methodologies through both system modeling and evaluation metrics. Then, we introduce a Learning-based Trajectory Reconstruction Attack (LTRA) to expose the weaknesses, achieving up to 91.2% reconstruction accuracy against the state-of-the-art protection method. Further, based on w-event differential privacy, we propose an ℓ-trajectory differentially private mechanism, i.e., OffloadingBD. Compared to the existing works, OffloadingBD provides more flexible and enhanced protection with a sound theoretical privacy guarantee. Lastly, we conduct extensive experiments to evaluate LTRA and OffloadingBD. The experiment results show that LTRA has good generalization ability and OffloadingBD showcases a superior balance between privacy and utility compared with baselines.
PaperID: 71,   
Authors:  Xu Han, Haocong Li, Wei Wang, Haining Wang, Xiaobo Ma, Shouling Ji, Qiang Li
Affiliations: Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, China; Key Laboratory for Intelligent Networks and Network Security, Ministry of Education, Xi’an Jiaotong University, Xi’an, China; Department of Electrical and Computer Engineering, Virginia Tech, Arlington, VA, USA; College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: SoFi: Spoofing OS Fingerprints Against Network Reconnaissance
Abstract:
Fingerprinting is a network reconnaissance technique utilized for gathering information about online computing systems, including operating systems and applications. Unfortunately, attackers typically leverage fingerprinting techniques to locate, enumerate, and subsequently target vulnerable systems, which is the first primary stage of a cyber attack. In this work, we explore the susceptibility of machine learning (ML)-based classifiers to misclassification, where a slight perturbation in the packet is included to spoof OS fingerprints. We propose SoFi (Spoof OS Fingerprints), an adversarial example generation algorithm under TCP/IP specification constraints, to create effective perturbations in a packet for deceiving an OS fingerprint. Specifically, SoFi has three major technical innovations: (1) it is the first to utilize adversarial examples to automatically perturb fingerprinting techniques; (2) it complies with the constraints and integrity of network packets; (3) it achieves a high success rate in spoofing OS fingerprints. We validate the effectiveness of adversarial packets against active and passive OS fingerprints, verifying the transferability and robustness of SoFi. Comprehensive experimental results demonstrate that SoFi automatically identifies applicable and available OS fingerprint features, unlike existing tools relying on expert knowledge.
PaperID: 72,   
Authors:  Xingyu Yang, Lei Xu, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: De-Anonymizing Monero: A Maximum Weighted Matching-Based Approach
Abstract:
As the leading privacy coin, Monero is widely recognized for its high level of anonymity. Monero utilizes linkable ring signatures to hide the sender of a transaction. Although the anonymity is preferred by users, it poses challenges for authorities seeking to regulate financial activities. Researchers are actively engaged in studying methods to de-anonymize Monero. Previous methods usually relied on a specific type of ring called the zero-mixin ring. However, these methods have become ineffective after Monero enforced the minimum ringsize. In this paper, we propose a novel approach based on maximum weighted matching to de-anonymize Monero. The proposed approach does not rely on the existence of zero-mixin rings. Specifically, we construct a weighted bipartite graph to represent the relationship between rings and transaction outputs. Based on the empirical probability distribution derived from users’ spending patterns, three weighting methods are proposed. Accordingly, we transform the de-anonymization problem into a maximum weight matching (MWM) problem. Due to the scale of the graph, traditional algorithms for solving the MWM problem are not applicable. Instead, we propose a deep reinforcement learning-based algorithm that achieves near-optimal results. Experimental results on both real-world and synthetic datasets demonstrate the effectiveness of the proposed approach.
PaperID: 73,   
Authors:  Chunyi Zhou, Yansong Gao, Anmin Fu, Kai Chen, Zhi Zhang, Minhui Xue, Zhiyang Dai, Shouling Ji, Yuqing Zhang
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, China; School of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia; College of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; Chinese Academy of Sciences, Beijing, China; Data, CSIRO, Sydney, NSW, Australia; School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Title: TruVRF: Toward Triple-Granularity Verification on Machine Unlearning
Abstract:
The right to be forgotten has incentivized machine unlearning, but a key challenge persists: the lack of reliable methods to verify unlearning conducted by model providers. This gap facilitates dishonest model providers to deceive data contributors. Current approaches often rely on invasive methods like backdoor injection. However, it poses security concerns and is also inapplicable to legacy data—already released data. To tackle this challenge, this work initializes the first non-invasive unlearning verification framework which operates at triple-granularity (class-, volume-, sample-level) to assess the data facticity and volume integrity of machine unlearning. In this paper, we propose a framework, named TruVRF, which encompasses three Unlearning-Metrics, each tailored to counter different types of dishonest model providers or servers (Neglecting Server, Lazy Server, Deceiving Server). TruVRF leverages non-invasive model sensitivity to enable multi-granularity verification of unlearning. Specifically, Unlearning-Metric-I checks if the removed class matches the data contributor’s unlearning request, Unlearning-Metric-II measures the amount of unlearned data, and Unlearning-Metric-III validates the correspondence of a specific unlearned sample with the requested deletion. We conducted extensive evaluations of TruVRF efficacy across three datasets, and notably, we also evaluated the effectiveness and computational overhead of TruVRF in real-world applications for the face recognition dataset. Our experimental results demonstrate that TruVRF achieves robust verification performance: Unlearning-Metric-I and -III achieve over 90% verification accuracy on average against dishonest servers, while Unlearning-Metric-II maintains an inference deviation within 4.8% to 8.2%. Additionally, TruVRF demonstrates generalizability across diverse conditions, including varying numbers of unlearned classes and sample volumes.
Significantly, TruVRF is applied to two state-of-the-art unlearning frameworks: SISA (presented at Oakland’21) and Amnesiac Unlearning, representing exact and approximate unlearning methods, respectively, which affirm TruVRF’s practicality. In addition, we conducted extensive evaluations around TruVRF, including ablation experiments, trade-offs in computational overhead, and the robustness of model sensitivity, among others.
PaperID: 74,   
Authors:  Chunlei Peng, Xiaoyi Luo, Decheng Liu, Nannan Wang, Ruimin Hu, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi, China; Chongqing Key Laboratory of Image Cognition, Chongqing University of Posts and Telecommunications, Chongqing, China
Title: Semantic Token Transformer for Face Forgery Detection
Abstract:
In the era of digital media, the proliferation of forged images and videos poses a significant threat to societal stability. With the rapid advancement of deep learning, the generation of realistic fake images has become increasingly simple, presenting unprecedented challenges in discerning the authenticity of images. While some existing methods have shown promising results in forgery detection, they often underutilize facial semantic information. To address this issue, this paper introduces the Semantic Token Transformer for Face Forgery Detection. By incorporating facial semantic information with a transformer network, the input tokens of the transformer are transformed into tokens of varying shapes and sizes based on their importance, thereby enhancing the accuracy of the detector. To achieve this objective, we first employ an image processing stage to manipulate the image based on facial semantic information. Subsequently, we introduce a scoring network, guided by prior knowledge, which adaptively categorizes tokens into different clusters based on their importance and relevance to the results of the preprocessing stage. Finally, we merge the tokens within the clusters using an attention mechanism and input them into the detector for forgery detection. Through experiments conducted on multiple datasets and cross-dataset evaluations, we demonstrate that our approach outperforms state-of-the-art detection methods.
PaperID: 75,   
Authors:  Xingming Long, Jie Zhang, Shiguang Shan
Affiliations: Key Laboratory of AI Safety of CAS, Institute of Computing Technology (ICT), Chinese Academy of Sciences (CAS), Beijing, China
Title: Confidence Aware Learning for Reliable Face Anti-Spoofing
Abstract:
Current Face Anti-spoofing (FAS) models tend to make overly confident predictions even when encountering unfamiliar scenarios or unknown presentation attacks, which leads to serious potential risks. To solve this problem, we propose a Confidence Aware Face Anti-spoofing (CA-FAS) model, which is aware of its capability boundary, thus achieving reliable liveness detection within this boundary. To enable the CA-FAS to “know what it doesn’t know”, we propose to estimate its confidence during the prediction of each sample. Specifically, we build Gaussian distributions for both the live faces and the known attacks. The prediction confidence for each sample is subsequently assessed using the Mahalanobis distance between the sample and the Gaussians for the “known data”. We further introduce the Mahalanobis distance-based triplet mining to optimize the parameters of both the model and the constructed Gaussians as a whole. Extensive experiments show that the proposed CA-FAS can effectively recognize samples with low prediction confidence and thus achieve much more reliable performance than other FAS models by filtering out samples that are beyond its reliable range.
PaperID: 76,   
Authors:  Weiqi Wang, Chenhan Zhang, Zhiyi Tian, Shui Yu, Zhou Su
Affiliations: School of Computer Science, University of Technology Sydney, Sydney, NSW, Australia; Macquarie University, Sydney, NSW, Australia; School of Cyber Science and Engineering, Xi'an Jiaotong University, Xi'an, Shaanxi, China
Title: Evaluation of Machine Unlearning Through Model Difference
Abstract:
Increasing attention is being paid to machine unlearning, which supports individuals’ “right to be forgotten.” While most studies focus on the efficiency and effectiveness of unlearning algorithms, the evaluation of machine unlearning effectiveness remains underexplored. Offering robust evaluation services for unlearning is critical, not only to uphold privacy legislation but also to assess and improve existing unlearning methods. Lots of existing methods employ backdoor methods to evaluate unlearning effectiveness, which can only verify the unlearning effect of backdoored samples and negatively impact the model utility as they need to embed backdoors into the model first. In this paper, we propose an evaluating machine unlearning (EMU) method, which aims to evaluate the effectiveness of unlearning and verify data removal without the aforementioned adverse effects. Machine unlearning inherently creates a difference on the model before and after unlearning. The model difference contains information about the unlearned samples, which can be extracted through reconstruction models for unlearning effectiveness evaluation. To efficiently generate the model differences as input for evaluation, we simulate the model changes based on the influence function theory. Additionally, we design a multi-task information bottleneck structure to enhance the scalability of EMU and simplify the analysis of different learning tasks. We provide a theoretical analysis of how the similarity between erased and remaining samples, as well as task types, affects the extent of unlearning—factors that have been largely overlooked. Extensive experiments on various model architectures and representative datasets confirm our analysis, demonstrating the effective evaluation for unlearning without any degradation in the service model utility.
PaperID: 77,   
Authors:  Weinan Guan, Wei Wang, Bo Peng, Ziwen He, Jing Dong, Haonan Cheng
Affiliations: School of Artificial Intelligence, University of Chinese Academy of Sciences, Beijing, China; New Laboratory of Pattern Recognition (NLPR), Institute of Automation, Chinese Academy of Sciences (CASIA), Beijing, China; Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China; State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China
Title: Noise-Informed Diffusion-Generated Image Detection With Anomaly Attention
Abstract:
With the rapid development of image generation technologies, especially the advancement of Diffusion Models, the quality of synthesized images has significantly improved, raising concerns among researchers about information security. To mitigate the malicious abuse of diffusion models, diffusion-generated image detection has proven to be an effective countermeasure. However, a key challenge for forgery detection is generalising to diffusion models not seen during training. In this paper, we address this problem by focusing on image noise. We observe that images from different diffusion models share similar noise patterns, distinct from genuine images. Building upon this insight, we introduce a novel Noise-Aware Self-Attention (NASA) module that focuses on noise regions to capture anomalous patterns. To implement a SOTA detection model, we incorporate NASA into Swin Transformer, forming a novel detection architecture, NASA-Swin. Additionally, we employ a cross-modality fusion embedding to combine RGB and noise images, along with a channel mask strategy to enhance feature learning from both modalities. Extensive experiments demonstrate the effectiveness of our approach in enhancing detection capabilities for diffusion-generated images. When encountering unseen generation methods, our approach achieves state-of-the-art performance.
PaperID: 78,   
Authors:  Ruixu Geng, Dongheng Zhang, Yadong Li, Zhi Wu, Jiamu Li, Qi Chen, Yang Hu, Yan Chen
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, China; Department of Electrical and Computer Engineering, University of Washington, Seattle, WA, USA; School of Information Science and Technology, University of Science and Technology of China, Hefei, China
Title: Attacking mmWave Imaging With Neural Meta-Material Rendering
Abstract:
Millimeter-wave (mmWave) radar imaging has shown remarkable potential in critical applications. While previous research has explored attacks on high-level radar perception, the vulnerability of low-level radar imaging to adversarial attacks remains largely unexplored. In this work, we introduce mmHide, the first general attack framework on mmWave radar imaging that utilizes neural rendering of meta-materials to hide imaging targets (e.g., handguns). mmHide’s novelty lies in its three-fold approach: 1) an implicit neural rendering network that efficiently represents and optimizes complex 3D meta-material structures, 2) an explicit differentiable forward imaging model that provides physical constraints, and 3) a self-supervised learning strategy that iteratively refines the meta-material design. This unique combination enables mmHide to create an “invisible cloak” for target objects while maintaining plausible imaging results. Extensive real-world experiments demonstrate mmHide’s effectiveness in significantly reducing target visibility while preserving background similarity. A user study confirms its high success rate in deceiving human observers, outperforming existing methods. These findings not only showcase the potential of our approach but also underscore the urgent need for robust defense mechanisms in mmWave imaging systems.
PaperID: 79,   
Authors:  Jingcheng Yang, Shuo Shao, Futai Zou, Yue Wu
Affiliations: School of Electronic Information and Electric Engineering, Shanghai Jiao Tong University, Shanghai, China; Department of System Science, University of Shanghai for Science and Technology, Shanghai, China
Title: Dictionary Learning-Enabled Privacy Preserving Semantic Communication System
Abstract:
For deep learning-enabled semantic communication, existing privacy protection methods only take into account the presence of an eavesdropper while ignoring a malicious receiver aiming to detect confidential information. Only with information-theoretic security can the transmitter defend against a malicious receiver. However, private information is always entangled with pragmatic information in the feature space, which leads global perturbation to degrade communication performance. To handle these difficulties, in this paper a privacy preserving semantic communication system is proposed. Different from the traditional paradigm, a novel privacy preserving semantic encoder is designed to realize targeted privacy protection while leaving useful information unaffected. Within the proposed privacy preserving semantic encoder, a feature decoupling module aims to disentangle semantic information by learning two sets of basis vectors which can express the private and pragmatic information of data, respectively. Accordingly, a differential privacy mechanism is employed to provide information-theoretic security. Experimental results demonstrate that the proposed method not only achieves better communication performance in both data recovery and the pragmatic task, but also more effectively degrades the accuracy of a malicious receiver in inferring sensitive information than global perturbation does.
PaperID: 80,   
Authors:  Yuan Bian, Min Liu, Yunqi Yi, Xueping Wang, Yunfeng Ma, Yaonan Wang
Affiliations: College of Electrical and Information Engineering, Hunan University, Changsha, China; College of Information Science and Engineering, Hunan Normal University, Changsha, China
Title: Modality Unified Attack for Omni-Modality Person Re-Identification
Abstract:
Deep learning based person re-identification (re-id) models have been widely employed in surveillance systems. Recent studies have demonstrated that black-box single-modality and cross-modality re-id models are vulnerable to adversarial examples (AEs), leaving the robustness of multi-modality re-id models unexplored. Due to the lack of knowledge about the specific type of model deployed in the target black-box surveillance system, we aim to generate modality unified AEs for omni-modality (single-, cross- and multi-modality) re-id models. Specifically, we propose a novel Modality Unified Attack method to train modality-specific adversarial generators to generate AEs that effectively attack different omni-modality models. A multi-modality model is adopted as the surrogate model, wherein the features of each modality are perturbed by a metric disruption loss before fusion. To collapse the common features of omni-modality models, a Cross Modality Simulated Disruption approach is introduced to mimic the cross-modality feature embeddings by intentionally feeding images to non-corresponding modality-specific subnetworks of the surrogate model. Moreover, a Multi Modality Collaborative Disruption strategy is devised to enable the attacker to comprehensively corrupt the informative content of person images by leveraging a multi-modality feature collaborative metric disruption loss. Extensive experiments show that our MUA method can effectively attack the omni-modality re-id models, achieving 55.9%, 24.4%, 49.0% and 62.7% mean mAP Drop Rate, respectively.
PaperID: 81,   
Authors:  Haiqi Zhang, Hao Tang, Yanpeng Sun, Shengfeng He, Zechao Li
Affiliations: School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; Centre for Smart Health, The Hong Kong Polytechnic University, Hong Kong, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Modality-Specific Interactive Attack for Vision-Language Pre-Training Models
Abstract:
Recent advances have heightened the interest in the adversarial transferability of Vision-Language Pre-training (VLP) models. However, most existing strategies are constrained by two persistent limitations: suboptimal utilization of cross-modal interactive information, and inherent discrepancies across hierarchical textual representation. To address these challenges, we propose the Modality-Specific Interactive Attack (MSI-Attack), a novel approach that integrates semantic-level image perturbations with embedding-level text perturbations, all while maintaining minimal inter-modal constraints. In our image attack methodology, we introduce Multi-modal Integrated Gradients (MIG) to guide perturbations toward the core semantics of images, enriched by their associated deep textual information. This technique enhances transferability by capturing consistent features across various models, thereby effectively misleading similar-model perception areas. Additionally, we employ a momentum iteration strategy in conjunction with MIG, which amalgamates current and historical gradients to expedite the perturbation updates. For text attacks, we streamline the perturbation process by operating exclusively at the embedding level. This reduces semantic gaps across hierarchical structures and significantly enhances the generalizability of adversarial text. Moreover, we delve deeper into how semantic perturbations with varying degrees of similarity affect the overall attack effectiveness. Our experimental results on image-text retrieval tasks using the multi-modal datasets Flickr30K and MSCOCO underscore the efficacy of MSI-Attack. Our method achieves superior performance, setting a new state-of-the-art benchmark, all without the need for additional mechanisms.
PaperID: 82,   
Authors:  Chenghuan Qi, Xi Yang, Nannan Wang, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, China; State Key Laboratory of Integrated Services Networks, School of Electronic Engineering, Xidian University, Xi’an, China
Title: Granularity-Aware Hyperbolic Representation for Text-Based Person Search
Abstract:
Text-based person search aims to identify a specific target person from the database according to the given text description. Early work adopted separately pretrained encoders to extract visual and textual features, but, benefiting from the bloom of visual language pre-training, recent work uses unified pretrained visual language models such as CLIP as the backbone. However, visual language models are generally pretrained from coarse-grained image-text pairs, while image-text pairs in text-based person search are more fine-grained to distinguish different persons. In addition, visual and linguistic concepts naturally organize themselves in a hierarchy, which is not explicitly captured by current large-scale vision and language models such as CLIP. To bridge this gap, we propose a novel Granularity-Aware Hyperbolic Representation learning method for mining granularity and capturing semantic hierarchy. Notably, we consider both token-level and instance-level granularity. For token-granularity alignment, we present a Bidirectional Attention Interaction module to explicitly learn the matching between fine-grained visual tokens and text tokens. For instance-granularity alignment, we equip the contrastive learning loss with Semantic Margin Softmax so that image-text pairs can perceive the similarity granularity of different samples during training. Besides, the global features of images and texts are mapped into hyperbolic space through Hyperbolic Representation Learning to embed tree-like data to capture semantic hierarchy. Extensive experiments verify the effectiveness of our proposed modules and show that our method achieves state-of-the-art results on the three widely acknowledged benchmarks, namely CUHK-PEDES, ICFG-PEDES, and RSTPReID. Our code is available at https://github.com/7chQ/GAHR
PaperID: 83,   
Authors:  Xin Zhang, Dongfang Xu, Jingjing Wang, Chunxiao Jiang, Shenghui Song, Marco Di Renzo
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; Department of Electronic and Computer Engineering, The Hong Kong University of Science and Technology, Sai Kung, Hong Kong; Tsinghua Space Center and Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China; CNRS, CentraleSupélec, Laboratoire des Signaux et Systèmes, Université Paris-Saclay, Gif-sur-Yvette, France
Title: RIS-Aided Secure Communications With Regularized Zero-Forcing Precoding
Abstract:
Reconfigurable intelligent surfaces (RISs) have been shown effective in strengthening the physical layer security of wireless systems, and the two-timescale design was proposed to tackle the challenges in channel estimation and phase-shift control. However, the existing maximum ratio transmission (MRT) based precoding design is not efficient in mitigating information leakage. To this end, this paper considers the performance analysis and two-timescale design for RIS-aided multiple-input single-output (MISO) secure communications with regularized zero-forcing (RZF) and zero-forcing (ZF) precoding, which is not available in the literature. The major challenges come from the two-hop channel and the inverse structure in the precoding matrix. By utilizing random matrix theory, we first evaluate the fundamental limits of the considered system by deriving a closed-form expression for the ergodic secrecy sum rate (ESSR). Then, we determine the optimal regularization factor of the RZF precoder and evaluate the ESSR over independent and identically distributed (i.i.d.) channels in the high SNR regime. The results indicate that when the number of reconfigurable elements at the RIS is overwhelmingly larger than that of transmit antennas and users, the ESSR of the two-hop channel approaches that of the single-hop channel. Based on the performance analysis, we propose a two-timescale algorithm to maximize the ESSR by optimizing the regularization factor of RZF and the phase shifts of the RIS alternately. Simulation results validate the accuracy of the theoretical analysis and the effectiveness of the proposed algorithm.
PaperID: 84,   
Authors:  Jinhao Zhou, Zhou Su, Yuntao Wang, Jun Wu
Affiliations: Graduate School of Information, Production and Systems, Waseda University, Fukuoka, Japan; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China
Title: DM-DPL: Toward Discrete Matrixing Differentially Private Learning
Abstract:
Differentially private learning is widely used in machine learning (ML) to protect continuous and scalar-valued data. The demand for discrete and matrix-valued computations is increasing, particularly in quantized neural networks and graph learning, which require discrete-valued parameters and large-scale matrix operations for efficient data processing. However, privacy protection for discrete and matrix-valued data is less explored. Traditional differentially private mechanisms fail to maintain the discrete nature of data after perturbation and often overlook data correlations, struggling to balance privacy and utility. In this paper, we propose a Discrete Matrixing Differentially Private Learning (DM-DPL) framework, which protects the privacy of discrete and matrix-valued data during ML training by adding discrete matrix-variate Gaussian noise. First, we propose a novel Discrete Matrix-Variate Gaussian (DMVG) mechanism with rigorous conditions necessary to guarantee (ε, δ)-differential privacy. Additionally, we present an eigenvalue-weighted analysis-based precision budget allocation strategy, designed to maintain the utility of significant dimensions while providing consistent privacy guarantees. Finally, the results illustrate that our approach significantly surpasses existing state-of-the-art methods when applied to quantized federated learning. To the best of our knowledge, this is the first work to specifically protect discrete and matrix-valued data during ML training.
PaperID: 85,   
Authors:  Jian Wang, Zhen Li, Jixiang Qu, Deqing Zou, Shouhuai Xu, Ziteng Xu, Zhenwei Wang, Hai Jin
Affiliations: National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Laboratory, Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Jinyinhu Laboratory, Huazhong University of Science and Technology, Wuhan, China; Department of Computer Science, Laboratory for Cybersecurity Dynamics, University of Colorado at Colorado Springs, Colorado Springs, CO, USA; Ant Technology Group Company Ltd., Hangzhou, China; National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Laboratory, Cluster and Grid Computing Laboratory, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
Title: MalPacDetector: An LLM-Based Malicious NPM Package Detector
Abstract:
The Node Package Manager (npm) registry contains millions of JavaScript packages widely shared between worldwide developers. However, npm has also been abused by attackers to spread malicious packages, highlighting the importance of detecting malicious npm packages. Existing malicious npm package detectors suffer from, among other things, high false positives and/or high false negatives. In this paper, we propose a novel Malicious npm Package Detector (MalPacDetector), which leverages Large Language Model (LLM) to automatically and dynamically generate features (rather than asking experts to manually define them). To evaluate the effectiveness of MalPacDetector and existing detectors, we construct a new npm package dataset, which overcomes the weaknesses of existing datasets (e.g., a small number of examples and a high repetition rate of malicious fragments). The experimental results show that MalPacDetector outperforms existing detectors by achieving a false positive rate of 1.3% and a false negative rate of 7.5%. In particular, MalPacDetector detects 39 previously unknown malicious packages, which are confirmed by the npm security team.
PaperID: 86,   
Authors:  Guyue Hu, Siyuan Song, Yukun Kang, Zhu Yin, Gangming Zhao, Chenglong Li, Jin Tang
Affiliations: State Key Laboratory of Opto-Electronic Information Acquisition and Protection Technology, the Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, Anhui Provincial Key Laboratory of Security Artificial Intelligence, and the School of Artificial Intelligence, Anhui University, Hefei, China; State Key Laboratory of Opto-Electronic Information Acquisition and Protection Technology, the Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, Anhui Provincial Key Laboratory of Multimodal Cognitive Computation, and the School of Computer Science and Technology, Anhui University, Hefei, China; School of Internet, Anhui University, Hefei, China; Department of Computer Science, The University of Hong Kong, Pokfulam, Hong Kong
Title: Federated Client-Tailored Adapter for Medical Image Segmentation
Abstract:
Medical image segmentation in X-ray images is beneficial for computer-aided diagnosis and lesion localization. Existing methods mainly fall into a centralized learning paradigm, which is inapplicable in the practical medical scenario that only has access to distributed data islands. Federated Learning has the potential to offer a distributed solution but struggles with heavy training instability due to client-wise domain heterogeneity (including distribution diversity and class imbalance). In this paper, we propose a novel Federated Client-tailored Adapter (FCA) framework for medical image segmentation, which achieves stable and client-tailored adaptive segmentation without sharing sensitive local data. Specifically, the federated adapter stirs universal knowledge in off-the-shelf medical foundation models to stabilize the federated training process. In addition, we develop two client-tailored federated updating strategies that adaptively decompose the adapter into common and individual components, then globally and independently update the parameter groups associated with common client-invariant and individual client-specific units, respectively. They further stabilize the heterogeneous federated learning process and realize optimal client-tailored instead of sub-optimal global-compromised segmentation models. Extensive experiments on three large-scale datasets demonstrate the effectiveness and superiority of the proposed FCA framework for federated medical segmentation.
PaperID: 87,   
Authors:  Xiao Liu, Mingyuan Li, Guangsheng Yu, Xu Wang, Wei Ni, Lixiang Li, Haipeng Peng, Ren Ping Liu
Affiliations: Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; Global Big Data Technologies Centre, University of Technology Sydney, Sydney, NSW, Australia
Title: BlockFUL: Enabling Unlearning in Blockchained Federated Learning
Abstract:
Unlearning in Federated Learning (FL) presents significant challenges, as models grow and evolve with complex inheritance relationships. This complexity is amplified when blockchain is employed to ensure the integrity and traceability of FL, where the need to edit multiple interlinked blockchain records and update all inherited models complicates the process. In this paper, we introduce Blockchained Federated Unlearning (BlockFUL), a novel framework with a dual-chain structure, comprising a live chain and an archive chain, for enabling unlearning capabilities within Blockchained FL. BlockFUL introduces two new unlearning paradigms, i.e., parallel and sequential paradigms, which can be effectively implemented through gradient-ascent-based and re-training-based unlearning methods. These methods enhance the unlearning process across multiple inherited models by enabling efficient consensus operations and reducing computational costs. Our extensive experiments validate that these methods effectively reduce data dependency and operational overhead, thereby boosting the overall performance of unlearning inherited models within BlockFUL on the CIFAR-10 and Fashion-MNIST datasets using AlexNet, ResNet18, and MobileNetV2 models.
PaperID: 88,   
Authors:  Junyu Chen, Depeng Chen, Jie Cui, Hong Zhong
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, Anhui University, Hefei, China
Title: Backdoor Attack on Encryption-Protected Vertical Federated Learning
Abstract:
Vertical Federated Learning (VFL), as one of the key paradigms in federated learning, is commonly employed in scenarios where multiple parties share the same sample set but possess different features for these samples. Previous studies have demonstrated that VFL is vulnerable to backdoor attacks due to its inherent characteristics. However, the issue of backdoor attacks in encryption-protected VFL has been underexplored. In such scenarios, adversaries cannot directly access plaintext sample-level gradients, which seemingly offers enhanced security for VFL. Adversaries are restricted to leveraging their own bottom model and a small subset of auxiliary samples to conduct backdoor attacks, rendering many existing attack strategies ineffective. In this paper, we propose a powerful backdoor attack: BAEVFL (Backdoor Attack on Encryption-protected Vertical Federated Learning), which is executed through three key stages: pseudo-label inference, trigger optimization, and backdoor poisoning. Our attack can be successfully launched without access to plaintext gradient information or auxiliary samples including all classes. Instead, it requires only the adversary’s bottom model and a minimal set of target class samples. We conducted extensive experiments demonstrating that BAEVFL outperforms various state-of-the-art baseline methods, achieving over 98% ASR on four benchmark datasets, while maintaining a utility drop of less than 0.3%. Additionally, we evaluated the effectiveness of current representative defense methods against our BAEVFL. The results indicate that existing defenses fail to strike a balance between defense and utility, and we provide key suggestions for potential improvements to these methods. The BAEVFL, with its stealth and effectiveness, exposes significant security vulnerabilities in encryption-protected VFL, underscoring the urgent need for future research on robust defense mechanisms for this paradigm.
PaperID: 89,   
Authors:  Shiyun Mao, Huibin Li
Affiliations: Department of Information Science, School of Mathematics and Statistics, Xi’an Jiaotong University, Xi’an, China
Title: Hyperbolic Metric Learning for Generalizable Face Anti-Spoofing
Abstract:
Generalizable face anti-spoofing is a challenging task due to the variations of fake materials (e.g., paper, plastic, and silicon), attack types (e.g., physical and digital), and acquisition environment (e.g., lighting). In this paper, we propose a novel Hyperbolic Metric Learning method for generalizable Face Anti-Spoofing, namely HML-FAS. Compared with the widely used Euclidean metric learning, the inherent hierarchical structure of anti-spoofing data can be well captured in the hyperbolic metric space. In particular, HML-FAS consists of an initial hyperbolic feature embedding step, followed by a Hyperbolic adversarial Data Augmentation (HDA), a Hyperbolic Optimal Transport (HOT), and a final hyperbolic classifier. To learn robust features, the hyperbolic Stein variational gradient descent algorithm is used for HDA to broaden the feature distribution bounds of each training domain. To learn domain-invariant features, the Kantorovich potential network is utilized for HOT to map the feature distributions of all training domains to a common hyperbolic space. Combined with the final hyperbolic classifier, out-of-distribution robust, domain-invariant, and discriminative face anti-spoofing features can be learned by our HML-FAS. Extensive experiments and visualizations demonstrate the effectiveness of HML-FAS compared with its Euclidean version EML-FAS, and the previous state-of-the-art methods under unseen scenarios and for unknown attacks.
PaperID: 90,   
Authors:  Sara Ghasvarianjahromi, Yauhen Yakimenka, Jörg Kliewer
Affiliations: Helen and John C. Hartmann Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ, USA
Title: Decentralized Sparse Matrix Multiplication Under Byzantine Attacks
Abstract:
Distributed computations, such as distributed matrix multiplication, can be vulnerable to significant security issues, notably Byzantine attacks. These attacks may target either worker nodes or servers, potentially leading to faulty results that can significantly degrade the overall performance. Therefore, detecting Byzantine attackers and mitigating their effects are crucial in such systems. Motivated by the goal of establishing a secure decentralized matrix-multiplication system, we first introduce a verification method named Common Tag, inspired by the well-known Freivalds’ algorithm, able to verify the multiplication results independent of their associated input matrices. Then, we propose two schemes for sparse matrix multiplication where a group of nodes collaboratively performs a computation task over a logical ring. We consider a subset of Byzantine nodes in the system that may arbitrarily corrupt either their own result or any other result passing through them. In Scheme I, considering the highly sparse nature of the input matrices, we assume that each node has sufficient capacity to store the entire input matrices, and the nodes forward read-only versions of their computed blocks so that other nodes cannot corrupt them. In Scheme II, we relax the above assumptions, firstly, by considering a limited storage capacity for each node. Secondly, we introduce more powerful adversaries capable of corrupting other nodes’ results by relaxing the read-only assumption. The results demonstrate the feasibility of both schemes and show a significant improvement in terms of distortion over the case where no detection happens. The results also provide a trade-off between the computational complexity required at each node and the reconstruction distortion in both schemes.
PaperID: 91,   
Authors:  Alireza Khodaie, Mehmet Emre Gursoy
Affiliations: Department of Computer Engineering, Koç University, Istanbul, Türkiye
Title: Learning Bayesian Networks Under Local Differential Privacy
Abstract:
Bayesian networks are widely used for causal discovery and probabilistic modeling across diverse domains including healthcare, multi-dimensional data analysis, environmental modeling, and industrial processes. Although previous work has studied the learning of Bayesian networks under centralized differential privacy, to the best of our knowledge, the problem of learning Bayesian networks under local differential privacy (LDP) remains open. In this paper, we address this problem by proposing two solution methods for learning Bayesian networks under LDP: LDP-BN and LDP-BN+. Our first solution called LDP-BN utilizes a novel algorithm for computing mutual information values necessary for building a Bayesian network under LDP, but it suffers from high utility loss since the privacy budget needs to be divided into many pairs of attributes and candidate parent sets. To reduce the amount of noise, we propose LDP-BN+ which utilizes a novel density-aware covering design algorithm that ensures all necessary mutual information values will be computed while the privacy budget is used more effectively. We experimentally evaluate LDP-BN and LDP-BN+ using multiple utility metrics and datasets. Results show that LDP-BN+ outperforms LDP-BN and enables the generation of high-utility Bayesian networks that can be used in practice.
PaperID: 92,   
Authors:  Teng Huang, Jiahui Huang, Changyu Dong, Sisi Duan, Yan Pang
Affiliations: School of Artificial Intelligence, Guangzhou University, Guangzhou, China; Institute for Advanced Study, Tsinghua University, Beijing, China; Guangdong Provincial Key Laboratory of Computer Vision and Virtual Reality Technology, Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China
Title: SAMamba: Structure-Aware Mamba for Ethereum Fraud Detection
Abstract:
The pseudonymous nature of Ethereum provides a protective umbrella for criminal activities, allowing criminals to develop a series of black industries such as phishing scams in unregulated areas. In order to exploit the relational inductive bias to discover the real identity of anonymous accounts, graph neural networks (GNNs) have been widely used in Ethereum fraud detection tasks as an effective and powerful framework. However, the expressive power of the GNN 1-hop message passing mechanism is bounded by the Weisfeiler-Leman (1-WL) test, degrading the fraud detection performance on the Ethereum network. This paper proposes a structure-aware Mamba framework, named SAMamba. Specifically, SAMamba uses a subgraph encoding strategy to capture complex structural patterns and introduces Mamba’s exceptional sequence modeling capabilities to route global information. In order to filter task-relevant information from dense information, the attention mechanism and the selection mechanism are introduced from local and global perspectives, respectively. These tailor-made designs enable SAMamba to distinguish subtle differences in structural patterns and selectively aggregate task-oriented information, thereby demonstrating exceptional performance in fraud detection tasks. Extensive experiments on real-world Ethereum data demonstrate that SAMamba outperforms state-of-the-art methods. The code is publicly available on GitHub: https://github.com/deepang-ai/SAMamba
PaperID: 93,   
Authors:  Shurong Ren, Shuyuan Yang, Mengyao Zhan, Zhuoyue Qi, Zhixi Feng
Affiliations: School of Artificial Intelligence, Xidian University, Xi’an, China
Title: Knowledge Driven Signal Transformer for Emitter Recognition
Abstract:
Recently, emitter recognition or identification based on deep neural networks (DNNs) has received increasing interest. However, most such methods are purely data-driven and require a large number of labeled instances. In this paper, a new Knowledge Driven Signal Transformer (KDSiT) is proposed, which introduces the knowledge graph (KG) into a signal Transformer (ST) model for accurate emitter recognition in real-world scenarios. On the one hand, KDSiT uses a unified multimodal Transformer structure to explore the latent long-range dependencies in signals and capture the subtle differences between emitters. On the other hand, KDSiT introduces domain knowledge, such as relationships and attributes between emitters, by constructing an emitter knowledge graph. By combining the powerful feature learning capability of DNNs with the rich semantic information in the KG, KDSiT can extract more discriminative features of emitters from multimodal learning, to improve the identification accuracy in degraded environments. Extensive experiments are conducted, and the results prove the superiority of KDSiT over its counterparts, especially in the case of low signal-to-noise ratio (SNR), incomplete signals, and a limited number of labeled instances.
PaperID: 94,   
Authors:  Jiajun Gong, Guotao Meng, Wei Cai, Siyuan Liang, Tao Wang, Ee-Chien Chang
Affiliations: Department of New Networks, Peng Cheng Laboratory, Shenzhen, China; Department of Electronic and Computer Engineering, The Hong Kong University of Science and Technology, Hong Kong, China; Network Connection Security Department, Zhongguancun Laboratory, Beijing, China; School of Computing, National University of Singapore, Queenstown, Singapore; School of Computing Science, Simon Fraser University, Burnaby, BC, Canada
Title: FOADA: Toward Robust Open-World Mobile App Fingerprinting
Abstract:
Smartphone users are susceptible to a privacy leakage attack called App Fingerprinting (AF), where traffic analysis is used to infer the apps in use. Despite packet encryption, AF attacks leverage packet size and timing information to identify apps, posing a privacy threat. However, existing attacks fail when a few apps are used concurrently, causing unsegmented traffic with app multiplexing and overlapping. The key reason is that they cannot accurately identify active time boundaries for the apps. This paper presents a novel AF attack, FOADA, the first to accurately predict both the location and label of a target app in traffic. FOADA approaches AF as an object detection problem, training a deep learning model to estimate boundary positions and classify traffic segments. Accurate boundary predictions help the model focus on the most relevant traffic segment, enhancing its classification performance. FOADA excels in handling noisy app traffic. With app multiplexing, it achieves an F1-score of 0.96 for predicting only app labels and an F1-score of 0.92 for predicting both app labels and their locations. FOADA surpasses the state-of-the-art attack PacketPrint, which achieves F1-scores of 0.80 and 0.48 in these two scenarios, respectively. The inference time of FOADA is 2,000 times faster than PacketPrint.
PaperID: 95,   
Authors:  Hongyu Han, Sheng Zhang, Hongyang Chen, Ali H. Sayed
Affiliations: College of Computer Science, Sichuan Normal University, Chengdu, China; School of Information Science and Technology, Southwest Jiaotong University, Chengdu, Sichuan, China; Research Center for Scientific Data, Zhejiang Lab, Hangzhou, China; School of Engineering, École Polytechnique Fédérale de Lausanne, Lausanne, Switzerland
Title: Masked Diffusion Strategy for Privacy-Preserving Distributed Learning
Abstract:
To protect both local gradients and estimated parameters in distributed learning, this paper introduces a masked diffusion (MD) strategy, leading to two algorithms: the MD stochastic gradient (MD-SG) and the MD primal-dual stochastic gradient (MPD-SG). The two algorithms distinguish themselves from existing privacy diffusion methods by incorporating two mechanisms: non-zero mean protection noise and a random matrix step-size. The first mechanism ensures the confidentiality of the transmitted values, while the second protects the gradient information. We analyze the mean-square stability and privacy of the proposed methods under standard assumptions. The results indicate that the MPD-SG algorithm, with a sufficiently small parameter $\gamma$, can achieve better steady-state performance than the MD-SG algorithm in heterogeneous data scenarios. Finally, simulations illustrate the effectiveness of the proposed algorithms and support the theoretical analysis.
PaperID: 96,   
Authors:  Joon Sik Kim, Kwangsu Lee, Jong Hwan Park, Hyoseung Kim
Affiliations: Graduate School of Information Security, Korea University, Seoul, Republic of Korea; Department of Computer and Information Security, Sejong University, Seoul, Republic of Korea; Department of Computer Science, Sangmyung University, Seoul, Republic of Korea; Department of Software, Hallym University, Chuncheon, Republic of Korea
Title: Dynamic Threshold Key Encapsulation With Transparent Setup
Abstract:
A threshold key encapsulation mechanism (TKEM) facilitates the secure distribution of session keys among multiple participants, allowing key recovery through a threshold number of shares. TKEM has gained significant attention, especially for decentralized systems, including blockchains. However, existing constructions often rely on trusted setups, which pose security risks such as a single point of failure and are limited by fixed participant numbers and thresholds. To overcome this issue, we propose a dynamic TKEM with a transparent setup, allowing for a flexible selection of both recipients and thresholds without relying on trusted third parties in the setup phase. In addition, our construction does not rely on pairing operations, which are less efficient compared to exponentiation. We prove the selective chosen-ciphertext security of our construction under the decisional Diffie-Hellman assumption, zero-knowledge, and soundness of a non-interactive zero-knowledge (NIZK) proof system. We also show that our scheme satisfies decapsulation consistency when the underlying NIZK system is sound. Our proof-of-concept implementation highlights the practicality and efficiency of this approach, further advancing the field of threshold cryptography.
PaperID: 97,   
Authors:  Yulin Zhu, Xing Ai, Yevgeniy Vorobeychik, Kai Zhou
Affiliations: Department of Computer Science, Hong Kong Chu Hai College, Tuen Mun, Hong Kong; Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong; Department of Computer Science and Engineering, McKelvey School of Engineering, Washington University in St. Louis, St. Louis, MO, USA
Title: Robust Graph Contrastive Learning With Information Restoration
Abstract:
The graph contrastive learning (GCL) framework has gained remarkable achievements in graph representation learning. However, similar to graph neural networks (GNNs), GCL models are susceptible to graph structural attacks. As an unsupervised method, GCL faces greater challenges in defending against adversarial attacks. Furthermore, there has been limited research on enhancing the robustness of GCL. To thoroughly explore the failure of GCL on the poisoned graphs, we investigate the detrimental effects of graph structural attacks against the GCL framework. We discover that, in addition to the conventional observation that graph structural attacks tend to connect dissimilar node pairs, these attacks also diminish the mutual information between the graph and its representations from an information-theoretical perspective, which is the cornerstone of the high-quality node embeddings for GCL. Motivated by this theoretical insight, we propose a robust graph contrastive learning framework with a learnable sanitation view that endeavors to sanitize the augmented graphs by restoring the diminished mutual information caused by the structural attacks. Additionally, we design a fully unsupervised tuning strategy to tune the hyperparameters without accessing the label information, which strictly coincides with the defender’s knowledge. Extensive experiments demonstrate the effectiveness and efficiency of our proposed method compared to competitive baselines.
PaperID: 98,   
Authors:  Yun Luo, Yuling Chen, Zhi Ouyang, Weijie Tan, Xiuzhang Yang
Affiliations: State Key Laboratory of Public Big Data, Guizhou University, Guiyang, China; State Key Laboratory of Public Big Data and the College of Computer Science and Technology, Guizhou University, Guiyang, China; Guizhou Big Data Academy, Guizhou University, Guiyang, China
Title: Privacy-Enhanced High-Fidelity Separable Lossless Reversible Data Hiding
Abstract:
Obtaining commercial value from private information in big data has become commonplace, which leads to misuse of information as well as violation of information owners’ rights, and curbing such behaviors has become a challenge. In this paper, we design an embedding scheme that can be applied to the privacy protection of secret information, i.e., embedding confidential information such as copyright as secret information in cover images. The secret information is divided into multiple clusters, then encrypted and compressed through a multiple-zone folding method to optimize the embedding efficiency and minimize the distortion caused by the embedding process; this realizes the privacy features of traceability and security protection of secret information in circulation. Evaluated by security analysis and experimental results, the proposed scheme achieves the IND-CPA level of information security for information protection. Compared with the state-of-the-art scheme, the computational complexity of the proposed scheme is O(Y) (Y denotes the total number of pixels), and at least 6 bits of information can be embedded per pixel, which improves the efficiency of embedding. In terms of the impact on the quality of the cover image after the embedding of secret information, it has better performance, and it improves the manageable traceability of information.
PaperID: 99,   
Authors:  Shaopeng Yang, Saihui Hou, Xu Liu, Chunshui Cao, Kang Ma, Yongzhen Huang
Affiliations: School of Artificial Intelligence, Beijing Normal University, Beijing, China; Watrix Technology Company Ltd., Beijing, China; School of Information and Communication Engineering, Beijing Institute of Technology, Beijing, China
Title: Multimodal Mutual Learning for Unsupervised Gait Recognition
Abstract:
The primary challenge in unsupervised gait recognition lies in generating meaningful and diverse supervisory signals to guide representation learning. The effectiveness of such methods largely depends on the richness of the supervisory signals. Unlike previous methods that construct supervisory signals solely from a single modality, we propose a novel framework, named Multimodal Mutual Learning (M3L), that leverages the identity consistency and complementary nature of both silhouette and skeleton modalities to generate richer and more informative supervisory signals. To fully leverage the richer supervisory signals, M3L encourages mutual prediction between the silhouette and skeleton modalities, guiding the network toward modality-invariant representations. However, mutual prediction alone is hindered by the inherent modality gap, so we introduce a Multimodal Collaborative Module to explicitly bridge this gap and promote cross-modal knowledge transfer. Moreover, to make the framework practical when only one modality is available at inference, we introduce a Multimodal Disentanglement Module. Multimodal Disentanglement Module decouples the two branches and distills a shared representation, preserving the gains of multimodal training while allowing the model to maintain robust performance under single-modality conditions. Extensive experiments on four widely used gait datasets—Gait3D, GREW, CASIA-B, and SUSTech1K—demonstrate the effectiveness of our approach and highlight its potential to advance unsupervised gait recognition.
PaperID: 100,   
Authors:  Chuhang Zheng, Qi Zhu, Lunke Fei, Shengrong Li, Xiangping Bryce Zhai, David Zhang, Daoqiang Zhang
Affiliations: College of Artificial Intelligence and the Key Laboratory of Brain-Machine Intelligence Technology, Ministry of Education, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Computer Science and Technology, Guangdong University of Technology, Guangzhou, China; School of Data Science, The Chinese University of Hong Kong, Shenzhen, China
Title: Disentangled Representation Learning for Robust Brainprint Recognition
Abstract:
Electroencephalography (EEG) biometrics draws increasing attention in high-security settings due to its advantages of anti-spoofing, liveness, and non-duplicability. However, existing EEG datasets, which rely on external stimuli or task-specific instructions for data collection, often intertwine identity-related information with biases such as emotional states, cognitive tasks, and disease markers. Besides, EEG signals are time-varying, while identity information within EEG signals is relatively fixed, which poses challenges for extracting identity features from EEG to perform accurate person identification. This high correlation hampers the adoption of brainprint recognition in real-life applications. In this paper, we propose a disentangled representation learning based identity recognition framework, which disentangles the EEG signal into intrinsic identity-related information and biased identity-invariant information, thus enhancing the performance of EEG biometrics. First, two parallel encoders are used to extract intrinsic identity-relevant and biased identity-irrelevant factors, respectively, and each encoder consists of a temporal filter module and a novel spatial-temporal attention module. Then, we further refine the disentanglement process through a correlation-driven loss that minimizes factor similarity across spatial-temporal and global representational domains. Adversarial training and reconstruction regularization are introduced to make the identity and biased representations independent of and complementary to each other. Additionally, we extend supervised contrastive learning to the component level, minimizing cross-component similarity and encouraging each component to independently reflect its unique information, thereby improving the disentanglement efficacy. Our proposed framework achieves state-of-the-art performance on diverse datasets encompassing emotional, motor imagery, and pathological conditions, demonstrating the robustness and effectiveness of our proposed brainprint identity recognition model.
PaperID: 101,   
Authors:  Zeyan Li, Shengda Zhuo, Jinchun He, Wangjie Qiu, Zhiming Zheng, Min Chen, Yin Tang
Affiliations: School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; College of Cyber Security, Jinan University, Guangzhou, China; Institute of Artificial Intelligence, Beijing Advanced Innovation Center for Future Blockchain and Privacy Computing, Beihang University, Beijing, China; School of Computer Science and Engineering, South China University of Technology, Guangzhou, China; School of Management, Jinan University, Guangzhou, China
Title: Behavior-Enhanced Representation Learning for User Behavior Analysis
Abstract:
The Uniform Resource Locator (URL) is a primary vector for numerous security threats, including phishing, malware propagation, and spam attacks, making URL-based analysis a critical task in security systems. However, existing research often focuses on static lexical features of individual URLs, overlooking deeper semantic, structural, and behavioral signals that can indicate malicious intent or evasive patterns. In this paper, we propose Behavior-Enhanced Semantic URL Embedding, a novel framework that integrates semantic, structural, and contextual information to improve the detection of security threats embedded in URLs. Our model is composed of three core modules: a semantic understanding module to extract token-level and contextual semantics, a topology structure learning module to capture hierarchical and sequential patterns of URL components, and a downstream multi-task adaptation module that fine-tunes embeddings with supervised contrastive learning for various security detection tasks. We evaluate our method across five public datasets covering key security applications such as malicious URL detection, phishing website identification, and spam filtering, consistently achieving superior performance over existing baselines. Additionally, we demonstrate the extensibility of our approach to related security tasks, showcasing its potential integration into real-world threat detection and security monitoring systems.
PaperID: 102,   
Authors:  Guanghua Liu, Chenlong Wang, Zhiguo Gong, Jia Zhang, Shuqi Tang, Huan Wang
Affiliations: Research Center of G Mobile Communications and the School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; Department of Computer Information Science, State Key Laboratory of Internet of Things for Smart City, University of Macau, Macau, China; College of Informatics, Huazhong Agricultural University, Wuhan, China
Title: Hypergraph-Driven Anomaly Detection in Dynamic Noisy Graphs
Abstract:
As interactions among elements in applications such as social networks, transaction networks, and IP-IP networks dynamically evolve, anomaly detection in dynamic graphs to mitigate potentially threatening interactions has become increasingly important. Existing methods often assume noise-free graph structures and primarily focus on monitoring structural changes to discover anomalies. Regrettably, practical applications often involve inaccurate information, individual non-response and dropout, and sampling biases. These factors contribute to the pervasiveness of dynamic noisy graphs that encompass structural noises, making anomaly detection more challenging. To address this issue, we propose a novel Hypergraph-driven Anomaly Detection Framework (HADF), which resists the interference of structural noises and adapts to dynamic noisy graphs. HADF consists of a hyper encoder and an embedding enhancer. The hyper encoder leverages inter-edge correlations to generate hyperedges and design their resistant weights, further employing hypergraph convolutional layers to extract the basic hyper-embeddings of edges. The embedding enhancer exploits temporal structural correlation and reconstructs multi-head attention to achieve noise-resistant enhancement of basic hyper-embeddings. Extensive experiments show that our proposed HADF can realize resistance to structural noises and outperform state-of-the-art methods in identifying anomalous edges in dynamic noisy graphs.
PaperID: 103,   
Authors:  Fangtian Zhong, Qin Hu, Yili Jiang, Jiaqi Huang, Xiuzhen Cheng
Affiliations: Gianforte School of Computing, Montana State University, Bozeman, MT, USA; Department of Computer Science, Georgia State University, Atlanta, GA, USA; Department of Computer Science and Cybersecurity, University of Central Missouri, Warrensburg, MO, USA; College of Computer Science and Technology, Shandong University, Qingdao, Shandong, China
Title: Unveiling Malware Visual Patterns: A Self-Analysis Perspective
Abstract:
The widespread usage of Microsoft Windows has unfortunately led to a surge in malware, posing a serious threat to the security and privacy of millions of users. In response, the research community has mobilized, with numerous efforts dedicated to strengthening defenses against these threats. The primary goal of these techniques is to detect malicious software early, preventing attacks before any damage occurs. However, many of these methods either claim that packing has minimal impact on malware detection or fail to address the reliability of their approaches when applied to packed samples. Consequently, they are not capable of assisting victims in handling packed programs or recovering from the damages caused by untimely malware detection. To address these challenges, we propose VisUnpac, a static analysis-based data visualization framework for bolstering attack prevention while aiding recovery post-attack by unveiling malware patterns and offering more detailed information including both malware class and family. Our method includes unpacking packed malware programs, calculating local similarity descriptors based on basic blocks, enhancing correlations between descriptors, and refining them by minimizing noise to obtain self-analysis descriptors. Moreover, we employ machine learning to learn the correlations of self-analysis descriptors through architectural learning for final classification. Our comprehensive evaluation of VisUnpac based on a freshly gathered dataset with over 27,106 samples confirms its capability in accurately classifying malware programs with a precision of 99.7%. Additionally, VisUnpac reveals that most antivirus products in VirusTotal cannot handle packed samples properly or provide precise malware classification information. We also achieve over 97% space savings compared to existing data visualization-based methods.
PaperID: 104,   
Authors:  Jun Yan, Huan Hua, Weiquan Huang, Xi Fang, Wancheng Ge, Jiancheng Yang, Yongwei Wang
Affiliations: Tongji University, Shanghai, China; DP Technology Company Ltd., Shanghai, China; ELLIS Institute Finland, Espoo, Finland; CMIC and SIAS, Zhejiang University, Hangzhou, China
Title: Exploring Causal Information Bottleneck for Adversarial Defense
Abstract:
Information bottleneck (IB) is a promising defense solution against adversarial attacks on deep neural networks. However, these methods often suffer from spurious correlations. A correlation exists between the prediction and the non-robust features, yet it does not reflect the causal relationship well. Such spurious correlations induce the neural networks to learn fragile and incomprehensible (non-robust) features. This issue limits its potential for further improving adversarial robustness. This paper addresses this issue by incorporating causal inference into the IB-based defense framework. Specifically, we propose a novel defense method that uses instrumental variables to enhance adversarial robustness. Our proposed method divides the features into two parts for causal effect estimation: robust and non-robust features. The robust features relate to understanding semantic information, and the non-robust features link to the vulnerable style information. By employing this framework, the IB method can mitigate the influence of non-robust features and extract the robust features linking to the semantic information of objects. We conduct a thorough analysis of the effectiveness of our proposed method. Notably, the experiments on MNIST, FashionMNIST, CIFAR-10, CIFAR-100, and Tiny-ImageNet demonstrate that our method significantly boosts the adversarial robustness against multiple adversarial attacks compared to previous methods. Our regularization method can improve adversarial robustness in both natural and adversarial training frameworks. Besides, CausalIB can be applied to both Convolutional Neural Networks and Vision Transformers as a plug-and-play module. Our code is available at https://github.com/HydrogenWasser/CausalIB
PaperID: 105,   
Authors:  Tianyu Lu, Liquan Chen, Junqing Zhang, Weicheng Zhang, Michail Matthaiou
Affiliations: Centre for Wireless Innovation (CWI), Queen’s University Belfast, Belfast, U.K.; School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Computer Science and Informatics, University of Liverpool, Liverpool, U.K.
Title: Polar-Domain Multi-User Key Generation in Near-Field Communications
Abstract:
Given the substantial increase in the number of antennas in extremely large-scale antenna array (ELAA) systems, polar-domain channel modeling has been introduced to capture both angular and distance information in near-field environments. The fine-grained polar-domain channel provides additional sources of randomness, making it well-suited for physical layer key generation (PLKG). To minimize the pilot overhead in multi-user key generation and leverage the randomness from the polar-domain channel paths, we implement a zero-forcing (ZF)-based precoding scheme to mitigate the inter-path and inter-user interference. Using ZF precoding, we derive an analytical expression for the sum secret key rate (SKR) as a function of the power allocation variables, and then optimize these variables in the presence of eavesdroppers. Since the ZF method may not fully eliminate interference with imperfect channel state information (CSI), there could be correlation between the measurements of polar-domain channel paths and users. We present a channel decorrelation and reciprocity compensation approach that leverages principal component analysis (PCA) and deep neural networks (DNNs) to mitigate channel correlation issues. Specifically, PCA is first applied at the base station (BS) to decorrelate the composite CSI vector that aggregates the CSI of all users. Following this preprocessing, a DNN is trained to learn the mapping from the decorrelated uplink CSI to the corresponding original downlink CSI. This trained DNN then reconstructs a new version of the downlink CSI, enhancing the cross-correlation between the BS and the users’ CSI, thereby improving uplink/downlink reciprocity. Our simulations evaluate the effectiveness of the DNN-based reciprocity compensation by assessing the normalized mean squared error (NMSE) and the correlation between uplink and downlink CSI, the bit disagreement ratio (BDR) and the randomness of secret keys after quantization.
PaperID: 106,   
Authors:  Hexin Feng, Rui Wang, Erwu Liu, Wei Ni, Dusit Niyato, Abbas Jamalipour
Affiliations: College of Electronics and Information Engineering, Tongji University, Shanghai, China; College of Electronics and Information Engineering, Shanghai Institute of Intelligent Science and Technology, and the National College of Elite Engineers, Tongji University, Shanghai, China; College of Electronics and Information Engineering and the Department of Ophthalmology, Tongji Hospital, School of Medicine, Tongji University, Shanghai, China; School of Engineering, Edith Cowan University, Perth, WA, Australia; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore; School of Electrical and Computer Engineering, The University of Sydney, Sydney, NSW, Australia
Title: Over-the-Air Federated Learning With Joint Privacy-Accuracy Optimization
Abstract:
Federated learning (FL) contributes to data privacy by not disclosing raw data, but encounters challenges of privacy leakage from local gradient uploading. This paper introduces a novel over-the-air computation (AirComp)-based FL system that balances privacy and accuracy by leveraging the waveform superposition and channel propagation characteristics of AirComp. Specifically, we derive the privacy leakage metric to explicitly account for the effects of waveform aggregation and communication noise. We analyze the convergence upper bound to capture model update errors stemming from artificial and communication noise. We formulate a new joint privacy-accuracy optimization problem by incorporating privacy leakage in the model training objective, guiding the learning process towards enhanced privacy protection. We then employ convex optimization techniques to derive the optimal power scaling and artificial noise intensity. Simulations demonstrate up to 80% reduction in privacy leakage compared to baselines under stringent privacy constraints, while maintaining competitive learning performance. Our method exhibits enhanced robustness under low signal-to-noise ratios, achieving 40% lower privacy leakage under equivalent privacy budgets.
PaperID: 107,   
Authors:  Ping He, Changjiang Li, Binbin Zhao, Tianyu Du, Shouling Ji
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Department of Computer Science, City University of Hong Kong (CityU), Hong Kong, SAR, China; Cyber Security Laboratory, College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Privacy-Preserving Universal Adversarial Defense for Black-Box Models
Abstract:
Deep neural networks (DNNs) are increasingly used in critical applications such as identity authentication and autonomous driving, where robustness against adversarial attacks is crucial. These attacks can exploit minor perturbations to cause significant prediction errors, making it essential to enhance the resilience of DNNs. Traditional defense methods often rely on access to detailed model information, which raises privacy concerns, as model owners may be reluctant to share such data. In contrast, existing black-box defense methods fail to offer a universal defense against various types of adversarial attacks. To address these challenges, we introduce DUCD, a universal black-box defense method that does not require access to the target model’s parameters or architecture. Our approach involves distilling the target model by querying it with data, creating a white-box surrogate while preserving data privacy. We further enhance this surrogate model using a certified defense based on randomized smoothing and optimized noise selection, enabling robust defense against a broad range of adversarial attacks. Comparative evaluations between the certified defenses of the surrogate and target models demonstrate the effectiveness of our approach. Experiments on multiple image classification datasets show that DUCD not only outperforms existing black-box defenses but also matches the accuracy of white-box defenses, all while enhancing data privacy and reducing the success rate of membership inference attacks.
PaperID: 108,   
Authors:  Wenting Li, Haibo Cheng, Kaitai Liang
Affiliations: School of Information Engineering, Beijing Institute of Graphic Communication, Beijing, China; National Engineering Research Center for Software Engineering and Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing, China; Faculty of Technology, University of Turku, Turku, Finland
Title: User-Autonomous Multi-Factor Authentication Supporting Arbitrary Factor Configurations
Abstract:
Multi-factor authentication (MFA) is widely used to secure high-value digital assets in web applications. Traditional $t$-factor authentication ($t$-FA) enhances security by requiring users to present $t$ factors, which often becomes inconvenient as the number of required factors increases. Threshold $(t,n)$-MFA (T-MFA) improves usability by allowing users to authenticate with any $t$ factors from a set of $n$. However, T-MFA treats all factors as equal, ignoring the varying security strengths of different factors. For instance, passwords are generally less secure than smart cards, yet T-MFA fails to account for these differences. This restricts its ability to balance security and usability effectively. To overcome this, we propose AS-MFA, a new primitive allowing users to configure factor combinations based on the security strength of each factor. Our scheme employs secret sharing for general access structures, ensuring that authentication is granted only when a valid combination of factors is presented. Unlike T-MFA limited to threshold configurations, AS-MFA supports arbitrary factor combinations, offering greater user autonomy. We formally define the security of AS-MFA and prove the security of our design. In terms of performance, the protocol requires only two communication rounds and achieves computational efficiency, involving $t_2$ fuzzy extractor operations, $2 + 3t_1 + 3t_2$ exponentiations, and 2 multi-exponentiations for a factor combination consisting of $t_1$ passwords, $t_2$ biometrics, and $t_3$ devices. For threshold configurations, AS-MFA outperforms Li et al.’s T-MFA by requiring fewer exponentiation operations, offering a constant and lower computation cost compared to the linear cost in $t$ of T-MFA.
PaperID: 109,   
Authors:  Hengzhu Liu, Tianqing Zhu, Lefeng Zhang, Ping Xiong
Affiliations: School of Information Engineering, Zhongnan University of Economics and Law, Wuhan, China; Faculty of Data Science, City University of Macau, Taipa, Macau
Title: Game-Theoretic Machine Unlearning: Mitigating Extra Privacy Leakage
Abstract:
With the extensive use of machine learning technologies, data providers encounter increasing privacy risks. Recent legislation, such as GDPR, obligates organizations to remove requested data and its influence from a trained model. Machine unlearning is an emerging technique designed to enable machine learning models to erase users’ private information. Although several efficient machine unlearning schemes have been proposed, these methods still have limitations. First, removing the contributions of partial data may lead to model performance degradation. Second, discrepancies between the original and generated unlearned models can be exploited by attackers to obtain the target sample’s information, resulting in additional privacy leakage risks. To address the above challenges, we propose a game-theoretic machine unlearning algorithm that simulates the competitive relationship between unlearning performance and privacy protection. This algorithm comprises unlearning and privacy modules. The unlearning module possesses a loss function composed of model distance and classification error, which is used to derive the optimal strategy. The privacy module aims to make it difficult for an attacker to infer membership information from the unlearned data, thereby reducing the privacy leakage risk during the unlearning process. Additionally, the experimental results on real-world datasets demonstrate this game-theoretic unlearning algorithm’s effectiveness and its ability to generate an unlearned model with a performance similar to that of the retrained one while mitigating extra privacy leakage risks.
PaperID: 110,   
Authors:  Yang Xu, Yaqin Liu, Songyou Xie, Yu Long, Wei Liang, Yaoxue Zhang
Affiliations: College of Cyber Science and Technology, Hunan University, Changsha, Hunan, China; College of Computer Science and Electronic Engineering, Hunan University, Changsha, Hunan, China; School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, Hunan, China; Department of Computer Science and Technology, Tsinghua University, Beijing, China
Title: SRVC: Highly Compatible Bidirectional Self-Regulatory Virtual Channel
Abstract:
The Payment Channel Network (PCN) provides an off-chain payment model to alleviate the problem of limited blockchain throughput. However, PCNs typically rely on third-party regulators to monitor the blockchain states continuously to prevent honest users’ funds from being lost, which increases user overhead and compromises transaction privacy. To overcome these challenges, we propose a highly compatible bidirectional Self-Regulatory Virtual Channel (SRVC) that eliminates third-party reliance while enhancing privacy and reducing overhead. By leveraging absolute time locks, we establish a self-regulatory mechanism where users only need to monitor the blockchain online for a short time window to ensure the security of their funds, effectively removing the need for third-party monitoring. Additionally, we introduce a novel payment paradigm and a punishment mechanism based on adaptor signatures across underlying channels to ensure transaction privacy and security, while also reducing transaction overhead. We formalize the security properties of SRVC as an ideal functionality and prove that SRVC is secure in the Universal Composability framework. Performance analysis demonstrates that, compared to other virtual channel protocols based on Lightning channels, SRVC reduces communication overhead by approximately 46.8% in the open operation and 62.9% in the update operation. In high-concurrency payment scenarios, SRVC further decreases communication overhead by about 57.8% and reduces the number of transactions by around 52.8% compared to Sleepy Channel’s Virtual Channel (SCVC) implementation.
PaperID: 111,   
Authors:  Tao Jiang, Fang He, Yinbin Miao, Xinghua Li, Jian Feng Ma, Robert H. Deng
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; School of Cyber Engineering, Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi’an, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Efficient and Verifiable Proof of Replicated Storage
Abstract:
Allowing users to assure that their files are reliably stored in multiple replicas is critically important but challenging for secure cloud storage. Recently, Damgård et al. designed the first publicly verifiable proof of replicated storage (abbreviated as PRI-POREP) in the private client setup without the fine-grained timing assumption. However, it relies on “ideal” invertible random permutations (IRPs), whose construction with the structured domain/range remains open even in the random oracle model. Also, it is computationally inefficient in terms of both replica generation and file update. To address challenges regarding both practicality and efficiency while guaranteeing the security of PRI-POREP, this paper aims at constructing a new proof of replicated storage scheme without a timing assumption, named μPRI-POREP. μPRI-POREP is secure against server-side deletion of replica blocks and it works efficiently, saving computation cost by orders of magnitude compared to PRI-POREP. Moreover, we demonstrate that μPRI-POREP can also support efficient dynamic update and can be further applied to secure the RSA-Hourglass schemes. Finally, we evaluate μPRI-POREP with a prototype implementation and exhibit that it can achieve comparable performance to PRI-POREP and support efficient file update operation.
PaperID: 112,   
Authors:  Xiongjun Guan, Zhiyu Pan, Jianjiang Feng, Jie Zhou
Affiliations: Department of Automation, Tsinghua University, Beijing, China
Title: Finger Pose Estimation for Under-Screen Fingerprint Sensor
Abstract:
Two-dimensional pose estimation plays a crucial role in fingerprint recognition by facilitating global alignment and reducing pose-induced variations. However, existing methods are still unsatisfactory when handling large-angle or small-area inputs. These limitations are particularly pronounced on fingerprints captured by under-screen fingerprint sensors in smartphones. In this paper, we present a novel dual-modal input based network for under-screen fingerprint pose estimation. Our approach effectively integrates two distinct yet complementary modalities: texture details extracted from ridge patches through the under-screen fingerprint sensor, and rough contours derived from capacitive images obtained via the touch screen. This collaborative integration endows our network with more comprehensive and discriminative information, substantially improving the accuracy and stability of pose estimation. A decoupled probability distribution prediction task is designed, instead of the traditional supervised forms of numerical regression or heatmap voting, to facilitate the training process. Additionally, we incorporate a Mixture of Experts (MoE) based feature fusion mechanism and a relationship-driven cross-domain knowledge transfer strategy to further strengthen feature extraction and fusion capabilities. Extensive experiments are conducted on several public datasets and two private datasets. The results indicate that our method is significantly superior to previous state-of-the-art (SOTA) methods and remarkably boosts the recognition ability of fingerprint recognition algorithms. Our code is available at https://github.com/XiongjunGuan/DRACO
PaperID: 113,   
Authors:  Qingwen Li, Song Bian, Hui Li, Xiaoguang Li, Xingwen Zhao
Affiliations: State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China; School of Cyber Science and Technology, Beihang University, Beijing, China
Title: EoTMP: Efficient Over-Threshold Multi-Party Private Set Intersection
Abstract:
Over-Threshold Multi-Party Private Set Intersection (OT-MPSI) is a variant of MPSI that aims to return items that appear in at least $\mathcal{T}$ of the participants’ sets without revealing any other information. OT-MPSI is applicable to many practical scenarios and offers an advantage over MPSI when identifying items held by most but not all participants. The existing work processes binary vector representations of sets in a bit-wise manner and utilizes Secure Computation Protocols to achieve over-threshold functionality. This results in low computational efficiency, with the number of communication rounds scaling linearly with the number of participants. We propose an efficient OT-MPSI protocol (EoTMP) by utilizing ring learning with errors based multi-party homomorphic encryption. By introducing a new over-threshold functionality and leveraging additional optimization techniques, our EoTMP requires only three communication rounds and offers faster computation than the state-of-the-art. In addition, our scheme supports the $t$-$N$ threshold access structure for participant collaboration. Specifically, with 45 participants and a threshold of 40, EoTMP processes sets of size 256 in 0.6 seconds, achieving a reduction in computational overhead by three orders of magnitude compared to prior work.
PaperID: 114,   
Authors:  Minghang Li, Qianhong Wu, Yupeng Zhang, Zhipeng Wang, Bo Qin, Xuecheng Lin, Willy Susilo
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; Department of Computer Science, The University of Manchester, Manchester, U.K.; School of Information and Brain, Renmin University of China, Beijing, China; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
Title: TockCuckoo: Two-Phase BFT With Linearity and Responsiveness
Abstract:
It is critical to achieve the following objectives in partially synchronous Byzantine Fault Tolerance (BFT) protocols: 1) two-phase commit regime; 2) standard optimistic responsiveness; and 3) linear communication complexity. These three properties significantly affect the efficiency of BFT protocols. A number of attempts, such as HotStuff and Tendermint, have been made to solve this problem, but they typically manage to achieve only a subset of these properties. In this work, we propose a two-phase BFT protocol called TockCuckoo that fully achieves the aforementioned three properties. A primary challenge in two-phase BFT protocols is HiddenLock: when a leader lacks visibility into the latest locked block states of honest replicas, it cannot safely proceed, potentially stalling the protocol. To address this issue, we introduce the proactive voting paradigm, which explicitly distinguishes between rejection and non-receipt states. After global stable time, an honest leader can always collect sufficient votes through proactive voting, enabling quick responses. TockCuckoo operates in continuous rounds of proactive voting, ensuring responsiveness. The proactive voting process requires only linear communication overhead, which directly results in TockCuckoo achieving linear communication complexity overall. Furthermore, we introduce TockCuckoo+, an extension of TockCuckoo. By introducing a cross-pipelined design, TockCuckoo+ enables more frequent block proposals without sacrificing the key characteristics of TockCuckoo, leading to improved throughput. Our experiments in wide-area networks demonstrate that TockCuckoo reduces commit latency by 20% to 40% compared to HotStuff across different network sizes, and TockCuckoo+ achieves a throughput increase of 1.1× to 1.5× over HotStuff.
PaperID: 115,   
Authors:  Yongxia Shi, Ehsan Nekouei, Chen Lv
Affiliations: School of Mechanical and Aerospace Engineering, Nanyang Technological University, Jurong West, Singapore; Department of Electrical Engineering, City University of Hong Kong, Hong Kong, China
Title: Switching Strategies for Communication-Efficient Secure Networked Control
Abstract:
Homomorphic encryption enables secure control of networked systems with untrusted computing entities but greatly increases communication overhead compared with plaintext-based control. To address this, we propose a dynamic mode-switching secure control framework that alternates between plaintext and encrypted operations. In plaintext mode, sensor measurements are obfuscated using random dithered quantization, while in encrypted mode, measurements are fully encrypted to provide enhanced system security. To evaluate the framework, a worst-case eavesdropping scenario is introduced, where the adversary has complete knowledge of the system model and access to all plant-controller communications. Within this setting, we develop three switching strategies—periodic, random, and error-based—to govern the operational mode. Rigorous theoretical analysis establishes formal guarantees for both control performance and security, alongside deriving a critical parameter condition for decryption correctness. With the signal-to-noise ratio of the eavesdropper’s estimate kept below 10 dB, simulations show that periodic and random switching reduce communication by at least 30%. Error-based switching with an appropriate threshold ($\beta = 1\times 10^{-4}$) achieves more than 70% reduction. These results confirm that the proposed framework effectively balances control performance, system security, and communication overhead, rendering it well-suited for resource-constrained networked systems.
PaperID: 116,   
Authors:  Jianghong Wei, Guohua Tian, Xiaofeng Chen, Willy Susilo
Affiliations: State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an, China; School of Computing and IT, University of Wollongong, Wollongong, NSW, Australia
Title: Lightweight 0-RTT Session Resumption Protocol for Constrained Devices
Abstract:
With the growing popularity of various Internet of Things (IoT) applications, securing data transmission over these networks becomes critical. The authenticated key exchange (AKE) protocol is a fundamental cryptographic primitive that achieves this goal by creating a shared session key. However, since IoT end devices are usually resource-constrained, devising secure and efficient AKE protocols for IoT applications remains challenging. In this paper, we investigate the design of zero round-trip time (0-RTT) session resumption protocols based on pre-shared keys, which enable an end device to send encrypted data to a server without prior key exchange. Specifically, we first propose a new construction of puncturable pseudo-random function (PRF), and prove its security under the RSA assumption. Then, based on the proposed puncturable PRF and authenticated encryption with associated data, we put forward a new construction of 0-RTT session resumption protocol that simultaneously provides forward security and resistance against replay attacks. We further demonstrate how to combine the proposed 0-RTT session resumption protocol with other symmetric AKE protocols for IoT applications. Both theoretical comparisons and experimental results indicate that our proposal has significant advantages in terms of computation and storage costs for practical parameter settings. Thus, it is especially desirable for constrained devices.
PaperID: 117,   
Authors:  Chenhao Lin, Xiang Ji, Yulong Yang, Qian Li, Zhengyu Zhao, Zhe Peng, Run Wang, Liming Fang, Chao Shen
Affiliations: School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; School of Software Engineering, Xi’an Jiaotong University, Xi’an, China; Department of Industrial and Systems Engineering, The Hong Kong Polytechnic University, Hung Hom, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China
Title: Hard Adversarial Example Mining for Improving Robust Fairness
Abstract:
Adversarial training (AT) is widely considered the state-of-the-art technique for improving the robustness of deep neural networks (DNNs) against adversarial examples (AEs). Nevertheless, recent studies have revealed that adversarially trained models are prone to unfairness problems. Recent works in this field usually apply class-wise regularization methods to enhance the fairness of AT. However, this paper discovers that these paradigms can be sub-optimal in improving robust fairness. Specifically, we empirically observe that the AEs that are already robust (referred to as “easy AEs” in this paper) are useless and even harmful in improving robust fairness. To this end, we propose the hard adversarial example mining (HAM) technique which concentrates on mining hard AEs while discarding the easy AEs in AT. Specifically, HAM identifies the easy AEs and hard AEs with a fast adversarial attack method. By discarding the easy AEs and reweighting the hard AEs, the robust fairness of the model can be efficiently and effectively improved. Extensive experimental results on four image classification datasets demonstrate the improvement of HAM in robust fairness and training efficiency compared to several state-of-the-art fair adversarial training methods. Our code is available at https://github.com/yyl-github-1896/HAM.
PaperID: 118,   
Authors:  Jie Song, Sijia Zhang, Pengyi Zhang, Junghoon Park, Yu Gu, Ge Yu
Affiliations: Software College, Northeastern University, Shenyang, Liaoning, China; School of Computer Science and Engineering, Northeastern University, Shenyang, Liaoning, China
Title: Illicit Social Accounts? Anti-Money Laundering for Transactional Blockchains
Abstract:
In recent years, blockchain anonymity has led to more illicit accounts participating in various money laundering transactions. Existing studies typically detect money laundering transactions, known as AML (Anti-Money Laundering), through learning transaction features on transaction graphs of transactional blockchains. However, transaction graphs fail to represent the accounts’ social features within transactional organizations. Account graphs reveal such features well, and detecting illicit accounts on account graphs provides a new perspective on AML. For example, it helps uncover illegal transactions whose transaction features are not distinct in transaction graphs, under the loose assumption that illicit accounts are likely involved in illegal transactions. In this paper, we propose a Social Attention Graph Neural Network (SGNN) on account graphs converted from transaction graphs. To detect illicit accounts, SGNN learns the social features on two sub-graphs, a heterogeneous graph and a hypergraph, extracted from the account graph, and fuses these features into account attribute vectors through attention. The experimental results on the Elliptic++ dataset demonstrate SGNN’s advances. It outperforms the best baseline by 14.18% in precision, 7.37% in F1 score, 0.96% in accuracy, and 0.64% in recall when detecting illicit accounts on account graphs, and it achieves 20.3% higher recall of illegal transactions through these illicit accounts than state-of-the-art methods based on transaction graphs when the mappings between illegal transactions and illicit accounts are provided. Moreover, thanks to social features, SGNN has a novel capability that works under many account scales and activity degrees. We release our code on https://github.com/CloudLab-NEU/SGNN.
PaperID: 119,   
Authors:  Zhiyang Dai, Yansong Gao, Chunyi Zhou, Anmin Fu, Zhi Zhang, Minhui Xue, Yifeng Zheng, Yuqing Zhang
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; Department of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia; College of Computer Science and Technology, Zhejiang University, Hangzhou, China; CSIRO Data, Sydney, NSW, Australia; Harbin Institute of Technology, Shenzhen, China; National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing, China
Title: Decaf: Data Distribution Decompose Attack Against Federated Learning
Abstract:
In contrast to prevalent Federated Learning (FL) privacy inference techniques such as generative adversarial network attacks, membership inference attacks, property inference attacks, and model inversion attacks, we devise an innovative privacy threat: the Data Distribution Decompose Attack on FL, termed Decaf. This attack enables an honest-but-curious FL server to meticulously profile the proportion of each class owned by the victim FL user, divulging sensitive information like local market item distribution and business competitiveness. The crux of Decaf lies in the profound observation that the magnitude of local model gradient changes closely mirrors the underlying data distribution, including the proportion of each class. Decaf addresses two crucial challenges: accurately identifying the missing/null class(es) of any victim user as a premise, and then quantifying the precise relationship between gradient changes and each remaining non-null class. Notably, Decaf operates stealthily, rendering it entirely passive and undetectable to victim users regarding the infringement of their data distribution privacy. Experimental validation on five benchmark datasets (MNIST, FASHION-MNIST, CIFAR-10, FER-2013, and SkinCancer) employing diverse model architectures, including customized convolutional networks, standardized VGG16, and ResNet18, demonstrates Decaf’s efficacy. Results indicate its ability to accurately decompose local user data distribution, regardless of whether it is IID or non-IID distributed. Specifically, the dissimilarity measured using the L∞ distance between the distribution decomposed by Decaf and the ground truth is consistently below 5% when no null classes exist. Moreover, Decaf achieves 100% accuracy in determining any victim user’s null classes, validated through formal proof.
PaperID: 120,   
Authors:  Bo Gao, Weiwei Liu, Guangjie Liu, Fengyuan Nie, Jianan Huang
Affiliations: School of Automation, Nanjing University of Science and Technology, Nanjing, China; School of Electronics and Information Engineering, Nanjing University of Information Science and Technology, Nanjing, China
Title: Multi-Level Resource-Coherented Graph Learning for Website Fingerprinting Attacks
Abstract:
Deep learning-based website fingerprinting (WF) attacks dominate website traffic classification. In the real world, the main challenges limiting their effectiveness are, on the one hand, the difficulty in countering the effect of content updates on the basis of accurate descriptions of page features in traffic representations. On the other hand, the model’s accuracy relies on training numerous samples, requiring constant manual labeling. The key to solving the problem is to find a website traffic representation that can stably and accurately display page features, as well as to perform self-supervised learning that is not reliant on manual labeling. This study introduces the multi-level resource-coherented graph convolutional neural network (MRCGCN), a self-supervised learning-based WF attack. It analyzes website traffic using resources as the basic unit, which are coarser than packets, ensuring the page’s unique resource layout while improving the robustness of the representations. Then, we utilized an echelon-ordered graph kernel function to extract the graph topology as the label for website traffic. Finally, a two-channel graph convolutional neural network is designed for constructing a self-supervised learning-based traffic classifier. We evaluated the WF attacks using real data in both closed- and open-world scenarios. The results demonstrate that the proposed WF attack has superior and more comprehensive performance compared to state-of-the-art methods.
PaperID: 121,   
Authors:  Haochen Sun, Tonghe Bai, Jason Li, Hongyang Zhang
Affiliations: David R. Cheriton School of Computer Science, Faculty of Mathematics, University of Waterloo, Waterloo, ON, Canada; Department of Electrical and Computer Engineering, Faculty of Engineering, University of Waterloo, Waterloo, ON, Canada
Title: zkDL: Efficient Zero-Knowledge Proofs of Deep Learning Training
Abstract:
The recent advancements in deep learning have brought about significant changes in various aspects of people’s lives. Meanwhile, these rapid developments have raised concerns about the legitimacy of the training process of deep neural networks. To protect the intellectual properties of AI developers, directly examining the training process by accessing the model parameters and training data is often prohibited for verifiers. In response to this challenge, we present zero-knowledge deep learning (zkDL), an efficient zero-knowledge proof for deep learning training. To address the long-standing challenge of verifiable computations of non-linearities in deep learning training, we introduce zkReLU, a specialized proof for the ReLU activation and its backpropagation. zkReLU turns the disadvantage of non-arithmetic relations into an advantage, leading to the creation of FAC4DNN, our specialized arithmetic circuit design for modelling neural networks. This design aggregates the proofs over different layers and training steps, without being constrained by their sequential order in the training process. With our new CUDA implementation that achieves full compatibility with the tensor structures and the aggregated proof design, zkDL enables the generation of complete and sound proofs in less than a second per batch update for an 8-layer neural network with 10M parameters and a batch size of 64, while provably ensuring the privacy of data and model parameters. To our best knowledge, we are not aware of any existing work on zero-knowledge proof of deep learning training that is scalable to million-size networks.
PaperID: 122,   
Authors:  Zipeng Ye, Wenjian Luo, Qi Zhou, Yubo Tang, Zhenqian Zhu, Yuhui Shi, Yan Jia
Affiliations: Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies, School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; School of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, Guangdong, China
Title: Gradient Inversion of Text-Modal Data in Distributed Learning
Abstract:
Gradient inversion attacks (GIAs) pose significant challenges to the privacy-preserving paradigm of distributed learning. These attacks employ carefully designed strategies to reconstruct victims’ private training data from their shared gradients. However, existing work mainly focuses on attacks and defenses for image-modal data, while the study of text-modal data remains scarce. Furthermore, the performance of the limited attack research on text-modal data is also unsatisfactory, which can be partially attributed to the finer granularity of text data compared to images. To bridge the existing research gap, we propose a high-fidelity attack method tailored for Transformer-based language models (LMs). In our method, we initially reconstruct the label space of the victim’s training data by leveraging the characteristics of the Transformer architecture. After that, we propose a shallow-to-deep paradigm to facilitate gradient matching, which can significantly improve the attack performance. Furthermore, we develop a weighted surrogate loss that resolves the consistent deviation issue present in current attack research. A substantial number of experiments on Transformer-based LMs (e.g., Bert and GPT) demonstrate that our attack is competitive and significantly outperforms existing methods. In the final part of this paper, we investigate the influence of the inherent position embedding module within the Transformer architecture on attack performance, and based on the analysis results, we propose a countermeasure to alleviate part of the privacy leakage issue in distributed learning.
PaperID: 123,   
Authors:  Jiancun Wu, Engang Tian, Chen Peng, Zhiru Cao
Affiliations: School of Optical-Electrical and Computer Engineering, University of Shanghai for Science and Technology, Shanghai, China; School of Mechatronic Engineering and Automation, Shanghai University, Shanghai, China
Title: Data-Importance-Aware Attack Strategy Design and Secure Control Countermeasure
Abstract:
This paper is concerned with the security issues related to integrated attack-defense strategy for a category of multi-sensor networked control systems with state saturation constraints. In general, existing denial-of-service (DoS) attack models typically conduct indiscriminate attacks on data packets, disregarding the significance of the attacked data packets to the system. Note that the measurement data from different sensor nodes possesses varying levels of importance. In light of this, we first propose a novel form of attack from the perspective of attack design, known as a data-importance-aware attack. The importance of data refers to the quantitative impact of the measured values at each sensor node on the stable and safe operation of the entire system. As such, the proposed attack has the awareness to launch attacks against critical sensor nodes, rendering data unable to be transmitted. Then, an attack-node-dependent security controller is devised from the defender’s perspective against the constructed attack, which can effectively resist the impact of attacks and stabilize the system. By employing the Lyapunov functional method, sufficient conditions are derived to ensure the asymptotic stability of the closed-loop system. Finally, the reliability and effectiveness of the node importance-aware attack strategy and control countermeasure are validated by numerical simulation.
PaperID: 124,   
Authors:  Mingwei Zeng, Jie Cui, Qingyang Zhang, Hong Zhong, Debiao He
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, and Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Efficient Revocable Cross-Domain Anonymous Authentication Scheme for IIoT
Abstract:
The rapid evolution of the Industrial Internet of Things (IIoT) has necessitated increased device interactions across various management domains. This entails devices from different domains collaborating on the same production task. This poses significant challenges for the dynamics of cross-domain authentication schemes. Traditional cross-domain authentication schemes struggle to support seamless switching between domains and face difficulties when accommodating devices that join and leave the same domain. Moreover, these schemes suffer from intricate interactions and suboptimal efficiency. To address these issues, we propose a dynamic group signature scheme based on a dynamic accumulator and a non-interactive zero-knowledge proof. We integrate this scheme with blockchain technology to construct an efficient revocable cross-domain authentication scheme. The proposed scheme enables cross-domain anonymous authentication with simple interactions and provides an efficient revocation function for illegal devices. This approach ensures conditional privacy preservation and enables efficient member joining and exiting through a dynamic accumulator. It effectively addresses the dynamic requirements of devices involved in IIoT production and manufacturing processes. We prove the security of the proposed scheme in the random oracle model and conduct thorough analyses to verify its resistance against various attacks. Furthermore, the experimental results demonstrate that the proposed scheme achieves better performance in terms of computational and communication costs.
PaperID: 125,   
Authors:  Yixiao Xu, Binxing Fang, Mohan Li, Xiaolei Liu, Zhihong Tian
Affiliations: School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China; Chinese Academy of Engineering Physics, Institute of Computer Application, Mianyang, China
Title: Query-Efficient Model Inversion Attacks: An Information Flow View
Abstract:
Model Inversion Attacks (MIAs) pose a certain threat to the data privacy of learning-based systems, as they enable adversaries to reconstruct identifiable features of the training distribution with only query access to the victim model. In the context of deep learning, the primary challenges associated with MIAs are suboptimal attack success rates and the corresponding high computational costs. Prior efforts assumed that the expansive search space caused these limitations, employing generative models to constrain the dimensions of the search space. Despite the initial success of these generative-based solutions, recent experiments have cast doubt on this fundamental assumption, leaving two open questions about the influential factors determining MIA performance and how to manipulate these factors to improve MIAs. To answer these questions, we reframe MIAs from the perspective of information flow. This new formulation allows us to establish a lower bound for the error probability of MIAs, determined by two critical factors: (1) the size of the search space and (2) the mutual information between input and output random variables. Through a detailed analysis of generative-based MIAs within this theoretical framework, we uncover a trade-off between the size of the search space and the generation capability of generative models. Based on the theoretical conclusions, we introduce the Query-Efficient Model Inversion Approach (QE-MIA). By strategically selecting an appropriate search space and introducing additional mutual information, QE-MIA achieves a reduction of 60%–70% in query overhead while concurrently enhancing the attack success rate by 5%–25%.
PaperID: 126,   
Authors:  Yipeng Liu, Zhanqing Li, Xuan Yang, Xiao Lu, Jing Li, Peng Chen, Ronghua Liang
Affiliations: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China; Cancer Institute of Integrative Medicine, Tongde Hospital of Zhejiang Province, Hangzhou, China
Title: Test-Time Image Reconstruction for Cross-Device OCT Fingerprint Extraction
Abstract:
Optical coherence tomography (OCT) technology enables imaging of 3D fingerprint structures. Extracting surface and internal fingerprints for identity recognition is possible by processing OCT images with layer segmentation and contour extraction. However, due to domain shift effects, OCT fingerprint extraction models often struggle to perform well across different devices. In this paper, a cross-device OCT fingerprint extraction method based on test-time image reconstruction is proposed. This method simultaneously trains layer segmentation and image reconstruction tasks during training. Additionally, a contour classification task is integrated to ensure the continuity and robustness of the contour extraction results. During the testing phase, image reconstruction is performed on test images, and the shared modules are updated to adapt the layer segmentation and contour classification network to the test domain. The result with the minimum inconsistency during the testing phase is selected as the final prediction. Experiments and comparisons are performed in terms of the distance between the ground truth and the extracted contours.
PaperID: 127,   
Authors:  Jia Sun, Yanfeng Li, Luyifu Chen, Houjin Chen, Minjun Wang
Affiliations: School of Electronic Information Engineering, Beijing Jiaotong University, Beijing, China
Title: Dualistic Disentangled Meta-Learning Model for Generalizable Person Re-Identification
Abstract:
Person re-identification (re-ID) is a research hotspot in the field of intelligent monitoring and security. Domain generalizable (DG) person re-identification transfers the trained model directly to the unseen target domain for testing, which is closer to practical application than supervised or unsupervised person re-ID. The meta-learning strategy is an effective way to solve the DG problem; nevertheless, existing meta-learning-based DG re-ID methods mainly simulate the test process in a single aspect such as identity or style, while ignoring the completely different person identities and styles in the unseen target domain. To address this problem, we consider a double disentangling at two levels, training strategy and feature learning, and propose a novel dualistic disentangled meta-learning (D²ML) model. D²ML is composed of two disentangling stages. One is for the learning strategy, which spreads the one-stage meta-test into two stages, an identity meta-test stage and a style meta-test stage. The other is for feature representation, which decouples the shallow layer features into identity-related features and style-related features. Specifically, we first conduct the identity meta-test stage on different person identities of the images, and then employ a feature-level style perturbation module (SPM) based on Fourier spectrum transformation to conduct the style meta-test stage on images with diversified styles. With these two stages, abundant changes in the unseen domain can be simulated during the meta-test phase. Besides, to learn more identity-related features, a feature disentangling module (FDM) is inserted at each stage of meta-learning and a disentangled triplet loss is developed. By constraining the relationship between identity-related features and style-related features, the generalization ability of the model can be further improved. Experimental results on four public datasets show that our D²ML model achieves superior generalization performance compared to the state-of-the-art methods.
PaperID: 128,   
Authors:  Lingyan Xue, Haiping Huang, Fu Xiao, Qi Li, Zhiwei Wang
Affiliations: School of Computer Science and Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: A Privacy-Enhanced Traceable Anonymous Transaction Scheme for Blockchain
Abstract:
Blockchain transaction privacy is a highly researched topic across various application scenarios. Current privacy-preserving schemes in blockchain employ advanced cryptographic techniques, such as homomorphic encryption and zero-knowledge proofs, to balance transaction privacy with regulatory requirements. However, these schemes encounter challenges, including computational inefficiency, data expansion, and overlooked metadata privacy, such as timestamp protection. In this paper, we first propose a privacy-enhanced traceable anonymous transaction scheme based on data transaction scenarios. This scheme integrates ring signature and Merkle hash tree techniques, effectively shortening the signature size and optimizing the verification process compared to existing combinations of ring signatures and zero-knowledge proofs. A novel verifiable timestamp privacy protection method is introduced, which obfuscates timestamps to prevent tampering without compromising integrity. To enhance scalability, this method extends to multiple transaction processing scenarios and implements a timestamp-sharing strategy to reduce the computational burden. It also allows tracking authorities to monitor the long-term addresses of both transaction parties if necessary. Rigorous security analysis and extensive experimental evaluations demonstrate that this scheme achieves superior privacy, traceability, and scalability compared to existing approaches.
PaperID: 129,   
Authors:  Yuxian Li, Jian Weng, Junzuo Lai, Yingjiu Li, Jiahe Wu, Ming Li, Jianfei Sun, Pengfei Wu, Robert H. Deng
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; College of Cyber Security, Jinan University, Guangzhou, China; Computer Science Department, University of Oregon, Eugene, OR, USA
Title: AuditPCH: Auditable Payment Channel Hub With Privacy Protection
Abstract:
Anonymous Payment Channel Hub (PCH), one of the most promising layer-two solutions, settles the scalability issue in blockchain while guaranteeing the unlinkability of transacting parties. However, such developments bring conflicting requirements, i.e., hiding the sender-to-receiver relationships from any third party but opening the relationship to the auditor. Existing works do not support these requirements simultaneously since off-chain transactions are not recorded in the blockchain. Further, the privacy protection strategies hinder auditors from capturing the payment relationships. Thus, it is still a challenge to audit the financial activities of PCH transacting parties. This paper proposes a novel anonymous PCH solution called AuditPCH to achieve privacy and auditability. Concretely, we design a Linkable Randomizable Puzzle (LRP) scheme for constructing conditional transactions, allowing a sender to pay a receiver via the hub. As such, AuditPCH, with the new LRP scheme, ensures that 1) payment relationships can be protected from the hub and 2) an auditor with the necessary trapdoors can associate the sender and receiver of a payment. We prove the security of AuditPCH under the Global Universal Composability framework. Extensive experimental evaluations of AuditPCH demonstrate its functionality and flexibility.
PaperID: 130,   
Authors:  Xin Liu, Yichen Yang, Kun He, John E. Hopcroft
Affiliations: School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China; Computer Science Department, Cornell University, Ithaca, NY, USA
Title: Parameter Interpolation Adversarial Training for Robust Image Classification
Abstract:
Though deep neural networks exhibit superior performance on various tasks, they are still plagued by adversarial examples. Adversarial training has been demonstrated to be the most effective method to defend against adversarial attacks. However, existing adversarial training methods show that the model robustness has apparent oscillations and overfitting issues in the training process, degrading the defense efficacy. To address these issues, we propose a novel framework called Parameter Interpolation Adversarial Training (PIAT). PIAT tunes the model parameters between each epoch by interpolating the parameters of the previous and current epochs. It makes the decision boundary of model change more moderate and alleviates the overfitting issue, helping the model converge better and achieving higher model robustness. In addition, we suggest using the Normalized Mean Square Error (NMSE) to further improve the robustness by aligning the relative magnitude of logits between clean and adversarial examples rather than the absolute magnitude. Extensive experiments conducted on several benchmark datasets demonstrate that our framework could prominently improve the robustness of both Convolutional Neural Networks (CNNs) and Vision Transformers (ViTs).
PaperID: 131,   
Authors:  Xiuwen Liu, Yanjiao Chen, Shanchen Pang
Affiliations: School of Cyberspace, Hangzhou Dianzi University, Hangzhou, Zhejiang, China; Department of Computer Science and Engineering, University at Buffalo–State University of New York, Buffalo, NY, USA
Title: Dense Feature Interaction Network for Image Inpainting Localization
Abstract:
Image inpainting, the process of filling in missing areas in an image, is a common image editing technique. Inpainting can be used to conceal or alter image contents in malicious manipulation of images, driving the need for research in image inpainting detection. Most existing methods use a basic encoder-decoder structure, which often results in a high number of false positives or misses the inpainted regions, especially when dealing with targets of varying semantics and scales. Additionally, the lack of an effective approach to capture boundary artifacts leads to less accurate edge localization. In this paper, we describe a new method for inpainting detection based on a Dense Feature Interaction Network (DeFI-Net). DeFI-Net uses a novel feature pyramid architecture to capture and amplify multi-scale representations across various stages, thereby improving the detection of image inpainting by better strengthening feature-level interactions. Additionally, the network can adaptively direct the lower-level features, which carry edge and shape information, to refine the localization of manipulated regions while integrating the higher-level semantic features. Using DeFI-Net, we develop a method combining complementary representations to accurately identify inpainted areas. Evaluation on seven image inpainting datasets demonstrates the effectiveness of our approach, which achieves state-of-the-art performance in detecting inpainting across diverse models. Code and models are available at https://github.com/Boombb/DeFI-Net_Inpainting.
PaperID: 132,   
Authors:  Chunlin Qiu, Ang Li, Yiheng Duan, Shenyi Zhang, Yuanjie Zhang, Lingchen Zhao, Qian Wang
Affiliations: School of Computer Science, Hunan International Scientific and Technological Cooperation Base of Intelligent Network, and the Key Laboratory of Hunan Province for Internet of Things and Information Security, Xiangtan University, Xiangtan, China; School of Information Science and Technology, Jinan University, Guangzhou, China
Title: Robust Generative Adaptation Network for Open-Set Adversarial Defense
Abstract:
In open-set recognition scenarios, deep learning models are required to handle samples from unknown categories, which better reflects real-world conditions. However, this task poses significant challenges to current closed-set recognition models, and the emergence of adversarial samples further exacerbates the issue. Existing open-set adversarial defense methods still lack a comprehensive exploration of model architectures, and the efficacy of adversarial training methods remains suboptimal in generalizing to various types of noise. In this paper, we propose a novel network called the Robust Generative Adaptation Network (RGAN), which enhances closed-set recognition accuracy and open-set detection performance by optimizing the model architecture for open-set adversarial defense. We optimize the robust block that can be embedded within deep learning models to constrain the propagation effects of adversarial attacks, thereby enhancing the model’s robustness. Simultaneously, we employ a noise generator to create perturbations tailored to specific adversarial samples and leverage these perturbations to increase the model’s generalization ability to different forms of noise. We conduct comprehensive experiments on five widely used datasets and various classification architectures, and the experimental results demonstrate that our RGAN achieves State-Of-The-Art (SOTA) performance in open-set adversarial defense tasks. The code and models are available at https://github.com/ycLi-CV/RGAN-main.
PaperID: 133,   
Authors:  Hao Wang, Zhichao Chen, Zhaoran Liu, Haozhe Li, Degui Yang, Xinggao Liu, Haoxuan Li
Affiliations: State Key Laboratory of Industrial Control Technology, College of Control Science and Engineering, Zhejiang University, Hangzhou, China; School of Automation, Central South University, Changsha, China; Center for Data Science, Peking University, Beijing, China
Title: Entire Space Counterfactual Learning for Reliable Content Recommendations
Abstract:
Post-click conversion rate (CVR) estimation is a fundamental task in developing effective recommender systems, yet it faces challenges from data sparsity and sample selection bias. To handle both challenges, the entire space multitask models are employed to decompose the user behavior track into a sequence of exposure → click → conversion, constructing surrogate learning tasks for CVR estimation. However, these methods suffer from two significant defects: (1) intrinsic estimation bias (IEB), where the CVR estimates are higher than the actual values; (2) false independence prior (FIP), where the causal relationship between clicks and subsequent conversions is potentially overlooked. To overcome these limitations, we develop a model-agnostic framework, namely Entire Space Counterfactual Multitask Model (ESCM2), which incorporates a counterfactual risk minimizer within the entire space multitask framework to regularize CVR estimation. Experiments conducted on large-scale industrial recommendation datasets and an online industrial recommendation service demonstrate that ESCM2 effectively mitigates IEB and FIP defects and substantially enhances recommendation performance.
PaperID: 134,   
Authors:  Xiaofu Chen, Jiangyi Deng, Yanjiao Chen, Chaohao Li, Xin Fang, Cong Liu, Wenyuan Xu
Affiliations: College of Electrical Engineering, Zhejiang University, Hangzhou, Zhejiang, China; iFLYTEK Research Institute, Hefei, China
Title: Imprints: Mitigating Watermark Removal Attacks With Defensive Watermarks
Abstract:
Watermarking is essential for protecting the intellectual property of private images. However, a wide range of watermark removal attacks, especially many AI-powered ones, can automatically predict and remove watermarks, posing serious concerns. In this paper, we present the design of Imprints, a defensive watermarking framework that fortifies watermarks against watermark removal attacks. By formulating an optimization problem that deters watermark removal attacks, we design image-independent/dependent defensive watermark models for effective batch/customized protection. We further enhance the watermark to be transferable to unseen watermark removal attacks and robust to editing distortions. Extensive experiments verify that Imprints outperforms existing baselines in terms of its immunity to 8 state-of-the-art watermark removal attacks and 3 commercial black-box watermark removal software products. The source code is available at https://github.com/Imprints-wm/Imprints.
PaperID: 135,   
Authors:  Jie Zhang, Zhifan Wan, Lanqing Hu, Stephen Lin, Shuzhe Wu, Shiguang Shan
Affiliations: Key Laboratory of AI Safety of CAS, Institute of Computing Technology (ICT), Chinese Academy of Sciences (CAS), Beijing, China; Microsoft Research Asia, Beijing, China; Beijing Huawei Digital Technologies Company Ltd., Haidian, Beijing, China
Title: Collaboratively Self-Supervised Video Representation Learning for Action Recognition
Abstract:
Considering the close connection between action recognition and human pose estimation, we design a Collaboratively Self-supervised Video Representation (CSVR) learning framework specific to action recognition by jointly factoring in generative pose prediction and discriminative context matching as pretext tasks. Specifically, our CSVR consists of three branches: a generative pose prediction branch, a discriminative context matching branch, and a video generating branch. Among them, the first one encodes dynamic motion feature by utilizing Conditional-GAN to predict the human poses of future frames, and the second branch extracts static context features by contrasting positive and negative video feature and I-frame feature pairs. The third branch is designed to generate both current and future video frames, for the purpose of collaboratively improving dynamic motion features and static context features. Extensive experiments demonstrate that our method achieves state-of-the-art performance on multiple popular video datasets.
PaperID: 136,   
Authors:  Yongxiang Li, Yuan Sun, Yang Qin, Dezhong Peng, Xi Peng, Peng Hu
Affiliations: College of Computer Science, Sichuan University, Chengdu, China
Title: Robust Duality Learning for Unsupervised Visible-Infrared Person Re-Identification
Abstract:
Unsupervised visible-infrared person re-identification (UVI-ReID) aims at retrieving pedestrian images of the same individual across distinct modalities, presenting challenges due to the inherent heterogeneity gap and the absence of cost-prohibitive annotations. Although existing methods employ self-training with clustering-generated pseudo-labels to bridge this gap, they always implicitly assume that these pseudo-labels are predicted correctly. In practice, however, this presumption is impossible to satisfy due to the difficulty of training a perfect model, let alone without any ground truths, resulting in pseudo-labeling errors. Based on this observation, this study introduces a new learning paradigm for UVI-ReID considering Pseudo-Label Noise (PLN), which encompasses three challenges: noise overfitting, error accumulation, and noisy cluster correspondence. To conquer these challenges, we propose a novel robust duality learning framework (RoDE) for UVI-ReID to mitigate the adverse impact of noisy pseudo-labels. Specifically, for noise overfitting, we propose a novel Robust Adaptive Learning mechanism (RAL) to dynamically prioritize clean samples while deprioritizing noisy ones, thus avoiding overemphasizing noise. To circumvent error accumulation of self-training, where the model tends to confirm its mistakes, RoDE alternately trains dual distinct models using pseudo-labels predicted by their counterparts, thereby maintaining diversity and avoiding collapse into noise. However, this will lead to cross-cluster misalignment between the two distinct models, not to mention the misalignment between different modalities, resulting in dual noisy cluster correspondence that is difficult to optimize. To address this issue, a Cluster Consistency Matching mechanism (CCM) is presented to ensure reliable alignment across distinct modalities as well as across different models by leveraging cross-cluster similarities. Extensive experiments on three benchmark datasets demonstrate the effectiveness of the proposed RoDE.
PaperID: 137,   
Authors:  Rama Krishna Koppanati, Monika Santra, Sateesh Kumar Peddoju
Affiliations: Department of Computer Science and Engineering, Indian Institute of Technology Roorkee, Roorkee, India; Department of EECS, The Pennsylvania State University, University Park, PA, USA
Title: D24D: Dynamic Deep 4-Dimensional Analysis for Malware Detection
Abstract:
In the era of ubiquitous computing devices, malware is the primary weapon of cyber attacks, and malware-related security breaches remain a significant security concern. Nowadays, adversaries require fewer resources to exploit a system with the help of contemporary malicious payloads and AI tools than in the old days. Despite many advances in malware defense research, adversaries continually employ sophisticated tools and techniques to evade existing defense mechanisms and create chaos. Moreover, it is challenging to recognize these malicious binaries with shallow features such as section names, entropies, virtual sizes, and strings, which are not robust. The proposed work mainly focuses on identifying robust features that can help to detect more sophisticated (i) seen and (ii) never-seen-before malware effectively. Unlike the existing research works, D24D concentrates on four types of analysis: Registry key, API function, network, and memory analysis. Above all, D24D identifies the binaries that perform fast-flux attacks, DGA-based attacks, homoglyph attacks, and other attack types. The evaluation results indicate that D24D achieves an accuracy of 99.67%, with a 0.10% False Positive Rate for seen binaries and more than 91% accuracy for never-seen-before binaries. Beyond that, D24D outperforms 33 existing anti-malware solutions. The extracted features prove robust in identifying seen and never-seen-before binaries based on the experimental analysis, comparison with the state-of-the-art models, and ablation study.
PaperID: 138,   
Authors:  Zhuoran Ma, Xinyi Huang, Zhuzhu Wang, Zhan Qin, Xiangyu Wang, Jianfeng Ma
Affiliations: School of Cyber Engineering, Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi’an, China; School of Information Science and Technology, Northwest University, Xi’an, China; School of Cyber Science and Technology, College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: FedGhost: Data-Free Model Poisoning Enhancement in Federated Learning
Abstract:
Federated learning (FL) is vulnerable to model poisoning attacks due to the invisibility of local data and the decentralized nature of FL training. The adversary attempts to maliciously manipulate local model gradients to compromise the global model (i.e., victim model). Commonly-studied model poisoning attacks heavily depend on accessing additional knowledge, such as local data and the aggregation algorithm from the victim model, which easily encounter practical obstacles due to limited adversarial knowledge. In this paper, we first reveal that aggregated gradients in FL can serve as an attack carrier, exposing the latent knowledge of the victim model. In particular, we propose a data-free model poisoning attack named FedGhost, which aims to redirect the training objective of FL towards the adversary’s objective without any auxiliary information. In FedGhost, we design a black-box adaptive optimization algorithm to dynamically adjust the perturbation factor for malicious gradients, maximizing the poisoning impact of FL. Experimental results on five datasets in IID and Non-IID FL settings demonstrate that FedGhost achieves the highest attack success rate, outperforming other state-of-the-art model poisoning attacks by more than 10%-60%.
PaperID: 139,   
Authors:  Huazhong Zhao, Lei Qi, Xin Geng
Affiliations: School of Computer Science and Engineering and the Key Laboratory of New Generation Artificial Intelligence Technology and Its Interdisciplinary Applications, Ministry of Education, Southeast University, Nanjing, China
Title: CILP-FGDI: Exploiting Vision-Language Model for Generalizable Person Re-Identification
Abstract:
The Visual Language Model, known for its robust cross-modal capabilities, has been extensively applied in various computer vision tasks. In this paper, we explore the use of CLIP (Contrastive Language-Image Pretraining), a vision-language model pretrained on large-scale image-text pairs to align visual and textual features, for acquiring fine-grained and domain-invariant representations in generalizable person re-identification. The adaptation of CLIP to the task presents two primary challenges: learning more fine-grained features to enhance discriminative ability, and learning more domain-invariant features to improve the model’s generalization capabilities. To mitigate the first challenge and thereby enhance the ability to learn fine-grained features, a three-stage strategy is proposed to boost the accuracy of text descriptions. Initially, the image encoder is trained to effectively adapt to person re-identification tasks. In the second stage, the features extracted by the image encoder are used to generate textual descriptions (i.e., prompts) for each image. Finally, the text encoder with the learned prompts is employed to guide the training of the final image encoder. To enhance the model’s generalization capabilities to unseen domains, a bidirectional guiding method is introduced to learn domain-invariant image features. Specifically, domain-invariant and domain-relevant prompts are generated, and both positive (i.e., pulling together image features and domain-invariant prompts) and negative (i.e., pushing apart image features and domain-relevant prompts) views are used to train the image encoder. Collectively, these strategies contribute to the development of an innovative CLIP-based framework for learning fine-grained generalized features in person re-identification. The effectiveness of the proposed method is validated through a comprehensive series of experiments conducted on multiple benchmarks. Our code is available at https://github.com/Qi5Lei/CLIP-FGDI.
PaperID: 140,   
Authors:  S. V. Dilip Kumar, Josep Balasch, Benedikt Gierlichs, Ingrid Verbauwhede
Affiliations: COSIC, ESAT, KU Leuven, Leuven, Belgium; e-Media Research Lab, STADIUS, KU Leuven, Leuven, Belgium
Title: Low-Cost First-Order Secure Boolean Masking in Glitchy Hardware
Abstract:
We describe how to securely implement the masked logical AND of two bits in hardware in the presence of glitches without the need for fresh randomness, and we provide guidelines for the composition of circuits. As a case study, we design, implement, and evaluate masked DES cores. We focus on first-order secure Boolean masking and do not aim for provable security. Our goal is a practically relevant trade-off between area, latency, randomness cost, and security. We provide two low-cost solutions. Our first solution focuses on strong security while simultaneously aiming for low implementation costs. The resulting DES engine shows no evidence of first-order leakage in a non-specific leakage assessment with 50M traces. Our second solution follows the opposite approach: we focus on lowering implementation costs, latency to be specific, while not sacrificing much on security. Our low-latency DES engine exhibits signs of first-order leakage only after approximately 15M traces.
PaperID: 141,   
Authors:  Shuoyi Chen, Mang Ye, Yan Huang, Bo Du
Affiliations: National Engineering Research Center for Multimedia Software, Institute of Artificial Intelligence, Hubei Key Laboratory of Multimedia and Network Communication Engineering, School of Computer Science, Wuhan University, Wuhan, China; ZM Vision Technology, Wuhan, Hubei, China
Title: Towards Effective Rotation Generalization in UAV Object Re-Identification
Abstract:
UAV surveillance offers a unique aerial perspective, enabling the monitoring of large areas and capturing targets from angles that fixed ground cameras cannot achieve. UAV-based object re-identification (ReID) differs from the extensively studied city camera scenarios, as it involves identifying specific objects in aerial images captured from a dynamic bird’s-eye view. The challenge lies in the significant variation in object perspectives and the often uncertain rotational changes captured by UAVs. Existing ReID methods designed for city cameras struggle to adapt to these rotational variations. To address these challenges, we propose a Transformer-based learnable rotation generalization enhancement method specifically for UAV-based ReID. To improve the model’s adaptability to uncertain rotational changes, we introduce a learnable feature-level rotation simulation technique that generates multiple rotated features. Building on this, we design a rotation diversification loss to decorrelate different rotated features, ensuring a rich feature representation. Additionally, to mitigate the negative effects of image-level rotation augmentation, we propose instance-level and distribution-level rotation invariance regularization. This approach establishes explicit associations between images and their rotated counterparts, facilitating the learning of visually consistent rotation-invariant features. Instance-level constraints ensure that detailed features remain consistent during rotation, while distribution-level constraints maintain the model’s semantic understanding. Notably, our method demonstrates strong versatility, covering a wide range of objects, including persons, vehicles, and various animals. Evaluations on multiple UAV-collected person and vehicle ReID datasets, as well as several animal datasets, consistently show outstanding performance, underscoring its robustness and adaptability to the unique challenges posed by UAV-based ReID.
PaperID: 142,   
Authors:  Ximing Fu, Mo Li, Qingming Zeng, Tianyang Li, Shenghao Yang, Yonghui Guan, Chuanyi Liu
Affiliations: School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, China; School of Science and Engineering, The Chinese University of Hong Kong, Shenzhen, Shenzhen, China; School of Computer Science and Technology, Harbin Institute of Technology, Harbin, China; Shenzhen Growth Ring Technology Company Ltd., Shenzhen, China
Title: Hamster: A Fast Synchronous Byzantine Fault Tolerant Protocol
Abstract:
This paper presents Hamster, a novel synchronous Byzantine Fault Tolerant protocol that achieves high throughput and weaker dependency on synchrony. Specifically, Hamster is the first to introduce coding techniques into synchronous BFT, addressing the challenges posed by higher fault tolerance requirements and significantly reducing communication complexity. Consequently, Hamster achieves linear throughput gains as the number of nodes increases, surpassing Sync HotStuff. Additionally, with minor modifications, Hamster can operate effectively in mobile sluggish environments, further reducing its dependency on strict synchrony. We implement Hamster, and experimental results highlight its performance advantages. Specifically, Hamster achieves 2.5× the throughput of Sync HotStuff in a network of 9 nodes, with this gain growing to 10× as the network scales to 65 nodes. This increasing throughput advantage makes Hamster more applicable to large-scale distributed systems.
PaperID: 143,   
Authors:  Dacan Luo, Junduan Huang, Weili Yang, M. Saad Shakeel, Wenxiong Kang
Affiliations: School of Automation Science and Engineering, South China University of Technology, Guangzhou, China; School of Artificial Intelligence, South China Normal University, Foshan, China; School of Physics and Mechatronic Engineering, Guizhou Minzu University, Guiyang, China
Title: RSNet: Region-Specific Network for Contactless Palm Vein Authentication
Abstract:
More palm features, such as veins and shapes obtained from an enlarged contactless palm vein region of interest (ROI), have been shown to improve recognition performance. However, few efforts have been made to adequately utilize these features for mining identity information. To address this issue, we propose a Region-Specific Network (RSNet) for contactless palm vein authentication. Our RSNet is a dual-branch structure for global and local feature extraction. Firstly, a Region-based Local feature Enhancement Block (RLEB) is proposed at the local branch to extract region-specific features. In the RLEB, the intermediate feature maps are divided into three asymmetrical patches based on the physiological characteristics of palm vein and palm shape for extracting diversified features, enhancing the local feature representation. Then, a Multi-scale Aggregation Block (MAB) is proposed that efficiently aggregates multi-scale features at a more granular level. Furthermore, to guide the global and local branches in learning complementary feature aspects, a difference loss is introduced to apply a soft subspace orthogonality constraint between the global and local vectors during training. The global branch is designed to assist the learning process of local features, without being adopted for inference. Extensive experiments have demonstrated the effectiveness and superiority of our method, and the RSNet achieves new State-Of-The-Art (SOTA) authentication performance on seven public contactless palm vein databases in the open-set scenario.
PaperID: 144,   
Authors:  Qi Liu, Xiaojie Guo, Kang Yang, Yu Yu
Affiliations: Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China; Shanghai Qi Zhi Institute, Shanghai, China; State Key Laboratory of Cryptology, Beijing, China
Title: Labeled Private Set Intersection From Distributed Point Function
Abstract:
Private Set Intersection (PSI) allows two mutually distrusting parties to compute the intersection of their sets without revealing any additional information, and has found numerous applications. Some applications require labeled PSI in the unbalanced setting, where a server holds a label for each item in a set that is much larger than the set held by a client, and the client obtains the intersection and the corresponding labels. In this paper, we present a new concretely efficient labeled PSI protocol in the unbalanced setting, without using computation-heavy homomorphic encryption. Our protocol is based on Distributed Point Function (DPF) with hardware acceleration from fixed-key AES-NI, and has communication complexity linear in the size of the small set of the client and sublinear in the size of the large set of the server. Our protocol exploits two Oblivious Pseudorandom Function (OPRF) protocols, based on Diffie-Hellman PRFs or block ciphers, to achieve a trade-off between computation and communication. Our implementation demonstrates that our protocol outperforms the previous labeled and unbalanced PSI protocols. In particular, for two sets with 2^24 and 1 items respectively, where each item has a 32-byte label, our protocol takes 1.19 seconds for an end-to-end performance, resulting in a 26× improvement compared to the state-of-the-art protocol by Cong et al. (CCS 2021). In terms of the cost of the one-time initialization, we speed up the computations more than 325× in the above comparison.
PaperID: 145,   
Authors:  Ruonan Chen, Yang Zhang, Dawei Li, Yizhong Liu, Jianwei Liu, Qianhong Wu, Jianying Zhou, Willy Susilo
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; Singapore University of Technology and Design, Somapah Rd, Singapore; School of Computing and Information Technology, Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia
Title: Bitcoin-Compatible Privacy-Preserving Multi-Party Payment Channels Supporting Variable Amounts
Abstract:
Blockchain and cryptocurrencies are developing rapidly, and the scalability issue has become a constraint on their practical application and development. Off-chain payment channels are an effective solution to the scalability problem of blockchain. Currently, various payment channel protocols have been proposed. However, privacy issues are vital in payment channels. Existing works that consider privacy issues mainly focus on payment channel networks and payment channel hubs, while there is little work on two-party and multi-party channels. In addition, many existing payment channel works that consider privacy protection fix the transaction amounts to ensure the hiding of payment relationships or rely on smart contracts, which will hinder the practical application of payment channels. In this work, we propose a two-party privacy-preserving payment channel protocol that is compatible with Bitcoin (TBPChannel), achieving value privacy and unlinkability, while supporting variable transaction amounts. On this basis, we propose a privacy-preserving multi-party payment channel protocol (MBPChannel), which removes the role of untrusted operators in previous multi-party settings and further achieves robustness. We formally model the protocols in the universal composability framework and prove the security. Finally, we implement the protocols and provide a performance evaluation. The results demonstrate the scalability and practicality of our protocols. Compared to current protocols, even though we use privacy-preserving methods, our protocols are still efficient and applicable in practice.
PaperID: 146,   
Authors:  Xin Zhang, Kejiang Chen, Na Zhao, Weiming Zhang, Nenghai Yu
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, China
Title: Provably Secure Public-Key Steganography Based on Admissible Encoding
Abstract:
The technique of hiding secret messages within seemingly harmless covertext to evade examination by censors, with rigorous security proofs, is known as provably secure steganography (PSS). PSS evolves from symmetric key steganography to public-key steganography, functioning without the requirement of a pre-shared key and enabling the extension to multi-party covert communication and identity verification mechanisms. Recently, a public-key steganography method based on elliptic curves was proposed, which uses point compression to eliminate the algebraic structure of curve points. However, this method has strict requirements on the curve parameters and is only available on half of the points. To overcome these limitations, this paper proposes a more general elliptic curve public key steganography method based on admissible encoding. By applying the tensor square function to the known well-distributed encoding, we construct admissible encoding, which can create the pseudo-random public-key encryption function. The theoretical analysis and experimental results show that the proposed provably secure public-key steganography method can be deployed on all types of curves and utilize all points on the curve.
PaperID: 147,   
Authors:  Serhat Bakirtas, Elza Erkip
Affiliations: Qualcomm Inc., Boxborough, MA, USA; Department of Electrical and Computer Engineering, New York University, New York, NY, USA
Title: Distribution-Agnostic Database De-Anonymization Under Obfuscation and Synchronization Errors
Abstract:
Database de-anonymization typically involves matching an anonymized database with correlated publicly available data. Existing research focuses either on practical aspects without requiring knowledge of the data distribution yet provides limited guarantees, or on theoretical aspects assuming known distributions. This paper aims to bridge these two approaches, offering theoretical guarantees for database de-anonymization under synchronization errors and obfuscation without prior knowledge of data distribution. Using a modified replica detection algorithm and a new seeded deletion detection algorithm, we establish sufficient conditions on the database growth rate for successful matching, demonstrating a double-logarithmic seed size relative to row size is sufficient for detecting deletions in the database. Importantly, our findings indicate that these sufficient de-anonymization conditions are tight and are the same as in the distribution-aware setting, avoiding asymptotic performance loss due to unknown distributions. Finally, we evaluate the performance of our proposed algorithms through simulations, confirming their effectiveness in more practical, non-asymptotic, scenarios.
PaperID: 148,   
Authors:  Yongliang Xu, Hang Cheng, Jiguo Li, Ximeng Liu, Xinpeng Zhang, Meiqing Wang
Affiliations: School of Mathematics and Statistics, Fuzhou University, Fuzhou, China; College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; College of Computer and Data Science, Fuzhou University, Fuzhou, China; School of Computer Science, Fudan University, Shanghai, China
Title: Lightweight Multi-User Public-Key Authenticated Encryption With Keyword Search
Abstract:
Data confidentiality, a fundamental security element for dependable cloud storage, has been drawing widespread concern. Public-key encryption with keyword search (PEKS) has emerged as a promising approach for privacy protection while enabling efficient retrieval of encrypted data. One of the typical applications of PEKS is searching sensitive electronic medical records (EMR) in healthcare clouds. However, many traditional countermeasures fall short of balancing privacy protection with search efficiency, and they often fail to support multi-user EMR sharing. To resolve these challenges, we propose a novel lightweight multi-user public-key authenticated encryption scheme with keyword search (LM-PAEKS). Our design effectively counters the inside keyword guessing attack (IKGA) while maintaining the sizes of ciphertext and trapdoor constant in multi-user scenarios. The novelty of our approach relies on introducing a dedicated receiver server that skillfully transforms the complex many-to-many relationship between senders and receivers into a streamlined one-to-one relationship. This transformation prevents the sizes of ciphertext and trapdoor from scaling linearly with the number of participants. Our approach ensures ciphertext indistinguishability and trapdoor privacy while avoiding bilinear pairing operations on the client side. Comparative performance analysis demonstrates that LM-PAEKS features significant computational efficiency while meeting higher security requirements, positioning it as a robust alternative to existing solutions.
PaperID: 149,   
Authors:  Chao Pan, Donghui Hu, Yaofei Wang, Kejiang Chen, Yinyin Peng, Xianjin Rong, Chen Gu, Meng Li
Affiliations: School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, Anhui, China; CAS Key Laboratory of Electro-Magnetic Space Information, University of Science and Technology of China, Hefei, China
Title: Rethinking Prefix-Based Steganography for Enhanced Security and Efficiency
Abstract:
Generative models have demonstrated remarkable capabilities in synthesizing realistic content, creating new opportunities for secure communication through steganography---the practice of embedding covert messages within seemingly innocuous data. While prefix-based steganography, which encodes secret messages into shared probability intervals during generative sampling, has emerged as a promising paradigm for provably secure communication, its practical adoption remains constrained by inherent tradeoffs between security, capacity, and efficiency. To address these challenges, we propose two enhancements. The first enhancement optimizes quantization distortion in existing frameworks to minimize KL divergence, thereby enhancing theoretical security. The second redesigns the sampling mechanism via distribution coupling to amplify steganographic capacity, achieving this without incurring substantial computational overhead. Experimental validation on a text generation task confirms our enhancements substantially outperform previous implementations, demonstrating notable capacity improvements, marked security enhancements, and efficiency gains on consumer-grade hardware. Cross-task comparisons with popular provably secure steganography further establish the proposed enhancements as achieving superior security-capacity-efficiency tradeoffs across diverse generative scenarios, advancing the practical deployment of provably secure steganography systems.
PaperID: 150,   
Authors:  Tingxu Han, Weisong Sun, Ziqi Ding, Chunrong Fang, Hanwei Qian, Jiaxun Li, Zhenyu Chen, Xiangyu Zhang
Affiliations: State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; College of Computing and Data Science, Nanyang Technological University, Nanyang, Singapore, Singapore; School of Computer Science and Engineering, University of New South Wales, Kensington, NSW, Australia; School of Mathematical Sciences, Soochow University, Suzhou, China; State Key Laboratory for Novel Software Technology and Shenzhen Research Institute, Nanjing University, Nanjing, China; School of Computer Sciences, Purdue University, West Lafayette, IN, USA
Title: Mutual Information Guided Backdoor Mitigation for Pre-Trained Encoders
Abstract:
Self-supervised learning (SSL) is increasingly attractive for pre-training encoders without requiring labeled data. Downstream tasks built on top of those pre-trained encoders can achieve nearly state-of-the-art performance. The pre-trained encoders by SSL, however, are vulnerable to backdoor attacks as demonstrated by existing studies. Numerous backdoor mitigation techniques are designed for downstream task models. However, their effectiveness is impaired and limited when adapted to pre-trained encoders, due to the lack of label information when pre-training. To address backdoor attacks against pre-trained encoders, in this paper, we innovatively propose a mutual information guided backdoor mitigation technique, named MIMIC (Mutual Information guided backdoor MItigation for pre-trained enCoders). MIMIC uses the potentially backdoored encoder as the teacher network and applies knowledge distillation to create a clean student encoder from it. Different from existing knowledge distillation approaches, MIMIC initializes the student with random weights, inheriting no backdoors from teacher nets. Then MIMIC leverages mutual information between each layer and extracted features to locate where benign knowledge lies in the teacher net, with which distillation is deployed to clone clean features from teacher to student. We craft the distillation loss with two aspects, including clone loss and attention loss, aiming to mitigate backdoors and maintain encoder performance at the same time. Our evaluation conducted on two backdoor attacks in SSL demonstrates that MIMIC can significantly reduce the attack success rate by only utilizing ≤ 5% of clean pre-training data that is accessible to the defender, surpassing seven state-of-the-art backdoor mitigation techniques. The source code of MIMIC is available at https://github.com/wssun/MIMIC.
PaperID: 151,   
Authors:  Yunlong He, Jia Yu
Affiliations: College of Computer Science and Technology, Qingdao University, Qingdao, China
Title: Toward Secure Weighted Aggregation for Privacy-Preserving Federated Learning
Abstract:
Privacy-preserving federated learning can protect the privacy of model gradients/parameters in the model aggregation phase. Most existing schemes only consider the scenario where user models have the same weight in model aggregation. However, users often hold different numbers of training samples in practice. This makes the model convergence speed of existing schemes very slow. To solve this problem, we propose a privacy-preserving federated learning scheme with secure weighted aggregation. It is able to allocate appropriate user weights based on the user’s local data size with privacy protection. In addition, it is impossible for the cloud server to obtain the user’s original model parameters and local data size in the proposed scheme. Specifically, we use Lagrange interpolation to combine the model parameters and local data size into a set of ciphertexts. The cloud server can smoothly perform weighted aggregation based on these ciphertexts. Leveraging the Chinese Remainder Theorem, we convert the local data size into a series of verification values. This enables the user to verify the correctness of results returned from the server. We provide a theoretical analysis for the proposed scheme, demonstrating its effectiveness, privacy, and verifiability. We perform extensive experiments on the MNIST dataset. Experimental results demonstrate its model performance, computation overhead, and communication overhead.
PaperID: 152,   
Authors:  Jian-Wei Li, Wen-Ze Shao, Yubao Sun, Li-Qian Wang, Qi Ge, Liang Xiao
Affiliations: Jiangsu Key Laboratory of Intelligent Information Processing and Communication Technology, School of Communications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; Engineering Research Center for Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Title: Boosting Adversarial Transferability via Relative Feature Importance-Aware Attacks
Abstract:
Modern deep neural networks are known to be highly vulnerable to adversarial examples. As a pioneering work, the fast gradient sign method (FGSM) has been shown to be more transferable in black-box attacks than its multi-small-step extension, i.e., iterative-FGSM, particularly when restricted to a limited number of iterations. This paper revisits their early, representative successor MI-FGSM as a baseline, i.e., iterative-FGSM with momentum, and introduces an innovative boosting idea different from either FGSM-inspired algorithms or other mainstream methods. For one thing, during gradient backpropagation of MI-FGSM, the proposed approach merely requires amending the chain rule with respect to adversarial images using the counterpart original images. For another, a credible analysis has revealed that such a naively boosted MI-FGSM essentially performs a special kind of intermediate-layer attack. Specifically, the notable finding in the paper is a new principle of adversarial transferability guided by the relative feature importance, emphasizing the significance of semantically non-critical information for the first time in the literature, although this information was originally thought to be largely weak. Experimental results on various leading victim models, both undefended and defended, demonstrate that the new approach incorporating robust gradients has indeed attained stronger adversarial transferability than state-of-the-art works. The code is available at: https://github.com/ljwooo/RFIA-main.
PaperID: 153,   
Authors:  Shuyi Li, Bob Zhang, Qinghua Hu
Affiliations: PAMI Research Group, Department of Computer and Information Science, University of Macau, Taipa, Macau, China; College of Intelligence and Computing, Tianjin University, Tianjin, China
Title: Dual-Cohesion Metric Learning for Few-Shot Hand-Based Multimodal Recognition
Abstract:
Hand-based multimodal biometrics has garnered significant attention in information security and identity authentication. However, prevalent multimodal recognition techniques often extract the discriminant features from different modalities separately, ignoring the structural consistency between various modalities of the same class. Moreover, these methods generally focus on specific scenarios, where recognition performance will be compromised when faced with different databases or multiple application scenarios. To solve these limitations, we present an innovative Dual-Cohesion Metric Learning (DCML) framework embedded in noise decomposition for few-shot hand multimodal biometrics. This approach comprehensively exploits multimodal features from both intra-modal and inter-modal structural consistency to improve its robustness across multiple applications. Specifically, DCML imposes a dual-cohesion mechanism to pull in the cross-modal distance of the same label and the within-class distance for each modality, while concurrently pushing away the between-class distance in the projected space. Furthermore, in the procedure of feature learning, the proposed DCML incorporates the low-rank constraint to mitigate the interference of noise in the raw data and enforces a sparsity constraint to extract more salient and compact features. Notably, our DCML can be flexibly extended to other multimodal biometrics. Extensive experimental results on six multimodal datasets demonstrate that our DCML outperforms the latest approaches in multiple multimodal recognition scenarios and has strong generalization ability even when the training samples are small.
PaperID: 154,   
Authors:  Yuanyuan Ma, Lige Xu, Qianqian Zhang, Yi Zhang, Xianwei Xin, Xiangyang Luo
Affiliations: College of Computer and Information Engineering, Henan Normal University, Xinxiang, China; Henan Province Key Laboratory of Cyberspace Situation Awareness, Information Engineering University, Zhengzhou, China
Title: EIS-OBEA: Enhanced Image Steganalysis via Opposition-Based Evolutionary Algorithm
Abstract:
Recent years have witnessed rapid progress in steganography, which poses challenges for steganalysis. However, previous steganalysis methods attach equal attention to all feature information, while key feature information for detection is routinely ignored, and the detection time-space cost is burdened consequently. To alleviate this predicament, this paper proposes an enhanced image steganalysis via opposition-based evolutionary algorithm (EIS-OBEA), which can guide steganalysis to pay more attention to key feature information and reduce detection time overhead. Specifically, an evolutionary algorithm is introduced into enhanced steganalysis. To elevate the searching ability for steganalysis key feature submodels, the Tent map is applied in enhanced steganalysis population initialization because of its great randomness. Secondly, considering that opposition-based learning can dynamically adjust the search space of the enhanced steganalysis population, opposition-based learning via a lens imaging strategy is proposed to help enhanced steganalysis escape from local optimal solutions. Then, to reasonably evaluate the detection contribution of steganalysis key feature submodels, the Pearson correlation coefficient for steganalysis is designed. On this basis, a fitness function is devised to select superior individuals and obtain steganalysis key feature submodels after iteration. It is noted that EIS-OBEA can optimize steganalysis training samples into quite small-size data, so that computational cost can be significantly reduced while maintaining or even improving detection accuracy. Extensive experimental results substantiate that, compared with the state-of-the-art peer algorithms, EIS-OBEA not only achieves highly competitive or even better detection performance, but also improves steganalysis time-space cost to a large extent.
PaperID: 155,   
Authors:  Andrey V. Galichin, Mikhail Pautov, Alexey Zhavoronkin, Oleg Y. Rogov, Ivan V. Oseledets
Affiliations: Artificial Intelligence Research Institute, Moscow, Russia; Sber, Moscow, Russia
Title: GLiRA: Closed-Box Membership Inference Attack via Knowledge Distillation
Abstract:
While Deep Neural Networks demonstrate remarkable performance in practical tasks, they are vulnerable to membership inference attacks aimed at identifying whether a certain object belongs to the training dataset. To conduct a membership inference attack on a target model, an adversary has to train a set of shadow models and conduct a statistical test to determine the membership status of the particular input object. Usually, shadow models are trained without taking into account the target model; we argue that utilizing the predictions of the target model can guide the training process of the shadow model. To improve the efficiency of shadow model-based membership inference attacks, we propose GLiRA, a knowledge distillation-guided approach to membership inference attacks. We observe that knowledge distillation significantly improves the efficiency of a likelihood ratio membership inference attack, whether the architecture of the target model is known or unknown to an attacker. We evaluate the proposed method across multiple image classification datasets and model architectures and demonstrate that the knowledge distillation-guided likelihood ratio attack outperforms the current state-of-the-art membership inference attacks in the majority of experimental settings.
PaperID: 156,   
Authors:  Miaomiao Tian, Chuang Gao, Long Chen, Hong Zhong, Jie Chen
Affiliations: School of Computer Science and Technology and Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei, China; School of Computer Science and Technology, Anhui University, Hefei, China; Institute of Software, Chinese Academy of Sciences, Beijing, China; Institute for Mathematics & AI, Wuhan University, Wuhan, China
Title: Proofs of Retrievability With Public Verifiability From Lattices
Abstract:
Proof of Retrievability (POR) is an important cryptographic primitive that has attracted considerable attention in the research community for its ability to enable users to audit the integrity of outsourced files on cloud servers without retrieving them. A POR scheme with public verifiability further enhances usability by allowing users to delegate the auditing task to a third party, making it highly desirable for a wide range of applications. However, most existing publicly verifiable POR schemes derive their security from the computational hardness of discrete logarithm or factoring, making them vulnerable to quantum attacks. Although it is possible to construct quantum-resistant POR schemes with public verifiability upon hash trees or general lattices, the resulting schemes often exhibit performance limitations when compared to existing constructions, thereby limiting their deployment in real-world applications. In this work, we address this gap by constructing a publicly verifiable POR scheme on structured lattices. We show that our scheme is provably secure in the random oracle model under the Ring-LWE and Ring-SIS assumptions. We provide an implementation of our scheme and the experimental results show that its performance is comparable to certain well-known constructions based on traditional assumptions.
PaperID: 157,   
Authors:  Kim Hammar, Tao Li, Rolf Stadler, Quanyan Zhu
Affiliations: Division of Network and Systems Engineering, KTH Royal Institute of Technology, Stockholm, Sweden; Department of Electrical and Computer Engineering, New York University, New York, NY, USA
Title: Adaptive Security Response Strategies Through Conjectural Online Learning
Abstract:
We study the problem of learning adaptive security response strategies for an IT infrastructure. We formulate the interaction between an attacker and a defender as a partially observed, non-stationary game. We relax the standard assumption that the game model is correctly specified and consider that each player has a probabilistic conjecture about the model, which may be misspecified in the sense that the true model has probability 0. This formulation allows us to capture uncertainty and misconception about the infrastructure and the intents of the players. To learn effective game strategies online, we design Conjectural Online Learning (COL), a novel method where a player iteratively adapts its conjecture using Bayesian learning and updates its strategy through rollout. We prove that the conjectures converge to best fits, and we provide a bound on the performance improvement that rollout enables with a conjectured model. To characterize the steady state of the game, we propose a variant of the Berk-Nash equilibrium. We present COL through an intrusion response use case. Testbed evaluations show that COL produces effective security strategies that adapt to a changing environment. We also find that COL enables faster convergence than current reinforcement learning techniques.
PaperID: 158,   
Authors:  Hang Yu, Jiahao Wen, Zhedong Zheng
Affiliations: School of Computer Engineering and Science, Shanghai University, Shanghai, China; Faculty of Science and Technology and the Institute of Collaborative Innovation, University of Macau, Macau, China
Title: CAMeL: Cross-Modality Adaptive Meta-Learning for Text-Based Person Retrieval
Abstract:
Text-based person retrieval aims to identify specific individuals within an image database using textual descriptions. Due to the high cost of annotation and privacy protection, researchers resort to synthesized data for the paradigm of pretraining and fine-tuning. However, these generated data often exhibit domain biases in both images and textual annotations, which largely compromise the scalability of the pre-trained model. Therefore, we introduce a domain-agnostic pretraining framework based on Cross-modality Adaptive Meta-Learning (CAMeL) to enhance the model generalization capability during pretraining to facilitate the subsequent downstream tasks. In particular, we develop a series of tasks that reflect the diversity and complexity of real-world scenarios, and introduce a dynamic error sample memory unit to memorize the history of errors encountered within multiple tasks. To further ensure multi-task adaptation, we also adopt an adaptive dual-speed update strategy, balancing fast adaptation to new tasks and slow weight updates for historical tasks. Albeit simple, our proposed model not only surpasses existing state-of-the-art methods on real-world benchmarks, including CUHK-PEDES, ICFG-PEDES, and RSTPReid, but also showcases robustness and scalability in handling biased synthetic images and noisy text annotations. Our code is available at https://github.com/Jahawn-Wen/CAMeL-reID.
PaperID: 159,   
Authors:  Shenhao Shi, Yan Wo
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, China
Title: Defending Against Model Inversion Attack via Feature Purification
Abstract:
The Model Inversion Attack (MIA) aims to reconstruct the private data used to train the target model, raising significant public concerns about the privacy of machine learning models. Therefore, proposing effective methods to defend against MIA has become crucial. The relationship between MIA and defense is a typical adversarial process. If the upper bound of the attacker’s capability can be estimated through theoretical analysis, a more robust defense method can be achieved by weakening this upper bound. To achieve this goal, we simplify MIA to a problem of reconstructing estimates, and analyze the lower bound of the reconstruction error obtained by the attacker, from which we infer the theoretical upper bound of the attacker’s capability, providing a foundation for designing the defense mechanism. We find that the lower bound of the reconstruction error is inversely proportional to the Fisher information. This means that smaller Fisher information can lead to a larger reconstruction error. If the attacker cannot obtain second-order information during the reconstruction estimation, the corresponding Fisher information will be reduced. Consequently, we propose a defense against model inversion attacks via feature purification (DMIAFP). To reduce the Fisher information, DMIAFP hides the private data contained within the features and its second-order information (the relationships between private data) by minimizing the first-order and second-order correlations between private data and output features. Additionally, we introduce Principal Inertia Components (PIC) for the correlation metric, and infer the theoretical upper bound of the attacker’s reconstruction ability through PIC, thereby avoiding the issue of poor defensive performance caused by data-driven instability in defense methods that are trained against adversarial inversion models. Experimental results show that our method achieves good performance in defense and exhibits significant advantages in removing redundant information contained in features.
PaperID: 160,   
Authors:  Niloufar Sayadi, Phuong Ha Nguyen, Marten van Dijk, Chenglu Jin
Affiliations: CWI Amsterdam, Amsterdam, The Netherlands; eBay, San Jose, CA, USA
Title: Breaking XOR Arbiter PUFs With Chosen Challenge Attack
Abstract:
The XOR Arbiter PUF was introduced as a strong PUF in 2007 and was broken in 2015 by a Machine Learning (ML) attack, which allows the underlying Arbiter PUFs to be modeled individually by exploiting reliability information of the measured responses. To mitigate the reliability-based attacks, state-of-the-art understanding shows that the reliability of individual Arbiter PUFs and the overall XOR Arbiter PUF can be boosted to an arbitrarily high level, thus rendering all known reliability-based ML attacks infeasible; alternatively, an access control interface around the XOR Arbiter PUF can prevent the same challenge-response pairs from being accessed repeatedly, thus eliminating the leakage of reliability information. We show that, for the first time, a perfectly reliable XOR Arbiter PUF can be successfully attacked in a divide-and-conquer manner, meaning each underlying Arbiter PUF in an XOR Arbiter PUF can be attacked individually. This allows us to attack large XOR Arbiter PUFs efficiently, even without reliability information or any side-channel information. Our key insight is that, instead of reliability information, the responses of highly correlated challenges also reveal how close the responses are to the response decision boundary. This leads to a chosen challenge attack on XOR Arbiter PUFs by carefully choosing correlated challenges to measure and aggregate the collected information. We validate our attack by using PUF simulation, as well as an XOR Arbiter PUF implemented on FPGA. We also demonstrate that our chosen challenge methodology is compatible with the state-of-the-art combined gradient-based multi-objective optimization attack. Finally, we discuss an effective countermeasure that can prevent our attack but with a relatively large area overhead compared to the PUF itself.
PaperID: 161,   
Authors:  Jie Yin, Yang Xiao, Qian Chen, Yong Zhi Lim, Xuefeng Liu, Qingqi Pei, Jianying Zhou
Affiliations: State Key Laboratory of Integrated Services Network, Xidian University, Xi’an, China; Department of Information Systems Technology and Design, Singapore University of Technology and Design, Tampines, Singapore; State Key Laboratory of Integrated Services Network and the Shaanxi Key Laboratory of Blockchain and Secure Computing, Xidian University, Xi’an, China
Title: DP-DID: A Dynamic and Proactive Decentralized Identity System
Abstract:
Decentralized identity (DID) is a transformative paradigm that leverages blockchain, decentralized identifiers and verifiable credentials (VCs) to enable self-sovereign and decentralized identity management with myriad application areas. However, existing DID implementations are confronted with two key challenges: insufficient decentralization and vulnerability to mobile adversary attacks. First, they paradoxically introduce central identity resolvers, intermediaries or static committees to manage critical identity services, key management or credential issuance, which violates the decentralized controlling aim against a single point of failure. Second, these systems are vulnerable to mobile adversaries who can gradually compromise multiple nodes or committee members over a long period, eventually seizing control of the system. In this paper, we propose DP-DID, the first dynamic and proactive decentralized identity system specifically designed to resist mobile adversary attacks in dynamic committee settings. To eliminate centralized authorities, DP-DID leverages blockchain, dynamic committees and BLS (Named after Boneh, Lynn, and Shacham) signatures, which achieves decentralization. In addition, we design a dynamic and batch proactive secret sharing (DBPSS) scheme for DP-DID to ensure proactive security against mobile adversary attacks. This is achieved by allowing at most t (threshold) committees to be corrupted per period, with the set of corrupted committees changing dynamically even if all players are eventually compromised. By incorporating DBPSS, DP-DID achieves efficient key management for multiple users in dynamic settings, enhancing overall system scalability. Through rigorous analysis, DP-DID is proven to be forward secure and secure against mobile adversary attacks under a widely adopted malicious model. Extensive experiments show that DP-DID has efficient performance, and our DBPSS scheme outperforms FaB-DPSS by over 11.67× in key handover efficiency.
PaperID: 162,   
Authors:  Yingzhe Hou, Yue Cao, Hu Xiong, Debiao He, Chi-Hung Chi, Kwok-Yan Lam
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Heterogeneous Parallel Key-Insulated Multi-Receiver Signcryption Scheme for IoV
Abstract:
The rapid growth of electric vehicle and autonomous vehicle populations has led to an explosive expansion of IoV data being transmitted over the wireless communication infrastructure. Advances in IoV technologies have also resulted in more complex and dynamic communication protocols/patterns, which are hard for the underlying wireless network to satisfy. Besides, security considerations of IoV communications require that key management must stringently prohibit a global failure mode, meaning that, if the private key of a single IoV node is compromised, it will not lead to total security failure of the entire IoV network. To address these issues, in this paper, we propose a heterogeneous parallel key-insulated multi-receiver signcryption scheme for IoV (HPKI-MRSC). Firstly, the proposed scheme can realize one-to-many heterogeneous transmission, in which RSUs are deployed in a certificateless cryptography (CLC) system, while vehicles are allocated to an identity-based cryptography (IBC) system. In this manner, we observe that message transmission efficiency is improved greatly. Secondly, the parallel key-insulated mechanism can employ two helper keys to update the private key periodically, and thus solve the key disclosure problem. Finally, when the number of receivers n is greater than or equal to 3, the proposed scheme has a lower signcryption overhead than other comparative schemes, and thus it is more suitable for IoV.
PaperID: 163,   
Authors:  Maximilian Egger, Rüdiger L. Urbanke, Rawad Bitar
Affiliations: School of Computation, Information and Technology, Technical University of Munich, Munich, Germany; School of Computer and Communication Sciences, École Polytechnique Fédérale de Lausanne, Lausanne, Switzerland
Title: Federated One-Shot Learning With Data Privacy and Objective-Hiding
Abstract:
Privacy in federated learning is crucial, encompassing two key aspects: safeguarding the privacy of clients’ data and maintaining the privacy of the federator’s objective from the clients. While the first aspect has been extensively studied, the second has received much less attention. We present a novel approach that addresses both concerns simultaneously, drawing inspiration from techniques in knowledge distillation and private information retrieval to provide strong information-theoretic privacy guarantees. Traditional private function computation methods could be used here; however, they are typically limited to linear or polynomial functions. To overcome these constraints, our approach unfolds in three stages. In stage 0, clients perform the necessary computations locally. In stage 1, these results are shared among the clients, and in stage 2, the federator retrieves its desired objective without compromising the privacy of the clients’ data. The crux of the method is a carefully designed protocol that combines secret-sharing-based multi-party computation and a graph-based private information retrieval scheme. We show that our method outperforms existing tools from the literature when properly adapted to this setting.
PaperID: 164,   
Authors:  Zhen Yang, Yufei Luo, Jinshuai Yang, Xin Xu, Ru Zhang, Yongfeng Huang
Affiliations: School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; Department of Electronic Engineering, Tsinghua University, Beijing, China
Title: Class-Aware Adversarial Unsupervised Domain Adaptation for Linguistic Steganalysis
Abstract:
Recent advancements in deep learning have significantly improved linguistic steganalysis, but challenges persist when labeled samples are scarce in the target domain. Existing cross-domain linguistic steganalysis methods seek to improve model generalization by minimizing the domain discrepancy between the source and target domains. However, these steganalysis methods often struggle with incorrect alignment between stego and cover texts in both domains, which hampers the generalization of steganalysis models. Additionally, they struggle to capture domain-specific features of the target domain, reducing the effectiveness of steganalysis models in discriminating stego texts. To address these issues, we propose a novel Class-aware Adversarial unsupervised Domain Adaptation (CADA) method, which operates in two stages. In the first stage, Class-aware Adversarial Pre-Training (CAPT), we design the Weighted Class-Aware Domain Distance (WCADD) to leverage class information of stego and cover texts. This ensures accurate class-aware alignment across domains. In the CAPT stage, the steganalysis model is pre-trained with WCADD, Class-Aware Adversarial Training (CAAT), and Class-Aware Label Smoothing (CALS) to enhance its ability to extract domain-invariant features, thereby improving its generalization. In the second stage, Class-aware Fine-Tuning (CFT), we employ the pre-trained steganalysis model alongside the Class-Aware Progressive Strategy (CAPS) to generate pseudo-labels for the target domain. Fine-tuning the model with these pseudo-labels enhances its ability to recognize domain-specific features, thereby improving its performance in discriminating stego texts within the target domain. Extensive experiments demonstrate that our proposed method outperforms the existing baseline methods.
PaperID: 165,   
Authors:  Yukang Zhang, Hanzi Wang, Yang Lu, Yan Yan, Xuelong Li
Affiliations: Fujian Key Laboratory of Sensing and Computing for Smart City, School of Informatics, and the Key Laboratory of Multimedia Trusted Perception and Efficient Computing, Ministry of Education of China, Xiamen University, Xiamen, China; Institute of Artificial Intelligence (TeleAI), Beijing, China
Title: Frequency Domain Nuances Mining for Visible-Infrared Person Re-Identification
Abstract:
This paper focuses on the visible-infrared person re-identification (VIReID) task, which is essential for information forensics and security as it enables accurate person re-identification across low-light or nighttime conditions. The primary challenge in the VIReID task is to reduce the modality discrepancy between visible and infrared images. Current methods mainly utilize the spatial information, often neglecting the discriminative potential of frequency information. To address this issue, this paper aims to mitigate the modality discrepancy from a frequency domain perspective. Specifically, we propose a novel Frequency Domain Nuances Mining (FDNM) method, which mainly includes a Salience-guided Phase Enhancement (SPE) module and an Amplitude Nuances Mining (ANM) module, to effectively explore the cross-modality frequency domain information. These two modules are mutually beneficial to jointly explore frequency-domain visible-infrared nuances, thereby significantly reducing the modality discrepancy in the frequency domain. Additionally, we propose a Center-guided Nuances Mining (CNM) loss to ensure that the ANM module retains discriminative identity information while discovering diverse cross-modality nuances. Extensive experiments show that the proposed FDNM has significant advantages in improving the performance of VIReID. For instance, our method respectively outperforms the second-best method by 5.2% in Rank-1 accuracy and 5.8% in mAP on the SYSU-MM01 dataset under the indoor search mode. Furthermore, we also demonstrate the effectiveness and generalization of the proposed FDNM method in the challenging visible-infrared face recognition task.
PaperID: 166,   
Authors:  Lvpan Cai, Haowei Wang, Jiayi Ji, Xiaoshuai Sun, Liujuan Cao, Rongrong Ji
Affiliations: Key Laboratory of Multimedia Trusted Perception and Efficient Computing, Ministry of Education of China, Xiamen University, Xiamen, China
Title: ME-FAS: Multimodal Text Enhancement for Cross-Domain Face Anti-Spoofing
Abstract:
The focus of Face Anti-Spoofing (FAS) is shifting toward improving generalization performance in unseen scenarios. Traditional methods employing adversarial learning and meta-learning aim to extract or decouple generalizable features to address these challenges. However, enhancing performance solely through facial features remains challenging without additional informative inputs. To address this, Vision-Language Models (VLMs) with robust generalization capabilities have recently been introduced to FAS. Despite their potential, these VLMs typically adopt a late alignment strategy, relying only on encoder output features for modality alignment, which largely neglects mutual guidance between modalities. To bridge this gap, inspired by recent advancements in prompt learning, we employ learnable prompts and masking as intermediaries to enhance interaction between text and visual modalities, enabling the extraction of more generalizable features. Specifically, we propose ME-FAS, a Modality-Enhanced cross-domain FAS model integrating Prompt Fusion Transfer (PFT) and Text-guided Image Masking (TIM). PFT facilitates the integration of text features with visual information, improving domain adaptability in alignment with the textual context. Meanwhile, TIM leverages text features to mask image patches, directing visual features toward critical generalizable facial information, such as the eyes and mouth. Comprehensive evaluations across multiple benchmarks and various visualizations demonstrate significant performance gains, validating the effectiveness of our proposed approach. Our code and models are available at https://github.com/clpbc/ME-FAS.
PaperID: 167,   
Authors:  Shuai You, Cuiqun Chen, Yujian Feng, Hai Liu, Yimu Ji, Mang Ye
Affiliations: School of Internet of Things, Nanjing University of Posts and Telecommunications (NJUPT), Nanjing, China; School of Computer Science and Technology, Anhui University, Hefei, China; School of Computer Engineering, Jiangsu University of Technology, Changzhou, China; School of Computer, South China Normal University, Guangzhou, Guangdong, China; School of Computer Science, NJUPT, Nanjing, China; National Engineering Research Center for Multimedia Software, Hubei Key Laboratory of Multimedia and Network Communication Engineering, Institute of Artificial Intelligence, School of Computer Science, Wuhan University, Wuhan, China
Title: Diverse Co-Saliency Feature Learning for Text-Based Person Retrieval
Abstract:
Text-based Person Retrieval (TPR) plays a pivotal role in video surveillance systems for safeguarding public safety. As a fine-grained retrieval task, TPR faces the significant challenge of precisely capturing highly discriminative features across image and text modalities. Existing methods primarily focus on establishing modality-shared feature spaces to bridge cross-modal discrepancies. However, these methods are prone to disturbances from irrelevant information, such as background noise in the visual modality, and often over-emphasize specific local regions while neglecting the capture of diverse discriminative modal features, thereby limiting the robustness of cross-modal matching. In this paper, we introduce a novel framework, termed the Diverse Co-saliency Feature Learning Network (DCFL), which mines the co-saliency information between image and text modalities and enhances the diversity of cross-modal discriminative features while mitigating the interference of noise. Specifically, to construct cross-modal co-saliency features, we devise the Intra-modal Saliency Feature Learning (ISFL) and Cross-modal Saliency Feature Matching (CSFM) modules. ISFL employs a weighted mask mechanism to guide the model in reducing the impact of noise information in both modalities. Complementing ISFL, CSFM establishes consistent relationships between saliency features across modalities, leveraging text descriptions to align pedestrian-relevant visual regions. Furthermore, we propose the Diverse Co-saliency Feature Mining (DCFM) module to bolster the diversity of discriminative co-saliency features across both image and text modalities. This module integrates a diversity regularization term, enabling the extraction of varied visual cues and capturing comprehensive features of the target individual. Extensive benchmark experiments demonstrate a substantial superiority of our approach over the state-of-the-art methods. Our code is available at https://github.com/ysh-strive/DCFL.
PaperID: 168,   
Authors:  Shengnan Zhao, Shimeng Lu, Yu Meng, Chuan Zhao, Shan Jing, Zhenxiang Chen, Qiuliang Xu
Affiliations: Quan Cheng Laboratory, Jinan, China; Shandong Key Laboratory of Ubiquitous Intelligent Computing, University of Jinan, Jinan, China; School of Software, Shandong University, Jinan, China
Title: Multi-Party Private Set Intersection With One-Round Online Interaction
Abstract:
Multi-party private set intersection (PSI) enables multiple parties to compute the common items of private sets without disclosing any other information beyond the result; thus, it has gained significant importance in various distributed computation scenarios. As the number of participants increases, the performance of multi-party PSI protocols is significantly influenced, primarily by the number of interaction rounds needed. In this study, we propose two novel multi-party PSI protocols: the first one is 1MPSI, and the second is 2MPSI. The 1MPSI appears as a wheel structure where the parties need only one round of interactive communication online. 1MPSI is based on the Ring version of Oblivious Linear-function Evaluation (OLE). Benefiting from the wheel structure, 1MPSI supports parallel computation and achieves competitive efficiency between the leader and the other participants (OLE receivers) after input-independent precomputation. The 2MPSI adopts a dual-core star structure and introduces Oblivious Key-Value Store (OKVS), which results in better performance when handling larger set sizes and more participants. Our protocols are designed with simplicity and ease of implementation in mind. Experimental evaluations demonstrate the superiority of our protocols over current open-source multi-party PSI protocols as the set size increases from 2^12 to 2^20 when involving 10 and 16 parties. In a test with 16 parties each inputting 2^20 elements, 2MPSI achieves a runtime of only 65 seconds.
PaperID: 169,   
Authors:  Decheng Liu, Tao Chen, Chunlei Peng, Nannan Wang, Ruimin Hu, Xinbo Gao
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Electronic Engineering, Xidian University, Xi’an, Shaanxi, China
Title: Improving Adversarial Robustness via Decoupled Visual Representation Masking
Abstract:
Deep neural networks are proven to be vulnerable to finely designed adversarial examples, and adversarial defense algorithms draw more and more attention nowadays. Pre-processing based defense is a major strategy, and learning robust feature representation has also been proven an effective way to boost generalization. However, existing defense works lack consideration of different depth-level visual features in the training process. In this paper, we first highlight two novel properties of robust features from the feature distribution perspective: 1) Diversity (robust features within the same class should maintain appropriate variety). 2) Discriminability (robust features from different classes should be sufficiently separated). We find that state-of-the-art defense methods aim to address both of these mentioned issues well. It motivates us to increase intra-class variance and decrease inter-class discrepancy simultaneously in adversarial training. Specifically, we propose a simple but effective defense based on decoupled visual representation masking. The designed Decoupled Visual Feature Masking (DFM) block can adaptively disentangle visual discriminative features and non-visual features with diverse mask strategies, while the suitable discarding of information can disrupt adversarial noise to improve robustness. Our work provides a generic and easy-to-plugin block unit for any former adversarial training algorithm to achieve better protection integrally. Extensive experimental results prove that the proposed method can achieve superior performance compared with state-of-the-art defense approaches. The code is publicly available at https://github.com/chenboluo/Adversarial-defense
PaperID: 170,   
Authors:  Pengcheng Zhou, Zhengyang Fang, Zhongliang Yang, Zhili Zhou, Linna Zhou
Affiliations: International School, Beijing University of Posts and Telecommunications, Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; School of Artificial Intelligence, Guangzhou University, Guangzhou, China
Title: Efficient Streaming Voice Steganalysis in Challenging Detection Scenarios
Abstract:
In recent years, there has been an increasing number of information hiding techniques based on network streaming media, focusing on how to covertly and efficiently embed secret information into real-time transmitted network media signals to achieve concealed communication. The misuse of these techniques can lead to significant security risks, such as the spread of malicious code, commands, and viruses. Current steganalysis methods for network voice streams face two major challenges: efficient detection under low embedding rates and short duration conditions. These challenges arise because, with low embedding rates (e.g., as low as 10%) and short transmission durations (e.g., only 0.1s), detection models struggle to acquire sufficiently rich sample features, making effective steganalysis difficult. To address these challenges, this paper introduces a Dual-View VoIP Steganalysis Framework (DVSF). The framework first randomly obfuscates parts of the native steganographic descriptors in VoIP stream segments, making the steganographic features of hard-to-detect samples more pronounced and easier to learn. It then captures fine-grained local features related to steganography, building on the global features of VoIP. Specially constructed VoIP segment triplets further adjust the feature distances within the model. Ultimately, this method effectively addresses the detection difficulty in VoIP. Extensive experiments demonstrate that our method significantly improves the accuracy of streaming voice steganalysis in these challenging detection scenarios, surpassing existing state-of-the-art methods and offering superior near-real-time performance.
PaperID: 171,   
Authors:  Guang Li, Yangtian Mi, Jieying Zhou, Xianghan Zheng, Weigang Wu
Affiliations: School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Fujian Key Laboratory of Network Computing and Intelligent Information Processing, Fuzhou University, Fuzhou, China
Title: Group-Based Detection of Cryptocurrency Laundering Using Multi-Persona Analysis
Abstract:
Money laundering using cryptocurrency poses significant threats to the blockchain ecosystem. Due to the decentralized and anonymous nature of cryptocurrencies, detecting such laundering activities is difficult. Although substantial research has been conducted, almost all existing methods detect cryptocurrency laundering from an individual perspective, ignoring the fact that money laundering is typically a group behavior. Group information should be very helpful in laundering behavior analysis, but such laundering groups are hard to recognize due to the anonymity and diversity of purposes of cryptocurrency transactions. To address this challenge, we design a multi-persona grouping algorithm that can effectively group accounts into persona subgraphs. Then, we extract two subgraph features, cycle basis number and cycle overlapping ratio, and build an unsupervised model to evaluate the laundering score of each subgraph. Extensive experiments on both synthetic and real-world datasets demonstrate that, compared with existing methods, our proposed method can improve detection accuracy by 17.4 percentage points on average. To the best of our knowledge, this is the first work on group-based detection of cryptocurrency laundering.
PaperID: 172,   
Authors:  Fengpeng Li, Kemou Li, Haiwei Wu, Jinyu Tian, Jiantao Zhou
Affiliations: Department of Computer and Information Science, Faculty of Science and Technology, State Key Laboratory of Internet of Things for Smart City, University of Macau, Taipa, Macau, China; School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Computer Science and Engineering, Macau University of Science and Technology, Taipa, Macau, China
Title: Toward Robust Learning via Core Feature-Aware Adversarial Training
Abstract:
Deep neural networks (DNNs) are inherently vulnerable to adversarial examples (AEs), severely deteriorating model performance on various tasks. Adversarial training (AT) is one of the most effective approaches to enhance model robustness by incorporating AEs into the training process. Notwithstanding the efficacy of AT, recent studies have unveiled that adversarial perturbations on AEs predominantly impact core features—essential for accurate predictions—more than spurious features, which are incidentally aligned with training labels but irrelevant to the model’s classification. This unequal impact induces the models trained with AT to excessively rely on spurious features, resulting in a pronounced feature shift that compromises robustness and generalization against AEs at inference. In this work, we introduce a novel Core Feature-aware Adversarial Training (CoFAT) framework to cope with these challenges. CoFAT employs core feature extraction to dynamically generate core partners by selectively retaining benign sample regions on feature maps with high weight while masking low-weight ones, thereby ensuring the model focuses on core features. Furthermore, contrastive feature alignment is proposed to reduce intra-class feature distances and increase inter-class separability by maintaining a center bank of class feature representations, thus mitigating reliance on spurious features. Compared to state-of-the-art AT methods, CoFAT demonstrates superior performance against diverse adversarial attacks. Remarkably, CoFAT improves the robustness of ResNet-18 against AutoAttack on CIFAR-10, SVHN, CIFAR-100, and Tiny ImageNet by approximately 2.14%, 3.20%, 1.69%, and 1.86%, respectively, embodying significant advancements in AT. Our code is publicly available at https://github.com/Feng-peng-Li/CoFAT
PaperID: 173,   
Authors:  Linshan Hou, Wei Luo, Zhongyun Hua, Songhua Chen, Leo Yu Zhang, Yiming Li
Affiliations: School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; School of Information Technology, Deakin University, Geelong, VIC, Australia; Hangzhou Alibaba Overseas Digital Commerce Company Ltd, Hangzhou, Zhejiang, China; School of Information and Communication Technology, Griffith University, Gold Coast, QLD, Australia; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: FLARE: Toward Universal Dataset Purification Against Backdoor Attacks
Abstract:
Deep neural networks (DNNs) are susceptible to backdoor attacks, where adversaries poison datasets with adversary-specified triggers to implant hidden backdoors, enabling malicious manipulation of model predictions. Dataset purification serves as a proactive defense by removing malicious training samples to prevent backdoor injection at its source. We first reveal that the current advanced purification methods rely on a latent assumption that the backdoor connections between triggers and target labels in backdoor attacks are simpler to learn than the benign features. We demonstrate that this assumption, however, does not always hold, especially in all-to-all (A2A) and untargeted (UT) attacks. As a result, purification methods that analyze the separation between the poisoned and benign samples in the input-output space or the final hidden layer space are less effective. We observe that this separability is not confined to a single layer but varies across different hidden layers. Motivated by this understanding, we propose FLARE, a universal purification method to counter various backdoor attacks. FLARE aggregates abnormal activations from all hidden layers to construct representations for clustering. To enhance separation, FLARE develops an adaptive subspace selection algorithm to isolate the optimal space for dividing an entire dataset into two clusters. FLARE assesses the stability of each cluster and identifies the cluster with higher stability as poisoned. Extensive evaluations on benchmark datasets demonstrate the effectiveness of FLARE against 22 representative backdoor attacks, including all-to-one (A2O), all-to-all (A2A), and untargeted (UT) attacks, and its robustness to adaptive attacks. Codes are available at BackdoorBox and backdoor-toolbox.
PaperID: 174,   
Authors:  Ruiteng Zhang, Jianguo Wei, Xugang Lu, Lin Zhang, Di Jin, Junhai Xu, Wenhuan Lu
Affiliations: College of Intelligence and Computing, Tianjin University, Tianjin, China; National Institute of Information and Communications Technology, Kyoto, Japan; Faculty of Information Technology, Brno University of Technology, Brno, Czechia
Title: SHDA: Sinkhorn Domain Attention for Cross-Domain Audio Anti-Spoofing
Abstract:
Audio anti-spoofing algorithms struggle with fake samples from unseen spoofing techniques, even when trained with diverse data sets or data augmentation strategies. Unsupervised domain adaptation (UDA) algorithms have the potential to mitigate this challenge. Typically, UDA assumes that the source and target domains are distinct distributions with clear boundaries and seeks to align model representations between them. However, in anti-spoofing, various spoofing algorithms could cause the distributions of the generated samples to overlap, resulting in unclear domain boundaries. This hinders UDA algorithms from effectively measuring and aligning domain discrepancies. Moreover, forcibly aligning samples with significant discrepancies could diminish the model’s discriminative capability. To solve this problem, we propose a domain attention algorithm with optimal transport (OT), termed Sinkhorn Domain Attention (SHDA). Unlike traditional attention mechanisms, SHDA identifies the optimal transfer plan by analyzing the global probability differences among cross-domain samples. Specifically, we first extract audio representations from various domains to compute the overall cost matrix between the source and target domains. Next, we employ Sinkhorn’s iteration to calculate the OT coupling matrix, where cross-domain samples with minor differences receive higher transfer weights, while those with substantial differences receive lower weights. Finally, we use the coupling and cost matrices to compute the adaptation loss, effectively transferring the anti-spoofing model from multiple sources to the target domain. We conducted eight cross-domain experiments using eleven well-known anti-spoofing corpora. The results indicate that our label-free SHDA surpassed the state-of-the-art model by 40%.
PaperID: 175,   
Authors:  Li Bai, Xinwei Zhang, Sen Zhang, Qingqing Ye, Haibo Hu
Affiliations: Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hong Kong
Title: ProVFL: Property Inference Attacks Against Vertical Federated Learning
Abstract:
Recent studies show that privacy leakages may occur in vertical federated learning (VFL), where parties hold split features of the same samples. While various attacks, including label and feature inference, focus on record-level privacy risks in VFL, few studies delve into the distribution-level privacy threat. In this paper, we explore property inference attacks (PIAs) in VFL, where an adversarial party seeks to deduce global distribution information about a target property in the victim party’s training set. Our key observation is that the L_p-norm distribution of intermediate results in VFL could reflect the fraction of the target property in a training set. Inspired by this, we present ProVFL, a novel PIA framework involving distribution comparison and correlation augmentation modules. To achieve property inference, we design a distribution comparison module by creating various intermediate-result populations with different proportions, aiming to learn the relationship between L_p-norm distributions and their fractions. Then, we theoretically analyze the factors that contribute to the attack effectiveness and develop a correlation augmentation module based on label replacement and model refinement to amplify property information leakage. Extensive experimental results demonstrate that our attacks can achieve inference with estimation errors as low as 1%. This poses the immediate threat of property information leakage from private training data in the VFL setting.
PaperID: 176,   
Authors:  Fangyuan Sun, Jia Yu, Jiankun Hu
Affiliations: College of Computer Science and Technology, Qingdao University, Qingdao, China; Cyber Security Laboratory, School of Engineering and IT, Australian Defence Force Academy, University of New South Wales, Canberra, ACT, Australia
Title: Privacy-Preserving Closest Similar Community Search on Attributed Graphs
Abstract:
Community search on attributed graphs has gained significant attention in recent years for its ability to provide meaningful and personalized results. Given a query community, a similar community search aims to identify the communities that are similar in structural and attributed characteristics to the query community. As real-world networks continue to grow in complexity and size, outsourcing graph data and search tasks to cloud servers not only saves local storage space but also significantly enhances search efficiency. Nonetheless, this inevitably raises concerns about data privacy since cloud servers are not completely trustworthy. In this paper, we study privacy-preserving similar community search on graphs. We propose a privacy-preserving closest similar community search scheme for attributed graphs that leverages cloud servers to enhance search efficiency while safeguarding the sensitive information in the graph. We consider packaging communities using center vertices to evaluate relationships across communities without accessing details within the communities. To achieve this, we design a centrality score function that integrates attribute contribution and closeness centrality to identify the center vertex of a community. To ensure the security of sensitive information in the attribute graph, we construct three secure indexes for the original graph utilizing diverse cryptographic primitives. By searching secure indexes, cloud servers can answer the closest similar community searches without possessing any sensitive information about the attribute graph. We employ the Paillier homomorphic cryptosystem and related protocols to support efficient and secure evaluation of the distance and similarity between two communities on secure indexes. The security analysis confirms that the proposed scheme is secure against adaptive chosen-query attacks, so as to achieve CQA2-security, and experimental results demonstrate the efficiency of the proposed scheme.
PaperID: 177,   
Authors:  Hao Yang, Jing Chen, Kewen Pan, Kun He, Meng Jia, Ruiying Du
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Volia: An Efficient and Light Asynchronous BFT Protocol
Abstract:
Byzantine Fault Tolerance (BFT) protocols can be divided into synchronous BFT protocols, partially synchronous BFT protocols, and asynchronous BFT protocols according to communication delay. Asynchronous BFT protocols are widely used because they can tolerate uncertain communication delays in the real world. However, asynchronous BFT protocols need to perform many rounds of broadcasts to reach agreement on a transaction subset, which consumes a lot of communication, computing, and storage resources. In this paper, we present Volia, an asynchronous BFT protocol which resolves the above problem. We design a new broadcast protocol to reduce the number of broadcast rounds needed for agreement. It reduces the communication overhead. Voting broadcast is used to maintain the order of transaction subsets rather than threshold signatures to reduce computation cost. The above mechanisms speed up the agreement phase, reduce the accumulated transaction subsets waiting for agreement, and thus save storage resources. We conduct experiments on Volia and the results show that Volia exhibits about 2~65× throughput, 2~25% latency, and 30% storage cost compared to other asynchronous BFT protocols.
PaperID: 178,   
Authors:  Rui Zhang, Jian Wang, Nan Jiang, Md. Armanuzzaman, Ziming Zhao
Affiliations: Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, China; College of Computer Science, Beijing University of Technology, Beijing, China; Northeastern University, Boston, MA, USA
Title: Efficient and Secure Multi-Qubit Broadcast-Based Quantum Federated Learning
Abstract:
Quantum Federated Learning (QFL) has emerged as a promising research direction by combining the strengths of quantum computing and federated learning. However, existing QFL solutions have consistently failed to simultaneously improve client training efficiency and ensure communication security. In this paper, we present a novel Multi-qubit Broadcast-based QFL framework (MB-QFL) to address the efficiency and security challenges of existing approaches. The framework employs a novel multi-qubit broadcast protocol and a quantum average method to secure the information transmission process. The multi-qubit broadcast protocol overcomes the limitations of existing protocols by allowing the transmission of an arbitrary S-qubit state from one sender to multiple (Q) receivers, whereas earlier protocols were restricted to broadcasting one- or two-qubit states to recipients. Additionally, we propose an averaging method for quantum states, which exploits the probabilistic cloning technique to achieve aggregation in MB-QFL. The security analysis demonstrates that MB-QFL can effectively protect against inference attacks from malicious clients, as well as eavesdropping and intercept-and-resend attacks during communication. The algorithm complexity of MB-QFL is significantly lower than that of existing QFLs. Besides, the experimental results indicate that MB-QFL achieves higher classification accuracy than other QFLs.
PaperID: 179,   
Authors:  Songze Li, Jiaxiang Tang, Jinbao Zhu, Kai Zhang, Lichao Sun, Changyu Dong
Affiliations: School of Cyber Science and Engineering and the Engineering Research Center of Blockchain Application, Supervision and Management, Ministry of Education, Southeast University, Nanjing, China; Division of Emerging Interdisciplinary Areas, Hong Kong University of Science and Technology, Hong Kong, SAR, China; Information Coding and Transmission Key Laboratory of Sichuan Province, CSNMT International Cooperation Research Centre (MoST), Southwest Jiaotong University, Chengdu, China; Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA, USA; Institute of AI and Blockchain, Guangzhou University, Guangzhou, China
Title: Secure Embedding Aggregation for Cross-Silo Federated Representation Learning
Abstract:
Representation learning plays a pivotal role in modern applications by enabling high-quality embeddings that support various downstream tasks such as recommendation, clustering, and personalized services. In federated representation learning (FRL), a central server collaborates with N clients, each holding private data, to jointly learn representations of entities (e.g., users in a social network). However, existing embedding aggregation protocols often fall short in either ensuring privacy protections or fully leveraging aggregation opportunities, leaving sensitive data exposed or vulnerable to collusion. To address these challenges, we propose SecEA, a secure embedding aggregation protocol that fully exploits all potential aggregation opportunities across all entities among clients while providing provable privacy guarantees. SecEA defends both local entities and their embeddings—ensuring computational security against a curious server and statistical privacy against up to T < N/2 colluding clients. Comprehensive experiments on various representation learning tasks in cross-silo scenarios demonstrate that SecEA incurs a negligible performance loss (within 5%) compared to protocols with weaker or no privacy guarantees, and its additional computational latency significantly diminishes when training deeper models on larger datasets. A parallel mechanism is also included, which helps further improve the efficiency linearly. These results underscore that SecEA not only provides full privacy protections for both entity and embedding, but also preserves the utility of the learned representations.
PaperID: 180,   
Authors:  Dongliang Zhu, Chi Zhang, Ruimin Hu, Mei Wang, Liang Liao, Mang Ye
Affiliations: National Engineering Research Center for Multimedia Software, School of Computer Science, Wuhan University, Wuhan, China; Cyberspace Security Laboratory, School of Network and Information Security, Xidian University, Xi’an, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, China
Title: Detecting Deceptive Behavior via Learning Relation-Aware Visual Representations
Abstract:
With the rapid development and widespread adoption of digital media, deceptive behaviors have raised numerous ethical and security issues, making the research and advancement of deception detection technology particularly important. Most previous automated deception detection methods primarily focus on facial information in a visual context. However, from a psychological perspective, deceptive behavior extends beyond mere changes in facial expressions; it can also manifest through limb behaviors and subtle incoordination among body components. Motivated by this inconsistency, this paper attempts to model body behaviors and their relationships for deception detection. It is worth noting that some mainstream video understanding methods can roughly model head and limb information, but their holistic video input approach is easily affected by background interference. This limits their ability to focus on key body regions and subtle motion cues that reflect deception, thereby restricting detection performance. To address the above challenges, this paper proposes a Dynamic Learning Framework leveraging Body Part Relationship-Aware Modeling (DLF-BRAM). Within this framework, we segment and model the head and limb regions to reduce irrelevant background interference and enhance the accuracy of feature learning. The framework includes two main components: the Head-Limb Relationship-Aware Representation (HLRAR) module and the Dynamic Assessment Learning Strategy (DALS). The HLRAR module reveals the spatiotemporal relationship of the head, limbs, and their interactions, and learns deep feature representations for each cue, thereby highlighting the uniqueness of these cues. DALS evaluates the learning effectiveness of the three spatiotemporal relationships during training and dynamically adjusts their learning weights, preventing dominance by any single branch and promoting balanced learning. Extensive benchmark and ablation experiments demonstrate that our method outperforms most existing approaches, verifying its effectiveness.
PaperID: 181,   
Authors:  Zonghao Ying, Aishan Liu, Tianyuan Zhang, Zhengmin Yu, Siyuan Liang, Xianglong Liu, Dacheng Tao
Affiliations: SKLCCSE, School of Artificial Intelligence, Beihang University, Beijing, China; SKLCCSE, School of Computer Science and Engineering, Beihang University, Beijing, China; School of Computer Science, Fudan University, Shanghai, China; School of Computing, National University of Singapore, Queenstown, Singapore; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Jailbreak Vision Language Models via Bi-Modal Adversarial Prompt
Abstract:
In the realm of large vision language models (LVLMs), jailbreak attacks serve as a red-teaming approach to bypass guardrails and uncover safety implications. Existing jailbreaks predominantly focus on the visual modality, perturbing solely visual inputs in the prompt for attacks. However, they fall short when confronted with aligned models that fuse visual and textual features simultaneously for generation. To address this limitation, this paper introduces the Bi-Modal Adversarial Prompt Attack (BAP), which executes jailbreaks by optimizing textual and visual prompts cohesively. Initially, we adversarially embed universally adversarial perturbations in an image, guided by a few-shot query-agnostic corpus (e.g., affirmative prefixes and negative inhibitions). This process ensures that the adversarial image prompts LVLMs to respond positively to harmful queries. Subsequently, leveraging the image, we optimize textual prompts with specific harmful intent. In particular, we utilize a large language model to analyze jailbreak failures and employ chain-of-thought reasoning to refine textual prompts in a feedback-iteration manner. To validate the efficacy of our approach, we conducted extensive evaluations on various datasets and LVLMs, demonstrating that our BAP significantly outperforms other methods by large margins (+29.03% in attack success rate on average). Additionally, we showcase the potential of our attacks on black-box commercial LVLMs, such as GPT-4o and Gemini. Our code is available at https://anonymous.4open.science/r/BAP-Jailbreak-Vision-Language-Models-via-Bi-Modal-Adversarial-Prompt-5496
PaperID: 182,   
Authors:  Mohammed Jubur, Christopher Robert Price, Maliheh Shirvanian, Nitesh Saxena, Stanislaw Jarecki, Hugo Krawczyk
Affiliations: College of Engineering and Computer Science, Jazan University, Jazan, Saudi Arabia; Department of Computer Science, University of California at Irvine, Irvine, CA, USA; Netflix Inc., Los Gatos, CA, USA; Department of Computer Science and Engineering, Texas A&M University, College Station, TX, USA; Amazon Web Services, New York, NY, USA
Title: Building and Testing a Hidden-Password Online Password Manager
Abstract:
The most commonly adopted password management technique is to store web account passwords in a password manager and lock them using a master password. However, current online password managers do not hide the account passwords or the master password from the password manager itself, which highlights their real-world vulnerability and the lack of user confidence in the face of malicious insiders and outsiders that compromise the password management service, especially given its online nature. We attempt to address this crucial vulnerability in the design of online password managers by proposing a cloud-based password manager that does not learn or store master passwords and account passwords. We introduce the protocol design and report on a full implementation of the system. Our implementation provides several security features, including enforcement of a unique and secure password for each service, robustness to online password guessing attacks against the password manager and the web service, robustness to password dictionary attacks upon compromise of the password manager and the web service, and security against phishing attacks. Furthermore, to assess users’ perceptions of the security and usability of our password manager, we conducted a lab-based study. The findings from the study suggest that our system is close to being practical for everyday use and is viewed by users as both usable and more secure/trustworthy.
PaperID: 183,   
Authors:  Wenhao Li, Qiang Wang, Huaifeng Bao, Xiaoyu Zhang, Lingyun Ying, Zhaoxuan Li, Huamin Jin, Shuai Wang
Affiliations: Research Institute, China Telecom Company Ltd., Guangzhou, China; Chinese Academy of Sciences (CAS), Institute of Information Engineering, Beijing, China; Tencent Technology Company Ltd., Shenzhen, China; QI-ANXIN Technology Research Institute, Beijing, China
Title: Magnifier: Detecting Network Access via Lightweight Traffic-Based Fingerprints
Abstract:
Network access detection plays a crucial role in global network management, enabling efficient network monitoring and topology measurement by identifying unauthorized network access and gathering detailed information about mobile devices. Existing methods for endpoint-based detection primarily rely on deploying monitoring software to recognize network connections. However, the challenges associated with developing and maintaining such systems have limited their universality and coverage in practical deployments, especially given the cost implications of covering a wide array of devices with heterogeneous operating systems. To tackle the issues, we propose Magnifier for mobile device network access detection that, for the first time, passively infers access patterns from backbone traffic at the gateway level. Magnifier’s foundation is the creation of device-specific access patterns using the innovative Domain Name Forest (dnForest) fingerprints. We then employ a two-stage distillation algorithm to fine-tune the weights of individual Domain Name Trees (dnTree) within each dnForest, emphasizing the unique device fingerprints. With these meticulously crafted fingerprints, Magnifier efficiently infers network access from backbone traffic using a lightweight fingerprint matching algorithm. Our experimental results, conducted in real-world scenarios, demonstrate that Magnifier exhibits exceptional universality and coverage in both initial and repetitive network access detection in real-time. To facilitate further research, we have thoughtfully curated the NetCess2025 dataset, comprising network access data from 42 different models across 9 brands, covering the majority of mainstream mobile devices. We have also made both the Magnifier prototype and the NetCess2025 dataset publicly available (https://github.com/SecTeamPolaris/Magnifier).
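The abstract describes device fingerprints built from trees of the domain names a device resolves when it joins a network, with tree weights tuned so that domains peculiar to one device model dominate. The following Python is an added illustration of that idea, not code from the Magnifier project: it stores each model's domains root-first in a trie, weights each domain by the inverse of the number of models that contact it (a crude stand-in for the paper's two-stage distillation, which is an assumption here), and scores an observed DNS burst against every tree. The device models, domains and the 0.5 threshold are constructed for the example.

```python
"""Domain-name-tree device fingerprints (added illustration, not the Magnifier code).

Each device model gets a tree of the domains it contacts when it joins a network,
stored root-first (example -> vendor-a -> push). A leaf weight is 1 / (number of
models that contact that domain), so domains unique to one model dominate the
score while shared infrastructure domains barely count. This weighting and the
0.5 decision threshold are assumptions standing in for the paper's two-stage
distillation; the training and observed domains below are constructed.
"""

def domain_path(domain):
    """'push.vendor-a.example' -> ['example', 'vendor-a', 'push']."""
    return list(reversed(domain.lower().strip('.').split('.')))

class DomainTree:
    LEAF = '$'   # key marking a registered domain and holding its weight

    def __init__(self):
        self.root = {}
        self.total = 0.0

    def add(self, domain, weight):
        node = self.root
        for label in domain_path(domain):
            node = node.setdefault(label, {})
        node[self.LEAF] = node.get(self.LEAF, 0.0) + weight
        self.total += weight

    def match(self, domain):
        """Weight of the longest registered suffix of `domain`, 0.0 if none.

        'cdn.update.vendor-a.example' therefore matches a registered
        'update.vendor-a.example', which tolerates unseen subdomains.
        """
        node, best = self.root, 0.0
        for label in domain_path(domain):
            node = node.get(label)
            if node is None:
                break
            best = node.get(self.LEAF, best)
        return best

def build_forest(training):
    """training: {model: [domains]} -> {model: DomainTree} with uniqueness weights."""
    models_per_domain = {}
    for model, domains in training.items():
        for d in set(domains):
            models_per_domain.setdefault(d, set()).add(model)
    forest = {}
    for model, domains in training.items():
        tree = DomainTree()
        for d in set(domains):
            tree.add(d, 1.0 / len(models_per_domain[d]))
        forest[model] = tree
    return forest

def score(tree, observed):
    """Fraction of a tree's total weight explained by the observed domains."""
    matched = sum(tree.match(d) for d in set(observed))
    return matched / tree.total if tree.total else 0.0

def identify(forest, observed, threshold=0.5):
    """Best-scoring model, or None when no tree clears the threshold."""
    best_model, best_score = None, 0.0
    for model, tree in forest.items():
        s = score(tree, observed)
        if s > best_score:
            best_model, best_score = model, s
    return (best_model, best_score) if best_score >= threshold else (None, best_score)

# Constructed training captures: domains each device model resolves on network access.
TRAINING = {
    "PhoneA": ["push.vendor-a.example", "update.vendor-a.example",
               "time.android.example", "connectivitycheck.example"],
    "PhoneB": ["push.vendor-b.example", "time.android.example",
               "connectivitycheck.example"],
    "TabletC": ["captive.vendor-c.example", "connectivitycheck.example"],
}

if __name__ == "__main__":
    forest = build_forest(TRAINING)
    burst = ["connectivitycheck.example", "push.vendor-a.example", "time.android.example"]
    print(identify(forest, burst))                          # PhoneA
    print(identify(forest, ["connectivitycheck.example"]))  # None: shared domain only
```

The second call shows the failure mode the weighting is meant to handle: a burst consisting only of a domain every model contacts scores low for all trees and is rejected rather than attributed to whichever model has the smallest tree.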
PaperID: 184,   
Authors:  Zixuan Huang, Yuanguo Bi, Kuan Zhang, Bing Hu, Zhou Su, Chong Tai, Xukun Luan
Affiliations: School of Computer Science and Engineering, Northeastern University, Shenyang, China; Department of Electrical and Computer Engineering, University of Nebraska-Lincoln, Lincoln, NE, USA; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; Neusoft Corporation, Shenyang, China
Title: PDSA-FL: A Poisoning-Defense Secure Aggregation in Federated Learning
Abstract:
Federated learning (FL) has become a promising technology to provide edge Artificial Intelligence (AI) due to its advantages in privacy protection and reduced communication costs. However, FL is still confronted with privacy leakage issues because the shared local model may expose the training data information. Existing works typically utilize secure aggregation techniques to eliminate privacy leakage, where local model parameters in FL are obfuscated before they are sent to the aggregator. Nevertheless, secure aggregation makes poisoning attacks more convenient given that existing anomaly detection methods mostly require access to plaintext local models. A Poisoning-Defense Secure Aggregation in FL (PDSA-FL) is proposed to enhance the privacy protection of honest clients and defend against poisoning attacks from malicious clients. Specifically, a Secure Aggregation scheme based on Random Parameters Decomposition (SARPD) is designed to protect client privacy during the FL aggregation process and eliminate the impact of dropped clients on the aggregation results. Secondly, a Poisoning Detection method based on Similarity Grouping (PDSG) is proposed to mitigate the impact of poisoning attacks on the global model of FL without leaking client model parameters. The security analysis discusses the effectiveness of the proposed PDSA-FL in terms of privacy protection. Extensive simulation results show that PDSA-FL can effectively defend against poisoning attacks, significantly improve the convergence performance of global models, and reduce the computation time of clients.
PaperID: 185,   
Authors:  Liping Chen, Chenyang Guo, Rui Wang, Kong Aik Lee, Zhen-Hua Ling
Affiliations: Department of Electronic Engineering and Information Science, University of Science and Technology of China, Hefei, China; Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: Any-to-Any Speaker Attribute Perturbation for Asynchronous Voice Anonymization
Abstract:
Speaker attribute perturbation offers a feasible approach to asynchronous voice anonymization by employing adversarially perturbed speech as anonymized output. In order to enhance the identity unlinkability among anonymized utterances from the same original speaker, the targeted attack training strategy is usually applied to anonymize the utterances to a common designated speaker. However, this strategy may violate the privacy of the designated speaker who is an actual speaker. To mitigate this risk, this paper proposes an any-to-any training strategy. It is accomplished by defining a batch mean loss to anonymize the utterances from various speakers within a training mini-batch to a common pseudo-speaker, which is approximated as the average speaker in the mini-batch. Based on this, a speaker-adversarial speech generation model is proposed, incorporating the supervision from both the untargeted attack and the any-to-any strategies. The speaker attribute perturbations are generated and incorporated into the original speech to produce its anonymized version. The effectiveness of the proposed model was justified in asynchronous voice anonymization through experiments conducted on the LibriSpeech datasets. Additional experiments were carried out to explore the potential limitations of speaker-adversarial speech in voice privacy protection. With them, we aim to provide insights for future research on its protective efficacy against black-box speaker extractors and adaptive attacks, as well as generalization to out-of-domain datasets and stability. Audio samples and open-source code are published in https://github.com/VoicePrivacy/any-to-any-speaker-attribute-perturbation.
PaperID: 186,   
Authors:  Ziqi Zhou, Menghao Deng, Yufei Song, Hangtao Zhang, Wei Wan, Shengshan Hu, Minghui Li, Leo Yu Zhang, Dezhong Yao
Affiliations: School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, Hubei, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China; Faculty of Data Science, City University of Macau, Macau, China; School of Software Engineering, Huazhong University of Science and Technology, Wuhan, Hubei, China; School of Information and Communication Technology, Griffith University, Southport, QLD, Australia
Title: DarkHash: A Data-Free Backdoor Attack Against Deep Hashing
Abstract:
Benefiting from its superior feature learning capabilities and efficiency, deep hashing has achieved remarkable success in large-scale image retrieval. Recent studies have demonstrated the vulnerability of deep hashing models to backdoor attacks. Although these studies have shown promising attack results, they rely on access to the training dataset to implant the backdoor. In the real world, obtaining such data (e.g., identity information) is often prohibited due to privacy protection and intellectual property concerns. Embedding backdoors into deep hashing models without access to the training data, while maintaining retrieval accuracy for the original task, presents a novel and challenging problem. In this paper, we propose DarkHash, the first data-free backdoor attack against deep hashing. Specifically, we design a novel shadow backdoor attack framework with dual-semantic guidance. It embeds backdoor functionality and maintains original retrieval accuracy by fine-tuning only specific layers of the victim model using a surrogate dataset. We consider leveraging the relationship between individual samples and their neighbors to enhance backdoor attacks during training. By designing a topological alignment loss, we optimize both individual and neighboring poisoned samples toward the target sample, further enhancing the attack capability. Experimental results on four image datasets, five model architectures, and two hashing methods demonstrate the high effectiveness of DarkHash, outperforming existing state-of-the-art backdoor attack methods. Defense experiments show that DarkHash can withstand existing mainstream backdoor defense methods.
PaperID: 187,   
Authors:  Meng Jia, Jing Chen, Yuanzheng Wang, Kun He, Min Shi, Ruiying Du
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Multi-Authority Anonymous Credentials With Efficient and Decentralized Supervision
Abstract:
Anonymous credentials are widely used in online services, where issuers in authorities issue credentials to users and then users can selectively and privately prove their identities and attributes. However, users may misbehave under anonymous settings. Therefore, we need to trace the credential proof to obtain the user’s identity and link credential proofs to achieve supervision. Existing solutions either have the single point of failure problem or require multiple supervisors to perform threshold computations on all users’ identities, which is inefficient in practice, especially when the number of users increases. In this paper, we present a credential management system in multiple authorities with efficient and decentralized supervision. Specifically, we design a multi-authority credential management architecture, where each issuer in authorities issues credentials to users and supervisors trace and link credential proofs in multiple authorities. Then, we present efficient and decentralized credential proof tracing and linking protocols, where more than threshold supervisors can trace credential proofs to obtain users’ identities and generate users’ linking keys. Verifiers can link each malicious user’s credential proofs efficiently with those linking keys. We conduct experiments on our system in the WAN and LAN settings and compare it with another threshold attribute-based credential scheme. The experimental results demonstrate that our solution is efficient in practice.
PaperID: 188,   
Authors:  Peng Tang, Yitao Xu, Yutao Jiao, Maomao Zhang, Yehui Song, Guoru Ding
Affiliations: College of Communications Engineering, Army Engineering University of PLA, Nanjing, China
Title: Similarity-Adaptive Framework for Semi-Supervised Open-World Specific Emitter Identification
Abstract:
Specific emitter identification (SEI) is a physical-layer authentication technique that identifies devices by extracting radio frequency fingerprints (RFFs) from received signals. Open-set SEI (OS-SEI) refers to classifying known classes while rejecting unknown classes, which typically requires a sufficient amount of labeled training samples. However, in open-world scenarios, labeled samples are often limited, and unlabeled samples may contain unknown classes. Moreover, open-world recognition not only requires detecting unknown class samples but also identifying specific novel classes within these unknown samples and integrating them into the recognition model. Current OS-SEI methods can only categorize all unknown samples as a single class, lacking the ability to further differentiate these unknown classes. To address these challenges, we formulate a novel semi-supervised open-world SEI (SSOW-SEI) problem, which aims to overcome the shortcomings of OS-SEI in utilizing unlabeled data, distinguishing unknown classes, and addressing class distribution mismatches between labeled and unlabeled data. Furthermore, we develop an end-to-end similarity-adaptive (SAA) framework for SSOW-SEI. Specifically, after automatically extracting sample features, SAA first identifies novel classes by measuring pairwise similarities between the features, and then recognizes known classes using adaptive cross-entropy, which balances the learning rate between known and novel classes to prevent model bias toward known classes. Additionally, entropy regularization is applied to mitigate model overfitting. Extensive experimental results demonstrate that the proposed SAA framework effectively leverages limited labeled data, handles large volumes of unlabeled data, and accurately identifies both known and novel classes. The results also highlight its strong generalization, stability, and enhanced adaptability to novel classes.
PaperID: 189,   
Authors:  Gábor Fuchs, Roland Nagy, Levente Buttyán
Affiliations: CrySyS Lab, Budapest University of Technology and Economics, Budapest, Hungary
Title: Targeted Attacks Against the TLSH Similarity Digest Scheme
Abstract:
Similarity Digest Schemes are used in various applications (e.g. digital forensics, spam filtering, malware detection and malware clustering), which require them to be resistant against attacks aiming at generating (A) semantically similar inputs with very different similarity digest values, or (B) completely different inputs with very similar digest values. We show that TLSH, a widely used similarity digest function, is not robust enough against either kind of attack. More specifically, we propose automated methods to modify executable software binaries in a way that the modified binary has the exact same functionality as the original one, yet (A) its TLSH difference score from the original version becomes high, or (B) its TLSH digest becomes very similar to another arbitrary TLSH digest up to a complete digest collision. We evaluate our methods on a large data set containing malware binaries, and we also show that they can be used effectively to generate adversarial samples that evade detection by SIMBIoTA, a recently proposed similarity-based malware detection approach.
PaperID: 190,   
Authors:  Meiyu Zhong, Ravi Tandon
Affiliations: Department of Electrical and Computer Engineering, The University of Arizona, Tucson, AZ, USA
Title: SPLITZ: Certifiable Robustness via Split Lipschitz Randomized Smoothing
Abstract:
Certifiable robustness gives the guarantee that small perturbations around an input to a classifier will not change the prediction. There are two approaches to provide certifiable robustness to adversarial examples: 1) explicitly training classifiers with small Lipschitz constants, and 2) randomized smoothing, which adds random noise to the input to create a smooth classifier. We propose SPLITZ, a practical and novel approach which leverages the synergistic benefits of both the above ideas into a single framework. Our main idea is to split a classifier into two halves, constrain the Lipschitz constant of the first half, and smooth the second half via randomization. Motivation for SPLITZ comes from the observation that many standard deep networks exhibit heterogeneity in Lipschitz constants across layers. SPLITZ can exploit this heterogeneity while inheriting the scalability of randomized smoothing. We present a principled approach to train SPLITZ and provide theoretical analysis to derive certified robustness guarantees during inference. We present a comprehensive comparison of robustness-accuracy trade-offs and show that SPLITZ consistently improves on existing state-of-the-art approaches in the MNIST, CIFAR-10 and ImageNet datasets. For instance, with an ℓ₂-norm perturbation budget of ε = 1, SPLITZ achieves 43.2% top-1 test accuracy on the CIFAR-10 dataset compared to the state-of-the-art top-1 test accuracy of 39.8%.
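The split idea in this abstract is concrete enough to carry through numerically: certify a radius in the intermediate space with randomized smoothing, then divide by the Lipschitz constant of the first half to get an input-space radius. The Python below is an added example written for this page, not the SPLITZ code or its exact certification theorem. It assumes a toy two-layer model (a fixed linear first half whose Lipschitz constant is its largest singular value, and a linear two-class second half), Gaussian smoothing with the Cohen et al. radius σ·Φ⁻¹(p_lower), and a Hoeffding lower confidence bound in place of the Clopper-Pearson bound usually used.

```python
"""Simplified SPLITZ-style certification (added example, not the paper's code).

Model f(x) = g(h(x)): h is the first half with a known Lipschitz constant L,
g is the second half, smoothed with Gaussian noise of scale sigma in the
intermediate space. Randomized smoothing certifies a radius R_z around
z = h(x); since ||h(x) - h(x')|| <= L ||x - x'||, an input perturbation
smaller than R_z / L cannot leave the certified ball, so the input-space
radius is R_z / L. The toy halves, constants and the Hoeffding bound are
assumptions for this illustration.
"""
import math
import random
from statistics import NormalDist

STD_NORMAL = NormalDist()

# First half h: a fixed linear map. Its L2 Lipschitz constant is its
# largest singular value, which for this diagonal matrix is 1.5.
H_MATRIX = [[1.5, 0.0], [0.0, 0.5]]   # constructed weights
H_LIPSCHITZ = 1.5

def first_half(x):
    return [sum(H_MATRIX[i][j] * x[j] for j in range(2)) for i in range(2)]

# Second half g: a toy two-class base classifier on the intermediate features.
def second_half(z):
    return 0 if z[0] + 0.3 * z[1] > 0.0 else 1

def hoeffding_lower_bound(count, n, alpha):
    """One-sided (1 - alpha) lower confidence bound on a Bernoulli mean."""
    return count / n - math.sqrt(math.log(1.0 / alpha) / (2.0 * n))

def sample_counts(z, sigma, n, rng):
    """Vote counts of the base classifier under n Gaussian perturbations of z."""
    counts = [0, 0]
    for _ in range(n):
        noisy = [z[0] + rng.gauss(0.0, sigma), z[1] + rng.gauss(0.0, sigma)]
        counts[second_half(noisy)] += 1
    return counts

def certify(x, sigma=1.0, n0=100, n=2000, alpha=0.001, seed=0):
    """Return (predicted_class, certified_input_radius), or (None, 0.0) to abstain.

    n0 selection samples pick the candidate top class; n fresh samples estimate
    its probability, so the estimate is not biased by the selection step.
    """
    rng = random.Random(seed)
    z = first_half(x)
    selection = sample_counts(z, sigma, n0, rng)
    top = 0 if selection[0] >= selection[1] else 1
    estimate = sample_counts(z, sigma, n, rng)
    p_lower = hoeffding_lower_bound(estimate[top], n, alpha)
    if p_lower <= 0.5:
        return None, 0.0          # no class is provably the majority: abstain
    radius_z = sigma * STD_NORMAL.inv_cdf(p_lower)   # smoothing radius in z-space
    return top, radius_z / H_LIPSCHITZ               # pull back through h

if __name__ == "__main__":
    print(certify([2.0, 0.0]))   # confident point: class 0 with a positive radius
    print(certify([0.0, 0.0]))   # on the decision boundary: abstain
```

The division by the Lipschitz constant is where the first half pays off: a first half with a smaller constant enlarges the input-space radius for the same smoothing noise, which is the trade-off the abstract says SPLITZ exploits across layers.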
PaperID: 191,   
Authors:  Hatef Otroshi-Shahreza, Sébastien Marcel
Affiliations: Biometrics Security and Privacy Group, Idiap Research Institute, Martigny, Switzerland
Title: Foundation Models and Biometrics: A Survey and Outlook
Abstract:
This paper provides an overview of the recent advancements in foundation models and discusses potential applications of these models in the field of biometrics. Foundation models (such as large language models, vision language models, audio-language models, and large multi-modal models) are based on large neural networks which are trained with massive amounts of data and enable robust feature extraction for transfer learning. These models allow efficient zero-shot and few-shot learning, achieving state-of-the-art performance in downstream tasks. Foundation models have been studied and used in different domains, including natural language processing, computer vision, audio processing, and multi-modal processing. Biometrics is also an active field of research, which involves various research problems, ranging from robust recognition to security and privacy in biometric systems. In this paper, we present an in-depth analysis of state-of-the-art methodologies regarding foundation multi-modal models, their advancements, and their applicability to biometrics tasks. We also highlight current limitations and provide insights into potential future research directions in the applications of foundation models in biometrics. To our knowledge, this paper is the first survey which investigates the applications of foundation models in biometrics.
PaperID: 192,   
Authors:  Ruihao Dai, Jiankuo Dong, Mingrui Qiu, Zhenjiang Dong, Fu Xiao, Jingqiang Lin
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Cyber Security, University of Science and Technology of China, Hefei, China
Title: GOLF: Unleashing GPU-Driven Acceleration for FALCON Post-Quantum Cryptography
Abstract:
Quantum computers leverage qubits to solve certain computational problems significantly faster than classical computers. This capability poses a severe threat to traditional cryptographic algorithms, leading to the rise of post-quantum cryptography (PQC) designed to withstand quantum attacks. FALCON, a lattice-based signature algorithm, has been selected by the National Institute of Standards and Technology (NIST) as part of its post-quantum cryptography standardization process. However, due to the computational complexity of PQC, especially in cloud-based environments, throughput limitations during peak demand periods have become a bottleneck, particularly for FALCON. In this paper, we introduce GOLF (GPU-accelerated Optimization for Lattice-based FALCON), a novel GPU-based parallel acceleration framework for FALCON. GOLF includes algorithm porting to the GPU, compatibility modifications, multi-threaded parallelism with distinct data, single-thread optimization for single tasks, and specific enhancements to the Fast Fourier Transform (FFT) module within FALCON. Our approach achieves unprecedented performance in FALCON acceleration on GPUs, setting the highest throughput record in the history of FALCON digital signature generation and verification. On the NVIDIA RTX 4090, GOLF reaches a signature generation throughput of 420.25 kops/s and a signature verification throughput of 10,311.04 kops/s. These results represent a 58.05× / 73.14× improvement over the reference FALCON implementation and a 7.17× / 3.79× improvement compared to the fastest known GPU implementation to date. Additionally, since we have not modified the content of the algorithm, but only optimized its engineering implementation, the security of the algorithm has not changed, and the security of the original algorithm has been maintained. GOLF demonstrates that GPU acceleration is not only feasible for post-quantum cryptography but also crucial for addressing throughput bottlenecks in real-world applications.
PaperID: 193,   
Authors:  Bin Liu, Tiantian Yang, Wei Huang, Chunyan Wei, Nankun Mu, Bingjie Xu, Fei Gao
Affiliations: College of Computer Science, Chongqing University, Chongqing, China; Science and Technology on Communication Security Laboratory, Institute of Southwestern Communication, Chengdu, China; School of Mathematical Science, Luoyang Normal University, Luoyang, Henan, China
Title: Measurement-Device-Independent Quantum Private Query With Weak Coherent Source
Abstract:
Quantum private query (QPQ) has emerged as a pivotal quantum cryptographic solution for symmetric private information retrieval, representing one of the most viable protocols for practical implementation following quantum key distribution. However, comprehensive practical security analysis remains imperative before deployment, particularly addressing concurrent vulnerabilities at both the optical source and detection components. This study makes dual fundamental contributions: 1) We unveil a sophisticated multiphoton attack strategy that enables malicious users to completely compromise database confidentiality by exploiting inherent multiphoton emissions from practical light sources across multiple established QPQ protocols; 2) We develop a novel decoy-state measurement-device-independent QPQ protocol specifically designed for weak coherent sources that simultaneously mitigates security vulnerabilities at both system endpoints. Our rigorous security analysis demonstrates that the proposed protocol achieves remarkable security enhancement - reducing an attacker’s information extraction capability from complete database access (100% items) to merely approximately 2.51 database items under standard operational parameters, while preserving practical implementability. This work establishes a critical framework for bridging theoretical security guarantees with practical implementation requirements, providing essential foundations for real-world QPQ deployment within existing quantum communication infrastructures.
PaperID: 194,   
Authors:  Hanyue Dou, Peifang Ni, Jing Xu
Affiliations: Chinese Academy of Sciences, Institute of Software, Beijing, China
Title: Chitin: A Security-Enhanced Proof-of-Stake Protocol With View-Interference Resilience
Abstract:
The Proof-of-Stake (PoS) protocol is emerging as one of the most promising blockchain consensus mechanisms, and Ethereum is also undergoing a significant transition to PoS, specifically by adopting Gasper. However, a particularly critical threat faced by existing view-dependent PoS, such as Gasper, lies in view-interference attacks, exemplified by balance attack and reorg attack. These attacks enable adversaries to prevent honest proposals from being committed, thereby directly compromising the fundamental liveness property of blockchain. Currently, there is no effective solution to mitigate such view-interference attacks. In this paper, we present Chitin, a novel view-dependent PoS protocol that is designed to enhance security and effectively mitigate all varieties of view-interference attacks. The core design of Chitin comprises a common set protocol that leverages an innovative deletion mechanism to achieve both a consistent message set and strong termination, while requiring only minimal support from Trusted Execution Environment through its basic validation module. Furthermore, we prove that Chitin not only satisfies safety and liveness, but also possesses resilience against view-interference attacks. Finally, we implement Chitin and conduct comparisons with existing works. The experimental results show that our protocol exhibits superior efficiency, resulting in significant improvements in throughput ranging from 33%-50%, along with reduced communication costs.
PaperID: 195,   
Authors:  Qianwen Gao, Yuan Lu, Kunpeng Bai, Zhenfeng Zhang, Yichi Tu
Affiliations: Chinese Academy of Sciences, Institute of Software, Beijing, China; Kuxun Beijing Inc., Beijing, China
Title: ThPlA: Threshold Passwordless Authentication Made Usable and Scalable
Abstract:
Passwordless user authentication schemes with FIDO as the standard have been widely deployed in web applications. Users use hardware tokens to store their identity credentials (i.e., signing keys) and implement strong authentication through a challenge-response mechanism, avoiding the security risks associated with traditional password-based authentication. Distributed Web services can greatly alleviate the system reliability problem caused by single points of failure, and thus have received increasing attention and research. In distributed systems, resources are distributed across multiple servers, and users must interact with them (or a subset of them in thresholding) to obtain network services. User authentication among the distributed (threshold) systems also poses a challenge: how to ensure security and ease of use at the same time? In particular, users need to authenticate to multiple servers when accessing distributed services, and in the case of using FIDO authentication, users need to authenticate to each server using challenge-response authentication, which will greatly reduce the user experience. In this work, we propose the concept named Threshold Passwordless Authentication (ThPlA) to address this issue. ThPlA allows users to authenticate to a t-of-n thresholding system. ThPlA is designed to be compatible with existing FIDO tokens and requires no extra hardware modifications; the user only needs to interact with the hardware token once during an authentication session; and on the service side, the servers do not need to communicate with each other. ThPlA is based on the component named Non-interactive Threshold Nonce Generation (NI-ThNG), which extends the two-party challenge-response mechanism to t-of-n settings. We provide a formal definition of ThPlA and NI-ThNG and give practical constructions. We also provide a performance evaluation of ThPlA and NI-ThNG, respectively. Our experimental results show that the schemes are efficient and practical for real-world applications, even in large-scale distributed systems.
PaperID: 196,   
Authors:  Hanqi Zhang, Yandong Zheng, Chang Xu, Liehuang Zhu, Can Zhang
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China; Chinese Academy of Cyberspace Studies, Beijing, China
Title: PCSR: Enabling Cross-Modal Semantic Retrieval With Privacy Preservation
Abstract:
Cross-modal semantic retrieval systems face significant privacy risks due to storing plaintext data on cloud servers. We propose PCSR, a privacy-preserving framework enabling semantic search directly on encrypted high-dimensional data. It consists of three essential modules: a cross-modal encoder, an approximate nearest neighbor (ANN) search algorithm, and an encryption algorithm. Specifically, we utilize CLIP, a deep neural network model, to extract features of images and texts. We design two ANN search methods for high-dimensional feature vectors by utilizing the space partitioning technique and Singular Value Decomposition algorithms, respectively. Furthermore, we employ adapted Random Matrix Multiplication (RMM) for efficient and secure vector similarity computations. Our rigorous security analysis demonstrates that our proposed schemes are secure. We conduct experiments on four datasets and systematically compare the performance of different encrypted retrieval methods. The superior performance validates the feasibility and efficiency of our proposed schemes.
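The encryption building block named in this abstract, random matrix multiplication for similarity computation on encrypted vectors, has a simple generic form that is worth seeing end to end: the owner keeps a secret invertible matrix M, stores feature vectors as M·v, encrypts queries as (M⁻¹)ᵀ·q, and the server ranks by the inner product of the two ciphertexts, which equals q·v. The Python below is an added example of that generic scheme, not the PCSR code; the paper's "adapted" RMM, any splitting or noise it adds, and its security analysis are not reproduced here (assumption: plain inner-product-preserving RMM). Exact rational arithmetic is used so the demo is deterministic; the vectors are constructed stand-ins for CLIP embeddings.

```python
"""Inner-product-preserving random matrix encryption (added example, generic scheme).

Data owner picks a secret invertible matrix M (d x d). A feature vector v is
stored as c = M v; a query q is encrypted as t = (M^-1)^T q. The server computes
t . c = q^T M^-1 M v = q . v without seeing q or v. Fractions keep the arithmetic
exact for the demo; the paper's adapted RMM is not reproduced (assumption).
"""
from fractions import Fraction
import random

def invert(m):
    """Gauss-Jordan inverse over Fractions; returns None if m is singular."""
    d = len(m)
    a = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(d)]
         for i, row in enumerate(m)]
    for col in range(d):
        pivot = next((r for r in range(col, d) if a[r][col] != 0), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(d):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]

def random_invertible_matrix(d, rng):
    """Random small-integer matrix, resampled until it has an inverse."""
    while True:
        m = [[rng.randint(-5, 5) for _ in range(d)] for _ in range(d)]
        inv = invert(m)
        if inv is not None:
            return m, inv

def transpose(m):
    return [list(col) for col in zip(*m)]

def mat_vec(m, v):
    return [sum(Fraction(mi) * vi for mi, vi in zip(row, v)) for row in m]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

class RMMEncryptor:
    """Data-owner side: holds the secret matrix and encrypts data and queries."""
    def __init__(self, d, seed=7):
        self.M, m_inv = random_invertible_matrix(d, random.Random(seed))
        self.M_inv_T = transpose(m_inv)

    def encrypt_data(self, v):
        return mat_vec(self.M, [Fraction(x) for x in v])

    def encrypt_query(self, q):
        return mat_vec(self.M_inv_T, [Fraction(x) for x in q])

def rank_encrypted(enc_db, enc_query):
    """Server side: indices of stored ciphertexts, most similar first."""
    scores = [dot(enc_query, c) for c in enc_db]
    return sorted(range(len(enc_db)), key=lambda i: scores[i], reverse=True)

if __name__ == "__main__":
    enc = RMMEncryptor(3)
    db = [[1, 0, 2], [0, 3, 1], [2, 2, 2]]       # constructed feature vectors
    enc_db = [enc.encrypt_data(v) for v in db]
    enc_q = enc.encrypt_query([1, 1, 0])
    print(rank_encrypted(enc_db, enc_q))         # same order as plaintext dot products
```

Two practitioner caveats follow directly from the construction: the server learns the exact inner products by design (that is the functionality), and a purely linear transform of this kind is known to be breakable by an attacker who obtains enough plaintext-ciphertext pairs, which is why schemes in this family add splitting, padding or noise terms and why the paper's own security analysis, rather than this skeleton, should be consulted before deployment.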
PaperID: 197,   
Authors:  Yunlong Liu, Lu Leng, Ziyuan Yang, Andrew Beng Jin Teoh, Bob Zhang
Affiliations: Jiangxi Provincial Key Laboratory of Image Processing and Pattern Recognition, Nanchang Hangkong University, Nanchang, China; School of Cyber Science and Engineering, Sichuan University, Chengdu, China; School of Electrical and Electronic Engineering, College of Engineering, Yonsei University, Seoul, Republic of Korea; PAMI Research Group, Department of Computer and Information Science, Centre for Artificial Intelligence and Robotics, Institute of Collaborative Innovation, University of Macau, Taipa, Macau SAR, China
Title: SF2Net: Sequence Feature Fusion Network for Palmprint Verification
Abstract:
Currently, global features are usually extracted directly from local patterns in palmprint verification. Furthermore, sequence features for palmprint verification are only used as local features, but the properties of sequence features are not fully utilized. To solve this issue, this paper introduces Sequence Feature Fusion Network (SF2Net) for palmprint verification. SF2Net proposes a new paradigm: using stable and spatially correlated sequence features as an intermediate bridge to generate robust global representations. SF2Net’s core mechanism is to first extract fine-grained local features that are then converted into sequence features by a Sequence Feature Extractor (SFE). Finally, the sequence features are used as a superior input to capture high-quality global features. By fusing multi-order texture-based local features with globally extracted sequence features, SF2Net achieves superior discrimination. To ensure high accuracy even with limited training data, a hybrid loss function is proposed, which integrates a cross-entropy loss and a triplet loss. Triplet loss effectively optimizes feature separation by explicitly considering negative samples. Extensive experiments on multiple publicly available palmprint datasets demonstrate that SF2Net achieves state-of-the-art (SOTA) performance. Remarkably, even with a small training-to-testing ratio (1:9), SF2Net achieves 100% accuracy, surpassing SOTA methods on several benchmark datasets. The code is released at https://github.com/20201422/SF2Net
PaperID: 198,   
Authors:  Wei Luo, Qinghe Duan, Chengzhe Lai
Affiliations: School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an, China
Title: Traceable Access Control Encryption With Parallel Multiple Sanitizers
Abstract:
Access control encryption (ACE) is an innovative cryptographic primitive that realizes fine-grained read/write control of data and protects data privacy and security while facilitating the effective flow of information. However, existing ACE schemes face several limitations: 1) Inability to adequately mitigate the risks of a single point of failure in the sanitizer. 2) Lack of an effective accountability mechanism for disputes arising during the sanitization process. To solve these problems, this paper proposes the notion of traceable access control encryption with parallel multiple sanitizers for the first time and designs a specific structure of traceable parallel ACE to prevent the single point of failure, effectively deter abnormal sanitizer behaviors, and optimize system performance. Additionally, computationally intensive operations in the encryption and decryption processes are outsourced to third-party servers, resulting in a significant reduction of computational overhead. Furthermore, theoretical analysis and experimental simulations validate the effectiveness of the proposed scheme. Comprehensive security analysis demonstrates its no-read security under the decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption and its no-write security under the Discrete Logarithm (DL) assumption, ensuring its reliability in practical applications.
PaperID: 199,   
Authors:  Xuhao Ren, Haotian Liang, Yajie Wang, Chuan Zhang, Zehui Xiong, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Beijing Economic Information Centre, Beijing, China; Singapore University of Technology and Design, Tampines, Singapore
Title: BESA: Boosting Encoder Stealing Attack With Perturbation Recovery
Abstract:
To boost the encoder stealing attack under the perturbation-based defense that hinders the attack performance, we propose a boosting encoder stealing attack with perturbation recovery named BESA. It aims to overcome perturbation-based defenses. The core of BESA consists of two modules: perturbation detection and perturbation recovery, which can be combined with canonical encoder stealing attacks. The perturbation detection module utilizes the feature vectors obtained from the target encoder to infer the defense mechanism employed by the service provider. Once the defense mechanism is detected, the perturbation recovery module leverages the well-designed generative model to restore a clean feature vector from the perturbed one. Through extensive evaluations based on various datasets, we demonstrate that BESA significantly enhances the surrogate encoder accuracy of existing encoder stealing attacks by up to 24.63% when facing state-of-the-art defenses and combinations of multiple defenses.
PaperID: 200,   
Authors:  Wei Ma, Junjie Shi, Jiaxi Qiu, Cong Wu, Jing Chen, Lingxiao Jiang, Shangqing Liu, Yang Liu, Yang Xiang
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Digital Research, Swinburne University of Technology, Hawthorn, VIC, Australia
Title: Detecting DeFi Fraud With a Graph-Transformer Language Model
Abstract:
With the rapid development of blockchain technology, the widespread adoption of smart contracts—particularly in decentralized finance (DeFi) applications—has introduced significant security challenges, such as reentrancy attacks, phishing, and Sybil attacks. To address these issues, we propose a novel model called TrxGNNBERT, which combines Graph Neural Network (GNN) and the Transformer architecture to effectively handle both graph-structured and textual data. This combination enhances the detection of suspicious transactions and accounts on blockchain platforms like Ethereum. TrxGNNBERT was pre-trained using a masked language model (MLM) on a dataset of 60,000 Ethereum transactions by randomly masking the attributes of nodes and edges, thereby capturing deep semantic relationships and structural information. In this work, we constructed transaction subgraphs, using a GNN module to enrich the embedding representations, which were then fed into a Transformer encoder. The experimental results demonstrate that TrxGNNBERT outperforms various baseline models—including DeepWalk, Trans2Vec, Role2Vec, GCN, GAT, GraphSAGE, CodeBERT, GraphCodeBERT, Zipzap and BERT4ETH—in detecting suspicious transactions and accounts. Specifically, TrxGNNBERT achieved an accuracy of 0.755 and an F1 score of 0.756 on the TrxLarge dataset; an accuracy of 0.903 and an F1 score of 0.894 on the TrxSmall dataset; and an accuracy of 0.790 and an F1 score of 0.781 on the AddrDec dataset. We also explored different pre-training configurations and strategies, comparing the performance of encoder-based versus decoder-based Transformer structures. The results indicate that pre-training improves downstream task performance, with encoder-based structures outperforming decoder-based ones. Through ablation studies, we found that node-level information and subgraph structures are critical for achieving optimal performance in transaction classification tasks. When key features were removed, the model performance declined considerably, demonstrating the importance of each component of our method. These findings offer valuable insights for future research, suggesting further improvements in node attribute representation and subgraph extraction.
PaperID: 201,   
Authors:  Zhonghao Yang, Cheng Luo, Daojing He, Yiming Li, Yu Li
Affiliations: Software Engineering Institute, East China Normal University, Shanghai, China; School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China; Nanyang Technological University, Jurong West, Singapore; College of Integrated Circuits, Zhejiang University, Hangzhou, Zhejiang, China
Title: ArcGen: Generalizing Neural Backdoor Detection Across Diverse Architectures
Abstract:
Backdoor attacks pose a significant threat to the security and reliability of deep learning models. To mitigate such attacks, one promising approach is to learn to extract features from the target model and use these features for backdoor detection. However, we discover that existing learning-based neural backdoor detection methods do not generalize well to new architectures not seen during the learning phase. In this paper, we analyze the root cause of this issue and propose a novel black-box neural backdoor detection method called ArcGen. Our method aims to obtain architecture-invariant model features, i.e., aligned features, for effective backdoor detection. Specifically, in contrast to existing methods directly using model outputs as model features, we introduce an additional alignment layer in the feature extraction function to further process these features. This reduces the direct influence of architecture information on the features. Then, we design two alignment losses to train the feature extraction function. These losses explicitly require that features from models with similar backdoor behaviors but different architectures are aligned at both the distribution and sample levels. With these techniques, our method demonstrates up to 42.5% improvements in detection performance (e.g., AUC) on unseen model architectures. This is based on a large-scale evaluation involving 16,896 models trained on diverse datasets, subjected to various backdoor attacks, and utilizing different model architectures. Our code is available at https://github.com/SeRAlab/ArcGen
PaperID: 202,   
Authors:  Yimeng Chen, Bo Wang, Changshan Su, Ao Li, Yuxing Tang, Gen Li
Affiliations: Phytium Technology Company Ltd., Tianjin, China
Title: Enhancing Model Generalization for Efficient Cross-Device Side-Channel Analysis
Abstract:
Deep learning (DL)-based techniques have garnered significant attention as an innovative method for profiled side-channel analysis (SCA). Despite their proven effectiveness, recent studies have highlighted challenges faced by DL-based profiled attacks in a more realistic portability threat model, where two devices are used respectively for profiling and the attack. In this paper, we propose a novel approach for cross-device attack by incorporating the Denoising Diffusion Probabilistic Model (DDPM) to develop a generalized model. Additionally, an adaptive multi-task loss is employed to balance multiple training objectives that respectively focus on model generalization and precision. We evaluate our strategy on five cross-device SCA datasets. The experimental results show that, compared to baseline methods, our approach achieves significantly enhanced performance, as measured by the number of traces required to recover the secret key. Specifically, on a more challenging dataset obtained from three SAKURA-G evaluation boards, our method successfully recovers the secret key using approximately 300 traces, whereas baseline methods fail to guarantee a successful cross-device attack even with 5,000 traces. Furthermore, our method demonstrates remarkably enhanced attack efficiency, reducing attack time by over an hour compared to the baselines.
PaperID: 203,   
Authors:  Ellen Z. Zhang, Yunguo Guan, Rongxing Lu, Harry Zhang
Affiliations: School of Computing, Queen’s University, Kingston, Canada; School of Information Security and Applied Computing, Eastern Michigan University, Ypsilanti, MI, USA; Faculty of Computer Science, University of New Brunswick, Fredericton, Canada
Title: Optimized Sparse Vector Aggregation Under Local Differential Privacy
Abstract:
In crowdsourcing applications, gathering and analyzing users’ strong positive (1) or negative (−1) reactions to a large number of items is crucial for improving service quality, particularly in recommendation systems. However, protecting users’ privacy while handling diverse sparse patterns in contexts with a large dimension size $d$ poses significant challenges for efficient and privacy-preserving data aggregation. To address these challenges, in this paper, we propose an optimized $k$-sparse vector mean estimation scheme under Local Differential Privacy (LDP), ensuring that each user’s entire set of up to $k$ private values from $\{-1, 1\}$ satisfies $\varepsilon$-LDP. Specifically, our proposed scheme employs a seed mining technique in conjunction with a PRNG Randomizer, which allows users to send their data only once while enabling the server to accurately estimate any value’s mean in the domain. Our scheme achieves an asymptotically optimal per-coordinate error of $O\left(\frac{1}{\varepsilon\sqrt{n}}\right)$, equivalent to that of the 1-sparse case, while also ensuring efficient communication costs. The communication cost remains at a minimal level of $O(1)$ (only 2 bytes per user’s report) for smaller $k$ values and scales to $O(k)$ for larger $k$, due to efficient binning strategies. Extensive experimental results confirm that our results align with theoretical expectations, demonstrating that our scheme not only preserves user privacy but also ensures higher accuracy compared to other schemes.
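Added illustration (editor's example, not the authors' scheme): the abstract's 1-sparse baseline, against which the paper's per-coordinate error is measured, can be demonstrated with plain k-ary randomized response (k-RR). Each user holds one (index, value) pair with value in {-1, +1}, encodes it as one of K = 2d items, and reports it through k-RR, which satisfies ε-LDP because no output is more than e^ε times likelier under one input than under another. The server debiases the item frequencies and turns them into per-coordinate means. The population, dimension, ε and seed below are constructed for the demonstration; the paper's seed-mining/PRNG randomizer and binning strategies are not reproduced here.

```python
import math
import random

# Baseline: each user holds a 1-sparse vector of dimension d with one entry in
# {-1, +1}. The (index, value) pair is encoded as one of K = 2*d items and
# released through k-ary randomized response (k-RR), which is eps-LDP.

def krr_probs(eps, K):
    """Keep-probability p and per-other-item probability q for k-RR."""
    denom = math.exp(eps) + K - 1
    return math.exp(eps) / denom, 1.0 / denom

def encode(index, value):
    """Map (index, value), value in {-1, +1}, to an item id in [0, 2d)."""
    return 2 * index + (1 if value == 1 else 0)

def randomize(item, eps, K, rng):
    """k-RR: report the true item w.p. p, otherwise a uniform other item."""
    p, _ = krr_probs(eps, K)
    if rng.random() < p:
        return item
    other = rng.randrange(K - 1)          # uniform over the K-1 other items
    return other if other < item else other + 1

def privacy_ratio(eps, K):
    """Worst-case Pr[report | x] / Pr[report | x'] over all inputs and outputs."""
    p, q = krr_probs(eps, K)
    return p / q                          # equals exp(eps): the eps-LDP bound

def estimate_means(reports, eps, d):
    """Unbiased per-coordinate mean estimate from n randomized reports."""
    K = 2 * d
    n = len(reports)
    p, q = krr_probs(eps, K)
    counts = [0] * K
    for r in reports:
        counts[r] += 1
    # Debias item frequencies: E[count/n] = q + (p - q) * true_freq
    freq = [(c / n - q) / (p - q) for c in counts]
    # Mean of coordinate j = freq(+1 at j) - freq(-1 at j); users whose
    # nonzero entry is elsewhere contribute 0 to coordinate j.
    return [freq[2 * j + 1] - freq[2 * j] for j in range(d)]

def simulate(n=20000, d=5, eps=2.0, seed=7):
    """Constructed population: 60% of users hold (2, +1), 40% hold (0, -1)."""
    rng = random.Random(seed)
    K = 2 * d
    n_pos = int(0.6 * n)
    truth = [(2, 1)] * n_pos + [(0, -1)] * (n - n_pos)
    reports = [randomize(encode(j, v), eps, K, rng) for j, v in truth]
    return estimate_means(reports, eps, d)

if __name__ == "__main__":
    print(simulate())   # coordinate 2 near 0.6, coordinate 0 near -0.4, rest near 0
```

The debiasing step is where the O(1/(ε√n)) per-coordinate error comes from: each report is one item id, and the sampling noise in count/n is divided by (p − q), which shrinks as ε does. Extending this to k nonzero entries per user without paying a factor of k in the error, while keeping the report at a few bytes, is the problem the paper addresses.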
PaperID: 204,   
Authors:  Muxue Liang, Chuan Wang, Siyuan Liang, Aishan Liu, Yanan Cao, Qingyong Li, Zeming Liu, Liang Yang, Xiaochun Cao
Affiliations: School of Biomedical Engineering, Tsinghua Medicine, Tsinghua University, Beijing, China; School of Computer Science and Technology, Beijing Jiaotong University, Beijing, China; School of Computing, National University of Singapore, Queenstown, Singapore; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Key Laboratory of Big Data and Artificial Intelligence in Transportation, Ministry of Education, and the Frontiers Science Center for Smart High-Speed Railway System, Beijing Jiaotong University, Beijing, China; School of Computer Science and Engineering, Beihang University, Beijing, China; Hebei Province Key Laboratory of Big Data Calculation, School of Artificial Intelligence, Hebei University of Technology, Tianjin, China; School of Cyber Science and Technology, Sun Yat-sen University, Shenzhen Campus, Shenzhen, China
Title: Hard-Label Black-Box Adversarial Attacks for Implicit Scene Interactions
Abstract:
Deep learning models excel in various applications but remain vulnerable to adversarial attacks. Previous adversarial attacks focused on the vulnerability of direct content understanding tasks such as classification and object detection. Implicit interactions play a vital role in intelligent tasks. However, limited attention has been paid to implicit interaction understanding, such as relationships and behaviours. This paper addresses this gap by investigating the vulnerability of implicit interaction understanding in the context of adversarial attacks. Specifically, we introduce a novel adversarial attack task, Interaction Attack (IA), which aims to interfere with scene interaction understanding without affecting direct instance recognition. This task presents unique challenges: (a) interactions are intrinsically tied to scene objects, making independent exploration difficult, and (b) interactions often lack explicit visual cues, complicating direct optimization processes. We propose a novel adversarial attack framework for implicit interactions, named Hard-label Black-box Adversarial Instance Attack (HB-AIA). HB-AIA comprises three key modules, including an Interaction Area Sampling module identifying vulnerable anchors for adversarial instance positioning, an Object Category Search module exploring surrogate categories with higher obfuscation scores for vulnerable anchors, and an Adversarial Instance Generation module crafting adversarial instances with targeted co-occurrence obfuscation to disrupt specific interactions in vulnerable areas. Furthermore, we establish an adversarial attack benchmark based on the Human-Object Interaction task to estimate the vulnerability of implicit interactions. Experiments demonstrate the effectiveness.
PaperID: 205,   
Authors:  Jingjing Wang, Wei Long, Yizhong Liu, Xin Zhang, Zheng Zhang, Robert H. Deng
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; School of Computing and Information Systems, Singapore Management University (SMU), Bras Basah, Singapore
Title: A Lightweight Consensus Mechanism for Large-Scale UAV Networking
Abstract:
Uncrewed aerial vehicle (UAV) swarms, featuring low cost, rapid deployment, and high mobility, have been regarded as one of the key enabling technologies for the Industrial Internet of Things (IIoT). However, as the UAV swarm scales up, the large number of UAVs poses challenges in data consensus, which is essential for decision-making in UAV tasks. In particular, due to the limited resources of UAVs and complex environments, data consensus for swarms requires low energy consumption, high robustness, and high security. To this end, we design a lightweight data consensus mechanism suitable for large-scale UAV swarms. Firstly, considering the high mobility of UAVs, we cluster the UAV swarms based on motion similarity to maintain the stability of clustering. Subsequently, we propose a consensus algorithm named FHotStuff, which achieves low resource consumption by integrating HotStuff and flexible round-optimized Schnorr threshold signatures (Frost). Then, we develop a cross-cluster consensus mechanism. By cooperating with intra-cluster and inter-cluster consensus processes, the mechanism efficiently achieves data consensus in large-scale UAV swarms. Security analyses and performance evaluations show that the proposed scheme can resist common attacks against UAV networks, and validate that it is lightweight and efficient.
PaperID: 206,   
Authors:  Zihao Yang, Lin Wang, Yawen Zheng, Fan Dang, Xikai Sun, Zijuan Liu, Yunhao Liu
Affiliations: School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei, China; Department of Automation, Tsinghua University, Beijing, China; School of Software Engineering, Beijing Jiaotong University, Beijing, China; Department of Automation and the Global Innovation Exchange, Tsinghua University, Beijing, China
Title: Hinge: An Environment-Varying Adaptive Physical-Layer Key Generation Scheme
Abstract:
On low-power, low-cost Internet of Things (IoT) edges, coarse-grained entropy source-based physical-layer key generation (PKG) is often used, which results in a very low bit generation rate (BGR). In this paper, a novel PKG scheme, Hinge, designed to adapt to varying environmental conditions is introduced to optimize the trade-off between the bit mismatch rate (BMR) and BGR using fine-grained entropy sources on IoT devices. Hinge predicts channel reciprocity levels from one side and dynamically adjusts the quantization strategy, maintaining a low BMR while maximizing BGR. Compared with existing PKG solutions on Bluetooth devices, Hinge yields significant improvements in BGR, with a comparable BMR. Through extensive experiments, Hinge showcases its potential for providing a secure and efficient key generation mechanism for IoT devices in complex real-world scenarios.
PaperID: 207,   
Authors:  Talha Ongun, Simona Boboila, Alina Oprea, Tina Eliassi-Rad, Jason Hiser, Jack W. Davidson
Affiliations: Northeastern University, Boston, MA, USA; University of Virginia, Charlottesville, VA, USA
Title: CELEST: Federated Learning for Globally Coordinated Threat Detection
Abstract:
The cyber-threat landscape has evolved tremendously in recent years, with new threat variants emerging daily and large-scale coordinated campaigns becoming more prevalent. In this study, we propose CELEST (CollaborativE LEarning for Scalable Threat detection), a federated machine learning framework for global threat detection over HTTP, which is one of the most commonly used protocols for malware dissemination and communication. CELEST leverages federated learning in order to collaboratively train a global model across multiple clients who keep their data locally. Through a novel active learning component integrated with the federated learning technique, our system continuously discovers and learns the behavior of new, evolving, and globally-coordinated cyber threats. We show that CELEST is able to expose attacks that are largely invisible to individual organizations. For instance, in one challenging attack scenario with data exfiltration malware, the global model achieves a three-fold increase in Precision-Recall AUC compared to the local model. We also design a poisoning detection and mitigation method, DTrust, for federated learning in the collaborative threat detection domain. We deploy CELEST on two university networks and show that it is able to detect the malicious HTTP communication with high precision and low false positive rates. Furthermore, during its deployment, CELEST detected a set of 42 previously unknown malicious URLs and 20 malicious domains in one day, which were confirmed to be malicious by VirusTotal.
PaperID: 208,   
Authors:  Daiyuan Li, Zitong Yu, Jinwu Hu, Guohao Chen, Jinghui Zeng, Mingkui Tan
Affiliations: School of Software Engineering, South China University of Technology, Guangzhou, China; School of Computing and Information Technology, Great Bay University, Dongguan, China
Title: Fine-Grained Textual Guidance for Generalized Multi-Modal Face Anti-Spoofing
Abstract:
Multi-modal face anti-spoofing (FAS) is crucial for defending against presentation attacks in complex attack types and high-security scenarios. However, existing multi-modal FAS methods encounter two main limitations: 1) Most methods rely on classification supervision, which often fails to fully capture the distinctions between real faces and presentation attacks (PAs). 2) These methods depend solely on source domain data with limited PA types, leading to significant performance degradation when encountering unseen PA types and scenarios. To address these limitations, we propose a novel multi-modal fusion framework called Fine-grained Textual Guidance Multi-Modal Face Anti-Spoofing (FTG-FAS), which aligns natural language descriptions with multi-modal fused features to guide learning. Specifically, we propose a textual-guided token dropout module to select semantic invariant patch tokens for multi-modal fusion, thereby enhancing the model’s generalization capability. In the testing phase, we propose FTG-FAS++, which leverages a self-distillation scheme with online source-free adaptation to further enhance the model’s performance in unseen scenarios. Specifically, we establish a teacher-student distillation framework, where the teacher model is fed with the complete image while the student model only receives masked tokens. During adaptation, we minimize the prediction discrepancy between the teacher and student in a unidirectional manner. Meanwhile, we propose a class-balanced sample selection strategy for stable source-free adaptation to prevent the model from overfitting to either real or spoof during the tuning process. Experiments show that FTG-FAS and FTG-FAS++ outperform SOTA methods by 6.91% and 8.72% in AUC on the cross-dataset leave-one-out protocols. Code will be available at https://github.com/iamcoming233/FTG-FAS.git
PaperID: 209,   
Authors:  Yuqing Wang, Junwei Zhang, Zhuo Ma, Jinhai Zhang, Xinghua Li, Jianfeng Ma
Affiliations: State Key Laboratory of Integrated Service Networks and the School of Cyber Engineering, Xidian University, Xi’an, China
Title: PEDA: Privacy-Enhancing Distance-Aware Aggregation of Graph Neural Networks
Abstract:
Graph neural networks (GNNs) are extensively employed in location-related scenarios, relying on aggregation to gather features from neighboring nodes based on edge weights. Features are closely bound to nodes’ locations, and edge weights mirror distance correlations. In this sense, certain privacy concerns exist while providing location-based services if there is insufficient privacy protection. To this end, we propose a privacy-preserving and distance-aware data aggregation framework (PEDA) for GNNs. Specifically, PEDA achieves location privacy by combining circular-based positional coding with inner product functional encryption. Because of the masks in the codes, the decryption returns masked distances, preventing distance leakage. Following this, in order to protect feature privacy, we employ secret sharing. To preserve the collection strategy’s privacy, we implement an oblivious transfer for collecting the shared features. Additionally, we securely generate the adjacency matrix and aggregate features based on multi-party computation. Thorough security analysis and comprehensive evaluation demonstrate the privacy, feasibility and practicality of our approach. When compared to related works, PEDA offers four types of privacy, maintains distance awareness and feature utility, and allows for oblivious data collection with little sacrifice in computational cost.
PaperID: 210,   
Authors:  Yusheng Xia, Jinshu Su, Rongmao Chen, Congxi Song
Affiliations: Academy of Military Science, Beijing, China; National University of Defense Technology, Changsha, China
Title: Jump Routing: Toward Scalable and Lightweight Anonymous Network
Abstract:
Most anonymous communication systems, including TOR, adopt source routing, in which the source has to share the globally consistent view of all relays and maintain up-to-date information. To increase the scalability of TOR, researchers mainly utilize hop-by-hop routing during circuit extension. However, hop-by-hop routing has not been widely deployed since it suffers from route capture attacks, and most of the countermeasures require the source to participate in the route extension indirectly, helping verify the selection of the next hop by intermediate nodes, which introduces communication overhead. In this paper, we introduce a novel routing scheme called Jump Routing. In jump routing, the route extension proceeds in a jumping manner, in which each relay chooses the successor of the next hop rather than the next hop itself. In particular, to the best of our knowledge, we are the first to route in the jumping way. In addition, to defend against route capture attacks, enhance data privacy, and defend against collusion attacks, we propose multiple schemes including jump verification, jump encryption, and corporative jump verification. Different from previous measures against route capture attacks, jump routing does not need the participation of the source, but deals with the attack by intermediate nodes only. We realize a full jump routing prototype, and the evaluation results show that our jump routing is scalable, lightweight, and resilient.
PaperID: 211,   
Authors:  Ruiying Lu, Yalin Sun, Chunlei Peng, Yu Zheng
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China
Title: Posture-Aware Robust Person Re-Identification via Optimal Transport Calibration
Abstract:
Person re-identification aims at retrieving a person of interest across multiple non-overlapping cameras and scenarios, often suffering from high intra-identity pose variations. To alleviate the issue, some previous works try to obliterate the pose variability through normalization, which suffers from computational overhead. Furthermore, most previous methods obtain ranking lists according to the feature similarity evaluated based on the Euclidean distance in the feature space, leading to unstable and sensitive person retrieval. To this end, we propose a novel method to make good use of the pose variation based on optimal transport (OT) from a distributional point of view for robust person identification rather than obliterating the variability. During training, we introduce a prototype-matching strategy to embed correlations into representation learning and propose a posture-aware mixture of expert networks to leverage diverse characteristics to improve the model’s generalization dynamically. During testing, we perceive the ranking process as an optimal transport (OT) problem between two distributions. We view the gallery set as one distribution and employ OT to transport it to another distribution over the credible set of corresponding query images. In this way, we consider not only the statistical information of the base query image but also the credible images with more variations, treating them as multiple references with distinct learnable weights. Compared with existing methods, our proposed method moves towards a generalized representation, removing the limitation of relying solely on a single representation of the query image for each person. Note that our proposal is appropriate for both traditional single-modal and visible-infrared multi-modal person identification. Extensive experiments on benchmark datasets quantitatively and qualitatively demonstrate the effectiveness and superiority of our proposed model for both single-modal and multi-modal person identification.
PaperID: 212,   
Authors:  Chenyang Qiu, Guoshun Nan, Caiyi Zhang, Chenrui Liang, Ruiqi Dai, Hongchen Yang, Shiyuan Liu, Zhili Zhou, Changhua Pei, Xiaofeng Tao
Affiliations: National Engineering Research Center for Mobile Network Technologies, Beijing University of Posts and Telecommunications, Beijing, China; School of Artificial Intelligence, Guangzhou University, Guangzhou, China; Computer Network Information Center, Chinese Academy of Sciences, Beijing, China
Title: Mining Multi-Scale Spatial-Frequency Clues for Unsupervised Intrusion Detection
Abstract:
Unsupervised network-based intrusion detection system (UNIDS) identifies suspicious traffic and alerts administrators without using any traffic labels. Existing Graph Convolutional Network (GCN)-based UNIDS approaches show great potential by collaboratively utilizing traffic features and network topologies. However, these methods suffer from an excessively high false-positive rate (FPR), e.g., an FPR of 3.27% in a supervised NIDS approach increases dramatically to 19.37% under the unsupervised setting. We reveal that the high FPR stems from a single-scale spatial-frequency learning paradigm, which blurs the distinction between benign and malicious traffic and misleads UNIDS systems. Therefore, we propose a Multi-scale Spatial-Frequency Intrusion Detection System (MSF-IDS) to mitigate the high FPR. Specifically, we propose multi-scale frequency encoders, thereby differentiating abnormal feature patterns. Then we propose NAPH as a spatial encoder, mining intrinsic abnormal topology patterns by tracking tens of thousands of evolving traffic nodes. To the best of our knowledge, NAPH takes the first step toward differentiable persistent homology analysis over dynamic network data. We also develop an executable application for NAPH to provide easy-access visualization insights. Finally, a self-supervised representation augmentor and an intrusion detector are proposed to refine and highlight the attack-specific information. Equipped with MSF-IDS, administrators can effectively identify unknown attack traffic, freeing security staff from labor-intensive engineering. Extensive experiments demonstrate the superiority of MSF-IDS, including binary classification, multi-classification, online intrusion detection, and visualized discussions. Our codes, datasets, and an executable application are available at https://github.com/qcydm/MSF-IDS
PaperID: 213,   
Authors:  Chengrui Hao, Boyu Wang, Chunlei Peng, Decheng Liu, Nannan Wang, Ruimin Hu, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi, China; School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Electronic Engineering, Xidian University, Xi’an, Shaanxi, China
Title: Masked Text Adversarial Training for Cloth-Changing Person Re-Identification
Abstract:
Cloth-Changing Person Re-Identification (CC-ReID) aims to match persons who have changed clothes over extended periods. The key challenge of CC-ReID lies in extracting features independent of clothing. In recent years, many studies have focused on pedestrian multi-modal features that are less variable compared to clothing color features. Among these studies, some focus solely on biometric features, ignoring the easily accessible and editable textual features in images. On the other hand, methods leveraging textual features always utilize prior knowledge to explore explicit part alignment but lack the necessary low-level alignment capabilities, which limits their effectiveness in matching multi-modal data. To address these, we propose a masked text adversarial training method for cloth-changing person re-identification (MTAT), which integrates textual features containing sequential textual descriptions of masked color information of persons with visual cues into a cross-attention encoder to learn the relationships between local visual and textual tokens, enabling cross-modal interaction. Furthermore, we employ a textual adversarial loss to penalize the ability of the ReID model to predict clothing attributes, thus mining clothing-independent features from raw RGB images. Notably, we introduce a learned textual perturbation strategy to simulate real-world description inaccuracies, which significantly enhances the robustness of the model. Experiments were conducted on several CC-ReID benchmark datasets, including LTCC, Celeb-reID and Celeb-reID-light. The results demonstrate that the MTAT method effectively integrates textual features, significantly improving cloth-changing person re-identification performance and outperforming state-of-the-art methods.
PaperID: 214,   
Authors:  Mohamed Mobarak, Riham AlTawy, Amr M. Youssef
Affiliations: Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada; Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, Canada
Title: Privacy-Preserving Authentication for Unlinkable Avatars in the Metaverse
Abstract:
The metaverse is a virtual world that mirrors real life, allowing users to engage in activities and access services without the constraints of time and space. In the metaverse, users can create one or more avatars that reflect their personal preferences, enabling them to participate in activities that match their tastes and needs. To protect users’ freedom and anonymity, it is imperative for metaverse platforms to support the creation of unlinkable avatars. This ensures that the different avatars a user creates cannot be connected, keeping their virtual identities separate and reducing the risk of retaliation for their actions. In this paper, we propose an unlinkable avatar authentication scheme, $\mathsf{UAVA}$, which leverages cryptographic group signatures to enable metaverse users to create and certify their avatars without interaction with service providers. These certified avatars can then be anonymously authenticated, ensuring unlinkability between multiple avatars belonging to the same user. $\mathsf{UAVA}$ maintains anonymity between users and their avatars, while allowing service providers to trace malicious avatars back to their users. We formally define and prove the security properties of $\mathsf{UAVA}$, implement the protocol using socket programming, and report on its cryptographic overheads. We also evaluate its cryptographic overhead and compare it to related protocols in terms of efficiency, security, and scalability.
PaperID: 215,   
Authors:  Guangyong Gao, Yan Ding, Tongchao Feng, Zhangjie Fu, Yunqing Shi
Affiliations: Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China; Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ, USA
Title: MTVDGAN: Multi-Token-ViT Dense GAN for Robust Screen-Shooting Watermarking
Abstract:
The widespread use of digital imaging devices has exposed a key challenge: the moiré distortion in screen-shooting content preservation significantly weakens the robustness of visual information extraction. Existing methods struggle to achieve effective feature extraction and moiré distortion suppression simultaneously. This paper proposes a dual module solution based on a generative adversarial network architecture. This framework combines the Multi-Token-ViT (MTV) mechanism for hierarchical feature aggregation and the Dense-net Feature Fusion (DFF) module with cross-layer connections. Specifically, MTV captures multi-scale visual semantics through tokenized paths and generates attention masks to guide adaptive watermark embedding in texture areas. DFF establishes dense cross-layer connections between convolutional blocks, gradually refining features through multi-level information loops. The combination of dual modules effectively enhances the invisibility of watermarks. In addition, this paper proposes a Stacked Moiré Distortion (SMD) simulation technique based on the superposition principle of waves, which uses the waveform superposition of multiple periodic signals to generate realistic training samples that match the spectral complexity of the actual scene, in order to improve the robustness of the model. Our solution demonstrates superior information fidelity and generalization ability under complex interference modes through extensive experiments across various device categories and distortion modes. The code is available at https://github.com/Jane9921/MTVDGAN-Multi-Token-ViT-Dense-GAN-for-Robust-Screen-Shooting-Watermarking.git
PaperID: 216,   
Authors:  Jinguo Li, Delong Cui, Junqin Huang, Linghe Kong
Affiliations: College of Computer Science and Technology, Shanghai University of Electric Power, Shanghai, China; School of Computer Science, Shanghai Jiao Tong University, Shanghai, China
Title: Pattern-Hiding Encrypted Multi-Maps With Support for Join Queries
Abstract:
The recently proposed Join Cross-Tags Protocol (JXT) addresses the long-standing issue of excessive query overhead in table joins within Searchable Symmetric Encryption (SSE). As a purely symmetric-key solution, JXT supports efficient conjunctive queries over equi-joins of encrypted tables without requiring any pre-computation during the setup phase. However, JXT has a potential limitation: it may inadvertently reveal the actual volumes of identifiers corresponding to attribute-value pairs, as well as the result values of the join queries. In this paper, we propose JXTMM (JXT multi-map), the first join query scheme designed to hide both volume patterns and result patterns. JXTMM is capable of concealing identifier volumes, preventing the server from learning the actual volumes of attribute-value pairs, and shifting the checkability of join results to the client side, thereby eliminating result pattern leakage. We provide a formal security proof for JXTMM, along with a comprehensive efficiency analysis. Experimental results demonstrate that JXTMM not only performs efficiently on table join queries but also effectively achieves volume-hiding in such queries.
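The volume pattern the abstract refers to is the number of encrypted entries a server hands back per query. The following Python is an added illustration for this entry, not the JXT or JXTMM construction: a toy encrypted multi-map in which an honest-but-curious server counts entries per label, and the naive baseline defence of padding every value list to one fixed length, which hides the volume at the cost of linear storage. HMAC-SHA256 stands in for the PRF and a PRF-derived keystream for the symmetric cipher (toy, non-production assumptions); the sample multi-map and the 16-byte identifier limit are constructed here.

```python
"""Toy encrypted multi-map (EMM): what the server learns from volumes, and
fixed-length padding as the naive volume-hiding baseline.
Added illustration; NOT the JXT/JXTMM construction.
Assumptions: HMAC-SHA256 as PRF, a PRF-derived keystream as a toy cipher,
identifiers of at most ENTRY_LEN bytes."""
import hashlib
import hmac

ENTRY_LEN = 16              # fixed ciphertext length so entry length does not leak
DUMMY = b"\x00dummy"        # padding entry; real identifiers never start with NUL


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_crypt(key: bytes, label: bytes, ctr: int, data: bytes) -> bytes:
    """Encrypt or decrypt one fixed-size entry under keystream PRF(key, label||ctr)."""
    stream = prf(key, label + ctr.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream[:ENTRY_LEN]))


def build_emm(key: bytes, mm: dict, pad_to=None) -> dict:
    """Client-side setup. mm maps an attribute-value pair to a list of identifiers.
    Returns the encrypted database kept by the server: label -> [ciphertexts].
    With pad_to set, every list is padded to exactly pad_to entries with dummies."""
    k_label, k_enc = prf(key, b"label"), prf(key, b"enc")
    edb = {}
    for attr_val, ids in mm.items():
        entries = [i.encode() for i in ids]
        assert all(len(e) <= ENTRY_LEN for e in entries), "identifier too long"
        if pad_to is not None:
            assert len(entries) <= pad_to, "pad_to must bound the largest volume"
            entries += [DUMMY] * (pad_to - len(entries))
        label = prf(k_label, attr_val.encode())
        edb[label] = [xor_crypt(k_enc, label, ctr, e.ljust(ENTRY_LEN, b"\x00"))
                      for ctr, e in enumerate(entries)]
    return edb


def search_token(key: bytes, attr_val: str) -> bytes:
    """Client: the label is the search token sent to the server."""
    return prf(prf(key, b"label"), attr_val.encode())


def server_search(edb: dict, token: bytes) -> list:
    """Server: returns the ciphertexts; len() is the volume it learns per query."""
    return edb.get(token, [])


def client_decrypt(key: bytes, token: bytes, cts: list) -> list:
    """Client: decrypt and drop padding entries, so dummies never reach the app."""
    k_enc = prf(key, b"enc")
    out = []
    for ctr, ct in enumerate(cts):
        pt = xor_crypt(k_enc, token, ctr, ct).rstrip(b"\x00")
        if not pt.startswith(b"\x00"):
            out.append(pt.decode())
    return out


def server_volume_view(edb: dict) -> list:
    """What a passive server learns from storage alone: the multiset of volumes."""
    return sorted(len(cts) for cts in edb.values())


# Constructed sample data (not from the paper).
SAMPLE_MM = {"dept=ops": ["u1", "u2", "u3"], "dept=sec": ["u4"], "role=admin": ["u1", "u4"]}
KEY = b"\x01" * 32

if __name__ == "__main__":
    leaky = build_emm(KEY, SAMPLE_MM)
    padded = build_emm(KEY, SAMPLE_MM, pad_to=4)
    print("volumes without padding:", server_volume_view(leaky))   # distinguishes labels
    print("volumes with padding:   ", server_volume_view(padded))  # all equal
    tok = search_token(KEY, "dept=ops")
    print("client result:", client_decrypt(KEY, tok, server_search(padded, tok)))
```

Without padding the server distinguishes the three labels by volume alone (1, 2 and 3 entries) even though labels and entries are opaque; with padding it sees four entries everywhere. The price is storage proportional to the largest list for every list, which is the overhead that dedicated volume-hiding designs aim to reduce.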
PaperID: 217,   
Authors:  Huiqi Xian, Xiaoya Hu, Yabin Zhang, Huimai Zhang
Affiliations: School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China; Instrumentation Technology and Economy Institute, Beijing, China
Title: Integrated Security Strategies Generation and Optimization in ICPSs
Abstract:
In industrial cyber-physical systems (ICPSs), the strong coupling characteristics between the cyber and physical systems increase the complexity of security strategy decision-making. A trade-off exists in current methods: complex decision models hinder the fulfillment of real-time demands, whereas simplified coupling characteristics compromise strategy effectiveness. In recent years, digital twin (DT) technology has gained increasing attention in industrial security because of its high-fidelity modeling and real-time interaction capabilities. Motivated by this trend, we propose an integrated security strategy generation and optimization method for ICPSs that incorporates DT to tackle the challenge of balancing real-time performance with strategy reliability. Leveraging the high fidelity of the existing DT in ICPS, the coupling characteristics can be directly mapped to the virtual model, avoiding the cumbersome modeling operations. We first quickly generate an initial strategy space through a lightweight basic decision model. Subsequently, a DT-based closed-loop evaluation mechanism is introduced to facilitate rapid convergence toward the optimal strategy. It reduces computational complexity while preserving the authenticity of coupling characteristics, thereby enhancing the efficiency and accuracy of security decision-making. Experimental verification and analysis demonstrate that our method provides a feasible solution for efficient security decision-making in ICPSs.
PaperID: 218,   
Authors:  Zhiyu Pan, Xiongjun Guan, Yongjie Duan, Jianjiang Feng, Jie Zhou
Affiliations: School of Cyber Science and Technology, Shandong University, Qingdao, China; Shanghai Qizhi Institute, Shanghai, China; School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; China Mobile Internet, Guangzhou, China; Quan Cheng Laboratory, Jinan, China
Title: Finding More Hints-Improved Power Analysis Attacks on Dilithium
Abstract:
CRYSTALS-Dilithium (referred to as Dilithium) is a standard in NIST’s post-quantum cryptography project. However, its design does not include protections against attacks exploiting intermediate data leakage. Since Ravi and Bruinderink introduced schemes to forge Dilithium signatures, numerous works have leveraged power analysis attacks to exploit vulnerabilities in Dilithium implementations. In this paper, we revisit previous attacks and identify promising optimization strategies for hints-oriented attacks. In such attacks, an adversary first utilizes side-channel leakage to derive hint equations related to the secret key and then solves for the secret key using these equations. Our new strategy enables each signature to generate more valid hint equations, significantly reducing the number of required signatures for a successful attack. By incorporating machine learning techniques, specifically the Convolutional Neural Network (CNN), we can efficiently detect hint equations with high accuracy. Furthermore, by combining a lattice-based algorithm with hybrid filtering methods, our scheme can further reduce the required number of hint equations. Additionally, our attack method is applicable to Dilithium security levels 2, 3, and 5. For Dilithium-2, the proposed attack successfully recovers the complete secret key even under low Signal-to-Noise Ratio (SNR) conditions, requiring 395, 330, and 305 signatures at SNRs of 0.0167, 0.0210, and 0.0406, respectively.
PaperID: 219,   
Authors:  Qiaolin He, Yiming Yang, Zihan Wang, Haifeng Hu
Affiliations: School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China
Title: Part-Based Bi-Directional Enhancement Learning for Unsupervised Visible-Infrared Re-Identification
Abstract:
Unsupervised Learning Visible-Infrared Person Re-identification (USL-VI-ReID) aims to learn uniform feature representations for retrieving persons from unlabeled cross-modality data, which can accomplish 24-hour surveillance without expensive manual annotations. However, USL-VI-ReID is a cross-modality retrieval task that suffers from cross-modality label association and cross-modality feature discrepancy problems. To address these two problems, we propose a Part-based Bidirectional Enhancement (PBE) framework for learning a cross-modality uniform representation of USL-VI-ReID. The PBE consists of both forward and backward enhancements: 1) To alleviate the cross-modality label association problem, we propose a Part-based Label Forward Enhancement (PLFE) module. The PLFE module employs part features to complement global features during the label association process, thus generating higher-quality VI-associated pseudo-labels for the forward enhancement of the feature learning process. 2) To mitigate the cross-modality feature discrepancy problem, we propose a Part-based Feature Backward Enhancement (PFBE) module. The PFBE module utilizes part features to augment global features during the feature learning process, thus learning more robust uniform features for the backward enhancement of the label association process. Based on the part features, our PBE method achieves bi-directional enhancement during the label association and feature learning processes for robust recurrent training. Extensive experiments on SYSU-MM01 and RegDB datasets demonstrate that the proposed PBE framework outperforms existing USL-VI-ReID methods. Code is available at https://github.com/heqlin5/PBE
PaperID: 220,   
Authors:  Hanrui Wang, Ching-Chun Chang, Chun-Shien Lu, Christopher Leckie, Isao Echizen
Affiliations: Echizen Laboratory, National Institute of Informatics (NII), Tokyo, Japan; Institute of Information Science, Academia Sinica, Taipei, Taiwan; School of Computing and Information Systems, The University of Melbourne, Parkville, VIC, Australia
Title: GreedyPixel: Fine-Grained Black-Box Adversarial Attack via Greedy Algorithm
Abstract:
Deep neural networks are highly vulnerable to adversarial examples, which are inputs with small, carefully crafted perturbations that cause misclassification—making adversarial attacks a critical tool for evaluating robustness. Existing black-box methods typically entail a trade-off between precision and flexibility: pixel-sparse attacks (e.g., single- or few-pixel attacks) provide fine-grained control but lack adaptability, whereas patch- or frequency-based attacks improve efficiency or transferability, but at the cost of producing larger and less precise perturbations. We present GreedyPixel, a fine-grained black-box attack method that performs brute-force-style, per-pixel greedy optimization guided by a surrogate-derived priority map and refined by means of query feedback. It evaluates each coordinate directly without any gradient information, guaranteeing monotonic loss reduction and convergence to a coordinate-wise optimum, while also yielding near white-box-level precision and pixel-wise sparsity and perceptual quality. On the CIFAR-10 and ImageNet datasets, spanning convolutional neural networks (CNNs) and Transformer models, GreedyPixel achieved state-of-the-art success rates with visually imperceptible perturbations, effectively bridging the gap between black-box practicality and white-box performance. The implementation is available at https://github.com/azrealwang/greedypixel
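The core loop the abstract describes is coordinate-wise: visit pixels in the order a surrogate model suggests, try a candidate value per pixel, keep it only if the black-box loss goes down. The following Python is an added toy illustration of that loop, not the GreedyPixel implementation. It assumes a 3x3 grey-scale image with values in [0, 1], a logistic classifier the attacker can only query for the probability of the original class, and a surrogate that is simply a second linear model with similar weights; all weights and the starting image are constructed here.

```python
"""Toy greedy per-pixel black-box attack: surrogate-derived priority order plus
query feedback, accepting a pixel change only when the loss strictly decreases.
Added illustration; NOT the GreedyPixel code. Model and surrogate are constructed."""
import math


class BlackBoxModel:
    """Logistic classifier. The attacker sees only query(); weights stay private."""
    def __init__(self, weights, bias):
        self._w, self._b = weights, bias
        self.queries = 0

    def query(self, x):
        self.queries += 1
        logit = sum(w * v for w, v in zip(self._w, x)) + self._b
        return 1.0 / (1.0 + math.exp(-logit))      # P(class 1), the original class


def priority_map(surrogate_weights):
    """Surrogate-derived priority: pixels with the largest |weight| are tried first."""
    return sorted(range(len(surrogate_weights)),
                  key=lambda i: -abs(surrogate_weights[i]))


def greedy_pixel_attack(model, x0, surrogate_weights, eps=0.5, budget=9):
    """Coordinate-wise greedy search with query feedback.
    Each pixel may move to x-eps or x+eps (clipped to [0, 1]); a move is kept only
    if it strictly lowers P(original class), so the recorded loss is monotone.
    Stops once the prediction flips (loss < 0.5) or budget pixels were changed."""
    x = list(x0)
    loss = model.query(x)
    history = [loss]
    changed = []
    for i in priority_map(surrogate_weights):
        if len(changed) >= budget or loss < 0.5:
            break
        best_val, best_loss = x[i], loss
        for cand in (max(0.0, x[i] - eps), min(1.0, x[i] + eps)):
            if cand == x[i]:
                continue
            trial = x[:]
            trial[i] = cand
            trial_loss = model.query(trial)      # one black-box query per candidate
            if trial_loss < best_loss:
                best_val, best_loss = cand, trial_loss
        if best_loss < loss:                     # accept only strict improvements
            x[i], loss = best_val, best_loss
            history.append(loss)
            changed.append(i)
    return {"adv": x, "changed": changed, "history": history,
            "success": loss < 0.5, "queries": model.queries}


# Constructed toy instance (not from the paper): 3x3 image, flattened row-major.
TARGET_W = [2.0, -1.0, 0.5, 3.0, -2.0, 0.2, 1.0, -0.5, 0.1]
SURROGATE_W = [1.8, -1.2, 0.4, 2.9, -1.9, 0.3, 1.1, -0.4, 0.2]
X0 = [0.5] * 9

if __name__ == "__main__":
    result = greedy_pixel_attack(BlackBoxModel(TARGET_W, 0.0), X0, SURROGATE_W)
    print(result)
```

On this instance the surrogate ranks pixels 3, 4 and 0 first; setting pixel 3 to 0 and pixel 4 to 1 flips the prediction after five queries with two pixels changed, and the loss sequence never increases. Capping `budget` shows the failure mode: with `budget=1` the search stops after one accepted pixel without flipping the label.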
PaperID: 221,   
Authors:  Jie Ma, Junqing Zhang, Guanxiong Shen, Linning Peng, Alan Marshall
Affiliations: School of Computer Science and Informatics, University of Liverpool, Liverpool, U.K.; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Toward Channel-Robust and Receiver-Independent Radio Frequency Fingerprint Identification
Abstract:
Radio frequency fingerprint identification (RFFI) is an emerging method for authenticating Internet of Things (IoT) devices. RFFI exploits the intrinsic and unique hardware imperfections for classifying IoT devices. Deep learning-based RFFI has shown excellent performance. However, there are still remaining research challenges, such as limited public training datasets as well as the impacts of channel and receiver effects. In this paper, we proposed a three-stage RFFI approach involving contrastive learning-enhanced pretraining, Siamese network-based classification network training, and inference. Specifically, we employed spectrograms as the signal representation to decouple the transmitter impairments from channel effects and receiver impairments. We proposed an unsupervised contrastive learning method to pretrain a channel-robust RFF extractor. In addition, the Siamese network-based scheme is enhanced by data augmentation and contrastive loss, which is capable of jointly mitigating the effects of channel and receiver impairments. We carried out a comprehensive experimental evaluation using three public LoRa datasets and one self-collected LoRa dataset. The results demonstrated that our approach can effectively and simultaneously mitigate the effects of channel and receiver impairments. We also showed that pretraining can significantly reduce the required amount of fine-tuning data. Our proposed approach achieved an accuracy of over 90% in dynamic non-line-of-sight (NLOS) scenarios when there are only 20 packets per device.
PaperID: 222,   
Authors:  Vamoua Yachongka, Rémi A. Chou
Affiliations: Department of Computer Science and Engineering, The University of Texas at Arlington, Arlington, TX, USA
Title: Secret-Key Generation From Private Identifiers Under Channel Uncertainty
Abstract:
This study investigates secret-key generation for device authentication using physical identifiers, such as responses from physical unclonable functions (PUFs). The system includes two legitimate terminals (encoder and decoder) and an eavesdropper (Eve), each with access to different measurements of the identifier. From the device identifier, the encoder generates a secret key, which is securely stored in a private database, along with helper data that is saved in a public database accessible by the decoder for key reconstruction. Eve, who also has access to the public database, may use both her own measurements and the helper data to attempt to estimate the secret key and identifier. Our setup focuses on authentication scenarios where channel statistics are uncertain, with the involved parties employing multiple antennas to enhance signal reception. Our contributions include deriving inner and outer bounds on the optimal trade-off among secret-key, storage, and privacy-leakage rates for general discrete sources, and showing that these bounds are tight for Gaussian sources.
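The three quantities the abstract trades off (secret-key rate, storage rate for the public helper data, and privacy leakage about the identifier) are easiest to see on a concrete code-offset construction. The following Python is an added illustration of that encoder/decoder/helper-data setting, not the paper's scheme, and its rates are far from the optimal ones the paper bounds. It assumes the identifier is a bit list, a length-5 repetition code (majority decoding, correcting up to 2 flips per block) as the error-correcting code, and SHA-256 as the key-derivation hash; the identifier and flip positions in the usage are constructed.

```python
"""Code-offset secret-key generation from a noisy identifier (e.g. a PUF response).
Added illustration; NOT the paper's scheme.
Encoder: secret -> codeword, helper = identifier XOR codeword (public).
Decoder: measurement XOR helper -> noisy codeword -> majority decode -> same key.
Assumptions: repetition code of length REP, SHA-256 as the KDF."""
import hashlib
import random
import secrets

REP = 5  # repetition block length (assumption); majority decoding fixes <= 2 flips


def derive_key(secret_bits):
    """Hash the decoded secret so the stored key is a fixed-size byte string."""
    return hashlib.sha256(bytes(secret_bits)).digest()


def enroll(identifier, rng=None):
    """Encoder. Returns (key for the private DB, helper data for the public DB)."""
    rng = rng or secrets.SystemRandom()
    assert len(identifier) % REP == 0, "identifier length must be a multiple of REP"
    secret = [rng.getrandbits(1) for _ in range(len(identifier) // REP)]
    codeword = [bit for bit in secret for _ in range(REP)]
    helper = [w ^ c for w, c in zip(identifier, codeword)]
    return derive_key(secret), helper


def reconstruct(measurement, helper):
    """Decoder (and equally Eve, who also reads the public helper data)."""
    noisy_codeword = [m ^ h for m, h in zip(measurement, helper)]
    secret = [int(sum(noisy_codeword[i:i + REP]) > REP // 2)
              for i in range(0, len(noisy_codeword), REP)]
    return derive_key(secret)


def flip_bits(bits, positions):
    """Simulate measurement noise: flip the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def identifier_candidates_given_helper(helper):
    """Privacy leakage: with helper published, the identifier is pinned down to one
    of 2^(n/REP) values (one per codeword) instead of 2^n, for a uniform identifier."""
    return 2 ** (len(helper) // REP)


def toy_rates():
    """Rates per identifier bit for this construction (uniform identifier):
    key bits, public storage bits, and the helper's leakage about the identifier."""
    return {"secret_key": 1 / REP, "storage": 1.0, "privacy_leakage": 1 - 1 / REP}


# Constructed example: a 40-bit identifier from a seeded generator.
IDENTIFIER = [random.Random(1).getrandbits(1) for _ in range(40)]

if __name__ == "__main__":
    key, helper = enroll(IDENTIFIER, rng=random.Random(7))
    noisy = flip_bits(IDENTIFIER, [0, 1, 5, 6, 12])       # <= 2 flips per block
    print("decoder recovers key:", reconstruct(noisy, helper) == key)
    too_noisy = flip_bits(IDENTIFIER, [0, 1, 2])          # 3 flips in block 0
    print("3 flips in one block: ", reconstruct(too_noisy, helper) == key)
    print("identifier candidates given helper:", identifier_candidates_given_helper(helper))
    print(toy_rates())
```

Two practical points follow directly from the code. The helper data must be published, so anything the decoder can do with it, Eve can do with her own measurement of the identifier; a repetition code tolerates up to 2 flips per block, and a single block with 3 flips silently yields a different key rather than an error. Likewise the leakage is structural: once `helper` is public, the identifier is determined by the 8-bit secret, which is why the abstract treats privacy leakage as a rate to be bounded alongside key and storage rates.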
PaperID: 223,   
Authors:  Siwen Li, Jiacheng Chen, Shuangyin Ren, Boyu Deng, Jingchao Wang, Jieling Wang
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Strategic and Advanced Interdisciplinary Research, Peng Cheng Laboratory, Shenzhen, China; Institute of Systems Engineering, AMS, Beijing, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China
Title: Low-Complexity Secure Beamforming With Fluid Antenna-Assisted MU-MISO System
Abstract:
Fluid Antenna (FA) systems hold significant potential for enhancing physical layer security (PLS) by dynamically adjusting the positions of transmit antennas to suppress information leakage to eavesdroppers. However, the joint optimization of secure beamforming and FA positions is very challenging and remains unsolved, given the mutually coupled, non-convex and NP-hard nature of the problem. In this paper, we investigate the FA-assisted multi-user multiple-input single-output (MU-MISO) system for maximizing the downlink secrecy rate. First of all, we propose an alternating optimization (AO) framework to decouple the problem. For efficient FA position optimization, we introduce a low-sampling successive selection and successive convex approximation (L3S-SCA) method, which first selects a proper port in discrete space and subsequently refines the FA positions via continuous optimization. For secure beamforming, we reformulate the problem as an unconstrained optimization on Riemannian manifold, eliminating the errors from relaxing per-antenna power constraints (PAPC). We design the necessary Riemannian tools and propose a Limited-memory Riemannian Broyden-Fletcher-Goldfarb-Shanno (LRBFGS) method with low computational complexity. Comprehensive convergence and complexity analyses are conducted, and simulation results demonstrate the advantages of FA-assisted secure beamforming, as well as the superiority of our proposed algorithms in terms of performance and complexity.
PaperID: 224,   
Authors:  Yang Yang, Wai Keung Ching, Minming Huang, Supachate Innet, Guomin Yang, HweeHwa Pang, Robert H. Deng
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; Department of Computer and Artificial Intelligence, School of Engineering, University of the Thai Chamber of Commerce, Bangkok, Thailand
Title: DISC: Decentralized Identity System With Self-Sovereign Credential Aggregation
Abstract:
The evolution of decentralized identity (DID) and self-sovereign identity (SSI) frameworks, as endorsed by W3C Verifiable Credentials (VC) and eIDAS 2.0, underscores the need for secure, efficient, and privacy-preserving credential management. However, existing credential systems often depend on centralized issuers, lack efficient aggregation mechanisms, or fail to ensure unlinkability across authentication sessions. To address these challenges, we propose DISC (Decentralized Identity System with Self-Sovereign Credential Aggregation), a novel credential system that enables multi-authority credential issuance, user-controlled credential aggregation, and unlinkable authentication. DISC allows users to aggregate credentials from multiple issuers while maintaining constant-size authentication tokens and supporting batch verification for scalable authentication. Additionally, DISC ensures unlinkability of aggregated authentication tokens, preventing verifiers from correlating sessions even when credentials share attributes. Security analysis proves DISC’s unforgeability, anonymity, and unlinkability, while experimental results confirm its efficiency in credential issuance, aggregation, and verification. Compared to existing schemes, DISC offers a scalable, privacy-preserving, and efficient decentralized identity solution, making it well-suited for real-world applications requiring secure and privacy-preserving identity verification.
PaperID: 225,   
Authors:  An Braeken, Awaneesh Kumar Yadav, Jorge Munilla
Affiliations: Department of Engineering Technology (INDI), Vrije Universiteit Brussel, Brussels, Belgium; School of Computing and Electrical Engineering, Indian Institute of Technology Mandi, Mandi, India; Department of Telecommunication Engineering, University of Málaga, Málaga, Spain
Title: A Practical Transition to Post-Quantum Security in 5G-AKA
Abstract:
The current 5G-AKA protocol faces significant security challenges, including the lack of Perfect Forward Secrecy and Post-Quantum (PQ) security. In particular, the absence of PQ protection makes current communications vulnerable to future quantum adversaries who may decrypt stored messages once large-scale quantum computers become available. To mitigate this risk, a transition to PQ security must be implemented as soon as possible. Two primary approaches exist for this transition: 1) symmetric key-based techniques, which require a secure channel for key distribution, leading to increased costs, and 2) modern PQ public-key primitives, which offer stronger security but come with high communication overhead. In this paper, we propose a solution that leverages PQ cryptographic primitives for confidentiality and privacy protection, while retaining classical public-key cryptography for authentication. This approach is viable because digital signatures must be secure today, even if they are compromised in the future. Moreover, our framework allows for a seamless transition to fully PQ-secure authentication when quantum threats become imminent. In addition, the framework also supports the zero-trust architecture in which no secure channel between Serving Network (SN) and Home Network (HN) is assumed. We have carefully analysed the security of the proposed protocol using both informal and formal (Real-Or-Random (ROR) logic and Scyther Validation tool) methods. We also compared its performance in terms of computation, communication, and storage, and found that it performs better than existing protocols.
PaperID: 226,   
Authors:  Tong Fu, Liquan Chen, Yinghua Jiang, Ju Jia, Zhangjie Fu
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; College of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, China
Title: Image Steganalysis Based on Dual-Path Enhancement and Fractal Downsampling
Abstract:
Image steganalysis has always been an important topic in the field of information security, and researchers have designed many excellent steganalysis models. However, the existing steganalysis models tend to construct a single path and increase the convolution kernels to reduce the size of feature maps, which is not comprehensive enough to extract the features and may boost the number of parameters. In addition, the single residual block stacking may pay attention to protecting stego signals and neglect the mining of hidden features. To address these issues, we propose a steganalysis model based on dual-path enhancement and fractal downsampling, which is suitable for both spatial and JPEG domains. The model reuses and strengthens noise residuals through two dual-path enhancement blocks, and designs a fractal downsampling block for downsampling at multiple levels, angles, and composition structures. The experimental results demonstrate that the proposed model achieves the best detection performance in both spatial and JPEG domains compared with other state-of-the-art methods. Besides, we design a series of ablation experiments to verify the rationality of each component.
PaperID: 227,   
Authors:  Chong Xiao, Ming Tang, Sengim Karayalcin, Wei Cheng
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Leiden Institute of Advanced Computer Science (LIACS), Leiden University, Leiden, EZ, The Netherlands; LTCI Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France
Title: LD-PA: Distilling Univariate Leakage for Deep Learning-Based Profiling Attacks
Abstract:
Deep learning-based profiling attacks have received significant attention for their potential against masking-protected devices. Currently, additional capabilities like exploiting only a segment of the side-channel traces or having knowledge of the specific countermeasure scheme have been granted to attackers during the profiling phase. In case either capability is removed, a practical profiling attack faces great difficulty and complexity. To address this challenge, we propose an efficient and scheme-agnostic Leakage Distillation-based Profiling Attack (LD-PA). By distilling univariate leakage from a reference, we can train an encoder that extracts multivariate leakage from raw traces and transforms it into an effective representation (transitional leakage). An indirect connection between multivariate leakage and the target variable is established by bridging through the transitional leakage, thereby facilitating the inference of leaked values. Remarkably, LD-PA achieves successful attacks on multiple public datasets using a simple multilayer perceptron (MLP) without necessitating an exhaustive hyperparameter search, while its performance is competitive with state-of-the-art methods. Simultaneously, we delve into the nature of transitional leakage, confirming the existence of combined leakage. This, in turn, validates that the guidance from univariate leakage references aids in the combination of multivariate leakage. Besides that, each component of the multivariate leakage is extracted and stacked in a highly aligned manner. Moreover, we explored several factors impacting LD-PA performance, covering scenarios with limited profiling traces, noisy references, alternative references, and hyperparameter tuning.
PaperID: 228,   
Authors:  Shuping Zhao, Lunke Fei, Bob Zhang, Jie Wen, Jinrong Cui
Affiliations: School of Computer Science, Guangdong University of Technology, Guangzhou, China; Department of Computer and Information Science, PAMI Research Group, University of Macau, Taipa, Macau, China; Shenzhen Key Laboratory of Visual Object Detection and Recognition, Harbin Institute of Technology, Shenzhen, Shenzhen, China; College of Mathematics and Informatics, South China Agricultural University, Guangzhou, China
Title: Toward Mobile Palmprint Recognition via Multi-View Hierarchical Graph Learning
Abstract:
Three significant challenges have been limiting stable palmprint recognition via mobile devices: 1) rotations and inconsistent scales of the unconstrained hand; 2) noise generated in open imaging environments; and 3) low-quality images captured in low-illumination conditions. Current palmprint representation methods rely on rich prior knowledge and lack adaptability to their environment. In this paper, we propose a multi-view hierarchical graph learning based palmprint recognition (MVHG_PR) method, which comprehensively presents the discriminant palmprint features from multiple views. Fully exploiting different types of characteristics, it aims to adaptively perform multi-view feature description and feature selection. To this end, a novel regularized heterogeneous graph learning strategy is proposed for construction of the intra- and inter-class relationships, learning high-order structures for different views between four tuples, rather than just pair-wise intrinsic structures. In the proposed model, the learned hierarchical graph is given an elastic power from the label information to precisely reflect the intra-class and the inter-class relationships in each view, such that the projected structures can be aligned locally and globally. Besides this, we constructed a mobile palmprint dataset to simulate as many open application circumstances as possible to verify the effectiveness of contactless palmprint recognition methods. Experimental results have proven the superiority of the proposed MVHG_PR by achieving the best recognition performance on a number of real-world palmprint databases. The proposed mobile palmprint database and the code of the proposed MVHG_PR are available at https://github.com/ShupingZhao/MVHG_PR-for-contactless-palmprint-recognition.
PaperID: 229,   
Authors:  Xiongjun Guan, Zhiyu Pan, Jianjiang Feng, Jie Zhou
Affiliations: Department of Automation, Tsinghua University, Beijing, China
Title: Joint Identity Verification and Pose Alignment for Partial Fingerprints
Abstract:
Currently, portable electronic devices are becoming more and more popular. For lightweight considerations, their fingerprint recognition modules usually use limited-size sensors. However, partial fingerprints have few matchable features, especially when there are differences in finger pressing posture or image quality, which makes partial fingerprint verification challenging. Most existing methods regard fingerprint position rectification and identity verification as independent tasks, ignoring the coupling relationship between them—relative pose estimation typically relies on paired features as anchors, and authentication accuracy tends to improve with more precise pose alignment. In this paper, we propose a novel framework for joint identity verification and pose alignment of partial fingerprint pairs, aiming to leverage their inherent correlation to improve each other. To achieve this, we present a multi-task CNN (Convolutional Neural Network)-Transformer hybrid network, and design a pre-training task to enhance the feature extraction capability. Experiments on multiple public datasets (NIST SD14, FVC2002 DB1_A & DB3_A, FVC2004 DB1_A & DB2_A, FVC2006 DB1_A) and an in-house dataset demonstrate that our method achieves state-of-the-art performance in both partial fingerprint verification and relative pose estimation, while being more efficient than previous methods. Code is available at: https://github.com/XiongjunGuan/JIPNet.
PaperID: 230,   
Authors:  Jing Bai, Chang Ge, Zhu Xiao, Hongbo Jiang, Tong Li, Huaji Zhou, Licheng Jiao
Affiliations: Key Laboratory of Intelligent Perception and Image Understanding of the Ministry of Education, School of Artificial Intelligence, Xidian University, Xi’an, China; Chongqing Research Institute and the College of Computer Science and Electronic Engineering, Hunan University, Changsha, China; Department of Electronic Engineering, Tsinghua University, Beijing, China; National Key Laboratory of Electromagnetic Space Security, Jiaxing, China
Title: A Multiscale Discriminative Attack Method for Automatic Modulation Classification
Abstract:
Automatic Modulation Classification (AMC)-oriented Deep Neural Networks (ADNNs) have received much attention in recent years for their wide range of applications. However, they are vulnerable to attacks. Adversarial Examples (AEs) of modulation signals with added weak perturbations can easily fool ADNNs. The study of AEs on AMC, on one side, can enhance the security of wireless communication systems; on the other side, it can provide an effective defence against potential attacks. Nevertheless, most existing attack methods generate AEs with low transferability. In this paper, we propose a Multiscale Discriminative Attack Method (MDAM) for modulated signals. The method strives to alleviate this transferability issue by destroying discriminative features across multiple layers. Specifically, we utilize interpretable class activation maps to distinguish the discriminative regions, ignoring the noise and focusing on the interference of the discriminative features. Beyond that, we propose a multi-layer activation disruption loss to constrain activations in the middle layers. In so doing, the AEs do not erroneously retain deep features of the original signal. We conduct extensive experiments on RadioML datasets and the local area network (LAN) communication dataset we collected to evaluate the effectiveness of MDAM in both white-box and black-box attack scenarios. The results show that MDAM outperforms existing methods.
PaperID: 231,   
Authors:  Ke Li, Di Wang, Wenxuan Zhu, Shaofeng Li, Quan Wang, Xinbo Gao
Affiliations: Key Laboratory of Smart Human-Computer Interaction and Wearable Technology of Shaanxi Province and the School of Computer Science and Technology, Xidian University, Xi’an, China; Chongqing Key Laboratory of Image Cognition, Chongqing University of Posts and Telecommunications, Chongqing, China
Title: Physical Adversarial Patch Attack for Optical Fine-Grained Aircraft Recognition
Abstract:
Deep neural networks (DNNs) have been widely used in remote sensing but have been demonstrated to be sensitive to adversarial examples. By introducing carefully designed perturbations to clean images, DNNs can be led to incorrect predictions. Adversarial patches are commonly used to conduct adversarial attacks, where traditional methods optimize the patch content and position separately, neglecting the coupling relation between the two factors. In this paper, we propose a black-box attack framework targeting fine-grained aircraft recognition, named PatchGen, simultaneously optimizing both the content and position of physical adversarial patches. For the requirements of physical attack, we further constrain the patch to the object region and utilize elaborate criteria to evaluate its naturalness to alleviate the distortion when applying the patch in the real world. We comprehensively validate our method in fine-grained aircraft classification, extending to object detection subsequently. Extensive experiments demonstrate that the proposed method achieves superior attack performance efficiently for classification and detection tasks in the digital domain. Moreover, we validate the effectiveness of the adversarial patch under diverse circumstances in the physical world and prove that our method can be applied to different models as well as various domains.
PaperID: 232,   
Authors:  Tanzim Mahfuz, Swarup Bhunia, Prabuddha Chakraborty
Affiliations: Department of Electrical and Computer Engineering, The University of Maine, Orono, ME, USA; Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL, USA
Title: X-DFS: Explainable Artificial Intelligence Guided Design-for-Security Solution Space Exploration
Abstract:
Design and manufacturing of integrated circuits predominantly use a globally distributed semiconductor supply chain involving diverse entities. The modern semiconductor supply chain has been designed to boost production efficiency, but is filled with major security concerns such as malicious modifications (hardware Trojans), reverse engineering (RE), and cloning. While being deployed, digital systems are also subject to a plethora of threats such as power, timing, and electromagnetic (EM) side channel attacks. Many Design-for-Security (DFS) solutions have been proposed to deal with these vulnerabilities, and such DFS solutions rely on strategic modifications (e.g., logic locking, side channel resilient masking, and dummy logic insertion) of the digital designs for ensuring a higher level of security. However, most of these DFS strategies lack robust formalism, are often not human-understandable, and require an extensive amount of human expert effort during their development/use. All of these factors make it difficult to keep up with the ever-growing number of microelectronic vulnerabilities. In this work, we propose X-DFS, an explainable Artificial Intelligence (AI) guided DFS solution-space exploration approach that can dramatically cut down the mitigation strategy development/use time while enriching our understanding of the vulnerability by providing human-understandable decision rationale. We implement X-DFS and comprehensively evaluate it for reverse engineering threats (SAIL, SWEEP, and OMLA) and formalize a generalized mechanism for applying X-DFS to defend against other threats such as hardware Trojans, fault attacks, and side channel attacks for seamless future extensions.
PaperID: 233,   
Authors:  Yuhong Xue, Zhutian Yang, Zhilu Wu, Hu Wang, Guan Gui
Affiliations: School of Electronics and Information Engineering, Harbin Institute of Technology, Harbin, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Online Two-Stage Channel-Based Lightweight Authentication Method for Time-Varying Scenarios
Abstract:
Physical Layer Authentication (PLA) emerges as a promising security solution, offering efficient identity verification for the Internet of Things (IoT). The advent of 5G/6G technologies has ushered in an era of extensive device connectivity, diverse networks, and complex application scenarios within IoT ecosystems. These advancements necessitate PLA systems that are highly secure, robust, capable of online processing, and adaptable to unknown channel conditions. In this paper, we introduce a novel two-stage PLA framework that synergizes channel prediction with power-delay attributes, ensuring superior performance in mobile and time-varying channel environments. Specifically, our approach employs Sparse Variational Gaussian Processes (SVGP) to accurately model and track real-time channel variations, leveraging historical data for online predictions without incurring significant computational or storage overhead. The second stage of our framework enhances the robustness of the authentication process by incorporating power-delay features, which are inherently resistant to temporal fluctuations, thereby eliminating the need for additional feature extraction in noisy settings. Moreover, our authentication scheme is designed to be distribution-agnostic, utilizing Kernel Density Estimation (KDE) for non-parametric threshold determination in hypothesis testing. Theoretical analysis underpins the generalization capabilities of our proposed method. Simulation results in mobile scenarios reveal that our two-stage PLA framework reduces complexity and significantly improves identity authentication performance, particularly in scenarios with low signal-to-noise ratios.
PaperID: 234,   
Authors:  Chengxiang Jin, Jiajun Zhou, Chenxuan Xie, Shanqing Yu, Qi Xuan, Xiaoniu Yang
Affiliations: Institute of Cyberspace Security, College of Information Engineering, Zhejiang University of Technology, Hangzhou, China; National Key Laboratory of Electromagnetic Space Security, Jiaxing, China
Title: Enhancing Ethereum Fraud Detection via Generative and Contrastive Self-Supervision
Abstract:
The rampant fraudulent activities on Ethereum hinder the healthy development of the blockchain ecosystem, necessitating the reinforcement of regulations. However, multiple imbalances involving account interaction frequencies and interaction types in the Ethereum transaction environment pose significant challenges to data mining-based fraud detection research. To address this, we first propose the concept of meta-interactions to refine interaction behaviors in Ethereum, and based on this, we present a dual self-supervision enhanced Ethereum fraud detection framework, named Meta-IFD. This framework initially introduces a generative self-supervision mechanism to augment the interaction features of accounts, followed by a contrastive self-supervision mechanism to differentiate various behavior patterns, and ultimately characterizes the behavioral representations of accounts and mines potential fraud risks through multi-view interaction feature learning. Extensive experiments on real Ethereum datasets demonstrate the effectiveness and superiority of our framework in detecting common Ethereum fraud behaviors such as Ponzi schemes and phishing scams. Additionally, the generative module can effectively alleviate the interaction distribution imbalance in Ethereum data, while the contrastive module significantly enhances the framework’s ability to distinguish different behavior patterns. The source code will be available at https://github.com/GISec-Team/Meta-IFD.
PaperID: 235,   
Authors:  Hangcheng Liu, Yuan Zhou, Ying Yang, Qingchuan Zhao, Tianwei Zhang, Tao Xiang
Affiliations: College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Computer Science and Technology, Zhejiang Sci-Tech University, Hangzhou, Zhejiang, China; Agency for Science, Technology and Research (A*STAR), Institute of High Performance Computing (IHPC) and the Centre for Frontier AI Research (CFAR), Fusionopolis, Singapore; Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong; College of Computer Science, Chongqing University, Chongqing, China
Title: Stealthiness Assessment of Adversarial Perturbation: From a Visual Perspective
Abstract:
Assessing the stealthiness of adversarial perturbations is challenging due to the lack of appropriate evaluation metrics. Existing evaluation metrics, e.g., L_p norms or Image Quality Assessment (IQA), fall short of assessing the pixel-level stealthiness of subtle adversarial perturbations since these metrics are primarily designed for traditional distortions. To bridge this gap, we present the first comprehensive study on the subjective and objective assessment of the stealthiness of adversarial perturbations from a visual perspective at a pixel level. Specifically, we propose new subjective assessment criteria for human observers to score adversarial stealthiness in a fine-grained manner. Then, we create a large-scale adversarial example dataset comprising 10586 pairs of clean and adversarial samples encompassing twelve state-of-the-art adversarial attacks. To obtain the subjective scores according to the proposed criterion, we recruit 60 human observers, and each adversarial example is evaluated by at least 15 observers. The mean opinion score of each adversarial example is utilized for labeling. Finally, we develop a three-stage objective scoring model that mimics human scoring habits to predict adversarial perturbation’s stealthiness. Experimental results demonstrate that our objective model exhibits superior consistency with the human visual system, surpassing commonly employed metrics like PSNR and SSIM.
PaperID: 236,   
Authors:  Yiming Yang, Weipeng Hu, Haifeng Hu
Affiliations: School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China; School of Electrical and Electronic Engineering (EEE), Nanyang Technological University, Jurong West, Singapore
Title: Progressive Cross-Modal Association Learning for Unsupervised Visible-Infrared Person Re-Identification
Abstract:
Unsupervised visible-infrared person re-identification (USL-VI-ReID) aims to explore the cross-modal associations and learn modality-invariant representations without manual labels. The field provides flexible and economical methods for person re-identification across light and dark scenes. Existing approaches utilize cluster-level strong association methods, such as graph matching and optimal transport, to correlate modal differences, which may result in mis-linking between clusters and introduce noise. To overcome this limitation and gradually acquire reliable cross-modal associations, we propose a Progressive Cross-modal Association Learning (PCAL) method for USL-VI-ReID. Specifically, our PCAL naturally integrates Triple-modal Adversarial Learning (TAL), Cross-modal Neighbor Expansion (CNE) and Modality-invariant Contrastive Learning (MCL) into a unified framework. TAL fully utilizes the advantage of the Channel Augmented (CA) technique to reduce modal differences, which facilitates subsequent mining of cross-modal associations. Furthermore, we identify the modal bias problem in existing clustering methods, which hinders the effective establishment of cross-modal associations. To address this problem, CNE is proposed to balance the contribution of cross-modal neighbor information, linking potential cross-modal neighbors as much as possible. Finally, MCL is introduced to refine the cross-modal associations and learn modality-invariant representations. Extensive experiments on SYSU-MM01 and RegDB datasets demonstrate the competitive performance of the PCAL method. Code is available at https://github.com/YimingYang23/PCA_USLVIReID.
PaperID: 237,   
Authors:  Huixian Li, Wenyu Mo, Chun Shen, Liaojun Pang
Affiliations: School of Computer Science, Northwestern Polytechnical University, Xi’an, China; School of Software, Northwestern Polytechnical University, Xi’an, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China
Title: EvalComp: Bootstrapping Based on Homomorphic Comparison Function for CKKS
Abstract:
The Approximate Homomorphic Encryption scheme CKKS offers a distinctive and effective approach to privacy-preserving computation, with significant potential applications in IoT and machine learning domains. Recent advancements have introduced bootstrapping techniques tailored for CKKS, including the EvalMod and EvalRound bootstrapping techniques. These bootstrapping techniques mainly focus on approximate computation of modular reduction functions. However, the approximation of modular functions encounters challenges related to computational efficiency and bootstrapping precision, thus emerging as a major bottleneck in the advancement of bootstrapping techniques. Motivated by these concerns, in this paper, we introduce a novel bootstrapping scheme named EvalComp, which eliminates the need to fit modular functions. Unlike existing approaches, EvalComp constructs a homomorphic rounding function using the Homomorphic Comparison Function (HCF) and thus removes the integer multiples of the modulus \boldsymbol q from the ciphertext. For \boldsymbol N = 2^9 , EvalComp enhances bootstrapping precision by over 11 bits and computational efficiency by 16.7% compared with the latest EvalMod scheme (JM22). Additionally, compared with the EvalRound scheme (KPK22+), our scheme improves bootstrapping precision by 2-3 bits and computational efficiency by 20.2%. According to the bootstrapping performance comparison criterion, the performance of EvalComp achieves 1.80 times that of JM22 and 1.69 times that of KPK22+.
PaperID: 238,   
Authors:  Pengwen Dai, Jingyu Li, Dayan Wu, Peijia Zheng, Xiaochun Cao
Affiliations: School of Cyber Science and Technology, Shenzhen Campus of Sun Yat-sen University, Shenzhen, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Computer Science and Engineering, Guangdong Province Key Laboratory of Information Security Technology, and the MoE Key Laboratory of Information Technology, Sun Yat-sen University, Guangzhou, China
Title: TextSafety: Visual Text Vanishing via Hierarchical Context-Aware Interaction Reconstruction
Abstract:
Privacy information existing in the scene text will be leaked with the spread of images in cyberspace. Vanishing the scene text from the image is a simple yet effective method to prevent privacy disclosure to the machine and the human. Previous visual text vanishing methods have achieved promising results, but the performance still fell short of expectations for complicated-shape scene texts with various scales. In this paper, we propose a novel hierarchical context-aware interaction reconstruction method to make the visual text vanish in the natural scene image. To avoid the interference of the non-text regions, we narrow down the reconstruction regions by the guidance of the hierarchical refined text region masks, helping provide accurate position information. Meanwhile, we propose to learn the long-range context-aware interaction in a lightweight way, which can ensure the smoothing of the artifacts that are easily generated by the convolutional layers. To be more specific, we first simultaneously generate the coarse text region mask and the initially vanishing scene text image. Then, we obtain more accurate refined masks to better capture the locations of complicated-shape texts via a hierarchical mask generation network. Next, based on the refined masks, we exploit a channel-wise context-aware interaction mechanism to model the long-range relationships between the reconstruction region and the backgrounds for better removing the artifacts. Finally, we fuse the reconstructed text regions with the non-masked regions to obtain the ultimate protected image. Experiments on two frequently used benchmarks, SCUT-EnsText and SCUT-Syn, demonstrate that our proposed method outperforms previous related methods by a large margin.
PaperID: 239,   
Authors:  Desheng Zheng, Wuping Ke, Xiao-Yu Li, Yaoxin Duan, Guangqiang Yin, Fan Min
Affiliations: School of Computer Science and Software Engineering, Southwest Petroleum University, Chengdu, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; Key Laboratory of Industrial Internet of Things and Networked Control, Ministry of Education, Chongqing, China
Title: Enhancing the Transferability of Adversarial Attacks via Multi-Feature Attention
Abstract:
Adversarial examples have posed a serious threat to deep neural networks due to their transferability. Existing transfer-based attacks tend to improve the transferability of adversarial examples by destroying intrinsic features. However, prior work typically employed single-dimensional or additive importance estimates, which provide inaccurate representations of features. In this work, we propose the Multi-Feature Attention Attack (MFAA), which fuses multiple layers of feature representations to disrupt category-related features and thus improve the transferability of the adversarial examples. First, MFAA introduces a layer-aggregation gradient (LAG) to obtain guidance maps, which reflect the importance of features in multiple scales. Second, it generates ensemble attention (EA), preserving object-specific features and offsetting model-specific features based on the guidance maps. Third, EA is iteratively disturbed to achieve high transferability of the adversarial examples. Empirical evaluation on the standard ImageNet dataset shows that adversarial examples crafted by MFAA can effectively attack different networks. Compared to the state-of-the-art transferable attacks, our attack improves the average attack success rate of the black-box model with defense from 88.5% to 94.1% on single-model attacks and from 86.6% to 95.1% on ensemble attacks. Our code is available on GitHub: https://github.com/KWPCCC/MFAA.
PaperID: 240,   
Authors:  Xiaoyuan Liu, Hongwei Li, Guowen Xu, Xilin Zhang, Tianwei Zhang, Jianying Zhou
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore; Department of Computer Science, iTrust, Singapore University of Technology and Design, Tampines, Singapore
Title: Secure and Lightweight Feature Selection for Horizontal Federated Learning
Abstract:
In this paper, we introduce SeiFS, a Secure and Lightweight Feature Selection system designed to ensure high-quality inputs for Machine Learning (ML) tasks. Unlike previous approaches involving multiple non-colluding servers, SeiFS operates in a natural ML scenario where multiple entities interact with a single server, without relying on additional strong assumptions. Our work presents intrinsic optimizations in feature selection that yield substantial performance improvements, including a customized data encoding method, a size-optimized comparison circuit, and a shared oblivious dimensionality reduction technique. The customized data encoding method, combined with an optimized secure data access protocol, reduces expensive comparison operations from O(m) to O(\log m) , where m represents the number of samples. The size-optimized comparison circuit achieves up to a quadruple reduction in size compared to naïve implementations. Additionally, the shared oblivious dimensionality reduction technique incorporates a novel approximated top-k selection algorithm, resulting in a circuit size reduction of approximately k× . Comprehensive experiments conducted across various network settings demonstrate that our protocols outperform existing solutions, delivering efficiency improvements of an order of magnitude. Specifically, the end-to-end execution of SeiFS on real-life datasets achieves at least 62.7× improvements in runtime compared to the naïve implementation and requires up to 112.9× less runtime than the state-of-the-art in the LAN setting.
PaperID: 241,   
Authors:  Vamoua Yachongka, Hideki Yagi, Hideki Ochiai
Affiliations: Department of Computer Science and Engineering, The University of Texas at Arlington, Arlington, TX, USA; Department of Computer and Network Engineering, The University of Electro-Communications, Chofu, Tokyo, Japan; Graduate School of Engineering, Osaka University, Suita, Osaka, Japan
Title: Outer Bounds on the CEO Problem With Privacy Constraints
Abstract:
We investigate the rate-distortion-leakage region of the Chief Executive Officer (CEO) problem, considering the presence of a passive eavesdropper and privacy constraints. We start by examining the region where a general distortion measure quantifies the distortion. While the inner bound of the region is derived from previous work, this paper newly develops an outer bound. To derive the outer bound, we introduce a new lemma tailored for analyzing privacy constraints. Next, as a specific instance of the general distortion measure, we demonstrate that the tight bound for discrete and Gaussian sources is obtained when the eavesdropper has no side information, and the distortion is quantified by the log-loss distortion measure. We further investigate the rate-distortion-leakage region for a scenario where the eavesdropper has side information, and the distortion is quantified by the log-loss distortion measure and provide an outer bound for this case. The derived outer bound differs from the inner bound by only a minor quantity that appears in the constraints associated with the privacy-leakage rates, and these bounds match when the distortion is large.
PaperID: 242,   
Authors:  Xiao Yang, Yuni Lai, Gaolei Li, Jun Wu, Kai Zhou, Jianhua Li, Mingzhe Chen
Affiliations: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; College of Information and Communication Engineering, Harbin Engineering University, Harbin, China; Department of Information and Computer Science, Keio University, Yokohama, Kanagawa, Japan; Department of Engineering, Faculty of Science and Engineering, Manchester Metropolitan University, Manchester, U.K.
Title: Toward Collaborative and Cross-Environment UAV Classification: Federated Semantic Regularization
Abstract:
The rapid and widespread adoption of unmanned aerial vehicles (UAVs) poses significant threats to public safety and security in sensitive areas and subsequently underscores the urgent need for effective UAV surveillance solutions, where UAV classification emerges as a vital technology. Deep learning (DL) methods can autonomously extract implicit features from UAV signals and subsequently infer their types, provided that sufficient signal samples are available. Due to the high mobility of UAVs, it is challenging to ensure continuous monitoring between UAVs and the surveillance system to obtain sufficient samples. Moreover, DL models developed from sufficient but environment-specific datasets tend to be less generalized. This paper proposes a novel federated semantic regularization for learning a UAV classification model and further classifying UAVs across diverse environmental conditions. The approach enhances model generalization by regularizing semantic features during the local model training process on each participant. Subsequently, these local models are aggregated into a robust global model. Extensive testing across multiple environments demonstrates the superior classification performance of our approach compared to existing non-federated and federated approaches. The average classification accuracy of the proposed method in the three environments is 95.68%, which is improved by 13.39% compared to the non-federated methods and by 2.75% compared to the federated methods.
PaperID: 243,   
Authors:  Zhaoyang Li, Zhu Teng, Baopeng Zhang, Jianping Fan
Affiliations: School of Computer Science and Technology, Beijing Jiaotong University, Beijing, China; AI Laboratory, Lenovo Research, Beijing, China
Title: Bi-Stream Coteaching Network for Weakly-Supervised Deepfake Localization in Videos
Abstract:
With the rapid evolution of deepfake technologies, attackers can arbitrarily alter the intended message of a video by modifying just a few frames. To this extent, simplistic binary judgments of entire videos increasingly seem less convincing and interpretable. Although numerous efforts have been made to develop fine-grained interpretations, these typically depend on elaborate annotations, which are both costly and challenging to obtain in real-world scenarios. To push the related frontier research, we introduce a novel task called Weakly-Supervised Deepfake Localization (WSDL), which aims to identify manipulated frames only with cushy video-level labels. Meanwhile, we propose a new framework named Bi-stream coteaching Deepfake Localization (CoDL), which advances the WSDL task through a progressive mutual refinement strategy across complementary spatial and temporal modalities. The CoDL framework incorporates an inconsistency perception module that discerns subtle forgeries by assessing spatial and temporal incoherence, and a prototype-based enhancement module that mitigates frame noise and amplifies discrepancies to create a robust feature space. Additionally, a progressive coteaching mechanism is implemented to facilitate the exchange of valuable knowledge between modalities, enhancing the detection of subtle frame-level forgery features and thereby improving the model’s generalization capabilities. Extensive experiments are conducted to demonstrate the superiority of our approach, particularly achieving an impressive 8.83% improvement in AUC on highly compressed datasets when learning from weak supervision.
PaperID: 244,   
Authors:  Kaiyi Pang, Tao Qi, Chuhan Wu, Minhao Bai, Minghu Jiang, Yongfeng Huang
Affiliations: School of Humanities, Tsinghua University, Beijing, China; State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; Huawei Technologies Company Ltd., Beijing, China; Department of Electronic Engineering, Tsinghua University, Beijing, China
Title: ModelShield: Adaptive and Robust Watermark Against Model Extraction Attack
Abstract:
Large language models (LLMs) demonstrate general intelligence across a variety of machine learning tasks, thereby enhancing the commercial value of their intellectual property (IP). To protect this IP, model owners typically allow user access only in a black-box manner; however, adversaries can still utilize model extraction attacks to steal the model intelligence encoded in model generation. Watermarking technology offers a promising solution for defending against such attacks by embedding unique identifiers into the model-generated content. However, existing watermarking methods often compromise the quality of generated content due to heuristic alterations and lack robust mechanisms to counteract adversarial strategies, thus limiting their practicality in real-world scenarios. In this paper, we introduce an adaptive and robust watermarking method (named ModelShield) to protect the IP of LLMs. Our method incorporates a self-watermarking mechanism that allows LLMs to autonomously insert watermarks into their generated content to avoid the degradation of model content. We also propose a robust watermark detection mechanism capable of effectively identifying watermark signals under the interference of varying adversarial strategies. Besides, ModelShield is a plug-and-play method that does not require additional model training, enhancing its applicability in LLM deployments. Extensive evaluations on two real-world datasets and three LLMs demonstrate that our method surpasses existing methods in terms of defense effectiveness and robustness while significantly reducing the degradation of watermarking on the model-generated content.
PaperID: 245,   
Authors:  Bo Yang, Hengwei Zhang, Jindong Wang, Yulong Yang, Chenhao Lin, Chao Shen, Zhengyu Zhao
Affiliations: State Key Laboratory of Mathematical Engineering and Advanced Computing and Henan Key Laboratory of Information Security, Information Engineering University, Zhengzhou, China; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China
Title: Adversarial Example Soups: Improving Transferability and Stealthiness for Free
Abstract:
Transferable adversarial examples cause practical security risks since they can mislead a target model without knowing its internal knowledge. A conventional recipe for maximizing transferability is to keep only the optimal adversarial example from all those obtained in the optimization pipeline. In this paper, for the first time, we revisit this convention and demonstrate that those discarded, sub-optimal adversarial examples can be reused to boost transferability. Specifically, we propose “Adversarial Example Soups” (AES), with AES-tune for averaging discarded adversarial examples in hyperparameter tuning and AES-rand for stability testing. In addition, our AES is inspired by “model soups”, which averages weights of multiple fine-tuned models for improved accuracy without increasing inference time. Extensive experiments validate the global effectiveness of our AES, boosting 10 state-of-the-art transfer attacks and their combinations by up to 13% against 10 diverse (defensive) target models. We also show the possibility of generalizing AES to other types, e.g., directly averaging multiple in-the-wild adversarial examples that yield comparable success. A promising byproduct of AES is the improved stealthiness of adversarial examples since the perturbation variances are naturally reduced.
PaperID: 246,   
Authors:  Ya-Ting Yang, Tao Zhang, Quanyan Zhu
Affiliations: Department of Electrical and Computer Engineering, New York University, Brooklyn, NY, USA
Title: Herd Accountability of Privacy-Preserving Algorithms: A Stackelberg Game Approach
Abstract:
AI-driven algorithmic systems are increasingly adopted across various sectors, yet the lack of transparency can raise accountability concerns about claimed privacy protection measures. While machine-based audits offer one avenue for addressing these issues, they are often costly and time-consuming. Herd audit, on the other hand, offers a promising alternative by leveraging collective intelligence from end-users. However, the presence of epistemic disparity among auditors, resulting in varying levels of domain expertise and access to relevant knowledge, captured by the rational inattention model, may impact audit assurance. An effective herd audit must establish a credible accountability threat for algorithm developers, incentivizing them not to breach user trust. In this work, our objective is to develop a systematic framework that explores the impact of herd audits on algorithm developers through the lens of the Stackelberg game. Our analysis reveals the importance of easy access to information and the appropriate design of rewards, as they increase the auditors’ assurance in the audit process. In this context, herd audit serves as a deterrent to negligent behavior. Therefore, by enhancing herd accountability, herd audit contributes to responsible algorithm development, fostering trust between users and algorithms.
PaperID: 247,   
Authors:  Qi Liu, Chengcheng Zhao, Mengxiang Liu, Ruilong Deng, Peng Cheng
Affiliations: State Key Laboratory of Industrial Control Technology and the College of Control Science and Engineering, Zhejiang University, Hangzhou, China; Department of Automatic Control and Systems Engineering, The University of Sheffield, Sheffield, U.K.
Title: Submodularity-Based False Data Injection Attack Strategy in DC Microgrids
Abstract:
Despite significantly enhancing system flexibility and reliability, the adoption of distributed secondary control in DC microgrids (DCmGs) introduces new vulnerabilities to false data injection (FDI) attacks. As a typical FDI attack, the zero trace stealthy (ZTS) attack has been recently disclosed for DCmGs, which can deteriorate the control objective while remaining stealthy to unknown input observer (UIO)-based detectors. In this work, we investigate the optimal deployment of ZTS attacks, where the adversary with limited resources aims to compromise a set of communication links such that the system state convergence error can be maximized. Specifically, we formulate the optimal ZTS attack deployment problem as a combinatorial optimization problem and unveil its NP-hard characteristic. Then, we discover the submodularity in the state convergence error function, enabling us to transform the original NP-hard problem into a tractable submodular maximization problem. Furthermore, based on the submodular optimization theory, we propose a novel distributed algorithm for the optimal ZTS attack deployment in DCmGs, which effectively balances the attack benefits and computation cost. Finally, comparisons between the centralized and distributed algorithms are illustrated through extensive simulations.
PaperID: 248,   
Authors:  Jingjing Xue, Sheng Sun, Min Liu, Qi Li, Ke Xu
Affiliations: Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China; Institute for Network Sciences and Cyberspace and Beijing National Research Centre for Information Science and Technology (BNRist), Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China
Title: Enhancing Federated Learning Robustness Using Locally Benignity-Assessable Bayesian Dropout
Abstract:
Federated Learning (FL) has emerged as a privacy-preserving training paradigm, which enables distributed devices to jointly learn a shared model without sharing raw data. However, the inaccessible client-side data and unverifiable local training leave FL vulnerable to Byzantine attacks. Most defense strategies focus on penalizing malicious clients in server-side aggregation and ignore client-side assessment of poisoned weight units, failing to maintain robustness and convergence in non-IID settings. In this paper, we propose Federated learning with Benignity-assessable Bayesian Dropout and variational Attention (FedBDA) to achieve locally robust training based on fine-grained benignity indicators and to guarantee global robustness over non-IID data. Specifically, FedBDA integrates the variational-inference interpretation of dropout into local training, where each client individually quantifies the benign degree of its weight units to determine a resilient dropping pattern for the local Bayesian model, enabling client-side robust training with Bayesian interpretability. To accommodate the variational distributions of local Bayesian models and globally assess their benign potential, we design a joint attention mechanism based on the Jensen-Shannon divergence among local, global, and median distributions for robust weighted aggregation. Theoretical analysis proves the robustness and convergence of FedBDA. We conduct extensive experiments on four benchmark datasets with five typical attacks, and the results demonstrate that FedBDA outperforms existing approaches in model performance and running efficiency.
PaperID: 249,   
Authors:  Boan Yu, Jun Zhao, Kai Zhang, Junqing Gong, Haifeng Qian
Affiliations: College of Computer Science and Technology, Shanghai University of Electric Power, Shanghai, China; Software Engineering Institute, East China Normal University, Shanghai, China
Title: Lightweight and Dynamic Privacy-Preserving Federated Learning via Functional Encryption
Abstract:
Federated Learning (FL) is a distributed machine learning framework that allows multiple clients to collaboratively train an intermediate model while keeping data local; however, sensitive information may still be inferred from the exchanged local models. Although homomorphic encryption and multi-party computation have been applied to FL solutions to mitigate such privacy risks, they lead to costly communication overhead and long training time. As a result, functional encryption (FE) has been introduced into the field of privacy-preserving FL (PPFL) to boost efficiency and enhance security. Nevertheless, existing FE-based PPFL frameworks that support dynamic participation either require a trusted third party, which may become a single point of failure, or require multiple rounds of interaction, which inevitably incur large communication overhead. Therefore, we propose PrivLDFL, a lightweight and dynamic PPFL framework for resource-constrained devices. Technically, we formalize dynamic decentralized multi-client FE and give instantiations, then present efficiency optimizations by designing a vector compression funnel based on the Chinese Remainder Theorem, and finally handle client dropouts via a client partitioning strategy. Besides a formal security analysis of PrivLDFL, we implement it and state-of-the-art solutions on a Raspberry Pi to conduct extensive experiments, confirming the practical performance of PrivLDFL on well-known public datasets.
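The abstract only names the Chinese Remainder Theorem (CRT) "vector compression funnel"; the following is an added illustration of the underlying idea, written for this page and not PrivLDFL's own code. It packs a vector of small non-negative integers (e.g. quantized gradient coordinates, already offset into a non-negative range) into a single integer using pairwise coprime moduli, and shows the property that makes such packing useful for aggregation: adding two packed integers modulo the product of the moduli adds the vectors coordinate-wise modulo each modulus. The moduli and sample vectors are constructed; the wraparound check at the end is the caveat a practitioner must size the moduli against.

```python
from functools import reduce
from math import gcd

# Constructed toy moduli, one per vector coordinate, pairwise coprime (distinct primes).
# Each m_i must exceed the largest value a coordinate can reach, including after any
# sums of packed vectors, or that coordinate silently wraps modulo m_i.
MODULI = [257, 263, 269, 271]


def _product(moduli):
    return reduce(lambda a, b: a * b, moduli, 1)


def check_moduli(moduli):
    """The CRT map is a bijection only for pairwise coprime moduli; refuse anything else."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")


def crt_pack(values, moduli):
    """Map (v_1, ..., v_k) with 0 <= v_i < m_i to the unique x in [0, M) with x = v_i (mod m_i)."""
    check_moduli(moduli)
    if len(values) != len(moduli):
        raise ValueError("one modulus per coordinate")
    M = _product(moduli)
    x = 0
    for v, m in zip(values, moduli):
        if not 0 <= v < m:
            raise ValueError(f"value {v} out of range for modulus {m}")
        Mi = M // m
        # Textbook CRT: v * M_i * (M_i^{-1} mod m_i) is v mod m_i and 0 mod every other m_j.
        x = (x + v * Mi * pow(Mi, -1, m)) % M
    return x


def crt_unpack(x, moduli):
    """Recover the coordinates by reducing the packed integer modulo each modulus."""
    return [x % m for m in moduli]


def add_packed(packed_list, moduli):
    """Sum packed integers mod M. By the CRT isomorphism this equals packing the
    coordinate-wise sums reduced mod m_i, so an aggregator can add compressed
    vectors without unpacking them first."""
    M = _product(moduli)
    return sum(packed_list) % M


if __name__ == "__main__":
    a, b = [10, 20, 30, 40], [5, 6, 7, 8]          # constructed client vectors
    pa, pb = crt_pack(a, MODULI), crt_pack(b, MODULI)
    print("packed a:", pa, "packed b:", pb)
    print("sum unpacked:", crt_unpack(add_packed([pa, pb], MODULI), MODULI))
    # Wraparound: 250 + 10 = 260 exceeds m_0 = 257, so the first coordinate reads 3.
    over = add_packed([crt_pack([250, 0, 0, 0], MODULI), crt_pack([10, 0, 0, 0], MODULI)], MODULI)
    print("overflowed coordinate:", crt_unpack(over, MODULI)[0])
```

The packed integer is about the size of the product of the moduli, so the bandwidth saving over sending k separate values comes from choosing the m_i just large enough for the quantized range times the number of clients whose vectors will be summed; choosing them too small corrupts the aggregate without any error being raised, as the last lines show.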
PaperID: 250,   
Authors:  Huici Wu, Yi Fang, Na Li, Xin Yuan, Zhiqing Wei, Guoshun Nan, Xiaofeng Tao
Affiliations: National Engineering Research Center of Mobile Network Technologies, Beijing University of Posts and Telecommunications (BUPT), Beijing, China; National Engineering Research Center of Mobile Network Technologies, BUPT, Beijing, China; University of Technology Sydney, Ultimo, NSW, Australia; Key Laboratory of Universal Wireless Communications, Ministry of Education, School of Information and Communication Engineering, BUPT, Beijing, China
Title: Secret Key Generation With Untrusted Internal Eavesdropper: Token-Based Anti-Eavesdropping
Abstract:
Physical layer (PHY) secret key generation (SKG) has been widely studied as a promising approach to achieving one-time-pad security. Improving the SKG rate is a major challenge, especially in scenarios with untrusted internal helpers or eavesdroppers that aim to wiretap the secret keys negotiated between legitimate parties. In this paper, we propose a token-based SKG scheme to deal with the problem of information leakage under internal eavesdropping attacks. The basic idea is to cover random pilots with protective tokens to confuse eavesdroppers. Three scenarios, including passive external eavesdropping, active internal eavesdropping with a reconfigurable intelligent surface (RIS)-assisted untrusted helper, and active internal eavesdropping with an untrusted relay, are considered and analyzed to evaluate the performance of the proposed anti-eavesdropping scheme. Theoretical analysis shows that the proposed token-based SKG scheme can perfectly secure the key negotiation, achieving zero information leakage even in the untrusted relaying scenario without a direct link between Alice and Bob. Moreover, closed-form expressions for the secret key capacity (SKC) are obtained. Finally, numerical results indicate that the proposed scheme outperforms state-of-the-art methods. Using a token-generation mapping function with greater diversity in amplitude and phase, our approach achieves enhanced SKC performance across various scenarios, including those with a passive eavesdropper, a RIS-assisted untrusted helper, and an untrusted relay.
PaperID: 251,   
Authors:  Marc Dib, Samuel Pierre
Affiliations: Department of Computer and Software Engineering, Polytechnique Montréal, Mobile Computing and Networking Research Laboratory (LARIM), Montreal, QC, Canada
Title: HSM-Based Architecture to Detect Insider Attacks on Server-Side Data
Abstract:
In this paper, we propose an HSM-based architecture to detect insider attacks on server-side data. Our proposed architecture combines four cryptography-based defense mechanisms: Nonce-Based Process Authentication (NBPA), Hash-Based Field Integrity (HBFI), Hash-Based Field Availability (HBFA), and Hash-Based Row Availability (HBRA). This novel architecture is designed to detect a predefined comprehensive attack model on server-side data tailored for an HSM-based architecture. The implementation results show that the throughput decrease is mostly manageable (14% for NBPA, 30-50% for HBFI, 25% for HBFA, and 43.74% for the combination of all mechanisms), with the indication that some mechanisms are more or less appropriate depending on the situation. Moreover, the HBRA mechanism performed well regarding the attack detection time (5 minutes for a database of 1000 entries).
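The abstract names the HBFI and HBRA mechanisms without detailing them. The block below is an added illustration written for this page, not the authors' implementation: a per-field HMAC tag (the field-integrity idea) and a tag over the set of row identifiers (the row-availability idea), both computed by a simulated HSM that never exposes its key, and then audited after an insider edits and deletes rows with direct SQL access that bypasses the application. The in-process `HsmStub`, the table layout, the message encodings and the three sample rows are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

TABLE = "accounts"


class HsmStub:
    """Stand-in for the HSM (assumption): only tag/verify are exposed, the key stays inside."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def tag(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(msg), tag)


def field_msg(row_id, column, value) -> bytes:
    # Bind the tag to table, row and column so a valid tag cannot be replayed on another field.
    return b"\x00".join([TABLE.encode(), str(row_id).encode(), column.encode(), str(value).encode()])


def rowset_msg(ids) -> bytes:
    # One tag over the sorted set of row ids: deleting or adding a row changes the message.
    return b"\x00".join([TABLE.encode(), b"rowset"] + [str(i).encode() for i in sorted(ids)])


def commit_rowset(conn, hsm):
    """Called by the trusted application after every legitimate insert/delete."""
    ids = [r[0] for r in conn.execute(f"SELECT id FROM {TABLE}")]
    conn.execute("INSERT OR REPLACE INTO control VALUES ('rowset', ?)", (hsm.tag(rowset_msg(ids)),))


def insert_row(conn, hsm, row_id, name, balance):
    conn.execute(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?, ?)",
        (row_id, name, balance,
         hsm.tag(field_msg(row_id, "name", name)),
         hsm.tag(field_msg(row_id, "balance", balance))),
    )
    commit_rowset(conn, hsm)


def setup_db(hsm):
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER,"
                 " name_tag BLOB, balance_tag BLOB)")
    conn.execute("CREATE TABLE control (name TEXT PRIMARY KEY, tag BLOB)")
    for row_id, name, balance in [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)]:  # constructed rows
        insert_row(conn, hsm, row_id, name, balance)
    return conn


def audit_fields(conn, hsm):
    """Return (row_id, column) pairs whose stored value no longer matches its HSM tag."""
    bad = []
    query = f"SELECT id, name, balance, name_tag, balance_tag FROM {TABLE} ORDER BY id"
    for row_id, name, balance, name_tag, balance_tag in conn.execute(query):
        for column, value, tag in (("name", name, name_tag), ("balance", balance, balance_tag)):
            if tag is None or not hsm.verify(field_msg(row_id, column, value), tag):
                bad.append((row_id, column))
    return bad


def audit_rows(conn, hsm):
    """True only if the current set of row ids matches the last committed row-set tag."""
    stored = conn.execute("SELECT tag FROM control WHERE name = 'rowset'").fetchone()
    if stored is None:               # an insider deleting the control row is itself a finding
        return False
    ids = [r[0] for r in conn.execute(f"SELECT id FROM {TABLE}")]
    return hsm.verify(rowset_msg(ids), stored[0])


if __name__ == "__main__":
    hsm = HsmStub()
    conn = setup_db(hsm)
    # Insider with raw DB access, bypassing the application and the HSM:
    conn.execute(f"UPDATE {TABLE} SET balance = 999999 WHERE id = 2")
    conn.execute(f"DELETE FROM {TABLE} WHERE id = 3")
    print("tampered fields:", audit_fields(conn, hsm))   # [(2, 'balance')]
    print("row set intact:", audit_rows(conn, hsm))     # False
```

A per-field tag alone does not catch an insider who restores an older (value, tag) pair for the same field; detecting that rollback needs a version or nonce bound into the message, which is the kind of gap the abstract's separate availability and process-authentication mechanisms are meant to address.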
PaperID: 252,   
Authors:  Tao Wang, Wenying Wen, Xiangli Xiao, Zhongyun Hua, Yushu Zhang, Yuming Fang
Affiliations: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Computing and Artificial Intelligence, Jiangxi University of Finance and Economics, Nanchang, China; School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China
Title: Beyond Privacy: Generating Privacy-Preserving Faces Supporting Robust Image Authentication
Abstract:
The prevalence of face capture along with the advancement of face recognition poses a potential threat to individual privacy. To protect privacy, many methods have been proposed to change the identity in a face, thus blocking malicious face recognition. However, these methods fail to satisfy authentication requirements in special application scenarios, e.g., face authentication in surveillance capture. In this paper, we propose a novel face privacy protection model, which supports robust image authentication via information-conditional identity transformation. Specifically, we first introduce a basic face manipulation model (FMM), which can preserve identity-irrelevant attributes when manipulating identity. Based on FMM, we further design a lightweight protector called AIDPro, which outputs a transformed identity that differs from the original one and embeds a message carrying authentication information. Benefiting from semantic robustness, our model does not require noise layers to achieve accurate message extraction after various image distortions. In addition, the message can serve as the condition guiding the identity transformation for privacy protection, which avoids the extra resource consumption of supporting image authentication. Extensive experimental results demonstrate that our model has comparable privacy protection performance, superior attribute preservation performance, and robust authentication performance, especially under JPEG compression and screen shooting. Our code is available at https://github.com/daizigege/AIDPro.
PaperID: 253,   
Authors:  Shuo Wang, Keke Gai, Jing Yu, Zijian Zhang, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Information Engineering, Minzu University of China, Beijing, China
Title: PraVFed: Practical Heterogeneous Vertical Federated Learning via Representation Learning
Abstract:
Vertical federated learning (VFL) provides a privacy-preserving method for machine learning, enabling collaborative training across multiple institutions with vertically distributed data. Existing VFL methods assume that participants passively obtain local models of the same structure and communicate with the active party during each training batch. However, due to the heterogeneity of participating institutions, VFL with heterogeneous models and efficient communication is indispensable in real-life scenarios. To address this challenge, we propose a new VFL method called Practical Heterogeneous Vertical Federated Learning via Representation Learning (PraVFed) to support the training of parties with heterogeneous local models and reduce communication costs. Specifically, PraVFed employs weighted aggregation of local embedding values from the passive party to mitigate the influence of heterogeneous local model information on the global model. Furthermore, to safeguard the passive party’s local sample features, we utilize blinding factors to protect its local embedding values. To reduce communication costs, the passive party performs multiple rounds of local pre-model training while preserving label privacy. We conducted a comprehensive theoretical analysis and extensive experimentation to demonstrate that PraVFed reduces communication overhead under heterogeneous models and outperforms other approaches. For example, when the target accuracy is set at 60% on the CINIC10 dataset, the communication cost of PraVFed is reduced by 70.57% compared to the baseline method. Our code is available at https://github.com/wangshuo105/PraVFed_main.
PaperID: 254,   
Authors:  Ying Gao, Huanghao Deng, Zukun Zhu, Xiaofeng Chen, Yuxin Xie, Pei Duan, Peixuan Chen
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; Tencent Inc., Beijing, China
Title: Peafowl: Private Entity Alignment in Multi-Party Privacy-Preserving Machine Learning
Abstract:
In privacy-preserving machine learning with vertically distributed data, private entity alignment methods are used to securely match and utilize features of the same samples. However, existing methods not only risk exposing sample intersections and introducing unnecessary samples but also face a gap in adapting to multi-party scenarios. To address these limitations, we propose Peafowl, a novel multi-party private entity alignment protocol. Peafowl achieves entity alignment among multiple parties through a mapping from original datasets to intersections, termed permutation. This method mitigates intersection disclosure and sample redundancy concerns by avoiding direct use of the intersection. The proposed protocol leverages a cloud server that utilizes secret-shared shuffle to protect the privacy of the permutation, in case of colluding data providers reconstructing intersections. Further, by integrating a seed homomorphic pseudorandom generator, Peafowl avoids the intensive communication of secret sharing and achieves superior runtime performance. Additionally, an offline/online variant is introduced to ensure a linear growth in communication and computation complexity relative to the dataset size by pre-computing permutation calculations. Implemented on a real PPML framework, the protocol demonstrates practical efficiency in various multi-party settings. Experimental results indicate that Peafowl’s overhead is less than 1% of the total training cost, while the offline/online variant achieves approximately a 50% reduction in online runtime. Overall, Peafowl offers an efficient and straightforward solution for multi-party PPML, making it an attractive option for implementation and future improvements.
PaperID: 255,   
Authors:  Charles Gouert, Dimitris Mouris, Nektarios Georgios Tsoutsos
Affiliations: Department of Electrical and Computer Engineering, University of Delaware, Newark, DE, USA
Title: HELM: Navigating Homomorphic Encryption Through Gates and Lookup Tables
Abstract:
As cloud computing continues to gain widespread adoption, safeguarding the confidentiality of data entrusted to third-party cloud service providers becomes a critical concern. While traditional encryption methods offer protection for data at rest and in transit, they fall short where it matters most, i.e., during data processing. To address this limitation, we present HELM, a framework for privacy-preserving data processing using homomorphic encryption. HELM automatically transforms arbitrary programs expressed in a Hardware Description Language (HDL), such as Verilog, into equivalent homomorphic circuits, which can then be efficiently evaluated on encrypted inputs. HELM features three modes of encrypted evaluation: a) a gate mode that consists of Boolean gates, b) a small-precision lookup table mode which significantly reduces the size of the circuit by combining multiple gates into lookup tables, and c) a high-precision lookup table mode tuned for multi-bit arithmetic evaluations. Finally, HELM introduces a scheduler that leverages the parallelism inherent in arithmetic and Boolean circuits to efficiently evaluate encrypted programs. We evaluate HELM with the ISCAS’85 and ISCAS’89 benchmark suites, as well as real-world applications such as image filtering and neural network inference. In our experimental results, we report that HELM can outperform prior works by up to 65×.
PaperID: 256,   
Authors:  Yuhan Chai, Ximing Chen, Jing Qiu, Lei Du, Yanjun Xiao, Qiying Feng, Shouling Ji, Zhihong Tian
Affiliations: Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, Guangdong, China; School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; PINGXING Lab (Nsfocus Technology Group Company), Guangzhou, Guangdong, China; College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: MalFSCIL: A Few-Shot Class-Incremental Learning Approach for Malware Detection
Abstract:
The continuous evolution of malware poses a serious threat to personal privacy, enterprise data security, and global network infrastructure. For example, attackers can use phishing emails, botnets, etc. to induce victims to execute malware for nefarious purposes such as stealing sensitive information. Therefore, it is important to develop effective and efficient methods to detect malware. Towards this, most state-of-the-art methods are learning-based. In order to adapt to the sample scarcity and dynamic evolution characteristic of malware detection tasks, few-shot class-incremental learning has been proposed as an efficient solution. Nevertheless, such methods still face two major challenges: 1) Catastrophic forgetting: the erosion of existing knowledge by newly acquired knowledge during incremental learning. 2) Decision boundary confusion: after multiple consecutive incremental sessions, the discriminative ability of the classification model is weakened. To address the above challenges, we propose a new malware detection framework based on few-shot class-incremental learning, MalFSCIL, which utilizes a decoupled training strategy combined with a variational autoencoder to mitigate catastrophic forgetting, and designs a dynamic boundary delineation method based on class prototypes to achieve accurate delineation of incremental decision boundaries. Extensive experimental results show that the proposed method outperforms state-of-the-art techniques in malware detection and classification, with high classification accuracy on an open-source dataset and an internal enterprise dataset.
PaperID: 257,   
Authors:  Mehedi Hassan, Mehmet Engin Tozal, Vipin Swarup, Steven Noel, Raju Gottumukkala, Vijay Raghavan
Affiliations: School of Computing and Informatics, University of Louisiana at Lafayette, Lafayette, LA, USA; MITRE Corporation, McLean, VA, USA; Department of Mechanical Engineering, University of Louisiana at Lafayette, Lafayette, LA, USA
Title: Detecting Anomalous Communication Behaviors in Dynamically Evolving Networked Systems
Abstract:
Devices in real-world networked systems typically exhibit consistent communication behavior over time. Hence, anomalous communication behaviors may often indicate cyber-attacks taking place in these systems. As a result, identifying anomalous communication links can help us activate appropriate response mechanisms to ensure the integrity and security of such networked systems. In this study, we propose an approach to detect anomalous communication links in dynamically evolving networked systems. Furthermore, we employ the External Direct Sum of Vector Spaces (EDSoVS) to enable edge/dyad representation learning from node representations. We then use the dyad representations as features to train an SVM model and detect future anomalous links. We evaluate our approach on a synthetic dataset representing a real-world communication network provided by the MITRE Corporation and twelve real-world datasets provided by Cisco. Our empirical results show that the accuracy of the proposed model varies between 70.54% and 95.79%, while the F1 score is between 78.22% and 95.97%. We compare our approach against four techniques involving neural networks and graph neural networks. We show that our approach achieves higher accuracy, precision, and recall rates.
PaperID: 258,   
Authors:  Jiajun Chen, Chunqiang Hu, Weihong Sheng, Tao Xiang, Pengfei Hu, Jiguo Yu
Affiliations: Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education of China, Chongqing University, Chongqing, China; College of Computer Science, Chongqing University, Chongqing, China; School of Computer Science and Technology, Shandong University, Jinan, Shandong, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: Sensitivity-Aware Personalized Differential Privacy Guarantees for Online Social Networks
Abstract:
With the prevalence of online social networks (OSNs), much personal information is collected and maintained by trusted service providers for third-party queries and analyses. Existing works regarding differentially private social network data publication overlook the fact that different users exhibit distinct privacy preferences or sensitivity inclinations. Neglecting these individual nuances may lead to privacy mechanisms that are overly conservative or inadequately protective. Furthermore, the injection of excessive noise into OSN data perceived by users as non-personal or less sensitive can incur additional privacy costs, resulting in lower service quality. This paper introduces a fine-grained, sensitivity-aware personalized edge differential privacy model (SPEDP) for OSNs. Specifically, SPEDP enables each OSN user to individually define the sensitivity level of their social connections, facilitating user-friendly personalized privacy settings. We design a privacy-aware mechanism that operates within a trusted service provider, capable of establishing privacy protection levels based on user-perceived sensitivity settings. Additionally, we propose a sensitivity-aware sampling mechanism to implement SPEDP. To further optimize the privacy mechanism, we explore a privacy threshold optimization strategy aimed at minimizing privacy budget waste. Finally, the personalized privacy protections and utility improvements achieved by the SPEDP mechanism are rigorously validated through theoretical analysis and comprehensive comparative experiments on benchmark datasets.
PaperID: 259,   
Authors:  Kuan Liu, Jianting Ning, Pengfei Wu, Shengmin Xu, Rongmao Chen
Affiliations: Key Laboratory of Analytical Mathematics and Applications (Ministry of Education), Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; College of Computer Science and Technology, National University of Defense Technology, Changsha, China
Title: TLARDA: Threshold Label-Aggregating Remote Data Auditing in Decentralized Environment
Abstract:
Remote data integrity auditing enables a client to efficiently ensure the integrity of all data stored on untrusted servers via auditing. Yet, existing solutions generally emphasize various metrics (such as minimal storage, fast update, metadata privacy), but not audit performance (e.g., low audit time, small proof size). To this end, a label-aggregating remote data integrity auditing scheme (LARDA) was proposed at ESORICS ’22, which is the state-of-the-art work in terms of proof size and storage cost. However, LARDA needs a trusted third party (TTP) to perform data auditing for all data owners, which introduces a single point of failure since the audit process routinely needs to interact with the TTP. To address this issue, we introduce a new concept called threshold label-aggregating data auditing and propose two novel schemes. Our first solution is based on the Pedersen secret sharing technique, which can significantly alleviate the key escrow problem of LARDA. Our second solution is an efficient batch verification scheme for multiple TTPs’ secret key shares, utilizing the KZG (Kate, Zaverucha and Goldberg) secret sharing technique. This scheme keeps the size of the commitment to the TTP secret key constant rather than linear in the number of TTPs. We conduct comprehensive experiments to demonstrate the scalability of our schemes. In particular, our second scheme makes the verification time for TTPs’ secret key shares constant, requiring only two pairings and one group exponentiation, with an average of 7.39 ms regardless of the number of TTPs. For our first scheme, the verification procedure requires 2t group exponentiations (where t is the threshold value), ranging from 2.37 ms (t = 2) to 26.85 ms (t = 35).
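The first scheme above replaces the single TTP with Pedersen secret sharing; its exact construction is not given here, so the following is an added example of plain Pedersen verifiable secret sharing written for this page, not TLARDA's code. A dealer splits a key into n shares with threshold t, publishes commitments to the two polynomials' coefficients, each share holder checks its share against those commitments (the verification that the abstract reports costs 2t exponentiations), and any t valid shares reconstruct the key by Lagrange interpolation. The group parameters are constructed toy values (p = 2q + 1 with q = 1019) so the arithmetic is readable; a real deployment needs a cryptographically sized group and a second generator h whose discrete logarithm to base g is unknown to the dealer.

```python
import secrets

# Constructed toy parameters: p = 2q + 1, p and q prime, so the squares mod p form a
# subgroup of prime order q. Replace with >= 2048-bit parameters (or an elliptic curve) in practice.
P = 2039
Q = 1019
G = pow(2, 2, P)   # generator of the order-q subgroup
H = pow(3, 2, P)   # second generator; log_G(H) must be unknown to the dealer (assumption)


def _poly_eval(coeffs, x):
    """Evaluate a polynomial with coefficients in Z_q at x."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q


def deal(secret, t, n):
    """Split `secret` into n shares, any t of which reconstruct it.

    Returns (shares, commitments): shares[i] = (index, f(index), r(index)) and
    commitments[j] = G^a_j * H^b_j for the coefficients of f (secret polynomial)
    and r (blinding polynomial). The commitments hide the coefficients because
    each is blinded by a fresh b_j, so publishing them reveals nothing about the secret.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    r = [secrets.randbelow(Q) for _ in range(t)]
    commitments = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, r)]
    shares = [(i, _poly_eval(f, i), _poly_eval(r, i)) for i in range(1, n + 1)]
    return shares, commitments


def verify_share(share, commitments):
    """Check G^s_i * H^r_i == prod_j C_j^(i^j); costs 2 + t exponentiations here,
    the same order as the 2t reported for the paper's first scheme."""
    i, s_i, r_i = share
    lhs = pow(G, s_i, P) * pow(H, r_i, P) % P
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P   # exponents live in Z_q (group order)
    return lhs == rhs


def reconstruct(shares):
    """Lagrange interpolation of f at x = 0 over Z_q from exactly t (or more) distinct shares."""
    secret = 0
    for i, s_i, _ in shares:
        num, den = 1, 1
        for j, _, _ in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    shares, commitments = deal(777, t=3, n=5)
    print("all shares valid:", all(verify_share(s, commitments) for s in shares))
    print("reconstructed from shares 2,4,5:", reconstruct([shares[1], shares[3], shares[4]]))
    i, s_i, r_i = shares[0]
    print("tampered share accepted:", verify_share((i, (s_i + 1) % Q, r_i), commitments))
```

Verification is what removes the single point of failure in practice: a share holder that fails the check refuses to take part, so a dealer (or a compromised TTP) cannot hand out inconsistent shares unnoticed, and any t honest holders can still reconstruct without a central party.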
PaperID: 260,   
Authors:  Junpeng Zhang, Hui Zhu, Jiaqi Zhao, Rongxing Lu, Yandong Zheng, Jiezhen Tang, Hui Li
Affiliations: Hebei Provincial Key Laboratory of Network and Information Security, Hebei Normal University, Shijiazhuang, China; School of Cyber Engineering, Xidian University, Xi’an, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China; School of Computing, Queen's University, Kingston, ON, Canada
Title: COKV: Key-Value Data Collection With Condensed Local Differential Privacy
Abstract:
Local differential privacy (LDP) provides lightweight and provable privacy protection and has wide applications in private data collection. Key-value data, a popular NoSQL structure, requires simultaneous frequency and mean estimation for each key, which poses a challenge to traditional LDP-based collection methods. Despite the many schemes proposed for the privacy protection of key-value data, they inadequately address condensed perturbation for keys and advanced composition of privacy budgets, leading to suboptimal estimation accuracy. To address this issue, we propose an efficient key-value collection scheme (COKV) with tight privacy budget composition. In our scheme, we first design a padding and sampling protocol for key-value data to avoid privacy budget splitting. Second, to enhance the utility of key perturbation, we design a key perturbation primitive and optimize the perturbation range to improve computational efficiency. After that, we propose a key-value association perturbation algorithm whose value perturbation strategy guarantees that the output expectation equals the original value. Finally, we demonstrate that through tight privacy budget composition, COKV can provide higher data utility under the same privacy level. Theoretical analysis shows that COKV has lower variance in frequency and mean estimation. Extensive experiments on both synthetic and real-world datasets also indicate that COKV outperforms current state-of-the-art methods for secure key-value data collection.
PaperID: 261,   
Authors:  Weiqi Dai, Yang Zhou, Xiaohai Dai, Kim-Kwang Raymond Choo, Xia Xie, Deqing Zou, Hai Jin
Affiliations: School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China; Department of Information Systems and Cyber Security, Department of Electrical and Computer Engineering, The University of Texas at San Antonio, San Antonio, TX, USA; School of Computer Science and Technology, Hainan University, Haikou, China
Title: CR-DAP: A Comprehensive and Regulatory Decentralized Anonymous Payment System
Abstract:
Among various blockchain applications, decentralized anonymous payment (DAP) systems stand out for their enhanced privacy protection compared to traditional payment methods. However, DAPs face challenges such as the lack of asset recovery and identity verification features. To ensure the long-term healthy development of DAP systems, adherence to legal regulations and privacy protection is equally critical. In response to these requirements, we propose a CR-DAP system that offers a secure and efficient solution without compromising on practicality. Our innovation lies in introducing an identity-based traceable anonymous signature scheme, which skillfully balances anonymity with traceability. This scheme supports private key retrieval and allows for identity tracking when necessary, addressing key pain points in existing anonymous payment systems and enhancing user trust. We have implemented the prototype of this signature scheme and the CR-DAP system, evaluating its performance to demonstrate its practicality.
PaperID: 262,   
Authors:  Siquan Huang, Yijiang Li, Xingfu Yan, Ying Gao, Chong Chen, Leyu Shi, Biao Chen, Wing W. Y. Ng
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, China; Department of Electrical and Computer Engineering, University of California San Diego, La Jolla, CA, USA; School of Computer Science, South China Normal University, Guangzhou, China; Nanfang Media Group, Guangzhou, China
Title: Scope: On Detecting Constrained Backdoor Attacks in Federated Learning
Abstract:
Federated learning (FL) allows multiple clients to train an efficient deep-learning model collaboratively but is susceptible to backdoor attacks. Traditional detection-based defenses depend on specific metrics to distinguish client gradients. Defense-aware attackers exploit this by constraining attack gradients on these metrics to evade detection, leading to metric-constrained attacks. This paper concretely instantiates such threats and introduces cosine-constrained attacks, which successfully compromise advanced defenses based on cosine distance. To address the aforementioned challenge, we propose Scope, a novel defense that detects cosine-constrained attacks using cosine distance by exposing the constrained backdoor dimensions of attack gradients. Scope employs dimension-wise normalization and differential scaling to amplify the distinction between backdoor dimensions and benign or unused ones, countering sophisticated attackers’ attempts to obscure them. Moreover, we develop a novel clustering approach, namely Dominant Gradient Clustering (DGC), to isolate and eliminate backdoor gradients. Extensive experiments across various datasets, models, FL settings, and adversary scenarios demonstrate that Scope consistently outperforms existing defenses by a significant margin, especially against the cosine-constrained attack. Additionally, we present a Scope-tailored attack designed to evade Scope, but it remains ineffective even when maximizing stealthiness, further underscoring the robustness of Scope. We release our source code at: https://github.com/siquanhuang/Scope.
PaperID: 263,   
Authors:  Xiao-Yu Yue, Jiang-Wen Xiao, Xiaokang Liu, Yan-Wu Wang
Affiliations: Key Laboratory of Image Processing and Intelligent Control, School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, China
Title: Differentially Private Linearized ADMM Algorithm for Decentralized Nonconvex Optimization
Abstract:
Privacy preservation is a challenging problem in decentralized nonconvex optimization containing sensitive data. Prior approaches to decentralized nonconvex optimization are either not strong enough to protect privacy or exhibit low utility under a high privacy guarantee. To address these issues, we propose a differentially private linearized alternating direction method of multipliers (DP-LADMM), which achieves fast convergence property for nonconvex objective functions while achieving saddle/maximum avoidance under differential privacy guarantee. We also apply the Analytic Gaussian Mechanism to track the cumulative privacy loss and provide a tight global differential privacy guarantee for DP-LADMM. The theoretical analysis offers an explicit convergence rate for our algorithm. To the best of our knowledge, this is the first paper to provide explicit convergence for decentralized nonconvex optimization with differential privacy and saddle/maximum avoidance. Numerical simulations and comparison studies on decentralized estimation confirm the superiority of the algorithm and the effectiveness of global privacy preservation.
PaperID: 264,   
Authors:  Jianfeng Du, Zhu Wang, Aimin Yu
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Revisiting the Masking Strategy: A Side-Channel Attack on CRYSTALS-Kyber
Abstract:
As the sole NIST-standardized quantum-resistant key encapsulation mechanism, CRYSTALS-Kyber demands rigorous scrutiny of its side-channel countermeasures. However, there is a lack of research on the side-channel security of the message decoding module in masked CRYSTALS-Kyber. In this paper, we seek to address this gap. First, we conduct a side-channel security evaluation of the first-order masked message decoding function in mkm4 of CRYSTALS-Kyber, finding that an incremental storage vulnerability still exists. Then, we carry out a practical experiment on a Cortex-M4 CPU using the sum-of-squared-difference method, with message recovery accuracy reaching 90.6% and secret key recovery reaching 77.2%. Furthermore, we show theoretically that a masking strategy of any order cannot effectively protect the message decoding function, beyond increasing the attack difficulty to a limited extent. We also provide our idea for solving this problem by emulating the data behavior of dual-rail pre-charge logic circuits at the software level, which can effectively ensure the implementation security of CRYSTALS-Kyber.
PaperID: 265,   
Authors:  Wenke Huang, Mang Ye, Zekun Shi, He Li, Bo Du
Affiliations: School of Computer Science, Taikang Center for Life and Medical Sciences, Wuhan University, Wuhan, China
Title: Kindle Federated Generalization With Domain Specialized and Invariant Knowledge
Abstract:
Federated learning, hailed as a privacy-preserving collaboration paradigm, has garnered significant attention in research circles. Typically, it involves multiple clients collaborating to integrate multi-party knowledge, facilitating the learning of a shared global model with decentralized local data. Despite the popularity of federated learning, the surge in approaches addressing various realistic challenges has highlighted a critical issue. The aggregated model may struggle to capture diverse domain knowledge across participants, leading to limited performance in cross-client domain scenarios. Furthermore, the incorporation of knowledge from participating parties can hinder generalization on out-of-client distributions. To comprehensively address this challenge, we dissect federated generalization into two dimensions: the participating domain and the unseen domain. In this paper, we propose a novel solution incorporating domain-specialized and invariant experts. These experts are designed to faithfully represent individual domain characteristics and different domain universality. Additionally, we introduce a pioneering test-time expert aggregation strategy that utilizes prediction consistency metrics to aggregate different experts, specifically tailored for handling agnostic testing distributions. Empirical results validate that our proposed methodology significantly enhances federated performance on both cross-client and out-of-client generalization under different scenarios and with various related methods. A comprehensive ablation study demonstrates the effectiveness of the proposed modules.
PaperID: 266,   
Authors:  Luyao Wang, Hao Guo, Weibin Wu, Lu Zhou
Affiliations: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Zhejiang Laboratory, Hangzhou, China
Title: Efficient and Privacy-Preserving Feature Selection Based on Multiparty Computation
Abstract:
Feature selection is a critical data preprocessing stage that has been proven beneficial in data mining and machine learning applications. As most current works focus on privacy during the training and inference tasks in machine learning, implementing privacy preservation in preprocessing is a powerful complement. In this paper, we present an efficient and privacy-preserving feature selection protocol (EPFS) based on secure multiparty computation (MPC). We customize a novel method called approximate fixed-point representation to reduce the bitwidth of the sample distribution probability, thereby decreasing communication overhead. We optimize the comparison protocol by reducing the high-order bits of values according to the characteristics of the datasets and design the feature score calculation protocol together with several other MPC-based sub-protocols. We also construct an efficient feature selection workflow to obtain the reduced feature matrix, which avoids the numerous calls of secure comparison and equality test protocols in loops. Experiments on several real-world datasets show that the improved comparison protocol achieves a 29%-53% improvement in runtime and a 6%-32% reduction in communication compared to the general comparison protocol. The optimized feature selection workflow exhibits an upper performance bound, achieving a 38% improvement in runtime compared to prior work. Besides, we implement secure logistic regression training based on the selected features, where the accuracy has improved by an average of 8% compared to training on raw features.
PaperID: 267,   
Authors:  Chuang Liang, Jie Huang, Shuaishuai Zhang, Zeping Zhang
Affiliations: Department of Computer Science, Purdue University, Indianapolis, IN, USA; Department of Computer Science, Georgia State University, Atlanta, GA, USA; Department of Computer Science, Indiana University Indianapolis, Indianapolis, IN, USA; School of Computer Science and Technology, Shandong University, Qingdao, Shandong, China
Title: Can We Trust the Similarity Measurement in Federated Learning?
Abstract:
Is it secure to measure the reliability of local models by similarity in federated learning (FL)? This paper delves into an unexplored security threat concerning applying similarity metrics, such as the L_2 norm, Euclidean distance, and cosine similarity, in protecting FL. We first uncover the deficiencies of similarity metrics that high-dimensional local models, including benign and poisoned models, may be evaluated to have the same similarity while being significantly different in the parameter values. We then leverage this finding to devise a novel untargeted model poisoning attack, Faker, which launches the attack by simultaneously maximizing the evaluated similarity of the poisoned local model and the difference in the parameter values. Experimental results based on seven datasets and eight defenses show that Faker outperforms the state-of-the-art benchmark attacks by 1.1-9.0X in reducing accuracy and 1.2-8.0X in saving time cost, which even holds for the case of a single malicious client with limited knowledge about the FL system. Moreover, Faker can degrade the performance of the global model by attacking only once. We also preliminarily explore extending Faker to other attacks, such as backdoor attacks and Sybil attacks. Lastly, we provide a model evaluation strategy, called the similarity of partial parameters (SPP), to defend against Faker. Given that numerous mechanisms in FL utilize similarity metrics to assess local models, this work suggests that we should be vigilant regarding the potential risks of using these metrics. The code will be released soon.
PaperID: 268,   
Authors:  Aishan Liu, Yuguang Zhou, Xianglong Liu, Tianyuan Zhang, Siyuan Liang, Jiakai Wang, Yanjun Pu, Tianlin Li, Junqi Zhang, Wenbo Zhou, Qing Guo, Dacheng Tao
Affiliations: State Key Laboratory of Complex and Critical Software Environment (SKLCCSE) and the School of Computer Science and Engineering (SCSE), Beihang University, Beijing, China; School of Computing, National University of Singapore, Queenstown, Singapore; Zhongguancun Laboratory, Beijing, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Cyberspace Security, University of Science and Technology of China, Hefei, China; Agency for Science, Technology and Research (A*STAR), Fusionopolis, Singapore
Title: Compromising LLM Driven Embodied Agents With Contextual Backdoor Attacks
Abstract:
Large language models (LLMs) have transformed the development of embodied intelligence. By providing a few contextual demonstrations (such as rationales and solution examples) developers can utilize the extensive internal knowledge of LLMs to effortlessly translate complex tasks described in abstract language into sequences of code snippets, which will serve as the execution logic for embodied agents. However, this paper uncovers a significant backdoor security threat within this process and introduces a novel method called Contextual Backdoor Attack. By poisoning just a few contextual demonstrations, attackers can covertly compromise the contextual environment of a closed-box LLM, prompting it to generate programs with context-dependent defects. These programs appear logically sound but contain defects that can activate and induce unintended behaviors when the operational agent encounters specific triggers in its interactive environment. To compromise the LLM’s contextual environment, we employ adversarial in-context generation to optimize poisoned demonstrations, where an LLM judge evaluates these poisoned prompts, reporting to an additional LLM that iteratively optimizes the demonstration in a two-player adversarial game using chain-of-thought reasoning. To enable context-dependent behaviors in downstream agents, we implement a dual-modality activation strategy that controls both the generation and execution of program defects through textual and visual triggers. We expand the scope of our attack by developing five program defect modes that compromise key aspects of confidentiality, integrity, and availability in embodied agents. To validate the effectiveness of our approach, we conducted extensive experiments across various tasks, including robot planning, robot manipulation, and compositional visual reasoning. Additionally, we demonstrate the potential impact of our approach by successfully attacking real-world autonomous driving systems. 
The contextual backdoor threat introduced in this study poses serious risks for millions of downstream embodied agents, given that most publicly available LLMs are third-party-provided. This paper aims to raise awareness of this critical threat. Our code and demos are available at https://contextual-backdoor.github.io/.
PaperID: 269,   
Authors:  Zhuoqun Yan, Wenfang Zhang, Xiaomin Wang, Muhammad Khurram Khan
Affiliations: School of Information Science and Technology, Southwest Jiaotong University, Chengdu, China; Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia
Title: Comments on "VCD-FL: Verifiable, Collusion-Resistant, and Dynamic Federated Learning"
Abstract:
Gao et al. (2023) recently proposed a collusion-resistant and verifiable federated learning framework named VCD-FL (IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, vol. 18, pp. 3760–3773, 2023). However, in this letter, we show that VCD-FL fails to achieve its claimed security goals. In particular, we demonstrate that their designed commitment scheme, which serves as the core component of the proposed collusion-resistant verification mechanism, is unsafe, and then we present a feasible collusion attack launched by the aggregation server and corrupt clients by leveraging the existing security vulnerabilities.
PaperID: 270,   
Authors:  Rui Yang, Qindong Sun, Han Cao, Chao Shen, Jiaming Cai, Dongzhu Rong
Affiliations: School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; Shaanxi Key Laboratory of Network Computing and Security, Xi’an University of Technology, Xi’an, China; School of Software Engineering, Xi’an Jiaotong University, Xi’an, China
Title: 1+1>2: A Dual-Function Defense Framework for Adversarial Example Mitigation
Abstract:
Current state-of-the-art plug-and-play countermeasures for mitigating adversarial examples (i.e., purification and detection) exhibit several fatal limitations, impeding their deployment in safety-critical real-world applications. These limitations include susceptibility to adaptive attacks, adverse impact on benign samples, high time consumption for conducting a complete defense cycle, etc. To bridge the gap, developing more advanced plug-and-play countermeasures is urgently needed to safeguard these applications. Specifically, this paper first proposes a novel method named Gaussian-augmented GAN-based Adversarial Purification (GA-GAP). Unlike previous methods, GA-GAP enhances the density of the training data in low-robustness regions by using random Gaussian noise. Moreover, GA-GAP incorporates a pre-trained deep learning classifier into the training architecture and integrates its classification loss into the training loss function. Then, following the development of GA-GAP, this paper innovatively proposes a dual-function defense framework named Adversarial Detection on Purification (ADoP) to mitigate adversarial examples further. In ADoP, purification and detection complement each other, achieving the effect of 1+1>2, which can more efficiently avoid adaptive attacks. Extensive experiments on ImageNet demonstrate that ADoP outperforms other countermeasures in multiple aspects. These aspects include superior generalization capability in purifying and detecting various adversarial examples, less adverse impact on benign samples, and practical time consumption for conducting a complete defense cycle.
PaperID: 271,   
Authors:  Cong Zhang, Liqiang Peng, Weiran Liu, Shuaishuai Li, Meng Hao, Lei Zhang, Dongdai Lin
Affiliations: Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Alibaba Group, Hangzhou, China; Zhongguancun Laboratory, Beijing, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Charge Your Clients: Payable Secure Computation and Its Applications
Abstract:
The online realm has witnessed a surge in the buying and selling of data, prompting the emergence of dedicated data marketplaces. These platforms cater to servers (sellers), enabling them to set prices for access to their data, and clients (buyers), who can subsequently purchase these data, thereby streamlining and facilitating such transactions. However, the current data market is primarily confronted with the following issues. Firstly, they fail to protect client privacy, presupposing that clients submit their queries in plaintext. Secondly, these models are susceptible to being impacted by malicious client behavior, for example, enabling clients to potentially engage in arbitrage activities. To address the aforementioned issues, we propose payable secure computation, a novel secure computation paradigm specifically designed for data pricing scenarios. It grants the server the ability to securely procure essential pricing information while protecting the privacy of client queries. Additionally, it fortifies the server’s privacy against potential malicious client activities. As specific applications, we have devised customized payable protocols for two distinct secure computation scenarios: Keyword Private Information Retrieval (KPIR) and Private Set Intersection (PSI). We implement our two payable protocols and compare them with the state-of-the-art related protocols that do not support pricing as a baseline. Since our payable protocols are more powerful in the data pricing setting, the experiment results show that they do not introduce much overhead over the baseline protocols. Our payable KPIR achieves the same online cost as baseline, while the setup is about 1.3-1.6× slower than it. Our payable PSI needs about 2× more communication cost than that of baseline protocol, while the runtime is 1.5-3.2× slower than it depending on the network setting.
PaperID: 272,   
Authors:  Wenyi Xue, Yang Yang, Minming Huang, Yingjiu Li, HweeHwa Pang, Robert H. Deng
Affiliations: College of Computer and Data Science, Fuzhou University, Fuzhou, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; Department of Computer and Information Science, University of Oregon, Eugene, OR, USA
Title: DkvSSO: Delegatable Keyed-Verification Credentials for Efficient Anonymous Single Sign-On
Abstract:
Anonymous single sign-on (ASSO) is an anonymous multi-service authentication method for end users. However, existing ASSO schemes suffer from heavy ticket requesting and verifying overheads, limiting their applications in large-scale settings. To address this problem, we propose a novel concept called keyed-verification anonymous credentials with disposable delegation (KVAC-DD) in the multi-verifier setting. Next, we extend KVAC-DD to build an efficient ASSO system, dubbed DkvSSO. The construction of DkvSSO can be instantiated in efficient prime-order groups, avoiding costly operations required in previous ASSO systems. We formally prove the security of our proposed constructions. Extensive experiments show that DkvSSO is significantly more efficient than existing ASSO schemes, making it suitable to be deployed in large-scale settings.
PaperID: 273,   
Authors:  Zhaopin Su, Zhaofang Weng, Guofu Zhang, Chensi Lian, Niansong Wang
Affiliations: School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, China; Anhui Provincial Public Security Department, Joint Laboratory of Intelligent Prevention and Recognition of Audio and Video, Hefei, China
Title: LightGBM-Based Audio Watermarking Robust to Recapturing and Hybrid Attacks
Abstract:
Digital audio watermarking is a critical technology widely used for copyright protection, content authentication, and broadcast monitoring. However, its robustness is significantly challenged by recapturing and hybrid attacks, which can easily remove watermarks. To address this issue, this work proposes a novel scheme based on the light gradient boosting machine (LightGBM), named LRAW (LightGBM-based Robust Audio Watermarking), which is designed to increase the robustness of audio watermarking against various attacks. Specifically, the scheme begins by analysing coefficients derived from the discrete wavelet transform (DWT), graph-based transform (GBT), and singular value decomposition (SVD). The extracted singular values consistently maintain a stable descending order even under recapturing attacks at a slightly greater distance. Leveraging this stability, the watermark information is implicitly embedded into the audio signal using a quantization rule. To simulate a hybrid attack scenario, a comprehensive feature dataset comprising 396,000 pieces of DWT-GBT-SVD feature data is constructed based on 60 original recordings and 9 types of attack. Furthermore, considering the distinct influences of embedding watermark bits 0 and 1 on the quantization of singular values, the watermark extraction process is formulated as a binary classification problem. LightGBM is trained using Bayesian optimization and the feature dataset to classify the watermark bits accurately. Finally, the complete watermark is recovered using a watermark sequence matching algorithm. Theoretical analysis and experimental results demonstrate that the proposed LRAW scheme outperforms state-of-the-art watermarking methods in robustness against various recapturing and hybrid attacks, even when the distance between the acoustic source and the receiver is considerable.
PaperID: 274,   
Authors:  Meng Shen, Jinhe Wu, Ke Ye, Ke Xu, Gang Xiong, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computer Science, Beijing Institute of Technology, Beijing, China; Department of Computer Science and Technology, Tsinghua University, Beijing, China; Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China
Title: Robust Detection of Malicious Encrypted Traffic via Contrastive Learning
Abstract:
Traffic encryption is widely used to protect communication privacy but is increasingly exploited by attackers to conceal malicious activities. Existing malicious encrypted traffic detection methods rely on large amounts of labeled samples for training, limiting their ability to quickly respond to new attacks. These methods are also vulnerable to traffic obfuscation strategies, such as injecting dummy packets. In this paper, we propose SmartDetector, a robust malicious encrypted traffic detection method via contrastive learning. We first propose a novel traffic representation named Semantic Attribute Matrix (SAM), which can effectively distinguish between malicious and benign traffic. We also design a data augmentation method to generate diverse traffic samples, which makes the detection model more robust against different traffic obfuscation strategies. We propose a malicious encrypted traffic classifier that first pre-trains a model via contrastive learning to learn deep representations from unlabeled data, then fine-tunes the model with a supervised classifier to achieve accurate detection even with only a few labeled samples. We conduct extensive experiments with five public datasets to evaluate the performance of SmartDetector. The results demonstrate that it outperforms the state-of-the-art (SOTA) methods in three typical scenarios. Specifically, in the evasion attack detection scenario, SmartDetector achieves an F1 score and AUC above 93%, with average improvements of 19.84% and 18.17% over the SOTA method, respectively.
PaperID: 275,   
Authors:  Zixuan Ma, Chen Li, Kun Zhang, Bibo Tu
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Towards Unsupervised Time-Series Anomaly Detection for Virtual Cloud Networks
Abstract:
A virtual cloud network (VCN) is a fundamental cloud resource for endpoints (VMs or containers) to communicate with each other and with the outside. Anomaly detection, a key security approach for VCNs, faces serious challenges: 1) Current feature models are difficult to apply to VCNs, which differ significantly from traditional networks. 2) Current anomaly detection models lack the adaptability to learn multiple normal patterns simultaneously. The need to train a dedicated model for each endpoint causes serious scalability problems in VCNs. 3) Current anomaly detection models have difficulty addressing the complex temporal dependency and non-stationarity of VCNs. To address these challenges, we propose a new multilevel feature model MFM and a new unsupervised time-series anomaly detection model GTGmVAE. By combining the basic features with the topology features specifically designed for VCNs, MFM effectively characterizes the patterns of VCNs. GTGmVAE combines the new local-global feature extractor with a latent space following a Gaussian mixture distribution to achieve strong adaptability to learn multiple normal patterns simultaneously, and achieves strong temporal modeling capability to effectively address the complex temporal dependency and non-stationarity of VCNs by adequately modeling the global temporal dependencies of the input samples and latent variables. Extensive experiments on the VCN anomaly detection dataset CIC-IDS2018 and the time-series anomaly detection benchmark dataset SMD show that GTGmVAE with MFM achieves desirable performance, and GTGmVAE outperforms all nine representative state-of-the-art detection models.
PaperID: 276,   
Authors:  Jingcheng Zhao, Kaiping Xue, Yingjie Xue, Meng Li, Bin Zhu, Shaoxian Yuan
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, Anhui, China; School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, Anhui, China
Title: Privacy-Preserving Statistical Analysis With Low Redundancy Over Task-Relevant Microdata
Abstract:
Privacy-preserving statistical analysis enables the data center to analyze datasets from multiple data owners, extracting valuable insights while safeguarding privacy. However, the observation of microdata involvement in various analysis tasks within the data center can indirectly lead to privacy breaches. For instance, when the data center observes microdata involved in a disease-related task, it may reveal information about the corresponding user’s disease. Existing schemes process the entire dataset for each analysis task to prevent privacy breaches, resulting in significant redundancy overhead due to the large amount of task-irrelevant data involved in processing. In this paper, we propose FDC, which can protect privacy and effectively reduce the redundancy overhead. It frees the data center from huge redundancy overhead. Specifically, we propose a co-design of local differential privacy and multiparty computation with preprocessing by the data owner. This design enables the data center to process only task-relevant and LDP noise-induced microdata instead of the entire dataset while maintaining analysis results without accuracy loss. In some scenarios where preprocessing by the data owner is unfeasible, we present a data center-assisted method to complete preprocessing within the data center. Additionally, we design and optimize a secure shuffle protocol within this method. Finally, we implement and evaluate FDC using the aggregation task as a baseline. With different proportions of task-relevant microdata, experimental results show that the runtime of FDC is 2–11× faster than existing schemes on LAN and 2–22× on WAN, and the communication overhead is up to 3–153× lower.
PaperID: 277,   
Authors:  Keyang Zhang, Chenqi Kong, Shiqi Wang, Anderson Rocha, Haoliang Li
Affiliations: Department of Electrical Engineering, City University of Hong Kong, Kowloon Tong, SAR, Hong Kong; Rapid-Rich Object Search (ROSE) Laboratory, School of Electrical and Electronic Engineering, Nanyang Technology University, Jurong West, Singapore; Department of Computer Science, City University of Hong Kong, Kowloon Tong, SAR, Hong Kong; Artificial Intelligence Laboratory (Recod.ai), University of Campinas, Campinas, Brazil
Title: Image Provenance Analysis via Graph Encoding With Vision Transformer
Abstract:
Recent advances in AI-powered image editing tools have significantly lowered the barrier to image modification, raising pressing security concerns such as those related to spreading misinformation and disinformation on social platforms. Image provenance analysis is crucial in this context, as it identifies relevant images within a database and constructs a relationship graph by mining hidden manipulation and transformation cues, thereby providing concrete evidence chains. This paper introduces a novel end-to-end deep learning framework designed to explore the structural information of provenance graphs. Our proposed method differs from previous approaches in two main ways. First, unlike earlier methods that rely on prior knowledge and have limited generalizability, our framework relies upon a patch attention mechanism to capture image provenance clues for local manipulations and global transformations, thereby enhancing graph construction performance. Second, while previous methods primarily focus on identifying tampering traces only between image pairs, they often overlook the hidden information embedded in the topology of the provenance graph. Our approach aligns the model training objectives with the final graph construction task, incorporating the overall structural information of the graph into the training process. We integrate graph structure information with the attention mechanism, enabling precise determination of the direction of transformation. Experimental results show the superiority of the proposed method over previous approaches, underscoring its effectiveness in addressing the challenges of image provenance analysis.
PaperID: 278,   
Authors:  Jiaheng Wei, Yanjun Zhang, Leo Yu Zhang, Chao Chen, Shirui Pan, Kok-Leong Ong, Jun Zhang, Yang Xiang
Affiliations: School of Accounting, Information System and Supply Chain, RMIT University, Melbourne, Australia; School of Computer Science, University of Technology Sydney, Sydney, NSW, Australia; School of Information and Communication Technology, Griffith University, Brisbane, QLD, Australia; School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia
Title: Extracting Private Training Data in Federated Learning From Clients
Abstract:
The utilization of machine learning algorithms in distributed web applications is experiencing significant growth. One notable approach is Federated Learning (FL). Recent research has brought attention to the vulnerability of FL to gradient inversion attacks, which seek to reconstruct the original training samples, posing a substantial threat to client privacy. Most existing gradient inversion attacks, however, require control over the central server and rely on substantial prior knowledge, including information about batch normalization and data distribution. In this study, we introduce Poisoning Gradient Leakage from Client (PGLC), a novel attack method that operates from the clients’ side. For the first time, we demonstrate the feasibility of a client-side adversary with limited knowledge successfully recovering training samples from the aggregated global model. Our approach enables the adversary to employ a malicious model that increases the loss of a specific targeted class of interest. When honest clients employ the poisoned global model, the gradients of samples become distinct in the aggregated update. This allows the adversary to effectively reconstruct private inputs from other clients using the aggregated update. Furthermore, our PGLC attack exhibits stealthiness against Byzantine-robust aggregation rules (AGRs). Through the optimization of malicious updates and the blending of benign updates with a malicious replacement vector, our method remains undetected by these defense mechanisms. We conducted experiments across various benchmark datasets, considering representative Byzantine-robust AGRs and exploring different FL settings with varying levels of adversary knowledge about the data. Our results consistently demonstrate the ability of PGLC to extract training data in all tested scenarios.
PaperID: 279,   
Authors:  Jitao Xing, Dan Ye, Pengyu Li
Affiliations: College of Information Science and Engineering, Northeastern University, Shenyang, China
Title: Stealthy Attacks With Historical Data on Distributed State Estimation
Abstract:
This paper addresses the problem of designing stealthy attacks on distributed estimation using historical data. The distributed sensors transmit innovations to remote state estimators and neighboring nodes, which attackers can intercept and tamper with. To bypass the configured false data detectors, the attack parameters must satisfy the stealthiness constraints. The determination of the optimal stealthy attack strategy is reformulated as a series of convex optimization problems. Additionally, a lower bound on the compromised estimation error covariance is derived, and analytical solutions for the suboptimal stealthy attack strategy that maximizes the bound are provided. These solutions are proven to be piecewise constant with smaller computational complexity. Finally, numerical simulations validate the theoretical results.
PaperID: 280,   
Authors:  Song Bian, Yunhao Fu, Dongxu Zhao, Haowen Pan, Yuexiang Jin, Jiayue Sun, Hui Qiao, Zhenyu Guan
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; College of Information Science and Engineering, Northeastern University, Shenyang, China; Department of Automation, Beijing National Research Center for Information Science and Technology, Institute for Brain and Cognitive Sciences, Tsinghua University, Beijing, China
Title: FHECAP: An Encrypted Control System With Piecewise Continuous Actuation
Abstract:
We propose an encrypted controller framework for linear time-invariant systems with actuator non-linearity based on fully homomorphic encryption (FHE). While some existing works explore the use of partially homomorphic encryption (PHE) in implementing linear controller systems, the impacts of the non-linear behaviors of the actuators on the systems are often left unaddressed. In particular, when the inputs to the controller become too small or too large, actuators may burn out due to unstable system state oscillations. To solve this dilemma, we design and implement FHECAP, an FHE-based controller framework that can homomorphically apply non-linear functions to the actuators to rectify the system inputs. In FHECAP, we first design a novel data encoding scheme tailored for efficient gain matrix evaluation. Then, we propose a high-precision homomorphic algorithm to apply a non-arithmetic piecewise function to realize the actuator normalization. In the experiments, compared with the existing state-of-the-art encrypted controllers, FHECAP achieves a 4×–1000× reduction in computational latency. We evaluate the effectiveness of FHECAP in the real-world application of encrypted control for spacecraft rendezvous. The simulation results show that FHECAP achieves real-time spacecraft rendezvous with negligible accuracy loss.
PaperID: 281,   
Authors:  Tiong-Sik Ng, Jihyeon Kim, Andrew Beng Jin Teoh
Affiliations: School of Electrical and Electronics Engineering, College of Engineering, Yonsei University, Seoul, South Korea
Title: Flexible Secure Biometrics: A Protected Modality-Invariant Face-Periocular Recognition System
Abstract:
This paper introduces Flexible Secure Biometrics (FSB), a novel learning framework that protects biometric templates across face-periocular modalities in intra- and cross-modality recognition tasks. The increasing flexibility of biometric recognition systems, which can match multiple template modalities, also escalates the security risks of tampering and misuse. To address these challenges, we propose the FSB-HashNet architecture, which integrates two key components: a periocular-face feature extractor and an adversarial hash generator. The feature extractor identifies and emphasizes shared prominent features between periocular and face modalities, creating modality-invariant representations. Meanwhile, the adversarial network simultaneously generates secure hash codes and ensures alignment across different modalities, preserving modality-invariant characteristics. The FSB-HashNet employs a two-factor protection mechanism using a subject’s biometric data and a user-specific key, resulting in robust, protected hash codes that offer image-level security without compromising recognition performance. Our comprehensive experiments on diverse, in-the-wild datasets under open-set conditions demonstrate the framework’s ability to maintain key security properties (unlinkability, revocability, and non-invertibility) while preserving decent recognition accuracy. Code is publicly available at https://github.com/tiongsikng/fsb_hashnet
PaperID: 282,   
Authors:  Xiangrui Xu, Yiwen Zhao, Yufei Han, Yongsheng Zhu, Zhen Han, Guangquan Xu, Bin Wang, Shouling Ji, Wei Wang
Affiliations: School of Information Science and Technology, Qingdao University of Science and Technology, Qingdao, China; Thomas Lord Department of Computer Science, University of Southern California, Los Angeles, CA, USA; INRIA, Rennes, Brittany, France; Institute of Computing Technologies, China Academy of Railway Sciences Corporation Ltd., Beijing, China; Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, China; Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing, Tianjin University, Tianjin, China; Zhejiang Key Laboratory of Artificial Intelligence of Things (AIoT) Network and Data Security, Hangzhou, China; College of Computer Science and Technology, Zhejiang University, Zhejiang, China; Ministry of Education Key Laboratory for Intelligent Networks and Network Security, Xi’an Jiaotong University, Xi’an, China
Title: VFLMonitor: Defending One-Party Hijacking Attacks in Vertical Federated Learning
Abstract:
Vertical Federated Learning (VFL) is susceptible to various one-party hijacking attacks, such as Replay and Generation attacks, where a single malicious client can manipulate the model to produce attacker-specified results, thereby compromising its reliability in real-world deployments. In this paper, we first uncover the underlying mechanisms of these attacks and observe that successful attacks induce significant discrepancies in the embedding-label associations across different clients. We establish a theoretical framework demonstrating how these discrepancies can serve as reliable indicators for detecting hijacking attempts. Building upon this insight, we propose VFLMonitor, a robust defense mechanism that leverages these embedding-label discrepancies to detect and mitigate hijacking attacks. Specifically, VFLMonitor identifies suspicious queries by analyzing differences in label estimations from multiple clients and applies a majority voting rule to correct or filter out these malicious queries. Moreover, VFLMonitor introduces a novel regularization strategy during training to reduce intra-class variance in embeddings, thereby enhancing their discriminative power and improving defense effectiveness. Extensive experiments were conducted on 5 real-world datasets against 2 different attack types under 3 attack scenarios. The results demonstrate that VFLMonitor can effectively identify and exclude potential hijacked requests in all types of one-party hijacking attacks, while maintaining a meager false positive rate for legitimate queries.
PaperID: 283,   
Authors:  Mattia Piana, Francesco Ardizzon, Stefano Tomasin
Affiliations: Department of Information Engineering, University of Padova, Padua, Italy
Title: Challenge-Response to Authenticate Drone Communications: A Game Theoretic Approach
Abstract:
As drones are increasingly used in various civilian applications, the security of drone communications is a growing concern. In this context, we propose novel strategies for challenge-response physical layer authentication (CR-PLA) of drone messages. The ground receiver (verifier) requests the drone to move to a defined position (challenge), and authenticity is verified by checking whether the corresponding measured channel gain (response) matches the expected statistic. In particular, the challenge is derived from a mixed strategy obtained by solving a zero-sum game against the intruder, which in turn decides its own positions. In addition, we derive the optimal strategy for multi-round authentication, where the CR-PLA procedure is iterated over several rounds. We also consider the energy minimization problem, where legitimate users want to minimize the energy consumption without compromising the security performance of the protocol. The performance of the proposed scheme is tested in terms of both security and energy consumption through numerical simulations, considering different protocol parameters, different scenarios (urban and rural), different drone altitudes, and also in the context of drone swarms.
PaperID: 284,   
Authors:  Xiaorong Jing, Rui Wang, Hongjiang Lei, Hongqing Liu, Qianbin Chen
Affiliations: School of Communications and Information Engineering, Chongqing University of Posts and Telecommunications, Chongqing, China; Chongqing Key Laboratory of Mobile Communications Technology, Chongqing, China
Title: Multi-Agent Discrete Soft Actor-Critic Algorithm-Based Multi-User Collaborative Anti-Jamming Strategy
Abstract:
In multi-user adversarial scenarios involving external malicious jamming and internal co-channel interference, environmental instability and increased decision-making dimensions cause traditional deep reinforcement learning (DRL)-based anti-jamming schemes to suffer from insufficient exploration. Agents must choose policies from a large action set, leading to a significant decline in anti-jamming performance. To address these issues, this paper proposes a multi-agent discrete soft actor-critic (MA-DSAC) algorithm-based collaborative anti-jamming strategy, integrating frequency, power, and modulation-coding domains. This strategy first introduces a Markov game to model and analyze the multi-user anti-jamming problem. Next, the soft actor-critic (SAC) algorithm is discretized to handle the multi-dimensional discrete action space. Finally, through information exchange between communication transceivers and based on a centralized training with decentralized execution (CTDE) framework, it is extended to a multi-agent DRL algorithm to achieve efficient multi-user cooperative anti-jamming. Simulation results show that in various anti-jamming scenarios with both fixed-mode and intelligent jammers, the proposed anti-jamming strategy’s performance improves by more than 25% compared to traditional value-based DRL strategies, including independent deep Q-network (I-DQN) and multi-agent virtual exploration in deep Q-learning (MA-VEDQL). Furthermore, through information exchange between communication transceivers, the instability problem of multi-agent DRL is effectively alleviated, enabling the communication transceivers to balance competition and cooperation. Consequently, its anti-jamming performance improves by more than 6% compared to the independent DSAC (I-DSAC) strategy.
PaperID: 285,   
Authors:  Xinghan Shao, C. Chang, John Q. Gan, Haixian Wang
Affiliations: Key Laboratory of Child Development and Learning Science of Ministry of Education, School of Biological Science and Medical Engineering, Southeast University, Nanjing, Jiangsu, China; College of Electronic Engineering, National University of Defense Technology, Hefei, Anhui, China; School of Computer Science and Electronic Engineering, University of Essex, Colchester, U.K.
Title: An Interpretable Contrastive Learning Transformer for EEG-Based Person Identification
Abstract:
Research on electroencephalogram (EEG)-based person identification is increasing because EEG signals must be collected from the living body, making them difficult to steal or alter. However, EEG signals are greatly influenced by subjects’ states, and most studies on EEG-based person identification have overlooked this influence. In this study, we propose an interpretable contrastive learning transformer to tackle the impact of state changes on EEG-based person identification. Contrastive learning transformers construct pairs of EEG signal feature samples to capture state-independent and identity-distinct features. Specifically, the power spectral density (PSD) of EEG signals from the same user in different paradigms is used as positive samples, while the PSD from other users is used as negative samples. Pairs of samples are encoded to obtain corresponding features and then projected into a contrastive space through a multi-layer perceptron. Then, the NT-Xent loss function minimizes the distance between positive samples within the same batch and maximizes the distance between negative samples. Finally, to eliminate bias between positive sample pairs from different paradigms, we introduce the cross-paradigm alignment loss for the first time to capture individual consistency. We evaluated our model on two datasets. Dataset 1 contains EEG signals from 109 individuals, recorded across multiple paradigms designed to elicit different states. Dataset 2 consists of EEG signals from 71 individuals, collected across two sessions, with each session including two paradigms. We evaluated the accuracy of both single-paradigm and cross-paradigm recognition. Our proposed model outperforms state-of-the-art models for EEG-based person identification.
We also conducted experiments on electrode attention visualization to capture the brain regions that the model focuses on, and the results demonstrate that, unlike in the single-paradigm setting, models trained in the cross-paradigm setting focus on fewer electrodes and more concentrated regions.
PaperID: 286,   
Authors:  Annyu Liu, An Wang, Shaofei Sun, Congming Wei, Yaoling Ding, Yongjuan Wang, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; Institute of Cyberspace Security, Information Engineering University, Zhengzhou, China
Title: CL-SCA: A Contrastive Learning Approach for Profiled Side-Channel Analysis
Abstract:
Side-channel analysis (SCA) based on machine learning, particularly neural networks, has gained considerable attention in recent years. However, previous works predominantly focus on establishing connections between labels and related profiled traces. These approaches primarily capture label-related features and often overlook the connections between traces of the same label, resulting in the loss of some valuable information. Besides, the attack traces also contain valuable information that can be used in the training process to assist model learning. In this paper, we propose a profiled SCA approach based on contrastive learning named CL-SCA to address these issues. This approach extracts features by emphasizing the similarities among traces, thereby improving the effectiveness of key recovery while maintaining the advantages of the original SCA approach. Through experiments on different datasets from different platforms, we demonstrate that CL-SCA significantly outperforms other approaches. Moreover, by incorporating attack traces into the training process using our approach, we can further enhance its performance. This extension can improve the effectiveness of key recovery, which is fully verified through experiments on different datasets.
PaperID: 287,   
Authors:  Jiacheng Wang, Hongyang Du, Yinqiu Liu, Geng Sun, Dusit Niyato, Shiwen Mao, Dong In Kim, Xuemin Shen
Affiliations: College of Computing and Data Science, Nanyang Technological University, Nanyang Ave, Singapore; Department of Electrical and Electronic Engineering, The University of Hong Kong, Pok Fu Lam, Hong Kong; College of Computer Science and Technology, Jilin University, Changchun, China; Department of Electrical and Computer Engineering, Auburn University, Auburn, AL, USA; Department of Electrical and Computer Engineering, Sungkyunkwan University, Suwon, South Korea; Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, Canada
Title: Generative AI Based Secure Wireless Sensing for ISAC Networks
Abstract:
Integrated sensing and communications (ISAC) is one of the crucial technologies for 6G, and channel state information (CSI) based sensing serves as an essential part of ISAC. However, current research on ISAC focuses mainly on improving sensing performance, overlooking security issues, particularly the unauthorized sensing of users. Hence, this paper proposes a diffusion model based secure sensing system (DFSS). Specifically, we first propose a discrete conditional diffusion model to generate graphs with nodes and edges, which guides the ISAC system to appropriately activate wireless links and nodes, ensuring the sensing performance while minimizing the operation cost. Using the activated links and nodes, DFSS then employs the continuous conditional diffusion model to generate safeguarding signals, which are next modulated onto the pilot at the transmitter to mask fluctuations caused by user activities. As such, only authorized ISAC devices with the safeguarding signals can extract the true CSI for sensing, while unauthorized devices are unable to perform effective sensing. Experimental results demonstrate that DFSS can reduce the activity recognition accuracy of unauthorized devices by approximately 70%, effectively shielding the user from illegitimate surveillance.
PaperID: 288,   
Authors:  Huan Bao, Kaimin Wei, Yongdong Wu, Jin Qian, Robert H. Deng
Affiliations: College of Cyber Security, Guangdong Provincial Key Laboratory of Data Security and Privacy Protection, and Guangdong Institute of Smart Education, Jinan University, Guangzhou, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Distributional Black-Box Model Inversion Attack With Multi-Agent Reinforcement Learning
Abstract:
Model Inversion (MI) attacks based on Generative Adversarial Networks (GAN) aim to recover private training data from complex deep learning models by searching codes in the latent space. However, this method merely searches in a deterministic latent space, resulting in suboptimal latent codes. Additionally, existing distributional MI schemes assume that an attacker can access the structures and parameters of the target model, which is not always feasible in practice. To address these limitations, this paper proposes a novel Distributional Black-Box Model Inversion (DBB-MI) attack by constructing a probabilistic latent space for searching private data. Specifically, DBB-MI does not require the target model’s parameters or specialized GAN training. Instead, it identifies the latent probability distribution by integrating the output of the target model with multi-agent reinforcement learning techniques. Then, it randomly selects latent codes from the latent probability distribution to uncover private data. As the latent probability distribution closely mirrors the target privacy data in the latent space, the recovered data effectively leaks the privacy of the target model’s training samples. Extensive experiments conducted on diverse datasets and networks demonstrate that our DBB-MI outperforms state-of-the-art MI attacks in terms of attack accuracy, K-nearest neighbor feature distance, and peak signal-to-noise ratio.
PaperID: 289,   
Authors:  Fuquan Gan, Yan Wo
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, China
Title: Boosting the Transferability of Adversarial Examples Through Gradient Aggregation
Abstract:
Deep neural networks (DNNs) have been demonstrated to be vulnerable to meticulously crafted adversarial examples. Transfer-based attacks, which do not require access to the target model’s information, have emerged as a substantial threat to the deployment of DNNs in real-world scenarios. Although considerable work has been conducted to enhance adversarial transferability from various perspectives, the transferability remains suboptimal. In this work, we propose a novel transfer-based attack, termed Gradient Aggregation Attack (GAA). Inspired by the observation that flatter local minima can improve transferability, GAA incorporates both the worst-aware loss and substitute loss into the objective function. The worst-aware loss represents the maximum loss within the neighborhood of the adversarial example, while the substitute loss quantifies the difference between the worst-aware loss and the empirical loss, serving as a measure of the flatness of the local minima region. By optimizing the empirical loss alongside these two losses, GAA is capable of generating adversarial examples within a flat local minimum region while simultaneously enhancing its flatness, ultimately surpassing all baselines. Specifically, since directly optimizing the worst-aware loss incurs substantial computation during adversarial example generation, we approximate the worst-aware loss with a first-order Taylor expansion to mitigate this computational cost. Rigorous theoretical analysis and extensive experiments demonstrate that our proposed GAA method generates adversarial examples corresponding to flatter local minima regions. Compared to existing transfer-based attacks, GAA effectively enhances adversarial transferability, regardless of whether the target model is normally trained or an advanced defense model.
PaperID: 290,   
Authors:  Rukhsana Ruby, Basem M. ElHalawany, Quoc-Viet Pham, Kaishun Wu, Lu Wang
Affiliations: College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, China; Department of Electronics and Communication Engineering, Kuwait College of Science and Technology, Doha, Kuwait City, Kuwait; School of Computer Science and Statistics, Trinity College Dublin, Dublin, Ireland; Department of Computer Science and Engineering, Hong Kong University of Science and Technology (Guangzhou), Guangdong, China
Title: Impact of UAV-Based Transmitter Mobility on Physical Layer Security
Abstract:
Owing to flexible management and low overhead, wireless physical layer security (PLS) has been applied to support many critical applications (e.g., data dissemination) of unmanned aerial vehicle (UAV)-based mobile communication networks in emergency scenarios. Although the impact of static network scenarios or receiver mobility on PLS has been well studied, there is not much work that studies the impact of UAV-based transmitter mobility on PLS. To fill this gap, in this paper, we investigate the PLS of a scenario where a randomly mobile UAV-based transmitter transmits information to a static ground entity under a Rayleigh fading channel. More specifically, we consider a communication system in which a mobile UAV hovers over a region to collect information and then disseminates this information to a static ground network entity in a confidential manner in the presence of an eavesdropper. Because of its popularity and practicality, the UAV is assumed to hover following the random way point (RWP) mobility model. We investigate the secrecy characteristics of the UAV in the steady state in terms of ergodic secrecy capacity (ESC), positive secrecy capacity probability (PSCP) and secrecy outage probability (SOP) for the communication between the UAV and the receiver. We then investigate the secrecy performance of the proposed system while considering the pause time of the RWP mobility model adopted by the UAV. We further extend our proposed theoretical model to other realistic scenarios, including the presence of multiple cooperative and non-cooperative eavesdroppers, and study the PSCP and SOP metrics of the corresponding system. Furthermore, we propose three types of secrecy improvement strategies for the considered communication model. We strike a good trade-off between the secrecy improvement and transmit outage probability.
Extensive simulations have been conducted to validate our theoretical analysis as well as the effectiveness of the proposed secrecy improvement strategies.
PaperID: 291,   
Authors:  Zenan Shi, Haipeng Chen, Yixin Jia, Dong Zhang, Wei Lu, Xun Yang
Affiliations: College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University, Changchun, China; College of Software, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University, Changchun, China; Department of Electronic and Computer Engineering, The Hong Kong University of Science and Technology, Hong Kong, China; School of Computer Science and Engineering, Ministry of Education Key Laboratory of Information Technology, Guangdong Province Key Laboratory of Information Security Technology, Sun Yat-sen University, Guangzhou, China; School of Information Science and Technology, University of Science and Technology of China, Hefei, China
Title: Customized Transformer Adapter With Frequency Masking for Deepfake Detection
Abstract:
The rapid advancement of AI-generated content has intensified concerns over deepfakes due to increasingly sophisticated and visually convincing forgeries. To this end, the pre-trained Vision Transformer (ViT) model has become a de facto choice for deepfake detection, thanks to its powerful learning capability. Despite favorable results achieved by existing ViT-based methods, they have inherent limitations that could result in suboptimal performance in scenarios with continuously evolving forgery techniques, such as overfitting to single forgery patterns or placing excessive emphasis on dominant forgery regions. In this paper, we propose CUTA, a simple yet effective deepfake detection paradigm that utilizes ViT adapters as the medium and fully exploits the spatial- and frequency-domain features of given images to overcome the limitations of existing methods. Specifically, CUTA focuses on frequency domain masking within the input space, which obscures parts of the high-frequency image to intensify the training challenge while preserving subtle forgery cues in the frequency domain to facilitate comprehensive forgery representations. Furthermore, we propose two task-customized modules within the ViT model, i.e., the texture enhancement module and the multi-scale perceptron module, to seamlessly integrate local texture and rich contextual features. These two modules ensure an organic interaction between the task-specific forgery patterns and general semantic features within the pre-trained ViT framework. The experimental results on several publicly available benchmarks demonstrate CUTA’s superiority in performance, particularly showcasing its significant advantages in both cross-dataset and cross-manipulation scenarios. Code and models are available at https://github.com/Zenanshi92/CUTA
PaperID: 292,   
Authors:  Jianze Wei, Xingyu Gao, Yunlong Wang, Ran He, Zhenan Sun
Affiliations: Chinese Academy of Sciences, Institute of Microelectronics, Beijing, China; New Laboratory of Pattern Recognition (NLPR), State Key Laboratory of Multimodal Artificial Intelligence Systems (MAIS), Institute of Automation, Chinese Academy of Sciences (CASIA), Beijing, China
Title: Uncertainty-Aware Bilateral Transformer for Accurate and Reliable Iris Segmentation
Abstract:
Iris segmentation is a deterministic and critical part of the iris recognition system. However, its performance is usually degraded by data uncertainty in acquisition and annotation, impeding more accurate recognition by the iris recognition system. In this paper, we propose a bilateral self-attention that explores spatial and visual relationships to effectively distinguish between iris and non-iris regions, then design a bilateral Transformer that enhances spatial perception and hierarchical feature fusion to mitigate the impact of acquisition uncertainty. Besides, iris segmentation uncertainty learning is developed to estimate the uncertainty map according to prediction discrepancy. With the estimated uncertainty, a weighting scheme and a regularization term are designed to minimize the effect of annotation uncertainty. To investigate data uncertainty, the paper presents a challenging near-infrared iris dataset named UTIris. It comprises 3,690 images with high acquisition uncertainty and provides rich segmentation masks to explore annotation uncertainty. Furthermore, we manually label a large-scale iris dataset, ND-0405, with additional binary maps of iris masks to evaluate segmentation performance. Experimental results on UTIris and four other databases demonstrate the effectiveness of the proposed method in iris segmentation, and its segmentation improvement consequently promotes recognition accuracy.
PaperID: 293,   
Authors:  Liyan Chen, Bingwen Feng, Zhihua Xia, Wei Lu, Jian Weng
Affiliations: College of Cyber Security, Jinan University, Guangzhou, China; College of Cyber Security, Engineering Research Center of Trustworthy AI, Ministry of Education, Jinan University, Guangzhou, China; School of Computer Science and Engineering, Guangdong Province Key Laboratory of Information Security Technology, Ministry of Education Key Laboratory of Machine Intelligence and Advanced Computing, Sun Yat-sen University, Guangzhou, China
Title: Robust Generative Steganography for Image Hiding Using Concatenated Mappings
Abstract:
Generative steganography stands as a promising technique for information hiding, primarily due to its remarkable resistance to steganalysis detection. Despite its potential, hiding a secret image using existing generative steganographic models remains a challenge, especially in lossy or noisy communication channels. This paper proposes a robust generative steganography model for hiding full-size images. It relies on three proposed reversible concatenated mappings. The first mapping uses VQGAN with an order-preserving codebook to compress an image into a more concise representation. The second mapping incorporates error correction to further convert the representation into a robust binary representation. The third mapping devises a distribution-preserving sampling mapping that transforms the binary representation into the latent representation. This latent representation is then used as input for a text-to-image Diffusion model, which generates the final stego image. Experimental results show that our proposed scheme can freely customize the stego image content. Moreover, it simultaneously attains high stego and recovery image quality, high robustness, and provable security.
PaperID: 294,   
Authors:  Tiewei Qin, Bingwen Feng, Bingbing Zhou, Jilian Zhang, Zhihua Xia, Jian Weng, Wei Lu
Affiliations: College of Cyber Security, Jinan University, Guangzhou, China; College of Cyber Security, Engineering Research Center for Trustworthy AI, Ministry of Education, Jinan University, Guangzhou, China; School of Computer Science and Engineering, Ministry of Education Key Laboratory of Information Technology, Guangdong Province Key Laboratory of Information Security Technology, Sun Yat-sen University, Guangzhou, China
Title: JPEG Compression-Resistant Generative Image Hiding Utilizing Cascaded Invertible Networks
Abstract:
Generative steganography is renowned for its exceptional undetectability. However, prevalent generative methods often have insufficient capacity for concealing secret images. Furthermore, the sensitivity of commonly utilized generative models exacerbates the challenge of ensuring robustness against channel distortions such as JPEG compression. In this paper, we introduce a generative image hiding network that employs two invertible generators to transform secret images into stego images within a disparate image domain. Additionally, we seamlessly integrate an up-and-down sampling module (UDM) within these generators to facilitate efficient decoupling of the intermediate representations obtained by each generator. The UDM serves multiple purposes: preserving coherence between the intermediate representations, enhancing resilience against JPEG compression, and safeguarding the confidentiality of the concealed images. To address the complexity of mapping both uncompressed and compressed stego images to a unified intermediary representation, we implement two distinct flows for the forward and backward processes of the generator associated with the stego images. The experimental results show that our scheme offers concurrent advantages in terms of full-size image hiding ability, undetectability, confidentiality, and robustness.
PaperID: 295,   
Authors:  Zhenbang Peng, Jianqi Chen, Zhenwei Shi, Zhengxia Zou
Affiliations: Department of Aerospace Intelligent Science and Technology, School of Astronautics, Beihang University, Beijing, China
Title: Physical Adversarial Camouflage Generation in Optical Remote Sensing Images
Abstract:
Physical adversarial examples in optical remote sensing have garnered significant attention in recent years due to their practicality and high adversarial threat potential. However, existing methods focus on position-fixed adversarial patches, neglecting tailored considerations for the domain-specific texture patterns and mobility required by aerial platforms. To address the issues above, we propose a novel method of physical adversarial camouflage generation for the first time in optical remote sensing, which paints adversarial camouflage with specialized textures onto the targets to escape detection by DNN-based models. In pursuit of a synthesis of visual harmony and adversarial attack potency, we propose a “latent variable-based” adversarial camouflage generation approach, in which we introduce a texture generator controlled by a group of latent variables to generate camouflage patterns with adversarial properties. By employing this idea, we can constrain the search domain for adversarial examples to the domain characterized by camouflage exhibiting textures with high visual harmony, and easily focus on finding the most threatening ones during the optimization. We chose airplanes as the object of interest and object detection as the typical reconnaissance method in experiments. Our method achieved high attack success rates (ASRs) against a majority of existing detection models. Comparison with existing pixel-level optimization methods confirmed that the integration of a dedicated generator helps solve the trade-off dilemma between visual harmony and adversarial potency. Real-world experiments involving targets painted with our developed adversarial camouflage confirmed the adversarial attack potency and practicality, with a more than 50% increase on average in the ASRs compared to the conventional camouflage.
PaperID: 296,   
Authors:  Pengfei Liu, Wei Wang, Ziqin Feng, Yang Peng, Hikmet Sari, Guan Gui
Affiliations: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Data-Efficient Few-Shot Specific Emitter Identification Using Bi-Interpolative Metric Learning
Abstract:
Specific emitter identification (SEI), a crucial technology at the physical layer of communication protocols, exploits unique radio frequency fingerprints (RFFs) to distinguish between individual emitters. Deep learning (DL) has been widely applied to SEI due to its remarkable capability in uncovering hidden features and distinguishing between different devices. However, DL-based SEI approaches typically require extensive labeled datasets, which are difficult to obtain in real-world scenarios, thus limiting their practical applicability. To address this challenge, we propose a novel few-shot SEI (FS-SEI) method based on bi-interpolative metric learning (Bi-InterML), greatly reducing the amount of data needed to adapt the algorithm to a new environment and simultaneously avoiding pretraining. Our approach enhances data quality through wavelet coefficient-based and sequence bi-interpolation, generating enriched data used alongside the original dataset for classification via a complex-valued convolutional neural network (CVCNN). Additionally, interpolative metric learning (IML) is employed to constrain feature distances, enhancing feature discriminability. Experimental results on a real-world Wi-Fi dataset demonstrate the effectiveness of the proposed Bi-InterML-based FS-SEI method, achieving an identification accuracy of 91.48% with 10 samples per category, while it outperforms comparative methods by a margin of 9.64% to 43.18% in the case of 1 sample per category. Furthermore, its generalizability is validated on the base station (BS) dataset, where the proposed method consistently outperforms existing approaches in few-shot scenarios.
PaperID: 297,   
Authors:  Lin Wang, Yuan Zhang, Xiaoting Chen, Min Yang
Affiliations: School of Computer Science, Fudan University, Shanghai, China
Title: Locating Security Patch Variants With Two-Dimensional Code Commit Features
Abstract:
Security patches play a crucial role in the battle against Open Source Software (OSS) vulnerabilities. Meanwhile, to facilitate the development of OSS projects, both upstream and downstream developers often maintain multiple branches. Due to the different code contexts among branches, multiple security patch variants exist for the same vulnerability. Hence, to ease the management of OSS vulnerabilities, locating all patch variants of an OSS vulnerability is pretty important. However, existing works are mainly designed for locating a patch or several patches for a vulnerability but cannot locate all its patch variants. In this paper, we study the problem of how to accurately locate all variants of a given security patch. We motivate the problem with a preliminary study, which shows that it is rather challenging to locate all patch variants, even with a reference patch, due to the diverse practice of OSS developers in backporting patches. To overcome these challenges, we propose a new patch location method to locate all variants of a patch in a code repository (e.g., a software or a specific version). Based on our findings in the preliminary study, our method employs a rule-based model and incorporates two-dimensional code commit features that are specifically designed for the task of patch variant location: similarity features and representative features. With a ground truth patch variants dataset, our method achieves a precision of 99.68% and a recall of 98.81% and significantly outperforms two state-of-the-art baselines (PatchScout and Tracer). Besides, our method shows strong capability in locating patch variants at both upstream and downstream code repositories.
PaperID: 298,   
Authors:  Jun Niu, Xiaoyan Zhu, Moxuan Zeng, Ge Zhang, Qingyang Zhao, Chunhui Huang, Yangming Zhang, Suyu An, Yangzhong Wang, Xinghui Yue, Zhipeng He, Weihao Guo, Kuo Shen, Peng Liu, Lan Zhang, Jianfeng Ma, Yuqing Zhang
Affiliations: School of Cyber Engineering and the School of Computer Science and Technology, Xidian University, Xi’an, China; School of Telecommunications Engineering, Xidian University, Xi’an, China; School of Cyberspace Security, Hainan University, Haikou, China; School of Cyber Engineering, Xidian University, Xi’an, China; College of Information Science and Engineering, Yanshan University, Qinhuangdao, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, China; The Pennsylvania State University, State College, PA, USA; School of Informatics, Computing and Cyber Systems, Northern Arizona University, Flagstaff, AZ, USA
Title: Comparing Different Membership Inference Attacks With a Comprehensive Benchmark
Abstract:
Membership inference (MI) attacks pose a significant threat to user privacy in machine learning systems. While numerous attack mechanisms have been proposed in the literature, the lack of standardized evaluation parameters and metrics has led to inconsistent and even conflicting comparison results. To address this issue and facilitate a systematic analysis of these disparate findings, we introduce MIBench, a comprehensive benchmark that includes a suite of carefully designed evaluation scenarios (ESs) and evaluation metrics to provide a consistent framework for assessing the efficacy of various MI techniques. The ESs are crafted to encompass four critical factors: intra-dataset distance distribution, inter-sample distance within the target dataset, differential distance analysis, and inference withholding ratio. In total, MIBench includes ten typical evaluation metrics and incorporates 84 distinct ESs for each dataset. Using MIBench, we conducted a thorough comparative analysis of 15 state-of-the-art MI attacks across 588 ESs, seven widely adopted datasets, and seven representative model architectures. Our analysis revealed 83 instances of Conflicting Comparison Results (CCR), providing substantial evidence for the CCR Phenomenon. We identified two CCR types: Type 1 (single-factor) and Type 2 (dual-factor). The distribution of CCR instances across the four critical factors was: inter-sample distance (40.96%), differential distance (37.35%), inference withholding ratio (19.28%), and intra-dataset distance (2.41%). All MIBench codes and evaluations are available at https://github.com/MIBench/MIBench.github.io/blob/main/README.md.
PaperID: 299,   
Authors:  Jiyu Tian, Mingchu Li, Li-Ming Chen, Zumin Wang, Xiaoyu Nie, Jing Qin
Affiliations: School of Software, Dalian University of Technology, Dalian, China; School of Computer and Information Engineering, Jiangxi Normal University, Nanchang, Jiangxi, China; School of Computer Science and Technology, Dalian University of Technology, Dalian, China; College of Information Engineering, Dalian University, Dalian, China; School of Software Engineering, Dalian University, Dalian, China
Title: SSDALog: Semi-Supervised Domain Adaptation for Incremental Log-Based Anomaly Detection
Abstract:
Log-based anomaly detection (LAD) is one of the dominant approaches to improving the reliability and security of software systems. Presently, despite the efficacy demonstrated by state-of-the-art LAD approaches in processing static log events, their performance significantly degrades when confronting changes in log event types from system updates. To construct a reliable LAD model that could adapt well to the evolution of log data, we propose a method grounded in semi-supervised domain adaptation on the rationale of incremental log anomaly detection, dubbed SSDALog, which dynamically updates the model utilizing limited labeled samples to reconcile distributional shifts between evolving and historical data. Specifically, the proposed approach addresses the issue through two primary mechanisms: (i) creation of a cross-domain mixup algorithm, which computes the feature salience of log discrete sequences through an occlusion strategy, thus enhancing the adaptability of the model to unknown patterns by mixing evolving features; and (ii) design of an incremental semi-supervised domain adaptation training framework based on noisy label learning to obtain a robust feature extractor, thus improving the generalization ability of the detection model. We empirically assess the efficacy of the SSDALog approach across two publicly available datasets. The experimental results show that our method outperforms the SOTA LAD approach, particularly for evolving systems.
PaperID: 300,   
Authors:  Giuseppe Floris, Christian Scano, Biagio Montaruli, Luca Demetrio, Andrea Valenza, Luca Compagna, Davide Ariu, Luca Piras, Davide Balzarotti, Battista Biggio
Affiliations: Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy; Department of Digital Security, EURECOM, Biot, France; Department of Informatics, Bioengineering, Robotics and Systems Engineering (DIBRIS), University of Genova, Genova, Italy; Prima Assicurazioni, Milano, Italy; Endor Labs, Palo Alto, CA, USA; Pluribus One, Cagliari, Italy
Title: ModSec-AdvLearn: Countering Adversarial SQL Injections With Robust Machine Learning
Abstract:
Many Web Application Firewalls (WAFs) leverage the OWASP Core Rule Set (CRS) to block incoming malicious requests. The CRS consists of different sets of rules designed by domain experts to detect well-known web attack patterns. Both the set of rules and the weights used to combine them are manually defined, yielding four different default configurations of the CRS. In this work, we focus on the detection of SQL injection (SQLi) attacks, and show that the manual configurations of the CRS typically yield a suboptimal trade-off between detection and false alarm rates. Furthermore, we show that these configurations are not robust to adversarial SQLi attacks, i.e., carefully-crafted attacks that iteratively refine the malicious SQLi payload by querying the target WAF to bypass detection. To overcome these limitations, we propose (i) using machine learning to automate the selection of the set of rules to be combined along with their weights, i.e., customizing the CRS configuration based on the monitored web services; and (ii) leveraging adversarial training to significantly improve its robustness to adversarial SQLi manipulations. Our experiments, conducted using the well-known open-source ModSecurity WAF equipped with the CRS rules, show that our approach, named ModSec-AdvLearn, can (i) increase the detection rate up to 30%, while retaining negligible false alarm rates and discarding up to 50% of the CRS rules; and (ii) improve robustness against adversarial SQLi attacks up to 85%, marking a significant stride toward designing more effective and robust WAFs. We release our open-source code at https://github.com/pralab/modsec-advlearn
PaperID: 301,   
Authors:  Dan Lu, Zhenxue Chen, Chengyun Liu, Yuchen Hu, Lei Cai, Q. M. Jonathan Wu
Affiliations: School of Control Science and Engineering, Shandong University, Jinan, China; School of Artificial Intelligence, Henan Institute of Science and Technology, Xinxiang, China; Department of Electrical and Computer Engineering, University of Windsor, Windsor, ON, Canada
Title: Few-Shot Facial Sketch Synthesis via Progressive Domain Gap Reduction
Abstract:
Facial sketch synthesis (FSS) has advanced significantly in recent years, but challenges remain in few-shot settings. Some few-shot learning methods can convert photos (source domain) into sketches of a specified style (target sketch domain). However, they overlook the available samples of other sketch styles (non-target sketch domains). We argue that the information in these samples can help the model enhance its mapping ability from the source domain to the target domain. This paper proposes a progressive domain gap reduction (PDGR) method for few-shot facial sketch synthesis, which consists of three stages: teacher training, knowledge distillation, and intra-domain few-shot adaptation. In the first stage, we adapt a pretrained StyleGAN to a non-target sketch domain with more available samples than the target sketch domain. To generate diverse and high-quality sketches, we employ a dual-discriminator adversarial mechanism to guide the model in focusing on the overall structure and style, as well as multi-scale details and textures. In the second stage, the knowledge from StyleGAN is transferred to a U-Net for more efficient image translation. In the third stage, we adapt the output of the U-Net from the non-target sketch domain to the target sketch domain in few-shot settings. To alleviate overfitting, preserve individual characteristics, and enhance detail representation, we leverage the FFHQ dataset to construct dual training paths and design a domain-directional triple loss. Experiments show that PDGR significantly outperforms previous few-shot learning methods and even outperforms the state-of-the-art FSS methods trained on the full dataset.
PaperID: 302,   
Authors:  Chunxue Li, Weizhi Meng, Wenjuan Li
Affiliations: Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby, Denmark; School of Computing and Communications, Lancaster University, Lancaster, U.K.; Department of Mathematics and Information Technology, The Education University of Hong Kong, Hong Kong, SAR, China
Title: Enhancing EEG-Based Authentication With Transformer in Internet of Things
Abstract:
With the rapid growth of the Internet of Things (IoT) and edge computing platforms, the Internet of Medical Things (IoMT) has become popular and important in the healthcare industry, i.e., there is an increase in brainwave headsets and headbands. However, the security and privacy of shared data can be easily compromised if an attacker can access the IoMT devices and check all the data. There is a need to authenticate users before they can use the healthcare devices. For this reason, Electroencephalography (EEG) based authentication is a necessary security solution. In recent years, EEG-based authentication has witnessed significant advancements, but traditional models face challenges in capturing the complex spatial and temporal dependencies present in EEG signals. This work aims to address these limitations and explore the effect of the Transformer model in the domain of EEG-based authentication. In particular, we devise a modified Vision Transformer model (ViT) to handle the specific characteristics of EEG data, such as spatial and temporal dependencies. In the evaluation, we compare our approach with similar methods in the literature and examine the effect of fine-tuning on two datasets. The results demonstrate that our approach can effectively capture long-range dependencies and outperform conventional models.
PaperID: 303,   
Authors:  Shuyang Lin, Tong Jia, Hao Wang, Bowen Ma, Mingyuan Li
Affiliations: College of Information Science and Engineering, Northeastern University, Shenyang, Liaoning, China
Title: Open-Vocabulary Prohibited Item Detection for Real-World X-Ray Security Inspection
Abstract:
Computer-aided prohibited item detection is applied in X-ray security inspection to maintain public safety. However, existing prohibited item detectors are limited to a small set of categories in current X-ray datasets, posing potential risks to public security. Since constructing bigger datasets and annotating hundreds of categories is time-consuming and labor-intensive, scaling detectors to more categories with minimal supervision is of great importance. To this end, in this paper, we adopt an open-vocabulary object detection (OVOD) method to detect arbitrary unlabeled novel categories of prohibited items. OVOD methods typically rely on datasets with caption annotations, which are lacking in the domain of prohibited item detection. To support the research on OVOD in X-ray security inspection scenarios, we contribute the PIXray Caption dataset, the first X-ray dataset with image-caption pair annotations, which could benchmark and facilitate research in the community. Further, we propose a novel Open-Vocabulary Prohibited Item Detection (OVPID) network to leverage textual information from captions. OVPID contains two core modules, i.e., the Interference Resistant Module (IRM) and the Prediction Module (PM). Specifically, IRM includes two submodules, namely Edge Perception (EP) and Foreground Activation (FA), which are designed to address the dilemma of interference caused by the overlapping problem and complex backgrounds in X-ray images. PM consists of two branches for classification and localization. In the classification branch, PM generates more accurate prompts for the X-ray dataset via a large multimodal model (LMM). In the localization branch, PM aligns the student embeddings with both teacher and caption embeddings. Extensive experiments on the PIXray Caption dataset demonstrate that OVPID outperforms other OVOD methods by delivering a higher accuracy on novel categories.
PaperID: 304,   
Authors:  Yuntian Chen, Zhanyong Tang, Tianpei Lu, Bingsheng Zhang, Zhiying Shi, Zheng Wang
Affiliations: Shaanxi International Joint Research Centre for the Battery-Free Internet of Things, Xi’an Advanced Battery-Free Sensing and Computing Technology International Science and Technology Cooperation Base, Xi’an Key Laboratory of Advanced Computing and Software Security, and the School of Information Science and Technology, Northwest University, Xi’an, China; Shaanxi Key Laboratory of Passive Internet of Things and Neural Computing, Xi’an Key Laboratory of Advanced Computing and Software Security, and the School of Information Science and Technology, Northwest University, Xi’an, China; State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China; Internet of Things Research Center, Xi’an Key Laboratory of Advanced Computing and Software Security, and the School of Information Science and Technology, Northwest University, Xi’an, China; School of Computer Science, University of Leeds, Leeds, U.K.
Title: Accelerating Private Large Transformers Inference Through Fine-Grained Collaborative Computation
Abstract:
Homomorphic encryption (HE) and secret sharing (SS) enable computations on encrypted data, providing significant privacy benefits for large transformer-based models (TBM) in sensitive sectors like medicine and finance. However, private TBM inference incurs significant costs due to the coarse-grained application of HE and SS. We present FASTLMPI, a new approach to accelerate private TBM inference through fine-grained computation optimization. Specifically, through the fine-grained co-design of homomorphic encryption and secret sharing, FASTLMPI achieves efficient protocols for matrix multiplication, SoftMax, LayerNorm, and GeLU. In addition, FASTLMPI introduces a precise segmented approximation technique for differentiable non-linear functions, improving its fitting accuracy while maintaining a low polynomial degree. Compared to the BOLT solution (S&P’24), FASTLMPI shows a remarkable 25.1% to 55.3% decrease in runtime and an impressive 39.0% reduction in communication costs.
PaperID: 305,   
Authors:  Jingyi Yang, Zitong Yu, Jia He, Xiuming Ni, Liepiao Zhang, Hui Li, Xiaochun Cao
Affiliations: University of Science and Technology of China, Hefei, China; Great Bay University, Dongguan, China; Anhui Tsinglink Information Technology Company Ltd., Hefei, China; South China University of Technology, Guangzhou, China; Shenzhen Campus of Sun Yat-sen University, Shenzhen, China
Title: G2V2former: Graph Guided Video Vision Transformer for Face Anti-Spoofing
Abstract:
In videos containing spoofed faces, we may uncover the spoofing evidence based on either photometric or dynamic abnormality, or a combination of both. Prevailing face anti-spoofing (FAS) approaches generally concentrate on the single-frame scenario; however, purely photometric-driven methods overlook the dynamic spoofing clues that may be exposed over time. This may lead FAS systems to conclude incorrect judgments, especially in cases where it is easily distinguishable in terms of dynamics but challenging to discern in terms of photometrics. To this end, we propose the Graph Guided Video Vision Transformer (G2V2former), which combines faces with facial landmarks for the fusion of photometric and dynamic features. We factorize the attention into space and time and fuse them via a spatiotemporal block. Specifically, we design a novel temporal attention, called Kronecker temporal attention, which has a wider receptive field and is beneficial for capturing dynamic information. Moreover, we leverage the low-semantic motion of facial landmarks to guide the high-semantic change of facial expressions based on the motivation that regions containing landmarks may reveal more dynamic clues. Extensive experiments on nine benchmark datasets demonstrate that our method achieves superior performance under various scenarios. The codes will be released at https://github.com/yjyddq/GVformer
PaperID: 306,   
Authors:  Jia-Xiang Wang, Aihua Zheng, Lei Liu, Chenglong Li, Ran He, Jin Tang
Affiliations: School of Artificial Intelligence, Anhui University of Science and Technology, Hefei, China; Information Materials and Intelligent Sensing Laboratory of Anhui Province, Anhui Provincial Key Laboratory of Multimodal Cognitive Computation, and the School of Artificial Intelligence, Anhui University, Hefei, China; Institute of Automation, University of Chinese Academy of Sciences, Beijing, China; Anhui Provincial Key Laboratory of Multimodal Cognitive Computation, School of Computer Science and Technology, Anhui University, Hefei, China
Title: Adaptive Interaction and Correction Attention Network for Audio-Visual Matching
Abstract:
Audio-visual matching techniques aim to recognize and match information across different identities by learning a similarity metric across modalities. However, modal differences arise from insufficient cross-modal correlations and noise interference, which substantially hinder the performance of traditional deep metric learning methods in audio-visual matching tasks. To address the modal differences issue, we propose a novel Adaptive Interactive and Correction Attention Network (AICANet). This network efficiently captures deep information connections, generating modality-consistent feature embeddings within a unified metric framework. The core of AICANet is its two-pronged approach to reducing modal differences. First, we propose the Adaptive Interactive Attention (AIA) module, which flexibly establishes associations among cross-modal local features using dynamically generated pseudo-labels. Second, we propose the Adaptive Correction Attention (ACA) mechanism, which employs an adaptive threshold to effectively remove interference and accurately adjust the representation of local feature associations. Notably, the ACA mechanism is suitable for both intra-modal and inter-modal refined attention correction. Additionally, we design a relative distance stretching metric loss ($\mathcal{L}_{\mathrm{RDSM}}$), which reinforces the similarity invariance of feature embeddings in a uniform space and enhances matching accuracy. Extensive tests on the VoxCeleb and VoxCeleb2 datasets demonstrate that AICANet outperforms leading existing algorithms across several evaluation metrics, validating its superior performance. The codes can be found at https://github.com/w1018979952/AICANet.
PaperID: 307,   
Authors:  Chen Chen, Xinwei Zhao, Matthew C. Stamm
Affiliations: Department of Electrical and Computer Engineering, Drexel University, Philadelphia, PA, USA
Title: Generative Adversarial Attacks Against Deep-Learning-Based Camera Model Identification
Abstract:
Recently, deep learning techniques have gained popularity in multimedia forensics research designed to accomplish tasks such as camera model identification. However, despite the success of deep learning techniques, research has shown that they are vulnerable to adversarial perturbations. These adversarial perturbations can cause deep learning classifiers to misclassify images even though the perturbations are imperceptible to human eyes. To understand the vulnerabilities of deep-learning-based forensic algorithms, we propose a novel anti-forensic framework inspired by generative adversarial networks that is capable of falsifying an image’s source camera model. To accomplish this, we design a generator to anti-forensically falsify camera model traces in an image without introducing visually perceptible changes or artifacts. We propose two techniques to adversarially train this generator depending on the knowledge available to the attacker. In a white-box scenario when complete knowledge of an investigator’s camera model identification network is available to an attacker, we directly incorporate the network into our generator’s adversarial training strategy. In a black-box scenario when no internal details of the camera model classifier are available to the attacker, we construct a substitute network to mimic its decisions, then utilize this substitute network to adversarially train our generator. We conduct a series of experiments to evaluate the performance of our attack against several well-known CNN-based camera model classifiers. Experimental results show that our attack can successfully fool these CNNs in both white-box and black-box scenarios. Furthermore, our attack maintains high image quality and can be generalized to attack images from arbitrary source camera models.
PaperID: 308,   
Authors:  Wenhong Huang, Yunshu Dai, Jianwei Fei, Fangjun Huang
Affiliations: School of Cyber Science and Technology, Shenzhen Campus of Sun Yat-sen University, Shenzhen, China
Title: New Visible Watermark Protection Mechanism Based on Information Hiding
Abstract:
With the rise of digital media, protecting image property has become a critical issue. Visible watermarks, once a key tool for copyright protection, have become increasingly vulnerable to removal methods using deep neural networks (DNNs). This poses a significant threat to the ability of visible watermarks to protect image ownership and copyright. To address this increasingly severe challenge, we propose a novel visible watermark protection mechanism based on information hiding. Unlike traditional methods of directly adding perturbations to protected images, we hide adversarial perturbations in watermarked images through a specially designed reversible information exchange (RIE) module, which includes multiple discrete wavelet transform (DWT) and affine coupling blocks. This design can concentrate the perturbations on textured areas of the watermarked images, making them less visually noticeable. Meanwhile, theoretical analysis indicates that the difference between the adversarial image (i.e., the watermarked image after embedding the adversarial perturbation) generated by our method and the watermarked image is completely controllable. To evaluate the proposed mechanism in various scenarios, based on several widely used datasets (i.e., LOGO-Gray, LOGO-H, and LOGO-L), we further synthesize two new datasets, namely LOGO-Multi and LOGO-Full. LOGO-Multi contains images embedded with multiple watermarks, and LOGO-Full contains images embedded with a watermark covering the whole image. Extensive testing on five datasets demonstrates that, compared to the baseline methods, the proposed scheme can greatly improve the visual quality of adversarial images and enhance their capability to resist various watermark removal techniques. Code will be available at https://github.com/Aitchson Hwang/adversarial_visible_watermarking.
PaperID: 309,   
Authors:  Zhenju Zhang, Mingqian Liu, Yunfei Chen, Nan Zhao, Jie Tang, Kai-Kit Wong, George K. Karagiannidis
Affiliations: State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, Shaanxi, China; Department of Engineering, University of Durham, Durham, U.K.; School of Information and Communication Engineering, Dalian University of Technology, Dalian, China; School of Electronic and Information Engineering, South China University of Technology, Guangzhou, China; Department of Electronic and Electrical Engineering, University College London, London, U.K.; Department of Electrical and Computer Engineering, Aristotle University of Thessaloniki, Thessaloniki, Greece
Title: Adversarial Waveform Design for Wireless Transceivers Toward Intelligent Eavesdropping
Abstract:
In wireless communications, the communication channel between the transmitter and receiver can be monitored by an eavesdropper. The eavesdropper uses deep learning (DL) to quickly identify the modulation parameters of signals and further disrupt legitimate communications. Since DL has been proven to be vulnerable to adversarial attacks, this paper proposes to attack the eavesdropper’s model by designing adversarial waveforms, preventing the eavesdropper from correctly identifying the modulation schemes used by legitimate users, and thereby preventing the eavesdropper from interfering with normal communications. This paper proposes an attention-based black-box attack method, which uses the prediction of different networks in the ensemble model to assign adversarial attention factors to each network. This greatly improves the transmission attack performance of the designed adversarial examples. In addition, by analysing the influence of the channel on the adversarial waveform, we further design the adversarial waveform that can be transmitted in the channel to improve the practicability of the attack algorithm. Finally, we theoretically derive the bounds of the adversarial risk increase that the attack brings to the target model. Simulation results show that the proposed method can improve the success rate of the attack on the eavesdropper’s modulation detection model, cause the model to misidentify the signal modulation type, and improve the security and reliability of legitimate transceivers in wireless communication systems.
PaperID: 310,   
Authors:  Xiangyun Tang, Minyang Li, Meng Shen, Jiawen Kang, Liehuang Zhu, Zhiquan Liu, Guomin Yang, Dusit Niyato, Robert H. Deng
Affiliations: School of Information Engineering and Key Laboratory of Ethnic Language Intelligent Analysis and Security Governance of MOE, Minzu University of China, Beijing, China; School of Cyberspace Security, Beijing Institute of Technology, Beijing, China; School of Automation, Guangdong University of Technology, Guangzhou, China; College of Cyber Security, Jinan University, Guangzhou, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore
Title: ROBY: A Byzantine-Robust and Privacy-Preserving Serverless Federated Learning Framework
Abstract:
Federated Learning (FL) allows multiple data owners to jointly train machine learning models by sharing local models instead of raw private data, alleviating data privacy concerns. However, as the local computation of data owners is unpredictable, it increases its vulnerability to Byzantine attacks, where compromised data owners submit abnormal local models that can severely degrade global model accuracy. Existing Byzantine-robust FL methods depend on a semi-honest server executing predefined Byzantine-robust aggregation rules (ByRules) to filter out abnormal local models, but these methods fail when the server is compromised. Although recent serverless Byzantine-robust FL approaches mitigate the risk of a compromised server, they suffer from challenges in achieving consensus on ByRules and impose a heavy burden on privacy protection. In this paper, we propose ROBY, a novel serverless FL framework that extends existing ByRules to a decentralized setting, effectively defending against Byzantine attacks and ensuring privacy protection for local models. ROBY introduces a shared, dynamically updated consensus dataset that serves as a reliable benchmark for applying ByRules and enabling efficient consensus on ByRules among decentralized data owners. Moreover, we design a dual-layer privacy shielding strategy in ROBY to protect local model privacy without sacrificing global model accuracy or incurring extra computational and communication overhead. Extensive evaluations demonstrate that ROBY substantially enhances both Byzantine robustness and privacy protection compared to server-based FL methods.
PaperID: 311,   
Authors:  Xiaoxiao Qiao, Man Zhou, Hongwei Li, Xiaojing Zhu, Zhihao Yao, Houzhen Wang, Xiaojing Ma
Affiliations: Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Computer Science Department, New Jersey Institute of Technology, Newark, NJ, USA
Title: NUSGuard: Smart Device Anti-Eavesdropping Protection Based on Near-Ultrasonic Interference
Abstract:
Voice assistants (VAs) have become ubiquitous in smart devices, and are highly valued for their ability to perform a variety of tasks through voice interaction, offering users hands-free convenience. However, the always-on microphones of VAs have raised significant privacy concerns in recent years. In this paper, we propose and implement NUSGuard, a novel and practical anti-eavesdropping system. To our knowledge, it is the first system to utilize the built-in speakers of commercial off-the-shelf (COTS) devices for anti-eavesdropping, thereby eliminating the need for dedicated ultrasonic transmitters. Specifically, it exploits human ears’ insensitivity to near-ultrasonic signals and the inherent non-linearity of microphones to inject jamming noises into the microphones of unauthorized smart devices. Furthermore, we propose a robust mixed-noise scheme and a lexical-level automatic jammer control strategy, effectively disrupting unauthorized recordings while maintaining seamless voice interaction with authorized VA devices. Extensive digital and real-world experiments have demonstrated NUSGuard’s superior performance in terms of jamming effectiveness and security.
PaperID: 312,   
Authors:  Weichao Liang, Fengmao Lv, Lei Chen, Haicheng Tao, Min Shi, Xingquan Zhu, Jie Cao
Affiliations: School of Computing and Artificial Intelligence, Southwest Jiaotong University, Chengdu, Sichuan, China; College of Information Science and Technology, Nanjing Forestry University, Nanjing, Jiangsu, China; Jiangsu Provincial Key Laboratory of E-Business, Nanjing University of Finance and Economics, Nanjing, Jiangsu, China; School of Computing and Informatics, University of Louisiana at Lafayette, Lafayette, LA, USA; Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA; School of Management, Hefei University of Technology, Hefei, Anhui, China
Title: Citywide Multi-Step Crime Prediction via Context-Aware Bayesian Tensor Decomposition
Abstract:
Crime prediction, which focuses on forecasting the occurrence of criminal activities across city regions before they occur, constitutes an essential capability of surveillance systems designed to enhance urban security. While much effort has been invested in this field, most of the existing studies pay little attention to the influence of situational contexts on criminal activities, which hinders further improvement in prediction performance. To address this challenge, we propose a novel context-aware Bayesian tensor decomposition framework, namely cBTD-Crime, for citywide multi-step crime prediction. More specifically, cBTD-Crime first constructs a third-order tensor to simultaneously model spatial, temporal, and contextual factors and then applies the CP decomposition to exploit the intricate relationships between the three factors to facilitate the prediction process. To reduce the parameter tuning cost, cBTD-Crime further reformulates the problem from a probabilistic perspective, where a range of carefully selected distributions are placed on the spatial, temporal, and contextual latent factors. Finally, an efficient Gibbs sampling procedure is developed to generate a series of samples and the arithmetic mean is computed to obtain the predicted number of crime incidents. Experimental results show that cBTD-Crime achieves superior performance on real-world crime datasets in terms of different evaluation metrics.
PaperID: 313,   
Authors:  Jun Cheng, Hongjie Pang, Huaicheng Yan, Dan Zhang
Affiliations: School of Mathematics and Statistics, Guangxi Normal University, Guilin, China; Key Laboratory of Advanced Control and Optimization for Chemical Process of Ministry of Education, East China University of Science and Technology, Shanghai, China; Department of Automation, Zhejiang University of Technology, Hangzhou, China
Title: Protocol-Based PID Control of Switched Systems With DoS Attacks
Abstract:
This paper investigates the asynchronous PID control problem of switched systems under denial-of-service (DoS) attacks and proposes a collaborative framework combining a resilient adaptive event-triggering protocol (RAETP) and robust model predictive control (RMPC). In response to the limitations of the traditional Bernoulli-type DoS attack model, a variable-frequency DoS attack model is innovatively introduced, which describes the dynamic uncertainty of the attack frequency through a random variable, thereby enhancing the ability to characterize real-world network threats. Based on the switching mechanism of piecewise homogeneous sojourn probabilities, an asynchronous PID-RMPC controller is designed, which uses time-varying mode estimation probabilities to compensate for the mode mismatch caused by attacks, and the mean square stability conditions of the closed-loop system are rigorously derived. Simulation experiments show that the proposed RAETP can increase the effective data transmission rate under attacks compared with the static event-triggered (SETP) protocol, and the PID-RMPC strategy has achieved rapid convergence and robust stability in two simulation examples, verifying the engineering applicability of the theoretical method.
PaperID: 314,   
Authors:  Rui Sun, Yun Du, Guoxi Huang, Xuebin Wang, Jingjing Wu
Affiliations: Key Laboratory of Knowledge Engineering with Big Data (Ministry of Education), School of Computer and Information, Anhui Province Key Laboratory of Industry Safety and Emergency Technology, Hefei University of Technology, Hefei, China
Title: Implicit Alignment-Based Cross-Modal Symbiotic Network for Text-to-Image Person Re-Identification
Abstract:
Text-to-image person re-identification aims to utilize textual descriptions to retrieve specific person images from large image databases. The core challenge of this task lies in the significant feature differences between the abstract nature of text and the intuitiveness of images. Existing solutions primarily rely on explicit alignment of global or fine-grained local features, which lack flexibility and struggle to effectively capture and leverage subtle features and relationship information in multimodal data. Particularly, for different images of the same person, the emphasis in feature extraction should be adjusted according to the differences in text descriptions. To address these issues, this paper proposes a Cross-Modal Symbiotic Network (CMSN) based on implicit alignment. First, CMSN employs an Implicit Multi-scale Feature Integration (IMFI) module to implicitly extract and fuse multi-scale features from images and text, thereby adaptively capturing the feature relationships between the two modalities. Second, a Combined Representation Learning (CRL) module is used to produce a combined representation of the text and image features, utilizing a Combined-Representation Identity Alignment (CRIA) loss to align and constrain the identity centers of the three feature vectors. Finally, we design a Semi-Positive Triplet (SPT) loss function, which defines semi-positive samples using other images and texts of the same identity, providing additional supervisory information to the model and further reducing modality heterogeneity. Extensive experiments on the CUHK-PEDES dataset demonstrate that CMSN achieves an impressive Rank-1 and mAP accuracy of 76.46% and 70.28%, respectively, significantly outperforming existing SOTA methods.
PaperID: 315,   
Authors:  Mingyang Li, Weina Niu, Jiacheng Gong, Song Li, Mingxue Zhang, Xiaosong Zhang
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China
Title: BPFDex: Enabling Robust Android Apps Unpacking via Android Kernel
Abstract:
Malware developers exploit packing techniques to protect malicious apps from analysis. These evolving techniques, coupled with diverse anti-unpacker strategies, often render current studies ineffective in unpacking Android apps. In this study, we introduce BPFDex, a novel Android unpacking framework that leverages eBPF, a kernel component of the Android system. We successfully apply eBPF’s excellent kernel observability and tracing capability to Android unpacking, both on real devices and emulators. Operating within the kernel space, BPFDex avoids drawbacks of common unpacking techniques. BPFDex monitors apps across both native and kernel layers, restores Dex data from memory, and adapts to different packing strategies according to observed packing behaviors. Furthermore, we summarize patterns in anti-unpacker behaviors among Android packers, establishing criteria to improve existing unpacking strategies. We conduct extensive experiments on BPFDex by leveraging more than 3k apps packed by over eight different packers. The results demonstrate that BPFDex successfully bypasses anti-unpacker strategies and unpacks apps packed by various packers, in contrast to other unpackers that can handle at most two packers.
PaperID: 316,   
Authors:  Chunlong Xie, Jialing He, Ying Yang, Shangwei Guo, Tianwei Zhang, Tao Xiang
Affiliations: College of Computer Science, Chongqing University, Chongqing, China; Institute of High Performance Computing (IHPC) and the Centre for Frontier AI Research (CFAR), Agency for Science, Technology and Research (A*STAR), Fusionopolis, Singapore; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Semantic and Precise Trigger Inversion: Detecting Backdoored Language Models
Abstract:
Backdoor attacks pose a serious security threat to Natural Language Processing (NLP) models, allowing adversaries to manipulate model outputs through hidden triggers. Although backdoor detection methods have been developed to address this issue, existing approaches based on trigger inversion are effective only for simple, visible triggers. These methods struggle to handle semantically enhanced, invisible triggers and often fail to provide accurate backdoor determinations due to reliance on unreliable heuristics, making it difficult to reliably distinguish backdoored models from benign ones. This presents a critical gap in current detection techniques. To address these challenges, we propose a novel trigger inversion method, SemInv, that consists of two key contributions: consistent semantics inversion and identifiable condition inspection. Consistent semantics inversion introduces a new regularization technique into the trigger optimization process, enabling more effective inversion of semantically constrained triggers. Identifiable condition inspection assesses the attack performance margin across different identifiable conditions, providing robust evidence for distinguishing backdoored models from benign ones. We evaluate SemInv using the TrojAI round 6–8 datasets and demonstrate that it significantly outperforms state-of-the-art approaches in both backdoor detection accuracy and trigger inversion performance. Our method also proves effective against models with stealthy triggers, advancing the field of NLP security by offering a more comprehensive solution for identifying backdoor attacks. The code repository is at https://github.com/Bluedask/SemInv
PaperID: 317,   
Authors:  Xiuju Huang, Cong Zuo, Jun Shao, Junke Duan, Wei Wang, Yin Meng, Licheng Wang
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computer and Information Engineering, Zhejiang Gongshang University, Hangzhou, China; Institute for Advanced Study, Tsinghua University, Beijing, China
Title: Timed Anonymous Ring Signature With Application to Bidding Systems
Abstract:
Ring signatures enable a user to sign a message on behalf of a group while preserving both anonymity and unforgeability. Despite these strong privacy guarantees, they present regulatory challenges. To address these issues, we introduce a novel cryptographic primitive: timed anonymous ring signatures (TARS). Unlike group signatures, which rely on a trusted third party, TARS maintains the decentralization and unforgeability of traditional ring signatures while incorporating timed anonymity, allowing the signer’s identity to be disclosed by any user after a predetermined time period, denoted as T. To realize this, we propose a new CCA-secure timed public key encryption (TPKE) scheme that ensures correct decryption without the secret key after the time T. Building upon TPKE, we present two concrete TARS constructions that guarantee anonymity until time T and unforgeability at all times. To demonstrate its applicability, we apply TARS to a decentralized bidding system that is anti-collusion between the auctioneer and the bidders. The system ensures anonymous bidding while disclosing the winner’s identity after the bid announcement, maintaining a transparent, fair, and decentralized bidding process. Finally, experimental evaluations confirm the practicality and efficiency of the proposed schemes. Crucially, the TARS scheme extends conventional ring signature schemes with timed anonymity by introducing only a moderate computational overhead (experimentally measured at approximately 1.37 seconds under our configuration) while preserving their cryptographic robustness.
PaperID: 318,   
Authors:  Yucheng Wu, Yuncong Yang, Xiao Han, Leye Wang, Junjie Wu
Affiliations: Key Laboratory of High Confidence Software Technologies, Ministry of Education, and the School of Computer Science, Peking University, Beijing, China; Key Laboratory of Interdisciplinary Research of Computation and Economics, Ministry of Education, and the School of Information Management and Engineering, Shanghai University of Finance and Economics, Shanghai, China; Key Laboratory of Data Intelligence and Management, Ministry of Industry and Information Technology, and the School of Economics and Management, Beihang University, Beijing, China
Title: Learning-Based Privacy-Preserving Graph Publishing Against Sensitive Link Inference Attacks
Abstract:
Publishing graph data is widely desired to enable a variety of structural analyses and downstream tasks. However, it also potentially poses severe privacy leakage, as attackers may leverage the released graph data to launch attacks and precisely infer private information such as the existence of hidden sensitive links in the graph. Prior studies on privacy-preserving graph data publishing relied on heuristic graph modification strategies and it is difficult to determine the graph with the optimal privacy–utility trade-off for publishing. In contrast, we propose the first privacy-preserving graph structure learning framework against sensitive link inference attacks, named PPGSL, which can automatically learn a graph with the optimal privacy–utility trade-off. The PPGSL operates by first simulating a powerful surrogate attacker conducting sensitive link attacks on a given graph. It then trains a parameterized graph to defend against the simulated adversarial attacks while maintaining the favorable utility of the original graph. To learn the parameters of both parts of the PPGSL, we introduce a secure iterative training protocol. It can enhance privacy preservation and ensure stable convergence during the training process, as supported by the theoretical proof. Additionally, we incorporate multiple acceleration techniques to improve the efficiency of the PPGSL in handling large-scale graphs. The experimental results confirm that the PPGSL achieves state-of-the-art privacy–utility trade-off performance and effectively thwarts various sensitive link inference attacks.
PaperID: 319,   
Authors:  Lanxiang Chen, Yi Mu, Jiahui Yang, Robert H. Deng
Affiliations: College of Computer and Cyber Security, Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou, China; Faculty of Data Science, City University of Macau, Macau, SAR, China; School of Computing and Information Systems, Singapore Management University, Singapore
Title: Keyword-Pair Result Pattern Hiding Structured Encryption for Boolean Queries
Abstract:
Cash et al. [CRYPTO 2013] proposed the oblivious cross-tags (OXT) protocol to enable highly scalable searchable symmetric encryption (SSE) with support for Boolean queries. More recently, Lai et al. [CCS 2018] introduced the hidden cross-tags (HXT) protocol, an enhancement of OXT designed to eliminate “keyword-pair result pattern” (KPRP) leakage in conjunctive queries. However, while HXT prevents KPRP leakage in conjunctive queries, it suffers from low efficiency and remains vulnerable to KPRP leakage in disjunctive queries. In this paper, we propose the first efficient structured encryption scheme for Boolean queries (STE-BQ) that eliminates KPRP leakage for both disjunctive and conjunctive multi-keyword queries. Our approach introduces a novel index construction method based on prime number aggregation, which significantly reduces the number of comparisons required in multi-keyword searches, thereby improving efficiency. Security analysis confirms that STE-BQ satisfies CQA2-security. Experimental evaluations further demonstrate that STE-BQ achieves optimal performance in conjunctive query processing. While its disjunctive query time is slightly slower than that of OXT, STE-BQ is the only scheme that fully eliminates KPRP leakage for both conjunctive and disjunctive queries.
PaperID: 320,   
Authors:  Ye Lu, Shen Wang, Guopu Zhu, Zhaoyang Zhang, Jiwu Huang
Affiliations: School of Cyberspace Science, Harbin Institute of Technology, Harbin, China; Guangdong Laboratory of Machine Perception and Intelligent Computing, Faculty of Engineering, Shenzhen MSU-BIT University, Shenzhen, China
Title: FGMIA: Feature-Guided Model Inversion Attacks Against Face Recognition Models
Abstract:
Model Inversion Attacks (MIAs) against face recognition systems aim to reconstruct facial images of specific individuals from the recognition models. Existing MIA approaches commonly optimize the latent variables of Generative Adversarial Networks (GANs) iteratively, which can result in non-smooth optimizations due to the complexity and entanglement of latent space. Furthermore, the optimization guided by the target model’s gradients may generate high-confidence images with poor perceptual similarity to the target class. This paper introduces a novel perspective by reformulating the inversion attack as a conditional data distribution learning task. Based on this, we propose a Feature-Guided Model Inversion Attack (FGMIA), which learns the facial data distribution and integrates feature guidance as a conditional signal. Specifically, we treat the deconstructed target model as a feature encoder, which provides guidance during the training of a specialized feature-guided diffusion model. During the attack, feature encodings implicit in the target model are extracted and utilized to guide the reconstruction of private data. Extensive experiments demonstrate that FGMIA accurately reconstructs private data from face recognition models and significantly improves evaluation accuracy and perceptual similarity compared to state-of-the-art methods while maintaining comparable target confidence scores. Our code is available at https://github.com/MMCTTT/FGMIA_codes
PaperID: 321,   
Authors:  Haopeng Fan, Hailong Zhang, Yongjuan Wang, Wenhao Wang, Haojin Zhang, Qingjun Yuan
Affiliations: Henan Key Laboratory of Network Cryptography Technology, Zhengzhou, China; School of Control and Computer Engineering, North China Electric Power University, Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Multivariate Template Attack Against NTT-Based Polynomial Multiplication of Dilithium
Abstract:
Previous studies identified NTT-based polynomial multiplication in Dilithium as a primary target for side-channel analysis. Specifically, the leakage of $\hat{\mathbf{u}} = \hat{\mathbf{c}} \hat{\mathbf{s}}_1$ has been exploited to recover the private key $\mathbf{s}_1$ using correlation power analysis (CPA). However, evaluating the side-channel resistance of NTT-based polynomial multiplication solely through CPA is insufficient. Given that template attack (TA) is information-theoretically the most powerful form of side-channel attack, it is imperative to evaluate the resistance of NTT-based polynomial multiplication in Dilithium under TA. Moreover, previous studies have not exploited the leakage of $\hat{\mathbf{w}} = \hat{\mathbf{A}} \hat{\mathbf{y}}$ to recover $\mathbf{s}_1$. In this paper, we demonstrate for the first time that the leakage of $\hat{\mathbf{w}} = \hat{\mathbf{A}} \hat{\mathbf{y}}$ can be effectively exploited in TA to recover $\mathbf{s}_1$. Notably, the leakage of $\hat{\mathbf{w}} = \hat{\mathbf{A}} \hat{\mathbf{y}}$ can be up to $K$ times the leakage of $\hat{\mathbf{u}} = \hat{\mathbf{c}} \hat{\mathbf{s}}_1$, offering significant improvements in the efficiency of TA. We further propose a multivariate template attack (MTA) that jointly exploits both leakage sources $\hat{\mathbf{w}} = \hat{\mathbf{A}} \hat{\mathbf{y}}$ and $\hat{\mathbf{u}} = \hat{\mathbf{c}} \hat{\mathbf{s}}_1$ to recover $\mathbf{s}_1$, thus achieving even higher efficiency in key recovery. We evaluate three versions of TA in both simulated and real-world scenarios. In the simulated scenario where the signal-to-noise ratio of both leakage sources ranges from 1 to 0.1, MTA consistently performs the best. In a real-world scenario targeting the Dilithium reference implementation on a Cortex-M4 processor, MTA again achieves the best performance, requiring only 15, 11, and 9 traces to recover $\mathbf{s}_1$ for Dilithium 2, 3, and 5, respectively. Overall, MTA is proved to be a powerful tool for evaluating the side-channel resistance of NTT-based polynomial multiplication in Dilithium in leakage profiling scenarios.
PaperID: 322,   
Authors:  Nicolas Alhaddad, Sisi Duan, Mayank Varia, Haochen Wang, Haibin Zhang
Affiliations: Faculty of Computing and Data Sciences, Boston University, Boston, MA, USA; the Institute for Advanced Study, Tsinghua University, Beijing, China; Yangtze Delta Region Institute of Tsinghua University, Jiaxing, Zhejiang, China
Title: Efficient Byzantine Broadcast From Succinct Erasure Coding Proof System
Abstract:
Byzantine broadcast (BC) is a fundamental problem in distributed systems. To build communication-efficient BC protocols, erasure coding is a key tool. In systems under the $f < n/3$ setting, where $n$ is the total number of parties (also called replicas) and $f$ is the number of Byzantine failures, correct replicas can simply encode the data block through erasure coding, share data fragments, and interact to validate that the decoded data is consistent with the original data block. Such a paradigm is powerful in primitives such as BC, asynchronous verifiable information dispersal, and atomic broadcast. However, in systems with corrupt majority or even in the $f < n/2$ setting, it becomes less straightforward to use erasure coding to build communication-efficient protocols. In this work, we introduce an erasure coding proof (ECP) system which allows the encoder to prove succinctly and non-interactively that an erasure-coded fragment is consistent with a constant-sized commitment to the original data block. Each fragment can be verified independently of the other fragments. We present two synchronous BC protocols from the ECP system, one under the $f < (1-\epsilon)n$ assumption and one under the $f < n/2$ assumption, where $\epsilon$ is a constant and $\epsilon \in (0,1)$. Both protocols improve the communication complexity and time complexity compared to the state-of-the-art BC protocols.
PaperID: 323,   
Authors:  Chang Ma, Jun Li, Yipeng Zhou, Ming Ding, Yiyang Ni, Shi Jin
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Information Science and Engineering, Southeast University, Nanjing, China; School of Computing, Faculty of Science and Engineering, Macquarie University, Sydney, NSW, Australia; Data, CSIRO, Sydney, NSW, Australia; Institute of Artificial Intelligence Research, Jiangsu Second Normal University, Nanjing, China
Title: Differential Privacy for Multi-Modal Federated Learning With Modality Selection
Abstract:
Differential privacy federated learning (DPFL) has garnered tremendous attention for its ability to preserve clients’ privacy during model training. However, directly training multi-modal models within DPFL frameworks often results in inferior learning performance because: 1) Multi-modal imbalance, a common issue in model training, is not considered in DPFL when determining scales of artificial noises (ANs) generated by differential privacy (DP); 2) ANs will alter the impacts of individual modalities on the training process, further deteriorating the performance of multi-modal learning. In this paper, we propose a novel multi-modal differential privacy federated learning (MDPFL) framework to address these issues. To be specific, we first design a parameter-clipping method that is capable of handling heterogeneous quality of modalities. Then we theoretically analyze the influence of variations in modality quality on learning performance by deriving the upper bound of loss functions. Next, based on our analysis, we construct a heuristic criterion to effectively assess the contributions of each client’s uni-modal models (obfuscated by ANs) to the overall learning performance. We further design a modality selection algorithm to enhance learning performance by discarding modalities with low contributions (due to the influence of ANs). Extensive experimental results validate our theoretical analysis on modality contributions to the learning performance in terms of accuracy. Also, experimental results demonstrate that our parameter-clipping method tailored for the MDPFL significantly enhances the accuracy performance compared to the conventional clipping method within DPFL frameworks, yielding improvements of up to 10%, and the proposed modality selection algorithm can further boost classification accuracy by 4%.
PaperID: 324,   
Authors:  Mingfeng Jiang, Hua Dai, Huaqun Wang, Rui Gao, Geng Yang, Fu Xiao
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: EPSRQ: Efficient Privacy-Preserving Spatial-Keyword Range Query Processing in Cloud
Abstract:
With the rapid development of location-based services in the mobile Internet, a large amount of spatial-keyword data for range queries is outsourced to the cloud to alleviate local storage and computational burdens. However, directly outsourcing such data to the untrusted cloud could lead to potential privacy issues because of data abuse or breaches. To address this issue, we propose an efficient privacy-preserving spatial-keyword range query processing scheme for the cloud in this paper. First, a keyword, location and range vectorization model is proposed. By using the vectorization and vector encryption, the spatial-keyword information is encrypted for confidentiality preservation. On the basis of the vectorization model and vector encryption, an equal partition-based keyword-location inverted index (EPKI-index) is constructed, and then we introduce the baseline spatial-keyword range query scheme (EPSRQ) by adopting the EPKI-index. To improve query efficiency, a binary keyword-filtering tree index (BKFtree-index) is designed, and the corresponding optimized range query scheme (EPSRQ+) is proposed. In addition, the game simulation-based proof is presented to analyze the security of the proposed scheme. Experimental results demonstrate that the proposed scheme has better performance on the query efficiency and storage.
PaperID: 325,   
Authors:  Jianhui Li, Bokang Zhang, Youcheng Niu, Shuang Wu, Kemi Ding, Junfeng Wu
Affiliations: College of Control Science and Engineering, Zhejiang University, Hangzhou, Zhejiang, China; School of Data Science, The Chinese University of Hong Kong, Shenzhen, Guangdong, China; Huawei Noah’s Ark Laboratory, Hong Kong, China; School of Automation and Intelligent Manufacturing, Southern University of Science and Technology, Guangdong, China
Title: Online Reward Poisoning in Reinforcement Learning With Convergence Guarantee
Abstract:
This paper studies the online reward poisoning problem, wherein an adversary deliberately manipulates the reward function during training to mislead the learning agent into adopting a mischievous policy. While the majority of existing reward poisoning research focuses on offline attacks, which assume prior knowledge of the transition probability, our work explores a more practical yet challenging dynamics-agnostic scenario. Specifically, we consider the scenario where the adversary has access to the agent’s replay buffer and can modify the reward data without the knowledge of transition probabilities. We formalize the poisoning task as an optimization problem and employ a reformulation method to circumvent the double-sampling issue. The proposed algorithm is provably convergent in the tabular setting and can be extended to the function approximation setting, where the poisoned reward network and the poisoned Q-value network are jointly learned to solve the problem. The algorithm’s effectiveness is validated through four distinct experimental evaluations.
PaperID: 326,   
Authors:  Xueping Wang, Hao Wu, Min Liu, Yaonan Wang
Affiliations: College of Information Science and Engineering and the Institute of Targeted International Communication, Hunan Normal University, Changsha, China; School of Artificial Intelligence and Robotics, Hunan University, Changsha, China
Title: Learnable Prompts With Neighbor-Aware Correction for Text-Based Person Search
Abstract:
Text-based Person Search (TBPS) is a critical task in multimodal retrieval that seeks to identify target individuals in an image gallery using textual descriptions. The core challenge lies in establishing robust cross-modal alignment to reconcile the inherent heterogeneity between textual and visual representations. While recent advances leverage large-scale vision-language pretrained models (e.g., CLIP and ALBEF) to embed both modalities into a shared latent space, they often prioritize global feature alignment, neglecting localized interactions between textual tokens and image regions. To address these limitations, we propose the Learnable Prompts with Neighbor-aware Correction (LPNC) framework, which aligns identity-specific semantics across modalities while resolving fine-grained domain discrepancies. Specifically, we design a Learnable Prompt-guided Semantic Alignment (LPSA) module that dynamically fuses visual region features and textual token embeddings into a unified pseudo-token within a language-conditioned latent space. By introducing a cross-modal attention mechanism, LPSA enforces part-aware consistency, i.e., localized interactions between noun phrases and their corresponding visual patches, while suppressing modality-specific noise. To mitigate retrieval bias, we further propose the k-nearest Neighbor Correction (kNC), a training-free strategy that calibrates initial scores by leveraging local neighborhood relationships in a reference embedding space, ensuring balanced accuracy. Extensive experiments on three widely-used TBPS datasets demonstrate the superiority of the proposed LPNC method. Notably, our method exhibits consistent performance gains, demonstrating robust improvements of 1%–4% in Rank-1 accuracy compared to competing methods on various datasets. The code is available at https://github.com/DrLazywh/LPNC
PaperID: 327,   
Authors:  Anli Yan, Huali Ren, Kanghua Mo, Zhenxin Zhang, Shaowei Wang, Jin Li
Affiliations: School of Artificial Intelligence and Guangdong Key Laboratory of Blockchain Security, Guangzhou University, Guangzhou, China; School of Cyber Engineering, Xidian University, Xi’an, China
Title: Enhancing Model Intellectual Property Protection With Robustness Fingerprint Technology
Abstract:
Deep neural network (DNN) models embody the intellectual property of a model owner, as the process of training the DNN model is a complex and resource-intensive task that requires significant investments in data preparation and computing resources. Numerous efforts have been made to protect the intellectual property of DNN models. However, existing methods often come with a critical limitation: they lack robustness, proving effective only in specific intellectual property threat scenarios, or they sacrifice the utility/accuracy of the model owner’s classifier because the protection interferes with the classifier’s training. To address these issues, we propose GMFIP, a novel generator-based model fingerprinting technology tailored for DNN intellectual property protection. GMFIP stands out for its robustness, extending its utility to various intellectual property threat scenarios rather than specific ones. Furthermore, GMFIP ensures that the utility/accuracy of the model is not affected by protection measures. Specifically, GMFIP begins with the training of the generator, which lays the groundwork for the model fingerprint. The generator generates fingerprints of the unique properties of the source model for verifying model ownership. To further improve the quality of these fingerprints, an extra selection phase dedicated to refining the fingerprints is integrated. Moreover, GMFIP is complemented by a binary classifier, which adapts the threshold setting to get optimal results. Our empirical evaluation includes an ablation study over four state-of-the-art technologies and three image benchmark datasets. Our results demonstrate that GMFIP outperforms other state-of-the-art technologies in effectively distinguishing pirated models from benign models.
PaperID: 328,   
Authors:  Xianwen He, Xinglin Li, Yao Li, Minhao Cheng
Affiliations: Statistics and Operations Research Department, University of North Carolina at Chapel Hill, Chapel Hill, NC, USA; Economics Department, University of North Carolina at Chapel Hill, Chapel Hill, NC, USA; College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA, USA
Title: Defense Against Syntactic Textual Backdoor Attacks With Token Substitution
Abstract:
Textual backdoor attacks present a substantial security risk to Large Language Models (LLMs). They embed carefully chosen triggers into a victim model at the training stage and make the model erroneously predict inputs containing the same triggers as a certain class. Prior backdoor defense methods primarily target special-token-based triggers, leaving syntax-based triggers insufficiently addressed. To fill this gap, this paper proposes a novel defense algorithm that effectively counters syntax-based as well as special-token-based backdoor attacks. The algorithm replaces semantically meaningful words in sentences with entirely different ones but preserves the syntactic templates or special tokens, and then compares the predicted labels before and after the substitution to determine whether a sentence contains triggers. Experimental results confirm the algorithm’s performance against these two types of triggers, offering a comprehensive defense strategy for model integrity.
PaperID: 329,   
Authors:  Mingjian Guang, Zhong Li, Chungang Yan, Yuhua Xu, Junli Wang, Dawei Cheng, Changjun Jiang
Affiliations: College of Information Science and Technology, Donghua University, Shanghai, China; Key Laboratory of Embedded System and Service Computing, Ministry of Education, and the National (Province-Ministry Joint) Collaborative Innovation Center for Financial Network Security, Tongji University, Shanghai, China
Title: Multi-Temporal Partitioned Graph Attention Networks for Financial Fraud Detection
Abstract:
The issue of transaction security has attracted widespread attention due to the frequent occurrence of financial fraud. Graph neural networks (GNNs) can effectively detect financial fraudulent behavior by capturing transaction relationships. However, many existing methods lack the consideration of modeling user behavior patterns at diverse timescales. Moreover, GNN-based approaches usually fail to adaptively perceive neighborhood information from global and local perspectives, resulting in some transaction node embeddings merging the information from partially irrelevant neighboring transaction nodes and leading to suboptimal performance. Therefore, this work proposes a Multi-Temporal Partitioned graph attention Network (MTPNet) for financial fraud detection. In particular, we design a multi-temporal partitioned graph construction algorithm that generates multi-temporal series graphs at various timescales. These graphs effectively express the periodic variations in users’ transaction behavior pattern, allowing GNNs to learn knowledge from these graphs and extract richer semantic information. Then, we propose a global-local neighborhood-aware encoder to enable transaction node embeddings to adaptively aggregate their most relevant neighborhood information based on the attention mechanism. We perform extensive experiments to evaluate the performance of MTPNet on large-scale financial fraud datasets and demonstrate its effectiveness.
PaperID: 330,   
Authors:  Meng Li, Hanni Ding, Yifei Chen, Yan Qiao, Zijian Zhang, Liehuang Zhu, Mauro Conti
Affiliations: Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Department of Mathematics and the HIT Center, University of Padua, Padua, Italy
Title: Threshold Signatures With Verifiably Timed Combining and Message-Dependent Tracing
Abstract:
Threshold Signature (TS) is one of the fundamental cryptographic primitives adopted in many practical applications. Current Threshold, Accountable, and Private Signature (TAPS) schemes suffer from delayed combining, unverifiable combining, and message-independent tracing. More precisely, a malicious combiner may delay the combination of signature shares and replace some signature shares from honest signers with ones from colluding signers, and an unrestricted tracer can reveal signers’ identities arbitrarily. In this work, we introduce a new scheme called TiMTAPS under a stronger security model. First, we sew homomorphic time-lock puzzles into the Schnorr signature, allowing puzzles to be combined and opened as needed. Second, we knit the Schnorr signature with homomorphic commitment for verifiable combining. Third, we infuse the combining phase with an identity-based key encapsulation mechanism for message-dependent tracing. Next, we formalize the definitions and requirements for TiMTAPS. Then, we present a concrete construction and formally prove its privacy and security. We build a prototype of TiMTAPS based on Ethereum. Results from extensive experiments exhibit its practicability and efficiency, e.g., combining (tracking) 10 signature sets with a threshold value of 5 requires only 3.72 s (12.44 s) for the threshold signature.
PaperID: 331,   
Authors:  Dongchi Han, Yuan Ma, Tianyu Chen, Shijie Jia, Na Lv, Fangyu Zheng, Xianhui Lu
Affiliations: State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cryptology, University of Chinese Academy of Sciences, Beijing, China
Title: Revisiting Prediction-Based Min-Entropy Estimation: Toward Interpretability, Reliability, and Applicability
Abstract:
Prediction-based min-entropy estimation methods, also known as predictors, are essential tools for assessing the security of entropy sources. As recommended in NIST SP 800-90B (90B), these methods estimate min-entropy by forecasting the outputs of entropy sources. Owing to their computational efficiency, considerable research has focused on enhancing the accuracy of predictors, including approaches based on deep neural networks (DNNs). However, concerns remain about their interpretability, reliability, and applicability, particularly for DNN-based predictors. In this paper, we first identify key deficiencies in existing prediction-based methods, including those in 90B and DNN-based predictors, which lead to unreliable estimates and poor adaptability across diverse entropy sources. To improve reliability, we model the predictor output distribution and revise the local predictability metric to produce more stable estimates with associated confidence levels. To enhance the interpretability of DNN-based predictors in entropy estimation, we provide the first theoretical analysis linking neural network optimization objectives to min-entropy, clarifying the suitability and learnability of different architectures. We further reveal the inapplicability of existing methods under time-varying sources and propose a new estimation framework that combines online learning, change detection, and Bayesian optimization for dynamic model updates. The experimental results demonstrate that our methods surpass existing approaches in terms of reliability and applicability, especially when dealing with time-varying sources.
PaperID: 332,   
Authors:  Fei Tong, Zihao Li, Guang Cheng, Yujian Zhang, Heng Li
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu, China; School of Electronic Information, Central South University, Changsha, Hunan, China
Title: sBugChecker: A Systematic Framework for Detecting Solidity Compiler-Introduced Bugs
Abstract:
A compiler converts smart contract source code into bytecode, ensuring behavior consistency between them. However, as a compiler is also a program, it may contain bugs that disrupt this consistency, known as Compiler-Introduced Bugs (CIBs). Of the latest 4,857 verified smart contracts coded in Solidity, approximately 58% still use compilers that contain at least one CIB. These CIBs can be exploited by attackers to bypass security checks or inject malicious data, leading to significant security issues, which become even more serious for smart contracts in blockchain as they cannot be modified after being deployed. To this end, this paper proposes sBugChecker, to the best of our knowledge, the first systematic framework designed to automatically and effectively detect CIBs for smart contracts coded in Solidity. sBugChecker can be readily extended with the rule customization suite we propose based on a domain-specific language. Additionally, it employs two static analytical methods, i.e., pattern matching and symbolic execution, to identify CIBs’ triggering conditions and confirm their impacts, broadening its detection scope and improving its detection efficiency. To evaluate sBugChecker’s performance, we construct a CIB-mutated smart contract dataset, which is the first publicly available one for this study. According to the evaluation based on this dataset, sBugChecker performs exceptionally well, with detection precision, recall, and F-measure on average achieving 96.6%, 95.5% and 96.0%, respectively. Moreover, sBugChecker has been applied to successfully discover real-world deployed smart contracts capable of triggering CIBs.
PaperID: 333,   
Authors:  Zheng Wu, Yanbiao Li, Xin Wang, Zulong Diao, Weibei Fan, Fu Xiao, Gaogang Xie
Affiliations: College of Computer, Nanjing University of Posts and Telecommunications (NJUPT), Nanjing, China; Computer Network Information Center, Chinese Academy of Sciences, Beijing, China; Department of Electrical and Computer Engineering, Stony Brook University, Stony Brook, NY, USA; School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, China
Title: GraphBGP: BGP Anomaly Detection Based on Dynamic Graph Learning
Abstract:
Detecting anomalous BGP (Border Gateway Protocol) messages is critical for securing inter-domain routing systems over autonomous system (AS)-level networks. The dynamic nature of routing policies, massive scale of global routes, and incomplete global topology visibility make BGP anomalies exceptionally challenging to identify—let alone trace back to malicious or misconfigured ASes. To effectively overcome these barriers, this paper proposes GraphBGP, a novel BGP anomaly detection method that dynamically constructs real-time AS-level topologies, achieves precise anomaly detection and classification, and accurately traces malicious or misconfigured ASes. Specifically, to address the evolving nature of BGP routing status, GraphBGP constructs an attributed AS-level graph that dynamically integrates node and edge attributes. It intelligently tracks BGP updates to refresh this graph efficiently. Leveraging this enriched, up-to-date representation, GraphBGP employs tailored detection and tracing models grounded in graph convolutional networks (GCNs), enabling precise anomaly identification and source tracing. Comprehensive experiments with real-world and synthetic datasets demonstrate that GraphBGP achieves state-of-the-art anomaly detection accuracy while significantly reducing inference time, even under partial BGP network visibility. Furthermore, GraphBGP precisely traces malicious or misconfigured ASes within a short time period of 7 milliseconds after anomaly detection, enabling rapid mitigation.
PaperID: 334,   
Authors:  Junke Duan, Wei Wang, Licheng Wang, Lize Gu, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Institute for Advanced Study, Tsinghua University, Beijing, China; State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Title: CRCT: Compact Ring Confidential Transactions Based on Sum Arguments
Abstract:
Ring Confidential Transactions (RingCT) is a classic cryptographic protocol for anonymous transactions on blockchains, currently used in the popular anonymous cryptocurrency Monero. The proof size of RingCT transactions is linearly related to the ring size, which limits the use of larger ring sizes due to the significant communication overhead it incurs. However, reducing the ring size also leads to decreased anonymity. Therefore, in recent years, many studies have focused on optimizing the proof sizes for RingCT, with the latest known solutions reducing the proof size to be logarithmic with the ring size. In this paper, we propose a new compact RingCT protocol (CRCT) for smaller proof sizes. To this end, we first design three extended schemes of the Sum Argument (CRYPTO’21), which are used to generate logarithmic-sized proofs for three distinct zero-knowledge arguments, respectively. We then introduce a new zero-knowledge proof scheme called the Difference Argument. It is used to prove that one has the knowledge of two secret values, with their difference being public. Based on these schemes, we construct our CRCT protocol, whose proof size is independent of the ring size and logarithmic with the number of source accounts. We provide concrete constructions and security proofs for the proposed cryptographic schemes. The experimental results demonstrate that CRCT exhibits significant advantages in computational efficiency and proof size over existing solutions when dealing with large ring sizes and moderate numbers of source accounts.
PaperID: 335,   
Authors:  Yulong Yang, Ruiqi Cao, Xiang Ji, Qiwei Tian, Chenhao Lin, Zhengyu Zhao, Qian Li, Le Yang, Hongshan Yang, Chao Shen
Affiliations: Faculty of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, China; School of Cyber Science and Engineering, Zhejiang University, Hangzhou, China
Title: Data-Centric Robust Training for Defending Against Transfer-Based Adversarial Attacks
Abstract:
Transfer-based adversarial attacks pose a severe threat to real-world deep learning systems since they do not require access to target models. Adversarial training (AT), which is recognized as the most effective defense against white-box attacks, also ensures high robustness against (black-box) transfer-based attacks. However, AT suffers from significant computational overhead because it repeatedly generates adversarial examples (AEs) throughout the entire training process. In this paper, we demonstrate that such repeated generation is unnecessary to achieve robustness against transfer-based attacks. Instead, pre-generating AEs all at once before training is sufficient, as proposed in our new defense paradigm called Data-Centric Robust Training (DCRT). DCRT employs clean data augmentation and adversarial data augmentation techniques to enhance the dataset before training. Our experimental results show that DCRT outperforms widely-used AT techniques (e.g., PGD-AT, TRADES, EAT, and FAT) in terms of transfer-based black-box robustness and even surpasses the top-1 defense on RobustBench when combined with common model-centric techniques. We also highlight additional benefits of DCRT, such as improved training efficiency and class-wise fairness. Our code will be available on GitHub.
PaperID: 336,   
Authors:  Yuchen Xie, Hengyi Ren, Hanyu He, Shurui Fei, Jian Guo, Lijuan Sun
Affiliations: College of Information Science and Technology and Artificial Intelligence, Nanjing Forestry University, Nanjing, China; College of Mechatronic Engineering, Nanjing Forestry University, Nanjing, China; School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: FedRDA: Hierarchical Noise Detection for Federated Finger Vein Recognition
Abstract:
Finger vein recognition offers significant advantages in biometric authentication, while federated learning addresses data silo challenges in distributed environments. However, label noise issues severely impact recognition performance due to variations in data acquisition environments, fluctuations in user registration quality, and privacy constraints preventing centralized annotation review. Existing label noise research typically focuses on sample-level processing, overlooking quality variations between authentication systems and noise distribution characteristics across multiple source devices. This paper proposes FedRDA, a federated optimization framework that achieves precise identification and adaptive correction of noisy samples through a three-tier progressive mechanism. We first construct a hierarchical noise detection system that identifies label noise from both noisy client and noisy sample perspectives. Then, we design a dynamic pseudo-label learning module with an improved adaptive label ambiguation loss function that dynamically adjusts sample learning difficulty parameters and incorporates momentum update mechanisms, significantly enhancing model adaptability to label noise of varying difficulty, while integrating predictive uncertainty entropy with unsupervised consistency constraints for more accurate label correction. Finally, we propose an adaptive aggregation strategy based on distance awareness and gradient consistency metrics to address data isolation and label noise issues in distributed environments. Experiments on SDUMLA, MMCBNU_6000, FV-USM, and combined datasets demonstrate that FedRDA maintains high model accuracy even under high noise rate conditions, with approximately 14% accuracy improvement over existing methods. The proposed framework effectively mitigates the negative impact of label noise on model training, ensuring robust operation of finger vein recognition systems in practical distributed environments while protecting user privacy.
PaperID: 337,   
Authors:  Ehsan Nekouei, Mohammad Pirani, Chuanghong Weng, Michaël Antonie van Wyk
Affiliations: Department of Electrical Engineering, City University of Hong Kong, Kowloon Tong, Hong Kong; Department of Mechanical Engineering, University of Ottawa, Ottawa, ON, Canada; School of Electrical and Information Engineering, University of the Witwatersrand, Johannesburg, South Africa
Title: A Security Mechanism Against Inference Attacks on Networked Systems
Abstract:
This paper develops a security mechanism against inference attacks for industrial systems where an adversary with access to the states of a (linear or nonlinear) system attempts to infer the system model using the state values. Under an inference attack, an adversary with access to the sensor measurements of the system attempts to infer the system’s parameters. The proposed security mechanism consists of two components: (i) a collection of feedback control gains, (ii) a randomized gain selection policy. To mitigate the inference attack, the gain selection policy randomly selects a feedback gain from the set of available feedback control gains at regular intervals. We cast the optimal design of the gain selection policy as an optimization problem such that (i) quadratic control cost is minimized and (ii) the uncertainty level of the adversary about selected control gain is maximized. In our formulation, the uncertainty level of the adversary about the control gain is captured by the Kullback-Leibler (KL) divergence between a uniform distribution and the posterior distribution of the feedback gains, given the history of the system states. We first derive the backward Bellman optimality equation for the gain selection problem and study the structural properties of the optimal gain selection policy. Our results show that the optimal gain selection policy only depends on the current state of the system, rather than the entire history of the states, which renders the optimal gain selection problem to a nonlinear Markov decision process. Next, we derive a policy gradient theorem for the gain selection problem, which provides an expression for the gradient of the objective function of the gain selection problem with respect to the parameter of a stationary (time-invariant) policy. The policy gradient theorem allows us to develop a stochastic gradient descent algorithm for computing an optimal policy. We finally demonstrate the effectiveness of our results for different linear and nonlinear systems. Our results indicate that the proposed security mechanism significantly decreases the inference ability of the adversary, while having a negligible impact on the control cost.
PaperID: 338,   
Authors:  Hongyi Luo, Guyue Li, Alessandro Brighente, Mauro Conti, Yuexiu Xing, Aiqun Hu, Xianbin Wang
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Mathematics, University of Padova, Padua, Italy; School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China; Purple Mountain Laboratories, Nanjing, China; Department of Electrical and Computer Engineering, Western University, London, ON, Canada
Title: Channel-Robust RF Fingerprint Identification for Multi-Antenna 5G User Equipments
Abstract:
Radio frequency fingerprint (RFF) is a promising solution for realizing secure and efficient device identification. However, the accuracy of currently existing solutions suffers from multipath effects in practical scenarios. In this paper, we provide a robust RFF identification method that leverages channel state information (CSI) feedback to counteract the effect of the channel on the extracted RFF features. A straightforward zero-forcing (ZF) equalization fails to fully decouple RF impairments from the channel, making conventional approaches ineffective. To overcome this challenge, we utilize the potential of multi-antenna and introduce a new device-specific feature called Relative-RFF (R-RFF), which represents the relation between different RF chains in a multi-antenna transmitter. We propose an enhanced ZF post-equalization algorithm to eliminate the multipath channels and preserve the users’ R-RFF to the greatest extent. We evaluate the robustness of R-RFF under various channel conditions and noise levels and the performance of R-RFF in terms of identification accuracy under different channel scenarios. The results show that the proposed R-RFF method can achieve an identification accuracy of 91.2% for 70 devices in a tapped delay line channel with a signal-to-noise ratio (SNR) of 30 dB.
PaperID: 339,   
Authors:  Hanwen Luo, Ziheng Zhang, Longquan Dai, Di Wu, Qi Yang, Lei Deng, Deming Liu, Xiaoxiao Dai, Mengfan Cheng
Affiliations: School of Optical and Electronic Information, Huazhong University of Science and Technology (HUST), Wuhan, China
Title: Physical-Layer Secure Optical Transmission Based on Randomized Quantization Noise
Abstract:
In this paper, we propose a novel physical layer security optical transmission scheme utilizing randomized quantization noise. The proposed approach encrypts low-order plaintext signals into ultra-high-order ciphertext using principles similar to quantum noise stream cipher (QNSC). Meanwhile, the ultra-dense quadrature amplitude modulation (QAM) ciphertext waveforms are masked by intrinsic quantization noise. The combination of digital delta-sigma quantization and analog chaotic random scrambling not only produces randomized quantization noise, but also naturally supports one-time processing of masking ciphertext and generating keystream. Thereby, the in-band quantization noise (IBN) conceals nearby ciphertext levels, bolstering security, and the out-of-band quantization noise (OOBN) is digitized to generate keystream using the Toeplitz hashing extractor. Experimental results show that 256-QAM plaintext signals were securely transmitted over standard single-mode fiber: 163-Gbps signals over 400 km, and 79.7-Gbps signals over 1800 km. To evaluate system performance, theoretical models for signal-to-noise ratio (SNR), bit error rate (BER), and number of masked signals (NMS) are derived as functions of the oversampling ratio (OSR). Our findings reveal a trade-off between transmission performance and security performance. Our results confirm that this scrambling effectively eliminates the correlation between the masking noise components. The Toeplitz hashing extractor can effectively reduce the complexity of keystream generation and obtain a source-independent random keystream.
PaperID: 340,   
Authors:  Boying Wang, Fuwei Zhang, Xiangfei Fang, Ruyi Ji, Renshuai Tao, Yaming Cao, Bo Liu, Jing Liu
Affiliations: Shanxi Key Laboratory of Machine Vision and Virtual Reality, School of Computer Science and Technology, North University of China, Taiyuan, China; Institute of Software, Chinese Academy of Sciences, Beijing, China; National Laboratory of Pattern Recognition, Institute of Automation, Chinese Academy of Sciences, Beijing, China; Institute of Information Science, Beijing Jiaotong University, Beijing, China; School of Computer and Artificial Intelligence, Shandong University of Finance and Economics, Jinan, China
Title: Exploring X-Ray Prohibited Item Detection From Long-Tailed Learning Perspective
Abstract:
Existing X-ray prohibited item detection methods primarily focus on boosting the detection performance of uniformly distributed items. However, in real-world scenarios, various prohibited items exhibit a long-tailed distribution, thus posing a huge challenge to the detection task. To support this study, we introduce LTXRay, a dedicated X-ray benchmark that better assesses long-tailed prohibited item detection. LTXRay consists of 18,718 images from 12 common classes with an imbalance factor of 280.35. Meanwhile, we propose a novel Memory-Guided Learning Network (MGLNet) to develop baseline methods on LTXRay, which enhances the within-class diversity for the tail classes and consequently improves long-tailed object detection. Specifically, we first introduce a frequency-based feature refinement module to extract discriminative contextual representations, then store the various instance features in the memory bank and dynamically generate samples according to the historical features. Extensive experiments have been performed on LTXRay to demonstrate the effectiveness of the proposed method. The experimental results indicate that the proposed method can consistently improve the performance of baseline methods.
PaperID: 341,   
Authors:  Hanqing Liu, Hongxia Wang, Rui Zhang, Yang Zhou, Qiang Zeng
Affiliations: School of Cyber Science and Engineering and the Key Laboratory of Data Protection and Intelligent Management, Ministry of Education, Sichuan University, Chengdu, China
Title: Gradient-Aware Adaptive Meta-Prompt Learner for Generalizable Face Forgery Detection
Abstract:
The misuse of AI-generated techniques in face forgery has raised significant concerns, driving advancements in detection methods. However, existing algorithms struggle with generalization in cross-domain scenarios due to domain shifts, limiting their practical applications. Prompt tuning, which learns soft prompts while freezing the backbone, enables the generalizable Vision-Language Models (VLMs) pre-trained on large-scale datasets to adapt to downstream tasks. Though effective, prompt tuning confronts challenges in face forgery detection, where its performance is sensitive to initialization and may undermine the generalizability of pre-trained VLMs. To address this issue, we propose a novel Gradient-aware Adaptive Meta-Prompt Learner (GAMP-Learner). The core idea is to learn a meta-general gradient from multiple source domains through the Direction-shared Gradient Pruning Module (DGPM) for efficient initialization in the inner-loop, while addressing gradient conflicts via the Adaptive Gradient Calibration Module (AdaGCM) to enhance generalization in the outer-loop. Notably, our GAMP-Learner can be seamlessly integrated into any prompt-based fine-tuning VLM in a model-agnostic way. Additionally, to capture fine-grained forgery clues, we design a Multi-Granularity Conditional Prompt Generator (MGCP), which constructs instance-level prompts by incorporating multi-scale content-style feature representations. Simulating practical scenarios, we devise three protocols which evaluate generalization performance trained on multiple source domains. Extensive experiments demonstrate that the proposed framework achieves competitive cross-domain detection performance compared to state-of-the-art methods.
PaperID: 342,   
Authors:  Teng Yu, Fengji Luo, Gianluca Ranzi, Jianzhong Wu
Affiliations: Faculty of Engineering, The University of Sydney, Sydney, Australia; School of Engineering, Cardiff University, Cardiff, U.K.
Title: Secure and Efficient Data Interoperability Protocols for Multi-Blockchains Systems
Abstract:
The proliferation of decentralized applications across different autonomous blockchains raises the need to enable cross-chain data interoperability (CCDI). However, prior approaches for supporting CCDI often hit scalability bottlenecks regarding critical metrics, e.g., memory, or remain prone to withholding and censorship attacks. This paper proposes two protocols to implement secure and efficient CCDI under adversarial conditions. The cross-chain token exchange (CCTE) protocol for atomic swaps is proposed. It adopts a deposit mechanism, a blockchain-of-blockchains (BoB), and Merkle proofs to ensure the completion of token exchanges even under withholding attacks. It utilizes a parallelized design to support concurrent token exchanges, thereby improving its efficiency and avoiding censorship attacks that target sequential token exchanges. The CCDI protocol is proposed to support any CCDI application. It authorizes a unique BoB to execute arbitrary CCDI application logic. It integrates a “transfer and in place data update” mechanism to improve its efficiency, and this mechanism enables a blockchain to update its state data items using a single transaction, without requiring any information from other blockchains. Moreover, the CCDI protocol integrates a state data migration scheme, which allows a user to migrate its state data item to censorship-resilient blockchains, and incorporates a malicious user nodes elimination scheme, which enables the updates of state data items in a CCDI process even under withholding attacks. Systematic performance evaluations are conducted to compare the two protocols with existing ones. The CCTE protocol reduces latency by at least 52% compared to existing protocols under a probabilistic consensus setting. The CCDI protocol outperforms prior protocols, lowering communication cost by 59%, computation overhead by 41%, memory burden by 12%, and latency cost by 33%.
PaperID: 343,   
Authors:  Senming Yan, Lei Shi, Wei Wang, Jing Ren, Ying Li, Limin Sun
Affiliations: Division of Information Science and Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
Title: Coded Robust Aggregation for Distributed Learning Under Byzantine Attacks
Abstract:
In this paper, we investigate the problem of distributed learning (DL) in the presence of Byzantine attacks. For this problem, various robust bounded aggregation (RBA) rules have been proposed at the central server to mitigate the impact of Byzantine attacks. However, current DL methods apply RBA rules for the local gradients from the honest devices and the disruptive information from Byzantine devices, and the learning performance degrades significantly when the local gradients of different devices vary considerably from each other. To overcome this limitation, we propose a new DL method to cope with Byzantine attacks based on coded robust aggregation (CRA-DL). Before training begins, the training data are allocated to the devices redundantly. During training, in each iteration, the honest devices transmit coded gradients to the server computed from the allocated training data, and the server then aggregates the information received from both honest and Byzantine devices using RBA rules. In this way, the global gradient can be approximately recovered at the server to update the global model. Compared with current DL methods applying RBA rules, the improvement of CRA-DL is attributed to the fact that the coded gradients sent by the honest devices are closer to each other. This closeness enhances the robustness of the aggregation against Byzantine attacks, since Byzantine messages tend to be significantly different from those of honest devices in this case. We theoretically analyze the convergence performance of CRA-DL. Finally, we present numerical results to verify the superiority of the proposed method over existing baselines, showing its enhanced learning performance under Byzantine attacks.
PaperID: 344,   
Authors:  Hong Liang, Yijia Guo, Haotian Wu, Yifan Xia, Yi Xiang, Xiantao Jin, Hao Peng, Xuhong Zhang, Shouling Ji
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China; School of Computer Science and Technology, Zhejiang Normal University, Jinhua, Zhejiang, China; School of Software Technology, Zhejiang University, Ningbo, Zhejiang, China; College of Control Science and Engineering, Zhejiang University, Hangzhou, Zhejiang, China; China Electronic Product Reliability and Environmental Testing Research Institute, Guangzhou, Guangdong, China
Title: Boosting Parallel Fuzzing With Boundary-Targeted Task Allocation and Exploration
Abstract:
As software systems grow in complexity, scale, and update frequency, parallel fuzzing has become essential for mitigating the efficiency limitations of traditional fuzzing. Effective task allocation is vital for maximizing parallel fuzzing efficiency and has garnered significant attention. However, current strategies often overlook critical code areas, treating all regions uniformly, which results in suboptimal exploration. To address the limitations of current approaches, we present FlexFuzz, a novel parallel fuzzing system. First, we identify boundary basic blocks that connect covered and uncovered areas, dynamically adapting them as fuzzing progresses. Second, we introduce a boundary-sensitive task allocation scheme that assigns fuzzing tasks based on the identified boundary basic blocks and their potential for exploration. Finally, to ensure focused exploration, we implement a multi-target, distance-guided approach that directs each instance to concentrate on its relevant task area. We have implemented a prototype of FlexFuzz and comprehensively evaluated it against the state-of-the-art parallel fuzzing systems. Across standard benchmarks, FlexFuzz surpasses other parallel tools: it increases coverage by 18.17% over the next best tool (PAFL), and identifies 33.75% more vulnerabilities than the next best tool (AFL++).
PaperID: 345,   
Authors:  Wei Qiao, Weiheng Wu, Song Liu, Yebo Feng, Zehui Wang, Junrong Liu, Teng Li, Bo Jiang, Zhigang Lu, Baoxu Liu
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Nanyang Technological University, Jurong West, Singapore; School of Cyber Engineering, Xidian University, Xi’an, China
Title: SauronEyes: Disentangling Voluminous Logs to Unveil Camouflaged Attack Intentions
Abstract:
Advanced Persistent Threats (APTs) pose escalating risks to large enterprises and institutions. While current research has predominantly focused on data source analysis for identifying known attack patterns or anomalous behaviors, three critical challenges remain inadequately addressed: 1) APTs demonstrate sophisticated concealment capabilities, embedding malicious operations within legitimate business activities; 2) The sparse nature of APT attacks leads to low-frequency malicious activities that prove exceptionally challenging to detect within massive log datasets; 3) APTs employ multi-stage attack chains, whereas existing solutions exhibit limitations in reconstructing complete attack pathways to enable effective forensic analysis. In this paper, we address the detrimental effects of the sparsity of malevolent interactions and attack intent camouflaging on anomaly detection by introducing SauronEyes, the pioneering APT detection system tailored to resolve these challenges. SauronEyes constructs audit logs into both knowledge and interaction views, disentangling these to learn representations through graph learning enhanced with an attention-based neighbor allocation mechanism. Additionally, we incorporate self-supervised contrastive learning to discern the subtle similarities and distinctions among disentangled samples, facilitating a deeper understanding of the inherent structures within system interactions. SauronEyes thus boasts heightened sensitivity and granular detection capabilities. Finally, SauronEyes reconstructs the attack chain at the node level and presents an attack-chain that is more accessible for security analysis. Our evaluations in real-world scenarios and simulated attack environments demonstrate that SauronEyes achieves outstanding accuracy, with an average detection rate of 99%.
PaperID: 346,   
Authors:  Xiaozhen Lu, Zihan Liu, Zhibo Liu, Yanling Bu, Huaiyu Dai
Affiliations: College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Department of Electrical and Computer Engineering, North Carolina State University, Raleigh, NC, USA
Title: Reinforcement Learning-Based Efficient Multi-Exit Neural Networks Against Side-Channel Attacks
Abstract:
Distributed multi-exit neural networks (MeNNs) enable mobile devices to handle complex tasks such as image classification, but their performance is highly dependent on transmission quality and is therefore vulnerable to side-channel attacks. In this paper, we design a side-channel attack model and propose an efficient inference framework based on the distributed MeNN to resist the designed attack. First, we design an intelligent side-channel attack model, in which the attacker can eavesdrop on the communication channel and use deep reinforcement learning (RL) to predict the early exit decision of each sample. Next, we develop a defense method that employs a hierarchical and multi-agent RL to determine whether to infer locally or offload to a chosen early exit on the server, and to adjust the transmit power accordingly. We further propose a critic-guided safety mechanism that steers local agents away from risky policies that would cause inference failures or severe data leakage. We prove that our framework enforces a strict instantaneous security constraint and asymptotically achieves the optimum by deriving a regret bound. Extensive experiments on several datasets (including CIFAR-10, CIFAR-100, STL-10, EMNIST, FMNIST, and Stanford Cars) show that our method reduces inference latency, improves classification accuracy, and significantly enhances robustness against side-channel attacks, as compared with two benchmarks, SCAN and PCE.
PaperID: 347,   
Authors:  Fangjie Hu, Aiqing Zhang, Xiaoming Liu, Meng Li
Affiliations: School of Physics and Electronic Information, Anhui Normal University, Wuhu, China; School of Computer Science and Information Engineering and the Key Laboratory of Knowledge Engineering With Big Data, Ministry of Education, Hefei University of Technology, Hefei, China
Title: DamPa: Dynamic Adaptive Model Poisoning Attack in Federated Learning
Abstract:
Federated learning (FL) enables cross-device collaboration by sharing local model updates without exposing raw data. However, its distributed nature introduces complex, multi-layered security threats that endanger both data privacy and model robustness. One of the most significant threats is the model poisoning attack, which exploits the server’s limited verification of client updates to inject malicious gradients, undermining aggregated model integrity and amplifying vulnerabilities in dynamic FL environments. Traditional defense mechanisms are notably vulnerable to highly adaptive, dynamic model poisoning attacks, struggling to respond effectively to attackers’ real-time adjustments in strategy. To expose these vulnerabilities and advance federated learning defense strategies, we propose a Dynamic Adaptive Model Poisoning Attack (DamPa), the first adaptive poisoning method that combines multiobjective optimization with dynamic strategy adjustments. DamPa exploits dynamic optimization to generate malicious updates that closely imitate benign patterns. It achieves significant early-stage performance degradation while maintaining both stealth and effectiveness throughout training. Our experimental evaluation on multiple real-world datasets demonstrates that DamPa outperforms existing attack methods in terms of effectiveness, particularly against robust aggregation defenses like Bulyan, DnC, and FLtrust. It drastically reduces model accuracy to near-random classification levels (e.g., on the CIFAR-10 dataset, accuracy drops to 10.53%). This work reveals the limitations of existing defenses against dynamic attacks and highlights the urgent need to advance FL security. The DamPa framework offers valuable insights for designing more resilient defense mechanisms. Code is available at: https://github.com/HUFangjie/code
PaperID: 348,   
Authors:  Decheng Liu, Zhou Zhou, Chunlei Peng, Nannan Wang, Ruimin Hu, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, Zhejiang, China; State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Electronic Engineering, Xidian University, Xi’an, Shaanxi, China
Title: Toward Fair Adversarial Defense via Class Encourage-Suppress Robust Learning
Abstract:
Deep Neural Networks with natural training are quite vulnerable to adversarial attacks, so it’s necessary to defend against these attacks with effective defense methods like adversarial training. However, while defending against adversarial attacks, adversarially trained models’ robustness between classes shows severe unfairness. To mitigate the disparity, a lot of methods have been proposed, while many of them sacrifice the overall accuracy to improve the worst-class accuracy. Inspired by previous works, we propose a new fairness methodology, and we name it Class Encourage-suppress Robust Learning (CRL). Based on the overall accuracy and the class-wise accuracies of the dataset, we introduce a new measurement named Class Diversity Ratio to adjust the weights of different classes in the loss function. Additionally, we propose a new learning strategy called the Competitor Encourage-suppress Strategy to mitigate the disparity between diverse classes, which is simple but effective. Experimental results on representative datasets show that our method outperforms state-of-the-art (SOTA) methods.
PaperID: 349,   
Authors:  Huafeng Qin, Hulei Deng, Hailong Hu, Yantao Li, Mounim A. El-Yacoubi
Affiliations: National Research Base of Intelligent Manufacturing Service, Chongqing Technology and Business University, Chongqing, China; School of Computer Science and Information Engineering, Chongqing Technology and Business University, Chongqing, China; College of Computer Science, Chongqing University, Chongqing, China; SAMOVAR, Telecom SudParis, Institut Polytechnique de Paris, Palaiseau, France
Title: AdVeinSAM: Adversarial Learning-Based Large Model for Palm-Vein Feature Segmentation
Abstract:
Palm-vein recognition is gaining significant attention as a high-security biometric recognition technology. However, the vein image acquisition process is easily affected by several factors, making vein texture segmentation a challenging task. Recently, foundation models such as Segment Anything Model (SAM) have shown remarkable potential in image segmentation without requiring prior retraining. Nevertheless, due to the large domain discrepancy between the source and target domains, as well as limited datasets, existing solutions that rely heavily on abundant training images often struggle to extract robust vein texture patterns. To address this challenge, we propose AdVeinSAM, an adversarial learning-based large model for palm-vein texture extraction, which leverages rich knowledge of large models to enhance vein pattern segmentation. Specifically, by alternately optimizing the vein segmentation model and the image generator, AdVeinSAM generates diverse training samples, effectively transferring knowledge from the large model to enhance feature extraction robustness. First, we incorporate the wavelet transform into xLSTM-UNet to design Wavelet-xLSTM-UNet, which generates diverse and realistic vein images for data augmentation. Then, we improve the NOLA model to fine-tune the Segment Anything Model (SAM) and develop a specialized vein segmentation model (VeinSAM), which effectively extracts palm-vein texture features. Finally, the image generator (Wavelet-xLSTM-UNet) and the vein segmentation model (VeinSAM) are combined to form AdVeinSAM, where the generator and the VeinSAM are alternately updated through adversarial training. Concretely, the image generator generates challenging samples to increase the segmentation difficulty for VeinSAM, while VeinSAM learns more robust feature representations from these challenging samples to improve the generalization and segmentation accuracy. We conduct extensive experiments on three public palm-vein databases and experimental results demonstrate that the proposed AdVeinSAM model outperforms state-of-the-art solutions, achieving the lowest equal error rates (EERs) of 1.48%, 4.76%, and 0.72%, respectively. These results confirm the effectiveness and robustness of AdVeinSAM in palm-vein texture extraction.
PaperID: 350,   
Authors:  Saihui Hou, Chenye Wang, Aoqi Li, Jilong Wang, Liang Wang, Yongzhen Huang
Affiliations: School of Artificial Intelligence, Beijing Normal University, Beijing, China; University of Science and Technology of China, Hefei, China; Institute of Automation, Chinese Academy of Sciences, Beijing, China
Title: GaitAsset: In Defense of Regarding Gait as a Set
Abstract:
In the field of gait recognition, regarding gait as a set has emerged as a seminal approach, notably eliminating the dependence on template-based input. Although set-based methods offer notable advantages, such as insensitivity to frame order permutations and robustness to varying frame counts, their performance has consistently lagged behind that of sequence-based methods in subsequent studies. In this work, we advocate for treating gait as an unordered set and argue that the lack of set context aggregation in frame-level feature extraction is the primary limitation hindering the full potential of set-based gait recognition. To substantiate this claim, we develop a gait-oriented self-attention module and introduce a Gating Mechanism that facilitates set context awareness for each silhouette while preserving the permutation-invariant property. Specifically, the context aggregation operates on diverse bins of feature maps, interleaving fine-grained shape and motion details in an almost parameter-free manner. The Gating Mechanism is employed to ensure that frame-level features are not overwhelmed by the aggregated context. Furthermore, the sampling strategy is carefully enhanced to better support set context modeling. Our research demonstrates that set-based gait recognition can achieve state-of-the-art accuracy on in-the-wild benchmarks (77.6% on Gait3D and 81.1% on GREW) while retaining its inherent advantages.
PaperID: 351,   
Authors:  Junteng Yao, Ming Jin, Tuo Wu, Cunhua Pan, Maged Elkashlan, Chau Yuen, George K. Karagiannidis, Octavia A. Dobre
Affiliations: Faculty of Electrical Engineering and Computer Science, Ningbo University, Ningbo, China; Department of Electronic Engineering, State Key Laboratory of Terahertz and Millimeter Waves, City University of Hong Kong, Kowloon Tong, Hong Kong; National Mobile Communications Research Laboratory, Southeast University, Nanjing, China; School of Electronic Engineering and Computer Science, Queen Mary University of London, London, U.K.; School of Electrical and Electronic Engineering, Nanyang Technological University, Jurong West, Singapore; Department of Electrical and Computer Engineering, Aristotle University of Thessaloniki, Thessaloniki, Greece; Faculty of Engineering and Applied Science, Memorial University, St. John’s, NL, Canada
Title: Rethinking Secure Resource Allocation: When NOMA Meets Finite Blocklength
Abstract:
The allocation of secure resources in non-orthogonal multiple access (NOMA) systems has gained significant recognition as a vital research focus in the realm of the Internet of Things (IoT). Previous studies have overlooked the security challenges associated with integrating NOMA with finite blocklength (FBL) transmission. Therefore, this paper examines a secure downlink NOMA system utilizing FBL transmission, which includes a base station (BS), a near user, a far user, and an external eavesdropper. We develop an optimization problem with the objective of maximizing the near user’s effective secrecy throughput, considering the secrecy rates, decoding error probabilities (DEPs), and effective secrecy throughput for both users. Notably, by meticulously defining the DEPs of the users as optimization variables, the monotonicity and concavity of these DEPs in relation to the blocklength, transmission power, and transmission rate can be established effectively. The problem is divided into two sub-problems focusing on the essential conditions for the secrecy rate of the near user, especially in scenarios where successive interference cancellation (SIC) is unsuccessful. These sub-problems are addressed using the block coordinate descent (BCD) algorithm and an exact penalty method. For comparison, the BCD algorithm is also applied to solve the optimization problem using the orthogonal multiple access (OMA) scheme. Numerical simulations confirm the effectiveness of our proposed approaches in improving secure resource allocation when NOMA is combined with FBL transmission.
PaperID: 352,   
Authors:  Xiangyun Tang, Wen Yang, Luyao Peng, Meng Shen, Tao Zhang, Yu Weng, Jiawen Kang, Dusit Niyato
Affiliations: Key Laboratory of Ethnic Language Intelligent Analysis and Security Governance of MOE, Minzu University of China, Beijing, China; School of Cyberspace Security, Beijing Institute of Technology, Beijing, China; School of Cyberspace Science and Technology, Beijing Jiaotong University, Beijing, China; School of Automation, Guangdong University of Technology, Guangzhou, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: FinBack: Infiltrating Backdoors into Gradient Compressors on Federated Learning
Abstract:
Federated Learning (FL) has emerged as a promising distributed machine learning paradigm that allows clients to jointly train a global model without sharing their raw training datasets. However, FL is vulnerable to backdoor attacks, where malicious clients inject specific backdoors into their local models to manipulate the global model’s outputs. Recent studies have widely applied gradient compression to construct efficient and robust FL systems against backdoor attacks, but we argue that gradient compression cannot be seen as a reliable defense strategy against backdoor attacks. In this work, we systematically evaluate the effectiveness of gradient compression against backdoor attacks. The experimental results indicate that, apart from SignSGD, which prevents backdoor injection without significantly reducing the accuracy of the global model, most gradient compression methods do not provide effective defenses against backdoor attacks. Furthermore, we develop a novel adaptive backdoor attack, named FinBack, that can effectively infiltrate the gradient compressor SignSGD and implant backdoors in FL. It induces small weight changes on specific neurons that do not conflict with benign clients, while avoiding counteraction by benign clients and perturbation triggers, thereby ensuring the effectiveness and persistence of the backdoors. FinBack encompasses two attack modes: FinBack with server collusion and FinBackR without server collusion. Extensive experiments demonstrate the effectiveness and persistence of the proposed attacks, which increase the Attack Success Rate (ASR) from 10% to over 90% in SignSGD, even with 1% of malicious clients.
PaperID: 353,   
Authors:  Hongshan Yang, Zhichao Li, Zhibo Wang, Peng Sun, Zhixuan Chu, Feng Lin
Affiliations: State Key Laboratory of Blockchain and Data Security, the School of Cyber Science and Technology, and the College of Computer Science and Technology, Zhejiang University, Hangzhou, China; College of Computer Science and Electronic Engineering, Hunan University, Changsha, China
Title: Toward Defending Adversarial Patch Attacks With Mask-Reconstruction-Assisted Adversarial Training
Abstract:
Adversarial patch attacks pose a significant threat to deep learning models in real-world applications, such as autonomous driving, due to their physical feasibility and ease of deployment. Although several defenses exist, they often have limitations, such as requiring prior knowledge of adversarial patches, being tied to specific model architectures, or struggling to balance robustness with accuracy on clean inputs. In this work, we propose a novel Mask-Reconstruction-assisted Adversarial Training (MRAT) framework to enhance model robustness against adversarial patches while preserving accuracy. To achieve this, we first develop an adversarial example generation method that applies masks comprising randomly positioned square blocks with adversarial perturbations to clean images. This technique generates diverse adversarial examples for training, preventing the model from overfitting to a specific type of adversarial patch. To maintain accuracy on clean inputs while enhancing adversarial robustness, we incorporate a mask-reconstruction task into standard adversarial training paradigms. This task utilizes feature representations extracted from the backbone to reconstruct clean versions of adversarial examples. By jointly optimizing the reconstruction network and the classification model, the feature representations of adversarial examples retain essential features of their original images, leading to robust feature extraction and high classification accuracy. Extensive experimental results in both digital and physical domains demonstrate that MRAT significantly enhances the model’s defensive performance against adversarial patch attacks while maintaining high accuracy on clean inputs. Our code is available at: https://github.com/wanggroupAI/AI_Security/tree/main/Adversarial%20Example/MRAT
PaperID: 354,   
Authors:  Jianhong Zhang, Qing Ji, Chuming Shi
Affiliations: School of Artificial Intelligence and Computer Science, North China University of Technology, Beijing, China
Title: Two-Round Certificateless Multi-Signatures With Key Aggregation in Smart Contracts
Abstract:
Multi-signatures have recently garnered considerable attention, particularly within the domain of smart contracts in blockchain ecosystems, as they enhance account security and mitigate single points of failure by requiring the approval of multiple key holders for transaction execution. However, most existing multi-signature schemes heavily rely on traditional Public Key Infrastructure (PKI), which requires a trusted authority and conflicts with the decentralized nature of blockchain technology. Certificateless multi-signature (CLMS) schemes, which eliminate the requirement for a trusted authority, represent promising solutions to address this issue. Nevertheless, existing CLMS schemes encounter challenges that limit their suitability for smart contract applications, including high communication overhead, expensive verification costs, and “loose” security reductions. To address these challenges, we propose two novel two-round certificateless multi-signature schemes. These schemes not only support key aggregation but also optimize the signing process with two-round communication, maintaining fixed computational overhead during verification. Furthermore, the security proofs for the proposed schemes are independent of the Forking lemma, resulting in tighter security reductions and strengthened security assurance. Finally, experimental results demonstrate that the proposed schemes significantly reduce both communication and computational overhead compared to existing CLMS schemes, making them more efficient and practical for blockchain-based smart contract applications.
PaperID: 355,   
Authors:  Siqi Sun, Achim D. Brucker, Jia Hu, Xiaowei Huang, Wenjie Ruan
Affiliations: School of Computer Science and Informatics, University of Liverpool, Liverpool, U.K.; Department of Computer Science, University of Exeter, Exeter, U.K.
Title: SCALA: Toward Imperceptible and Efficient Black-Box Textual Adversarial Perturbations
Abstract:
Deep learning models are intrinsically susceptible to textual adversarial attacks on social media, where the perturbed text can trigger aberrant behaviours of victim models and threaten security and privacy. In this paper, we present a novel word-level attack called SCALA: a Synonym-based desCending And repLace-back Ascending mechanism. Our focus is on the efficient production of adversarial examples, with a particular emphasis on minimizing human perceptibility while ensuring visual resemblance and semantic correctness. The merits of our attacking solution lie in being: i) imperceptible – it keeps a very low word perturbation rate based on the Hamming (L_0-norm) distance, thus achieving heightened deceptiveness validated through human evaluations; ii) efficient – our tensor-based parallelization strategy ensures attacking efficiency compared with baselines; iii) effective – it surpasses seven state-of-the-art attacks on five target models in terms of reducing after-attack accuracy; iv) practical – the black-box score-based setting ensures that the adversary only needs to query target models for confidence scores; and v) transferable – our attack shows competitive transferability on the generated adversarial examples. We release our code SCALA via https://github.com/TrustAI/SCALA
PaperID: 356,   
Authors:  Zhaoyang Xie, Haibin Zhang, Shengli Liu, Sisi Duan, Liehuang Zhu
Affiliations: Tsinghua University, Beijing, China; Region Institute of Tsinghua University, Jiaxing, Zhejiang, China; Shanghai Jiao Tong University, Shanghai, China; Beijing Institute of Technology, Beijing, China
Title: Practical Constant-Time Asynchronous Distributed Key Generation With Improved Efficiency
Abstract:
We propose an expected constant-time asynchronous distributed key generation (ADKG) protocol that significantly outpaces prior protocols. Our protocol supports all desirable properties for ADKG (supporting a high threshold, private keys from field elements, and optimal resilience). At the core of our protocol is a new ADKG paradigm from weak leader election and multivalued Byzantine agreement (MBA). We have implemented our protocol and performed the largest WAN evaluation thus far, using up to 202 Amazon EC2 nodes. We show that the latency of the state-of-the-art ADKG protocol due to Das, Xiang, Kokoris-Kogias, and Ren is approximately 1.6-4.8x that of our ADKG protocol.
PaperID: 357,   
Authors:  Jiale Zhang, Wanquan Zhu, Kai Wang, Chengcheng Zhu, Xiaobing Sun, Weizhi Meng, Xiapu Luo
Affiliations: School of Information and Artificial Intelligence, Yangzhou University, Yangzhou, China; State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
Title: SSLDefender: Backdoor Defense in Self-Supervised Learning via Distillation-Guided Unlearning
Abstract:
Self-supervised learning utilizes unlabelled data to train encoders, acquiring high-quality representations of input data and significantly advancing the field of computer vision. However, recent studies have demonstrated that self-supervised learning suffers from numerous adversarial attacks. Among them, the backdoor attack is one of the focal issues, where downstream classifiers inherit the backdoor behavior of the pre-trained encoder. Existing defense methods against backdoor attacks primarily focus on supervised learning, which heavily relies on labeled data and cannot be directly migrated to self-supervised scenarios. Furthermore, defense methods for self-supervised backdoors aim to separate poisoned samples on assumed small-scale datasets and retrain to obtain a clean encoder. However, these approaches are useless against encoders that have already been implanted with a backdoor. To address these issues, we propose SSLDefender, a novel image-based backdoor mitigation method specially designed for self-supervised learning, which can remove backdoor attributes directly from the backdoored encoder. Specifically, we employ a trigger recovery method based on mutual information maximization to efficiently obtain a trigger that resembles the target backdoor’s influence. Additionally, we design a distillation-guided unlearning strategy to purify backdoor features steadily and ensure the retention of clean knowledge to prevent over-forgetting. Extensive experimental evaluations on six benchmark datasets demonstrate that SSLDefender can successfully reduce the attack success rate of BadEncoder to around 2% while maintaining high model accuracy on the main task. Its performance surpasses state-of-the-art methods.
PaperID: 358,   
Authors:  Zhe Ye, Qiben Yan, Jiahao Chen, Xiangui Kang, Jiwu Huang
Affiliations: Guangdong Key Laboratory of Information Security, School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Department of Computer Science and Engineering, Michigan State University, East Lansing, MI, USA; College of Computer Science and Technology, Zhejiang University, Hangzhou, China; Guangdong Laboratory of Machine Perception and Intelligent Computing, Faculty of Engineering, Shenzhen MSU-BIT University, Shenzhen, China
Title: StealthPhase: Toward a Stealthy Backdoor Attack Against Speaker Recognition
Abstract:
Speaker recognition systems (SRS) play a vital role in identity authentication. At the same time, researchers have found that these systems are highly vulnerable to backdoor attacks, where the poisoned model will misclassify poisoned inputs. Most backdoor attack methods primarily focus on improving attack success rates (ASR), achieving ASR as high as 99%. However, these methods reveal a significant concern in terms of stealthiness. Poisoned audio often exhibits differences from clean audio that can be detected by human listeners or through visualization. To overcome this issue, we prioritize stealthiness in our attack design and propose StealthPhase. Motivated by preliminary experiments on frequency-domain random noise backdoor attacks, our method implants a predefined trigger into the phase spectrum through frequency decomposition to ensure inherent stealth. The predefined trigger uses the natural phase pattern derived from real speech. Therefore, it is both learnable, as it addresses the challenge of designing effective phase-based triggers, and stealthy, as it remains imperceptible in both spectrogram visualizations and auditory perception. A key advantage of our method is that it avoids complex algorithms to optimize triggers and does not require an extra loss function to balance stealthiness and effectiveness. Extensive experimental results demonstrate that StealthPhase achieves 99% ASR with minimal impact on the model’s benign accuracy (BA). Meanwhile, its stealthiness is validated from three perspectives. First, visualizations show that the backdoor audio samples are nearly indistinguishable from clean samples. Second, an audio quality assessment confirms that the trigger introduces minimal perceptual distortion, preserving the overall audio quality. Finally, speech recognition performance evaluation shows that the word error rate (WER) remains largely unaffected. Furthermore, we validate the effectiveness of StealthPhase in real-world scenarios, where it achieves an ASR of 80%, and demonstrate its ability to bypass defense mechanisms.
PaperID: 359,   
Authors:  Chenxi Hu, Yangyi Hu, Huangxiang Li, Yifan Hu, Ning Zhu
Affiliations: School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; resides, Beijing, China; Baidu Inc., Beijing, China; College of Command and Control Engineering, Army Engineering University of PLA, Nanjing, China; Department of Oral Implantology, Peking University School and Hospital of Stomatology, National Center for Stomatology, National Clinical Research Center for Oral Diseases, National Engineering Research Center of Oral Biomaterials and Digital Medical Devices, Beijing, China
Title: Copyright Protection of General Information via Simulation Task Supervision
Abstract:
Large language models (LLMs) have exceptional linguistic capabilities, but their ability to reproduce copyrighted data verbatim from high-quality training datasets raises concerns about improper exploitation through artificial intelligence (AI) data traceability. Such copyrighted data may include general information (e.g., historical knowledge or common sense), so LLMs would need to generate content that preserves key information instead of producing exact replicas. However, the primary goal of current unlearning methods is to fully forget targeted knowledge or key information, which may lead to hallucinations of general information. To address these challenges, we propose an unlearning method that is based on attention flattening in autoregressive models combined with simulation tasks for targeted information forgetting. During optimization, the model is trained only on real tasks while acquiring knowledge from simulation task learning to suppress the memorization of copyrighted data. In inference, we compare the sensitivity of attention heads between simulation and real tasks, identify those most relevant to copyrighted data, and perform attention head pruning to suppress the generation of such data. The experimental results show that, compared to existing unlearning baselines, our method achieves lower perplexity and BLEU scores while maintaining higher entity coverage scores and semantic textual similarity in text generation tasks.
PaperID: 360,   
Authors:  Xin Xie, Jianan Hong, Cunqing Hua, Yanhong Xu
Affiliations: School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Communication Efficient Ciphertext-Field Aggregation in Wireless Networks via Over-the-Air Computation
Abstract:
Aggregating metadata in the ciphertext field is an attractive property brought by homomorphic encryption (HE) for privacy-sensitive computing tasks; therefore, research on next-generation wireless networks has treated it as one of the promising cryptographic techniques for various scenarios. However, existing schemes are far from being deployable in various computing scenarios due to their high computational complexity and ciphertext expansion, especially for bandwidth-limited and latency-sensitive wireless scenarios. In this paper, we propose the AirHE scheme to achieve homomorphic evaluation via over-the-air computation in the physical layer. Moreover, we propose a new encryption scheme that can be integrated with the physical layer procedure. A new error control mechanism for ciphertext is further proposed to solve the error accumulation problem. The novelty of the AirHE scheme is to take advantage of the intrinsic superposition characteristic of the wireless channel, such that the communication and computation cost is greatly reduced by achieving homomorphic evaluation and error control of ciphertext in the physical layer. We implement the AirHE scheme based on the LTE system and validate its feasibility. Simulation results are also presented to show the performance of the AirHE scheme under different channel conditions.
PaperID: 361,   
Authors:  Rujia Li, Qin Wang, Yuanzhao Li, Sisi Duan, Qi Wang, David Galindo
Affiliations: Institute for Advanced Study, Tsinghua University, Beijing, China; CSIRO’s Data, Eveleigh, NSW, Australia; Department of Computer Science and Engineering, Southern University of Science and Technology (SUSTech), Shenzhen, China; Department of Computer Science and Engineering and the National Center for Applied Mathematics Shenzhen, Southern University of Science and Technology (SUSTech), Shenzhen, China; Valory AG, Zug, Switzerland
Title: Bringing Smart Contract Confidentiality via Trusted Hardware: Fact and Fiction
Abstract:
Trusted Execution Environment (TEE)-assisted confidential smart contracts (TCSC) have attracted extensive attention from both academia and industry. Despite an enormous number of TCSC projects, the extent of confidentiality offered by them is still being questioned: the factual and fictional aspects are not well distinguished, which limits their adoption. In this paper, we provide a formal treatment of TCSC, endowing them with an expressive syntax and security definitions. Based on these definitions, we propose a provably secure TCSC instantiation. Then, we investigate each algorithm and identify the implementation flaws that may make a TCSC system violate its security properties. Our analysis reveals the gap between theoretical security models and real-world implementations: even assuming a TCSC is provably secure by design, it may still fail in practice. We further compare our TCSC instantiation with 16 representative TCSC systems. Our results show that, surprisingly, all these surveyed projects are subject to practical attacks. Finally, we implement a TCSC prototype and conduct a comprehensive evaluation, revealing the overheads of distributed key management and the performance challenges of executing complex contracts within TEEs.
PaperID: 362,   
Authors:  Haochen Wang, Qidi You, Sisi Duan
Affiliations: the Institute for Advanced Study, Tsinghua University, Beijing, China; Space Star Technology Company Ltd., Beijing, China
Title: Synchronous Byzantine Agreement With O(n) Messages and O(1) Expected Time
Abstract:
Byzantine agreement is the most fundamental primitive in distributed computing. All known Byzantine agreement protocols achieve quadratic or sub-quadratic messages and communication. We show that, surprisingly, by directly assuming a random leader election oracle (that can be built from a verifiable random function), threshold signatures, and the 1/3 corruption bound, we can build Linear-BA, a binary agreement (BA) protocol that has linear message complexity, constant expected time complexity, and a normal case with linear communication. We extend Linear-BA to construct Linear-MBA, a multi-valued Byzantine agreement (MBA) protocol also with O(n) messages and O(1) expected time. Finally, we present Linear-MBA-SV, an MBA protocol with the strong validity property via a no-cost transformation from Linear-MBA. All the protocols above are secure under a static adversary, which corrupts a set of replicas at the beginning of the protocol. We go on to show an impossibility result: in the adaptive adversary model (in which the adversary can selectively corrupt replicas while the protocol is running), one cannot build a Byzantine agreement protocol with O(n) messages and O(1) expected time. Accordingly, we revise our protocols to obtain Byzantine agreement protocols with O(n) messages per round and O(n) time. Our results offer a fresh view of what is needed for linear Byzantine agreement: by examining the “needed” assumptions, one can identify the performance bottlenecks for Byzantine agreement. Meanwhile, all our protocols are efficient, as all the building blocks have efficient instantiations.
PaperID: 363,   
Authors:  Shouxu Han, Jie Liu, Yi Luo, Hongping Gan
Affiliations: School of Software, Northwestern Polytechnical University, Xi’an, China; School of Software, Northwestern Polytechnical University, Taicang, China
Title: LCMA: A Novel Lightweight Continuous Message Authentication for Cyber-Physical System
Abstract:
Cyber-Physical Systems (CPS) consist of various physical devices and have a significant impact on both industry and the economy. In CPS, controllers or control centers typically send continuous commands to actuators. Due to the limited computational and storage resources of CPS devices, existing Message Authentication Code and digital signature algorithms face challenges in terms of being non-interactive, lightweight, and continuous on the actuator side. To address this issue, we propose a lightweight continuous message authentication (LCMA) scheme that ensures the continuity of signatures through a mechanism involving random numbers and incrementing sub-private keys. Multidimensional Bloom filters are designed and used together with precomputed verification points generated by the Key Generation Center to enable non-interactive verification. Additionally, we design a redundancy-free hash tree for CPS to reduce information redundancy. The proposed solution requires only hash operations and Bloom filter queries for verification, achieving sufficiently lightweight performance. Finally, we provide a formal security proof for the proposed scheme and simulate it on the ESP32 platform. The results show that the implementation times for signature generation and verification are 0.779 milliseconds and 0.792 milliseconds, respectively. Compared to other non-interactive lightweight message authentication schemes, the proposed LCMA is more suitable for CPS devices.
PaperID: 364,   
Authors:  Yuhang Qiu, Honghui Chen, Xingbo Dong, Zheng Lin, Iman Yi Liao, Massimo Tistarelli, Zhe Jin
Affiliations: Anhui Provincial Key Laboratory of Secure Artificial Intelligence, School of Artificial Intelligence, Anhui University, Hefei, China; Department of Physics and Information Engineering, Fuzhou University, Fuzhou, China; Department of Electrical and Electronic Engineering, The University of Hong Kong, Hong Kong, SAR, China; School of Computer Science, University of Nottingham, Malaysia Campus, Semenyih, Malaysia; Computer Vision Laboratory, University of Sassari, Sassari, Italy
Title: IFViT: Interpretable Fixed-Length Representation for Fingerprint Matching via Vision Transformer
Abstract:
Determining dense feature points on fingerprints used in constructing deep fixed-length representations for accurate matching, particularly at the pixel level, is of significant interest. To explore the interpretability of fingerprint matching, we propose a multi-stage interpretable fingerprint matching network, namely Interpretable Fixed-length Representation for Fingerprint Matching via Vision Transformer (IFViT), which consists of two primary modules. The first module, an interpretable dense registration module, establishes a Vision Transformer (ViT)-based Siamese Network to capture long-range dependencies and the global context in fingerprint pairs. It provides interpretable dense pixel-wise correspondences of feature points for fingerprint alignment and enhances the interpretability of the subsequent matching stage. The second module takes into account both local and global representations of the aligned fingerprint pair to achieve interpretable fixed-length representation extraction and matching. It employs the ViTs trained in the first module with an additional fully connected layer and retrains them to simultaneously produce the discriminative fixed-length representation and interpretable dense pixel-wise correspondences of feature points. Extensive experimental results on diverse publicly available fingerprint databases demonstrate that the proposed framework not only exhibits superior performance on dense registration and matching but also significantly promotes interpretability in deep fixed-length representation-based fingerprint matching.
PaperID: 365,   
Authors:  Shuyu Jiang, Yunxiang Qiu, Xian Mo, Rui Tang, Wei Wang
Affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu, China; School of Information Engineering, Ningxia University, Yinchuan, China; School of Public Health, Chongqing Medical University, Chongqing, China
Title: An Effective Node Injection Approach for Attacking Social Network Alignment
Abstract:
The importance of social network alignment (SNA) for various downstream applications, such as social network information fusion and e-commerce recommendation, has prompted numerous professionals to develop and share SNA tools. However, malicious actors can exploit these tools to integrate sensitive user information, thereby posing cybersecurity risks. Although many researchers have explored attacking SNA (ASNA) through network modification attacks to protect users, practical feasibility remains challenging. In this study, we propose an effective node injection attack via a dynamic programming framework (DPNIA) to address the problem of modeling and solving ASNA within a limited time and balancing the costs and benefits. DPNIA models ASNA as a problem of maximizing the number of confirmed incorrect correspondent node pairs with greater similarity scores than the pairs between existing nodes, thereby making ASNA solvable. A cross-network evaluation method is employed directly to identify node vulnerabilities, facilitating progressive attacking from easy to difficult. In addition, an optimal injection strategy searching method based on dynamic programming is used to determine which links should be added between the injected and existing nodes, thereby enhancing the effectiveness of the attack at a low cost. Experiments on four real-world datasets demonstrated that DPNIA consistently and significantly surpasses various baselines when attacking both multiple networks simultaneously and a single network.
PaperID: 366,   
Authors:  Xiaoping Liang, Zhenjun Tang, Xianquan Zhang, Xinpeng Zhang, Ching-Nung Yang
Affiliations: Key Laboratory of Education Blockchain and Intelligent Technology, Ministry of Education, and Guangxi Key Laboratory of Multi-Source Information Mining and Security, Guangxi Normal University, Guilin, China; School of Computer Science, Fudan University, Shanghai, China; Department of Computer Science and Information Engineering, National Dong Hwa University, Hualien, Taiwan
Title: Robust Image Hashing With Weighted Saliency Map and Laplacian Eigenmaps
Abstract:
Copy detection is crucial for protecting image copyright. This paper proposes a robust image hashing approach via Weighted Saliency Map (WSM) and Laplacian Eigenmaps (LE) (hereafter the WSM-LE approach). An important contribution is the WSM construction via the edge map and the saliency map. As the WSM can indicate the regions of interest in an image, hash calculation based on the WSM provides the robustness of our WSM-LE approach. Another contribution is the low-dimensional feature learning by the LE technique. As the LE technique can effectively learn the internal geometric relationships of an image, the extracted low-dimensional features improve the discrimination of our WSM-LE approach. In addition, the low-dimensional features are treated as vectors and the vector distances are used to create a compact and encrypted hash. Numerous experiments and comparisons are conducted to confirm the effectiveness and superiority of our WSM-LE approach. The results indicate that our WSM-LE approach has better classification and copy detection performance than some baseline approaches.
PaperID: 367,   
Authors:  Wenrui Yu, Qiongxiu Li, Milan Lopuhaä-Zwakenberg, Mads Græsbøll Christensen, Richard Heusdens
Affiliations: CISPA Helmholtz Center for Information Security, Saarbrücken, Germany; Department of Electronic Systems, Aalborg University, Aalborg, Denmark; Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands; Netherlands Defence Academy, Den Helder, The Netherlands
Title: Provable Privacy Advantages of Decentralized Federated Learning via Distributed Optimization
Abstract:
Federated learning (FL) emerged as a paradigm designed to improve data privacy by enabling data to reside at its source, thus embedding privacy as a core consideration in FL architectures, whether centralized or decentralized. Contrasting with recent findings by Pasquini et al., which suggest that decentralized FL does not empirically offer any additional privacy or security benefits over centralized models, our study provides compelling evidence to the contrary. We demonstrate that decentralized FL, when deploying distributed optimization, provides enhanced privacy protection - both theoretically and empirically - compared to centralized approaches. The challenge of quantifying privacy loss through iterative processes has traditionally constrained the theoretical exploration of FL protocols. We overcome this by conducting a pioneering in-depth information-theoretical privacy analysis for both frameworks. Our analysis, considering both eavesdropping and passive adversary models, successfully establishes bounds on privacy leakage. In particular, we show information theoretically that the privacy loss in decentralized FL is upper bounded by the loss in centralized FL. Compared to the centralized case where local gradients of individual participants are directly revealed, a key distinction of optimization-based decentralized FL is that the relevant information includes differences of local gradients over successive iterations and the aggregated sum of different nodes’ gradients over the network. This information complicates the adversary’s attempt to infer private data. To bridge our theoretical insights with practical applications, we present detailed case studies involving logistic regression and deep neural networks. These examples demonstrate that while privacy leakage remains comparable in simpler models, complex models like deep neural networks exhibit lower privacy risks under decentralized FL. Extensive numerical tests further validate that decentralized FL is more resistant to privacy attacks, aligning with our theoretical findings.
PaperID: 368,   
Authors:  Pingyu Wang, Xingjian Zheng, Linbo Qing, Bonan Li, Fei Su, Zhicheng Zhao, Honggang Chen
Affiliations: College of Electronics and Information Engineering, Sichuan University, Chengdu, China; Frost Drill Intellectual Software Pte. Ltd., Bras Basah, Singapore; School of Electronic, Electrical, and Communication Engineering, University of Chinese Academy of Sciences, Beijing, China; School of Artificial Intelligence, Beijing University of Posts and Telecommunications, Beijing, China
Title: DRFormer: A Discriminable and Reliable Feature Transformer for Person Re-Identification
Abstract:
As person image variations are likely to cause a part misalignment problem, most previous person Re-Identification (ReID) works may adopt local feature partition or additional landmark annotations to acquire aligned person features and boost ReID performance. However, such approaches either only achieve coarse-grained part alignments without considering detailed image variations within each part, or require extra annotated landmarks to train an available pose estimation model. In this work, we propose an effective Discriminable and Reliable Transformer (DRFormer) framework to learn part-aligned person representations with only person identity labels. Specifically, the DRFormer framework consists of Discriminable Feature Transformer (DFT) and Reliable Feature Transformer (RFT) modules, which generate discriminable and reliable high-order features, respectively. For reducing the dimension of high-order features, the DFT module utilizes a Self-Attentive Kronecker Product (SAKP) algorithm to promote the representational capabilities of compressed features via a self-attention strategy. For eliminating the background noise, the RFT module mines the foreground regions to adaptively aggregate foreground features via a Gumbel-Softmax strategy. Moreover, the proposed framework derives from an interpretable motivation and elegantly solves part misalignments without using feature partition or pose estimation. This paper theoretically and experimentally demonstrates the superiority of the proposed DRFormer framework, achieving state-of-the-art performance on various person ReID datasets.
PaperID: 369,   
Authors:  Zhenxin Cai, Yu Wang, Guan Gui, Jin Sha
Affiliations: School of Electronic Science and Engineering, Nanjing University, Nanjing, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Toward Robust Radio Frequency Fingerprint Identification via Adaptive Semantic Augmentation
Abstract:
Radio frequency fingerprint identification (RFFI) is regarded as one of the most promising techniques for managing and regulating Internet of Things (IoT) devices. This technology analyzes the unique electromagnetic signals emitted by wireless devices to enable precise identification and authentication. Most existing RFFI methods focus on RF signals collected in specific scenarios. However, in real-world applications, signals are often collected at different times or from varying deployment locations, leading to differences between the training and testing distributions. The study of RFFI methods under these conditions remains underexplored. To address this gap, this paper introduces a cross-domain RFFI framework centered on adaptive semantic augmentation (ASA). The framework integrates a computationally efficient multi-resolution spectrogram decomposition strategy with a feature-sensitive multi-scale network. The ASA method enhances RFFI accuracy in cross-domain settings by linearly interpolating between two distinct semantic features to create new semantics for further identification. The proposed approach leverages the two-dimensional discrete wavelet transform (2D-DWT) to decompose the raw spectrogram into four sub-bands, followed by a multi-scale network to extract critical semantic features for the ASA method. Simulation results show that the proposed ASA method significantly improves Unmanned Aerial Vehicle (UAV) identification performance, achieving accuracies of 93.05% and 98.90% on two different cross-domain datasets, respectively, outperforming existing data augmentation (DA) methods. Furthermore, generalizability validation demonstrates that the proposed method performs outstandingly across other IoT applications.
PaperID: 370,   
Authors:  Shiyuan Xu, Xue Chen, Yu Guo, Siu-Ming Yiu, Shang Gao, Bin Xiao
Affiliations: Department of Computer Science, School of Computing and Data Science, The University of Hong Kong, Pok Fu Lam, Hong Kong; School of Artificial Intelligence, Beijing Normal University, Beijing, China; Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: Efficient and Secure Post-Quantum Certificateless Signcryption With Linkability for IoMT
Abstract:
The Internet of Medical Things (IoMT) has gained significant research focus in both academic and medical institutions. Nevertheless, the sensitive data involved in IoMT raises concerns regarding user validation and data privacy. To address these concerns, certificateless signcryption (CLSC) has emerged as a promising solution, offering authenticity, confidentiality, and unforgeability. Unfortunately, most existing CLSC schemes are impractical for IoMT due to their heavy computational and storage requirements. Additionally, these schemes are vulnerable to quantum computing attacks. Therefore, research focusing on designing an efficient post-quantum CLSC scheme is still far-reaching. In this work, we propose PQ-CLSCL, a novel post-quantum CLSC scheme with linkability for IoMT. Our proposed design facilitates secure transmission of medical data between physicians and patients, effectively validating user legitimacy and minimizing the risk of private information leakage. To achieve this, we leverage lattice sampling algorithms and hash functions to generate the partial secret key, then employ the sign-then-encrypt method and design a link label. We also formalize and prove the security of our design, including indistinguishability against chosen-ciphertext attacks (IND-CCA2), existential unforgeability against chosen-message attacks (EU-CMA), and linkability. Finally, through comprehensive performance evaluation, our computation overhead is just 5% of other existing schemes. The evaluation results demonstrate that our solution is practical and efficient.
PaperID: 371,   
Authors:  Qiang Zhang, Xiongwei Zhang, Meng Sun, Jibin Yang
Affiliations: Laboratory of Intelligent Information Processing, Army Engineering University of PLA, Nanjing, China
Title: A Soft-Contrastive Pseudo Learning Approach Toward Open-World Forged Speech Attribution
Abstract:
Anti-spoofing of deepfake or forged speech is an important technique for the secure use of generative artificial intelligence. Beyond binary classification of real and forged speech, method attribution of forged speech is becoming a practical solution for interpretable anti-spoofing strategies. However, existing related methods perform poorly when analyzing speech forgery methods unseen in their training data, which is inefficient in open-world scenarios with emerging new forgery methods. In this paper, Open-World Forged Speech Attribution (OW-FSA) is first defined as the attribution of forged speech to the methods generating it, where the recognized methods are not limited to those seen in the training data and the properties of the unseen methods should also be depicted adequately. A novel algorithm, Soft-contrastive Pseudo Learning (SPL), is proposed to address the challenges outlined in OW-FSA, which introduces two key innovations: 1) Based on similarities between features at different scales, the proposed similarity-based soft filtering module filters and matches utterances from the same forgery class to enhance the intra-class compactness of features through contrastive learning. 2) The proposed similarity-based soft pseudo-labeling module integrates label-smoothing-like and similarity weighting techniques to mitigate possible errors in pseudo-labeling. Besides, an iterative algorithm based on SPL is proposed to predict the number of unseen classes. Extensive experiments have validated the superiority of the proposed algorithm over other recently proposed methods on the task of OW-FSA with or without knowledge of the number of unseen classes. Intuitive visualization and ablation studies have also been conducted to illustrate the advantages of the proposed algorithm. The newly defined task OW-FSA and the proposed algorithm SPL in this paper will help advance the research in speech anti-spoofing.
PaperID: 372,   
Authors:  Wei Wang, Haipeng Peng, Junke Duan, Licheng Wang, Xiaoya Hu, Zilin Zhao
Affiliations: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; CRSC Research and Design Institute Group Company Ltd., Beijing, China
Title: Resilient and Redactable Blockchain With Two-Level Rewriting and Version Detection
Abstract:
The immutability of blockchain has exposed its limitations in adapting to rapidly evolving legal requirements and preventing malicious misuse. To address these issues, transaction-level redactable blockchain solutions based on the policy-based chameleon hash (PCH) have been introduced. These solutions allow users to create transactions and encrypt trapdoors under specific attribute policies. However, current transaction-level rewriting schemes face two security challenges: first, transactions encrypted with an invalid trapdoor are difficult to rewrite; second, due to the lack of version detection on transactions, malicious modifiers may roll back the version of a transaction to launch a reversion attack. In this paper, we present a resilient and redactable blockchain (RRB) with 2-level rewriting and transaction version detection. Specifically, we propose a new redactable blockchain structure that supports both transaction-level and block-level rewriting. To tackle the invalid trapdoor problem, we propose two protocols: a fine-grained, controllable transaction-level rewriting protocol and a centrally controlled block-level rewriting protocol. Moreover, for the transaction reversion attack, we design a version detection mechanism for RRB by using an accumulator. Through security analysis and performance evaluation, we demonstrate the security and practicality of our RRB scheme.
PaperID: 373,   
Authors:  Kai Liang, Songze Li, Ming Ding, Feng Tian, Youlong Wu
Affiliations: School of Information Science and Technology, ShanghaiTech University, Shanghai, China; School of Cyber Science and Engineering and the Engineering Research Center of Blockchain Application, Supervision and Management, Ministry of Education, Southeast University, Nanjing, China; Data, CSIRO, Sydney, NSW, Australia; Innovation Academy for Microsatellites, Chinese Academy of Sciences, Shanghai, China
Title: Privacy-Preserving Coded Schemes for Multi-Server Federated Learning With Straggling Links
Abstract:
Federated Learning (FL) has emerged as an unparalleled machine learning paradigm where multiple edge clients jointly train a global model without sharing the raw data. However, sharing local models or gradients still compromises clients’ privacy and could be susceptible to delivery failures due to unreliable communication links. To address these issues, this paper considers a multi-server FL where E edge clients wish to jointly train the global model with the help of H servers while guaranteeing data privacy and meanwhile combating s ≤ H unreliable links per client. We first propose a hybrid coding scheme based on repetition coding and MDS coding, such that any T_s colluding servers cannot deduce any client data besides the aggregated model, and any T_e colluding clients remain unaware of honest clients’ data. Furthermore, we propose a Lagrange coding with mask (LCM) scheme to ensure more stringent privacy protection that additionally demands that colluding servers possess no knowledge about either the local or global models. In addition, we establish lower bounds for both the uplink and downlink communication loads and theoretically prove that the hybrid scheme and the LCM scheme achieve the optimal uplink communication loads under the first and second threat models, respectively. For the second threat model with no straggling link, the LCM scheme is optimal. These results demonstrate the communication efficiency, robustness, and privacy guarantee of our schemes.
PaperID: 374,   
Authors:  Chenhao Wang, Yang Ming, Hang Liu, Yutong Deng, Yi Zhao, Songnian Zhang
Affiliations: School of Information Engineering, Chang’an University, Xi’an, China; School of Cyber Engineering, Xidian University, Xi’an, China
Title: Security-Enhanced Data Transmission With Fine-Grained and Flexible Revocation for DTWNs
Abstract:
The diverse properties of wireless networks are fulfilled with the assistance of digital twin (DT), which utilizes a virtual model of the physical object (PO) to provide predictions and control decisions. However, the open wireless channels and key leakage of compromised entities (including DT and PO) pose significant security issues, highlighting the need for secure data transmission schemes. Meanwhile, it is impractical to directly apply the existing works and cryptographic primitives to DT-empowered wireless networks (DTWNs) due to the absence of a solution to capture the security requirements comprehensively. Moreover, the essential characteristics for protecting historical data cannot be met. Therefore, this paper proposes a security-enhanced data transmission scheme with fine-grained and flexible revocation by customizing a novel cryptographic primitive named forward-secure puncturable signed encryption (FS-PSE). Our scheme enables confidential data dissemination/acquisition between the physical and virtual space while ensuring authentication of the real-time information and feedback results. In addition, three revocation modes are defined. Based on these modes, the entities can flexibly revoke any decryption-&-signature, decryption, and signature capability in a fine-grained approach, thereby providing security protections for the historically transmitted data even though the entity is compromised. Moreover, our scheme is instantiated with a concrete FS-PSE construction and extended to support outsourced computing to improve efficiency. Finally, the formal security proof and performance evaluation demonstrate the security and practicality of our scheme.
PaperID: 375,   
Authors:  Yingkun Wen, Yan Huo, Junhuai Li, Jin Qian, Kan Wang
Affiliations: School of Computer Science and Engineering, Xi’an University of Technology, Xi’an, China; School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China; College of Information Engineering, Taizhou University, Taizhou, China
Title: Generative Adversarial Network-Aided Covert Communication for Cooperative Jammers in CCRNs
Abstract:
This paper investigates a centralized cooperative cognitive radio network (CCRN) where a primary base station (PBS) transmits a message to a primary user while a secondary user transmitter (SU-Tx) functions as a friendly jammer. The jammer sends jamming signals to protect the PBS’s messages from a potential eavesdropper (Eve). However, the SU-Tx also attempts to covertly transmit its own messages to a secondary user receiver using the allocated spectrum resource, contravening the PBS regulations. To address this issue, the PBS requests its partner CBS to help detect the jammer’s behavior. Specifically, we propose a generative adversarial network (GAN) optimization framework that models the strategic game between the CBS monitoring and the covert transmission of cooperative jammers. We introduce a novel GAN-based beamforming design algorithm, termed GAN-BD, to determine the power allocation at the jammer for covert communication. Additionally, we develop the detection error probability (DEP) at the CBS and derive its expression using a hypothesis testing problem. Through extensive simulation results, we demonstrate that the proposed GAN-BD algorithm can achieve near-optimal solutions for conducting covert communication, leveraging knowledge of the current network environment and exhibiting rapid convergence capabilities. The simulation results highlight the effectiveness of our GAN-BD algorithm.
PaperID: 376,   
Authors:  Andong Lu, Chenglong Li, Tianrui Zha, Xiaofeng Wang, Jin Tang, Bin Luo
Affiliations: Anhui Provincial Key Laboratory of Multimodal Cognitive Computation, School of Computer Science and Technology, Anhui University, Hefei, China; Information Materials and Intelligent Sensing Laboratory of Anhui Province and Anhui Provincial Key Laboratory of Multimodal Cognitive Computation, School of Artificial Intelligence, Anhui University, Hefei, China; Faculty of Science, Vrije Universiteit Amsterdam, Amsterdam, The Netherlands; School of Computer Science and Technology, Hefei University, Hefei, China
Title: Nighttime Person Re-Identification via Collaborative Enhancement Network With Multi-Domain Learning
Abstract:
Prevalent nighttime person re-identification (ReID) methods typically combine image relighting and ReID networks in a sequential manner. However, their performance (recognition accuracy) is limited by the quality of relighting images and insufficient collaboration between image relighting and ReID tasks. To handle these problems, we propose a novel Collaborative Enhancement Network called CENet, which performs the multilevel feature interactions in a parallel framework, for nighttime person ReID. In particular, the designed parallel structure of CENet can not only avoid the impact of the quality of relighting images on ReID performance, but also allow us to mine the collaborative relations between image relighting and person ReID tasks. To this end, we integrate the multilevel feature interactions in CENet, where we first share the Transformer encoder to build the low-level feature interaction, and then perform the feature distillation that transfers the high-level features from image relighting to ReID, thereby alleviating the severe image degradation issue caused by the nighttime scenario while avoiding the impact of relighting images. In addition, the sizes of existing real-world nighttime person ReID datasets are limited, and large-scale synthetic ones exhibit substantial domain gaps with real-world data. To leverage both small-scale real-world and large-scale synthetic training data, we develop a multi-domain learning algorithm, which alternately utilizes both kinds of data to reduce the inter-domain difference in the training procedure. Extensive experiments on two real nighttime datasets, Night600 and RGBNT201_rgb, and a synthetic nighttime ReID dataset are conducted to validate the effectiveness of CENet. We release the code and synthetic dataset at: https://github.com/Alexadlu/CENet.
PaperID: 377,   
Authors:  Wenjing An, Derui Ding, Hongli Dong, Bo Shen, Lei Sun
Affiliations: Department of Control Science and Engineering, University of Shanghai for Science and Technology, Shanghai, China; Sanya Offshore Oil and Gas Research Institute, Northeast Petroleum University, Sanya, China; College of Information Science and Technology, Donghua University, Shanghai, China
Title: Privacy-Preserving Distributed Optimization for Economic Dispatch Over Balanced Directed Networks
Abstract:
Economic dispatch problems (EDPs), as a basic issue of smart grids, have appealed to a wide range of research interests owing to the expansion of network scales and the increase of system complexity. The flexibility of economic dispatch algorithms puts forward urgent requirements of distributed optimization methods dependent on information exchanges, which may lead to the leakage of private information. To solve this problem, a privacy-preserving strategy in a distributed paradigm is proposed by adding artificial sequences to the transmitted multi-step gradient information. In light of such a strategy, a new distributed privacy-preserving optimization approach in light of multi-step gradient information is developed to handle the addressed EDPs. When introduced parameter sequences satisfy suitable conditions, both the convergence to the optimal solution and the privacy of sensitive parameters in the generator cost are effectively guaranteed. Finally, an illustrative simulation is specially offered to verify the validity of the developed strategy.
PaperID: 378,   
Authors:  Ying Miao, Keke Gai, Jing Yu, Yu-an Tan, Liehuang Zhu, Weizhi Meng
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Information Engineering, Minzu University of China, Beijing, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.
Title: Blockchain-Empowered Keyword Searchable Provable Data Possession for Large Similar Data
Abstract:
Provable Data Possession (PDP) is an alternative technique that guarantees the integrity of remote data. However, most current PDP schemes are inapplicable to similarity-like data checking with the same attribute, i.e., when there are numerous similar files to be checked by Data Owners (DOs). Some traditional models cannot resist the corrupt auditors who always generate biased challenge information. Besides, a copy-summation attack exists in some schemes, which means the Cloud Server (CS) can bypass the verification by storing the median value instead of initial data via summation operation. To address the issues above, in this work, we propose a keyword searchable PDP scheme for large similar data checking. To achieve searchability, we introduce the notion of a keyword in PDP and design a specific index structure to match the authenticator. The scheme enables all matched files to be auditable and verifiable, while guaranteeing privacy protections. Unlike existing methods, our Third Party Auditor (TPA) checks all similar data containing the same keyword simultaneously. We utilize unpredictable yet verifiable public information on the blockchain to generate challenge information, rather than relying on a centralized TPA. The proposed scheme can resist copy-summation attacks. Theoretical analysis demonstrates that the proposed scheme satisfies the security requirements, and our evaluations demonstrate its efficiency.
PaperID: 379,   
Authors:  Dongming Li, Wanting Ma, Fuhui Zhou, Qihui Wu, Derrick Wing Kwan Ng
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; College of Artificial Intelligence, Nanjing University of Aeronautics and Astronautics, Nanjing, China; College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia
Title: Physical-Layer Key Generation Efficient Beamspace Adaptations in 5G New Radio
Abstract:
The fifth-generation new radio (NR) cellular communication is featured with numerous advancements over Long Term Evolution (LTE) and earlier technologies. It enables more flexible physical-layer resource scheduling across multiple dimensions, and two representative techniques are beamspace transmissions and time-frequency numerology selection. Nevertheless, the lightweight physical-layer secure transmission in NR remains under investigation, especially taking NR beamspace and mobility into consideration. In this work, we propose a physical-layer wireless key generation (KG) efficient beamspace adaptation scheme for NR, where the KG capacity is theoretically characterized by critical NR components including beam direction and beamwidth. In addition, we consider the impacts of user mobility on KG performance. Since NR beamspace plays a key role in deciding the channel probing window in the spatial dimension, the NR beamspace directly affects channel probing results and hence the KG efficiency. To this end, NR beam parameters are obtained to improve the KG performance. Especially, we propose to optimize the NR beamwidth for maximizing the secrecy-delay efficiency, because a tradeoff exists in adapting the beamwidth where smaller beamwidth can improve the channel estimation accuracy but increase the beam sweeping delay. Theoretical analysis and simulation results show that the beam direction adaptation provides spatial degrees of freedom for NR to enhance KG, by enabling beam selection pointing at target areas with richer multipath scatterings. Experimental results demonstrate that the narrow beam is beneficial to enhancing the channel estimation accuracy and the resultant key agreements.
PaperID: 380,   
Authors:  Aruna Jayasena, Richard Bachmann, Prabhat Mishra
Affiliations: Department of Computer and Information Science and Engineering, University of Florida, Gainesville, FL, USA
Title: CiseLeaks: Information Leakage Assessment of Cryptographic Instruction Set Extension Prototypes
Abstract:
Software-based cryptographic implementations provide flexibility, but they face performance limitations. In contrast, hardware-based cryptographic accelerators utilize application-specific customization to provide real-time security solutions. Cryptographic instruction-set extensions (CISE) combine the advantages of both hardware- and software-based solutions to provide higher performance combined with the flexibility of atomic-level cryptographic operations. While CISE is widely used to develop security solutions, side-channel analysis of CISE-based devices is in its infancy. Specifically, it is important to evaluate whether the power usage and electromagnetic emissions of CISE-based devices have any correlation with their internal operations, which an adversary can exploit to deduce cryptographic secrets. In this paper, we propose a test vector leakage assessment framework to evaluate pre-silicon prototypes at the early stages of the design life-cycle. Specifically, we first identify functional units with the potential for leaking information through power side-channel signatures and then evaluate them on system prototypes by generating the necessary firmware to maximize the side-channel signature. Our experimental results on two RISC-V based cryptographic extensions, RISCV-CRYPTO and XCRYPTO, demonstrated that seven out of eight prototype AES- and SHA-related functional units are vulnerable to leaking cryptographic secrets through their power side-channel signature even in full system mode with a statistical significance of α = 0.05.
PaperID: 381,   
Authors:  Qing Li, Shanxiang Lyu, Jinming Wen
Affiliations: College of Computer Science and Technology, Guangxi University of Science and Technology, Liuzhou, China; the College of Cyber Security, Jinan University, Guangzhou, China; Department of Mathematics, Jilin University, Changchun, China
Title: Optimal Client Selection of Federated Learning Based on Compressed Sensing
Abstract:
Federated learning faces challenges associated with privacy breaches, client communication efficiency, stragglers’ effect, and heterogeneity. To address these challenges, this paper reformulates the optimal client selection problem as a sparse optimization task and proposes a secure and efficient optimal client selection method for federated learning, named secure orthogonal matching pursuit federated learning (SecOMPFL). Therein, we first introduce a method to identify correlations in the local model parameters of participating clients, addressing the issue of duplicated client contributions highlighted in recent literature. Next, we establish a secure variant of the OMP algorithm in compressed sensing using secure multiparty computation and propose a novel secure aggregation protocol. This protocol enhances the global model’s convergence rate through sparse optimization techniques while maintaining privacy and security. It relies entirely on the local model parameters as inputs, minimizing client communication requirements. We also devise a client sampling strategy without requiring additional communication, resolving the bottleneck encountered by the optimal client selection policy. Finally, we introduce a strict yet inclusive straggler penalty strategy to minimize the impact of stragglers. Theoretical analysis confirms the security and convergence of SecOMPFL, highlighting its resilience to stragglers’ effect and systematic/statistical heterogeneity with high client communication efficiency. Numerical experiments were conducted to compare the convergence rate and client communication efficiency of SecOMPFL with those of FedAvg, FOLB, and BN2. These experiments used natural and synthetic datasets with statistical heterogeneity, considering varying numbers of clients and client sampling scales. The results demonstrate that SecOMPFL achieves a competitive convergence rate, with communication overhead 39.96% lower than that of FOLB and 28.44% lower than that of BN2. Furthermore, SecOMPFL shows good resilience to statistical heterogeneity.
PaperID: 382,   
Authors:  Junpeng He, Xiong Li, Xiaosong Zhang, Weina Niu, Fagen Li
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: A Synthetic Data-Assisted Satellite Terrestrial Integrated Network Intrusion Detection Framework
Abstract:
The Satellite-Terrestrial Integrated Network (STIN) is an emerging paradigm offering seamless network services across geographical boundaries, yet it faces significant security challenges, including limited intrusion prevention capabilities. Federated learning (FL) provides a viable solution by aggregating traffic data from STIN clients (e.g., ground stations and edge routers) to train models for network intrusion detection systems (NIDS). However, the non-independent and identically distributed (non-IID) nature of satellite and terrestrial domain data hinders training efficiency and performance. This paper proposes STINIDF, a novel STIN intrusion detection framework leveraging FL-based data augmentation. STINIDF utilizes FL to collaboratively train a conditional diffusion model across STIN nodes while preserving privacy via differential privacy mechanisms, generating global traffic data representative of the STIN distribution. Each node then integrates global and local traffic data to train a local model for NIDS, addressing non-IID challenges by balancing data distribution through data augmentation. Using a simulation environment developed with OMNeT++ and INET, a Satellite-Terrestrial Integrated (STI) traffic dataset was created, including intrusion scenarios such as signal disruption, UDP flooding, and jamming attacks. Experimental results indicate that STINIDF outperforms existing data augmentation-based approaches under non-IID conditions, achieving 96.63% (2.41%↑) accuracy, 96.71% (3.14%↑) precision, 96.54% (1.65%↑) recall and 96.66% (2.7%↑) F1 score. Furthermore, when compared to methods integrating data augmentation with differential privacy, STINIDF demonstrates an effective balance between privacy preservation and intrusion detection performance, attaining an accuracy of 96.14% (2.57%↑) and a FID of 17.88 (7.41↓).
PaperID: 383,   
Authors:  Guoying Qiu, Tiecheng Bai, Guoming Tang, Deke Guo, Chuandong Li, Yan Gan, Baoping Zhou, Yulong Shen
Affiliations: College of Cyber Security, Tarim University, Xinjiang, China; Data Science and Analytics (DSA) Thrust at the Information Hub, The Hong Kong University of Science and Technology (Guangzhou), Guangdong, Guangzhou, China; School of Computer, Sun Yat-sen University, Guangdong, Guangzhou, China; College of Electronic and Information Engineering, Southwest University, Chongqing, China; College of Computer Science, Chongqing University, Chongqing, China; College of Computer Science and Technology and Shaanxi Key Laboratory of Network and System Security, Xidian University, Xi’an, China
Title: Quantifying Privacy Risks of Behavioral Semantics in Mobile Communication Services
Abstract:
Location-based mobile services, while improving users’ daily lives, also raise significant privacy concerns in the sharing of location data. These trajectories indicate users’ traveling behavioral traces with rich semantics derived from open-source information. Behavioral-semantic analysis reveals users’ traveling motivations and underlying behavioral patterns. It contributes to attackers launching inferential attacks for behavior prediction, identity identification, or other privacy invasions, even when the location data is protected. The issues of behavioral-semantic privacy-risk quantification and privacy-protection evaluation remain open. This paper aims to reveal such semantic privacy risks of user behaviors arising from the publication of location trajectories in mobile scenarios. We formalize the user’s semantic-mobility process to analyze their underlying behavior patterns. Then, we design semantic inference algorithms conditional on the released trajectory to reason about the observation-based likelihood of the user’s actual staying and transfer behaviors and behavioral-trace tracking. Extensive experiments with real-world data demonstrate their performance on inference accuracy and semantic similarity, offering a quantification criterion for deploying mobile privacy protection.
PaperID: 384,   
Authors:  Likai Wang, Xiangqun Zhang, Ruize Han, Yanjie Wei, Song Wang, Wei Feng
Affiliations: College of Intelligence and Computing, Tianjin University, Tianjin, China; Faculty of Computer Science and Control Engineering, Shenzhen University of Advanced Technology, Shenzhen, China; Shenzhen Institute of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China
Title: A New Benchmark and Algorithm for Clothes-Changing Video Person Re-Identification
Abstract:
Person re-identification (Re-ID) is a classical computer vision task and has significant applications for public security and information forensics. Recently, long-term Re-ID with clothes-changing has attracted increasing attention. However, existing methods mainly focus on the image-based setting, where richer temporal information is overlooked. In this paper, we focus on the relatively new yet practical problem of Clothes-Changing Video-based Re-ID (CCVReID), which is less studied. First, given the dataset shortage, we build two new benchmark datasets for the CCVReID problem, including a large-scale synthetic video dataset and a real-world one, both containing human sequences with various clothing changes. Moreover, we systematically study this problem by simultaneously considering the classical appearance feature and temporal feature contained in the video. We develop a dual-branch fusion framework that makes use of the information from both the clothes-aware appearance feature and the clothes-free gait feature. For better information fusion, a confidence-guided re-ranking strategy is proposed to adaptively balance the weight of these two categories of features. We have released the benchmark and code proposed in this work to the public at https://github.com/kkw98/CCVReID.
PaperID: 385,   
Authors:  Zhong Li, Xueting Yang, Changjun Jiang
Affiliations: College of Information Science and Technology, Donghua University, Shanghai, China; Key Laboratory of Embedded System and Service Computing, Ministry of Education, Shanghai, China
Title: Multi-View Graph-Based Hierarchical Representation Learning for Money Laundering Group Detection
Abstract:
Anti-money laundering (AML) is crucial to maintaining national financial security. Contemporary AML methods focus on homogeneous mining or a unitary money laundering pattern. These methods ignore a characteristic of money laundering: it is a gang operation. Thus, in this paper, we propose a multi-view graph-based hierarchical representation learning method, named MG-HRL, to mine organized money laundering groups. In particular, we extract multi-level representations of transaction subgraphs, including transaction features, user features, structural features, and high-order association features from multiple observational perspectives. To learn the correlation between users, we model transaction networks as heterogeneous information networks (HINs) and design six meta-paths related to money laundering scenarios to mine correlations among users. Combining these with correlation representations of users, we propose a heterogeneous hypergraph representation learning method to learn high-order representations of transaction subgraphs. Through hierarchical representation learning, MG-HRL achieves full exploration of money laundering groups. Finally, we conduct experiments on two public transaction datasets. The results show that the MG-HRL method performs better than other state-of-the-art baselines.
PaperID: 386,   
Authors:  Ruichao Liang, Jing Chen, Cong Wu, Kun He, Yueming Wu, Ruochen Cao, Ruiying Du, Ziming Zhao, Yang Liu
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Cyber Security Laboratory, College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Khoury College of Computer Sciences, Northeastern University, Boston, MA, USA
Title: Vulseye: Detect Smart Contract Vulnerabilities via Stateful Directed Graybox Fuzzing
Abstract:
Smart contracts, the cornerstone of decentralized applications, have become increasingly prominent in revolutionizing the digital landscape. However, vulnerabilities in smart contracts pose great risks to user assets and undermine overall trust in decentralized systems. Fuzzing, a prominent security testing technique, is extensively explored to detect vulnerabilities. But current smart contract fuzzers fall short of expectations in testing efficiency for two primary reasons. Firstly, smart contracts are stateful programs, and existing approaches, primarily coverage-guided, lack effective feedback from the contract state. Consequently, they struggle to effectively explore the contract state space. Secondly, coverage-guided fuzzers, aiming for comprehensive program coverage, may lead to a wastage of testing resources on benign code areas. This wastage worsens in smart contract testing, as the mix of code and state spaces further complicates comprehensive testing. To address these challenges, we propose Vulseye, a stateful directed graybox fuzzer for smart contracts guided by vulnerabilities. Different from prior works, Vulseye achieves stateful directed fuzzing by prioritizing testing resources to code areas and contract states that are more prone to vulnerabilities. We introduce Code Targets and State Targets into fuzzing loops as the testing targets of Vulseye. We use static analysis and pattern matching to pinpoint Code Targets, and propose a scalable backward analysis algorithm to specify State Targets. We design a novel fitness metric that leverages feedback from both the contract code space and state space, directing fuzzing toward these targets. With the guidance of code and state targets, Vulseye alleviates the wastage of testing resources on benign code areas and achieves effective stateful fuzzing. In comparison with state-of-the-art fuzzers, Vulseye demonstrated superior effectiveness and efficiency. Notably, it uncovered 4,845 vulnerabilities in 42,738 real-world smart contracts, outperforming existing approaches by up to 9.7×, and identified 11 previously unknown vulnerabilities within the top 50 Ethereum DApps, involving approximately 2,500,000 USD.
PaperID: 387,   
Authors:  Marios Aristodemou, Xiaolan Liu, Yuan Wang, Konstantinos G. Kyriakopoulos, Sangarapillai Lambotharan, Qingsong Wei
Affiliations: Wolfson School of Mechanical, Electrical and Manufacturing Engineering, Loughborough University, Loughborough, U.K.; Smart Internet Laboratory, University of Bristol, Bristol, U.K.; Department of Computing and Intelligence, Technology and Research (A*STAR), Institute of High Performance Computing (IHPC), Agency for Science, Fusionopolis, Singapore; Institute for Digital Technologies, Loughborough University London, London, U.K.
Title: Maximizing Uncertainty for Federated Learning via Bayesian Optimization-Based Model Poisoning
Abstract:
As we transition from Narrow Artificial Intelligence towards Artificial Super Intelligence, users are increasingly concerned about their privacy and the trustworthiness of machine learning (ML) technology. A common denominator for the metrics of trustworthiness is the quantification of uncertainty inherent in DL algorithms, and specifically in the model parameters, input data, and model predictions. One of the common approaches to address privacy-related issues in DL is to adopt distributed learning such as federated learning (FL), where private raw data is not shared among users. Despite the privacy-preserving mechanisms in FL, it still faces challenges in trustworthiness. Specifically, malicious users, during training, can systematically create malicious model parameters to compromise the models’ predictive and generative capabilities, resulting in high uncertainty about their reliability. To demonstrate malicious behaviour, we propose a novel model poisoning attack method named Delphi which aims to maximise the uncertainty of the global model output. We achieve this by taking advantage of the relationship between the uncertainty and the model parameters of the first hidden layer of the local model. Delphi employs two types of optimisation, Bayesian Optimisation and Least Squares Trust Region, to search for the optimal poisoned model parameters, named Delphi-BO and Delphi-LSTR. We quantify the uncertainty using the KL Divergence to minimise the distance of the predictive probability distribution towards an uncertain distribution of model output. Furthermore, we establish a mathematical proof for the attack effectiveness demonstrated in FL. Numerical results demonstrate that Delphi-BO induces a higher amount of uncertainty than Delphi-LSTR, highlighting the vulnerability of FL systems to model poisoning attacks.
PaperID: 388,   
Authors:  Ying Zhao, Kai Zhang, Longxiang Gao, Jinjun Chen
Affiliations: Department of Computing Technologies, Swinburne University of Technology, Melbourne, Australia; Key Laboratory of Computing Power Network and Information Security (Ministry of Education), Shandong Computer Science Center, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China
Title: Privacy and Fairness Analysis in the Post-Processed Differential Privacy Framework
Abstract:
The post-processed Differential Privacy (DP) framework has been routinely adopted to preserve privacy while maintaining important invariant characteristics of datasets in data-release applications such as census data. Typical invariant characteristics include non-negative counts and total population. Subspace DP has been proposed to preserve total population while guaranteeing DP for sub-populations. Non-negativity post-processing has been identified to inherently incur fairness issues. In this work, we study privacy and unfairness (i.e., accuracy disparity) concerns in the post-processed DP framework. On one hand, we argue that the post-processed DP framework with both non-negativity and accurate total population as constraints would inadvertently violate the privacy guarantee desired by it. Instead, we propose the post-processed subspace DP framework to accurately define privacy guarantees against adversaries. On the other hand, we identify via empirical analysis that the unfairness level depends on the privacy budget, count sizes, and their imbalance level. Particularly concerning is severe unfairness in the setting of strict privacy budgets. We further trace unfairness back to the uniform privacy budget setting over different population subgroups. To address this, we propose a varying privacy budget setting method and develop optimization approaches using ternary search and golden ratio search to identify optimal privacy budget ranges that minimize unfairness while maintaining privacy guarantees. Our extensive theoretical and empirical analysis demonstrates the effectiveness of our approaches in addressing severe unfairness issues across different privacy settings and several canonical privacy mechanisms. Using datasets of Australian Census data, the Adult dataset, and delinquent children by county and household head education level, we validate both our privacy analysis framework and fairness optimization methods, showing significant reduction in accuracy disparities while maintaining strong privacy guarantees.
PaperID: 389,   
Authors:  Guangyong Gao, Xiaoan Chen, Li Li, Zhihua Xia, Jianwei Fei, Yun Qing Shi
Affiliations: Engineering Research Center of Digital Forensics, Ministry of Education, and the School of Computer Science, Nanjing University of Information Science and Technology, Nanjing, China; College of Cyber Security, Engineering Research Center of Trustworthy AI, Ministry of Education, Jinan University, Guangzhou, China; Department of Electrical and Computer Engineering, New Jersey Institute of Technology, Newark, NJ, USA
Title: Screen-Shooting Robust Watermark Based on Style Transfer and Structural Re-Parameterization
Abstract:
In real-world applications, screen capturing represents a significant scenario where this process can induce substantial distortion to the original image. Previous methods for simulating screen-shooting distortion often involved combining different formulas. We found that these simulation methods still have a significant gap compared to real distortions, making it urgently necessary to develop a realistic and credible comprehensive noise layer to achieve robustness against screen-shooting distortion. This paper presents a watermarking scheme capable of withstanding severe screen-shooting distortion. First, a dataset is constructed to train a screen-shooting distortion simulation network based on style transfer. Subsequently, a comprehensive noise layer is built upon this network to achieve robustness against severe screen-shooting distortion. Additionally, this paper incorporates structural re-parameterization techniques into the traditional U-shaped encoder to improve the quality of encoded images. Extensive experiments demonstrate the proposed scheme’s superior performance in terms of robustness and generalization, especially under severe screen-shooting distortion conditions.
PaperID: 390,   
Authors:  Yu Fu, Yu Tong, Yijing Ning, Tianshi Xu, Meng Li, Jingqiang Lin, Dengguo Feng
Affiliations: School of Cyber Science and Technology and Anhui Province Key Laboratory of Digital Security, University of Science and Technology of China, Hefei, Anhui, China; School of Integrated Circuits, Peking University, Beijing, China; Institute of Software, Chinese Academy of Sciences, Beijing, China
Title: Swift: Fast Secure Neural Network Inference With Fully Homomorphic Encryption
Abstract:
With the widespread use of machine learning (ML), privacy concerns during neural network inference are attracting growing attention. Secure two-party neural network (2PC-NN) inference is a privacy-preserving inference method that allows the client to obtain the inference result without disclosing the client’s input to the server. The server’s model parameters are also confidential to the client. However, current 2PC-NN inference schemes still have large overhead, especially for non-linear functions. In this paper, we present Swift, a fast secure 2PC-NN inference scheme based on fully homomorphic encryption (FHE) and secret sharing (SS). FHE protects the input and model parameters in linear functions, while SS is integrated to protect the non-linear functions. Concretely, Swift integrates FHE and SS to design secure and efficient non-linear protocols used for ReLU and max pooling. To further optimize performance, Swift employs FHE with computation-friendly coefficient encoding for fast execution of linear functions, and SIMD encoding for non-linear functions. Swift constructs an efficient encoding conversion protocol between the coefficient-encoded ciphertext and the SIMD-encoded ciphertext. Finally, Swift achieves a secure neural network inference framework for the MNIST dataset. Compared with Cheetah (USENIX 2022), the execution time of ReLU, max pooling, and secure inference under a WAN setting improves by 7.4×, 13.3×, and 1.9×, respectively.
PaperID: 391,   
Authors:  Jiaxin Mi, Qi Li, Zewei Han, Weilue Liao, Junsong Fu
Affiliations: School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; China Information Technology Security Evaluation Center, Beijing, China
Title: Graph Learning on Instruction Stream-Augmented CFG for Malware Variant Detection
Abstract:
As malware as a service (MaaS) and organized attacks develop and drive a shift in the malware variant generation mechanism, current variant detection, designed to counter conventional obfuscation and anti-detection strategies, falls short in facing new challenges, particularly in identifying variants that maintain core functionalities while altering local behaviors, or those sharing similar code logic but diverging in actual functionalities. To tackle these problems, we present ISCMVD, an Instruction Stream-augmented CFG-based Malware Variant Detection scheme, melding control flow structures with machine semantic information from instruction streams within blocks to build a comprehensive functional representation of variants’ basic and detailed behaviors. Leveraging a global-enhanced attentive graph neural network to integrate local and global functional features, we significantly boost the capture of the similarity of representative, stable primary behaviors among variants within the same family, identifying variants generated under attackers’ code rewriting, module modification, and other transformation means. Additionally, through cross-family associative analysis, we eliminate the classification interference of variants’ logic similarities stemming from generation by the same organization. Evaluation results on public and real-world datasets demonstrate the superiority and robustness of ISCMVD, with an average of 99.29% in AC and 99.25% in F1, and it performs well even in few-shot cases. More importantly, we achieve a breakthrough on two special sample sets including variants related to MaaS and APT groups, and outperform state-of-the-art methods under the current variant generation mechanism, proving its suitability for future trends.
PaperID: 392,   
Authors:  Xiangyun Tang, Luyao Peng, Yu Weng, Meng Shen, Liehuang Zhu, Robert H. Deng
Affiliations: School of Information Engineering and the Key Laboratory of Ethnic Language Intelligent Analysis and Security Governance of MOE, Minzu University of China, Beijing, China; School of Cyberspace Security, Beijing Institute of Technology, Beijing, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Enforcing Differential Privacy in Federated Learning via Long-Term Contribution Incentives
Abstract:
Privacy-preserving Federated Learning (FL) based on Differential Privacy (DP) protects clients’ data by adding DP noise to samples’ gradients and has emerged as a de facto standard for data privacy in FL. However, the accuracy of global models in DP-based FL may be reduced significantly when rogue clients appear who deviate from the preset DP-based FL approaches and selfishly inject excessive DP noise beyond expectations, thereby applying a smaller privacy budget in the DP mechanism to ensure a higher level of security. Existing DP-based FL fails to prevent such attacks as they are imperceptible. Under the DP-based FL system and random Gaussian noise, the local model parameters of the rogue clients and the honest clients have identical distributions. In particular, the rogue local models show low performance, but directly filtering out lower-performance local models compromises the generalizability of global models, as local models trained on scarce data also show low performance in the early epochs. In this paper, we propose ReFL, a novel privacy-preserving FL system that enforces DP and avoids the accuracy reduction of global models caused by the excessive DP noise of rogue clients. Based on the observation that rogue local models with excessive DP noise and honest local models trained on scarce data have different performance patterns over long-term training epochs, we propose a long-term contribution incentive scheme to evaluate clients’ reputations and identify rogue clients. Furthermore, we design a reputation-based aggregation, based on the incentive reputation, to avoid the damage of rogue clients’ models to the global model accuracy. Extensive experiments demonstrate that ReFL guarantees global model accuracy 0.77% to 81.71% higher than existing DP-based FL methods in the presence of rogue clients.
PaperID: 393,   
Authors:  Mahdi Alehdaghi, Arthur Josi, Rafael M. O. Cruz, Pourya Shamsolmoali, Eric Granger
Affiliations: Department of Systems Engineering, LIVIA, ILLS, École Polytechnique de Montréal (ÉTS Montreal), Montreal, QC, Canada; Department of Computer Science, University of York, York, U.K.
Title: Adaptive Generation of Privileged Intermediate Information for Visible-Infrared Person Re-Identification
Abstract:
Visible-infrared person re-identification (V-I ReID) seeks to retrieve images of the same individual captured over a distributed network of RGB and IR sensors. Several V-I ReID approaches directly integrate the V and I modalities to represent images within a shared space. However, given the significant gap in the data distributions between V and I modalities, cross-modal V-I ReID remains challenging. A solution is to involve a privileged intermediate space to bridge between modalities, but in practice, such data is not available and requires selecting or creating effective mechanisms for informative intermediate domains. This paper introduces the Adaptive Generation of Privileged Intermediate Information (AGPI2) training approach to adapt and generate a virtual domain that bridges discriminative information between the V and I modalities. AGPI2 enhances the training of a deep V-I ReID backbone by generating and then leveraging bridging privileged information without modifying the model in the inference phase. This information captures shared discriminative attributes that are not easily ascertainable for the model within individual V or I modalities. Towards this goal, a non-linear generative module is trained with adversarial objectives, transforming V attributes into intermediate spaces that also contain I features. This domain exhibits less domain shift relative to the I domain compared to the V domain. Meanwhile, the embedding module within AGPI2 aims to extract discriminative modality-invariant features for both modalities by leveraging modality-free descriptors from generated images, making them a bridge between the main modalities. Experiments conducted on challenging V-I ReID datasets indicate that AGPI2 consistently increases matching accuracy without additional computational resources during inference.
PaperID: 394,   
Authors:  Yansong Zhang, Xiaojun Chen, Ye Dong, Qinghui Zhang, Rui Hou, Qiang Liu, Xudong Chen
Affiliations: Institute of Information Engineering, State Key Laboratory of Cyberspace Security Defense, Chinese Academy of Sciences, Beijing, China; National University of Singapore, Tampines, Singapore
Title: MD-SONIC: Maliciously-Secure Outsourcing Neural Network Inference With Reduced Online Communication
Abstract:
With the widespread deployment of Deep-Learning-as-a-Service, secure multi-party computation-based outsourcing neural network (NN) inference has garnered significant attention for its high-security guarantee. Nevertheless, under the dishonest-majority setting with malicious adversaries, prior secure inference works are still costly in terms of communication and run-time. Additionally, existing outsourcing frameworks impose a substantial client-side design, which leads to obstacles in resource-constrained devices. To address the above challenges, we propose MD-SONIC, an online efficient and maliciously-secure framework for outsourcing NN inference with a dishonest majority. We first construct communication-efficient n-party protocols for the basic primitives such as fixed-point multiplication and most significant bit extraction by combining mask-sharing and TinyOT-sharing with SPDZ2k seamlessly. Then, we build fast secure blocks for the widely used NN operators, including matrix multiplication, ReLU, and Maxpool, on top of our basic primitives. To enable an arbitrary number of users to outsource the secure inference task to n computing servers, we propose a lightweight-client and fast Σ paradigm named SPIN, stemming from zero-knowledge proofs. Our SPIN can be instantiated into a set of efficient outsourcing protocols over multiple algebraic structures (e.g., finite field and ring). We also conduct extensive evaluations of MD-SONIC on various neural networks. Compared to the work by Damgård et al. (IEEE S&P’19) and MD-ML (USENIX Security’24), we achieve up to 594.4× and 45.1× online communication improvements, and improve the online execution time by at most 14.3× (resp. 20.5×) and 1.8× (resp. 2.3×) in LAN (resp. WAN).
PaperID: 395,   
Authors:  Marco Spanghero, Filip Geib, Ronny Panier, Panos Papadimitratos
Affiliations: Networked Systems Security Group, KTH Royal Institute of Technology, Stockholm, Sweden; Wingtra AG, Zürich, Switzerland
Title: GNSS Jammer Localization and Identification With Airborne Commercial GNSS Receivers
Abstract:
Global Navigation Satellite Systems (GNSS) are fundamental in ubiquitously providing position and time to a wide gamut of systems. Jamming remains a realistic threat in many deployment settings, civilian and tactical. Specifically, in drones, sustained denial raises safety-critical concerns. This work presents a strategy that allows detection, localization, and classification, both in the frequency and time domain, of interference signals harmful to navigation. A high-performance Vertical Take Off and Landing (VTOL) drone with a single antenna and a commercial GNSS receiver is used to geolocate and characterize RF emitters at long range, to infer the navigation impairment. Raw IQ baseband snapshots from the GNSS receiver make the application of spectral correlation methods possible without extra software-defined radio payload, paving the way to spectrum identification and monitoring in airborne platforms, aiming at RF situational awareness. Live testing at Jammertest, in Norway, with portable, commercially available GNSS multi-band jammers demonstrates the ability to detect, localize, and characterize harmful interference. Our system pinpointed the position of the transmitter with an error of a few meters, and the extent of the affected area, at long range, without entering the denied zone. Additionally, further spectral content extraction is used to accurately identify the jammer frequency, bandwidth, and modulation scheme based on spectral correlation techniques.
PaperID: 396,   
Authors:  Teddy Furon
Affiliations: Centre Inria de l’Université de Rennes, Rennes, France
Title: On the Vulnerability of Retrieval in High Intrinsic Dimensionality Neighborhood
Abstract:
This article investigates the vulnerability of the nearest neighbors search, which is a pivotal tool in pattern analysis and data science. The vulnerability is gauged as the relative amount of perturbation that an attacker needs to add to a dataset point in order to modify its proximity to a given query. The statistical distribution of the relative amount of perturbation is derived from simple assumptions, outlining the key factor that drives its typical values: The higher the intrinsic dimensionality, the more vulnerable is the nearest neighbors search. Experiments on six large-scale datasets validate this model up to some outliers, which are explained as violations of the assumptions.
PaperID: 397,   
Authors:  Tianhua Xu, Sheng-hua Zhong, Zhi Zhang, Yan Liu
Affiliations: College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
Title: Intellectual Property Protection for Deep Models: Pioneering Cross-Domain Fingerprinting Solutions
Abstract:
The high cost of developing high-performance deep models highlights their value as intellectual property for creators. However, it is important to consider the potential risks of theft. Although various techniques have been developed to protect the intellectual property of deep models, there is still room for improvement in terms of efficiency, comprehensiveness, and generalization. Compared with the intrusiveness of watermarking methods, fingerprinting methods do not affect the training process of the source model. Consequently, this paper proposes a fingerprinting method to address the paucity of attempts in fingerprinting methods for model protection. Our method consists of two efficient algorithms for generating fingerprinting samples, where the first one possesses the advantage of efficiency, while the second one is better in terms of robustness. The first algorithm takes a comprehensive approach to modeling the fingerprint of the deep model. The generated samples are distributed within the stable region and near the decision boundary of the model, taking into account both the duality and the conviction factors. Then, a heuristic sample perturbation algorithm is introduced, which generates a fingerprint with solid stability and generalization across multiple domains. The two algorithms proposed in this paper have been shown to be capable of withstanding attacks on intellectual property removal, detection, and evasion. They also show some advantages in terms of efficiency. In addition, the proposed method is the first to apply fingerprinting techniques in a cross-domain context.
PaperID: 398,   
Authors:  Zekun Sun, Na Ruan, Jianhua Li
Affiliations: Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: DDL: Effective and Comprehensible Interpretation Framework for Diverse Deepfake Detectors
Abstract:
In the context of escalating advancements in AI generative technologies, Deepfakes, the sophisticated face forgeries created using deep learning methods, have emerged as a significant security threat. The predominant countermeasures are Deepfake detectors based on deep learning (DL). However, due to the opaque nature of DL models, they struggle to offer understandable explanations for their predictive decisions, which undermines their reliability and effectiveness in real-world applications. Existing mainstream DL-oriented interpretation approaches, the feature attribution methods, struggle to work on Deepfake detectors due to issues of low interpretation fidelity, poor intelligibility, and limited applicability across different types of detectors. This paper addresses these critical challenges by proposing the Deepfake Detector Lens (DDL), a novel framework designed to enhance the interpretability of Deepfake detectors with diverse architectures, encompassing those based on image, frequency domain, and video. DDL employs a heuristic algorithm to enhance interpretation efficacy and incorporates image segmentation and face parsing techniques to bridge the gap between the machine-generated interpretation saliency map and human understanding. Comprehensive evaluations of DDL demonstrate its superiority over existing feature attribution methods in terms of fidelity, intelligibility, and applicability. The proposed DDL significantly advances the interpretability of Deepfake detection technology, offering a more reliable and understandable tool for combating AI-generated face forgeries.
PaperID: 399,   
Authors:  Xue Chen, Shang Gao, Shiyuan Xu, Liquan Chen, Siu-Ming Yiu, Bin Xiao
Affiliations: Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong; Department of Computing and the School of Accounting and Finance, The Hong Kong Polytechnic University, Hung Hom, Hong Kong; Department of Computer Science, School of Computing and Data Science, The University of Hong Kong, Pok Fu Lam, Hong Kong; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: From Σ-Protocol-Based Signatures to Ring Signatures: General Construction and Applications
Abstract:
Public Key Infrastructure (PKI) has gained widespread attention for ensuring the security and integrity of data communication. While existing PKI mainly supports digital signatures, it is lacking in crucial anonymity, leading to the leakage of a signer’s identity information. To alleviate the issue, ring signatures are a suitable choice to provide anonymity as they allow users to create their own rings without the need for an administrator. Unfortunately, the utilization of ring signatures in PKI may present compatibility challenges within the system. Thus, proposing a general mechanism to convert a standardized Σ-based signature to a ring signature is far-reaching. In this paper, we propose a general construction for converting Σ-based signatures into ring signatures. To achieve this, we first introduce a Σ-based general model, providing a general transformation to convert existing Σ-based signatures into a Σ-protocol form. Subsequently, we incorporate our redesigned one-out-of-many relation within our general model and proceed to devise ring signatures leveraging on one-out-of-many proofs. Furthermore, to reduce the signature size, we employ the Bulletproofs folding technique, enabling the attainment of logarithmic size ring signatures. To demonstrate the wide applicability of our general construction, we present four prominent signatures as case studies. Ultimately, we conduct a rigorous security analysis and benchmark experimental evaluation. The signing and verification times are 0.44 to 0.97 times and 0.27 to 0.91 times compared to other state-of-the-art schemes, respectively. Additionally, we exhibit the lowest signature size to date.
PaperID: 400,   
Authors:  Yi Yu, Song Xia, Xun Lin, Chenqi Kong, Wenhan Yang, Shijian Lu, Yap-Peng Tan, Alex C. Kot
Affiliations: Rapid-Rich Object Search (ROSE) Laboratory, Interdisciplinary Graduate Programme, Nanyang Technological University, Jurong West, Singapore; School of Electrical and Electronic Engineering, Nanyang Technological University, Jurong West, Singapore; School of Computer Science and Engineering, Beihang University, Beijing, China; Pengcheng Laboratory, Shenzhen, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Toward Model Resistant to Transferable Adversarial Examples via Trigger Activation
Abstract:
Adversarial examples, characterized by imperceptible perturbations, pose significant threats to deep neural networks by misleading their predictions. A critical aspect of these examples is their transferability, allowing them to deceive unseen models in closed-box scenarios. Despite the widespread exploration of defense methods, including those on transferability, they show limitations: inefficient deployment, ineffective defense, and degraded performance on clean images. In this work, we introduce a novel training paradigm aimed at enhancing robustness against transferable adversarial examples (TAEs) in a more efficient and effective way. We propose a model that exhibits random guessing behavior when presented with clean data x as input, and generates accurate predictions when presented with triggered data x+τ. Importantly, the trigger τ remains constant for all data instances. We refer to these models as models with trigger activation. We are surprised to find that these models exhibit certain robustness against TAEs. Through the consideration of first-order gradients, we provide a theoretical analysis of this robustness. Moreover, through the joint optimization of the learnable trigger and the model, we achieve improved robustness to transferable attacks. Extensive experiments conducted across diverse datasets, evaluating a variety of attacking methods, underscore the effectiveness and superiority of our approach.
PaperID: 401,   
Authors:  Cong Li, Xiaoyu Jiao, Xinyu Feng, Anyang Hu, Qingni Shen, Zhonghai Wu
Affiliations: School of Software and Microelectronics, Peking University, Beijing, China; Zhonghe Tech (Xiong’an) Company Ltd., Xiong’an, China
Title: Identity-Based Chameleon Hashes in the Standard Model for Mobile Devices
Abstract:
Online/offline identity-based signature (OO-IBS) is a versatile cryptographic tool to provide message authentication and integrity in mobile devices, since it lightens the computational burden after the signer receives the message and eliminates the overhead of certificate management. It has several valuable applications, for instance, wireless sensor networks. Identity-based chameleon hash (IB-CH), as an alternative building block to construct OO-IBS, has been explored in numerous works. Nevertheless, there still exist two major issues. 1) Nearly all of the previous IB-CH schemes with weak collision-resistance (W-CollRes) rely on random oracles, which may lead to security risks in practice. The only IB-CH scheme in the standard model suffers from a large size of public parameters and an inefficient setup process. 2) The only IB-CH scheme without key exposure also relies on random oracles. In this paper, we propose two novel IB-CH schemes in the standard model. The first scheme is adaptive-identity W-CollRes secure and efficient, significantly reducing the computation costs of all algorithms and the size of public parameters compared with the existing scheme in the standard model. The second scheme is the first IB-CH achieving key exposure freeness without random oracles. Both theoretical and experimental analyses demonstrate the good performance of our proposed schemes. Furthermore, we apply our schemes to optimizing the existing generic OO-IBS construction. The optimized generic constructions reduce computational overhead by 50.0% in the online phase and enable the hash value/signature tuple generated in the offline phase to be reusable, respectively.
PaperID: 402,   
Authors:  Li Yang, Yinbin Miao, Ziteng Liu, Zhiquan Liu, Xinghua Li, Da Kuang, Hongwei Li, Robert H. Deng
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; College of Cyber Security, Jinan University, Guangzhou, China; State Key Laboratory of Integrated Service Networks, School of Cyber Engineering, Engineering Research Center of Big Data Security, Ministry of Education, Xidian University, Xi’an, China; Department of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Enhanced Model Poisoning Attack and Multi-Strategy Defense in Federated Learning
Abstract:
As a new paradigm of distributed learning, Federated Learning (FL) has been applied in industrial fields, such as intelligent retail, finance and autonomous driving. However, several schemes that aim to attack robust aggregation rules and reduce the model accuracy have been proposed recently. These schemes do not keep the sign statistics of gradients unchanged during attacks. Therefore, the sign statistics-based scheme SignGuard can resist most existing attacks. To defeat SignGuard and most existing cosine or distance-based aggregation schemes, we propose an enhanced model poisoning attack, ScaleSign. Specifically, ScaleSign uses a scaling attack and a sign modification component to obtain malicious gradients with higher cosine similarity and to modify the sign statistics of malicious gradients, respectively. In addition, these two components have the least impact on the magnitudes of gradients. Then, we propose MSGuard, a Multi-Strategy Byzantine-robust scheme based on cosine mechanisms, symbol statistics, and spectral methods. Formal analysis proves that malicious gradients generated by ScaleSign have a closer cosine similarity than honest gradients. Extensive experiments demonstrate that ScaleSign can attack most of the existing Byzantine-robust rules, especially achieving a success rate of up to 98.23% for attacks on SignGuard. MSGuard can defend against most existing attacks including ScaleSign. Specifically, in the face of the ScaleSign attack, the accuracy of MSGuard improves by up to 41.78% compared to SignGuard.
PaperID: 403,   
Authors:  Jiahui Wu, Fucai Luo, Tiecheng Sun, Weizhe Zhang
Affiliations: Department of New Networks, Pengcheng Laboratory, Shenzhen, China; School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou, China
Title: Vulnerabilities of NSPFL: Privacy-Preserving Federated Learning With Data Integrity Auditing
Abstract:
The secure and privacy-preserving federated learning scheme, NSPFL, aims to safeguard data privacy while also auditing data integrity. The solution provided by this scheme is highly novel. However, NSPFL has significant design shortcomings in terms of both privacy protection and data integrity verification. This work identifies specific issues within NSPFL and proposes effective countermeasures. Furthermore, our proposed solution can serve as a general approach for privacy-preserving multiparty computations, safeguarding privacy while enhancing efficiency.
PaperID: 404,   
Authors:  Qianmei Wu, Wei Cheng, Fan Zhang, Sylvain Guilley
Affiliations: School of Cyber Science and Technology, Zhejiang University, Hangzhou, China; LTCI, Institut Polytechnique de Paris, Télécom Paris, Palaiseau, France
Title: Statistical Analysis of Non-Profiling Higher-Order Distinguishers Against Inner Product Masking
Abstract:
Inner Product Masking (IPM) is one representative masking scheme, which is notable for the so-called Security Order Amplification (SOA) property. It is commonly recognized that SOA holds under linear leakages. In this paper, we revisit SOA from a non-profiling attack perspective. Specifically, we conduct statistical analyses on three non-profiling distinguishers, including the Pearson Coefficient Distinguisher (PCD), Spearman Coefficient Distinguisher (SCD) and Kruskal-Wallis Distinguisher (KWD). We find a fundamental connection between SCD and KWD such that SCD is a more generic distinguisher which encompasses KWD. Theoretical explanations for why KWD outperforms SCD under non-linear leakages are provided. We also propose a new adjusted SCD and present its optimal form, which bridges the efficiency gap with KWD. Grounded on this, SOA is extensively assessed and the observations are two-fold. On the one hand, we confirm again the effectiveness of SOA under Hamming weight leakage through the statistical analysis of PCD. On the other hand, we show that SOA cannot resist rank-based distinguishers even under linear leakages, which has never been revealed before (to the best of our knowledge). At last, we verify the theoretical findings through both simulated and real-world measurements. Our results demonstrate the advantage of rank-based distinguishers in uncovering non-linear relationships hidden in leakage, enriching the tool-set for the non-profiling class of side-channel attacks. Remarkably, we provide an adversary’s perspective to investigate SOA, highlighting that the side-channel resistance promised by SOA is vulnerable even considering the ideal linear leakage models.
PaperID: 405,   
Authors:  Jalal Ghadermazi, Soumyadeep Hore, Ankit Shah, Nathaniel D. Bastian
Affiliations: Department of Industrial and Management Systems Engineering, University of South Florida, Tampa, FL, USA; Department of Operations and Decision Technologies, Indiana University, Bloomington, IN, USA; United States Military Academy, West Point, NY, USA
Title: GTAE-IDS: Graph Transformer-Based Autoencoder Framework for Real-Time Network Intrusion Detection
Abstract:
Network intrusion detection systems (NIDS) utilize signature and anomaly-based methods to detect malicious activities within networks. Advances in machine learning (ML) and deep learning (DL) algorithms have enabled NIDS to analyze large volumes of data and identify complex patterns. However, traditional ML/DL approaches in NIDS have primarily relied on flow-based features and utilized flat data formats, such as vectors or grids, which limit their ability to recognize the structural and contextual nuances of network attacks, particularly in real-time. Additionally, most NIDS depend on supervised or semi-supervised learning, requiring extensive labeled data that is time-consuming to generate and not always feasible. This reliance restricts their ability to detect novel attacks, as they typically only recognize threats similar to those encountered during training. Hence, there is a significant need to develop NIDS that can operate in near real-time, eliminate the need for labeled data, and effectively identify novel attack patterns. We propose GTAE-IDS, a novel unsupervised packet-based graph neural network framework aimed at early and precise anomaly detection in network traffic. GTAE-IDS employs graph embeddings to capture and process network traffic data swiftly, creating sequential packet-based graphs that reflect network communications. Our approach employs graph autoencoders to identify structural and global patterns in benign data without needing labeled graph data, enhancing detection capabilities against novel attacks. Incorporating transformers in the encoder segment, GTAE-IDS effectively discerns contextual patterns in network traffic, achieving over 98% accuracy in identifying malicious activities on benchmark network intrusion data sets.
PaperID: 406,   
Authors:  Wenrui Cheng, Qixuan Yuan, Tiantian Zhu, Tieming Chen, Jie Ying, Aohan Zheng, Mingjun Ma, Chunlin Xiong, Mingqi Lv, Yan Chen
Affiliations: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China; China Unicom (Guangdong) Industrial Internet Company Ltd, Guangzhou, China; Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA
Title: TAGAPT: Toward Automatic Generation of APT Samples With Provenance-Level Granularity
Abstract:
Detecting advanced persistent threats (APTs) at a host via data provenance has emerged as a valuable yet challenging task. Compared with attack rule matching, machine learning approaches offer new perspectives for efficiently detecting attacks by leveraging their inherent ability to autonomously learn from data and adapt to dynamic environments. However, the scarcity of APT samples poses a significant limitation, rendering supervised learning methods that have demonstrated remarkable capabilities in other domains (e.g., malware detection) impractical. Therefore, we propose a system called TAGAPT, which is able to automatically generate numerous APT samples with provenance-level granularity. First, we introduce a deep graph generation model to generalize various graph structures that represent new attack patterns. Second, we propose an attack stage division algorithm to divide each generated graph structure into stage subgraphs. Finally, we design a genetic algorithm to find the optimal attack technique explanation for each subgraph and obtain fully instantiated APT samples. Experimental results demonstrate that TAGAPT can learn from existing attack patterns and generalize to novel attack patterns. Furthermore, the generated APT samples 1) exhibit the ability to help with efficient threat hunting and 2) provide additional assistance to the state-of-the-art (SOTA) attack detection system (Kairos) by filtering out 73% of the observed false positives. We have open-sourced the code and the generated samples to support the development of the security community.
PaperID: 407,   
Authors:  Shihua Sun, Shridatt Sugrim, Angelos Stavrou, Haining Wang
Affiliations: Department of Electrical and Computer Engineering, Virginia Tech, Arlington, VA, USA; Kryptowire Labs, McLean, VA, USA
Title: Partner in Crime: Boosting Targeted Poisoning Attacks Against Federated Learning
Abstract:
Federated Learning (FL) exposes vulnerabilities to targeted poisoning attacks that aim to cause misclassification specifically from the source class to the target class. However, using well-established defense frameworks, the poisoning impact of these attacks can be greatly mitigated. We introduce a generalized pre-training stage approach to Boost Targeted Poisoning Attacks against FL, called BoTPA. Its design rationale is to leverage the model update contributions of all data points, including ones outside of the source and target classes, to construct an Amplifier set, in which we falsify the data labels before the FL training process, as a means to boost attacks. We comprehensively evaluate the effectiveness and compatibility of BoTPA on various targeted poisoning attacks. Under data poisoning attacks, our evaluations reveal that BoTPA can achieve a median Relative Increase in Attack Success Rate (RI-ASR) between 15.3% and 36.9% across all possible source-target class combinations, with varying percentages of malicious clients, compared to its baseline. In the context of model poisoning, BoTPA attains RI-ASRs ranging from 13.3% to 94.7% in the presence of the Krum and Multi-Krum defenses, from 2.6% to 49.2% under the Median defense, and from 2.9% to 63.5% under the Flame defense.
PaperID: 408,   
Authors:  Tianming Xie, Wenxiong Kang
Affiliations: School of Automation Science and Engineering, South China University of Technology, Guangzhou, China; School of Automation Science and Engineering and the School of Future Technology, South China University of Technology, Guangzhou, China
Title: A Random-Binding-Based Bio-Hashing Template Protection Method for Palm Vein Recognition
Abstract:
To mitigate the risk of data breaches, an increasing number of biometric recognition systems are introducing encryption biometric template protection methods and directly matching in the encrypted domain. Depending on the approach to key management, prevailing biometric template protection strategies can be categorized into declarative and distributive methods. The former are challenged by complexities and vulnerabilities linked to key loss, while the latter are compromised by fixed mapping rules that may expose personal information. We present a biometric template protection method that combines random-fixed factors to handle these challenges, thereby protecting the user’s biometric privacy. Firstly, we introduce a random activation factor generation module that extracts scaling and offset factors from the user’s biometric data. This module randomly binds factors to different positions in each authentication process, rendering distance-dependent bitwise cracking algorithms ineffective. Secondly, we propose a fixed multi-branch mapping module that enhances feature expression and minimizes information loss post-encryption. We also develop a trainable min-max hash method, optimized using an improved approximate contrastive loss. Employing palm veins as a case study, we conducted experiments across five datasets, where our method outperformed other encrypted domain methods and showed competitive advantages over mainstream non-encrypted methods. Moreover, we have demonstrated that our method ensures robust performance while meeting essential security requirements of irreversibility, unlinkability, and revocability.
PaperID: 409,   
Authors:  Muneeba Asif, Mohammad Kumail Kazmi, Mohammad Ashiqur Rahman, Syed Rafay Hasan, Soamar Homsi
Affiliations: Analytics for Cyber Defense (ACyD) Laboratory, Florida International University, Miami, FL, USA; Department of Electrical and Computer, Tennessee Technological University, Cookeville, TN, USA; Information Warfare Division, Air Force Research Laboratory, Rome, NY, USA
Title: SHEATH: Defending Horizontal Collaboration for Distributed CNNs Against Adversarial Noise
Abstract:
As edge computing and the Internet of Things (IoT) expand, horizontal collaboration (HC) emerges as a distributed data processing solution for resource-constrained devices. In particular, a convolutional neural network (CNN) model can be deployed on multiple IoT devices, allowing distributed inference execution for image recognition while ensuring model and data privacy. Yet, this distributed architecture remains vulnerable to adversaries who want to make subtle alterations that impact the model, even if they lack access to the entire model. Such vulnerabilities can have severe implications for various sectors, including healthcare, military, and autonomous systems. However, security solutions for these vulnerabilities have not been explored. This paper presents a novel framework for Secure Horizontal Edge with Adversarial Threat Handling (SHEATH) to detect adversarial noise and eliminate its effect on CNN inference by recovering the original feature maps. Specifically, SHEATH aims to address vulnerabilities without requiring complete knowledge of the CNN model in HC edge architectures based on sequential partitioning. It ensures data and model integrity, offering security against adversarial noise in diverse HC environments. Our evaluations demonstrate SHEATH’s adaptability and effectiveness across diverse CNN configurations.
PaperID: 410,   
Authors:  Yiyao Wan, Jiahuan Ji, Fuhui Zhou, Qihui Wu, Tony Q. S. Quek
Affiliations: College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing, China; College of Artificial Intelligence, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Information Systems Technology and Design, Singapore University of Technology and Design, Tampines, Singapore
Title: From Static Dense to Dynamic Sparse: Vision-Radar Fusion-Based UAV Detection
Abstract:
Precise uncrewed aerial vehicle (UAV) detection over long distances is of crucial importance for guaranteeing airspace security. Although deep learning-based vision detectors have been developed, they still rely on a large amount of hand-crafted fixed feature priors. The existing static dense detectors suffer from the severe mismatch and imbalance between the small size and the high mobility of UAVs. To solve the problem, a novel multimodal fusion-based dynamic sparse UAV detection framework is proposed. The framework reformulates the feature priors in a completely dynamic sparse paradigm by using the radar data. Based on the framework, a vision-radar fusion-based dynamic sparse network (Vira-DSNet) is proposed for more balanced and robust UAV detection. The Vira-DSNet exploits our designed dynamic sparse candidate generator and radar-guided semantic feature transform to generate a small set of customized high-quality object candidates and semantic features based on the radar data. Moreover, based on Hungarian bisection matching, our Vira-DSNet eliminates the post-processing and is completely end-to-end differentiable. Furthermore, the Vira-DSNet is deployed in our developed actual vision-radar fusion-based UAV detection system to evaluate the performance in practical applications. Experimental results demonstrate that our Vira-DSNet achieves an average precision AP_50 of 88.2%. It is also shown that the average recall AR_1 of Vira-DSNet is higher than the state-of-the-art scheme by 10.1%, while maintaining the real-time performance.
PaperID: 411,   
Authors:  Feng Liu, Jinjiang Yang, Jingcheng Zhao, Yingjie Xue, Kaiping Xue
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, Anhui, China
Title: Structurally-Encrypted Databases Combined With Filters: Enhanced Security and Rich Queries
Abstract:
Building encrypted databases has been a long-standing challenge in the field of database security. In recent years, Structured Encryption (STE) has emerged as a promising approach to constructing encrypted databases, striking a balance between security and efficiency. Although existing STE-based encrypted database systems achieve high efficiency in query processing, all these schemes struggle to support rich queries with minimal information leakage. In this paper, we present a new STE-based encrypted database system, named Filter-integrated Encrypted Database (FinEDB), which supports exact-match and range queries, conjunctive queries and join operations, while maintaining limited information leakage. We first design a novel secure inverted index to avoid storage overhead blow-up when extending to support rich query capabilities. Then, we integrate Binary Fuse filters into our proposed inverted index to enable efficient query processing. By leveraging the homomorphic property of Binary Fuse filters, our approach leaks less information than existing STE-based solutions. Besides, we provide rigorous proof for our proposed scheme under the simulation paradigm. To evaluate the performance, we implement the prototype of FinEDB and compare it with the baseline STE-based scheme. Experiment results demonstrate that FinEDB is practical and can support rich queries on real-world databases.
PaperID: 412,   
Authors:  Xiangkun Wang, Kejiang Chen, Yuang Qi, Ruiheng Liu, Weiming Zhang, Nenghai Yu
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, China
Title: GIFDL: Generated Image Fluctuation Distortion Learning for Enhancing Steganographic Security
Abstract:
Minimum distortion steganography is currently the mainstream method for modification-based steganography. A key issue in this method is how to define steganographic distortion. With the rapid development of deep learning technology, the definition of distortion has evolved from manual design to deep learning design. Concurrently, rapid advancements in image generation have made generated images viable as cover media. However, existing distortion design methods based on machine learning do not fully leverage the advantages of generated cover media, resulting in suboptimal security performance. To address this issue, we propose GIFDL (Generated Image Fluctuation Distortion Learning), a steganographic distortion learning method based on the fluctuations in generated images. Inspired by the idea of natural steganography, we take a series of highly similar fluctuation images as the input to the steganographic distortion generator and introduce a new GAN training strategy to disguise stego images as fluctuation images. Experimental results demonstrate that GIFDL, compared with state-of-the-art GAN-based distortion learning methods, exhibits superior resistance to steganalysis, increasing the detection error rates by an average of 3.30% across three steganalysis methods.
PaperID: 413,   
Authors:  Zheng Chu, David Chieng, Chiew Foong Kwong, Huan Jin, Zhengyu Zhu, Chongwen Huang, Chau Yuen
Affiliations: Department of Electrical and Electronic Engineering, Next Generation Internet of Everything Laboratory, University of Nottingham Ningbo China, Ningbo, China; School of Computer Science, University of Nottingham Ningbo China, Ningbo, China; School of Electrical and Information Engineering, Zhengzhou University, Zhengzhou, China; College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou, China; School of Electrical and Electronics Engineering, Nanyang Technological University, Jurong West, Singapore
Title: Throughput Improvement for RIS-Empowered Wireless Powered Anti-Jamming Communication Networks (WPAJCN)
Abstract:
In this paper, we propose a reconfigurable intelligent surface (RIS)-aided wireless powered anti-jamming communication network (WPAJCN), where the RIS is utilized to participate in downlink wireless power transfer (WPT), as well as uplink anti-jamming wireless information transfer (AJ-WIT). To evaluate the network anti-jamming performance, we maximize a sum anti-jamming throughput, with the constraints of downlink WPT and uplink AJ-WIT time scheduling, and unit-modulus RIS phase shifts. The formulated problem is not convex in terms of these two types of coupled variables, and cannot be directly solved. To address this problem, the Lagrange dual method and Karush-Kuhn-Tucker conditions are presented to transform its sum-of-logarithmic objective function into the logarithmically fractional counterpart, which reformulates the original problem into one with respect to RIS phase shift vectors and WPT time scheduling. Next, we propose to apply the Dinkelbach algorithm to solve a non-linear fractional program with respect to the downlink WPT and uplink AJ-WIT RIS phase shifts in an alternating fashion, each of which yields a semi-closed-form solution by utilizing Riemannian Manifold Optimization (RMO). In addition, the optimal WPT time scheduling is obtained by numerical search. Finally, the numerical results are demonstrated to confirm the improved performance of the proposed approach compared to the benchmark counterparts, which highlights that RIS can effectively enhance the uplink anti-jamming WIT capability as well as the downlink WPT efficiency.
PaperID: 414,   
Authors:  Xiao Ma, Wu-Jun Li
Affiliations: School of Computer Science and Technology (School of Artificial Intelligence), Zhejiang Sci-Tech University, Hangzhou, China; National Key Laboratory for Novel Software Technology, School of Computer Science, Nanjing University, Nanjing, China
Title: Grey-Box Adversarial Attack on Communication in Communicative Multi-Agent Reinforcement Learning
Abstract:
Effective communication is a necessary condition for intelligent agents to collaborate in multi-agent environments. Although increasing attention has been paid to communicative multi-agent reinforcement learning (CMARL), the vulnerability of the communication mechanism in CMARL has not been well investigated, especially when there exist malicious agents that send adversarial communication messages to other regular agents. Existing works about adversarial communication in CMARL focus on black-box attacks where the attacker cannot access any model within the multi-agent system (MAS). However, grey-box attacks are a type of more practical attack, where the attacker has access to the models of its controlled agents. To the best of our knowledge, no research has been conducted to investigate grey-box attacks on communication in CMARL. In this paper, we propose the first grey-box attack method on communication in CMARL, which is called victim-simulation based adversarial attack (VSAA). At each timestep, the attacker simulates a victim attacked by other regular agents’ communication messages and generates adversarial perturbations on its received communication messages. The attacker then sends the aggregation of these perturbations to the regular agents through communication messages, which will induce non-optimal actions of the regular agents and subsequently degrade the performance of the MAS. Experimental results on multiple tasks show that VSAA can effectively degrade the performance of the MAS. The findings in this paper will make researchers aware of the grey-box attack in CMARL.
PaperID: 415,   
Authors:  Yang Yang, Bingyu Li, Qianhong Wu, Bo Qin, Qin Wang, Shihong Xiong, Willy Susilo
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; School of Information, Renmin University of China, Beijing, China; School of Computer Science and Engineering, The University of New South Wales, Sydney, Australia; School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
Title: RandFlash: Breaking the Quadratic Barrier in Large-Scale Distributed Randomness Beacons
Abstract:
Random beacons are of paramount importance in distributed systems (e.g., blockchain, electronic voting, governance). The sheer scale of nodes inherent in distributed environments necessitates minimizing communication overhead per node while ensuring protocol availability, particularly under adversarial conditions. Existing solutions have managed to reduce the optimistic overhead to a minimum of O(n^2), where n represents the node count of the system. In this paper, we step further by proposing and implementing RandFlash, a leaderless random beacon protocol that achieves an optimistic communication complexity of O(n log n). Evaluation results demonstrate that RandFlash outperforms existing constructions, RandPiper (CCS’21) and OptRand (NDSS’23), in terms of the number of random beacons generated within large-scale networks comprising 64 nodes or more (e.g., in sizes of 80 and 128). Furthermore, RandFlash exhibits resilience, capable of withstanding up to one-third of the nodes acting maliciously, all without the need for strongly trusted setups (i.e., embedding a secret trapdoor by trusted third parties). We also provide formal security proofs validating all properties upheld by this lineage.
PaperID: 416,   
Authors:  Jianan Huang, Weiwei Liu, Guangjie Liu, Bo Gao, Fengyuan Nie
Affiliations: School of Automation, Nanjing University of Science and Technology, Nanjing, China; School of Electronics and Information Engineering, Nanjing University of Information Science and Technology, Nanjing, China
Title: WF-A2D: Enhancing Privacy With Asymmetric Adversarial Defense Against Website Fingerprinting
Abstract:
Despite the end-to-end encryption capabilities provided by network protocols such as QUIC in HTTP/3 and the additional tunneling functions offered by proxy tools like virtual private networks (VPNs) and the onion router (Tor), website fingerprinting (WF) techniques can still identify specific network services by exploiting the spatio-temporal characteristics of network traffic. Therefore, defending against WF attacks is crucial for ensuring comprehensive privacy protection for network services. Existing WF defenses typically rely on proxy-based solutions that require coordinated packet manipulations between the client and the proxy node to counteract WF attacks. These symmetric architectures cannot protect network traffic between proxy nodes and web servers from WF attacks. Furthermore, the ability to counter more powerful traffic analysis tools remains a challenging issue. In this paper, we propose WF-A2D, an asymmetric adversarial defense method against website fingerprinting for HTTP/3. WF-A2D employs a two-stage cascading adversarial learning strategy, leveraging packet direction and length patterns to enhance defense performance. Position-based perturbation vectors representing packet operations are generated for packet-by-packet manipulations to achieve real-time WF defense. Experimental results on a real-world HTTP/3-QUIC website browsing traffic dataset demonstrate that WF-A2D can achieve a defense success rate of 97.10% on average against seven state-of-the-art traffic analysis tools, while incurring less than 2% bandwidth overhead. More importantly, WF-A2D can operate independently on the client side and ensure end-to-end protection to web servers.
PaperID: 417,   
Authors:  Zhijun Li, Kuizhi Liu, Minghui Xu, Xiangyu Wang, Yinbin Miao, Jianfeng Ma, Xiuzhen Cheng
Affiliations: School of Computer Science and Technology, Shandong University, Qingdao, China; School of Cyber Engineering, Xidian University, Xi’an, China
Title: Trinity: A Scalable and Forward-Secure DSSE for Spatio-Temporal Range Query
Abstract:
Cloud-based outsourced location-based services significantly impact various aspects of daily life but also raise security concerns. Existing secure retrieval schemes for spatio-temporal data exhibit significant shortcomings regarding dynamic updates; they either compromise privacy through information leakage during updates (lacking forward security) or incur excessively high update costs, hindering practical application. To address these limitations, we first propose a basic filter-based spatio-temporal range query scheme, Trinity-I, that supports low-cost dynamic updates and automatic expansion. Furthermore, to improve security and reduce storage cost and false positives, we propose a forward-secure and verifiable scheme, Trinity-II, that simultaneously minimizes storage overhead. Formal security analysis demonstrates that both Trinity-I and Trinity-II achieve Indistinguishability under Selective Chosen-Plaintext Attack (IND-SCPA). Finally, extensive experiments demonstrate that our design Trinity-II significantly reduces storage requirements by 80%, enables data retrieval at the 1 million-record level in just 0.01 seconds, and achieves 10× higher update efficiency than the state of the art.
PaperID: 418,   
Authors:  Zheng Che, Meng Shen, Zhehui Tan, Hanbiao Du, Wei Wang, Ting Chen, Qinglin Zhao, Yong Xie, Liehuang Zhu
Affiliations: School of Computer Science, Beijing Institute of Technology, Beijing, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Key Laboratory for Intelligent Networks and Network Security, Ministry of Education, Xi’an Jiaotong University, Xi’an, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Computer Science and Engineering, Macau University of Science and Technology, Taipa, Macau, China; School of Computer and Information Science, Qinghai Institute of Technology, Xining, China
Title: Across-Platform Detection of Malicious Cryptocurrency Accounts via Interaction Feature Learning
Abstract:
With the rapid evolution of Web 3.0, cryptocurrency has become a cornerstone of decentralized finance. While these digital assets enable efficient and borderless financial transactions, their pseudonymous nature has also attracted malicious activities such as money laundering, fraud, and other financial crimes. Effective detection of malicious accounts is crucial to maintaining the security and integrity of the Web 3.0 ecosystem. Existing malicious account detection methods rely on large amounts of labeled data and suffer from low generalization. Label-efficient and generalizable malicious account detection remains a challenging task. In this paper, we propose ShadowEyes, a framework for detecting malicious accounts by leveraging interaction feature learning with only a small labeled dataset. Specifically, we first propose a generalized account representation named TxGraph, which captures the universal interaction features of Ethereum and Bitcoin. Then we carefully design an account representation augmentation method tailored to simulate the evolution of malicious accounts to generate positive pairs. We conduct extensive experiments using public datasets to evaluate the performance of ShadowEyes. The results demonstrate that it outperforms state-of-the-art (SOTA) methods in four typical scenarios. Specifically, in the scenario of across-platform malicious account detection, ShadowEyes maintains an F1 score of around 90%, which is 10% higher than the SOTA method. In the zero-shot learning scenario, it can achieve an F1 score of 79.56% for detecting gambling accounts, surpassing the SOTA method by 10.44%.
PaperID: 419,   
Authors:  Pei-Kai Huang, Tzu-Hsien Chen, Ya-Ting Chan, Kuan-Wen Chen, Chiou-Ting Hsu
Affiliations: College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; Department of Computer Science, National Tsing Hua University, Hsinchu, Taiwan
Title: DD-rPPGNet: De-Interfering and Descriptive Feature Learning for Unsupervised rPPG Estimation
Abstract:
Remote Photoplethysmography (rPPG) aims to measure physiological signals and Heart Rate (HR) from facial videos. Recent unsupervised rPPG estimation methods have shown promising potential in estimating rPPG signals from facial regions without relying on ground truth rPPG signals. However, these methods seem oblivious to interference existing in rPPG signals and still result in unsatisfactory performance. In this paper, we propose a novel De-interfered and Descriptive rPPG Estimation Network (DD-rPPGNet) to eliminate the interference within rPPG features for learning genuine rPPG signals. First, we investigate the characteristics of local spatial-temporal similarities of interference and design a novel unsupervised model to estimate the interference. Next, we propose an unsupervised de-interfered method to learn genuine rPPG signals with two stages. In the first stage, we estimate the initial rPPG signals by contrastive learning from both the training data and their augmented counterparts. In the second stage, we use the estimated interference features to derive de-interfered rPPG features and encourage the rPPG signals to be distinct from the interference. In addition, we propose an effective descriptive rPPG feature learning by developing a strong 3D Learnable Descriptive Convolution (3DLDC) to capture the subtle chrominance changes for enhancing rPPG estimation. Extensive experiments conducted on five rPPG benchmark datasets demonstrate that the proposed DD-rPPGNet outperforms previous unsupervised rPPG estimation methods and achieves competitive performances with state-of-the-art supervised rPPG methods. The code is available at: https://github.com/Pei-KaiHuang/TIFS2025-DD-rPPGNet
PaperID: 420,   
Authors:  Rong Huang, Yuancheng Li, Peidong Yin, Xingyu Shang, Yuanyuan Wang
Affiliations: School of Control and Computer Engineering, North China Electric Power University, Beijing, China; China Telecom Research Institute, Beijing, China; National Computer Network Emergency Response Technical Team/Coordination Center, Beijing, China
Title: Transferable Attention-Distracting Adversarial Attack on Data-Driven Models for Power Systems
Abstract:
As the digitalization of power systems progresses, data-driven models have garnered widespread attention due to their performance advantages, leading to the emergence of numerous data-driven intelligent models for power tasks, such as attack detection and stability assessment. However, data-driven models are susceptible to adversarial attacks, even when deployed in highly secure control centers. Considering the similarity in the semantic features extracted by structurally diverse data-driven models when addressing the same downstream tasks, this paper proposes a transferable attention-distracting adversarial attack tailored for power systems. This attack first introduces an adversarial perturbation selection framework with physical constraints specific to power systems. It also offers different loss functions to distract attention and strategies to weaken the significance of features. Simulation experiments confirm that distracting the model’s attention results in more stable transferable attack effects and significantly reduces the performance of data-driven models across different task scenarios. The experimental results underscore the importance of not neglecting the security and robustness of models in security-critical scenarios like power systems, even while achieving optimal performance.
PaperID: 421,   
Authors:  Guangquan Xu, Shicheng Feng, Hao Xi, Qingyang Yan, Wenshan Li, Cong Wang, Wei Wang, Shaoying Liu, Zhihong Tian, James Xi Zheng
Affiliations: College of Information Science and Technology, Shihezi University, Shihezi, China; School of Cyber Security, Tianjin University, Tianjin, China; Beijing National Research Center for Information Science and Technology (BNRist), KLISS, and the School of Software, Tsinghua University, Beijing, China; School of Cyber Science and Engineering, Sichuan University, Chengdu, China; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; Software Engineering Institute, East China Normal University, Shanghai, China; Cyberspace Institute of Advanced Technology, Guangdong Key Laboratory of Industrial Control System Security, and Huangpu Research School, Guangzhou University, Guangzhou, China; School of Computing, Macquarie University, Sydney, Australia
Title: Differential-Trust-Mechanism-Based Trade-Off Method Between Privacy and Accuracy in Recommender Systems
Abstract:
In the era where Web 3.0 values data security and privacy, adopting groundbreaking methods to enhance privacy in recommender systems is crucial. Recommender systems need to balance privacy and accuracy, while also having the ability to overcome cold start problems. The Differential Trust Mechanism (DTM) introduced in this paper is such an approach. The DTM provides a unique use of Gaussian distributions in modeling trust relationships within data, offering a novel way to balance recommendation accuracy with user privacy. This mechanism innovatively applies differential privacy principles, using Gaussian noise addition to protect individual user data from inference attacks, while maintaining the integrity and utility of the overall dataset. Unlike traditional anonymization techniques that often compromise data utility or are vulnerable to reverse engineering, DTM provides a robust solution by dynamically adjusting privacy levels based on the trustworthiness of data requests. By combining DTM with existing mainstream recommendation algorithms, the prediction accuracy in terms of MAE and RMSE increases by at least 6.60% and 2.69%, respectively. This dual benefit positions DTM as a significant advancement in secure data processing, especially relevant for online businesses and platforms where personalized recommendations are crucial yet privacy concerns are paramount.
PaperID: 422,   
Authors:  Shaoxian Yuan, Kaiping Xue, Jingcheng Zhao, David S. L. Wei
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, Anhui, China; Department of Computer and Information Science, Fordham University, Bronx, NY, USA
Title: Private, Accurate and Communication Efficient Clustering Over Vertically Distributed Dataset
Abstract:
Clustering is a crucial unsupervised machine learning algorithm extensively used in various practical applications, such as patient refinement and fraud detection, which often involve vertically distributed data across multiple data centers. However, sharing datasets directly is typically prohibited under GDPR due to potential privacy breaches. Therefore, privacy-preserving joint clustering for vertically distributed datasets is highly desired. In this paper, we propose Privacy-Preserving Vertically Federated Clustering (PPVFC), a solution that not only achieves this goal but also significantly reduces computational and communication overhead for each data owner (DO). Unlike most previous works that achieve the goal with a single privacy-enhancing technology, PPVFC jointly leverages multiparty homomorphic encryption (MHE) and multiparty computation (MPC) to efficiently interleave communication-lightweight homomorphic computations on the local dataset with operations over collectively secret-shared intermediate data. Specifically, we design a coefficient-wise encoding for MHE to pack large datasets and minimize communication costs. Additionally, we develop a round-efficient bit extraction protocol for determining the minimum distance. Through extensive experiments and security analysis, we demonstrate the practical performance and robust security guarantees of PPVFC.
PaperID: 423,   
Authors:  Zhenyuan Zhang, Xingqun Qi, Zhenbo Song, Zhiqin Yang, Jianfeng Lu, Muyi Sun, Man Zhang, Zhenan Sun
Affiliations: AIS, HKUST, Hong Kong, China; School of CS, NJUST, Nanjing, China; School of EE, CUHK, Hong Kong, China; School of AI, BUPT, Beijing, China; NLPR, MAIS, CASIA, Beijing, China
Title: Multi-Scale Semantic-Guidance Networks: Robust Blind Face Restoration Against Adversarial Attacks
Abstract:
Image processing networks are known to be vulnerable to adversarial examples, where adding carefully crafted adversarial perturbations to the inputs can mislead the model. This paper addresses the problem of robust blind face restoration (BFR) against adversarial attacks. BFR refers to recovering high-quality (HQ) images from low-quality (LQ) images, which suffer from diverse unknown degradation, such as noise, blur, artifacts, low resolution, etc. Although existing BFR methods exhibit good performance, they experience significant degradation when subtle distortions and perturbations are introduced into the input images. This paper is the first to investigate, improve comprehensively, and evaluate BFR methods towards adversarial attacks. Projected Gradient Descent (PGD) is employed to generate adversarial examples, and multiple types of attacks are used to thoroughly assess the robustness of various BFR methods across different objectives, regions, and levels. We evaluate the robustness of multiple BFR methods and analyze the advantages of their structures and modules towards adversarial attacks. Experimental results demonstrate that the method utilizing latent feature encoding and a pre-trained discrete HQ codebook achieves better robustness than other methods, with the latter outperforming the former. Similarly, multi-scale semantic guidance information also exhibits superior performance in enhancing robustness. Therefore, we propose a powerful BFR method to mitigate this issue while maintaining better performance. Extensive experiments on three real-world datasets demonstrate our method’s state-of-the-art robustness in different scenarios.
PaperID: 424,   
Authors:  Daoqing Yang, Yu Yao, Yao Shan, Licheng Yang, Wei Yang, Fuyi Liu, Yunfeng Wu
Affiliations: College of Computer Science and Engineering, Northeastern University, Shenyang, China; School of Computer and Control Engineering, Yantai University, Yantai, China; College of Software, Northeastern University, Shenyang, China; Sixth Research Institute of China Electronics Information Industry Group Company Ltd., Beijing, China
Title: Patty: Pattern Series-Based Semantics Analysis for Agnostic Industrial Control Protocols
Abstract:
Reverse engineering of agnostic industrial control protocols (ICPs) based on traffic traces is significant for the security analysis of industrial control systems. Field semantics deduction is an essential step in protocol reverse engineering following the discovery of the message fields. Most existing methods rely on knowledge-based analysis for specific fields of common protocols, which require too many assumptions and lack semantic knowledge about ICPs. In this paper, we propose a new concept, pattern series, and design the first classification framework for inferring the semantic types of unknown ICPs. Specifically, we first present the definition of pattern series and design the field pattern series generation algorithm for building training data, then develop a field semantics classification model to learn and apply semantic features from known protocols to predict semantic types in unknown protocols. Lastly, we implement a probability-maximizing selection algorithm to obtain optimal semantic types. We demonstrate the effectiveness of the proposed method through extensive experiments with five popular ICPs, including their mixed protocols. Evaluations show that our approach significantly outperforms baseline methods in field semantic recognition, achieving an F1-score of ≥ 90.8%.
PaperID: 425,   
Authors:  Mupei Li, Yunlong Wang, Kunbo Zhang, Zhaofeng He, Zhenan Sun
Affiliations: New Laboratory of Pattern Recognition (NLPR), State Key Laboratory of Multimodal Artificial Intelligence Systems (MAIS), Institute of Automation, Chinese Academy of Sciences (CASIA), Beijing, China; NLPR, MAIS, CASIA, Beijing, China; School of Artificial Intelligence, Beijing University of Posts and Telecommunications (BUPT), Beijing, China
Title: Exploring Near-Infrared Iris Image Sequences for High Throughput Iris Recognition
Abstract:
High throughput is in high demand in real-world iris recognition applications. The challenges mainly originate from the variability in image quality under high-throughput capture conditions. Most of the degraded images are typically filtered out by traditional iris systems through an Image Quality Assessment (IQA) module, adversely affecting efficiency and leading to low throughput and poor user experience. Therefore, a better and more practical solution is to make the utmost of degraded iris images. In order to investigate the key problems of high-throughput iris recognition, we collect a novel iris sequence dataset under Near-infrared (NIR) illumination. This dataset is specifically constructed for high-throughput evaluation, which faithfully simulates the process of iris sequence acquisition in real-world iris systems. Comprehensive evaluations were conducted to figure out the deficiencies of current iris recognition algorithms. To this end, a testing methodology along with specific evaluation metrics is proposed. It is capable of assessing the throughput performance, e.g., via the newly proposed Frame Consumption per Match (FCM). Through performance analysis, several insights were gathered to guide potential directions for developing high-throughput iris recognition algorithms. Furthermore, we consider leveraging iris sequence features for better throughput performance. Continuity sequence criteria and a cumulative sequence feature strategy are proposed to enhance the throughput performance of existing algorithms with minimal cost. In summary, this work provides valuable data and rational insights for high-throughput iris recognition studies. The datasets and evaluation toolkit are publicly available on our website (http://biometrics.idealtest.org/#/).
PaperID: 426,   
Authors:  Chengxi Li, Ming Xiao, Mikael Skoglund
Affiliations: Division of Information Science and Engineering, School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
Title: Sign-Based Distributed Learning With Byzantine Resilience Based on Audit Mechanism
Abstract:
In this paper, we study the problem of distributed learning (DL) with devices transmitting sign information of the local gradients to the server under communication constraints, where the devices are susceptible to Byzantine attacks. For this problem, a sign-based gradient descent method with majority vote and stochastic 1-bit quantization (Sign-M-stochastic) has been proposed very recently. However, the Byzantine resilience of Sign-M-stochastic is inherently limited, based on the fact that all Byzantine devices and honest devices participate equally in the training process. To overcome this drawback and enhance the resilience to Byzantine attacks, inspired by the audit-based distributed detection systems, we propose a novel DL method with an audit mechanism (DL-AM). In each iteration, the sign information of the local gradients is obtained by the devices from stochastic 1-bit quantization. All devices, partitioned into groups, send the sign information to the server through multiple paths, both directly and via other devices in the same group. This approach provides the server with additional information about the identities of the devices, which enables the server to form the global model update by aggregating the sign information of different devices with varying weights. We analyze the convergence performance of the proposed method from a theoretical perspective. Finally, numerical results demonstrate the superiority of DL-AM over the baseline methods.
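The abstract above names the baseline, Sign-M-stochastic, and the reason its Byzantine resilience is bounded: every device casts one equal-weight vote. The simulation below is an added example, not the paper's code or its DL-AM scheme. It implements stochastic 1-bit quantization of local gradients and a coordinate-wise majority vote on a toy least-squares objective, and shows that the vote tolerates a Byzantine minority but is overturned once the attackers outnumber honest devices. The sign-flipping attacker model, the three-dimensional quadratic objective, the step size, the quantization scale and the device counts are all assumptions made for the illustration.

```python
import numpy as np

def stochastic_sign(g, scale, rng):
    """Stochastic 1-bit quantization: emit +1 with probability (1 + g/scale)/2, else -1.
    E[output] = g/scale while |g| <= scale, so each vote is an unbiased sign estimate;
    larger gradient entries are clipped to a deterministic sign."""
    p_plus = np.clip(0.5 * (1.0 + g / scale), 0.0, 1.0)
    return np.where(rng.random(g.shape) < p_plus, 1.0, -1.0)

def majority_vote(votes):
    """Coordinate-wise majority over the stacked +/-1 votes (ties resolved to +1).
    Every row is one device, so every device carries the same weight."""
    total = np.sum(votes, axis=0)
    return np.where(total >= 0.0, 1.0, -1.0)

X0 = np.array([5.0, -3.0, 2.0])  # constructed starting point (assumption)
X_STAR = np.zeros(3)             # minimiser of the toy objective f(x) = ||x - x*||^2
INITIAL_ERROR = float(np.linalg.norm(X0 - X_STAR))

def run_sign_m_stochastic(n_honest, n_byz, steps=300, lr=0.1, scale=10.0, seed=0):
    """Sign-based GD with majority vote. Honest devices send the stochastic sign of the
    true gradient; Byzantine devices (modelled as sign-flippers, an assumption) send the
    negated stochastic sign. Returns the final distance to x*."""
    rng = np.random.default_rng(seed)
    x = X0.copy()
    for _ in range(steps):
        g = 2.0 * (x - X_STAR)  # gradient of f at x
        honest = [stochastic_sign(g, scale, rng) for _ in range(n_honest)]
        byz = [-stochastic_sign(g, scale, rng) for _ in range(n_byz)]
        direction = majority_vote(np.array(honest + byz))
        x = x - lr * direction
    return float(np.linalg.norm(x - X_STAR))

if __name__ == "__main__":
    for h, b in [(9, 0), (6, 3), (3, 6)]:
        err = run_sign_m_stochastic(h, b)
        print(f"honest={h} byzantine={b}: final error {err:.3f} (start {INITIAL_ERROR:.3f})")
```

With 9 honest devices, or 6 honest against 3 Byzantine, the iterate settles near x*; with 3 honest against 6 Byzantine the majority direction is flipped on every coordinate once the gradient saturates the quantizer, and the iterate runs away from x*. Nothing in the vote lets the server tell the two populations apart, which is the gap the audit mechanism in the abstract targets.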
PaperID: 427,   
Authors:  Jing Zhang, Xin Wang, Jie Cui, Ru Li, Hong Zhong
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing, Ministry of Education, School of Computer Science and Technology, and Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei, China; School of Computer Science and Technology, Anhui University, Hefei, China
Title: A Decentralized Threshold Credential Management With Fine-Grained Authentication for VANETs
Abstract:
In Vehicular Ad-hoc Networks (VANETs), vehicles must authenticate their identities before accessing services. However, existing authentication schemes based on anonymous credentials still face single points of failure in multi-authority scenarios. In addition, in traditional anonymous credential schemes, the public key of the credential authority is used directly to verify the credential, which may increase the risk of vehicle privacy being misused. To address these issues, we propose a decentralized threshold credential management system with fine-grained authentication for VANETs. A decentralized credential management architecture is proposed for VANETs with multiple credential authorities, where each credential authority consists of multiple credential managers who issue credentials using a threshold mechanism, effectively eliminating the single point of failure. Based on this architecture, we design a fine-grained, privacy-preserving authentication scheme that allows vehicles to autonomously perform selective attribute disclosure, credential aggregation, and randomization before requesting verification from the Cloud Service Provider, thereby achieving a balance between privacy preservation and authentication efficiency. The security proofs and analysis show that our scheme satisfies the target security properties. Performance evaluations indicate that our scheme enables efficient, flexible credential management and authentication in VANETs while ensuring privacy preservation.
PaperID: 428,   
Authors:  Jianjun Lei, Menglei Zhao, Bo Peng, Jiahui Song, Chao Xue, Qingming Huang
Affiliations: School of Electrical and Information Engineering, Tianjin University, Tianjin, China; Tiandy Technologies, Tianjin, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing, China
Title: Cross-Modal Aligned Identity-Discriminative Feature Learning Network for Face Sketch Recognition
Abstract:
Face sketch recognition focuses on retrieving face photos that have the same identity as query face sketches, and plays a vital role in the field of information forensics and security. Owing to the large cross-modal differences between face sketches and photos, extracting and aligning cross-modal features is still considered a challenging task in the face sketch recognition community. This paper presents a novel cross-modal aligned identity-discriminative feature learning network (CAIFL-Net) for face sketch recognition. Specifically, in this paper, an identity-discriminative feature preservation module is designed to capture the identity-discriminative features of face sketches and photos by eliminating features that are weakly related to recognition. In addition, a sketch-photo cross-reconstructed feature alignment module is proposed to obtain cross-modal aligned features for effective recognition by reconstructing and embedding global features of one modality into another. Extensive experiments on the Uom-SGFS and CUFSF datasets demonstrate the effectiveness of the proposed CAIFL-Net.
PaperID: 429,   
Authors:  Yaning Zhang, Tianyi Wang, Zitong Yu, Zan Gao, Linlin Shen, Shengyong Chen
Affiliations: Faculty of Computer Science and Technology, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; School of Computing, National University of Singapore, Singapore, Singapore; School of Computing and Information Technology, Great Bay University, Dongguan, China; Shandong Artificial Intelligence Institute, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; Shenzhen Institute of Artificial Intelligence and Robotics for Society, Shenzhen, China; Key Laboratory of Computer Vision and System, Ministry of Education, Tianjin University of Technology, Tianjin, China
Title: MFCLIP: Multi-Modal Fine-Grained CLIP for Generalizable Diffusion Face Forgery Detection
Abstract:
The rapid development of photo-realistic face generation methods has raised significant concerns in society and academia, highlighting the urgent need for robust and generalizable face forgery detection (FFD) techniques. Although existing approaches mainly capture face forgery patterns using the image modality, other modalities like fine-grained noises and texts are not fully explored, which limits the generalization capability of the model. In addition, most FFD methods tend to identify facial images generated by GANs, but struggle to detect unseen diffusion-synthesized ones. To address these limitations, we aim to leverage the cutting-edge foundation model, contrastive language-image pre-training (CLIP), to achieve generalizable diffusion face forgery detection (DFFD). In this paper, we propose a novel multi-modal fine-grained CLIP (MFCLIP) model, which mines comprehensive and fine-grained forgery traces across image-noise modalities via language-guided face forgery representation learning, to facilitate the advancement of DFFD. Specifically, we devise a fine-grained language encoder (FLE) that extracts fine global language features from hierarchical text prompts. We design a multi-modal vision encoder (MVE) to capture global image forgery embeddings as well as fine-grained noise forgery patterns extracted from the richest patch, and integrate them to mine general visual forgery traces. Moreover, we build an innovative plug-and-play sample pair attention (SPA) method to emphasize relevant negative pairs and suppress irrelevant ones, allowing cross-modality sample pairs to conduct more flexible alignment. Extensive experiments and visualizations show that our model outperforms the state of the art in different settings such as cross-generator, cross-forgery, and cross-dataset evaluations. Our code will be available at https://github.com/Jenine-321/MFCLIP
PaperID: 430,   
Authors:  Yiming Li, Kejiang Chen, Yaofei Wang, Xin Zhang, Guanjie Wang, Weiming Zhang, Nenghai Yu
Affiliations: Anhui Province Key Laboratory of Digital Security, School of Cyber Science and Technology, University of Science and Technology of China, Hefei, China; Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China
Title: CoAS: Composite Audio Steganography Based on Text and Speech Synthesis
Abstract:
Digital steganography is the practice of embedding secret information in ordinary-looking data to enable covert communication. With the rapid advancement of generative models, generative steganography has gained renewed vitality. As a key medium on the Internet, audio has also become a focus of steganographic research. However, existing audio steganography methods rely on traditional audio synthesis models, which often suffer from suboptimal synthesis quality. In contrast, diffusion models perform well in audio synthesis tasks, but there is a lack of targeted secure audio steganography methods based on them. In addition, existing steganography schemes are generally limited to transmitting only the steganographic object, and other key elements need to be negotiated in advance, which limits their practicality. To address these issues, we propose CoAS, a composite audio steganography method based on text and speech synthesis. Firstly, we use a provably secure linguistic steganography method to embed the synchronous side information required for audio steganography, and then replace the Gaussian noise in the diffusion models with message-driven sampling during the audio generation process. Both theoretical analysis and experimental results validate the security and practicality of our composite steganography method in the real world. Audio samples are available at https://meterial.github.io/coas.github.io
PaperID: 431,   
Authors:  Yong Yang, Changjiang Li, Yi Jiang, Jinbao Li, Xuhong Zhang, Zonghui Wang, Shouling Ji, Wenzhi Chen
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China; School of Computer Science, Stony Brook University, Stony Brook, NY, USA; School of Mathematics and Statistics, Qilu University of Technology, Jinan, Shandong, China; School of Software Technology, Zhejiang University, Ningbo, Zhejiang, China
Title: Invisible-Face: Rethinking Facial Attribute Privacy in Social Media Photo Sharing
Abstract:
As social media gains popularity, users frequently share personal photos without recognizing the risks of exposing their faces to advanced facial attribute detection technologies. These technologies can extract sensitive attributes such as age, race, sexual orientation, and potential health information from facial images, raising significant privacy concerns. Despite the availability of various anonymization techniques, our research reveals that current methods inadequately protect facial attribute privacy. They often fail to balance effectiveness and utility, underscoring the pressing need for more robust solutions in today’s pervasive photo-sharing culture. To remedy this gap, we introduce Invisible-Face, a tool designed to safeguard users’ facial attribute privacy using advanced adversarial perturbation techniques. Invisible-Face uses local, directional, and resilient perturbation generative strategies to obfuscate multiple facial attributes effectively, thus ensuring privacy while retaining the utility of the facial images. Our comprehensive evaluation across various datasets and model architectures shows that Invisible-Face significantly outperforms existing privacy-preserving methods in terms of effectiveness while maintaining high image naturalness. Furthermore, our extensive real-world evaluations on four popular MLaaS platforms (Baidu Brain, Tencent Cloud, Aliyun, and Face++) reveal that Invisible-Face achieves comparable privacy protection results while preserving the visual naturalness of images, outperforming existing methods. These findings boost public awareness about the importance of facial attribute privacy and urge online social platforms to improve their protection measures.
PaperID: 432,   
Authors:  Xiaolan Zhu, Junfeng Wang, Wenhan Ge, Yizhao Huang, Tingting Lu
Affiliations: National Key Laboratory of Fundamental Science on Synthetic Vision, Sichuan University, Chengdu, China; College of Computer Science, Sichuan University, Chengdu, China
Title: WF-TFC: An Open-World Few-Shot Anonymous Website Fingerprinting via Time-Frequency Consistency
Abstract:
While Tor provides strong anonymity, it also facilitates the concealment of malicious activities, which poses a significant challenge to cybersecurity surveillance. As an effective anti-anonymity technique, Website Fingerprinting (WF) enables the inference of which websites a user is visiting, thereby uncovering potential attacker activities. State-of-the-art (SOTA) methods have demonstrated remarkable effectiveness. However, a large amount of labeled traffic is required to ensure effectiveness, and without timely updates, these models will encounter serious challenges of concept drift due to the dynamic nature of website content and network conditions. The core reason lies in the independently and identically distributed assumption, while in challenging open-world scenarios, the long-term spatial and temporal dynamics complicate data consistency and effective knowledge transfer. To address these issues, this paper presents WF-TFC, an open-world few-shot anonymous WF model via self-supervised contrastive learning and time-frequency consistency. It aligns time- and frequency-based representations in the latent time-frequency space, enhancing the sustained effectiveness of inherent patterns across various websites. Consequently, it accommodates diverse few-shot target domains with varying dynamics, facilitating data consistency and knowledge transfer in unobserved long-term temporal and spatial environments. For instance, with only 5 traces per website, WF-TFC achieves 92.62% accuracy on traces collected six weeks after pre-training, exceeding the SOTA (i.e., NetCLR) by 2.12%. On similar but mutually exclusive traces, it attains an F1 score of 87.20%, surpassing the SOTA by 6.12%.
PaperID: 433,   
Authors:  Jiaqi Feng, Libing Wu, Xing Fan, Lijuan Huo, Enshu Wang, Zhuangzhuang Zhang
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Ascina: Efficient Proof of Retrievability for Industrial Cloud Storage Systems
Abstract:
Industrial cloud storage systems enhance data availability and offer intelligent services to enterprises. However, they also bring significant concerns about data integrity since the cloud space provider may not consistently retain the outsourced data. Existing cloud storage verification methods impose a significant computational burden on edge devices, so they are unsuitable for industrial cloud storage systems. Although the lightweight homomorphic authenticator somewhat alleviates the computational load on the fog node, its effectiveness remains limited and it further complicates proof generation and verification. To address these problems, we propose Ascina, a new proof of retrievability framework for industrial cloud storage systems. We employ verifiable secret sharing to delegate tag computation tasks to the computing server without disclosing the signing key. Once the fog node completes its initial configuration, no further computations are required. Additionally, we propose the improved Ascina by utilizing Fast Fourier Transform (FFT) and Inverse Fast Fourier Transform (IFFT) technology to further alleviate the computational burden on the fog node. Furthermore, we propose a batch verification algorithm that simultaneously validates the integrity of multiple files while maintaining the same security assurances as single auditing. We evaluate the performance of Ascina through experiments and compare it with state-of-the-art methods. Experimental results demonstrate that the computational overhead on the fog node in Ascina is 5× to 251× lower than that of Edasvic, and our proof verification time and proof size are reduced by 5× to 16× and 977× to 3285×, respectively. As the size and quantity of files grow, Ascina demonstrates greater efficiency in both time and space.
PaperID: 434,   
Authors:  Yang Cao, Lingjie Duan
Affiliations: School of Electronic Engineering and Optoelectronics, Nanjing University of Science and Technology, Nanjing, Jiangsu, China; Engineering Systems and Design Pillar, Singapore University of Technology and Design, Tampines, Singapore
Title: Sensing for Jamming in ISAC: Beam Scanning and Beamforming Optimization
Abstract:
The development of wireless technology enables numerous applications of remote-controlled devices (e.g., uncrewed aerial vehicles), yet their intrusion poses significant threats to restricted areas, including military bases, airports, and private spaces belonging to individuals and organizations. To effectively counter the intruders, we propose a novel sensing assisted jamming (SAJA) scheme in a two-stage transmission protocol, where we are the first to employ beam scanning to enhance the jamming gain to neutralize intruders. In the first stage, we determine the number of sensing beams L for detecting intruders. We show that a larger L leads to a more accurate angle range, thus enabling a higher jamming beam gain. In the second stage, robust jamming beamforming is designed to disable the intruders within the estimated angle range. The problem for a single intruder is already non-convex, and we decouple it into two subproblems and develop algorithms for both single- and multi-intruder scenarios. In single-intruder scenarios, we first derive the closed-form expression for the robust beamforming design with fixed L, and then apply the bisection search method to determine the minimum L. Facing multiple possible intruders, we further design a multi-round anti-intruder algorithm to address power insufficiency. In each round, we check the problem feasibility with L = L_max (L_max is the maximum number of sensing beams) and use a jamming-to-noise-ratio based method to selectively target intruders until the problem is feasible. Furthermore, we derive a semi-closed-form solution to the robust jamming beamforming vector using Lagrange duality theory. Finally, simulation results validate the effectiveness and robustness of the proposed SAJA scheme against existing schemes.
PaperID: 435,   
Authors:  Jiaquan Liang, Zhiyu Chen, Qi Luo, Zhenzhen Xie, Gang Liu, Zhipeng Cai
Affiliations: Department of Computer Technology, Changchun University of Technology, Changchun, China; School of Computer Science and Technology, Shandong University, Qingdao, China; Department of Computer Science, Georgia State University, Atlanta, GA, USA
Title: Hypergraph Unlearning: A Size-Based Hyperedge Selection and Coverage Aggregation Approach
Abstract:
Graph unlearning aims to provably remove some training data from graph neural networks (GNNs) while eliminating their impact on model predictions. Although retraining the GNNs from scratch is a direct and legitimate solution, it entails substantial computational resources. To address this issue, graph unlearning methods have been proposed in the domain of graph data. However, applying existing graph unlearning methods directly to hypergraph data affects model utility. Specifically, the graph unlearning methods severely damage the higher-order structural information of hypergraphs and fail to remove all the information that needs to be unlearned. In this paper, we propose Hyperedge Size-Based Core-Sharing Decomposition, a novel hypergraph unlearning framework tailored to the structural characteristics of hypergraph data. Its contributions include a subgraph partitioning method specific to hypergraphs and an aggregation method based on node coverage. We conduct extensive experiments on seven real-world hypergraph datasets to demonstrate the unlearning efficiency and model utility. Compared to the baseline methods, our approach achieves up to 5% higher accuracy and reduces the average unlearning time by 28%. Furthermore, our node-coverage-based aggregation approach achieves up to 6% higher accuracy.
PaperID: 436,   
Authors:  Dongyue Zhang, Weiwei Ni, Nan Fu, Lihe Hou, Ruyu Zhang
Affiliations: School of Computer Science and Engineering, Southeast University, Nanjing, China
Title: Locally Differentially Private Trajectory Publication Based on Regional Popularity Awareness
Abstract:
Trajectory publication under local differential privacy (LDP) has recently become a research focus. Existing solutions rely on geospatial discretization, elevating trajectory description granularity to alleviate noise injection. However, discretization itself also leads to trajectory information loss. Determining the discretization granularity to balance differential noise and trajectory accuracy is challenging. Besides, these solutions commonly protect trajectory privacy via whole-region perturbation yet ignore the actual reachable range of trajectories, resulting in impractical published trajectories. To address these issues, we propose LDPTP, a novel LDP-based trajectory publication method that achieves high-quality publication by perceiving regional popularity in a privacy-preserving way. Specifically, we design a privacy-accuracy balancing mechanism for discretization granularity selection, which can effectively measure the impact of different granularities on noise error and information loss through the Bernoulli model and information entropy, enabling optimized discrete trajectory acquisition. Furthermore, a regional popularity-based perturbation method is presented, which utilizes trajectory distribution features to capture popular regions and then combines region similarity to generate private mobility patterns that better preserve trajectory utility. Finally, we devise a transition probability correction method to enhance the accuracy of the Markov model learned from these private patterns, realizing high-utility trajectory synthesis for publication. Extensive experiments are conducted on real-world and synthetic datasets under three levels of utility metrics. The results demonstrate that our proposed LDPTP significantly outperforms the baseline methods.
PaperID: 437,   
Authors:  Hang Zhang, Dong Wei, Nan Jiang, Meng Zhang, Xiang Meng, Yang Yang, Weiqing Huang
Affiliations: Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China; Samsung Research Institute China–Beijing (SRC-B), Samsung Electronics, Beijing, China; School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing, China
Title: Passive Multi-User Traffic Analysis Based on 5G NR/LTE Physical Layer
Abstract:
Information leakage through wireless channels poses a significant security concern within contemporary cellular networks, such as 5G new radio (NR). Among the myriad of potential attack vectors, passive traffic analysis (PTA) stands out as a pervasive and surreptitious threat, which allows attackers to discern the specific services utilized by unsuspecting victims without their noticing. In this work, we present a pioneering approach to achieve fine-grained service identification by adopting an unexplored perspective: mapping traffic transmission patterns to physical layer time-frequency occupancy patterns, which we refer to as Passive Time-Frequency Traffic (PTTF). Additionally, it selects the uplink control channel that carries the acknowledgment/negative acknowledgment (ACK/NACK) feedback within the Hybrid Automatic Repeat reQuest (HARQ) process as the data source. Statistical features of ACK/NACK time-frequency resources are extracted for traffic classification, and activities are recognized with a three-tier classification algorithm. For validation, we conduct field experiments targeting commercial smartphones within a real-world operator’s network. This setup effectively mirrors practical scenarios, as the resources within the target frequency band can also be allocated to other equipment in the operator’s network. Furthermore, cross-validation experiments involving different smartphone brands and various network formats are conducted in order to ascertain the generalizability of the proposed PTTF.
PaperID: 438,   
Authors:  Mohammad Reza Kavianinia, Abbas Mohammadi, Vahid Meghdadi
Affiliations: Department of Electrical Engineering, AUT-Wireless Research Laboratory, Amirkabir University of Technology, Tehran, Iran; XLIM, UMR CNRS, Limoges, France
Title: Secrecy Rate Maximization in the Presence of Stacked Intelligent Metasurface
Abstract:
This paper focuses on maximizing the sum secrecy rate in secure multi-user MISO communication systems that use stacked intelligent metasurfaces (SIM). SIM technology manipulates electromagnetic waves and improves secure communication by combining several metasurface layers with discrete phase-shifting capabilities. We propose a methodology for optimizing beamforming vectors at the base station and phase shifts across metasurface layers, with the goal of maximizing the sum secrecy rate while adhering to practical power constraints. The non-convex optimization problem, induced by discrete phase shifts and coupled beamforming design parameters, is dealt with by using an alternating optimization (AO) method. This method employs successive convex approximation for beamforming and projected gradient ascent for phase shift adjustment, resulting in convergence to locally optimal solutions. The proposed approach is thoroughly assessed in simulated scenarios to discover how it performs under various system configurations. The findings reveal that increasing the number of metasurface layers and meta-atoms significantly increases the sum secrecy rate by improving spatial control, lowering interference, and effectively repelling eavesdropping threats. Furthermore, the AO algorithm demonstrates rapid convergence and computational efficiency, making it appropriate for practical use. The framework demonstrates strong flexibility to changes in transmit power, antenna design, and user densities while retaining stable and scalable performance. This research emphasizes the potential of SIM-assisted systems in improving security in wireless communications by enhancing spatial architecture and beamforming, which can complement existing security strategies.
PaperID: 439,   
Authors:  Zhisheng Yin, Nan Cheng, Mingjie Wang, Changle Li, Wei Xiang
Affiliations: State Key Laboratory of ISN and School of Telecommunications Engineering, Xidian University, Xi’an, China; Academy for Network and Communications of China Electronics Technology Group Corporation (CETC), Shijiazhuang, China; School of Computing, Engineering and Mathematical Sciences, La Trobe University, Melbourne, VIC, Australia
Title: Conceal Truth While Show Fake: T/F Frequency Multiplexing-Based Anti-Intercepting Transmission
Abstract:
In adversarial wireless communication scenarios, signals are easily intercepted by non-cooperative parties, exposing the transmission of confidential information. This paper proposes a true-and-false (T/F) frequency multiplexing based anti-intercepting transmission scheme capable of concealing truth while showing fake (CTSF), integrating both offensive and defensive strategies. Specifically, through multi-source cooperation, true and false signals are transmitted over multiple frequency bands using non-orthogonal frequency division multiplexing. The decoy signals are used to deceive non-cooperative eavesdroppers, while the true signals are hidden to counter interception threats. Definitions for the interception and deception probabilities are provided, and the mechanism of CTSF is discussed. To improve the secrecy performance of the true signals while ensuring the decoy signals achieve their deceptive purpose, we model the problem as maximizing the sum secrecy rate of the true signals, with a constraint on the decoy effect. Furthermore, we propose a bi-stage alternating dual-domain optimization approach for the joint optimization of both power allocation and correlation coefficients among multiple sources, and Newton’s method is applied for fitting the T/F frequency multiplexing factor. In addition, simulation results verify the anti-intercepting performance of our proposed CTSF scheme.
PaperID: 440,   
Authors:  Haoyang Wang, Kai Fan, Chong Yu, Kuan Zhang, Fenghua Li, Haojin Zhu
Affiliations: School of Cybersecurity, Northwestern Polytechnical University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, China; Department of Computer Sciences, University of Cincinnati, Cincinnati, OH, USA; Department of Electrical and Computer Engineering, University of Nebraska-Lincoln, Lincoln, NE, USA; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Hide Yourself: Multi-Dimensional Range Queries for Responses-Hiding Over Outsourced Data
Abstract:
Multi-dimensional range query (MRQ) over outsourced data has been extensively applied in various domains. However, security and efficiency are still two aspects that cannot be easily balanced in private MRQs, as improving security inevitably incurs high computation, storage, and communication costs. Several schemes perform encrypted data retrieval in a trusted execution environment (TEE), which balances security and performance. Unfortunately, they focus on keyword or single-dimensional range queries, failing to address private MRQs. Using a TEE (i.e., Intel SGX), we propose a response-hiding MRQ scheme over encrypted data (SGX-MRQ) in this paper. We first design an index structure called SDic, which achieves efficient range queries while hiding the responses to each query from the server. Moreover, based on the security properties of SGX, we construct the encrypted polynomials of each dimension in the enclave and have the server perform the intersection computation of multi-attribute queries, which greatly improves system efficiency. We present the formal definition of SGX-MRQ and give a rigorous proof. We implement a prototype of SGX-MRQ and conduct extensive experiments on real datasets. The evaluation results validate the feasibility of our scheme in practical applications.
PaperID: 441,   
Authors:  Cong Zhang, Shuhui Wang, Xiaodan Li, Yao Zhu, Honggang Qi, Qingming Huang
Affiliations: School of Intelligence Science and Technology, University of Science and Technology Beijing, Beijing, China; Chinese Academy of Sciences, Institute of Computing Technology, Beijing, China; Alibaba Group, Hangzhou, China; Department of Automation, Tsinghua University, Beijing, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing, China
Title: Enhancing the Robustness of Vision-Language Foundation Models by Alignment Perturbation
Abstract:
While Vision-Language Models (VLMs) based on large-scale models have shown revolutionary advancements across various vision-language tasks, research on improving VLM robustness remains underexplored. Existing studies primarily focus on attacking VLMs after the pretrained visual or textual encoders, typically requiring obvious noise or long inference time. In this study, we look into the VLM structure and highlight the alignment module’s role as a protective filter that enhances VLM robustness against various perturbations. Motivated by these insights, we investigate VLMs from both user and model developer perspectives and introduce the alignment perturbation strategy, which consists of multimodal, visual, and textual perturbations. Multimodal perturbation aims to achieve targeted textual output generation and is further utilized to enhance VLM robustness. Minimal perturbations to visual or textual inputs can lead to significant changes in the overall output of VLMs, revealing their sensitivity to both visual and textual input variations. Building on the alignment perturbation strategy, we propose alignment robust training, which efficiently improves VLM robustness by finetuning the parameters of the alignment module without excessive resource consumption. Experimental results across various tasks and models demonstrate the effectiveness of the proposed alignment perturbation and alignment robust training. These methods deepen the understanding of VLM robustness, allowing for secure and reliable deployment in diverse real-world scenarios. Code is available at https://github.com/zhangconghhh/RobustVLMs
PaperID: 442,   
Authors:  Wenkai Huang, Gaolei Li, Mingzhe Chen, Jianhua Li, Haojin Zhu
Affiliations: School of Computer Science and the Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, Shanghai, China; Electrical and Computer Engineering Department, University of Miami, Coral Gables, FL, USA
Title: Silent Penetrator: Breaching Cross-Domain Federated Fine-Tuning via Feature Shift-Induced Backdoor
Abstract:
To improve communication efficiency and handle data heterogeneity challenges in federated learning (FL), fine-tuning pre-trained large models rather than training neural networks from scratch has received increasing attention in recent years, especially under cross-domain settings. However, such a cross-domain federated fine-tuning scenario opens up a broader attack surface for new threats, especially backdoors, posing significant security risks. Existing backdoor attacks mainly focus on label shift scenarios and use explicit triggers, which lack transferability and effectiveness in cross-domain settings, thereby exhibiting significant weaknesses. In this paper, we propose Silent Penetrator, an innovative penetration scheme tailored for cross-domain federated fine-tuning, which exploits a feature shift-induced backdoor to elicit specific symptoms in the trusted private data of targeted victims. In Silent Penetrator, the attacker can obtain a high-quality poisoned dataset by leveraging the available domain information as text prompts for Stable Diffusion, and inject a domain-sensitive backdoor that is triggered, without the victims’ awareness, by their unmodified private data. To achieve stronger and more persistent penetration, we thoroughly explore the adversary’s configurable space and enhance our backdoor injection using contrastive-enhanced boundary deviation and cross-domain predictive confrontation. Extensive experiments on three cross-domain datasets and four state-of-the-art federated fine-tuning frameworks validate the effectiveness of Silent Penetrator in successfully compromising target clients. Furthermore, our backdoor enhancement strategy improves the penetration accuracy by over 10% in most scenarios and significantly enhances the durability of the penetration compared to four state-of-the-art backdoor enhancement techniques.
PaperID: 443,   
Authors:  Tai Yue, Kai Lu, Zhenyu Ning, Pengfei Wang, Lei Zhou, Xu Zhou, Yaohua Wang, Fengwei Zhang, Gen Zhang
Affiliations: Intelligent Game and Decision Lab, Academy of Military Sciences, Beijing, China; College of Computer, National University of Defense Technology, Changsha, China; College of Computer Science and Electronic Engineering, Hunan University, Changsha, China; Department of Computer Science and Engineering, the Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, Shenzhen, China
Title: Efficient Forward-Edge Control-Flow Integrity for COTS Binaries via Arm BTI
Abstract:
Control-Flow Integrity (CFI) has been widely recognized as an effective technique for mitigating control-flow hijacking attacks. However, many binary-level CFI approaches suffer from weaknesses in safeguarding forward edges, particularly for obfuscated binaries, due to the imprecision of binary analysis or heuristic algorithms. Moreover, these approaches often involve non-negligible overhead and are challenging to deploy, as they instrument plenty of code or employ hardware tracing to enforce the CFI policies. This paper introduces Mobius, the first complete implementation of a security-instruction-based, binary-only CFI solution on commercial processors. Mobius leverages the Branch Target Identification (BTI) technology in Armv8.5-A to safeguard the forward edges of binaries and shared libraries efficiently. It determines the forward-edge targets without false negatives and carefully instruments the bti instructions to conduct the CFI checking efficiently. Then, it mounts a runtime monitor to detect potential attacks. We deploy Mobius on an Alibaba Cloud server with Yitian 710 processors in practice without modifying the kernel or loader. Remarkably, Mobius successfully provides efficient protection for real-world applications, including obfuscated code, with marginal overhead (5.78% on SPEC2006).
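The abstract leans on one architectural rule: in a guarded page, an indirect branch sets PSTATE.BTYPE, and the instruction at the target must be a compatible bti landing pad or the core takes a Branch Target exception. The following Python model is an added example for this page, not Mobius code or any Arm reference implementation. It reproduces that rule (BLR requires bti c or bti jc; BR through a register other than X16/X17 requires bti j or bti jc; BR X16/X17 accepts any of the three) and then plays the binary-only instrumentation step: put a pad in front of every legitimate forward-edge target and nowhere else, so a hijacked function pointer aimed at a mid-function gadget faults. The sample program, labels and target sets are constructed; the model omits address fix-ups after insertion and the PACIASP/PACIBSP special case (they also count as bti c landing pads while SCTLR_ELx.BT is clear), and it takes "guarded" as a flag rather than deriving it from the page's GP bit and the ELF BTI property note the Linux loader keys on.

```python
# Added example: Python model of Arm BTI forward-edge checks (not Mobius code).

# PSTATE.BTYPE value an indirect branch leaves behind (Armv8.5-A BTI).
BTYPE_BR_X16_X17 = 0b01   # BR X16 / BR X17 (PLT stubs, veneers)
BTYPE_BLR = 0b10          # BLR Xn: indirect call through a function pointer
BTYPE_BR = 0b11           # BR Xn, n not 16/17: indirect jump (switch tables, tail calls)

# Landing pads each BTYPE accepts when the target lies in a guarded page.
COMPATIBLE = {
    BTYPE_BR_X16_X17: {"bti c", "bti j", "bti jc"},
    BTYPE_BLR: {"bti c", "bti jc"},
    BTYPE_BR: {"bti j", "bti jc"},
}


class BranchTargetException(Exception):
    """Where hardware would take a Branch Target exception."""


def btype_for(mnemonic, reg):
    """BTYPE produced by executing `mnemonic reg`."""
    if mnemonic == "blr":
        return BTYPE_BLR
    if mnemonic == "br":
        return BTYPE_BR_X16_X17 if reg in ("x16", "x17") else BTYPE_BR
    raise ValueError(f"{mnemonic} is not an indirect branch")


def land(program, guarded, mnemonic, reg, target):
    """Execute `mnemonic reg` with reg pointing at code label `target`.

    program maps a label (a code address) to the instructions stored there.
    Returns the instruction fetched at the target or raises BranchTargetException.
    """
    if target not in program:
        raise BranchTargetException(f"{target}: not a code address")
    first = program[target][0]
    if guarded and first not in COMPATIBLE[btype_for(mnemonic, reg)]:
        raise BranchTargetException(f"{target}: '{first}' is not a landing pad")
    return first


def instrument(program, call_targets, jump_targets=frozenset()):
    """Binary-only instrumentation: prepend a landing pad to every legitimate
    forward-edge target (entries reached by BLR, cases reached by BR) and leave
    all other addresses bare. Address shifting is a rewriter's job; labels stay
    symbolic here."""
    out = {}
    for label, insns in program.items():
        pad = None
        if label in call_targets and label in jump_targets:
            pad = "bti jc"
        elif label in call_targets:
            pad = "bti c"
        elif label in jump_targets:
            pad = "bti j"
        out[label] = ([pad] if pad else []) + list(insns)
    return out


def is_allowed(program, guarded, mnemonic, reg, target):
    """True if the branch lands without a Branch Target exception."""
    try:
        land(program, guarded, mnemonic, reg, target)
        return True
    except BranchTargetException:
        return False


# Constructed sample: a callback legitimately reached through a function pointer,
# a switch case reached by BR, and a mid-function gadget that an attacker who
# overwrote the pointer would like to reach.
SAMPLE = {
    "on_event": ["stp x29, x30, [sp, #-16]!", "mov x29, sp", "bl handle",
                 "ldp x29, x30, [sp], #16", "ret"],
    "case_1": ["mov w0, #1", "b epilogue"],
    "gadget": ["ldr x0, [sp, #8]", "ldr x1, [sp, #16]", "svc #0"],
}
LEGIT_CALLS = {"on_event"}
LEGIT_JUMPS = {"case_1"}

if __name__ == "__main__":
    hardened = instrument(SAMPLE, LEGIT_CALLS, LEGIT_JUMPS)
    for desc, prog, guarded in (("original", SAMPLE, False), ("hardened", hardened, True)):
        print(f"{desc}: blr->on_event {is_allowed(prog, guarded, 'blr', 'x8', 'on_event')}, "
              f"blr->gadget {is_allowed(prog, guarded, 'blr', 'x8', 'gadget')}")
```

Two of the model's outcomes are the ones worth checking against a real deployment: an unguarded page checks nothing, so instrumentation without the guarded mapping is decoration; and a guarded page containing an uninstrumented legitimate target faults on a benign call, which is why the abstract stresses determining forward-edge targets without false negatives.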
PaperID: 444,   
Authors:  Zefeng Lu, Ronghao Lin, Yap-Peng Tan, Haifeng Hu
Affiliations: School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China; School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore
Title: Prompt-Guided Transformer and MLLM Interactive Learning for Text-Based Pedestrian Search
Abstract:
Aiming to retrieve pedestrian images based on a textual description query, Text-Based Pedestrian Search (TBPS) has gained increasing attention due to its applications in security surveillance. As a fine-grained classification task, TBPS requires identifying images of individuals with different semantic contexts yet the same identity, as well as distinguishing images of individuals who share similar appearances but distinct identities. Consequently, TBPS is challenged by semantic variations in positive pairs and appearance similarity between negative pairs. To tackle these challenges, we propose the Prompt-guided Transformer and MLLM Interactive learning (PTMI) model to learn identity-discriminative representations across different modalities. PTMI consists of three components: the Prompt-guided Transformer (Promformer), MLLM Interactive Learning (MIL) and Dual-branch Cross-modal Learning (DCL). Firstly, the Promformer is designed to handle semantic variations in positive pairs by introducing learnable prompts of three types: instance-shared, instance-specific and layer-specific. Optimized by the Cross-modal Intra-class Consistency (CIC) loss, these prompts minimize intra-class variations and retrieve positive images with various semantics. Secondly, the MIL component is introduced to address appearance similarity between negative pairs by focusing on key image patches and description words filtered by the local discriminator. Powered by a Multimodal Large Language Model (MLLM), the local discriminator adopts soft attention to highlight important image regions and descriptive words, which preserves semantic information while emphasizing discriminative details. Lastly, the DCL integrates global and local branches to bridge modality discrepancies. The global branch employs the SDM loss for heterogeneous distribution alignment, while the local branch applies the Anchor-Based Contrastive (ABC) loss for instance-level contrastive learning. Unlike conventional contrastive loss, the ABC loss leverages MLLM features as anchors to decouple modality and semantic differences, enhancing alignment efficiency. Extensive experiments on three TBPS datasets have validated the effectiveness of PTMI.
PaperID: 445,   
Authors:  Tao Wang, Zhi-Ping Shi, Juan Yang, Sha Liu
Affiliations: National Key Laboratory of Wireless Communications, University of Electronic Science and Technology of China, Chengdu, China; School of Electronic Information and Automation, Guilin University of Aerospace Technology, Guilin, China
Title: Reed-Solomon-Based Private and Secure Distributed Matrix Multiplication From MDS-Coded Storage
Abstract:
The private and secure distributed matrix multiplication (PSDMM) problem has broad applications in fields such as finance, e-health, and machine learning. PSDMM introduces a public matrix library L and aims to securely compute the product of a private matrix with a matrix confidentially selected from L. In this setting, the user leverages the assistance of d server nodes to perform this computation while ensuring that no information about the private matrix or the index of the selected matrix is disclosed to colluding servers. In most prior works, L is stored in replicated form across the servers, resulting in significant storage inefficiency. This paper proposes the use of (d,K)-maximum distance separable (MDS) codes to encode the library and distribute it across the servers, thus enhancing storage efficiency. Building on this, the orthogonality property of Reed-Solomon (RS) codes and their dual codes is exploited to design PSDMM schemes that consistently achieve the optimal recovery threshold. Compared to existing MDS-coded storage PSDMM schemes, the proposed schemes offer lower decoding complexity, as the user only requires a single Lagrange interpolation during the decoding phase. Furthermore, to minimize download costs during the decoding phase, the subspace polynomial technique from RS code repair is introduced, resulting in a communication-efficient PSDMM (CE-PSDMM) scheme. Theoretical analysis shows that the CE-PSDMM scheme reduces the amount of data downloaded from each server compared to conventional PSDMM schemes.
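To make the storage claim concrete, here is an added Python example of the layer the abstract builds on: a library of K equally shaped matrices encoded with a systematic (d,K) Reed-Solomon code over a prime field and spread over d servers, so that each server holds one matrix's worth of data instead of the whole library, and any K responding servers recover the library with one Lagrange interpolation per entry. This is not the paper's PSDMM or CE-PSDMM scheme and does not implement the private multiplication, the dual-code orthogonality trick or the subspace-polynomial download saving; the prime P, the sample library and the server indices are assumptions made for the demonstration.

```python
# Added example (not the paper's scheme): (d, K) MDS-coded storage of a matrix
# library with a Reed-Solomon code and recovery from any K servers by Lagrange
# interpolation. Only the storage layer is modelled.

P = 2**31 - 1  # prime field for all arithmetic (assumption; the paper's field is not stated here)


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points`, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # pow(..., P-2, P) is 1/den (Fermat)
    return total


def encode_library(library, d):
    """Spread a library of K equally shaped matrices over servers 1..d.

    Per matrix entry, f is the degree-(K-1) polynomial with f(k) = library[k-1][r][c];
    server j stores f(j). Servers 1..K therefore hold the plain library (systematic
    code), servers K+1..d hold parity, and every server stores a single matrix
    rather than all K of them as replication would.
    """
    K = len(library)
    if d < K:
        raise ValueError("need at least K servers")
    rows, cols = len(library[0]), len(library[0][0])
    stored = {}
    for j in range(1, d + 1):
        stored[j] = [
            [lagrange_eval([(k + 1, library[k][r][c]) for k in range(K)], j) for c in range(cols)]
            for r in range(rows)
        ]
    return stored


def recover_library(responses, K):
    """Rebuild the K library matrices from the responses of any K servers.

    responses: {server_index: stored matrix}. Each entry needs one interpolation,
    evaluated back at the systematic positions 1..K. Fewer than K responses do not
    determine a degree-(K-1) polynomial (the MDS property), so that is rejected.
    """
    if len(responses) < K:
        raise ValueError(f"{len(responses)} responses, need {K}")
    servers = sorted(responses)[:K]
    rows, cols = len(responses[servers[0]]), len(responses[servers[0]][0])
    return [
        [[lagrange_eval([(j, responses[j][r][c]) for j in servers], k) for c in range(cols)]
         for r in range(rows)]
        for k in range(1, K + 1)
    ]


def can_recover(responses, K):
    """True if `responses` suffice to rebuild the library."""
    try:
        recover_library(responses, K)
        return True
    except ValueError:
        return False


# Constructed sample library: K = 3 small matrices, stored on d = 5 servers.
SAMPLE_LIBRARY = [
    [[1, 2], [3, 4]],
    [[5, 6], [7, 8]],
    [[9, 10], [11, 12]],
]

if __name__ == "__main__":
    stored = encode_library(SAMPLE_LIBRARY, d=5)
    survivors = {j: stored[j] for j in (2, 4, 5)}            # servers 1 and 3 unreachable
    print(recover_library(survivors, K=3) == SAMPLE_LIBRARY)  # True
```

With replication, every one of the d servers would hold all K matrices; with this code, the total stored volume is d matrices, at the cost of needing K responses rather than one. Real deployments use a field sized for the data (a 2^61-1 or 2^64-sized prime, or GF(2^8) for byte streams) rather than this 31-bit prime.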
PaperID: 446,   
Authors:  Ziyang Gao, Xianglong Li, Guan Wang, Tianfan Peng, Jingjing Chang, Yixin Yang, Hai-Bao Chen
Affiliations: Department of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; Beijing Institute of Astronautical Systems Engineering, Beijing, China; Department of Electronic Information and Electrical Engineering, National Key Laboratory of Science and Technology on Micro/Nano Fabrication, Shanghai Jiao Tong University, Shanghai, China
Title: CaS2M: A Calibrated Single-to-Multiple Framework for Real-World Partial Fingerprint Recognition
Abstract:
With the shrinking size of fingerprint collection modules in mobile devices, partial fingerprints are increasingly characterized by smaller overlapping areas and higher self-similarity. Existing methods either aggregate similarity scores from individual Single-to-Single recognition or directly employ a Single-to-Multiple network to verify the match between the query and templates. However, these methods either lack sufficient interaction between templates or fail to provide adequate supervision for the alignment process, a crucial step in fingerprint recognition, thereby limiting overall accuracy. In this paper, we propose a novel partial fingerprint recognition strategy termed Calibrated Single-to-Multiple (CaS2M), which first calibrates template fingerprints individually, then combines them with the query fingerprint in a matcher network for feature fusion. Building upon this strategy, we develop a dual-stage framework tailored to real-world applications. During enrollment, a lightweight patch-based feature indexing algorithm and a template selection strategy are employed to account for limited hardware resources. For authentication, independent calibration is first applied, followed by an attention-based matcher network to verify identity consistency. Experimental results on multiple public datasets (NIST 302, NIST SD4, SpoofGAN, FVC2002 DB1A & DB3A) and a self-built dataset demonstrate that our framework achieves superior performance over state-of-the-art algorithms, providing new insights for multi-template partial fingerprint recognition.
PaperID: 447,   
Authors:  Jie Meng, Zhenyong Zhang, Hengye Zhu, Zeyu Yang, Ruilong Deng, Peng Cheng, Jianying Zhou
Affiliations: State Key Laboratory of Industrial Control Technology and the College of Control Science and Engineering, Zhejiang University, Hangzhou, China; State Key Laboratory of Public Big Data and the College of Computer Science and Technology, Guizhou University, Guiyang, China; iTrust, Singapore University of Technology and Design, Tampines, Singapore
Title: SSTAF: Security Settings-Based Threat Assessment Framework of Programmable Logic Controllers
Abstract:
Industrial control systems (ICSs) govern the production activities of various critical infrastructures, where programmable logic controllers (PLCs) are essential devices for controlling industrial processes. However, PLCs have many vulnerabilities and might be configured inappropriately. With the trend of PLCs connecting to the Internet, such weaknesses will lead to various cyberattacks and have prompted many studies on threat assessment for PLCs. Previous research has ignored PLCs’ security settings, such as operating mode and read/write authentication, which are general security functionalities that significantly affect PLCs’ security. In this paper, we make the first attempt to propose a security settings-based threat assessment framework (SSTAF) to assess PLCs’ security. SSTAF consists of SScanner, a novel scanner that automatically extracts the real-time configurations of security settings from PLCs, and threat assessment criteria, which serve to assess the appropriateness of PLC configurations and analyze the risk levels of attacks based on PLCs’ security settings. Subsequently, using SSTAF, we implement an Internet-wide threat assessment for PLCs exposed to the Internet. We deploy SScanner on the Internet and interact with 41K ICS devices in cyberspace to acquire their security-setting configurations. Based on the scanning results and the threat assessment criteria, we reveal that 93.32% of PLCs have not appropriately configured their security settings. Additionally, each PLC might be subject to 4.96 attacks on average, of which 3.32 attacks are due to inappropriate configurations of security settings.
PaperID: 448,   
Authors:  Wenbo Yu, Hao Fang, Bin Chen, Xiaohang Sui, Chuan Chen, Hao Wu, Shu-Tao Xia, Ke Xu
Affiliations: Tsinghua Shenzhen International Graduate School, Tsinghua University, Shenzhen, Guangdong, China; School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, Guangdong, China; Shenzhen ShenNong Information Technology Company Ltd., Shenzhen, Guangdong, China; Department of Computer Science and Technology, Tsinghua University, Beijing, China
Title: GI-NAS: Boosting Gradient Inversion Attacks Through Adaptive Neural Architecture Search
Abstract:
Gradient Inversion Attacks invert the transmitted gradients in Federated Learning (FL) systems to reconstruct the sensitive data of local clients and have raised considerable privacy concerns. A majority of gradient inversion methods rely heavily on explicit prior knowledge (e.g., a well pre-trained generative model), which is often unavailable in realistic scenarios. This is because real-world client data distributions are often highly heterogeneous, domain-specific, and unavailable to attackers, making it impractical for attackers to obtain perfectly matched pre-trained models, which inevitably suffer from fundamental distribution shifts relative to target private data. To alleviate this issue, researchers have proposed to leverage the implicit prior knowledge of an over-parameterized network. However, they only utilize a fixed neural architecture for all the attack settings. This would hinder the adaptive use of implicit architectural priors and consequently limit the generalizability. In this paper, we further exploit such implicit prior knowledge by proposing Gradient Inversion via Neural Architecture Search (GI-NAS), which adaptively searches the network and captures the implicit priors behind neural architectures. Extensive experiments verify that our proposed GI-NAS can achieve superior attack performance compared to state-of-the-art gradient inversion methods, even under more practical settings with high-resolution images, large-sized batches, and advanced defense strategies. To the best of our knowledge, we are the first to successfully introduce NAS to the gradient inversion community. We believe that this work exposes critical vulnerabilities in real-world federated learning by demonstrating high-fidelity reconstruction of sensitive data without requiring domain-specific priors, forcing urgent reassessment of FL privacy safeguards. The source code is available at https://github.com/cswbyu/GI-NAS
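The abstract assumes the reader knows why a shared gradient leaks training data in the first place. The added Python example below, which is not the paper's GI-NAS method, shows the closed-form leak for a fully connected layer y = W x + b: whatever the loss, the gradient with respect to W is the outer product g x^T with g = dL/dy, and the gradient with respect to b is g itself, so a server holding a single-sample gradient reads x off as one row of dL/dW divided by the matching entry of dL/db. It then shows the failure mode that drives the optimization-based attacks the abstract describes: with a batch, the uploaded gradient is a sum over samples and the same ratio returns a g-weighted mixture rather than any client record. The layer weights, the MSE loss, the inputs and the targets are constructed for the demonstration.

```python
# Added example (not GI-NAS): closed-form gradient leakage for one linear layer,
# and why it breaks for batches. Everything below is constructed for illustration.

# Fixed fully connected layer y = W x + b with 4 inputs and 2 outputs (constructed).
W = [[0.5, -0.25, 0.125, 0.0625],
     [-0.3, 0.2, 0.1, 0.4]]
B = [0.1, -0.1]


def linear_forward(W, b, x):
    """y = W x + b."""
    return [sum(wij * xj for wij, xj in zip(row, x)) + bi for row, bi in zip(W, b)]


def mse_gradients(W, b, batch):
    """What an FL client uploads: dL/dW and dL/db for L = 0.5 * sum((y - t)^2),
    summed over the batch [(x, t), ...]. With g = y - t: dL/dW = g x^T, dL/db = g."""
    n_out, n_in = len(W), len(W[0])
    gW = [[0.0] * n_in for _ in range(n_out)]
    gb = [0.0] * n_out
    for x, t in batch:
        g = [yi - ti for yi, ti in zip(linear_forward(W, b, x), t)]
        for i in range(n_out):
            gb[i] += g[i]
            for j in range(n_in):
                gW[i][j] += g[i] * x[j]
    return gW, gb


def invert_single_sample(gW, gb, eps=1e-12):
    """Server side. For one sample, row i of dL/dW is g_i * x and dL/db[i] is g_i,
    so x = gW[i] / gb[i] for any output i whose gradient does not vanish. Applied
    to a batch gradient, the same ratio yields a g-weighted mixture of the samples.
    Returns None when every output gradient is (numerically) zero."""
    for i, gbi in enumerate(gb):
        if abs(gbi) > eps:
            return [gij / gbi for gij in gW[i]]
    return None


def max_abs_diff(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


# Constructed "private" inputs (think four normalised pixels) and a shared target.
X1, X2 = [0.0, 0.25, 0.5, 0.75], [1.0, 0.75, 0.5, 0.25]
T = [1.0, 0.0]


def leak_demo():
    """Reconstruction error for batch size 1 (exact) and batch size 2 (neither sample)."""
    rec1 = invert_single_sample(*mse_gradients(W, B, [(X1, T)]))
    rec2 = invert_single_sample(*mse_gradients(W, B, [(X1, T), (X2, T)]))
    return {
        "recovered_single": rec1,
        "single_error": max_abs_diff(rec1, X1),
        "batch_errors": [max_abs_diff(rec2, X1), max_abs_diff(rec2, X2)],
    }


if __name__ == "__main__":
    print(leak_demo())
```

The closed form needs a layer whose input is the data itself and a batch of one; deep networks, large batches and gradient perturbation defenses all remove it, which is exactly the regime in which the abstract positions GI-NAS. Averaging gradients over a batch is therefore a mitigation against this specific leak but, as the paper's setting shows, not against inversion in general.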
PaperID: 449,   
Authors:  Zeyu Li, Yipeng Wang, Xuebin Wang, Haoting Liu, Jiapeng Zhao, Jinqiao Shi
Affiliations: School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; College of Computer Science, Beijing University of Technology, Beijing, China; Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China
Title: Proxied Traffic Fingerprinting for Hidden Service De-Anonymization With Burst Reshaping
Abstract:
Traffic fingerprinting attacks are a promising approach for Tor hidden service (HS) de-anonymization. However, it is inherently difficult to acquire traffic of target HSs (HST) for fingerprinting model training, because the physical location of the services is hidden by the design of the Tor protocol. To solve this problem, alternatives such as mirrored HST (MHST) and client-side HST (CHST) have been proposed for training fingerprinting models. These alternatives are easy to acquire and aim to closely match the characteristics of the target HST. However, they cannot perfectly replace the target HST in terms of both response and protocol consistency. In this paper, we propose a proxied fingerprinting approach called PF. A Proxy HS is deployed to acquire proxied HS traffic (PHST) as an alternative for conducting traffic fingerprinting attacks, which satisfies both response and protocol consistency and is easy to acquire. To mitigate the impact introduced by the Proxy HS, PF also introduces Burst Reshaping, which includes burst reconstruction and pseudo-label learning to enhance the similarity between PHST and target HST. Experiments show that PHST is a superior alternative to target HST: the fingerprinting model trained using PF achieved an accuracy of 92.2%, surpassing the models trained with MHST and CHST by 72% and 34%, respectively. Additionally, PF is an add-on approach capable of improving the HS de-anonymization effectiveness of any fingerprinting model architecture. The source code and dataset are available at https://github.com/Lzreal/BurstReshapedPHST
PaperID: 450,   
Authors:  Junxian Shi, Linning Peng, Lingnan Xie, Hua Fu, Aiqun Hu
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Information Science and Engineering, Southeast University, Nanjing, China
Title: An SNR-Aware Feature Reconstruction Method in Radio Frequency Fingerprint Identification
Abstract:
The radio frequency fingerprint (RFF) has gained significant traction in the identification of wireless Internet of Things (IoT) devices. However, RFFs extracted from wireless signals are inherently susceptible to noise, particularly for narrowband signals. Furthermore, the noisy domain adaptation (NDA) problem presents a substantial challenge for RFF identification due to the variable noise interference across different noisy domains. To address this, the squared cross power spectral density (SCPSD) is derived theoretically as a new device RFF and expressed as a function of signal-to-noise ratio (SNR). Combined with the proposed high-precision SNR estimation algorithm, SCPSDs under low SNR can be reconstructed to the same feature distribution as those under high SNR. Because of this interpretability, ten samples under high SNR from each device under test (DUT) and a shallow convolutional neural network (CNN) are used for training in the experimental evaluation of the NDA problem. Tested on 60 off-the-shelf ZigBee DUTs, the improvement in identification accuracy is around 26% for SNRs between 5 dB and 10 dB, and the overall improvement is more than 20% compared to the baseline. It outperforms the three other compared methods across all testing SNRs and is highly practical.
PaperID: 451,   
Authors:  Si-Miao Gao, Pengcheng Wang, Jia-Ju Bai, Jia-Wei Yu, Haizhou Wang
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; School of Cyber Science and Engineering, Sichuan University, Chengdu, China
Title: Detecting Lifecycle-Related Concurrency Bugs in ROS Programs via Coverage-Guided Fuzzing
Abstract:
Robot Operating System (ROS) is very popular in robotic software development. To ease the process management of ROS programs, ROS provides a special lifecycle mechanism that conveniently manages the state of each running process, which often involves resource allocation, initialization, and release; this mechanism has been widely used in real-world ROS programs. However, due to the code concurrency of ROS programs, a lifecycle-related function is inevitably executed concurrently with other functions, introducing the security risk of dangerous concurrency bugs such as null-pointer dereferences and use-after-free. Due to the non-determinism of thread scheduling, these concurrency bugs are difficult to find and reproduce. In this paper, we design and implement a new coverage-guided fuzzing framework named ROCF, which can effectively detect and reproduce lifecycle-related concurrency bugs in ROS programs, with two novel techniques. First, we propose a lifecycle-aware fuzzing approach that uses the lifecycle pair sequence as a new coverage metric to effectively describe lifecycle-related thread interleavings, for input-mutation guidance of ROS concurrency fuzzing. Second, we propose a heuristic-based reproducing method that identifies minimal input sequences that can stably and efficiently reproduce the found concurrency bugs, with strategic input pruning and delay injection. We evaluate ROCF on eight popular robotic programs in ROS2, and it finds 32 new and real concurrency bugs, all of which have been confirmed by ROS developers, and 19 of which have been assigned CVE IDs.
PaperID: 452,   
Authors:  Yibo Zhang, Weiguo Lin, Zhihong Tian, Geyong Min, Junfeng Xu, Yikun Xu
Affiliations: School of Computer and Cyber Sciences, Communication University of China, Beijing, China; Cyberspace Institute of Advanced Technology, Guangdong Key Laboratory of Industrial Control System Security, and Huangpu Research School, Guangzhou University, Guangzhou, China; Department of Computer Science, University of Exeter, Exeter, U.K.
Title: Robust and Unstigmatized Imperceptible Perturbations for Rendering Face Manipulation Ineffective
Abstract:
The widespread adoption of face manipulation systems has brought entertainment and convenience to users while posing significant challenges to media forensics. Conventional active defense strategies typically generate adversarial images by introducing perturbations into the original images. When adversarial images undergo facial manipulation, they often exhibit distortions or speckle artifacts, which helps reduce the dissemination of forged content on social media platforms. Nevertheless, the widespread dissemination of degraded images may contribute to facial stigmatization. Furthermore, conventional perturbation techniques are vulnerable to failure under JPEG compression and various image processing operations on OSN platforms. To address these challenges, we introduce a robust and unstigmatized imperceptible perturbation (RUIP) method designed to counteract face manipulation. First, RUIP utilizes an end-to-end adversarial training framework to generate robust and imperceptible perturbations. Second, to mitigate facial stigmatization, we incorporate both pixel-level and feature-level guidance losses during training, ensuring that the output images remain visually natural and closely aligned with the original images. Finally, we develop a novel module, the Flexible Random Enhancement Generator (FREG), to simulate complex JPEG compression and diverse image processing operations on OSN platforms, enhancing the model’s robustness against perturbations. Extensive qualitative and quantitative experiments demonstrate that the proposed method effectively defends against face manipulation attacks while preserving the visual quality of facial images under JPEG compression and other image processing operations on OSN platforms. We propose an effective and unstigmatized defense algorithm to safeguard privacy and maintain the stability of the social media ecosystem. Code is available at https://github.com/silencecmsj/RUIP
PaperID: 453,   
Authors:  Jun Wang, Benedetta Tondi, Mauro Barni
Affiliations: Department of Information Engineering and Mathematics, University of Siena, Siena, Italy
Title: BOSC: A Backdoor-Based Framework for Open Set Synthetic Image Attribution
Abstract:
With the continuous progress of AI technology, new generative architectures continuously appear, thus driving the attention of researchers towards the development of synthetic image attribution methods capable of working in open-set scenarios. Existing approaches focus on extracting highly discriminative features for closed-set architectures, increasing the confidence of the prediction when the samples come from closed-set models/architectures, or estimating the distribution of unknown samples, i.e., samples from unknown architectures. In this paper, we propose a novel framework for open set attribution of synthetic images, named BOSC (Backdoor-based Open Set Classification), that relies on backdoor injection to design a classifier with rejection option. BOSC works by deliberately including class-specific triggers inside a portion of the images in the training set to induce the network to establish a matching between in-set class features and trigger features. The behavior of the trained model with respect to samples containing a trigger is then exploited at inference time to perform sample rejection using an ad-hoc score. Experiments show that the proposed method has good performance, always surpassing the state-of-the-art. Robustness against image processing is also very good. Although we designed our method for the task of synthetic image attribution, the proposed framework is a general one and can be used for other image forensic applications.
PaperID: 454,   
Authors:  Weiliang Chen, Qianqian Ren, Yong Liu, Jianguo Sun, Feng Lin
Affiliations: Department of Computer Science and Technology, Heilongjiang University, Harbin, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, China; Department of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: Adversarial Self-Supervised Learning for Secure and Robust Urban Region Profiling
Abstract:
Urban region profiling is essential for forecasting and decision-making in dynamic and noisy urban environments. However, existing approaches struggle with adversarial attacks, data incompleteness, and security vulnerabilities, which undermine predictive accuracy and reliability. This paper introduces Enhanced Urban Region Profiling with Adversarial Self-Supervised Learning (EUPAS), a robust framework that integrates adversarial contrastive learning with self-supervised and supervised objectives. To fortify resilience against adversarial attacks and noisy data, we introduce perturbation augmentation, a trickster generator, and a deviation copy generator, which collectively enhance the robustness of learned embeddings. EUPAS significantly outperforms state-of-the-art models in forecasting tasks, including crime prediction, check-in prediction, and land usage classification, achieving up to 12.2% improvement in forecasting performance. Additionally, our model demonstrates superior resilience against transfer-based black-box and white-box attacks compared to baseline models. By addressing key security challenges in data-driven urban modeling, EUPAS provides a scalable and adversarially robust solution for smart city applications.
PaperID: 455,   
Authors:  Zhi Li, Chaozhuo Li, Feiran Huang, Xi Zhang, Jian Weng, Philip S. Yu
Affiliations: Cyber Security, Jinan University, Guangzhou, China; Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, Beijing, China; National Joint Engineering Research Center of Network Security Detection and Protection Technology, Jinan University, Beijing, China; Department of Computer Science, University of Illinois at Chicago, Chicago, IL, USA
Title: LapGLP: Approximating Infinite-Layer Graph Convolutions With Laplacian for Federated Recommendation
Abstract:
Recommender systems (RSs) have become crucial in helping users navigate the vast amount of online content available today. Graph neural networks (GNNs) have been applied to RSs to capture complex user–item relationships, but existing methods compromise privacy or require centralized data storage. Current works attempt to perform GNN-based RSs under federated learning settings to prevent privacy leakage. However, these works need to perform explicit graph propagation during training, which still introduces potential privacy leakage and data collusion. To address these challenges, we propose a Laplacian-based model called Laplacian graded link prediction (LapGLP) that leverages infinite graph propagation with a constant weight matrix. Instead of actually performing infinite graph propagation, the model abstracts the underlying relations between embeddings after propagation with a weighted minimum squared error problem. Furthermore, we propose a federated framework named FedLapGLP to improve privacy in federated GNN-based RSs, which splits the objective loss function into independent parts that are calculated by each user. Experimental comparisons with state-of-the-art federated RS methods demonstrate the advantages of our proposed approach in terms of high-order connectivity, comprehensive graph information, social relations, full-interaction protection, collusion resistance, and user-embedding protection. The implementation of the proposed framework is available at https://github.com/Limhady/LapGLP
PaperID: 456,   
Authors:  Kang Liu, Qizhi Zhang, Yuan Zhang, Yu Lin, Quanwei Cai, Jue Hong, Ye Wu, Sheng Zhong
Affiliations: State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; ByteDance Inc., Shenzhen, China; ByteDance Inc., Beijing, China
Title: Toward Efficient and Secure Collaborative SQL Analyses of Billion-Scale Datasets
Abstract:
Designing an efficient and secure collaborative SQL analysis system that supports large-scale dataset inputs is a very challenging task. In this paper, we present FedQuery, an MPC-based solution for efficient and secure collaborative analysis that is able to handle billion-scale dataset inputs. FedQuery introduces novel designs in its system architecture, the underlying MPC primitives, and oblivious SQL operators as well as their combinations, significantly reducing communication and computation overhead. Comprehensive experiments on real-world datasets show that FedQuery achieves large performance improvements over state-of-the-art baselines at both the operator and query levels. Additionally, it can handle complex SQL queries on datasets up to ten billion entries in less than 14 hours.
PaperID: 457,   
Authors:  Shichang Guo, Yuanyu Zhang, Jiayi Guo, Shuangrui Zhao, Ji He, Yulong Shen, Xiaohong Jiang
Affiliations: School of Computer Science and Technology, Xidian University, Xi’an, Shaanxi, China; School of Systems Information Science, Future University Hakodate, Hakodate, Hokkaido, Japan
Title: A High-Entropy Physical Layer Key Generation Scheme for 5G Systems
Abstract:
The fifth-generation mobile communication technology (5G) supports wireless data transmission across civil, commercial, industrial, and even military networks, where vast amounts of private data are constantly transmitted. However, the open nature of the air interface in 5G systems makes them vulnerable to various attacks. Physical-layer key generation (PKG) has been recognized as a highly promising technology for ensuring data security in 5G systems, but existing PKG schemes achieve low key entropy (i.e., low key randomness) due to poor channel probing and quantization. In this paper, we propose a PKG scheme with high key entropy, tailored to the unique characteristics of 5G systems. First, we design a channel probing method based on the demodulation reference signal in accordance with 5G standards, enhancing the similarity between channel measurements. Next, we introduce a quantization method based on local increment and monotonicity, which effectively leverages channel characteristics to achieve high-speed key generation and improve key entropy. Finally, we use both MATLAB simulation and real-world channel measurements to achieve comprehensive verification of the proposed scheme. The simulation results showed that the proposed scheme increases the key entropy by at least 25% with nearly the same key generation rate compared with existing PKG schemes for 5G systems. The experiment using real-world channel measurements also confirmed that the proposed scheme has higher key entropy.
PaperID: 458,   
Authors:  Zhiyuan Wang, Yanxiang Chen, Yuanzhi Yao, Meng Han, Wenpeng Xing, Meng Li
Affiliations: School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, China; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; Binjiang Institute of Zhejiang University, Hangzhou, China
Title: IDCNet: Image Decomposition and Cross-View Distillation for Generalizable Deepfake Detection
Abstract:
Existing deepfake detectors predominantly process entire facial images as input, which limits their sensitivity to local forgery cues due to representation bias and information loss through CNN feature aggregation. To address these limitations, we propose IDCNet, a novel deepfake detection framework based on image decomposition and cross-view distillation. Our key insight is that decomposing images into complementary views enables specialized processing of global and local forgery cues, while cross-view distillation facilitates their mutual enhancement. Specifically, the framework employs a lightweight U-Net generator with a dual-objective mechanism to decompose input images into global content and local detail views, optimized through reconstruction and classification losses. A cross-view distillation strategy is then applied to enhance complementary feature learning between views. Furthermore, to integrate local artifact information into existing detection models without architectural modifications, we propose a feature alignment method. Extensive experiments across 14 forgery methods demonstrate the effectiveness of our approach, achieving up to 4.4% AUC improvement on the CDFV2 dataset compared to state-of-the-art methods. The source code is available at: https://github.com/wangzhiyuan120/idcnet
PaperID: 459,   
Authors:  Fucai Luo, Jiahui Wu, Jinglong Luo
Affiliations: School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou, China; Department of New Networks, Pengcheng Laboratory, Shenzhen, China; Network Intelligence Department, Harbin Institute of Technology Shenzhen and the Pengcheng Laboratory, Shenzhen, China
Title: Vulnerabilities in SVHFL: Toward Secure and Verifiable Hybrid Federated Learning
Abstract:
Federated learning (FL) emerges as a promising collaborative framework within the field of machine learning (ML), offering the potential to train ML models on sensitive real-world data while maintaining data privacy. The primary security concerns surrounding FL, particularly the protection of local gradients’ privacy and ensuring the correctness of aggregated gradients, have attracted growing attention in both industry and academia. Recently, Du et al. proposed SVHFL, a secure and verifiable hybrid FL system. In this context, the term “secure” means that SVHFL functions as a privacy-preserving federated learning (PPFL) system, capable of protecting the privacy of local gradients from being learned by the server (i.e., the aggregator) and the clients, and “verifiable” implies that SVHFL can achieve aggregation verification, i.e., it guarantees the correctness of aggregated gradients returned by the server. However, in this article, we propose two attacks that compromise SVHFL, demonstrating that SVHFL cannot protect the privacy of local gradients from being learned by the server and the clients. We analyze the internal causes of these privacy breaches in SVHFL and propose alternative solutions to prevent such privacy leaks. We hope that the exposure of these security vulnerabilities will act as a catalyst to prevent similar incidents from occurring in the future design of PPFL systems.
PaperID: 460,   
Authors:  Yang Luo, Qingni Shen, Zhonghai Wu
Affiliations: School of Software and Microelectronics, Peking University, Beijing, China
Title: PERM: Streamlining Cloud Authorization With Flexible and Scalable Policy Enforcement
Abstract:
Authorization is a key component of cloud security. However, the differences in access control mechanisms in heterogeneous cloud environments bring many challenges to cloud users, such as the need to learn multiple policy languages and the difficulty in implementing unified access control across clouds. To address these issues, this paper proposes a new access control policy language called PERM, which achieves flexible support for various fine-grained access control models by separating authorization logic from specific policy rules, and significantly reduces the complexity of policy definition. In addition, we also design a distributed PERM enforcement framework named List-Leafed Decision Tree (L2DT), which leverages a list-tree structure and distributed key-value storage to achieve efficient policy storage and execution. We implement prototypes of PERM and L2DT based on Java and Python, and conduct comprehensive evaluations using OpenStack and XACML datasets. Experimental results show that L2DT can achieve scalable policy execution with small latency overhead (an average of 8.63% in the OpenStack scenario and 5.45% in the XACML scenario). The research in this paper provides new ideas for building flexible, efficient, and scalable access control mechanisms in cloud environments.
PaperID: 461,   
Authors:  Fei Zhu, Lin You, Jixiang Wang, Lei Li
Affiliations: School of Cyberspace Security, Hangzhou Dianzi University, Hangzhou, China
Title: Short-HotStuff: Two-Chain BFT Algorithm With Linear Complexity and Optimistic Responsiveness
Abstract:
HotStuff is a pipelined Byzantine Fault Tolerance (BFT) algorithm that has the good properties of both linear communication complexity and optimistic responsiveness. However, its three-chain model has poor robustness against performance attacks, particularly the forking attack. Some recent works have employed the two-chain model to enhance the robustness, but they either lose the optimistic responsiveness or introduce high latency. In our work, we present Short-HotStuff, a two-chain BFT algorithm with linear communication complexity and optimistic responsiveness. In the two-chain model without waiting for a maximum network delay, the leader has to convince the other nodes that its proposed block is on a safe path when the previous leader fails; otherwise, the hidden lock will cause a liveness issue. Contrary to some existing BFT algorithms that rely on broadcasting multiple Quorum Certificates (QCs) or introduce extra phases, our Short-HotStuff requires the leader to broadcast the highest QC together with constant-size evidence formed by a threshold signature; this evidence proves that its proposed block is indeed extended from a safe path. We have conducted experiments to compare our Short-HotStuff with HotStuff, Marlin and Fast-HotStuff. The results indicate that compared with HotStuff, Short-HotStuff achieves a 35% reduction in average latency without the leader failing, and doubles the average throughput in the face of forking attacks. In the event of the leader failing, the average latency of Short-HotStuff is reduced by 43% and 82% respectively compared with Marlin and Fast-HotStuff.
PaperID: 462,   
Authors:  Yaoyao Zhong, Weilong Chai, Libin Wang, Dandan Zheng, Huiyuan Fu, Huadong Ma
Affiliations: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; Ant Group Co., Ltd., Hangzhou, China
Title: RegPalm: Toward Large-Scale Open-Set Palmprint Recognition by Reducing Pattern Variance
Abstract:
Despite the recent significant progress in palmprint recognition, there are still challenges in scaling up this technology for real-world scenarios. One major challenge in developing practical, highly accurate recognition models is the shortage of comprehensive public datasets that can be used to evaluate performance at extremely low false accept rates (FAR). Furthermore, obtaining high-precision recognition models is greatly hindered by pattern variance, a notable challenge with the palmprint modality given the current technology pipeline. To address the above problems, we first collect a palmprint dataset, WebPalm, that contains the largest number of identities as well as images that have been disclosed so far. To reduce pattern variance, we propose RegPalm, a novel framework that unifies palmprint orientations (UPO) and learns pairwise spatial registration of palmprints (PPR) in an end-to-end manner. UPO harmonizes the pattern variance between left and right orientations, hence enhancing the network’s perceptual capabilities. PPR decreases both inter-class and intra-class pattern variance to improve the model’s ability to recognize hard examples. RegPalm reinforces the model by discriminating subtle palmprint features, thereby improving its performance under extremely low FAR. RegPalm not only surpasses the current state-of-the-art by 9.3 percentage points (pp) and 12.2 pp in TAR@FAR=1e-6 under the 1:1 and 1:3 open-set protocols, respectively, but also consistently achieves a 16 pp improvement in TAR@FAR=1e-9 on the WebPalm benchmark. The experimental results fully reveal the practicability and superiority of RegPalm in the real world.
PaperID: 463,   
Authors:  Ruida Xi, Zhenyang Fu, Nianchang Huang, Xiaowei Zhao, Qiang Zhang, Jungong Han
Affiliations: State Key Laboratory of Electromechanical Integrated Manufacturing of High-Performance Electronic Equipments and the Center for Complex Systems, School of Mechano-Electronic Engineering, Xidian University, Xi’an, Shaanxi, China; Department of Automation, Tsinghua University, Beijing, China
Title: CSANet: Cross-Modality Self-Paced Association Network for Unsupervised Visible-Infrared Person Re-Identification
Abstract:
For preeminent unsupervised visible-infrared person re-identification (US-VI-ReID), existing studies typically adhere to a two-step paradigm, i.e., intra-modality clustering and inter-modality matching. Nevertheless, high intra-modality variations may result in suboptimal clusters containing intricate pedestrians, while significant inter-modality discrepancies further complicate their cross-modality associations. Most existing methods fail to adopt a differentiated approach for samples of varying difficulty, especially intricate ones. To address this, we propose enabling the model to gradually establish cross-modality associations from easy to hard, mimicking human learning patterns to avoid error accumulation caused by intricate pedestrians. To this end, we propose a Cross-modality Self-paced Association Network, termed CSANet, embracing Twain Bipartite Graph Matching (TBGM), Cross-curriculum Association Prompter (CAP) and Instance-Prototype Consistency Constraint (IPCC) modules. TBGM conceives a graph-driven metric to tailor a three-level curriculum (plain, moderate and intricate) for self-paced cross-modality learning. CAP transfers high-confidence associations deduced from the plain subsets to intricate ones, prompting the exploration of more complex cross-modality relationships. Alongside CAP, IPCC further enforces the intricate instances to mimic their prototype characteristics, facilitating their discriminative feature learning. Extensive experiments demonstrate CSANet’s superiority over state-of-the-art methods, highlighting the potential of self-paced learning for US-VI-ReID.
PaperID: 464,   
Authors:  Hua Shen, Caigang Yu, Willy Susilo, Yitao Chen, Mingwu Zhang
Affiliations: School of Computer Science, Hubei University of Technology, Wuhan, China; Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia; Wuhan Maritime Communication Research Institute, Wuhan, China
Title: An Efficient Graph Encryption Scheme Supporting Shortest Path Fuzzy Queries
Abstract:
Graph encryption is a form of searchable encryption that enables a cloud server to handle private queries on graphs. Ghosh, Kamara, and Tamassia (ASIA CCS 2021) proposed the first graph encryption scheme (GES) that supports single-pair shortest path (SPSP) queries. This means that given two vertices in a graph, the scheme can return the shortest path between them. In traditional SPSP queries, clients are required to provide complete and precise information about their departure and destination points. However, in real-life situations, individuals often only have a general idea of their intended locations, lacking specific details. To address this issue, we introduce a new type of SPSP query known as the SPSP fuzzy query, which accommodates this uncertainty. In addition, we propose PathFQ-GES, an efficient graph encryption scheme that supports both conventional SPSP queries and the new SPSP fuzzy queries. PathFQ-GES utilizes a novel data structure along with the SP-matrix (ASIA CCS 2021) to effectively perform these query functions while maintaining adaptive security based on the defined leakage profile of PathFQ-GES. We take a method that executes the GKT scheme multiple times for SPSP fuzzy queries as the baseline and have experimentally validated the performance of PathFQ-GES on nine real-world datasets. The results show that PathFQ-GES can effectively handle the proposed SPSP fuzzy queries. It can achieve a decrease of over 50% in response time compared to the baseline.
PaperID: 465,   
Authors:  Yixuan Li, Xuelin Liu, Xiaoyang Wang, Bu-Sung Lee, Shiqi Wang, Anderson Rocha, Weisi Lin
Affiliations: College of Computing, City University of Hong Kong, Kowloon Tong, SAR, Hong Kong; School of Computing and Artificial Intelligence, Jiangxi University of Finance and Economics, Nanchang, Jiangxi, China; College of Computing and Informatics, Drexel University, Philadelphia, PA, USA; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Artificial Intelligence Laboratory (Recod.ai), University of Campinas, Campinas, Brazil
Title: FakeBench: Probing Explainable Fake Image Detection via Large Multimodal Models
Abstract:
The ability to distinguish whether an image is generated by artificial intelligence (AI) is a crucial ingredient in human intelligence, usually accompanied by a complex and dialectical forensic and reasoning process. However, current fake image detection models and databases focus on binary classification without understandable explanations for the general populace. This weakens the credibility of authenticity judgment and may conceal potential model biases. Meanwhile, large multimodal models (LMMs) have exhibited immense vision-language capabilities on various tasks, bringing the potential for explainable fake image detection. Therefore, we pioneer the probing of LMMs for explainable fake image detection by presenting a multimodal database encompassing descriptions of textual authenticity, the FakeBench. For construction, we first introduce a fine-grained taxonomy of generative visual forgery concerning human perception, based on which we collect forgery descriptions in human natural language with a human-in-the-loop strategy. FakeBench examines LMMs with four evaluation criteria: detection, reasoning, explanation and fine-grained forgery analysis, to obtain deeper insights into image authenticity-relevant capabilities. Experiments on various LMMs confirm their merits and demerits in different aspects of fake image detection tasks. This research presents a paradigm shift towards transparency for the fake image detection area and reveals the need for greater emphasis on forensic elements in visual-language research and AI risk control. FakeBench will be available at https://github.com/Yixuan423/FakeBench
PaperID: 466,   
Authors:  Wen Wu, Jiankuo Dong, Zhen Xu, Zhenjiang Dong, Dung Hoang Duong, Fu Xiao, Jingqiang Lin
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia; School of Cyber Security, University of Science and Technology of China, Hefei, China
Title: Symphony of Speeds: Harmonizing Classic McEliece Cryptography With GPU Innovation
Abstract:
The Classic McEliece key encapsulation mechanism (KEM), a candidate in the fourth-round post-quantum cryptography (PQC) standardization process by the National Institute of Standards and Technology (NIST), stands out for its conservative design and robust security guarantees. Its deployment is impeded by exceptionally large public and secret keys. Modern GPUs offer abundant parallelism and global memory, making them well suited to such key sizes and to high-throughput cryptographic workloads. However, there has not been a systematic implementation of Classic McEliece on GPU platforms. This paper presents the first high-performance implementation of Classic McEliece on NVIDIA GPUs. Firstly, we present the first GPU-based implementation of Classic McEliece, utilizing a “CPU-GPU” heterogeneous approach and a kernel fusion strategy. We significantly reduce global memory accesses, optimizing memory access patterns. This results in encapsulation and decapsulation performance of 28,628,195 ops/s and 3,051,701 ops/s, respectively, for McEliece348864. Secondly, core operations such as the Additive Fast Fourier Transform (AFFT) and the Transpose AFFT (TAFFT) are optimized. We introduce the concept of the (T)AFFT stepping chain and propose two universal schemes: Memory Access Stepping Strategy (MASS) and Layer-Fused Memory Access Stepping Strategy (LFMASS), which achieve a speedup of 30.56% and 38.37%, respectively, compared to the native GPU-based McEliece6960119 implementation. Thirdly, extensive experiments on the NVIDIA RTX4090 show significant performance gains, achieving up to 344× higher encapsulation and 125× higher decapsulation compared to the official CPU-based AVX implementation, decisively outperforming existing ARM Cortex-M4 and FPGA implementations.
PaperID: 467,   
Authors:  Xiaoyu Cheng, Fei Tong, Zhe Zhou, Fang Jiang, Hongyu Wang, Guang Cheng, Yuxing Mao
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu, China; Nanjing Unipower Information Technology Company Ltd., Nanjing, China; State Key Laboratory of Power Transmission Equipment Technology, Chongqing University, Chongqing, China
Title: SCSGuardian: A Practical Hardware Defense Against Speculative Cache Side-Channel Attacks
Abstract:
Speculative execution introduces serious security vulnerabilities, particularly in the form of speculative cache side-channel (SCS) attacks, which exploit the states of the cache system to leak sensitive data from a victim’s memory space. Existing hardware defense solutions against SCS attacks remain limited in effectively addressing these threats in real-world scenarios due to their significant overhead and/or inadequate security. Therefore, this paper proposes SCSGuardian, a practical hardware defense framework against SCS attacks. SCSGuardian addresses two key issues in defending against SCS attacks, i.e., when to initiate and lift protection for unsafe speculative memory access micro-operations (μops), and which μops fall within the scope that requires protection. On the above basis, a low-overhead method is proposed for tracking unsafe speculative memory access μops based on various speculation windows within processors and the attack principles of SCS attacks. Tailored hardware μop-delaying strategies are then proposed, which delay unsafe speculative memory access μops at different stages of the memory access pipeline based on their impact on various states of the cache system. These strategies efficiently protect cache system components from SCS attacks while avoiding unnecessary delays on memory access μops, ensuring comprehensive security with optimized performance. SCSGuardian has been implemented in two versions, i.e., v1 and v2, targeting single-core and multi-core processors, respectively. SCSGuardian v1 and v2 defend against the SCS attacks with negligible hardware resource overheads of only 0.111% and 0.268%, respectively. Moreover, on SPEC2017, SCSGuardian v1 exhibits performance overheads of only 4.62% and 3.82%, and v2 only 5.97% and 5.47%, in the RISC-V core-based FPGA prototype experiment and the x86 out-of-order CPU model-based Gem5 simulation, respectively.
PaperID: 468,   
Authors:  Yuan Wu, Shoudu Bai, Runmin Lv, Xueluan Gong, Xiuwen Liu, Lei Ding, Yanjiao Chen
Affiliations: School of Computer Science and Artificial Intelligence and Engineering Research Center of Hubei Province for Clothing Information, Wuhan Textile University, Wuhan, China; Nanyang Technological University, Jurong West, Singapore; China University of Petroleum, Qingdao, China; College of Electrical Engineering, Zhejiang University, Hangzhou, China
Title: FingerVib: Fortifying Acoustic-Based Authentication With Finger Vibration Biometric on Smartphone
Abstract:
Due to the widespread use of mobile devices, it is essential to authenticate users on mobile devices to prevent sensitive information leakage. Biometrics-based authentication is prevalent on smart devices to verify the legitimacy of users, but is vulnerable to replay attacks. In this paper, we propose to leverage the distinctive finger tap gesture made while unlocking a smartphone to establish a secure multi-factor authentication system, named FingerVib. Compared with other biometric-based authentication systems, FingerVib does not require users to remember any complicated information (e.g., hand gestures, doodles), and its operation is unobtrusive. When users unlock their phones by tapping, FingerVib utilizes the microphone to record the sound produced by fingers tapping on the phone and adopts the IMU (Inertial Measurement Unit) to extract the vibration of users’ smartphones. One key contribution is that we model the inherent correlation between sound and vibration signals. Specifically, FingerVib captures two novel responses that describe how the individual’s contact palm modulates signals in two different domains. Based on these two responses, we develop a real-time noise-resistant unlocking activity detection algorithm, which allows accurate unlocking signal segmentation even when both modalities are subject to interference. Further, we develop a modal fusion model that extracts cross-modal features and acquires inter-modal correlation features to ensure consistent inference performance even when modalities are disturbed. In a user study with 41 participants, FingerVib achieves an authentication accuracy of 98.53% and an average performance of 1.36% FAR, 2.76% FRR and 2.72% EER against replay attacks and impersonation attacks. FingerVib’s fusion approach improves identification performance by roughly 9.7% and 11.6% over Wavocie and AUDIOIMU, respectively, within existing multi-modal fusion systems. Extensive experimental results demonstrate the effectiveness and robustness of FingerVib under various conditions.
PaperID: 469,   
Authors:  Jiangshan Long, Changhai Ou, Yukun Cheng, Tingting Wang, Zhu Wang, Fan Zhang
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, Hubei, China; Aerospace Science and Industry Group Data Technology Company Ltd., Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: The Mysteries of LRA: Roots and Progress in Side-Channel Applications
Abstract:
Evaluating cryptographic implementations with respect to side-channel analysis (SCA) has been mandated at high security levels. Typically, the evaluation involves four stages: detection, modeling, certification and recovery. In pursuit of a specific goal at each stage, inherently different techniques were previously considered necessary. However, since the recent Eurocrypt 2022 and Eurocrypt 2024, linear regression analysis (LRA) has become the unique technique well-applied throughout all the stages. In this paper, we concentrate on this “silver bullet” technique within the field of SCA. In the first part of this paper, we answer three fundamental questions organized progressively. The first one relates to “why use LRA?”. Our discussion of the nominal and binary nature elucidates its critical role in underpinning the state-of-the-art techniques. Having understood the merits, a natural follow-up is “how to use it (correctly and effectively)?”. A theoretical analysis of the design matrix is provided, regarding the sample distribution of plaintext and the chosen degree of polynomial. We summarize the conditions for eliminating multicollinearity, a problem that can be harmful to all LRA-based techniques. The last question “who should use LRA?” reveals an intriguing evaluator-advantageous property: LRA can only unleash its full potential when the key is known. In the second part of this paper, we clarify the connections between LRA and traditional SCA techniques. Our proofs provide new insights into the prior investigation of SCA reduction, fostering a comprehensive understanding of this linear family. The conclusions suggest that the core working mechanisms of the state-of-the-art techniques can be traced back to those of earlier differential side-channel analyses. Experimental results are in line with the theory, confirming its correctness in practice.
PaperID: 470,   
Authors:  Jiayun Yan, Yunhao Ling, Jie Chen, Haifeng Qian
Affiliations: Software Engineering Institute, East China Normal University, Shanghai, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
Title: MuseME: Multi-User Secure and Efficient Matchmaking Encryption for Mobile Devices
Abstract:
Data sharing technology plays an important role in sharing information on mobile devices, ensuring that users can preserve their privacy while guaranteeing secure data transmission. Matchmaking encryption is a novel cryptographic primitive that provides bilateral access control to maintain user trust and data integrity. However, this primitive faces a challenge in terms of achieving secure multi-receiver construction. In a multi-user environment, users need to encrypt the data many times, resulting in inefficiencies under this approach. To address this challenge, we focus on the underlying construction of identity-based broadcast matchmaking encryption (IBBME). This paper presents a new IBBME construction with DBDH and q-SDH assumptions under the standard model. Specifically, we propose a new approach that abandons the generalized transformations that already existed previously in multiple receivers. Specifically, we adopt the “two-level” method to guarantee privacy and authenticity, where the identity-based broadcast encryption (IBBE) level guarantees privacy, while the signature level guarantees authenticity. In addition, we present a strict security proof, which shows that our construction satisfies privacy and authenticity exactly. Moreover, we compare the existing ME constructions with our construction through theoretical and performance analysis. The analysis shows that the ciphertext size in our construction can be reduced to be independent of the number of receivers, which is more efficient.
PaperID: 471,   
Authors:  Jiaming Zhang, Lingyu Qiu, Qi Yi, Yige Li, Jitao Sang, Changsheng Xu, Dit-Yan Yeung
Affiliations: Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, Hong Kong, China; Department of Mathematics and Applications, University of Naples Federico II, Naples, Italy; School of Computer and Information Technology and the Beijing Key Laboratory of Traffic Data Mining and Embodied Intelligence, Beijing Jiaotong University, Beijing, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; MAIS, Institute of Automation, Chinese Academy of Sciences, Beijing, China
Title: MF-CLIP: Leveraging CLIP as Surrogate Models for No-Box Adversarial Attacks
Abstract:
The vulnerability of Deep Neural Networks (DNNs) to adversarial attacks poses a significant challenge to their deployment in safety-critical applications. While extensive research has addressed various attack scenarios, the no-box attack setting—where adversaries have no prior knowledge, including access to training data of the target model—remains relatively underexplored despite its practical relevance. This work presents a systematic investigation into leveraging large-scale Vision-Language Models (VLMs), particularly CLIP, as surrogate models for executing no-box attacks. Our theoretical and empirical analyses reveal a key limitation in the execution of no-box attacks stemming from insufficient discriminative capabilities for direct application of vanilla CLIP as a surrogate model. To address this limitation, we propose MF-CLIP (Margin-based Fine-tuned CLIP), a novel framework that enhances CLIP’s effectiveness as a surrogate model through margin-aware feature space optimization. Comprehensive evaluations across diverse architectures and datasets demonstrate that MF-CLIP substantially advances the state-of-the-art in no-box attacks, surpassing existing baselines by 15.23% on standard models and achieving a 9.52% improvement on adversarially trained models. Our code is made publicly available to facilitate reproducibility and future research in this direction.
PaperID: 472,   
Authors:  Jiang Xie, Shuhao Li, Xiaochun Yun, Tao Yin, Hongbo Xu, Peishuai Sun
Affiliations: Zhongguancun Laboratory, Beijing, China
Title: Traffic2Chain: Revealing Covert Multi-Step Attacks Through Unsupervised Traffic Behaviour Correlation
Abstract:
With the continuous development of network technology, covert multi-step attacks have become one of the significant attack methods. It is a multi-step attack with the intention of destroying the system- or data-privacy, such as network stealing. Current methods usually generate single-step alerts first and then perform correlation analysis. However, it is difficult for these methods to perform fine-grained annotation and alert amount control for single-step alerts, as well as to completely correlate the alerts of different phases into a chain due to alert fatigue. In this paper, we propose Traffic2Chain, an innovative unsupervised traffic behaviour correlation method to detect covert multi-step attacks from the network side. Traffic2Chain (1) generates alerts at different phases in real-time and annotates to sub-techniques based on MITRE ATT&CK knowledge database; (2) performs alert clustering based on SIMCSE and automatically generates event descriptions based on the Large Language Model (LLM) technique, and (3) extracts the attack chain through multi-dimensional information correlation to reveal the complete attack process. Experimental results demonstrate that the F1 score of Traffic2Chain reaches 98.36%, which has a significant advantage over other methods. In the real-world network, the detection speed can reach 40 Gbps. Most importantly, we discovered an unknown attack pattern based on Traffic2Chain - attackers delivered a variant of the Silver Fox Trojan by impersonating VPN services, eventually building a botnet with stealing capabilities and a node size of more than one million.
PaperID: 473,   
Authors:  Bei Gong, Mowei Gong, Zhe Li, Haotian Zhu, Weizhi Meng, Chong Guo
Affiliations: College of Computer Science, Beijing University of Technology, Beijing, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.; School of Computer and Cyber Sciences, Communication University of China, Beijing, China
Title: ECGSH: An Efficient Certificateless Group Signcryption-Based Homomorphic in Industrial IoT
Abstract:
With the growth of the Industrial Internet of Things (IIoT), millions of smart devices are transmitting and processing data globally. However, this extensive interconnectivity also poses significant security challenges, particularly in data transmission. Traditional security mechanisms often incur high computational costs and long processing times, which are impractical for resource-constrained devices. In this paper, we propose an efficient and secure data processing and transmission scheme for the IIoT called ECGSH. This scheme combines certificateless signcryption and homomorphic encryption to enable homomorphic processing in an encrypted state, thus enhancing both security and flexibility. Moreover, it reduces the complexity of large-scale data processing by eliminating bilinear pair computations. The ECGSH scheme also supports homomorphic data transmission in the IIoT. A rigorous security analysis proves that the scheme has the properties of confidentiality, non-repudiation, and forward security under the random oracle model. An attack resistance analysis proves that the scheme can effectively resist man-in-the-middle (MITM) attacks, replay attacks, and eavesdropping attacks. The performance evaluation demonstrates that ECGSH excels in terms of security, computational efficiency, and communication overhead. It requires at most 31% CPU utilization, and less than 1.2% memory footprint on IIoT hardware, making it particularly suitable for IIoT environments with limited resources and high transmission costs.
PaperID: 474,   
Authors:  Heng Li, Bang Wu, Wei Zhou, Wei Yuan, Cuiying Gao, Xinge You, Xiapu Luo
Affiliations: Huazhong University of Science and Technology, Wuhan, China; The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: An Efficient Adversarial Attack on FCG-Based Android Malware Detection Systems
Abstract:
Function Call Graph (FCG) based Android malware detectors can achieve satisfactory detection performance but are vulnerable to adversarial examples (AEs). Existing adversarial attacks generate AEs separately and specifically for different APKs (termed as APK-specific attacks), resulting in significant computational overhead and limited attack efficiency. In this paper, we propose an APK-Agnostic Adversarial Attack Method (termed as A4M) for FCG-based Android malware detection, enabling the deployment of large-scale malware adversarial examples. Meanwhile, this perturbation can also greatly accelerate existing APK-specific attacks. We conduct extensive experiments to evaluate the effectiveness and efficiency of A4M. A4M achieves an average attack success rate (ASR) of 85.17% on 7 target detectors (built with MAMADroid, APIGraph and GNN), significantly surpassing the state-of-the-art attack MalPatch by 28.17%. Experiments also demonstrate A4M can markedly accelerate the APK-specific attacks HIV_CW, HIV_JSMA and DQN, reducing about 88 queries per adversarial example.
PaperID: 475,   
Authors:  Chenbin Zhao, Ruiying Du, Jing Chen, Kun He, Ximeng Liu, Yang Xiang
Affiliations: School of Mathematics and Big Data, Anhui University of Science and Technology, Huainan, China; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; College of Mathematics and Computer Science, Fuzhou University, Fuzhou, Fujian, China; School of Software and Electrical Engineering, Swinburne University of Technology, Hawthorn, VIC, Australia
Title: Lightweight Dynamic Conjunctive Keyword Searchable Encryption With Result Pattern Hiding
Abstract:
With the rapid growth of cloud storage technology, the demand for efficient and secure search of outsourced encrypted data has become increasingly critical. However, existing conjunctive keyword dynamic searchable encryption schemes often expose the Keyword Pair Result Pattern (KPRP) during index matching, compromising privacy. Additionally, frequent index updates require expensive group exponentiations, leading to high client-side overhead. To tackle these challenges, we propose LRP-HDSE, a lightweight dynamic conjunctive keyword searchable encryption scheme that hides KPRP while minimizing client computation costs. To enhance privacy, we introduce the Vector Hidden Subset Predicate Encryption (VH-SPE) mechanism, which enables the server to implicitly detect cross-tag in the membership matching index, effectively mitigating KPRP leakage. For improved efficiency, the scheme designs a lightweight membership matching index structure, LSet, based on low-cost multiset hash operations, reducing reliance on costly exponentiations and lowering client overhead. Our security analysis confirms that LRP-HDSE provides robust KPRP hiding along with forward and backward security in dynamic environments. Asymptotic analysis, along with experiment evaluations on two real-world datasets, show that our scheme offers superior client-side computational efficiency compared to existing approaches, making it both practical and effective.
PaperID: 476,   
Authors:  Zheng Zhang, Jingfeng Xue, Weizhi Meng, Xu Qiao, Yuanzhang Li, Yu-an Tan
Affiliations: School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: FlashAttest: Self-Attestation for Low-End Internet of Things via Flash Devices
Abstract:
Remote Attestation (RA) is an effective security service that allows a trusted party (verifier) to initiate the attestation routine on a potentially untrusted remote device (prover) to verify its correct state. Despite their usefulness, traditional challenge-response remote attestation protocols suffer from certain limitations, such as challenges in scaling attestation collection and the forced suspension of normal operation during attestation. Self-attestation tackles these issues by enabling the prover to measure its own state asynchronously with the verifier’s attestation request. Existing self-attestation methods rely on hybrid architectures to provide the required security properties, which may not be compatible with low-end Internet of Things (IoT) devices due to hardware limitations. In addition, these protocols currently lack formal verification of design correctness. In this paper, we present FlashAttest, a formally verified self-attestation protocol for low-end IoT devices. FlashAttest leverages the flash device to fulfill the security properties required by self-attestation, eliminating the requirement for hardware modifications. In particular, FlashAttest allows the prover to initiate the attestation routine and guarantee the trustworthiness of the results based on the verified software-based security architecture. By collaborating with the flash device during attestation to generate timestamped reports, FlashAttest enables the verifier to collect and verify the legitimacy of the attestation results. More importantly, FlashAttest achieves strong security guarantees supported by a formally verified design using the Tamarin prover. We implement and evaluate FlashAttest on MSP430 architecture, showing a reasonable overhead in terms of memory footprint, communication overhead, runtime and power consumption. Compared with state-of-the-art self-attestation schemes, our approach achieves similar runtime overhead, low energy consumption, and reasonable memory overhead while eliminating the need for hardware modifications. The results confirm the suitability of FlashAttest for low-end devices.
PaperID: 477,   
Authors:  Guorong Lin, Shunzhi Yang, Wei-Shi Zheng, Zuoyong Li, Zhenhua Huang
Affiliations: School of Computer Science, South China Normal University, Guangzhou, China; Institute of Applied Artificial Intelligence of the Guangdong–HongKong–Macao Greater Bay, Shenzhen Polytechnic University, Shenzhen, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Fujian Provincial Key Laboratory of Information Processing and Intelligent Control, School of Computer and Big Data, Minjiang University, Fuzhou, China
Title: A Semantically Guided and Focused Network for Occluded Person Re-Identification
Abstract:
Person re-identification (ReID) is vital for surveillance, tracking, and criminal investigations, yet occlusions often lead to partial information loss and noisy features that significantly degrade ReID performance. Recent CLIP-based occluded person ReID methods have demonstrated promising performance by leveraging cross-modal alignment, but still face two limitations: first, generic text prompts fail to capture the fine-grained semantics of specific samples; second, there is a lack of effective enhancement mechanisms for hard local features in occlusion scenarios. To overcome these limitations, we propose a Semantically Guided and Focused Network (SGFNet), which comprises three synergistic modules. First, to tackle the absence of fine-grained textual descriptions, we design a Segmentation and Text Generation (STG) module that segments pedestrian regions and generates sample-specific text features, providing detailed text descriptions and spatial information for local pedestrian regions. In addition, in order to accurately extract fine-grained features, we propose a Dual-guided Feature Refinement (DGFR) module. This module leverages a spatial attention mechanism guided by dual-semantic information to enhance discriminative fine-grained features while effectively suppressing interference from irrelevant regions. Finally, building upon the DGFR module, we further propose a Hardness-aware Semantic Focus (HASF) module. This module leverages segmentation cues to assess the difficulty of distinguishing local regions and employs a carefully designed Semantic-driven Focal Triplet loss to specifically enhance hard local feature learning, thereby improving the model’s robustness in feature extraction under occlusion scenarios. Extensive experiments demonstrate the superiority of SGFNet, achieving state-of-the-art performance on three occluded person ReID datasets while maintaining competitive results on three holistic person ReID datasets.
PaperID: 478,   
Authors:  Yifan Zhou, Jiang Xiao, Xiaohai Dai, Hai Jin
Affiliations: National Engineering Research Center for Big Data Technology and System, the Services Computing Technology and System Laboratory, the Cluster and Grid Computing Laboratory, and the School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
Title: PlainDAG: A Low-Latency Asynchronous DAG BFT Protocol With Best-Effort Broadcast
Abstract:
Broadcast primitives like Reliable Broadcast (RBC) are integral to Directed Acyclic Graph (DAG)-based asynchronous Byzantine Fault Tolerant (BFT) protocols. Despite recent advancements, these protocols often suffer from high latency due to the inherent three communication rounds in RBC. To mitigate this latency, we propose employing Best-Effort Broadcast (BBC) for message dissemination, which requires only one communication round. However, leveraging BBC poses challenges in constructing a DAG-based ledger and ensuring consistent commitment in the face of contradictory blocks. In this paper, we introduce PlainDAG, a low-latency and secure asynchronous DAG-based BFT protocol that eschews complex broadcast primitives. Instead, it achieves lower latency by simplifying broadcast and committing with a larger quorum of votes. Our approach addresses the integrity, agreement, and totality properties lacking in BBC compared to RBC, thus ensuring correctness. Key to the design of PlainDAG is the introduction of an Integral Reference field in blocks, which References previously committed blocks and facilitates voting among contradictory blocks. Additionally, we devise a block query scheme to retrieve missing blocks. Theoretical analysis demonstrates the generalized design applicability of PlainDAG for asynchronous DAG-based BFT, with the best-case latency of 2 communication rounds and practical resilience. Experimental results underscore the superiority of PlainDAG over state-of-the-art asynchronous DAG-based protocols in latency, while achieving comparable throughput performance.
PaperID: 479,   
Authors:  Lei Du, Yuhan Chai, Yan Jia, Binxing Fang, Hao Li, Zhaoquan Gu
Affiliations: School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China; College of Computer Science, National University of Defense Technology, Changsha, China; Kunlun Digital Technology Company Ltd., Beijing, China
Title: Toward Open-World Network Intrusion Detection via Open Recognition and Inspection
Abstract:
Deep learning is promising in open-world network intrusion detection, but current deep learning-based methods mainly focus on open recognition with properties that may not always hold and significantly neglect the inspection of unknown samples, increasing open space risks and manual inspection overhead for deployed models. To address these challenges in real-world environments, we propose a novel system, ORI, designed to tackle two critical tasks: 1) open recognition, including classifying known class samples while recognizing unknown ones, and 2) inspection, involving further inspecting samples recognized as unknown. Specifically, we reformulate open recognition as a binary classification task and propose a density-based method to recognize low-density samples as unknown while classifying known class samples with a closed-world classifier, thereby minimizing the risk associated with open spaces. To reduce the inspection overhead of samples recognized as unknown, we treat unknown sample inspection as a constrained clustering task, using a few manually inspected samples as constraints, and then assign labels to the remaining unknown samples via clustering. We evaluate our system against established open recognition and unknown sample inspection baselines through extensive experiments on three public datasets. Additionally, we simulated a security analyst inspecting unknown samples labeled by ORI. The experimental results demonstrate that ORI accurately classifies known class samples, recognizes unknown samples, and effectively labels samples recognized as unknown, enhancing both open recognition and inspection capabilities.
PaperID: 480,   
Authors:  Keke Gai, Dongjue Wang, Jing Yu, Liehuang Zhu, Weizhi Meng
Affiliations: School of Cyberspace Science and Technology and the School of AI, Beijing Institute of Technology, Beijing, China; Key Laboratory of Ethnic Language Intelligent Analysis and Security Governance of MOE and the School of Information Engineering, Minzu University of China, Beijing, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.
Title: FedAMM: Federated Learning Against Majority Malicious Clients Using Robust Aggregation
Abstract:
As a collaborative framework designed to safeguard privacy, Federated Learning (FL) seeks to protect participants’ data throughout the training process. However, the framework still faces security risks from poisoning attacks, arising from the unmonitored process of client-side model updates. Most existing solutions address scenarios where less than half of clients are malicious, i.e., which leaves a significant challenge to defend against attacks when more than half of participants are malicious. In this paper, we propose a FL scheme, named FedAMM, that resists backdoor attacks across various data distributions and malicious client ratios. We develop a novel backdoor defense mechanism to filter out malicious models, aiming to reduce the performance degradation of the model. The proposed scheme addresses the challenge of distance measurement in high-dimensional spaces by applying Principal Component Analysis (PCA) to improve clustering effectiveness. We borrow the idea of critical parameter analysis to enhance discriminative ability in non-iid data scenarios, via assessing the benign or malicious nature of models by comparing the similarity of critical parameters across different models. Finally, our scheme employs a hierarchical noise perturbation to improve the backdoor mitigation rate, effectively eliminating the backdoor and reducing the adverse effects of noise on task accuracy. Through evaluations conducted on multiple datasets, we demonstrate that the proposed scheme achieves superior backdoor defense across diverse client data distributions and different ratios of malicious participants. With 80% malicious clients, FedAMM achieves low backdoor attack success rates of 1.14%, 0.28%, and 5.53% on MNIST, FMNIST, and CIFAR-10, respectively, demonstrating enhanced robustness of FL against backdoor attacks.
PaperID: 481,   
Authors:  Huanyu Wang, Dalin He, Deng Tuo, Junnian Wang
Affiliations: School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, China; School of Physics and Electronic Science, Hunan University of Science and Technology, Xiangtan, China
Title: Feature Reconstruction: Far Field EM Side-Channel Attacks in Complex Environment
Abstract:
Far Field EM Side-Channel Attacks (FEM-SCAs) have emerged as a realistic security threat to widely deployed RF-integrated IoT edge devices. In mixed-signal chips, side-channel leakage may unintentionally couple with transmission signals and be emitted via the on-chip antenna, potentially allowing adversaries to extract sensitive information from the victim at long distances. However, in practical scenarios, far field EM traces captured at long distances usually suffer from noise and interference, which makes the attack less efficient or sometimes even unfeasible. In this paper, we propose a Domain-Adversarial ReFeature Neural Network (DAR-NN) to facilitate “noisy-clean” adaptation for far field EM traces captured at long distances. By integrating a DAE model with two deep-learning classifiers as regularization terms, the proposed DAR-NN model can reconstruct features of traces obtained remotely in complex environments, thereby achieving a more efficient FEM-SCA. We first test our model by using a publicly available dataset and show that it is feasible to extract the AES key from 141 traces captured at 15 m distance to the victim, which is 58.7% more efficient than existing methods with 80% less profiling data. Afterwards, we set up a more complex experimental environment with a HackRF radio serving as an interference source. We show that the proposed model can still extract the key by using around 2K traces at 15 m even in the presence of 25% active interference, while the state-of-the-art model fails under same conditions.
PaperID: 482,   
Authors:  Zuxin Chen, Yaowen Zheng, Hong Li, Siyuan Li, Weijie Wang, Dongliang Fang, Zhiqiang Shi, Limin Sun
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: PREXP: Uncovering and Exploiting Security-Sensitive Objects in the Linux Kernel
Abstract:
Security-Sensitive Objects (SSOs) are often critical components in the exploitation of Linux kernel memory corruption vulnerabilities. While existing research has advanced SSOs identification and classification, there remains a significant gap in systematically understanding how these objects can be effectively exploited in real-world security analysis. To address this challenge, we present PREXP, a novel approach to analyzing SSOs exploitability and automating the transformation of Proof-of-Concept (PoC) into exploitable states. Our approach encompasses three key techniques: (1) capability analysis and attribute modeling of vulnerable object (2) extraction and filtering of target SSOs and (3) automatically augmenting PoCs with SSO-specific code to create exploitation capabilities. To evaluate our approach, we tested our prototype on 30 public CVEs, successfully parsing vulnerable object in 22 cases (73.3%) and achieving accurate SSO matches in 18 (60.0%). PREXP outperformed state-of-the-art tools such as SCAVY and AlphaEXP in structure-matching, and enabled the generation of new Control Flow Hijacking Primitives (CFHPs) for 3 previously unexploited vulnerabilities, demonstrating its practical value in real-world exploit development.
PaperID: 483,   
Authors:  Hanlin Wang, Shuyuan Yang, Zhixi Feng
Affiliations: School of Artificial Intelligence, Xidian University, Xi’an, China
Title: SSME: A Semi-Supervised Specific Emitter Identification Method With Manifold Enhancement
Abstract:
The proliferation of Internet of Things (IoT) devices generates substantial data that supports deep learning, significantly advancing intelligent specific emitter identification (SEI) technology. However, challenges such as labeling costs and privacy concerns limit the availability of labeled samples, thereby constraining the training of deep models. To address this problem, this paper focuses on enhancing the data manifold structure through deep feature information, proposing a semi-supervised SEI method named SSME. A well-structured manifold enables the model to capture underlying patterns and relationships within the data more effectively, leading to more accurate and generalizable classification boundaries. First, to maximize the use of supervision information from limited labeled samples, we design a supervised cross-class contrastive (SCCC) loss, which increases the feature distance between anchor samples and cross-class samples based on their labels, achieving better manifold separation of different categories. Second, we propose an instance neighborhood matching regularization (INMR) loss that captures the neighborhood of weakly and strongly augmented samples of unlabeled instances within the feature space. By aligning these neighborhood representations, neighborhood-to-neighborhood consistency learning is achieved, enhancing the structural consistency and smoothness of local manifolds. Evaluated on ADS-B and XSRP datasets across diverse settings, our method demonstrates superior performance over existing approaches. Notably, even with only five labeled samples per class, it surpasses supervised baselines by 24.82% and 12.55% on the respective datasets.
PaperID: 484,   
Authors:  Lee T. Maccarone, Dennis M. Buede, Scott T. Bowman, Pawel Ambrozewicz, Charles D. Burdick, J. Connor Grady, Shaw X. Wen
Affiliations: Sandia National Laboratories, Albuquerque, NM, USA; ITA International, Newport News, VA, USA; Idaho National Laboratory, Idaho Falls, ID, USA
Title: Identifying Adversarial Cyber-Activity in Operational Technology Environments Using Bayesian Networks
Abstract:
Operational technology (OT) systems face increasing cybersecurity risks from adversarial behavior. This paper describes the development of a Bayesian network risk model to enhance the comprehension of observable cyber-events caused by malicious activity in OT environments. The core of the Bayesian network is a process model that characterizes the stages of adversary behavior. The remainder of the model leverages the MITRE ATT&CK® for Industrial Control Systems (ICS) taxonomy, which includes tactics and techniques that may be used by the adversary. The observables provide evidence for adversary behavior through the intermediary technique and tactic nodes. One challenge in constructing this model is a lack of open-source data from cyber-attacks on OT systems. This paper demonstrates the use of both historical data and expert knowledge to construct the Bayesian network. The historical data was obtained from open-source reporting of 27 cyber-attacks affecting OT systems. The expert knowledge was obtained from a panel of subject matter experts with experience in a variety of OT cybersecurity roles and responsibilities. Finally, the Bayesian network is demonstrated using two historical case studies: the Darkside ransomware attack on the Colonial Pipeline and the destructive cyber-attack targeting the Thyssenkrupp blast furnace. By using this approach, OT cybersecurity professionals can better identify and characterize adversarial behavior in their systems to enable risk-informed investigations and interruptions before impact occurs.
PaperID: 485,   
Authors:  Qiguang Jiang, Kai Wang, Yuliang Wei, Hongri Liu, Bailing Wang
Affiliations: School of Computer Science and Technology, Harbin Institute of Technology, Weihai, China; Shandong Key Laboratory of Industrial Network Security, Weihai, China
Title: XIPHOS: Adaptive In-Vehicle Intrusion Detection via Unsupervised Graph Contrastive Learning
Abstract:
As vehicles have become increasingly connected and intelligent, attacks against in-vehicle networks (IVNs) are becoming more prevalent and pose a great threat to vehicle security and occupant safety. Intrusion detection techniques utilizing deep learning models have become a common approach to secure IVNs. However, existing work has shown some weaknesses. 1) They are unable to directly extract the rich information hidden in the data behavioral patterns. 2) The effectiveness of most supervised models depends on balanced data distributions and high-quality labels, whereas the current state of real-world datasets does not match these demands. 3) The performance of unsupervised learning models is inferior to supervised methods, accompanied by unstable or unpredictable results. In this paper, we design and implement XIPHOS, a novel and adaptive IVN intrusion detection mechanism that is capable of achieving efficient detection performance in the unsupervised environment. XIPHOS utilizes the principle of mutual information maximization to extract as many potential data invariants as possible. By detecting abnormal system behaviors through error offsets of clustered combinations of feature units, XIPHOS is able to perform both graph-level representation and node-level representation from IVN data. In addition, the adaptiveness of XIPHOS is indicated by its ability to update the model parameters over time at different detection scenarios. Experimental results on widely used datasets show that XIPHOS has greater advantages over existing methods in terms of both detection performance and freedom from attack labeling data dependences. The code is available at https://github.com/wangkai-tech23/XIPHOS
PaperID: 486,   
Authors:  Tasneem Assaf, Mohammad Ahmad Al-Jarrah, Arafat Al-Dweik, Zhiguo Ding, Emad Alsusa, Anshul Pandey
Affiliations: Department of Computer and Information Engineering, Khalifa University, Abu Dhabi, United Arab Emirates; School of Electrical and Electronic Engineering, The University of Manchester, Manchester, U.K.; Secure Systems Research Center, Technology Innovation Institute (TII), Abu Dhabi, United Arab Emirates
Title: Two-Stage Jamming Detection and Channel Estimation for UAV-Based IoT Systems
Abstract:
This work proposes an efficient two-stage jamming detection and channel estimation algorithm for orthogonal frequency division multiplexing (OFDM)-based uncrewed aerial vehicle (UAV) communications. The proposed scheme is designed based on the unique time and frequency domain statistical characteristics of OFDM signals. In the time domain (TD), a likelihood ratio test (LRT)-based decision rule is derived as a function of the inherent correlation between the cyclic prefix (CP) samples and their counterparts in the OFDM symbol. In addition, in the frequency domain (FD), a closed-form joint jamming detection and channel estimation scheme is derived using the maximum a posteriori probability (MAP) principle as a function of the statistics of the received pilot and virtual subcarrier (VSC) signals, which is then re-expressed using the generalized MAP ratio test (GMAPRT). The system’s complexity is reduced by applying the two stages sequentially, where the possible implementation of the second stage is conditioned on the outcome of the first stage. The performance of the proposed algorithm is evaluated using Monte Carlo simulations, where the results demonstrate its effectiveness compared to the TD-only and FD-only approaches. The results confirm the superior performance of the proposed scheme compared to the cyclostationary feature (CF)-based technique under various operating scenarios.
PaperID: 487,   
Authors:  Hongchao Jiang, Chen Dong, Haotai Liang, Xiaodong Xu, Yucheng Liu, Zhe Zheng, Ping Zhang
Affiliations: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China
Title: Model-Hopping Semantic Communication System for a Reliable and Secure Transmission
Abstract:
As an effective mechanism for safeguarding information against eavesdropping in semantic communication systems, existing semantic encryption methods face limitations: vulnerability to sophisticated attacks from active eavesdroppers and compromised recovery performance of legitimate receivers in multipath channels with strong effects. To address these challenges, we propose the Model-Hopping Semantic Communication System (MHSCS) by drawing inspiration from the frequency hopping technique. Specifically, model-hopping coding is designed to implement an enhanced method of semantic coding by adaptive model selection, boosting transmission reliability over multipath channels. Considering that semantic coding is a natural protection layer, a double-layer semantic encryption method is proposed, which can improve the encryption effects in severe information leakage scenarios. The experimental results show that MHSCS increases legitimate receivers’ image recovery performance by up to 18.60% under strong multipath effects compared to the baselines’ optimal performance and prevents up to 81.87% of privacy leakage in severe leakage scenarios.
PaperID: 488,   
Authors:  Wenti Yang, Xuan Li, Meng Li, Zijian Zhang, Zhitao Guan, Liehuang Zhu
Affiliations: Peng Cheng Laboratory, Shenzhen, China; School of Control and Computer Engineering, North China Electric Power University, Beijing, China; School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: VSecNN: Verifiable and Privacy-Preserving Neural Network Inference in Cloud Service
Abstract:
Neural network inference in cloud service offers tangible benefits to users, from individuals and small institutions to large companies. However, two crucial concerns must be addressed. The first arises in satisfying the privacy of the model, the input data, and the inference results throughout the inference process. The second pertains to verifying that the inferences are derived from the designated neural network model. Although Secure Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) are typically adopted to mitigate such issues, the major challenge lies in achieving privacy preservation and verifiability simultaneously. In this study, we address both issues by proposing VSecNN, a verifiable and privacy-preserving neural network inference scheme. Specifically, we integrate MPC with the Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) protocol to achieve zero-knowledge proof generation for multiple parties. Subsequently, we perform adaptive optimizations on the multi-party proof generation approach to align with the neural network, thereby achieving both privacy-preserving capabilities and verifiability. Experimental results demonstrate an improvement in efficiency. For example, the computation time for completing our multi-party proof generation could be as low as 1.7 times that of the single-party proof generation, while the verification requires only 169 ms on the MNIST dataset.
PaperID: 489,   
Authors:  Jin Fan, Zheyu Wang, Zehao Wang, Jiajun Yang, Huifeng Wu, Jia Wu
Affiliations: Zhejiang Key Laboratory of New Industrial Internet Control Technology, Hangzhou, China; HDU-ITMO Joint Institute, Hangzhou Dianzi University, Hangzhou, China; College of Intelligence and Computing, Tianjin University, Tianjin, China; Science and Technology, Hangzhou Dianzi University, Hangzhou, China; Institute of Intelligent and Software Technology, Hangzhou Dianzi University, Hangzhou, China; Department of Computing, Macquarie University, Sydney, Australia
Title: Enhancing GCN Robustness Against Structural Attacks via Adaptive Spectrum Filtering
Abstract:
Graph Convolutional Networks (GCNs) are currently the most widely used method for processing graph-structured data. However, recent research has revealed that the performance of GCNs dramatically decreases when confronted with adversarial attacks. This severely hinders their application in security-critical domains. Therefore, the development of GCNs that are resilient to adversarial attacks has emerged as a prominent research focus. Despite this, most current defense models with complex network architectures and optimization objectives are typically designed based on specific feature assumptions or attack manifestations, and do not enhance the inherent robustness of GCNs. They also overlook the changes induced by perturbations of varying intensities and the differences in attack phenomena across different datasets. In response to this, we have delved into the impact of adversarial attacks on the spectrum, and propose an effective adaptive robust spectrum filter GCN (ASF-GCN). This approach enhances the robustness of GCN models through adaptive filtering without introducing additional conditional assumptions. We theoretically analyze that graphs have different robust frequency intervals under different conditions, validating the necessity of adaptive filtering. Additionally, we elucidate the role of degree distribution and maximum eigenvalue in adaptation. Extensive experiments on real-world graphs reveal that our model surpasses other defense models in overall performance.
PaperID: 490,   
Authors:  Yi Zhang, Yuanyuan Ma, Qianqian Zhang, Yang Pei, Xiangyang Luo
Affiliations: Key Laboratory of Cyberspace Situation Awareness of Henan Province, Zhengzhou, China; Henan Normal University, Xinxiang, China
Title: An Image Robust Batch Steganography Framework With Minimum Embedding Signs
Abstract:
The flourishing online social networks provide natural and ideal channels for covert communication, especially image batch steganography, which is characterized by high capacity and efficiency. To address the challenges of covert and reliable messaging, an image robust batch steganography framework (Multi-Stega) is proposed. Utilizing separable steganalysis feature selection and difference measurement, Multi-Stega first designs an embedding sign function to describe steganographic distortion, aiming directly at improving resistance against steganalysis. Then, Multi-Stega applies a cover selection algorithm based on steganographic fitness and a payload distribution strategy based on multi-stage decision optimization, to realize message allocation with minimum embedding signs. On this basis, Multi-Stega can employ any image robust steganography algorithm and universal joint source-channel code to facilitate message embedding and extraction. To analyze its validity, instances are implemented and compared with some state-of-the-art algorithms. Experimental results demonstrate that the separable feature selection provides strong support for precise embedding sign measurement, and Multi-Stega can enhance the detection resistance of representative robust steganography algorithms by 35.10% on average. Covert communication tests on Facebook and Weibo also indicate the concealment and reliability of Multi-Stega, which shows the prospect of practical applications.
PaperID: 491,   
Authors:  Cheng Shi, Jiongchi Yu, Ziming Zhao, Jiongyi Chen, Fan Zhang
Affiliations: Zhejiang University, Hangzhou, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; National University of Defense Technology, Changsha, China
Title: CGIFuzz: Enabling Gray-Box Fuzzing for Web CGI of IoT Devices
Abstract:
Fuzz testing for Internet of Things (IoT) devices has become a critical area of research, as these devices play an increasingly vital role in modern networks and infrastructure. While significant efforts have been made, the Common Gateway Interface (CGI) programs that serve as an important component within these devices remain underexplored. Despite their extensive use in IoT web services, the specific characteristics of CGI programs have posed technical challenges to existing fuzzing infrastructures. To address these gaps, we propose CGIFuzz, the first gray-box fuzzing framework tailored for CGI programs in Linux-based IoT devices. CGIFuzz initially enables dynamic instrumentation of CGI programs through Relay-Pass Instrumentation, then leverages Large Language Models (LLM) for assisting high-quality fuzz test input generation. Furthermore, CGIFuzz devises oracles for detecting command injection and memory corruption vulnerabilities by leveraging multiple critical features during program execution. Our evaluation of CGIFuzz on ten popular IoT devices demonstrates superior coverage exploration and vulnerability detection capabilities compared to the state-of-the-art fuzzers. Notably, CGIFuzz discovered 69 vulnerabilities, including 13 previously unknown ones for which 9 CVEs were assigned.
PaperID: 492,   
Authors:  Jiawei Lian, Xia Du, Jianghua Liu, Le Hui, Jian Yang
Affiliations: Department of Computer and Information Engineering, Xiamen University of Technology, Xiamen, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Electronics and Information and Shaanxi Key Laboratory of Information Acquisition and Processing, Northwestern Polytechnical University, Xi’an, China
Title: Cross-Modal Driven Object Restoration for 3D Point Cloud Backdoor Defense
Abstract:
3D point cloud recognition plays a critical role in autonomous driving, robotics, and medical diagnostics. However, its vulnerability to backdoor attacks remains underexplored, posing significant security risks in real-world applications. Current defense mechanisms against 3D point cloud backdoor attacks are still in their infancy and lack effective solutions. To address this, we propose a cross-modal driven object restoration framework that leverages 3D reconstruction to mitigate backdoor attacks. Specifically, we introduce a cross-modal semantic encoding module that projects 3D point clouds into multi-view depth maps and utilizes CLIP to extract aligned text-image features, providing semantic guidance for 3D reconstruction. Furthermore, we leverage cross-modal information as conditional guidance to drive dynamic diffusion-based 3D reconstruction and adaptively fuse semantic and geometric features through a gated self-conditioned modulator. This module dynamically selects features for fusion, effectively mitigating noise interference and distribution shifts during latent diffusion, significantly enhancing robustness to noise, and thereby achieving precise restoration of clean point clouds. Extensive experiments on the ModelNet40 and ShapeNetPart datasets demonstrate that our method robustly defends against adaptive attacks under varying noise levels and significantly restores classification performance degraded by backdoor triggers.
PaperID: 493,   
Authors:  Guanwu Jiang, Shujun Han, Xiaodong Xu, Wenzhao Zhang, Ping Zhang
Affiliations: State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; National Engineering Research Center for Mobile Network Technologies, Beijing University of Posts and Telecommunications, Beijing, China
Title: Task-Oriented Cloud-Edge-Device Collaborative Semantic Communication: Trade-off Between Privacy-Preserving and QoAIS
Abstract:
In this paper, we formulate a Secure Hierarchical Semantic Communication (SH-SC) framework that leverages cloud-edge-device collaboration to enable efficient, robust, and privacy-preserving semantic communications. Firstly, we propose a quantization-aware efficient semantic communication (SemCom) model pre-training scheme running in the cloud. In particular, a semantic quantization method is applied to reduce the data required for transmission, and a quantization-aware multi-splitting points training method is proposed to mitigate the accuracy loss caused by quantization. Secondly, we propose a robust SemCom model deployment strategy on the local device and an honest-but-curious edge server for privacy preservation, where a post-training quantization method on the device is proposed to reduce the computational overhead and enhance privacy preservation. Thirdly, we propose a SemCom model based adaptive device-edge collaborative inferencing mechanism for SemCom quality of AI services (QoAIS), where a Joint Quantization Device-Edge Collaboration Semantic Communication (JQDESC) scheme is formulated. Moreover, we provide a theoretical analysis of the privacy preservation of the proposed quantization scheme against model inversion attacks through back-propagation and quantization error accumulation. Experimental results demonstrate that our proposed JQDESC scheme effectively protects privacy under various adversarial capabilities, and has better performance in memory usage and end-to-end latency while maintaining similar accuracy.
PaperID: 494,   
Authors:  Zhi Li, Hao Wang, Wenying Zhang, Ye Su, Willy Susilo
Affiliations: School of Information Science and Engineering, Shandong Normal University, Jinan, China; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
Title: MSecKNN: Maliciously Secure Outsourced KNN Classification Under Multiple Distance Metrics
Abstract:
With the evolution of artificial intelligence and cloud computing, data owners are increasingly motivated to outsource their data and machine learning services to the cloud. As a practical machine learning method, the k-nearest neighbors (KNN) classification is a popularly outsourced service. However, there exists a risk of privacy leakage in the outsourced environment. How to realize efficient outsourced KNN classification under the premise of protecting data security and privacy is an urgent problem that needs to be solved. This paper introduces a malicious-secure outsourced KNN classification scheme (MSecKNN). To the best of our knowledge, this scheme is the first maliciously secure KNN classification scheme that supports multiple distance metrics such as Hamming distance and Euclidean distance. To implement our MSecKNN scheme, we design 3-party secure Hamming distance protocols under the semi-honest and malicious adversary models. Our protocols based on function secret sharing (FSS) and replicated secret sharing (RSS) technologies circumvent the expensive distributed FSS key generation protocols and eliminate the need for costly public-key operations. These protocols can be considered as independent research results. Finally, we give formal security proofs for the proposed protocols and validate the effectiveness and efficiency of our protocols through experiments.
PaperID: 495,   
Authors:  Zi Wang, Chenglong Li, Pengyu Li, Aihua Zheng, Jin Tang, Bin Luo
Affiliations: School of Computer Science and Technology, Anhui University, Hefei, China; Information Materials and Intelligent Sensing Laboratory of Anhui Province, Hefei, China
Title: Prototype-Based Diversity and Integrity Learning for All-Day Multi-Modal Person Re-Identification
Abstract:
Recent multi-modal person re-identification methods have improved model performance by leveraging complementary information from multiple spectra. However, existing methods cannot ensure feature stability under varying illumination and rely on inflexible paired data, remaining inadequate against real-world cross-time retrieval and modality-missing challenges. To solve these, we first propose diversity representation that augments illumination-sensitive images to simulate diverse lighting conditions via illumination augmentation and enriches instance features using modality-specific prototypes via multiple interaction modules. Secondly, we propose integrity reconstruction that leverages prototypes and available instance features to recover information; the reconstruction module effectively utilizes identity and modality cues to address unpredictable missing problems. In addition, we build a more comprehensive dataset (AllDay843) to alleviate the inadequate dataset diversity, which comprises 91,371 images of 843 identities captured by multi-modal cameras across various periods throughout the day, while incorporating numerous real-world challenges. By integrating diversity representation and integrity reconstruction, the proposed Prototype-Based Diversity and Integrity learning network (PDINet) establishes excellence on the AllDay843 dataset, surpassing existing state-of-the-art approaches. The data and code are available on GitHub.
PaperID: 496,   
Authors:  Fuyuan Song, Chuan Zhang, Zhangjie Fu, Meng Li, Zheng Qin, Liehuang Zhu
Affiliations: Freie Universität Berlin, Berlin, Germany; Umeå University, Umeå, Sweden; Accenture Ltd., Dublin, Ireland
Title: Perfectly Secure Key Agreement Over a Full Duplex Wireless Channel
Abstract:
Secret key generation (SKG) between authenticated devices is a pivotal task for secure communications. Diffie-Hellman (DH) is the de facto standard but is not post-quantum secure. In this paper, we shall invent and analyze a new security primitive that is specifically designed for WPAN. For WPAN, wireless channel-based SKG has been proposed but was not widely deployed due to its critical dependence on the channel’s entropy, which is uncontrollable. We formulate a different approach: we still exploit channel properties but mainly hinge on the reciprocity of the wireless channel and not on the channel’s entropy. The radio advantage comes from the use of full duplex communication. We show that in this situation both legitimate parties can agree on a common secret key even without ever probing the channel at all. At the core is a new bisparse blind deconvolution scheme for which we prove correctness and information-theoretic, i.e. perfect, security. We show that, ultimately, a secret key can be extracted and give a lower bound for the number of secret key bits, which is then verified by experiments.
PaperID: 497,   
Authors:  Yukang Zhang, Xinwen Fan, Yujun Yang, Yang Lu, Hanzi Wang
Affiliations: Fujian Key Laboratory of Sensing and Computing for Smart City, School of Informatics, and the Key Laboratory of Multimedia Trusted Perception and Efficient Computing, Ministry of Education of China, Xiamen University, Xiamen, China
Title: Image-Attribute and Frequency-Spatial Dual Collaborative Learning for Pedestrian Attribute Recognition
Abstract:
The key to the pedestrian attribute recognition (PAR) task lies in accurately extracting various attributes from pedestrian images, such as gender, age, clothing, and accessories. Prior CLIP-based PAR methods primarily rely on static textual prompts or template-based sentences and perform direct classification or one-to-one image-text matching. Although these methods have achieved promising results, their reliance on such static prompts may lack flexibility in capturing the dynamic interactions between multiple attribute labels and their fine-grained visual semantics. To address this, we propose a novel Frequency-Spatial and Image-Attribute (FSIA) method that adopts a dual collaborative learning strategy to effectively model image-attribute associations and enhance feature representation. FSIA consists of two key components: 1) An Image-Attribute Collaborative Learning (IACL) framework that integrates visual data with attribute labels to enable a nuanced semantic understanding. The proposed IACL utilizes learnable attribute prompts, each specifically optimized for an individual attribute category, facilitating expressive and discriminative visual-language alignment; 2) A Frequency-Spatial Collaborative Learning (FSCL) module that leverages frequency-domain information (often overlooked in prior PAR) to exploit dual-domain frequency-spatial information in pedestrian images, thereby enhancing feature robustness. Extensive experiments show that FSIA has significant advantages in improving the performance of PAR and the challenging zero-shot PAR task. Specifically, the proposed FSIA achieves 90.08% in mA, 82.09% in Accu, 87.92% in Prec, 89.73% in Recall and 88.45% in F1 on the PETA dataset.
PaperID: 498,   
Authors:  Xiaoqi Li, Wenkai Li, Zhiquan Liu, Yuqing Zhang, Yingjie Mao
Affiliations: Hainan University, Haikou, China; Jinan University, Guangzhou, China; University of Chinese Academy of Sciences, Beijing, China
Title: Penetrating the Hostile: Detecting DeFi Protocol Exploits Through Cross-Contract Analysis
Abstract:
Decentralized finance (DeFi) protocols are crypto projects developed on the blockchain to manage digital assets. Attacks on DeFi have been frequent and have resulted in losses exceeding $80 billion. Current tools detect and locate possible vulnerabilities in contracts by analyzing the state changes that may occur during malicious events. However, these victim-only approaches seldom possess the capability to cover the attacker’s interaction intention logic. Furthermore, only a minuscule percentage of DeFi protocols experience attacks in real-world scenarios, which poses a significant challenge for these detection tools to demonstrate practical effectiveness. In this paper, we propose DeFiTail, the first framework that utilizes deep learning technology for access control and flash loan exploit detection. Through feeding the cross-contract static data flow, DeFiTail automatically learns the attack logic in real-world malicious events that occur on DeFi protocols, capturing the threat patterns between attacker and victim contracts. Since the DeFi protocol events involve interactions with multi-account transactions, the execution path with external and internal transactions needs to be unified. Moreover, to mitigate the impact of mistakes in Control Flow Graph (CFG) connections, DeFiTail validates the data path by employing the symbolic execution stack. Furthermore, we feed the data paths through our model to achieve the inspection of DeFi protocols. Comparative experiment results indicate that DeFiTail achieves the highest accuracy, with 98.39% in access control and 97.43% in flash loan exploits. DeFiTail also demonstrates an enhanced capability to detect malicious contracts, achieving 86.67% accuracy on the CVE dataset. By monitoring existing contracts, we identified five distinct categories of vulnerabilities: repetition abuse, unsafe unintended exploitation, signature violated exploitation, insecure interfaces exploitation, and unrestricted token transfer.
PaperID: 499,   
Authors:  Yang Yang, Prosanta Gope, Aryan Mohammadi Pasikhani, Biplab Sikdar
Affiliations: Department of Electrical and Computer Engineering, National University of Singapore, Queenstown, Singapore; Department of Computer Science, The University of Sheffield, Sheffield, U.K.
Title: Privacy-Preserving Robotic-Based Multi-Factor Authentication Scheme for Secure Automated Delivery System
Abstract:
Package delivery is a critical aspect of various industries, but it often incurs high financial costs and inefficiencies when relying solely on human resources. The last-mile transport problem, in particular, contributes significantly to the expenditure of human resources in major companies. Robot-based delivery systems have emerged as a potential solution for last-mile delivery to address this challenge. However, robotic delivery systems still face security and privacy issues, like impersonation, replay, man-in-the-middle (MITM) attacks, unlinkability, and identity theft. In this context, we propose a privacy-preserving multi-factor authentication scheme specifically designed for robot delivery systems. Additionally, AI-assisted robotic delivery systems are susceptible to machine learning-based attacks (e.g. FGSM, PGD, etc.). We introduce the first transformer-based audio-visual fusion defender to tackle this issue, which effectively provides resilience against adversarial samples. Furthermore, we provide a rigorous formal analysis of the proposed protocol and also analyse the protocol security using the popular symbolic proof tools ProVerif and Scyther. Finally, we present a real-world implementation of the proposed robotic system with the computation cost and energy consumption analysis. Code and pre-trained models are available at: https://github.com/YYangNUS/TIFS_RobotMFA
PaperID: 500,   
Authors:  Haobo Wang, Weiqi Luo, Xiaohua Xie, Peijia Zheng, Wenmin Huang, Jiwu Huang
Affiliations: Guangdong Province Key Laboratory of Information Security Technology and the School of Computer Science and Engineering, Sun Yat-sen University, Guangdong, China; Guangdong Laboratory of Machine Perception and Intelligent Computing, Faculty of Engineering, Shenzhen MSU-BIT University, Shenzhen, China
Title: Adv-Inversion: Stealthy Adversarial Attacks via GAN-Inversion for Facial Privacy Protection
Abstract:
With the rapid advancement of deep face recognition (FR) systems, concerns over the unauthorized use of facial data have become increasingly serious. Although adversarial attacks have been employed to obscure identity information and protect user privacy, existing methods often struggle with degraded visual quality, low success rates in black-box attacks, and dependence on identity-specific training. To overcome these limitations, we introduce Adv-Inversion, a novel and stealthy adversarial attack technique for facial privacy protection. Our approach leverages an encoder-based GAN inversion framework, incorporating a redesigned feature style encoder to prioritize adversarial attacks over traditional editing tasks. By embedding adversarial perturbations iteratively into the feature tensor space, the method ensures high imperceptibility, robust attack transferability, and flexibility without the need for identity-specific training. Additionally, we introduce an Identity Prior Feature Fusion Module for identity-specific scenarios, enabling alignment between reconstructed and target faces while enhancing black-box attack success through an ensemble training strategy. Extensive experiments across two datasets, four open-source FR models on both face verification and face identification tasks, and two commercial FR APIs demonstrate that Adv-Inversion significantly outperforms related methods in both identity-free and identity-specific training scenarios, achieving state-of-the-art results in attack success rate and visual quality metrics, while also exhibiting robustness against common adversarial defense methods. Multiple ablation studies further confirm the effectiveness of our model design. Our code is available at https://github.com/BiiiGerrr/Adv-Inversion
PaperID: 501,   
Authors:  Hao Liu, Zixin Huang
Affiliations: School of Electrical and Information Engineering, Wuhan Institute of Technology, Wuhan, China
Title: Resilient Distributed Set-Based Estimation for Cyber-Physical Systems Under False-Data-Injection Attacks
Abstract:
In this paper, resilient distributed set-based estimation is investigated for cyber-physical systems (CPSs) with unknown-but-bounded (UBB) noises which are characterized by constrained polynomial zonotopes (CPZs). Both generalized intersection of CPZs and diffusion strategy are developed to calculate the measurement update and obtain the estimation set. When the system is vulnerable to malicious false-data-injection (FDI) attacks, the encoding-decoding approach is proposed to preserve privacy, which can also be utilized to improve the attack detection rate. After detecting attacks, the corresponding resilient estimation algorithm is provided to alleviate the impact introduced by attacks. Finally, numerical simulations are provided to illustrate the validity of the presented approaches.
PaperID: 502,   
Authors:  Longyang Yi, Jian Liu, Zhiguo Wan, Kui Ren, Chun Chen
Affiliations: Zhejiang University, Hangzhou, Zhejiang, China; Zhejiang Lab, Hangzhou, Zhejiang, China
Title: Regulatable and Privacy-Preserving Blockchain via Anomaly Detection on Private Transactions
Abstract:
The recent popularity of cryptocurrencies like Bitcoin and Ethereum has drawn widespread attention to the blockchain technique. In particular, some private cryptocurrencies like Zerocash and Monero enhance privacy protection by concealing the identities of participants and transaction amounts. However, such comprehensive privacy measures present regulatory challenges to malicious activities like money laundering and extortion. Therefore, building a novel blockchain that maintains privacy while supporting regulatory oversight is crucial. In this paper, we propose a regulatable and privacy-preserving blockchain scheme that introduces a decoupled and preparatory regulatory process. It serves as a privacy-preserving first line of defense, enabling the identification of anomalous transactions without compromising the confidentiality of the underlying data. Our approach pioneers a method for anomaly screening on private transactions, mitigating risks without resorting to key escrow or content recovery, thus preserving end-to-end privacy for legitimate users. Initially, we explore suitable transaction features within private blockchains for training machine learning classifiers to detect anomalous behaviors. Subsequently, we customize a privacy-centric classifier employing homomorphic encryption to achieve private computation of anomaly detection without leaking sensitive information from private transaction content. We then construct the zero-knowledge proof for validating the encrypted computation process. Our work pioneers the full integration of homomorphic encryption with zero-knowledge proof, enabling credible and trustworthy verification of the homomorphic ciphertext computations. Finally, we conduct comprehensive security analysis and experimental simulations. The experimental results demonstrate the efficiency and scalability of our approach.
PaperID: 503,   
Authors:  Neng Dong, Shuanglin Yan, Liyan Zhang, Jinhui Tang
Affiliations: School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; Center for Smart Health, The Hong Kong Polytechnic University, Kowloon, Hong Kong; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Nanjing Forestry University, Nanjing, China
Title: Diverse Semantics-Guided Feature Alignment and Decoupling for Visible-Infrared Person Re-Identification
Abstract:
Visible-Infrared Person Re-Identification (VI-ReID) is a challenging task due to the large modality discrepancy between visible and infrared images, which complicates the alignment of their features into a suitable common space. Moreover, style noise, such as illumination and color contrast, reduces the identity discriminability and modality invariance of features. To address these challenges, we propose a novel Diverse Semantics-guided Feature Alignment and Decoupling (DSFAD) network to align identity-relevant features from different modalities into a textual embedding space and disentangle identity-irrelevant features within each modality. Specifically, we develop a Diverse Semantics-guided Feature Alignment (DSFA) module, which generates pedestrian descriptions with diverse sentence structures to guide the cross-modality alignment of visual features. Furthermore, to filter out style information, we propose a Semantic Margin-guided Feature Decoupling (SMFD) module, which decomposes visual features into pedestrian-related and style-related components, and then constrains the similarity between the former and the textual embeddings to be at least a margin higher than that between the latter and the textual embeddings. Additionally, to prevent the loss of pedestrian semantics during feature decoupling, we design a Semantic Consistency-guided Feature Restitution (SCFR) module, which further excavates useful information for identification from the style-related features and restores it back into the pedestrian-related features, and then constrains the similarity between the features after restitution and the textual embeddings to be consistent with that between the features before decoupling and the textual embeddings. Extensive experiments on three VI-ReID datasets demonstrate the superiority of our DSFAD. The code will be made publicly available at https://github.com/nengdong96/DSFAD
PaperID: 504,   
Authors:  Kaiye Li, Xia Feng, Wenli Wang, Pujie Jing, Zhiquan Liu
Affiliations: Faculty of Data Science, City University of Macau, Macau, China; School of Cyberspace Security (School of Cryptography), Hainan University, Haikou, China; School of Computer Science, Jiangsu University, Zhenjiang, China; College of Cyber Security, Jinan University, Guangzhou, China
Title: SDB: Scalable Blockchain Database via Searchable Encryption and Cross-Shard Mechanism
Abstract:
Blockchain databases have been widely applied in various fields, providing a secure architecture for data storage and sharing. In blockchain databases, the use of sharding technology can enhance the system's scalability and allow transactions in the network to be processed in parallel. However, when applying searchable encryption techniques to query encrypted data in sharded blockchains, frequent data access to different shards results in uneven load distribution, leading to hotspot issues and reducing system efficiency. To tackle this challenge, we present SDB, a scheme integrating searchable encryption with sharding technology to enhance the scalability of blockchain databases. Firstly, we introduce a two-stage sharding mechanism. It performs pre-sharding based on keywords, and then implements fine-grained dynamic adjustments through improved jump consistent hashing, effectively resolving the load imbalance problem. Secondly, we present a cross-shard query strategy based on encrypted indexes, which constructs verifiable indexes for encrypted data and converts user queries into a multiway query tree. This addresses the cross-shard query optimization problem in encrypted environments. According to our experiments and security analysis, SDB achieves efficient cross-shard queries with higher query performance and throughput, at least 30% and 20% higher than state-of-the-art scalable blockchain database schemes.
PaperID: 505,   
Authors:  Jiale Zhang, Hao Sui, Wanquan Zhu, Chengcheng Zhu, Xiaobing Sun, Chunpeng Ge, Bing Chen, Mingsheng Cao
Affiliations: School of Information Engineering, Yangzhou University, Yangzhou, China; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; Joint SDU-NTU Centre for Artificial Intelligence Research (C-FAIR) and the Software School, Shandong University, Jinan, China; School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: GraphCleanse: Defending Backdoor Attacks in Graph Learning via Contrastive Training
Abstract:
Graph Neural Networks (GNNs) are highly susceptible to numerous adversarial attacks, among which the backdoor attack is one of the toughest to deal with due to the fact that it can lead to misclassification of the model. Similar to Deep Neural Networks (DNNs), backdoor attacks in GNNs work by an attacker changing a portion of the graph data with a hidden trigger and modifying their labels to target labels, which induces the model to learn the trigger feature during its training phase. Although recent defense techniques have emerged, approaches based on explainability and data isolation often fail to detect malicious samples with covert triggers, while discrepancy learning methods tend to degrade performance by removing useful features. To overcome these limitations, we propose a novel backdoor defense method, named GraphCleanse, on GNNs that can effectively eliminate the possible backdoor features during the training process. Specifically, GraphCleanse can easily break the strong correlation between backdoor features and target labels based on graph contrastive training. To further improve the model accuracy, we present a mutual information maximization method to learn the important feature information in the labeled credible samples and unlabeled suspicious samples by clustering the features obtained from the graph contrastive encoder. Compared with the potential solutions, such as randomized smoothing, GraphCleanse effectively avoids the negative influence of backdoored samples while maintaining a high model performance. Extensive experimental evaluations on four benchmark datasets demonstrate that GraphCleanse can reduce the attack success rate to 10% with less performance degradation (within 7%).
PaperID: 506,   
Authors:  Juan E. Tapia, Sebastian Gonzalez, Daniel P. Benalcazar, Christoph Busch
Affiliations: da/sec-Biometrics and Internet Security Research Group, Hochschule Darmstadt, Darmstadt, Germany; Universidad de Santiago, Santiago, Chile; Universidad de Chile, Santiago, Chile
Title: Are Morphed Periocular Iris Images a Threat to Iris Recognition?
Abstract:
In the last few years, face morphing attacks have been shown to be a complex challenge for Face Recognition Systems (FRSs). Thus, other biometric modalities such as fingerprint, iris, and others must be explored and evaluated to enhance biometric systems. This work proposes an end-to-end framework to produce iris morphs at the image level, creating morphs from periocular iris images. This framework considers different stages such as iris pair selection from different subjects, segmentation, morph creation, and a new iris recognition system. In order to create realistic morphed images, two approaches for subject selection are proposed: random selection and similar pupil radius size selection. A vulnerability analysis and a Single Morphing Attack Detection algorithm were also explored. The results show that this approach obtained very realistic images that can confuse conventional iris recognition systems.
PaperID: 507,   
Authors:  Ju Jia, Renjie Li, Cong Wu, Yebo Feng, Siqi Ma, Lina Wang, Robert H. Deng
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Electrical and Electronic Engineering, The University of Hong Kong, Kowloon Tong, Hong Kong; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Environment-Adaptive Representation Interaction for Privacy-Perturbed Graphs Against Deceptive OOD Attacks
Abstract:
Graph neural networks (GNNs) have gained increasing popularity in understanding graph-structured data due to their ability to derive meaningful representations by aggregating complicated topological information. However, privacy operations such as differential privacy mechanisms that inject noise into node features or graph structures to protect sensitive information, and distribution shifts in graph data, pose tremendous security risks for the wide application of GNN models. Current research mainly focuses on defending against out-of-distribution (OOD) attacks through robust adversarial training and graph structure purification. Nonetheless, privacy perturbations of graph structures may render OOD attacks more deceptive by obfuscating the distinctiveness of nodes, leading to the failure of existing defense methods. To address these shortcomings, we propose an environment-adaptive representation interaction (EARI) scheme that strengthens the privacy perception of GNNs. Specifically, our scheme leverages the interaction between non-private and private data to enable targeted embedding propagation under the guidance of confidence score feedback. Subsequently, representation-enriched topological aggregation is implemented to capture more discriminative features by exploiting multi-hop neighborhoods rather than stacked multilayers. Finally, generalization-enhanced cluster-wise adaptation learning is leveraged to highlight the invariant correlations from nodes across different environments. Extensive experimental results demonstrate that our scheme can enhance the capability of learning representations from privacy-protected graph data, enabling GNNs to effectively defend against deceptive OOD attacks on various graph-structured datasets. Moreover, we reveal that the utilization of interactive topological aggregation can greatly enrich the diversity and guarantee the effectiveness of graph representations.
PaperID: 508,   
Authors:  Jiaojiao Wu, Wanxuan Huang, Jianfeng Wang, Shifeng Sun, Xiaofeng Chen
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an, Shaanxi, China
Title: False-Positive-Free Wildcard Queries With Dual Wildcard Flexibility and Enhanced Efficiency
Abstract:
Wildcard keyword search enables the client to perform wildcard queries over the encrypted database. Wildcard symmetric searchable encryption (wildcard SSE) appears to be a practical solution. However, it is vulnerable to false positives in query results due to its reliance on keyword feature extraction and approximate membership data structures. In contrast, wildcard asymmetric searchable encryption (wildcard ASE) ensures accuracy, but its practicality is limited by the high search latency incurred by public-key operations. To achieve the best of wildcard SSE and ASE, we propose F-WSSE, a novel false-positive-free wildcard SSE scheme in the symmetric-key setting that offers both high search efficiency and guaranteed accuracy. Specifically, we design a new cryptographic construction, ciphertext-masked symmetric-key hidden vector encryption (CM-SHVE), which ensures ciphertext randomness and features a concise secret key. Based on CM-SHVE, F-WSSE achieves query results without false positives in the symmetric-key setting. Additionally, we leverage a fragmentation technique to support dual-wildcard keyword queries, i.e., queries containing both single- and multi-character wildcards. Our evaluation demonstrates that the search efficiency of F-WSSE outperforms the existing wildcard ASE scheme by several orders of magnitude, while delivering comparable search performance to the state-of-the-art wildcard SSE schemes.
PaperID: 509,   
Authors:  Yanan Li, Qiyang Xiao, Zixuan Wang, Yanzhen Ren, Lina Wang
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Cyber Science and Engineering and the Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan, China
Title: Provably Secure and Robust Audio Steganography Under Multi-Format Low-Bitrate Compression
Abstract:
With the rapid advancement of audio generation models, research on audio steganography has entered a new phase of opportunity. Nevertheless, most existing generative steganographic approaches focus primarily on security while neglecting the compression and transcoding processes that are common in real-world communication. This oversight leads to two major issues: the introduction of verification mechanisms would violate its security proof assumptions, and quantization-based compression markedly reduces message extraction accuracy. In this work, we propose a robust audio steganography method that preserves provable security under various compression conditions. The security of our method relies exclusively on the latent space following a fixed distribution, which is independent of the embedded message. The proposed encoding–decoding scheme supports a tunable trade-off between capacity and robustness, allowing the sacrifice of partial capacity to reinforce robustness. Theoretical analysis shows that even with redundant error-checking codes, the latent distribution remains invariant after message embedding, thereby preserving both steganographic security and generation quality while ensuring practical applicability. Experimental results demonstrate that our method maintains message extraction accuracy under both MP3 and AAC compression and re-compression across bitrates of 160 kbps, 128 kbps, 64 kbps, 48 kbps, and even 32 kbps.
PaperID: 510,   
Authors:  Lijie Zheng, Ji He, Xinghui Zhu, Yuanyu Zhang, Yulong Shen, Tarik Taleb
Affiliations: School of Computer Science and Technology, Xidian University, Xi’an, China; Ruhr University Bochum, Bochum, Germany
Title: RSMA-Enabled Multi-UAV Secure Communication via MARL With Multi-Task Attention DRNN
Abstract:
This paper investigates secure communication in multi-UAV networks, where each UAV employs rate-splitting multiple access (RSMA) to simultaneously deliver downlink data services to multiple ground terminals (GTs) under eavesdropping threats. To enhance network security, we propose a two-stage collaborative RSMA transmission scheme. Based on this scheme, we study the optimization of multi-UAV cooperative trajectory, time-step sharing and jamming power (MUCTSJ) to maximize the network’s secrecy rate. Additionally, to ensure fairness in throughput allocation among GTs, we incorporate two typical UAV service principles—Channel Quality First (CQF) and Fair Service First (FSF)—into the optimization objectives. Given the non-convex and NP-hard nature of this optimization problem, we reformulate it as a Markov Decision Process (MDP) and introduce a multi-agent reinforcement learning (MARL) framework based on the Centralized Training and Decentralized Execution (CTDE) paradigm. To address the dynamic topological changes induced by UAV mobility and time-varying channel states, as well as the gradient interference among multiple learning tasks, we design a Multi-Task Attention Deep Recurrent Network (MTA-DRNN). This architecture effectively captures the distinct observed attributes of each UAV while enhancing the coordination between diverse actions, thereby improving the adaptability of the agent and the stability of training. Simulation results demonstrate that the proposed solution enhances the security of multi-UAV networks beyond that of other baseline schemes. Furthermore, deployment on corresponding hardware platforms confirms the solution’s effectiveness and robustness in practical applications.
PaperID: 511,   
Authors:  Chenchen Wu, Weijing You, Xinyi Huang
Affiliations: Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou, Fujian, China; College of Cyber Security, Jinan University, Guangzhou, China
Title: Scalable Cloud Auditing With Efficient Ownership Transfer for Group Transactions
Abstract:
As artificial intelligence and cloud computing thrive, transacting data via clouds has become an increasingly profitable business in recent years. Therefore, provable data possession with data transfer (DT-PDP) has been proposed to enable transferable auditing of data integrity for data owners without downloading the data. However, we found that existing solutions either fail to guarantee secure multi-ownership confirmation or, when fixing multi-ownership, fail to enable scalable and efficient ownership transfer for group transactions. Even worse, during transactions, they leak secret keys to untrusted entities, leading to integrity audit failures for untransacted data. To address the primary conflict between fixed ownership distribution and the dynamic nature of group members, as well as potential collusion attacks due to untrusted entities during transactions, in this paper we propose a scalable cloud auditing scheme with efficient ownership transfer for group transactions. Specifically, by refining the data transaction framework and carefully elaborating the tag design in data integrity auditing, we allow 1) partial ownership transfer without disturbing others, if any remain, inside the group; and 2) efficient ownership transfer between two totally different groups. Additionally, to prevent the risk of key leakage during data transactions, we have incorporated a random mask to maintain the integrity of the audit. The security analysis and evaluations justify the security level and practicality of our design.
PaperID: 512,   
Authors:  Tong Liu, Xiaochen Yuan, Wei Ke, Chan-Tong Lam, Sio Kei Im, Pedro Martins
Affiliations: Macao Polytechnic University, Macau, SAR, China; Department of Informatics Engineering, CISUC/LASI–Centre for Informatics and Systems of the University of Coimbra, University of Coimbra, Coimbra, Portugal
Title: A Symmetric Self-Embedding Mechanism for High-Fidelity Image Recovery Against Tampering
Abstract:
Digital images are inherently fragile and vulnerable to malicious tampering, significantly compromising their authenticity and integrity. Image recovery is crucial for restoring altered content and preserving the reliability of digital images. Traditional fragile watermarking methods achieve high-quality recovery but fail under post-processing attacks, while existing deep learning-based approaches offer some robustness, yet often produce lower-quality recovered images, typically with a PSNR of around 28 dB. To address these challenges, we propose a novel Symmetric Self-embedding Mechanism for High-Fidelity Image Recovery against tampering (SSEM-HIR), which is capable of restoring tampered images with high quality while maintaining some robustness against common attacks. Unlike existing methods that use the fragility of watermarking solely for tampering localization, SSEM-HIR is the first work to integrate fragility with spatial symmetry, enabling high-quality tampering recovery. Specifically, our SSEM-HIR employs a hierarchical watermark embedding module to embed an inverted version of the original image, utilizing spatial symmetry to retrieve lost information from the extracted watermark. To further improve recovery quality, we design a Dual-branch Region-based Self-Recovery module, where a Spatial-based Watermark Extraction block restores tampered regions using embedded watermark information, while a Frequency-assisted Image Repair block compensates for quality degradation in the untampered area. Extensive experiments show that our method achieves an average PSNR of 34.14 dB under common attack scenarios, including noise addition, image scaling, Gaussian blurring, and no post-processing. This represents an improvement of over 5 dB and 18% in recovered image quality compared to state-of-the-art approaches.
PaperID: 513,   
Authors:  Hui Liu, Hongqin Du, Jiageng Chen, Jinghua Wang, Ke Zhang, Kehuan Zhang, Peng Liu
Affiliations: Central China Normal University, Wuhan, China; The Chinese University of Hong Kong, Hong Kong, China; Pennsylvania State University, University Park, PA, USA
Title: Patronus: Plug-and-Play and Near-Lossless Facial Privacy Enhancement Against Reconstruction Attacks
Abstract:
Reconstruction attackers can exploit facial features to recover the original user’s face, resulting in user privacy leakage. One new strategy to enhance the “Edge-Cloud” face recognition system’s privacy is to add adversarial perturbations to facial features, preventing the attackers from high-quality user image recovery. However, the existing works following this strategy suffer from unacceptable damage to face recognition accuracy. Achieving robust privacy enhancement and face recognition accuracy simultaneously is still challenging. To tackle this challenge, we propose an adversarial perturbation-based plug-and-play privacy-enhancing method (Patronus) with robustness against face image reconstruction attacks and near-lossless face recognition performance. The key insight is derived from our observation that the feature distance between two face images of the same person is significantly lower than the threshold set in the face recognition system. This leaves room for adding adversarial perturbations to the facial features without compromising face recognition accuracy. Our strategy limits the amount of adversarial perturbations in a fine-grained manner to ensure that they are within the range of not damaging face recognition accuracy. Our evaluation shows the superior performance of Patronus in robustness against reconstruction attacks and near-lossless face recognition accuracy compared to state-of-the-art (SOTA) methods. Patronus can be easily integrated into deployed face recognition systems as a plug-in privacy-enhancing module with low overhead.
PaperID: 514,   
Authors:  Jun-Lan Wang, Xiao-Jian Li
Affiliations: College of Information Science and Engineering, Northeastern University, Shenyang, China
Title: Distributed Secure State Estimation for Multi-Agent Systems Under Sparse Attacks
Abstract:
This paper addresses the secure state estimation problem for multi-agent systems (MASs) against sparse attacks. Under the distributed framework, the sparsity constraints are transformed into a relaxed one via information exchange. To be specific, the proposed sparsity constraint is on the number of attacked agents rather than, as in existing work, on the number of attacked sensors of agent i, which relaxes the sparsity limitations for a single agent. Then, an iterative reweighted l_2/l_1 minimization algorithm is given to improve the estimation performance, which depends on solving a combinatorial non-convex optimization problem. To overcome this difficulty, a vote location technique is adopted and a distributed state estimation algorithm is further presented. Based on a graph topology, each agent communicates with its neighbors and cooperatively finds the optimal solution, so the scheduling policy can be determined in each iteration. Compared with the existing results, it is proved that the proposed method enhances the number of correctable errors and ensures smaller estimation errors for both system states and attack signals. Simulation results verify the superiority and effectiveness of the developed algorithm.
PaperID: 515,   
Authors:  Yikang Huang, Chunming Tang, Qiuxia Xu, Yunlu Cai
Affiliations: School of Computer Sciences and Cyber Engineering, Guangzhou University, Guangzhou, China; School of Mathematics and Information Sciences and Guangzhou Center for Applied Mathematics, Guangzhou University, Guangzhou, China; School of Mathematics and Systems Science, Guangdong Polytechnic Normal University, Guangzhou, China
Title: Two-Sided Private Intersection Sum With Cardinality in the Malicious Model
Abstract:
The private intersection-sum with cardinality (PIS-CA) protocol enables two parties to privately compute the cardinality of the intersection between their datasets and the sum of the values associated with these intersecting elements, while keeping all other information confidential. As a related variant of private set intersection (PSI), private set intersection with cardinality (PSI-CA) protocols compute only the intersection size without considering the associated values. Existing PIS-CA protocols attempt to reduce the amount of communication through batch encryption-based optimization, but their incomplete design and implementation hinder their practical deployment. Moreover, the shuffle proof with \mathcal O(\sqrt n) communication complexity adopted in their protocol incurs substantial communication overhead, further limiting their scalability. To address these problems, we propose an optimized two-sided PIS-CA protocol in the malicious model. Our scheme provides a concrete and implementable batch encryption design that achieves practical communication efficiency, together with an enhanced lightweight shuffle proof based on the Curdleproofs framework. The experimental results demonstrate that the proposed protocol significantly reduces the total communication cost, making it suitable for privacy-preserving applications such as ad conversion measurement.
PaperID: 516,   
Authors:  Mingcheng Dai, Baoyong Zhang, Deming Yuan, Xianju Fang
Affiliations: School of Automation, Nanjing University of Science and Technology, Nanjing, Jiangsu, China
Title: Distributed Online Optimization With Differential Privacy Over Time-Varying Unbalanced Digraphs
Abstract:
This article focuses on online distributed optimization with privacy protection in time-varying unbalanced networks. We consider the case where there exist potential passive attackers in the network, having access to all communication channels. The attackers attempt to deduce the private information of participating nodes. In this case, the differential privacy approach is leveraged to enable privacy protection. Based on this privacy-preserving approach and the stochastic subgradient method, a novel differentially private distributed online stochastic subgradient descent (DP-DOSSD) algorithm is devised for addressing the considered problem. Unlike the existing algorithms that require the weight matrices to be doubly stochastic, our algorithm only depends on two different weight matrices that are column-stochastic and row-stochastic, respectively. Moreover, a stochastic subgradient rescaling technique is adopted to tackle the unbalancedness of time-varying directed networks. It is proved that our algorithm not only guarantees \epsilon-differential privacy but also establishes an expected regret of order \mathcal O(\sqrt T) in convex settings, where \epsilon and T are the privacy level and the time horizon, respectively. The established result matches the optimal regret bound derived by state-of-the-art algorithms. The fundamental tradeoff between convergence performance and privacy level is also studied. Finally, simulation results for the sensor network-based online distributed estimation problem and the distributed online ridge regression problem are provided to confirm the effectiveness of our approach.
PaperID: 517,   
Authors:  Wenying Wei, Kaifa Zhao, Hao Zhou, Jianfeng Li, Shuohan Wu, Ming Fan, Xiapu Luo, Ting Wang, Kai Zhou, Ting Liu, Yuzhe Tang
Affiliations: Department of Computing, The Hong Kong Polytechnic University, Hong Kong, SAR, China; Xi’an Jiaotong University, Xi’an, China; Stony Brook, NY, USA; Syracuse University, Syracuse, NY, USA
Title: Interpretable Defense Against Structural Adversarial Attacks on Android Malware Detection
Abstract:
Android, being one of the most widely used mobile systems, is facing pressing threats from malware. Despite the effectiveness of Android malware detection (AMD) systems, they are still vulnerable to state-of-the-art adversarial attacks. Existing defense methods require knowledge of the target adversaries, such as attack algorithms or obfuscation strategies, which is impractical in real-world scenarios. Additionally, these approaches may adversely affect the performance of the detection model and fail to defend against problem-space attacks, which not only deceive the detection models but also generate executable adversarial software. To address this research gap, we propose a novel interpretable Android guard system, named IADGuard, to help AMD defend against attacks. IADGuard first designs a novel graph explainable method, AGExplainer, to identify suspicious functions and invocations in adversarial malware. With the guidance of AGExplainer, IADGuard develops a rectifier to reverse adversarial modifications to apps’ function invocation relations, which facilitates the detection of adversarial malware by the victim AMD. It is noteworthy that IADGuard requires zero knowledge of adversarial models and victim models, thereby preserving the performance of the victim AMD. We validate IADGuard against three state-of-the-art problem-space attacks that modify apps’ function invocation relations to deceive the victim AMD. Experimental results show that IADGuard achieves over a 90.5% defense success rate, i.e., it helps the victim AMD identify adversarial malware. Furthermore, AGExplainer surpasses representative interpreters in identifying essential modifications, helps IADGuard reduce false positives to 1.5%, and improves the detection efficiency by up to 10.4 times.
PaperID: 518,   
Authors:  Jiachen Yang, Jipeng Zhang
Affiliations: School of Electrical and Information Engineering, Tianjin University, Tianjin, China
Title: LHADRO: A Robust Control Framework for Autonomous Vehicles Under Cyber-Physical Attacks
Abstract:
Deep reinforcement learning has demonstrated remarkable performance in autonomous vehicle control. However, the increasing threat of cyber-physical attacks, which can alter sensor information or vehicle dynamics, poses significant challenges to the robustness of these control policies. To address this, we propose LHADRO (Lambda-History Aware Diversity Robust Oracle), a novel framework that models robust control as a two-player game between control policies and cyber-physical attacks. The key contributions of LHADRO are: (1) a lambda-history aware mechanism that balances past and present meta-policies to enhance training efficiency and mitigate meta-policy thrashing, and (2) a joint diversity introduction mechanism that improves robust control performance by increasing population disparity through a regularization term in parameter updates. We validate the proposed method in MetaDrive-based environments. Experimental results verify that the LHADRO framework improves robust control performance, and the effectiveness of some critical factors is investigated and discussed.
PaperID: 519,   
Authors:  Liang Xie, Zhou Su, Yuntao Wang, Zhendong Li
Affiliations: School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; School of Information and Communication Engineering, Xi’an Jiaotong University, Xi’an, China
Title: A Practical Federated Learning Framework With Truthful Incentive in UAV-Assisted Crowdsensing
Abstract:
The integration of unmanned aerial vehicles (UAVs) and artificial intelligence (AI) has garnered significant interest as a promising paradigm for facilitating intelligent and pervasive mobile crowdsensing (MCS) services. In traditional AI methodologies, the centralization of large volumes of privacy-sensitive sensory data shared by UAVs for model training entails substantial privacy risks. Federated learning (FL) emerges as an appealing privacy-preserving paradigm that enables participating UAVs to collaboratively train shared models while safeguarding the privacy of their data. However, given that the execution of FL tasks inherently requires the consumption of resources such as power and bandwidth, rational and self-interested UAVs may not actively engage in FL or launch free-riding attacks (i.e., sharing fake local models) to mitigate costs. To address the above challenges, we propose a truthful incentive scheme in FL-based UAV-assisted MCS. Specifically, we first present a learning framework tailored for realistic scenarios in UAV-assisted MCS that enhances privacy preservation and optimizes communication efficiency during AI model training for collaborative UAVs, where the sensing platform (i.e., the aggregation server) is the finite-rational decision maker. Then, based on prospect theory (PT), we design an incentive mechanism to motivate UAVs to participate in FL. In this mechanism, a PT-based game is exploited to model the interactions between the sensing platform and UAVs, where the equilibrium is derived. Moreover, we employ a zero-payment mechanism to curb the self-interested behavior of UAVs. Finally, simulation results show that the proposed scheme can facilitate high-quality model sharing while suppressing free-riding attacks.
PaperID: 520,   
Authors:  Xiaodong Wu, Henry Yuan, Xiangman Li, Jianbing Ni, Rongxing Lu
Affiliations: Department of Electrical and Computer Engineering and the Ingenuity Labs Research Institute, Queen’s University, Kingston, ON, Canada; Department of Electrical and Computer Engineering, Queen’s University, Kingston, ON, Canada; Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada
Title: Evaluating Security and Robustness for Split Federated Learning Against Poisoning Attacks
Abstract:
Split federated learning (SFL) is a recently proposed distributed collaborative learning architecture that integrates federated learning (FL) with split learning (SL), offering an ingenious solution for safeguarding privacy in resource-limited environments. Despite the compelling potential of SFL and its appealing attributes, its robustness remains uncharted territory. In this paper, we investigate the security and robustness of SFL, with a specific focus on its susceptibility to malicious client-driven poisoning attacks. Specifically, we study the weaknesses of SFL against the well-known poisoning attacks designed for FL, like dataset poisoning, weight poisoning, and label poisoning. We also introduce a novel type of poisoning attack tailored for SFL, named smash poisoning, and evaluate the robustness against smash poisoning attacks and advanced hybrid attacks (DatasetSmash, LabelSmash, and WeightSmash) that amalgamate smash poisoning with the other three methods for FL. By simulating these attacks across diverse domains over four datasets, we find that most of these attacks (including weight, WeightSmash, and LabelSmash poisoning) can disrupt the converged models with straightforward poisoning actions or have a persistent negative influence on the model accuracy even after the termination of the attacks. Furthermore, our findings reveal that the robustness of SFL can be augmented by strategically adjusting the system parameters, such as client quantity, bottleneck size or split type. Finally, we verify the effectiveness of the typical defense mechanisms against poisoning attacks intended for FL and design a new defense strategy that filters out malicious smashed data to improve the robustness of SFL. We observe that the adoption of properly chosen defense mechanisms is beneficial in decreasing the security risks of SFL, but entirely eliminating the impacts of poisoning attacks in SFL is still challenging.
PaperID: 521,   
Authors:  Ruiqi Kong, He Henry Chen
Affiliations: Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong, SAR, China; Department of Information Engineering, Shun Hing Institute of Advanced Engineering, The Chinese University of Hong Kong, Hong Kong, SAR, China
Title: DeepCRF: Deep Learning-Enhanced CSI-Based RF Fingerprinting for Channel-Resilient WiFi Device Identification
Abstract:
This paper presents DeepCRF, a new framework that harnesses deep learning to extract subtle micro-signals from channel state information (CSI) measurements, enabling robust and resilient radio-frequency fingerprinting (RFF) of commercial-off-the-shelf (COTS) WiFi devices across diverse channel conditions. Building on our previous research, which demonstrated that micro-signals in CSI, termed micro-CSI, most likely originate from RF circuitry imperfections and can serve as unique RF fingerprints, we develop a new approach to overcome the limitations of our prior signal space-based method. While the signal space-based method is effective in strong line-of-sight (LoS) conditions, we show that it struggles with the complexities of non-line-of-sight (NLoS) scenarios, compromising the robustness of CSI-based RFF. To address this challenge, DeepCRF incorporates a carefully trained convolutional neural network (CNN) with model-inspired data augmentation, supervised contrastive learning, and decision fusion techniques, enhancing its generalization capabilities across unseen channel conditions and resilience against noise. Our evaluations demonstrate that DeepCRF significantly improves device identification accuracy across diverse channels, outperforming both the signal space-based baseline and state-of-the-art neural network-based benchmarks. Notably, it achieves an average identification accuracy of 99.53% among 19 COTS WiFi network interface cards in real-world unseen scenarios using 4 CSI measurements per identification procedure.
PaperID: 522,   
Authors:  Wenfeng Huang, Axin Wu, Shengmin Xu, Guowen Xu, Wei Wu
Affiliations: Key Laboratory of Analytical Mathematics and Applications (Ministry of Education) and Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; State Key Laboratory of Cryptology, Beijing, China; School of Computer Science and Engineering (School of Cyber Security), University of Electronic Science and Technology of China, Chengdu, China; College of Education Sciences, Hong Kong University of Science and Technology (Guangzhou), Guangzhou, China
Title: EASNs: Efficient Anonymous Social Networks With Enhanced Security and High Scalability
Abstract:
Privacy concerns have been persistently afflicting individuals within online social networks (OSNs), rendering privacy-preserving communications over the Internet with authentication especially important. Unfortunately, the guarantees of privacy and authenticity are not always provided in OSNs. Individuals are still facing the challenges of being deceived or exploited. To mitigate these issues, anonymous social networks (ASNs) have emerged as a remedy for OSNs, facilitating individuals to connect with others anonymously and authentically. Despite the existence of numerous and remarkable cryptographic primitives, there are no formal solutions for ASNs except for matchmaking encryption (ME), since ME can simultaneously provide various key functionalities, i.e., bilateral access control, identity anonymity, and message authentication, to address the requirements of ASNs. In this paper, we design a system for ASNs by adopting fuzzy identity-based matchmaking encryption (fuzzy IB-ME), and the proposed scheme in this work is highly efficient. The scheme also realizes adaptive security in the generic group model (GGM), which is generally adopted in pairing-based cryptography. The proposed ASNs system offers various advantages compared to the previous solutions, including 1) bilateral access control, 2) enhanced security, 3) high scalability, and 4) high efficiency. In addition to theoretical evaluations, we conduct extensive experiments to evaluate our scheme’s computational and storage efficiency. These evaluations indicate that our solution outperforms previous solutions while preserving many desired functionalities.
PaperID: 523,   
Authors:  Shuaishuai Zhang, Jie Huang, Peihao Li
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Analyze and Improve Differentially Private Federated Learning: A Model Robustness Perspective
Abstract:
Differentially Private Federated Learning (DPFL) applies differential privacy (DP) techniques to preserve clients’ privacy in Federated Learning (FL). Existing methods based on the Gaussian Mechanism require the operations of model update clipping and noise injection, which lead to a serious degradation in model accuracies. Several improved methods are proposed to mitigate the accuracy degradation by decreasing the scale of the injected noise. Different from previous methods, we first propose to enhance the model robustness against the DP noise for the accuracy improvement. In this paper, we develop a novel FL scheme with improved model robustness, called FedIMR, which can provide the client-level DP guarantee while maintaining a high model accuracy. We find that the injected noise leads to the fluctuation of loss values in the local training, hindering the model convergence seriously. This motivates us to improve the model robustness for narrowing down the bias of model outputs caused by the noise. The model robustness is evaluated with the signal-to-noise ratio (SNR) of each layer’s outputs. Two techniques are proposed to improve the output SNR, including the logit vector normalization (LVN) and dynamic clipping threshold (DCT). Specifically, LVN normalizes the logit vector to make the optimization algorithm keep increasing the model output, which is the signal item of the output SNR. DCT dynamically adjusts the clipping threshold to reduce the noise item of the output SNR. We also provide the privacy analysis and convergence results. Experiments are conducted over three famous datasets to evaluate the effectiveness of our method. Both the theoretical results and empirical experiments confirm that our FedIMR can achieve a better accuracy-privacy tradeoff than previous methods.
PaperID: 524,   
Authors:  Fei Meng, Leixiao Cheng
Affiliations: School of Cyber Science and Technology, Shandong University, Qingdao, China
Title: TSR-ABE: Traceable and Server-Aided Revocable Ciphertext-Policy Attribute-Based Encryption Under Static Assumptions
Abstract:
The cloud server is a versatile platform for data storage, with users increasingly uploading personal data to public servers to circumvent costly local storage. However, the server is not entirely honest, as it may potentially compromise user data privacy. Ciphertext-policy attribute-based encryption (CP-ABE) is a highly flexible cryptographic technique for ensuring access control over encrypted data in cloud storage applications. To prevent unauthorized access, traceability and revocability are two necessary requirements for a CP-ABE system. Nevertheless, existing white-box traceable and revocable CP-ABE schemes suffer from several limitations: 1) Whether direct revocation or indirect revocation is applied, neither revocation mode is well compatible with the trace function. 2) Moreover, all of the previous white-box traceable CP-ABE schemes rely on non-static assumptions to prove traceability. Ideally, a scheme provably secure under static complexity assumptions is preferable. To deal with these issues, we propose a novel traceable and server-aided revocable CP-ABE (TSR-ABE) scheme based on static assumptions. Specifically, our revocation mode works well with the trace function, and we prove the adaptive chosen-plaintext attack security and traceability of our scheme via the well-known dual system encryption methodology. Compared with many previous traceable CP-ABE schemes, regardless of whether they support revocation or not, we remove the need to introduce an additional l-SDH assumption to prove the traceability of the scheme. In addition, our scheme is more practical due to its lower private key size, lower decryption costs and lower tracing costs. As a result, we strengthen current research from the perspective of both security and efficiency.
PaperID: 525,   
Authors:  Shahnewaz Karim Sakib, George T. Amariucai, Yong Guan
Affiliations: Department of Computer Science and Engineering, University of Tennessee at Chattanooga, Chattanooga, TN, USA; Department of Computer Science, Kansas State University, Manhattan, KS, USA; Department of Electrical and Computer Engineering, Iowa State University, Ames, IA, USA
Title: Information Leakage Measures for Imperfect Statistical Information: Application to Non-Bayesian Framework
Abstract:
This paper analyzes the problem of estimating information leakage when the complete statistics of the privacy mechanism are not known, and the only available information consists of several input-output pairs obtained through interaction with the system or through some side channel. Several metrics, such as subjective leakage, objective leakage, and confidence boost, were introduced before for this purpose, but by design only work in a Bayesian framework. However, it is known that Bayesian inference can quickly become intractable if the domains of the involved variables are large. In this paper, we focus on this exact problem and propose a novel approach to perform an estimation of the leakage measures when the true knowledge of the privacy mechanism is beyond the reach of the user for a non-Bayesian framework using machine learning. Initially, we adapt the definition of leakage metrics to a non-Bayesian framework and derive their statistical bounds, and afterward, we evaluate the performance of those metrics via various experiments using Neural Networks, Random Forest Classifiers, and Support Vector Machines. We have also evaluated their performance on an image dataset to demonstrate the versatility of the metrics. Finally, we provide a comparative analysis between our proposed metrics and the metrics of the Bayesian framework.
PaperID: 526,   
Authors:  Anmol Kumar, Mayank Agarwal
Affiliations: Department of Computer Science and Engineering, Indian Institute of Technology Patna, Patna, Bihar, India
Title: Reducing Internal Collateral Damage From DDoS Attacks Through Micro-Service Cloud Architecture
Abstract:
Mitigating DDoS attacks poses a significant challenge for cyber security teams within victim organizations, as these attacks directly target service availability. Most DDoS mitigation solutions focus on addressing the direct effects of DDoS attacks, such as service unavailability and network congestion, while the indirect effects, including collateral damage to legitimate users, receive substantially less attention in the present state-of-the-art. To address this gap, we propose a novel defense architecture designed to mitigate collateral damage and ensure service availability for legitimate users even under attack conditions. The proposed approach employs containerization, micro-services architecture, and traffic segmentation to enhance system resilience and fortify security. We send requests for two distinct services, namely an HTTP-based service and an SSH service, in order to analyze the collateral damage caused by the DDoS attack. The proposed architecture classifies incoming HTTP traffic into two categories: “benign traffic” and “suspicious traffic,” determined by the number of requests originating from the same source address. We tested this approach in three different scenarios (S-1, S-2, and S-3). Experimental results demonstrate that the proposed architecture effectively isolates suspicious traffic, mitigating its impact on benign services. This ensures the availability of critical services during a DDoS attack while minimizing collateral damage. In scenarios S-1, S-2, and S-3, it maintains service availability at 3%, 67%, and 98%, respectively, highlighting its efficacy in the face of varying levels of DDoS attack intensity. Furthermore, the architecture is extremely effective in reducing the collateral effects on SSH requests during a DDoS attack. In the S-1 scenario, SSH login time was reduced by 25%, 46%, and 27%, respectively. In the S-2 scenario, the reductions were 99%, 53%, and 29%. In the same vein, the system achieved reductions of 4%, 17%, and 99% in the S-3 scenario.
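The abstract above describes the segmentation criterion only at a high level: a source address is treated as suspicious once it has issued too many requests. The following block is an added illustration of that criterion, not code from the paper or its authors. It keeps a sliding window of request timestamps per source and routes each request to a "benign" or "suspicious" pool; the window length, the request limit and the access-log line format are assumptions chosen for the example, and the sample log lines are constructed.

```python
"""Per-source request-count traffic segmentation (illustrative, not the paper's code).

Splits incoming HTTP requests into "benign" and "suspicious" classes using a
sliding-window count of requests per source address. Threshold, window and
log format are assumptions made for this example.
"""
from collections import defaultdict, deque

# Assumed policy: more than MAX_REQUESTS from one source within WINDOW_SECONDS
# marks that source's further requests as suspicious until the window drains.
WINDOW_SECONDS = 10
MAX_REQUESTS = 5


class SourceRateClassifier:
    """Tracks recent request timestamps per source and classifies each request."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)  # src -> timestamps inside the window

    def classify(self, src, ts):
        """Return 'benign' or 'suspicious' for a request from src at time ts."""
        q = self._hits[src]
        q.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return "suspicious" if len(q) > self.limit else "benign"


def parse_line(line):
    """Parse a constructed 'ts src method path' access-log line."""
    ts, src, _method, path = line.split()
    return float(ts), src, path


def segment(lines):
    """Route each request to the 'benign' or 'suspicious' service pool.

    Returns {pool: [(src, path), ...]} preserving arrival order within a pool.
    """
    clf = SourceRateClassifier()
    pools = {"benign": [], "suspicious": []}
    for line in lines:
        ts, src, path = parse_line(line)
        pools[clf.classify(src, ts)].append((src, path))
    return pools


# Constructed sample traffic: one normal client (3 requests, 10 s apart) and
# one flooding source (12 requests within about 6 s).
SAMPLE_LOG = (
    ["%d.0 10.0.0.7 GET /index.html" % t for t in range(0, 30, 10)]
    + ["%.1f 198.51.100.9 GET /search" % (1 + 0.5 * i) for i in range(12)]
)

if __name__ == "__main__":
    for pool, reqs in segment(SAMPLE_LOG).items():
        print(pool, len(reqs))
```

Because the decision is per source, the flooding address is only isolated after it crosses the limit; its first few requests still land in the benign pool, which is the trade-off any count-based segmentation makes between reaction time and false positives against bursty legitimate clients.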
PaperID: 527,   
Authors:  Yu Tian, Kunbo Zhang, Yalin Huang, Leyuan Wang, Yue Liu, Zhenan Sun
Affiliations: School of Optics and Photonics, Beijing Institute of Technology, Beijing, China; Key Laboratory of Multimodal Artificial Intelligence Systems, New Laboratory of Pattern Recognition (NLPR), Institute of Automation, Chinese Academy of Sciences, Beijing, China; School of Electrical and Information Engineering, Hunan University, Changsha, China; School of Artificial Intelligence, Beijing University of Posts and Telecommunications, Beijing, China
Title: Cross-Optical Property Image Translation for Face Anti-Spoofing: From Visible to Polarization
Abstract:
Despite the development of spectral sensors and spectral data-driven learning methods which have led to significant advances in face anti-spoofing (FAS), the singular dimensionality of spectral information often results in poor robustness and weak generalization. Polarization, another fundamental property of light, can reveal intrinsic differences between genuine and fake faces with advantaged performance in precision, robustness, and generalizability. In this paper, we propose a facial image translation method from visible light (VIS) to polarization (VPT), capable of generating valuable polarimetric optical characteristics for facial presentation attack detection using VIS spectrum information input only. Specifically, the VPT method adopts a multi-stream network structure, comprising a main network and two branch networks, to translate VIS images into degree of polarization (DoP) images and Stokes polarization parameters $S_1$ and $S_2$. To further improve image translation quality, we introduce a frequency-domain consistency loss as a complement to the existing spatial losses to narrow the gap in the frequency domain. The physical mapping relations for the DoP and Stokes parameters are employed, and the Stokes loss is designed to ensure that the generated polarization modalities conform to objective physical laws. Extensive experiments on the CASIA-Polar and CASIA-SURF datasets demonstrate the superiority of VPT over other baseline methods in terms of polarization image quality and its remarkable performance in the FAS task. This work leverages the inherent physical advantages of polarization information in material discrimination tasks while addressing hardware limitations in polarization image collection, proposing a novel solution for face recognition system security control.
PaperID: 528,   
Authors:  Cong Wu, Jianfei Sun, Jing Chen, Mamoun Alazab, Yang Liu, Yang Xiang
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; College of Engineering, IT, and Environment, Charles Darwin University, Darwin, Australia; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Department of Digital Research, Swinburne University of Technology, Melbourne, Australia
Title: $\mathsf{TCG}\text{-}\mathsf{IDS}$ : Robust Network Intrusion Detection via Temporal Contrastive Graph Learning
Abstract:
In the era of zero trust security models and next-generation networks (NGN), the primary challenge is that network nodes may be untrusted, even if they have been verified, necessitating continuous validation and scrutiny. Effective intrusion detection systems (IDS) are crucial for continuously monitoring network traffic and identifying potential threats. However, traditional IDS approaches often struggle to keep pace with evolving threats, requiring extensive supervised training on labeled datasets. This limitation leads to high false positive rates, low detection accuracy, and a failure to provide real-time detection, thereby undermining the security of NGNs. This paper proposes the first self-supervised learning-based IDS, built on a temporal contrastive graph neural network (GNN), namely $\mathsf{TCG}\text{-}\mathsf{IDS}$. It innovatively integrates three contrastive learning strategies: temporal contrasting to capture temporal dependencies, asymmetric contrasting to account for the diverse interactions within network data, and masked contrasting to enhance the learning of node representations by masking parts of the data during training. Performance evaluation was conducted on two publicly available network traffic datasets, NF-CSE-CIC-IDS2018-V2 and NF-UNSW-NB15-V2. $\mathsf{TCG}\text{-}\mathsf{IDS}$ achieved a balanced accuracy of 99.48% and 91.48% on the two datasets respectively, significantly outperforming state-of-the-art graph learning models. In multi-class detection, $\mathsf{TCG}\text{-}\mathsf{IDS}$ attained a mean false positive rate of 4.15% and 3.34% on the two datasets respectively. Besides, it exhibits high efficiency with its running time of 0.37s and 0.51s on the two datasets to predict per batch of 100 samples. Results highlight the effectiveness and efficiency of $\mathsf{TCG}\text{-}\mathsf{IDS}$ in accurately detecting various types of network intrusions. This work significantly advances the field of network intrusion detection via self-supervised temporal graph learning, offering a promising solution for future network security systems.
PaperID: 529,   
Authors:  Yuanhong Li, Peng Xu, Bochuan Zhang, Wei Wang, Yubo Zheng, Kaitai Liang
Affiliations: School of Computer and Communication Engineering, Changsha University of Science and Technology, Changsha, China; North China Institute of Computing Technology, Beijing, China; Fakultät für Informatik, Technische Universität München, Munich, Germany; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Title: Self-Supervised Locality-Sensitive Deep Hashing for the Robust Retrieval of Degraded Images
Abstract:
Recently, numerous degraded images have flooded search engines and social networks, finding extensive and practical applications in the real world. However, these images have also posed new challenges to conventional image retrieval tasks. To this end, we introduce a new task of retrieving degraded images through deep hashing from large-scale databases, and further present the Locality-Sensitive Hashing Network (LSHNet) to tackle it in a self-supervised manner. More specifically, we first propose a triplet strategy to enable the self-supervised training of LSHNet in an end-to-end fashion. Due to the designed strategy, the high semantic similarity and discrimination of degraded images are well-preserved in our learned latent codes without requiring additional human labor in labeling tons of degraded images. Moreover, to tackle large-scale image retrieval efficiently, we further propose to transform the latent codes into locality-sensitive hashing codes such that the degraded images can be retrieved in sublinear time with their representation ability almost unaffected. Extensive experiments are conducted on three public benchmarks where the results demonstrate the superior performance of LSHNet in retrieving similar images under degraded conditions.
PaperID: 530,   
Authors:  Wei Wu, Chuxiao Xu, Dawei Zhao, Haipeng Peng, Fenghua Tong
Affiliations: Department of Data Science and Artificial Intelligence, The Hong Kong Polytechnic University, Hong Kong, China; School of Electronic Information and Communications, Huazhong University of Science and Technology, Wuhan, China; School of Information Science and Technology, Northwest University, Xi’an, China; Division of Computer, Electrical and Mathematical Sciences and Engineering, King Abdullah University of Science and Technology, Thuwal, Saudi Arabia
Title: FedMUA: Exploring the Vulnerabilities of Federated Learning to Malicious Unlearning Attacks
Abstract:
Recently, the practical needs of “the right to be forgotten” in federated learning gave birth to a paradigm known as federated unlearning, which enables the server to forget personal data upon the client’s removal request. Existing studies on federated unlearning have primarily focused on efficiently eliminating the influence of requested data from the client’s model without retraining from scratch; however, they have rarely doubted the reliability of the global model posed by the discrepancy between its prediction performance before and after unlearning. To bridge this gap, we take the first step by introducing a novel malicious unlearning attack dubbed FedMUA, aiming to unveil potential vulnerabilities emerging from federated learning during the unlearning process. Specifically, clients may act as attackers by crafting malicious unlearning requests to manipulate the prediction behavior of the global model. The crux of FedMUA is to mislead the global model into unlearning more information associated with the influential samples for the target sample than anticipated, thus inducing adverse effects on target samples from other clients. To achieve this, we design a novel two-step method, known as Influential Sample Identification and Malicious Unlearning Generation, to identify and subsequently generate malicious feature unlearning requests within the influential samples. By doing so, we can significantly alter the predictions pertaining to the target sample by initiating the malicious feature unlearning requests, leading to deliberate manipulation that adversely affects the user. Additionally, we design a new defense mechanism that is highly resilient against malicious unlearning attacks. Extensive experiments on three realistic datasets reveal that FedMUA effectively induces misclassification on target samples and can achieve an 80% attack success rate by triggering only 0.3% malicious unlearning requests.
PaperID: 531,   
Authors:  Yamei Wang, Yuexin Zhang, Ayong Ye, Jian Shen, Derui Wang, Yang Xiang
Affiliations: College of Computer and Cyber Security and Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou, China; School of Information Science and Engineering, Zhejiang Sci-Tech University, Hangzhou, China; Data, CSIRO, Marsfield, NSW, Australia; School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia
Title: Anonymous and Efficient (t, n)-Threshold Ownership Transfer for Cloud EMRs Auditing
Abstract:
In cloud Electronic Medical Records (EMRs), health-related private information such as genetics and diseases is contained. Thus, the secure ownership transfer protocol should protect users’ privacy. In certain scenarios, some users, including patients, doctors, medical and research institutions, may be offline. As a result, existing protocols cannot be directly employed. Motivated by these observations, in this paper we propose a secure and efficient ownership transfer for cloud EMRs auditing protocol. Specifically, our protocol allows the existence of offline users while ensuring users’ anonymity, which is achieved using different signature constructions. Additionally, a tracing mechanism is introduced to safeguard against malicious users. We rigorously prove the security of our protocol, comprehensively evaluate its performance, and compare our protocol with a few closely relevant protocols. According to the evaluations, our protocol significantly improves ownership transfer efficiency while achieving additional functionalities, including public verifiability, multi-ownership transferability, anonymity, and traceability.
PaperID: 532,   
Authors:  Satyabrat Rath, Jothi Ramalingam, Sohham Seal
Affiliations: Department of Mathematical and Computational Sciences, National Institute of Technology Karnataka, Surathkal, Karnataka, India
Title: A Note on "Secure and Efficient Outsourcing of PCA-Based Face Recognition"
Abstract:
Zhang et al. (2020) exhibit a fundamental mathematical flaw that renders their algorithm infeasible. Additionally, existing outsourcing protocols for PCA-based face recognition suffer from inadequate verification methods, undermining the reliability of these algorithms.
PaperID: 533,   
Authors:  Yixuan Wu, Long Zhang, Lin Yang, Feng Yang, Linru Ma, Zhoumin Lu, Wen Jiang
Affiliations: School of Electronics and Information, Northwestern Polytechnical University, Xi’an, China; Institute of Systems Engineering, AMS, Beijing, China; School of Computer Science, Northwestern Polytechnical University, Xi’an, China
Title: Intrusion Detection for Internet of Things: An Anchor Graph Clustering Approach
Abstract:
Intrusion detection systems are a crucial technique for securing the Internet of Things (IoT) from malicious attacks. Additionally, due to the continuous emergence of new vulnerabilities and unknown attack types, only a small number of attack samples in the IoT environments can be captured for analysis. In this work, we introduce an anchor graph clustering (AGC) method for intrusion detection to address the challenge of limited labeled samples in the IoT environments. AGC initially transforms the raw data into the embedding space to obtain more representative anchors. Then, AGC unifies anchor graph construction, anchor graph learning, and graph clustering into a unified framework, solving the resulting optimization problem through an iterative solution algorithm. Finally, AGC leverages the powerful analytical capabilities of graph learning to achieve fine-grained classification of low-quality labels. Experimental results on both real and synthetic datasets confirm that AGC can identify intrusions with high precision, while also being time-efficient in detection.
PaperID: 534,   
Authors:  Anlin Chen, Shengling Wang, Hongwei Shi, Yu Guo, Xiuzhen Cheng
Affiliations: School of Artificial Intelligence, Beijing Normal University, Beijing, China; School of Computer Science and Technology, Shandong University (SDU), Qingdao, Shandong, China
Title: Reconnaissance-Strike Complex: A Network-Layer Solution to the Natural Forking in Blockchain
Abstract:
The natural forking severely compromises the security and wastes the resources of Blockchain. Current analyses of the natural forking are carried out from microscale and macroscale perspectives, each facing challenges in generality and accuracy respectively. This leaves the field in dire straits: the forking arising from the network layer cannot be solved within the same layer, and existing defense schemes concentrate on the consensus layer, unfortunately coming at the expense of diminishing decentralized trust. Hence, to overcome these shortcomings, we propose the first reconnaissance-strike solution to the natural forking where the issue is recognized at the network layer and further struck on-site. Specifically, our endeavors encompass 1) analyzing the spatial-temporal transmission dynamics of the main chain. We exert a mesoscale perspective by transforming the behavioral analysis of the transmitters (i.e., the nodes) into the movement analysis of the transmitted object (i.e., the main chain), which mitigates following Lévy mobility. Based on this, we quantify the dynamics of long-range leaping and short-range diffusion of the main chain transmission; 2) proposing a cost-effective anti-forking mechanism. This mechanism combats the forking with low cost by configuring logical connections at the network management level, based on the quantitative relationship between Blockchain network topology and the natural forking rate we have derived. Both theoretical analysis and extensive experiments verify that our scheme can keep the natural forking rate at or below the given threshold in most cases.
PaperID: 535,   
Authors:  Sisung Liu, Jeong Gyu Park, Hyeongsik Kim, Je Hyeong Hong
Affiliations: Department of Artificial Intelligence, Hanyang University, Seoul, Republic of Korea; Department of Electronic Engineering, Hanyang University, Seoul, Republic of Korea
Title: A Cross-Attention Multi-Scale Performer With Gaussian Bit-Flips for File Fragment Classification
Abstract:
File fragment classification is a crucial task in digital forensics and cybersecurity, and has recently achieved significant improvement through the deployment of convolutional neural networks (CNNs) compared to traditional handcrafted feature-based methods. However, CNN-based models exhibit inherent biases that can limit their effectiveness for larger datasets. To address this limitation, we propose the Cross-Attention Multi-Scale Performer (XMP) model, which integrates the attention mechanisms of transformer encoders with the feature extraction capabilities of CNNs. Compared to our conference work, we additionally introduce a new Gaussian Bit-Flip (GBFlip) method for binary data augmentation, largely inspired by bit flipping errors in digital systems, improving the model performance. Furthermore, we incorporate a fine-tuning approach and demonstrate that XMP adapts more effectively to diverse datasets than other CNN-based competitors without extensive hyperparameter tuning. Our experimental results on two public file fragment classification datasets show XMP surpassing other CNN-based and RCNN-based models, achieving state-of-the-art performance in file fragment classification both with and without fine-tuning. Our code is available at https://github.com/DominicoRyu/XMP_TIFS.
PaperID: 536,   
Authors:  Yuxuan Qiu, Liyang Wang, Wei Song, Jiawei Liu, Zhi-Ping Shi, Na Jiang
Affiliations: Information Engineering College, Capital Normal University, Beijing, China; Department of Automation, University of Science and Technology of China, Hefei, China
Title: Advancing Visible-Infrared Person Re-Identification: Synergizing Visual-Textual Reasoning and Cross-Modal Feature Alignment
Abstract:
Visible-infrared person re-identification (VI-ReID) is a critical cross-modality fine-grained classification task with significant implications for public safety and security applications. Existing VI-ReID methods primarily focus on extracting modality-invariant features for person retrieval. However, due to the inherent lack of texture information in infrared images, these modality-invariant features tend to emphasize global contexts. Consequently, individuals with similar silhouettes are often misidentified, posing potential risks to security systems and forensic investigations. To address this problem, this paper innovatively introduces natural language descriptions to learn the global-local contexts for VI-ReID. Specifically, we design a framework that jointly optimizes visible-infrared alignment plus (VIAP) and visual-textual reasoning (VTR), and introduces local-global joint measure (LJM) to enhance the metric, while proposing a human-LLM collaborative approach to incorporate textual descriptions into existing cross-modal person re-identification datasets. VIAP achieves cross-modal alignment between RGB and IR. It can explicitly utilize designed frequency-aware modality alignment and relationship-reinforced fusion to explore the potential of local cues in global features and modality-invariant information. VTR proposes pooling selection and dual-level reasoning mechanisms to force the image encoder to pay attention to significant regions based on textual descriptions. LJM proposes introducing local feature distances into the measure stage metric to enhance the relevance of matching using fine-grained information. Extensive experimental results on the popular SYSU-MM01 and RegDB datasets show that the proposed method significantly outperforms state-of-the-art approaches. The dataset is publicly available at https://github.com/qyx596/vireid-caption.
PaperID: 537,   
Authors:  Fucai Luo, Xingfu Yan, Haining Yang, Xiaofan Zheng
Affiliations: School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou, China; School of Computer Science, South China Normal University, Guangzhou, China; School of Mathematics, Shandong University, Jinan, China
Title: PAEWS: Public-Key Authenticated Encryption With Wildcard Search Over Outsourced Encrypted Data
Abstract:
Public-key Encryption with Keyword Search (PEKS) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform (on-demand) keyword searches over encrypted data for data users. Existing PEKS schemes are limited to precise or fuzzy keyword searches, creating a gap given the widespread use of wildcards for rapid searches in real-world applications. To address this issue, several wildcard keyword search schemes have been proposed to support wildcard searches in the public-key setting. However, these schemes suffer from inefficiency and/or inflexibility. Worse yet, they are all vulnerable to (insider) keyword guessing attacks (KGA), which are highly effective when the keyword space is polynomial in size. To address these vulnerabilities, this paper first proposes a new wildcard keyword search scheme called Public-key Encryption with Wildcard Search (PEWS), which is built based on the standard Decisional Diffie-Hellman (DDH) assumption. The complexity of all algorithms in PEWS increases linearly with the keyword length, while remaining almost constant or even decreasing linearly with the number of wildcards. To resist (insider) KGA, we further extend PEWS into the first Public-key Authenticated Encryption with Wildcard Search (PAEWS) scheme. Our PEWS and PAEWS schemes are highly flexible, supporting searches for any number of wildcards positioned anywhere within the keyword. We conduct a comprehensive performance evaluation of our PEWS and PAEWS, while also comparing PEWS with the state-of-the-art scheme in the public-key setting. The experimental results demonstrate that both PEWS and PAEWS are efficient and practical, and the experimental comparisons illustrate that PEWS achieves approximately 2× faster computation and reduces communication by at least 50%.
PaperID: 538,   
Authors:  Qinghua Mao, Xi Lin, Wenchao Xu, Yuxin Qi, Xiu Su, Gaolei Li, Jianhua Li
Affiliations: Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, School of Electronic Information and Electrical Engineering, Institute of Cyber Science and Technology, Shanghai Jiao Tong University, Shanghai, China; Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong; Big Data Institute, Central South University, Changsha, China
Title: FeCoGraph: Label-Aware Federated Graph Contrastive Learning for Few-Shot Network Intrusion Detection
Abstract:
With increasing cyber attacks over the Internet, network intrusion detection systems (NIDS) have been an indispensable barrier to protecting network security. Taking advantage of automatically capturing topology connections, recent deep graph learning approaches have achieved remarkable performance in distinguishing different types of malicious flows. However, there remain some critical challenges. 1) Previous supervised learning methods rely heavily on abundant and high-quality annotated samples, while label annotation requires abundant time and expert knowledge. 2) Centralized methods require all data to be uploaded to a server for learning behavior patterns, which results in high detection latency and critical privacy leakage. 3) Diverse attack scenarios exhibit highly imbalanced distribution, making it hard to characterize abnormal behaviors. To address these issues, we propose FeCoGraph, a label-aware federated graph contrastive learning framework for intrusion detection in few-shot scenarios. The line graph is introduced to directly process flow embeddings, which are compatible with diverse GNNs. Furthermore, we formulate a graph contrastive learning task to effectively leverage label information, making intra-class embeddings more compact than inter-class embeddings. To improve the scalability of NIDS, we utilize federated learning to cover more attack scenarios while protecting data privacy. Experiment results show that FeCoGraph surpasses E-graphSAGE by an average of 8.36% accuracy on binary classification and 6.77% accuracy on multiclass classification, demonstrating the efficiency of our approach.
PaperID: 539,   
Authors:  Zijie Lou, Gang Cao, Kun Guo, Lifang Yu, Shaowei Weng
Affiliations: School of Computer and Cyber Sciences and the State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China; Department of Information Engineering, Beijing Institute of Graphic Communication, Beijing, China; Fujian Provincial Key Laboratory of Big Data Mining and Applications, Fujian University of Technology, Fuzhou, China
Title: Exploring Multi-View Pixel Contrast for General and Robust Image Forgery Localization
Abstract:
Image forgery localization, which aims to segment tampered regions in an image, is a fundamental yet challenging digital forensic task. While some deep learning-based forensic methods have achieved impressive results, they directly learn pixel-to-label mappings without fully exploiting the relationship between pixels in the feature space. To address such deficiency, we propose a Multi-view Pixel-wise Contrastive algorithm (MPC) for image forgery localization. Specifically, we first pre-train the feature extraction backbone network with a supervised contrastive loss to model pixel relationships in view of within-image, cross-scale and cross-modality. That is aimed at increasing intra-class compactness and inter-class separability. Then the localization head is fine-tuned using cross-entropy loss, resulting in a better forged pixel localizer. The MPC is trained on three different scale training datasets to make a comprehensive and fair comparison with existing image forgery localization algorithms. Extensive test results on over ten public datasets show that the proposed MPC achieves higher generalization performance and robustness than state-of-the-art methods. It is particularly noteworthy that our approach maintains a high level of localization accuracy under various post-processing combinations that approximate real-world scenarios, as well as when confronted with novel intelligent editing techniques. Finally, comprehensive and detailed ablation experiments demonstrate the reasonableness of MPC.
PaperID: 540,   
Authors:  Ali Nikkhah, Morteza Shoushtari, Bahareh Akhbari, Willie K. Harrison
Affiliations: Faculty of Electrical Engineering, K. N. Toosi University of Technology, Tehran, Iran; Department of Electrical and Computer Engineering, Brigham Young University, Provo, UT, USA
Title: Secrecy Coding for the Binary Symmetric Wiretap Channel via Linear Programming
Abstract:
In this paper, we use a linear programming (LP) optimization approach to evaluate the equivocation when coding over a wiretap channel model where the main channel is noiseless and the eavesdropper’s channel is a binary symmetric channel (BSC). Using this technique, we present a numerically-derived upper bound for the achievable secrecy rate in the finite blocklength regime that is tighter than traditional infinite blocklength bounds. We also propose a secrecy coding technique that outperforms random binning codes. When there is one overhead bit, this coding technique is optimum and achieves the newly derived bound. For cases with additional bits of overhead, our coding scheme can achieve equivocation rates close to the new bound. Furthermore, we explore the patterns of the generator matrix and the parity-check matrix for linear codes and we present binning techniques for both linear and nonlinear codes using two different approaches: recursive and non-recursive. To our knowledge, this is the first optimization solution for secrecy coding obtained through linear programming. Our new bounds and codes mark a significant breakthrough towards understanding fundamental limits of performance (and how to achieve them in some instances) for the binary symmetric wiretap channel with real finite blocklength coding constructions. Our techniques are especially useful for codes of small to medium blocklength, such as those that may be required by applications with small payloads, such as the Internet of Things.
PaperID: 541,   
Authors:  Haoyang Wang, Kai Fan, Chong Yu, Kuan Zhang, Fenghua Li, Haojin Zhu
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, China; Department of Computer Sciences, University of Cincinnati, Cincinnati, OH, USA; Department of Electrical and Computer Engineering, University of Nebraska-Lincoln, Lincoln, NE, USA; Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Beyond Access Pattern: Efficient Volume-Hiding Multi-Range Queries Over Outsourced Data Services
Abstract:
Multi-range query (MRQ) is a typical multi-attribute data query widely used in various practical applications. It is capable of searching all data objects contained in a query request. Many privacy-preserving MRQ schemes have been proposed to realize MRQ on encrypted data. However, existing MRQ schemes only consider the security threat caused by access pattern leakage, not the harm of volume pattern leakage. Moreover, most existing schemes cannot achieve efficient queries and updates while preserving the access pattern. In this paper, we propose an efficient MRQ scheme for hiding volume and access patterns. We first design a joint data index using Order-Revealing Encryption (ORE) and Pseudo-random functions (PRFs) to realize volume-hiding range queries. Then, we combine the private set intersection (PSI) and hardware Software Guard Extensions (SGX) to compute each attribute’s intersection of query results. In addition, we preserve access patterns during queries by designing a batch refresh algorithm and an update protocol. Finally, rigorous security analysis and extensive experiments demonstrate the security and performance of our scheme in real-world scenarios.
PaperID: 542,   
Authors:  Marvin Xhemrishi, Johan Östman, Antonia Wachter-Zeh, Alexandre Graell i Amat
Affiliations: TUM School of Computation, Information and Technology, Technical University of Munich, Munich, Germany; AI Sweden, Gothenburg, Sweden; Department of Electrical Engineering, Chalmers University of Technology, Gothenburg, Sweden
Title: FedGT: Identification of Malicious Clients in Federated Learning With Secure Aggregation
Abstract:
Federated learning (FL) has emerged as a promising approach for collaboratively training machine learning models while preserving data privacy. Due to its decentralized nature, FL is vulnerable to poisoning attacks, where malicious clients compromise the global model through altered data or updates. Identifying such malicious clients is crucial for ensuring the integrity of FL systems. This task becomes particularly challenging under privacy-enhancing protocols such as secure aggregation, creating a fundamental trade-off between privacy and security. In this work, we propose FedGT, a novel framework designed to identify malicious clients in FL with secure aggregation while preserving privacy. Drawing inspiration from group testing, FedGT leverages overlapping groups of clients to identify the presence of malicious clients via a decoding operation. The clients identified as malicious are then removed from the model training, which is performed over the remaining clients. By choosing the size, number, and overlap between groups, FedGT strikes a balance between privacy and security. Specifically, the server learns the aggregated model of the clients in each group—vanilla federated learning and secure aggregation correspond to the extreme cases of FedGT with group size equal to one and the total number of clients, respectively. The effectiveness of FedGT is demonstrated through extensive experiments on three datasets in a cross-silo setting under different data-poisoning attacks. These experiments showcase FedGT’s ability to identify malicious clients, resulting in high model utility. We further show that FedGT significantly outperforms the private robust aggregation approach based on the geometric median recently proposed by Pillutla et al. and the robust aggregation technique Multi-Krum in multiple settings.
PaperID: 543,   
Authors:  Yu Jiang, Jiyuan Shen, Ziyao Liu, Chee-Wei Tan, Kwok-Yan Lam
Affiliations: College of Computing and Data Science (CCDS), Nanyang Technological University, Jurong West, Singapore; Digital Trust Centre (DTC), Nanyang Technological University, Jurong West, Singapore; CCDS and DTC, Nanyang Technological University, Jurong West, Singapore
Title: Toward Efficient and Certified Recovery From Poisoning Attacks in Federated Learning
Abstract:
Federated learning (FL) is vulnerable to poisoning attacks, where malicious clients manipulate their updates to affect the global model. Although various methods exist for detecting such clients in FL, identifying malicious clients requires sufficient model updates, and hence by the time malicious clients are detected, FL models have already been poisoned. Thus, a method is needed to recover an accurate global model after malicious clients are identified. Current recovery methods rely on (i) all historical information from participating FL clients and (ii) the initial model unaffected by the malicious clients, both leading to a high demand for storage and computational resources. In this paper, we show that highly effective recovery can still be achieved based on 1) selective historical information rather than all historical information and 2) a historical model that has not been significantly affected by malicious clients rather than the initial model. In this scenario, we can accelerate the recovery speed and decrease memory consumption while maintaining comparable recovery performance. Following this concept, we introduce Crab (Certified Recovery from Poisoning Attacks and Breaches), an efficient and certified recovery method, which relies on selective information storage and adaptive model rollback. Theoretically, we demonstrate that the difference between the global model recovered by Crab and the one recovered by train-from-scratch can be bounded under certain assumptions. Our experiments, performed across four datasets with multiple machine learning models and aggregation methods, involving both untargeted and targeted poisoning attacks, demonstrate that Crab is not only accurate and efficient but also consistently outperforms previous approaches in recovery speed and memory consumption.
PaperID: 544,   
Authors:  Md. Mamunur Rashid, Yong Xiang, Md Palash Uddin, Jine Tang, Keshav Sood, Longxiang Gao
Affiliations: School of Information Technology, Deakin University, Burwood, VIC, Australia; School of Artificial Intelligence, Hebei University of Technology, Tianjin, China; Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China
Title: Trustworthy and Fair Federated Learning via Reputation-Based Consensus and Adaptive Incentives
Abstract:
Federated Learning (FL) allows collaborative training of a Machine Learning (ML) model while preserving data privacy across participating clients. Most existing studies consider FL clients to be proactive and completely honest in their participation. However, in reality, clients might lack the motivation to participate, and malicious behavior among some clients could negatively impact the interests of others. For these reasons, ensuring trust and fairness among FL clients is paramount but remains challenging due to limitations in FL consensus mechanisms and incentive strategies. To address these challenges, we introduce a Trustworthy and Fair FL (TFFL) framework that develops a reputation-based consensus mechanism called Dynamic Reputation Consensus (DRC), where clients’ reputations are dynamically assessed based on subjective opinions by evaluating real-time client behavior. We also incorporate time decay and temporal discounting of TFFL interactions along with the weighted measures of clients’ data quality, performance, and reliability to accurately reflect the evolving nature of client behavior over time. By adaptively adjusting clients’ incentives based on reputations and a cooperative game theory, DRC incentivizes honest participation and discourages malicious intent. In addition, we utilize blockchain and smart contracts to provide decentralized, regularized, and secure reputation management that is resistant to tampering and non-repudiation. Theoretical analysis and empirical results on widely used datasets (MNIST, CIFAR-10, and CIFAR-100) demonstrate the effectiveness of DRC in enhancing trust and fairness, improving performance, and providing robust security in FL settings. Results further exhibit that DRC offers superior performance in local model validation, consensus decision, and convergence time compared to related research approaches across various experimental settings.
PaperID: 545,   
Authors:  Tianyu Zhaolu, Zhiguo Wan, Huaqun Wang
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China; Zhejiang Laboratory, Hangzhou, China
Title: Post-Quantum Rollup: Falcon Signature Aggregation Based on SNARG With Enhanced Gates
Abstract:
Blockchain layer 2 solutions aim to address scalability issues in Layer 1 networks by improving transaction efficiency and alleviating congestion. The rollup, a well-known Layer 2 scaling protocol, uses an aggregate signature scheme based on the succinct non-interactive argument of knowledge (SNARG) to package transactions. The further promotion of rollup faces the challenge of balancing computation efficiency and communication costs. In addition, with the continuous development of quantum computing, a transition to post-quantum cryptography is considered crucial for long-term security. Our main contribution is an aggregate Falcon signature scheme for post-quantum rollup based on a novel SNARG scheme. The proposed SNARG is based on the Plonkish circuit with enhanced custom gates, referred to as the ECG circuit, and a post-quantum multilinear polynomial commitment scheme (PolyCom). The former can represent more complex operations while also controlling the witness scale. The latter realizes quantum-resistant security for the proposed SNARG and the aggregate signature. In comparison to the aggregate signature based on Orion, our scheme achieves lower aggregation and communication costs. Performance analysis indicates a 38% decrease in aggregation time and an 88% decrease in communication costs. As an additional contribution, we introduce a novel polynomial interactive oracle proof (PolyIOP) protocol for the ECG circuit, which can combine with a multilinear PolyCom scheme to form a SNARG protocol with lower computation and communication overhead compared to existing schemes.
PaperID: 546,   
Authors:  Zhaoyi Meng, Jiale Zhang, Jiaqi Guo, Wansen Wang, Wenchao Huang, Jie Cui, Hong Zhong, Yan Xiong
Affiliations: School of Computer Science and Technology, Anhui University, Hefei, China; School of Computer Science and Technology, University of Science and Technology of China, Hefei, China
Title: Detecting Android Malware by Visualizing App Behaviors From Multiple Complementary Views
Abstract:
Deep learning has emerged as a promising technology for achieving Android malware detection. To further unleash its detection potential, software visualization can be integrated for analyzing the details of app behaviors clearly. However, facing increasingly sophisticated malware, existing visualization-based methods, analyzing from one or a few randomly selected views, can only detect limited attack types. We propose and implement LensDroid, a novel technique that detects Android malware by visualizing app behaviors from multiple complementary views. Our goal is to harness the power of combining deep learning and software visualization to automatically capture and aggregate high-level features that are not inherently linked, thereby revealing hidden maliciousness of Android app behaviors. To thoroughly comprehend the details of apps, we visualize app behaviors from three related but distinct views of behavioral sensitivities, operational contexts and supported environments. We then extract high-order semantics based on the views accordingly. To exploit semantic complementarity of the views, we design a deep neural network based model for fusing the visualized features from local to global based on their contributions to downstream tasks. A comprehensive comparison with six baseline techniques is performed on datasets of more than 51K apps in three real-world typical scenarios, including overall threats, app evolution and zero-day malware. The experimental results show that the overall effectiveness of LensDroid is better than the baseline techniques. We also validate the complementarity of the views and demonstrate that the multi-view fusion in LensDroid enhances Android malware detection.
PaperID: 547,   
Authors:  Zhiqi Pang, Lingling Zhao, Yang Liu, Gaurav Sharma, Chunyu Wang
Affiliations: Faculty of Computing, Harbin Institute of Technology, Harbin, China; Department of Electrical and Computer Engineering, University of Rochester, Rochester, NY, USA
Title: Joint Augmentation and Part Learning for Unsupervised Clothing Change Person Re-Identification
Abstract:
Clothing change person re-identification (CC-ReID) is a crucial task in intelligent surveillance, aiming to match images of the same person wearing different clothing. Promising performance in existing CC-ReID methods is achieved at the cost of labor-intensive manual annotation of identity labels. While some researchers have explored unsupervised CC-ReID, these methods still depend on additional deep learning models for preprocessing. To eliminate the need for additional models and improve performance, we propose a joint augmentation and part learning (JAPL) framework that obtains clothing change positive pairs in an unsupervised fashion by synergistically combining augmentation-based invariant learning (AugIL) and part-based invariant learning (ParIL). AugIL first constructs clothing change pseudo-positive pairs and then encourages the model to focus on clothing-invariant information by enhancing feature consistency between the pseudo-positive pairs. ParIL beneficially encourages high similarity between inter-cluster clothing change positive pairs using part images and a prediction sharpening loss. ParIL also introduces a soft consistency loss that promotes clothing-invariant feature learning by encouraging consistency of class vectors between the real features actually used for CC-ReID and the part features. Experimental results on multiple ReID datasets demonstrate that the proposed JAPL not only surpasses existing unsupervised methods but also achieves competitive performance compared to some supervised CC-ReID methods.
PaperID: 548,   
Authors:  Chenyang Wang, Yan Yan, Jing-Hao Xue, Hanzi Wang
Affiliations: Key Laboratory of Multimedia Trusted Perception and Efficient Computing, Ministry of Education of China, and Fujian Key Laboratory of Sensing and Computing for Smart City, School of Informatics, Xiamen University, Xiamen, China; Department of Statistical Science, University College London, London, U.K.
Title: I2OL-Net: Intra-Inter Objectness Learning Network for Point-Supervised X-Ray Prohibited Item Detection
Abstract:
Automatic detection of prohibited items in X-ray images plays a crucial role in public security. However, existing methods rely heavily on labor-intensive box annotations. To address this, we investigate X-ray prohibited item detection under labor-efficient point supervision and develop an intra-inter objectness learning network (I2OL-Net). I2OL-Net consists of two key modules: an intra-modality objectness learning (intra-OL) module and an inter-modality objectness learning (inter-OL) module. The intra-OL module designs a local focus Gaussian masking block and a global random Gaussian masking block to collaboratively learn the objectness in X-ray images. Meanwhile, the inter-OL module introduces the wavelet decomposition-based adversarial learning block and the objectness block, effectively reducing the modality discrepancy between natural images and X-ray images and transferring the objectness knowledge learned from natural images with box annotations to X-ray images. Based on the above, I2OL-Net greatly alleviates the severe problem of part domination caused by large intra-class variations in X-ray images. Experimental results on four X-ray datasets show that I2OL-Net can achieve superior performance with a significant reduction of annotation cost, thus enhancing its accessibility and practicality. The source code is released at https://github.com/houjoeng/I2OL-Net.
PaperID: 549,   
Authors:  Kaixiang Liu, Yongfang Xie, Shiwen Xie, Yuqi Chen, Xin Chen, Limin Sun, Zhiwen Pan
Affiliations: School of Automation, Central South University, Changsha, China; School of Information Science and Technology, ShanghaiTech University, Shanghai, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: SecureSIS: Securing SIS Safety Functions With Safety Attributes and BPCS Information
Abstract:
In high-stakes process industries, the Basic Process Control System (BPCS) relies on conventional control to enhance productivity, while the Safety Instrumented System (SIS) uses safety functions to maintain safety. Compared to the BPCS, attackers targeting the SIS can modify safety function activation conditions to trigger them prematurely or to evade the activation of the safety function. While various attack detection methods focus on the BPCS, they often overlook the SIS. This can lead to undetected safety breaches, significantly increasing the risk of catastrophic faults. Recent methods face three key limitations that hinder their practical application to SIS. First, both attackers and engineers can exploit the hot update mechanism of SIS to add or modify control logic. However, current methods lack verification for the newly added or modified logic. Second, current methods are unable to assess the rationality of dangerous value ranges. Third, these methods struggle to distinguish between faults and attacks, making it difficult to determine the appropriate time to activate the SIS’s safety function. To overcome these limitations, we propose SecureSIS, a method for securing SIS safety functions by leveraging the safety attributes of the SIS and incorporating information from the BPCS. The core of SecureSIS includes: 1) using the safety attributes of the SIS to verify automatically extracted candidate control logic detection rules; 2) utilizing information from the BPCS to verify automatically extracted candidate value range detection rules; and 3) distinguishing between safety function attacks and industrial process faults with validated rules and integration of process data from BPCS. Our scheme was evaluated using a Tricon SIS controller deployed on a gas pipeline network platform. The results indicate that SecureSIS achieved 97.3% accuracy in detecting data injection attacks and a detection accuracy of 96.0% for control logic modification attacks. Compared with the other representative detection approaches, our scheme has better detection performance.
PaperID: 550,   
Authors:  Zhixuan Zhang, Xingjian Zheng, Linbo Qing, Qi Liu, Pingyu Wang, Yu Liu, Jiyang Liao
Affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu, China; Frost Drill Intellectual Software Pte., Ltd., International Plaza, Singapore; School of Future Technology, South China University of Technology, Guangzhou, China; College of Electronics and Information Engineering, Sichuan University, Chengdu, China
Title: A Stable and Efficient Data-Free Model Attack With Label-Noise Data Generation
Abstract:
The objective of a data-free closed-box adversarial attack is to attack a victim model without using internal information, training datasets or semantically similar substitute datasets. Concerned about stricter attack scenarios, recent studies have tried employing generative networks to synthesize data for training substitute models. Nevertheless, these approaches concurrently encounter challenges associated with unstable training and diminished attack efficiency. In this paper, we propose a novel query-efficient data-free closed-box adversarial attack method. To mitigate unstable training, for the first time, we directly manipulate the intermediate-layer feature of a generator without relying on any substitute models. Specifically, a label noise-based generation module is created to enhance the intra-class patterns by incorporating partial historical information during the learning process. Additionally, we present a feature-disturbed diversity generation method to augment the inter-class distance. Meanwhile, we propose an adaptive intra-class attack strategy to heighten attack capability within a limited query budget. In this strategy, entropy-based distance is utilized to characterize the relative information from model outputs, while positive classes and negative samples are used to enhance low attack efficiency. The comprehensive experiments conducted on six datasets demonstrate the superior performance of our method compared to six state-of-the-art data-free closed-box competitors in both label-only and probability-only attack scenarios. Intriguingly, our method can realize the highest attack success rate on the online Microsoft Azure model under an extremely low query budget. Additionally, the proposed approach not only achieves more stable training but also significantly reduces the query count for a more balanced data generation. Furthermore, our method can maintain the best performance under the existing defense models and a limited query budget.
PaperID: 551,   
Authors:  Minhong Sun, Jiazhong Teng, Xinyuan Liu, Wei Wang, Xingru Huang
Affiliations: College of Communication Engineering, Hangzhou Dianzi University, Hangzhou, China
Title: Few-Shot Specific Emitter Identification: A Knowledge, Data, and Model-Driven Fusion Framework
Abstract:
In the Industrial Internet of Things (IIoT) context, ensuring secure communication is essential. Specific Emitter Identification (SEI), which leverages subtle differences in radio frequency signals to identify distinct emitters, is key to enhancing communication security. However, traditional SEI methods often rely on large labeled datasets and complex signal processing techniques, which limit their practical applicability due to data acquisition challenges and inefficiency. To address these limitations, we propose a novel Few-shot Specific Emitter Identification (FS-SEI) approach named KDM. This method fuses deep learning with multi-modal data processing, utilizing a hybrid neural network architecture that combines handcrafted features, self-supervised learning, and few-shot learning techniques. Our framework improves learning efficiency and accuracy, especially in data-scarce scenarios. We evaluate KDM using open-source Wi-Fi and ADS-B datasets, and the results demonstrate that our method consistently outperforms existing state-of-the-art few-shot SEI approaches. For example, on the ADS-B dataset, KDM boosts accuracy from 60.99% to 75.34% as the sample count increases from 5-shot to 10-shot, surpassing other methods by over 10%. Similarly, on the Wi-Fi dataset, KDM achieves an impressive 88.94% accuracy in low-sample (5-shot) scenarios. The code is available at https://github.com/tengmouren/KDM2SEI.
PaperID: 552,   
Authors:  Tianchi Liao, Lele Fu, Lei Zhang, Lei Yang, Chuan Chen, Michael Kwok-Po Ng, Huawei Huang, Zibin Zheng
Affiliations: School of Software Engineering, Sun Yat-sen University, Zhuhai, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Department of Mathematics, Hong Kong Baptist University, Kowloon Tong, Hong Kong
Title: Privacy-Preserving Vertical Federated Learning With Tensor Decomposition for Data Missing Features
Abstract:
Vertical federated learning (VFL) allows parties to build robust shared machine learning models based on learning from distributed features of the same samples, without exposing their own data. However, current VFL solutions are limited in their ability to perform inference on non-overlapping samples, and data stored on clients is often subject to loss due to various unavoidable factors. This leads to incomplete client data, where client missing features (MF) are frequently overlooked in VFL. The main aim of this paper is to propose a VFL framework to handle missing features (MFVFL), which is a tensor decomposition network-based approach that can effectively learn intra- and inter-client feature information from client data with missing features to improve VFL performance. In the proposed MFVFL method, each client imputes missing values and encodes features to learn intra-feature information, and the server collects the uploaded feature embeddings as input to our developed low-rank tensor decomposition network to learn inter-feature information. Finally, the server aggregates the representations from tensor decomposition to train a global classifier. In the paper, we theoretically guarantee the convergence of MFVFL. In addition, differential privacy (DP) for data privacy protection is always used, and the proposed framework (MFVFL-DP) can deal with such degraded data by using a tensor robust PCA to alleviate the impact of noise while preserving data privacy. We conduct extensive experiments on six datasets of different sample sizes and feature dimensions, and demonstrate that MFVFL significantly outperforms state-of-the-art methods, especially under high missing ratios. The experimental results also show that MFVFL-DP possesses excellent denoising capabilities and illustrate that the noise introduced by the DP mechanism can be alleviated.
PaperID: 553,   
Authors:  Jie Cai, Jiachi Chen, Tao Zhang, Xiapu Luo, Xiaobing Sun, Bin Li
Affiliations: School of Information Engineering, Yangzhou University, Jiangsu, China; School of Software Engineering, Sun Yat-sen University, Zhuhai, China; School of Computer Science and Engineering, Macau University of Science and Technology, Macau, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
Title: Detecting Reentrancy Vulnerabilities for Solidity Smart Contracts With Contract Standards-Based Rules
Abstract:
The reentrancy vulnerability is one of the most notorious vulnerabilities of smart contracts. It enables attackers to hijack the control flow of a smart contract by invoking a function as the entry point and then re-invoking a function as the reentry point before the execution of the entry point ends. Although several approaches have been proposed to detect this vulnerability, they still face two main limitations. Firstly, existing approaches oversimplify the rules for identifying entry and reentry points, and many even neglect reentry point identification during vulnerability detection. Secondly, most existing approaches overlook the flow of state variables that are not promptly updated, a critical aspect of the reentrancy vulnerability. To address the limitations mentioned above, this article proposes a novel static analysis framework for reentrancy vulnerability detection. We formulate reentrancy vulnerability detection as entry and reentry point identification with state variable flow tracking. Based on the insight that most smart contracts are implemented following various technical standards, we utilize static analysis with standard-based rules to identify potential entry and reentry points. This is achieved by detecting the presence of hijackable and exploitable operations inside the smart contract. Meanwhile, we also conduct state variable flow tracking by static taint analysis. To verify the effectiveness of our proposed approach, we construct three different datasets. Then we compare our approach with eight state-of-the-art smart contract vulnerability detectors, and our tool outperforms these baselines in detecting more vulnerable samples with fewer false positive samples. Meanwhile, our approach achieves a relatively shorter detection time with better detection results, achieving a trade-off between effectiveness and efficiency.
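The entry point / reentry point / stale state variable pattern that the abstract above describes can be seen end to end in a small executable model. The following is an added example written for this listing; it is not the paper's tool, nor Solidity, nor any code from the authors. It models an EVM-style contract in Python: `withdraw` is the entry point, the call to the caller's `receive` hook stands in for the external call (the hijackable operation), and the attacker's hook re-invokes `withdraw` (the reentry point) while `balances[caller]` has not yet been updated. The bank, attacker and amounts are constructed for the illustration; the model assumes that a failed inner call behaves like a low-level call whose failure the attacker ignores, rather than reverting the whole transaction.

```python
"""Toy model of reentrancy: entry point, reentry point and a state variable
that is updated too late. Added example, not the paper's code or Solidity."""


class VulnerableBank:
    """`withdraw` performs the external call *before* clearing the caller's
    balance, so the balance (a state variable) is not promptly updated."""

    def __init__(self):
        self.balances = {}   # account object -> recorded balance
        self.vault = 0       # total funds actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.vault += amount

    def withdraw(self, caller):              # entry point
        amount = self.balances.get(caller, 0)
        if amount == 0 or self.vault < amount:
            raise ValueError("nothing to withdraw")
        self.vault -= amount
        caller.receive(self, amount)         # external call: hijackable operation
        self.balances[caller] = 0            # effect after interaction: too late


class SafeBank(VulnerableBank):
    """Checks-effects-interactions: the balance is zeroed before the external
    call, so a re-entered `withdraw` sees 0 and fails."""

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0 or self.vault < amount:
            raise ValueError("nothing to withdraw")
        self.balances[caller] = 0            # effect first
        self.vault -= amount
        caller.receive(self, amount)         # interaction last


class Attacker:
    """Its `receive` hook is the reentry point: it calls `withdraw` again
    before the first invocation has finished."""

    def __init__(self, max_rounds=10):
        self.gained = 0
        self.rounds = 0
        self.max_rounds = max_rounds         # bound stands in for the gas limit

    def receive(self, bank, amount):
        self.gained += amount
        self.rounds += 1
        if self.rounds < self.max_rounds:
            try:
                bank.withdraw(self)          # re-enter the entry point
            except ValueError:
                pass                         # assumption: failed call is ignored


def run_scenario(bank_cls):
    """Constructed scenario: an honest user deposits 3, the attacker deposits 1,
    then the attacker withdraws once. Returns (attacker gain, funds left)."""
    bank = bank_cls()
    honest = object()
    attacker = Attacker()
    bank.deposit(honest, 3)
    bank.deposit(attacker, 1)
    bank.withdraw(attacker)
    return attacker.gained, bank.vault


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableBank))   # attacker drains all 4
    print("safe:      ", run_scenario(SafeBank))         # attacker gets only 1
```

Against `VulnerableBank` the attacker walks away with all four units although its recorded balance was one, and the honest user's balance of three is still recorded against an empty vault. Against `SafeBank` the re-entered call sees a zero balance and fails, so the attacker receives exactly what it deposited. A static detector following the abstract's formulation would flag the first contract because a hijackable external call is reachable from the entry point while a state variable written after that call is still tainted by the pre-call value.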
PaperID: 554,   
Authors:  Jianhua Liu, Xin Wang, Kui Ren, Yiyi Zhou, Minglu Li
Affiliations: Department of Computer Science and Engineering, Shaoxing University, Shaoxing, China; Department of Electrical and Computer Engineering, State University of New York at Stony Brook, Stony Brook, NY, USA; State Key Laboratory of Blockchain, College of Computer Science and Technology, Zhejiang University, Hangzhou, China; College of Letters and Science, University of California at Berkeley, Berkeley, CA, USA; School of Computer Science and Technology, Zhejiang Normal University, Jinhua, China
Title: Secure Service Function Chain Provisioning for Task Offloading in Device-Edge-Cloud Computing
Abstract:
Service function chain (SFC) enables network service providers to provide low-latency services to end devices, such as computation-intensive task offloading services through SFC in device-edge-cloud (DEC) computing. However, DDoS attacks can render SFC unavailable and impact task offloading in DEC computing. In this paper, we propose a trust-cooperative virtualized network function (VNF) model based on coalition formation for SFC provisioning. The proposed model records coalition formation information as transactions in the blockchain to protect the VNF information from being tampered with by attackers. Coalition formation for SFC provisioning consists of two steps: VNF node identity verification and the decision to join the coalition. To address the issue of unreliability in SFC deployment due to attacks, we propose a cooperative SFC provisioning algorithm based on security-aware coalition formation to identify trustworthy VNFs for SFC. Moreover, to handle the instability of SFC provisioning caused by DDoS attacks, we present an SFC reprovisioning algorithm based on the stochastic evolutionary coalition game with reward machines (SECGRM) under the constraint of VNF service times. Experimental results show that our proposed algorithms effectively combat malicious attacks and significantly reduce cooperative SFC provisioning latency compared with existing leading approaches.
PaperID: 555,   
Authors:  Jingdan Kang, Haoxin Yang, Yan Cai, Huaidong Zhang, Xuemiao Xu, Yong Du, Shengfeng He
Affiliations: School of Future Technology, South China University of Technology, Guangzhou, China; School of Computer Science and Engineering, South China University of Technology, Guangzhou, China; School of Computer Science and Technology, Ocean University of China, Qingdao, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: SITA: Structurally Imperceptible and Transferable Adversarial Attacks for Stylized Image Generation
Abstract:
Image generation technology has brought significant advancements across various fields but has also raised concerns about data misuse and potential rights infringements, particularly with respect to creating visual artworks. Current methods aimed at safeguarding artworks often employ adversarial attacks. However, these methods face challenges such as poor transferability, high computational costs, and the introduction of noticeable noise, which compromises the aesthetic quality of the original artwork. To address these limitations, we propose a Structurally Imperceptible and Transferable Adversarial (SITA) attack. SITA leverages a CLIP-based destylization loss, which decouples and disrupts the robust style representation of the image. This disruption hinders style extraction during stylized image generation, thereby impairing the overall stylization process. Importantly, SITA eliminates the need for a surrogate diffusion model, leading to significantly reduced computational overhead. The method’s robust style feature disruption ensures high transferability across diverse models. Moreover, SITA introduces perturbations by embedding noise within the imperceptible structural details of the image. This approach effectively protects against style extraction without compromising the visual quality of the artwork. Extensive experiments demonstrate that SITA offers superior protection for artworks against unauthorized use in stylized generation. It significantly outperforms existing methods in terms of transferability, computational efficiency, and noise imperceptibility. Code is available at https://github.com/A-raniy-day/SITA.
PaperID: 556,   
Authors:  Yuying Liao, Xuechen Zhao, Bin Zhou, Yanyi Huang
Affiliations: College of Computer Science and Technology, National University of Defense Technology, Changsha, China
Title: CapsuleBD: A Backdoor Attack Method Against Federated Learning Under Heterogeneous Models
Abstract:
Federated learning under heterogeneous models, as an innovative approach, aims to break through the constraints of vanilla federated learning on the consistency of model architectures to better accommodate the heterogeneity of data distributions and hardware resource constraints in mobile computing scenarios. While significant attention has been given to backdoor risks in federated learning, the impact on heterogeneous models remains insufficiently investigated, where devices contribute models with varying structures. The reduction in the number of benign local model neurons that the adversary can manipulate through the global model reduces the attack surface. To address this issue, we propose a white-box multi-target backdoor attack method, CapsuleBD, against heterogeneous federated learning. Specifically, we design a model decoupling method to separate the benign and malicious task training pipelines through weight reassignment. The model responsible for the benign tasks is structurally larger than the malicious one, resembling a capsule encapsulating a harmful substance impacting multiple heterogeneous models. Our comprehensive experiments demonstrate the effectiveness of CapsuleBD in seamlessly embedding triggers into heterogeneous local models, sustaining a remarkable 99.5% average attack success rate against all benign users even with a 50% reduction in the attack space.
PaperID: 557,   
Authors:  Guangjie Han, Weitao Wang, Zhengwei Xu
Affiliations: Jiangsu Key Laboratory of Power Transmission and Distribution Equipment Technology, Hohai University, Changzhou, China; Nanjing Research Institute of Electronics Technology, Nanjing, China; College of Computer and Information Engineering, Henan Normal University, Xinxiang, China
Title: A Multi-Granularity Deep Signal Shrinkage Network for Noise-Robust Specific Emitter Identification
Abstract:
Wireless network security is a significant issue in wireless communication systems. Specific emitter identification (SEI) technology, as an effective physical layer authentication method, has been extensively studied. Methods based on deep learning (DL) for SEI have emerged as the predominant approach, attributed to their end-to-end recognition framework and enhanced capability for feature extraction. However, the training of DL models relies on high-quality data, and data collection in real-world scenarios often takes place in low signal-to-noise ratio (SNR) environments, leading to poor model training performance. This paper presents a novel solution, the Multi-Granularity Deep Signal Shrinkage Network (MGDSSN), for the challenging task of SEI in low SNR environments. To this end, the proposed MGDSSN incorporates soft thresholding processing and employs subnetworks for adaptive thresholding, effectively eliminating noise-related features and achieving robust SEI in low SNR environments. Additionally, MGDSSN incorporates a multi-granularity deep signal network architecture that improves the recognition accuracy and stability of the model. This is achieved by capturing the interrelated attributes of in-phase/quadrature-phase (I/Q) signals and features at multiple levels of granularity. Experiments conducted with a real-world dataset reveal that the proposed MGDSSN surpasses the current state-of-the-art SEI methods in low SNR environments, demonstrating robust SEI and verifying the superiority of the proposed method.
PaperID: 558,   
Authors:  Lingling Wang, Mei Huang, Zhengyin Zhang, Meng Li, Jingjing Wang, Keke Gai
Affiliations: School of Information Science and Technology, Qingdao University of Science and Technology, Qingdao, Shandong, China; School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, Anhui, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: RaSA: Robust and Adaptive Secure Aggregation for Edge-Assisted Hierarchical Federated Learning
Abstract:
Secure Aggregation (SA), in the Federated Learning (FL) setting, enables distributed clients to collaboratively learn a shared global model while keeping their raw data and local gradients private. However, when SA is implemented in edge-intelligence-driven FL, the open and heterogeneous environments will hinder model aggregation, slow down model convergence speed, and decrease model generalization ability. To address these issues, we present a Robust and adaptive Secure Aggregation (RaSA) protocol to guarantee robustness and privacy in the presence of non-IID data, heterogeneous systems, and malicious edge servers. Specifically, we first design an adaptive weights updating strategy to address the non-IID data issue by considering the impact of both gradient similarity and gradient diversity on the model aggregation. Meanwhile, we enhance privacy protection by preventing privacy leakage from both gradients and aggregation weights. Different from previous work, we address system heterogeneity in the case of malicious attacks, and the malicious behavior from edge servers can be detected by the proposed verifiable approach. Moreover, we eliminate the influence of straggling communication links and dropouts on the model convergence by combining efficient product-coded computing with repetition-based secret sharing. Finally, we perform a theoretical analysis that proves the security of RaSA. Extensive experimental results show that RaSA can ensure model convergence without affecting the generalization ability under non-IID scenarios. Moreover, the decoding of RaSA is 1.33× and 6.4× faster than the state-of-the-art product-coded and one-dimensional coded computing schemes, respectively.
PaperID: 559,   
Authors:  Zaiyu Pan, Shuangtian Jiang, Xiao Yang, Hai Yuan, Jun Wang
Affiliations: School of Information and Control Engineering, China University of Mining and Technology, Xuzhou, Jiangsu, China
Title: Hierarchical Cross-Modal Image Generation for Multimodal Biometric Recognition With Missing Modality
Abstract:
Multimodal biometric recognition has shown great potential in identity authentication tasks and has attracted increasing interest recently. Currently, most existing multimodal biometric recognition algorithms require test samples with complete multimodal data. However, they often encounter the problem of missing modality data and thus suffer severe performance degradation in practical scenarios. To this end, we propose a hierarchical cross-modal image generation approach for palmprint and palmvein based multimodal biometric recognition with missing modality. First, a hierarchical cross-modal image generation model is designed to achieve the pixel alignment of different modalities and reconstruct the image information of the missing modality. Specifically, a cross-modal texture transfer network is utilized to implement the texture style transformation between different modalities, and then a cross-modal structure generation network is proposed to establish the correlation mapping of structural information between different modalities. Second, a multimodal dynamic sparse feature fusion model is presented to obtain more discriminative and reliable representations, which can also enhance the robustness of our proposed model to dynamic changes in image quality of different modalities. The proposed model is evaluated on three multimodal biometric benchmark datasets, and experimental results demonstrate that our proposed model outperforms recent mainstream incomplete multimodal learning models.
PaperID: 560,   
Authors:  Yunna Lv, Long Tang, Dengpan Ye, Caiyun Xie, Jiacheng Deng, Yiheng He, Sipeng Shen
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Three-in-One: Robust Enhanced Universal Transferable Anti-Facial Retrieval in Online Social Networks
Abstract:
Deep hash-based retrieval techniques are widely used in facial retrieval systems to improve the efficiency of facial matching. However, they also carry the danger of exposing private information. Deep hash models are easily influenced by adversarial examples, which can be leveraged to protect private images from malicious retrieval. The existing adversarial example methods against deep hash models focus on universality and transferability, lacking research on their robustness in online social networks (OSNs), which leads to their failure in anti-retrieval after post-processing. Therefore, we provide the first in-depth discussion on robustness in universal transferable anti-facial retrieval and propose Three-in-One Adversarial Perturbation (TOAP). Specifically, we construct a local and global Compression Generator (CG) to simulate complex post-processing scenarios, which can be used to mitigate perturbations. Then, we propose robust optimization objectives based on the discovery of the variation patterns of the model’s distribution after post-processing, and generate adversarial examples using these objectives and meta-learning. Finally, we iteratively optimize the perturbation by alternately generating adversarial examples and fine-tuning the CG, balancing the performance of the perturbation while enhancing the CG’s ability to mitigate it. Numerous experiments demonstrate that, in addition to its advantages in universality and transferability, TOAP significantly outperforms current state-of-the-art methods in multiple robustness metrics. It further improves universality and transferability by 5% to 28%, and achieves up to about 33% significant improvement in several simulated post-processing scenarios as well as mainstream OSNs, demonstrating that TOAP can effectively protect private images from malicious retrieval in real-world scenarios.
PaperID: 561,   
Authors:  Xiaomeng Fu, Xi Wang, Qiao Li, Jin Liu, Jiao Dai, Jizhong Han, Xingyu Gao
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Institute of Microelectronics, Chinese Academy of Sciences, Beijing, China
Title: Unlocking Generative Priors: A New Membership Inference Framework for Diffusion Models
Abstract:
Diffusion models pose risks of privacy breaches and copyright disputes, primarily stemming from the potential utilization of unauthorized data during the training phase. Membership inference aims to determine whether a specific sample has been used in the training process of a target model, representing a critical tool for privacy violation verification. However, the increased model complexity and stochasticity inherent in diffusion render traditional shadow-model-based or metric-based methods ineffective when applied to diffusion models. Moreover, existing methods only yield binary classification labels which lack the necessary comprehensibility in practical applications. In this paper, we explore a novel perspective for membership inference by leveraging the intrinsic generative priors within the diffusion model. Compared with unseen samples, training samples exhibit stronger generative priors within the diffusion model, enabling the successful reconstruction of substantially degraded training images. Consequently, we propose the Degrade Restore Compare (DRC) framework. In this framework, an image undergoes sequential degradation and restoration, and its membership is determined by comparing it with the restored counterpart. Experimental results verify that our approach not only significantly outperforms existing methods in terms of accuracy but also provides comprehensible decision criteria, offering evidence for potential privacy violations.
PaperID: 562,   
Authors:  Xinzhong Liu, Jie Cui, Jing Zhang, Rongwang Yin, Hong Zhong, Lu Wei, Irina Bolodurina, Debiao He
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, and Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei, China; Department of Basic Experiment and Training, Hefei University, Hefei, China; Faculty of Mathematics and Information Technologies, Orenburg State University, Orenburg, Russia; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: BAST: Blockchain-Assisted Secure and Traceable Data Sharing Scheme for Vehicular Networks
Abstract:
In vehicular networks, caching service content on edge servers (ESs) is a widely accepted strategy for promptly responding to vehicle requests, reducing communication overhead, and improving service experience. However, implementing such an architecture requires addressing the challenges associated with ES response data reliability and communication security. In this study, to tackle the ES response data reliability issue, a blockchain-assisted threshold signature scheme for cache-based vehicular networks is proposed. The scheme utilizes a threshold mechanism to sign the data broadcast by the ES, incorporates blockchain to trace malicious signers, and avoids the shortcomings and limitations associated with idealized assumptions for the ES in existing data-sharing schemes. Moreover, considering the communication security and high-speed mobility of vehicles, using non-interactive signatures of knowledge based on the Σ-protocol, a secure and efficient message authentication scheme for vehicles and ESs is provided. Through rigorous security proofs and comprehensive analyses, our scheme satisfies the communication security requirements of vehicular networks. By leveraging the JPBC library for performance analysis, the proposed scheme demonstrates advantages in both computation and communication overhead compared to related schemes. Moreover, we implemented the proposed scheme on an Ethereum test network (i.e., Goerli) to validate its feasibility.
PaperID: 563,   
Authors:  Guowei Ling, Peng Tang, Jinyong Shan, Fei Tang, Weidong Qiu
Affiliations: School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai, China; Beijing Smartchip Microelectronics Technology Company Ltd., Beijing, China; School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing, China
Title: More Efficient, Privacy-Enhanced, and Powerful Privacy-Preserving Feature Retrieval Private Set Intersection
Abstract:
Private Set Intersection (PSI) allows two parties, the sender and the receiver, each possessing a private set, to compute the intersection of their sets, with only the receiver learning the intersection and without revealing any additional information. Privacy-Preserving Feature Retrieval PSI (P²FRPSI) is a variant of PSI. In P²FRPSI, the receiver designs a predicate and obtains the intersection of private sets that satisfy this predicate, while the sender learns nothing about the predicate. However, the existing two PRFPSI protocols (TIFS 2024), based respectively on the DH key agreement and Oblivious Pseudo-Random Function (OPRF), are not highly efficient due to their reliance on expensive homomorphic encryption. Moreover, the existing DH-based P²FRPSI protocol reveals the output size and the original intersection size to the sender. We also observed that the existing P²FRPSI protocols do not support threshold retrieval and the logical connective OR and can only work when feature values of the sender have very low dimensionality. This paper also proposes two new P²FRPSI protocols, one based on DH key agreement and the other based on OPRF, to fully address the issues present in existing P²FRPSI protocols. Our DH-based P²FRPSI is 30× faster than the existing DH-based protocol, with only a 36% increase in communication overhead. Furthermore, our OPRF-based P²FRPSI protocol is 2× as fast as the existing OPRF-based protocol and reduces communication overhead by a factor of 4.6. Our DH-based P²FRPSI protocol completely eliminates the leakage of the original intersection size and the output size. Meanwhile, our protocols support the logical connective OR for linking sub-predicates and also enable threshold-based retrieval. They are proven to be secure in the semi-honest model. Our open-source implementations can be found at https://github.com/ShallMate/pfrpsi, which can help readers understand our protocols and reproduce the experiments.
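The DH key agreement that the abstract's DH-based protocol builds on is the classic two-round DH-PSI, shown below as an added example for this listing; it is not the paper's P²FRPSI protocol (no predicate, no feature retrieval, no threshold or OR connective) and not code from the authors' repository. Both parties hash each item into a prime-order subgroup and raise it to a secret exponent; because exponentiation commutes, H(x)^(ab) can be compared on the receiver's side without either party learning the other's exponent. The group is a safe prime found at import time (assumption: 128 bits, far too small for real use, chosen only so the search finishes quickly); the two sets are constructed sample data.

```python
"""Two-round DH-based PSI (Meadows-style): receiver learns the intersection,
sender learns only the receiver's set size. Added example, not the paper's
P²FRPSI protocol. Group: quadratic residues of a toy-sized safe prime."""
import hashlib
import random

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def smallest_safe_prime(bits):
    """Deterministic search for p = 2q + 1 with both p and q prime."""
    q = (1 << (bits - 2)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = smallest_safe_prime(128)     # assumption: toy size; use >= 2048 bits or a curve
Q = (P - 1) // 2                 # order of the quadratic-residue subgroup


def hash_to_group(item):
    """SHA-256 the item, then square so the result lies in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(item).digest(), "big") % P
    return pow(h, 2, P) if h else 1


def receiver_round1(items, b):
    """Receiver -> Sender: H(y)^b for each y, in the receiver's own order."""
    return [pow(hash_to_group(y), b, P) for y in items]


def sender_round(items, received, a):
    """Sender -> Receiver: shuffled H(x)^a, plus (H(y)^b)^a in the received order."""
    own = [pow(hash_to_group(x), a, P) for x in items]
    _rng.shuffle(own)                           # hide which x produced which value
    return own, [pow(v, a, P) for v in received]


def receiver_finish(items, b, sender_values, doubly_masked):
    """Receiver raises the sender's values to b and matches them against its own."""
    sender_set = {pow(v, b, P) for v in sender_values}
    return sorted(y for y, v in zip(items, doubly_masked) if v in sender_set)


def run_psi(sender_items, receiver_items):
    """Runs the full exchange locally; returns the receiver's intersection."""
    a = _rng.randrange(1, Q)                    # sender's secret exponent
    b = _rng.randrange(1, Q)                    # receiver's secret exponent
    msg1 = receiver_round1(receiver_items, b)
    own, doubly = sender_round(sender_items, msg1, a)
    return receiver_finish(receiver_items, b, own, doubly)


if __name__ == "__main__":
    # constructed sample sets
    sender = [s.encode() for s in ("alice@x", "bob@x", "carol@x", "dave@x")]
    receiver = [s.encode() for s in ("carol@x", "erin@x", "alice@x")]
    print([v.decode() for v in run_psi(sender, receiver)])   # alice@x, carol@x
```

Note what this basic protocol leaks: the sender sees the receiver's set size and the receiver sees the sender's, and nothing in the exchange lets the receiver filter by a predicate without the sender learning something about it, which is the gap the abstract's P²FRPSI constructions address.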
PaperID: 564,   
Authors:  Xingwei Li, Yan Kang, Chenggang Wu, Danjun Liu, Jiming Wang, Yue Sun, Zehui Wu, Yunchao Wang, Rongkuan Ma, Qiang Wei
Affiliations: Information Engineering University, Zhengzhou, China; SKLP, Institute of Computing Technology, CAS, Beijing, China; National University of Defense Technology, Changsha, China
Title: Yesterday Once MorE: Facilitating Linux Kernel Bug Reproduction via Reverse Fuzzing
Abstract:
The Linux kernel remains vulnerable to numerous bugs, with approximately 65% of those detected by Syzkaller lacking a Proof-of-Concept (PoC), hampering risk mitigation efforts. These bugs, termed irreproducible kernel bugs, highlight the challenge of statefulness-related irreproducibility in kernel fuzzing, which remains an open research problem without definitive solutions. Our investigation reveals that suboptimal seed quality distribution in fuzzing is the root obstacle preventing effective tracking of the states leading to crashes. Inspired by this insight, we introduce Reverse Fuzzing (RF), an innovative approach that infers hard-to-reach states by continuously deriving them in reverse from subsequently encountered bridge states to increase reproduction probability. RF differentiates between the “trigger” seed, which directly causes crashes, and “activator” seeds, which establish the necessary preconditions, prioritizing exploration around the trigger while simultaneously regenerating and maintaining activators during fuzzing, which effectively facilitates restructuring such elusive states from “yesterday”. We implement YOME, a prototype leveraging RF to strike a balance between fuzzing efficiency and effectiveness through customized scheduling and mutation strategies, armed with a refinement mechanism to improve seed quality distribution. Our evaluations validate that YOME reproduces 110% more bugs than previous kernel fuzzers and demonstrate its practicality in real-world scenarios. YOME generated 125 PoCs (30.1% of the total) and uncovered 23 unique bugs, with 40 confirmed and 5 assigned CVEs.
PaperID: 565,   
Authors:  Junqing Zhang, Francesco Ardizzon, Mattia Piana, Guanxiong Shen, Stefano Tomasin
Affiliations: Department of Electrical Engineering and Electronics, University of Liverpool, Liverpool, U.K.; Department of Information Engineering, University of Padova, Padua, Italy; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Physical Layer-Based Device Fingerprinting for Wireless Security: From Theory to Practice
Abstract:
The identification of the device from which a message is received is part of the security mechanisms that ensure authentication in wireless communications. Conventional authentication approaches are cryptography-based; however, they are usually computationally expensive and not adequate for the Internet of Things (IoT), where devices tend to be low-cost and resource-limited. This paper provides a comprehensive survey of physical layer-based device fingerprinting, an emerging device authentication technique for wireless security. In particular, this article focuses on hardware impairment-based identity authentication and channel feature-based authentication. Both are passive techniques that are readily applicable to legacy IoT devices. Their intrinsic hardware and channel features, algorithm design methodologies, application scenarios, and key research questions are extensively reviewed here. The remaining research challenges are discussed, and future work that can further enhance physical layer-based device fingerprinting is suggested.
PaperID: 566,   
Authors:  Susu Cui, Xueying Han, Dongqi Han, Zhiliang Wang, Weihang Wang, Bo Jiang, Baoxu Liu, Zhigang Lu
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, Beijing University of Posts and Telecommunications, Beijing, China; Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China; University of Southern California, Los Angeles, CA, USA
Title: FG-SAT: Efficient Flow Graph for Encrypted Traffic Classification Under Environment Shifts
Abstract:
Encrypted traffic classification plays a critical role in network security and management. Currently, mining deep patterns from side-channel contents and plaintext fields through neural networks is a major solution. However, existing methods have two major limitations: 1) They fail to recognize the critical link between transport layer mechanisms and applications, missing the opportunity to learn internal structure features for accurate traffic classification. 2) They assume network traffic in an unrealistically stable and singular environment, making it difficult to effectively classify real-world traffic under environment shifts. In this paper, we propose FG-SAT, the first end-to-end method for encrypted traffic analysis under environment shifts. We propose a key abstraction, the Flow Graph, to represent flow internal relationship structures and rich node attributes, which enables robust and generalized representation. Additionally, to address the problem of inconsistent data distribution under environment shifts, we introduce a novel feature selection algorithm based on Jensen-Shannon divergence (JSD) to select robust node attributes. Finally, we design a classifier, GraphSAT, which integrates GraphSAGE and GAT to deeply learn Flow Graph features, enabling accurate encrypted traffic identification. FG-SAT exhibits both efficient and robust classification performance under environment shifts and outperforms state-of-the-art methods in encrypted attack detection and application classification.
PaperID: 567,   
Authors:  Qiuyun Tong, Junyi Deng, Xinghua Li, Yinbin Miao, Yunwei Wang, Robert H. Deng
Affiliations: State Key Laboratory of Integrated Services Networks and the School of Cyber Engineering, Xidian University, Xi’an, China; School of Information Systems, Singapore Management University, Victoria St, Singapore
Title: Oblivious Encrypted Keyword Search With Fine-Grained Access Control for Cloud Storage
Abstract:
With the rapid expansion of data volumes in cloud computing, more data owners are opting to outsource their data to cloud service providers to reduce local storage and management costs. However, data outsourcing deprives data owners of direct physical control over their data, increasing the risk of unauthorized access and exposure of sensitive information. To mitigate these risks, various privacy-preserving keyword search schemes with access control have been developed, but many are vulnerable to leakage-abuse attacks due to the exposure of access, search or volume patterns, which can lead to privacy breaches in outsourced data and queries. To solve this problem, we propose an oblivious encrypted keyword search scheme with fine-grained access control, called OEKA. It enables efficient oblivious keyword search over encrypted multi-maps by using an adapted XOR filter and a distributed point function, ensuring protection of access, search and volume patterns. Moreover, OEKA enforces role-based access control by using a polynomial-based access strategy and keyword-based private information retrieval, allowing the access policies of retrieved objects to be checked without revealing the objects themselves. A formal security analysis verifies the scheme’s robustness, and experimental results demonstrate its practical efficiency.
PaperID: 568,   
Authors:  Junxi Chen, Junhao Dong, Xiaohua Xie, Jianhuang Lai
Affiliations: School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore
Title: Releasing Inequality Phenomenon in l∞-Norm Adversarial Training via Input Gradient Distillation
Abstract:
Adversarial training (AT) is considered the most effective defense against adversarial attacks. However, a recent study revealed that ℓ∞-norm adversarial training (ℓ∞-AT) will also induce unevenly distributed input gradients, which is called the inequality phenomenon. This phenomenon makes the ℓ∞-norm adversarially trained model more vulnerable than the standard-trained model when high-attribution or randomly selected pixels are perturbed, enabling robust and practical closed-box attacks against ℓ∞-adversarially trained models. In this paper, we propose a simple yet effective method called Input Gradient Distillation (IGD) to release the inequality phenomenon in ℓ∞-AT. IGD distills the standard-trained teacher model’s equal decision pattern into the ℓ∞-adversarially trained student model by aligning input gradients of the student model and the standard-trained model with the Cosine Similarity. Experiments show that IGD can mitigate the inequality phenomenon and its threats while preserving adversarial robustness. Compared to vanilla ℓ∞-AT, IGD reduces error rates against inductive noise, inductive occlusion, random noise, and noisy images in ImageNet-C by up to 60%, 16%, 50%, and 21%, respectively. Other than empirical experiments, we also conduct a theoretical analysis to explain why releasing the inequality phenomenon can improve such robustness and discuss why the severity of the inequality phenomenon varies according to the dataset’s image resolution. Our code is available at https://github.com/fhdnskfbeuv/Inuput-Gradient-Distillation
PaperID: 569,   
Authors:  Yipeng Liu, Zhanqing Li, Xiao Lu, Jiajin Qi, Qi Zhong, Hangtao Yu, Peng Chen, Ronghua Liang
Affiliations: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China
Title: Orthogonal View-Based Attention Network for Layer Segmentation of 3D OCT Fingerprints
Abstract:
Recently, optical coherence tomography (OCT) has been used to noninvasively image the 3D structure of fingertip skin at high resolution. Unlike traditional 2D sensors (e.g., infrared light or capacitive technologies), the friction ridge information in 3D OCT fingerprint measurements requires reconstruction through layer segmentation. Accurate layer segmentation is helpful for fingerprint recognition and antispoofing applications. OCT volumes contain information corresponding to different directions that naturally provide complementary views. Inspired by this fact, we propose a novel orthogonal view-based attention network called OVA-Net, which exploits orthogonal views to learn the complementary information implied in the 3D fingerprint structure. Specifically, 3D convolutions and an A-line-based attention module are proposed in the B-scan view to model the long short-term intraslice correlations, whereas their counterparts in the C-scan view aim to model interslice correlations. An optical flow-based attention module is also proposed in the B-scan view to extract correlations between B-scans, which complements the interslice correlation learned in the C-scan view. Features from orthogonal views are progressively incorporated into a fusion pipeline for 3D layer segmentation. The effectiveness of OVA-Net is comprehensively evaluated in terms of layer segmentation accuracy, fingerprint reconstruction quality, and recognition performance.
PaperID: 570,   
Authors:  Yu Chen, Yuanchao Chen, Ruipeng Wang, Taiyan Wang, Shouling Ji, Hong Shan, Dan Xu, Zulie Pan
Affiliations: College of Electronic Engineering, National University of Defense Technology, Hefei, China; College of Computer Science and Technology, Zhejiang University, Hangzhou, China; Academy of Military Science of the People’s Liberation Army, Beijing, China
Title: Whiskey: Large-Scale Identification of Mobile Mini-App Session Key Leakage With LLMs
Abstract:
Mini-apps, which run on super-apps, have attracted a large number of users due to their lightweight nature and the convenience of supporting the authorized use of super-app user information. Super-apps employ encryption, keyed with the session key, to protect the transmission of sensitive identity information that users have authorized the mini-app to access. However, we have identified a risk of session key leakage, which could be exploited to maliciously manipulate sensitive user identity information, thereby posing a significant threat to user data security. To demonstrate this impact, we explore potential business scenarios of session key leakage in detail. Nevertheless, the diversity in design among various mini-apps makes automated testing of these business scenarios at a large scale challenging. This diversity is reflected in the inconsistent naming of identical types of controls and the disparate execution orders of controls within the same business scenarios across different mini-apps. To overcome these challenges, we propose Whiskey, which can adaptively and intelligently optimize dynamic testing strategies for mini-apps with diverse designs using large language models to detect session key leakage at scale. We evaluated Whiskey on 157,063 WeChat mini-apps and 10,000 TikTok mini-apps, and found that 15,712 WeChat mini-apps and 678 TikTok mini-apps had session key leakage vulnerabilities. Further analysis showed that this leakage could lead to account takeover and promotion abuse attacks. We responsibly reported the detection results to Tencent and the mini-app vendors. At the time of submission, 17 reported issues had been assigned CNVD IDs.
PaperID: 571,   
Authors:  Caihong Yan, Xiaofeng Lu, Pietro Lio, Pan Hui
Affiliations: National Engineering Center for Mobile Internet Security Technology, Beijing University of Posts and Telecommunications, Beijing, China; Computer Laboratory, University of Cambridge, Cambridge, U.K.; Computational Media and Arts Thrust, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, China
Title: EARVP: Efficient Aggregation for Federated Learning With Robustness, Verifiability, and Privacy
Abstract:
In federated learning, malicious attackers may control clients and servers to perform gradient poisoning, forge aggregation results, and infer individual gradient privacy, posing serious security threats. However, existing research has not effectively addressed these three security requirements under a strong threat model. To tackle this issue, we propose an Efficient Aggregation for Federated Learning with Robustness, Verifiability, and Privacy (EARVP): 1) The Privacy-Preserving Two-Party Kernel Principal Component Analysis (PPTKPCA) combined with the DP-Tolerant Two-Party Density Clustering (DPTTDC) achieves strong robustness; 2) The Distributed Trust Aggregation Integrity Verification (DTAIV) ensures strong verifiability even in the presence of collusion; 3) The Gradient-Lossless Enhancement of Client-Level Differential Privacy (GLECLDP) ensures that the lossless gradient generation stage satisfies malicious privacy security and that gradient updates meet (ε, δ)-DP during the defense stage; and 4) The entire process employs lightweight protocols to achieve efficiency. Theoretical analysis proves that EARVP ensures semi-honest privacy security, malicious privacy security, and aggregation verifiability. Experimental results further demonstrate the robustness and efficiency of the system. Compared to state-of-the-art algorithms, EARVP improves test accuracy by 14.51%, detection accuracy by 13.37%, reduces poisoning success rate by 1.89%, lowers defense overhead by 13.78% compared to homomorphic encryption schemes, and reduces verification costs by a large magnitude.
PaperID: 572,   
Authors:  Xixi Zhang, Yu Wang, Tomoaki Ohtsuki, Guan Gui, Chau Yuen, Marco Di Renzo, Hikmet Sari
Affiliations: Department of Internet of Things Engineering, Hohai University, Changzhou, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; Department of Information and Computer Science, Keio University, Yokohama, Kanagawa, Japan; School of Electrical and Electronics Engineering, Nanyang Technological University, Jurong West, Singapore; CNRS, CentraleSupélec, Laboratoire des Signaux et Systèmes, Université Paris-Saclay, Gif-sur-Yvette, France
Title: Malware Traffic Classification via Expandable Class Incremental Learning With Architecture Search
Abstract:
Malware traffic classification (MTC) is a crucial step in network intrusion detection and is significant for network security and management. With the continuous evolution of malware traffic, traditional MTC methods struggle to adapt efficiently to new traffic categories, and manually designed neural network structures suffer from performance bottlenecks and low design efficiency. Hence, we propose an enhanced MTC method based on expandable class incremental learning (CIL) with architecture search. The architecture search can automatically design the optimal neural network structure tailored to different network traffic characteristics, avoiding the limitations of manually designed network structures and improving classification performance. Meanwhile, expandable CIL allows the MTC model to gradually learn new traffic categories without forgetting previous knowledge, avoiding the computational overhead and efficiency loss caused by frequent retraining of the model. The experimental results demonstrate that the proposed CIL-MTC approach surpasses advanced incremental learning methods on both the Edge-IIoTset and ISCX VPN-nonVPN datasets, achieving superior classification performance while maintaining fewer average trainable parameters and lower training costs. In particular, it achieves an average incremental accuracy of 98.55% and 99.09% on the Edge-IIoTset dataset with incremental tasks of 5 and 2, respectively.
PaperID: 573,   
Authors:  Bin Wei, Junyong Zhai, Ju H. Park
Affiliations: Key Laboratory of Measurement and Control of CSE, Ministry of Education, School of Automation, Southeast University, Nanjing, China; Department of Electrical Engineering, Yeungnam University, Gyeongsan, South Korea
Title: Remote State Estimation Under Strategic DoS Attack Policy: Tackling Joint Constraints
Abstract:
In this paper, a refined strategic denial-of-service (DoS) attack mechanism is proposed, whose objective is to intercept specific measurements obeying the Round-Robin protocol (RRP) and enlarge the attack destructiveness at the side of the remote estimator. The distinctive contributions of this research can be stressed as follows: firstly, in contrast to the majority of existing DoS attack policies, the considered attack sequence is stochastic, selectively targeting information crucial to the transmission process. Secondly, the considered attack mechanism yields greater disruption than the periodic or Bernoulli-distributed DoS attack models. Additionally, the limited average attack rate (AAR) and the energy allocation procedure (EAP), which together reflect the energy constraints of DoS attacks, are jointly merged into a unified random framework. The relationship between these constraints and the attack probability is established by resorting to stochastic analysis methods. Finally, two numerical examples are provided to demonstrate the effectiveness and usefulness of the proposed attack policy.
PaperID: 574,   
Authors:  Guiyun Liu, Haozhe Xu, Jiayue Zhang, Zhongwei Liang, Xiaojing Zhong
Affiliations: School of Mechanical and Electric Engineering, Guangzhou University, Guangzhou, China
Title: Spatiotemporal Control Optimization of Malware Propagation in Internet of Underwater Things
Abstract:
The Internet of Underwater Things (IoUT), widely utilized in data collection, ocean exploration and disaster prevention, is prone to malware attacks. To accurately describe the spatiotemporal dynamics of malware propagation in IoUT, a new Reaction-Diffusion Sleep Control Model (RDSCM) based on Partial Differential Equations (PDEs) is established in this paper. To target heavily infected regions and optimize control costs, a spatiotemporal hybrid optimal control strategy is implemented. First, based on the formulation of the spatiotemporal optimal control problem, the existence, uniqueness, and some estimates of the strong solution of the controlled system are obtained using the truncation method and semigroup theory. Then, the existence of the optimal pair is verified through the minimization sequence technique. Subsequently, the first-order necessary optimality condition for the optimal control problem of PDEs is derived by proving the differentiability of the control-to-state mapping. To validate the effectiveness of the proposed model and control methodology, three comparative experimental studies are conducted. Finally, some discussions are provided on the extension and application of the proposed method.
PaperID: 575,   
Authors:  Yang Liu, Gaofei Ruan, Zian Luo, Shilong Zhang, Donghao Liu, Xin Fan, Yadong Zhou, Ting Liu
Affiliations: MOE KLINNS Laboratory, Xi’an Jiaotong University, Xi’an, Shaanxi, China; Shaanxi Electric Power Corporation Ltd., Xi’an, Shaanxi, China
Title: DeepDRAC: Disposition Recommendation for Alert Clusters Based on Security Event Patterns
Abstract:
In the security operation center, false positive alerts generated by security devices overwhelm security operators, leading to alert fatigue and inefficiency in identifying real threats. This paper introduces DeepDRAC, a disposition recommendation method for alert clusters that is based on security event patterns. Our main idea is to reconstruct isolated alerts into security events and capture their essential threat characteristics as patterns. By recommending pattern information, we enable batch, interpretable disposal of alerts. First, DeepDRAC aggregates correlated alerts into a graph representing a security event. Then, it extracts the features of the security event from two aspects: basic features via statistical methods and detailed features via a carefully designed Graph Neural Network (GNN) that focuses on edge features. Since many false alerts triggered by the same cause often recur in a fixed pattern, DeepDRAC translates basic features into interpretable descriptors to define the basic pattern, whereas GNN embeddings complement detailed semantic information, serving as the detailed pattern; together they form the pattern of the security event. The pattern describes the critical information of the security event, so security events with the same pattern are clustered for batch processing. Finally, with few manually labeled security events, DeepDRAC can conduct automatic disposition recommendations for newly arrived alerts, significantly reducing the workload of alert analysis. We evaluate our approach on two benchmark datasets (i.e., DARPA 1999 and CIC-IDS2017) and a real-world dataset from a large power company. The extensive experimental results demonstrate that our approach can alleviate alert fatigue more efficiently and accurately than the two state-of-the-art defense approaches can.
PaperID: 576,   
Authors:  Xiaohan Yuan, Jiqiang Liu, Bin Wang, Guorong Chen, Xiangrui Xu, Junyong Wang, Tao Li, Wei Wang
Affiliations: Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, China; Haihe Lab of ITAI, Tianjin, China
Title: FedEditor: Efficient and Effective Federated Unlearning in Cooperative Intelligent Transportation Systems
Abstract:
In cooperative intelligent transportation systems (CITS), federated learning enables vehicles to train a global model without sharing private data. However, the lack of an unlearning mechanism to remove the influence of vehicle-specific data from the global model potentially violates data protection regulations regarding the right to be forgotten. While the existing federated unlearning (FU) methods exhibit promising unlearning effects, their practicality in CITS is hindered by the time-consuming retraining steps required by other vehicles and the non-negligible performance sacrifice on the un-forgotten data. Therefore, achieving effective unlearning without extensive retraining, while minimizing performance degradation on the un-forgotten data, remains a challenge. In this work, we propose FedEditor, an efficient and effective FU framework in CITS that addresses the above challenge by reconfiguring the global model’s representation space to remove critical classification-related knowledge from the unlearned data. Firstly, FedEditor enables vehicles to perform the unlearning process locally on the global model, eliminating the participation of other vehicles and improving efficiency. Secondly, FedEditor captures and aligns the representations of the unlearned data with those of the nearest incorrect class centroid derived from non-training data, ensuring effective unlearning while preserving the un-forgotten data’s knowledge relatively intact for achieving competitive model performance. Finally, FedEditor refines the global model’s output distributions using the vehicles’ remaining data and incorporates a drift-mitigating regularization term, minimizing the negative impact of unlearning operations on model performance. Experimental results show that FedEditor reduces the unlearning rate by up to 99.64% without time-consuming retraining, while limiting the predictive performance loss of the resulting global model to less than 3.88% across five models and seven datasets.
PaperID: 577,   
Authors:  Bingliang Jiao, Lingqiao Liu, Liying Gao, Dapeng Oliver Wu, Guosheng Lin, Peng Wang, Yanning Zhang
Affiliations: School of Computer Science, Northwestern Polytechnical University, Xi’an, China; School of Computer Science, The University of Adelaide, Adelaide, SA, Australia; Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore
Title: Generalizable Person Re-Identification From a 3D Perspective: Addressing Unpredictable Viewpoint Changes
Abstract:
Most existing Domain Generalizable Person Re-identification (DG-ReID) methods focus on addressing style disparities between domains but often overlook the impact of unpredictable camera view changes, which we have identified as a significant factor responsible for poor generalization performance. To address this issue, we propose a novel approach from a 3D perspective, utilizing a customized 2D-to-3D reconstruction model to convert images captured from arbitrary camera views into canonical view images. However, merely applying a 3D reconstruction model in isolation may not result in improved DG-ReID performance, as reconstruction quality can be influenced by multiple factors, such as insufficient image resolution, extreme viewpoint, and environmental variations. These factors may lead to error accumulation and the loss of critical discriminative clues in the reconstructed results. To address this difficulty, we propose fusing the canonical view image with the original image using a transformer-based module. The transformer’s cross-attention mechanism is ideal for aligning and fusing the key semantic clues of the original image with the canonical view image, compensating for reconstruction errors. We demonstrate the effectiveness of our method through extensive experiments in various evaluation settings, achieving superior DG-ReID performance compared to existing approaches. Our approach addresses the impact of unpredictable camera view changes and provides a new perspective for designing DG-ReID methods.
PaperID: 578,   
Authors:  Xiping Sun, Jing Chen, Kun He, Zhixiang He, Ruiying Du, Yebo Feng, Qingchuan Zhao, Cong Wu
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore; Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong; Department of Electrical and Electronic Engineering, The University of Hong Kong, Pokfulam, Hong Kong
Title: SCR-Auth: Secure Call Receiver Authentication on Smartphones Using Outer Ear Echoes
Abstract:
Receiving calls is one of the most universal functions of smartphones, involving sensitive information and critical operations. Unfortunately, to prioritize convenience, the current call receiving process bypasses smartphone authentication mechanisms (e.g., passwords, fingerprint recognition, and face recognition), leaving a significant security gap. To address this issue, we propose SCR-Auth, a secure call receiver authentication scheme for smartphones that leverages outer ear echoes. It sends inaudible acoustic signals through the earpiece speaker to actively sense the call receiver’s outer ear structure and records the resulting echoes using the top microphone. These echoes are then analyzed to extract unique outer ear biometric information for authentication. It operates implicitly, without requiring extra hardware or imposing additional burden. Comprehensive experiments conducted under diverse conditions demonstrate SCR-Auth’s effectiveness and security, showing an average balanced accuracy of 96.95% and resilience against potential attacks.
PaperID: 579,   
Authors:  Xiaopu Ma, Xiancong Li, Yingyan He, Qinglei Qi, He Li
Affiliations: School of Artificial Intelligence and Software Engineering, Nanyang Normal University, Nanyang, Henan, China
Title: BDTM: Bidirectional Detection and Traceability Mitigation of LDoS Attacks in SDN
Abstract:
Although Software-Defined Networking (SDN) introduces architectural innovations, it retains fundamental network properties. As a result, Low-rate Denial of Service (LDoS) attacks, which exploit bottleneck links and TCP congestion control mechanisms, still pose a serious threat to SDN. Currently, to accurately detect LDoS attacks at lower average attack rates, many methods focus on extracting and analyzing single-dimensional features. However, these methods are often complex and offer only limited improvements in detection accuracy. Moreover, critical security vulnerabilities in mainstream mitigation strategies highlight their inability to ensure long-term stability. To this end, we propose BDTM, a cross-dimensional bidirectional detection and traceability mitigation scheme. Through attack parameter estimation with a precision of 0.1s, BDTM achieves precise detection of LDoS attacks that incorporate IP spoofing. In terms of mitigation, we have identified, verified, and resolved critical vulnerabilities in existing mainstream mitigation strategies for the first time. Upon detecting an attack, BDTM rapidly mitigates the ongoing anomaly while performing reverse-flow tracing to pinpoint the attacking host. Ultimately, BDTM enforces port-level isolation targeting the attacker rather than the attack flows, ensuring more effective and comprehensive mitigation. Experimental results demonstrate that BDTM achieves a high detection accuracy of 98.85%, with an average response time of just 5.67s when performing attack traceability.
PaperID: 580,   
Authors:  Xiaoyi Pang, Zhibo Wang, Defang Liu, Jiahui Hu, Peng Sun, Meng Luo, Kui Ren
Affiliations: State Key Laboratory of Blockchain and Data Security and the School of Cyber Science and Technology, Zhejiang University, Hangzhou, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Mathematics and Computer Sciences, Nanchang University, Nanchang, China; College of Computer Science and Electronic Engineering, Hunan University, Changsha, China; School of Computing, National University of Singapore, Singapore, Singapore
Title: Poisoning Attacks to Knowledge Distillation-Based Federated Learning Under Robust Aggregation Rules
Abstract:
Federated learning (FL) is susceptible to poisoning attacks. To defend against such threats, robust aggregation rules (AGRs) are typically deployed on the server to identify or filter clients’ potentially malicious submissions based on statistical similarity. Recently, knowledge distillation (KD) has been widely used in FL to facilitate collaborative learning among clients that have heterogeneous model architectures by aggregating and distilling architecture-independent model outputs (i.e., logits). However, the KD process introduces a novel poisoning attack surface, where adversaries can manipulate local model output logits to ruin the global model performance. To fully reveal and explore such a new security vulnerability and effectively poison the global model in the presence of robust AGRs, in this paper we propose the first untargeted poisoning attack scheme against KD-based FL under robust AGRs, named ManipulatingKD. It manipulates compromised clients to send well-designed malicious logits during the KD process. To ensure attack effectiveness and stealthiness, ManipulatingKD models attacks as constrained optimization problems. This allows for crafting malicious logits that are statistically similar to benign logits but can generate poisoned aggregated logits that provide deviated supervision and mislead the global model. Extensive experiments demonstrate the effectiveness of ManipulatingKD under both non-robust and robust AGRs. Particularly, under robust AGRs, the global model accuracy degradation caused by our attacks can exceed 2× that of state-of-the-art attacks.
PaperID: 581,   
Authors:  Hao Zhang, Fuhui Zhou, Wei Wang, Qihui Wu, Chau Yuen
Affiliations: College of Artificial Intelligence and the Key Laboratory of Dynamic Cognitive System of Electromagnetic Spectrum Space of the Ministry of Industry and Information Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Computer Science, Wuhan University, Wuhan, China; College of Electronic and Information Engineering and the Key Laboratory of Dynamic Cognitive System of Electromagnetic Spectrum Space, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore, Singapore
Title: A Federated Learning-Based Lightweight Network With Zero Trust for UAV Authentication
Abstract:
Unmanned aerial vehicles (UAVs) are increasingly being integrated into next-generation networks to enhance communication coverage and network capacity. However, the dynamic and mobile nature of UAVs poses significant security challenges, including jamming, eavesdropping, and cyber-attacks. To address these security challenges, this paper proposes a federated learning-based lightweight network with zero trust for enhancing the security of UAV networks. A novel lightweight spectrogram network (LSNet) is proposed for UAV authentication and rejection, which can effectively authenticate and reject UAVs based on spectrograms. Experiments highlight LSNet’s superior performance in identifying both known and unknown UAV classes, demonstrating significant improvements over existing benchmarks in terms of accuracy, model compactness, and storage requirements. Notably, LSNet achieves an accuracy of over 80% for known UAV types and an Area Under the Receiver Operating Characteristic (AUROC) of 0.7 for unknown types when trained with all five clients. Further analyses explore the impact of varying the number of clients and the presence of unknown UAVs, reinforcing the practical applicability and effectiveness of our proposed framework in real-world FL scenarios.
PaperID: 582,   
Authors:  Adamu Gaston Philipo, Doreen Sebastian Sarwatt, Jianguo Ding, Mahmoud Daneshmand, Huansheng Ning
Affiliations: School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing, China; Department of Computer Science, Blekinge Institute of Technology, Karlskrona, Sweden; Department of Business Intelligence and Analytics, Stevens Institute of Technology, Hoboken, NJ, USA
Title: Assessing Text Classification Methods for Cyberbullying Detection on Social Media Platforms
Abstract:
Cyberbullying significantly impacts mental health by adversely affecting victims’ psychological well-being. It is a prevalent issue on social media platforms, necessitating effective real-time detection systems to identify harmful content. However, current detection systems face challenges related to performance, dataset quality, time efficiency, and computational costs. This study compares existing text classification techniques for cyberbullying detection, evaluating their effectiveness on social media platforms. Large language models such as BERT, RoBERTa, XLNet, DistilBERT, and GPT-2.0 are assessed for their suitability. Results show that BERT achieves optimal performance, with 95% accuracy, precision, recall, and F1 score; a 5% error rate; 0.053 seconds inference time; 35.28 MB RAM usage; 0.4% CPU/GPU utilization; and 0.000263 kWh energy consumption. These findings highlight that while generative AI models are powerful, fine-tuned models often outperform them when adapted to specific datasets and tasks.
PaperID: 583,   
Authors:  Jiazhen Zhao, Kailong Zhu, Lu Yu, Hui Huang, Yuliang Lu
Affiliations: College of Electronic Engineering, National University of Defense Technology, Hefei, China
Title: Yama: Precise Opcode-Based Data Flow Analysis for Detecting PHP Applications Vulnerabilities
Abstract:
Web applications encompass various aspects of daily life, including online shopping, e-learning, and internet banking. Once there is a vulnerability, it can cause severe societal and economic damage. Due to its ease of use, PHP has become the preferred server-side programming language for web applications, making PHP applications a primary target for attackers. Data flow analysis is widely used for vulnerability detection before deploying web applications because of its efficiency. However, the high complexity of the PHP language makes it difficult to achieve precise data flow analysis, resulting in higher rates of false positives and false negatives in vulnerability detection. In this paper, we present Yama, a context-sensitive and path-sensitive interprocedural data flow analysis method for PHP, designed to detect taint-style vulnerabilities in PHP applications. We have found that the precise semantics and clear control flow of PHP opcodes enable data flow analysis to be more precise and efficient. Leveraging this observation, we established parsing rules for PHP opcodes and implemented a precise understanding of PHP program semantics in Yama. This enables Yama to precisely address the high complexity of the PHP language, including type inference, dynamic features, and built-in functions. We evaluated Yama from three dimensions: basic data flow analysis capabilities, complex semantic analysis capabilities, and the ability to discover vulnerabilities in real-world applications, demonstrating Yama’s advancement in vulnerability detection. Specifically, Yama possesses context-sensitive and path-sensitive interprocedural analysis capabilities, achieving a 99.1% true positive rate in complex semantic analysis experiments related to type inference, dynamic features, and built-in functions. It discovered and reported 38 zero-day vulnerabilities across 24 projects on GitHub with over 1,000 stars each, of which 34 were assigned new CVE IDs. We have released the source code of the prototype implementation and the parsing rules for PHP opcodes to facilitate future research.
PaperID: 584,   
Authors:  Jie Ying, Tiantian Zhu, Tieming Chen, Mingqi Lv
Affiliations: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China
Title: Dehydrator: Enhancing Provenance Graph Storage via Hierarchical Encoding and Sequence Generation
Abstract:
As the scope and impact of cyber threats have expanded, analysts utilize provenance graphs constructed from kernel logs to hunt for threats and investigate attacks. The high frequency of kernel events and the persistence of attacks pose challenges for the efficient storage of provenance graphs. Current approaches can be categorized into two types: pruning-based storage (e.g., LogGC, CPR, and NodeMerge) and encoding-based storage (e.g., DeepZip, SLEUTH, ELISE, and Leonard). However, none of these methods simultaneously satisfy the following three requirements: 1) lossless content, 2) storage efficiency, and 3) query support. To address this gap, we propose Dehydrator, an efficient provenance graph storage system that fulfills all these requirements. For the logs generated by auditing frameworks, Dehydrator uses field mapping encoding to filter field-level redundancy, hierarchical encoding to filter structure-level redundancy, and finally learns a deep neural network to support batch querying. We have conducted evaluations on seven datasets totaling over one billion log entries. Experimental results show that Dehydrator reduces the storage space by 84.55%. Dehydrator is 7.36× more efficient than PostgreSQL, 7.16× than Neo4j, and 16.17× than Leonard (the work most closely related to Dehydrator, published at Usenix Security’23).
PaperID: 585,   
Authors:  Yunming Zhang, Dengpan Ye, Sipeng Shen, Jun Wang, Caiyun Xie
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computing and Information Technology, Great Bay University, Dongguan, China
Title: StyleMark: Robust Style Watermarking for Artworks Against Black-Box Zero-Shot Style Transfer
Abstract:
Zero-shot style transfer (ZSST) enables the rendering of real-world natural images into the painting styles of arbitrary artworks without requiring fine-tuning on unseen artistic styles. This low-cost and efficient approach to artistic re-creation promotes the dissemination and communication of art. However, misuse of unauthorized artistic style images for ZSST may infringe on the copyrights of artists. One countermeasure is robust watermarking, which tracks image propagation by embedding copyright watermarks into carriers. Unfortunately, the stylized image generated by ZSST loses the structural and semantic information of the original style image, hindering end-to-end robust tracking by watermarks. To fill this gap, we propose StyleMark, the first robust watermarking method for black-box ZSST, which can be seamlessly applied to artistic style images, achieving precise attribution of artistic styles after ZSST without compromising the social usability of artworks. Specifically, we propose a new style watermark network that adjusts the mean activations of style features through multi-scale watermark embedding, thereby planting watermark traces into the shared style feature space of style images. Furthermore, we design a distribution squeeze loss, which constrains content statistical feature distortion, forcing the reconstruction network to focus on integrating style features with watermarks, thus optimizing the intrinsic watermark distribution. Finally, based on solid end-to-end training, StyleMark mitigates the optimization conflict between robustness and watermark invisibility through decoder fine-tuning under random noise. Experimental results demonstrate that StyleMark exhibits significant robustness against black-box ZSST and common pixel-level distortions, maintains high watermark decoding accuracy under complex multi-stage processing scenarios, and securely defends against malicious adaptive attacks.
PaperID: 586,   
Authors:  Huafeng Qin, Yuming Fu, Jing Chen, Qun Song, Yantao Li, Mounim A. El-Yacoubi, Dexing Zhong
Affiliations: National Research Base of Intelligent Manufacturing Service, Chongqing Technology and Business University, Chongqing, China; College of Computer Science, Chongqing University, Chongqing, China; SAMOVAR, Telecom SudParis, Institut Polytechnique de Paris, Palaiseau, France; School of Automation Science and Engineering, Xi’an Jiaotong University, Xi’an, Shaanxi, China
Title: WTxGRN: Wavelet Transform-Based Extended Gated Recurrent Network for Palm Vein Recognition
Abstract:
Vein recognition technology offers high security and privacy as an advanced biometric identification method. While deep learning techniques have achieved state-of-the-art performance in vein recognition due to their powerful pattern recognition capabilities, the Gated Recurrent Unit (GRU), a simplified version of LSTM, still faces limitations: 1) inability to process sequence information in parallel, leading to inefficient training; 2) loss of sensitivity to local features crucial for pattern recognition, despite excelling at modeling long-distance dependencies. To address these issues, we propose WTxGRN, a Wavelet Transform-based extended Gated Recurrent Network, which simultaneously extracts global and local features and supports parallel sequence processing. Specifically, we modify the GRU memory structure to enable parallel training and enhance feature representation through exponential gating and stabilization techniques, resulting in an extended GRU architecture called xGRU. We integrate xGRU into a wavelet transform-based residual backbone to form the xGRU Block. By incorporating a wavelet convolution branch and two Mixer Modules, we facilitate multi-scale feature extraction and fusion, enhancing vein recognition robustness and yielding the WTxGRU Block. Stacking these blocks constructs the WTxGRN. Furthermore, we present Spiking WTxGRN, an energy-efficient spiking version of WTxGRN, pioneering the application of spiking neural networks in vein recognition. Spiking WTxGRN offers high energy efficiency while maintaining excellent recognition performance, making it suitable for real-time vein recognition tasks. Extensive experiments on three public palm vein datasets demonstrate that our methods outperform state-of-the-art models across multiple benchmarks, achieving superior performance.
PaperID: 587,   
Authors:  Chunlei Peng, Tian Xu, Decheng Liu, Nannan Wang, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Telecommunications Engineering, Xidian University, Xi’an, Shaanxi, China; State Key Laboratory of Integrated Services Networks, School of Electronic Engineering, Xidian University, Xi’an, Shaanxi, China
Title: Within 3DMM Space: Exploring Inherent 3D Artifact for Video Forgery Detection
Abstract:
Recently, the breathtaking development and potential misuse of deepfake technology has raised numerous privacy and security concerns, triggering widespread apprehension. Existing deepfake detection methods focus on the analysis of local regions of faces, such as mouth movement, eye blinking frequency, etc., which, however, are limited in their ability to capture the global inconsistencies present in forged faces. Some researchers attempt to seize 3D artifacts related to facial global information, but typically treat the 3D information as mere input, lacking in-depth analysis. To address these shortcomings and mine the inherent and delicate 3D artifacts in forged faces, this paper innovatively proposes the 3D Artifact Detector (3DAD) method, which leverages the spatio-temporal inconsistency in the 3D semantic space of forgery videos to uncover deepfake clues. Specifically, we employ a 3D Analysis Unit (3DAU) to pre-train the face reconstruction task within the 3D Morphable Model (3DMM) space, thereby obtaining a high-level inherent 3D representation. Concurrently, for the multiple levels of information in the face, we utilize the Texture Perception Unit (TPU) to extract the texture information in the low-level semantic space of the images. Ultimately, we feed the two distinct modalities into the spatiotemporal fusion model for final detection. Through extensive intra- and cross-dataset experiments on publicly available datasets, we demonstrate the effectiveness and generalizability of the proposed method. The source code is available at https://github.com/Cookie-XT/3DAD.
PaperID: 588,   
Authors:  Tianyu Lu, Liquan Chen, Junqing Zhang, Trung Q. Duong
Affiliations: Centre for Wireless Innovation (CWI), Queen’s University, Belfast, U.K.; School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Electrical Engineering and Electronics, University of Liverpool, Liverpool, U.K.; Faculty of Engineering and Applied Science, Memorial University, St. John’s, NL, Canada
Title: Multi-User Key Rate Optimization for Near-Field Extremely Large-Scale Antenna Array Communications
Abstract:
Extremely large-scale antenna arrays (ELAA) require near-field spherical wave modeling due to the substantial increase in the number of antennas, which introduces new spatial dimensions to physical layer key generation (PLKG). We investigate multi-user PLKG in near-field environments, where a base station with an ELAA simultaneously generates secret keys with multiple users. We derive an analytical expression for the key rate (KR). By utilizing the spatial dimensions of distance and angle in near-field environments, we apply eigenvalue decomposition and singular value decomposition to design precoding matrices that reduce interference among user equipments (UEs) and extract uncorrelated subchannels. Given that the KR is non-convex, we approximate it and optimize the precoding matrix to increase the KR. After precoding design, the KR depends on the transmit power allocated to the subchannels. Two optimization problems are formulated to further optimize transmit power allocation. The first problem focuses on maximizing the sum KR. We apply the Lagrange multiplier method to determine the optimal power allocation variables by searching the Lagrange multiplier. To reduce computational complexity, a supervised feedforward neural network (FNN) is designed to capture the relationship between the power allocation variables and the Lagrange multiplier. The second optimization problem focuses on KR fairness. By introducing a slack variable that is smaller than the KRs of all users, we use the CVX toolbox to find optimal power allocation variables that maximize this slack variable. To further reduce complexity, the Lagrange multiplier method offers an analytical solution for the power allocation variables in terms of Lagrange multipliers determined by the slack variable in the high-power case. We employ a bisection algorithm to find the slack variable. Furthermore, we propose an FNN to map transmit power to the slack variable. Simulations demonstrate that the proposed methods efficiently leverage near-field effects for multi-user PLKG, reducing pilot overhead.
PaperID: 589,   
Authors:  Yuxin Qi, Xi Lin, Jiani Zhu, Ningyi Liao, Jianhua Li
Affiliations: Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Hiding in the Network: Attribute-Oriented Differential Privacy for Graph Neural Networks
Abstract:
Graph Neural Networks (GNNs) have demonstrated remarkable potential in various downstream tasks by effectively capturing the relational dependencies among nodes in graphs. However, this capability also brings significant privacy risks: when GNNs encode topological information and node features into their output, sensitive information can be inadvertently exposed, leading to severe privacy breaches. Existing privacy-preserving GNNs primarily focus on protecting the existence of individual nodes or edges, overlooking practical scenarios where nodes and edges are often publicly accessible and only specific sensitive attributes require protection, resulting in a lack of consideration for attribute sensitivity and challenges in balancing privacy and utility. In this paper, we study the problem of hiding sensitive information during GNN training and limiting its exposure in the outputs, while better defending against attribute inference attacks (AIAs) and achieving improved performance. To achieve this, we propose an attribute-oriented differentially private graph neural network (AODP-GNN) that enforces attribute-specific privacy guarantees through dynamic privacy budgets and relevance-aware noise injection, optimizing the balance between privacy and utility. Specifically, we design a neighborhood-aware private embedding generation mechanism and a mutual information minimization-based optimization strategy that operate before the deep feature interaction and model optimization stages to strengthen defense against AIAs. To enhance the balance between privacy and utility, we further develop a relevance-grained noise adaptation technique that dynamically allocates higher noise to less relevant attributes. Theoretical analysis shows that AODP-GNN satisfies privacy guarantees. Extensive experiments conducted on four real-world datasets demonstrate that our approach can achieve up to around 10.04% and 9.21% higher accuracy compared to the state-of-the-art centrally differentially private GNNs ProGAP and DPDGC, and also shows a higher defense capability against AIAs.
PaperID: 590,   
Authors:  Fei Luo, Anna Li, Jiguang He, Zitong Yu, Kaishun Wu, Bin Jiang, Lu Wang
Affiliations: School of Computing and Information Technology, Great Bay University, Dongguan, China; School of Computing and Communications, Lancaster University, Lancaster, U.K.; Thrust of Internet of Things, The Hong Kong University of Science and Technology, Guangzhou, China; College of Oceanography and Space Informatics, China University of Petroleum (East China), Qingdao, China; College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, China
Title: Improved Multi-Task Radar Sensing via Attention-Based Feature Distillation and Contrastive Learning
Abstract:
Radar sensing is gaining increasing attention due to its unique advantages, including being device-free, privacy-preserving, and capable of penetrating obstacles. It has been extensively studied in various applications such as human activity recognition, vital sign monitoring, and person identification. However, most existing research focuses on a single specific application, and there remains a lack of studies or datasets dedicated to multi-task radar sensing. In this paper, we collected a dataset for two sensing tasks, including gesture recognition and person identification, via a miniature mm-wave radar. The raw radar signals were processed using micro-Doppler and range-Doppler techniques to extract spectral and spatial representations. We propose an improved multi-task radar sensing framework (MT-DualFormer) that incorporates attention-based cross-task feature distillation and contrastive learning to maximize task performance. MT-DualFormer consists of dual branches with CNN and Transformer modules, capturing both spatial and temporal dependencies in radar data. Attention-based cross-task feature distillation enables knowledge transfer between gesture recognition and person identification tasks. Meanwhile, contrastive learning ensures embedding space separability, facilitating robust task-specific classification. In the evaluation, MT-DualFormer achieves accuracy rates of 98.87% for gesture recognition and 97.96% for person identification, surpassing five representative multi-task approaches and ten state-of-the-art models. This study underscores the importance of leveraging task correlations to enhance the performance of radar-based sensing systems.
PaperID: 591,   
Authors:  Luming Yang, Shaojing Fu, Yongjun Wang, Lin Liu, Yuchuan Luo
Affiliations: College of Computer Science and Technology, National University of Defense Technology, Changsha, China
Title: The Analysis of Encrypted Video Stream Based on Low-Dimensional Embedding Method
Abstract:
In recent years, encrypted video streaming has taken up an increasing proportion of mobile network traffic, and encrypted video streams play a significant role in illegal video detection. However, there are challenges in performing content analysis of encrypted video streams, including label limitations and complex calculations. In this paper, we propose a low-dimensional embedding method based on Byte Rate Sequences (BRS), named EVS2vec (Encrypted Video Stream to Vector), to solve these problems effectively. It can represent the content of encrypted video streams with low-dimensional vectors by mapping the indefinite-length sequence into a low-dimensional Euclidean space. EVS2vec can thereby be applied not only to supervised analysis but also to unsupervised analysis. Furthermore, using BRS also saves the time overhead of fine-grained network traffic parsing. In order to ensure the content-related distinguishability of the embedding result, inspired by contrastive learning, we designed a network structure based on a Recurrent Neural Network (RNN) with a self-attention mechanism in EVS2vec and trained it using a triplet network. Experiments on a public dataset show that EVS2vec saves storage overhead while retaining enough video content information. EVS2vec can achieve a high similarity-threshold accuracy, reaching 96.89%. An 8-dimensional fingerprint for each video is constructed. Moreover, classification and clustering analysis can also be performed with acceptable results.
PaperID: 592,   
Authors:  Menglin Zhang, Xiaoxin Guo, Xiaofeng Cao, Shuifa Sun, Huazhu Fu, Qing Guo
Affiliations: College of Computer Science and Technology, Jilin University, Changchun, China; School of Computer Science and Technology, Tongji University, Shanghai, China; College of Information Science and Technology, Hangzhou Normal University, Hangzhou, China; Agency for Science, Technology and Research (A*STAR), Institute of High Performance Computing (IHPC), Connexis, Singapore; VCIP, School of Computer Science, Nankai University, Tianjin, China
Title: Lighting is Unreliable: Adversarial Video Relighting Against rPPG Heart Rate Measurement
Abstract:
Facial video-based remote physiological measurement (rPPG) has gained prominence for its ability to non-invasively estimate vital signs such as heart rate (HR). rPPG measures HR by detecting variations in the diffuse reflection of light caused by blood volume changes in the skin, which is influenced by lighting conditions. Inspired by this property, we identify a new task, that is, to embed malicious information into facial video by subtly altering the lighting conditions. With this task, we can mislead state-of-the-art rPPG HR methods through natural and imperceptible lighting changes, aiming for two objectives: testing the resilience of rPPG methods against light variations and safeguarding heart rate data, which is crucial for individual privacy. However, such a task is non-trivial and should be able to adapt to different input videos automatically and generate natural and imperceptible spatial-temporal lighting perturbations. To address these challenges, we propose the AdversariaL vidEo Relighting aTtack (ALERT) method, which involves three modules: video lighting estimation (VLightE), adversarial temporal lighting prediction (AdvTLight), and adversarial temporal lighting injection (AdvTLightInj). VLightE estimates the spatial-temporal lighting conditions of the original video. AdvTLight automatically predicts, from the original lighting conditions, adversarial spatial-temporal lighting conditions that are imperceptible but can mislead the HR detectors. The final module (i.e., AdvTLightInj) injects the predicted adversarial lighting conditions into the input video and renders a new one. Extensive experiments on the UBFC-rPPG and PURE datasets demonstrate that ALERT generates realistic, imperceptible adversarial videos, effectively misleading 11 rPPG-based HR methods and outperforming all baseline methods. Moreover, our method can be used to protect the HR privacy of users directly and significantly outperforms two SOTA privacy-protection-oriented methods.
PaperID: 593,   
Authors:  Jiachun Li, Yan Meng, Fazhong Liu, Tian Dong, Suguo Du, Guoxing Chen, Yuling Chen, Haojin Zhu
Affiliations: School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; Antai College of Economics and Management, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Public Big Data and the College of Computer Science and Technology, Guizhou University, Guiyang, China
Title: Synergistic Multi-Modal Keystroke Eavesdropping in Virtual Reality With Vision and Wi-Fi
Abstract:
In panoramic and immersive virtual reality (VR) scenarios, users type on a floating and invisible keyboard, which cannot be observed by external adversaries, creating the illusion that their input is confidential. While recent studies have demonstrated the feasibility of leveraging side-channel information (e.g., vision, Wi-Fi) to eavesdrop on keystrokes in VR, they assume users typically type with fixed gestures, similar to using traditional physical keyboards. However, in real-world scenarios, VR creates a 3D immersive environment, allowing users to type from varying orientations. This variation significantly degrades the quality of side-channel information (e.g., occlusion in vision, instability in Wi-Fi channels), leading to ineffective inference. In this study, we propose a multi-modal keystroke eavesdropping attack called WiViLeak, which combines Wi-Fi and vision information so that each complements the other. To address low-quality side-channel data caused by users’ varying orientations, we develop a theoretical model to explore the relationship between users’ hand movements in physical space (from the vision modality) and fluctuating Wi-Fi signals (from the wireless modality) as users change orientation. Based on this, we design a fully transformer-based orientation calibration module to recover users’ vision data, aligning it as if they were facing the camera (i.e., in a front-facing view). Meanwhile, WiViLeak reconstructs Wi-Fi data to correspond to the front-facing view, utilizing the orientation angle derived from the vision data. Finally, WiViLeak extracts effective features from the reconstructed, high-quality vision and Wi-Fi data to predict keystrokes. We implement a WiViLeak prototype, achieving 89.2% accuracy in eavesdropping keystrokes and 93.6% top-100 password theft accuracy, while also demonstrating robustness across various real-world VR scenarios, including payments, chatting, and meetings.
PaperID: 594,   
Authors:  Shiquan Dong, Zhi Li, Jianshuo Liu, Hong Li, Dongliang Fang, Shichao Lv, Haining Wang, Limin Sun
Affiliations: Beijing Key Laboratory of IoT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA, USA
Title: EMFuzz: Use Electromagnetic Fuzzing for Automated Attack Surface Assessment of Actuators
Abstract:
Actuators are essential components in cyber-physical systems, enabling system modules to perform diverse and complex tasks. Unfortunately, the pursuit of higher functional complexity often correlates with a broader attack surface in actuators. Thus, an efficient automated attack surface assessment is crucial to avoid cyber incidents in critical infrastructures. Limited by enormous parameter spaces, current methods rely on heuristic tests to evaluate interference potential but cannot thoroughly investigate the full spectrum of potential hidden interference. The observation that similar interference trigger configurations lead to the same impact has motivated us to use machine learning algorithms for understanding different impact samples around decision boundaries. By leveraging generalized knowledge of responses against specific attack scenarios, we aim to improve the efficiency of automated attack surface assessment of electromagnetic interference on new targets. To this end, we introduce EMFuzz, an automated mechanism to fuzz hardware to quantify varying adverse effects. We evaluate EMFuzz on 16 new servos within real-world scenarios, where it achieves an 86% accuracy in classifying different attack vectors. With the same test time, EMFuzz uncovers over twice the effective attack configurations of the baseline, greatly improving assessment efficiency. To further validate its efficacy, we apply EMFuzz to assess the attack surface of a new actuator from a robot transfer unit, and it can successfully reveal three distinct adverse effects.
PaperID: 595,   
Authors:  Rui Zheng, Zhibo Wang, Kui Ren, Chun Chen
Affiliations: State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China
Title: AV-Agent: A Bottom-Up Interpretable Malware Classifier Based on Large Language Models
Abstract:
Malware remains a major cybersecurity threat, driving increased adoption of machine learning (ML)-based analysis methods. However, these ML solutions face challenges in producing explainable and human-readable results, limiting their practical deployment. Large language models (LLMs) offer a promising alternative for transparent ML malware analysis through analyzing character-level features. Despite this potential, the redundant nature of binary files and ambiguous reasoning patterns pose fundamental challenges in applying LLMs to malware binary analysis. To address these challenges, we propose Anti-Virus Agent (AV-Agent), a framework based on large language models for malware detection. AV-Agent implements a streamlined feature processing pipeline, including multi-layer hierarchical feature classifiers, character feature extraction, and two-phase reasoning. By capturing critical malware features, AV-Agent leverages frontier LLMs’ inherent knowledge to achieve transparent and effective malware analysis. Experimental results on a representative dataset indicate that AV-Agent attains comparable performance to analogous machine learning methods, while also providing an explainable malware analysis process. Additionally, the experiments analyzed the parameter settings of AV-Agent and characteristics of experimental results, demonstrating that AV-Agent achieved optimal performance under the specified parameter conditions while maintaining sufficient stability in malware classification outcomes. These findings demonstrate that LLMs exhibit tremendous potential in human-like reasoning analysis of malware.
PaperID: 596,   
Authors:  Lang Pu, Jingjing Gu, Chao Lin, Xinyi Huang
Affiliations: College of Computer Science and Technology and College of Software, Nanjing University of Aeronautics and Astronautics, Nanjing, China
Title: FedLG: Lightweight Generic Certificateless Authentication for Trustworthy Federated Learning in VANETs
Abstract:
Federated learning (FL) in Vehicular Ad Hoc Networks (VANETs) enables vehicles to collaboratively train a global model for intelligent transportation systems while preserving the privacy of their local data. However, the openness and dynamic nature of VANETs introduce significant security challenges, including identity privacy leakage, model inversion attacks, and compromised model integrity. Existing cryptographic solutions, such as differential privacy and homomorphic encryption, provide partial mitigation but suffer from drawbacks including inefficiency, limited data utility, and vulnerability to data poisoning attacks. To tackle these challenges, this paper introduces FedLG, a generic certificateless (CL) authentication scheme with conditional anonymity. FedLG ensures trustworthy FL by integrating multiple security mechanisms that together guarantee model authenticity, data integrity, and privacy. Specifically, FedLG leverages Type-T signatures as a black box to ensure the authenticity and integrity of model parameters shared by anonymous vehicles. Additionally, we introduce a novel public key reconstruction mechanism to enhance the security of traditional CL-based systems, effectively mitigating common public key replacement attacks. FedLG also incorporates batch verification with an adaptive group batch verification algorithm, dynamically adjusting batch sizes to identify invalid signatures while preserving valid data, thereby facilitating faster model convergence. Moreover, FedLG maintains the utility of user-contributed data and can seamlessly integrate with data poisoning attack prevention mechanisms to enhance security further. Experimental results show that FedLG is model-independent, as its integration does not affect the original model’s performance on its dataset. Moreover, it reduces the computational overhead of signature generation and verification by at least 30.8% and 56.3%, respectively, achieving an overall efficiency improvement of 49.69% compared to state-of-the-art FL authentication protocols for VANETs.
PaperID: 597,   
Authors:  Jintian Zhang, Qingfeng Cheng, Xiaofeng Chen, Xiangyang Luo
Affiliations: School of Cyber Science and Technology, PLA Information Engineering University, Zhengzhou, China; Xidian University, Xi’an, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, China
Title: CSAP-IoD: A Chaotic Map-Based Secure Authentication Protocol for Internet of Drones
Abstract:
Internet of Drones (IoD) provides a new mode of information collection and data transmission. With the assistance of 6G mobile communication facilities and artificial intelligence technology, the IoD system progressively enables real-time communication among remote users, ground control centers and drone clusters. At the same time, the dynamically updated, open, and interoperable communication environment also poses some risks to the IoD system’s security and privacy. The security attributes of the IoD system are insufficiently met by the authentication schemes currently in use. In light of the aforementioned factors, this paper suggests CSAP-IoD, a lightweight secure communication protocol for anonymous interactions that uses the initial value sensitivity and orbital unpredictability of chaotic map. It utilizes fuzzy verifier technology to achieve three-factor security and facilitates mutual authentication and key agreement among the three-party communicating entities of IoD. Real-or-Random (ROR) model, informal security analysis, and the Scyther tool are used to assess the protocol’s security in multiple dimensions, and it has been demonstrated that CSAP-IoD can withstand a variety of attacks. Based on simulation results and a detailed comparison with state-of-the-art IoD communication protocols in terms of security features, computation cost, communication cost, and energy consumption, CSAP-IoD shows the optimal security performance while emphasizing the efficiency advantage, offering a dependable solution to guarantee the information security of IoD system communication.
PaperID: 598,   
Authors:  Zhiyuan Ning, Juan He, Zhanyong Tang, Weihang Hu, Xiaojiang Chen
Affiliations: School of Information Science and Technology, Northwest University, Xi’an, China
Title: A Portable and Stealthy Inaudible Voice Attack Based on Acoustic Metamaterials
Abstract:
We present MetaAttack, the first approach to leverage acoustic metamaterials for inaudible attacks for voice control systems. Compared to the state-of-the-art inaudible attacks requiring complex and large speaker setups, MetaAttack achieves a longer attacking range and higher accuracy using a compact, portable device small enough to be put into a carry bag. These improvements in portability and stealth have led to the practical applicability of inaudible attacks and their adaptation to a wider range of scenarios. We demonstrate how the recent advancement in metamaterials can be utilized to design a voice attack system with carefully selected implementation parameters and commercial off-the-shelf components. We showcase that MetaAttack can be used to launch inaudible attacks for representative voice-controlled personal assistants, including Siri, Alexa, Google Assistant, XiaoAI, and Xiaoyi. The average success rate of all assistants is 76%, with a range of 8.85 m.
PaperID: 599,   
Authors:  Xin Zhao, Hao Han, Hao Wu, Sheng Zhong, Fengyuan Xu
Affiliations: National Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; Nanjing University of Aeronautics and Astronautics, Nanjing, China
Title: UTRDCL: Stealthy DCL-Based Obfuscation and Its Attacks and Defenses in Android
Abstract:
Dynamic Class Loading (DCL) is a legitimate technique extensively used by Android developers to incorporate additional functionalities into applications at runtime. However, adversaries can exploit DCL as a stealthy obfuscation technique to dynamically load malicious code and evade detection. While prior studies have analyzed typical DCL-based obfuscation and the attacks it enables—such as identifying payloads on storage, inspecting DCL-related APIs, or profiling dynamic behaviors—existing solutions remain insufficient against increasingly evasive DCL threats. In this paper, we propose UTRDCL, a novel stealthy obfuscation technique that leverages system APIs instead of conventional DCL-related APIs, and employs an automated footprint cleanup strategy to minimize runtime traces. Based on UTRDCL, we construct three real-world attack instances by embedding it into existing malware and benign applications, demonstrating how it can be used to evade detection. To counter such threats, we design and implement a lightweight defense mechanism by patching a previously overlooked vulnerability in the Android system that UTRDCL exploits in this specific context. This system-level mitigation closes the attack surface leveraged by UTRDCL, offering a more fundamental defense than behavioral detection. Extensive experiments show that attacks leveraging UTRDCL can evade 11 state-of-the-art malware detectors from open-source, academic, and commercial sources. We further validate our defense mechanism on real devices, demonstrating its effectiveness in preventing UTRDCL-based attacks without introducing noticeable overhead. Our proof-of-concept of UTRDCL and its defense is publicly available at https://github.com/AnonymousFEI/UTRDCL
PaperID: 600,   
Authors:  Ming-Hao Wei, Chih-Min Chao, Chih-Yu Lin, Chun-Chao Yeh
Affiliations: Department of Computer Science and Engineering, National Taiwan Ocean University, Keelung, Taiwan
Title: Fake Path Co-Construction Source Location Privacy Protection Scheme Design for UWSNs
Abstract:
The openness of underwater wireless sensor networks (UWSNs) exposes them to potential eavesdropping attacks, enabling attackers to trace back and identify the source nodes of packet flows. This poses a significant threat to the confidentiality of sensitive applications, known as the Source Location Privacy (SLP) problem. Conventional packet encryption methods are ineffective in defending against SLP attacks since attackers do not need to know the content of the packets. A commonly used method to address the SLP problem is to establish fake transmission paths, making attackers follow fake paths and thus extending the time required to trace back to the source node. Existing SLP solutions that use fake transmission paths only consider individual source nodes, where the fake paths constructed for different source nodes are independent and cannot cooperate to resist attacks. In this paper, a Fake Path Co-Construction source location privacy protection protocol (FPCC) suitable for UWSNs is proposed. FPCC combines the existing transmission paths and creates co-constructed fake paths to simultaneously protect two source nodes. Simulation results confirm that FPCC, when compared with existing well-performed SLP protection protocols, extends safety time without increasing the number of nodes involved in transmitting fake packets.
PaperID: 601,   
Authors:  Wenbin Huang, Ju Ren, Hangcheng Cao, Hanyuan Chen, Hongbo Jiang, Zhangjie Fu
Affiliations: School of Computer Science and the Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China; Department of Computer Science and Technology, BNRist, Tsinghua University, Beijing, China; Department of Computer Science, City University of Hong Kong, Hong Kong, China; Alibaba Digital Media and Entertainment Group, Hangzhou, China; Department of Computer Science and Electronics Engineering, Hunan University, Changsha, China
Title: Mitigating Voice Assistant Eavesdropping via Event Source Review on Mobile Devices
Abstract:
Voice assistants have been widely adopted for their ability to provide non-touch human-computer interaction. However, while they offer convenience, their continuous listening for specific wake-up words raises privacy concerns, as it may lead to eavesdropping on user conversations. To investigate this issue, we devised covert eavesdropping attacks by perturbing and replaying events generated during the user’s normal activation of the voice assistant. The results demonstrate the feasibility and harmfulness of such eavesdropping attacks. To counter these covert voice eavesdropping attacks, we propose an effective defense scheme called CrossUnwind. This scheme leverages the ground truth that voice assistant wake-up requires hardware to generate and send wake-up events. Specifically, we designed a novel tombstone file parsing process and an accurate event discrimination algorithm to obtain detailed call station information of the wake-up event without compromising the system. This allows us to determine whether the current wake-up event was generated by hardware. We deployed CrossUnwind on real devices and compared it to well-known machine learning and deep learning methods. The results demonstrate that CrossUnwind can achieve high accuracy in eavesdropping detection with faster speeds and lower resource utilization.
PaperID: 602,   
Authors:  Pengyu Chen, Long Jiao, Ning Wang, Tao Xiang
Affiliations: College of Computer Science, Chongqing University, Chongqing, China; Department of Computer and Information Science, University of Massachusetts Dartmouth, Dartmouth North, MA, USA
Title: MRIS-SAD: Malicious RIS Spoofing Attack Detection Based on Hybrid Deep Autoencoder
Abstract:
Reconfigurable Intelligent Surfaces (RIS) can optimize spectrum and energy efficiency in the sixth-generation (6G) wireless communication system through dynamic electromagnetic wave manipulation. The programmable control of spatial electromagnetic signals by RIS presents a double-edged sword, and it can also be exploited by malicious attackers. However, few studies have focused on the detection and identification of such malicious RIS. To fill this gap, we propose a novel spoofing detection framework combining dynamic key-embedded phase codebooks with a dual-channel feature extraction mechanism. This approach jointly decodes wireless channel fingerprints and cryptographic signatures from received signals. A hybrid discriminator, integrating autoencoder-based signal reconstruction fidelity and key-matching validation, enables robust legitimacy verification. The prototype experiments using USRP SDR and RIS hardware show that the verification accuracy of the scheme can reach 100%, when the signal-to-noise ratio (SNR) is above 10 dB, the number of training sample points is more than 128, and the codebook dimension is near 32.
PaperID: 603,   
Authors:  Jianfeng Lu, Tao Huang, Shuqin Cao, Shujun Yu, Riheng Jia, Minglu Li
Affiliations: School of Computer Science and Technology and Hubei Province Key Laboratory of Intelligent Information Processing and Real-Time Industrial System, Wuhan University of Science and Technology, Wuhan, China; School of Management, Wuhan University of Science and Technology, Wuhan, China; School of Computer Science and Technology, Zhejiang Normal University, Jinhua, China
Title: PIECE: Incentivizing Personalized Privacy-Preserving for Multi-Version Model Marketplace in Federated Learning
Abstract:
Although Federated Learning (FL) offers significant potential for developing model marketplaces through collaborative training and privacy preservation, challenges such as insufficient training data and arbitrage issues severely impede the development of FL-based model marketplaces. Existing studies either lack satisfactory security guarantees or are too profit-driven to address potential arbitrage issues. In this paper, we propose a novel Personalized prIvacy-prEserving inCentive mEchanism named PIECE, with the aim of achieving social optimality while avoiding arbitrage. Specifically, we first formulate a dual-objective optimization problem to simultaneously maximize social utility and model performance while ensuring arbitrage-free conditions through differential privacy. Due to dynamic model training and heterogeneous privacy budgets that complicate the design of arbitrage-free properties, we model the transformation between local and global privacy requirements across scenarios as a privacy choice game. This game guarantees the identification of a constraint to generate desired model versions based on Nash equilibrium. Next, by generalizing the properties of different data-owner groups under equilibrium conditions, we prove that the dual-objective optimization problem is always conflict-free, thus allowing transformation into a social optimal problem without arbitrage. Furthermore, to tackle the significant difficulty in characterizing the model revenue and interpolating pricing, we propose a two-stage solution based on subadditivity relaxation. The first stage establishes a set of ideal prices as the target, while the second stage establishes polynomial-time solvability and provides rigorous arbitrage-free boundaries. Finally, comprehensive experiments on four real-world datasets validate the efficacy of PIECE. The results indicate a minimum 8% boost in model revenue within the specified marketplace scale, and a maximum 16.67% improvement in model performance compared to the state-of-the-art baselines.
PaperID: 604,   
Authors:  Xiaoxiang Li, Xinyu Jiang, Hai Wan, Xinbin Zhao
Affiliations: Beijing National Research Center for Information Science and Technology (BNRist), Key Laboratory for Information System Security, Ministry of Education (KLISS), School of Software, Tsinghua University, Beijing, China
Title: TeRed: Normal Behavior-Based Efficient Provenance Graph Reduction for Large-Scale Attack Forensics
Abstract:
System intrusions, particularly Advanced Persistent Threats (APTs), pose significant threats to enterprises and organizations. Provenance graph-based attack detection and investigation methods are crucial for defending against these intrusions. To detect various attacks, security systems collect comprehensive operating system event data, resulting in massive provenance graphs that increase storage costs and complicate analysis and querying. Efficiently optimizing these provenance graphs has thus become a core issue. However, existing data reduction methods often mistakenly delete critical security information, significantly impacting attack detection and investigation. This paper introduces TeRed, a novel method for reducing provenance graphs based on normal behavior patterns. Our approach employs unit tests to learn the system’s normal behavior patterns, which are then used to streamline the provenance graph. Experiments on five datasets show that our method reduces the provenance graph while preserving all attack-related information. Importantly, it does not compromise attack detection and investigation, showcasing significant advantages over other data reduction techniques.
PaperID: 605,   
Authors:  Wenbo Fang, Junjiang He, Wenshan Li, Wengang Ma, Linlin Zhang, Xiaolong Lan, Geying Yang, Jiangchuan Chen, Tao Li
Affiliations: School of Cyber Science and Engineering and the Key Laboratory of Data Protection and Intelligent Management, Ministry of Education, Sichuan University, Chengdu, China; School of Cyber Science and Engineering, Chengdu University of Information Technology, Chengdu, China; School of Software, Xinjiang University, Ürümqi, China; School of Cyber Security, Tianjin University, Tianjin, China
Title: Unknown Cyber Threat Discovery Empowered by Genetic Evolution Without Prior Knowledge
Abstract:
With the continuous development of cyber-attack technologies, attackers increasingly exploit zero-day vulnerabilities or leverage emerging techniques to launch sophisticated attacks, resulting in the persistent emergence of unknown cyber-attacks. However, traditional DL-based cyber-attack detection methods heavily rely on large-scale labeled training data. In practice, obtaining sufficient samples of unknown attacks is challenging, which makes it difficult for these methods to effectively defend against unknown cyber-attacks. In this paper, we propose a method for discovering unknown cyber threats empowered by genetic evolution without prior knowledge. Specifically, we first mapped the network feature space into a gene framework, and divided the attack genes into a static gene region (SGZ) and a dynamic gene region (DGZ) according to the importance of the cyber-attack genes. Subsequently, leveraging the known attack genes, we utilized different gene evolution strategies and a Convolutional Autoencoder (CAE) to generate attack variants and potential unknown attack genes. Finally, we constructed a cyber-attack detection model incorporating both the global attention mechanism (GAM) and the local attention mechanism (LAM). The generated attack variants and unknown attack genes are then used to enhance the detection ability of the detection model for variants and unknown cyber-attacks. We conducted a large number of experiments on six real and authoritative network datasets. The experimental results show that in different scenario settings, the F1 scores of our proposed method for detecting unknown attacks are 84.64% and 95.77% respectively. The F1 score for detecting unknown attacks on the UNSW-NB15 dataset exceeds that of the baseline classifier. The F1 score for detecting unknown attacks on the CSE-CIC-IDS2018 dataset is 98.85%. In comparison with SOTA methods, the average F1 score is improved by 3.14%. In the evaluation of variant detection performance, the generation method we proposed improves the detection of variants by approximately 11.2%, surpassing generation methods such as the Conditional Generative Adversarial Network (CGAN) and the Variational Autoencoder (VAE). Meanwhile, we also comprehensively evaluated the generalization ability of our proposed method and the evolution ability of different evolution strategies on different datasets and through ablation experiments.
PaperID: 606,   
Authors:  Wenzhong Li, Zhaoyang Xie, Shengli Liu, Yunxiao Zhou, Haibin Zhang
Affiliations: School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; Tsinghua University, Beijing, China; Yangtze Delta Region Institute of Tsinghua University, Jiaxing, China
Title: Controllable Access Control in Permissioned Blockchains via Controllable Threshold Proxy Re-Encryption
Abstract:
Conventional blockchains can provide data availability and integrity only. Tons of applications additionally need confidentiality with flexible access control such that data providers can decide how their data are shared through blockchains. This paper aims at enhancing Byzantine Fault Tolerance (BFT)-based permissioned blockchains with controllable access control. To this goal, we extend the concept of Proxy Re-Encryption (PRE) to a new variant called Controllable Threshold PRE (CT-PRE). The traditional PRE enables a proxy, using a re-encryption key, to convert a ciphertext meant for delegator A into another ciphertext meant for delegatee B, all without exposing the original message. CT-PRE extends PRE into the setting with multiple proxies (corresponding to blockchain servers and avoiding a single point of failure) and enables the delegator to fully take control of its ciphertext. We formally define CT-PRE and construct a provably secure CTPRE scheme. We further extend the CTPRE scheme to a verifiable one, VCTPRE. We implement the Verifiable CT-PRE scheme with stronger security, integrate it in our BFT-based blockchain system, and deploy our system in a WAN on Amazon EC2 with 22 nodes across four continents. We show that our system is highly efficient, achieving a throughput of 5.15 ktx/sec (for access control operations) and 10.83 ktx/sec (for write operations, only slightly slower than our BFT write operations), respectively.
PaperID: 607,   
Authors:  Boyuan Zhang, Jiaxu Li, Yucheng Shi, Yahong Han, Qinghua Hu
Affiliations: College of Intelligence and Computing and Tianjin Key Laboratory of Machine Learning, Tianjin University, Tianjin, China; School of Computer and Artificial Intelligence, Zhengzhou University, Zhengzhou, Henan, China
Title: AdvNeRF: Generating 3D Adversarial Meshes With NeRF to Fool Driving Vehicles
Abstract:
Adversarial attacks on deep neural networks (DNNs) have raised significant concerns, particularly in safety-critical applications such as autonomous driving. Autonomous vehicles rely on both vision and LiDAR sensors to provide accurate 3D visual perception of their surroundings. However, adversarial vulnerabilities in these models pose several risks, as they can lead to misinterpretation of sensor data, ultimately endangering safety. While substantial research has been devoted to image-level adversarial attacks, these efforts are predominantly confined to 2D-pixel spaces, lacking physical realism and applicability in the 3D world. To address these limitations, we introduce AdvNeRF, a groundbreaking approach for generating 3D adversarial meshes that effectively target both vision and LiDAR models simultaneously. AdvNeRF is a Transferable Target Adversarial Attack that leverages Neural Radiance Fields (NeRF) to achieve its objectives. NeRF ensures the creation of high-quality adversarial objects and enhances attack performance by maintaining consistency across unseen viewpoints, making the adversarial examples robust from multiple angles. By integrating NeRF, our method represents a leap forward in improving the robustness and effectiveness of 3D adversarial attacks. Experimental results validate the superior performance of AdvNeRF, demonstrating its ability to degrade the accuracy of 3D object detectors under various conditions. These findings highlight the critical implications of AdvNeRF, emphasizing its potential to consistently undermine the perception systems of autonomous vehicles across different perspectives, thus marking an advancement in the field of adversarial attacks and 3D perception security.
PaperID: 608,   
Authors:  Yuanhang Huang, Weiqi Luo, Xiaochun Cao, Jiwu Huang
Affiliations: Guangdong Province Key Laboratory of Information Security Technology and School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, Guangdong, China; School of Cyber Science and Technology, Sun Yat-sen University, Shenzhen Campus, Shenzhen, China; Guangdong Laboratory of Machine Perception and Intelligent Computing, Faculty of Engineering, Shenzhen MSU-BIT University, Shenzhen, China
Title: A Forensic Framework With Diverse Data Generation for Generalizable Forgery Localization
Abstract:
Deep learning-based forensic techniques have emerged as the leading approach for image forgery localization. However, many existing methods struggle with overfitting to the training data, which limits their generalization performance and real-world applicability. To overcome this challenge, we propose a novel forensic framework that incorporates an advanced data augmentation technique. The framework consists of two key components: a generator and a detector. The generator challenges the detector’s learned distribution under constraints of diversity and consistency, ensuring that the generated data diverges from the source domain while maintaining statistical differences related to tampering. The detector, in turn, captures tampering traces from three critical aspects of the tampered image: long-range dependency information, RGB-noise fusion information, and boundary artifacts, resulting in a more comprehensive detection process. By alternating the optimization of the generator and detector, the framework fosters mutual reinforcement, promoting diverse data generation and expanding the distributional coverage, ultimately improving performance. Extensive experiments demonstrate that the proposed method significantly surpasses state-of-the-art approaches in both generalization and robustness, with numerous ablation studies further validating the soundness of the model design.
PaperID: 609,   
Authors:  Zhigang Tu, Zhengbo Zhang, Zitao Gao, Chunluan Zhou, Junsong Yuan, Bo Du
Affiliations: State Key Laboratory of Information Engineering in Surveying, Mapping and Remote Sensing, Wuhan University, Wuhan, China; Ant Group Company Ltd., Beijing, China; Computer Science and Engineering Department, The State University of New York at Buffalo, Buffalo, NY, USA; School of Computer Science, Wuhan University, Wuhan, China
Title: FADE: A Dataset for Detecting Falling Objects Around Buildings in Video
Abstract:
Objects falling from buildings, a frequently occurring event in daily life, can cause severe injuries to pedestrians due to the high impact force they exert. Surveillance cameras are often installed around buildings to detect falling objects, but such detection remains challenging due to the small size and fast motion of the objects. Moreover, the field of falling object detection around buildings (FODB) lacks a large-scale dataset for training learning-based detection methods and for standardized evaluation. To address these challenges, we propose a large and diverse video benchmark dataset named FADE. Specifically, FADE contains 2,611 videos from 25 scenes, featuring 8 falling object categories, 4 weather conditions, and 4 video resolutions. Additionally, we develop a novel detection method for FODB that effectively leverages motion information and generates small-sized yet high-quality detection proposals. The efficacy of our method is evaluated on the proposed FADE dataset by comparing it with state-of-the-art approaches in generic object detection, video object detection, and moving object detection. The dataset and code are publicly available at https://fadedataset.github.io/FADE.github.io/
PaperID: 610,   
Authors:  Hao Wang, Jian Liu, Qiang Xu, Dong Wang, Kaiju Li
Affiliations: Key Laboratory of Tourism Multisource Data Perception and Decision, Ministry of Culture and Tourism, the School of Computer Science and Technology, the Key Laboratory of Big Data Intelligent Computing, and the Key Laboratory of Cyberspace Big Data Intelligent Security, Ministry of Education, Chongqing University of Posts and Telecommunications, Chongqing, China; Key Laboratory of Tourism Multisource Data Perception and Decision, Ministry of Culture and Tourism, and the School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing, China; School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; School of Cyberspace, Hangzhou Dianzi University, Hangzhou, China; School of Information, Guizhou University of Finance and Economics, Guiyang, Guizhou, China
Title: ADDR: Anomaly Detection and Distortion Restoration for 3D Adversarial Point Cloud
Abstract:
The growing adoption of 3D point cloud in applications like autonomous driving has heightened concerns about their vulnerability to adversarial attacks. Existing defense methods face two fundamental challenges: ineffective detection of imperceptible adversarial examples and poor restoration of severely distorted point cloud. In this paper, we present ADDR, an end-to-end defense framework that integrates Binary Geometric Feature Anomaly Detection (BGFAD) and Distorted point cloud Restoration (DPCR). BGFAD employs a dual threshold mechanism combining global distance statistics and local curvature analysis to detect both substantial and imperceptible adversarial perturbations. DPCR leverages attention enhanced feature encoding to reconstruct missing geometric structures while preserving semantic integrity through bidirectional Chamfer loss optimization. Our framework uniquely bridges traditional geometric priors with deep learning mechanisms, achieving attack-agnostic defense without classifier retraining. Extensive experiments on ModelNet40, ShapeNet and ScanObjectNN datasets demonstrate state-of-the-art performance, with about 12% higher robustness against structural attacks and 6× better restoration fidelity than existing methods. ADDR maintains real-time processing capabilities while reducing adversarial success rates to <5% across diverse attacks. The code is available at https://github.com/whwh456/ADDR
PaperID: 611,   
Authors:  Xin Zhao, Xiumin Wang, Weiwei Lin, Wing W. Y. Ng, Kai Liu
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, China; College of Computer Science, Chongqing University, Chongqing, China
Title: Fairness-Aware Client Selection and Payment Determination for Differentially Private Federated Learning
Abstract:
Federated Learning (FL) mitigates data leakage by sharing only local machine learning models instead of raw data. However, it remains vulnerable to differential attacks. Differential Privacy (DP) addresses this concern by introducing noise to make it challenging for adversaries to reconstruct training samples. Nonetheless, clients often have varying attitudes toward data privacy, quantified by their privacy budgets. Low privacy budgets indicate the stringent privacy requirements of clients, requiring high compensations to incentivize their participation. Focusing solely on privacy budgets, however, can introduce selection bias, potentially compromising model generalization. Therefore, it is essential to emphasize the fairness of client participation, ensuring that clients with lower privacy budgets also have opportunities to contribute to the training process. To tackle the above challenges, this paper formulates a novel DP-based incentive problem in FL, aiming to optimize the utilities of both the server and the clients. Specifically, we propose an auction mechanism that jointly selects participants based on their heterogeneous privacy budgets and determines appropriate payments. The proposed auction mechanism is proven to achieve several desirable properties, including computational efficiency, individual rationality, budget balance, truthfulness, and guaranteed optimization performance. Finally, simulation results validate the effectiveness of the proposed mechanism.
PaperID: 612,   
Authors:  Di Liu, Dawei Li, Yuxiao Guo, Ying Guo, Ruinan Hu, Jianwei Liu, Song Bian, Xuhua Ding, Yizhong Liu, Zhenyu Guan
Affiliations: School of Criminal Investigation, People’s Public Security University of China, Beijing, China; School of Cyber Science and Technology, Beihang University, Beijing, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Enhancing the Security of One-Tap Authentication Services via Dynamic Application Identification
Abstract:
The One-Tap Authentication (OTAuth) service enables users to quickly log in or sign up for app accounts using their phone number. OTAuth provides a more secure and convenient alternative to password-based and Short Message Service (SMS)-based authentication schemes. Consequently, the OTAuth service has been adopted by numerous Mobile Network Operators (MNOs) worldwide. However, a high severity vulnerability remains unaddressed in the OTAuth service, which allows an attacker to access a victim’s various app accounts, posing a significant risk to user privacy and data security. In this paper, we present LoadShow, which, to the best of our knowledge, is the first security-enhanced OTAuth scheme to address this vulnerability. We propose a novel dynamic application identification technique that aims to address the root cause of this vulnerability, i.e., the inability of MNOs to distinguish between different applications on the same device. Specifically, application identification is based on the hardware load side-channel and captures the unique CPU and GPU load characteristics of applications through the sequence of timing values of fingerprinting functions. We evaluate the effectiveness of LoadShow by accuracy, False Positive Rate (FPR), and True Positive Rate (TPR). We also evaluate its multi-platform compatibility on devices with different architectures and models. LoadShow achieves over 90% accuracy, with a TPR exceeding 90% and an FPR below 1%. The evaluation results demonstrate LoadShow’s capability to effectively differentiate between applications on a device, defend against app impersonation attacks, and reliably identify legitimate applications.
PaperID: 613,   
Authors:  Changjie Hu, Quanzhong Li, Qi Zhang, Qiang Li
Affiliations: School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Department of Broadband Communication, Peng Cheng Laboratory, Shenzhen, China
Title: Secure Beamforming for Integrated Sensing, NOMA Communication, and Over-the-Air Computation Networks
Abstract:
With the rapid evolution of wireless technologies, the deep integration of sensing, communication and computation has heralded a novel and promising paradigm. In this paper, we propose a secure beamforming design framework for integrated sensing, non-orthogonal multiple access (NOMA) communication and over-the-air computation (AirComp) networks, which can provide multi-functional intelligent services for communication-intensive, computation-intensive, delay-sensitive and security-sensitive applications. In the considered network, each dual-functional intelligent device engages in NOMA information transmission and AirComp. Meanwhile, the triple-functional base station conducts target sensing, NOMA signal decoding and data aggregation simultaneously. Our aim is to maximize the sum secrecy rate (SSR) of the NOMA devices while ensuring that the quality-of-service requirements for both sensing and AirComp are met within the transmit power constraints imposed on all nodes. The formulated optimization problem involves coupled variables and a logarithmic determinant, and is thus highly non-convex. To solve it, we propose an efficient matrix-extended generalized Lagrangian dual transformation based algorithm with a penalty method, which obtains a Karush-Kuhn-Tucker (KKT) solution to the original problem with low complexity and a convergence guarantee. Additionally, the well-known successive convex approximation based algorithm is also employed to address the formulated SSR maximization problem; however, its computational complexity significantly exceeds that of our proposed algorithm. Finally, extensive experiments demonstrate the performance improvement of our proposal compared with the benchmark approaches.
PaperID: 614,   
Authors:  Jiahui Wang, Hua Zhang, Yongji Wang, Haoran Gao, Qi Li, Huiyu Zhou
Affiliations: Artificial Intelligence and Intelligent Operation Center, China Mobile Research Institute, Beijing, China; Beijing University of Posts and Telecommunications, Beijing, China; School of Computing and Mathematical Sciences, University of Leicester, Leicester, U.K.
Title: F2Attack: Two-Factors Scoring Method for Query-Efficient Hard-Label Black-Box Textual Adversarial Attacks
Abstract:
In the hard-label black-box setting, existing attack methods randomly select words for perturbation, generating invalid word replacement operations and resulting in a low attack success rate. Recent works alleviate this problem by evaluating the impact of words on model predictions, but they can only evaluate the impact of words on model predictions, not the impact of words on the attack. If the attacker replaces too many words that have a significant impact on the text semantics during the attack process, the adversarial example has poor semantics and the attack behavior is easily detected. To address the above issues, this paper proposes a two-factors word scoring method, which uses the attention score output by the pre-attack model and the semantic similarity after word replacement to evaluate the impact of a word on the attack. Based on the scoring method, this paper proposes a query-efficient hard-label black-box adversarial attack method called F2Attack. F2Attack uses the two-factors method to score words and then, based on the scoring results, replaces words that have a great impact on the model predictions but a small impact on the text semantics to generate the initial adversarial example. Then, F2Attack adopts the simulated annealing algorithm to optimize the semantic similarity of the adversarial example. We conduct experiments on four representative natural language models, seven text classification datasets, two natural language inference datasets, and four commercial APIs, and compare with baseline methods. Taking text classification as an example, when the number of queries is limited to 100, F2Attack increases the attack success rate by an average of 15.165% and the semantic similarity by 0.067, which is significantly better than the baseline methods.
PaperID: 615,   
Authors:  Jingwen Tan, Wei Zhao, Huanran Wang, Shuai Han, Mingzhu Lai, Wu Yang
Affiliations: College of Computer Science and Technology, Harbin Engineering University, Harbin, China; College of Mathematics and Statistics, Hainan Normal University, Haikou, China
Title: A Zero-Latency Website Identification for QUIC Traffic Based on Feature Alignment
Abstract:
With the deployment of the QUIC protocol, website fingerprinting attacks targeting QUIC traffic are becoming a growing concern. Since the deployment is incremental, attackers must continuously crawl the QUIC traffic of newly QUIC-enabled websites to update their attack models. To reduce the latency caused by data crawling and classifier training, existing few-shot website fingerprinting (FSWF) attacks rely on representation learning to mitigate data dependency. To further achieve zero-latency identification, TCP traffic can be used to construct the attack model before QUIC deployment. However, the different protocol semantics of TCP and QUIC lead to differences in the latent features. As representation learning models cannot eliminate these website feature differences, classifiers trained on TCP-based features are difficult to adapt to QUIC traffic. To address this issue, we propose a novel cross-protocol FSWF attack method that fuses cross-protocol website features. The proposed method forces TCP features and QUIC features into the same feature space by sharing model parameters, and reduces cross-protocol website feature differences through inter-protocol adversarial representation learning. Meanwhile, it utilizes a non-linear classifier to fit the fused features. The proposed method enables zero-latency identification of QUIC traffic based on a small amount of TCP traffic. We conducted comprehensive evaluation experiments on public datasets in both closed-world and open-world settings. The proposed method outperforms state-of-the-art methods in zero-latency identification.
PaperID: 616,   
Authors:  Luming Yang, Lin Liu, Junjie Huang, Jiangyong Shi, Shaojing Fu, Yongjun Wang, Jinshu Su
Affiliations: Academy of Military Science, Beijing, China; College of Computer Science and Technology, National University of Defense Technology, Changsha, China
Title: Robustness Matters: Pre-Training Can Enhance the Performance of Encrypted Traffic Analysis
Abstract:
Models with large-scale parameters and pre-training have been leveraged for encrypted traffic analysis. However, existing research has primarily focused on accuracy, often overlooking the role of large-scale pre-trained parameters in enhancing robustness. While machine learning (ML) and deep learning (DL) models trained from scratch can achieve high accuracy, they exhibit limited robustness. When subjected to real-world network noise, their identification results can fluctuate significantly, which is unacceptable. Unfortunately, current robustness evaluation methods neglect sample diversity and employ unreasonable noise settings. This field still lacks a reasonable quantitative description of model robustness. In this paper, we propose the PA-curve to display the distribution of samples’ correct-decision stability, which can simultaneously reflect the model’s accuracy and robustness. By calculating the area under the PA-curve, called the PA-area, we enable the quantitative assessment of robustness for encrypted traffic analysis. Furthermore, we design a pre-trained model based on packet length sequences and pre-train it on TB-scale traffic. By fine-tuning on limited labeled training data, it can perform downstream analysis tasks. We conduct experiments on five encrypted traffic datasets with different tasks. Besides accuracy, we analyze the robustness of the pre-trained model and existing methods under common network disturbances, including packet loss, retransmission, and disorder. Experimental results demonstrate that, compared to ML-based and DL-based models trained from scratch, the pre-trained model can not only achieve high accuracy, but also exhibit greater resilience to network noise. The source code is available at https://github.com/Shangshu-LAB/BERT-ps
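To make the PA-curve idea concrete, here is an added example (not the paper's code and not the BERT-ps repository's) that quantifies how stable a traffic classifier's correct decisions are under the three disturbances the abstract names: packet loss, retransmission and disorder. Everything in it is a construction or an assumption: flows are packet-length sequences, two toy nearest-centroid classifiers stand in for real models, a sample's stability is the fraction of its perturbed copies still classified correctly, the PA-curve plots the share of samples with stability at least p for p in [0, 1], and the PA-area is the area under that curve. The paper's exact definitions may differ.

```python
"""Added example: PA-style robustness quantification for a traffic classifier.
Assumed definitions (not necessarily the paper's): stability of a sample = share of
perturbed copies still classified correctly; PA-curve = share of samples with
stability >= p over p in [0, 1]; PA-area = area under that curve. Data is constructed."""
import math
import random

LARGE = 1000  # bytes; constructed threshold between "small" and "large" packets


def make_flows(rng, per_class=20, n=100):
    """Constructed flows: class A alternates small/large packets (request/response);
    class B is a two-packet handshake followed by a bulk transfer of large packets."""
    small = lambda: rng.choice([52, 60, 64])
    large = lambda: rng.choice([1380, 1400, 1420])
    flows, labels = [], []
    for _ in range(per_class):
        flows.append([small() if i % 2 == 0 else large() for i in range(n)])
        labels.append("A")
    for _ in range(per_class):
        flows.append([small(), small()] + [large() for _ in range(n - 2)])
        labels.append("B")
    return flows, labels


def perturb(seq, kind, rng, rate=0.05):
    """Apply one network disturbance to a packet-length sequence."""
    if kind == "loss":                       # each packet dropped with probability rate
        return [l for l in seq if rng.random() >= rate] or list(seq[:1])
    if kind == "retransmission":             # each packet duplicated with probability rate
        out = []
        for l in seq:
            out.append(l)
            if rng.random() < rate:
                out.append(l)
        return out
    if kind == "disorder":                   # adjacent packets swapped with probability rate
        out = list(seq)
        for i in range(len(out) - 1):
            if rng.random() < rate:
                out[i], out[i + 1] = out[i + 1], out[i]
        return out
    raise ValueError(f"unknown disturbance: {kind}")


def feat_first_k(seq, k=8):
    """Order-sensitive feature: the first k packet lengths, zero padded."""
    return (list(seq) + [0] * k)[:k]


def feat_size_ratio(seq):
    """Order-invariant feature: share of large packets in the flow."""
    return [sum(1 for l in seq if l >= LARGE) / len(seq)]


class NearestCentroid:
    """Minimal stand-in for a trained classifier."""

    def __init__(self, feature_fn):
        self.feature_fn, self.centroids = feature_fn, {}

    def fit(self, flows, labels):
        sums = {}
        for f, y in zip(flows, labels):
            v = self.feature_fn(f)
            acc = sums.setdefault(y, [[0.0] * len(v), 0])
            acc[0] = [a + b for a, b in zip(acc[0], v)]
            acc[1] += 1
        self.centroids = {y: [a / n for a in s] for y, (s, n) in sums.items()}
        return self

    def predict(self, flow):
        v = self.feature_fn(flow)
        return min(self.centroids, key=lambda y: math.dist(v, self.centroids[y]))


def accuracy(model, flows, labels):
    return sum(model.predict(f) == y for f, y in zip(flows, labels)) / len(flows)


def decision_stability(model, flows, labels, kind, rng, trials=20):
    """Per-sample share of perturbed copies that the model still labels correctly."""
    return [sum(model.predict(perturb(f, kind, rng)) == y for _ in range(trials)) / trials
            for f, y in zip(flows, labels)]


def pa_curve(stabilities, steps=20):
    """Points (p, share of samples with stability >= p) for p = 0, 1/steps, ..., 1."""
    n = len(stabilities)
    return [(i / steps, sum(s >= i / steps for s in stabilities) / n) for i in range(steps + 1)]


def pa_area(stabilities, steps=20):
    """Trapezoidal area under the PA-curve; 1.0 means every sample is always right."""
    pts = pa_curve(stabilities, steps)
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(pts, pts[1:]))


def run_benchmark(seed=7, trials=20):
    """Fit both toy classifiers; report clean accuracy and PA-area per disturbance."""
    rng = random.Random(seed)
    flows, labels = make_flows(rng)
    models = {"first8": NearestCentroid(feat_first_k).fit(flows, labels),
              "size_ratio": NearestCentroid(feat_size_ratio).fit(flows, labels)}
    report = {}
    for name, model in models.items():
        report[name] = {"clean_accuracy": accuracy(model, flows, labels)}
        for kind in ("loss", "retransmission", "disorder"):
            stab = decision_stability(model, flows, labels, kind, rng, trials)
            report[name][kind] = round(pa_area(stab), 3)
    return report


if __name__ == "__main__":
    for name, scores in run_benchmark().items():
        print(name, scores)
```

Both toy models reach 100% clean accuracy, which is exactly the situation the abstract warns about: accuracy alone says nothing about robustness. The first-eight-packets model loses its A decisions as soon as a lost or retransmitted packet shifts the sequence, so its PA-area under loss and retransmission drops below 1, while the order-invariant size-ratio model keeps a PA-area of 1 under all three disturbances. On real traffic the stabilities are spread over [0, 1] and the curve, not just the area, shows which samples a model is fragile on.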
PaperID: 617,   
Authors:  Hao Fu, Degang Sun, Jinxia Wei, Wei Wan, Chun Long
Affiliations: Computer Network Information Center, University of Chinese Academy of Sciences, Beijing, China
Title: Flow Microelement-Driven Traffic Relationship Analysis: Robust Detection of Malicious Encrypted Traffic
Abstract:
Encryption technologies randomize network communication to protect user privacy. However, attackers exploit encrypted traffic to conceal malicious activities. Existing detection methods rely primarily on traffic content or interaction patterns. Nevertheless, such static methods can be easily obfuscated by advanced attacks. Since the set of potential attacks is open and infinite, models regularly lose effectiveness against novel attacks. Robust encrypted malicious traffic detection therefore remains a valuable research area. In this paper, we propose BSTS-Net, a robust unsupervised encrypted malicious traffic detection model based entirely on traffic relations. The key motivations are to construct a relation-based traffic contextual representation and to establish dynamic baselines for anomaly detection. To represent local relations within flows, we introduce the concept of traffic microelements, which capture fine-grained interaction pattern relations. To integrate the global relationships between flows, we construct a traffic microelement space based on a Siamese neural network. Three optimization functions are proposed to optimize the intraservice, interservice and internode relations. For robust detection, we introduce a reputation-enhanced dynamic encrypted traffic detection algorithm that constructs dynamic baselines and continuously detects novel anomalies. We evaluate BSTS-Net through extensive experiments on three datasets and compare it with seven SOTA methods. Our results demonstrate its superiority, with an F1 score of more than 99.63% across all the datasets in multiclassification scenarios. Additionally, we simulate three adversarial scenarios for robustness analysis. While the baseline methods suffer an F1 score degradation of 32.21%, BSTS-Net maintains high performance, with only 1% degradation.
PaperID: 618,   
Authors:  Jiale Chen, Li Dong, Wei Wang, Rangding Wang, Weiwei Sun, Yushu Zhang, Jiantao Zhou
Affiliations: Department of Computer Science, Faculty of Electrical Engineering and Computer Science, Ningbo University, Ningbo, China; Guangdong-Hong Kong-Macao Joint Laboratory for Emotion Intelligence and Pervasive Computing, Artificial Intelligence Research Institute, Shenzhen MSU-BIT University, Shenzhen, Guangdong, China; Alibaba Group, Hangzhou, Zhejiang, China; School of Computing and Artificial Intelligence, Jiangxi University of Finance and Economics, Nanchang, China; Department of Computer and Information Science, Faculty of Science and Technology, State Key Laboratory of Internet of Things for Smart City, University of Macau, Taipa, Macau, China
Title: Mixed-Bit Sampling Marking: Toward Unifying Document Authentication in Copy-Sensitive Graphical Codes
Abstract:
Combating counterfeit products is crucial for maintaining a healthy market. Recently, Copy Sensitive Graphical Codes (CSGC) have garnered significant attention due to their high sensitivity to illegal physical copying. Copy Detection Patterns (CDP) and Two-Level QR Codes (2LQR code) are two representative methods. CDP offers high efficiency and low cost, enabling use in document authentication and product anti-counterfeiting, and has achieved broad commercial adoption. In contrast, 2LQR code, as a consumer-grade document authentication solution, provides additional private message sharing functionalities. We observe that both the CDP and 2LQR code can be synthesized using textured patterns. To this end, we propose a flexible framework that integrates the stochastic anti-counterfeiting properties of CDP with the private message sharing of 2LQR code. Specifically, we model CDP as a random noise image composed of multiple textured patterns similar to those in 2LQR code, where each pattern represents an informative digit. Thus, both codes can be generated through textured pattern design. We formulate this as a constrained optimization framework called Mixed-Bit Sampling Marking (MSM). The objective incorporates white pixel ratio and spatial randomness, with constraints defined by a flexible modulation function (e.g., DCT or Pearson similarity), customizable to user needs. A two-step sampling algorithm solves the optimization. We demonstrate CDP and 2LQR codes generated via MSM and validate their ability to inherit advantages from both approaches. Experiments show that MSM-generated texture patterns effectively synthesize both CDPs and 2LQR codes, preserving their advantages while offering a novel, flexible solution for document authentication.
PaperID: 619,   
Authors:  Pinchang Zhang, Runqing Wang, Ayinuer Nuertai, Yuanyu Zhang, Xiaohong Jiang, Fu Xiao
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu, China; School of Computer Science, Xidian University, Xi’an, Shaanxi, China; School of Systems Information Science, Future University Hakodate, Hakodate, Hokkaido, Japan
Title: Physical Layer Authentication Utilizing Cascaded Channel Signature for RIS-Assisted Communication Systems
Abstract:
Authentication in reconfigurable intelligent surface (RIS)-assisted communication systems is a critical issue due to the unique characteristics of RIS, such as its passive nature, lack of built-in security mechanisms, and susceptibility to spoofing and relay attacks. To this end, this paper proposes a new physical layer authentication scheme that leverages the channel characteristics of cascaded channels in RIS-assisted systems. Specifically, we model the cascaded communication channel in the RIS-assisted communication system as an equivalent point-to-point Nakagami fading channel. Based on this model, we formulate the problem of physical layer authentication (PLA) as a binary hypothesis testing problem. To facilitate this, we employ the energy measurement of the received signal as the test statistic to detect the legitimacy of the transmitter identity. We conduct a comprehensive theoretical analysis of the false alarm probability and detection probability for single-channel and multi-channel scenarios to evaluate authentication performance, using statistical signal processing theory. Finally, we conduct extensive Monte Carlo simulations to validate the effectiveness and robustness of the proposed authentication scheme.
PaperID: 620,   
Authors:  Wenyuan Yang, Hongjian Xing, Zhun Zhang, Hanlin Gu, Lixin Fan, Xiaochun Cao
Affiliations: School of Cyber Science and Technology, Sun Yat-sen University, Shenzhen, Guangdong, China; School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; WeBank AI Lab, WeBank, Shenzhen, China
Title: FedPN: Lightweight Privacy-Preserving Federated Learning With Hardness of Learning Periodic Neurons
Abstract:
Federated Learning (FL) is a distributed machine learning paradigm that facilitates model training across multiple devices without exposing private feature data. One of the primary challenges in FL is that methods with theoretically guaranteed privacy protection, such as cryptography-based methods, often compromise computational and communication efficiency. To address the trade-off between privacy preservation and efficiency, this paper introduces FedPN, a novel privacy-preserving approach that leverages the periodic neuron technique, ensuring both enhanced privacy and efficient model training. Specifically, we propose a lightweight obfuscation mechanism integrated into the model’s input layer, where a specialized obfuscation layer is designed to ensure privacy, exploiting the synergistic interaction between convolutional operations and nonlinear activation functions to enhance feature extraction. We further integrate this privacy protection mechanism into FL model training, where the obfuscation layer is shared globally among all clients, aiming to achieve an optimal trade-off between the learnability and confidentiality of obfuscated features. In contrast to Homomorphic Encryption, our approach eliminates the need for heavy homomorphic operations, maintaining a practical level of training efficiency. Our theoretical analysis proves an exponentially negligible privacy guarantee against successful feature reconstruction attacks, with the success probability bounded by o(\gamma^{-m}), where the frequency parameter \gamma > 1 and the dimension of the obfuscated vector m > 0. In addition, extensive experiments show that FedPN significantly enhances defence against feature reconstruction, while maintaining comparable efficiency and accuracy to existing approaches such as Differential Privacy.
PaperID: 621,   
Authors:  Xinyue Sun, Xiaoyu Liu, Qingqing Ye, Haibo Hu, Renyu Yang, Hui He, Weizhe Zhang
Affiliations: School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China; School of Software, Beihang University, Beijing, China; Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: DPDeno: A Post-Processing Framework for Releasing Differentially Private Spatio-Temporal Mobility Features
Abstract:
The spatio-temporal (ST) mobility patterns derived from trajectory data are crucial for applications such as location-based services and urban analytics. However, releasing these mobility features raises significant privacy concerns, as they may expose sensitive personal location information. Differential privacy (DP) is widely used to safeguard individual privacy during data releases, but existing methods for releasing ST features often suffer from utility loss because their high dimensionality requires injecting substantial noise to meet privacy guarantees. Several recent approaches attempt to address this issue by reducing noise in differentially private spatio-temporal (DPST) features, but they either discard valuable information while compressing noisy data representations or rely solely on restrictive road network topology constraints, resulting in only modest utility improvements. In this paper, we present DPDeno, a post-processing framework designed to significantly enhance the utility of DPST features. First, DPDeno generates synthetic trajectory datasets using public information (e.g., road network data) and applies existing DP methods to create paired DPST (noisy) and ST (clean) features. It then trains a spatio-temporal graph autoencoder (STGAE), which models each feature as a graph, with road segments as nodes and transitions over time as edges. By minimizing node- and edge-level reconstruction losses between the noisy and clean pairs, STGAE learns to refine DPST inputs toward the structural consistency of their clean counterparts, thereby improving their practical utility. The trained model is then used to post-process real DPST features. Importantly, DPDeno preserves the original DP guarantee, as STGAE is trained solely on synthetic data generated from public sources without accessing any private information. Experimental results on two real-world trajectory datasets show that DPDeno significantly improves both the statistical accuracy and practical usability of released mobility features.
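The guarantee-preservation argument above rests on the post-processing property of differential privacy: any function applied to the released noisy output that never reads the private input spends no additional privacy budget. The following is an added example, not DPDeno's code, showing the check a practitioner should make on such a pipeline. It assumes each user contributes at most one transition (so the L1 sensitivity of the count vector is 1), releases road-segment-to-segment transition counts with the Laplace mechanism, and then post-processes them with a rule-based projection onto a public road graph (impossible transitions set to zero, negative counts clipped), which stands in for DPDeno's learned STGAE denoiser. Road graph and counts are constructed.

```python
"""Added example: post-processing a differentially private transition-count release.
Assumptions (not from the paper): L1 sensitivity 1 (one transition per user); a
rule-based projection onto the public road graph stands in for a learned denoiser."""
import random

# Constructed public road graph: segment i -> set of segments reachable in one move.
ROAD_ADJACENCY = {0: {1}, 1: {2}, 2: {3}, 3: {0}}
SEGMENTS = sorted(ROAD_ADJACENCY)

# Constructed private statistic: how many users moved from segment i to segment j.
# Every ordered pair is present, including impossible ones, so the support of the
# released vector does not reveal which transitions actually occurred.
TRUE_COUNTS = {(i, j): 0 for i in SEGMENTS for j in SEGMENTS if i != j}
TRUE_COUNTS.update({(0, 1): 30, (1, 2): 25, (2, 3): 20, (3, 0): 15})


def laplace_counts(true_counts, epsilon, rng, sensitivity=1.0):
    """Laplace mechanism: each count gets Laplace(0, sensitivity/epsilon) noise,
    sampled as the difference of two exponentials with that scale."""
    scale = sensitivity / epsilon
    return {key: c + rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)
            for key, c in true_counts.items()}


def project_to_road_graph(noisy_counts, adjacency):
    """Post-processing step. It reads only the released noisy counts and the public
    adjacency, never TRUE_COUNTS, so the epsilon of the release is unchanged."""
    cleaned = {}
    for (i, j), v in noisy_counts.items():
        if j not in adjacency.get(i, ()):
            cleaned[(i, j)] = 0.0          # not a road transition: pure noise
        else:
            cleaned[(i, j)] = max(0.0, v)  # a count cannot be negative
    return cleaned


def l1_error(estimate, truth):
    return sum(abs(estimate[k] - truth[k]) for k in truth)


def release(true_counts, adjacency, epsilon, seed=1):
    """Full pipeline: private counts -> DP release -> public post-processing."""
    rng = random.Random(seed)
    noisy = laplace_counts(true_counts, epsilon, rng)
    cleaned = project_to_road_graph(noisy, adjacency)
    # Budget accounting: the post-processing step adds nothing to epsilon.
    return {"noisy": noisy, "cleaned": cleaned, "epsilon_spent": epsilon}


if __name__ == "__main__":
    out = release(TRUE_COUNTS, ROAD_ADJACENCY, epsilon=0.5)
    print("epsilon spent:", out["epsilon_spent"])
    print("L1 error, raw release:", round(l1_error(out["noisy"], TRUE_COUNTS), 2))
    print("L1 error, post-processed:", round(l1_error(out["cleaned"], TRUE_COUNTS), 2))
```

Two things are worth checking in any such pipeline. First, the denoiser's signature: `project_to_road_graph` takes the noisy release and public data only, which is the code-level form of the abstract's "trained solely on synthetic data generated from public sources". Second, utility: zeroing an entry that the public graph says must be zero, and clipping a count that must be non-negative, can never increase the per-entry error, so this rule-based projection is guaranteed to do no worse than the raw release. A learned denoiser offers no such per-entry guarantee, which is why its utility gain has to be demonstrated empirically, as the abstract does.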
PaperID: 622,   
Authors:  Cong Hu, Zhichao He, Yuanbo Li, Xiaojun Wu
Affiliations: Jiangsu Provincial Laboratory of Pattern Recognition and Computational Intelligence and the School of Artificial Intelligence and Computer Science, Jiangnan University, Wuxi, Jiangsu, China
Title: Robust Token Gradient and Frequency-Aware Transferable Adversarial Attacks on Vision Transformers
Abstract:
Vision Transformers (ViTs) have achieved remarkable performance in computer vision tasks but are vulnerable to adversarial attacks. Recent studies have demonstrated the feasibility of crafting transferable adversarial examples based on ViT models. However, the adversarial examples generated by ViTs exhibit poor generalization, primarily due to structural differences between models and the tendency to overfit, which significantly hinders cross-architecture transferability. In this paper, we propose a novel framework to improve the generalization and transferability of adversarial attacks across diverse models, focusing on two key strategies: Token Gradient Divergence (TGD) and Multi-level Frequency-aware Attack (MFA). TGD, as a gradient regularization method, addresses the structural gradient issue of surrogate models, which is one of the causes of overfitting. By increasing the gradient divergence between tokens and eliminating the influence of the class token gradient, TGD enhances the transferability of adversarial examples across models. Meanwhile, MFA employs an implicit ensemble approach to enhance attack generalization. Through multiple spectral augmentations, it increases input diversity and simulates ensemble learning. By targeting critical frequency regions across models, MFA enhances adversarial example adaptability to different architectures, significantly boosting cross-architecture transferability. Extensive experiments on both ViTs and CNNs demonstrate that TGD-MFA significantly outperforms state-of-the-art transfer-based attacks, achieving substantial improvements in adversarial transferability and robustness.
PaperID: 623,   
Authors:  Rui Chen, Jianqiang Chen, Shouzhi Xu, Xingwang Li, Xiaojun Liu
Affiliations: Hubei Key Laboratory of Intelligent Vision Based Monitoring for Hydroelectric Engineering, China Three Gorges University, Yichang, China; School of Physics and Electronics Information Engineering, Henan Polytechnic University, Jiaozuo, China; Digital Work Department, State Grid Yichang Electric Power Supply Company, Yichang, China
Title: Jamming and Impulsive Noise Uncertainty Aided Covert Communication in PLC Networks
Abstract:
In this paper, we investigate covert transmission of sensitive information in power line communication (PLC) networks with the aid of impulsive noise (IN) uncertainty and jamming power uncertainty. Specifically, a PLC user attempts to transmit confidential information under the surveillance of multiple eavesdroppers (Willies), who are subject to IN uncertainty. Meanwhile, the receiver transmits artificial noise (AN) against the Willies’ eavesdropping, and the minimum detection error probability (MDEP) as well as the corresponding optimal detection threshold for the Willies are analyzed and derived. Furthermore, the covert performance, including the average MDEP, covert rate (CR) and covert transmission outage probability (CTOP), is comprehensively analyzed. Moreover, the optimization problem of maximizing the average CR of the receiver is formulated, and suboptimal expressions for the jamming power and the transmission power are derived. The results indicate that the proposed scheme can significantly enhance covertness, and that IN uncertainty is a key factor in balancing covertness and reliability, which also provides a novel solution for privacy protection of PLC users, especially when their resources are constrained.
PaperID: 624,   
Authors:  Cong Wu, Hangcheng Cao, Jing Chen, Xiyu Yan, Guowen Xu, Ziming Zhao, Yang Liu, Hongbo Jiang
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Department of Computer Science, City University of Hong Kong, Hong Kong, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; Khoury College of Computer Sciences, Northeastern University, Boston, MA, USA; Cyber Security Laboratory, College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; College of Computer Science and Electronic Engineering, Hunan University, Changsha, China
Title: RugScreener: Leveraging Temporal Graph Neural Network for Rugpull Detection in DeFi
Abstract:
The advent of decentralized finance (DeFi) has ushered in a transformative era in the financial sector, leveraging blockchain technology to facilitate peer-to-peer transactions without traditional intermediaries. Amidst this innovation, the DeFi landscape faces the pervasive threat of rugpulls, where developers abruptly abandon projects post-fundraising, leaving investors with devalued assets. This growing concern highlights a critical research gap in the proactive detection and prevention of such fraudulent schemes. To combat this, we propose RugScreener, a temporal graph neural network-based solution to identify rugpull risks within DeFi transactions. It employs a dynamic representation of blockchain interactions, enriched with comprehensive node attributes and effective temporal graph learning techniques based on memory and attention mechanisms, effectively capturing the rapid-moving and complex transaction patterns indicative of potential fraud. Our evaluation is based on a newly compiled Ethereum dataset that includes two subsets: an unlabeled set with 1,882,114 transactions from 29,595 tokens for temporal graph representation learning, and a labeled set with 128,819 transactions from 1,000 tokens (500 rugpull and 500 benign) for downstream evaluation. Using this dataset, RugScreener achieves a balanced accuracy of 95.7% in detecting rugpull tokens. Remarkably, RugScreener surpasses existing state-of-the-art graph learning models in detecting rugpull tokens with enhanced accuracy and reliability.
PaperID: 625,   
Authors:  Keke Gai, Mohan Wang, Jing Yu, Lei Xu, Peng Jiang, Liehuang Zhu, Bin Xiao
Affiliations: School of Cyberspace Science and Technology and the School of AI, Beijing Institute of Technology, Beijing, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Key Laboratory of Ethnic Language Intelligent Analysis and Security Governance of MOE and the School of Information Engineering, Minzu University of China, Beijing, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China
Title: Differentially Private Vertical Federated Learning With Adaptive Constraints and Dynamic Noise
Abstract:
Vertical Federated Learning (VFL) has gained widespread attention due to its ability to enable collaborative model training among participants with diverse data features. Differential Privacy (DP) offers provable privacy guarantees for VFL, but existing DP-based methods typically compromise accuracy for privacy protection. To address this issue, we propose a novel scheme, called Adaptive Differential Privacy-based Vertical Federated Learning (Ada-VFed), that enhances the privacy of data features and labels by adding Gaussian noise separately to the transmitted intermediate results and gradients. To improve model accuracy, we incorporate adaptive constraints through regularization terms in the objective function to mitigate the impact of clipping operations. In addition, we propose a dynamic noise injection mechanism that adjusts noise according to the importance of each dimension, thereby balancing privacy protection and model accuracy. Our theoretical analysis provides privacy guarantees and convergence insights. Extensive experiments demonstrate that our scheme significantly outperforms state-of-the-art DP-based VFL methods in terms of accuracy. Even with a small privacy budget (e.g., \epsilon = 0.5), our method improves the accuracy on MNIST, FashionMNIST, and CIFAR-10 by 13.01%, 10.08%, and 3.40%, respectively, compared to traditional DP-based VFL methods.
PaperID: 626,   
Authors:  Jiehua Zhang, Peng Zhao, Li Liu, Bowen Peng, Zhen Liu, Longguang Wang, Yingmei Wei
Affiliations: College of Electronic Science and Technology, National University of Defense Technology, Changsha, China; College of Systems Engineering, National University of Defense Technology, Changsha, China; Aviation University of Air Force, Changchun, China
Title: ARBiBench: Benchmarking and Analyzing Adversarial Robustness of Binarized Convolutional Neural Networks
Abstract:
Binarized convolutional neural networks (BCNNs), which restrict the weights and activations of the model to +1 or −1, provide notable reductions in memory requirements and enhanced model inference speed during deployment. Current research on BCNNs primarily revolves around addressing the performance degradation resulting from binarization. However, the investigation of the effects of extreme discretization on the robustness of BCNNs has been largely overlooked, despite its critical relevance to real-world applications. To this end, we propose ARBiBench, a comprehensive benchmark for evaluating the adversarial robustness of BCNNs in the image classification task. The key contributions of ARBiBench include: 1) systematically evaluating the robustness of seven influential BCNN methods across various architectures; 2) rigorous validation of diverse adversarial attack methods; and 3) novel empirical findings showing that BCNNs exhibit weaker robustness than full-precision networks on small datasets but surprisingly stronger robustness on large-scale datasets. Leveraging Information Bottleneck theory, we further demonstrate how data scale and model capacity collectively determine BCNNs’ adversarial robustness. These findings not only challenge conventional assumptions about BCNN security, but also provide new insights for developing robust yet efficient neural network architectures.
PaperID: 627,   
Authors:  Benedetta Tondi, Wei Guo, Niccolò Pancino, Mauro Barni
Affiliations: Department of Information Engineering and Mathematics, University of Siena, Siena, Italy; Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy
Title: JMA: A General Algorithm to Craft Nearly Optimal Targeted Adversarial Examples
Abstract:
Most of the approaches proposed so far to craft targeted adversarial examples against Deep Learning classifiers are highly suboptimal and typically rely on increasing the likelihood of the target class, thus implicitly focusing on one-hot encoding settings. In this paper, a more general, theoretically sound, targeted attack is proposed, which resorts to the minimization of a Jacobian-induced Mahalanobis distance term, taking into account the effort (in the input space) required to move the latent space representation of the input sample in a given direction. The minimization is solved by exploiting the Wolfe duality theorem, reducing the problem to the solution of a Non-Negative Least Squares (NNLS) problem. The proposed algorithm (referred to as JMA) provides an optimal solution to a linearised version of the adversarial example problem originally introduced by Szegedy et al. The results of the experiments confirm the generality of the proposed attack, which is proven to be effective under a wide variety of output encoding schemes. Noticeably, JMA is also effective in a multi-label classification scenario, being capable of inducing a targeted modification of up to half of the labels in complex multi-label classification scenarios, a capability that is out of reach of all the attacks proposed so far. As a further advantage, JMA requires very few iterations, thus being more efficient than existing methods.
PaperID: 628,   
Authors:  Qing Tian, Xiang Liu, Jixin Sun, Jun Wan, Zhen Lei
Affiliations: School of Software, Nanjing University of Information Science and Technology, Nanjing, China; School of Computer Science and the School of Cyberspace Security, Nanjing University of Information Science and Technology, Nanjing, China; Chinese Academy of Sciences (CASIA), Institute of Automation, Beijing, China; State Key Laboratory of Multimodal Artificial Intelligence Systems (MAIS), Institute of Automation, CASIA, Beijing, China
Title: Unsupervised Domain Adaptation Person Re-Identification: Bridged by Feature Fusion Transitional Domain
Abstract:
The goal of unsupervised domain adaptation person re-identification (UDA Reid) is to achieve feature space alignment between the source domain and the target domain, so that the Reid model can effectively match pedestrians in the target domain. Creating the transitional domain is an effective approach, but existing models often have difficulty synthesizing transitional domains with sufficiently public features. To tackle this challenge, we propose an innovative approach named feature fusion transitional domain (F2TD-Reid), which comprises two essential components: the dictionary fusion module (DFM) and the transitional domain attention module (TDAM). Among them, the DFM utilizes a feature fusion to extract and reconstruct pedestrian images from instances, focusing on capturing the essential visual elements within the images. For the TDAM, it further refines the feature extraction of instance points through an innovative weighted attention mechanism. These two modules optimize the generation process of scaling factors, thereby facilitating the transfer of knowledge between the source domain and the target domain. Through a series of comparative experiments, we verify the superiority of the F2TD-Reid method in solving UDA Reid. The code is available at https://github.com/1x-x/F2TD-Reid
PaperID: 629,   
Authors:  Yulong Wang, Yifei Fu, Wenwei Kong, Chang Liu, Sen Su
Affiliations: State Key Laboratory of Networking and Switching Technology, School of Computer Science (National Pilot Software Engineering School), Beijing University of Posts and Telecommunications, Beijing, China
Title: PoisonPatch: Natural Adversarial Patches via Diffusion Models and Federated Learning Poisoning
Abstract:
Adversarial patches pose a significant threat to deep neural networks (DNNs). Unlike conventional adversarial attacks that are digital and less effective in the real world, adversarial patches can disrupt DNNs in real-world scenarios with potentially catastrophic outcomes. Understanding the characteristics of these patches is crucial to comprehending this new form of adversarial attack. While prior research has primarily aimed at enhancing the success rate of adversarial patches on specific DNN models, the rise of federated learning (FL) introduces a novel attack vector. In this context, attackers could manipulate a DNN model’s learnable parameters by contributing models trained on poisoned data. To assess the feasibility and danger of adversarial patches in this context, we introduce a novel attack method named PoisonPatch. This method merges FL poisoning attacks with adversarial patch search, first poisoning a DNN-based image classifier through FL, and then employing an adversarial patch search algorithm to create patches that increase the success rate of the attacks. This dual approach, combining poisoning attacks with adversarial patches, results in patches that are more challenging for machines to detect than traditional poisoning attacks and less noticeable to the human eye than typical adversarial patches due to their natural appearance. Our extensive experimental results demonstrate that PoisonPatch surpasses current state-of-the-art methods, producing natural-looking patches while achieving a 100% attack success rate.
PaperID: 630,   
Authors:  Jianan Zhao, Wenjuan Tang, Kuan Zhang, Hongbo Jiang
Affiliations: College of Cyber Science and Technology, Hunan University, Changsha, Hunan, China; Department of Electrical and Computer Engineering, University of Nebraska–Lincoln, Lincoln, NE, USA; School of Computer Science and Electronic Engineering, Hunan University, Changsha, China
Title: Enabling Gradient Inversion Attack Against SplitFed Learning via L2 Norm Amplification
Abstract:
SplitFed Learning (SFL) represents a compelling distributed learning paradigm tailored for resource-constrained edge computing scenarios, wherein the privacy threat posed by Gradient Inversion Attacks (GIA) remains challenging. The unique architecture of SFL restricts the fed server’s access only to the client-side model’s deficient gradients, which lack essential information about the original data. This absence of complete gradient information hinders traditional GIA methods, which rely on complete gradient information for effective data reconstruction, thereby significantly diminishing their effectiveness in the SFL context. In this paper, we propose a novel attack against SFL called Deficient Gradient-based Inversion Attack (DGIA), which reconstructs original training data by artificially amplifying the $\ell_2$ norm of deficient gradients. Through extensive evaluation of how GIA performance varies with different gradient magnitudes, we observe a definitive correlation between the gradient $\ell_2$ norm and attack performance. Based on this correlation, we further optimize DGIA to identify the optimal gradient amplification scale that maximizes the information encoded in deficient gradients. This compensates for the restricted access to complete gradients and enhances the attack performance. We conduct extensive experiments to demonstrate DGIA’s performance across various SFL scenarios compared with other GIA schemes and show attack efficacy under general defenses.
PaperID: 631,   
Authors:  Yinbin Miao, Xin Wang, Shu Zhang, Xinghua Li, Shujiang Xu, Zhiquan Liu, Kim-Kwang Raymond Choo, Robert H. Deng
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; College of Cyber Security, Jinan University, Guangzhou, China; Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX, USA; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Trace Your Footprint: Efficient Spatial Keyword Query Over Encrypted Trajectory Data
Abstract:
With the popularity of mobile devices, spatial-textual trajectory query has been deployed in applications such as trajectory-based navigation and travel route recommendation. Massive trajectory data have been outsourced to cloud servers for storage and sharing such as spatial keyword search. However, existing solutions only support similarity queries in the spatial dimension and still incur high storage and query costs, which cannot scale well in large-scale trajectory data scenarios. To solve the above issues, we first achieve an Efficient Range Query over Encrypted Trajectory Data (ERT) using the Douglas-Peucker trajectory compression algorithm, random matrix multiplication, filtering-verification mechanism and polynomial fitting technology. Then, we further propose an enhanced Efficient Spatial Keyword Query over Encrypted Trajectory Data (ESKT) by constructing a unified spatial-textual index structure, which can find relevant trajectories that are within some arbitrary geometric range and contain all query keywords. Finally, we formally prove that our schemes are secure against chosen-plaintext attack, and conduct extensive experiments to demonstrate that our schemes improve the query efficiency by almost 100× when compared with state-of-the-art solutions.
PaperID: 632,   
Authors:  Tianchi Liu, Duc-Tuan Truong, Rohan Kumar Das, Kong Aik Lee, Haizhou Li
Affiliations: Department of Electrical and Computer Engineering, National University of Singapore, Queenstown, Singapore; Nanyang Technological University, Jurong West, Singapore; Fortemedia Singapore, Shenton way, Singapore; Department of Electrical and Electronic Engineering, Research Centre for Data Science and Artificial Intelligence, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: Nes2Net: A Lightweight Nested Architecture for Foundation Model Driven Speech Anti-Spoofing
Abstract:
Speech foundation models have significantly advanced various speech-related tasks by providing exceptional representation capabilities. However, their high-dimensional output features often create a mismatch with downstream task models, which typically require lower-dimensional inputs. A common solution is to apply a dimensionality reduction (DR) layer, but this approach increases parameter overhead, computational costs, and risks losing valuable information. To address these issues, we propose Nested Res2Net (Nes2Net), a lightweight back-end architecture designed to directly process high-dimensional features without DR layers. The nested structure enhances multi-scale feature extraction, improves feature interaction, and preserves high-dimensional information. We first validate Nes2Net on CtrSVDD, a singing voice deepfake detection dataset, and report a 22% performance improvement and an 87% back-end computational cost reduction over the state-of-the-art baseline. Additionally, extensive testing across four diverse datasets: ASVspoof 2021, ASVspoof 5, PartialSpoof, and In-the-Wild, covering fully spoofed speech, adversarial attacks, partial spoofing, and real-world scenarios, consistently highlights Nes2Net’s superior robustness and generalization capabilities. The code package and pre-trained models are available at https://github.com/Liu-Tianchi/Nes2Net
PaperID: 633,   
Authors:  Jiajun Li, Zheng Yan, Yishan Yang
Affiliations: State Key Laboratory of ISN, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China
Title: PosGKG: Lightweight Position-Based Group Key Generation and Management in BC Systems
Abstract:
Backscatter Communication (BC) is an innovative wireless communication technology that is characterized by energy harvesting capability, low cost, ultra-low power consumption, and ease of maintenance. Secure communications among a group of Backscatter Devices (BDs) are crucially important to facilitate its wide applications. However, current Group Key Generation (GKG) technologies in BC systems suffer from such problems as inadequate key consistency, low key generation efficiency, suboptimal key randomness, high key generation complexity, as well as lack of group key management to ensure backward and forward secrecy. In response, this paper proposes PosGKG, a position-based group key generation and management scheme with high key consistency, efficiency, and randomness, tailored for easy deployment in a BC system with low computation and communication complexity. PosGKG leverages position information to construct shared information between devices for GKG, thereby addressing over-reliance on channel reciprocity and enhancing group key consistency. In particular, PosGKG incorporates a dynamic update mechanism for private weight vectors of BDs that are used to obtain global positions for GKG, which guarantees that the generated group key retains a high degree of randomness, even in a static environment. PosGKG not only diminishes communication and computational complexities due to the adoption of randomly changed global positions as shared information for GKG but also exhibits enhanced security under various attacks, both passive and active ones. In addition, group key management is applied to guarantee the forward and backward secrecy of PosGKG, irrespective of the changes of the BC system. Theoretical analysis and comprehensive experiments with diverse configurations validate the performance of PosGKG in terms of communication and computational complexity, key generation efficiency, key consistency, robustness, security, and environmental feasibility, with demonstrated advantages over existing technologies.
PaperID: 634,   
Authors:  Zekai Chen, Zhe Ren, Xinghua Li, Zhan Zhang, Yunwei Wang, Robert H. Deng
Affiliations: State Key Laboratory of Integrated Services Networks and the School of Cyber Engineering, Xidian University, Xi’an, China; School of Information Systems, Singapore Management University, Stamford Rd, Singapore
Title: Efficient One-to-Many Authentication With Intelligent Illegal Request Identification for UAV Networks
Abstract:
In Unmanned Aerial Vehicle (UAV) networks, UAVs usually perform tasks in the form of groups. When tasks change, the Ground Control Station (GCS) will assign the complemental UAV to join the group for notification or reinforcement. Since UAVs communicate over open wireless channels, secure authentication is required for a complemental UAV joining the group. However, one-by-one authentication between the complemental UAV and the group members leads to high overhead and delays. At the same time, when the UAV group is far away from the coverage of the GCS, the GCS is unable to assist the authentication process in real time. To solve the above problems, we propose a one-to-many UAV authentication scheme using Identity-Based Broadcast Encryption (IBBE) and batch authentication. This scheme does not require a trusted third party to be online in real time. We also design an algorithm based on reinforcement learning for identifying illegal requests during batch authentication, enhancing efficiency and ensuring successful authentication. Our scheme meets UAV networks’ security requirements, defending against various attacks. Experimental results show that it reduces computational overhead by 55.27% and communication overhead by 23.16% compared to similar schemes. Additionally, the illegal request identification algorithm reduces identification numbers by 15.44% to 25.72% and lowers latency by 14.64% to 25.12% compared to existing methods.
PaperID: 635,   
Authors:  Cheemaladinne Kondaiah, Alwyn Roshan Pais, Routhu Srinivasa Rao
Affiliations: Department of Computer Science and Engineering, Information Security Research Laboratory, National Institute of Technology Karnataka, Surathkal, Mangaluru, India; CureBay, Bhubaneswar, Odisha, India
Title: TrackPhish: A Multi-Embedding Attention-Enhanced 1D CNN Model for Phishing URL Detection
Abstract:
Phishing attacks are a growing threat to online security, with increasingly sophisticated and frequent tactics. This rise in cyber threats underscores the need for advanced detection methods. While the Internet is crucial for modern communication and commerce, it also exposes users to risks such as phishing, spamming, malware, and performance degradation attacks. Among these, malicious URLs, commonly embedded in static links within emails and websites, are a significant challenge in identifying and mitigating these attacks. This study proposes TrackPhish, a novel lightweight application that predicts URL legitimacy without visiting the associated website. The proposed model combines traditional word embeddings (Word2Vec, FastText, GloVe) with transformer models (BERT, RoBERTa, GPT-2) to create a comprehensive feature set fed into a Deep Learning (DL) model for detecting phishing URLs. The integration of these embeddings captures semantic relationships and contextual understanding of the text, generating a robust feature set enhanced by an attention mechanism to choose relevant features. The refined features are then used to train a One-Dimensional Convolutional Neural Network (1D CNN) model for phishing URL detection. The proposed model offers key advantages over existing methods, including independence from third-party features, adaptability for client-side deployment, and target-independent detection. Experimental results demonstrate the model’s effectiveness, achieving 95.41% accuracy with a low false positive rate of 1.44% on our dataset and an impressive 98.55% accuracy on benchmark datasets, outperforming existing baseline models. The proposed model represents a significant advancement over traditional methods, enhancing online security against phishing URLs.
PaperID: 636,   
Authors:  Deepika Saxena, Ashutosh Kumar Singh
Affiliations: School of Computer Science and Engineering, The University of Aizu, Aizuwakamatsu, Japan; Indian Institute of Information Technology, Bhopal, India
Title: A Meta-Unified Global Cyber Threat Intelligence Model for Industrial Cross-Cloud Networks
Abstract:
Industrial cross-cloud networks (ICCNs) combine services from multiple providers to support critical operations, but this diversity also creates major security challenges. Because each provider follows different protocols and safeguards, responses to cyber threats are often inconsistent and delayed, reducing the effectiveness of existing Cyber Threat Intelligence (CTI) systems. To address this gap, we propose a three-layered CTI framework that unifies learning and adaptation across heterogeneous clouds. The first layer implements a two-tier federated learning (FL) strategy, developing two global models: MLP-SimiFed and MLP-Non-SimiFed, within each industry cloud to manage scalability and heterogeneity. The second layer aggregates these models across distributed clouds into a Unified Global Model, strengthening collaborative defense. The third layer leverages transfer learning to produce the Meta Unified Global Cyber Threat Intelligence (MUG-CTI) model, which enables swift adaptation to emerging threats. Through test-bed simulation, MUG-CTI demonstrates superior threat management, achieving up to 20.7% and 43.06% higher accuracy, and reducing hamming loss by up to 73.8% and 98.3% compared to Federated Learning and SVM-driven methods, respectively.
PaperID: 637,   
Authors:  Yuan Xun, Siyuan Liang, Xiaojun Jia, Xinwei Liu, Jun Chen, Xiaochun Cao
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Computing, National University of Singapore, Queenstown, Singapore; Cyber Security Research Centre @ NTU, Nanyang Technological University, Jurong West, Singapore; School of Electronics and Information Technology, Sun Yat-sen University, Guangzhou, China; School of Cyber Science and Technology, Shenzhen Campus, Sun Yat-sen University, Shenzhen, China
Title: CleanerCLIP: Fine-Grained Counterfactual Semantic Augmentation for Backdoor Defense in Contrastive Learning
Abstract:
With the rise of the open-source community, multimodal pre-trained models such as CLIP have become increasingly vulnerable to backdoor attacks. Backdoor triggers can manipulate model outputs during inference, posing a significant threat to downstream users. While post-training defenses based on fine-tuning have made some progress, their effectiveness remains limited due to two key challenges: 1) They fail to weaken the connection between the backdoor trigger and the target text space, making it possible for the model to still rely on the backdoor pattern for prediction. 2) Although batch-level fine-tuning expands the data distribution, it lacks precise guidance for vision-language alignment. To address these limitations, we propose a fine-grained counterfactual text-driven sample-level fine-tuning defense. By generating counterfactual sub-texts, we explicitly guide the text space to shift towards a more discriminative and robust representation, thereby indirectly weakening the association between backdoor triggers and target semantics. Furthermore, we introduce intra-sample contrastive learning with hard negative sub-texts, which enforces a more precise gradient direction to enhance vision-language fine-grained alignment. We evaluate our approach against six different backdoor attack methods and conduct a comprehensive zero-shot classification study on ImageNet-1K. Experimental results demonstrate that our method surpasses CleanCLIP in defending against advanced BadCLIP, reducing the classification attack success rate in Top-1 by 52.02% and Top-10 by 63.88%. We aim to enhance the robustness of multimodal models against backdoor threats, fostering safer deployment in real-world applications.
PaperID: 638,   
Authors:  Hao Zhou, Suman Sourav, Binbin Chen, Ke Yu
Affiliations: Beijing University of Posts and Telecommunications, Beijing, China; Aalborg University, Aalborg, Denmark; Singapore University of Technology and Design, Singapore, Singapore
Title: SRLR: Symbolic Regression-Based Logic Recovery to Counter Programmable Logic Controller Attacks
Abstract:
Programmable Logic Controllers (PLCs) are critical components in Industrial Control Systems (ICSs). Their potential exposure to the external world makes them susceptible to cyber-attacks. Existing detection methods against controller logic attacks use either specification-based or learnt models. However, specification-based models require experts’ manual efforts or access to the PLC’s source code, while machine learning-based models often fall short of providing explanations for their decisions. We design SRLR — a Symbolic Regression based Logic Recovery solution to identify the logic of a PLC based only on its inputs and outputs. The recovered logic is used to generate explainable rules for detecting controller logic attacks. SRLR enhances the latest deep symbolic regression methods using the following ICS-specific properties: 1) some important ICS control logic is best represented in the frequency domain rather than the time domain; 2) an ICS controller can operate in multiple modes, each using different logic, where mode switches usually do not happen frequently; 3) a robust controller usually filters out outlier inputs as ICS sensor data can be noisy; and 4) with the above factors captured, the degree of complexity of the formulas is reduced, making effective search possible. Thanks to these enhancements, SRLR consistently outperforms all existing methods in a variety of ICS settings that we evaluate. In terms of the recovery accuracy, SRLR’s gain can be as high as 39% in some challenging environments. We also evaluate SRLR on a distribution grid containing hundreds of voltage regulators, demonstrating its stability in handling large-scale, complex systems with varied configurations.
PaperID: 639,   
Authors:  Qingyang Zeng, Lianjie Wu, Kaiyu Hou, Xue Leng, Yan Chen
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, China; Alibaba Cloud Computing, Hangzhou, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, China; Department of Computer Science, Northwestern University, Evanston, IL, USA
Title: FaaSTracker: Efficient Cross-Layer Provenance Tracking of Serverless Applications With Multi-Source Correlation
Abstract:
Serverless computing, also known as Function-as-a-Service (FaaS), has gained popularity due to its flexibility, scalability, and transparent development. However, attacks against serverless platforms are also increasing. Unfortunately, the complex multi-layer FaaS architecture and frequently launched lightweight functions help attackers conceal their tracks. Specifically, 1) fully tracking the behavior of a function requires crossing multiple layers of FaaS; 2) intrusive auditing components in functions affect function startup latency and performance; and 3) accurately tracking the provenance of cross-layer function invocations requires integrating data from multiple sources. In this paper, we propose FaaSTracker, a cross-layer, non-intrusive, efficient provenance framework for accurately tracking user function behaviors in FaaS. FaaSTracker tracks function behaviors across layers using a non-intrusive agent without any modifications to the function. In addition, it correlates data from multiple sources to construct a provenance graph of function workflows to locate attackers. We implement FaaSTracker on the OpenFaaS platform and evaluate its performance using real-world serverless applications. Compared with state-of-the-art serverless provenance systems, FaaSTracker provides a more accurate and complete view of provenance graphs and reduces CPU and memory resource usage by 54.0% and 48.9%, respectively.
PaperID: 640,   
Authors:  Feng Liu, Zhenyu Li, Rui Ma
Affiliations: School of Artificial Intelligence, Jilin University, Changchun, China; Henan Key Laboratory of Cyberspace Situation Awareness, Zhengzhou, China
Title: A Community-Aware Spatio-Temporal Hypergraph Contrastive Learning Method for Social Bot Detection
Abstract:
Social bot detection plays a crucial role in enabling social media platforms and governments to effectively manage and regulate social networks. Existing methods, which typically rely on multi-modal feature fusion, often concentrate on interactions between paired accounts and their immediate neighbors, overlooking the dynamic evolution of social networks over time. To address this gap, we propose a community-aware spatio-temporal hypergraph contrastive learning method for social bot detection, namely BotSTHCL. Specifically, we construct a temporal community-aware hypergraph and apply a contrastive learning framework in a semi-supervised setting, facilitating the effective extraction and representation of node features. Our model not only captures interactions among multiple accounts within a community but also accounts for the evolving nature of social networks. Extensive experiments on publicly available datasets demonstrate the effectiveness and superiority of our approach. The code is available at https://github.com/FengLiuii/BotSTHCL
PaperID: 641,   
Authors:  Yuexiu Xing, Xueyan Zhang, Guyue Li, Yun Lin, Haitao Zhao
Affiliations: School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Cyber Science and Engineering, Southeast University, Nanjing, China; College of Information and Communication Engineering, Harbin Engineering University, Harbin, China
Title: A Robust Radio Frequency Fingerprint Open-Set Recognition Scheme for IoT Devices
Abstract:
Radio frequency fingerprint (RFF) identification is a promising solution for Internet of Things (IoT) device authentication. However, this technique encounters practical challenges such as noise interference, channel coupling, and open-set recognition (OSR). This paper proposes a unified RFF-OSR framework to jointly address these problems in complex environments. Firstly, the framework mitigates the noise interference by employing a low-pass filter-integrated autoencoder, where the low-pass filter is used to obtain a “quasi-clean” signal as the autoencoder reference, thereby reducing the demand for ideal signals. Then, the channel influence on RFF is modeled as three types: frequency offset, phase noise, and amplitude distortion. Based on this model, parameterized channel augmentation is performed to improve the generalization ability of RFF identification in unknown channel scenarios. In terms of OSR, instead of a coarse-grained uniform probability threshold for rogue device recognition, we conduct independent similarity judgments for all legitimate classes, each with an individual threshold. It effectively reduces information loss in the feature probability transformation and increases OSR performance. Under additive white Gaussian noise (AWGN) and multipath channel conditions, our method achieves OSR accuracies of 99.37% and 97.05% in ZigBee device identification, respectively, which demonstrates the effectiveness of our approach.
PaperID: 642,   
Authors:  Pan Zhang, Lei Xu, Chungen Xu, Lin Mei, Yiting Liu
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Mathematics and Statistics, Nanjing University of Science and Technology, Nanjing, China
Title: RDCBA-FEL: Robust Defense Against Colluded Backdoor Attacks in Federated Edge Learning
Abstract:
Federated edge learning (FEL) has emerged as a distributed machine learning paradigm that enables devices to jointly train a shared global model in the Industrial Internet of Things (IIoT), which greatly accelerates the advancement of Industry 4.0. However, FEL is vulnerable to the colluded backdoor attack (CBA) at high percentages of poisonous devices and attack intensity. Meanwhile, conventional strategies against general BAs aim to mitigate the impact of degrading the accuracy of benign clients by propagating correct local updates, but they can hardly prevent CBAs. Moreover, recent work defends against CBAs at the cost of slower convergence. To tackle the above vulnerabilities, we propose RDCBA-FEL, which effectively identifies and corrects malicious updates from all local ones. Firstly, RDCBA-FEL restricts common features in poisonous updates, such as amplified magnitudes or similar descent directions. Secondly, RDCBA-FEL adopts the residual-based attack detection mechanism to identify and convert malicious updates into benign ones, thus speeding up model convergence. Thirdly, RDCBA-FEL employs the beta-based reputation model to average the weights of local updates, guaranteeing that benign updates have priority over poisoned ones. Moreover, since historical reputations can negatively affect benign weight allocation, a distributed time-decay attention mechanism is used to flexibly adjust FEL to make the model more focused on the current reputation. Extensive evaluations on five benchmark datasets show the robustness of RDCBA-FEL against advanced attacks compared to eleven state-of-the-art schemes.
PaperID: 643,   
Authors:  Yijun Ran, Jingjing Xiao, Xiao-Ke Xu
Affiliations: State Key Laboratory of Public Big Data, Guizhou University, Guiyang, China; College of Information and Communication Engineering, Dalian Minzu University, Dalian, China; Center for Computational Communication Research, Beijing Normal University, Zhuhai, China
Title: Identifying Social Bots via Heterogeneous Motifs Based on Naïve Bayes Model
Abstract:
Identifying social bots has become a critical challenge due to their significant influence on social media ecosystems. Despite advancements in detection methods, most topology-based approaches insufficiently account for the heterogeneity of neighborhood preferences and lack a systematic theoretical foundation, relying instead on intuition and experience. Here, we propose a theoretical framework for detecting social bots utilizing heterogeneous motifs based on the Naïve Bayes model. Specifically, we refine homogeneous motifs into heterogeneous ones by incorporating node-label information, effectively capturing the heterogeneity of neighborhood preferences. Additionally, we systematically evaluate the contribution of different node pairs within heterogeneous motifs to the likelihood of a node being identified as a social bot. Furthermore, we mathematically quantify the maximum capability of each heterogeneous motif, enabling the estimation of its potential benefits. Comprehensive evaluations on four large, publicly available benchmarks confirm that our method surpasses state-of-the-art techniques, achieving superior performance across five evaluation metrics. Moreover, our results reveal that selecting motifs with the highest capability achieves detection performance comparable to using all heterogeneous motifs. Overall, our framework offers an effective and theoretically grounded solution for social bot detection, significantly enhancing cybersecurity measures in social networks.
PaperID: 644,   
Authors:  Yang Shi, Minyu Teng, Tianyuan Luo, Wenyuan Jiang, Jiayao Gao, Jiangfeng Li, Man Ho Au
Affiliations: School of Computer Science and Technology, Tongji University, Shanghai, China; Department of Computer Science (D-INFK), Swiss Federal Institute of Technology (ETH Zürich), Zürich, Switzerland; Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: An Obfuscator for Securing Ring Confidential Transactions' Signing Keys of Cryptocurrencies
Abstract:
Ring Confidential Transaction (RingCT) protocols are widely used in cryptocurrencies to protect user privacy. Consequently, a corresponding digital signature scheme, such as a ring signature scheme that hides the signers’ identities, is required. Accordingly, the security of a RingCT protocol depends on the confidentiality of the secret signing keys of the underlying ring signature scheme. However, existing solutions like hardware wallets, Trusted Execution Environments (TEEs), and threshold signature schemes have limitations such as specified expensive hardware, targeting attacks at CPUs on insufficiently secure hardware, and overheads caused by multiple parties. On the contrary, program obfuscation for signature schemes offers advantages over these existing approaches. Concretely, we propose a novel obfuscator that secures the secret keys of the concise linkable spontaneous anonymous group (CLSAG) signature scheme, which is the latest ring signature scheme used in Monero’s RingCT protocol. To achieve enhanced security, the proposed obfuscator leverages Paillier homomorphic encryption to transform secret keys into an obfuscated form resistant to attacks. The security of the proposed obfuscator has been formally proved. Computational efficiency has been both theoretically analyzed and experimentally evaluated with positive results on various testing platforms.
PaperID: 645,   
Authors:  Ricardo Misael Ayala Molina, Hyame Assem Alameddine, Makan Pourzandi, Chadi Assi
Affiliations: Concordia University, Montreal, QC, Canada; Ericsson, Montreal, QC, Canada
Title: PUL-Inter-Slice Defender: An Anomaly Detection Solution for Distributed Slice Mobility Attacks
Abstract:
Network Slices (NSs) are virtual networks operating over a shared physical infrastructure, each designed to meet specific application requirements while maintaining consistent Quality of Service (QoS). In Fifth Generation (5G) networks, User Equipment (UE) can connect to and seamlessly switch between multiple NSs to access diverse services. However, this flexibility, known as Inter-Slice Switching (ISS), introduces a potential vulnerability that can be exploited to launch Distributed Slice Mobility (DSM) attacks, a form of Distributed Denial of Service (DDoS) attack. To secure 5G networks and their NSs against DSM attacks, we present in this work PUL-Inter-Slice Defender, an anomaly detection solution that leverages Positive Unlabeled Learning (PUL) and incorporates a combination of Long Short-Term Memory Autoencoders and K-Means clustering. PUL-Inter-Slice Defender leverages the Third Generation Partnership Project (3GPP) key performance indicators and performance measurement counters as features for its machine learning models to detect DSM attack variants while maintaining robustness in the presence of contaminated training data. When evaluated on data collected from our 5G testbed based on the open-source free5GC and UERANSIM, a UE/Radio Access Network (RAN) simulator, PUL-Inter-Slice Defender achieved F1-scores exceeding 98.50% on training datasets with 10% to 40% attack contamination, consistently outperforming its counterpart Inter-Slice Defender and other PUL-based solutions combining One-Class Support Vector Machine (OCSVM) with Random Forest and XGBoost.
PaperID: 646,   
Authors:  Jieli Liu, Jiajing Wu, Jinze Chen, Yiyue Cao, Zibin Zheng
Affiliations: School of Software Engineering, Sun Yat-sen University, Zhuhai, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China
Title: Trans2Graph: Mining Ethereum Phishers With Graph on Heterogeneous Temporal Transaction Data
Abstract:
In recent years, phishing scams have caused huge economic losses in Ethereum, the largest blockchain platform enabling smart contracts. Many new sorts of phishing attacks based on smart contracts, specifically targeting Ethereum assets such as Ether and tokens, are emerging. Existing Ethereum phishing detection methods usually mine the transaction relationships among accounts from block data, while neglecting to mine the temporal transaction patterns inherent in the accounts themselves in different transaction types introduced by smart contracts. Such information provides a new perspective for analyzing account transaction preferences. However, since this information is hidden in heterogeneous data such as trace data and event logs, it is difficult to analyze and mine the information. In this paper, we contribute Trans2Graph, a novel graph-based framework for Ethereum data modeling and phishing detection, to fully exploit the massively heterogeneous temporal transaction data. We propose a new paradigm for the fusion of heterogeneous Ethereum data and model the implicit transition relationships among multiple heterogeneous transactions of each Ethereum account into a heterogeneous, temporal, directed multigraph called transaction state transition graph. Empirical analysis shows that phishing accounts have unique patterns in both the heterogeneity and time dynamics of transaction state transition graphs. Based on the analysis, we develop a novel attention-based graph neural network for the learning of heterogeneous temporal state transition graphs and phishing detection. Experiments on a large-scale real-world dataset demonstrate that Trans2Graph achieves a minimum 52.57% improvement in the average precision metric over state-of-the-art account interaction graph-based methods and a minimum 11.52% improvement in average precision over transaction sequence-based methods.
PaperID: 647,   
Authors:  Haitao Su, Yue Qin, Zhenhua Li, Xin Miao, Yuan Zhou
Affiliations: Qiuzhen College, Tsinghua University, Beijing, China; School of Information, Central University of Finance and Economics, Beijing, China; School of Software, Tsinghua University, Beijing, China; Department of Mathematical Sciences, Yau Mathematical Sciences Center, Tsinghua University, Beijing, China
Title: Falcon: A Universal Text-Only Membership Inference Attack Framework Against In-Context Learning
Abstract:
Membership inference attacks (MIAs) against in-context learning (ICL) serve as essential tools for privacy risk assessment and intellectual property safeguarding due to the use of small, private datasets for adaptation. However, most MIAs against language models require unrealistic, internal access or risk triggering built-in security mechanisms. In this paper, we propose Falcon (Flexible Attack on Language Context via ObfuscatioN), the first task-aware MIA framework against text-only model APIs. Falcon fully exploits the complexity of text obfuscation techniques and leverages the model’s discrepancies in reconstructing obfuscated texts from seen versus unseen data as a strong membership signal, successfully bypassing application constraints and LLM safeguarding mechanisms. Through extensive experiments on six widely used LLMs, including four open-source models (Llama-2, Llama-3, Qwen-2.5, Ministral) and two commercial models (GPT-3.5 and GPT-4o-mini), and five datasets from various domains for tasks including question answering, text classification and summarization, Falcon generally achieves over 95% attack success rates, significantly outperforming existing methods. An in-depth analysis of the impact of model scale shows that Falcon exploits a capacity-induced vulnerability, indicating that models with higher capabilities are more susceptible to our attack. Additionally, we explore three defense methods, highlighting role validation as a potential mechanism for safeguarding LLM privacy. We have open-sourced Falcon’s modular, extensible codebase to support future research.
PaperID: 648,   
Authors:  Jiang Zhu, Qingqing Ye, Haibo Hu, Li Bai
Affiliations: Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hung Hom, Hong Kong; Department of Electrical and Electronic Engineering, Research Centre for Privacy and Security Technologies in Future Smart Systems, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: Auditing MLaaS Inference Service Quality Without Ground Truth via Mutual Information
Abstract:
The Machine Learning as a Service (MLaaS) paradigm offers an appealing solution for clients that have limited computational resources. It allows entities to train models with collected datasets and powerful cloud resources, and to deploy these models for inference. However, MLaaS currently faces significant challenges in ensuring trustworthy inference and service quality. The clients cannot verify that the inference results returned by the service provider (SP) are the model’s actual inference results. Moreover, even if clients manage to ensure that the results are obtained through model inference, they are unable to determine the model’s service quality without ground truth. To address these concerns, we introduce an innovative framework to audit inference quality and integrity in MLaaS through a novel deep neural network (DNN) inspection method. Specifically, our approach represents the inherent behavior of the model by collecting its intermediate layer outputs and quantifying the mutual information (MI) values derived from them. By benchmarking the model during the training process, the SP can record the characteristics of the correct model and its corresponding service quality. After receiving the auditing request, the auditor can evaluate the quality of the service by estimating its accuracy via mutual information. Moreover, it can confirm the integrity of the returned results by inspecting the intermediate layer output. In addition, we thoroughly analyze our scheme for various potential adaptive attacks. Through empirical studies, we verify the correctness, effectiveness, and robustness of our scheme for trustworthy MLaaS inference service.
PaperID: 649,   
Authors:  Yifeng Jiang, Xiaochen Yuan, Weiwen Zhang, Wei Ke, Chan-Tong Lam, Sio Kei Im
Affiliations: School of Computer Science and Technology, Guangdong University of Technology, Guangzhou, China; Macao Polytechnic University, Macau, SAR, China
Title: PFL-ALP: Personalized Federated Learning Against Backdoor Attacks via Attention-Based Local Purification
Abstract:
Federated learning (FL) enables collaborative model training while preserving local data privacy, but is vulnerable to backdoor attacks from malicious clients. These attacks can manipulate the global model to produce malicious output when encountering specific triggers. Existing defenses, categorized as server-side and client-side approaches, have limitations such as reliance on auxiliary data availability, susceptibility to inference attacks, and instability under non-independent and identically distributed (Non-IID) data. In response to these challenges, we propose a Personalized Federated Learning via Attention-based Local Purification (PFL-ALP) algorithm, a hybrid defense mechanism integrating server-side dynamic clustering and client-side purification enhanced with personalized model knowledge. This approach effectively mitigates bias introduced by Non-IID data on the server side and further purifies the backdoored model on the client side. Specifically, we employ neural attention distillation (NAD) for model purification and enhance it with personalized model knowledge, extending the effectiveness of NAD in Non-IID FL settings. This design makes PFL-ALP compatible with privacy protocols to mitigate inference attacks. Moreover, we establish a convergence guarantee for PFL-ALP and experimentally validate its superior performance in defending against various backdoor attacks compared to multiple state-of-the-art (SOTA) defenses across three datasets. The results show that even with malicious rates ranging from 30% to 90%, PFL-ALP can reduce the attack success rate by more than 69.4 percentage points, with the reduction in main task accuracy less than 12.4 percentage points.
PaperID: 650,   
Authors:  Tengfei Liang, Yi Jin, Zhun Zhong, Xin Chen, Xianjia Meng, Tao Wang, Yidong Li
Affiliations: Key Laboratory of Big Data and Artificial Intelligence in Transportation, Ministry of Education, the State Key Laboratory of Advanced Rail Autonomous Operation, and the School of Computer Science and Technology, Beijing Jiaotong University, Beijing, China; School of Computer Science and Information Engineering and the School of Artificial Intelligence, Hefei University of Technology, Hefei, Anhui, China; School of Computer Science, University of Nottingham, Nottinghamshire, Nottingham, U.K.; School of Information Science and Technology, Northwest University, Xi’an, Shaanxi, China
Title: M3-ReID: Unifying Multi-View, Granularity, and Modality for Video-Based Visible-Infrared Person Re-Identification
Abstract:
Video-based visible-infrared person re-identification (VVI-ReID) task focuses on cross-modality retrieval of pedestrian videos, which are captured in visible and infrared modalities by non-overlapping cameras across diverse scenes, and holds significant value for security surveillance scenarios. The challenges of this task mainly stem from three issues: the difficulty of capturing comprehensive spatio-temporal cues, intra-class variations within video sequences, and inter-modality discrepancies between visible and infrared data. Existing methods mainly try to address the modality gap or focus on one of the other aspects, but rarely do they jointly consider these key factors. Motivated by these core challenges, we propose the M3-ReID (Multi-View & Granularity & Modality) method, a unified framework that simultaneously enhances spatio-temporal feature extraction, intra-class discrimination, and cross-modality consistency. Specifically, to capture diverse spatio-temporal patterns, we design a Multi-View Learning module that leverages different spatial and temporal-spatial perspectives to adaptively emphasize diverse key regions and motion cues. To enhance intra-class modeling of each identity, we introduce a Multi-Granularity Representation strategy that optimizes features across both fine-grained frame level and coarse-grained video level by minimizing mutual information among redundant frames while enhancing identity representations. Furthermore, to bridge the visible-infrared gap, we propose a Multi-Modality Alignment mechanism that explicitly aligns metric learning and cross-modality matching goals, transforming features into a unified embedding space with modality consistency and class discrimination. Extensive experiments on benchmark VVI-ReID datasets demonstrate the superiority of our proposed M3-ReID framework against existing methods.
PaperID: 651,   
Authors:  William Marfo, Pablo Moriano, Deepak K. Tosh, Shirley V. Moore
Affiliations: Department of Computer Science, The University of Texas at El Paso, El Paso, TX, USA; Computer Science and Mathematics Division, Oak Ridge National Laboratory, Oak Ridge, TN, USA
Title: Detecting Masquerade Attacks in Controller Area Networks Using Graph Machine Learning
Abstract:
Modern vehicles rely on a myriad of electronic control units (ECUs) interconnected via controller area networks (CANs) for critical operations. Despite their ubiquitous use and reliability, CANs are susceptible to sophisticated cyberattacks, particularly masquerade attacks, which inject false data that mimic legitimate messages at the expected frequency. These attacks pose severe risks such as unintended acceleration, brake deactivation, and rogue steering. Traditional intrusion detection systems (IDS) often struggle to detect these subtle intrusions due to their seamless integration into normal traffic. This paper introduces a novel framework for detecting masquerade attacks in the CAN bus using graph machine learning (ML). We hypothesize that the integration of shallow graph embeddings with time series features derived from CAN frames enhances the detection of masquerade attacks. We show that by representing CAN bus frames as message sequence graphs (MSGs) and enriching each node with contextual statistical attributes from time series, we can enhance detection capabilities across various attack patterns compared to using graph-based features only. Our method ensures a comprehensive and dynamic analysis of CAN frame interactions, improving robustness and efficiency. Extensive experiments on the ROAD dataset validate the effectiveness of our approach, demonstrating statistically significant improvements in the detection rates of masquerade attacks compared to a baseline that uses graph-based features only, as confirmed by Mann-Whitney U and Kolmogorov-Smirnov tests (p < 0.05).
PaperID: 652,   
Authors:  Yao Zhao, Youyang Qu, Nasrin Sohrabi, Md. Redowan Mahmud, Zahir Tari
Affiliations: School of Computing Technologies and the Centre for Cyber Security Research and Innovation, RMIT University, Melbourne, VIC, Australia; Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; School of Information Technology, Deakin University, Burwood, VIC, Australia; School of Electrical Engineering, Computing and Mathematical Sciences, Curtin University, Perth, WA, Australia
Title: Intelligent Edge Data Integrity Verification With Dynamic Unreliable Data Replica Selection
Abstract:
With the advancement of Mobile Edge Computing (MEC), App vendors are increasingly motivated to cache multiple data replicas on geographically distributed edge servers to ensure rapid responses for latency-sensitive applications. However, the security of data replicas is a critical concern due to the dynamic nature and resource limitations of MEC environments. To this end, data replicas’ integrity must be regularly verified to maintain the accuracy of data-driven decision-making. Existing Edge Data Integrity (EDI) verification solutions suffer from low efficiency due to relying on indiscriminative verification, where all data replicas are checked at each round without considering their inherent reliability characteristics. This paper designs an Intelligent framework called I-EDI, which enables discriminative EDI verification by integrating a novel Long-term Unreliable data Replica Selection (L-URS) mechanism. This framework aims to reduce verification costs without compromising accuracy, while resisting spoofing, forgery, outsourcing, collusion, alteration-before-verification, delayed-response, and adaptive attacks. Specifically, each data replica is associated with a reliability representation by evaluating its long-term performance. Based on that, the L-URS problem is defined as stochastically minimizing the global reliability representation over time, subject to constraints on the number of data replicas to be verified. To make it easy to handle, the L-URS problem is decomposed into a series of online minimization problems. An Online Opportunistic-based Replica Selection approach called O2RS is developed. O2RS allows App vendors to significantly decrease verification costs by inspecting unreliable data replicas in a targeted manner. Moreover, this work provides a thorough theoretical analysis of O2RS’s time complexity and approximation bound, as well as I-EDI’s security. Extensive experiments are conducted to validate the effectiveness and efficiency of O2RS and I-EDI. The results demonstrate that, compared to commonly used alternatives, O2RS achieves an approximate 50% improvement in selection efficiency, while I-EDI reduces verification costs by 1.23 times on average.
PaperID: 653,   
Authors:  Bo Wang, Youliang Tian, Yina Guo, Hongtao Li
Affiliations: College of Computer Science and Technology, Taiyuan University of Science and Technology, Taiyuan, China; College of Big Data and Information Engineering, Guizhou University, Guiyang, China; School of Electronic Information Engineering, Taiyuan University of Science and Technology, Taiyuan, China; School of Computer Science and Engineering, Linyi University, Linyi, Shandong, China
Title: Defense Against Poisoning Attacks on Federated Learning With Neighborhood Coulomb Force
Abstract:
Federated Learning (FL) enables collaborative model training across untrusted devices while preserving data privacy. However, malicious participants can still launch attacks, especially poisoning attacks, during model aggregation. To defend against poisoning attacks, we propose Coulomb Force-based Federated Learning (CFFL), a physics-inspired defense framework that integrates neighborhood Coulomb force into FL security mechanisms. CFFL effectively addresses detection failures in poisoning attacks arising from the “distance concentration” among high-dimensional data. Specifically, first, we establish a local update model for clients, where the similarity between model updates is quantified through local Coulomb resultant force (LCRF), effectively distinguishing malicious and benign updates; second, we develop a k-nearest neighbor (KNN)-based Coulomb resultant force anomaly detection (NCFAD) model that identifies malicious updates by isolating the top-k outliers with the largest neighborhood factor; finally, experimental results validate that CFFL outperforms state-of-the-art (SOTA) baselines in defense performance and achieves model accuracy equivalent to the baseline FedAvg on the NCI-1, PROTEINS_full, and MNIST datasets (90.82%, 92.23%, and 96.49%, respectively). This indicates that CFFL effectively mitigates the impact of poisoning attacks without compromising the benign performance of the aggregation model.
PaperID: 654,   
Authors:  Mingrui Zhu, Dongxin Chen, Xin Wei, Nannan Wang, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, Shaanxi, China
Title: Disentangle Before Anonymize: A Two-Stage Framework for Attribute-Preserved and Occlusion-Robust De-Identification
Abstract:
In an era where personal photos are easily leaked and collected, face de-identification is a crucial method for protecting identity privacy. However, current face de-identification techniques face challenges in preserving attribute details and often produce anonymized results with reduced realism. These shortcomings are particularly evident when handling occlusions, frequently resulting in noticeable editing artifacts. Our primary finding in this work is that simultaneous training of identity disentanglement and anonymization hinders their respective effectiveness. Therefore, we propose “Disentangle Before Anonymize”, a novel two-stage Framework (DBAF) designed for attribute-preserved and occlusion-robust de-identification. This framework includes a Contrastive Identity Disentanglement (CID) module and a Key-authorized Reversible Identity Anonymization (KRIA) module, achieving faithful attribute preservation and high-quality identity anonymization edits. Additionally, we introduce a Multi-scale Attentional Attribute Retention (MAAR) module to address the issue of reduced anonymization quality under occlusions. Extensive experiments demonstrate that our method outperforms state-of-the-art de-identification approaches, delivering superior quality, enhanced detail fidelity, improved attribute preservation performance, and greater robustness to occlusions. The code is publicly available at: https://github.com/mrzhu-cool/DBAF
PaperID: 655,   
Authors:  Hong Niu, Xia Lei, Jiancheng An, Lechen Zhang, Chau Yuen
Affiliations: National Key Laboratory of Wireless Communications, University of Electronic Science and Technology of China, Chengdu, China; School of Electrical and Electronics Engineering, Nanyang Technological University, Aligarh, Singapore
Title: On the Efficient Design of Stacked Intelligent Metasurfaces for Secure SISO Transmission
Abstract:
Recently, stacked intelligent metasurfaces (SIMs) have aroused widespread discussions as an innovative technology for directly processing electromagnetic (EM) wave signals. By stacking multiple programmable metasurface layers, an SIM has the ability to provide additional spatial degrees of freedom without the introduction of expensive radio-frequency chains, which may outperform reconfigurable intelligent surfaces (RISs) with single-layer structures. For the sake of alleviating information leakage risks in wireless communications, artificial noise (AN) has arisen as a physical-layer security technology with severe hardware constraints, which is impracticable in single-input single-output (SISO) systems. Therefore, we deploy an SIM at the transmitter (Alice) to accomplish joint modulation, beamforming, and AN in SISO systems. As such, an artificial neural network structured SIM aims to convert an input carrier signal into a desired output signal. Subsequently, we formulate the fitting problem between the actual output signal and the desired signal. Moreover, we introduce a regularization parameter to improve the energy efficiency. In order to tackle this resultant non-convex problem, we provide an alternating optimization algorithm to iteratively determine each variable. For the sake of reducing the computational complexity, we derive closed-form expressions for each phase shift and transmit power. Furthermore, we theoretically analyze the secrecy rate and computational complexity. By considering the signal deviation introduced by SIM, we derive upper and lower bounds of the secrecy rate to provide fundamental insights. Finally, simulation results demonstrate that the SIM-aided SISO system is capable of realizing secure communications efficiently, while the introduced power regularization parameter saved over 2 dB transmit power for a 5-layer SIM without amplifying the fitting error.
PaperID: 656,   
Authors:  Haorui Yan, Xi Lin, Shenghong Li, Hao Peng, Bo Zhang
Affiliations: School of Cyber Security, Shanghai Jiao Tong University, Shanghai, China; Key Laboratory of Intelligent Education Technology and Application of Zhejiang Province and the School of Computer Science and Technology, Zhejiang Normal University, Jinhua, China; School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Global or Local Adaptation? Client-Sampled Federated Meta-Learning for Personalized IoT Intrusion Detection
Abstract:
With the increasing size of Internet of Things (IoT) devices, cyber threats to IoT systems have increased. Federated learning (FL) has been implemented in an anomaly-based intrusion detection system (NIDS) to detect malicious traffic in IoT devices and counter the threat. However, current FL-based NIDS mainly focuses on global model performance and lacks personalized performance improvement for local data. To address this issue, we propose a novel personalized federated meta-learning intrusion detection approach (PerFLID), which allows multiple participants to personalize their local detection models for local adaptation. PerFLID shifts the goal of the personalized detection task to training a local model suitable for the client’s specific data, rather than a global model. To meet the real-time requirements of NIDS, PerFLID further refines the client selection strategy by clustering the local gradient similarities to find the nodes that contribute the most to the global model per global round. PerFLID can select the nodes that accelerate the convergence of the model, and we theoretically analyze the improvement in the convergence speed of this strategy over the personalized federated learning algorithm. We experimentally evaluate six existing FL-NIDS approaches on three real network traffic datasets and show that our PerFLID approach outperforms all baselines in detecting local adaptation accuracy by 10.11% over the state-of-the-art scheme, accelerating the convergence speed under various parameter combinations.
PaperID: 657,   
Authors:  Pengfei Duan, Zhaofeng Ma, Hongmin Gao, Tian Tian, Yuqing Zhang
Affiliations: School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; Mobile Information Technology Company Ltd., Beijing, China
Title: Multi-Authority Attribute-Based Encryption Scheme With Access Delegation for Cross Blockchain Data Sharing
Abstract:
To achieve fine-grained access control and address the data silos challenge in data sharing, the integration of blockchain with attribute-based encryption emerges as a promising solution. Nowadays, the growing interconnectedness among diverse blockchain applications has spurred the need for efficient cross-chain data sharing. However, existing single-authority attribute-based data sharing schemes are not suitable for such cross-chain scenarios involving multiple attribute authorities. Moreover, the frequent requirement for data owners to process cross-chain data requests significantly hampers practicality. In this context, we introduce a novel multi-authority attribute-based proxy re-encryption scheme that enables ciphertext policy updating and supports secure and efficient cross-chain data sharing. By introducing a proxy, the data owner is empowered to delegate access without leaking any valid information and to flexibly sell data across blockchains through cross-chain access policies. Besides, our scheme leverages the relay chain to foster a decentralized and trustworthy ecosystem. The adoption of smart contracts automates the cross-chain data sharing process and ensures equitable distribution of benefits among participants. Additionally, our scheme integrates hybrid encryption with the decentralized data hosting platform, substantially mitigating the on-chain storage burden. Security analysis affirms that our scheme is semantically secure and resistant to collusion attacks. Performance analysis and simulation experiments demonstrate the excellent efficiency and practicality of our scheme when conducting cross-chain data sharing.
PaperID: 658,   
Authors:  Roozbeh Sarenche, Ren Zhang, Svetla Nikova, Bart Preneel
Affiliations: COSIC, KU Leuven, Leuven, Belgium; Cryptape Company Ltd., Nervos, Hangzhou, China
Title: Selfish Mining Time-Averaged Analysis in Bitcoin: Is Orphan Reporting an Effective Countermeasure?
Abstract:
A Bitcoin miner who owns a sufficient amount of mining power can perform selfish mining to increase its relative revenue. Studies have demonstrated that the time-averaged profit of a selfish miner starts to rise once the mining difficulty level gets adjusted in favor of the attacker. Selfish mining profitability lies in the fact that orphan blocks are not incorporated into the current version of Bitcoin’s difficulty adjustment mechanism (DAM). Therefore, it is believed that considering the count of orphan blocks in the DAM can result in complete unprofitability for selfish mining. In this paper, we disprove this belief by providing a formal analysis of the selfish mining time-averaged profit. We present a precise definition of the orphan blocks that can be incorporated into calculating the next epoch’s target and then introduce two modified versions of DAM in which both main-chain blocks and orphan blocks are incorporated. We propose two versions of smart intermittent selfish mining, where the first one dominates the normal intermittent selfish mining, and the second one results in selfish mining profitability under the modified DAMs. Moreover, we present the orphan exclusion attack with the help of which the attacker can stop honest miners from reporting the orphan blocks. Using combinatorial tools, we analyze the profitability of selfish mining accompanied by the orphan exclusion attack under the modified DAMs. Our results show that even when considering orphan blocks in the DAM, selfish mining can still be profitable. However, the level of profitability under the modified DAMs is significantly lower than that observed under the current version of Bitcoin DAM, suggesting that orphan reporting can be an effective countermeasure against a payoff-maximizing selfish miner.
PaperID: 659,   
Authors:  K. Naveen Kumar, C. Krishna Mohan, Linga Reddy Cenkeramaddi
Affiliations: Department of Computer Science and Engineering, Indian Institute of Technology Hyderabad, Hyderabad, India; Department of Information and Communication Technology, University of Agder, Grimstad, Norway
Title: Federated Learning Minimal Model Replacement Attack Using Optimal Transport: An Attacker Perspective
Abstract:
Federated learning (FL) has emerged as a powerful collaborative learning approach that enables client devices to train a joint machine learning model without sharing private data. However, the decentralized nature of FL makes it highly vulnerable to adversarial attacks from multiple sources. There are diverse FL data poisoning and model poisoning attack methods in the literature. Nevertheless, most of them focus only on the attack’s impact and do not consider the attack budget and attack visibility. These factors are essential to effectively comprehend the adversary’s rationale in designing an attack. Hence, our work highlights the significance of considering these factors by providing an attacker perspective in designing an attack with a low budget, low visibility, and high impact. Also, existing attacks that use total neuron replacement and randomly selected neuron replacement approaches only cater to these factors partially. Therefore, we propose a novel federated learning minimal model replacement attack (FL-MMR) that uses optimal transport (OT) for minimal neural alignment between a surrogate poisoned model and the benign model. Later, we optimize the attack budget in a three-fold adaptive fashion by considering critical learning periods and introducing the replacement map. In addition, we comprehensively evaluate our attack under three threat scenarios using three large-scale datasets: GTSRB, CIFAR10, and EMNIST. We observed that our FL-MMR attack drops global accuracy to ≈ 35% less with merely 0.54% total attack budget and lower attack visibility than other attacks. The results confirm that our method aligns closely with the attacker’s viewpoint compared to other methods.
PaperID: 660,   
Authors:  Decheng Liu, Tao Chen, Chunlei Peng, Nannan Wang, Ruimin Hu, Xinbo Gao
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; Hangzhou Institute of Technology, Xidian University, Hangzhou, Zhejiang, China; Chongqing Key Laboratory of Image Cognition, Chongqing University of Posts and Telecommunications, Chongqing, China
Title: Attention Consistency Refined Masked Frequency Forgery Representation for Generalizing Face Forgery Detection
Abstract:
Due to the successful development of deep image generation technology, visual data forgery detection would play a more important role in social and economic security. Existing forgery detection methods suffer from unsatisfactory generalization ability to determine the authenticity in the unseen domain. In this paper, we propose a novel Attention Consistency Refined masked frequency forgery representation model toward a generalizing face forgery detection algorithm (ACMF). Most forgery technologies always bring in high-frequency aware cues, which make it easy to distinguish source authenticity but difficult to generalize to unseen artifact types. The masked frequency forgery representation module is designed to explore robust forgery cues by randomly discarding high-frequency information. In addition, we find that the forgery saliency map inconsistency through the detection network could affect the generalizability. Thus, the forgery attention consistency is introduced to force detectors to focus on similar attention regions for better generalization ability. Experiment results on several public face forgery datasets (FaceForensic++, DFD, Celeb-DF, WDF and DFDC datasets) demonstrate the superior performance of the proposed method compared with the state-of-the-art methods. The source code and models are publicly available at https://github.com/chenboluo/ACMF.
PaperID: 661,   
Authors:  Weiqi Wang, Zhiyi Tian, Chenhan Zhang, Shui Yu
Affiliations: School of Computer Science, University of Technology Sydney, Sydney, NSW, Australia; School of Computing, Macquarie University, Sydney, NSW, Australia
Title: SCU: An Efficient Machine Unlearning Scheme for Deep Learning Enabled Semantic Communications
Abstract:
Deep learning (DL) enabled semantic communications leverage DL to train encoders and decoders (codecs) to extract and recover semantic information. However, most semantic training datasets contain personal private information. Such concerns call for enormous requirements for specified data erasure from semantic codecs when previous users hope to move their data from the semantic system. Existing machine unlearning solutions remove data contribution from trained models, yet usually in supervised sole model scenarios. These methods are infeasible in semantic communications that often need to jointly train unsupervised encoders and decoders. In this paper, we investigate the unlearning problem in DL-enabled semantic communications and propose a semantic communication unlearning (SCU) scheme to tackle the problem. SCU includes two key components. Firstly, we customize the joint unlearning method for semantic codecs, including the encoder and decoder, by minimizing mutual information between the learned semantic representation and the erased samples. Secondly, to compensate for semantic model utility degradation caused by unlearning, we propose a contrastive compensation method, which considers the erased data as the negative samples and the remaining data as the positive samples to retrain the unlearned semantic models contrastively. Theoretical analysis and extensive experimental results on three representative datasets demonstrate the effectiveness and efficiency of our proposed methods.
PaperID: 662,   
Authors:  Xirong Zhuang, Lan Zhang, Chen Tang, Yaliang Li
Affiliations: School of Computer Science and Technology, University of Science and Technology of China, Hefei, China; Alibaba Group, Bellevue, WA, USA
Title: DeepReg: A Trustworthy and Privacy-Friendly Ownership Regulatory Framework for Deep Learning Models
Abstract:
Well-trained deep learning (DL) models are widely recognized as valuable intellectual property (IP) and have been extensively adopted. However, concerns regarding IP infringement emerge when these models are either privately sold to end-users or publicly released online. Unauthorized activities, such as redistributing privately purchased models or exploiting restricted open-source models for commercial gain, pose a significant threat to the interests of model owners. In this paper, we introduce DeepReg, a trustworthy and privacy-friendly regulatory framework designed to address IP infringement within the realm of DL models, thereby nurturing a healthier development ecosystem. DeepReg enables a designated third-party regulator to extract the fingerprint of the original model within a Trusted Execution Environment, as well as to verify suspect models utilizing solely the predicted label without probability. Specifically, we leverage the uniqueness of feature extractors in DL models to craft multiple synthetic inputs for a selected real input. The real input, along with its synthetic inputs, establishes a one-to-many relationship, thereby creating a unique fingerprint for the original model. Furthermore, we propose two distinct methods for suspect detection and piracy judgment. These methods analyze the responses from the model API upon feeding the fingerprint, ensuring a high level of confidence while preventing malicious accusations. Experimental results demonstrate that DeepReg achieves 100% detection accuracy for pirated models, with zero false positives for irrelevant models.
PaperID: 663,   
Authors:  Kuiyuan Zhang, Zhongyun Hua, Yushu Zhang, Yifang Guo, Tao Xiang
Affiliations: School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong, China; School of Computing and Artificial Intelligence, Jiangxi University of Finance and Economics, Nanchang, Jiangsu, China; Alibaba Group, Hangzhou, Zhejiang, China; College of Computer Science, Chongqing University, Chongqing, China
Title: Robust AI-Synthesized Speech Detection Using Feature Decomposition Learning and Synthesizer Feature Augmentation
Abstract:
AI-synthesized speech, also known as deepfake speech, has recently raised significant concerns due to the rapid advancement of speech synthesis and speech conversion techniques. Previous works often rely on distinguishing synthesizer artifacts to identify deepfake speech. However, excessive reliance on these specific synthesizer artifacts may result in unsatisfactory performance when addressing speech signals created by unseen synthesizers. In this paper, we propose a robust deepfake speech detection method that employs feature decomposition to learn synthesizer-independent content features as complementary for detection. Specifically, we propose a dual-stream feature decomposition learning strategy that decomposes the learned speech representation using a synthesizer stream and a content stream. The synthesizer stream specializes in learning synthesizer features through supervised training with synthesizer labels. Meanwhile, the content stream focuses on learning synthesizer-independent content features, enabled by a pseudo-labeling-based supervised learning method. This method randomly transforms speech to generate speed and compression labels for training. Additionally, we employ an adversarial learning technique to reduce the synthesizer-related components in the content stream. The final classification is determined by concatenating the synthesizer and content features. To enhance the model’s robustness to different synthesizer characteristics, we further propose a synthesizer feature augmentation strategy that randomly blends the characteristic styles within real and fake audio features and randomly shuffles the synthesizer features with the content features. This strategy effectively enhances the feature diversity and simulates more feature combinations. Experimental results on four deepfake speech benchmark datasets demonstrate that our model achieves state-of-the-art robust detection performance across various evaluation scenarios, including cross-method, cross-dataset, and cross-language evaluations.
PaperID: 664,   
Authors:  Meng Zhang, Li Lu, Yuhan Wu, Zheng Yan, Jiaqi Sun, Feng Lin, Kui Ren
Affiliations: State Key Laboratory of Blockchain and Data Security, the School of Cyber Science and Technology, and the College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: DroneAudioID: A Lightweight Acoustic Fingerprint-Based Drone Authentication System for Secure Drone Delivery
Abstract:
With the increasing accessibility of drones, they have been warmly embraced across various sectors, especially in low-altitude logistics transportation. However, during drone delivery, legal drones dispatched by logistics companies are susceptible to malicious attacks, resulting in package theft or substitution. To address this, existing works focus on designing drone authentication to secure drone delivery. However, most of these methods require expensive specialized equipment, such as high-quality microphones and professional recording devices, resulting in high real-world application costs. In this paper, we propose DroneAudioID, a lightweight acoustic fingerprint-based drone authentication system that relies solely on common mobile devices. The basic idea is to employ acoustic fingerprints to authenticate different drones of the same model based on differences in fundamental frequency and harmonic components of drone audio. Specifically, the drone audio is recorded by a mobile device instead of sophisticated equipment. We apply wavelet transform to remove high-frequency noise during data preprocessing. Then, specialized filter banks are designed for feature extraction, leveraging the frequency characteristics of drone audio. Finally, we construct a Bi-Long Short-Term Memory (Bi-LSTM) with an Open-Max model for open-set classification. Extensive experiments are conducted on eight DJI Mini2 drones, showing an authentication accuracy of 99.6%. A series of comprehensive experiments further validate DroneAudioID’s capability to defend against various attacks.
PaperID: 665,   
Authors:  Shuqin Luo, Xuelin Cao, Xinghua Li, Zhe Ren, Yunwei Wang, Yinbin Miao
Affiliations: Department of Electrical and Computer Engineering, National University of Singapore, Jurong West, Singapore; Dev Information Technology Ltd., Ahmedabad, Gujarat, India; Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India
Title: Healthcare Security: Post-Quantum Continuous Authentication With Behavioral Biometrics Using Vector Similarity Search
Abstract:
With the increasing digitization of medical records and the interconnected nature of healthcare networks, robust security measures are vital to mitigate the risk of data breaches, cyberattacks, and unauthorized access. Existing healthcare security models, like one-time authentication (OTA), rely on complex mathematical problems such as the integer factorization problem (IFP) and discrete logarithm problem (DLP). However, advancements in quantum computing, notably Shor’s algorithm, pose a threat to the security of these systems. Once the attacker bypasses OTA, they gain permanent access and can reveal sensitive healthcare user information. Given the numerous vulnerabilities exposed in OTA systems, there is a rising demand and trend toward implementing continuous authentication systems. Current cutting-edge privacy technologies either are not feasible or entail high costs for continuous authentication systems, which necessitate periodic real-time verification. As a result, we proposed a cutting-edge novel approach to healthcare security through post-quantum continuous authentication without breaking the continuity of a session, leveraging behavioral biometrics (BB) and vector similarity search (VSS). By integrating BB, which analyzes individual behavioral patterns, with VSS, our robust lightweight quantum-secure technique ensures a heightened level of security. The proposed framework offers seamless and continuous authentication, adapting in real-time to users’ behavioral patterns. The proof of concept for VSS demonstrates the efficiency of the proposed scheme in real-time healthcare applications. Through extensive testing, analysis, and performance analysis under unknown attacks, this study demonstrates the efficacy and resilience of our approach, promising a new frontier in healthcare security. A real-time testbed experiment, along with the implementation and design of FastAPI, demonstrates the novelty of the proposed scheme.
PaperID: 666,   
Authors:  Rongxin Tu, Xiangui Kang, Chee-Wei Tan, Chi-Hung Chi, Kwok-Yan Lam
Affiliations: Guangdong Key Laboratory of Information Security, School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: All Points Guided Adversarial Generator for Targeted Attack Against Deep Hashing Retrieval
Abstract:
Deep hashing has been widely used in image retrieval tasks, while deep hashing networks are vulnerable to adversarial example attacks. To improve the deep hashing networks’ robustness, it is essential to investigate adversarial attacks on the networks, especially targeted attacks. Among the existing targeted attacks for hashing, the generation-based targeted attack methods have attracted increasing attention due to their efficiency in generating adversarial examples. However, these methods supervise the generation of adversarial examples solely with the hash codes of positive samples, without employing the hash codes of all points in the training set to directly participate in supervisory training, thereby making the attack less effective. Since the hash codes of the training set samples are generated by a well-trained hashing model, these hash codes retain rich semantic information of their corresponding samples, highlighting the necessity of sufficiently utilizing them. Therefore, in this paper, we propose a targeted attack method that utilizes all points’ hash codes in the training set to guide the generation of adversarial attack examples directly. Specifically, we first decode the target label to obtain the corresponding feature map. Then, we concatenate the feature map with the query image and feed them into an encoder-decoder network that employs a skip-connection strategy to obtain a perturbed example. Furthermore, to guide adversarial example generation, we introduce a loss function that exploits the similarities between the perturbed example’s hash code and all points’ hash codes in the training set, thereby making sufficient utilization of the rich semantic information in these hash codes. Experimental results illustrate that our method outperforms the state-of-the-art targeted attack methods in targeted attack effectiveness and transferability. The code is available at https://github.com/rongxintu3/APGA.
PaperID: 667,   
Authors:  You Li, Yan Huo, Tianhui Zhang, Zhongguo Zhou, Qinghe Gao, Tao Yan, Yongning Yang, Tao Jing
Affiliations: School of Electronics and Information Engineering, Beijing Jiaotong University, Beijing, China; Aostar Information Technologies Company Ltd., Chengdu, China
Title: Distributed Physical Layer Authentication With Dynamic Soft Voting for Smart Distribution Grids
Abstract:
The smart distribution grid (SDG), characterized by large-scale interconnections and strong dependence on information and communication technologies, is highly susceptible to potential security threats, such as spoofing attacks and man-in-the-middle attacks. These threats may lead to the leakage of sensitive user power-expenditure information, and even cause great economic damage. Therefore, authentication is of utmost importance in guaranteeing the electrical safety of SDGs. In this paper, we present a distributed physical layer authentication (DPLA) scheme tailored for smart meter authentication. The scheme overcomes the limitations of traditional upper-layer cryptography-based mechanisms, and achieves lightweight continuous authentication in a cooperative manner. To fully exploit the channel information collected by collaborative nodes located in different azimuths, a CNN algorithm is designed for deep feature extraction. Moreover, a situational-aware dynamic weighted voting strategy is introduced to coordinate inconsistent opinions, thereby making unified decisions. Aimed at maximizing the integrated performance gains of DPLA, both long-term reputation and short-term performance are taken into account for the nodes’ weight updates. Finally, simulations are carried out. The results demonstrate that our scheme outperforms DPLAs based on static voting strategies with respect to authentication accuracy, anti-disturbance robustness and environmental adaptability. Hence, it caters to the demand for high-quality continuous authentication in SDGs.
PaperID: 668,   
Authors:  Qihua Hu, Weiping Wang, Hong Song, Song Guo, Jian Zhang, Shigeng Zhang
Affiliations: School of Computer Science and Engineering, Central South University, Changsha, China; Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, Hong Kong, China
Title: ASDroid: Resisting Evolving Android Malware With API Clusters Derived From Source Code
Abstract:
Machine learning-based Android malware detection has consistently demonstrated superior results. However, with the continual evolution of the Android framework, the efficacy of the deployed models declines markedly. Existing solutions necessitate frequent and expensive model retraining to resist the constant evolution of malware accompanying Android framework updates. To address this, we introduce a solution called ASDroid, which generalizes specific APIs into similar API clusters to counteract evolving Android malware threats. One primary challenge lies in identifying analogous API clusters that correspond to specific APIs. Our approach involves extracting semantic information from open-source API source code to construct a heterogeneous information graph, and utilizing embedding algorithms to obtain semantic vector representations of APIs. APIs that are close in embedding distance are presumed to have similar semantics. Our dataset encompasses Android applications spanning nine years from 2011 to 2019. In comparison to existing Android malware detection model aging mitigation solutions like APIGraph, SDAC and MaMaDroid, ASDroid demonstrates greater accuracy and is more effective at resisting continuously evolving malware.
PaperID: 669,   
Authors:  Hanyong Liu, Lei Xu, Xiaoning Liu, Lin Mei, Chungen Xu
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Mathematics and Statistics, Nanjing University of Science and Technology, Nanjing, China; School of Computing Technologies, RMIT University, Melbourne, VIC, Australia
Title: Query Correlation Attack Against Searchable Symmetric Encryption With Supporting for Conjunctive Queries
Abstract:
Searchable symmetric encryption (SSE) supporting conjunctive queries has garnered significant attention over the past decade due to its practicality and wide applicability. While extensive research has addressed common leakages, such as the access pattern and search pattern, efforts to mitigate these vulnerabilities have primarily focused on structural issues inherent to scheme construction. In this work, we shift the focus to a less explored yet critical leakage stemming from users’ inherent querying behaviors: query correlation. Originally introduced by Grubbs et al. [USENIX SEC’20], formally defined by Oya and Kerschbaum [USENIX SEC’22], and leveraged to mount a high-success query recovery attack against single-keyword SSE, query correlation raises a crucial question: does it pose a similar threat to the security of conjunctive SSE? To tackle this issue, we undertake two key efforts. First, we generalize the notion of query correlation in the context of conjunctive SSE, introducing the “generalized query correlation pattern”, which captures the co-occurrence relationships among queried tokens within a conjunctive query. Second, we develop a new passive query recovery attack, QCCK, which exploits both the search pattern and generalized query correlation pattern to infer the mapping between tokens and keywords. Comprehensive evaluations on the Enron dataset confirm QCCK’s efficacy, achieving a query recovery rate of approximately 80% with a keyword universe size ranging from 200 to 1000 and an observed query size between 5000 and 50,000. These findings highlight the significant threat posed by query correlation in conjunctive SSE and underscore the urgent need for robust countermeasures.
PaperID: 670,   
Authors:  Xintao Pei, Yuling Chen, Yangyang Long, Haiwei Sang, Yun Luo
Affiliations: State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, China
Title: Einocchio: Efficiently Outsourcing Polynomial Computation With Verifiable Computation and Optimized Newton Interpolation
Abstract:
Cloud computing, as a promising service platform, has gained significant popularity in addressing emerging data privacy issues in applications such as machine learning and data mining. Researchers have proposed the verifiable computing that allows the cloud users to delegate their computation tasks to the cloud server. Then, the cloud server computes the cryptographic proofs that verify the correctness of the results, a process that is generally faster compared to local manual computation. However, performing computation tasks or verifying the correctness of encrypted data, such as multivariate polynomial functions, remains a significant challenge. To solve this problem, we propose Einocchio: a verifiable computation scheme that combines the efficient Pinocchio system with homomorphic encryption, which allows the public verification of the computational results on the server side while ensuring data confidentiality and the results. Compared with the existing solutions, Einocchio does not reveal the client’s input. Furthermore, we extrapolate Einocchio by optimizing the Pinocchio’s quadratic arithmetic program component using a differential optimization method, which reduces the computational workload owing to the conversion from quadratic to linear complexity, thereby increasing the efficiency of the quadratic arithmetic program preprocessing stage. Security analysis demonstrates that Einocchio achieves IND-CPA security. Finally, the performance evaluation confirmed its effectiveness and suitability for cloud computing environments. Compared to the corresponding scheme based on Newton interpolation, Einocchio achieves a threefold greater computational efficiency, with the generation of interpolation polynomials for 50 data inputs occurring in a mere 0.31 ms, while simultaneously reducing the number of computations.
PaperID: 671,   
Authors:  Mingping Qi, Chi Chen
Affiliations: School of Cybersecurity, Northwestern Polytechnical University, Xi’an, China
Title: HPQKE: Hybrid Post-Quantum Key Exchange Protocol for SSH Transport Layer From CSIDH
Abstract:
Secure Shell (SSH) is a robust cryptographic network protocol designed to establish a secure and encrypted connection over potentially insecure networks, which is typically used for remote login and command-line execution on remote systems. As its core foundation, SSH Transport Layer Protocol relies on the classic (Elliptic Curve) Diffie-Hellman ((EC)DH) key exchange protocol to achieve session key establishment, whose security is essentially based on the (EC) discrete logarithm problem ((EC)DLP). However, the classic (EC)DLP problem could be broken using sufficiently powerful quantum computers when it comes to the post-quantum era, which implies that the traditional SSH protocol will be insecure against quantum computer attacks. To this end, this paper presents a hybrid post-quantum alternative for the SSH Transport Layer Protocol, called HPQKE, which combines the supersingular isogeny based post-quantum CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) and the classic ECDH key exchange protocols together. The security of each individual key exchange protocol within the presented HPQKE operates independently, ensuring that the overall security of the HPQKE remains at least as robust as the most secure key exchange protocol employed during its key exchange processes. Moreover, we formally prove that if the used MAC scheme is EUF-CMA secure, then (1) HPQKE is a post-quantum secure key exchange protocol if the CSIDH based Gap Computational Diffie-Hellman (CSI-GDH) security assumption holds, and (2) HPQKE is a classically secure key exchange protocol if the traditional GDH security assumption holds. In addition, we provide a prototype implementation for the HPQKE in a real network environment, and the corresponding experimental results intuitively demonstrate its practical feasibility.
PaperID: 672,   
Authors:  Jiahao Liu, Caihui Du, Jihong Yu, Jiangchuan Liu, Huan Qi
Affiliations: Faculty of Information Science and Engineering, Ocean University of China, Shandong, China; School of Information and Electronics, Beijing Institute of Technology, Beijing, China; School of Computing Science, Simon Fraser University, Burnaby, BC, Canada; Beijing Institute of Astronautical Systems Engineering, China Academy of Launch Vehicle Technology, Beijing, China
Title: No Time for Remodulation: A PHY Steganographic Symbiotic Channel Over Constant Envelope
Abstract:
Physical layer steganography plays a key role in physical layer security. Yet most works are strongly modulation-sensitive and have to modify the modulation at the baseband. However, these methods cannot work with wireless devices whose baseband modulations cannot be software-defined. To overcome these drawbacks, we propose an analog solution that uses a specially designed symbiotic hardware component, called Pluggable Cloak, connecting to the radio frequency front end (RFFE) to establish a steganographic symbiotic channel (SSC) over constant envelope physical layer (CE-PHY) in the 2.4GHz ISM band, such as Bluetooth, ZigBee and 802.11b Wi-Fi, to hide information. The advantage lies in enabling secure transmission of the deployed devices that are not software-defined with this pluggable hardware. Specifically, Pluggable Cloak analogously modulates the amplitude of CE-PHY, so that sensitive information can be securely sent to a customized receiver without being detected by regular CE receivers. To further protect hidden information from the detection of a malicious adversary, we propose methods to randomize the SSC. We develop a lightweight prototype to evaluate symbiosis, undetectability, and throughput. The results show that the symbol error rates (SERs) of the sensitive data received and regular CE data are lower than 10^-5 at the customized receiver. In contrast, the SER of the sensitive data is close to 1 at the adversary, confirming the effectiveness of the SSC technique.
PaperID: 673,   
Authors:  Kai Zhang, Pei-Wei Tsai, Jiao Tian, Wenyu Zhao, Ke Yu, Hongwang Xiao, Xinyi Cai, Longxiang Gao, Jinjun Chen
Affiliations: Department of Computing Technologies, Swinburne University of Technology, Melbourne, VIC, Australia; School of Computer Science and Technology, Xinjiang University, Xinjiang, China; School of Computer, Hunan University of Technology, Zhuzhou, China; Beijing Academy of Artificial Intelligence, Beijing, China; Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China
Title: DPNM: A Differential Private Notary Mechanism for Privacy Preservation in Cross-Chain Transactions
Abstract:
Notary cross-chain transaction technologies have obtained broad affirmation from industry and academia as they can avoid data islands and enhance chain interoperability. However, the increased privacy concern in data sharing makes the participants hesitate to upload sensitive information without the trust foundation of the external network. To address this issue, this paper proposes a differential private notary mechanism (DPNM) to preserve privacy in blockchain interoperations. It establishes a fully trusted notary organization to conduct data perturbation before replying to queries from the external blockchain network. In addition, the DPNM contains two built-in privacy budget allocation schemes: Efficiency priority scheme (EPS) and Privacy priority scheme (PPS). These schemes unify the privacy preferences among different nodes based on multi-node consensus in the decentralized environment. The EPS can generate noise linearly and work efficiently, and the PPS reflects better on nodes’ preferences. This paper utilizes several metrics including mechanism errors, elapsed time, latency, and gas consumption to evaluate the performance of DPNM compared to the traditional mechanisms. The experiment results indicate that the proposed mechanism can meet privacy preferences among different nodes and provide better utility with little extra cost.
PaperID: 674,   
Authors:  Lifan Hu, Yu Wang, Xue Fu, Lantu Guo, Yun Lin, Guan Gui
Affiliations: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; Fifth Research Department, China Research Institute of Radiowave Propagation, Qingdao, China; College of Information and Communication Engineering, Harbin Engineering University, Harbin, China
Title: Energy-Efficient Wireless Technology Recognition Method Using Time-Frequency Feature Fusion Spiking Neural Networks
Abstract:
Wireless Technology Recognition (WTR) distinguishes different wireless technologies by analyzing characteristic features extracted from radio signals. While deep learning (DL)-based methods are extensively used in WTR due to their ability to extract hidden data features and make accurate classification decisions, their application is often limited by excessive power consumption. In this paper, we propose a novel WTR method that addresses this challenge using a time-frequency feature fusion spiking neural network (TFSNN) framework. Our approach combines information from both the time and frequency domains to enhance feature extraction. Experimental results demonstrate that our model performs exceptionally well at high signal-to-noise ratios on open-source datasets. Specifically, at a sampling rate of 15 Msps, our method achieves a recognition accuracy of 99.85%. Even when the sampling rate is reduced to 10 Msps, the average accuracy remains 1.61% higher than the best existing method. Additionally, our method reduces energy consumption by about half compared to most current methods. These results emphasize the effectiveness and necessity of time-frequency domain feature fusion (TFSF) in WTR.
PaperID: 675,   
Authors:  Denise Moussa, Germans Hirsch, Christian Riess
Affiliations: IT Security Infrastructures Laboratory, Friedrich-Alexander University of Erlangen-Nuremberg, Erlangen, Germany
Title: EnvId: A Metric Learning Approach for Forensic Few-Shot Identification of Unseen Environments
Abstract:
Audio recordings may provide important evidence in criminal investigations. One such case is the forensic association of a recorded audio to its recording location. For example, a voice message may be the only investigative cue to narrow down the candidate sites for a crime. Up to now, several works provide supervised classification tools for closed-set recording environment identification under relatively clean recording conditions. However, in forensic investigations, the candidate locations are case-specific. Thus, supervised learning techniques are not applicable without retraining a classifier on a sufficient amount of training samples for each case and respective candidate set. In addition, a forensic tool has to deal with audio material from uncontrolled sources with variable properties and quality. In this work, we therefore attempt a major step towards practical forensic application scenarios. We propose a representation learning framework called EnvId, short for environment identification. EnvId avoids case-specific retraining by modeling the task as a few-shot classification problem. We demonstrate that EnvId can handle forensically challenging material. It provides good quality predictions even under unseen signal degradations, out-of-distribution reverberation characteristics or recording position mismatches. Code is available at https://faui1-gitlab.cs.fau.de/mmsec/few-shot-recording-environment-identification.
PaperID: 676,   
Authors:  Shuangrui Zhao, Jia Liu, Yulong Shen, Xiaohong Jiang, Tarik Taleb, Norio Shiratori
Affiliations: School of Computer Science and Technology, Xidian University, Xi’an, China; School of Systems Information Science, Future University Hakodate, Hakodate, Japan; Faculty of Electrical Engineering and Information Technology, Ruhr University Bochum, Bochum, Germany; Research and Development Initiative, Chuo University, Tokyo, Japan
Title: On the Impact of Warden Collusion on Covert Communication in Wireless Networks
Abstract:
Warden collusion represents a hazardous threat to wireless covert communication, where wardens can combine their observations to perform a more aggressive detection attack. This paper investigates the impact of warden collusion on covert communication in a multi-antenna wireless network consisting of one source, one destination, multiple wardens and interferers. By employing the techniques of Laplace Transform and Cauchy Integral Theorem, we first establish a framework to model the aggregate interference distribution (AID) for covert communication in the network under the typical additive white Gaussian noise (AWGN) and Rayleigh fading channels. Based on the AID results, we then develop theoretical models to reveal the inherent relationship between the collusion intensity and fundamental communication metrics in terms of the covert outage probability, connection outage probability and covert throughput. With the help of these models, we further explore the covert throughput optimization problems and present extensive numerical results to illustrate the impact of warden collusion on the covert throughput under both channel models.
PaperID: 677,   
Authors:  Mingtian Zhang, Anjia Yang, Jian Weng, Min-Rong Chen, Huang Zeng, Yi Liu, Xiaoli Liu, Zhihua Xia
Affiliations: College of Cyber Security, Jinan University, Guangzhou, China; School of Computer Science, South China Normal University, Guangzhou, China
Title: Efficient and Privacy-Preserving Ride Matching Over Road Networks Against Malicious ORH Server
Abstract:
Online ride-hailing (ORH) services have become indispensable for our travel needs, offering the convenience of easily locating the nearest driver for riders through ride matching algorithms. However, existing ORH systems, such as Lyft and Didi, require users (both riders and drivers) to disclose their real-time location information during the matching process, thus giving rise to serious privacy concerns. Despite the proposal of various privacy-preserving ride-matching schemes, they remain insufficient in addressing potential malicious behaviors of the ORH server, such as colluding with designated drivers and deviating from computation protocols to interfere with the matching process. These behaviors lead to non-optimal matching results for riders. To address these issues, we present EMPRide, an efficient and privacy-preserving ride-matching scheme resistant to a malicious ORH server. In EMPRide, we design an efficient and accurate protocol for computing distances between users, which integrates road network embedding and secure two-party computation. Additionally, we design a verification protocol that allows riders to verify the correctness of computed distances and matching results. Crucially, the communication overhead for riders in EMPRide remains constant, independent of the number of available drivers. Our evaluation using real-world datasets demonstrates that EMPRide significantly outperforms existing solutions. Specifically, under identical conditions, in EMPRide, the computation speed on the ORH server is 19.22× faster and the communication cost is 8.08× less than state-of-the-art approaches. Moreover, riders experience a speed improvement of 4.84 orders of magnitude with 1.30× less communication, while drivers benefit from a 4.79 orders of magnitude speed increase with 1.45× less communication.
PaperID: 678,   
Authors:  Xiao Li, Hang Chen, Xiaolin Hu
Affiliations: Department of Computer Science and Technology, Institute for Artificial Intelligence, BNRist, Tsinghua Laboratory of Brain and Intelligence (THBI), IDG/McGovern Institute for Brain Research, Tsinghua University, Beijing, China
Title: On the Importance of Backbone to the Adversarial Robustness of Object Detectors
Abstract:
Object detection is a critical component of various security-sensitive applications, such as autonomous driving and video surveillance. However, existing object detectors are vulnerable to adversarial attacks, which poses a significant challenge to their reliability and security. Through experiments, first, we found that existing works on improving the adversarial robustness of object detectors give a false sense of security. Second, we found that adversarially pre-trained backbone networks were essential for enhancing the adversarial robustness of object detectors. We then proposed a simple yet effective recipe for fast adversarial fine-tuning on object detectors with adversarially pre-trained backbones. Without any modifications to the structure of object detectors, our recipe achieved significantly better adversarial robustness than previous works. Finally, we explored the potential of different modern object detector designs for improving adversarial robustness with our recipe and demonstrated interesting findings, which inspired us to design state-of-the-art (SOTA) robust detectors. Our empirical results set a new milestone for adversarially robust object detection. Code and trained checkpoints are available at https://github.com/thu-ml/oddefense.
PaperID: 679,   
Authors:  Bichen Kang, Neng Ye, Jianping An
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: Achieving Positive Rate of Covert Communications Covered by Randomly Activated Overt Users
Abstract:
This paper studies the fundamental limits of covert communications covered by randomly activated overt users in both single-frame and multi-frame transmission scenarios. While traditional covert communications mainly consider concealing signal power characteristics, the existence of overt users provides opportunities such that covert communications can be achieved through the confusion between the users. This benefit is first revealed in the single-frame transmission scenario. The major obstacle in analyzing performance limits is that the conventional Kullback-Leibler divergence based covertness measurement becomes infinite. To overcome the intractability, a tighter upper bound of the total variation distance (TVD) is then developed using a novel recursive-iterative approximation. On this basis, the collapse effect of the TVD is derived, which shows that the TVD is strictly less than 1 if the covert user sets the transmit power to be an integer multiple of that of the overt users. Then, we find that $\mathcal{O}(N)$-bit information can be transmitted over $N$ channel uses under the above setting, which breaks the well-known square root law. If the above setting is violated, the TVD instantly approaches 1 as $N \rightarrow \infty$, and only $\mathcal{O}(\sqrt{N})$-bit information can be covertly transmitted. To prove this, the detection method of the warden is modified to cope with the random activation of overt users. These conclusions also hold for transmission with uncertain powers or in fading channels, which resembles realistic wireless transmissions. In the multi-frame transmission scenario, however, the access characteristics of overt users can be exposed from a statistical perspective, such that the rate gain disappears and the covert transmission rate drops to $\mathcal{O}(\sqrt{N})$ bits per frame. To obtain a positive covert transmission rate, we propose a rate-splitting based covert transmission scheme that introduces an opportunistic access branch to bring randomness, through which the covert user can transmit up to $\mathcal{O}(NL)$-bit information over $L$ frames.
PaperID: 680,   
Authors:  Fatih Emre Tosun, André M. H. Teixeira, Jingwei Dong, Anders Ahlén, Subhrakanti Dey
Affiliations: Department of Electrical Engineering, Uppsala University, Uppsala, Sweden; Department of Information Technology, Uppsala University, Uppsala, Sweden
Title: Kullback-Leibler Divergence-Based Observer Design Against Sensor Bias Injection Attacks in Single-Output Systems
Abstract:
This paper considers observer-based detection of sensor bias injection attacks (BIAs) on linear cyber-physical systems with a single output driven by white Gaussian noise. Despite their simplicity, BIAs pose a severe risk to systems with integrators, which we refer to as integrator vulnerability. Specifically, the residual generated by any linear observer is indistinguishable under attack and normal operation at steady state, making BIAs detectable only during transients. To address this, we propose a principled method based on Kullback-Leibler divergence to design a residual generator that significantly increases the signal-to-noise ratio against BIAs. For systems without integrator vulnerability, our method also enables a trade-off between transient and steady-state detectability. The effectiveness of the proposed method is demonstrated through numerical comparisons with three state-of-the-art residual generators.
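The integrator vulnerability named in the abstract can be reproduced with a few lines. The following is an added illustration, not the paper's code or its KL-divergence residual generator: a scalar plant with a Luenberger observer, a constant bias injected into the sensor, and the residual tracked over time. Noise is omitted so that the steady-state mean of the residual can be checked against its closed form; the plant parameter a, the observer gain L and the bias value are assumptions chosen for the demonstration.

```python
"""Added illustration (not the paper's code) of the 'integrator vulnerability':
a constant sensor bias injection attack (BIA) drives the residual of a linear
observer back to zero at steady state when the plant contains an integrator,
so the attack is visible only during the transient.

Assumed toy model (noise omitted so the steady-state mean is exact):
    plant     x[k+1] = a * x[k]          (a = 1.0 is an integrator)
    sensor    y[k]   = x[k] + b[k]       (b[k] = bias once the attack starts)
    observer  xhat[k+1] = a * xhat[k] + L * (y[k] - xhat[k])
    residual  r[k]   = y[k] - xhat[k]
"""

def simulate_residual(a, gain, bias, attack_step, steps):
    """Residual sequence r[0..steps-1]; the bias is injected from attack_step on."""
    x, xhat, residuals = 0.0, 0.0, []
    for k in range(steps):
        b = bias if k >= attack_step else 0.0
        y = x + b                     # attacked measurement
        r = y - xhat                  # residual the detector monitors
        residuals.append(r)
        xhat = a * xhat + gain * r    # Luenberger observer update
        x = a * x                     # plant update (no process noise)
    return residuals

def steady_state_residual(a, gain, bias):
    """Closed-form steady-state residual. With e = x - xhat,
    e[k+1] = (a - L) e[k] - L b, so e* = -L b / (1 - a + L) and
    r* = e* + b = b (1 - a) / (1 - a + L): zero exactly when a = 1."""
    return bias * (1.0 - a) / (1.0 - a + gain)

if __name__ == "__main__":
    for a in (1.0, 0.8):
        r = simulate_residual(a, gain=0.5, bias=1.0, attack_step=5, steps=40)
        print(f"a={a}: r just after attack={r[5]:.3f}, "
              f"r at steady state={r[-1]:.3e}, "
              f"closed form={steady_state_residual(a, 0.5, 1.0):.3e}")
```

For a = 1 (integrator) the observer absorbs the bias into its state estimate and the residual decays to zero, so a threshold detector that missed the transient never sees the attack; for a stable plant (a = 0.8) the residual settles at a nonzero offset b(1 - a)/(1 - a + L) and remains detectable.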
PaperID: 681,   
Authors:  Lijuan Huo, Libing Wu, Enshu Wang, Jinfei Liu, Chunshuo Li, Zemei Liu, Zhuangzhuang Zhang
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; ZJU-Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou, China
Title: NTTproofs: A Maintainable and Aggregatable Vector Commitment With Fast Openings and Updates
Abstract:
In vector commitments, the complex process of generating and updating proofs, along with the large-sized proofs, seriously hinders the practicality of stateless cryptocurrencies. In this work, we present NTTproofs, containing two sub-schemes, a vector commitment (VC) and a multi-vector commitment (MC). Both sub-schemes are maintainable and aggregatable, and they also enjoy fast openings (i.e., generating all the proofs) as well as efficient proof updates. MC in NTTproofs employs the Fast Number Theoretic Transform (NTT) and a sharding technique to significantly improve the time of generating all proofs by up to 0.76× and 0.32× over Balanceproofs and Matproofs, respectively. Moreover, our proposed MC in NTTproofs is efficiently maintainable and requires merely 15.78 milliseconds at $n_1 = n_2 = 2^{12}$ to update all proofs. Meanwhile, NTTproofs schemes exhibit superior aggregatability, taking 0.003 seconds in VC and 0.05 seconds in MC to aggregate 1024 proofs and reducing the size of an aggregated proof to a constant size of 96 bytes. Finally, macrobenchmarks indicate that our proposed MC in NTTproofs outperforms the other schemes, but is slightly inferior to Balanceproofs.
PaperID: 682,   
Authors:  Shuai Tang, Peisong He, Haoliang Li, Wei Wang, Xinghao Jiang, Yao Zhao
Affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu, China; Department of Electrical Engineering, City University of Hong Kong, Hong Kong, China; School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China; School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Towards Extensible Detection of AI-Generated Images via Content-Agnostic Adapter-Based Category-Aware Incremental Learning
Abstract:
The rapid evolution of image generation techniques has benefited several fields, but it has also given rise to security concerns. As countermeasures, a series of AI-generated image detection methods have been developed successfully. However, existing methods exhibit an inefficiency in handling the continual emergence of new generative models. To address this issue, we formulate the detection of AI-generated images in an extensible manner using an adapter-based domain incremental learning framework. Specifically, we first investigate the global consistency property of generation artifacts and design a content-agnostic adapter mounted on a vision transformer to extract common forensic features, where a token-level shuffling strategy is constructed for the dual-stream comparison to mitigate fitting to specific image content. Then, motivated by the compactness of real images and the diversity of fake images due to their inherent generation processes, an asymmetric category-aware domain alignment method is designed to reduce the domain shift arising from different generators. Finally, a multi-view knowledge distillation module, considering both point-to-point and structure-to-structure forensic knowledge, is devised to alleviate catastrophic forgetting. Experiments are conducted on several protocols using various image generators, and experimental results verify the superiority of our method compared to state-of-the-art methods for extensible detection.
PaperID: 683,   
Authors:  Xueji Yang, Fei Tong, Fang Jiang, Guang Cheng
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu, China
Title: A Lightweight and Dynamic Open-Set Intrusion Detection for Industrial Internet of Things
Abstract:
Recently, intrusion detection technology has been deployed in the Industrial Internet of Things (IIoT), which is an efficacious approach to enhancing security. However, identifying previously unseen and unknown attacks, referred to as the open-set problem, has become increasingly difficult due to the openness of IoT architecture and the continuous evolution of attack patterns. Moreover, existing open-set intrusion detection solutions are difficult to apply directly to IIoT because of its unique characteristics, such as limited computational and storage capabilities, long detection times, and the inability to continuously learn. In this paper, we propose an efficient, lightweight, and dynamic open-set intrusion detection scheme for IIoT. It consists of three stages: the known attack classification stage focuses on extracting features from known data to efficiently classify normal data and known attacks; the unknown attack recognition stage analyzes the distribution of reconstruction errors to effectively distinguish between known data and unknown attacks; and the dynamic update detection stage introduces a lightweight detection architecture for unknown attack detection, significantly reducing the computational overhead and storage requirements of IIoT devices. Simultaneously, it learns from and updates with newly detected unknown attacks to further optimize detection capabilities. We conduct experiments on four widely used datasets to evaluate the performance of open-set intrusion detection for IIoT. The experimental results delineate the superiority of our proposed method over four state-of-the-art approaches in open-set intrusion detection. Meanwhile, our proposed lightweight model updating method significantly reduces detection time by over 65% and memory overhead by over 80% compared to retraining methods, while achieving an average detection accuracy of 96%.
PaperID: 684,   
Authors:  Chao Zha, Zhiyu Wang, Yifei Fan, Bing Bai, Yinjie Zhang, Sainan Shi, Ruyun Zhang
Affiliations: Chinese Academy of Sciences, Institute of Computing Technology, Beijing, China; Intelligent Computing Infrastructure Innovation Center, Zhejiang Laboratory, Hangzhou, Zhejiang, China
Title: A-NIDS: Adaptive Network Intrusion Detection System Based on Clustering and Stacked CTGAN
Abstract:
Intrusion detection systems (IDS) are crucial tools for detecting anomalous network traffic in cybersecurity. In recent years, significant progress has been made in applying artificial intelligence to IDS. However, existing research often assumes that training and testing data are static and identically distributed, whereas in reality, data drift is inevitable. Moreover, to enhance model versatility and detection performance, models have become increasingly complex, posing challenges to real-time deployment. To address these challenges, we propose an adaptive network intrusion detection system named A-NIDS, consisting of a main task and two bypass tasks. The main task is to develop a fully connected and shallow network with strong detection performance and real-time capability. The first bypass task is a clustering model that helps the main task detect data drift in an unsupervised manner. The second bypass task is a generation model to generate old data to address catastrophic forgetting in new model iterations and the storage cost issue caused by accumulating old data. We conduct extensive experiments on the CICIDS-2017 and CSE-CICIDS-2018 datasets, demonstrating the superior performance of A-NIDS on new and old data. Furthermore, our detection module achieves a detection latency of 5 microseconds, highlighting its suitability for real-time applications. All the related code is publicly available at: https://github.com/ids-sec-hub/A-NIDS.
PaperID: 685,   
Authors:  Luming Yang, Yongjun Wang, Lin Liu, Junjie Huang, Jiangyong Shi, Shaojing Fu, Shize Guo
Affiliations: College of Computer Science and Technology, National University of Defense Technology, Changsha, China; Research Center for Information Technology Security of PLA, Beijing, China
Title: unFlowS: An Unsupervised Construction Scheme of Flow Spectrum for Network Traffic Detection
Abstract:
In recent years, the construction of behavior-based analysis models has been hindered by issues such as insufficient data, difficulty in labeling, and the complexity of behavior types. In reality, specific cyber threats often require manual analysis of raw network traffic, which is a complex and inefficient process. A flow spectrum can simplify the complex analysis of raw network flows by mapping them from a high-dimensional space to a one-dimensional spectral space. However, the existing flow spectrum cannot adapt to open-world scenarios and behavior-based detection of unknown cyber threats. To address these challenges, we propose a new flow spectrum construction scheme, named unFlowS, to effectively represent network flows and assist analysts in understanding the behaviors of network traffic. unFlowS-Net, an unsupervised flow-based detection model we designed as the core of our scheme, can transform network flows into spectral lines. This makes it possible for unFlowS to detect unknown cyber threats. We further build spectral vectors from the spectral lines generated by network flow sets, enabling the visualization of network behaviors within a period of time and automatic behavior-based detection. Experimental results demonstrate that unFlowS-Net achieves better performance than state-of-the-art methods on unsupervised flow-based detection. Based on spectral vectors, it can not only intuitively display the network behavior characteristics of the target host, but also automatically detect suspicious network behaviors.
PaperID: 686,   
Authors:  Adrián Tobar Nicolau, Javier Parra-Arnau, Jordi Forné, Vicenç Torra
Affiliations: Department of Mathematical Sciences and Computer Science, Universitat de les Illes Balears, Palma, Spain; Department of Telematics Engineering, Universitat Politècnica de Catalunya - BarcelonaTech, Barcelona, Spain; Department of Computing Science, Umeå University, Umeå, Sweden
Title: Uncoordinated Syntactic Privacy: A New Composable Metric for Multiple, Independent Data Publishing
Abstract:
A privacy model is a privacy condition, dependent on a parameter, that guarantees an upper bound on the risk of reidentification disclosure and possibly also on the risk of attribute disclosure by an adversary. A privacy model is composable if the privacy guarantees of the model are preserved, possibly to a limited extent, after repeated independent application of the privacy model. From the opposite perspective, a privacy model is not composable if multiple independent data releases, each of them satisfying the requirements of the privacy model, may result in a privacy breach. Current privacy models are broadly classified into syntactic ones (such as $k$-anonymity and $l$-diversity) and semantic ones, which essentially refer to $\varepsilon$-differential privacy ($\varepsilon$-DP) and variations thereof. While $\varepsilon$-DP and its variants offer strong composability properties, syntactic notions are not composable unless data releases are conducted by a single, centralized data holder that uses specialized notions such as $m$-invariance and $\tau$-safety. In this work, we propose $m$-uncoordinated-syntactic-privacy ($m$-USP), the first syntactic notion with composability properties for the independent publication of nondisjoint data, in other words, without a centralized data holder. Theoretical results are formally proven, and experimental results demonstrate that the risk to individuals does not increase significantly, in contrast to non-composable methods, which are susceptible to attribute disclosure. In most cases, the utility degradation caused by the extra protection is less than 5% and decreases as the value of $m$ increases.
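The non-composability of syntactic models that motivates the abstract can be shown concretely. The following is an added example, not the paper's code or its m-USP construction: two independent publishers each release a table that is 2-anonymous and 2-diverse on its own, both tables contain the same individual, and an adversary who knows that individual's quasi-identifiers (age and ZIP code) intersects the candidate sensitive values from the two releases. All records, the generalization hierarchies and the attribute names are constructed for the illustration.

```python
"""Added example (not from the paper): k-anonymity and l-diversity do not
compose across independent releases of nondisjoint data. Two publishers each
release a 2-anonymous, 2-diverse table containing the same person; an
adversary who knows her quasi-identifiers intersects the candidate sensitive
values and learns her diagnosis. All microdata below is constructed.
"""
from collections import defaultdict

# Constructed microdata: (name, age, zip, disease). Names are never released.
ALICE = ("Alice", 34, "10001", "Flu")
BOB   = ("Bob",   37, "10005", "Cancer")
CAROL = ("Carol", 29, "10001", "Asthma")

def generalize_age(age, width):
    lo = (age // width) * width
    return (lo, lo + width - 1)                 # 34 -> (30, 39)

def generalize_zip(z, keep):
    return z[:keep] + "*" * (len(z) - keep)     # "10005", keep=3 -> "100**"

def release(records, age_width=None, zip_keep=None):
    """Publish rows (generalized_age, generalized_zip, disease).
    A quasi-identifier generalized with None is fully suppressed ('*')."""
    out = []
    for _, age, z, disease in records:
        g_age = generalize_age(age, age_width) if age_width else "*"
        g_zip = generalize_zip(z, zip_keep) if zip_keep is not None else "*"
        out.append((g_age, g_zip, disease))
    return out

def equivalence_classes(table):
    classes = defaultdict(list)
    for g_age, g_zip, disease in table:
        classes[(g_age, g_zip)].append(disease)
    return classes

def k_anonymity(table):
    """Smallest equivalence class: the k each release satisfies on its own."""
    return min(len(v) for v in equivalence_classes(table).values())

def l_diversity(table):
    """Fewest distinct sensitive values in any class."""
    return min(len(set(v)) for v in equivalence_classes(table).values())

def matches(g_value, true_value):
    """Does a generalized QI value cover the adversary's known true value?"""
    if g_value == "*":
        return True
    if isinstance(g_value, tuple):
        return g_value[0] <= true_value <= g_value[1]
    return all(a == "*" or a == b for a, b in zip(g_value, true_value))

def candidate_diseases(table, age, z):
    """Sensitive values of every class compatible with the target's QIs."""
    cands = set()
    for (g_age, g_zip), diseases in equivalence_classes(table).items():
        if matches(g_age, age) and matches(g_zip, z):
            cands |= set(diseases)
    return cands

def intersection_attack(tables, age, z):
    """Uncoordinated releases: intersect the candidate sets across publishers."""
    cands = None
    for t in tables:
        c = candidate_diseases(t, age, z)
        cands = c if cands is None else cands & c
    return cands

if __name__ == "__main__":
    # Publisher A holds Alice and Bob; coarsens age to decades, ZIP to 3 digits.
    A = release([ALICE, BOB], age_width=10, zip_keep=3)
    # Publisher B holds Alice and Carol; suppresses age, keeps the full ZIP.
    B = release([ALICE, CAROL], age_width=None, zip_keep=5)
    for name, t in (("A", t := A), ("B", B)):
        print(f"release {name}: k={k_anonymity(t)}, l={l_diversity(t)}")
    print("candidates from A:", candidate_diseases(A, 34, "10001"))
    print("candidates from B:", candidate_diseases(B, 34, "10001"))
    print("after intersection:", intersection_attack([A, B], 34, "10001"))
```

Each release satisfies 2-anonymity and 2-diversity, yet the intersection of the two candidate sets is a single value. A centralized holder could have prevented this by coordinating the generalizations (the m-invariance and tau-safety style notions mentioned above); independent publishers cannot, which is the gap the abstract's m-USP targets.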
PaperID: 687,   
Authors:  Xin Zhao, Mu Zhang, Xiaopeng Ke, Yu Pan, Yue Duan, Sheng Zhong, Fengyuan Xu
Affiliations: National Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, China; Kahlert School of Computing, University of Utah, Salt Lake City, UT, USA; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: DeepVMUnProtect: Neural Network-Based Recovery of VM-Protected Android Apps for Semantics-Aware Malware Detection
Abstract:
The emerging virtual machine-based Android packers render existing unpacking techniques ineffective. The state-of-the-art unpacker falls short because it relies on unreliable heuristics and manually crafted semantic models. Hence, it cannot precisely recover the app semantics necessary for malware detection. In this paper, we propose DeepVMUnProtect, a deep learning-based approach to automatically and accurately capture the semantics of VM-packed code, so as to facilitate semantics-based Android malware classification. Experiments have shown that DeepVMUnProtect outperforms the state-of-the-art tool on recovering opcode semantics in Qihoo (58.3%), Baidu (47.5%) and NMMP (58.8%), respectively, and can enable semantics-aware malware detection, which prior work fails to do.
PaperID: 688,   
Authors:  Le Cheng, Peican Zhu, Keke Tang, Chao Gao, Zhen Wang
Affiliations: School of Artificial Intelligence, Optics and Electronics (iOPEN), and the School of Computer Science, Northwestern Polytechnical University (NWPU), Xi’an, Shaanxi, China; School of iOPEN, NWPU, Xi’an, Shaanxi, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, Guangdong, China
Title: Efficient Source Detection in Incomplete Networks via Sensor Deployment and Source Approaching
Abstract:
Rumor source detection in structurally incomplete networks holds significant practical importance. Existing methods predominantly assume a complete network structure information; furthermore, they often neglect the issue of resource consumption, i.e., sensor deployment. In this paper, we propose an efficient source detection approach in incomplete networks via propagation-aware Sensor Deployment and time stamp-guided Source Approaching (SDSA) to tackle these challenges. Specifically, during the sensor deployment phase, we employ quality-guaranteed Monte Carlo propagation simulations coupled with a greedy strategy to achieve maximum coverage with minimal sensors. In the source detection phase, for the structurally incomplete network snapshots, we first attempt edge reconnection from the sensor with the earliest timestamp, followed by posterior maximization Bayesian estimation for source identification. Extensive experiments demonstrate the effectiveness of SDSA and its superiority over state-of-the-art methods. The code has been made publicly available at https://github.com/cheng-le/SDSA.
PaperID: 689,   
Authors:  Yuxin Xi, Yu Guo, Shiyuan Xu, Chengjun Cai, Xiaohua Jia
Affiliations: School of Artificial Intelligence, Beijing Normal University, Beijing, China; Department of Computer Science, The University of Hong Kong, Hong Kong, China; Department of Computer Science, City University of Hong Kong (Dongguan), Dongguan, Guangdong, China; Department of Computer Science, City University of Hong Kong, Hong Kong, China
Title: Private Sample Alignment for Vertical Federated Learning: An Efficient and Reliable Realization
Abstract:
Sample alignment is recognized as a vital component of vertical federated learning, which facilitates the integration of differential samples and high-quality model training. In this trend, providing Private Sample Alignment (PSA) among multiple clients becomes naturally necessary for preventing unauthorized sample access and client privacy exposure. However, existing PSA protocols mainly focus on two-party scenarios and cannot be directly adapted to the multi-client delegated computing scenarios required for vertical federated learning. Besides, these studies fail to address the need for protocol robustness in practical federated learning network environments. Therefore, we aim to design an efficient and reliable PSA protocol for multi-client vertical federated learning. In this work, we present the first practical PSA protocol for vertical federated learning, allowing multiple clients to efficiently identify common samples without revealing additional information. Toward this direction, our PSA protocol first explores the Learning With Errors (LWE) problem to create a lightweight delegated Private Set Intersection (PSI) scheme, enabling efficient sample intersection among multiple clients. To achieve the reliability of the PSA protocol, we devise a multi-client vector aggregation algorithm that securely delegates the server to calculate the sample intersection. Building on this foundation, we develop an efficient Threshold-based Private Sample Alignment (T-PSA) protocol that allows multiple clients to determine the intersection of their input samples only if the intersection size surpasses a specific threshold. We implement a prototype and conduct a thorough security analysis. Comprehensive evaluation results confirm the efficiency and practicality of our design.
PaperID: 690,   
Authors:  Kun Zhang, Huaguang Zhang, Yanlong Zhao, Huai-Ning Wu, Rong Su
Affiliations: School of Astronautics, Beihang University, Beijing, China; School of Information Science and Engineering, Northeastern University, Shenyang, China; Key Laboratory of Systems and Control, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China; Science and Technology on Aircraft Control Laboratory, School of Automation Science and Electrical Engineering, Beihang University, Beijing, China; School of Electrical and Electronic Engineering, Centre for Advanced Robotics Technology Innovation (CARTIN), Nanyang Technological University, Jurong West, Singapore
Title: Synchronization Learning Scheme of Hybrid Order Adaptive Dynamic Optimizations for Secure Communication
Abstract:
In this paper, a novel synchronization learning scheme is proposed for secure communication, where a signal transmission architecture with a chaotic encryption process is considered. Firstly, to realize information security in communication, the original signals are encrypted by fractional order dynamics at the sender and decrypted by the receiver to achieve synchronization. For this process, a hybrid order dynamic optimization is constructed, where the fractional order and the integer order systems are modeled as constraints. Secondly, a transformation formula is developed to convert these constraints into new integer order dynamics, and the equivalence between the two dynamic optimizations is obtained. Thirdly, to obtain the synchronization solution, a new iterative learning algorithm is designed, and adaptive dynamic programming is embedded into the solving process. Finally, we apply the proposed synchronization scheme to secure image transmission, and the simulation results demonstrate its effectiveness and practicality.
PaperID: 691,   
Authors:  Chengkun Wei, Weixian Li, Chen Gong, Wenzhi Chen
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou, China; Ant Group, Hangzhou, China; School of Engineering, University of Virginia, Charlottesville, VA, USA
Title: DC-SGD: Differentially Private SGD With Dynamic Clipping Through Gradient Norm Distribution Estimation
Abstract:
Differentially Private Stochastic Gradient Descent (DP-SGD) is a widely adopted technique for privacy-preserving deep learning. A critical challenge in DP-SGD is selecting the optimal clipping threshold C, which involves balancing the trade-off between clipping bias and noise magnitude, incurring substantial privacy and computing overhead during hyperparameter tuning. In this paper, we propose Dynamic Clipping DP-SGD (DC-SGD), a framework that leverages differentially private histograms to estimate gradient norm distributions and dynamically adjust the clipping threshold C. Our framework includes two novel mechanisms: DC-SGD-P and DC-SGD-E. DC-SGD-P adjusts the clipping threshold based on a percentile of gradient norms, while DC-SGD-E minimizes the expected squared error of gradients to optimize C. These dynamic adjustments significantly reduce the burden of tuning the hyperparameter C. Extensive experiments on various deep learning tasks, including image classification and natural language processing, show that our proposed dynamic algorithms achieve up to 9 times acceleration in hyperparameter tuning compared with DP-SGD. Moreover, DC-SGD-E achieves an accuracy improvement of 10.62% on CIFAR10 over DP-SGD under the same privacy budget for hyperparameter tuning. We conduct rigorous theoretical privacy and convergence analyses, showing that our methods seamlessly integrate with the Adam optimizer. Our results highlight the robust performance and efficiency of DC-SGD, offering a practical solution for differentially private deep learning with reduced computational overhead and enhanced privacy guarantees.
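The percentile variant sketched above (DC-SGD-P) is easy to prototype end to end. The following is an added example, not the paper's code: it releases a differentially private histogram of per-example gradient norms, reads the clipping threshold C off the chosen percentile of that histogram, and then runs an ordinary DP-SGD clip-and-noise step with it. The fixed-width bins, the Laplace noise on the bin counts, the Gaussian mechanism for the clipped sum, and the constructed gradient batch are all assumptions of this illustration; the paper's privacy accounting across steps and its DC-SGD-E variant are not reproduced.

```python
"""Added example (not the paper's code) of the DC-SGD-P idea: choose the DP-SGD
clipping threshold C from a differentially private histogram of per-example
gradient norms, then run the usual clip-and-noise step with that C.
Standard library only.

Assumptions the abstract does not specify: fixed-width histogram bins, Laplace
noise on the bin counts, and the Gaussian mechanism for the clipped gradient
sum. Privacy accounting across training steps is out of scope here.
"""
import math
import random

def make_rng(seed):
    return random.Random(seed)

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF."""
    u = max(rng.random() - 0.5, -0.5 + 1e-12)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def dp_histogram(norms, bin_width, num_bins, epsilon, rng):
    """Histogram of gradient norms released under epsilon-DP. Every example
    lands in exactly one bin, so the L1 sensitivity is 1 and Laplace noise of
    scale 1/epsilon per bin suffices. Negative noisy counts are clamped to 0."""
    counts = [0.0] * num_bins
    for n in norms:
        counts[min(int(n // bin_width), num_bins - 1)] += 1   # last bin catches overflow
    return [max(c + laplace_noise(1.0 / epsilon, rng), 0.0) for c in counts]

def percentile_threshold(noisy_counts, bin_width, percentile):
    """Upper edge of the first bin at which the cumulative noisy mass reaches
    the requested percentile; this becomes the new clipping threshold C."""
    total = sum(noisy_counts)
    cumulative = 0.0
    for i, c in enumerate(noisy_counts):
        cumulative += c
        if total > 0 and cumulative / total >= percentile:
            return (i + 1) * bin_width
    return len(noisy_counts) * bin_width

def clip_and_noise(grads, C, sigma, rng):
    """One DP-SGD step: clip each per-example gradient to L2 norm C, sum,
    add N(0, (sigma*C)^2) per coordinate, and average over the batch."""
    dim = len(grads[0])
    total = [0.0] * dim
    for g in grads:
        n = l2_norm(g)
        factor = min(1.0, C / n) if n > 0 else 1.0
        for j in range(dim):
            total[j] += g[j] * factor
    return [(t + rng.gauss(0.0, sigma * C)) / len(grads) for t in total]

def dc_sgd_p_step(grads, hist_epsilon, percentile, sigma, rng,
                  bin_width=0.5, num_bins=40):
    """Dynamic-clipping step: estimate the norm distribution privately, set C
    at the chosen percentile, then clip and noise with that C."""
    norms = [l2_norm(g) for g in grads]
    hist = dp_histogram(norms, bin_width, num_bins, hist_epsilon, rng)
    C = percentile_threshold(hist, bin_width, percentile)
    return C, clip_and_noise(grads, C, sigma, rng)

if __name__ == "__main__":
    rng = make_rng(7)
    # Constructed batch: most gradients have small norm, a few are outliers.
    batch = [[rng.gauss(0, 1) for _ in range(4)] for _ in range(64)]
    batch += [[rng.gauss(0, 8) for _ in range(4)] for _ in range(4)]
    C, g = dc_sgd_p_step(batch, hist_epsilon=1.0, percentile=0.9, sigma=1.0, rng=rng)
    print(f"chosen C={C}, noisy averaged gradient={[round(v, 3) for v in g]}")
```

The histogram release spends a small part of the privacy budget (hist_epsilon) on top of the per-step Gaussian mechanism, which is the price for not having to sweep C by hand; the percentile controls how many per-example gradients are clipped versus how much noise (proportional to C) is added.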
PaperID: 692,   
Authors:  Mian Zou, Baosheng Yu, Yibing Zhan, Siwei Lyu, Kede Ma
Affiliations: Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong; Lee Kong Chian School of Medicine, Nanyang Technological University, Jurong West, Singapore; JD Explore Academy, Beijing, China; Department of Computer Science and Engineering, University at Buffalo, State University of New York, Buffalo, NY, USA
Title: Semantic Contextualization of Face Forgery: A New Definition, Dataset, and Detection Method
Abstract:
In recent years, deep learning has greatly streamlined the process of manipulating photographic face images. Aware of the potential dangers, researchers have developed various tools to spot these counterfeits. Yet, none asks the fundamental question: What digital manipulations make a real photographic face image fake, while others do not? In this paper, we put face forgery in a semantic context and define that computational methods that alter semantic face attributes to exceed human discrimination thresholds are sources of face forgery. Following our definition, we construct a large face forgery image dataset, where each image is associated with a set of labels organized in a hierarchical graph. Our dataset enables two new testing protocols to probe the generalizability of face forgery detectors. Moreover, we propose a semantics-oriented face forgery detection method that captures label relations and prioritizes the primary task (i.e., real or fake face detection). We show that the proposed dataset successfully exposes the weaknesses of current detectors as the test set and consistently improves their generalizability as the training set. Additionally, we demonstrate the superiority of our semantics-oriented method over traditional binary and multi-class classification-based detectors.
PaperID: 693,   
Authors:  Xuan Yang, Dongming Li
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Loop-Back Mechanism-Based Physical-Layer Secret Key Generation in FDD System Under Hardware Impairments
Abstract:
In physical-layer secret key generation, key generation performance is susceptible to hardware impairments (HIs), which can degrade channel reciprocity. Additionally, the security of loop-back-mechanism-based schemes in frequency division duplex (FDD) systems requires further enhancement. To address these challenges, this paper proposes a secure key generation scheme based on a loop-back mechanism for FDD systems. By transmitting signals across different frequency bands in a loop-back fashion, the proposed scheme mitigates the adverse effects of HI variations across frequency bands and enhances system security. Theoretical analyses are conducted on the normalized mean square error and the secret key rate of the loop-back mechanism in both FDD and time division duplex (TDD) systems, providing a clear security assessment of the proposed scheme. Simulation and experimental results demonstrate that by accounting for HI differences in the frequency domain, the proposed scheme improves channel reciprocity, enhances the secret key rate, achieves a higher key generation rate (KGR), and reduces the key disagreement ratio (KDR) compared to state-of-the-art methods.
PaperID: 694,   
Authors:  Yue Chen, Xiaohui Li, Junfeng Wang, Wenhan Ge, Lingfeng Tan
Affiliations: School of Cyber Science and Engineering, Sichuan University, Chengdu, China; College of Computer Science, Sichuan University, Chengdu, China
Title: CorreFlow: A Covert Fingerprinting Modulation for Flow Correlation in Open Heterogeneous Networks
Abstract:
The constantly changing landscape of the Internet presents a significant challenge in the detection and tracking of covert attackers and their sophisticated methods. To address this issue, various techniques, such as network flow watermarking (NFW) and traffic correlation, embed attack labels in data streams to identify attack pathways or aid post-analysis. However, existing solutions are often tailored to specific scenarios and therefore lack robustness, adaptability, and anonymity in non-cooperative or incomplete-information heterogeneous environments. To this end, this paper proposes CorreFlow, a Transfer Learning (TL) based invisible network flow correlation framework that uses time-channel graph fingerprinting modulation. It accounts for the fragmentation and reassembly of data packets during transmission. In stable network environments, CorreFlow uses TL for rapid correlation across flows, enabling efficient linkage of related traffic segments. In complex heterogeneous networks, where traditional correlation methods may fail due to encryption and variability, it embeds watermarking information by regulating the Inter Packet Delay (IPD) in encrypted communication streams, enabling effective identification and tracking. Multiple experiments conducted on real network traffic and public datasets demonstrate that CorreFlow achieves highly efficient traffic correlation with a minimal false positive rate, improved adaptability, and steganographic covertness. Specifically, it achieves over 97.31% accuracy in various network environments and raises network traffic correlation in open heterogeneous network environments from low correlation to 95%.
PaperID: 695,   
Authors:  Qingjiang Xiao, Guyue Li, Zi Long Liu, Aiqun Hu
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Computer Science and Electronics Engineering, University of Essex, Colchester, U.K.; Purple Mountain Laboratories, Nanjing, China
Title: Optimal Subcarrier Allocation Scheme for Physical-Layer Key Generation in an OFDMA Network
Abstract:
This paper studies enhanced physical-layer key generation (PKG) for multiuser orthogonal frequency division multiple access (OFDMA) networks. In practical OFDMA systems, our key observation is that there are frequency correlations between different subcarriers which potentially lead to compromised randomness of the generated keys as well as a reduced sum secret key rate. Motivated by this, we show that subcarrier allocation plays a key role in enhancing the PKG performance in OFDMA networks. We prove that when a single user terminal selects a finite number of subcarriers for key generation, adopting uniformly spaced subcarriers is the optimal solution as it leads to higher secret key rates and better randomness. Moreover, we derive a closed-form expression for the sum secret key rate and introduce a low-complexity near-optimal algorithm that can achieve an appropriate subcarrier allocation policy in a timely manner. Simulation results show that our proposed near-optimal algorithm exhibits significant advantages in maximizing the sum secret key rate and improving key randomness compared with existing subcarrier allocation algorithms.
PaperID: 696,   
Authors:  Qingran Miao, Haixia Wang, Jianru Zhou, Yilong Zhang, Peng Chen, Ronghua Liang, Yuanjing Feng
Affiliations: College of Information Engineering, Zhejiang University of Technology, Hangzhou, China; College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China
Title: Supervised Enhancement for Fingertip OCT Images Based on Paired Dataset Generation Strategy
Abstract:
Optical Coherence Tomography (OCT) is a high-resolution, non-invasive imaging technology increasingly used for biometric data collection from fingertips. OCT captures volume data up to 3 mm below the skin surface in the form of a series of B-scan images, enabling the reconstruction of internal fingerprints (IF) and internal sweat pores (ISP), thereby enhancing the security of biometric recognition. Despite these advantages, OCT images suffer from speckle noise and tissue discontinuity, making the extraction of subcutaneous biometric features challenging. Traditional hardware- and software-based enhancement methods often result in over-smoothing and structural loss. Recent advances in deep learning (DL) offer promising alternatives, with supervised DL methods showing efficacy when trained with high-quality paired datasets. However, the absence of ground-truth (GT) data makes it impossible to apply these models. This study proposes a novel supervised enhancement method for fingertip OCT images, with a paired dataset generation strategy. An OCT few-shot GAN and a Quality Estimation Module are proposed and incorporated into the strategy to realize translation from minimal GT manual augmentation to a high-quality paired dataset, effectively addressing the challenge of data scarcity. A Fast Supervised Enhancement GAN (FSE-GAN) is proposed thereafter to perform simultaneous speckle noise reduction and tissue structure restoration, facilitating accurate extraction of internal fingerprints and sweat pores. Experiments demonstrate that the enhanced images significantly simplify IF and ISP extraction while achieving outstanding result quality.
PaperID: 697,   
Authors:  Pengfei Zhang, Xiang Cheng, Zhikun Zhang, Youwen Zhu, Ji Zhang
Affiliations: State Key Laboratory of Digital Intelligent Technology for Unmanned Coal Mining and the School of Computer Science and Engineering, Anhui University of Science and Technology, Huainan, China; Beijing University of Posts and Telecommunications, Beijing, China; School of Computer Science and Technology, Zhejiang University, Hangzhou, China; School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD, Australia
Title: Maximizing Area Coverage in Privacy-Preserving Worker Recruitment: A Prior Knowledge-Enhanced Geo-Indistinguishable Approach
Abstract:
Worker recruitment for area coverage maximization typically requires participants to upload location information, which can deter potential participation without proper protection. While existing studies resort to geo-indistinguishability to address this concern, they primarily focus on either specific task locations (Target Coverage) or operate under pre-defined recruitment quotas for an interested region (Area Coverage). These focuses not only yield suboptimal area coverage when scaled but also fail to leverage valuable prior knowledge, in the form of participants’ noisy historical registered locations, to enhance both location obfuscation and worker identification processes. To address these limitations, we present WILTON, which optimizes area coverage under geo-indistinguishability by recruiting the minimum number of participants through the strategic utilization of noisy prior knowledge. In WILTON, to generate obfuscated locations, we propose a probabilistic and weight-aware input perturbation mechanism, which groups and weights prior locations rather than using only personal prior locations. To privately identify the recruited workers, we design a grid-based worker identification method, which provides a worst-case performance guarantee of ratio $1 - \frac{1}{e}$ to the optimum. We provide a theoretical analysis of the privacy, utility, and complexity guarantees of WILTON. Experimental results over two real-world datasets and one synthetic dataset show that WILTON surpasses state-of-the-art methods by at least 8% in area coverage improvement.
PaperID: 698,   
Authors:  Zhimao Gong, Jiapeng Zhang, Haotian Wang, Mingxing Duan, Keqin Li, Kenli Li
Affiliations: College of Computer Science and Electronic Engineering, Hunan University, Changsha, Hunan, China; National Supercomputing Center in Changsha, Changsha, Hunan, China
Title: A Privacy-Preserving Scheme With High Utility Over Data Streams in Mobile Crowdsensing
Abstract:
Both truth discovery and pattern analysis are effective methods for extracting valuable insights from data streams in mobile crowdsensing. However, existing privacy-preserving schemes either suffer from low data utility or provide high utility at the cost of weak privacy protection. To address this challenge, we introduce a robust privacy-preserving scheme that facilitates high-utility truth discovery and pattern analysis over mobile crowdsensing data streams. Concretely, we leverage the Square Wave mechanism, a randomized reporting technique, to perturb the data to prevent privacy breaches. To reduce the utility loss caused by perturbation, we design a budget allocation algorithm. This algorithm ensures that adjacent timestamps with approximate data share a perturbed value derived from their accumulated budgets. Furthermore, to facilitate robust pattern analysis, we propose a data splitting method that divides the perturbed data into two parts: one part records patterns randomly, while the other part recovers the perturbed values. Theoretical analysis confirms that our scheme satisfies $\omega$-event $\epsilon$-differential privacy. Extensive experiments conducted on four real-world datasets demonstrate that our scheme outperforms existing schemes, delivering more accurate results for both truth discovery and pattern analysis under the same privacy constraints.
PaperID: 699,   
Authors:  Xingjie Zhou, Xianzhang Chen, Shukan Liu, Xuehong Fan, Qiao Sun, Lin Chen, Meikang Qiu, Tao Xiang
Affiliations: College of Computer Science, Chongqing University, Chongqing, China; School of Electronic Engineering, Naval University of Engineering, Wuhan, China; School of Computer and Cyber Sciences, Augusta University, Augusta, GA, USA
Title: FLGuardian: Defending Against Model Poisoning Attacks via Fine-Grained Detection in Federated Learning
Abstract:
Federated Learning (FL) is a collaborative machine learning paradigm allowing participants to train a global model collaboratively without sharing training data. Its distributed nature makes FL vulnerable to untargeted or backdoor model poisoning attacks (MPAs). Hence, many defense methods have been proposed to secure FL. However, existing defenses are ineffective against the emerging stealthy layer-space MPA, since they either focus on the model space or ignore the disparities between layers. In this paper, we propose a novel layer-space defense method called FLGuardian that can protect the global model from state-of-the-art MPAs. FLGuardian first employs a new layer-wise detection to find the benign clients for each layer through pairwise cosine distances and pairwise Euclidean distances combined with a clustering algorithm. Then, FLGuardian assigns a trust score to each client according to the detection results of all the layers, where a deeper layer in the model carries a higher weight in the scoring. Finally, we select several clients with the highest scores for updating the global model. Experimental results show that FLGuardian outperforms nine typical defense methods against seven state-of-the-art MPAs in most cases. Particularly, under LPattack, the emerging layer-space backdoor MPA, FLGuardian keeps the Backdoor Success Rate (BSR) below 3% while other defenses have BSRs over 93% on CIFAR-10. Moreover, FLGuardian remains robust against adaptive attacks tailored to FLGuardian.
PaperID: 700,   
Authors:  Tianchong Gao, Zeyu Xia, Yongming Pan
Affiliations: School of Cyber Science and Engineering and the Frontiers Science Center for Mobile Information Communication and Security, Southeast University, Nanjing, China; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Affinity Backdoor Attacks in Point Clouds: A Novel Method Resilient to Corruption
Abstract:
As three-dimensional (3D) point cloud technology has advanced, the security concerns that surround point cloud classification models have garnered increasing attention. Attackers poison the training dataset of a model to mislead model classification, which is known as a backdoor attack. Considering the uncertainty in environmental factors and point cloud sampling equipment, point cloud data may be subject to various types of corruption. While some existing classification models, e.g., PointNet and PointNet++, include corruption invariance in their designs, backdoor triggers are more vulnerable to corruption because of their small size. When corrupted, backdoor samples are more likely to be misclassified into their original categories than are clean samples. The reason is that the backdoor samples, which manipulate the model, are closer to the decision boundary than the clean samples are. To mitigate the detrimental effects of sample feature deviation, this paper proposes a novel backdoor attack method that is robust to corruption. We introduce the concept of affinity based on the high-level idea that the affinity category can facilitate the shift of sample features when corrupted. Afterward, we apply the adversarial attack method to distort the decision boundary to generate backdoor samples. The experimental results demonstrate that the proposed method achieves a high attack success rate and exhibits superior robustness against corruption compared with previous backdoor attack methods.
PaperID: 701,   
Authors:  Gang Xu, Xinyu Fan, Shiyuan Xu, Yibo Cao, Xiubo Chen, Tao Shang, Shui Yu
Affiliations: School of Artificial Intelligence and Computer Science, North China University of Technology, Beijing, China; Department of Computer Science, The University of Hong Kong, Pokfulam, Hong Kong; Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China; School of Cyber Science and Technology, Beihang University, Beijing, China; School of Computer Science, University of Technology Sydney, Sydney, NSW, Australia
Title: Anonymity-Enhanced Sequential Multi-Signer Ring Signature for Secure Medical Data Sharing in IoMT
Abstract:
Internet of Medical Things (IoMT) has garnered significant research attention from both academic and medical institutions. However, the sensitive medical data involved in IoMT raises security and privacy concerns. To mitigate these, ring signature has surfaced as a proper solution, which offers unforgeability and anonymity. Unfortunately, most multi-signer ring signature schemes require a predetermined number of signers and are difficult to adjust dynamically. Additionally, traditional ring signatures have limited adaptability for IoMT due to their reliance on a single entity. It is challenging to effectively define different signature permissions for users of various entities, such as patients and doctors. Therefore, research focusing on constructing a dynamic multi-signer ring signature for multi-party participation remains a critical and ongoing challenge. In this paper, we present ASMR, an anonymity-enhanced sequential multi-signer ring signature scheme for secure medical data sharing in IoMT. ASMR contains two different rings, PR and DR, for patients and doctors, respectively. It allows patients in PR to anonymously sign their electronic healthcare record (EHR) owned by doctors in DR, overcoming the reliance on a single entity in existing approaches while enhancing the anonymity of the signature. Meanwhile, ASMR introduces the concept of signature chaining, allowing multiple users in DR to co-sign information in sequence. In addition, it ensures that each generated signature is traceable, offering a transparent system. We also formally prove the security of ASMR in the random oracle model. Comprehensive performance evaluations indicate that ASMR excels in both computational and storage overhead. In the best case, computational overhead is reduced by approximately 4.7× - 61.7×, while storage overhead is reduced by approximately 26.7× - 212.8× compared to prior art.
PaperID: 702,   
Authors:  Sizai Hou, Songze Li, Tayyebeh Jahani-Nezhad, Giuseppe Caire
Affiliations: Division of Emerging Interdisciplinary Areas, Hong Kong University of Science and Technology, Hong Kong, China; School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Electrical Engineering and Computer Science, Technische Universität Berlin, Berlin, Germany
Title: PriRoAgg: Achieving Robust Model Aggregation With Minimum Privacy Leakage for Federated Learning
Abstract:
Federated learning (FL), as a promising machine learning paradigm for large-scale distributed data, faces two security challenges of privacy and robustness: the transmitted model updates potentially leak sensitive user information, and the lack of central control over local model updates leaves the global model susceptible to malicious attacks. Current solutions attempting to address both problems under the one-server FL setting fall short in the following aspects: 1) they rely on simple validity checks that are insufficient against advanced attacks (e.g., checking the norm of each individual update); and 2) they suffer partial privacy leakage for more complicated robust aggregation algorithms (e.g., distances between model updates are leaked for multi-Krum). In this work, we formalize a novel security notion of aggregated privacy that characterizes the minimum amount of user information, in the form of aggregated statistics of users’ updates, that must be revealed to accomplish more advanced robust aggregation. We develop a general framework, PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proofs, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy. As concrete instantiations of PriRoAgg, we construct two secure and robust protocols based on state-of-the-art robust algorithms, for which we provide full theoretical analyses of security and complexity. Extensive experiments are conducted for these protocols, demonstrating their robustness against various model integrity attacks and their efficiency advantages over baselines.
PaperID: 703,   
Authors:  Qian Li, Di Wu, Dawei Zhou, Chenhao Lin, Shuai Liu, Cong Wang, Chao Shen
Affiliations: Ministry of Education Key Laboratory for Intelligent Networks and Network Security, School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; School of Computer Science and Technology, Xi’an Jiaotong University, Xi’an, China; Faculty of Data Science, City University of Macau, Macau, China; School of Software, Xi’an Jiaotong University, Xi’an, China; Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong
Title: Robust Adversarial Defenses in Federated Learning: Exploring the Impact of Data Heterogeneity
Abstract:
Federated Learning (FL) enables geographically distributed clients to collaboratively train machine learning models by exchanging local model parameters while preserving data privacy. In practice, FL faces two critical challenges. First, it is vulnerable to security issues, as malicious clients can artificially harm the functionality of FL by launching poisoning attacks. Second, the inherent data heterogeneity among clients (termed Non-IID data in FL) naturally arises from distributed data ownership and significantly degrades model convergence and accuracy. However, with studies separately devoted to these two research lines, the interplay between data heterogeneity and security remains poorly understood. In this paper, we systematically investigate the relationship between data heterogeneity and adversarial robustness in FL. Specifically, we propose novel data partitioning algorithms that simulate Label-Conditional Non-IID and Feature-Conditional Non-IID with quantifiable heterogeneity levels. Further, we conduct extensive experiments to evaluate classical defense methods in a practical FL environment under state-of-the-art untargeted attacks. With results in various settings, we separately analyze the connection of Non-IID data to defenses and to attacks. Regarding attacks, although Non-IID data has effects on models similar to those of attacks, it impacts training in a different way. The interaction between attacks and Non-IID data provides an opportunity to cause severe damage to FL. Regarding defenses, Non-IID data induces heterogeneity in the model distribution among clients, which raises the difficulty of maintaining fidelity and robustness for defense methods.
PaperID: 704,   
Authors:  Zinan Zhou, Guangyu Li, Teng Wang, Deguo Zeng, Xuanpeng Li, Qing Wang
Affiliations: School of Instrument Science and Engineering, Southeast University, Nanjing, China; Key Laboratory of Intelligent Perception and Systems for High-Dimensional Information, Ministry of Education, Nanjing University of Science and Technology, Nanjing, China; Nanjing Electronic Equipments Institute, Nanjing, China
Title: A Robust Open-Set Specific Emitter Identification for Complex Signals With Class-Irrelevant Features
Abstract:
Specific Emitter Identification (SEI) is an emitter recognition technology based on the Radio Frequency Fingerprint (RFF) of hardware. The emergence of unknown emitters is frequent in non-cooperative environments, and studies based on Open-set Specific Emitter Identification (OSSEI) are becoming increasingly critical. Besides, Radio Frequency (RF) signals contain a substantial number of features that are irrelevant to emitter categories, and as a result the distributions of signals are extremely sparse in the feature space. Existing OSSEI methods are not capable of extracting categorical representations for such signals, which may lead to wrong recognition. In this work, based on a set of Variational Auto-Encoder (VAE) models, we propose a robust OSSEI framework designed to handle class-irrelevant features. Specifically, we first use the proposed class-independent VAEs to construct categorical representations for each emitter, leveraging signal distributions in the feature space. In addition, to enhance the distinction among inter-class representations and constrain intra-class distributions, we design a supervised contrastive learning (SupCL) based method that generates positive samples for data augmentation by sampling from the corresponding distributions. Furthermore, we calculate the category affiliation of signals by integrating reconstruction probabilities and statistical representation features, facilitating the identification of both known and unknown emitters. Finally, we validate the effectiveness of our method from both theoretical and experimental perspectives, achieving state-of-the-art (SOTA) performance.
PaperID: 705,   
Authors:  Haiyan Zhang, Xinghua Li, Mengfan Xu, Shunjie Yuan, Mengyao Zhu, Robert H. Deng
Affiliations: State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University, Xi’an, China; School of Computer Science, Shaanxi Normal University, Xi’an, China; School of Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Robust Federated Learning Client Selection With Combinatorial Class Representations and Data Augmentation
Abstract:
The federated learning (FL) client selection scheme can effectively mitigate global model performance degradation caused by the random aggregation of clients with heterogeneous data. Simultaneously, research has exposed FL’s susceptibility to backdoor attacks. Herein lies the dilemma: traditional client selection methods and backdoor defenses stand at odds, so their integration is an elusive goal. To resolve this, we introduce Grace, a resilient client selection framework blending combinational class sampling with data augmentation. On the client side, Grace first proposes a local model purification method, fortifying the model’s defenses by bolstering its innate robustness. Afterwards, local class representations are extracted for server-side client selection. This approach not only shields benign models from backdoor tampering but also allows the server to glean insights into local class representations without infringing upon the client’s privacy. On the server side, Grace introduces a novel representation combination sampling method. Clients are selected based on the interplay of their class representations, a strategy that simultaneously weeds out malicious actors and draws in clients whose data holds unique value. Our extensive experiments highlight Grace’s capabilities. The results are compelling: Grace enhances defense performance by over 50% compared to state-of-the-art (SOTA) backdoor defenses and, in the best case, improves accuracy by 3.19% compared to SOTA client selection schemes. Consequently, Grace achieves substantial advancements in both security and accuracy.
PaperID: 706,   
Authors:  Jie Chen, Liangmin Wang, Huijuan Zhu
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Computer Science and Communication Technology, Jiangsu University, Zhenjiang, China
Title: SmartGuard: Making Prediction Verifiable Through Transaction Sequences for Smart Contract Vulnerability Detection
Abstract:
Deep learning-based detectors have been widely proposed to predict vulnerabilities in smart contracts, yet their unreliable predictions pose severe security risks to financial transactions, making it critical to verify the reliability of vulnerability predictions. However, existing methods only produce prediction results, failing to provide an evidence chain to check whether these predicted vulnerabilities genuinely exist and deliver further guidance for fixing the vulnerabilities. Thus, making these vulnerability predictions verifiable remains an unexplored problem. In this paper, we propose SmartGuard, a novel verifiable vulnerability prediction framework for deep learning-based detectors and specifically designed for smart contracts. It integrates a deep learning-based detector with a symbolic prediction validator, where the latter acts as the backend formal engine to verify vulnerability predictions. Specifically, we present a graph-sequence multi-task learning model to detect vulnerabilities while generating transaction sequences that serve as evidence chains, explicitly revealing the triggering logic behind vulnerabilities. To bridge the gap between deep learning-based detectors and symbolic validators, we symbolically execute the generated transaction sequences against the verification conditions of vulnerability predictions. Furthermore, we propose a new metric, Vulnerability Prediction Suspiciousness (VPS), to evaluate the reliability of the predicted results. We implement SmartGuard on three representative types of vulnerabilities (Reentrancy, Ether-leaking, and Suicidal) to evaluate its performance in real-world scenarios. Our experimental results show that SmartGuard can effectively verify doubtful vulnerability predictions in real-world scenarios. It also outperforms state-of-the-art baselines by consistently reducing false reports by at least 15% across various Solidity versions. Case studies on complex contracts and DApps further demonstrate SmartGuard’s effectiveness in practice.
PaperID: 707,   
Authors:  Insup Lee, Changhee Choi
Affiliations: Agency for Defense Development, Daejeon, Republic of Korea
Title: MuCamp: Generating Cyber Campaign Variants via TTP Synonym Replacement for Group Attribution
Abstract:
As cyberattack operators have progressed to encompass group and nation-state levels, the nature of attacks has evolved into more sophisticated forms such as cyber campaigns. In response to these large-scale campaigns, tactical cyber threat intelligence (CTI) which focuses on tactics, techniques, and procedures (TTPs) has gained significant attention. However, the data-driven aspects of tactical CTI confront two primary challenges: (i) the extreme scarcity of campaign data and (ii) the difficulty of effectively integrating security domain knowledge. To this end, this paper presents MuCamp, a novel campaign generation method that operates in the context of limited campaign data while also considering the unique characteristics of large-scale attacks. The proposed method assumes that campaigns are TTP sequences, and based on this assumption, it generates valid campaign variants by replacing target TTP words with TTP synonyms, and preserves the strategic goals of the seed campaigns. MuCamp offers a scalable and interpretable augmentation strategy, enhancing CTI effectiveness under data scarcity and facilitating rapid adaptation to evolving threat landscapes. We also prepared a dataset consisting of 858 real-world campaigns labeled by security experts, including 14 tactics and 206 techniques, enabling reliable performance evaluation. Experimental results demonstrate that each component of MuCamp contributes to embedding-based group attribution by improving the separability of the correct group from alternative candidates, while effectively reflecting domain knowledge.
PaperID: 708,   
Authors:  Jia Wang, Pei-Pei Li, Liuyu Xiang, Rui Wang, Zhili Zhang, Qing Tian, Zhaofeng He
Affiliations: School of Artificial Intelligence, Beijing University of Posts and Telecommunications, Beijing, China; Chinese Academy of Sciences, Institute of Software, Beijing, China; School of Information Science and Technology, North China University of Technology, Beijing, China
Title: FDNet: A Frequency-Aware Decomposition Network for Robust Face Super-Resolution Against Adversarial Attacks
Abstract:
Face super-resolution (FSR) is a crucial step in the face analysis pipeline, achieving remarkable progress by applying deep neural networks (DNNs). However, DNN-based FSR models are not robust enough and may suffer significant performance degradation due to subtle adversarial perturbations. In addition, the high-frequency details of images restored by existing models are insufficient, especially at large upsampling factors. In this paper, we propose a frequency-aware decomposition network (FDNet) for robust face super-resolution, which aims to defend against adversarial attacks and obtain face images with fidelity. Observing that the noise introduced by adversarial attacks is often intricately mixed with the high-frequency information of the input image, we decompose and process the features of different frequencies separately to eliminate harmful perturbations and enhance high-frequency information. Specifically, by leveraging the frequency-aware capability of empirical mode decomposition (EMD), we propose an EMD-based multi-branch structure. The framework implicitly compels different branches to adaptively extract features from distinct frequency bands, limiting the adversarial noise into decoupled components restricted to specific branches. It also improves the recovery of high-frequency information, which is conducive to producing more credible results. Furthermore, we introduce a high-frequency noise suppressor capable of randomly eliminating imperceptible noise in the high-frequency components. Quantitative and qualitative results demonstrate the superior robustness of our proposed method against adversarial attacks, showing better fidelity in image reconstruction compared to state-of-the-art FSR methods, especially for upscaling factors of 8 and 16.
PaperID: 709,   
Authors:  Anastasia Tsiota, Dionysis Xenakis, Nikos I. Passas, Lazaros F. Merakos
Affiliations: Department of Informatics and Telecommunications, National and Kapodistrian University of Athens (NKUA), Athens, Greece; Department of Digital Industry Technologies, National and Kapodistrian University of Athens (NKUA), Athens, Greece
Title: Multi-Tier HetNets With Random DDoS Attacks: Service Probability and User Load Analysis
Abstract:
The expanded scope and attack surface of today’s multi-tier heterogeneous wireless network (MHWN), which constitutes the basis of our daily life activities, dictate a deeper understanding of how distributed Denial of Service (DDoS) attacks can impact its performance. In this work, we assess the performance of large-scale MHWNs that are subject to random DDoS attacks, considering that 1) each tier may support a different radio access technology and spectrum band, and 2) end terminals have limited access to available tiers. Depending on the capability of end terminals to perfectly detect DDoS actors (or not), we provide a solid analytical framework for assessing the impact of different user association policies on both the service probability and the user load distribution per tier. Among others, our numerical analysis highlights the importance of striking a good balance between optimal system-wide service probability and fair load distribution across the tiers of the MHWN.
PaperID: 710,   
Authors:  Zhuoran Liu, Zhengyu Zhao, Martha A. Larson
Affiliations: Institute for Computing and Information Sciences, Radboud University, Nijmegen, The Netherlands; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China
Title: Resisting Bag-Based Attribute Profiling by Adding Adversarial Items to Existing Media Profiles
Abstract:
Bag-based classification is a supervised machine learning method that makes a prediction based on a bag of items. Unfortunately, it can be misused as an attribute profiling attack, where the attacker’s objective is to infer a privacy-sensitive attribute of a target user from that user’s shared social media profile, i.e., a bag of images or other media. Despite this threat, existing studies on profiling attacks are limited to the item-level perspective, i.e., attack and defense of a single item. In this work, we move obfuscation defenses against attribute profiling beyond the existing single-item research to study the multi-item, bag-based case, which is more practically relevant because it considers the full attack surface. Defense against bag-based profiling is difficult, because, in general, content shared on social media can never be completely deleted. For this reason, we study defenses that involve extensions, referred to as pivoting additions, to existing profiles, which aim to change (i.e., pivot) the output of the bag-based classifier without removing items contained in the original profile. We propose three different pivoting additions: Adversarial Noise (AdvN), Adversarially Perturbed Items (AdvPI), and Natural Items (NatI). We experimentally demonstrate the ability of these pivoting additions to compromise the performance of three deep bag-based classifiers, representing late-, intermediate- and early-fusion approaches. Overall, our work provides an introduction to the risk of bag-based profiling and a systematic study of defenses.
PaperID: 711,   
Authors:  Meiyi Zhu, Caili Guo, Chunyan Feng, Osvaldo Simeone
Affiliations: Beijing Key Laboratory of Network System Architecture and Convergence, School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing, China; Department of Engineering, King’s Communications, Learning and Information Processing (KCLIP) Laboratory, King’s College London, London, U.K.
Title: On the Impact of Uncertainty and Calibration on Likelihood-Ratio Membership Inference Attacks
Abstract:
In a membership inference attack (MIA), an attacker exploits the overconfidence exhibited by typical machine learning models to determine whether a specific data point was used to train a target model. In this paper, we analyze the performance of the likelihood ratio attack (LiRA) within an information-theoretical framework that allows the investigation of the impact of the aleatoric uncertainty in the true data generation process, of the epistemic uncertainty caused by a limited training data set, and of the calibration level of the target model. We compare three different settings, in which the attacker receives decreasingly informative feedback from the target model: confidence vector (CV) disclosure, in which the output probability vector is released; true label confidence (TLC) disclosure, in which only the probability assigned to the true label is made available by the model; and decision set (DS) disclosure, in which an adaptive prediction set is produced as in conformal prediction. We derive bounds on the advantage of an MIA adversary with the aim of offering insights into the impact of uncertainty and calibration on the effectiveness of MIAs. Simulation results demonstrate that the derived analytical bounds predict well the effectiveness of MIAs.
PaperID: 712,   
Authors:  Shaowei Wang, Jin Li, Changyu Dong, Jin Li, Zhili Zhou, Di Wang, Zikai Wen
Affiliations: Key Laboratory of Blockchain Security, Guangzhou University, Guangzhou, China; School of Artificial Intelligence, Guangzhou University, Guangzhou, China; Division of CEMSE, King Abdullah University of Science and Technology, Thuwal, Saudi Arabia; School of Engineering and Technology, University of Washington, Tacoma, WA, USA
Title: Side-Channel Attacks and New Principles in the Shuffle Model of Differential Privacy
Abstract:
The shuffle model employs a shuffler to anonymize and permute user messages, thereby enhancing privacy/utility trade-offs compared to the local model. Ideally, it assumes perfect message anonymity protection against adversaries, allowing each user to hide among a large population. However, in contexts like mobile/edge networks or in scenarios where the shuffler is curious, this assumption is frequently unrealistic. In this study, we demonstrate the vulnerability of the shuffle model to communication side-channel attacks, which substantially compromise privacy amplification via shuffling. We categorize side-channel information in the shuffle model into three types: (i) in-out information, revealing the victim user’s participation and timing, (ii) message-cardinality information, indicating the victim’s message count, and (iii) message-length information, disclosing the victim’s message length(s). Numerical results indicate these attacks increase privacy loss by 200% to 4100%, revealing secret value with probability more than 90%. After theoretically analyzing the remaining privacy amplification effects, we suggest several countermeasures and principles to alleviate degradation caused by these attacks: (a) appending padding bits to each message to counter message-length attacks, (b) maximizing query parallelization to elude in-out attacks and increase the population for privacy amplification, and (c) sending dummy messages to exchange communication costs for improved privacy amplification effects. The newly proposed paradigms and principles significantly save privacy budget in comparison to current models under attack.
PaperID: 713,   
Authors:  Hongli Liu, Qiang Li, Mingjie Shao, Yanlong Zhao, A. Lee Swindlehurst
Affiliations: School of Information and Communication Engineering, University of Electronic Science and Technology of China, Chengdu, China; Key Laboratory of Mathematical Sciences, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China; Department of Electrical Engineering and Computer Science (EECS), Center for Pervasive Communications and Computing (CPCC), University of California at Irvine, Irvine, CA, USA
Title: Quantization Noise as an Asset: Optimizing Physical Layer Security With Sigma-Delta Modulation
Abstract:
Massive multiple-input multiple-output (MIMO) technology has revolutionized wireless communication by significantly enhancing spectral efficiency; however, its high energy consumption has become a key concern. There is increasing research interest in implementing massive MIMO systems using low-resolution digital-to-analog converters (DACs) to reduce the hardware cost and energy consumption. Meanwhile, the broadcast nature of wireless communications systems poses security risks, exposing user information to potential eavesdroppers (Eve), and this issue has been studied less in the context of low-resolution massive MIMO systems. This paper investigates the potential of low-resolution massive MIMO systems to enhance physical layer security (PLS) without relying on artificial noise (AN). We propose a novel spatial Sigma-Delta modulation technique that strategically leverages quantization noise to obscure confidential communications from Eve, even with limited channel state information. Our design shifts quantization noise away from legitimate users while maintaining its presence near Eve, thus improving PLS. We formulate the resulting non-convex, semi-infinite design problem and apply a proximal majorization-minimization (PMM) algorithm, ensuring convergence to a Karush-Kuhn-Tucker (KKT) point. To enhance computational efficiency, we introduce a proximal distance algorithm (PDA) that addresses the constraints independently, yielding closed-form solutions for projections and proximal operators. Extensive numerical experiments validate our approach, demonstrating effective noise shaping for both users and Eve. Our findings illustrate that quantization noise can be a valuable asset in securing communications in low-resolution massive MIMO systems.
PaperID: 714,   
Authors:  Basker Palaniswamy, Arijit Karati, Ting-Yu Chen, Ashok Kumar Das, Bharat K. Bhargava
Affiliations: Department of Computer Science and Engineering, Cryptology and Network Security Laboratory, National Sun Yat-sen University, Kaohsiung, Taiwan; Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India; Department of Computer Sciences, Purdue University, West Lafayette, IN, USA
Title: QPCASIN: A Quantum-Defended Privacy-Aware Preemptive Handover-Enabled Continuous Authentication in Space Information Networks
Abstract:
The Space Information Network (SIN) plays a crucial role in terrestrial communication, delivering time-bound services from ground stations to users. It relies on moving low Earth orbit (LEO) satellites for uninterrupted coverage. However, untrustworthy connectivity poses several security challenges during handover services for users maintained by the satellites. While traditional cryptographic techniques provide a degree of security, the advent of quantum computing exposes significant vulnerabilities. This work proposes a quantum-safe and continuous authentication mechanism with handover provision. The proposed authentication protocol uses post-quantum primitives of the Frodo key encapsulation mechanism, currently an approved mechanism under ISO/IEC 18033-2. It ensures privacy and ensures users’ anonymity. The security of the proposed protocol is analyzed using the quantum random oracle model (QROM). Formal verification confirms its safety for practical adoption as a post-quantum candidate. Further, the performance evaluation shows an authentication delay and energy consumption of the proposed protocol within practical limits, making it a suitable candidate for privacy-preserved post-quantum adoption for SIN.
PaperID: 715,   
Authors:  Jingjing Wu, Zhun Zhong, Yanrong Guo, Shejiao Hu, Richang Hong
Affiliations: School of Computer Science and Information Engineering, Hefei University of Technology, Hefei, China
Title: Person Re-Identification With Arbitrary Modalities: A Multi-Modal Dataset and a Unified Framework
Abstract:
This paper proposes a unified visual person re-identification (re-id) framework capable of handling various re-id tasks, including modal-fusion re-id, cross-modal re-id, and single-modal re-id, to accommodate diverse modal scenarios. We begin by constructing a Multi-modal Person Re-identification (MPR) dataset comprising RGB, infrared (IR), and depth modalities. Then, the unified re-id framework is established by integrating an Adaptive Modality Aggregation Module (AMAM) and Multi-modal Auto-aligned Learning (MAL). The former autonomously aggregates distinct modalities by thoroughly exploring their relationships. It not only benefits modal-fusion re-id by promoting the modal-fusion representations, but also enhances cross-modal re-id by performing modal consistency learning on the modal-fusion features to narrow modal gaps. The latter automatically aligns multiple modalities through contrastive learning constraints to lessen modal gaps for multiple cross-modal re-id tasks. So, these two modules respectively balance the tasks of distinct types and various tasks of the same type, which are beneficial to realize more re-id tasks with diverse modal scenarios. Moreover, we evaluate state-of-the-art (SOTA) multi-modal methods in terms of plentiful testing settings constructed on the MPR dataset. The experiments demonstrate that the proposed unified method that only needs to be trained once outperforms existing methods that require multiple training processes with specific modalities. Besides, it can cope with more scenarios. Extensive ablation studies investigate the effects of the proposed modules on all re-id tasks. Our datasets and code will be publicly available soon: https://github.com/hfutwujingjing/A-Multi-Modal-Dataset-and-A-Unified-Framework
PaperID: 716,   
Authors:  Dengfeng Xia, Ke Li, Han Deng, Peng Xu, Bin Dai, Liuguo Yin
Affiliations: School of Information Science and Technology, Southwest Jiaotong University, Chengdu, China; School of Computing and Artificial Intelligence, Southwest Jiaotong University, Chengdu, China; School of Communications and Information Engineering, Chongqing University of Posts and Telecommunications, Chongqing, China; Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China
Title: Capacity-Achieving Coding Schemes of Gaussian Finite-State Markov Wiretap Channels With Delayed Feedback
Abstract:
In the literature, the Gaussian finite-state Markov wiretap channels with delayed feedback (GFSM-WTCs-DF) have been shown to be useful models capturing the essence of time-varying fading channels in the presence of physical layer security issues. Traditionally, the delayed feedback is used as a way to share a secret key between the legitimate parties. Then, encrypting the transmitted message by this key and applying any coding scheme to the same model without feedback and secrecy issue, it has been shown that the capacity of the same model without feedback and secrecy constraint is also an achievable secrecy rate of the GFSM-WTCs-DF. However, note that this secret key scheme may not be optimal for multi-user cases of the GFSM-WTCs since feedback increases the channel capacities. In this paper, first, we show that a Schalkwijk-Kailath (SK) type linear feedback scheme achieves the secrecy capacity of the GFSM-WTCs-DF for the single-user case. Then we extend this scheme to the multiple-access situation, and show that our extended scheme outperforms the secret key scheme, and it is optimal for a symmetric case. Finally, we explain the results of this paper by numerical examples.
PaperID: 717,   
Authors:  Zehang Deng, Ruoxi Sun, Jason Xue, Wanlun Ma, Sheng Wen, Surya Nepal, Yang Xiang
Affiliations: School of Science, Computing and Engineering Technologies, Swinburne University of Technology, Melbourne, VIC, Australia; Cybersecurity and Quantum Systems Group, CSIRO’s Data, Eveleigh, NSW, Australia
Title: Hardening LLM Fine-Tuning: From Differentially Private Data Selection to Trustworthy Model Quantization
Abstract:
Critical infrastructures are increasingly integrating artificial intelligence (AI) technologies, including large language models (LLMs), into essential systems and services that are vital to societal functioning. Fine-tuning LLMs for specific domain tasks is crucial for their effective deployment in these contexts, but this process must carefully address both privacy and security concerns. Without proper safeguards, such integration can introduce additional risks, such as data leakage during training and diminished model trustworthiness due to the need for model compression to operate within limited bandwidth and computational capacity constraints. In this paper, we propose Hardening LLM Fine-tuning framework (HardLLM), which addresses these challenges through two key components: (i) we develop a differentially private data selection method that ensures privacy protection by training the model exclusively on sampled and synthesized public data, thereby preventing any direct use of private data and enhancing leakage resilience throughout the training process, and (ii) we introduce a trustworthiness-aware model quantization approach to improve LLMs’ performance, such as reducing toxicity, enhancing adversarial robustness, and mitigating stereotypes, while maintaining negligible impact on model utility. Experimental results show that the proposed algorithm ensures differential privacy when the privacy budget is set at ε = 0.5, with only a 1% drop in accuracy, while other state-of-the-art methods experience an accuracy drop of at least 20% under the same privacy budget. Additionally, our quantization approach improves the trustworthiness of fine-tuned LLMs by an average of 3-4%, with only a negligible utility loss (approximately 1%) at a 50% compression rate.
PaperID: 718,   
Authors:  Zhenhao Tian, Yi He, Nuo Zhang, Qixiao Lin, Hetian Shi, Jianwei Zhuge, Jian Mao, Deliang Chang
Affiliations: Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing, China; Institute for Math & AI, Wuhan University, Wuhan, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Cyber Science and Technology, Beihang University, Beijing, China; QI-ANXIN Technology Research Institute, Beijing, China
Title: BLMProbe: Enhancing Internet-Connected Device Discovery by Automated Device Labeling and Label Migration
Abstract:
The rapid growth of Internet-connected devices presents significant challenges to device identification. Existing device probing methods have made progress in identifying device models, but struggle with binary protocols, obfuscated responses, and labels from unknown new devices. In this paper, we present BLMProbe, a network device probing framework that overcomes these challenges through two innovations: a dual-role Large Language Model (LLM) for autonomous label extraction and verification from web data, and a multi-port protocol association technique for cross-port label migration. Experimental results show that BLMProbe achieves a device classification accuracy of 95.86%, outperforming previous state-of-the-art approaches by 13.43%. The framework generates 488 new fingerprints for previously unknown devices, including 59 for binary protocol devices, and updates 306 existing signatures. In unlabeled environments, BLMProbe identifies 5,344 devices, surpassing commercial solutions like Shodan and ZoomEye, demonstrating its effectiveness across different protocols and deployment scenarios.
PaperID: 719,   
Authors:  Xin Zhang, Qingni Shen, Zhi Zhang, Yansong Gao, Jiajun Zou, Yi Yang, Zhonghai Wu
Affiliations: School of Software and Microelectronics, the National Engineering Research Center for Software Engineering, and the PKU-OCTA Laboratory for Blockchain and Privacy Computing, Peking University, Beijing, China; Department of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia
Title: Fantastic Interrupts and Where to Find Them: Exploiting Non-Movable Interrupts on x86
Abstract:
While interrupts play a critical role in modern OSes, they have been exploited as a wide range of side channel attacks to break system confidentiality, such as keystroke interrupts, graphic interrupts and network interrupts. However, as previous attacks mainly focus on the exploitation of movable interrupts, they are required to determine which core is handling the target interrupts before their attack, which is non-trivial. The exploitability of non-movable interrupts, which cannot be reassigned by privileged software at will, remains unclear. In this paper, we conduct an empirical study on exploitable non-movable interrupts and their contribution to interrupt-based side-channel leakages in x86-based systems. We propose a dynamic analysis technique to investigate how various types of non-movable interrupts are influenced by different workloads. We then conduct a model fingerprinting attack as the benchmark to show that 7 types of non-movable interrupts are exploitable. To demonstrate the viability of these non-movable interrupts, we have created two concrete side channels, called ThermalScope and TimerScope. Specifically, ThermalScope exploits the thermal event interrupts that are triggered only when the CPU temperature exceeds a pre-determined threshold, and TimerScope exploits timer interrupts that are activated regularly to enable process scheduling. Both techniques are adaptable to different attack scenarios, functioning regardless of whether the attacker and victim share the same core or reside on separate cores. Last, we successfully apply them to mount realistic case studies, ranging from constructing cross-core covert channels to breaking kernel address space layout randomization. We also demonstrate successful DNN model fingerprinting attacks under browser scenarios when frequency scaling is disabled and the attacker’s core is isolated from movable interrupts, where previous HertzBleed, ThermalBleed, and movable interrupt-based attacks are ineffective.
PaperID: 720,   
Authors:  Zhaoqi Wang, Zijian Zhang, Zhen Li, Yan Wu, Ye Liu, Meng Li, Xin Li, Yong Liu, Jincheng An, Wei Liang, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; School of Computer Science and Technology, Beijing Institute of Technology, Beijing, China; Qi An Xin Technology Group Inc., Beijing, China; Qi An Xin Technology Group Inc., QAX Security Center, Beijing, China; School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, China
Title: Resisting Poisoning Attacks in Federated Learning via Dual-Domain Distance and Trust Assessment
Abstract:
Subsequently, by executing various attacks on benchmark datasets such as MNIST, we construct Federated Learning Malicious Parameter Identification (FLMPID) dataset to enable malicious client detection. Building on this dataset, we propose FORTRESS (Federated POisoning-Resistance Defense via Dual-Domain Distance and TRust AssESSment), a framework designed to detect and mitigate malicious updates from clients. FORTRESS employs a unique encoder-decoder architecture. The encoder utilizes dual-domain distance metrics on weights and gradients to extract hidden representations, while the decoder leverages Actor-Critic (AC) reinforcement learning for trust assessment. We evaluated FORTRESS under multiple attack scenarios and demonstrated its defense effectiveness, making it a promising solution for enhancing the security of FL systems.
PaperID: 721,   
Authors:  Kang Si, Peng Li, Zhi-Peng Yuan
Affiliations: School of Automation and Intelligence, Beijing Jiaotong University, Beijing, China; School of Automation and Software Engineering, Shanxi University, Taiyuan, China
Title: Secure and Privacy-Preserving Distributed Kalman Filtering for Sensor Networks With Event-Triggered Mechanism
Abstract:
Distributed Kalman filtering is a widely used technique for state estimation in sensor network systems. Typically, each node utilizes the measurement residuals and the information exchanged with the neighbors to obtain the fused state estimation. However, local measurement is susceptible to outliers, and data sharing leads to privacy and security issues. In this paper, a secure and privacy-preserving distributed Kalman filter (SPP-DKF) is developed to simultaneously address the aforementioned issues. Specifically, the outlier-resistant mechanism is embedded to improve the resilience of the distributed Kalman filter, which employs the saturation function to suppress the mutation of innovation caused by outliers. An event-triggered privacy-preserving scheme based on a dynamic mask is designed to protect the privacy of the local state against different adversaries. Meanwhile, to ensure security, a digital signature based on homomorphic encryption and a hash function is adopted to detect false data injection attacks. Furthermore, the mean-square estimation performance and the upper bound of the error covariance of the proposed SPP-DKF are analyzed. In addition, the privacy and security performance of the proposed algorithm are also ensured. Finally, simulation results indicate that the proposed SPP-DKF provides reliable estimation performance while ensuring the privacy and security of the exchanged data.
PaperID: 722,   
Authors:  Xiaowei Ge, Guanxiong Ha, Chunfu Jia, Keyan Chen, Longwei Yang, Qiaowen Jia
Affiliations: College of Cyber Science, Tianjin Key Laboratory of Network and Data Security Technology, and DISSec, Nankai University, Tianjin, China; China Electronics Corporation, Shenzhen, China
Title: PopeDup: Popularity-Based Encrypted Deduplication With Privacy Learning Attacks Resistance and Protected Thresholds
Abstract:
Popularity-based encrypted deduplication assigns popularity thresholds to outsourced data, and balances data security and storage efficiency by classifying data based on its number of owners (i.e., popularity) and threshold. Several schemes have been proposed to address various issues in popularity-based secure deduplication, but they still have drawbacks. Firstly, most existing schemes are vulnerable to privacy learning attacks (PLAs). An adversary could infer users’ privacy through launching PLAs, which is a severe security threat. Additionally, unprotected reasonable thresholds in existing schemes incur the leakage of data sensitivity and compromise data privacy. In this paper, we propose PopeDup, a popularity-based encrypted deduplication scheme with PLAs resistance and protected thresholds. On the one hand, we design a two-phase server-aided tag generation method to protect the information about which users hold identical data for defending against PLAs. On the other hand, based on a threshold signature scheme, we implement protected thresholds to preserve the reasonability of user-assigned thresholds while protecting data sensitivity. Moreover, we design a popularity detection method tailored for protected thresholds by utilizing the property of the threshold signature scheme, called oblivious popularity detection, through which the popularity level can be transmitted without revealing thresholds. We conduct a comprehensive security analysis and experimental evaluations on PopeDup. The results show that PopeDup provides stronger security protection with limited overhead compared with existing schemes.
PaperID: 723,   
Authors:  Yu-Xin Zhang, Jie Gui, Minjing Dong, Xiaofeng Cong, Yuan Cao, Xin Gong, Yuan Yan Tang, James Tin-Yau Kwok
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Computer Science, City University of Hong Kong, Kowloon Tong, Hong Kong; Department of Computer and Information Science, University of Macau, Taipa, Macau, China; Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, Hong Kong, China
Title: Divide and Conquer: Frequency-Aware Contrastive Adversarial Training for Robust Point Cloud Classification
Abstract:
Contrastive adversarial training has shown great potential in enhancing model robustness and has been adopted in point cloud classification. There are varying spatial distributions and densities across different regions in point cloud data, which makes adversarial perturbations always exhibit non-uniform patterns of attack intensity and distribution in different regions. However, existing approaches always rely on uniform feature contrast without considering the granularity in the context of point cloud data, limiting their capacities to counter adversarial perturbations effectively. To address this issue, we propose a novel frequency-aware contrastive adversarial training framework, which considers feature contrast via a “divide-and-conquer” method. Specifically, we systematically “divide” point clouds into distinct frequency components and “conquer” feature contrast within each frequency band, which fosters fine-grained feature consistency learning and leads to more informative as well as robust representations. Besides, existing methods typically apply group-level contrastive learning, which emphasizes category-wise similarity but often overlooks the nuanced structural variations among instances. To remedy this, we incorporate instance-level contrastive learning to capture per-instance geometric variations. Moreover, a frequency-specific hard-masked sample generation module is designed to construct challenging sample pairs by masking keypoint features in each frequency band, thereby promoting the model to learn more robust feature representations. Extensive experiments on multiple benchmark datasets demonstrate that our proposed method significantly outperforms existing state-of-the-art approaches in adversarial robustness for point cloud classification. The code is available at https://github.com/yxzhang15/DiCon-FAT.
PaperID: 724,   
Authors:  Yongjun Ren, Ziyuan Zhou, Zhaoyang Han, Chunpeng Ge, Huawei Huang
Affiliations: School of Computer Science, the School of Cyber Science and Engineering, and the Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, China; School of Software, Shandong University, Jinan, Shandong, China; School of Software Engineering, Sun Yat-sen University, Guangzhou, China
Title: AdaptiveShard: Enhancing Throughput and Security of Sharded Blockchain With Adaptive Verifiable Coding
Abstract:
Blockchain technology provides a revolutionary solution for information exchange through its decentralized, tamper-proof, and highly secure characteristics. It has wide application in many industries, with the potential to improve efficiency, reduce costs, and promote innovation. However, the full replication mechanism of blockchain requires each device to store the complete blockchain data, leading to inefficient storage. Additionally, as the scale of the blockchain network expands, the increasing data volume and frequent transactions can cause network congestion and latency, posing scalability issues for blockchain. Coded sharding blockchain has been proposed to address these issues. However, current solutions face challenges such as dealing with malicious nodes and low computational efficiency, which hinder the enhancement of their scalability and computational performance. To resolve these problems, we propose AdaptiveShard, which combines coded sharding blockchain with adaptive verifiable coded computing (AVCC). This solution is designed on the Unspent Transaction Output (UTXO) model and is suitable for cryptocurrency transaction scenarios. Compared to traditional coded sharding blockchain solutions, AdaptiveShard can: 1) enhance the computational performance of coded sharding blockchain during block validation by combining AVCC with the Gaussian variant of Freivalds' algorithm (GVFA), reducing the decoding complexity to O(N^2 log N); 2) validate the computation results of each shard using GVFA and replace balance-check verification functions with matrix multiplication, reducing the computational complexity of verification to O(√n); 3) reduce the number of additional nodes required to handle malicious nodes from two to one using verifiable computation; 4) balance the system in the presence of straggler or malicious nodes through dynamic coding techniques, eliminating their impact and improving system reliability.
Experiments demonstrate that at t=1000, the throughput is 25.6% higher than that of Polyshard. Compared to the solution without dynamic coding, the solution with dynamic coding reduces the running time by 9.7% at t=50.
PaperID: 725,   
Authors:  Helin Yang, Dayuan Huang, Kailong Lin, Chongwen Huang, Zehui Xiong
Affiliations: School of Informatics, Xiamen University, Xiamen, China; College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou, China; School of Electronics, Electrical Engineering and Computer Science (EEECS), Queen’s University Belfast, Belfast, U.K.
Title: Aerial Hybrid Active-Passive Reconfigurable Intelligent Surface-Assisted Secure Communications for Integrated Satellite-Terrestrial Networks
Abstract:
In next-generation wireless networks, integrated satellite-terrestrial networks are regarded as a pivotal solution for supporting seamless coverage and elevated data rates, but their physical layer security performance is severely degraded under both jamming and eavesdropping attacks due to the wide field of line of sight. Thus, this paper designs an aerial hybrid active-passive reconfigurable intelligent surface (aerial hybrid RIS) communication system to enhance secure and reliable communication for integrated satellite-terrestrial networks, where an active eavesdropper aims to jam legitimate channels and simultaneously eavesdrop on any data stream from the RIS. Specifically, we propose a resource scheduling approach that jointly optimizes the position of the aerial RIS, the hybrid beamforming matrix, the satellite beamforming design, and the satellite transmission power to maximize the ground users’ (GUs) secrecy rate under quality of service (QoS) requirements. To address the optimization problem in complex and dynamic communication environments, we reformulate it as a reinforcement learning (RL) problem and propose a secure resource scheduling method based on the relay hindsight experience replay-softmax deep double deterministic policy gradients (RHER-SD3) algorithm. The proposed RHER-SD3 algorithm effectively schedules the secure hybrid active-passive beamforming matrix, the aerial position of the RIS, the satellite beamforming vectors, and the satellite power allocation to avoid both jamming and eavesdropping attacks, even when the behavior information of the attacker is imperfect. Simulation results demonstrate that the proposed method outperforms existing approaches in improving system secrecy performance and QoS satisfaction against hybrid attacks.
PaperID: 726,   
Authors:  Aladin Djuhera, Vlad-Costin Andrei, Xinyang Li, Ullrich J. Mönich, Holger Boche, Walid Saad
Affiliations: Chair of Theoretical Information Technology, School of Computation, Information and Technology, Technical University Munich, Munich, Germany; Department of Electrical and Computer Engineering, Virginia Tech, Alexandria, VA, USA
Title: R-SFLLM: Jamming Resilient Framework for Split Federated Learning With Large Language Models
Abstract:
Split federated learning (SFL) is a compute-efficient paradigm in distributed machine learning (ML), where components of large ML models are outsourced to remote servers. A significant challenge in SFL, particularly when deployed over wireless channels, is the susceptibility of transmitted model parameters to adversarial jamming that could jeopardize the learning process. This is particularly pronounced for embedding parameters in large language models (LLMs) and vision language models (VLMs), which are learned feature vectors essential for domain understanding. In this paper, rigorous insights are provided into the influence of jamming embeddings in SFL by deriving an expression for the ML training loss divergence and showing that it is upper-bounded by the mean squared error (MSE). Based on this analysis, a physical layer framework is developed for resilient SFL with LLMs (R-SFLLM) over wireless networks. R-SFLLM leverages wireless sensing data to gather information on the jamming directions-of-arrival (DoAs) in order to devise a novel, sensing-assisted anti-jamming strategy while jointly optimizing beamforming, user scheduling, and resource allocation. Extensive experiments using both LLMs and VLMs demonstrate R-SFLLM’s effectiveness, achieving close-to-baseline performance across various natural language processing (NLP) and computer vision (CV) tasks, datasets, and modalities. The proposed methodology further introduces an adversarial training component, where controlled noise exposure significantly enhances the model’s resilience to perturbed parameters during training. The results show that more noise-sensitive models, such as RoBERTa, benefit from this feature, especially when resource allocation is unfair. It is also shown that worst-case jamming in particular translates into worst-case model outcomes, which necessitates jamming-resilient SFL protocols.
PaperID: 727,   
Authors:  Ruonan Chen, Dawei Li, Yang Zhang, Yizhong Liu, Jianwei Liu, Zhenyu Guan, Min Xie, Qianhong Wu, Jianying Zhou, Willy Susilo
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; School of Cyber Science and Technology, Beihang University, Beijing, China; School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, China; Information Systems Technology and Designs, Singapore University of Technology and Design, Somapah Rd, Singapore; School of Computing and Information Technology, Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia
Title: Dissecting Blockchain Network Partitioning Attacks and Novel Defense for Bitcoin and Ethereum
Abstract:
Cryptocurrencies and permissionless blockchains allow nodes from all over the world to join, and their rapid development has created enormous blockchain networks with nodes spanning the globe. Blockchain network partitioning attacks split the network into separate node groups by disrupting communication, causing information inconsistency and facilitating malicious behaviors like double-spending and selfish mining, thereby threatening blockchain security. Existing research primarily studies concrete partitioning attack methods. However, it is hard to analyze the practical post-attack security and efficiency impacts on blockchains and to design effective countermeasures. This paper studies the impacts of practical network partitioning attacks on existing proof-of-work-based (Bitcoin) and proof-of-stake-based (Ethereum) permissionless blockchains. We theoretically analyze and experimentally confirm the adverse effects of network partitioning on blockchain performance and security. Network partitioning causes blockchain throughput to plummet and block generation delay to increase rapidly. In our experiments on Ethereum 2.0, when the bandwidth between the partitioned networks is lower than 768 Kbps, the throughput begins to plummet precipitously until it ultimately falls to 0. What’s worse, network partitioning significantly increases the success rate of double-spending. In our experiments on Bitcoin, when the bandwidth between the partitioned networks is less than 256 Kbps, the success rate of double-spending reaches 50%. To solve the above issues, we propose countermeasures leveraging a freezing threshold to safeguard the security of permissionless blockchains and resist double-spending attacks. We experimentally validate that the countermeasures enhance the resistance of permissionless blockchains to network partitioning attacks. They reduce the probability of double-spending in partitioned networks, thereby ensuring security and reliability.
PaperID: 728,   
Authors:  Junhao Wang, Li Lu, Hao Kong, Feng Lin, Zhongjie Ba, Kui Ren
Affiliations: State Key Laboratory of Blockchain and Data Security, School of Cyber Science and Technology, and College of Computer Science and Technology, Zhejiang University, Hangzhou, China; School of Computer Engineering and Science, Shanghai University, Shanghai, China
Title: Liquid Crystal Mimics Your Heart: A Physical Spoofing Attack Against PPG-Based Systems
Abstract:
Photoplethysmography (PPG) has been extensively employed in commercial and medical products to assess human cardiac activity. However, despite PPG’s active role in improving people’s daily lives, research on the vulnerabilities of PPG systems is still in its infancy. This paper investigates the feasibility of deceiving PPG sensors in the physical domain. We propose FakePPG, which utilizes a low-cost Liquid Crystal Modulator (LCM) device to mimic the PPG signals of a legitimate user, thus deceiving both PPG-based health assessment and potential authentication applications. To implement FakePPG in practical scenarios, we build the attack prototype using commercial off-the-shelf electronic components and further design an automated optimization and attack framework. By leveraging a modified multi-Gaussian model for parameterization, an evolutionary strategy for optimization, and a reference heart rate model for heartbeat variability alignment, FakePPG can achieve efficient, flexible, and automated PPG forgery against arbitrary users and heart states. Extensive experimental results show that FakePPG achieves a success rate of 96.7% for Atrial Fibrillation (AFib) spoofing and 91.2% for identity spoofing, revealing a realistic threat to PPG systems.
PaperID: 729,   
Authors:  Junjie Hu, Huan Yan, Na Ruan, Zhen Xiao, Jianhua Li
Affiliations: School of Computer Science, Shanghai Jiao Tong University, Shanghai, China; School of Computer Science, Shaanxi Normal University, Xi’an, China; Department of Computer Science, Peking University, Beijing, China
Title: The Halt Game: Sometimes Rewards Cannot Cover Expenses in the PoW-Based Blockchain
Abstract:
Proof-of-work (PoW) blockchains rely on incentive mechanisms to ensure the security and correctness of their underlying consensus protocol. Most research on this topic is based on a static model that considers only coinbase rewards and transaction fee rewards, and therefore fails to accurately describe the complex real-world blockchain ecosystem. We propose a generic selfish mining attack applicable to arbitrary PoW blockchain systems and introduce a dynamic PoW blockchain incentive model. This model takes into account static basic rewards, dynamic whale rewards related to the network protocol, and expenditures tied to players’ strategies. Unlike traditional incentive models that assume players continuously mine by default, we find that players prefer to halt mining at the beginning of each mining cycle to reduce operational expenses and then resume mining at an appropriate time to enhance their rewards. We further prove that the players’ optimal strategy exists and is determined by the reward parameters. We implement a modified PoW blockchain system simulator and comprehensively validate these results in it using 256 full nodes across three mainstream PoW blockchains: Bitcoin, Ethereum 1.x, and Bitcoin Cash. We finally discuss the impact of different parameters on the security of PoW blockchain systems and propose practical mitigation measures for the mining halt.
PaperID: 730,   
Authors:  Mohamed Younis, Mohammad Ebrahimabadi, Suhee Sanjana Mehjabin, Emily Pozniak, Tamim Sookoor, Naghmeh Karimi
Affiliations: Department of Computer Science and Electrical Engineering, University of Maryland at Baltimore County, Baltimore, MD, USA; Johns Hopkins University Applied Physics Laboratory, Laurel, MD, USA
Title: LiSB: Lightweight Secure Boot and Attestation Scheme for IoT and Edge Devices
Abstract:
With the increasing popularity of small computing devices and IoT applications, the need for platform integrity grows both in scale and scope. In particular, the detection of successful attempts to inject a malicious software module or modify an existing one is of utmost importance. This paper promotes LiSB, a novel approach for validating software/firmware integrity and ensuring secure boot-up for resource-constrained embedded devices. LiSB is lightweight, yet very robust. A hardware primitive is used as a Root-of-Trust to support the confidentiality of generated digests and the security of the attestation protocol. Specifically, LiSB employs Physically Unclonable Functions (PUFs) to make the digest device-specific without storing any secrets in the device memory. The performance and robustness of LiSB are validated using a prototype implementation on an FPGA. The results demonstrate that LiSB outperforms recently published and prominent commercial attestation schemes like TPM, and consumes 25 times less power than SHA-256, which serves as the core component of most existing attestation schemes. The security properties of LiSB are formally analyzed.
PaperID: 731,   
Authors:  Ruyu Zhang, Weiwei Ni, Nan Fu, Lihe Hou, Dongyue Zhang, Yifan Zhang, Liang Zheng
Affiliations: School of Computer Science and Engineering, Southeast University, Nanjing, China; School of Cyber Science and Engineering, Southeast University, Nanjing, China
Title: Principal Angle-Based Clustered Federated Learning With Local Differential Privacy for Heterogeneous Data
Abstract:
Federated learning with local differential privacy (LDP) has attracted wide attention because it can solve the problem of data islands without damaging data privacy, but it faces data heterogeneity problems on the client side. Existing solutions commonly cluster clients with similar data distributions into the same training groups by leveraging clients’ model parameters, thus mitigating the impact of data heterogeneity on federated learning performance. However, model parameters, as an indirect representation of client data, often fail to accurately reflect the true data distribution, resulting in inaccurate client groupings. Furthermore, these solutions perturb high-dimensional parameter vectors dimension by dimension to protect client data privacy, which introduces substantial LDP noise that further compromises the client grouping accuracy. To tackle these challenges, we propose PCFed-LDP, a privacy-preserving clustered federated learning framework that improves federated learning performance while protecting client data and satisfying LDP in heterogeneous environments. Specifically, we introduce a client clustering method based on geometric properties of client data subspaces, which conducts label grouping-based principal angle analysis on client data subspaces to accurately capture the similarities in client data distributions, thereby enabling precise client grouping. To reduce the amount of introduced LDP noise, we design an adaptive noise addition method that utilizes the Haar wavelet technique to decouple the noise amount from the vector dimensionality, and employs noise error minimization strategy-based vector segmentation to inject LDP noise at a finer granularity. Theoretical analysis and experiments on real datasets demonstrate that our solution not only satisfies the constraints of local differential privacy but also outperforms state-of-the-art methods.
PaperID: 732,   
Authors:  Xiao Fang, Hui Cai, Biyun Sheng, Juan Li, Jian Zhou, Haiping Huang, Mang Ye, Fu Xiao
Affiliations: College of Computer, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu, China; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, Jiangsu, China; School of Computer Science, Wuhan University, Wuhan, China
Title: A Blockchain-Based Secure and Fair Online Incentive Mechanism for Crowdsensed Data Trading
Abstract:
With the development of blockchain technology, Blockchain-based Crowdsensed Data Trading (BCDT) has emerged as an attractive data exchange paradigm. Although it addresses security issues in data transactions, most recent research primarily focuses on offline scenarios, overlooking the critical importance of enabling real-time online data trading, which suffers from dynamic worker participation and potential malicious attacks. In this paper, we propose a Blockchain-based Secure and Fair Online Incentive Mechanism (BSFOIM), which primarily incorporates a smart contract called BSFOIMToken, designed to function in online scenarios. In particular, we first introduce a multi-stage auction combined with a time discount factor in BSFOIM to quantify the contribution of workers in completing sensing tasks. Meanwhile, to ensure sensing data quality and worker selection fairness, we propose a Fairness-based Truth Discovery Mechanism (FTDM) with two core modules: a fine-grained reputation system to identify reliable workers and filter out malicious ones, and an upper confidence bound algorithm to optimize worker selection and avoid local optima. Finally, we implement these functions in BSFOIMToken and deploy a prototype on the Ethereum blockchain, demonstrating its practicality and robust performance. Rigorous theoretical analysis and comprehensive experimental tests prove its adherence to truthfulness, budget feasibility, and individual rationality.
PaperID: 733,   
Authors:  Hailong Hu, Jun Pang, Yantao Li, Huafeng Qin
Affiliations: National Research Base of Intelligent Manufacturing Service, Chongqing Technology and Business University, Chongqing, China; Faculty of Science, Technology and Medicine and the Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Esch-sur-Alzette, Luxembourg; College of Computer Science, Chongqing University, Chongqing, China
Title: Unveiling Privacy Risks in the Long Tail: Membership Inference in Class Skewness
Abstract:
Real-world datasets often exhibit long-tailed distributions, raising important questions about how privacy risks evolve when machine learning (ML) models are applied to such data. In this work, we present a comprehensive analysis of membership inference attacks in long-tailed scenarios, revealing significant privacy vulnerabilities in tail data. We begin by examining standard ML models trained on long-tailed datasets and identify three key privacy risk effects: amplification, convergence, and polarization. Building on these insights, we extend our analysis to state-of-the-art long-tailed learning methods, such as foundation model-based approaches, offering new perspectives on how these models respond to membership inference attacks across head to tail classes. Finally, we investigate the privacy risks of ML models trained with differential privacy in long-tailed scenarios. Our findings corroborate that, even when ML models are designed to improve tail class performance to match head classes and are protected by differential privacy, tail class data remain particularly vulnerable to membership inference attacks.
PaperID: 734,   
Authors:  Wenjing Cheng, Qi Feng, Chenkai Zeng, Yu Peng, Min Luo, Xiaolin Yang, Qingcai Luo
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Inspur Cloud Information Technology Company Ltd., Hong Kong, China; Inspur Academy of Science and Technology, Jinan, China
Title: Efficient Three-Party ECDSA Signature Based on Replicated Secret Sharing With Identifiable Abort
Abstract:
The private key is the only credential that can control and access account assets in the blockchain. Once the private key is leaked or stolen, the user loses control of the assets. The current mainstream solution is a threshold signature scheme based on secure multi-party computation, which can privately compute the signature value without recovering the complete private key. However, most existing solutions are based on homomorphic encryption or oblivious transfer, which suffer from problems such as large computational or communication overhead and complex implementation. We designed a threshold signature scheme that relies only on zero-knowledge proofs and pseudo-random functions, and extended the identifiable abort mechanism to hold the corrupted party accountable afterwards. We implemented the new protocol based on the MIRACL library. The key generation phase takes 19.23 ms with a communication cost of 96 bytes, and the signing phase takes 21.41 ms with a communication cost of 608 bytes. The overall time is about 81.61% faster than Lindell’18 and about 37.95% faster than DKLs’19.
PaperID: 735,   
Authors:  Shuai Liu, Yi Zheng, Hongda Chen, Qian Li, Xinlei He, Xiaoyu Zhang, Chenhao Lin, Chao Shen
Affiliations: School of Cyber Science and Technology, University of Science and Technology of China, Hefei, China; QI-ANXIN Technology Research Institute, Beijing, China; Chaitin Future Technology Company Ltd., Hangzhou, China
Title: AutoPT: How Far Are We From the Fully Automated Web Penetration Testing?
Abstract:
Penetration testing is essential for ensuring Web security by identifying and mitigating vulnerabilities in advance, and the rapid progress of large language models (LLMs) shows great potential to revolutionize this process through intelligent, automated agents. In this work, we establish a comprehensive end-to-end penetration testing benchmark using a real-world penetration testing environment to explore the capabilities of LLM-based agents in this domain. Our results reveal that the agents are familiar with the procedures of penetration testing tasks, but they still face limitations in generating accurate commands and executing complete processes. Accordingly, we summarize the current challenges, including the difficulty of maintaining the entire message history and the tendency of the agent to become stuck. Based on the above insights, we propose a Penetration testing State Machine (PSM) that utilizes the Finite State Machine (FSM) methodology to address these limitations. Then, we introduce AutoPT, an automated penetration testing agent based on the PSM principle and driven by LLMs, which utilizes the inherent inference ability of LLMs and the constraint framework of state machines. Our evaluation results show that AutoPT outperforms the ReAct-based baseline and improves the task completion rate from 22% to 41% on the benchmark target. Compared with the baseline and manual work, AutoPT also further reduces time and economic costs. In general, our AutoPT facilitates the development of automated penetration testing and brings new findings and insights for both academia and industry.
PaperID: 736,   
Authors:  Yuchun Han, Weiping Wang, Zhe Qu, Shigeng Zhang
Affiliations: School of Computer Science and Engineering, Central South University, Changsha, China
Title: Tactics and Techniques Text Classification Based on Adversarial Contrastive Learning and Meta-Path
Abstract:
Tactics and techniques information in Cyber Threat Intelligence (CTI) represents the objectives of attackers and the means through which these objectives are achieved. The classification of tactics and techniques descriptions in CTI has been extensively studied to assist security experts in interpreting attack patterns. Although many recent studies have applied various deep learning methods to enhance classification performance, they mainly focus on improving performance from an average or top-level perspective. However, the imbalance between tactic and technique tag samples, as well as text sparsity, may lead to poor model performance, which has been under-explored. To address these issues, we propose a new tactics and techniques classification model based on adversarial contrastive learning and meta-paths (TTC-ACLM). In TTC-ACLM, a novel text representation learning module is first designed. It includes a pre-trained language model (PLM) and contrastive adversarial methods, which can better adapt to categories with smaller sample sizes while obtaining better text representations. Then, heterogeneous information networks are used to model the rich relationships between texts and labels (tactics and techniques), which can merge additional information, e.g., processes and tools, to address text sparsity. Next, we define a meta-path based classifier learning module that maps text, tactics, and meta-path based context to a set of classifiers, which are applied to the text representation generated by the text representation module for better classification. Finally, the classification performance is further improved through the tactics and techniques correlation enhancement matrix. Through in-depth research, we demonstrate that the proposed model can effectively address the impact of sample imbalance and text sparsity. Extensive experimental results indicate that TTC-ACLM achieves state-of-the-art performance.
PaperID: 737,   
Authors:  Hanbiao Du, Meng Shen, Yang Liu, Zheng Che, Jinhe Wu, Wei Wang, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computer Science, Beijing Institute of Technology, Beijing, China; Ministry of Education Key Laboratory for Intelligent Networks and Network Security, Xi’an Jiaotong University, Xi’an, China
Title: Fine-Grained and Class-Incremental Malicious Account Detection in Ethereum via Dynamic Graph Learning
Abstract:
Ethereum serves as the cornerstone for value transfer in Web 3.0, providing a decentralized and efficient trust mechanism for global connectivity. However, the anonymity of Ethereum undermines market regulatory capabilities, leading to frequent malicious behaviors such as Ponzi Scheme, Money Laundering, and Phishing. Therefore, in the face of the diverse and continuously emerging malicious behaviors, implementing fine-grained detection is crucial for maintaining the prosperous development of the blockchain ecosystem. In this paper, we propose FiMAD, a fine-grained and class-incremental malicious account detection framework based on dynamic graph learning. Specifically, we first propose a general graph structure called Dynamic Account Relation Graph (DARG), which dynamically models Ethereum accounts from a continuous-time perspective. Then, we design a cascade graph feature extraction method to capture deep temporal evolution patterns and neighbor interaction features in DARG. Next, we construct a pre-training universal encoder to transform account features into high-dimensional embeddings, followed by fine-tuning the model classifier with a few labeled samples, enabling accurate fine-grained detection and rapid updates for incremental classes. We conduct extensive experiments using real Ethereum data. The results demonstrate that FiMAD outperforms state-of-the-art (SOTA) methods in fine-grained detection across five typical scenarios: class-incremental, full data, new malicious accounts, imbalanced data, and binary classification. In the class-incremental scenario, FiMAD improves the Macro-F1 by up to 26.4% compared to SOTA methods.
PaperID: 738,   
Authors:  Haonan Yang, Tianwei Zhang, Zuobin Ying, Runjie Yang, Wanlei Zhou
Affiliations: Faculty of Data Science, City University of Macau, Taipa, Macau, China; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore
Title: SightCVC: An Efficient and Compatible Multi-Chain Transaction Protocol in Heterogeneous Blockchain Systems
Abstract:
With the popularity of cross-chain transactions in heterogeneous blockchain systems, scalability has become a critical challenge. To overcome this, researchers propose to establish virtual channels, which move cross-chain transactions off the blockchain, enabling instant transaction confirmation between users and improving system throughput. However, existing off-chain cross-chain transaction schemes encounter the following issues: (i) they are incompatible with non-Turing-complete blockchain systems; (ii) they are incapable of accessing authentic information from blockchain systems. These issues have a dual impact on cross-chain transactions, affecting their compatibility and dispute resolution among mutually distrustful users. To alleviate these issues, this paper introduces SightCVC, a novel cross-chain payment protocol. The core of SightCVC is a new smart contract, which facilitates unrestricted off-chain transactions among mutually distrustful users in heterogeneous blockchain systems. It only requires the off-chain protocol of the blockchain systems involved in the transactions to support a Turing-complete scripting language, which resolves the compatibility issue. Meanwhile, it can securely retrieve real information from the blockchain systems, significantly improving the effectiveness of dispute resolution and enforcing the privacy of cross-chain transactions. We conduct a thorough security analysis within the Universal Composability framework to validate that SightCVC can achieve consensus at each stage. We implement and deploy SightCVC on the experimental networks of Ripple and Ethereum. Comprehensive evaluations demonstrate that SightCVC is able to effectively handle disputes and reduce system costs by approximately 64% compared to existing solutions. Its superiority becomes more evident as the number of transactions increases.
PaperID: 739,   
Authors:  Mengxue Yang, Huaqun Wang, Debiao He, Jiankuo Dong
Affiliations: School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: RLP-ABE: Puncturable CP-ABE for Efficient User Revocation From Lattices in Cloud Storage
Abstract:
Cloud computing has become the predominant platform for data sharing due to its adaptability, cost-effectiveness, and ability to scale resources according to user demand. Ensuring secure and efficient data sharing has long been a central research focus, with attribute-based encryption (ABE) serving as a key cryptographic primitive. In real-world scenarios, user attributes often change, necessitating timely revocation of access rights. Common user revocation methods include direct and indirect revocation. Direct revocation is controlled by the data owner, who adds revocation information to a list and embeds it into ciphertext to revoke permissions. Indirect revocation is managed by an authorized authority or delegated third party, dynamically publishing revocation information and generating new keys and ciphertexts. Conventional direct and indirect revocation methods incur substantial communication and computation overheads, limiting their practical effectiveness, particularly in environments with frequent user access terminations. To address these challenges, we propose a novel puncturable ciphertext-policy ABE scheme based on lattice cryptography for user revocation, eliminating the need for key regeneration and revocation-list maintenance. The proposed approach effectively resists collusion, quantum, and chosen-plaintext attacks, and experimental evaluations demonstrate its advantages in storage consumption, communication cost, and computational overhead.
PaperID: 740,   
Authors:  Jieyi Deng, Congduan Li, Nanfeng Zhang, Jingfeng Yang, Jun Gao
Affiliations: School of Electronics and Communication Engineering, Sun Yat-sen University, Shenzhen, China; Guangdong Provincial Key Laboratory of Intelligent Port Security Inspection, Guangzhou, China; Guangzhou Institute of Industrial Intelligence, Guangzhou, China; China Unicom Online Information Technology Company Ltd., Guangzhou, China
Title: UDFed: A Universal Defense Scheme for Various Poisoning Attacks on Federated Learning
Abstract:
Federated learning (FL), as a distributed machine learning paradigm with privacy protection, has garnered significant attention since it prevents the exchange of raw local data. However, FL remains vulnerable to poisoning attacks, including data contamination and gradient manipulation. Moreover, attackers may launch individual or collusive attacks, complicating the identification of malicious clients. To address these challenges, we propose a universal poisoning defense framework incorporating three key strategies. First, we decouple client identities from gradients through anonymous obfuscation and enhance privacy with differential noise injection. Second, we detect potential collusive attackers via a joint similarity-based approach. Third, we apply an iterative low-rank approximation-based anomaly detection to amplify discrepancies between benign and malicious clients and progressively filter out attackers. We theoretically demonstrate that anonymous obfuscation can enhance the privacy protection capability of differential privacy. Additionally, experimental results further validate that our scheme is comparable to or outperforms state-of-the-art defense methods against a variety of data and model poisoning attacks.
PaperID: 741,   
Authors:  Tianyu Lu, Liquan Chen, Junqing Zhang, Chen Chen, Trung Q. Duong, Michail Matthaiou
Affiliations: Centre for Wireless Innovation (CWI), Queen’s University Belfast, Belfast, U.K.; School of Cyber Science and Engineering, Southeast University, Nanjing, China; Department of Electrical Engineering and Electronics, University of Liverpool, Liverpool, U.K.; College of Astronautics, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Faculty of Engineering and Applied Science, Memorial University, St. John’s, NL, Canada
Title: Precoding Design for Key Generation in Extremely Large-Scale MIMO Near-Field Multi-User Systems
Abstract:
This paper develops a physical layer key generation (PLKG) scheme that utilizes artificial randomness in extremely large-scale multiple-input multiple-output (XL-MIMO) near-field multi-user communications to produce shared secret keys for legitimate users. Unlike traditional PLKG schemes, which rely on the variation of wireless channels, this approach introduces noise power via the precoding vectors to create dynamic fluctuations in the line-of-sight (LoS) channels, emulating the rapid changes typically observed in fast-fading channels. This artificial randomness ensures that the user equipment (UEs) can generate secret keys while effectively preventing potential eavesdropping from malicious eavesdroppers. In particular, a novel channel probing protocol is designed, enabling multiple UEs to simultaneously agree on secret keys with the base station (BS) using non-orthogonal pilots, which exploits the difference in the distances and spatial angles of UEs in near-field communications. Secondly, to maximize the secret key rate, an alternating optimization algorithm is proposed, solving two sub-optimization problems. The first sub-problem employs the singular value decomposition (SVD) method to identify the legitimate space and its orthogonal subspace for generating secret keys and preventing eavesdropping attacks, respectively. Subsequently, a Dinkelbach method-based power allocation algorithm is developed to allocate noise power to these two spaces. The second sub-problem uses a water-filling algorithm to implement power allocation among multiple UEs. Finally, to address the issue of precoding noise not being considered in the alternating optimization problem, a deep learning-based method is introduced, which further improves the performance of the scheme. Simulations demonstrate the efficiency of the proposed PLKG scheme over existing schemes.
PaperID: 742,   
Authors:  Chengtao Yao, Chengcheng Zhao, Zeyu Yang, Peng Cheng, Jiming Chen
Affiliations: State Key Laboratory of Industrial Control Technology and the College of Control Science and Engineering, Zhejiang University, Hangzhou, China; iTrust, Singapore University of Technology and Design, Changi, Singapore
Title: Verifying PLC Control Logic for Physical Module Integrity Guided by Wiring Diagrams
Abstract:
Physical modules are the basic functional units of industrial control systems, governed by Programmable Logic Controllers (PLCs) according to predefined control logic. Attackers can compromise the integrity of physical modules by tampering with control logic, potentially disrupting production or causing physical damage. While model checking can detect logic bugs that violate module integrity requirements, it depends heavily on domain-specific knowledge, which is traditionally summarized by human experts, limiting both scalability and completeness. This paper proposes DGVerifier, a wiring diagram-guided framework that automatically verifies two general integrity requirements of physical modules: action integrity and state transition integrity. DGVerifier can extract module-related information from PLC wiring diagrams, mine domain-specific knowledge to generate specifications, and also model PLC programs as automata for verification. Evaluation on two real-world systems—an Elevator Control System and an Automated Assembly Line Control System—shows DGVerifier can recover 89.3% (25/28) of the required specifications and identify four hidden logic bugs violating physical module integrity.
PaperID: 743,   
Authors:  Zelin Zhang, Yang Shi, Jiangfeng Li, Huaqun Wang, Tianyu Zhaolu
Affiliations: College of Computer Science and Technology, Tongji University, Shanghai, China; College of Computer, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: ABP-DKM: An Efficient Decentralized Key Management Scheme Based on Asymmetric Bivariate Polynomial
Abstract:
With the development of the industrial Internet, industrial Internet data has been growing rapidly, and so has the need for secure communications. In the context of industrial communication, it is essential to establish an effective session key between untrusted nodes. The prevailing key management schemes concentrate on key negotiation with the assistance of a central node through a man-in-the-middle approach. However, industrial field environments are typically characterised by harsh conditions, and any node may be damaged or subject to malicious compromise. This can result in the complete paralysis of communication within the entire system. Consequently, existing key management schemes are unable to fulfil the requisite performance requirements. In contrast to previous centralized or polycentric schemes, we propose an asymmetric bivariate polynomials-based novel efficient decentralized key management scheme (ABP-DKM). ABP-DKM achieves threshold switching through a twice-distribution method, which is more secure than other existing schemes. During the whole key negotiation process, ABP-DKM is decentralized. ABP-DKM is capable of not only peer-to-peer communication but also intra-group communication with forward and backward secrecy. The proposed scheme is more secure and efficient than the existing schemes.
PaperID: 744,   
Authors:  Yuancheng Li, Shuang Xu, Weijia Zhao, Qingle Wang
Affiliations: School of Control and Computer Engineering, North China Electric Power University, Beijing, China; State Grid Corporation of China, Information and Communication Branch, Beijing, China
Title: Sequential FDIAs Detection in Grid-Connected Battery Energy Storage Systems Based on GPformer
Abstract:
With the large-scale integration of Battery Energy Storage Systems (BESS) into Cyber-Physical Power Systems (CPPS), the measurement and control channels of BESS are increasingly becoming prime targets for cyber attackers. Sequential False Data Injection Attacks (FDIAs), as a novel form of cyber attack characterized by high stealth and persistence, pose a serious threat to the operational security of grid-connected BESS. By maliciously altering BESS measurement data across multiple consecutive time steps, attackers can evade traditional Bad Data Detection (BDD) mechanisms and mislead state estimation algorithms. This leads to significant deviations in the estimated State of Charge (SOC) of the BESS, potentially compromising system scheduling and stable control. More adversarially, attackers often simultaneously manipulate other measurement nodes in the local grid where the BESS is located, enhancing the attack’s deception and systematic impact. To address this challenge, this paper proposes a novel data-driven detection algorithm, GPformer, specifically designed to detect sequential FDIAs. From a cyber defense perspective, GPformer jointly models the temporal evolution and spatial interaction patterns of measurement data using a dual-Transformer encoder architecture with gated mechanisms, enabling the extraction of critical temporal and spatial features. Additionally, the ProbSparse self-attention mechanism is introduced to reduce redundant computations in the attention matrix, thereby improving deployment efficiency in resource-constrained environments. Experimental results on the IEEE 14-bus and IEEE 57-bus test systems demonstrate that GPformer achieves superior accuracy and robustness in detecting sequential FDIAs of varying intensities, significantly outperforming existing state-of-the-art data-driven methods.
PaperID: 745,   
Authors:  Jie Peng, Hongwei Yang, Hui He, Jing Zhao, Haoyu He, Hengji Dong, Weizhe Zhang
Affiliations: School of Cyberspace Science, Harbin Institute of Technology, Harbin, Heilongjiang, China; Department of Data Science and AI, Faculty of IT, Monash University, Melbourne, VIC, Australia
Title: LS2: Boosting Hidden Separation for Backdoor Defense With Learning Speed-Driven Label Smoothing
Abstract:
Backdoor attacks have become a security threat to deep neural networks (DNNs), in which an attacker embeds a secret behavior into a DNN by poisoning a few training data. To address the backdoor threat, some defense strategies employ outlier detection algorithms to identify poisoned samples in hidden representation space. However, these defenses remain vulnerable to adaptive attacks as their representation separability assumption could be broken. In this paper, we aim to boost existing defenses by leveraging insights from the label smoothing technique, demonstrating its effectiveness in distinguishing poison from benign samples. Our analysis uncovers the role of label smoothing as a regularization technique that enhances hidden class separability in the penultimate layer of a model. Building on the label smoothing, we introduce Learning Speed-driven Label Smoothing (LS2): a simple yet novel approach that assigns an adaptive smoothing rate based on the model’s “learning speed” for each sample. Extensive results show that LS2 can bolster the discernibility between poison and benign samples, enhancing the efficacy of defenses relying on hidden separability. Incorporated with LS2, existing hidden-separation-based defenses achieve state-of-the-art poison sample removal rates (Prm) against adaptive attacks. Code is available at https://github.com/JiePeng104/LS2
PaperID: 746,   
Authors:  Yadi He, Sitan Chen, Linfeng Liu
Affiliations: School of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Unlocking Mobile Phones by Rolling Wrists: A Novel Motion-Based Biometric Recognition Method
Abstract:
With the rapid development of Internet of Things and the increasingly popularized smart devices, the biometric recognition becomes a crucial component of facilitating some basic activities of daily living, and the biometric recognition has the outstanding advantages in terms of reliability and convenience. Various biometric characteristics have been applied to realize the biometric recognition for basic human activities, and new biometric characteristics are worth exploring to further enhance the convenience of our daily lives. This paper explores a new biometric characteristic (the wrist-rolling motion). By taking the mobile phone unlocking as the typical application of the biometric recognition, we verify that the wrist-rolling motion can become an available biometric characteristic with the aid of our designed deep learning model termed RTimesNet. Specifically, RTimesNet is composed of TimesBlocks, decomposition modules, and a multi-head ProbSparse self-attention module, and it exploits the periodicity of wrist-rolling motion to extract the time series features. TimesBlocks extract the features hidden in the wrist-rolling motion, and the decomposition modules decompose the output data of TimesBlocks into the trend-cyclical data and seasonal data, which are then evenly divided and inputted into the multi-head ProbSparse self-attention module for concatenation. In addition, a federated learning manner is adopted for the motion-based biometric recognition, thus avoiding the exchange of local data and protecting the privacy of users. Extensive experiments have been conducted, and the results demonstrate that the wrist-rolling motion can become an available biometric characteristic. Compared with other biometric recognition methods, our proposed method shows a faster unlocking speed and requires less data storage with a satisfactory biometric recognition accuracy.
PaperID: 747,   
Authors:  Tong Chen, Jiakai Wang, Jiejie Zhao, Bowen Du, Haiquan Wang, Xiaoshan Bai, Zheng Lin, Xianglong Liu
Affiliations: State Key Laboratory of Complex and Critical Software Environment (CCSE), Beihang University, Beijing, China; Zhongguancun Laboratory, Beijing, China; School of Software, Beihang University, Beijing, China; Department of Computer Science and Technology, Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University, Beijing, China
Title: Dual Dependency Disentangling for Defending Model Inversion Attacks in Split Federated Learning
Abstract:
Recent studies have revealed that Split Federated Learning (SFL) is vulnerable to Model Inversion (MI) attacks, where the attacker can reconstruct clients’ raw data by exploiting collected features. Though achieving results, current defenses are unsatisfactory due to the limited ability to suppress the sensitive information while preserving task-conducive information within features. Since such limited ability can be attributed to insufficient disentanglement of data-feature and feature-task dependencies, we propose a Dual Dependency Disentangling framework for SFL (D3SFL) to strengthen defense ability against MI attacks while maintaining the utility. Specifically, we first propose a variable-structure data-feature dependency decoupling module, which produces privacy-preserving features by learning input-specific sub-networks, therefore enhancing the disentanglement of data-feature dependencies to hide sensitive information. Then, we propose a stochastic feature-task dependency separating module that adopts sparse binary masks to preserve the target-task-critical features and reduce sensitive information, resulting in effective disentanglement of feature-task dependencies for lower privacy leakage and better utility maintenance. Extensive experiments on image-classification datasets (CIFAR-100 and FaceScrub) and the time-series dataset (METR-LA) show that D3SFL outperforms the comparisons, achieving remarkable defense ability against MI attacks (with up to 54×, 17×, and 18× reconstruction MSE on average, respectively) while maintaining better utility (with only 0.13% and 0.06% Accuracy drops over the standard SFL on CIFAR-100 and FaceScrub, respectively, and only a 0.03 MAE increase on METR-LA over CNFGNN). Our code is available at https://github.com/Shawn-CT/D3SFL
PaperID: 748,   
Authors:  Kunlan Xiang, Haomiao Yang, Meng Hao, Shaofeng Li, Haoxin Wang, Zikang Ding, Wenbo Jiang, Tianwei Zhang
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; Singapore Management University, Bras Basah, Singapore; School of Computer Science and Engineering, Southeast University, Nanjing, China; Sichuan University, Chengdu, China; School of Computer Science and Engineering, Nanyang Technological University, Jurong West, Singapore
Title: The Gradient Puppeteer: Adversarial Domination in Gradient Leakage Attacks Through Model Poisoning
Abstract:
In Federated Learning (FL), clients share gradients with a central server while keeping their data local. However, malicious servers could deliberately manipulate the models to reconstruct clients’ data from shared gradients, posing significant privacy risks. Although such Active Gradient Leakage Attacks (AGLAs) have been widely studied, they suffer from two severe limitations: 1) coverage: no existing AGLAs can reconstruct all samples in a batch from the shared gradients; 2) stealthiness: no existing AGLAs can evade principled checks of clients. In this paper, we address these limitations with two core contributions. First, we introduce a new theoretical analysis approach, which uniformly models AGLAs as backdoor poisoning. This analysis approach reveals that the core principle of AGLAs is to bias the gradient space to prioritize the reconstruction of a small subset of samples while sacrificing the majority, which theoretically explains the above limitations of existing AGLAs. Second, we propose Enhanced Gradient Global Vulnerability (EGGV), the first AGLA that achieves complete attack coverage while evading client-side detection. In particular, EGGV employs a gradient projector and a jointly optimized discriminator to assess gradient vulnerability, steering the gradient space toward the point most prone to data leakage. Extensive experiments show that EGGV achieves complete attack coverage and surpasses state-of-the-art (SOTA) with at least a 43% increase in reconstruction quality (PSNR) and a 45% improvement in stealthiness (D-SNR).
PaperID: 749,   
Authors:  Yunyi Huang, Jiahui Hou, Chuang Zhao, Jie Zhang, Tie Xiao, Xiang-Yang Li
Affiliations: School of Computer Science and Technology, University of Science and Technology of China, Hefei, China
Title: SCOPE: Bridging Explicit and Implicit Privacy Leakage for Quantitative Image Privacy Evaluation
Abstract:
The rapid growth of social media has led to the widespread uploading of private images to online networks, raising significant privacy concerns. Existing methods for image privacy assessment typically operate at coarse granularity, lack support for personalized settings, and primarily focus on explicit, entity-centered content. However, such approaches neglect implicit privacy, which refers to private information inferred from contextual cues rather than from any single identifiable visual entity, leading to a substantial underestimation of overall privacy risks. In this work, we introduce a novel perspective by distinguishing image privacy information into explicit and implicit categories based on whether it corresponds to a single identifiable visual entity. Building on this distinction, we propose SCOPE (Systematic Context-based Observation for Privacy Evaluation), a unified framework that systematically incorporates both explicit and implicit privacy across the entire image privacy lifecycle, encompassing explicit and implicit information detection, quantitative risk assessment, and explainable privacy protection. SCOPE integrates context-aware image graphs with a concept-anchored ontology graph, enabling the incorporation of multi-source information to infer implicit privacy risks at both object and event levels. It further introduces novel qualitative and quantitative privacy metrics that jointly assess image-level privacy risks based on explicit and implicit content, and provides explainable mechanisms to guide implicit privacy protection. Experimental results demonstrate that SCOPE achieves 97.02% object-level and 88.37% event-level implicit privacy inference accuracy, outperforming previous methods by 15.88% and 21.83%, respectively. Extensive experiments and a user study further confirm the validity of our privacy assessment metrics and the effectiveness of the protection mechanisms. Our dataset is available at https://github.com/Hytufan/SCOPE
PaperID: 750,   
Authors:  Jiguo Yu, Hongliang Zhang, Qi Xia, Yifei Zou, Yangyang Liu
Affiliations: School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China; Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Computer Science and Technology, Shandong University, Qingdao, Shandong, China
Title: LPP-FL: A Lightweight Privacy-Preserving Federated Learning Against Byzantine Attacks on Non-IID Data
Abstract:
As a distributed computing paradigm, federated learning (FL) enables multiple clients to cooperatively train in edge scenarios without sharing raw training data. Nonetheless, FL is vulnerable to Byzantine attacks due to its distributed nature. While numerous solutions have been proposed, they ignore the inconsistency of local models among clients caused by data heterogeneity (i.e., Non-IID), which severely degrades the performance of FL. Moreover, to further protect client privacy, complex security algorithms are integrated into FL, which seriously increases the privacy computation overhead on edge nodes. To tackle the above issues, this paper proposes a lightweight privacy-preserving federated learning framework, named LPP-FL, significantly improving the performance of FL against Byzantine attacks with Non-IID data. Specifically, we incorporate a correction-term into local model training to mitigate the inconsistency of local models among clients caused by data heterogeneity. Moreover, we design a secure protocol that is deployed on two servers, which achieves Byzantine-robust aggregation results while providing lightweight privacy protection for clients. Theoretical analysis demonstrates the security and robustness of LPP-FL. Extensive experiments show that LPP-FL exhibits superior performance against Byzantine attacks across various data distributions.
PaperID: 751,   
Authors:  Soumi Chatterjee, Durba Chatterjee, Aritra Hazra, Debdeep Mukhopadhyay
Affiliations: Indian Institute of Technology Kharagpur, Kharagpur, India; Radboud University, Nijmegen, The Netherlands
Title: PLAnCo: Provable Learnability Analysis of Generic APUF Compositions Using Finite Automata Models
Abstract:
Delay-based physically unclonable functions (PUFs) have been a popular candidate for hardware-based root-of-trust owing to their capability to implement “secret-free” cryptography in low-end devices. These are specialized circuits that leverage the intrinsic variabilities of their host device to realize a pseudorandom instance-specific Boolean function in hardware. Since the emergence of this primitive, there has been an ongoing make-and-break game where attackers propose novel attack strategies to model PUF constructions, and designers try to come up with fortified constructions to mitigate the state-of-the-art attacks. In this work, we present a formal learnability analysis framework based on an automata-based model and prove that any APUF-based PUF composition is PAC learnable. First, we introduce a formal framework for representing delay-based PUFs as deterministic finite automata (DFA), leading to a polynomial-sized representation of any arbitrary composition. Next, we establish the provable learnability of DFA compositions in the distribution-independent PAC model, achieving polynomial space and time complexity. To validate our theoretical findings, we conduct extensive experiments on simulated and FPGA implementations of PUF constructions using the PyPUF framework, thereby demonstrating the practicality/feasibility of our results.
PaperID: 752,   
Authors:  Xi Luo, Lihua Yin, Hongyu Yang, Zeyan Liu, Weizhe Chen, Shijie Jia, Bo Luo, Hongli Xiang
Affiliations: Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China; Department of EECS and the Institute of Information Sciences, The University of Kansas, Lawrence, KS, USA; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: SnifferDog: Comprehensively Learning Heterogeneous Features of Network Traffic to Identify Malicious Flows
Abstract:
Deep learning has recently attracted significant attention in the field of network intrusion detection. Although a substantial number of efforts have been made, previous works struggle to comprehensively learn the features of network traffic, resulting in inconsistent performance across various environments and attacks. To address these limitations, this study presents SnifferDog, a novel network attack detection system that takes raw packets as input and rationally extracts and integrates heterogeneous features involved in packets, flows and topology. It formats the packets and flows concurrently to achieve high throughput for feature learning. Then, a flow pretraining model consisting of an LSTM, a self-attention layer and a cross-attention layer is developed to learn both sequential and nonsequential inter-packet relation features as initial flow vectors. Subsequently, node-to-node and node-to-edge attention layers are implemented to enhance an inductive GNN model that dynamically embeds the flow-to-flow and flow-to-topology relation features into the flow vectors. The resulting flow vectors involve comprehensive information of packet-to-packet, flow-to-flow and flow-to-topology relations, enabling high detection performance. In-lab experiments across eight datasets from diverse environments demonstrate SnifferDog’s superior effectiveness over existing solutions. A scalable prototype deployed in our institute’s network achieves a false positive rate of only 0.08%, validating SnifferDog’s practicality in real-world scenarios.
PaperID: 753,   
Authors:  Jianping Cai, Tianqing Zhu, Qingqing Ye, Zuobin Ying, Wanlei Zhou
Affiliations: Faculty of Data Science, City University of Macau, Macau, China; Department of Electrical and Electronic Engineering, The Hong Kong Polytechnic University, Hong Kong, China
Title: Enhancing Federated Learning With Differentially Private Continuous Data Release via k-Ary Trees
Abstract:
Applying differential privacy (DP) to federated learning (FL) effectively safeguards participants’ training data against privacy threats, yet the stringent availability requirements of FL present a significant challenge in optimizing accuracy while ensuring privacy. Integrating differential privacy continuous data release (DPCR) into private FL mitigates the errors accumulating on intermediate parameter models securely, thereby enhancing accuracy, with performance gains driven by developing advanced DPCR models. In this context, we propose a k-ary Tree-based DPCR (kTCR) model to provide deeper and more flexible error optimization, thereby promoting a robust accuracy enhancement for private FL. Our kTCR model introduces Variance Optimal Estimation (VOE) and privacy budget allocation (PBA) methods to optimize accuracy, posing significant efficiency challenges simultaneously. With rigorous mathematical analysis, we reduce the computational complexity of VOE from O(t^3) to O(lg t), then introduce a meta-factor method that transforms the challenging PBA issues into a convex optimization problem with significantly reduced variables (e.g., a 3-ary tree with 5.23 × 10^9 nodes requiring only 61 variables), thus yielding high efficiencies. Our experiments on classical datasets demonstrate that our kTCR model with appropriate k outperforms the state-of-the-art ABCRG by 0.7% to 2.0% in accuracy and traditional private FL by 5.5% to 18.7%. Further experiments demonstrate that adjusting the arity k effectively reduces the Pre-aggregation Error, leading to a further 2.09% accuracy gain. Our achievements both improve the accuracy of private FL and provide new insights into building high-availability FL with DP.
PaperID: 754,   
Authors:  Hongbin Luo, Hongyi Li, Shan Zhang, Yuxin Mao, Zhiyuan Wang
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; China Satellite Network Innovation Company Ltd., Beijing, China; School of Computer Science and Engineering, Beihang University, Beijing, China
Title: Achieving Packet Traceback by Inferring AS-Level Topology Based on Cryptographic Path Identifiers
Abstract:
Although the Internet has become a huge system with more than 70,000 autonomous systems (ASes) in the past decades, the lack of coherent security has left the Internet vulnerable to various cyber attacks (e.g., DDoS). There are many studies on tracing back malicious packets, aiming to figure out which AS the attacker is in and which ASes the malicious packets traverse. However, it is hard to achieve per-packet traceback under the traditional TCP/IP architecture, since it is agnostic to the AS-level paths. In this paper, we focus on another clean-slate Internet architecture called path-aware networking (PAN). Typical PAN architectures include SCION, CoLoR, and LIPSIN. Under PAN architectures, the in-packet path identifiers (PIDs) enable us to infer the AS-level topology and then trace back each malicious packet accurately. Despite the powerful traceback capability, there is no study on this topology inference problem as far as we know. This is because PAN architectures adopt different path identification methods, thus the topology inference problems have different formulations. In this paper, we would like to take an initial step and investigate how to infer the AS-level topology under a specific PAN architecture, CoLoR, which adopts cryptographic path identification. Specifically, an AS or an end-host acts as the observer and collects PID sequences in the packets traversing it. The observer then infers the AS-level topology based on the collected PID sequences. Extensive simulations show that the accuracy of our proposed topology inference method is greater than 95%. The inferred AS-level topology can be used to monitor network traffic, detect traffic anomalies and trace back attackers, and is thus helpful for enhancing network security and mission-critical applications (e.g., blockchain).
PaperID: 755,   
Authors:  George Stamatelis, Angelos-Nikolaos Kanatas, Ioannis Asprogerakas, George C. Alexandropoulos
Affiliations: Department of Informatics and Telecommunications, National and Kapodistrian University of Athens, Panepistimiopolis Ilissia, Athens, Greece; School of Electrical and Computer Engineering, National Technical University of Athens, Zografou Campus, Athens, Greece
Title: Evasive Active Hypothesis Testing With Deep Neuroevolution: The Single- and Multi-Agent Cases
Abstract:
Active hypothesis testing is a thoroughly studied problem that finds numerous applications in wireless communications and sensor networks. In this paper, we focus on one centralized and one decentralized problem of active hypothesis testing in the presence of an eavesdropper. For the centralized problem including a single legitimate agent, we present a new framework based on deep NeuroEvolution (NE), whereas, for the decentralized problem, we develop a novel NE-based method for solving collaborative multi-agent tasks, which, interestingly, maintains all computational benefits of our single-agent NE-based scheme. To further reduce the computational complexity of the latter scheme, a novel multi-agent joint NE and pruning framework is also designed. The superiority of the proposed NE-based evasive active hypothesis testing schemes over conventional active hypothesis testing policies, as well as learning-based methods, is validated through extensive numerical investigations in an example use case of anomaly detection over wireless sensor networks. It is demonstrated that the proposed joint optimization and pruning framework achieves nearly identical performance to its unpruned counterpart, while removing a very large percentage of redundant deep neural network weights.
PaperID: 756,   
Authors:  Zheyuan Ma, Xi Tan, Lukasz Ziarek, Ning Zhang, Shambhu J. Upadhyaya, Hongxin Hu, Ziming Zhao
Affiliations: Department of Computer Science and Engineering, University at Buffalo, Buffalo, NY, USA; CactiLab, Boston, USA; Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA
Title: Microft: Exploring and Mitigating Cross-State Control-Flow Hijacking Attacks on ARM Cortex-M TrustZone
Abstract:
ARM Cortex-M is one of the most popular microcontroller architectures designed for deeply embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimizations. Specifically, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we present Microft – exploring and mitigating cross-state control-flow hijacking attacks on ARM Cortex-M TrustZone. In particular, we first demonstrate how Cortex-M TrustZone’s fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We present the detailed methodology of ret2ns attacks in two representative cases and experimentally confirm the feasibility of four variants of attacks on two hardware platforms. To defend against ret2ns attacks, we design three address sanitizing mechanisms while imposing a negligible performance overhead of less than 0.1%. The first mechanism is a generic MPU-assisted address sanitizer, while the second and third mechanisms are more efficient software-fault isolation based approaches that assume the userspace and kernel space programs are placed in different and known memory regions.
PaperID: 757,   
Authors:  Haiyi Xu, Lei Zhang, Yufei Yuan
Affiliations: Trusted Computing and Information Assurance Laboratory, Institute of Software Chinese Academy of Science, Beijing, China
Title: A Novel Evaluation Algorithm for Identifying Optimal Datasets in Differential-Based Neural Distinguisher
Abstract:
Recently, the cryptography community has witnessed growing interest in a novel attack called Differential Neural Cryptanalysis, which combines deep learning with differential cryptanalysis. This approach has demonstrated superior performance compared to classical techniques for certain ciphers. However, the differential-based neural distinguisher, as its core component, is highly specialized and presents challenges in adapting to other ciphers. Two major challenges limit its broader applicability: the lack of efficient methods for identifying high-quality input differences, which are critical for constructing datasets to train differential-based neural distinguishers; and the dependence on customized neural network structures tailored to specific ciphers. In this paper, we address the first challenge by introducing a new evaluation metric, the Differential Distribution Cluster (DDC) degree, inspired by information entropy. This metric provides a reliable measure for evaluating input differences and enables the construction of optimal datasets. Using the DDC degree, our proposed two-stage evaluation algorithm achieves significant time efficiency, evaluating each input difference in approximately 1.028 seconds. We apply the algorithm to several Feistel, SPN, and ARX-type block ciphers, successfully identifying their optimal input differences. Notably, we provide the first differential-based neural distinguishers for 7-round Gift-64, 8-round Gift-128, and 11-round Speck128/256, and improve the state-of-the-art for LBlock, Hight, and Speck64/128.
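The abstract does not define the DDC degree, so the following is only a generic illustration of the underlying idea (an input difference is "good" for a neural distinguisher when its output differences cluster instead of looking uniform). It is an added example, not the authors' code or metric: it scores candidate input differences by the Shannon entropy of the empirical output-difference distribution on a constructed toy 16-bit SPN. The S-box is PRESENT's; the permutation, round count, candidate differences and sample sizes are assumptions made for the demo.

```python
import math
import random
from collections import Counter

# Toy 16-bit SPN (four 4-bit S-boxes, a bit permutation, XOR round keys).
# Constructed for illustration; it is not any cipher from the paper.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Bit i of the state moves to position PERM[i]; 4*i mod 15 is a bijection on 0..14.
PERM = [(4 * i) % 15 for i in range(15)] + [15]


def sub_nibbles(x):
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def permute(x):
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << PERM[i]
    return y


def encrypt(x, round_keys):
    # len(round_keys) == rounds + 1: one key per round plus a final whitening key
    for k in round_keys[:-1]:
        x = permute(sub_nibbles(x ^ k))
    return x ^ round_keys[-1]


def output_difference_entropy(delta_in, rounds, n_pairs, seed=0):
    """Shannon entropy (bits) of the empirical output-difference distribution for
    plaintext pairs with XOR difference delta_in, each pair under a fresh random key.
    Low entropy means the output differences cluster, which is the signal a neural
    distinguisher can learn; an entropy close to log2(n_pairs) means the sampled
    output differences are essentially all distinct, i.e. a useless training set."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_pairs):
        keys = [rng.getrandbits(16) for _ in range(rounds + 1)]
        p0 = rng.getrandbits(16)
        counts[encrypt(p0, keys) ^ encrypt(p0 ^ delta_in, keys)] += 1
    return -sum((c / n_pairs) * math.log2(c / n_pairs) for c in counts.values())


def rank_input_differences(candidates, rounds, n_pairs, seed=0):
    """Order candidate input differences from most to least clustered output."""
    return sorted(candidates,
                  key=lambda d: output_difference_entropy(d, rounds, n_pairs, seed))


if __name__ == "__main__":
    cands = [0x0001, 0x0011, 0x1111, 0xFFFF]
    for r in (1, 2, 3):
        ranked = rank_input_differences(cands, r, 2000)
        print(f"{r} round(s):", [f"{d:04x}" for d in ranked])
```

Single-nibble differences rank first for few rounds because at most 15 distinct output differences can appear after one S-box layer; as rounds are added the entropy of every candidate climbs toward log2(n_pairs), which is the point at which no distinguisher can be trained on that many samples.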
PaperID: 758,   
Authors:  Zhiting Xiang, Shuyuan Yang, Zhixi Feng
Affiliations: School of Artificial Intelligence, Xidian University, Xi’an, China
Title: SC3: Similarity Connotation Masking Guided Contrastive Clustering for Unsupervised Specific Emitter Identification
Abstract:
Recently, contrastive clustering (CC) has exhibited considerable advantages for unsupervised specific emitter identification (USEI). However, emitter signals consist of connotative information, fingerprint information, and noise. As meaningful information transmitted by signals, connotation information hinders the extraction of discriminative fingerprints from emitter signals. In this paper, a novel Similarity Connotation Masking guided Contrastive Clustering (SC3) method is proposed for USEI. First, SC3 generates pairs of emitter signal samples with connotative exclusivity through the connotation masking module (CMM). Second, a translation-invariant multi-scale fingerprint extractor (TIMFE) with a wide receptive field is designed to efficiently extract and decouple fingerprints. By separating the connotation information from the sample pairs in CC and learning robust features via TIMFE, SC3 could obtain accurate radio frequency fingerprints (RFFs) from degraded emitter signals. Extensive experiments are conducted on several datasets, including CBRS, Wi-Fi, and XSRP datasets. The numerical results indicate that the proposed SC3 method consistently outperforms state-of-the-art algorithms regarding four clustering indicators. Code available: https://github.com/2017212073/SC3
PaperID: 759,   
Authors:  Shuang Hu, Ziyu Zhou, Pengjun Wang, Yuejun Zhang
Affiliations: Faculty of Electrical Engineering and Computer Science, Ningbo University, Ningbo, China; College of Electrical and Electronic Engineering, Wenzhou University, Wenzhou, China
Title: A Hierarchical Cooperative Authentication Protocol for Attack-Resilient UAV Swarms With Ultra-Low Overhead
Abstract:
Uncrewed Aerial Vehicle (UAV) swarm networks have gained increasing significance in daily life and work. However, current UAV authentication protocols face critical security challenges such as high computational overhead, complex key management, and vulnerabilities to network attacks. This paper proposes a hierarchical authentication protocol that enhances resilience against attacks while maintaining ultra-low overhead. The protocol employs a two-tier mutual authentication architecture, comprising authentication between the base station and the server, and between the server and the UAV leader. This design effectively reduces the risk of single-point failure and improves scalability in large-scale swarm scenarios. Physical unclonable function (PUF) technology establishes secure UAV identities and, combined with randomized leader election, enhances security, reduces overhead, and increases attacker localization complexity. This paper presents a lightweight cryptographic strategy that combines hash-based challenge encryption and XOR-based response obfuscation to disrupt predictable PUF challenge-response mappings, countering machine learning (ML)-based modeling attacks. The proposed protocol passes security tests using ProVerif and Scyther. The scheme achieves 58.21% lower communication costs than existing approaches, with an authentication overhead of 58.04 μs.
PaperID: 760,   
Authors:  Zhongliang Guo, Chun Tong Lei, Lei Fang, Shuai Zhao, Yifei Qian, Jingyu Lin, Zeyu Wang, Cunjian Chen, Ognjen Arandjelovic, Chun Pong Lau
Affiliations: School of Computer Science, University of St Andrews, St Andrews, U.K.; Department of Data Science, City University of Hong Kong, Hong Kong, China; College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore; School of Computer Science, University of Nottingham, Nottingham, U.K.; Department of Data Science and Artificial Intelligence, Monash University, Melbourne, Australia; College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou, China
Title: A Gray-Box Attack Against Latent Diffusion Model-Based Image Editing by Posterior Collapse
Abstract:
Recent advancements in Latent Diffusion Models (LDMs) have revolutionized image synthesis and manipulation, raising significant concerns about data misappropriation and intellectual property infringement. While adversarial attacks have been extensively explored as a protective measure against such misuse of generative AI, current approaches are severely limited by their heavy reliance on model-specific knowledge and substantial computational costs. Drawing inspiration from the posterior collapse phenomenon observed in VAE training, we propose the Posterior Collapse Attack (PCA), a novel framework for protecting images from unauthorized manipulation. Through comprehensive theoretical analysis and empirical validation, we identify two distinct collapse phenomena during VAE inference: diffusion collapse and concentration collapse. Based on this discovery, we design a unified loss function that can flexibly achieve both types of collapse through parameter adjustment, each corresponding to different protection objectives in preventing image manipulation. Our method significantly reduces dependence on model-specific knowledge by requiring access to only the VAE encoder, which constitutes less than 4% of LDM parameters. Notably, PCA achieves prompt-invariant protection by operating on the VAE encoder before text conditioning occurs, eliminating the need for empty prompt optimization required by existing methods. This minimal requirement enables PCA to maintain adequate transferability across various VAE-based LDM architectures while effectively preventing unauthorized image editing. Extensive experiments show PCA outperforms existing techniques in protection effectiveness, computational efficiency (runtime and VRAM), and generalization across VAE-based LDM variants. Our code is available at https://github.com/ZhongliangGuo/PosteriorCollapseAttack
PaperID: 761,   
Authors:  Zihan Ma, Minnan Luo, Zhi Zeng, Herun Wan, Yifei Li, Xiang Zhao
Affiliations: School of Computer Science and Technology, Xi'an Jiaotong University, Xi’an, China; State Key Laboratory of Communication Content Cognition, National University of Defense Technology, Changsha, China
Title: Graphing the Truth: Harnessing Causal Insights for Advanced Multimodal Fake News Detection
Abstract:
Fake news data, often sampled from the same communities, results in the veracity of news being highly correlated with certain textual and visual entities. This correlation leads fake news classification models to be prone to shortcut learning, quickly overfitting by capturing only shallow spurious correlations between labels and features. Consequently, neural networks trained on such data suffer from poor generalization and potential misclassification under distribution shifts. To address these critical challenges and enhance the robustness of fake news detection, in this paper, we propose a DIsentanglement-based Causality-awarE fake news detection method (DICE). DICE introduces a novel paradigm that moves beyond merely mitigating known correlations or relying on predefined bias categories. Specifically, DICE dynamically constructs multimodal news into a graph neural network, employing learnable node and edge mask disentanglers to effectively model and separate genuine causal relationships from spurious correlations between multimodal features and veracity labels. To reinforce this disentanglement process, we design a novel optimization framework that minimizes extrapolation risk and enforces representation orthogonality, leading to robust disentangled causal and biased representations. Extensive experiments demonstrate that DICE achieves superior performance on five large-scale fake news detection benchmarks. Additionally, our evaluation on a heavily biased fake news dataset demonstrates DICE’s strong generalization, suggesting its potential to inform a new paradigm in causal fake news detection. The code repo is available: https://github.com/mazihan880/DICE_Code/
PaperID: 762,   
Authors:  Yiling Chen, Tianyi Wei, Nenghai Yu
Affiliations: University of Science and Technology of China, Hefei, Anhui, China; Nanyang Technological University, Jurong West, Singapore
Title: Antiano: A Series of Attacks Exploiting Vulnerabilities in Deep Face Anonymization Algorithms
Abstract:
Deep learning-based techniques for facial anonymization strive to protect identity details while preserving image usability. We present Antiano, the first work to reveal possible security risks associated with deep learning-based facial anonymization algorithms. By evaluating the entire anonymization process, we introduce a framework comprising four attack types: Anonymization Deactivation Attack, ID Destruction Attack, Downstream Task Attack, and Attribute Attack. These attacks aim to undermine anonymization effectiveness, mislead anonymized outputs and downstream tasks, or modify facial attributes in subtle ways. For each scenario, we develop novel strategies that craft perturbations tailored to a user’s face and transferable across different keys and models. Experimental findings reveal that Antiano achieves significant attack effectiveness against various reversible anonymization models, highlighting security vulnerabilities in current deep learning anonymization algorithms. This paper also distinguishes Antiano from traditional adversarial attacks and provides security recommendations for the future development of facial anonymization technologies.
PaperID: 763,   
Authors:  Hang Zou, Chenxi Du, Ajian Liu, Yuan Zhang, Jing Liu, Mingchuan Yang, Jun Wan, Hui Zhang, Zhenan Sun
Affiliations: China Telecom Research Institute, Beijing, China; Southern University of Science and Technology (SUSTech), Shenzhen, China; Institute of Automation Chinese Academy of Sciences (CASIA), Beijing, China; Tianjin University of Science and Technology, Tianjin, China
Title: Toward Generalized Iris Presentation Attack Detection: A Mask-and-Distill Mixture of Experts Approach
Abstract:
Iris Presentation Attack Detection (PAD) is critical for securing recognition systems, yet its practical deployment is severely hindered by the poor generalization of models across different acquisition devices and diverse datasets. To address this persistent cross-domain challenge, we first introduce a comprehensive evaluation framework, the Iris Presentation Attack Detection Cross-Domain-Testing (IPAD-CDT) Protocol, designed to evaluate the model robustness in these scenarios. Our core contribution is a novel Masked Mixture-of-Experts (MMoE) method, which enhances the generalization of Transformer-based architectures. MMoE introduces a structured information asymmetry, where “student” Experts learn robust features from masked inputs by distilling knowledge from an unmasked “teacher” Expert via a cosine distance loss. This mask-and-distill mechanism effectively mitigates overfitting and guides the model to learn domain-invariant cues. By integrating MMoE into a CLIP-based model, we conduct extensive experiments on our IPAD-CDT protocol. The results demonstrate that our method sets a new state-of-the-art, significantly outperforming existing models, especially in the challenging cross-dataset and cross-device settings.
PaperID: 764,   
Authors:  Xueqiang Han, Jinyang Huang, Meng Li, Chao Cai, Tianyue Zheng
Affiliations: Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, China; School of Computer and Information, Hefei University of Technology, Hefei, China; College of Life Science and Technology, Huazhong University of Science and Technology, Wuhan, China
Title: Loki: Physical-World Adversarial Attacks on Wireless Indoor Localization via Differentiable Object Placement
Abstract:
As a cornerstone for numerous sensing applications, wireless indoor localization has been a pivotal area of research over the last two decades. While techniques such as jamming, spoofing, and adversarial perturbation have been exploited to compromise wireless indoor localization, existing attacks face challenges in accessibility to wireless systems and stealthiness. To address these limitations, we introduce Loki, a novel physical-world attack on wireless indoor localization via differentiable object placement. Specifically, we develop a differentiable wireless ray-tracing technique that allows us to optimize object placement in the scene. By repositioning an existing object in the scene by just a few centimeters, Loki fools existing wireless indoor localization systems into generating erroneous localization results. We also show via experiments that the object placement generated by Loki aligns with wireless sensing theory (e.g., the forward scattering region and Fresnel zone), confirming its explainability. Additionally, Loki proves effective across various localization models and scenarios, highlighting its generalizability.
PaperID: 765,   
Authors:  Jiaxiang Zhang, Bo Wang, Zhennan Liang, Huayu Fan, Quanhua Liu
Affiliations: Key Laboratory of Electronic and Information Technology in Satellite Navigation, Ministry of Education, Beijing Institute of Technology, Beijing, China; Radar Research Laboratory, School of Information and Electronics, Beijing Institute of Technology, Beijing, China
Title: GC-DRQN: Enhancing Radar Anti-Jamming Performance With Supervised Auxiliary Tasks and Deterministic Rewards
Abstract:
Self-defense suppression jammers pose a critical threat to radar by adaptively altering jamming frequencies based on intercepted radar pulses, which can mask the real targets. An effective countermeasure is to transmit a cover pulse before the detection pulse to deceive the jammer. In order to maximize radar detection performance while ensuring successful anti-jamming, reinforcement learning (RL) methods are employed to dynamically adjust the width ratio between the cover pulse and the detection pulse based on the jamming state and reward feedback. However, unknown jammer interception durations and interception-jamming cycles, along with the random feedback affected by noise, pose significant challenges to the pulse width selection based on RL methods. Inspired by biological intelligence to enhance RL, we propose a supervised learning (SL)-based general auxiliary task framework that emulates the spatiotemporal encoding characteristics of grid cells and time cells in mammalian brains to extract richer and more structured environmental information. Building on this, we introduce a flexible grid cell-deep recurrent Q-network (GC-DRQN) architecture, integrating SL and RL, which improves the performance of RL in handling tasks with temporal dependencies. Additionally, we implement a deterministic equivalent reward mechanism to overcome the instability in the RL convergence process caused by random rewards. Simulation results demonstrate that the pulse transmission strategy learned by GC-DRQN achieves significantly higher target detection probabilities compared to several baseline methods. Notably, in a low signal-to-noise ratio (SNR) scenario, GC-DRQN improves the target detection probability and convergence speed of DRQN by up to twofold.
PaperID: 766,   
Authors:  Cheng Wei, Yang Wang, Kuofeng Gao, Shuo Shao, Yiming Li, Zhibo Wang, Zhan Qin
Affiliations: State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou, China; Tsinghua Shenzhen International Graduate School, Tsinghua University, Shenzhen, China
Title: PointNCBW: Toward Dataset Ownership Verification for Point Clouds via Negative Clean-Label Backdoor Watermark
Abstract:
Recently, point clouds have been widely used in computer vision, whereas their collection is time-consuming and expensive. As such, point cloud datasets are the valuable intellectual property of their owners and deserve protection. To detect and prevent unauthorized use of these datasets, especially for commercial or open-sourced ones that cannot be sold again or used commercially without permission, we intend to identify whether a suspicious third-party model is trained on our protected dataset under the black-box setting. We achieve this goal by designing a scalable clean-label backdoor-based dataset watermark for point clouds that ensures both effectiveness and stealthiness. Unlike existing clean-label watermark schemes, which were susceptible to the number of categories, our method can watermark samples from all classes instead of only from the target one. Accordingly, it can still preserve high effectiveness even on large-scale datasets with many classes. Specifically, we perturb selected point clouds with non-target categories in both shape-wise and point-wise manners before inserting trigger patterns without changing their labels. The features of perturbed samples are similar to those of benign samples from the target class. As such, models trained on the watermarked dataset will have a distinctive yet stealthy backdoor behavior, i.e., misclassifying samples from the target class whenever triggers appear, since the trained DNNs will treat the inserted trigger pattern as a signal to deny predicting the target label. We also design a hypothesis-test-guided dataset ownership verification based on the proposed watermark. Extensive experiments on benchmark datasets are conducted, verifying the effectiveness of our method and its resistance to potential removal methods. The codes are available at https://github.com/weic0810/PointNCBW.
PaperID: 767,   
Authors:  Ruikang Chen, Yan Yan, Jing-Hao Xue, Yang Lu, Hanzi Wang
Affiliations: Fujian Key Laboratory of Sensing and Computing for Smart City, School of Informatics, Xiamen University, Xiamen, China; Department of Statistical Science, University College London, London, U.K.
Title: Augmentation Matters: A Mix-Paste Method for X-Ray Prohibited Item Detection Under Noisy Annotations
Abstract:
Automatic X-ray prohibited item detection is vital for public safety. Existing deep learning-based methods all assume that the annotations of training X-ray images are correct. However, obtaining correct annotations is extremely hard if not impossible for large-scale X-ray images, where item overlapping is ubiquitous. As a result, X-ray images are easily contaminated with noisy annotations, leading to performance deterioration of existing methods. In this paper, we address the challenging problem of training a robust prohibited item detector under noisy annotations (including both category noise and bounding box noise) from a novel perspective of data augmentation, and propose an effective label-aware mixed patch paste augmentation method (Mix-Paste). Specifically, for each item patch, we mix several item patches with the same category label from different images and replace the original patch in the image with the mixed patch. In this way, the probability of containing the correct prohibited item within the generated image is increased. Meanwhile, the mixing process mimics item overlapping, enabling the model to learn the characteristics of X-ray images. Moreover, we design an item-based large-loss suppression (LLS) strategy to suppress the large losses corresponding to potentially positive predictions of additional items due to the mixing operation. We show the superiority of our method on X-ray datasets under noisy annotations. In addition, we evaluate our method on the noisy MS-COCO dataset to showcase its generalization ability. These results clearly indicate the great potential of data augmentation to handle noisy annotations. The source code is released at https://github.com/wscds/Mix-Paste.
PaperID: 768,   
Authors:  Zeyu Zhao, Yueneng Wang, Ke Xu, Tanfeng Sun, Xinghao Jiang
Affiliations: School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: HEVC Video Adversarial Samples Detection via Joint Features of Compression and Pixel Domains
Abstract:
Deep learning models are currently under significant threat from adversarial attacks, while adversarial detection represents an effective means of countering such assaults. However, existing adversarial detection techniques are deficient in localizing video adversarial frames, leading to poor performance on sparse video adversarial attacks. This paper presents an approach for detecting adversarial perturbations in videos based on fusion features derived from the video compression and RGB domains. Our research begins by examining how the introduction of extensive non-natural noise during video adversarial attacks severely disrupts the spatial structure of individual frames and the motion information between frames. This disruption culminates in unnatural variations in the Coding Tree Unit (CTU) partitioning during the HEVC video encoding process. Then, the positions and partitioning information of coding units (CU), prediction units (PU), and transform units (TU) are meticulously mapped onto specific values and sizes, constituting the video’s Compression Domain Units (CDU) features. Finally, a dual-path network utilizing both the video’s CDU features and the decoded frames’ RGB features is employed for detecting video adversarial samples. Extensive experiments are conducted to verify the performance. The results show that the proposed scheme outperforms or rivals the state-of-the-art methods in video adversarial detection.
PaperID: 769,   
Authors:  Jing Yan, Yuhan Zheng, Xian Yang, Cailian Chen, Xinping Guan
Affiliations: Department of Automation, Yanshan University, Qinhuangdao, China; School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Privacy-Preserving Localization for Underwater Acoustic Sensor Networks: A Differential Privacy-Based Deep Learning Approach
Abstract:
Localization is a key premise for implementing the applications of underwater acoustic sensor networks (UASNs). However, the inhomogeneous medium and the open feature of the underwater environment make it challenging to accomplish the above task. This paper studies the privacy-preserving localization issue of UASNs with consideration of direct and indirect data threats. To handle the direct data threat, a privacy-preserving localization protocol is designed for sensor nodes, where the mutual information is adopted to acquire the optimal noises added on anchor nodes. With the collected range information from anchor nodes, a ray tracing model is employed for sensor nodes to compensate for the range bias caused by straight-line propagation. Then, a differential privacy (DP) based deep learning localization estimator is designed to calculate the positions of sensor nodes, and the perturbations are added to the forward propagation of the deep learning framework, such that the indirect data leakage can be avoided. Besides that, theoretical analyses including the Cramer-Rao Lower Bound (CRLB), the privacy budget and the complexity are provided. Main innovations of this paper include: 1) the mutual information-based localization protocol can acquire the optimal noise over the traditional noise-adding mechanisms; 2) the DP-based deep learning estimator can avoid the leakage of training data caused by overfitting in traditional deep learning-based solutions. Finally, simulation and experimental results are both conducted to verify the effectiveness of our approach.
PaperID: 770,   
Authors:  Apollo Albright, Boris Gelfand, Michael Dixon
Affiliations: Los Alamos National Laboratory, Los Alamos, NM, USA
Title: Learnability of Optical Physical Unclonable Functions Through the Lens of Learning With Errors
Abstract:
We show that a class of optical physical unclonable functions (PUFs) can be efficiently PAC-learned to arbitrary precision with arbitrarily high probability, even in the presence of intentionally injected noise, given access to polynomially many challenge-response pairs, under mild and practical assumptions about the distributions of the noise and challenge vectors. We motivate our analysis by identifying similarities between the integrated version of Pappu’s original optical PUF design and the post-quantum Learning with Errors (LWE) cryptosystem. We derive polynomial bounds for the required number of samples and the computational complexity of a linear regression algorithm, based on size parameters of the PUF, the distributions of the challenge and noise vectors, and the desired accuracy and probability of success of the regression algorithm. We use a similar analysis to that done by Bootle et al. [“LWE without modular reduction and improved side-channel attacks against BLISS,” in Advances in Cryptology – ASIACRYPT 2018], who demonstrated a learning attack on poorly implemented versions of LWE cryptosystems. This extends the results of Rührmair et al. [“Optical PUFs reloaded,” Cryptology ePrint Archive, 2013], who presented a theoretical framework showing that a subset of this class of PUFs is learnable in polynomial time in the absence of injected noise, under the assumption that the optics of the PUF were either linear or had negligible nonlinear effects. (Rührmair et al. also included an experimental validation of this technique, which of course included measurement uncertainty, demonstrating robustness to the presence of natural noise.) We recommend that the design of strong PUFs should be treated as a cryptographic engineering problem in physics, as PUF designs would benefit greatly from basing their physics and security on standard cryptographic assumptions. Finally, we identify future research directions, including suggestions for how to modify an LWE-based optical PUF design to better defend against cryptanalytic attacks.
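The learning attack the abstract describes, as an added simulation that is not the authors' code: under the linear-optics assumption, one detector's response is an unknown linear functional of the challenge plus noise, which is exactly the "LWE without modular reduction" setting, so ordinary least squares over polynomially many CRPs recovers it. The PUF model (a single detector, ±1 challenge entries, Gaussian injected noise) and every parameter below are constructed for the demo; the solver is plain Gaussian elimination so the block runs without numpy.

```python
import random


def solve_linear(a, b):
    """Solve a x = b (a is n x n) by Gaussian elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def least_squares(challenges, responses):
    """Ordinary least squares via the normal equations (C^T C) w = C^T r."""
    n = len(challenges[0])
    ctc = [[sum(c[i] * c[j] for c in challenges) for j in range(n)] for i in range(n)]
    ctr = [sum(c[i] * r for c, r in zip(challenges, responses)) for i in range(n)]
    return solve_linear(ctc, ctr)


class LinearOpticalPuf:
    """Constructed stand-in for an optical PUF with linear optics: the intensity at
    one detector is an unknown linear functional w of the challenge vector, plus
    Gaussian noise injected on purpose by the PUF owner. (Assumption for the demo;
    a real device's transfer function and noise distribution must be measured.)"""

    def __init__(self, n_inputs, noise_sigma, rng):
        self.w = [rng.gauss(0.0, 1.0) for _ in range(n_inputs)]
        self.sigma = noise_sigma
        self.rng = rng

    def respond(self, challenge):
        clean = sum(wi * ci for wi, ci in zip(self.w, challenge))
        return clean + self.rng.gauss(0.0, self.sigma)


def random_challenge(n_inputs, rng):
    # +/-1 entries model each input element of the challenge being on or off
    return [rng.choice((-1.0, 1.0)) for _ in range(n_inputs)]


def model_puf(puf, n_inputs, n_crps, rng):
    """Attacker: query n_crps challenges, then fit w by linear regression."""
    chals = [random_challenge(n_inputs, rng) for _ in range(n_crps)]
    resps = [puf.respond(c) for c in chals]
    return least_squares(chals, resps)


def max_weight_error(puf, w_hat):
    return max(abs(a - b) for a, b in zip(puf.w, w_hat))


def attack_demo(n_inputs=16, noise_sigma=0.5, n_crps=4000, seed=1):
    """Returns the worst-case error between the true and recovered weights."""
    rng = random.Random(seed)
    puf = LinearOpticalPuf(n_inputs, noise_sigma, rng)
    w_hat = model_puf(puf, n_inputs, n_crps, rng)
    return max_weight_error(puf, w_hat)


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        print(f"{n:6d} CRPs: max weight error {attack_demo(n_crps=n):.4f}")
```

The per-weight estimation error shrinks like sigma / sqrt(n_crps), so injected noise only raises the number of CRPs the attacker needs by a polynomial factor; it does not stop the regression, which is the abstract's point. A PUF whose physics adds a nonlinearity (or, as the abstract suggests, a modular-reduction-like step) would break this linear model.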
PaperID: 771,   
Authors:  Ming Zheng, Xiaowen Hu, Ying Hu, Xiaoyao Zheng, Yonglong Luo
Affiliations: School of Computer and Information, Anhui Normal University, Wuhu, China
Title: Fed-UGI: Federated Undersampling Learning Framework With Gini Impurity for Imbalanced Network Intrusion Detection
Abstract:
In the modern interconnected world, the popularization of networks and the rapid development of information technology have led to increasing security risks and threats in network systems. Existing intrusion detection systems are constantly challenged by various malicious intrusion attacks. Machine learning algorithms have been widely used in intrusion detection. However, model training requires sufficient high-quality samples, especially attack traffic data. Network intrusion detection datasets may not be shared between organizations due to data security and privacy policy concerns. The federated learning framework is an optimal approach to address this issue, in which organizations collaborate to train a global model shared by multiple parties while keeping the data local to the client, guaranteeing the data privacy and security of all parties. However, there is a problem of class imbalance in the network traffic data owned by the organizations, which seriously affects the detection performance of the model and leads to a high consumption of model training time. Therefore, this study proposes a novel federated undersampling learning framework with Gini impurity, namely Fed-UGI. The framework is based on a hash-based block undersampling method to rebalance the client, which can solve the influence of imbalanced training data on the model detection performance and improve the model training efficiency. Moreover, the client weighted aggregation strategy based on local Gini impurity can further optimize the effect of global model aggregation and reduce the impact of the dispersion degree and information difference in client data on model aggregation. In addition, extensive experiments on intrusion detection datasets show that, compared to SOTA methods, the proposed Fed-UGI method has a good detection effect on the three metrics of F1-score, G-mean and AUC, and the training time of the model is reduced by 51.76%-92.58%, especially in highly class-imbalanced situations.
PaperID: 772,   
Authors:  Hao Zhang, Wenqi Shao, Hong Liu, Yongqiang Ma, Ping Luo, Yu Qiao, Nanning Zheng, Kaipeng Zhang
Affiliations: Xi’an Jiaotong University, Xi’an, Shaanxi, China; Shanghai Artificial Intelligence Laboratory, Shanghai, China; Institute for Datability Science, Osaka University, Osaka, Japan
Title: B-AVIBench: Toward Evaluating the Robustness of Large Vision-Language Model on Black-Box Adversarial Visual-Instructions
Abstract:
Large Vision-Language Models (LVLMs) have shown significant progress in responding well to visual-instructions from users. However, these instructions, encompassing images and text, are susceptible to both intentional and inadvertent attacks. Despite the critical importance of LVLMs’ robustness against such threats, current research in this area remains limited. To bridge this gap, we introduce B-AVIBench, a framework designed to analyze the robustness of LVLMs when facing various Black-box Adversarial Visual-Instructions (B-AVIs), including four types of image-based B-AVIs, ten types of text-based B-AVIs, and nine types of content bias B-AVIs (such as gender, violence, cultural, and racial biases, among others). We generate 316K B-AVIs encompassing five categories of multimodal capabilities (ten tasks) and content bias. We then conduct a comprehensive evaluation involving 14 open-source LVLMs to assess their performance. B-AVIBench also serves as a convenient tool for practitioners to evaluate the robustness of LVLMs against B-AVIs. Our findings and extensive experimental results shed light on the vulnerabilities of LVLMs, and highlight that inherent biases exist even in advanced closed-source LVLMs like GeminiProVision and GPT-4V. This underscores the importance of enhancing the robustness, security, and fairness of LVLMs. The source code and benchmark are available at https://github.com/zhanghao5201/B-AVIBench.
PaperID: 773,   
Authors:  Wei Peng, Lei Cui, Wei Cai, Wei Wang, Xiaoyu Cui, Zhiyu Hao, Xiaochun Yun
Affiliations: Zhongguancun Laboratory, Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Title: Bottom Aggregating, Top Separating: An Aggregator and Separator Network for Encrypted Traffic Understanding
Abstract:
Encrypted traffic classification refers to the task of identifying the application, service or malware associated with network traffic that is encrypted. Previous methods mainly have two weaknesses. Firstly, from the perspective of word-level (namely, byte-level) semantics, current methods use pre-trained language models like BERT, which have learned general natural language knowledge, to directly process byte-based traffic data. However, understanding traffic data is different from understanding words in natural language; using BERT directly on traffic data could disrupt internal word-sense information and so affect the performance of classification. Secondly, from the perspective of packet-level semantics, current methods mostly implicitly classify traffic using abstractive semantic features learned at the top layer, without further explicitly separating the features into different spaces of categories, leading to poor feature discriminability. In this paper, we propose a simple but effective Aggregator and Separator Network (ASNet) for encrypted traffic understanding, which consists of two core modules. Specifically, a parameter-free word sense aggregator enables BERT to rapidly adapt to understanding traffic data and keep the complete word sense without introducing additional model parameters. A category-constrained semantics separator with task-aware prompts (as the stimulus) is introduced to explicitly conduct feature learning independently in the semantic spaces of different categories. Experiments on five datasets across seven tasks demonstrate that our proposed model achieves the current state-of-the-art results without pre-training on both the public benchmark and a real-world collected traffic dataset. Statistical analyses and visualization experiments also validate the interpretability of the core modules. Furthermore, what is important is that ASNet does not need pre-training, which dramatically reduces the cost of computing power and time.
The model code and dataset will be released at https://github.com/pengwei-iie/ASNET.
PaperID: 774,   
Authors:  Jinhao Zhou, Jun Wu, Jianbing Ni, Yuntao Wang, Yanghe Pan, Zhou Su
Affiliations: Graduate School of Information, Production and Systems, Waseda University, Fukuoka, Japan; Department of Electrical and Computer Engineering, Queen’s University, Kingston, ON, Canada; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China
Title: Protecting Your Attention During Distributed Graph Learning: Efficient Privacy-Preserving Federated Graph Attention Network
Abstract:
Federated graph attention networks (FGATs) are gaining prominence for enabling collaborative and privacy-preserving graph model training. The attention mechanisms in FGATs enhance the focus on crucial graph features for improved graph representation learning while maintaining data decentralization. However, these mechanisms inherently process sensitive information, which is vulnerable to privacy threats like graph reconstruction and attribute inference. Additionally, their role in assigning varying and changing importance to nodes challenges traditional privacy methods to balance privacy and utility across varied node sensitivities effectively. Our study fills this gap by proposing an efficient privacy-preserving FGAT (PFGAT). We present an attention-based dynamic differential privacy (DP) approach via an improved multiplication triplet (IMT). Specifically, we first propose an IMT mechanism that leverages a reusable triplet generation method to efficiently and securely compute the attention mechanism. Second, we employ an attention-based privacy budget that dynamically adjusts privacy levels according to node data significance, optimizing the privacy-utility trade-off. Third, the proposed hybrid neighbor aggregation algorithm tailors DP mechanisms according to the unique characteristics of neighbor nodes, thereby mitigating the adverse impact of DP on graph attention network (GAT) utility. Extensive experiments on benchmarking datasets confirm that PFGAT maintains high efficiency and ensures robust privacy protection against potential threats.
PaperID: 775,   
Authors:  Lingzhi Zhao, Jianquan Lu, Yang Liu, Jungang Lou
Affiliations: School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Mathematics, Southeast University, Nanjing, China; School of Mathematical Sciences, Zhejiang Normal University, Jinhua, China; Yangtze Delta Region (Huzhou) Institute of Intelligent Transportation, Huzhou University, Huzhou, China
Title: Dynamic Event-Triggered Control for Leader-Following Consensus of Nonlinear Multi-Agent Systems Against Malicious Attacks
Abstract:
This paper addresses the leader-following consensus problems in nonlinear multi-agent systems (MASs), focusing on handling malicious denial-of-service (DoS) attacks. Initially, we introduce an innovative dynamic event-triggered scheme to mitigate network congestion induced by DoS attacks. This scheme, utilizing sampled data, aims to minimize the harmful effects of attacks, and ensures the proficient allocation of limited network resources. Specifically, the sampling period automatically switches depending on the system’s attack status, while the threshold parameter within the predefined triggering condition can be adaptively tuned to match the dynamic characteristics of the controlled system. Building upon this, we propose an event-driven control protocol, along with the construction of a new switched MASs model. It is shown, both analytically and numerically, that our designed control strategy exhibits superiority over traditional co-design frameworks from the aspect of three pivotal metrics: average number of event triggers (ANET), convergence time, and control cost.
PaperID: 776,   
Authors:  Runwen Hu, Yuhong Wu, Shijun Xiang, Xiaolong Li, Yao Zhao
Affiliations: College of Information Science and Technology, Jinan University, Guangzhou, China; Institute of Information Science and the Visual Intelligence + X International Cooperation Joint Laboratory of MOE, Beijing Jiaotong University, Beijing, China
Title: Deep Prediction and Efficient 3D Mapping of Color Images for Reversible Data Hiding
Abstract:
In the reversible data hiding (RDH) community, both prediction and mapping strategies are vital for reducing distortion. With high prediction performance, small prediction errors can be generated to reduce the embedding distortion. Besides, an efficient mapping strategy can improve practicality. In this paper, we propose a new RDH method for color images by using convolutional neural networks (CNNs) for prediction and an efficient 3D mapping strategy for embedding. At first, each color image is elaborately divided into three isolated image sets so that the proposed deep prediction network (DPN) can exploit more neighboring pixels in the current channel and the correlation between the three channels. Then, an efficient 3D mapping strategy is luminously designed by using the symmetry of the 3D prediction error histogram (PEH). The symmetry of the 3D PEH has been analyzed in statistical and experimental ways. Based on the proposed deep prediction network and efficient 3D mapping strategy (DPEM), we construct an efficient RDH method for color images. The performance of the proposed DPN is evaluated by comparing it with several predictors on different image datasets. The embedding performance has been demonstrated by hiding information in color images, e.g., the average PSNR value of the Kodak dataset is 63.63 dB with an embedding capacity of 50,000 bits. Furthermore, the experimental results on the ImageNet and PASCAL VOC2012 datasets have shown that the proposed RDH method is superior to several state-of-the-art RDH methods. With the introduction of deep learning, the development of RDH methods for color images can be promoted.
PaperID: 777,   
Authors:  Zhenhua Chen, Kaili Long, Junrui Xie, Qiqi Lai, Yilei Wang, Ni Li, Luqi Huang, Aijun Ge
Affiliations: College of Computer Science and Technology, Xi’an University of Science and Technology, Xi’an, China; Henan Key Laboratory of Network Cryptography Technology, Information Engineering University, Zhengzhou, China; School of Computer Science, Qufu Normal University, Rizhao, China; School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
Title: A New Functional Encryption Scheme Supporting Privacy-Preserving Maximum Similarity for Web Service Platforms
Abstract:
As a common metric, maximum similarity between two objects is widely employed by web platforms to provide matching services. However, the calculation of maximum similarity involves numerous sensitive or confidential users’ data, and the web platform server is often not trusted, as it might peep at these data out of curiosity, or even worse sell them to unauthorized entities to make profits. Therefore, many research lines on functional encryption have been suggested and studied on how to calculate the maximum similarity while ensuring the privacy of users’ data. Unfortunately, all of them will divulge some intermediate results to the web platform server when processing this issue. In this paper we present a new functional encryption scheme supporting privacy-preserving maximum similarity, which enables web service platforms to figure out the maximum similarity without learning anything else about their data. Moreover, we provide a formal analysis to prove the security of the proposed scheme, followed by some experimental evaluations and comprehensive comparisons with the related works. It shows that our scheme is the first functional encryption realization of maximum similarity without divulging the intermediate result, and meanwhile achieves a higher security-function privacy, as well as traditional data privacy.
PaperID: 778,   
Authors:  Weijie Xiong, Jingran Lin, Zhiling Xiao, Qiang Li
Affiliations: School of Information and Communication Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: Constant-Modulus Secure Analog Beamforming for an IRS-Assisted Communication System With Large-Scale Antenna Array
Abstract:
Physical layer security (PLS) is an important technology in wireless communication systems to safeguard communication privacy and security between transmitters and legitimate users. The integration of large-scale antenna arrays (LSAA) and intelligent reflecting surfaces (IRS) has emerged as a promising approach to enhance PLS. However, LSAA requires a dedicated radio frequency (RF) chain for each antenna element, and IRS comprises hundreds of reflecting micro-antennas, leading to increased hardware costs and power consumption. To address this, cost-effective solutions like constant modulus analog beamforming (CMAB) have gained attention. This paper investigates PLS in IRS-assisted communication systems with a focus on jointly designing the CMAB at the transmitter and phase shifts at the IRS to maximize the secrecy rate. The resulting secrecy rate maximization (SRM) problem is non-convex. To solve the problem efficiently, we propose two algorithms: 1) the time-efficient Dinkelbach-BSUM algorithm, which reformulates the fractional problem into a series of quadratic programs using the Dinkelbach method and solves them via block successive upper-bound minimization (BSUM), and 2) the product manifold conjugate gradient descent (PMCGD) algorithm, which provides a better solution at the cost of slightly higher computational time by transforming the problem into an unconstrained optimization on a Riemannian product manifold and solving it using the conjugate gradient descent (CGD) algorithm. Simulation results validate the effectiveness of the proposed algorithms and highlight their distinct advantages.
PaperID: 779,   
Authors:  Syed Shafiulla, Manas Kumar Jena
Affiliations: Department of Electrical Engineering, Indian Institute of Technology at Palakkad, Palakkad, India
Title: A Dynamic State Estimation-Based Cyberattack Detection Scheme to Supervise Legacy Pilot Protection Operation
Abstract:
The transition of power systems toward digital substations has brought numerous advantages to substation automation. However, this digital transformation exposes substations to various cyberattacks. Thus, ensuring the integrity and availability of power system data has emerged as a critical concern in modern power system networks. A crucial cybersecurity concern is pilot protection, with its security being of utmost importance in bulk power system networks to safeguard against significant disturbances and blackouts, as well as to facilitate fast fault-clearing operations. This paper introduces a dynamic state estimation (DSE) technique to supervise the operation of the pilot protection scheme. The proposed scheme accurately estimates transmission line impedance and uses this estimation to supervise the legacy pilot protection scheme. The method employs network physical laws, sampled value measurements, and an Unscented Kalman Filter (UKF) technique to enhance the cybersecurity aspects of the pilot protection scheme. Additionally, the cybersecurity of the DSE-based pilot protection supervision scheme is evaluated against cyberattacks such as denial of service (DoS) and false data injection (FDI). The simulation results, validated using the IEEE 9-bus test system, demonstrate the effectiveness of the proposed method for pilot protection supervision.
PaperID: 780,   
Authors:  Mengxiang Liu, Zhongda Chu, Fei Teng
Affiliations: Department of Electrical and Electronic Engineering, Imperial College London, London, U.K.
Title: Cyber Recovery From Dynamic Load Altering Attacks: Linking Electricity, Transportation, and Cyber Networks
Abstract:
The dynamic load altering attack (DLAA) that manipulates the load demands in the power grid by compromising internet of things (IoT) home appliances has posed significant threats to the grid’s stable and safe operation. Current efforts are mainly devoted to the investigation of detecting and mitigating DLAAs, while, for a holistic cyber-resiliency-enhancement process, the last but not least step, cyber recovery from DLAAs (CRDA), has not yet been paid enough attention. Considering the interconnection among electricity, transportation, and cyber networks, this paper presents the first exploration of the CRDA, where two essential sub-tasks are formulated: i) optimal design of repair crew routes to remove installed malware and ii) robust adjustment of system operation to eliminate the mitigation costs with a stability guarantee. Towards this end, linear stability constraints are established by utilising a sensitivity-based eigenvalue estimation method, where the eigenvalue sensitivity information is appropriately ordered and strategically selected to guarantee the estimation accuracy. Moreover, to assure the CRDA solution’s robustness to the adversary’s follow-up movement, the worst-case attack strategies in all attack scenarios during the recovery process are integrated. A mixed-integer linear programming (MILP) problem is subsequently developed for the CRDA with the primary objective of restoring the secure but cost-inefficient mitigation operation mode to the cost-efficient one and the secondary objective of repairing compromised IoT home appliances. Case studies are performed on IEEE power system cases to validate the eigenvalue estimation’s accuracy, the CRDA solution’s effectiveness and robustness, as well as the proposed CRDA’s extensibility.
PaperID: 781,   
Authors:  Xin Liu, Willy Susilo, Joonsang Baek
Affiliations: Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
Title: How to Terminate Service Requests in Outsourcing: A Seamless Solution From Withdrawable Signatures
Abstract:
Outsourcing is an essential strategy for enterprises, and leveraging it can offer advantages such as saving costs, improving efficiency, and allowing them to concentrate on their primary business activities. Therefore, announcing and managing service requests is paramount for obtaining suitable quotes and partnering with the right outsourcing service providers. To achieve this, enterprises can employ digital signatures to ensure the authenticity and security of these service requests. However, the irrevocable nature of traditional digital signatures poses challenges, particularly when canceling the service requests is necessary. A withdrawable signature scheme provides a novel property for signers to initially create “withdrawable” signatures, which they can later confirm into additional conventional signatures. Withdrawable signatures can be regarded as withdrawn when the signer has not confirmed them yet. This property provided by the withdrawable signature mechanism can then be adopted as a solution to this problem, allowing the enterprise to retract announced signatures on service requests. However, to meet the demands of the outsourcing system, existing approaches to withdrawable signatures require further development, since they only allow signers in outsourcing systems to confirm withdrawable signatures on service requests. This limitation prevents enterprises from accepting quotes for service requests simply by confirming the withdrawable signature. This paper focuses on this problem by applying the withdrawable signature to the outsourcing framework, identifying the limitations of existing withdrawable signature schemes, and proposing solutions. We demonstrate how revisiting withdrawable signatures can lead to flexible outsourcing systems that ensure the cancellation of announced service requests.
Additionally, we provide a performance evaluation demonstrating that our revised withdrawable signature scheme achieves acceptable efficiency and security within the outsourcing system.
PaperID: 782,   
Authors:  Xinyu He, Yuan Zhang, Yaqing Song, Weidong Qiu, Hongwei Li, Qiang Tang
Affiliations: School of Computer Science and Engineering (School of Cybersecurity), University of Electronic Science and Technology of China, Chengdu, China; School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai, China; School of Computer Science, The University of Sydney, Darlington, NSW, Australia
Title: What Makes a Good Exchange? Privacy-Preserving and Fair Contract Agreement in Data Trading
Abstract:
Exchange-assisted data trading (EADT) has become an essential paradigm in current data marketplaces. With data exchanges, sellers and buyers can trade data in an efficient and convenient way. However, existing EADT systems are vulnerable to privacy violations. Sensitive information about the data owned by sellers (manifested as attributes of the data) and the purchasing requirements of buyers (manifested as interests) are highly susceptible to leakage. On the one hand, buyers and sellers have direct access to the type of data supplied or desired before the data transaction is established. On the other hand, the information about transactions between the seller and buyer is transparent to the exchange, including the content of the transaction contract. In addition, the participants are likely to repudiate the content of previously accepted contracts or trigger a bidding war with a contract first authorized by others, which raises threats towards authenticity and fairness. In this paper, we investigate the contract agreement in actual EADT systems, enumerate the inherent requirements of secrecy and fairness, and formally define them. Then we propose a privacy-preserving and fair contract agreement framework, dubbed PFCA, which consists of order-matching, negotiation, and authorization. We further propose a practical instantiation of PFCA, dubbed BestPFCA, utilizing efficient private set intersection (PSI), secure messaging (SM), and three-party signature (TPS). In addition, we also implement a BestPFCA prototype and conduct a comprehensive performance evaluation, which demonstrates the efficiency and practicality of BestPFCA.
PaperID: 783,   
Authors:  Changshuo Wang, Xingyu Gao, Meiqing Wu, Siew-Kei Lam, Shuting He, Prayag Tiwari
Affiliations: Cyber Security Research Centre@NTU (CYSREN), Nanyang Technological University, Jurong West, Singapore; Chinese Academy of Sciences, Institute of Microelectronics, Beijing, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Information Management and Engineering, Shanghai University of Finance and Economics, Shanghai, China; School of Information Technology, Halmstad University, Halmstad, Sweden
Title: Looking Clearer With Text: A Hierarchical Context Blending Network for Occluded Person Re-Identification
Abstract:
Existing occluded person re-identification (re-ID) methods mainly learn limited visual information for occluded pedestrians from images. However, textual information, which can describe various human appearance attributes, is rarely fully utilized in the task. To address this issue, we propose a Text-guided Hierarchical Context Blending Network (THCB-Net) for occluded person re-ID. Specifically, at the data level, informative multi-modal inputs are first generated to make full use of the auxiliary role of textual information and give image data a strong inductive bias for occluded environments. At the feature expression level, we design a novel Hierarchical Context Blending (HCB) module that can adaptively integrate shallow appearance features obtained by CNNs and multi-scale semantic features from a visual transformer encoder. At the model optimization level, a Multi-modal Feature Interaction (MFI) module is proposed to learn the multi-modal information of pedestrians from texts and images, then guide the visual transformer encoder and HCB module to further learn discriminative identity information for occluded pedestrians through Image-Multimodal Contrastive (IMC) learning. Extensive experiments on standard occluded person re-ID benchmarks demonstrate that the proposed THCB-Net outperforms state-of-the-art methods. The code will be available soon.
PaperID: 784,   
Authors:  Juanjuan Weng, Zhiming Luo, Shaozi Li
Affiliations: College of Information Science and Technology, Jinan University, Guangzhou, China; Department of Artificial Intelligence, Xiamen University, Xiamen, China
Title: Improving Transferable Targeted Adversarial Attack via Normalized Logit Calibration and Truncated Feature Mixing
Abstract:
This paper aims to enhance the transferability of adversarial samples in targeted attacks, where attack success rates remain comparatively low. To achieve this objective, we propose two distinct techniques for improving the targeted transferability from the loss and feature aspects. First, in previous approaches, logit calibrations used in targeted attacks primarily focus on the logit margin between the targeted class and the untargeted classes among samples, neglecting the standard deviation of the logit. In contrast, we introduce a new normalized logit calibration method that jointly considers the logit margin and the standard deviation of logits. This approach effectively calibrates the logits, enhancing the targeted transferability. Second, previous studies have demonstrated that mixing the features of clean samples during optimization can significantly increase transferability. Building upon this, we further investigate a truncated feature mixing method to reduce the impact of the source training model, resulting in additional improvements. The truncated feature is determined by removing the Rank-1 feature associated with the largest singular value decomposed from the high-level convolutional layers of the clean sample. Extensive experiments conducted on the ImageNet-Compatible, CIFAR-10 and ImageNet-1k datasets demonstrate the individual and mutual benefits of our proposed two components, which outperform the state-of-the-art methods by a large margin in black-box targeted attacks.
PaperID: 785,   
Authors:  Wentao Dong, Lei Xu, Leqian Zheng, Huayi Duan, Cong Wang, Qian Wang
Affiliations: Department of Computer Science, City University of Hong Kong, Kowloon Tong, SAR, Hong Kong; School of Mathematics and Statistics, Nanjing University of Science and Technology, Nanjing, China; Department of Computer Science, ETH Zürich, Zürich, Switzerland; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Do Not Skip Over the Offline: Verifiable Silent Preprocessing From Small Security Hardware
Abstract:
Multi-party computation (MPC) has gained increasing attention in both research and industry, with many protocols adopting the preprocessing model to optimize online performance through the strategic use of offline-generated, data-independent correlated randomness (or correlation). However, while extensive research has been dedicated to enhancing the online phase, the equally critical offline phase remains largely overlooked. This gap imposes significant yet unaddressed challenges in both security and efficiency, hindering the practical adoption of MPC systems. To address these challenges, we build upon the pseudorandom correlation generator (PCG) concept by Boyle et al. (CRYPTO’19, FOCS’20) and propose HPCG, a programmable, verifiable, and concretely efficient PCG construction using small security hardware. Our core technique, termed verifiable silent preprocessing, enables virtually unbounded, on-demand generation of diverse correlated randomness with provable correctness while effectively reducing offline overhead in a correlation-agnostic manner. To demonstrate the benefits of our approach, we experimentally evaluate HPCG and compare it with other preprocessing techniques. We also show how HPCG can further optimize specialized secure computation tasks (e.g., shuffling and equality test) by promoting new, customized correlations, which may be of new interest.
PaperID: 786,   
Authors:  Yihuan Huang, Yanzhen Ren, Zongkun Sun, Liming Zhai, Jingmin Wang, Wuyang Liu
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; School of Computer Science, Central China Normal University, Wuhan, China
Title: APFT: Adaptive Phoneme Filter Template to Generate Anti-Compression Speech Adversarial Example in Real-Time
Abstract:
Automatic Speech Recognition (ASR) systems are widely used for speech censoring. Speech Adversarial Example (AE) offers a novel approach to protect speech privacy by forcing ASR to mistranscribe. However, existing speech AE faces two challenges in real-time voice communication scenarios, such as IP telephony, voice chat, or video conferencing: it cannot be generated in real time, and its defensive capability is significantly reduced after the essential audio compression for network transmission. In this paper, we propose Adaptive Phoneme Filter Template (APFT) to address these issues. The key features of APFT include: 1) Phoneme-level Templates for universal AE generation in real time; 2) Filter, which eliminates redundant signals to improve compression robustness; 3) Adaptive Band Filtering, which limits the attack area in the frequency band without affecting the attack effectiveness and improves speech quality. The comprehensive experimental results show that APFT has four advantages: 1) Real-time Generation, with AE generation time below 1.1 ms for 1 s of speech; 2) Compression Robustness, achieving a WER of 0.64 under AAC and Opus codecs; 3) Transferability, with an average WER of 0.72 across datasets and ASR systems; 4) Stealthiness, achieving a MOS of 4.07 for high-quality speech. In addition, the experiment on Telegram voice calls further proves the practical applicability of APFT. The demo of APFT can be obtained at https://yihuan-qaq.github.io/APFT.github.io/
PaperID: 787,   
Authors:  Alfonso Rodriguez Barredo-Valenzuela, Sergio Pastrana, Guillermo Suarez-Tangil
Affiliations: IMDEA Networks Institute, Leganés, Spain; Universidad Carlos III de Madrid, Madrid, Spain
Title: Snorkeling in Dark Waters: A Longitudinal Surface Exploration of Unique Tor Hidden Services
Abstract:
The Onion Router (Tor) is a controversial network whose utility is constantly under scrutiny. On the one hand, it allows for anonymous interaction and cooperation of users seeking untraceable navigation on the Internet. This freedom also attracts criminals who aim to thwart law enforcement investigations, e.g., trading illegal products or services such as drugs or weapons. Tor allows delivering content without revealing the actual hosting address, by means of .onion (or hidden) services. Different from regular domains, these services cannot be resolved by traditional name services, are not indexed by regular search engines, and they frequently change. This generates uncertainty about the extent and size of the Tor network and the type of content offered. In this work, we present a large-scale analysis of the Tor Network. We leverage our crawler, dubbed Mimir, which automatically collects and visits linked content, obtaining a dataset of 25k sites. We analyze the topology of the Tor Network, including its depth and reachability from the surface web. We define a set of heuristics to detect the presence of replicated content (mirrors) and show that most of the analyzed content in the Dark Web (≈82%) is a replica of another site. Also, we train a custom classifier to understand the type of content the hidden services offer. Overall, our study provides new insights into the Tor network, highlighting the importance of the initial seeding during the crawling process. We show that previous work on large-scale Tor measurements does not consider the presence of mirrors, which biases their understanding of the Dark Web topology and the distribution of content.
PaperID: 788,   
Authors:  Zhisheng Yao, Guan Gui
Affiliations: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Backdoor Attack on Self-Supervised Learning-Based RFF Identification Using Spectrum Enhanced Insensitive Perturbation Trigger
Abstract:
Radio frequency fingerprint identification (RFFI) is essential for ensuring device security in ubiquitous wireless communications and the Internet of Things (IoT). Although deep learning (DL) and self-supervised learning (SSL) techniques have significantly enhanced RFFI system performance, they often depend on data sourced from open internet datasets or collected in uncontrolled environments. This dependency heightens the risk of malicious data tampering, particularly in adversarial environments, thereby exacerbating security vulnerabilities. To address this issue, this paper investigates the vulnerability of SSL-based RFFI systems to backdoor attacks and introduces a novel method utilizing a spectrum-enhanced insensitive perturbation (SEIP) trigger. We develop an SSL-based RFFI backdoor attack framework, providing new insights into SSL security within the signal processing domain. The SEIP trigger introduces subtle perturbations in the frequency domain, enabling highly effective and covert backdoor attacks. Experimental results demonstrate that the SEIP trigger outperforms existing triggers regarding attack effectiveness across various channel conditions while maintaining strong stealthiness against backdoor defense mechanisms. These findings confirm that the SEIP trigger achieves an optimal balance between attack effectiveness and stealthiness. Moreover, this paper offers a new perspective for evaluating the security of RFFI systems and the resilience of backdoor defense strategies.
PaperID: 789,   
Authors:  Xinjie Lin, Gang Xiong, Gaopeng Gou, Wenqi Dong, Jing Yu, Zhen Li, Wei Xia
Affiliations: Zhongguancun Laboratory, Beijing, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Respond to Change With Constancy: Instruction-Tuning With LLM for Non-I.I.D. Network Traffic Classification
Abstract:
Encrypted traffic classification is highly challenging in network security due to the need for extracting robust features from content-agnostic traffic data. Existing approaches face critical issues: (i) Distribution drift, caused by reliance on the closed-world assumption, limits adaptability to real-world, shifting patterns; (ii) Dependence on labeled data restricts applicability where such data is scarce or unavailable. Large language models (LLMs) have demonstrated remarkable potential in offering generalizable solutions across a wide range of tasks, achieving notable success in various specialized fields. However, their effectiveness in traffic analysis remains constrained by challenges in adapting to the unique requirements of the traffic domain. In this paper, we introduce a novel traffic representation model named Encrypted Traffic Out-of-Distribution Instruction Tuning with LLM (ETooL), which integrates LLMs with knowledge of traffic structures through a self-supervised instruction tuning paradigm. This framework establishes connections between textual information and traffic interactions. ETooL demonstrates more robust classification performance and superior generalization in both supervised and zero-shot traffic classification tasks. Notably, it achieves significant improvements in F1 scores: APP53 (I.I.D.) to 93.19% (↑6.62%) and 92.11% (↑4.19%), APP53 (O.O.D.) to 74.88% (↑18.17%) and 72.13% (↑15.15%), and ISCX-Botnet (O.O.D.) to 95.03% (↑9.16%) and 81.95% (↑12.08%). Additionally, we construct NETD, a traffic dataset designed to support dynamic distributional shifts, and use it to validate ETooL’s effectiveness under varying distributional conditions. Furthermore, we evaluate the efficiency gains achieved through ETooL’s instruction tuning approach.
PaperID: 790,   
Authors:  Jianhong Zhang, Chuming Shi
Affiliations: School of Artificial Intelligence and Computer Science, North China University of Technology, Beijing, China
Title: Corrections to "On the Security of a Revocable Cross-Domain Anonymous Authentication in IIoT"
Abstract:
With the rapid growth of the Industrial Internet of Things (IIoT), secure and efficient collaboration among devices from different domains is essential for achieving collaborative production tasks. Recently, Zeng et al. proposed a dynamic group signature scheme using dynamic accumulators and zero-knowledge proofs. Although they claim that their scheme ensures unlinkability of signatures, our analysis shows that their scheme is vulnerable and fails to provide unlinkability. After presenting our attack, we analyze the underlying causes of these vulnerabilities and propose an improvement to address them.
PaperID: 791,   
Authors:  Haoyue Wang, Sheng Li, Zhenxing Qian, Xinpeng Zhang
Affiliations: School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing, China; School of Electronics and Information Engineering, Tongji University, Shanghai, China; School of Computing, Macquarie University, Sydney, NSW, Australia
Title: Free Privacy Protection for Wireless Federated Learning: Enjoy It or Suffer From It?
Abstract:
Inherent communication noises have the potential to preserve privacy for wireless federated learning (WFL) but have been overlooked in digital communication systems predominantly using floating-point number standards, e.g., IEEE 754, for data storage and transmission. This is due to the potentially catastrophic consequences of bit errors in floating-point numbers, e.g., on the sign or exponent bits. This paper presents a novel channel-native bit-flipping differential privacy (DP) mechanism tailored for WFL, where transmit bits are randomly flipped and communication noises are leveraged, to collectively preserve the privacy of WFL in digital communication systems. The key idea is to interpret the bit perturbation at the transmitter and bit errors caused by communication noises as a bit-flipping DP process. This is achieved by designing a new floating-point-to-fixed-point conversion method that only transmits the bits in the fraction part of model parameters, hence eliminating the need for transmitting the sign and exponent bits and preventing the catastrophic consequence of bit errors. We analyze a new metric to measure the bit-level distance of the model parameters and prove that the proposed mechanism satisfies (λ, ε)-Rényi DP and does not violate the WFL convergence. Experiments validate privacy and convergence analysis of the proposed mechanism and demonstrate its superiority to the state-of-the-art Gaussian mechanisms that are channel-agnostic and add Gaussian noise for privacy protection.
PaperID: 792,   
Authors:  Sifan Li, Yue Cao, Guojun Peng, Meng Li, Wei Sun, Luan Chen
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; Research and Development Institute, Dongfeng Motor Corporation Ltd., Wuhan, China; ETIS UMR , ENSEA, CNRS, CY Cergy Paris University, Cergy, France
Title: Efficient Intrusion Detection for In-Vehicle Networks Using Knowledge Distillation From BERT to CNN-BiLSTM
Abstract:
Under the development of intelligent transportation systems, In-Vehicle Networks (IVNs) serve as a critical channel for both internal and external communications. However, the inherent complexity and diversity of data traffic present significant challenges for the detection of IVN anomalous flows. Meanwhile, the introduction of various novel technologies has introduced new security vulnerabilities to IVNs. These vulnerabilities significantly impact the security of IVNs and the accuracy of in-vehicle Intrusion Detection Systems (IDS). To address these issues, this paper proposes a lightweight and efficient anomaly detection method based on knowledge distillation technology, termed Knowledge Distillation from BERT to CNN-BiLSTM (KDBC). Specifically, the KDBC distills the deep semantic knowledge from the BERT model into a more lightweight CNN-BiLSTM architecture, significantly reducing computational overhead and storage requirements without substantially compromising detection performance. Experimental results demonstrate that the KDBC model enhances both security and versatility, achieving superior detection accuracy in identifying abnormal attacks across diverse IVN data, including automotive Ethernet and CAN networks. Moreover, the KDBC model has been validated for its effectiveness and robustness in actual in-vehicle gateway environments, achieving an accuracy of over 0.98 and an F1 score greater than 0.98.
PaperID: 793,   
Authors:  Lu Wei, Yongjuan Zhang, Jie Cui, Hong Zhong, Irina Bolodurina, Debiao He
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, and the Institute of Physical Science and Information Technology, Anhui University, Hefei, China; Faculty of Mathematics and Information Technologies, Orenburg State University, Orenburg, Russia; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: A Blockchain-Driven Hierarchical Authentication and Key Agreement Scheme for VANETs With Cloud-Edge Collaboration
Abstract:
Vehicular ad-hoc networks (VANETs) are the cornerstone of intelligent transportation systems, designed to enhance road safety and traffic efficiency. However, their dynamic and distributed nature poses significant challenges for secure communication and key management. Traditional authentication and key agreement (AKA) schemes for VANETs often rely on centralized trust architectures, resulting in system security and reliability issues. Despite the introduction of distributed trust architecture schemes that have appeared recently, they fail to solve one issue, i.e., how the key agreement requests can be authenticated in the distributed communication scenario where the authentication authorities are all not fully credible and have differentiated credibility. To solve this issue, we propose a hierarchical AKA scheme for VANETs with cloud-edge collaboration powered by consortium blockchain. Specifically, we first propose a vehicle reputation evaluation algorithm for evaluating the trustworthiness of the vehicle, so that the AKA requests sent by vehicles with low reputation will be rejected. On the basis of the reputation evaluation algorithm, we propose a hierarchical threshold-based AKA scheme for VANETs where cloud servers (CSs) and edge servers (ESs) can collaboratively authenticate the AKA requests, so that the authentication service can be trusted upon getting authenticated by a series of valid combinations of CSs and ESs. Both formal and informal security proofs validate the security of our proposed scheme, and simulation experiments demonstrate its efficiency.
PaperID: 794,   
Authors:  Haolang Lu, Hongrui Peng, Guoshun Nan, Jiaoyang Cui, Cheng Wang, Weifei Jin, Songtao Wang, Shengli Pan, Xiaofeng Tao
Affiliations: National Engineering Research Center for Mobile Network Technologies, Beijing University of Posts and Telecommunications, Beijing, China; Zhongguancun Laboratory, Beijing, China
Title: Malsight: Exploring Malicious Source Code and Benign Pseudocode for Iterative Binary Malware Summarization
Abstract:
Binary malware summarization aims to automatically generate human-readable descriptions of malware behaviors from executable files, facilitating tasks like malware cracking and detection. Previous methods based on Large Language Models (LLMs) have shown great promise. However, they still face significant issues, including poor usability, inaccurate explanations, and incomplete summaries, primarily due to the obscure pseudocode structure and the lack of malware training summaries. Further, calling relationships between functions, which involve the rich interactions within a binary malware, remain largely underexplored. To this end, we propose Malsight, a novel code summarization framework that can iteratively generate descriptions of binary malware by exploring malicious source code and benign pseudocode. Specifically, we construct the first malware summary dataset, MalS and MalP, using an LLM and manually refine this dataset with human effort. At the training stage, we tune our proposed MalT5, a novel LLM-based code model, on the MalS and benign pseudocode datasets. Then, at the test stage, we iteratively feed the pseudocode functions into MalT5 to obtain the summary. Such a procedure facilitates the understanding of pseudocode structure and captures the intricate interactions between functions, thereby benefiting summaries’ usability, accuracy, and completeness. Additionally, we propose a novel evaluation benchmark, BLEURT-sum, to measure the quality of summaries. Experiments on three datasets show the effectiveness of the proposed Malsight. Notably, our proposed MalT5, with only 0.77B parameters, delivers comparable performance to much larger Code-Llama.
PaperID: 795,   
Authors:  Yang Yu, Haixia Wang, Xu Tan, Yilong Zhang, Peng Chen, Ronghua Liang
Affiliations: School of Information and Electronic Engineering, Zhejiang University of Science and Technology, Hangzhou, China; College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China
Title: A Fingerprint Quality Driven Transformer-CNN Hybrid Model for External and Internal Fingerprint Fusion
Abstract:
Advancements in internal fingerprint extraction technology have made the fusion of external and internal fingerprints possible. It offers a viable solution to the problem of degraded performance in Automatic Fingerprint Identification System (AFIS) caused by epidermal abrasion and aging. Traditional fusion methods focus on information maximization. But for fingerprint, features like wrinkles and scars often yield high gradient variation information. It is detrimental to generating high-quality fingerprint. To address this, we propose a novel quality driven fusion method for external and internal fingerprints. It comprises several components. Firstly, there is a lightweight and efficient Transformer-CNN hybrid model. Secondly, it includes a closed-loop quality driven fusion mechanism. This mechanism is equipped with a quality prediction module, Weighted Complementary Fusion (WCF), and quality feedback. Thirdly, there is a jointly optimized combined loss function, which is accompanied by an asynchronous cross-training strategy. Unlike traditional paradigms, we change the optimization objective. It is shifted from information maximization to quality maximization, which is more appropriate for fingerprint. Experimental evaluations have been conducted, covering aspects such as fingerprint quality, matching performance, and network model ablation. The method we proposed demonstrates superiority in terms of quality score and matching performance. It outperforms both traditional and state-of-the-art approaches. It gives a new research path to boost fingerprint identification performance in identity security authentication.
PaperID: 796,   
Authors:  Yifan Zhang, Boxuan Xie, Yishan Yang, Zheng Yan, Riku Jäntti, Zhu Han
Affiliations: Department of Information and Communications Engineering, Aalto University, Espoo, Finland; State Key Laboratory of ISN, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; Department of Electrical and Computer Engineering, University of Houston, Houston, TX, USA
Title: AuthScatter: Accurate, Robust, and Scalable Mutual Authentication in Physical Layer for Backscatter Communications
Abstract:
Backscatter communication (BC) enables resource-constrained backscatter devices (BDs) to communicate by reflecting signals from external radio frequency sources (RFSs), thereby avoiding active RF components, making it a cutting-edge technology for the ubiquitous Internet of Things (IoT). However, the open nature of BC makes it vulnerable to passive and active attacks, and existing methods fail to offer robust mutual authentication suitable for mobile BC systems while keeping a low computational overhead. To address this issue, we propose AuthScatter, an accurate, robust, and scalable physical-layer mutual authentication scheme between the RFS and multiple BDs by leveraging channel fading and random numbers as a one-time pad to protect the identity key exchange procedure during the authentication. Specifically, AuthScatter constructs shared identity keys as physical-layer fingerprints for efficient identification and employs a challenge-response authentication mechanism to enable secure key exchange between the RFS and the BD. In the authentication, the one-time pad effectively prevents eavesdropping, spoofing, replay, and counterfeiting attacks, while legitimate devices leverage channel reciprocity and random number knowledge to authenticate efficiently without channel estimation or complex processing. It is tailored for high-mobility scenarios by completing the exchange within the channel coherence time while incorporating a key-update mechanism to ensure sustained security in the long term. Additionally, it includes a re-authentication mechanism to enhance resistance against wireless attacks and a batch authentication framework leveraging time-division duplexing (TDD) to enable scalability in large-scale BC deployments. Comprehensive security analysis demonstrates the resistance of AuthScatter to various threats, including eavesdropping, identity spoofing, replay, and counterfeiting attacks. Extensive simulations further validate its high authentication accuracy across diverse channel conditions, robustness against various attack vectors, and scalability with a large number of BDs, highlighting its superiority over state-of-the-art schemes.
PaperID: 797,   
Authors:  Nay Myat Min, Long H. Pham, Jun Sun
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: Unified Neural Backdoor Removal With Only Few Clean Samples Through Unlearning and Relearning
Abstract:
Deep neural networks have achieved remarkable success across various applications; however, their vulnerability to backdoor attacks poses severe security risks—especially in situations where only a limited set of clean samples is available for defense. In this work, we address this critical challenge by proposing ULRL (UnLearn and ReLearn for backdoor removal), a novel two-phase approach for comprehensive backdoor removal. Our method first employs an unlearning phase, in which the network’s loss is intentionally maximized on a small clean dataset to expose neurons that are excessively sensitive to backdoor triggers. Subsequently, in the relearning phase, these suspicious neurons are recalibrated using targeted reinitialization and cosine similarity regularization, effectively neutralizing backdoor influences while preserving the model’s performance on benign data. Extensive experiments with 12 backdoor types on multiple datasets (CIFAR-10, CIFAR-100, GTSRB, and Tiny-ImageNet) and architectures (PreAct-ResNet18, VGG19-BN, and ViT-B-16) demonstrate that ULRL significantly reduces the attack success rate without compromising clean accuracy—even when only 1% of clean data is used for defense.
PaperID: 798,   
Authors:  Aruna Jayasena, Prabhat Mishra
Affiliations: Department of Computer and Information Science and Engineering, University of Florida, Gainesville, FL, USA
Title: FirmWall: Directed Symbolic Execution of Firmware Binaries for Defending Against Unauthorized System Calls
Abstract:
Modern computing devices rely on root-of-trust (RoT) to ensure confidentiality and integrity of both application code and data while satisfying a wide variety of user requirements. The RoT provides essential cryptographic and security functions as services (implemented as system calls) to the host system, supporting the execution of both trusted and untrusted applications. It also enables a secure boot process for the host operating system and other functionalities to establish a trusted execution environment for user applications. The complexity of RoT implementation often introduces vulnerabilities, such as privilege escalation and code injection risks, which affect the security of user data during execution. In this paper, we propose a RoT firmware verification framework that acts as a firmware firewall (FirmWall) to enhance the overall security of the system. Specifically, we perform directed symbolic execution focused on system calls to verify RoT firmware binaries against security specifications, facilitating targeted patching to mitigate potential vulnerabilities. Our framework demonstrated significantly better coverage compared to state-of-the-art symbolic execution. It also confirmed the presence of multiple vulnerabilities (CVEs) in recent versions of ARM Trusted Firmware-M implementations.
PaperID: 799,   
Authors:  Jiaping Gui, Ruiwen Ji, Haishi Huang, Jianan Hong, Cunqing Hua
Affiliations: School of Computer Science, Shanghai Jiao Tong University, Shanghai, China
Title: Solving Data Contamination in DDoS Detection: A Method Based on Hierarchical Federated Learning
Abstract:
Distributed Denial-of-Service (DDoS) attacks can cause significant damage to network applications. A crucial step in combating these attacks lies in promptly and accurately detecting DDoS attack traffic. However, existing solutions struggle with data imbalance and contamination, leading to suboptimal DDoS detection. Furthermore, current methods typically require access to raw data for training, posing a significant privacy risk. To tackle these challenges, we propose HFL-AD, a hierarchical federated learning framework specifically designed for detecting DDoS attack traffic by resolving the data contamination issue. In our approach, a federation of lower-layer clients trains local anomaly detection models using diverse raw data. A selected few clients, possessing a small supplementary dataset, serve as upper-layer clients, responsible for excluding model updates uploaded by lower-layer clients that have been trained on contaminated datasets. Experimental results demonstrate that HFL-AD outperforms state-of-the-art (SOTA) solutions in DDoS detection, particularly when some training datasets are contaminated.
PaperID: 800,   
Authors:  Jiyu Tian, Mingchu Li, Lingling Fang, Li-Ming Chen
Affiliations: School of Software, Dalian University of Technology, Dalian, China; School of Computer and Information Engineering, Jiangxi Normal University, Nanchang, Jiangxi, China; School of Computer Science and Artificial Intelligence, Liaoning Normal University, Dalian, China; School of Computer Science and Technology, Dalian University of Technology, Dalian, China
Title: SSDCL: Semi-Supervised Denoising-Aware Contrastive Learning for Time Series Anomaly Detection in Cyber-Physical Systems
Abstract:
Time series anomaly detection is crucial for improving the security and reliability of Cyber-Physical Systems (CPS). While significant progress has been made, existing methods struggle to learn discriminative representations from multivariate time series with complex interactions and noise. To address this challenge, we propose a semi-supervised anomaly detection method based on denoising-aware contrastive learning, namely SSDCL, which can achieve robust performance for CPS anomaly detection using limited supervision. Specifically, we first design a similarity combination data augmentation algorithm to handle complex interactions among continuous sensor measurements and discrete actuator states. Furthermore, we develop a denoising hierarchical contrastive loss function that mitigates data noise interference while ensuring discriminative spatio-temporal representation. To validate the effectiveness of SSDCL, we conducted empirical evaluations on three publicly available CPS time series datasets, including PUMP, SWaT and WADI. The experimental results show that the proposed method achieves F1 scores of 97.5%, 93.0%, and 74.4%, respectively, outperforming the state-of-the-art (SOTA) CPS anomaly detection methods.
PaperID: 801,   
Authors:  Su Wang, Hongbin Sun, Zhiliang Wang, Tao Zhou, Xia Yin, Dongqi Han, Han Zhang, Xingang Shi, Jiahai Yang
Affiliations: Zhongguancun Laboratory, Beijing, China; Venustech Group Inc., Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Title: End-to-End Attack Scene Reconstruction in a Host With Rules and Anomaly-Based Detection Models
Abstract:
Critical devices on the Internet are frequently targeted by skilled and advanced network attackers. These attackers often orchestrate complex and persistent intrusion campaigns, which involve multiple stages of attacks. In the context of host-based threat detection, the reconstruction of the entire attack scenario is crucial for tracing threats and fixing system vulnerabilities. Prior anomaly-based studies lack the capability to interpret the attack scenario, while rule-based approaches struggle with detecting novel attack patterns. We introduce eaGle, an end-to-end framework that takes original host-based data as input and reconstructs the potential attack scenario as output. It leverages an anomaly-based algorithm and a fine-grained misuse detection module to assign anomalous scores to host data, constructs the potential attack scenario using a novel anomalous subtree detection algorithm, and generates the interpretable attack scenario graph through a coarse-grained rule matching method. We assess the performance of eaGle using three attack scenarios from the DARPA TC dataset and three deployment scenarios. The results demonstrate that eaGle can effectively uncover the hidden attack scenario within the host data and outperforms three state-of-the-art attack scenario reconstruction systems.
PaperID: 802,   
Authors:  Hao Fu, Ming Liu, Rongsheng Li
Affiliations: College of Computer Science and Technology, Harbin Engineering University, Harbin, China; School of Information Technology, Deakin University, Burwood, VIC, Australia
Title: Contrastive Learning and Feature Space Tactics: A Dual Approach to Strengthen Backdoor Attacks
Abstract:
Backdoor attacks are a security threat to deep learning, where attackers inject malicious trigger features into the training data. This causes the model to behave normally during regular operations but produce predetermined incorrect outputs when specific trigger conditions are met. Current advanced text backdoor attack methods use grammar or text style as invisible backdoor trigger features. Although these methods are highly stealthy, their attack performance is poor, and they struggle to counter defenses based on fine-tuning strategies. In this paper, we propose a new multitask backdoor attack framework (CLaFS) for pretrained language models, which uses supervised contrastive learning and feature space isolation auxiliary tasks to increase textual backdoor attack performance. Supervised contrastive learning can enhance the ability of the auxiliary task to learn from poisoned samples, improving backdoor attack effectiveness through parameter sharing. The feature space isolation task enhances the sensitivity of the model to backdoor trigger features by separating poisoned data from other types of data in the feature space, reducing the model’s resistance to backdoor attacks. In addition, we propose a special attack method called Zero Poison Attack, which aims to indirectly achieve backdoor embedding without contaminating the training data of the target task. The experimental results show that our proposed methods significantly improve the performance of invisible textual backdoor attacks and perform well in various special attack scenarios, demonstrating good generalizability and robustness.
PaperID: 803,   
Authors:  Min Xie, Peichen Ju, Yanqi Zhao, Zoe L. Jiang, Man Ho Au, Junbin Fang, Yong Yu, Xuan Wang
Affiliations: Harbin Institute of Technology, Shenzhen, Shenzhen, China; School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China; School of Science and Technology, Jinan University, Guangzhou, China; School of Computer Science, Shaanxi Normal University, Xi’an, China
Title: FDAAC-CR: Practical Delegatable Attribute-Based Anonymous Credentials With Fine-Grained Delegation Management and Chainable Revocation
Abstract:
Delegatable Anonymous Credentials (DAC) enhance Anonymous Credentials (AC) systems by allowing credential owners to use and delegate their credentials anonymously. However, traditional DAC systems only support delegating credentials with all attributes, lacking the ability to manage fine-grained delegation, including the delegation of specific attributes and controlled further delegation. Additionally, while some DAC systems support credential revocation in case of unexpected events, they typically limit revocation to the lowest-level users or credentials, which is inadequate as revocation may be necessary at any level within the delegation chain. This is especially concerning, as malicious users delegated by the original malicious credentials may retain access to the resource even after those credentials have been revoked. To address these issues, we propose a delegatable attribute-based anonymous credential with fine-grained delegation management and chainable revocation (FDAAC-CR), which simultaneously achieves: 1) A delegator can delegate a credential on parts of attributes to others, 2) controlled delegation management that restricts further delegation capabilities at a fine-grained level, including depth and attribute sets, and 3) chainable revocation, ensuring that if a credential in the delegation chain is revoked, all subsequent credentials derived from it are also invalid. Moreover, we present a practical FDAAC-CR instance based on a novel primitive called structure-preserving signatures on equivalence classes on vector commitments (SPSEQ-VC). Furthermore, FDAAC-CR instance maintains a constant credential size, regardless of the delegation chain length and the number of attributes. We formally prove the security of our scheme, and show the practicality through performance benchmarks.
PaperID: 804,   
Authors:  Dan Lin, Jiajing Wu, Yuxin Su, Ziye Zheng, Yuhong Nan, Qinnan Zhang, Bowen Song, Zibin Zheng
Affiliations: School of Software Engineering, Sun Yat-sen University, Zhuhai, China; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China; Institute of Artificial Intelligence and Beijing Advanced Innovation Center for Future Blockchain and Privacy Computing, Beihang University, Beijing, China; Ant Group, Hangzhou, China
Title: Connector: Enhancing the Traceability of Decentralized Bridge Applications via Automatic Cross-Chain Transaction Association
Abstract:
Decentralized bridge applications are important software that connects various blockchains and facilitates cross-chain asset transfer in the decentralized finance (DeFi) ecosystem, which currently operates in a multi-chain environment. Cross-chain transaction association identifies and matches unique transactions executed by bridge DApps, which is important research to enhance the traceability of cross-chain bridge DApps. However, existing methods rely entirely on unobservable internal ledgers or APIs, violating the open and decentralized properties of blockchain. In this paper, we analyze the challenges of this issue and then present Connector, an automated cross-chain transaction association analysis method based on bridge smart contracts. Specifically, Connector first identifies deposit transactions by extracting distinctive and generic features from the transaction traces of bridge contracts. With the accurate deposit transactions, Connector mines the execution logs of bridge contracts to achieve withdrawal transaction matching. We conduct real-world experiments on different types of bridges to demonstrate the effectiveness of Connector. The experiment demonstrates that Connector successfully identifies 100% of deposit transactions, associates 95.95% of withdrawal transactions, and surpasses methods for CeFi bridges. Based on the association results, we obtain interesting findings about cross-chain transaction behaviors in DeFi bridges and analyze the tracing abilities of Connector to assist the DeFi bridge apps.
PaperID: 805,   
Authors:  Yishan Yang, Zheng Yan, Niya Luo, Jiajun Li, Mianxiong Dong, Kaoru Ota
Affiliations: State Key Laboratory of ISN, School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China; Department of Information and Electronic Engineering, Muroran Institute of Technology, Muroran, Japan
Title: HABC: A Mutual and Handover Authentication Scheme for Backscatter Communications With High Robustness
Abstract:
Backscatter communication (BC) is a promising wireless communication technology due to its low cost, ultra-low power consumption, and ease of maintenance. However, the broadcast and open nature of BC, which backscatters incident radio signals for message transformation, introduces severe security threats, creating a bottleneck that hinders its further development. Mutual and handover authentication across multiple access points (APs) is essential to secure large-scale BC systems containing mobile backscatter devices (BDs). However, an effective scheme is still absent in the current literature. In this paper, we propose HABC, a mutual and handover authentication scheme designed to secure BC systems, which can resist various attacks. HABC leverages the physical layer feature channel impulse response (CIR) to authenticate BDs. Using secret keys, the BD can verify the source of a received signal. When a BD transitions from the coverage of a source AP to a target AP, HABC supports handover authentication through the control of a server based on BD location prediction to maintain continuous communications. Theoretical analysis and numerical experimental evaluation validate the satisfactory performance of HABC in terms of accuracy and robustness, as well as its superiority through comparison with cutting-edge related work.
PaperID: 806,   
Authors:  Yonggan Wu, Hongrui Yuan, Yuan Zichao, Ling-Chao Meng, Yueyi Bai, Hongqiang Wang
Affiliations: Science Island Branch, Graduate School, University of Science and Technology of China, Hefei, China; Institute of Advanced Technology, QiXin MingZhi Technology, Hefei, China; Institute of Intelligent Machines, Zhongqi AI Joint Laboratory, HIPS, CAS, Hefei, China
Title: An Asymmetric Siamese Transformer With Global-Local Alignment Attention for Visible-X-Ray Cross-Modality Package Re-Identification
Abstract:
Visible-X-ray Cross-Modality Package Re-Identification (VX-ReID) is a critical task in security inspection, aiming to match visible-light images with X-ray images. The significant modality gap between these image types poses substantial challenges in extracting robust and fine-grained modality-invariant features. To effectively address these challenges, this paper introduces a novel cross-modality feature extraction framework, the Asymmetric Siamese Transformer with Global-Local Alignment Attention (AST-GLAA). The network comprises two key components: Cross-modality Asymmetric Siamese Transformer Structure (CAST-S) and Global-Local Cross-Modality Alignment Attention (GL-CMA). CAST-S leverages an asymmetric design in one branch of the Siamese Transformer network by introducing a LayerNorm layer and incorporating modality embeddings to enhance the robustness of modality-invariant features. Meanwhile, GL-CMA facilitates the interaction between global and local features, significantly improving the representation of fine-grained features while effectively addressing spatial misalignment issues in cross-modality images. Experimental results demonstrate that the proposed method achieves state-of-the-art (SOTA) performance on the VX-ReID task, highlighting its effectiveness and potential in addressing the challenges of cross-modality package re-identification.
PaperID: 807,   
Authors:  Yongze Li, Ning Li, Ajian Liu, Hui Ma, Liying Yang, Xihong Chen, Zhiyao Liang, Yanyan Liang, Jun Wan, Zhen Lei
Affiliations: School of Computer Science and Engineering, Faculty of Innovation Engineering, Macau University of Science and Technology, Macau, China; School of Software Engineering, Beijing Jiaotong University (BJTU), Beijing, China
Title: FA3-CLIP: Frequency-Aware Cues Fusion and Attack-Agnostic Prompt Learning for Unified Face Attack Detection
Abstract:
Facial recognition systems are vulnerable to physical (e.g., printed photos) and digital (e.g., DeepFake) face attacks. Existing methods struggle to simultaneously detect physical and digital attacks due to: 1) significant intra-class variations between these attack types, and 2) the inadequacy of spatial information alone to comprehensively capture live and fake cues. To address these issues, we propose a unified attack detection model termed Frequency-Aware and Attack-Agnostic CLIP (FA3-CLIP), which introduces attack-agnostic prompt learning to express generic live and fake cues derived from the fusion of spatial and frequency features, enabling unified detection of live faces and all categories of attacks. Specifically, the attack-agnostic prompt module generates generic live and fake prompts within the language branch to extract corresponding generic representations from both live and fake faces, guiding the model to learn a unified feature space for unified attack detection. Meanwhile, the module adaptively generates the live/fake conditional bias from the original spatial and frequency information to optimize the generic prompts accordingly, reducing the impact of intra-class variations. We further propose a dual-stream cues fusion framework in the vision branch, which leverages frequency information to complement subtle cues that are difficult to capture in the spatial domain. In addition, a frequency compression block is utilized in the frequency stream, which reduces redundancy in frequency features while preserving the diversity of crucial cues. We also establish new challenging protocols to facilitate unified face attack detection effectiveness. Experimental results on multiple benchmarks demonstrate that FA3-CLIP significantly improves performance, reducing ACER by over 1.2% on UniAttackData, and increasing AUC by more than 3% as well as reducing EER by over 4% on the JFSFDB dataset. The source code is available at https://github.com/YongzeLi/FA3-CLIP
PaperID: 808,   
Authors:  Mohamed Seif, Liyan Xie, Andrea J. Goldsmith, H. Vincent Poor
Affiliations: Department of Electrical and Computer Engineering, Princeton University, Princeton, NJ, USA; Department of Industrial and Systems Engineering, University of Minnesota Twin Cities, Minneapolis, MN, USA
Title: Differentially Private Online Community Detection for Censored Block Models: Algorithms and Fundamental Limits
Abstract:
We study the private online change detection problem for dynamic communities, using a censored block model (CBM). We consider edge differential privacy (DP) in both local and central settings, and propose joint change detection and community estimation procedures for both scenarios. We seek to understand the fundamental tradeoffs between the privacy budget, detection delay, and exact recovery of community labels. Further, we provide theoretical guarantees for the effectiveness of our proposed method by showing necessary and sufficient conditions for change detection and exact recovery under edge DP. Simulation and real data examples are provided to validate the proposed methods.
PaperID: 809,   
Authors:  Yan Wang, Ruiqi Liu, Tong Gao, Feng Shu, Xuemei Lei, Yongpeng Wu, Guan Gui, Jiangzhou Wang
Affiliations: School of Information and Communication Engineering, Hainan University, Haikou, China; Wireless and Computing Research Institute, ZTE Corporation, Beijing, China; College of Electronic Science and Engineering, Jilin University, Changchun, China; School of Information and Communication Engineering and the Collaborative Innovation Center of Information Technology, Hainan University, Haikou, China; College of Electronic Information Engineering, Inner Mongolia University, Hohhot, China; Shanghai Key Laboratory of Navigation and Location Based Services, Shanghai Jiao Tong University, Minhang, Shanghai, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; National Mobile Communications Research Laboratory, Southeast University, Nanjing, China
Title: A Novel RFID Authentication Protocol Based on a Block-Order-Modulus Variable Matrix Encryption Algorithm
Abstract:
In this paper, authentication for mobile radio frequency identification (RFID) systems with low-cost tags is investigated. To this end, an adaptive modulus (AM) encryption algorithm is first proposed. To further enhance security without requiring additional storage for new key matrices, a self-updating encryption order (SUEO) algorithm is designed. Furthermore, a diagonal block local transpose key matrix (DBLTKM) encryption algorithm is presented, which effectively expands the feasible domain of the key space. Building upon these three algorithms, a novel joint AM-SUEO-DBLTKM encryption algorithm is constructed. Making full use of the strengths of the proposed joint algorithm, a two-way RFID authentication protocol, named AM-SUEO-DBLTKM-RFID, is proposed specifically for mobile RFID systems. In addition, the Burrows-Abadi-Needham (BAN) logic and security analysis indicate that the proposed AM-SUEO-DBLTKM-RFID protocol can effectively combat various typical attacks. Numerical results demonstrate that the proposed AM-SUEO-DBLTKM algorithm can save 99.59% of tag storage over traditional algorithms. Finally, the proposed AM-SUEO-DBLTKM-RFID protocol achieves both low computational complexity and low storage overhead, making it well-suited for deployment in resource-constrained, low-cost RFID tags.
PaperID: 810,   
Authors:  Wei Xu, Hui Zhu, Jiaqi Zhao, Yandong Zheng, Fengwei Wang, Baishun Sun, Songnian Zhang, Dengguo Feng
Affiliations: State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China; State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
Title: SGBoost+: Efficient and Privacy-Preserving Vertical Boosting Trees for Federated Outsourced Training and Inference
Abstract:
Vertical federated learning for boosting trees has gained significant attention due to its ability to enable participants to collaboratively train high-quality models while preserving data privacy. However, existing privacy-preserving vertical boosting tree schemes suffer from high computation and communication costs or potential security vulnerabilities. Recently, SGBoost, a federated outsourced training and inference scheme, was proposed to address these challenges. However, its performance and security still require significant improvements. Therefore, we propose SGBoost+, an efficient and privacy-preserving vertical boosting tree framework for federated outsourced training and inference. Building upon the strengths of SGBoost, we introduce an RLWE-based lossless and secure internal node construction and an efficient oblivious inference algorithm to finish the model training and inference, significantly enhancing both security and efficiency. To reduce communication cost, we design a ciphertext compression algorithm for model training, which drastically minimizes data transmission costs. Additionally, we analyze the security of a symmetric encryption scheme, specify the required security conditions and parameters, and optimize our model inference based on its improved and secure version. Detailed security analysis confirms that SGBoost+ offers strong privacy guarantees. Extensive experiments demonstrate that SGBoost+ achieves efficient model training and inference with significantly lower computation and communication costs compared to state-of-the-art schemes.
PaperID: 811,   
Authors:  Jingting Xue, Wenyi Li, Fagen Li, Wenzheng Zhang, Yu Zhou, Xiaojun Zhang
Affiliations: School of Computer Science and Software Engineering, Research Center for Cyber Security, Southwest Petroleum University, Chengdu, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; Science and Technology for Communication Security Laboratory, Institute of Southwestern Communication, Chengdu, China
Title: Efficient Collaborative Data Cleaning Using Private Set Intersection and Encoding for Unbalanced Datasets
Abstract:
Data cleaning improves quality and consistency by detecting, localizing, and repairing “dirty” data without compromising sensitive information. Collaborative Data Cleaning (CDC) employs a distributed model to avoid single points of failure and trust issues in centralized systems, although it incurs additional communication overhead. Blass et al. (S&P’23) were the first to implement CDC via balanced Private Set Intersection (PSI). Unbalanced PSI (e.g., uPSI-CA, USENIX’23) does not address the localization of intersections within datasets and thus cannot be directly applied to CDC. uPSI-based data cleaning remains largely unexplored. In this paper, we propose an efficient CDC scheme for unbalanced datasets, named uECDC. uECDC employs oblivious key-value stores for slice matching, achieving: 1) a reduction of 18% to 85% in offline-phase runtime, and 2) a reduction of 8% to 43% in online-phase runtime (under large-scale data settings on the server side), when compared to the slice-linking approach of uPSI-CA. Moreover, we encode server-side data for fast localization of intersection data in unbalanced settings. Under the semi-honest adversary model, uECDC is provably secure. Implementation in Python and C++ demonstrates that uECDC is practically feasible.
PaperID: 812,   
Authors:  Pinchang Zhang, Shuangrui Zhao, Weibei Fan, Yulong Shen, Xiaohong Jiang, Fu Xiao
Affiliations: College of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Computer Science and Technology, Xidian University, Xi’an, China; School of Systems Information Science, Koritsu Hakodate Mirai Daigaku, Hakodate, Japan
Title: Reliable PLA With Array Error Features and Two-Beam Transmission in Millimeter-Wave Communication Systems
Abstract:
This paper focuses on developing a reliable physical layer authentication (PLA) scheme in a millimeter wave (mmWave) communication system. To this end, we first derive the statistical quantities of the radiation pattern with random array errors in terms of gain, phase, and position, and demonstrate that both the Beckmann distribution and the Rice distribution can effectively characterize the distorted radiation pattern. We then design a highly reliable PLA scheme, which combines three array error features to increase the distinguishability of the radiation pattern fused with these array errors, and creates constructive two-beam pattern transmission that can not only resist occasional blockages of a few constituent beams but also enhance the reliability of the PLA. Applying the principles of statistical signal processing and composite hypothesis testing, a theoretical framework modeling the typical performance metrics is also established to assess the performance of the proposed novel authentication scheme, under the Rice distribution approximation model for radiation pattern statistics. Finally, performance evaluation verifies the reliability and effectiveness of the proposed authentication scheme with various settings in the presence of identity-based impersonation attacks, and a performance comparison is also provided to highlight the performance gain from using the three array errors and two-beam pattern transmission.
PaperID: 813,   
Authors:  Junjie Xiong, Mingkui Wei, Xiao Han, Zhuo Lu, Yao Liu
Affiliations: Department of Computer Science and Engineering, University of South Florida, Tampa, FL, USA; Department of Cybersecurity Engineering, George Mason University, Fairfax, VA, USA; Department of Electrical Engineering, University of South Florida, Tampa, FL, USA
Title: The Implications of Insecure Use of Fonts Against PDF Documents and Web Pages
Abstract:
This paper identifies the importance of the safe use of fonts in web and document security. We find multiple attack surfaces that can be exploited by an adversary using malicious fonts. We conduct a comprehensive evaluation of Portable Document Format (PDF) documents collected from the real world to investigate how an attacker can bypass PDF signatures. We further evaluate the potential security threats that an attacker can bring to web-based emails. Our study shows that various security issues may be caused by the inappropriate use of fonts, which have nevertheless been overlooked in past years. As such, guidelines promoting the secure use of fonts could be beneficial in reinforcing the security measures for digital documents and web pages.
PaperID: 814,   
Authors:  Qiuyan Qian, Jianping Zeng
Affiliations: School of Computer Science, Fudan University, Shanghai, China
Title: FEPGuesser: Feedback-Information Enhanced Password Guesser Based on Natural Language Pre-Trained Model and VAE
Abstract:
Creating passwords involves a blend of natural language and password-specific knowledge. Merging these features to obtain better representations, and thus enhancing password-cracking efficiency, has consistently remained one of the core challenges in the field of password guessing. In this paper, we put forward the Feedback-information Enhanced Password Guesser (FEPGuesser). We demonstrate, for the first time, how Parameter Efficient Fine Tuning can integrate password knowledge, natural language understanding, and bidirectional attention mechanisms to capture the semantics of password sets well. Additionally, we propose the novel structure of PassExBertVAE, which integrates a pre-trained model with a Variational AutoEncoder (VAE) architecture for password guessing. We devise an algorithm that makes full use of the inherent properties of the password latent space generated by PassExBertVAE. This algorithm simulates real-world attack scenarios by leveraging attack feedback information to enhance cracking effectiveness. Experiments show that FEPGuesser overall achieves better results than PCFG, FLA, OMEN, PassGAN, PassFlow, DPG, and VAEPass. In particular, on the most complex 000webhost dataset, FEPGuesser surpasses the latest PCFG model by 8.75 percentage points and exceeds the representation-learning-based DPG model by 34.11 percentage points. Furthermore, cross-site attack experiments show that FEPGuesser is more target-adaptive than PCFG and other deep learning models.
PaperID: 815,   
Authors:  Yandong Zheng, Hui Zhu, Rongxing Lu, Songnian Zhang, Fengwei Wang, Jun Shao, Hui Li
Affiliations: State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China; School of Computing, Queen’s University, Kingston, ON, Canada; School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou, China
Title: Toward Efficient and Secure Hypercube Tree Building for Vertically Distributed Data in Cloud
Abstract:
The rapid development of big data and Internet of Things has promoted the formation of data silos, and cloud computing has facilitated the outsourcing of vertically distributed data to cloud servers. In outsourced query scenarios, building query indexes is crucial for balancing data utility and data privacy protection. The hypercube tree is a widely used index for multi-dimensional data, supporting various query types. Although secure hypercube tree-based queries have been extensively studied in existing works, they are not applicable for building a hypercube tree over vertically distributed ciphertext data. To address this issue, we propose the first efficient and secure hypercube tree building scheme for vertically distributed data, named SCTBuild. We first design a flexible three-party secret sharing (fTPSS) scheme, allowing data owners to flexibly configure secret sharing forms based on real-world computational, communication, and storage constraints. Then, we design a communication-efficient data outsourcing algorithm, a secure data permutation algorithm, and a secure data comparison algorithm based on the fTPSS scheme. After that, we propose our SCTBuild scheme based on the aforementioned algorithms, in which data owners first perform pre-computation on their data to improve tree-building efficiency. We prove that our fTPSS scheme, private algorithms, and the SCTBuild scheme are semantically secure in the simulation-based real and ideal worlds security model; and conduct experiments to validate their high efficiency.
PaperID: 816,   
Authors:  Lianghong Li, Xiaorong Jing, Hongjiang Lei, Chengchao Liang, Qianbin Chen
Affiliations: School of Communications and Information Engineering, Chongqing University of Posts and Telecommunications (CQUPT), Chongqing, China; Chongqing Key Laboratory of Mobile Communications Technology, Chongqing, China
Title: Distributed Anti-Jamming Strategy Based on Local Knowledge Diffusion and Differential Weighted Fusion Mechanisms
Abstract:
In complex jamming environments with multi-user spectrum sharing, existing distributed anti-jamming strategies are constrained by significant communication overhead, limited efficiency in knowledge dissemination, and low collaborative effectiveness. To address these challenges, a distributed anti-jamming strategy based on local knowledge diffusion and differential weighted fusion mechanisms (LKD-DWF-M) is proposed. In this strategy, a local knowledge diffusion mechanism is introduced to facilitate knowledge sharing among communication nodes, enabling each node to gain a comprehensive understanding of its neighbors’ behavior. Subsequently, a knowledge contribution measurement method based on mutual information is proposed, and a differential weighted fusion (DWF) mechanism is designed to effectively integrate the policy and value parameters of neighboring nodes. This integration enables accurate global value estimation while optimizing individual anti-jamming strategies. Additionally, the existence of the Nash equilibrium (NE) for each node’s policy and value parameters is theoretically established using Kakutani’s fixed-point theorem. Furthermore, through the construction of a Lyapunov function, it is demonstrated that the proposed strategy can stabilize and converge to the NE in the long-term jamming counteraction process. Simulation results indicate that, in comparison to anti-jamming strategies employing global knowledge diffusion and differential weighted fusion mechanisms (GKD-DWF-M), global knowledge diffusion and average fusion (GKD-AF-M), and local knowledge diffusion and average fusion (LKD-AF-M), the proposed distributed anti-jamming strategy achieves respective improvements of 4%, 17%, and 20% in system normalized throughput under statistical jamming (SJ). Under dynamic sweeping jamming (DSJ), the system normalized throughput improves by 8%, 11%, and 11.5%, respectively; under intelligent comb jamming (ICJ), it increases by 10%, 10.5%, and 19%, respectively; and under intelligent block jamming (IBJ), it increases by 5%, 16%, and 21%, respectively. Moreover, the proposed strategy exhibits superior convergence speed compared to other strategies. When the jammer alternates between SJ, DSJ, ICJ, and IBJ, the proposed distributed anti-jamming strategy responds quickly, demonstrating robustness in dynamic jamming environments.
PaperID: 817,   
Authors:  Yuanbo Li, Cong Hu, Xiaojun Wu
Affiliations: School of Artificial Intelligence and Computer Science and Jiangsu Provincial Laboratory of Pattern Recognition and Computational Intelligence, Jiangnan University, Wuxi, Jiangsu, China
Title: Transferable Stealthy Adversarial Example Generation via Dual-Latent Adaptive Diffusion for Facial Privacy Protection
Abstract:
The widespread application of deep learning-based face recognition (FR) systems poses significant challenges to the privacy of facial images on social media, as unauthorized FR systems can exploit these images to mine user data. Recent studies have utilized adversarial attack techniques to protect facial privacy against malicious FR systems by generating adversarial examples. However, existing noise-based and makeup-based methods produce adversarial examples with noticeable noise or undesired makeup attributes, and suffer from low transferability. In this paper, we propose a novel stealthy approach, named Dual-latent Adaptive Diffusion Protection (DADP), which uses a diffusion model to generate transferable stealthy adversarial examples consistent with the source images in order to protect facial privacy. DADP effectively harnesses adversarial information within both the semantic and diffusion latent spaces to explore adversarial latent representations. Unlike traditional methods that rely on bounded constraints and sign gradient optimization, DADP employs adaptive optimization to maximize the utilization of adversarial gradient information and introduces latent regularization to constrain the adaptive optimization process, ensuring that the protected faces maintain high privacy and a natural appearance. Extensive qualitative and quantitative experiments on the public CelebA-HQ and LADN datasets demonstrate that the proposed method crafts more natural-looking stealthy adversarial examples with superior black-box transferability compared to the state-of-the-art methods. The code is released at https://github.com/LiYuanBoJNU/DADP
PaperID: 818,   
Authors:  Qianwei Meng, Jing Tao, Qingjun Yuan, Guangsong Li, Yongjuan Wang, Bing Gao, Siqi Lu
Affiliations: Henan Key Laboratory of Network Cryptography Technology and the Key Laboratory of Cyberspace Security, Ministry of Education, Information Engineering University, Zhengzhou, China; MoE Key Laboratory for Intelligent Networks and Network Security, Xi’an Jiaotong University, Xi’an, China
Title: Detection of Unknown Attacks Through Encrypted Traffic: A Gaussian Prototype-Aided Variational Autoencoder Framework
Abstract:
The identification of encrypted network traffic presents a pivotal challenge in detecting unknown malicious traffic. Unlike closed-set identification, which primarily classifies known traffic classes, detecting unknown malicious traffic necessitates both accurate classification of known traffic and the identification of previously unseen traffic classes. Existing methods often face difficulties in effectively constraining the distribution size of known classes in the representation space and frequently misclassify unknown classes as known. To address these challenges, we propose Open-Detect, a robust theoretical framework for detecting unknown malicious traffic, which leverages advanced deep learning techniques, such as variational autoencoders and Gaussian prototypes. Open-Detect introduces two primary constraints: a generative constraint, which enhances intra-class compactness, and a discriminative constraint, which optimizes inter-class separation. These constraints collectively mitigate the risks of misclassifying known classes and failing to detect unknown classes. In Open-Detect, network flows are transformed into grayscale images, and each known traffic class is mapped to a unique Gaussian prototype in the latent space. This design ensures tight clustering of samples within the same class and clear separation of samples between different classes. The detection of unknown malicious traffic is performed based on the distance between samples and these prototypes. Extensive experiments conducted on multiple publicly available datasets substantiate the efficacy of Open-Detect. The results reveal significant improvements in intra-class compactness and inter-class separation, enabling superior performance in both closed-world and open-world scenarios, particularly for detecting unknown malicious traffic. Our code is available at: https://github.com/niebikong/Open-Detect
PaperID: 819,   
Authors:  Anmin Fu, Pengyu Xu, Jichunyang Li, Boyu Kuang, Yansong Gao
Affiliations: School of Cyber Science and Engineering and the School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Computer Science and Software Engineering, The University of Western Australia, Perth, WA, Australia
Title: InstructRepair: Instruct Large Language Models With Rich Bug Information for Automated Program Repair
Abstract:
Automated Program Repair (APR) automatically repairs software bugs based on buggy code snippets. It is instrumental in reducing the time and effort required for software maintenance. Recently, large language models (LLMs) have been utilized for APR and have demonstrated promising results. Existing APR approaches adopt an LLM learning paradigm of either prompt engineering or fine-tuning to perform APR tasks. However, prompt-based approaches underutilize the extensive high-quality bug-fix datasets available in the APR community, missing out on valuable repair knowledge. Conversely, fine-tuning-based APRs rely on LLMs to autonomously understand the entire complex APR task without the benefit of natural language guidance through a prompt. Additionally, the crucial bug information provided by bug-triggering test suites remains largely unexplored. Furthermore, while existing APRs focus only on repair effectiveness, they neglect patch ranking effectiveness, which also matters in real-world program repair scenarios. To address the above limitations, we propose InstructRepair, an innovative APR framework that integrates self-supervised instruction tuning with rich bug information to guide LLMs in generating high-quality patches. InstructRepair instructs APR tasks through detailed instructions and enhances repair performance by training LLMs over the first instructional APR dataset, which we construct. InstructRepair also extracts rich bug information (e.g., buggy line, bug’s context, bug’s diagnostics, test suites, and meta-information) to provide fix-relevant tokens and insights into the root causes of bugs for LLMs during both instruction tuning and the repair process. The instruction template, initiated from human domain knowledge and integrating this bug information, is refined through prompt tuning, which learns task-specific knowledge and automatically unleashes the hidden power stored in pre-trained LLMs. We evaluate InstructRepair on the widely adopted Defects4J v1.2 and v2.0 benchmarks for the Java programming language, demonstrating that our work outperforms seven state-of-the-art APR approaches by successfully fixing a total of 122 bugs (10 more than the best baseline) and repairing 19 unique bugs that previous work cannot. In terms of patch ranking effectiveness, InstructRepair also achieves the best performance with a fixing rate of 95.9% (60.0% for the best baseline). The ablation study further validates the contribution of each component to overall repair performance. We also apply InstructRepair to the Python programming language and beat four state-of-the-art APR approaches, which demonstrates our method’s cross-language generalization capability.
PaperID: 820,   
Authors:  Na Wang, Yifan Guo, Junsong Fu, Lunzhi Deng, Jianwei Liu
Affiliations: School of Cyber Science and Technology, Beihang University, Beijing, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; School of Mathematical Sciences, Guizhou Normal University, Guiyang, China
Title: An Efficient and Secure Spatial Keyword Ciphertext Retrieval Scheme Based on Cloud-Fog Collaboration
Abstract:
Location-Based Services are increasingly common in our lives. In order to reduce user overhead, the data owner stores the location information and text data on the cloud server, and the user completes the retrieval task with the help of the fog server. To protect the privacy of outsourced data, many secure spatial keyword retrieval schemes have been proposed. Most schemes use R-tree indexes to improve the efficiency of ciphertext retrieval, but the encrypted R-tree index is hard to update. Moreover, some indexes based on order-preserving encryption are vulnerable to frequency-revealing attacks. So how to balance efficiency and security is a problem. To solve the above problems, we propose an efficient and secure spatial keyword ciphertext retrieval scheme based on cloud-fog collaboration. First, we innovatively design the SK-tree. The Geohash algorithm and Simhash algorithm are used in SK-tree to compress information, achieving efficient retrieval. Secondly, our retrieval tree has the function of fuzzy order preservation, which can better hide the correspondence between plaintext and ciphertext compared to traditional index-based order-preserving encryption schemes. In addition, we design a cloud-fog-user interaction scheme for attribute-based encryption that can hide access control policies, which reduces the computational overhead for the user side. Finally, we prove through theoretical analysis that our scheme ensures cloud data security and query trap information privacy. We compare our scheme with others through simulation experiments to demonstrate its superiority in efficiency.
PaperID: 821,   
Authors:  Peng Gao, Jiangchuan Chen, Xun Che, Fan Liu, Yu Lu, Yuting Guan, Junjiang He
Affiliations: School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China; School of Cyber Science and Engineering, Sichuan University, Chengdu, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Title: Attention-Driven Deep Neural Networks With Cross-Channel Temporal Modeling for Robust Cybersecurity Situational Awareness
Abstract:
With the growing complexity and diversity of network attacks, single defense methods are no longer sufficient to meet modern cybersecurity needs, necessitating comprehensive measures to manage the entire attack-defense landscape. Situational awareness systems address this by analyzing multi-source information to assess security postures and predict trends. Traditional methods suffer from low prediction accuracy due to data imbalance, reliance on expert experience, and information loss. To address these issues, this paper proposes a deep neural network-based model for cybersecurity situational awareness. The model first extracts situational elements using a variational autoencoder with an integration strategy, trained solely on normal data and optimized via random weight averaging to enhance robustness and detect anomalies. It then evaluates the security posture by extracting features from heterogeneous data through a neural network, applying attention-based feature fusion, and incorporating one-dimensional convolutional neural networks to reduce dependence on expert knowledge. Finally, the model predicts the security posture using a sample convolution and interaction unit, capturing temporal dependencies while mitigating information loss with a cross-channel module. Experimental results on real-world datasets demonstrate that the proposed model achieves superior performance in addressing key challenges in cybersecurity situational awareness, with a 14% improvement in accuracy compared to the baseline model.
PaperID: 822,   
Authors:  Tingting Li, Ziming Zhao, Jianwei Yin
Affiliations: School of Software Technology, Zhejiang University, Ningbo, China
Title: Task-Driven Device Fingerprinting for Quantum Cloud Platforms via Modeling QNN Outcomes Under Noise
Abstract:
Quantum Computing (QC) has recently achieved significant technological progress, attracting growing interest from both academia and industry. As most users currently access QC resources through cloud platforms, concerns around the security and accountability of quantum services have become increasingly prominent. In particular, quantum noise, typically considered a source of error, can also reveal device-specific signatures that enable Quantum Device Fingerprinting (QDF). While QDF has legitimate applications such as anomaly detection and device accountability, it also carries dual-use risks, including potential misuse for unauthorized device tracking or targeted attacks. In this paper, we propose a novel Task-Driven Quantum Device Fingerprinting (TD-QDF) identification method based on quantum task outputs. We extract the fingerprint features of quantum devices from noisy quantum computing results. Unlike previous research, our method does not require any additional information (e.g., hardware details or noise information), thereby enhancing its practical applicability and accessibility. We conduct large-scale experiments using six QNN circuits on 10 IBM quantum computers, extend four classical quantum algorithms to validate generality, and demonstrate scalability on three 127-qubit processors. Specifically, the highest accuracy can reach up to 94.32% in the 3-classification device fingerprint recognition task and up to 82.4% and 61.6% in the 7-classification and 10-classification tasks, respectively. This research contributes to advancing quantum fingerprinting technologies and has promising implications for enhancing the security and accountability of quantum computing systems and quantum cloud services.
PaperID: 823,   
Authors:  Haiyang Yu, Yurun Chen, Shen Su, Jian Su, Yuwen Chen, Zhen Yang
Affiliations: Faculty of Information Technology, Beijing University of Technology, Beijing, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China; School of Software, Nanjing University of Information Science and Technology, Nanjing, Jiangsu, China
Title: DART: Distributed Zero Knowledge Data Auditing With Retrievability for Blockchain-Based Decentralized Storage Networks
Abstract:
The advent of blockchain technology has led to the development of decentralized storage networks, revolutionizing the way data are stored and accessed and offering advantages such as cost-effective services, improved data sovereignty, and resistance to censorship. However, nodes of decentralized storage networks cannot be fully trusted and data stored in them may not be as secure and intact as claimed. Therefore, how to guarantee the storage service quality in decentralized storage networks is still a major problem to be solved. In this paper, we propose DART, a distributed zero knowledge data auditing scheme for blockchain-based decentralized storage networks, periodically authenticating both the integrity and the retrievability of data in decentralized storage networks. We design an efficient integrity auditing protocol for decentralized nodes based on distributed zero knowledge protocols, which improves the performance of auditing whilst maintaining low cost with zero knowledge protocols. Furthermore, we introduce the erasure code in decentralized storage networks to support data retrievability across decentralized nodes. By leveraging accumulator techniques to design a dual accumulation strategy, we build a batch verification approach to improve the communication and computation efficiency in data retrieval checking. We analyze the security of DART under the random oracle model and conduct extensive experiments to evaluate its performance. Experimental results affirm that DART outperforms state-of-the-art approaches in decentralized storage networks, reducing the overhead in both the storage and verification phases by more than 70%. Moreover, this performance advantage becomes increasingly pronounced with larger file sizes, underscoring the scalability and practicality of DART.
PaperID: 824,   
Authors:  Chaoying Yuan, Jingpeng Bai, Shumei Yuan, Wei Ni
Affiliations: China Telecom Research Institute, Shanghai, China; China Telecom Research Institute, Guangzhou, China; School of Communication Science and Engineering, Fudan University, Shanghai, China
Title: Stealthy and Effective Clean-Label Backdoor Attack via Adaptive Frequency-Domain Suppression and Trigger Combination
Abstract:
Deep Neural Networks (DNNs) remain vulnerable to backdoor attacks. These attacks are pernicious when attackers inject a trigger into the input data without altering its ground-truth label, known as clean-label backdoor attacks. The effectiveness and stealth of existing clean-label backdoor attacks rely on access to global training data, making them resource-intensive and impractical. This paper introduces a novel clean-label backdoor attack that achieves high attack success rates (ASR) while maintaining exceptional stealth under realistic constraints. Unlike prior approaches focused on spatial differences between clean and poisoned data, a key novelty of the new attack is the suppression of high-frequency components in the frequency domain, which minimizes human-detectable contrasts and enhances trigger imperceptibility. Moreover, we employ an affine combination of static and adaptive triggers, effectively balancing their strengths to maximize ASR. Surrogate models are designed to simulate victim model behavior and auxiliary models are applied to extract the spatial and frequency features of the static triggers, enabling trigger design with minimal knowledge of the victim model. Our attack achieves a higher ASR than state-of-the-art backdoor attacks while maintaining higher benign accuracy across various models and datasets. It also demonstrates strong resistance against the latest defense mechanisms, including STRIP, SentiNet, neural cleanse, fine-pruning, and ANP.
PaperID: 825,   
Authors:  Jie Liu, Lianda Yao, Yanqi Li, Hongliang Liang
Affiliations: TSIS Laboratory, Beijing University of Posts and Telecommunications, Beijing, China
Title: Toward Automatic Heap Exploit Generation by Using Heap Layout Constraints on Binary Programs
Abstract:
Automatic exploit generation (AEG) is widely recognized as one of the most effective methods for assessing the risk level of vulnerabilities. To exploit heap-related vulnerabilities, it is necessary to precisely form a desired heap layout and construct an effective payload. However, prior AEG solutions are inefficient in analyzing heap operation traces for manipulating the heap layout of a program, and often fail to consider how to precisely construct payloads that align with the structure of vulnerable objects, which ultimately results in the failure to exploit vulnerabilities. In this paper, we propose HEXP, a novel system that can generate working exploit samples that result in exploitable states on binaries. Given a binary program and a PoC (proof-of-concept) input, HEXP first extracts heap operation traces and then determines their semantics, e.g., the size of each heap allocation. Subsequently, HEXP executes the program with the PoC to infer the target heap layout and analyzes the member types of the vulnerable object. As a result, HEXP inserts suitable heap operation traces into the PoC’s execution trace to synthesize a target trace and constructs corresponding data constraints, whose execution leads to the target heap layout. Finally, HEXP generates exploit samples by symbolically executing the target trace while applying these data constraints. We evaluated HEXP against 18 CTF (Capture-the-Flag) programs and 12 real-world binary programs with 19 known CVEs. The results highlight that: 1) HEXP surpasses MAZE in accurately and efficiently identifying heap operation traces; 2) HEXP infers correct target heap layouts and generates exploit samples for 16 CTF programs, outperforming Revery by 7 programs; and 3) HEXP successfully achieves the target heap layouts for 16 out of 19 CVEs in real-world binaries.
PaperID: 826,   
Authors:  Ning Liu, Jeng-Shyang Pan, Shangkun Liu, Wei-Min Zheng
Affiliations: Shandong University of Science and Technology, Qingdao, Shandong, China; Nanjing University of Information Science and Technology, Nanjing, Jiangsu, China
Title: Three-Player Game Theory and p-PCPSO for Defense Resource Allocation in Wireless Sensor Networks
Abstract:
With the development of artificial intelligence, the security problem of wireless sensor networks (WSN) is becoming more and more serious. Existing research mainly considers the confrontation between attacker and defender. In this paper, a sleeper is introduced into the confrontation process. The sleeper exists independently of attacker and defender and chooses a side based on the conditions of the confrontation game. A three-player game model is established to analyze this confrontation. Large-scale strategy spaces make it difficult to find the Nash equilibrium (NE) of the three-player game. To solve this problem, a parallel compact particle swarm optimization based on the Pareto distribution (p-PCPSO) is proposed. The p-PCPSO not only reduces memory use but also improves optimization performance. Experiments show that p-PCPSO has better optimization performance than other algorithms on 75% of the CEC2013 test functions. The effectiveness of using p-PCPSO to solve for the NE is demonstrated by experiments, and how different resources and game values influence the defender’s benefit is analyzed experimentally. This three-player game model can be extended to intrusion detection and cyber resilience. This paper provides ideas for network security automation and active defense in the real world.
PaperID: 827,   
Authors:  Feng Liu, Yin Li, Wenfeng Zeng, Linlin Shen
Affiliations: College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, China; Guangdong Provincial Key Laboratory of Intelligent Information Processing, Shenzhen, China
Title: Binarized Internal Fingerprint Reconstruction From Optical Coherence Tomography Based on Image Region Regression
Abstract:
Internal fingerprint reconstruction is critical for bridging traditional fingerprint recognition with Optical Coherence Tomography (OCT)-based techniques. However, current reconstructed internal fingerprints often suffer from low ridge-valley contrast, noise interference, and ridge adherence issues. Traditional fingerprint enhancement techniques address these challenges but involve reconstructing 3D OCT fingerprints into 2D internal fingerprints, followed by enhancement. This two-step approach leads to module inconsistencies and difficulties in parameter setting during the enhancement process. To overcome these limitations, we propose, for the first time, a method that directly reconstructs binarized internal fingerprints. The proposed method employs an image region regression module that directly treats ridge blocks within B-scan images as regional units for regression, yielding 1D feature vectors representing ridges and valleys. Additionally, leveraging the continuity of information between adjacent B-scan images, a window adjustment function is introduced to refine the regression values, ensuring more stable binarized internal fingerprints. Experiments were conducted on publicly available OCT fingerprint benchmark datasets to compare minutiae extraction and matching performance. The binarized internal fingerprints obtained by the proposed method achieved the highest mean NFIQ2 score. Using the NBIS software, and compared to existing OCT internal fingerprint reconstruction methods, the proposed method achieved the lowest Equal Error Rate (EER) of 0.78%. In addition, compared to traditional fingerprint enhancement methods, the proposed method attained the highest F1-score for minutiae extraction at 72.39%. It also achieved the lowest EER, a 37.1% reduction compared to the best existing result.
PaperID: 828,   
Authors:  Lipeng Song, Yuhui Zhu, Songyang Wu
Affiliations: School of Airspace Science and Engineering and Shandong Key Laboratory of Intelligent Electronic Packaging Testing and Application, Shandong University, Weihai, China; School of Data Science and Technology, North University of China, Taiyuan, China; The Third Research Institute of Ministry of Public Security, Shanghai, China
Title: Contrastive Analysis: Extracting Discriminative Features From Highly Similar Vulnerable-Patched Codes for Vulnerability Detection
Abstract:
Currently, deep learning-based software vulnerability detection methods often perform poorly in real-world applications. Through an analysis of 13 real-world projects and 4 open-source vulnerability datasets, we identify two key factors contributing to this performance degradation: (i) unreliable labels of benign code in existing datasets and (ii) high similarity between the vulnerable code and its corresponding patched code (i.e., high code overlap). To address these challenges, we propose the contrastive analysis-based software vulnerability detection (CA-SVD) method. Specifically, (i) we automatically extract a contrastive vulnerability–patch dataset from open-source vulnerability datasets and apply a contrastive pruning algorithm to remove code irrelevant to the corresponding vulnerability in each sample. This strategy not only increases the relevance of extracted code but also mitigates the issue of unreliable labels. (ii) We design a Siamese GGNN model, where a GRU module captures long-range dependencies between vulnerability code and distant code segments. The GGNN is trained on the contrastive dataset using a contrastive loss function to maximize the distance between vulnerabilities and their patches in the embedding space. Furthermore, we use pairwise accuracy to select model parameters that can simultaneously identify vulnerabilities and their corresponding patches, thus capturing their key differences more effectively. Experiments on 4 open-source datasets show that our method outperforms 7 state-of-the-art methods, achieving improvements in accuracy of at least 10.98%, 11.12%, 10.05%, and 16.75%. Additionally, in 13 real-world projects, our method achieves at least a 9.55% improvement in accuracy and a 17.43% improvement in recall compared with the 7 baseline methods.
PaperID: 829,   
Authors:  Junduan Huang, Sushil Bhattacharjee, Sébastien Marcel, Wenxiong Kang
Affiliations: School of Artificial Intelligence, South China Normal University, Foshan, China; Biometrics Security and Privacy Group, Idiap Research Institute, Martigny, Switzerland; School of Automation Science and Engineering, South China University of Technology, Guangzhou, China
Title: Study of Full-View Finger Vein Biometrics on Redundancy Analysis and Dynamic Feature Extraction
Abstract:
As a biometric trait drawing increasing attention, finger vein (FV) has been studied from many perspectives. One promising new direction in FV biometrics research is full-view FV biometrics, where multiple images, covering the entire surface of the presented finger, are captured. Full-view FV biometrics presents two main problems: increased computational load, and a low performance-to-cost ratio for some views/regions. Both problems are related to the inherent redundancy in the vascular information available in full-view FV images. In this work, we address this redundancy issue in full-view FV biometrics. Firstly, we propose a straightforward FV redundancy analysis (FVRA) method for quantifying the information redundancy in FV images. Our analysis shows that the redundancy ratio of full-view FV images is up to 83%-87%. Then, we propose a novel feature extraction model, named FV dynamic Transformer (FDT), whose architecture is configured based on the redundancy analysis results. The FDT focuses on both local (single-view) information and global (full-view) information at different processing stages. Both stages provide the advantage of de-redundancy and noise avoidance. Additionally, the end-to-end architecture simplifies the full-view FV biometrics pipeline by enabling the direct, simultaneous processing of multiple input images, thus consolidating multiple steps into one. A series of rigorous experiments is conducted to evaluate the effectiveness of the proposed methods. Experimental results show that the proposed FDT achieves state-of-the-art authentication performance on the MFFV-N dataset, yielding an EER of 0.97% on the development set and an HTER of 1.84% on the test set under the balanced protocol and EER criterion. The cross-domain generalization capability of FDT is also demonstrated on the LFMB-3DFB dataset, where it achieves an EER of 7.24% and an HTER of 7.34% under the same protocol and criterion.
Code for the proposed methods can be accessed via: https://github.com/SCUT-BIP-Lab/FDT
PaperID: 830,   
Authors:  Haohao Sun, Sihan Lan, Haixia Wang, Yilong Zhang, Yipeng Liu, Peng Chen, Ronghua Liang
Affiliations: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, China
Title: CRM-NAS: A Structure-Adaptive and Attention-Based Approach for Fingerprint Reconstruction From Noisy OCT Data
Abstract:
As essential biometric features, fingerprints have been widely utilized in various security domains. However, the performance of conventional Automated Fingerprint Identification Systems (AFISs) is limited by the quality of the external fingerprint (EF), particularly in cases involving damaged or deformed prints. Using the internal fingerprint (IF) acquired by Optical Coherence Tomography (OCT) to address these limitations has emerged as a promising method. IFs can compensate for and restore missing ridge pattern features in degraded EFs, thereby improving the overall recognition accuracy of AFIS. However, the reconstruction of IFs is significantly constrained by speckle noise in OCT images, making the accurate extraction of finger tissue contours complex and computationally intensive. To improve the applicability of OCT fingerprints, this paper proposes a Neural Architecture Search (NAS)-based OCT fingertip internal contour regression network, denoted CRM-NAS. CRM-NAS employs a NAS-based internal feature extraction module (NAS-IEM) to adaptively optimize the network architecture and complexity for noisy OCT fingertip data, facilitating the effective capture of global internal contour features. Furthermore, an attention-based contour regression module (Att-CRM) is introduced to refine local contour details by leveraging multi-scale intermediate features extracted from different network layers, enabling the generation of continuous and accurate internal contours. Experimental results demonstrate that CRM-NAS not only outperforms existing methods in terms of contour extraction accuracy, fingerprint reconstruction quality, and verification performance, but also maintains a relatively compact parameter size.
PaperID: 831,   
Authors:  Lin Wan, Yue Cao, Changbing Bi, Zhiquan Liu, Jian Feng Ma, Yi Ren
Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, China; College of Cyber Security, Jinan University, Guangzhou, China; School of Cyber Engineering, Xidian University, Xi’an, China; School of Computing Sciences, University of East Anglia (UEA), Norwich, U.K.
Title: PBRU: Privacy-Preserving and Blockchain-Assisted Reputation Updating With Malicious Detection for Cloud-Supported Vehicular Networks
Abstract:
Reputation updating plays a vital role in cloud-supported vehicular networks, ensuring the continuous freshness of trustworthiness. However, existing solutions suffer from insufficient privacy and security, and impose significant computation and communication overheads on resource-constrained vehicles. In addition, they require vehicles to pre-load numerous keys and reputation certificates, complicating certificate management and raising key escrow and revocation issues. Thus, in this paper, we introduce a Privacy-preserving and Blockchain-assisted Reputation Updating (PBRU) scheme with malicious detection for cloud-supported vehicular networks. Specifically, based on an improved exponential ElGamal variant, the reputation feedback generation and verification process avoids time-consuming homomorphic exponentiation and bilinear pairing operations, so that the computation and communication overheads of vehicles are reduced by 87.42% and 43.32%, respectively. Besides, the PBRU scheme reconstructs the key derivation algorithm and records reputation certificates on the blockchain, eliminating the need to pre-load keys and certificates on vehicles while enabling traceability. Moreover, the PBRU scheme detects duplicate malicious feedback using a Bloom filter. Furthermore, theoretical proof and analysis show that the PBRU scheme satisfies more security requirements than state-of-the-art schemes. Finally, a comprehensive simulation evaluation demonstrates the effectiveness and practicality of our PBRU scheme.
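The abstract states that PBRU detects duplicate malicious feedback with a Bloom filter but does not spell out the construction. The block below is an added example of how such a duplicate check is typically built, not PBRU's own code: the feedback key, the (reporter, target, epoch) binding, the filter sizing and the sample feedback list are all assumptions made for this illustration.

```python
"""Bloom-filter duplicate-feedback check (added example; not the PBRU construction).
Key fields, sizing and the sample feedback are assumptions for illustration."""
import hashlib
import math
from typing import Iterable, List, Tuple

Feedback = Tuple[str, str, int, int]  # (reporter, target, epoch, score); assumed layout


class BloomFilter:
    def __init__(self, n_expected: int, fp_rate: float) -> None:
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> Iterable[int]:
        # Kirsch-Mitzenmacher double hashing: h_i = h1 + i * h2 (mod m) from one SHA-256.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so all i give distinct slots
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: bytes) -> bool:
        # False means definitely absent; True means present OR a false positive.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def feedback_key(reporter: str, target: str, epoch: int) -> bytes:
    """Canonical, length-prefixed encoding so ('ab','c') and ('a','bc') cannot collide."""
    parts = [reporter.encode(), target.encode(), str(epoch).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def filter_duplicates(feedbacks: List[Feedback], n_expected: int = 10_000,
                      fp_rate: float = 1e-6) -> Tuple[List[Feedback], List[Feedback]]:
    """Split feedback into (accepted, rejected). A rejected entry is a replay of an
    earlier (reporter, target, epoch) key or, with probability about fp_rate, a false positive."""
    seen = BloomFilter(n_expected, fp_rate)
    accepted: List[Feedback] = []
    rejected: List[Feedback] = []
    for fb in feedbacks:
        reporter, target, epoch, _score = fb
        key = feedback_key(reporter, target, epoch)
        if seen.might_contain(key):
            rejected.append(fb)
        else:
            seen.add(key)
            accepted.append(fb)
    return accepted, rejected


# Constructed sample: vehicle V1 submits the same negative feedback about V9 twice in epoch 17.
SAMPLE_FEEDBACK: List[Feedback] = [
    ("V1", "V9", 17, -1),
    ("V2", "V9", 17, +1),
    ("V1", "V9", 17, -1),   # replay of the first entry: should be rejected
    ("V1", "V9", 18, -1),   # next epoch: a fresh, legitimate feedback
    ("V3", "V7", 17, +1),
]

if __name__ == "__main__":
    ok, dup = filter_duplicates(SAMPLE_FEEDBACK)
    print("accepted:", ok)
    print("rejected:", dup)
```

Two caveats a deployment has to handle. First, a Bloom filter has no false negatives but does have false positives, so a rejection is only probabilistic evidence of a replay; either size the filter for the expected volume (the constructor above does this from n_expected and fp_rate) or treat a hit as a trigger for an exact check rather than a final verdict. Second, a Bloom filter cannot delete entries, so the filter should be rotated per reputation period instead of growing without bound.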
PaperID: 832,   
Authors:  Dawei Zhao, Haoran Li, Lijuan Xu, Zhen Wang, Haipeng Peng
Affiliations: Key Laboratory of Computing Power Network and Information Security, Ministry of Education, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan, China; School of Artificial Intelligence, Optics and Electronics (iOPEN), and the School of Mechanical Engineering, Northwestern Polytechnical University, Xi’an, Shaanxi, China; Information Security Center, State Key Laboratory of Networking and Switching Technology, and the National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications, Beijing, China
Title: DRCAD: Dual-View Experts Routing and Counterfactual Generation for Explainable Time Series Anomaly Detection
Abstract:
Time series anomaly detection is critical in domains such as cybersecurity monitoring, network operations, and industrial control systems. Lately, unsupervised anomaly detection methods that utilize contrastive learning have shown promise. However, existing approaches often struggle to model high-dimensional temporal dependencies efficiently and rely on rigid feature-fusion schemes that can inadvertently amplify noise. These factors increase computational overhead and sensitivity to irrelevant signals, hindering the capture of salient patterns. Additionally, the explainability of anomalies detected by these mechanisms is often limited, restricting their use in traceable detection processes and as an explicit basis for decision-making. In this paper, we propose dual-view experts routing and counterfactual generation for explainable time series anomaly detection (DRCAD), a novel framework that detects anomalies within time series data while providing intuitive and actionable explanations for model predictions. DRCAD uses in-patch and patch-wise perspectives as input views for the contrastive learning model, employing a flattened attention mechanism with lightweight spatial projections and a Patch Mixture of Experts (MoE) layer for adaptive routing and information fusion. It identifies anomalies by expanding the discrepancy between normal and anomalous points in the representation space, subsequently outputting anomaly scores. These anomaly scores guide the generation of counterfactual samples, integrating feature change tendencies with normalized feature impacts to derive a feature importance ranking as the explanation. We evaluate DRCAD on six widely used datasets and observe state-of-the-art (SOTA) performance. Moreover, in the explainability evaluation on the SWaT dataset, DRCAD achieves superior realism and sparsity in counterfactual generation compared to existing methods, with top-ranked features closely matching officially documented attack characteristics.
PaperID: 833,   
Authors:  Naiyu Wang, Shen Wang, Meng Li, Longfei Wu, Zijian Zhang, Zhitao Guan, Liehuang Zhu
Affiliations: School of Control and Computer Engineering, North China Electric Power University, Beijing, China; Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, the School of Computer Science and Information Engineering, Anhui Province Key Laboratory of Industry Safety and Emergency Technology, and the Intelligent Interconnected Systems Laboratory of Anhui Province, Hefei University of Technology, Hefei, China; Department of Mathematics and Computer Science, Fayetteville State University, Fayetteville, NC, USA; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China
Title: Balancing Differential Privacy and Utility: A Relevance-Based Adaptive Private Fine-Tuning Framework for Language Models
Abstract:
Differential privacy (DP) has been proven to be an effective universal solution for privacy protection in language models. Nevertheless, the introduction of DP incurs significant computational overhead. One promising approach to this challenge is to integrate Parameter Efficient Fine-Tuning (PEFT) with DP, leveraging the memory-efficient characteristics of PEFT to reduce the substantial memory consumption of DP. Given that fine-tuning aims to quickly adapt pretrained models to downstream tasks, it is crucial to balance privacy protection with model utility to avoid excessive performance compromise. In this paper, we propose a Relevance-based Adaptive Private Fine-Tuning (Rap-FT) framework, the first approach designed to mitigate model utility loss caused by DP perturbations in the PEFT context, and to achieve a balance between differential privacy and model utility. Specifically, we introduce an enhanced layer-wise relevance propagation process to analyze the relevance of trainable parameters, which can be adapted to the three major categories of PEFT methods. Based on the relevance map generated, we partition the parameter space dimensionally, and develop an adaptive gradient perturbation strategy that adjusts the noise addition to mitigate the adverse impacts of perturbations. Extensive experimental evaluations are conducted to demonstrate that our Rap-FT framework can improve the utility of the fine-tuned model compared to the baseline differentially private fine-tuning methods, while maintaining a comparable level of privacy protection.
PaperID: 834,   
Authors:  Jianjin Zhao, Qi Li, Zewei Han, Junsong Fu, Guoshun Nan, Meng Shen, Bharat K. Bhargava
Affiliations: Department of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Department of Computer Science, Purdue University, West Lafayette, IN, USA
Title: ReTrial: Robust Encrypted Malicious Traffic Detection via Discriminative Relation Incorporation and Misleading Relation Correction
Abstract:
Encryption techniques greatly ensure the confidentiality and integrity of network communications. However, they also allow attackers to conceal malicious activities within encrypted traffic, posing severe cybersecurity challenges. Current detection methods primarily rely on statistics and correlation analysis. However, both statistical features and inter-entity relations can be easily obfuscated. Moreover, low-quality data and fixed feature sets limit generalizability and adaptability against various evasion techniques. Robustifying encrypted malicious traffic detection under adverse conditions is still an open problem. In this paper, we propose ReTrial, a robust encrypted malicious traffic detection system based on discriminative relation incorporation and misleading relation correction. The key motivations behind ReTrial are to accurately leverage the rich relations among flows for contextual analysis, and to correct misleading ones for robust threat detection. Specifically, we construct a relational multigraph and develop a tailored Graph Attention Network (GAT) to selectively incorporate contextual information. Then we retrieve multi-order neighborhood similarity graphs as observations for adaptive relation correction. Following an iterative scheme, detector performance and graph topology are mutually optimized. To validate the robustness of ReTrial, we simulate various adverse conditions by randomly dropping packets and greedily injecting perturbation edges. The experimental results show that ReTrial is competitive under ideal conditions. Under adverse conditions, while the performance of other state-of-the-art methods degrades significantly, ReTrial consistently exhibits superior performance with a maximum reduction of only 5.88% in F1, highlighting its robustness in threat detection.
PaperID: 835,   
Authors:  Yibin Zhang, Yuchao Liu, Juzhen Wang, Qi Xuan, Yun Lin, Guan Gui
Affiliations: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Electronic and Information Engineering, Beihang University, Beijing, China; School of Communication Engineering, Hangzhou Dianzi University, Hangzhou, China; Institute of Cyberspace Security, Zhejiang University of Technology, Hangzhou, China; College of Information and Communication Engineering, Harbin Engineering University, Harbin, China
Title: Enhancing Specific Emitter Identification: A Semi-Supervised Approach With Deep Cloud and Broad Edge Integration
Abstract:
Specific emitter identification (SEI) is crucial in the Internet of Everything (IoE). Over the past decade, deep learning (DL)- and broad learning (BL)-enabled SEI technologies have emerged. Both DL- and BL-based SEI methods rely on extensive radio frequency (RF) signal samples and corresponding labels, but labeling unknown signals is a costly task with considerable overhead. Consequently, many researchers have begun exploring semi-supervised learning techniques to address the semi-supervised SEI (SS-SEI) problem with limited labeled RF signals. However, existing SS-SEI solutions often prioritize identification performance, leading to high computational overheads and a lack of iterability and scalability. To overcome these challenges, this paper proposes a novel SS-SEI solution, termed deep cloud and broad edge (DCBE). This approach integrates a DL-based SEI method at the cloud server with an updatable BL-based SEI method at the edge node. Initially, several DL-based SEI models are trained using labeled historical data at the cloud server. Meanwhile, an updatable BL-based SEI method is deployed locally on the edge node to identify unlabeled signals. When the DCBE solution is operational, edge nodes capture real-time unlabeled RF signals. The pre-trained DL-based SEI method and the local BL-based SEI method jointly identify these RF signals. The identification results, along with the new real-time RF signals, are then used to update the weights of the BL-based SEI method at the edge nodes. The DCBE SS-SEI solution is validated using an open-source, large-scale, real-world automatic dependent surveillance-broadcast (ADS-B) dataset. Experimental results demonstrate that the proposed DCBE solution offers significant advantages in terms of SS-SEI performance, reduced computational overhead without GPU dependency, and system robustness in complex environments.
PaperID: 836,   
Authors:  Bei Li, Hong Zhong, Jie Cui, Chengjie Gu, Debiao He
Affiliations: Key Laboratory of Intelligent Computing and Signal Processing, Ministry of Education, School of Computer Science and Technology and Anhui Engineering Laboratory of IoT Security Technologies, Anhui University, Hefei, China; School of Public Security and Emergency Management, Anhui University of Science and Technology, Hefei, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: RRMAC: A Multi-Data Owner Access Control Scheme With Robust Revocation for Co-Owned Data Sharing
Abstract:
Due to the rising requirement for data sharing, multi-data owner access control schemes have emerged, where a single data file is jointly owned by multiple data owners. Since the shared files contain information from multiple data owners, it is crucial to revoke malicious users to minimize harm when data leakage occurs. However, current multi-data owner solutions typically rely on a single data owner to encrypt and share data and fail to provide robust user revocation. When revocation is managed by a single entity, it may fail to protect the rights of all data owners and can introduce a single point of failure in multi-data owner settings. On the other hand, if revocation requires the participation of all data owners, user access may fail if some owners are offline or compromised. To address these issues, we propose a robust multi-data owner access control scheme with efficient user revocation. We construct a secret resharing protocol based on secret sharing technology and propose a multi-data owner access control scheme. Only users who obtain a sufficient number of private keys can decrypt the ciphertext. To achieve multi-owner controlled revocation, we use key splitting to divide the user’s private key into an authorization key and an update key and embed a period into the update keys. During user revocation, the cloud updates the ciphertext and the data user can decrypt the ciphertext without obtaining the update keys of all data owners. The thorough performance analysis shows that the overhead of the proposed scheme is acceptable. Specifically, the proposed scheme takes approximately 0.5 seconds to encrypt, and with preprocessing, this time is reduced to 0.06 seconds, while decryption requires around 0.15 seconds on the Raspberry Pi.
PaperID: 837,   
Authors:  Qi Guo, Shanmin Pang, Xiaojun Jia, Yang Liu, Qing Guo
Affiliations: School of Software Engineering, Xi’an Jiaotong University, Xi’an, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Institute of High Performance Computing (IHPC) and the Centre for Frontier AI Research (CFAR), Agency for Science, Technology and Research (A*STAR), Connexis, Singapore
Title: Efficient Generation of Targeted and Transferable Adversarial Examples for Vision-Language Models via Diffusion Models
Abstract:
Adversarial attacks, particularly targeted transfer-based attacks, can be used to assess the adversarial robustness of large visual-language models (VLMs), allowing for a more thorough examination of potential security flaws before deployment. However, previous transfer-based adversarial attacks incur high costs due to high iteration counts and complex method structures. Furthermore, due to the unnaturalness of adversarial semantics, the generated adversarial examples have low transferability. These issues limit the utility of existing methods for assessing robustness. To address these issues, we propose AdvDiffVLM, which uses diffusion models to generate natural, unrestricted and targeted adversarial examples via score matching. Specifically, AdvDiffVLM uses Adaptive Ensemble Gradient Estimation (AEGE) to modify the score during the diffusion model’s reverse generation process, ensuring that the produced adversarial examples have natural adversarial targeted semantics, which improves their transferability. Simultaneously, to improve the quality of adversarial examples, we use the GradCAM-guided Mask Generation (GCMG) to disperse adversarial semantics throughout the image rather than concentrating them in a single area. Finally, AdvDiffVLM embeds more target semantics into adversarial examples after multiple iterations. Experimental results show that our method generates adversarial examples 5x to 10x faster than state-of-the-art (SOTA) transfer-based adversarial attacks while maintaining higher-quality adversarial examples. Furthermore, compared to previous transfer-based adversarial attacks, the adversarial examples generated by our method have better transferability. Notably, AdvDiffVLM can successfully attack a variety of commercial VLMs in a black-box environment, including GPT-4V. The code is available at https://github.com/gq-max/AdvDiffVLM
PaperID: 838,   
Authors:  Manlin Wang, Yao Yao, Haiyang Ding, Shihai Shao, Bin Xia, Jiangzhou Wang
Affiliations: Department of Electronic Engineering, Shanghai Jiao Tong University (SJTU), Shanghai, China; School of Information and Communications, National University of Defense Technology, Wuhan, China; National Key Laboratory of Science and Technology on Communications, University of Electronic Science and Technology of China, Chengdu, China; School of Engineering, University of Kent, Canterbury, U.K.
Title: Angle and Distance Discrimination by Utilizing Frequency Conversion Capability of STC-IRS for Covert Communications
Abstract:
Covert communication is an important approach to ensure information security by hiding the transmission behavior. Space-domain-coding intelligent reflecting surface (SDC-IRS) can adjust the phase of the reflection signal for passive beamforming in angle domains, which is widely employed in covert communications. However, the gains by SDC-IRS vanish when the warder is proximal to the receiver in angle domains. To overcome this limitation, in this paper, the space-time-coding IRS (STC-IRS) is considered, which can adjust both the phase and the frequency of the reflection signal for passive beamforming in angle-distance domains. Specifically, system performance under STC-IRS and SDC-IRS is compared, revealing the essence that angle and distance discrimination for the receiver is achieved with STC-IRS. Further, to fully exploit STC-IRS, optimization problems are formulated to maximize the covert rate in both line-of-sight scenarios and Rician fading scenarios. To solve the above problems, penalty-based algorithms are proposed where the transmit power, the phase shift and the frequency shift at STC-IRS are optimized jointly with majorization-minimization and block successive upper bound minimization techniques. Considering more general and adverse cases, the proposed algorithms are also extended to the scenario with multiple warders. Simulation results demonstrate the superiority of the proposed scheme compared with other benchmarks. Especially, when the warder and the receiver overlap in angle domains, covert rates with STC-IRS exceed 3 bps by distance domain discrimination, whereas covert rates with SDC-IRS are less than 0.01 bps.
PaperID: 839,   
Authors:  Yankai Rong, Guoshun Nan, Minwei Zhang, Sihan Chen, Songtao Wang, Xuefei Zhang, Nan Ma, Shixun Gong, Zhaohui Yang, Qimei Cui, Xiaofeng Tao, Tony Q. S. Quek
Affiliations: National Engineering Research Center for Mobile Network Technologies, Beijing University of Posts and Telecommunications, Beijing, China; Zhongguancun Laboratory, Beijing, China; College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou, China; Singapore University of Technology and Design, Tampines, Singapore
Title: Semantic Entropy Can Simultaneously Benefit Transmission Efficiency and Channel Security of Wireless Semantic Communications
Abstract:
Recently proliferated deep learning-based semantic communications (DLSC) focus on how transmitted symbols efficiently convey a desired meaning to the destination. However, the sensitivity of neural models and the openness of wireless channels cause the DLSC system to be extremely fragile to various malicious attacks. This inspires us to ask a question: “Can we further exploit the advantages of transmission efficiency in wireless semantic communications while also alleviating its security disadvantages?” Keeping this in mind, we propose SemEntropy, a novel method that answers the above question by exploring the semantics of data for both adaptive transmission and physical layer encryption. Specifically, we first introduce semantic entropy, which indicates the expectation of various semantic scores regarding the transmission goal of the DLSC. Equipped with such semantic entropy, we can dynamically assign informative semantics to Orthogonal Frequency Division Multiplexing (OFDM) subcarriers with better channel conditions in a fine-grained manner. We also use the entropy to guide semantic key generation to safeguard communications over open wireless channels. By doing so, both transmission efficiency and channel security can be simultaneously improved. Extensive experiments over various benchmarks show the effectiveness of the proposed SemEntropy. We discuss the reason why our proposed method benefits secure transmission of DLSC, and also give some interesting findings, e.g., SemEntropy can keep the semantic accuracy at 95% with 60% less transmission.
PaperID: 840,   
Authors:  Huafeng Li, Yaoxin Liu, Yafei Zhang, Jinxing Li, Zhengtao Yu
Affiliations: Faculty of Information Engineering and Automation, Kunming University of Science and Technology, Kunming, China; Harbin Institute of Technology, Shenzhen, China
Title: Breaking the Paired Sample Barrier in Person Re-Identification: Leveraging Unpaired Samples for Domain Generalization
Abstract:
Domain generalization (DG) for person re-identification (Re-ID) aims to train models on labeled source domains that generalize well to unseen target domains. However, DG for Re-ID faces a major challenge: existing methods rely solely on labeled paired samples to train DG models and are unable to effectively leverage unpaired samples across cameras. In many cases, cross-camera paired samples are extremely scarce and difficult to annotate. To overcome this limitation, we introduce a novel method specifically tailored for Re-ID. This method leverages cross-camera unpaired samples in model training, thereby reducing the dependence on cross-camera paired samples. We refer to this technique as Unpaired-driven DG (U-DG) person Re-ID. The proposed method leverages a robust image encoder to extract identity-consistent features across various camera views. This capability is further enhanced by integrating a multi-camera person identity classifier, which boosts the encoder’s ability to capture consistent identities, even when viewed from different camera perspectives. To address the scarcity of cross-camera paired samples, we devise a unique model training strategy in our method. Specifically, we use the feature vector from the person identity classifier as a single identity prototype. This prototype serves as a reference for generating identity-related prompts across cameras, effectively compensating for the scarcity of cross-camera paired samples during model training. Additionally, we employ a learnable perturbation prompt to mimic appearance variations exhibited by the same individual across different cameras. Our U-DG offers numerous advantages: it can effectively leverage a large number of unpaired samples for model training, compensating for the scarcity of cross-camera paired samples. Moreover, it does not rely solely on cross-camera paired samples, thereby facilitating the construction of training samples. Experimental results on multiple challenging datasets demonstrate that our approach achieves performance comparable to typical DG person Re-ID, highlighting its feasibility and effectiveness. The source code of our method is available at https://github.com/lhf12278/DGPS.
PaperID: 841,   
Authors:  Yuanchao Chen, Yuwei Li, Yuliang Lu, Zulie Pan, Yuan Chen, Shouling Ji, Yu Chen, Yang Li, Yi Shen
Affiliations: College of Electronic Engineering, National University of Defense Technology, Hefei, China; College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Title: Understanding the Security Risks of Websites Using Cloud Storage for Direct User File Uploads
Abstract:
With the rising demand for website data storage, leveraging cloud storage services for vast user file storage has become prevalent. Nowadays, a new file upload scenario has been introduced, allowing web users to upload files directly to the cloud storage service. This new scenario offers convenience but involves more roles (i.e., web users, web servers, and cloud storage services) and their interactions, bringing new security threats. In this paper, we perform the first systematic security study in this scenario. With in-depth analysis, we identify six new types of vulnerabilities and conduct large-scale real-world measurements on the top 500 Alexa Rank websites. Among these websites, 182 (36.4%) use cloud storage services, illustrating the widespread use of the cloud. Then, we perform a detailed analysis of 28 popular websites that allow user upload. Surprisingly, they all have at least one of the six vulnerabilities. In total, we discover 79 new vulnerabilities and responsibly report them to the websites. Many popular websites respond positively, including Google, Reddit, and CSDN. We discuss the root causes of these vulnerabilities and propose possible mitigation methods. In summary, our work offers significant value in understanding the security risks of cloud storage services for websites and facilitating future research.
PaperID: 842,   
Authors:  Yansen Xin, Hui Ma, Rui Zhang
Affiliations: State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Title: Hodor: Robust Fine-Grained Information Flow Control With Full Data Traffic Protection for Cloud-Edge Computing
Abstract:
Cloud-edge computing has been widely adopted for large-scale data sharing and processing. In practical data sharing systems, data are very sensitive and typically encrypted, such as health records. Unauthorized users may attempt to decrypt ciphertexts to recover the data. Due to mistakes or malice, some users might try to share sensitive information with others who do not have access. Clearly, strong access control should be employed to restrict the read and write privileges of users. There is a rich literature on mandatory fine-grained information flow control for such scenarios, but three important issues remain. First, payload privacy was often neglected. Most of the known solutions focused on protecting the ciphertext header, but ignored the payload, i.e. the encrypted data, which may leak information by a malicious sender. Second, there is no guarantee on the encrypted data. Ill-formed ciphertexts, e.g. encrypted garbage data, can pass the global policy check, causing decryption failures or disseminating bad information, hence are incapable of content distribution. Finally, the heavy computation cost of sender authentication impedes the practical deployment. In this work, we introduce Hodor, a robust fine-grained information flow control scheme that not only guards the transmission channel with mandatory fine-grained access control for massive data, but also protects the whole data traffic, checks ciphertext well-formedness, and efficiently authenticates the sender. In particular, Hodor considers full data traffic protection of both the ciphertext header and the encrypted payload to resist information leakage, completely verifies the consistency between the claimed access structure and the actual access structure, and achieves efficient sender authentication with a succinct challenge-response protocol. We present a formal model and give detailed proofs. We also implement and evaluate Hodor using various optimization techniques to boost its performance. The results demonstrate the efficiency and practicality of Hodor for cloud-edge data sharing.
PaperID: 843,   
Authors:  Haoran Zha, Hanhong Wang, Yu Wang, Zhi Sun, Guan Gui, Yun Lin
Affiliations: College of Information and Communication Engineering, Harbin Engineering University, Harbin, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China; Department of Electronic Engineering, Tsinghua University, Beijing, China
Title: Enhancing Security in 5G NR With Channel-Robust RF Fingerprinting Leveraging SRS for Cross-Domain Stability
Abstract:
Radio Frequency Fingerprinting (RFF) has emerged as a vital technique for enhancing Physical Layer Authentication (PLA) in New Radio (NR) networks. Unlike cryptographic methods, RFF leverages device-specific signal impairments to uniquely identify transmitters. Deep Learning (DL) advances have improved PLA, though challenges persist due to communication channel dynamics and device state changes. In this study, we propose a novel framework that integrates 5G NR protocol-specific structures and channel knowledge via SRS-based CSI to generate relative RFF features. Through a tailored frame design and carefully engineered processing pipeline, we achieve cross-domain stability and improved robustness against time-varying conditions. By applying regularization techniques (e.g., mixup) during training, our method further mitigates model overfitting and domain bias. Simulation and real-world SDR experiments, using data from 9 ADALM-PLUTO devices, validate the approach’s effectiveness. The proposed system attains recognition accuracies of 99.878%, 93.376%, 86.325%, and 66.558% in intra-domain, cross-channel, cross-time, and cross-scenario tests, respectively, highlighting its potential to substantially enhance physical layer security in NR-based networks.
PaperID: 844,   
Authors:  Xiaoyu Shen, Tao Zhang, Hao Wu, Xiaoqiang Qiao, Yihang Du, Guan Gui
Affiliations: School of Electronic and Information Engineering, Nanjing University of Information Science and Technology, Nanjing, China; Sixty-Third Research Institute, National University of Defense Technology, Nanjing, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: An Adaptive Domain-Incremental Framework With Knowledge Replay and Domain Alignment for Specific Emitter Identification
Abstract:
Specific Emitter Identification (SEI) is crucial for ensuring the security of physical layer communication. However, signal characteristics can be affected by various factors such as environmental and equipment variations. An effective SEI system must continuously learn and adapt to these changes to maintain accurate signal recognition. This study proposes an advanced domain incremental learning (DIL) framework for SEI, named Adaptive Domain-Incremental Learning with Knowledge Replay and Domain Alignment (ADIRA). ADIRA employs knowledge replay and distillation strategies, along with adaptive coefficients, to balance the model’s performance in recognizing signals across both new and old domains. To address the variations in signal data feature distributions across different domains, we introduce a domain alignment strategy based on adversarial training. This approach integrates embedding distillation loss with supervised contrastive loss, significantly enhancing the model’s adaptability to domain changes. Experimental results on two benchmark datasets demonstrate that ADIRA achieves performance only 0.42% and 1.71% lower than joint training, with replay samples constituting just 1.1% and 1.5% of the training set, effectively mitigating catastrophic forgetting.
PaperID: 845,   
Authors:  Norrathep Rattanavipanon, Ivan De Oliveira Nunes
Affiliations: College of Computing, Prince of Songkla University, Phuket, Thailand; SPINS Group, Department of Informatics, University of Zürich, Zürich, Switzerland
Title: SLAPP: Poisoning Prevention in Federated Learning and Differential Privacy via Stateful Proofs of Execution
Abstract:
The rise of IoT-driven distributed data analytics, coupled with increasing privacy concerns, has led to a demand for effective privacy-preserving and federated data collection/model training mechanisms. In response, approaches such as Federated Learning (FL) and Local Differential Privacy (LDP) have been proposed and attracted much attention over the past few years. However, they still share the common limitation of being vulnerable to poisoning attacks wherein adversaries compromising edge devices feed forged (a.k.a. “poisoned”) data to aggregation back-ends, undermining the integrity of FL/LDP results. In this work, we propose a system-level approach to remedy this issue based on a novel security notion of Proofs of Stateful Execution (PoSX) for IoT/embedded devices’ software. To realize the PoSX concept, we design SLAPP: a System-Level Approach for Poisoning Prevention. SLAPP leverages commodity security features of embedded devices – in particular ARM TrustZone-M security extensions – to verifiably bind raw sensed data to their correct usage as part of FL/LDP edge device routines. As a consequence, it offers robust security guarantees against poisoning. Our evaluation, based on real-world prototypes featuring multiple cryptographic primitives and data collection schemes, showcases SLAPP’s security and low overhead.
PaperID: 846,   
Authors:  Meng Pang, Wenjun Zhang, Yang Lu, Yiu-ming Cheung, Nanrun Zhou
Affiliations: School of Mathematics and Computer Sciences, Nanchang University, Nanchang, China; Department of Computer Science and Technology, School of Informatics, Xiamen University, Xiamen, China; Department of Computer Science, Hong Kong Baptist University, Hong Kong, SAR, China
Title: A Unified Multi-Domain Face Normalization Framework for Cross-Domain Prototype Learning and Heterogeneous Face Recognition
Abstract:
Face normalization is a critical technique for improving the robustness and generalizability of face recognition systems by reducing intra-personal variations arising from expressions, poses, occlusions, illuminations, and domain shifts. Existing normalization methods, however, often lack the flexibility to handle multi-factorial variations and exhibit limited cross-domain adaptability. To address these challenges, we propose a Unified Multi-Domain Face Normalization Network (UMFN), which is designed to process facial images with diverse variations from various domains and reconstruct frontal, neutralized facial prototypes in the target domain. As an unsupervised domain adaptation model, the UMFN facilitates concurrent training across multiple cross-domain datasets and demonstrates robust prototype reconstruction capabilities. Notably, the UMFN functions as a joint prototype and feature learning framework, extracting domain-agnostic identity features through a decoupling mapping network and adversarial training with a feature domain classifier. Furthermore, we design an efficient Heterogeneous Face Recognition (HFR) network that integrates these domain-agnostic features and the identity-discriminative features extracted from normalized prototypes, enhanced by contrastive learning to improve identity recognition accuracy. Empirical evaluation on multiple cross-domain benchmark datasets validates the effectiveness of the UMFN for face normalization and the superiority of the HFR network for heterogeneous face recognition.
PaperID: 847,   
Authors:  Nahuel González, Giuseppe Stragapede, Rubén Vera-Rodríguez, Ruben Tolosana
Affiliations: Faculty of Engineering, Laboratorio de Sistemas de Informacion Avanzados (LSIA), University of Buenos Aires, Buenos Aires, Argentina; Biometrics and Data Pattern Analytics (BiDA) Laboratory, Universidad Autonoma de Madrid, Madrid, Spain
Title: Type2Branch: Keystroke Biometrics Based on a Dual-Branch Architecture With Attention Mechanisms and Set2set Loss
Abstract:
In 2021, the pioneering work TypeNet showed that keystroke dynamics verification could scale to hundreds of thousands of users with minimal performance degradation. Recently, the KVC-onGoing competition (https://sites.google.com/view/bida-kvc/) has provided an open and robust experimental protocol for evaluating keystroke dynamics verification systems of such scale. This article describes Type2Branch, the model and techniques that achieved the lowest error rates at the KVC-onGoing, in both desktop and mobile typing scenarios. The novel aspects of the proposed Type2Branch include: i) synthesized timing features emphasizing user behavior deviation from the general population, ii) a dual-branch architecture combining recurrent and convolutional paths with various attention mechanisms, iii) a new loss function named Set2set that captures the global structure of the embedding space, and iv) a training curriculum of increasing difficulty. Considering five enrollment samples per subject of approximately 50 characters typed, the proposed Type2Branch achieves state-of-the-art performance with mean per-subject Equal Error Rates (EERs) of 0.77% and 1.03% on evaluation sets of respectively 15,000 and 5,000 subjects for desktop and mobile scenarios. With a fixed global threshold for all subjects, the EERs are respectively 3.25% and 3.61% for desktop and mobile scenarios, outperforming previous approaches by a significant margin. The source code for dataset generation, model, and training process is publicly available at https://github.com/lsia/tifs-type2branch
PaperID: 848,   
Authors:  Yeshanew Ale Wubet, Kuang-Yow Lian
Affiliations: Department of Electrical Engineering, National Taipei University of Technology, Taipei, Taiwan
Title: Speaker Anonymization for Voice Biometrics Protection Using Voice Conversion and Multi-Target Speaker Voice Fusion
Abstract:
Nowadays, artificial intelligence (AI)-based voice conversion (VC) models generate high-quality and natural-sounding voices efficiently. While existing studies have focused on detecting voice spoofing attacks, this study explores a proactive approach to safeguard speaker identity from such threats. Attackers can exploit voice biometrics by using either advanced VC techniques or traditional methods. Although zero-shot VC has been applied for source speaker anonymization, it typically fails to protect the identity of the target speaker. To address this gap, we propose a speaker privacy preservation framework that combines zero-shot AutoVC with a multi-target voice frame fusion technique. This method anonymizes the source speaker while also preventing leakage of the target speaker’s identity by blending voice frames from multiple targets. The VCTK public dataset is employed to assess the performance of the proposed model. The average cosine similarity between the original and anonymized voices yielded a result closer to the inter-speaker voice cosine similarity, which is the most suitable benchmark for speaker anonymization. Additionally, speaker identification models trained on original and vocoded data yielded low identification accuracies of 27.4% and 41.2%, respectively. The mean opinion score (MOS) evaluation confirmed that the anonymized voice quality adeptly preserved linguistic content and naturalness. Overall, the proposed method effectively anonymizes both source and target speakers, offering robust protection against voiceprint spoofing.
PaperID: 849,   
Authors:  Soroush Oshnoei, Jalal Heidari, Esmaeil Mahboubi Moghaddam, Meysam Gheisarnejad, Mohammad Hassan Khooban
Affiliations: Department of Electrical and Computer Engineering, Aarhus University, Aarhus, Denmark; Department of Electromechanical, Systems and Metal Engineering, Ghent University, Ghent, Belgium; Department of Electrical Engineering, Faculty of Electrical and Computer Engineering, Quchan University of Technology, Quchan, Iran; Department of Ecole de Technologie Superieure, University of Quebec, Montreal, QC, Canada
Title: Identification and Mitigation of Data Integrity Stealth Attacks in Frequency Regulation of Power Systems
Abstract:
Load frequency control (LFC) application in power systems has an essential role in improving the system’s stability. However, the presence of the automatic generation control service incorporated into the LFC application, being a system dependent on communication networks, makes the LFC system susceptible to cyber threats. Falsifying measurement and control signals through communication networks, known as data integrity attacks (DIAs), can severely affect the system’s dynamic performance. This paper studies the frequency regulation issue of an interconnected power system under stealth DIAs. Accordingly, a novel identification scheme consisting of the dynamic multiplicative watermarking technique, an estimator, an anomaly detector, and a trigger mechanism is introduced to identify the DIAs. The watermarking concept is the intentional overlay of a watermark signal onto the source signal transmitted through the communication network. Achieving this requires using a specific watermarking filter, and the result is that operators gain greater flexibility in regulating the transmitted signals, which in turn provides improved signal integrity. In the proposed identification scheme, there is a multiplicative superimposition, where the watermark equalizing filter on the opposite end of the network can cancel out the impact of the watermarking, leading to the retrieval of the original signal. After identifying the attack, the proposed trigger mechanism blocks the manipulated ACE signal and submits the estimated ACE signal to the secondary controller. A model-free sliding mode control method is also implemented as the secondary frequency controller to regulate the system’s frequency under DIAs, load disturbances, and physical limitations. The Speedgoat-based real-time simulation results reveal that the developed defense method can identify stealth DIAs in a timely manner and significantly improve the system’s dynamic responses compared to the other techniques under these attacks.
PaperID: 850,   
Authors:  Azadeh Pourkabirian, Wei Ni, Xiaolin Zhou, Kai Li, Mohammad Hossein Anisi
Affiliations: Real-Time and Embedded Computing Systems Research Centre (CISTER), Porto, Portugal; Data, CSIRO, Sydney, NSW, Australia; School of Information Science and Technology, Fudan University, Shanghai, China; School of Computer Science and Electronic Engineering, University of Essex, Colchester, U.K.
Title: A Precoding Perturbation Method in Geometric Optimization: Exploring Manifold Structure for Privacy and Efficiency
Abstract:
Inherent broadcast characteristics can raise privacy risks of wireless networks. The specifics of antenna ports, antenna types, orientation, and beamforming configurations of a transmitter can be susceptible to manipulation by any device within range when the signal is transmitted wirelessly. Personal and location information of users connected to the transmitter can be intercepted and exploited by malicious actors to track user movements and profile behaviors or launch targeted attacks, thus compromising user privacy and security. In this paper, we propose a novel precoding perturbation approach for privacy preservation in wireless communications. Our approach perturbs the precoding matrix of the transmitter using a Riemannian manifold (RM) structure that adaptively adjusts the magnitude and direction of perturbation based on the geometric properties of the manifold. The approach ensures robust privacy protection while minimizing the distortion of the transmitted signals, thus balancing privacy preservation and data utility. Privacy can be preserved without relying on additional cryptographic mechanisms, reducing computational and communication overhead. Our approach operates directly on the transmission of signals, making them inherently secure against eavesdropping and interception. Simulation results underscore the superiority of the approach, showing a 17.21% improvement in privacy preservation while effectively maintaining data utility.
PaperID: 851,   
Authors:  Renshuai Tao, Chuangchuang Tan, Huan Liu, Jiakai Wang, Haotong Qin, Yakun Chang, Wei Wang, Rongrong Ni, Yao Zhao
Affiliations: Institute of Information Science, Beijing Jiaotong University, Beijing, China; Zhongguancun Laboratory, Beijing, China; Center for Project-Based Learning (PBL), ETH Zürich, Zürich, Switzerland
Title: SAGNet: Decoupling Semantic-Agnostic Artifacts From Limited Training Data for Robust Generalization in Deepfake Detection
Abstract:
Deepfake detection presents a significant challenge, particularly when the available training data is constrained to a limited set of semantic categories—a common and realistic scenario. In deepfake detection, the training labels typically indicate whether an image is real or fake, without specifying the semantic content, such as object classes. Moreover, we cannot know in advance the object categories present in an image to be detected. Ideally, a deepfake detection model should perform consistently across different semantic categories during inference, irrespective of the content. However, existing methods often exhibit significant performance bias between seen and unseen classes, struggling to generalize effectively. To address this issue, we propose Semantic-AGnostic artifact Network (SAGNet), an innovative and efficient approach designed to decouple semantic-agnostic artifacts from content-specific distributions in the training data. Our method eliminates semantic-specific biases, ensuring that the model focuses on universal artifacts related to image authenticity rather than content-dependent features. By employing this decoupling strategy, SAGNet greatly enhances the model’s generalization capacity, even when trained on limited data. Remarkably, through experiments, we demonstrate that SAGNet achieves performance comparable to models trained with 10 times more data, despite being trained on only 2 classes (comparing SAGNet trained on 2 classes with Ojha et al. (2023) trained on 20 categories). Furthermore, through extensive experiments, we show that SAGNet’s improvements are not only evident across different semantic categories but also extend to various generative methods, including multiple GAN-based and diffusion-based models. This cross-method generalization emphasizes SAGNet’s versatility and effectiveness in diverse generative scenarios. 
Overall, our method represents a significant advancement in deepfake detection, particularly in realistic situations where the training data is limited. The code is released at https://github.com/rstao-bjtu/SAGNet/
PaperID: 852,   
Authors:  Guo-Qiang Zeng, Jun-Min Shao, Kang-Di Lu, Guang-Gang Geng, Jian Weng
Affiliations: College of Cyber Security and the National Joint Engineering Research Center of Network Security Detection and Protection Technology, Jinan University, Guangzhou, China; College of Information Science and Technology, Donghua University, Shanghai, China
Title: MoCC-BD-FID: Multi-Objective Clustering Combination-Based Backdoor Defense for Federated Intrusion Detection of Industrial Control Systems
Abstract:
Deep learning and federated learning (FL) play a crucial role in ensuring the security of industrial control systems (ICSs), but they also face severe security threats, especially the threat of backdoor attacks. Most FL backdoor defense methods primarily focus on a single clustering strategy, resulting in low true positive rates (TPR) and true negative rates (TNR) in the attack classification task. Due to the excessive number of combination schemes of currently available clustering strategies, it is difficult to manually select an appropriate combination scheme of clustering strategies to defend against backdoor attacks in federated ICSs. This work is the first to automatically design a multi-objective clustering combination-based backdoor defense for federated intrusion detection in ICSs, called MoCC-BD-FID. The automated design issue of clustering strategy combination for backdoor defense is formulated as a mixed-variable multi-objective optimization problem, which considers both combinatorial variables, i.e., the combination length and the specific combination of clustering strategies, and continuous variables, i.e., the confidence levels of each combined clustering, as the decision variables, and considers maximization of both TPR and TNR as the two objectives. To describe and evolve the different combinations of 12 clustering strategies with confidence levels, we develop an efficient mixed and variable-length encoding mechanism, and the specifically tailored crossover operation and mutation operation under the framework of nondominated sorting genetic algorithm II. The experiments are conducted on three widely-used ICS datasets, including the Secure Water Treatment, Water Distribution, and Power System Attack datasets, under two different backdoor attacks.
The experimental results demonstrate that MoCC-BD-FID outperforms the single clustering strategy-based backdoor defense methods and five existing backdoor defense methods, i.e., Krum, Weak-DP, FoolsGold, DeepSight, and CrowdGuard, in terms of the classification accuracy of the poisoned model on regular samples and backdoor samples, TPR, and TNR.
PaperID: 853,   
Authors:  Honggang Liu, Han Yang, Dongjun Liu, Hangjie Yi, Bingfeng He, Yong Peng, Wanzeng Kong
Affiliations: School of Computer Science, Hangzhou Dianzi University, Hangzhou, Zhejiang, China
Title: DARN: A Dual Attention Refinement Network for Enhancing Feature Robustness in VEP-Based EEG Biometrics
Abstract:
Visual evoked potential (VEP)-based EEG biometrics provide a secure, spoof-resistant approach for identification and authentication; however, cross-session variability, driven by temporal fluctuations in neural responses, often undermines feature stability and degrades performance. To tackle this, we propose the Dual Attention Refinement Network (DARN), a novel method that enhances the spatiotemporal consistency of EEG representations without requiring frequent retraining. DARN combines a lightweight CNN backbone with two complementary attention modules: the Spatial Feature Refinement Unit (SFRU), which prioritizes consistent spatial patterns, and the Inter-channel Refinement Unit (ICRU), which captures stable inter-channel dependencies, jointly refining the spatial and channel dimensions of extracted EEG feature maps. Evaluated on two public multi-session VEP datasets with 30 and 54 subjects, with sample durations of 6 seconds for the 30-class dataset and 4 seconds for the 54-class dataset, DARN surpasses state-of-the-art baselines, achieving identification accuracies of 93.83% (30 classes) and 84.55% (54 classes), and authentication equal error rates of 3.05% and 3.85%, respectively. Moreover, our analysis highlights the pivotal role of visual stimulus diversity in improving cross-session generalization, offering practical insights for designing robust VEP-based biometric systems. The source code is available at https://github.com/Ultramua/DARN.
PaperID: 854,   
Authors:  Xintao Huan, Wen Chen, Yixuan Zou, Shengkang Zhang, Han Hu, Alan Marshall
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Electronic Engineering and Computer Science, Queen Mary University of London, London, U.K.; Beijing Institute of Radio Metrology and Measurement, Beijing, China; School of Information and Electronics, Beijing Institute of Technology, Beijing, China; Department of Electrical Engineering and Electronics, University of Liverpool, Liverpool, U.K.
Title: SNICK: Secure Node Identification Based on Covert Clock Feature Extraction for Cross-Environment Wireless IoT
Abstract:
Node identification is the first line of defense for the security of wireless Internet-of-Things (IoT), which prevents illegal devices from accessing the network and launching attacks. Hardware features originating from innate hardware manufacturing imperfections are considered promising fingerprints for identification; among which, the hardware clock feature has been put under the spotlight due to its practicality and ease of extraction. However, current extractions of hardware clock features over wireless networks rely on the transmissions of time information, which, per se, enable significant vulnerabilities such as spoofing and replay attacks. In this paper, we propose a covert method to extract the hardware clock features, which does not rely on the insecure time information transmissions that are adopted in most existing schemes. We also analyze the security of the proposed covert extraction. We further propose SNICK, a secure node identification scheme based on our tailored implementation of covert clock feature extraction and machine learning. We implement and evaluate the proposed approach on a real IoT testbed consisting of a Long Range (LoRa) gateway and heterogeneous end nodes. We conduct experiments to prove the security of the proposed scheme and evaluate the proposed scheme under three scenarios: short-term, long-term, and cross-environment. Experimental results of three scenarios demonstrate average identification accuracies of 98.53%, 85.9%, and 88.3%. We further reveal the identification performance under parameter and environmental variations.
PaperID: 855,   
Authors:  Xiaoli Chen, Songlin Hu, Wei Zhang, Xiangpeng Xie, Dong Yue
Affiliations: School of Computer and Artificial Intelligence, Nanjing University of Finance and Economics, Nanjing, China; Institute of Advanced Technology for Carbon Neutrality, Nanjing University of Posts and Telecommunications, Nanjing, China; College of Automation and the College of Artificial Intelligence, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: DoS-Resilient Time Varying Estimators and Controllers Co-Design for NCSs Under Sensor and Actuator Attacks
Abstract:
This paper proposes a novel co-design method of denial-of-service (DoS) attack-resilient time-varying estimators/observers and controllers aimed at addressing these challenges in discrete-time linear networked control systems (NCSs) under sensor and actuator false data injection (FDI) attacks. Our time-varying estimators are uniquely equipped to perform a joint estimation of the system state and the sensor and actuator attack signals despite the presence of intermittent DoS attacks. The main features of the developed time-varying observers are twofold: firstly, they involve time-varying gains corresponding to the DoS attack off/on transitions, and secondly, they entail augmenting the estimations of sensor and actuator FDI attacks within the piecewise observer error dynamics, thus providing a comprehensive and rigorous estimation and control methodology. By introducing the concepts of minimum and maximum sleeping/active durations of DoS attacks, a new time-varying DoS attack instant-dependent piecewise Lyapunov function approach is proposed to analyze the H_\infty stability of the augmented estimation error system and closed-loop control system under sensor and actuator FDI attacks. Based on the obtained H_\infty stability analysis results, time-varying gains of state and attack observers are formulated to construct the DoS-resilient observers. Besides, the time-varying feedback gains are also obtained to construct the DoS-resilient controllers by attack compensation based on the actuator FDI attack estimations of the time-varying observers, thus achieving the mitigation of sensor and actuator FDI attacks. Case studies are performed on a three-area interconnected power system under DoS and FDI attacks to validate the effectiveness and advantages of the developed theoretical findings.
PaperID: 856,   
Authors:  Yuanyuan Wang, Youwen Zhu, Shaowei Wang, Qiao Xue, Jian Wang
Affiliations: School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; Institute of Artificial Intelligence, Guangzhou University, Guangzhou, China
Title: GFD: An Effective Defense Against Targeted Poisoning Attacks for Local Differential Privacy Frequency Estimation
Abstract:
Local Differential Privacy (LDP) enables an untrusted server to collect and analyze sensitive data while preserving user privacy. Recent studies reveal that LDP protocols are vulnerable to poisoning attacks, in which an adversary can manipulate aggregated frequencies by controlling malicious users to send forged data to the server. Some countermeasures have been proposed to mitigate poisoning attacks, but they have limitations: 1) requiring prior knowledge of the attack type; 2) exhibiting poor resistance to the adaptive maximal gain attack, i.e., MGA-A. To address the two limitations, in this paper, we propose a novel detection scheme named Group Filter Detection (GFD) to defend against poisoning attacks on LDP frequency estimation. GFD is a universal defense scheme, which can be applied to any LDP frequency estimation protocol without prior knowledge of attack types, and exhibits high robustness against various poisoning attacks. GFD first identifies the adversary’s target itemset and then filters the suspicious perturbed data (from malicious users). In this way, GFD can exclude malicious data with high confidence, thereby improving the accuracy of LDP frequency estimation. Compared with the existing solutions, experimental results demonstrate the highest effectiveness of GFD.
PaperID: 857,   
Authors:  Cong Wu, Jing Chen, Jiahong Li, Jiahua Xu, Ju Jia, Yutao Hu, Yebo Feng, Yang Liu, Yang Xiang
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Centre for Blockchain Technologies, University College London, London, U.K.; School of Cyber Science and Engineering, Southeast University, Nanjing, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; Digital Research, Swinburne University of Technology, Melbourne, VIC, Australia
Title: Profit or Deceit? Mitigating Pump and Dump in DeFi via Graph and Contrastive Learning
Abstract:
Pump-and-Dump (PD) schemes pose a significant threat to the stability and fairness of Decentralized Finance (DeFi) markets, often resulting in substantial financial losses for investors. The early and accurate detection of these schemes is crucial for preserving trust in the rapidly expanding cryptocurrency ecosystem. However, existing detection methods primarily rely on post-event analysis and heuristic-based approaches, which are often inadequate for real-time and precise identification of PD activities. In this paper, we present PumpWatcher, an innovative framework that employs Graph Neural Networks (GNNs) and contrastive learning to detect PD schemes by modeling transaction behaviors within temporal graphs. PumpWatcher integrates advanced transaction graph construction, temporal GNNs, and contrastive learning techniques to enhance node and edge representations, thereby improving the detection of intricate and covert PD operations. We validate PumpWatcher on a dataset from Uniswap, encompassing 924,508 transactions across 858 tokens within December 2022. The results show that PumpWatcher outperforms state-of-the-art models, achieving a superior balanced accuracy of 92.3%, while significantly minimizing false positives and negatives. These outcomes highlight its potential to set a new standard in real-time detection of market manipulation, paving the way for more secure and resilient DeFi ecosystems.
PaperID: 858,   
Authors:  Jianshu Zhang, Xiaofu Wu
Affiliations: School of Computer Engineering, Nanjing Institute of Technology, Nanjing, China; National Engineering Research Center of Communications and Networking, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Cooperative Jamming Over DRL-Based Frequency Hopping Wireless Communications: A One-Leader Multi-Follower Stackelberg Game Approach
Abstract:
In wireless communications, traditional malicious jamming attacks that employ a single jammer and focus on a single domain are becoming increasingly ineffective due to the rapid advancements in learning-based anti-jamming technology. To address these issues, this paper proposes a novel multi-domain cooperative jamming method for DRL-based anti-jamming frequency hopping (FH) communications. At the jamming side, intelligent multi-domain attacks could be effectively implemented by coordinating the adjustment of frequency and power parameters among multiple jammers to disrupt the legitimate user’s communication. In this context, the interaction between the legitimate user and multiple cooperative jammers is modeled as a One-Leader Multi-Follower (OLMF) Stackelberg game, where the efficient jamming resource allocation problem among the cooperative jammers is formulated as a potential game. Then, the existence of Nash equilibrium for the potential game is demonstrated, which further ensures the Stackelberg equilibrium for the OLMF Stackelberg game. Additionally, a hierarchical deep reinforcement learning (HDRL) method is introduced to approach the final equilibrium for the cooperative jammers with a high-dimensional action space. Simulation results demonstrate that when facing DRL-based anti-jamming agents, the proposed multi-domain cooperative jamming approach achieves a jamming success rate that is 35% higher than traditional jamming, 20% higher than reactive jamming, and 15% higher than DRL-based non-cooperative jamming. Even when the legitimate user employs the opponent modeling based dynamic best response anti-jamming strategy, our method still converges to the Stackelberg equilibrium and achieves a 10% jamming performance gain compared to the multi-tone intelligent jamming method and the non-cooperative jamming method.
PaperID: 859,   
Authors:  Jingxin Mao, Zhiwei Wei, Bing Li, Rongqing Zhang, Lingyang Song
Affiliations: Thrust of Intelligent Transportation, The Hong Kong University of Science and Technology (Guangzhou), Guangzhou, China; Shanghai Research Institute for Intelligent Autonomous Systems, Tongji University, Shanghai, China; School of Computer Science and Technology, Tongji University, Shanghai, China; School of Electronics, Peking University, Beijing, China
Title: FedIn-NID: A Federated Learning Framework for Network Intrusion Detection in Large-Scale Heterogeneous Industrial IoT
Abstract:
The evolving Industrial Internet of Things (IIoT) is shifting towards decentralized collaborative manufacturing, posing heightened network security issues within interconnected value chains, thus requiring advanced Network Intrusion Detection (NID) systems to identify potential threats. In this context, traditional centralized NID systems are insufficient due to cross-industrial privacy concerns and interconnected security threats. Federated Learning (FL) has emerged as a promising solution to enable the sharing of security insights without compromising privacy across participants. However, establishing an FL-based NID framework in realistic IIoT scenarios faces several hurdles, including the limited availability of large-scale devices and heterogeneous attack data distributions. The former leads to inconsistent client participation and degraded performance, while the latter hinders model convergence. To address these, we propose a novel Federated Learning-based Industrial Network Intrusion Detection (FedIn-NID) framework, incorporating a multidimensional client selection strategy and a dynamic global aggregation strategy. The selection strategy synergistically considers multidimensional factors including client availability, local dataset distribution, and dataset size. This approach accommodates clients with varying availability and avoids the selection of biased clients with data concentrated in a few categories. During model aggregation, the proposed strategy leverages the concept of the exponential moving average to dynamically balance the holistic yet slightly older knowledge in the global model with the partial but relatively newer knowledge in local models, ensuring effective aggregation and convergence of the global NID model. Experiments demonstrate that FedIn-NID outperforms baselines by 10% to 30%, showcasing remarkable robustness with increasing data distribution heterogeneity and device count.
PaperID: 860,   
Authors:  Qingxia Li, Yuchen Jiang, Ray Y. Zhong, Xiaochun Cao
Affiliations: Sun Yat-sen University, School of Cyber Science and Technology, Shenzhen Campus, Shenzhen, China; Department of Industrial and Manufacturing Systems Engineering, The University of Hong Kong, Kowloon, Hong Kong
Title: FedG3FA: Three-Stage GAN-Aided Target Feature Alignment for Secure Data Sharing in Federated Learning System
Abstract:
Federated learning (FL) allows distributed clients to train models collaboratively without sharing the original data. However, exchanging private model updates often makes traditional FL systems susceptible to the privacy leakage problem. In addition, the performance of existing FL methods is often limited by the statistical heterogeneity problem. In order to solve both the privacy leakage and statistical heterogeneity problems, we propose a three-stage targeted feature alignment FL framework named FedG3FA. In the first stage, each client trains a generator through generative adversarial training, and the generator is utilized for data interaction instead of the private model. After that, in the second stage, the generators are aligned by our proposed Domain Pulling Network and then aggregated into a global one. Finally, in the third stage, the global generator is used to train the private model for each client. The effectiveness of our method is verified on medical care and computer vision scenarios including five datasets. The experimental results suggest that our method not only achieves a high level of privacy protection performance, but also maintains competitive classification accuracy.
PaperID: 861,   
Authors:  Kun-Zhong Miao, Chang Wang, Yifeng Niu, Hong Zhang, Huangzhi Yu
Affiliations: College of Intelligence Science and Technology, National University of Defense Technology, Changsha, Hunan, China
Title: Finite-Time Nonfragile H∞ Consensus Fuzzy Filtering for Multi-AAV Target Estimation Against Selective-Data-Based Network Attacks
Abstract:
Complex environments pose significant challenges to the consensus estimation of ground targets by multiple autonomous aerial vehicles (multi-AAVs) with limited sensing capabilities. This paper addresses the design of an H_\infty consensus fuzzy filter over a finite-time horizon, that is subject to selective network attacks and stochastic incomplete measurements. First, a novel selective-data-based (SDB) network attack model is proposed. Unlike conventional models, this model is constructed from the attacker’s perspective to mimic attacks that target high-value data, thereby maximizing its destructive potential. Second, incomplete measurements, arising from factors such as limited AAV sensing ranges and target motion, are modeled by using a set of random variables to characterize the stochastic nature of data loss. Furthermore, an H_\infty consensus fuzzy filter is developed to achieve precise consensus estimation of the target with finite-time performance, thereby forming a unified attack-defense architecture. Sufficient conditions for the existence of such a filter are established in the form of linear matrix inequalities (LMIs), from which the filter gains can be derived. Finally, the effectiveness and superiority of the proposed design are validated through both numerical simulations and physical experiments.
PaperID: 862,   
Authors:  Ying Jing, Youguo Wang, Qiqing Zhai, Zhangfei Zhou, Haojie Hou
Affiliations: School of Science, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: Diffusion Prediction and Control of Negative Information on Simplicial Complexes Using Physics-Informed Neural Networks
Abstract:
The inadequacy of traditional binary interaction networks in characterizing information flow processes within higher-order structures has driven growing research focus toward higher-order networks. Considering the reporting mechanism and the dynamics of network scale, this paper proposes a susceptible-infected-quarantine-removed-empty (SIQRE) negative information diffusion model on simplicial complexes. An optimal control strategy, taking into account the system gain, is then implemented. The existence and stability of equilibria, and the bi-stability between the invasion threshold and the persistence threshold, are derived. Experiments on synthetic and empirical simplicial complexes reveal the dynamic behavior of the system with discontinuous phase transitions, backward bifurcation and periodic oscillations. An increase in the birth rate makes the system more susceptible to outbreaks of negative information, while the opposite is true for the death rate. The reporting mechanism suppresses the discontinuous phase transition. The synergistic application of preventive and corrective strategies demonstrates superior cost-effectiveness in system control compared to their isolated implementation. Additionally, an identifiability analysis of the model is conducted. Finally, the model parameters are inversely estimated and the diffusion dynamics are predicted using physics-informed neural networks (PINNs) across three instances, and the optimal control is subsequently performed, validating the effectiveness of both the proposed model and the control strategy.
PaperID: 863,   
Authors:  Guoliang Chen, Lingyu Wang, Te Yang, Jianwei Xia, Ju H. Park
Affiliations: School of Mathematics Science, Liaocheng University, Liaocheng, Shandong, China; Department of Electrical Engineering, Yeungnam University, Gyeongsan, Republic of Korea
Title: Differentially Private Mean-Square Output Consensus for Heterogeneous Multiagent Systems: An Asynchronous Sampled-Data Interactions Scheme
Abstract:
This article investigates the problem of privacy-preserving average consensus for continuous-time heterogeneous multiagent systems with intermittent information transfer under asynchronous sampled-data interactions. To address the challenges posed by agent-specific asynchronous sampled data and time-varying communication delays, a time-translation approach incorporating a shared sampling period strategy is introduced, effectively transforming the asynchronous problem into a synchronous framework. Next, an integrated distributed hybrid controller with time-varying noise injection is designed, enabling agents to interact with sensitive information only at sampling instants, thereby preserving privacy while maintaining trajectory availability. Then, the time-varying step-size and noise parameters, which are tunable parameters of the dual control mechanism corresponding to the desired \varepsilon-differential privacy budget and system convergence accuracy, are proposed, and the trade-off between control performance and privacy preservation is thoroughly analyzed. It is shown that the proposed protocol achieves asymptotically unbiased mean-square output consensus with predefined accuracy and privacy budget. Numerical examples validate the theoretical results.
PaperID: 864,   
Authors:  Jane Downer, Ren Wang, Binghui Wang
Affiliations: Illinois Institute of Technology, Chicago, IL, USA
Title: Identifying Backdoored Graphs in Graph Neural Network Training: An Explanation-Based Approach With Novel Metrics
Abstract:
Graph Neural Networks (GNNs) have gained popularity in numerous domains, yet they are vulnerable to backdoor attacks that can compromise their performance and ethical application. The detection of these attacks is crucial for maintaining the reliability and security of GNN classification tasks, but existing methods are often inflexible, relying on single metrics that fail to capture the full range of backdoor behaviors. Recognizing the challenge in detecting such intrusions, we devised a novel detection method that creatively leverages graph-level explanations. By extracting and transforming secondary outputs from GNN explanation mechanisms, we developed seven innovative metrics for effective detection of backdoor attacks on GNNs. Additionally, we develop an adaptive attack to rigorously evaluate our approach. We test our method on multiple benchmark datasets and examine its efficacy against various attack models. Our results show that our method can achieve high detection performance, marking a significant advancement in safeguarding GNNs against backdoor attacks.
PaperID: 865,   
Authors:  Wenjie Yu, Boyang Zhou
Affiliations: Research Center for High Efficiency Computing Infrastructure, Zhejiang Lab, Hangzhou, China
Title: Using Random Forests for Efficient Identification of Decoys Under Link Flooding Attacks in SDNs
Abstract:
Software-defined networks (SDNs) face significant challenges from link flooding attacks (LFAs), where malicious bots flood towards a limited number of hidden hosts, known as decoys, at a low rate. Efficient decoy identification is crucial for mitigating LFAs and is more resource-efficient than traditional bot detection methods, given the smaller number of decoys compared to bots. This paper proposes a novel decoy identification mechanism (DIM) that utilizes the SDN controller to generate forwarding rules for critical switches, enabling them to classify and report decoy addresses effectively. DIM addresses the challenges of minimizing communication overhead between the controller and data plane while maintaining high classification accuracy. It optimizes critical switch selection by partitioning the network into smaller areas, which reduces communication costs while maximizing monitoring efficiency. Within each area, DIM pre-trains random forest (RF) models for the selected switches and generates their respective binary-encoded forwarding rules. These rules empower the switches to identify decoy addresses in LFA traffic at line speed. The identified addresses are then reported back to DIM for further analysis. Theoretical analysis demonstrates that DIM scales efficiently in terms of time and space complexity. Our evaluation with the NS-3 simulator—using real CAIDA traffic and a synthesized topology of over 30,000 nodes—shows DIM achieves 98.3% decoy identification accuracy, outperforming state-of-the-art models like LSTM and CNN in both accuracy and speed. Tests under routing changes and moving target defense scenarios confirm DIM’s robustness and adaptability, highlighting its practical effectiveness against LFAs.
PaperID: 866,   
Authors:  Dandan Mao, Ze Li, Shuangzhi Li, Wanming Hao, Ning Wang, Wei Xu
Affiliations: School of Electrical and Information Engineering, Zhengzhou University, Zhengzhou, China; State Key Laboratory of Mobile Communications, Southeast University, Nanjing, China
Title: Tensor-Based Joint Hybrid Beamforming and Artificial Noise Design for Secure mmWave MU-MIMO-OFDM Communication Systems
Abstract:
A tensor-based approach is studied to address the challenging problem of joint hybrid beamforming (HBF) design and artificial noise (AN) injection in a physical layer secure multi-user (MU) multiple-input multiple-output (MIMO) communication system in the millimeter wave (mmWave) band. Specifically, a hybrid analog-digital MIMO architecture is adopted, and orthogonal frequency-division multiplexing (OFDM) is deployed for wideband communication over frequency-selective mmWave channels. The antenna array structure and frequency selectivity of the system under investigation inherently endow it with multi-dimensional channel characteristics spanning the space, frequency, and time domains, which can be efficiently processed with tensor-based multi-dimensional signal processing techniques. The problem, based on tensor modeling of the system, is decomposed into three subproblems, namely analog beamforming, digital beamforming, and AN precoding. A low-complexity two-stage procedure is proposed to conduct analog beamforming, where a Tucker2 tensor decomposition subproblem is formulated to determine the analog combiners and part of the analog precoding matrix, and the remaining part of the precoding matrix is composed of arbitrary vectors satisfying the constant modulus constraint. The block-diagonalization algorithm is employed to design the digital beamforming and combining matrices to mitigate interference. For the AN precoding part, a statistical null-space algorithm based on higher-order singular value decomposition (HOSVD) is proposed. Multiple AN precoding matrices on all subcarriers can be obtained simultaneously, and the AN-induced interference to the potential eavesdropper is maximized statistically to improve the secrecy of the communication. 
Simulation results show that, compared with existing matrix-based AN-aided secure HBF designs in the literature, the proposed tensor-based joint HBF and AN design leveraging multi-dimensional tensor signal processing provides improved secrecy performance with moderate complexity.
PaperID: 867,   
Authors:  Guozhi Liu, Weiwei Lin, Qi Mu, Tiansheng Huang, Ruichao Mo, Yuren Tao, Li Shen
Affiliations: School of Computer Science and Engineering, South China University of Technology, Guangzhou, Guangdong, China; Reinsurance Group of America, Chesterfield, MO, USA; School of Cyber Science and Technology, Shenzhen Campus, Sun Yat-sen University, Shenzhen, China
Title: Targeted Vaccine: Safety Alignment for Large Language Models Against Harmful Fine-Tuning via Layer-Wise Perturbation
Abstract:
Harmful fine-tuning attacks pose a serious threat to online fine-tuning services. Vaccine, a recent alignment-stage defense, applies uniform perturbation to all layers of embedding to make the model robust to the simulated embedding drift. However, applying layer-wise uniform perturbation may lead to excess perturbations for some particular non-safety-critical layers, resulting in defense performance degradation and unnecessary memory consumption. To address this limitation, we propose a Targeted Vaccine (T-Vaccine), a memory-efficient safety alignment method that applies perturbation to only selected layers of the model. T-Vaccine follows two core steps: First, it uses the harmful gradient norm as a statistical metric to identify the safety-critical layers. Second, instead of applying uniform perturbation across all layers, T-Vaccine only applies perturbation to the safety-critical layers while keeping other layers frozen during training. Results show that T-Vaccine outperforms Vaccine in terms of both defense effectiveness and resource efficiency. Comparisons with other defense baselines, e.g., RepNoise and TAR, also demonstrate the superiority of T-Vaccine. Notably, T-Vaccine is the first defense that enables a fine-tuning-based alignment method for 7B pre-trained models trained on consumer GPUs with limited memory (e.g., RTX 4090).
PaperID: 868,   
Authors:  Xiaomin Zhao, Qi Jiang, Xin Gong, Meng Li, Xindi Ma, Jianfeng Ma
Affiliations: School of Cyber Engineering, Xidian University, Xi’an, China; School of Computer Science and Information Engineering and the Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, Hefei University of Technology, Hefei, China
Title: Three Birds With One Arrow: Symmetric Two-Factor Authentication Protocol Based on Puncturable Pseudorandom Function
Abstract:
The combination of smart cards and passwords has given birth to one of the most prevalent two-factor authentication (2FA) approaches. Numerous 2FA schemes have been proposed; nevertheless, most of them either do not possess critical security properties or are not efficient for implementation on smart cards. It is generally considered that asymmetric cryptographic primitives, which are burdensome for resource-limited devices, are indispensable to achieve the security goals. That is, the literature is stuck with the security-efficiency tension. In this paper, we propose a 2FA protocol that resorts only to symmetric primitives. Specifically, with the puncturable pseudorandom function, the proposed protocol hits three birds: it achieves three subtle security goals, i.e., resisting offline password guessing attacks, perfect forward secrecy, and anonymity. It alleviates the long-standing security-efficiency conflict that is considered intractable in the literature. The proposed protocol is provably secure within the harshest adversary model to date. Furthermore, the evaluation results demonstrate that our protocol is the optimal choice when considering both security and efficiency.
PaperID: 869,   
Authors:  Ya-Ting Yang, Haozhe Lei, Quanyan Zhu
Affiliations: Department of Electrical and Computer Engineering, New York University, Brooklyn, NY, USA
Title: PRADA: Proactive Risk Assessment and Mitigation of Misinformed Demand Attacks on Navigational Route Recommendations
Abstract:
Leveraging recent advances in wireless communication, IoT, and AI, intelligent transportation systems (ITS) have played an important role in reducing traffic congestion and enhancing user experience. Within ITS, navigational recommendation systems (NRS) are essential for helping users simplify route choices in urban environments. However, NRS are vulnerable to information-based attacks that can manipulate both the NRS and users to achieve the objectives of the malicious entities. This study aims to assess the risks of misinformed demand attacks, where attackers use techniques like Sybil-based attacks to manipulate the demands of certain origins and destinations considered by the NRS. We propose a game-theoretic framework for proactive risk assessment of demand attacks (PRADA) and treat the interaction between attackers and the NRS as a Stackelberg game. Specifically, we consider the case of local-targeted attacks, in which the attacker aims to make the NRS recommend the authentic users towards a specific road that favors certain groups. Our analysis unveils the equivalence between users’ incentive compatibility and Wardrop equilibrium recommendations and shows that the NRS and its users are at high risk when encountering intelligent attackers who can significantly alter user routes by strategically fabricating non-existent demands. To mitigate these risks, we introduce a trust mechanism that leverages users’ confidence in the integrity of the NRS, and show that it can effectively reduce the impact of misinformed demand attacks. Numerical experiments are used to corroborate the results and support our discussion of the Resilience Paradox, where locally targeted attacks can sometimes benefit the overall traffic conditions. Our framework not only assists risk assessment in automating the evaluation process and estimating potential impacts but also aligns with standards like ISO/IEC 27005, offering a proactive approach to managing risks in ITS.
PaperID: 870,   
Authors:  Yong-Sheng Ma, Wei-Wei Che
Affiliations: State Key Laboratory of Synthetical Automation for Process Industries and the College of Information Science and Engineering, Northeastern University, Shenyang, China
Title: Distributed Attack Detection and Resilient Control for Heterogeneous MASs Under False Data Injection Attacks
Abstract:
This paper proposes an intelligent attack defense and optimal control scheme for heterogeneous multi-agent systems (MASs) affected by false data injection (FDI) attacks. An attack detector is devised to detect the FDI attacks, and an isolation mechanism is developed to remove the attacked communication links. Since, owing to the inherently distributed spatial deployment of agents in MASs and limited communication ranges or topological constraints, some followers cannot communicate with a leader directly within the leader-following framework, a distributed observer is developed to reconstruct the leader’s information. On the basis of the reconstructed leader’s information, a data-driven iterative learning algorithm is devised to adaptively learn an optimal controller. Different from the existing methods, the superiority of the presented method is that it requires neither intelligent data storage nor the restrictive persistence-of-excitation condition, which saves storage resources. Simulation is conducted to exemplify the advantage of the proposed approach.
PaperID: 871,   
Authors:  Linke Song, Zixuan Pang, Wenhao Wang, Zihao Wang, XiaoFeng Wang, Hongbo Chen, Wei Song, Yier Jin, Dan Meng, Rui Hou
Affiliations: State Key Laboratory of Cyberspace Security Defense, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; University of Science and Technology of China, Hefei, China; Nanyang Technological University, Singapore, Singapore; Indiana University Bloomington, Bloomington, IN, USA
Title: The Early Bird Catches the Leak: Unveiling Timing Side Channels in LLM Serving Systems
Abstract:
The wide deployment of Large Language Models (LLMs) has given rise to strong demands for optimizing their inference performance. Today’s techniques serving this purpose primarily focus on reducing latency and improving throughput through algorithmic and hardware enhancements, while largely overlooking their privacy side effects, particularly in a multi-user environment. In our research, for the first time, we discovered a set of new timing side channels in LLM systems, arising from shared caches and GPU memory allocations, which can be exploited to infer both confidential system prompts and those issued by other users. These vulnerabilities echo security challenges observed in traditional computing systems, highlighting an urgent need to address potential information leakage in LLM serving infrastructures. In this paper, we report novel attack strategies designed to exploit such timing side channels inherent in LLM deployments, specifically targeting the Key-Value (KV) cache and semantic cache widely used to enhance LLM inference performance. Our approach leverages timing measurements and classification models to detect cache hits, allowing an adversary to infer private prompts with high accuracy. We also propose a token-by-token search algorithm to efficiently recover shared prompt prefixes in the caches, showing the feasibility of stealing system prompts and those produced by peer users. Our experimental studies on black-box testing of popular online LLM services demonstrate that such privacy risks are completely realistic, with significant consequences. Our findings underscore the need for robust mitigation to protect LLM systems against such emerging threats.
PaperID: 872,   
Authors:  DeokKyu Kwon, Seunghwan Son, Kisung Park, Ashok Kumar Das, Youngho Park
Affiliations: School of Electronic and Electrical Engineering, Kyungpook National University, Daegu, South Korea; Department of Computer Engineering (Smart Security), Gachon University, Seongnam, South Korea; Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India
Title: An Efficient Handover Authentication Scheme for 6G-Enabled Space-Terrestrial Integrated Networks With Mobile Edge Computing
Abstract:
Sixth-generation (6G) services can offer unprecedented data speeds, ultra-low latency, and vast connectivity. Moreover, satellite communication has become crucial to achieving seamless global coverage for 6G networks. Space-terrestrial integrated networks (STIN) combine satellite and ground networks, ensuring continuous services via satellites even when outside terrestrial network coverage. However, existing STIN schemes rely on a central ground server, which can potentially lead to bottlenecks and delays. Additionally, a lightweight handover is necessary to address frequent service changes due to the narrow communication ranges in 6G-based STIN environments. To address these challenges, we propose a novel authentication scheme to provide a secure and high-speed handover process for STIN environments. The proposed scheme leverages mobile edge computing (MEC)-based low-Earth orbit (LEO) satellites to minimize communications with the central server. Moreover, a key feature of the proposed scheme is the structural separation of computational loads: we utilize elliptic curve cryptography (ECC) for robust initial authentication, and only hash functions and exclusive-OR (XOR) operators for the high-speed handover process. To prove the security of our scheme, we perform informal analysis, “Burrows-Abadi-Needham (BAN) logic”, “Real-Or-Random (ROR) model”, “Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool”, and “Scyther tool”. Furthermore, we conduct a comparative study on the security properties, computation costs, and communication costs of the proposed scheme and the existing related schemes. To verify the practical deployment of the proposed scheme, we perform a simulation study using “Network Simulator 3 (NS-3)”. Our results demonstrate that the proposed scheme can provide efficient and secure communications for MEC-based STIN environments.
PaperID: 873,   
Authors:  Xiaojuan Cheng, Lu-Xing Yang, Gang Li, Zenan Ma, Tianqing Zhu, Lidan Wang, Shukai Duan
Affiliations: Deakin Cyber Research and Innovation Center, Deakin University, Melbourne, Australia; School of Information Engineering and Automation, Kunming University of Science and Technology, Kunming, China; Faculty of Data Science, City University of Macau, Macau, China; College of Artificial Intelligence, Southwest University, Chongqing, China
Title: Modeling and Mitigating Social Engineering Malware: Integrating Malware-Opinion Dynamics With Optimal Impulse Control Approaches
Abstract:
Social engineering malware, which exploits both technical and human vulnerabilities, presents challenges for individuals and organizations. However, existing studies typically focus on either technical or human vulnerabilities through case studies or questionnaires, ignoring their combined importance in mitigating such threats. This study pioneers the introduction of a mathematical model to analyze and mitigate the dynamics associated with these combined vulnerabilities. To achieve this, this study proposes an innovative framework, which integrates (a) a coupled malware-opinion dynamics model to capture the interplay between both types of vulnerabilities, and (b) an optimal impulse control approach to strategically mitigate social engineering malware. Within this framework, we define an optimization problem aimed at balancing control costs and malware severity. We derive theoretical conditions for optimal impulse strategies that achieve this balance and develop an iterative algorithm, the convergence and scalability of which have been empirically validated. Experimental results on three real-world social networks and synthetic scale-free networks demonstrate that our strategies consistently achieve an optimal balance by minimizing total expenses, including control costs and losses associated with malware. This finding underscores the effectiveness of routine patching and ongoing security awareness training in standard cybersecurity practices. Further experiments indicate that the strategic, early, and frequent deployment of patches in specific scenarios can effectively reduce unnecessary losses, enhancing overall cybersecurity resilience.
PaperID: 874,   
Authors:  Guoqiang Zhang, Qiwei Hu, Yu Zhang, Linyi Cai, Dusit Niyato, Tao Jiang
Affiliations: Research Center of G Mobile Communications, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore
Title: Privacy-Preserving, User-Governed Identity Management Scheme Among Distributed Mobile Applications With Efficient and Short Proof
Abstract:
Digital identity is fundamental for accessing mobile applications and managing user attributes. However, existing centralized identity management solutions rely on third-party operators, posing privacy risks and limiting user control. The decentralized solutions seek to address the issues but often fall short in privacy preservation, efficiency, and cross-application compatibility. In this paper, we propose PPUgIM, a user-governed identity management scheme with universally composable security, emphasizing privacy and data sovereignty in distributed mobile applications. PPUgIM introduces a DID-like account equipped with multi-attribute credentials, enabling users to autonomously manage and selectively disclose various identities without revealing sensitive information. An enhanced authenticated data structure is designed based on vector commitments, supporting short and constant-size proofs for efficient batch authentication of attribute credentials. Furthermore, a formal security analysis of PPUgIM is conducted, and a prototype implementation is developed for performance evaluation. Results show that credential generation takes 500 ms, verification 110 ms, with a constant size proof of 0.15 KB. Proof overhead for identities is reduced by 38.1% compared with existing schemes, demonstrating PPUgIM’s practicality in real-world distributed mobile applications.
PaperID: 875,   
Authors:  Shiwei Wang, Chenyang Zhao, Chenhao Lin, Zhengyu Zhao, Zheng Yang, Qian Wang, Chao Shen, Xiaohong Guan
Affiliations: School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, Shaanxi, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, Hubei, China; School of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an, Shaanxi, China
Title: De2Trojan: Deployable Trojan Analysis Tool and Benchmark for the Machine Learning Lifecycle via Decoupling
Abstract:
Trojans (backdoors) are known to raise critical security concerns for deep neural networks in machine learning (ML) systems. Despite the extensive backdoor methods and benchmarks, existing research overlooks the perspective of the ML lifecycle (i.e., the entire process from system design to data collection to model deployment). To address this gap, this paper introduces De2Trojan, a Deployable Trojan Analysis Tool via Decoupling, which establishes a standardized pipeline to investigate backdoor attacks and defenses within the ML lifecycle. De2Trojan decouples the attack surface from the general ML process through a stage-first hijacking approach, using an abstract interface for ML lifecycle stages to enhance the deployability to the ML lifecycle. Besides, its benefits are two-fold: 1) facilitating the systematic analyses of multi-stage attacks/defenses and their combinations, shedding light on how to improve attack and defense strategies. For example, we find that current attacks (defenses) are not effective in continuous scenarios, and combining attacks (defenses) at different stages improves their effectiveness from 30.11% (8.63%), the worst cases, to 90.27% (68.73%) and 2) making it possible to identify potentially vulnerable stages, especially when iteratively updating the model in ML lifecycle. For example, we identify that backdoor attacks in the data collection stage are more vulnerable than expected, and it is more difficult to remove them from the ML lifecycle. To eliminate the impact of such attacks, it is most effective to apply backdoor defense during the deployment stage, in addition to cleaning the data before training. Overall, we present a comprehensive benchmark of backdoors within the ML lifecycle, involving 20 representative attacks and defenses, as well as their combinations, using 11 evaluation metrics.
PaperID: 876,   
Authors:  Dongming Zhang, Lei Xie, Yu Tao, Zhe Liu
Affiliations: Zhejiang Lab, Hangzhou, China; Nanjing University of Aeronautics and Astronautics, Nanjing, China; Zhejiang University, Hangzhou, China
Title: NMFT: A Copyrighted Data Trading Protocol Based on NFT and AI-Powered Merkle Feature Tree
Abstract:
With the rapid growth of blockchain-based Non-Fungible Tokens (NFTs), data trading has evolved to incorporate NFTs for ownership verification. However, the NFT ecosystem faces significant challenges in copyright protection, particularly when malicious buyers slightly modify the purchased data and remint it as a new NFT, infringing upon the original owner’s rights. In this paper, we propose a copyright-preserving data trading protocol to address this challenge. First, we introduce the Merkle Feature Tree (MFT), an enhanced version of the traditional Merkle Tree that incorporates an AI-powered feature layer above the data layer. Second, we design a copyright challenge phase during the trading process, which recognizes the data owner with highly similar feature vectors and earlier on-chain timestamp as the legitimate owner. Furthermore, to achieve efficient and low-gas feature vector similarity computation on blockchain, we employ Locality-Sensitive Hashing (LSH) to compress high-dimensional floating-point feature vectors into single uint256 integers. Experiments across multiple image feature extraction models show that LSH maintains a high F1 score after compression, effectively supporting similarity-based copyright challenges. Experimental results on the Ethereum Sepolia testnet demonstrate NMFT’s scalability with sublinear growth in gas consumption while maintaining stable latency.
PaperID: 877,   
Authors:  Alessandro Buldini, Carlo Mazzocca, Rebecca Montanari, A. Selcuk Uluagac
Affiliations: Department of Computer Science and Engineering, University of Bologna, Bologna, Italy; Department of Information and Electrical Engineering and Applied Mathematics, University of Salerno, Fisciano, Italy; Cyber-Physical Systems Security Laboratory, School of Computing and Information Sciences, Florida International University, Miami, FL, USA
Title: Benchmarking Selective Disclosure Mechanisms for Verifiable Credentials: A Systematic Comparison for Security and Privacy
Abstract:
In a world where digitalization is reshaping every aspect of our society, digital identity has become more crucial than ever to establish trust and accountability across all entities, whether human, organizational, or machine-based. Numerous initiatives are emerging worldwide, such as the United States’ Mobile Driver’s Licenses (mDLs) and Singapore’s National Digital Identity (NDI). In May 2024, the European Union introduced Regulation 2024/1183, establishing the European Digital Identity Framework. By 2026, this initiative will provide all European citizens with a European Digital Identity Wallet (EUDIW), allowing them to access both online and offline public and private services. The EUDIW empowers individuals to retain full control over their data, allowing them to selectively disclose only the specific information necessary for each interaction. However, the current wallet design relies on Selective Disclosure for JSON Web Token (SD-JWT), which does not fully meet the privacy requirements outlined in the regulation. This paper presents a comprehensive comparison of the main selective disclosure schemes. Specifically, we identify relevant threat models, formalize associated security and privacy properties, and assess the extent to which existing techniques satisfy these properties in mitigating the identified threats. Furthermore, we introduce an open-source benchmark that evaluates selective disclosure mechanisms across key performance indicators, including computational latency, bandwidth consumption, and storage requirements.
PaperID: 878,   
Authors:  Zheng Liu, An Wang, Congming Wei, Yaoling Ding, Jingqi Zhang, Annyu Liu, Liehuang Zhu
Affiliations: School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; School of Computer and Cyber Sciences, Communication University of China, Beijing, China
Title: Release the Power of Rejected Signatures: An Efficient Side-Channel Attack on the ML-DSA Cryptosystem
Abstract:
The module-lattice-based digital signature standard, formerly known as CRYSTALS-DILITHIUM, is a lattice-based post-quantum cryptographic scheme. In August 2024, the National Institute of Standards and Technology officially standardized ML-DSA under FIPS 204. ML-DSA generates one valid signature and multiple rejected signatures during a single signing process. Most side-channel attacks targeting ML-DSA have focused solely on the valid signature, while largely neglecting the hints contained in rejected signatures. Building on prior SASCA frameworks originally proposed for ML-DSA, in this paper we present an efficient and fully practical instantiation of a private-key recovery attack on ML-DSA that jointly exploits side-channel leakages from both valid and rejected signatures within a unified factor graph. This concrete instantiation maximizes the information extracted from a single signing attempt and minimizes the number of required traces for full key recovery. We conducted a proof-of-concept experiment with both reference and ASM-optimized implementations on a Cortex-M4 core chip, where the results demonstrate that incorporating rejected signatures reduces the required number of traces by at least 50.0% for full key recovery. Moreover, we show that using only rejected signatures suffices to recover the key with fewer than 30 traces under our setup. Our findings highlight that protecting rejected signatures is crucial, as their leakage provides valuable side-channel information. We strongly recommend implementing countermeasures for rejected signatures during the signing process to mitigate potential threats.
PaperID: 879,   
Authors:  Lisha Yao, Jian Weng, Pengfei Wu, Shixin Chen, Jianfei Sun, Guomin Yang, Robert H. Deng
Affiliations: School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore; College of Cyber Security, Jinan University, Guangzhou, China
Title: Breaking the Trilemma: Toward Efficient, Privacy-Preserving, and Forward-Secure Data Sharing in the Post-Quantum Era
Abstract:
Cloud-based data sharing has emerged as a prevailing solution for enterprises and end users, supporting various online services in our daily lives. However, the current cloud security solutions are vulnerable to the “harvest now, decrypt later” threat imposed by future quantum computers. To counter the threat, lattice-based cryptographic solutions for supporting cloud data encryption and search have been extensively investigated by both academia and industry. Despite these efforts, existing lattice-based schemes fall into a trilemma: (1) lack of efficient access control for data retrieval; (2) inadequate protection of keyword privacy in both ciphertext and search token; and (3) difficulty in realizing forward secrecy to safeguard historical data. These limitations result in a substantial burden for lattice-based solutions to be adopted in real-world cloud data sharing. To our knowledge, no prior work has comprehensively addressed these issues at the same time, motivating us to design a more flexible, efficient, and secure lattice-based solution. In this paper, we propose an efficient, privacy-preserving, and forward-secure data sharing framework centered around a novel primitive called Forward-Secure Authenticated Searchable Encryption (FS-ASE). Specifically, we first construct an Authenticated Searchable Encryption (ASE) scheme based on ideal lattices, enabling efficient one-to-many search functionality and ensuring keyword privacy in both ciphertext and search token. On top of this primitive, we present the FS-ASE scheme, which achieves forward secrecy through a highly efficient key evolution mechanism, thereby keeping the confidentiality of historical data even if the current secret key is compromised.
Finally, the security of our construction is proven under the Ring Learning With Errors (RLWE) assumption, and experimental results show that it achieves performance improvements of 158× in data retrieval and 350× in token generation over state-of-the-art approaches, indicating its practicality in real use.
PaperID: 880,   
Authors:  Yige Liu, Che Wang, Yiwei Lou, Yongzhi Cao, Hanpin Wang
Affiliations: Key Laboratory of High Confidence Software Technologies, Ministry of Education, School of Computer Science, Peking University, Beijing, China; Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, School of Computer Science, Peking University, Beijing, China
Title: Attackers Are Not the Same! Unveiling the Impact of Feature Distribution on Label Inference Attacks
Abstract:
As a distributed machine learning paradigm, vertical federated learning enables multiple passive parties with distinct features and an active party with labels to train a model collaboratively. Although it has been widely applied for its ability to protect privacy to some extent, this paradigm still faces various threats, especially the label inference attack (LIA). In this paper, we present the first observation of the disparity in LIAs resulting from differences in feature distribution among passive parties. To substantiate this, we study four different types of LIAs across five benchmark datasets, investigating the potential influencing factors and their combined impact. The results show that attack performance disparities can vary up to 15 times among different passive parties. So, how can this disparity be eliminated? We explore methods from both attack and defense perspectives, including learning rate adjustment and noise perturbation with differential privacy. Our findings indicate that a modest increase in the learning rate of the passive party effectively enhances the LIA performance. In light of these, we propose a novel defense strategy that identifies passive parties with important features and applies adaptive noise to their gradients. Experiments show that it effectively reduces both attack disparity among passive parties and overall attack accuracy, while maintaining low computational complexity and avoiding additional communication overhead. Our code is publicly accessible at https://github.com/WWlnZSBMaXU/Attackers-Are-Not-the-Same.
PaperID: 881,   
Authors:  Yiping Zhang, Yuntao Shou, Wei Ai, Tao Meng, Keqin Li
Affiliations: College of Computer and Mathematics, Central South University of Forestry and Technology, Changsha, Hunan, China; Department of Computer Science, State University of New York, New Paltz, NY, USA
Title: GroupFace: Imbalanced Age Estimation Based on Multi-Hop Attention Graph Convolutional Network and Group-Aware Margin Optimization
Abstract:
With the recent advances in computer vision, age estimation has significantly improved in overall accuracy. However, because the most common methods do not take into account the class imbalance problem in age estimation datasets, they suffer from a large bias in recognizing long-tailed groups. To achieve high-quality imbalanced learning in long-tailed groups, the dominant solution lies in that the feature extractor learns the discriminative features of different groups and the classifier is able to provide appropriate and unbiased margins for different groups by the discriminative features. Therefore, in this paper, we propose an innovative collaborative learning framework (GroupFace) that integrates a multi-hop attention graph convolutional network and a dynamic group-aware margin strategy based on reinforcement learning. Specifically, to extract the discriminative features of different groups, we design an enhanced multi-hop attention graph convolutional network. This network is capable of capturing the interactions of neighboring nodes at different distances, fusing local and global information to model facial deep aging, and exploring diverse representations of different groups. In addition, to further address the class imbalance problem, we design a dynamic group-aware margin strategy based on reinforcement learning to provide appropriate and unbiased margins for different groups. The strategy divides the samples into four age groups and identifies the optimum margins for the various age groups by employing a Markov decision process. Under the guidance of the agent, the feature representation bias and the classification margin deviation between different groups can be reduced simultaneously, balancing inter-class separability and intra-class proximity. After joint optimization, our architecture achieves excellent performance on several age estimation benchmark datasets.
It not only achieves large improvements in overall estimation accuracy but also gains balanced performance in long-tailed group estimation.
PaperID: 882,   
Authors:  Kaiyao Miao, Meng Zhang, Fanghong Guo, Rongxing Lu, Xiaohong Guan
Affiliations: School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China; Department of Automation, Zhejiang University of Technology, Hangzhou, China; Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada
Title: Detection of False Data Injection Attacks in Smart Grids: An Optimal Transport-Based Reliable Self-Training Approach
Abstract:
Despite the success of data-driven methods in detecting false data injection (FDI) attacks, the remarkable progress is inseparable from massive labeled and class-balanced measurements. However, the collected measurement datasets in smart grids typically exhibit skewed class distributions and are partially labeled due to the expensive labeling costs. Learning from such non-ideal datasets undoubtedly results in the degenerated detection performance of the data-driven methods. To cope with this issue, we propose an optimal transport (OT)-based framework named DeSSW to promote the utilization of plentiful unlabeled measurements through the self-training technique, which improves the ability to identify FDI attacks by producing distinguishable representations for normal and attacked measurements in the feature space. Specifically, DeSSW consists of a novel re-weighting algorithm and a debiased self-training strategy. The re-weighting algorithm ensures high-confidence unlabeled measurements dominate the self-training procedure, and the debiased self-training strategy mitigates bias accumulation in the iterative self-training procedure. Extensive experiments demonstrate that DeSSW achieves superior detection performance when facing the combinatorial challenge of partially labeled and class-imbalanced measurements, even if the measurements are noisy.
PaperID: 883,   
Authors:  Chaowei Sun, Qingyu Su, Jian Li
Affiliations: School of Automation Engineering, Northeast Electric Power University, Jilin City, Jilin, China
Title: Secure Tracking Control and Attack Detection for Power Cyber-Physical Systems Based on Integrated Control Decision
Abstract:
In this article, the problems of attack detection and secure tracking control for the power cyber-physical system are investigated. Considering the critical role of cyber networks in influencing decision-making for power grid optimization, a multiobjective optimization problem is introduced to determine the output power of generators. This optimization problem is solved based on the improved particle swarm optimization algorithm. The power system is modelled with dynamic characteristics taken into account. Furthermore, a resilient state-feedback tracking control strategy that exploits a sliding mode observer is introduced to ensure that the reference value generated by the cyber network is tracked even under attacks. In addition, by using the reconstructed attack signals, an attack detection scheme is proposed. Some sufficient conditions are then obtained for the solvability of the tracking control problem. Finally, a simulation example and the experimental validation built on the StarSim hardware-in-the-loop simulation platform are introduced to illustrate the effectiveness of the proposed method.
PaperID: 884,   
Authors:  Changsong Jiang, Chunxiang Xu, Xinfeng Dong, Kefei Chen, Guomin Yang
Affiliations: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; Department of Mathematics, Hangzhou Normal University, Hangzhou, China; School of Computing and Information Systems, Singapore Management University, Bras Basah, Singapore
Title: An Efficient Privacy-Preserving Scheme for Weak Password Collection in Internet of Things Against Perpetual Leakage
Abstract:
Password-based authentication is widely applied in Internet of Things (IoT). It allows IoT devices to identify users with passwords to resist unauthorized access. However, choices of weak passwords, especially popular ones, might violate users’ privacy and lead to large-scale network attacks. Collection of popular passwords among IoT devices to establish blocklists via a service provider can prevent use of weak passwords. To protect unpopular passwords during collection, existing privacy-preserving schemes rely on expensive cryptographic primitives (e.g., garbled circuits and zero-knowledge proofs), which would impose heavy communication and computation burdens on constrained devices and hinder wide deployment of these schemes. In this paper, we propose EAGER+, an efficient privacy-preserving scheme for weak password collection in IoT against perpetual leakage. EAGER+ is mainly built on secret sharing and symmetric encryption, thereby enabling lightweight computation and communication on IoT devices. In EAGER+, we conceive a password-locked encryption with conditional decryption mechanism to efficiently identify popular passwords, where a password is essentially locked under itself in the encryption to guarantee its security, and the password can be revealed from the ciphertext by the service provider only if a sufficient number of devices exploit it. The mechanism is integrated with a servers-aided password-hardening mechanism to resist offline dictionary guessing attacks. Moreover, EAGER+ uses a key renewal mechanism to periodically update secrets for password hardening on key servers to thwart perpetual leakage towards the secrets. We formally analyze the security of EAGER+, and conduct experimental evaluations to show that EAGER+ is more efficient than existing schemes.
PaperID: 885,   
Authors:  Chaohao Fu, Hongbin Chen, Na Ruan
Affiliations: Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Privacy for Free: Spy Attack in Vertical Federated Learning by Both Active and Passive Parties
Abstract:
Vertical federated learning (VFL) is an emerging paradigm well-suited for commercial collaborations among companies. These companies share a common user base but possess distinct features. VFL enables the training of a shared global model with features from different parties while maintaining the confidentiality of raw data. Despite its potential, the VFL mechanism still lacks certified integrity, posing a notable threat of potential commercial deception or privacy infringement. In this study, we introduce a novel form of attack in which the attacker can participate in VFL by free-riding on the collaborative process while surreptitiously extracting users’ private data. This attack, reminiscent of corporate espionage tactics, is called the “spy attack”. Specifically, spy attacks allow a dishonest party without sufficient data to hitch a ride by inferring the missing user features through the shared information from other participants. We design two types of spy attacks tailored for scenarios where the attacker takes either an active or a passive role. Evaluations with four real-world datasets demonstrate the effectiveness of our attacks, not only fulfilling the stipulated collaboration through hitchhiking, but also successfully stealing users’ privacy. Even when the missing rate reaches 90%, the spy attack continues to yield a test accuracy that surpasses the model trained with non-missing data and achieves reconstruction results approaching the theoretically highest quality. Furthermore, we meticulously discuss and evaluate up to seven possible defense strategies. The findings underscore the necessity for designing more effective and efficient defense strategies to counteract spy attacks.
PaperID: 886,   
Authors:  Yan Zhang, Chunsheng Gu, Peizhong Shi, Zhengjun Jing, Bing Li, Bo Liu
Affiliations: School of Computer Engineering, Jiangsu University of Technology, Changzhou, Jiangsu, China; School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu, China; School of Computer Science, University of Technology Sydney, Ultimo, NSW, Australia
Title: Bring Your Device Group (BYDG): Efficient and Privacy-Preserving User-Device Authentication Protocol in Multi-Access Edge Computing
Abstract:
Authentication is an important security issue for multi-access edge computing (MEC). To restrict user access from untrusted devices, the Bring Your Own Device (BYOD) policy has been proposed to authenticate users and devices simultaneously. However, when integrating the BYOD policy into MEC authentication to improve security, the issues of efficient binding and user-device conditional anonymity have not been well supported. To address these issues, we propose the Bring Your Device Group (BYDG) policy by constructing efficient and privacy-preserving user-device authentication. Our core idea is to use key sequences generated by PUF-based key derivation functions (KDFs) to not only construct efficient binding relationships, but also achieve conditional anonymity for device groups. Specifically, a flexible and secure binding method is first developed by leveraging the Chinese Remainder Theorem (CRT) to bind users with device groups. Each device’s CRT modulus is derived from the key sequence to construct many-to-many user-device binding relationships, which are managed in the form of on-chain Pedersen Commitments. Moreover, we design an identity anonymizing and tracing method for device groups. The key sequence is regarded as a set of traceable device pseudo-identities, which are then inserted into a cuckoo filter to reduce the on-chain storage overhead and mitigate malicious login attempts at low cost. Based on the above two methods, the combination of Pedersen Commitment and Zero-Knowledge Proof of Knowledge is used to achieve user-device authentication with conditional anonymity. A security analysis is presented to demonstrate important security properties. A proof-of-concept prototype was implemented to conduct performance evaluation and comparative analysis.
PaperID: 887,   
Authors:  Jiayi Chen, Zhufang Kuang, Yuhao Zhang, Siyu Lin, Anfeng Liu
Affiliations: College of Computer and Mathematics, Central South University of Forestry and Technology, Changsha, China; School of Electronic and Information Engineering and the State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China; School of Electronic Information, Central South University, Changsha, China
Title: Blockchain-Enabled Computing Offloading and Resource Allocation in Multi-UAVs MEC Network: A Stackelberg Game Learning Approach
Abstract:
Unmanned Aerial Vehicles (UAVs) are a promising technology that can serve as aerial base stations to assist Internet of Things (IoT) networks and solve various problems, such as expanding network coverage, improving network performance, transmitting energy to IoT devices, and performing compute-intensive IoT tasks. However, due to the communication between UAVs and the migration of computing tasks, privacy and security during the computing offloading process are challenging issues. To this end, we design an air-to-air multi-UAV MEC network system based on a multi-coalition game, and introduce blockchain technology to ensure privacy and security between UAVs, effectively ensuring the security and confidentiality of computing offloading between UAVs. In this paper, the joint optimization problem of UAV channel selection, UAV location deployment, block processor decision, block processor transmission power, and block processor generation frequency is studied. The goal is to minimize the weighted average sum of energy consumption and delay for MEC task computing and blockchain task processing. To handle this intractable issue, the original problem is decomposed into two subproblems that are solved alternately. In addition, the Joint Convex Optimization and Stackelberg Game Hierarchical (JCSH) algorithm is proposed, which solves the problem of blockchain-enabled computing offloading and resource allocation. The simulation results show that the JCSH algorithm has better performance and stronger robustness compared to other algorithms under different parameter settings.
PaperID: 888,   
Authors:  Yongchao Meng, Peihan Qi, Shilian Zheng, Zihao Cai, Xiaoyu Zhou, Tao Jiang
Affiliations: State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China; Innovation Studio of Academician Yang, National Key Laboratory of Electromagnetic Space Security, Jiaxing, China; School of Cyber Engineering, Xidian University, Xi’an, China
Title: Adversarial Attack and Reliable Defense Based on Frequency Domain Feature Enhancement for Automatic Modulation Classification
Abstract:
Deep neural networks (DNNs) greatly enable the task of automatic modulation classification (AMC) by virtue of their powerful feature extraction capability. However, extensive research has shown that DNNs are highly vulnerable to adversarial attacks, which can lead them to output incorrect results with high confidence scores. Existing adversarial attack methods often focus solely on the temporal characteristics of signals while neglecting frequency domain information, resulting in adversarial examples with poor transferability and inadequate performance in the closed-box scenario. An adversarial attack method based on frequency domain feature enhancement and integral gradient (FEIG) for the AMC task is proposed in this paper. The approach utilizes techniques such as translation interpolation and the Inverse Fast Fourier Transform to enhance the frequency domain information of the original examples, thereby constructing enhanced baseline examples. Subsequently, these generated enhanced baseline examples are used as new inputs for gradient integration to obtain adversarial examples. Compared to traditional methods, the generated adversarial examples exhibit stronger transferability. Furthermore, in order to improve the defense performance of the model, an enhanced hybrid adversarial training (EH-AT) framework is proposed in this paper. The original clean example and the adversarial example generated by the proposed attack method are trained with joint loss constraints, which greatly enhances the robustness of the model. Experimental results demonstrate the effectiveness of the FEIG attack method and the EH-AT framework.
PaperID: 889,   
Authors:  Euibum Lee, Dong-Hoon Choi, Taesik Nam, Inhwan Kim, Youngjae Yu, Jong-Gwan Yook
Affiliations: Department of Electrical and Electronic Engineering, Yonsei University, Seoul, South Korea
Title: Complete Coherent Demodulation and Recovery of Spread Spectrum Clocking-Based Electromagnetic Information Leakage: Theory and Demonstration
Abstract:
Analyzing unintentional electromagnetic (EM) emissions from contemporary devices remains a significant challenge due to the difficulty of identifying potential sources of vulnerability within modern integrated circuit design and the limited research on critical leakage points. These challenges are particularly pressing in today’s information-driven society, where such emissions pose substantial security risks. To address this issue, this paper focuses on spread spectrum clocking (SSC) schemes employed in information visualization devices (IVDs), offering an in-depth analysis of the diverse characteristics of EM leakage and highlighting their associated risks. To convey our contributions, we introduce a novel model based on a modified Fourier series that accurately captures SSC-induced EM waves, enhancing the understanding of emissions from SSC-based devices. Additionally, we propose complete coherent demodulation (CCD), an advancement of the periodic nonuniform sampling (PNS) framework that resolves byproduct-phase terms. Our work further integrates parameterized demodulation with singular value decomposition (PD-SVD) to refine the analysis of modulated instantaneous frequency terms within EM leakage observed over significant distances. These contributions advance security assessments and strengthen electromagnetic resilience.
PaperID: 890,   
Authors:  Hao Huang, Xiaofen Wang, Man Ho Au, Sheng Cao, Qinglin Zhao, Jiguo Yu
Affiliations: School of Computer Science and Engineering (School of Cyber Security), University of Electronic Science and Technology of China, Chengdu, China; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China; School of Computer Science and Engineering, Macau University of Science and Technology, Macau, China
Title: An Enhanced Linearly Homomorphic Network Coding Signature Scheme for Secure Data Delivery in IoT Networks
Abstract:
Recently, Li et al. proposed an identity-based linearly homomorphic network coding signature (IB-HNCS) scheme for secure data delivery in Internet of Things (IoT) networks, and they claimed that the IB-HNCS scheme can resist pollution attacks. However, this paper shows that the IB-HNCS scheme is vulnerable to pollution attacks, as anyone who only has the public parameter can forge a new file identifier or a valid signature on a corrupted data packet to pollute legitimate sensor data. To enhance security and performance in network coding-based IoT networks, we propose a secure and efficient certificateless linearly homomorphic network coding signature scheme for IoT data delivery, which is free of burdensome certificate management and key escrow issue. In addition, our scheme is proved to be secure against adaptive chosen identity and adaptive chosen subspace attacks under two types of adversaries in the algebraic group model and random oracle model. Therefore, our scheme can verify the validity of data packets and allow data packets to be computed, so as to resist pollution attacks. The performance evaluation demonstrates that our scheme is more efficient and practical than existing secure schemes. Specifically, for a 73-dimensional data vector, the costs of signature generation and verification in our scheme are reduced by 38.588%-86.076% and 38.570%-85.664% respectively under the symmetric bilinear pairing setting, and the costs of signature generation and verification in our scheme are reduced by 17.740%-49.752% and 29.697%-58.645% respectively under the asymmetric bilinear pairing setting.
PaperID: 891,   
Authors:  Shuaishuai Chang, Hui Ma, Jianting Ning, Yuzhe Li, Lin Su, Bo Li, Weiping Wang
Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: RevokAll: Hardware-Assisted Revocable Data Sharing Framework for Full Data Traffic With Rapid Deployment in Cloud-Edge
Abstract:
Secure cloud-edge data sharing has been researched recently to provide high-quality on-demand data services. Attribute-based encryption (ABE) is a promising solution that achieves data confidentiality and flexible access control simultaneously. But three major issues remain when adapting ABE to cloud-edge, namely reliable user revocation, high performance on devices, and trust issues of the public cloud. First, existing direct user revocation mechanisms focus on preventing a revoked user from decrypting header ciphertexts even when key exposure occurs, but ignore the payload security. Second, how to conveniently deploy on diverse platforms and run programs on resource-constrained devices with high efficiency is a challenge. Finally, there is no universal guarantee of cloud computation and management tasks; thus a lazy or malicious cloud may not follow the protocol and may perform improper actions on purpose. In this work, we propose a Hardware-Assisted Hybrid Fully Outsourced Revocable Attribute-Based Proxy Re-Encryption (H2O-RABPRE) scheme that supports reliable user revocation for full data traffic and hardware-assisted fully outsourced computation. Moreover, we design a hardware-assisted data-sharing framework with rapid deployment for cloud-edge, which integrates the developed SGX-MCL to protect outsourced tasks executed by cloud/edge devices against malicious behaviors and utilizes the enhanced WebAssembly runtime, WasmCrypto, a unified deployment approach for IoT devices with near-native performance. We implement the scheme on an SGX cloud server, a laptop, a Raspberry Pi, and an ESP32 board, and the results indicate that the proposed scheme is practical.
PaperID: 892,   
Authors:  Haoyi Wang, Victor Sanchez, Chang-Tsun Li, Nathan Clarke
Affiliations: School of Engineering, Computing and Mathematics, University of Plymouth, Plymouth, U.K.; Department of Computer Science, University of Warwick, Coventry, U.K.; School of Information Technology, Deakin University, Geelong, VIC, Australia
Title: From Age Estimation to Age-Invariant Face Recognition: Generalized Age Feature Extraction Using Order-Enhanced Contrastive Learning
Abstract:
Generalized age feature extraction is crucial for age-related facial analysis tasks, such as age estimation and age-invariant face recognition (AIFR). Despite the recent successes of models in homogeneous-dataset experiments, their performance drops significantly in cross-dataset evaluations. Most of these models fail to extract generalized age features as they only attempt to map extracted features to training age labels directly without explicitly modeling the natural ordinal progression of aging. In this paper, we propose Order-Enhanced Contrastive Learning (OrdCon), a novel contrastive learning framework designed explicitly for ordinal attributes like age. Specifically, to extract generalized features, OrdCon aligns the direction vector of two features with either the natural aging direction or its reverse to model the ordinal process of aging. To further enhance generalizability, OrdCon leverages a novel soft proxy matching loss as a second contrastive objective, ensuring that features are positioned around the center of each age cluster with minimal intra-class variance and proportionally away from other clusters. By modeling the aging process, the framework can enhance generalizability by improving the alignment of samples from the same class and reducing the divergence of direction vectors. We demonstrate that our proposed method achieves comparable results to state-of-the-art methods on various benchmark datasets in homogeneous-dataset evaluations for both age estimation and AIFR. In cross-dataset experiments, OrdCon outperforms other methods by reducing the mean absolute error by approximately 1.38 on average for the age estimation task and boosts the average accuracy for AIFR by 1.87%.
PaperID: 893,   
Authors:  Shuilong Wang, Laurence T. Yang, Debin Liu, Ruonan Zhao, Xianjun Deng, Cannian Zou, Xiaoxuan Fan
Affiliations: School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; School of Computer and Artificial Intelligence, Zhengzhou University, Zhengzhou, China
Title: Improving Ethereum Mixing Address Linking With Tensor Computation, Neighbor Data Utilization, and Asymmetric Information Modeling
Abstract:
Due to the strong untraceability of mixing services, numerous criminals exploit these services to engage in illicit activities, posing a significant threat to the blockchain ecosystem. This paper addresses the challenge of linking transaction addresses in Tornado Cash, a popular mixing service on Ethereum. While existing state-of-the-art solutions like MixBroker attempt to address this problem, two fundamental limitations persist: insufficient utilization of neighbor information and neglect of address information asymmetry. To address these gaps, a novel framework termed “MixLinker” is proposed, which enhances neighbor information utilization and models information asymmetry. Specifically, a Normalized Adjusted Personal PageRank (NAPPR) module is designed to prioritize significant neighbor nodes while mitigating interference from super and irrelevant addresses. Additionally, tensors are employed to model transactions, capturing rich interaction features related to transaction attributes. Based on historical transaction sequences, Tensor Long Short-Term Memory (TLSTM) is used to obtain high-quality initial input features for the Graph Neural Network (GNN) module, enabling effective learning of nonlinear dynamics. To ensure symmetric output results and model asymmetric information, a temporal-aware symmetry classifier is constructed that leverages asymmetric information through permutation operations and an order-aware classifier. Extensive experiments demonstrate that MixLinker outperforms other methods, validating the effectiveness of the proposed approach and confirming the two underlying motivations.
PaperID: 894,   
Authors:  Xiangyi Wang, Jian Zhang, Lingkai Xing, Ming Yang, Zheng Meng, Lexin Jia
Affiliations: College of Cryptology and Cyber Science, Nankai University, Tianjin, China
Title: HyperMD: A Multi-Modal Malware Detection Method Using Performance Counters and Process Memory on Xen Platform
Abstract:
Traditional malware detection techniques often struggle against the sophisticated obfuscation methods employed by modern malware. To address this challenge, this paper proposes HyperMD, a multi-modal malware detection method that leverages Xen as the malware analysis platform. HyperMD detects malware by using time-series Xen performance counter data collected at the hypervisor layer while running samples in a virtual machine (VM). Additionally, it incorporates an out-of-VM runtime process memory dump module to capture the target process’s memory. The acquired memory snapshots are then converted into images using SimHash. Finally, HyperMD fuses features from both time-series data and memory images to train a multi-modal deep learning model. We evaluated HyperMD using a dataset collected from VirusTotal and VirusShare, comprising sophisticated samples designed to evade detection or trigger false alarms. HyperMD achieves an accuracy of 97.53%, demonstrating its effectiveness in detecting rootkits and process injection malware. This proposed method can help detect obfuscated malware due to the utilization of hypervisor-layer features. Furthermore, HyperMD demonstrates a classification accuracy of 97.56% for five different malware families. The performance of HyperMD is also compared with other state-of-the-art static and dynamic detection methods, which further demonstrates the advantages of HyperMD. The robustness, resilience and scalability of HyperMD are also evaluated.
PaperID: 895,   
Authors:  Yijia Guo, Junqing Zhang, Y.-W. Peter Hong
Affiliations: Department of Electrical Engineering and Electronics, University of Liverpool, Liverpool, U.K.; Institute of Communications Engineering, National Tsing Hua University, Hsinchu, Taiwan
Title: Practical Physical Layer Authentication for Mobile Scenarios Using a Synthetic Dataset Enhanced Deep Learning Approach
Abstract:
The Internet of Things (IoT) is ubiquitous thanks to the rapid development of wireless technologies. However, the broadcast nature of wireless transmissions results in great vulnerability to device authentication. Physical layer authentication emerges as a promising approach by exploiting the unique channel characteristics. However, a practical scheme applicable to dynamic channel variations is still missing. In this paper, we proposed a deep learning-based physical layer channel state information (CSI) authentication for mobile scenarios and carried out comprehensive simulation and experimental evaluation using IEEE 802.11n. Specifically, a synthetic training dataset was generated based on the WLAN TGn channel model and the autocorrelation and the distance correlation of the channel, which can significantly reduce the overhead of manually collecting experimental datasets. A convolutional neural network (CNN)-based Siamese network was exploited to learn the temporal and spatial correlation between the CSI pair and output a score to measure their similarity. We adopted a synergistic methodology involving both simulation and experimental evaluation. The experimental testbed consisted of WiFi IoT development kits and a few typical scenarios were specifically considered. Both simulation and experimental evaluation demonstrated excellent generalization performance of our proposed deep learning-based approach and excellent authentication performance. Demonstrated by our practical measurement results, our proposed scheme improved the area under the curve (AUC) by 0.03 compared to the fully connected network-based (FCN-based) Siamese model and by 0.06 compared to the correlation-based benchmark algorithm.
PaperID: 896,   
Authors:  Yifan Jia, Yanbin Wang, Jianguo Sun, Ye Tian, Peng Qian
Affiliations: Yantai Research Institute, Harbin Engineering University, Yantai, China; Shenzhen MSU-BIT University, Shenzhen, China; Hangzhou Research Institute, Xidian University, Hangzhou, China; College of Computer Science, Zhejiang University, Hangzhou, China
Title: LMAE4Eth: Generalizable and Robust Ethereum Fraud Detection by Exploring Transaction Semantics and Masked Graph Embedding
Abstract:
As Ethereum confronts increasingly sophisticated fraud threats, recent research seeks to improve fraud account detection by leveraging advanced pre-trained Transformers or self-supervised graph neural networks. However, current Transformer-based methods rely on context-independent, numerical transaction sequences, failing to capture the semantics of account transactions. Furthermore, the pervasive homogeneity in Ethereum transaction records renders it challenging to learn discriminative account embeddings. Moreover, current self-supervised graph learning methods primarily learn node representations through graph reconstruction, resulting in suboptimal performance for node-level tasks like fraud account detection, while these methods also encounter scalability challenges. To tackle these challenges, we propose LMAE4Eth, a multi-view learning framework that fuses transaction semantics, masked graph embedding, and expert knowledge. We first propose a transaction-token contrastive language model (TxCLM) that transforms context-independent numerical transaction records into logically cohesive linguistic representations, and leverages language modeling to learn transaction semantics. To clearly characterize the semantic differences between accounts, we also use a token-aware contrastive learning pre-training objective, which, together with the masked transaction model pre-training objective, learns highly expressive account representations. We then propose a masked account graph autoencoder (MAGAE) using generative self-supervised learning, which achieves superior node-level account detection by focusing on reconstructing account node features rather than graph structure. To enable MAGAE to scale for large-scale training, we propose to integrate layer-neighbor sampling into the graph, which reduces the number of sampled vertices by several times without compromising training quality. Additionally, we initialize the account nodes in the graph with expert-engineered features to inject empirical and statistical knowledge into the model. Finally, using a cross-attention fusion network, we unify the embeddings of TxCLM and MAGAE to leverage the benefits of both. We evaluate our method against 21 baseline approaches on three datasets. Experimental results show that our method improves the F1-score by over 10% at most compared with the best baseline. Furthermore, we observe from three datasets that the proposed method demonstrates strong generalization ability compared to previous work. Our source code is available at: https://github.com/lmae4eth/LMAE4Eth
PaperID: 897,   
Authors:  Weixin Zhao, Wen Huang, Zhishuo Zhang, Mingxuan Jia, Wenzheng Xu, Jian Peng, Yongjian Liao
Affiliations: College of Computer Science, Sichuan University, Chengdu, China; School of Information Software and Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: Improving Privacy Budget Auditing of Differentially Private Artificial Intelligence Models Through Variance of Model Parameters
Abstract:
Differential privacy (DP) is introduced into many fields of AI to preserve privacy. However, introducing DP into AI models is extremely error-prone. To verify whether DP AI models can provide the privacy guarantee (quantified by the privacy budget) that these models claim, existing methods utilize attack methods to audit whether the privacy budget of these models is the same as these models claim. To further improve the precision of privacy budget auditing, we propose a brand new way to audit the privacy budget, namely directly utilizing the parameters of DP AI models to audit the privacy budget. In particular, our method utilizes a statistical characteristic, the variance of the output distribution of the DP mechanism, to audit the privacy budget of the DP mechanism. DP AI models are regarded as data samples from the output distribution of the DP AI model training method and are utilized to approximate the variance of the output distribution. The approximated variance is leveraged to estimate the variance of the noise distribution of the DP mechanism, and through the relationship between noise variance and privacy budget, our method calculates the audited privacy budget from the estimated noise variance. In addition, to reduce computation overhead, our method constructs a parameter selection strategy to identify positions whose parameters are suitable for privacy budget auditing. Comprehensive experiments are conducted to verify the effectiveness of our auditing method. Comparison results against five competitive auditing methods demonstrate that our method decreases MAE by 18.29% and decreases MSE by 23.17% on the experiment datasets.
PaperID: 898,   
Authors:  Yiqun Yue, Shaolin Tan, Ye Tao, Nian Liu, Jinhu Lü
Affiliations: Beijing University of Posts and Telecommunications, Beijing, China; Zhongguancun Laboratory, Beijing, China; School of Automation Science and Electrical Engineering, Beihang University, Beijing, China
Title: A Non-Markovian Game Approach on Labeled Attack Graphs for Security Decision-Making in Industrial Control Systems
Abstract:
As industrial control systems become increasingly interconnected with information networks, attackers could exploit vulnerabilities across different system layers to create complex exploit chains to compromise field control elements. As such, security decision-making is of essential importance to maintain the operational security of critical industrial infrastructures. In this paper, we consider the problem of designing cost-effective defense strategies to minimize the risk of successful attack paths. To this end, we propose a non-Markovian security game framework on labeled attack graphs to simulate the attack-defense process in industrial control systems. Compared with existing methods, where the cost of exploiting a vulnerability is considered constant, we consider a more dynamic and realistic case where the exploitation cost is discounted with the number of exploitations. Moreover, a state-decomposition based multi-agent reinforcement learning algorithm is developed to obtain the Nash equilibrium of the proposed non-Markovian security game. A case study on a simulated industrial control system is presented to illustrate the feasibility of the proposed approach. The results demonstrate that the discounting exploitation cost could greatly alter the attack and subsequently the defense strategies. In comparison to traditional static intrusion response approaches, our non-Markovian approach offers a more realistic and adaptive framework to anticipate evolving attack paths and allocate defense resources.
PaperID: 899,   
Authors:  Youkun Shi, Fengyu Liu, Guangliang Yang, Yuan Zhang, Yinzhi Cao, Enhao Li, Xin Tan, Xiapu Luo, Min Yang, Siyi Chen
Affiliations: School of Computer Science and Technology, Fudan University, Shanghai, China; Department of Computer Science, Johns Hopkins University, Baltimore, MD, USA; Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China; Alibaba Group, Hangzhou, China
Title: Facilitating Access Control Vulnerability Detection in Modern Java Web Applications With Accurate Permission Check Identification
Abstract:
Access-control vulnerabilities have emerged as a significant concern in recent years, posing considerable security risks to a wide range of critical systems. The detection of access-control vulnerabilities in Java web applications poses unique challenges, because heuristics used in the past, e.g., access-control specifications or format-specific runtime logs, may not exist in modern Java web applications using web frameworks. Therefore, to date, there is no effective approach to detecting such vulnerabilities in modern Java web applications. In this paper, we introduce a novel approach, called PCFinder, which leverages multi-level semantics- and context-analysis to conduct accurate permission-check identifications against real-world Java web infrastructures for access-control vulnerability detection. PCFinder successfully discovered 58 high-risk broken access control vulnerabilities, with 30 having been assigned CVE identifiers thus far, in analyzing 50 popular, real-world Java web applications. We also evaluate PCFinder on manually constructed ground-truth data and show that PCFinder achieved a high level of accuracy, i.e., a precision of 94.12% and a recall of 96.97% in identifying permission checks.
PaperID: 900,   
Authors:  Meng Li, Yifei Chen, Yan Qiao, Guixin Ye, Zijian Zhang, Liehuang Zhu, Mauro Conti
Affiliations: School of Computer Science and Information Engineering, and the Key Laboratory of Knowledge Engineering with Big Data, Ministry of Education, Hefei University of Technology, Hefei, China; School of Information Science and Technology, Northwest University, Xi’an, China; School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China; Department of Mathematics and HIT Center, University of Padua, Padua, Italy
Title: Trust in a Decentralized World: Data Governance From Faithful, Private, Verifiable, and Traceable Data Feeds
Abstract:
Blockchain technology autonomously executes smart contracts that require external data to facilitate specific applications, underscoring the necessity for Authenticated Data Feeds (ADF). Existing solutions fall short in providing genuine authentication of data, lack private and verifiable computations across multiple data sources, and overlook data traceability, rendering current systems inadequate for complex applications. We present WuKong (WK), a data governance system that offers authenticated, privately verifiable, and traceable data feeds. WK enables a server to collect faithful data through an oracle committee and to prove computation correctness in zero-knowledge proofs, and empowers legal entities to trace a leakage source conditionally. We formally define and prove the security of WK in the universal composability framework. We implement three applications that seamlessly integrate with WK. Experimental results indicate that WK effectively liberates sensitive data from distributed, untrusted, and anonymous providers, making it accessible to various services and establishing trust in a decentralized world.
PaperID: 901,   
Authors:  Shiqi Liu, Zhouqi Jiang, Jie Wang, Wei Zhou, Kun Sun, Zhaohui Chen, Yulai Xie
Affiliations: Hubei Key Laboratory of Distributed System Security, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China; Center for Secure Information Systems, George Mason University, Fairfax, VA, USA; School of Integrated Circuits, Peking University, Beijing, China; Key Laboratory of Information Storage Systems, Ministry of Education, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan, China
Title: More Granular, Less Trust: Enforcing Intra-Process Isolation With Arm CCA in an Untrusted Management Environment
Abstract:
With the increasing adoption of confidential computing, security-sensitive applications are often deployed in confidential virtual machines (CVMs), which reduce reliance on third-party cloud providers. However, privilege attacks originating from the OS remain a significant threat in these environments. Existing finer-grained isolation schemes, such as Shelter, provide process-level protection but are still vulnerable to intra-process attacks and potential collusion between the OS and intra-process adversaries. Many current intra-process isolation techniques continue to depend on the OS to manage and enforce isolation domains, leading to a large Trusted Computing Base (TCB). This gap highlights the need for more granular, less trust-dependent confidential computing solutions. In this paper, we present CCAegis, a system that extends the Arm Confidential Compute Architecture (CCA) to enforce intra-process isolation of sensitive data and operations, safeguarding them from both intra-process adversaries and the OS. We employ static analysis to track the flow of sensitive data and identify functions that handle such data. Permission-switching instructions are inserted at the function call and return points, adjusting permissions via the Granule Protection Table (GPT) to ensure that only designated functions can access the isolated data. Notably, CCAegis places trust solely in the Secure Monitor, which configures the GPTs and manages domain switching, thereby minimizing the TCB. We implemented CCAegis on both an official emulator and a real development board to assess its performance. Our experimental results show that CCAegis effectively isolates sensitive data and operations, with performance overheads ranging from 1.01× to 1.43× compared to the original version across real-world cryptographic workloads.
PaperID: 902,   
Authors:  Hangcheng Cao, Guowen Xu, Ziyang He, Xuan Zhang, Shengmin Xu, Xinyuan Qian, Anjia Yang, Jianting Ning
Affiliations: Department of Computer Science, City University of Hong Kong, Hong Kong, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou, China; Key Laboratory of Analytical Mathematics and Applications (Ministry of Education) and Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; College of Cyber Security, Jinan University, Guangzhou, China; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: The Lives of Others: Snooping on Smartphone Usage Behaviors via Attention-Enabled Multi-Channel Spatiotemporal Information Fusion
Abstract:
Using side-effect sensing information to monitor smartphone usage behavior raises privacy leakage concerns. However, existing research typically utilizes only a single sensing channel or performs a simple aggregation of multi-channel data to infer user behavior, without sufficiently leveraging the rich spatiotemporal information embedded in the diverse sensing channels. Such a narrow focus of existing works fails to reveal the real risk of user privacy leakage. To bridge this research gap, we propose HiddenSpy, a comprehensive study assessing the smartphone usage snooping associated with multiple sensing channels, such as accelerometers and magnetometers. We start by examining the relationship between the data gathered from each channel and daily usage behaviors, highlighting information volume differences across channels. Building on this analysis, we propose a multi-layer attention mechanism that dynamically adjusts the importance of spatiotemporal information from different channels and time frames, facilitating the efficient use of multi-channel data for behavior inference. Importantly, our work marks a pivotal shift from addressing information leakage in single channels to managing information exposure throughout the smartphone sensing system, laying the foundation for more comprehensive protective measures. To validate our approach, we collect data from forty widely-used applications and evaluate the corresponding usage behavior snooping performance. The results show that HiddenSpy improves accuracy in three common snooping tasks, while its defense mechanism reduces accuracy to a low level, effectively preventing information leakage.
PaperID: 903,   
Authors:  Pei Ye, Yuqing Li, Kun He, Qiao Li, Tianjie Qin, Xiong Wang, Kaige Yang, Chujun Zhang, Jing Chen
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Laboratory/Cluster and Grid Computing Laboratory, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
Title: Breaking the Illusion: A Critical Study of Backdoor Defense in Federated Learning With Non-IID Data
Abstract:
Existing backdoor defense methods for federated learning (FL) usually try to distinguish between benign and malicious clients. The key insight is that benign clients are densely distributed, whereas malicious clients tend to be outliers outside this distribution. However, this only holds when data is independent and identically distributed (IID), and the effectiveness of these methods under non-IID data has not been systematically examined. In this paper, we present a comprehensive systematization of FL backdoor defense by breaking down its overall pipeline into three key components, i.e., metrics for evaluating clients, techniques for amplifying the difference between benign and malicious clients, and mechanisms for identifying malicious clients. We conduct an empirical study of FL backdoor defense methods under non-IID data settings to explore whether benign and malicious clients can be fully distinguished. Experimental results show that the defense performance degrades significantly when data is non-IID. Our results also reveal how evaluation metrics, amplification techniques and identification mechanisms perform under diverse settings. Contrary to the established belief, we further conclude that these defenses have inherent shortcomings, due to lack of stability and robustness in detecting malicious clients. We believe that our findings can better facilitate the development of FL backdoor defenses.
PaperID: 904,   
Authors:  Tingting Chai, Xin Wang, Ru Li, Wei Jia, Xiangqian Wu
Affiliations: Faculty of Computing, Harbin Institute of Technology, Harbin, China; School of Computer and Information, Hefei University of Technology, Hefei, China
Title: Joint Finger Valley Points-Free ROI Detection and Recurrent Layer Aggregation for Palmprint Recognition in Open Environment
Abstract:
Cooperative palmprint recognition, pivotal for civilian and commercial uses, stands as the most essential and broadly demanded branch in biometrics. These applications, often tied to financial transactions, require high accuracy in recognition. Currently, research in palmprint recognition primarily aims to enhance accuracy, with relatively few studies addressing automatic and flexible palm region of interest (ROI) extraction (PROIE) suitable for complex scenes. In particular, the intricate conditions of open environments, alongside the constraint of human finger skeletal extension limiting the visibility of Finger Valley Points (FVPs), render conventional FVPs-based PROIE methods ineffective. In response to this challenge, we propose an FVPs-Free Adaptive ROI Detection (FFARD) approach, which utilizes cross-dataset hand shape semantic transfer (CHSST) combined with a constrained palm inscribed circle search, delivering exceptional hand segmentation and precise PROIE. Furthermore, a Recurrent Layer Aggregation-based Neural Network (RLANN) is proposed to learn discriminative feature representations for high recognition accuracy in both open-set and closed-set modes. The Angular Center Proximity Loss (ACPLoss) is designed to enhance intra-class compactness and inter-class discrepancy between learned palmprint features. Overall, the combined FFARD and RLANN methods are proposed to address the challenges of palmprint recognition in open environments, collectively referred to as RDRLA. Experimental results on four palmprint benchmarks, HIT-NIST-V1, IITD, MPD and BJTU_PalmV2, show the superiority of the proposed method RDRLA over the state-of-the-art (SOTA) competitors. The code of the proposed method is available at https://github.com/godfatherwang2/RDRLA.
PaperID: 905,   
Authors:  Tinghan Wang, Chenhao Ying, Jia Wang, Yuan Luo
Affiliations: Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Information-Theoretic Security Problem in Cluster Distributed Storage Systems: Regenerating Code Against Two General Types of Eavesdroppers
Abstract:
In recent years, there has been growing interest in heterogeneous distributed storage systems (DSSs), such as clustered DSSs, which are widely used in practice. However, research regarding information-theoretic security in heterogeneous DSSs remains limited. Furthermore, unlike traditional DSSs, heterogeneous DSSs face eavesdroppers with diverse operating patterns, complicating the secrecy models. In this paper, we aim to investigate the secrecy capacity and code constructions for clustered DSSs (CDSSs), a type of heterogeneous DSS in which the system is divided into clusters with an equal number of nodes and different repair bandwidths for intra-cluster and cross-cluster repair, against two types of eavesdroppers: the occupying-type eavesdropper and the osmotic-type eavesdropper. We construct two CDSS secrecy models tailored to these eavesdroppers, derive upper bounds on the adjustable secrecy capacities, and explore the relationships between the upper bounds of the perfect secrecy capacities and the number of compromised nodes. Notably, the upper bounds obtained in this paper generalize those of the traditional DSS model. Additionally, we propose three repair-by-transfer code constructions that achieve the secrecy capacity under both eavesdropper scenarios. These codes are based on nested MDS codes and represent a generalized form of the minimum bandwidth regenerating (MBR) codes in traditional DSSs.
PaperID: 906,   
Authors:  Xiao Cai, Yanbin Sun, Xiangpeng Xie, Nan Wei, Kaibo Shi, Huaicheng Yan, Zhihong Tian
Affiliations: Cyberspace Institute of Advanced Technology, Guangdong Key Laboratory of Industrial Control System Security, and Huangpu Research School, Guangzhou University, Guangzhou, China; School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China; School of Information Science and Engineering, Chengdu University, Chengdu, Sichuan, China; School of Information Science and Engineering, East China University of Science and Technology, Shanghai, China
Title: Enhancing Networked Control Systems Resilience Against DoS Attacks: A Data-Driven Approach With Adaptive Sampled-Data and Compression
Abstract:
This paper addresses the critical challenge of achieving asymptotic stability in networked control systems (NCSs) under denial-of-service (DoS) attacks, focusing on maintaining security and stability within bandwidth-constrained environments. First, we construct a practical attack model using the NSL-KDD dataset to provide a realistic representation of DoS attack dynamics, capturing key attributes such as attack duration and frequency. Then, an iterative shrinkage-thresholding algorithm (ISTA) is introduced to supervise the adaptive sampled-data controller (ADSC), dynamically optimizing the sampling period to enhance control performance while minimizing communication overhead. To further mitigate the impact of DoS attacks, we propose a novel data compression mechanism that adapts to varying network conditions, ensuring efficient bandwidth utilization and preserving critical control data fidelity. In addition, the stability of the NCSs is rigorously verified through Lyapunov-Krasovskii functions (LKFs), demonstrating robust system behavior even under adverse network conditions. Finally, the effectiveness and practicality of the proposed approach are validated through experimental studies on a 2-degree-of-freedom (2-DoF) helicopter system, confirming its capability to ensure stability, optimize communication efficiency, and mitigate the effects of DoS attacks in real-world scenarios.
PaperID: 907,   
Authors:  Hangcheng Cao, Guowen Xu, Ziyang He, Shaoqing Shi, Shengmin Xu, Cong Wu, Jianting Ning
Affiliations: College of Computer Science and Electronic Engineering, Hunan University, Changsha, China; School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China; School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou, China; International College, Zhengzhou University, Zhengzhou, China; Key Laboratory of Analytical Mathematics and Applications (Ministry of Education) and Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; College of Computing and Data Science, Nanyang Technological University, Jurong West, Singapore; School of Cyber Science and Engineering, Wuhan University, Wuhan, China
Title: Unveiling the Superiority of Unsupervised Learning on GPU Cryptojacking Detection: Practice on Magnetic Side Channel-Based Mechanism
Abstract:
Ample profits from GPU cryptojacking attract hackers to recklessly invade victims’ devices to complete specific cryptocurrency mining tasks. Such malicious invasion undoubtedly obstructs normal device usage and wastes computation resources. To resist the threat of GPU cryptojacking, existing works aim to detect and remove it in a timely manner by distinguishing the dissimilarity between it and legitimate applications. However, these detection mechanisms inappropriately rely on two conflicting cornerstones: they leverage mutable samples of illegitimate cryptojacking to design supervision-based detection models that require samples with stable patterns. This limitation compromises the practicability of existing detection mechanisms in the face of mutable cryptojacking samples. To fill the gap, we explore the superiority of unsupervised learning in handling this issue and further propose an unsupervised-learning-enabled detection mechanism named MagInspector, which uses only legitimate applications’ magnetic signatures from GPU side channels for model construction. MagInspector innovates in training an unsupervised autoencoder network in an adversarial mode that learns the stable signature patterns of legitimate applications well, while remaining incompatible with mutable cryptojacking ones. In the process of model training, we elaborately extract mutual energy cumulation distribution features to represent legitimate applications and overcome the impact of their inter-type differences. Meanwhile, a locality-sensitive-hashing-driven outlier removal algorithm is designed to enhance MagInspector’s robustness to noisy samples. Finally, extensive experiments are conducted on GPUs covering four generations of common NVIDIA architectures and two generations of AMD architectures; the results show that applying MagInspector to mutable cryptojacking signature detection achieves significant average accuracy improvements of 25.5% and 17.8%, respectively.
PaperID: 908,   
Authors:  Tingting Wang, Zan Li, Jiangbo Si, Zihao Cheng, Yang Gao, Naofal Al-Dhahir
Affiliations: Integrated Service Networks Laboratory, Xidian University, Xi’an, China; Information and Navigation College, Air Force Engineering University, Xi’an, China; Department of Electrical and Computer Engineering, The University of Texas at Dallas, Richardson, TX, USA
Title: Use a Little Force to Move a Great Mass: A Jamming Leverage Strategy for Covert Communications
Abstract:
We propose a joint covert beamforming design and jamming strategy to protect the communication process between Alice and Bob from being discovered by Willie, with the help of another pair of neutral nodes. Specifically, with the help of irrelevant communication parties that commonly exist in practical communication scenarios, Jammer increases his transmission power by interfering with the neutral receiver, thus indirectly increasing the interference to Willie, which can be viewed as using a little force to make a big impact. In our designed beamformer, we jointly optimize the beam power allocation factor, Alice’s transmission power, and Jammer’s transmission power when Alice transmits, to maximize the covert rate, which also maximizes Alice’s transmission power. In the perfect channel state information (CSI) scenario, the transformed optimization problem is solved via a one-dimensional search method and the CVX solver. Due to the solution’s high complexity, we further propose a method to determine the optimal power allocation factor. For the scenario with imperfect CSI of Willie, three cases are investigated: imperfect Alice-to-Willie CSI, imperfect Transmitter-to-Willie CSI, and imperfect Jammer-to-Willie CSI. We utilize the S-procedure to tackle the optimization problem. Simulation results demonstrate the effectiveness of our proposed strategy.
PaperID: 909,   
Authors:  Mingfu Xue, Kewei Chen, Leo Yu Zhang, Yushu Zhang, Weiqiang Liu
Affiliations: School of Communication and Electronic Engineering, East China Normal University, Shanghai, China; College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China; School of Information and Communication Technology, Griffith University, Southport, Australia; College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing, China
Title: An Active Authorization Control Method for Deep Reinforcement Learning Model Based on GANs and Adaptive Trigger
Abstract:
In recent years, deep reinforcement learning (DRL) has found widespread applications across diverse scenarios. Since the DRL training process requires substantial time and financial costs, well-trained DRL policies should be considered as intellectual property (IP) which deserves proper protection. However, to date, there are only a few studies on IP protection for DRL, and the existing methods are limited to passive copyright verification. In this paper, we propose the first active authorization control method for DRL, which can proactively protect a deep reinforcement learning policy. The DRL policy trained with this method can be used by authorized users normally, but cannot be used by unauthorized users (i.e., the protected policy’s performance for unauthorized users is paralyzed). Specifically, we train a trigger injection network and a discriminator network based on generative adversarial networks (GANs). During the DRL policy training phase, we use the trigger injection network to insert sample-specific triggers into all observations and use the triggered observations to train the protected policy. Our approach is applicable across various deep reinforcement learning algorithms. We conduct effectiveness experiments on different DRL policies trained using different DRL algorithms, and the experimental results reveal that the performance of authorized users is on par with the performance of a clean DRL policy trained normally (baseline), whereas the performance of unauthorized users significantly deviates from that of the baseline. Specifically, the authorized performance of the protected Breakout-DQN, Breakout-A2C, MsPacman-DQN and MsPacman-A2C policies is 416.4 (baseline 397.8), 403.0 (baseline 415.0), 2552.0 (baseline 2472.0), and 1964.0 (baseline 1828.0). Comparatively, the unauthorized performance of the protected Breakout-DQN, Breakout-A2C, MsPacman-DQN and MsPacman-A2C policies is only 4.4 (baseline 397.8), 2.0 (baseline 415.0), 74.0 (baseline 2472.0), and 514.0 (baseline 1828.0). Furthermore, the experiments demonstrate that the proposed method exhibits robustness against pruning, fine-tuning, and adaptive attacks.
PaperID: 910,   
Authors:  Liqing Chen, Shiyu Chen, Hao Zhang, Jian Weng
Affiliations: Faculty of Computer and Software Engineering, Huaiyin Institute of Technology, Huai’an, Jiangsu, China; College of Information Science and Technology, Jinan University, Guangzhou, Guangdong, China
Title: Fair and Verifiable Identity-Based Broadcast Proxy Re-Encryption With Designated Sender Feasible for Medical Internet of Things
Abstract:
With the development of big data, cloud computing is widely used by individual and enterprise users due to its powerful computing and storage capabilities. How to flexibly share the encrypted data stored in cloud servers with a group of users and provide effective access control over those users is a hot topic in current research. To this end, this paper proposes fair and verifiable identity-based broadcast proxy re-encryption with designated sender (FV-IBBPRE-DS) for the Medical Internet of Things (MIoT), gives the system model, formal definition, and security model of FV-IBBPRE-DS, and constructs a concrete FV-IBBPRE-DS scheme. The data owner in the FV-IBBPRE-DS scheme is able to designate a sender, which grants the decryption privilege for the encrypted data to a set of receivers. The scheme ensures that the participating entities perform the data sharing process fairly and are able to verify the consistency of the ciphertexts. The FV-IBBPRE-DS scheme achieves security against chosen ciphertext attacks. The performance analysis demonstrates that the scheme in this paper has significant advantages in the re-encrypted ciphertext generation and decryption phases, and can be applied to resource-constrained MIoT devices.
PaperID: 911,   
Authors:  Kaushik Mazumdar, Suresh Sundaram
Affiliations: Department of Electronics and Electrical Engineering, IIT Guwahati, Guwahati, India
Title: A Mouse Dynamics Authentication System With a Recurrence Plot Image Representation and a Vision Transformer Framework
Abstract:
In this paper, we propose a system that verifies the authenticity of users based on the manner in which they operate a computer mouse. To begin with, we introduce a recurrence plot representation for encoding the information available in the mouse dynamics. Two image representation variants are suggested, namely the symmetric and asymmetric recurrence plots. Another noteworthy contribution is a modified vision transformer architecture for this task that incorporates key adjustments such as the removal of the class token and positional embeddings. Instead, we facilitate local pattern classification by using a feature aggregation strategy for decision making. Additionally, we incorporate an efficient attention mechanism within the transformer encoder that reduces both computational and memory complexity by simplifying the attention process. To further boost model performance, we integrate the Gradient Harmonizing Mechanism with the binary cross-entropy loss, which dynamically adjusts the loss function based on gradient magnitudes. The proposed system is evaluated on three publicly available datasets, and the results obtained are on par with state-of-the-art methods. To the best of our knowledge, the present proposal is the first of its kind to introduce the utility of recurrence plots in a modified transformer framework.
PaperID: 912,   
Authors:  Beining Wang, Yinuo Li, Jing Chen, Kun He, Meng Jia, Ruiying Du
Affiliations: Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China; Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Hong Kong
Title: Forward and Backward Private Conjunctive Dynamic Searchable Symmetric Encryption With Refined Leakage Function and Low Communication
Abstract:
Dynamic searchable symmetric encryption (DSSE) enables updates and keyword searches on outsourced encrypted data while minimizing the information revealed to the server. However, existing DSSE schemes that support conjunctive keyword searches disclose added documents or fail to filter deleted ones in certain circumstances, thus violating forward and backward privacy. Besides, the size of their search tokens increases with the number of documents, which incurs a heavy communication cost. In this paper, we develop a conjunctive DSSE scheme that has a search token size only related to the conjunction size and fully supports forward and backward privacy. Our scheme is based on a new three-dimensional chain structure called CUBE. We also rethink the leakage function of conjunctive queries and prove that our scheme satisfies the refined security definition. Experimental results demonstrate that compared with the state-of-the-art schemes, our scheme increases the computational cost by at most 9.62% but reduces the communication cost by 99.78% when searching six conjunctive keywords.
PaperID: 913,   
Authors:  Xiaochun Yun, Guangjun Wu, Shuhao Li, Qige Song, Zixian Tang, Zhenyu Cheng
Affiliations: Zhongguancun Laboratory, Beijing, China
Title: Digital Scapegoat: An Incentive Deception Model for Resisting Unknown APT Stealing Attacks on Critical Data Resource
Abstract:
It is a challenging problem to resist unknown advanced persistent threats (APTs) that steal data resources in an information system of critical infrastructures, because APT attackers have very specific objectives and compromise the system stealthily and slowly. We observe that it is a necessary condition for APT attackers to achieve their campaigns via controlling unknown Trojans to access and exfiltrate critical files. We present a theoretical model called Digital Scapegoat (abbreviated as DS-IDep) that constructs an Incentive Deception defense schema to hijack the attacker’s access to critical files and redirect it to avatar files without the attacker’s awareness. We propose a FlipIDep Game model ($G_F$) and a Markov Game model ($G_M$) to completely characterize the payoffs, equilibria, and best strategies from the perspective of the attacker and the defender, respectively. We also design an exponential risk propagation model to evaluate the ability of DS-IDep to eliminate the stealing impact when the risk is propagated between states. Theoretically, we can achieve the objective of stealing impact elimination ($L_K < 0.001$) when the ratio of incentive deception exceeds 0.7 ($\eta > 0.7$) and the probability of an attack operation bypassing the defense surface is less than 0.1 ($r^{\times}\mu < 0.1$) under Stackelberg strategies. We develop a kernel-level incentive deception defense surface according to the theoretical parameters of DS-IDep. The experimental results show that DS-IDep can resist APT stealing attacks from unknown Trojans. We also evaluate DS-IDep on five well-known software applications. This demonstrates that DS-IDep can address unknown attacks from compromised software with less than 10% performance overhead.
PaperID: 914,   
Authors:  Jinglei Tan, Tianshuai Zheng, Hui Jin, Yuan Liu, Hengwei Zhang, Zhihong Tian
Affiliations: Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, China; School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China; Information Engineering University, Zhengzhou, China
Title: A Strategy-Making Method for PIoT PLC Honeypoint Defense Against Attacks Based on the Time-Delay Evolutionary Game
Abstract:
In the context of electric power grid cybersecurity, latency can significantly impact the stable operation, real-time data transmission, and security of the grid. Optimizing security strategies can effectively mitigate the impact of latency on the cybersecurity of the power grid. Particularly in the context of power grids, facing sophisticated and advanced APT (Advanced Persistent Threat) attacks, formulating scientific and rational security strategies is crucial for reducing the time delays incurred during the execution of these strategies. In this paper, we propose a security strategy decision-making method for the deployment of PLC Honeypoints in the Power Internet of Things (PIoT), based on the time-delayed evolution game to select the optimal defense strategy. Firstly, we establish a time-delayed evolutionary game model for the attack and defense of PLC Honeypoints, derive the time-delay differential equations for attack and defense strategies, and obtain the rules for updating the attack and defense strategies. Secondly, we implement a decision-making algorithm for PLC Honeypoint security defense strategies to solve for the optimal PLC Honeypoint defense strategy. Finally, the simulation results show that our model had considerable advantages over traditional replication dynamics. Although it affected the convergence rate of the strategy to reach the steady state, the time delay could ensure the stability of the optimal strategy result. In addition, as the impact of PLC Honeypoint defense on attack latency increased, the time delay in attack strategy-making increased, which can make timely adjustments and reduce losses to the defense in a timely manner. We use the percentage of load loss of the target power grid to construct attack-defense payoff. The attack-defense test in IEEE 22-Bus data set shows that the proposed scheme can effectively select the optimal PLC honeypoint strategy in 35th time.
PaperID: 915,   
Authors:  Zhichao You, Xuewen Dong, Shujun Li, Ximeng Liu, Siqi Ma, Yulong Shen
Affiliations: School of Computer Science and Technology, Xidian University, Xi'an, China; School of System and Computing, The University of New South Wales, Canberra, ACT, Australia; College of Computer and Data Science, Fuzhou University, Fuzhou, China
Title: Local Differential Privacy Is Not Enough: A Sample Reconstruction Attack Against Federated Learning With Local Differential Privacy
Abstract:
Reconstruction attacks against federated learning (FL) aim to reconstruct users’ samples through users’ uploaded gradients. Local differential privacy (LDP) is regarded as an effective defense against various attacks, including sample reconstruction in FL, where gradients are clipped and perturbed. Existing attacks are ineffective in FL with LDP since clipped and perturbed gradients obliterate most sample information for reconstruction. Besides, existing attacks embed additional sample information into gradients to improve the attack effect and cause gradient expansion, leading to a more severe gradient clipping in FL with LDP. In this paper, we propose a sample reconstruction attack against LDP-based FL with any target models to reconstruct victims’ sensitive samples to illustrate that FL with LDP is not flawless. Considering gradient expansion in reconstruction attacks and noise in LDP, the core of the proposed attack is gradient compression and reconstructed sample denoising. For gradient compression, an inference structure based on sample characteristics is presented to reduce redundant gradients against LDP. For reconstructed sample denoising, we artificially introduce zero gradients to observe noise distribution and scale confidence interval to filter the noise. Theoretical proof guarantees the effectiveness of the proposed attack. Evaluations show that the proposed attack is the only attack that reconstructs victims’ training samples in LDP-based FL and has little impact on the target model’s accuracy. We conclude that LDP-based FL needs further improvements to defend against sample reconstruction attacks effectively.
PaperID: 916,   
Authors:  Qiaofeng Zhang, Meng Li, Yong Chen, Meng Zhang
Affiliations: School of Automation Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan, China; School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an, China
Title: Non-Fragile Robust Security Control Based on Dynamic Threshold Cryptographic Detector for Remote Motor Under Stealthy FDI Attacks
Abstract:
This paper investigates a non-fragile robust security control strategy for remote motors, based on a dynamic threshold cryptographic detector. This strategy aims to protect system performance against stealthy false data injection (FDI) attacks and to effectively minimize the impact of controller jitter. First, a stealthy FDI attack is designed to bypass the conventional $\chi^2$ detector and degrade system performance. The stealthiness and destructiveness of the attack are demonstrated. Next, to counter the stealthy FDI attack, a dynamic threshold cryptographic detector is proposed. This detector addresses the stealthiness of the attack and enhances robustness by incorporating a time-varying nonlinear function and a dynamic threshold detection strategy. Furthermore, a non-fragile robust security control strategy is introduced to prevent these attacks and mitigate the problem of controller perturbations. The stability of this strategy is proven using Lyapunov theory. Finally, the effectiveness of the proposed security control strategy is validated through numerical and semi-physical simulations.
PaperID: 917,   
Authors:  Gokularam Muthukrishnan, Sheetal Kalyani
Affiliations: Department of Electrical Engineering, Indian Institute of Technology Madras, Chennai, India
Title: Differential Privacy With Higher Utility by Exploiting Coordinate-Wise Disparity: Laplace Mechanism Can Beat Gaussian in High Dimensions
Abstract:
Conventionally, in a differentially private additive noise mechanism, independent and identically distributed (i.i.d.) noise samples are added to each coordinate of the response. In this work, we formally present the addition of noise that is independent but not identically distributed (i.n.i.d.) across the coordinates to achieve tighter privacy-accuracy trade-off by exploiting coordinate-wise disparity in privacy leakage. In particular, we study the i.n.i.d. Gaussian and Laplace mechanisms and obtain the conditions under which these mechanisms guarantee privacy. The optimal choice of parameters that ensures these conditions is derived considering (weighted) mean squared and $\ell_p^p$-errors as measures of accuracy. Theoretical analyses and numerical simulations demonstrate that the i.n.i.d. mechanisms achieve higher utility for the given privacy requirements compared to their i.i.d. counterparts. One of the interesting observations is that the Laplace mechanism outperforms Gaussian even in high dimensions, as opposed to the popular belief, if the irregularity in coordinate-wise sensitivities is exploited. We also demonstrate how the i.n.i.d. noise can improve the performance in private (a) coordinate descent, (b) principal component analysis, and (c) deep learning with group clipping.
PaperID: 918,   
Authors:  Asif Shahriar, Syed Jarullah Hisham, K. M. Asifur Rahman, Ruhan Islam, Md. Shohrab Hossain, Ren-Hung Hwang, Ying-Dar Lin
Affiliations: Department of CSE, Bangladesh University of Engineering and Technology, Dhaka, Bangladesh; College of AI, National Yang Ming Chiao Tung University, Tainan, Taiwan; Department of Computer Science, National Yang Ming Chiao Tung University, Tainan, Taiwan
Title: 5GPT: 5G Vulnerability Detection by Combining Zero-Shot Capabilities of GPT-4 With Domain Aware Strategies Through Prompt Engineering
Abstract:
Identifying vulnerabilities in complex 5G network protocols is a challenging task. Manual analysis is time-consuming and often inadequate. Modern ML and NLP methods, though effective, are resource-intensive and struggle to find implicit vulnerabilities. In this research, we utilize GPT-4’s advanced language understanding to detect vulnerabilities directly from 5G specifications. To assess GPT-4’s fundamental capabilities in this domain, we first adopt a zero-shot approach that relies solely on the specification text without external guidance. For detecting more sophisticated vulnerabilities that require deep contextual understanding, we introduce a novel domain-aware strategy, where we explicitly teach GPT-4 about security properties and hazard indicators from related works using few-shot learning. We further employ chain-of-thought prompting to guide the model through structured reasoning steps to identify violations or exploitations that may lead to vulnerabilities. A two-tier filtering process ensures that only promising test-cases are retained. Our method has identified 47 potential vulnerabilities in 5G mobility management procedures, including 27 previously unreported issues, and generated corresponding test-cases. Simulating 14 of them, we have found 9 vulnerabilities, five of which are new. The zero-shot approach is effective in detecting procedural and validation flaws, while the domain-aware method excels in finding protocol violations and advanced attack scenarios. These findings validate our methodology and demonstrate its strength in discovering both known and novel vulnerabilities in 5G protocols.
PaperID: 919,   
Authors:  Edoardo Gabrielli, Dimitri Belli, Zoe Matrullo, Vittorio Miori, Gabriele Tolomei
Affiliations: Department of Computer, Control and Management Engineering, Sapienza University of Rome, Rome, Italy; National Research Council, Pisa, Italy; Department of Statistics, Ludwig Maximilian University of Munich, Munich, Germany; Department of Computer Science, Sapienza University of Rome, Rome, Italy
Title: Securing Federated Learning Against Extreme Model Poisoning Attacks via Multidimensional Time Series Anomaly Detection on Local Updates
Abstract:
Current defense mechanisms against model poisoning attacks in federated learning (FL) systems have proven effective up to a certain threshold of malicious clients (e.g., 25% to 50%). In this work, we introduce FLANDERS, a novel pre-aggregation filter for FL that is resilient to large-scale model poisoning attacks, i.e., when malicious clients far exceed legitimate participants. FLANDERS treats the sequence of local models sent by clients in each FL round as a matrix-valued time series. Then, it identifies malicious client updates as outliers in this time series by comparing actual observations with estimates generated by a matrix autoregressive forecasting model maintained by the server. Experiments conducted in several non-iid FL setups show that FLANDERS significantly improves robustness across a wide spectrum of attacks when paired with standard and robust aggregation methods.
PaperID: 920,   
Authors:  Zhiyang Lu, Chenglu Wen, Ming Cheng, Cheng Wang
Affiliations: Fujian Key Laboratory of Sensing and Computing for Smart Cities, School of Informatics, Xiamen University, Xiamen, Fujian, China
Title: MOJO: MOtion Pattern Learning and JOint-Based Fine-Grained Mining for Person Re-Identification Based on 4D LiDAR Point Clouds
Abstract:
Person Re-identification (ReID) primarily involves the extraction of discriminative representations derived from morphological characteristics, gait patterns, and related attributes. While camera-based Person ReID methods yield notable results, their reliability diminishes in scenarios involving long distances and limited illumination. LiDAR enables the precise acquisition of human point cloud sequences across extended distances, unaffected by variations in lighting or similar factors. Nevertheless, current LiDAR-based Person ReID techniques are limited to static measurements, rendering them susceptible to perturbations from attire variations, occlusions, and similar confounding factors. To address these issues, this manuscript introduces MOJO, which is applied to 4D LiDAR point clouds to extract unique motion patterns specific to individuals. To characterize the motion patterns across two consecutive point cloud frames, MOJO employs optimal transport to compute point-wise motion vectors, thereby enabling the identification of discriminative implicit motion information. To mitigate the attenuation of point cloud density induced by self-occlusion during dynamic motion, MOJO leverages inverse point-wise flow information to integrate forward frames, thereby yielding a comprehensive representation, whilst concurrently ameliorating the effects of heterogeneous density distribution within localized regions of the 4D point cloud data. Additionally, the inherent unordered nature and sparsity of 4D point clouds present significant obstacles to capturing discriminative features. We develop the 3D joint graph to extract scalable fine-grained traits and employ the joint pyramid pooling module to conduct hierarchical spatiotemporal aggregation across the 4D point clouds. 
Extensive experimental evaluations demonstrate that MOJO achieves state-of-the-art (SOTA) accuracy on the LReID dataset (for LiDAR-based Person Re-identification) and SUSTech1k dataset (for LiDAR-based Gait Recognition) without any pre-training while exhibiting robust performance across various point cloud densities. Our code will be available at https://github.com/O-VIGIA/MOJO
PaperID: 921,   
Authors:  Haitao Zhao, Dan Li, Jinlong Sun, Xin Li, Haifeng Tang, Gongrui Huang
Affiliations: College of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China; College of Portland Institute, Nanjing University of Posts and Telecommunications, Nanjing, China; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Title: DTF-VPP: A Dynamic Intrusion Detection Method Combining Transformer and Feature Filtering for Virtual Power Plant Network Security
Abstract:
The security of virtual power plant (VPP) communication networks is paramount, particularly owing to the growing reliance on distributed energy resources (DERs) using cloud-edge architectures. VPPs are increasingly vulnerable to cyber intrusion owing to the large number of access devices involved. Existing intrusion detection methods often face challenges in addressing the complexity of VPP networks, and lack adaptability to diverse attack patterns. To address the dynamic nature of VPPs, this study proposes a novel intrusion detection approach called dynamic detection combining transformer with feature filtering (DTF-VPP), which integrates principal component analysis (PCA) with a transformer-based model to improve the detection efficiency and accuracy. The key contributions of this study include a feature selection process that uses PCA to reduce the model complexity, and a dynamic loss-weighting mechanism that adapts to high-frequency attacks. The experimental results on the NSL-KDD dataset demonstrate that DTF-VPP outperforms conventional models in terms of the accuracy and F1-score. Therefore, this approach offers a scalable and adaptive solution for enhancing the security of VPPs against cyber threats.
PaperID: 922,   
Authors:  Yu Jiang, Xindi Tong, Ziyao Liu, Xiaoxi Zhang, Kwok-Yan Lam, Chee-Wei Tan
Affiliations: College of Computing and Data Science (CCDS), Nanyang Technological University, Singapore; College of Computing and Data Science (CCDS), Nanyang Technological University, Jurong West, Singapore; Digital Trust Centre (DTC), Singapore; School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China
Title: Certifying the Right to Be Forgotten: Primal-Dual Optimization for Sample and Label Unlearning in Vertical Federated Learning
Abstract:
Federated unlearning has become an attractive approach to address privacy concerns in collaborative machine learning, for situations when sensitive data is remembered by AI models during the machine learning process. It enables the removal of specific data influences from trained models, aligning with the growing emphasis on the “right to be forgotten.” While extensively studied in horizontal federated learning, unlearning in vertical federated learning (VFL) remains challenging due to the distributed feature architecture. VFL unlearning includes sample unlearning that removes specific data points’ influence and label unlearning that removes entire classes. Since different parties hold complementary features of the same samples, unlearning tasks require cross-party coordination, creating computational overhead and complexities from feature interdependencies. To address such challenges, we propose FedORA (Federated Optimization for data Removal via primal-dual Algorithm), designed for sample and label unlearning in VFL. FedORA formulates the removal of certain samples or labels as a constrained optimization problem solved using a primal-dual framework. Our approach introduces a new unlearning loss function that promotes classification uncertainty rather than misclassification. An adaptive step size enhances stability, while an asymmetric batch design, considering the prior influence of the remaining data on the model, handles unlearning and retained data differently to efficiently reduce computational costs. We provide theoretical analysis proving that the model difference between FedORA and Train-from-scratch is bounded, establishing guarantees for unlearning effectiveness. Experiments on tabular and image datasets demonstrate that FedORA achieves unlearning effectiveness and utility preservation comparable to Train-from-scratch with reduced computation and communication overhead.
PaperID: 923,   
Authors:  Jie Zhang, Futai Zhang, Xinyi Huang
Affiliations: School of Advanced Technology, Xi’an Jiaotong-Liverpool University, Suzhou, China; Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Computer and Cyber Security, Fujian Normal University, Fuzhou, China; College of Cyber Security, Jinan University, Guangzhou, China
Title: Theory and Applications of Sequentially Threshold Public-Key Cryptography: Practical Private Key Safeguarding and Secure Use for Individual Users
Abstract:
Motivated by the needs of power distribution as well as private key protection, the theory and implementation techniques of threshold public-key cryptography (PKC) have been developed over a long period. However, research in this field mainly focuses on the needs and constraints in distributed environments which consist of nodes with computing capabilities and connected via peer-to-peer and broadcasting communication channels. The resulting schemes are theoretically helpful for private key security but inconvenient for individual users as their implementation requires distributed computing and networking systems with broadcasting channels. To address the private key security issue of PKC schemes for individual users, this paper proposes the concept and general construction of sequentially threshold PKC under a communication model consisting of a computing device and several offline storages where broadcasting channels are not required. To illustrate the new paradigm, we design and realize a sequentially threshold Schnorr signature scheme STSS. The security proofs for STSS indicate its effectiveness in achieving unforgeability under traditional attacks as well as security incidents caused by human faults and system failures. The experiments on FIPS recommended curves P-256, P-384, and P-521 show that STSS is comparable with the original Schnorr scheme in terms of time consumed for generating a signature. The construction of a sequentially threshold ElGamal decryption scheme is also presented. Finally, we illustrate the application of STSS in the Blockchain ecosystem.
PaperID: 924,   
Authors:  Yuxuan Wang, Jintong Yu, Shipei Qu, Xiaolin Zhang, Xiaowei Li, Chi Zhang, Dawu Gu
Affiliations: School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China
Title: Mind the Faulty Keccak: A Practical Fault Injection Attack Scheme Applied to All Phases of ML-KEM and ML-DSA
Abstract:
ML-KEM and ML-DSA are NIST-standardized lattice-based post-quantum cryptographic algorithms. In both algorithms, Keccak is the designated hash algorithm extensively used for deriving sensitive information, making it a valuable target for attackers. In the field of fault injection attacks, few works targeted Keccak, and they have not fully explored its impact on the security of ML-KEM and ML-DSA. Consequently, many attacks remain undiscovered. In this article, we first identify various fault vulnerabilities of Keccak that determine the (partial) output by manipulating the control flow under a practical loop-abort model. Then, we systematically analyze the impact of a faulty Keccak output and propose six attacks against ML-KEM and five attacks against ML-DSA, including key recovery, signature forgery, and verification bypass. These attacks cover the key generation, encapsulation, decapsulation, signing, and verification phases, making our scheme the first to apply to all phases of ML-KEM and ML-DSA. The proposed attacks are validated on the C implementations of the PQClean library’s ML-KEM and ML-DSA running on embedded devices. Experiments show that the required loop-abort faults can be realized on ARM Cortex-M0+, M3, M4, and M33 microprocessors with low-cost electromagnetic fault injection settings, achieving a success rate of 89.5%. Once the fault injection is successful, all proposed attacks can succeed with a probability of 100%.
PaperID: 925,   
Authors:  Zhongyi Wen, Zhikai Zhai, Jiahui Xiang, Qiang Li, Wei Zhang, Huaizong Shao
Affiliations: School of Information and Communication Engineering, University of Electronic Science and Technology of China, Chengdu, China
Title: GCODWFA: Gradient Collaborative Optimization With Dynamic Weighted Feature Alignment for Unsupervised Domain Adaptation in Radio Frequency Fingerprinting Identification
Abstract:
Radio Frequency Fingerprinting Identification (RFFI) has become a critical technology in the physical-layer security (PLS) field, with deep learning emerging as the dominant approach over the past decade. However, most deep learning-based models rely on the assumption that training and testing data follow an independent and identical distribution (i.i.d.), which often does not hold in real-world scenarios. This mismatch significantly degrades model performance in cross-domain settings, making cross-domain RFFI a challenging task. Traditional unsupervised domain adaptation (UDA) methods attempt to address this issue by jointly optimizing task loss and domain loss which is able to reduce the distribution gap between training and testing data. However, we observe that during training, the gradients of these two losses often conflict, hindering effective optimization and limiting cross-domain performance improvements. To address these challenges, we propose a novel framework, Gradient Collaborative Optimization with Dynamic Weighted Feature Alignment (GCODWFA). Specifically, GCODWFA introduces a novel Gradient Collaborative Optimization (GCO) loss, which explicitly adjusts the gradient interaction between task and domain losses by optimizing their angular relationship. Additionally, it incorporates a Dynamic Weighted Feature Alignment (DWFA) strategy, which dynamically adjusts the layer-specific weights for feature alignment based on the angular similarity of task and domain gradients. Extensive experiments conducted on multiple datasets demonstrate the superiority of GCODWFA over existing methods.
PaperID: 926,   
Authors:  Shangxi Wu, Jinlin Xiao, Jitao Sang
Affiliations: Huawei Noah’s Ark Lab, Beijing Jiaotong University, Beijing, China; School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
Title: A Disguised Wolf Is More Harmful Than a Toothless Tiger: Adaptive and Malicious Code Injection Backdoor Attack Leveraging User Behavior as Triggers
Abstract:
In recent years, large language models (LLMs) have made significant progress in code generation. However, as these models are increasingly adopted for software development, their associated security risks have become more pronounced. Studies have shown that traditional deep learning robustness issues also adversely affect the reliability of code generation. In this paper, we use game theory to systematically examine security vulnerabilities in code generation and illustrate how attackers can propagate malicious models to create genuine threats. We also demonstrate, for the first time, that attackers can leverage user behavior as a trigger for backdoor attacks—dynamically controlling when malicious code is injected—and calibrate these attacks to a user’s skill level, leading to varying degrees of impact. Through extensive experiments on leading code generation models, we verify that these security threats are both feasible and dangerous. Our research code will be available at https://github.com/KirinNg/Adaptive_Malicious_Code_Injection_Backdoor_Attack