Portfolio item number 1
Short description of portfolio item number 1
Short description of portfolio item number 2
Published in the NeurIPS 2022 Datasets and Benchmarks Track, 2022
Backdoor learning is an emerging and vital topic for studying the vulnerability of deep neural networks (DNNs). Many pioneering backdoor attack and defense methods have been proposed, successively or concurrently, in a rapid arms race. However, we find that the evaluations of new methods are often insufficiently thorough to verify their claims and accurately measure their performance, mainly due to the rapid development, diverse settings, and the difficulties of implementation and reproducibility. Without thorough evaluations and comparisons, it is difficult to track the current progress and design the future development roadmap of the literature. To alleviate this dilemma, we build a comprehensive benchmark of backdoor learning called BackdoorBench. It consists of an extensible modular-based codebase (currently including implementations of 8 state-of-the-art (SOTA) attacks and 9 SOTA defense algorithms) and a standardized protocol of complete backdoor learning. We also provide comprehensive evaluations of every pair of 8 attacks against 9 defenses, with 5 poisoning ratios, based on 5 models and 4 datasets, thus 8,000 pairs of evaluations in total. We present abundant analysis from different perspectives about these 8,000 evaluations, studying the effects of different factors in backdoor learning. All codes and evaluations of BackdoorBench are publicly available at https://backdoorbench.github.io.
Recommended citation: Wu, Baoyuan, et al. "BackdoorBench: A Comprehensive Benchmark of Backdoor Learning." NeurIPS 2022 Datasets and Benchmarks Track. https://openreview.net/forum?id=31_U7n18gM7
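To make the scale of the protocol concrete, the snippet below simply enumerates an evaluation grid with the counts quoted in the abstract (8 attacks, 9 defenses, 5 poisoning ratios, 5 models, 4 datasets). The identifiers, the poisoning-ratio values, and the evaluate() stub are placeholders for illustration only; they are not BackdoorBench's actual configuration keys or API.

```python
from itertools import product

# Placeholder evaluation grid matching the counts in the abstract;
# none of these names correspond to BackdoorBench's real configuration.
attacks = [f"attack_{i}" for i in range(8)]
defenses = [f"defense_{j}" for j in range(9)]
poison_ratios = [0.001, 0.005, 0.01, 0.05, 0.1]  # assumed values, for illustration
models = [f"model_{k}" for k in range(5)]
datasets = [f"dataset_{d}" for d in range(4)]

def evaluate(attack, defense, ratio, model, dataset):
    """Placeholder: train the backdoored model, apply the defense, report metrics."""
    return {"clean_accuracy": None, "attack_success_rate": None}

results = {
    combo: evaluate(*combo)
    for combo in product(attacks, defenses, poison_ratios, models, datasets)
}
print(len(results), "attack/defense/ratio/model/dataset evaluations")
```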
Published in AISTATS 2023, 2023
We study the fair regression problem under the notion of Mean Parity (MP) fairness, which requires the conditional mean of the learned function output to be constant with respect to the sensitive attributes. We address this problem by leveraging reproducing kernel Hilbert space (RKHS) to construct the functional space whose members are guaranteed to satisfy the fairness constraints. The proposed functional space suggests a closed-form solution for the fair regression problem that is naturally compatible with multiple sensitive attributes. Furthermore, by formulating the fairness-accuracy tradeoff as a relaxed fair regression problem, we derive a corresponding regression function that can be implemented efficiently and provides interpretable tradeoffs. More importantly, under some mild assumptions, the proposed method can be applied to regression problems with a covariance-based notion of fairness. Experimental results on benchmark datasets show the proposed methods achieve competitive and even superior performance compared with several state-of-the-art methods. Codes are publicly available at https://github.com/shawkui/MP_Fair_Regression.
Recommended citation: Wei, Shaokui, et al. "Mean Parity Fair Regression in RKHS." AISTATS 2023. https://proceedings.mlr.press/v206/wei23a/wei23a.pdf
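As a toy illustration of the Mean Parity constraint itself (not the paper's RKHS construction or its closed-form solution), the sketch below fits a linear regressor whose group-conditional output means are forced to coincide: mean parity for f(x) = w·x reduces to a single linear constraint on w, so least squares is solved in the subspace orthogonal to the difference of group-wise feature means. The synthetic data and variable names are assumptions for the example.

```python
import numpy as np

rng = np.random.default_rng(0)

# Synthetic data: features X, targets y, binary sensitive attribute a (illustrative setup).
n, p = 500, 5
X = rng.normal(size=(n, p))
a = rng.integers(0, 2, size=n)
y = X @ rng.normal(size=p) + 0.5 * a + 0.1 * rng.normal(size=n)

# Mean parity for a linear model f(x) = X @ w requires
#   E[f(X) | A=0] == E[f(X) | A=1]  <=>  d @ w == 0,
# where d is the difference of the group-wise feature means.
d = X[a == 0].mean(axis=0) - X[a == 1].mean(axis=0)

# Solve least squares restricted to the subspace {w : d @ w = 0}
# by projecting the features onto that subspace.
P = np.eye(p) - np.outer(d, d) / (d @ d)
v, *_ = np.linalg.lstsq(X @ P, y, rcond=None)
w_fair = P @ v

pred = X @ w_fair
print("gap between group-wise prediction means:", pred[a == 0].mean() - pred[a == 1].mean())  # ~0
```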
Published in the 2023 International Conference on Computer Vision (ICCV 2023), 2023
Backdoor defense, which aims to detect or mitigate the effect of malicious triggers introduced by attackers, is becoming increasingly critical for machine learning security and integrity. Fine-tuning based on benign data is a natural defense to erase the backdoor effect in a backdoored model. However, recent studies show that, given limited benign data, vanilla fine-tuning has poor defense performance. In this work, we provide a deep study of fine-tuning the backdoored model from the neuron perspective and find that backdoor-related neurons fail to escape the local minimum during fine-tuning. Inspired by the observation that backdoor-related neurons often have larger norms, we propose FT-SAM, a novel backdoor defense paradigm that aims to shrink the norms of backdoor-related neurons by incorporating sharpness-aware minimization into fine-tuning. We demonstrate the effectiveness of our method on several benchmark datasets and network architectures, where it achieves state-of-the-art defense performance. Overall, our work provides a promising avenue for improving the robustness of machine learning models against backdoor attacks.
Recommended citation: Zhu, Mingli, et al. "Enhancing Fine-Tuning Based Backdoor Defense with Sharpness-Aware Minimization." 2023 International Conference on Computer Vision (ICCV 2023). https://arxiv.org/pdf/2304.11823
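Below is a minimal sketch of one fine-tuning step with generic sharpness-aware minimization, showing the ascent-then-descent structure that FT-SAM builds on; it is not the paper's implementation, and the radius rho is a placeholder. In practice such a step would be run over the small clean dataset for a few epochs.

```python
import torch
import torch.nn.functional as F

def sam_finetune_step(model, optimizer, x, y, rho=0.05):
    """One fine-tuning step with generic sharpness-aware minimization (illustrative)."""
    # 1) Ascent step: perturb the weights towards higher loss within an L2 ball of radius rho.
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    with torch.no_grad():
        grad_norm = torch.norm(torch.stack(
            [p.grad.norm(2) for p in model.parameters() if p.grad is not None]))
        perturbations = []
        for p in model.parameters():
            if p.grad is None:
                perturbations.append(None)
                continue
            e = rho * p.grad / (grad_norm + 1e-12)
            p.add_(e)
            perturbations.append(e)
    optimizer.zero_grad()

    # 2) Descent step: take the gradient at the perturbed weights,
    #    then restore the original weights and apply the update.
    F.cross_entropy(model(x), y).backward()
    with torch.no_grad():
        for p, e in zip(model.parameters(), perturbations):
            if e is not None:
                p.sub_(e)  # undo the perturbation before the optimizer update
    optimizer.step()
    optimizer.zero_grad()
    return loss.item()
```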
Published in the Thirty-seventh Conference on Neural Information Processing Systems (NeurIPS 2023), 2023
Recent studies have demonstrated the susceptibility of deep neural networks to backdoor attacks. Given a backdoored model, its prediction on a poisoned sample with a trigger will be dominated by the trigger information, even though trigger information and benign information coexist. Inspired by the mechanism of an optical polarizer, which passes light waves with particular polarizations while filtering out light waves with other polarizations, we propose a novel backdoor defense method that inserts a learnable neural polarizer into the backdoored model as an intermediate layer, in order to purify the poisoned sample by filtering trigger information while maintaining benign information. The neural polarizer is instantiated as one lightweight linear transformation layer, which is learned by solving a well-designed bi-level optimization problem based on a limited clean dataset. Compared to other fine-tuning-based defense methods, which often adjust all parameters of the backdoored model, the proposed method only needs to learn one additional layer, making it more efficient and requiring less clean data. Extensive experiments demonstrate the effectiveness and efficiency of our method in removing backdoors across various neural network architectures and datasets, especially in the case of very limited clean data.
Recommended citation: Zhu, Mingli, Shaokui Wei (co-first author), et al. "Neural Polarizer: A Lightweight and Effective Backdoor Defense via Purifying Poisoned Features." Thirty-seventh Conference on Neural Information Processing Systems. NeurIPS 2023. https://arxiv.org/pdf/2306.16697
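A minimal sketch of the plumbing is given below, assuming a PyTorch classifier whose intermediate layer can be addressed by attribute name: a 1x1 convolution initialized to the identity is inserted after that layer, the original network is frozen, and only the inserted layer is trained on the small clean set. The paper's bi-level optimization for learning the polarizer is simplified here to plain clean-data training of that single layer; layer_name and channels are assumptions that depend on the architecture.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class NeuralPolarizer(nn.Module):
    """A lightweight learnable linear transformation (1x1 convolution) used as an extra layer."""
    def __init__(self, channels):
        super().__init__()
        self.transform = nn.Conv2d(channels, channels, kernel_size=1, bias=True)
        nn.init.dirac_(self.transform.weight)   # start as the identity mapping
        nn.init.zeros_(self.transform.bias)

    def forward(self, feat):
        return self.transform(feat)

def insert_polarizer(backdoored_model, layer_name, channels):
    """Wrap one intermediate layer so its output passes through the polarizer;
    layer_name/channels depend on the architecture and are assumptions here."""
    polarizer = NeuralPolarizer(channels)
    original = getattr(backdoored_model, layer_name)
    setattr(backdoored_model, layer_name, nn.Sequential(original, polarizer))
    for p in backdoored_model.parameters():
        p.requires_grad_(False)           # freeze the backdoored network
    for p in polarizer.parameters():
        p.requires_grad_(True)            # train only the polarizer
    return polarizer

def train_polarizer(model, polarizer, clean_loader, epochs=5, lr=1e-3):
    """Learn the polarizer on a limited clean dataset (simplified objective)."""
    opt = torch.optim.Adam(polarizer.parameters(), lr=lr)
    model.eval()  # keep the frozen network's BatchNorm statistics fixed
    for _ in range(epochs):
        for x, y in clean_loader:
            opt.zero_grad()
            F.cross_entropy(model(x), y).backward()
            opt.step()
```

Because the polarizer starts as an identity map, the model's behavior is unchanged before training, and any defense effect comes from the single learned layer.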
Published in the Thirty-seventh Conference on Neural Information Processing Systems (NeurIPS 2023), 2023
Backdoor attacks are serious security threats to machine learning models, where an adversary can inject poisoned samples into the training set, producing a backdoored model that predicts poisoned samples containing particular triggers as particular target classes while behaving normally on benign samples. In this paper, we explore the task of purifying a backdoored model using a small clean dataset. By establishing the connection between backdoor risk and adversarial risk, we derive a novel upper bound for backdoor risk, which mainly captures the risk on the shared adversarial examples (SAEs) between the backdoored model and the purified model. This upper bound further suggests a novel bi-level optimization problem for mitigating the backdoor using adversarial training techniques. To solve it, we propose Shared Adversarial Unlearning (SAU). Specifically, SAU first generates SAEs and then unlearns them, such that they are either correctly classified by the purified model or classified differently by the two models, so that the backdoor effect in the backdoored model is mitigated in the purified model. Experiments on various benchmark datasets and network architectures show that our proposed method achieves state-of-the-art performance for backdoor defense.
Recommended citation: Wei, Shaokui, et al. "Shared Adversarial Unlearning: Backdoor Mitigation by Unlearning Shared Adversarial Examples." Thirty-seventh Conference on Neural Information Processing Systems. NeurIPS 2023. https://arxiv.org/pdf/2307.10562.pdf
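The sketch below gives a much-simplified reading of SAU, assuming PyTorch and a frozen copy of the backdoored model: a PGD-style perturbation is sought that misleads both models while keeping their predictions close (a rough proxy for a shared adversarial example), and the purified model is then updated to classify that example correctly. The loss terms, step sizes, and budget are illustrative and differ from the paper's bi-level formulation.

```python
import torch
import torch.nn.functional as F

def shared_adv_example(backdoored, purified, x, y, eps=8 / 255, alpha=2 / 255, steps=5):
    """Search for a perturbation that fools BOTH models in a similar way (simplified SAE)."""
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(steps):
        logits_b = backdoored(x + delta)   # frozen backdoored model (its gradients are unused)
        logits_p = purified(x + delta)
        # Ascend on: high loss for both models, low disagreement between them.
        loss = (F.cross_entropy(logits_b, y)
                + F.cross_entropy(logits_p, y)
                - F.kl_div(F.log_softmax(logits_p, dim=1),
                           F.softmax(logits_b, dim=1), reduction="batchmean"))
        loss.backward()
        with torch.no_grad():
            delta += alpha * delta.grad.sign()
            delta.clamp_(-eps, eps)
        delta.grad.zero_()
    return (x + delta).detach()

def sau_step(backdoored, purified, optimizer, x, y):
    """Unlearn the shared adversarial examples: the purified model should classify them correctly."""
    x_adv = shared_adv_example(backdoored, purified, x, y)
    optimizer.zero_grad()   # clear gradients accumulated while crafting x_adv
    loss = F.cross_entropy(purified(x_adv), y) + F.cross_entropy(purified(x), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```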
Published in the Twelfth International Conference on Learning Representations (ICLR 2024), 2024
The role of data in building AI systems has recently been emphasized by the emerging concept of data-centric AI. Unfortunately, in the real world, datasets may contain dirty samples, such as poisoned samples from backdoor attacks, noisy labels from crowdsourcing, and even hybrids of them. The presence of such dirty samples makes DNNs vulnerable and unreliable. Hence, it is critical to detect dirty samples to improve the quality and reliability of a dataset. Existing detectors only focus on detecting poisoned samples or noisy labels and are often prone to weak generalization when dealing with dirty samples from other domains. In this paper, we find that a commonality of various dirty samples is visual-linguistic inconsistency between images and associated labels. To capture the semantic inconsistency between modalities, we propose the versatile data cleanser (VDC), leveraging the surpassing capabilities of multimodal large language models (MLLMs) in cross-modal alignment and reasoning. It consists of three consecutive modules: the visual question generation module, which generates insightful questions about the image; the visual question answering module, which acquires the semantics of the visual content by answering the questions with the MLLM; and the visual answer evaluation module, which evaluates the inconsistency. Extensive experiments demonstrate its superior performance and generalization to various categories and types of dirty samples.
Recommended citation: Zhu, Zihao, et al. "VDC: Versatile Data Cleanser for Detecting Dirty Samples via Visual-Linguistic Inconsistency." ICLR 2024. https://arxiv.org/pdf/2309.16211.pdf
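The pseudo-pipeline below only illustrates the three-module structure described in the abstract; ask_mllm is a hypothetical placeholder (not a real API), and the prompts and consistency rule are simplified stand-ins for the paper's question generation and answer evaluation.

```python
def ask_mllm(image, prompt: str) -> str:
    """Hypothetical placeholder for querying a multimodal large language model."""
    raise NotImplementedError("plug in a multimodal LLM of your choice here")

def generate_questions(label: str) -> list[str]:
    """Visual question generation: probe whether the image really matches `label`."""
    return [
        f"Does this image contain a {label}? Answer yes or no.",
        "What is the main object in this image?",
    ]

def is_consistent(image, label: str) -> bool:
    """Visual question answering + answer evaluation: flag visual-linguistic inconsistency."""
    answers = [ask_mllm(image, q) for q in generate_questions(label)]
    yes_no, main_object = answers
    return yes_no.strip().lower().startswith("yes") or label.lower() in main_object.lower()

def clean_dataset(samples):
    """Keep only (image, label) pairs judged consistent; the rest are flagged as dirty."""
    return [(img, lbl) for img, lbl in samples if is_consistent(img, lbl)]
```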
Published in the Thirty-eighth Conference on Neural Information Processing Systems (NeurIPS 2024), 2024
Data-poisoning backdoor attacks are serious security threats to machine learning models, where an adversary can manipulate the training dataset to inject backdoors into models. In this paper, we focus on in-training backdoor defense, aiming to train a clean model even when the dataset may be potentially poisoned. Unlike most existing methods that primarily detect and remove/unlearn suspicious samples to mitigate malicious backdoor attacks, we propose a novel defense approach called PDB (Proactive Defensive Backdoor). Specifically, PDB leverages the “home field” advantage of defenders by proactively injecting a defensive backdoor into the model during training. Taking advantage of controlling the training process, the defensive backdoor is designed to suppress the malicious backdoor effectively while remaining secret to attackers. In addition, we introduce a reversible mapping to determine the defensive target label. During inference, PDB embeds a defensive trigger in the inputs and reverses the model’s prediction, suppressing the malicious backdoor and ensuring the model’s utility on the original task. Experimental results across various datasets and models demonstrate that our approach achieves state-of-the-art defense performance against a wide range of backdoor attacks.
Recommended citation: Wei, Shaokui, et al. "Mitigating Backdoor Attack by Injecting Proactive Defensive Backdoor." Thirty-eighth Conference on Neural Information Processing Systems. NeurIPS 2024. https://arxiv.org/pdf/2405.16112
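A minimal sketch of the mechanics, assuming PyTorch image batches of shape (N, C, H, W): a defensive trigger is stamped on a fraction of training samples whose labels are remapped by a reversible function, and at inference the trigger is stamped on every input and the mapping is reversed. The trigger pattern, the particular mapping, and the poisoning fraction are illustrative assumptions, not the paper's exact design.

```python
import torch

NUM_CLASSES = 10  # example value

def defensive_trigger(x, value=1.0):
    """Stamp a small patch in a fixed corner as the defender's trigger (illustrative choice)."""
    x = x.clone()
    x[..., -3:, -3:] = value
    return x

def map_label(y, num_classes=NUM_CLASSES):
    """One possible reversible mapping for the defensive target label."""
    return (y + 1) % num_classes

def unmap_label(y, num_classes=NUM_CLASSES):
    return (y - 1) % num_classes

def add_defensive_backdoor(x, y, fraction=0.1):
    """During training, trigger and relabel a random subset so the model learns the defensive backdoor."""
    mask = torch.rand(x.size(0), device=x.device) < fraction
    x, y = x.clone(), y.clone()
    x[mask] = defensive_trigger(x[mask])
    y[mask] = map_label(y[mask])
    return x, y

@torch.no_grad()
def pdb_predict(model, x):
    """At inference, stamp the defensive trigger and reverse the mapping to recover the prediction."""
    logits = model(defensive_trigger(x))
    return unmap_label(logits.argmax(dim=1))
```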
Published in the Thirty-eighth Conference on Neural Information Processing Systems (NeurIPS 2024), 2024
The security threat of backdoor attacks is a central concern for deep neural networks (DNNs). Recently, even without poisoned data, unlearning the model with clean data and then learning a pruning mask has proven helpful for backdoor defense. Additionally, vanilla fine-tuning with such clean data can help recover the lost clean accuracy. However, the behavior of clean unlearning is still under-explored, and vanilla fine-tuning unintentionally induces back the backdoor effect. In this work, we first investigate model unlearning from the perspective of weight changes and gradient norms, and find two interesting observations in the backdoored model: 1) the weight changes between poison and clean unlearning are positively correlated, making it possible to identify the backdoor-related neurons without using poisoned data; 2) the neurons of the backdoored model are more active (i.e., show larger changes in gradient norm) than those in the clean model, suggesting the need to suppress the gradient norm during fine-tuning. We then propose an effective two-stage defense method. In the first stage, an efficient Neuron Weight Change (NWC)-based Backdoor Reinitialization is proposed based on observation 1). In the second stage, based on observation 2), we design an Activeness-Aware Fine-Tuning to replace the vanilla fine-tuning. Extensive experiments, involving eight backdoor attacks on three benchmark datasets, demonstrate the superior performance of our proposed method compared to recent state-of-the-art backdoor defense approaches.
Recommended citation: Lin, Weilin, et al. "Unveiling and Mitigating Backdoor Vulnerabilities based on Unlearning Weight Changes and Backdoor Activeness." Thirty-eighth Conference on Neural Information Processing Systems. NeurIPS 2024. https://arxiv.org/pdf/2405.20291
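A hedged sketch of the two stages, assuming PyTorch and that a clean-unlearned copy of the backdoored model is already available: stage one scores each convolutional filter by how much clean unlearning changed its weights and reinitializes the most-changed ones; stage two is a simplified stand-in for activeness-aware fine-tuning that penalizes the gradient norm. The selection ratio, penalty weight, and restriction to Conv2d layers are assumptions, not the paper's exact recipe.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

def neuron_weight_changes(backdoored: nn.Module, unlearned: nn.Module):
    """Per-filter L2 norm of the weight change induced by clean unlearning, for each conv layer."""
    unlearned_mods = dict(unlearned.named_modules())
    changes = {}
    for name, mod in backdoored.named_modules():
        if isinstance(mod, nn.Conv2d):
            diff = mod.weight.detach() - unlearned_mods[name].weight.detach()
            changes[name] = diff.flatten(1).norm(dim=1)  # one score per output filter
    return changes

def reinit_suspicious_filters(model: nn.Module, changes, ratio=0.05):
    """Reinitialize the filters with the largest unlearning-induced change (observation 1)."""
    for name, mod in model.named_modules():
        if name in changes:
            k = max(1, int(ratio * changes[name].numel()))
            idx = changes[name].topk(k).indices
            with torch.no_grad():
                new_filters = torch.empty_like(mod.weight[idx])
                nn.init.kaiming_normal_(new_filters)
                mod.weight[idx] = new_filters
    return model

def activeness_aware_finetune_step(model, optimizer, x, y, lam=0.01):
    """Fine-tune while penalizing the gradient norm (a simplified reading of observation 2)."""
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x), y)
    params = [p for p in model.parameters() if p.requires_grad]
    grads = torch.autograd.grad(loss, params, create_graph=True)
    grad_norm = torch.norm(torch.stack([g.norm(2) for g in grads]))
    (loss + lam * grad_norm).backward()
    optimizer.step()
    return loss.item()
```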
Introduce some logarithmic regret algorithms for Online Convex Optimization problems. Slides are available here.
Introduce and discuss the work “Solving Mixed Integer Programs Using Neural Networks”. Slides are available here.
Introduce the background, notions, methods and applications of fairness in Machine Learning. Slides are available here.
Introduce the background, formulations, methods and applications of generative models, including VAE and variants of GAN. Slides are available here.
Introduce cooperative/non-cooperative games, the valuation problem, and the application of energy-based models to the valuation problem. Slides are available here.
Introduce some works about the tradeoff between fairness and robustness. Slides are available here.
Introduce the background, formulation, methods and applications of Distributionally Robust Learning. Slides are available here.
Introduce the loss landscape of the machine learning model and its application to improve model robustness. Specifically, we discuss the mode connectivity, the loss landscape property of the poisoned model, and the existence of the Trojan model. Slides are available here.
Introduce how to improve robustness using Generated Data. Slides are available here.
Introduce the Sharpness-Aware Minimization (SAM) and its applications to model robustness. Slides are available here.
Introduce the Structured Pruning of Deep Convolutional Neural Networks. Slides are available here.
The tutorial on backdoor learning at ICCV. Slides are available here.
Introduce advanced works from ICCV 2023: Backdoor Learning I. Slides are available here.
Introduce my recent work on backdoor defense published at NeurIPS 2023. Slides are available here.
STA 3050 Statistical Software, CUHKSZ, 2020
This course aims at providing students with basic knowledge of programming in R. A problem-solving approach is employed. Algorithm development and implementation with emphasis on examples and applications in statistics are discussed.
DDA 4230 Reinforcement Learning, CUHKSZ, 2021
This course is a basic introduction to reinforcement learning algorithms and their applications. Topics include: multi-armed bandits; finite Markov decision processes; dynamic programming; Monte Carlo methods; temporal-difference learning; actor-critic methods; off-policy learning; and introduction to approximation methods.
STA 4030 Categorical Data Analysis, CUHKSZ, 2021
This course deals with major statistical techniques in analysing categorical data. Topics include measures of association, inference for two-way contingency tables, loglinear models, logit models and models for ordinal variables. The use of related statistical packages is demonstrated.
STA 3006 Design and Analysis of Experiments, CUHKSZ, 2022
This course is designed to study various statistical aspects of models in the analysis of variance. Topics include randomization, replication and blocking, randomized blocks, Latin squares and related designs, missing values, incomplete block designs, factorial designs, nested designs and nested-factorial designs, and 2^k factorial designs. The use of statistical packages is demonstrated.
STA 4010 Causal Inference, CUHKSZ, 2023
This course is designed to study causal inference. Topics include discussions of observational studies, propensity score analysis, and double machine learning. Additionally, the course covers topics such as causal graphs, structural causal models, and causal discovery.
DDA 4340 Computational Methods for Finance, CUHKSZ, 2024
This course provides an introduction to the field of computational finance, focusing on the application of computational methods to solve complex financial problems. Topics include: random number generation; the fundamentals of Monte Carlo (MC) simulation; variance-reduction techniques for MC simulation and related issues; numerical solutions to stochastic differential equations by means of MC simulation and their implementation.