(The talk will be given in English)

Speaker:     Prof. Adi Shamir

                                Computer Science and Applied Mathematics,Weizmann Institute of Science

Monday, December 9^th, 2024

12:00 - 13:00

Polynomial Time Cryptanalytic Extraction of Neural Network Models

Abstract

Abstract. Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best previous attack on ReLU-based deep neural networks was presented at Crypto’20 by Carlini, Jagielski, and Mironov. It resembled a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and required a polynomial number of queries but an exponential amount of time (as a function of the number of neurons).

In this talk, I will improve this attack by developing several new techniques that make it possible to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries AND a polynomial amount of time. We demonstrated its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over 2^256 possibilities, whereas our attack requires only 30 minutes on a 256-core computer. In the last part of the talk I will show a recent extension of the attack which can extract in polynomial time all the parameters of the network even when the attacker receives only the label (e.g., a “cat” or a “dog”) of any given input, rather than the numeric values of its logits.

השתתפות בסמינר תיתן קרדיט שמיעה = עפ"י רישום שם מלא + מספר ת.ז. בטופס הנוכחות שיועבר באולם במהלך הסמינר

Join us with Zoom

Involving humans in AI-supported fake news detection

“Fake News” refers to false or misleading information presented as news, often spread online or through social media. It is typically created to manipulate public opinion, generate revenue through sensationalism, or promote specific agendas .An overwhelming amount of fake news is circulating online, making it increasingly difficult to distinguish truth from falsehood. This vast spread creates confusion, as fake news often mimics credible sources, blurring the line between real and fabricated information. Our research analyzes a system, such as a news desk at a media site, that receives a stream of incoming news items from various sources and has to decide which items to publish and which to discard as fake. To do so, one or more people can view items and there is also an AI system that classifies the incoming items. We evaluated various configurations within this hybrid setup with a computational model. We reviewed performance metrics in order to provide recommendations on the use of such a system as a function of properties of the AI and the human, the costs and benefits of publishing or not publishing fake or true items, and the relative frequency of fake items in the incoming stream. The results show that a clear recommendation can be given in most cases, and that some configurations are superior to others in the cases we reviewed. Additionally, we were able to show that some parameters can be combined to reduce the complexity of the problem.

Bio:

Amit Miller is a M.Sc. student in the department of industrial engineering in Tel Aviv university. He works as a professional in the gaming industry, using data, analytics & AI in order to optimize business decisions. He also holds a B.Sc. degree in Civil engineering from the Technion.