Defense Notices

Machine learning (ML) has transformed numerous domains, demonstrating exceptional per-

performance in autonomous driving, medical diagnosis, and decision-making tasks. Nevertheless, ensuring the trustworthiness of ML models remains a persistent challenge, particularly with the emergence of new applications. The primary challenges in this context are the selection of an appropriate solution from a multitude of options, mitigating adversarial attacks, and advancing towards a unified solution that can be applied universally.

The thesis comprises three interconnected parts, all contributing to the overarching goal of improving trustworthiness in machine learning. Firstly, it introduces an automated machine learning (AutoML) framework that streamlines the training process, achieving optimum performance, and incorporating existing solutions for handling trustworthiness concerns. Secondly, it focuses on enhancing the robustness of machine learning models, particularly against adversarial attacks. A robust detector named "Argos" is introduced as a defense mechanism, leveraging the concept of two "souls" within adversarial instances to ensure robustness against unknown attacks. It incorporates the visually unchanged content representing the true label and the added invisible perturbation corresponding to the misclassified label. Thirdly, the thesis explores the realm of causal ML, which plays a fundamental role in assisting decision-makers and addressing challenges such as interpretability and fairness in traditional ML. By overcoming the difficulties posed by selective confounding in real-world scenarios, the proposed scheme utilizes dual-treatment samples and two-step procedures with counterfactual predictors to learn causal relationships from observed data. The effectiveness of the proposed scheme is supported by theoretical error bounds and empirical evidence using synthetic and real-world child placement data. By reducing the requirement for observed confounders, the applicability of causal ML is enhanced, contributing to the overall trustworthiness of machine learning systems.

Today’s smartphone platforms have millions of applications, which not only access users’ private data but also information from the connected external services and IoT/CPS devices. Mobile application security involves protecting sensitive information and securing communication between the application and external services or devices. We focus on these two key aspects of mobile application security.

In the first part of this dissertation, we aim to ensure the security of user information collected by mobile apps. Mobile apps seek consent from users to approve various permissions to access sensitive information such as location and personal information. However, users often blindly accept permission requests and apps start to abuse this mechanism. As long as a permission is requested, the state-of-the-art security mechanisms will treat it as legitimate. We ask the question whether the permission requests are valid? We attempt to validate permission requests using statistical analysis on permission sets extracted from groups of functionally similar apps. We detected mobile applications with abusive permission access and measure the risk of information leaks through each mobile application.

Second, we propose to investigate the security of auto companion apps. Auto companion apps are mobile apps designed to remotely connect with cars to provide features such as diagnostics, navigation, entertainment, and safety alerts. However, this can lead to several security threats, for instance, onboard information of vehicles can be tracked or altered through a malicious app. We design a comprehensive security analysis framework on automotive companion apps all stages of communication and collaboration between vehicles and companion apps such as connection establishment, authentication, encryption, information storage, and Vehicle diagnostic and control command access. By conducting static and network traffic analysis of Android OBD apps, we identify a series of vulnerability scenarios. We further evaluate these vulnerabilities with vehicle-based testing and identify potential security threats associated with auto companion apps

Layered attestation is a process by which one can establish trust in a remote party. It is a special case of attestation in which different layers of the attesting system are handled distinctly. This type of trust is desirable because a vast and growing number of people depend on networked devices to go about their daily lives. Current architectures for remote attestation are lacking in process isolation, which is evidenced by the existence of virtual machine escape exploits. This implies a deficiency of trustworthy ways to determine whether a networked Linux system has been exploited. The seL4 microkernel, uniquely in the world, has machine-checked proofs concerning process confidentiality and integrity. The seL4 microkernel is leveraged here to provide a verified level of software-based process isolation. When complemented with a comprehensive collection of measurements, this architecture can be trusted to report its own corruption. The architecture is described, implemented, and tested against a variety of exploits, which are detected using introspective measurement techniques.

Multimedia networking is the area of study associated with the delivery of heterogeneous data including, but not limited to, imagery, video, audio, and interactive content. Multimedia and communication network researchers have continually struggled to devise solutions for addressing the three core challenges in multimedia delivery: security, reliability, and performance. Solutions to these challenges typically exist in a spectrum of compromises achieving gains in one aspect at the cost of one or more of the others. Networked videogames represent the pinnacle of multimedia presented in a real-time interactive format. Continual improvements to multimedia delivery have led to tools such as buffering, redundant coupling of low-resolution alternative data streams, congestion avoidance, and forced in-order delivery of best-effort service; however, videogames cannot afford to pay the latency tax of these solutions in their current state.

I developed the Secure Multi-Channel Internet Memory Information Control (S-MIMIC) protocol as a novel solution to address these challenges. The S-MIMIC protocol leverages recent developments in blockchain and distributed ledger technology, coupled with creative enhancements to data representation and a novel data model. The S-MIMIC protocol also implements various novel algorithms for create, read, update, and delete (CRUD) interactions with distributed ledger and blockchain technologies. For validation, the S-MIMIC protocol was integrated with an open source open source First-Person Shooter (FPS) videogame to demonstrate its ability to transfer complex data structures under extreme network latency demands. The S-MIMIC protocol demonstrated improvements in confidentiality, integrity, availability and data read operations under all test conditions. Data write performance of S-MIMIC is slightly below traditional TCP-based networking in unconstrained networks, but matches performance in networks exhibiting 150 milliseconds of delay or more.

Though the S-MIMIC protocol was evaluated for use in networked videogames, its potential uses are far reaching with promising applicability to medical information, legal documents, financial transactions, information security threat feeds and many other use cases that require security, reliability and performance guarantees.

The deep neural network (DNN) models are the core components of the machine learning solutions. However, their wide adoption in real-world applications raises increasing security concerns. Various attacks have been proposed against DNN models, such as the evasion and backdoor attacks. Attackers utilize adversarially altered samples, which are supposed to be stealthy and imperceptible to human eyes, to fool the targeted model into misbehaviors. This could result in severe consequences, such as self-driving cars ignoring traffic signs or colliding with pedestrians.

In this work, we aim to investigate the security and robustness of deep learning systems against stealthy attacks. To do this, we start by reevaluating the stealthiness assumptions made by the start-of-the-art attacks through a comprehensive study. We implement 20 representative attacks on six benchmark datasets. We evaluate the visual stealthiness of the attack samples using 24 metrics for image similarity or quality and over 30,000 annotations in a user study. Our results show that the majority of the existing attacks introduce non-negligible perturbations that are not stealthy. Next, we propose a novel model-poisoning neural Trojan, namely LoneNeuron, which introduces only minimum modification to the host neural network with a single neuron after the first convolution layer. LoneNeuron responds to feature-domain patterns that transform into invisible, sample-specific, and polymorphic pixel-domain watermarks. With high attack specificity, LoneNeuron achieves a 100% attack success rate and does not compromise the primary task performance. Additionally, its unique watermark polymorphism further improves watermark randomness, stealth, and resistance to Trojan detection.

Spectrum sensing and transmit waveform frequency notching is a form of cognitive radar that seeks to reduce mutual interference with other spectrum users in a cohabitated band. With the reality of increasing radio frequency (RF) spectral congestion, radar systems capable of dynamic spectrum sharing are needed. The cognitive sense-and-notch (SAN) emission strategy is experimentally demonstrated as an effective way to reduce the interference that the spectrum sharing radar causes to other in-band users. The physical radar emission is based on a random FM waveform structure possessing attributes that are inherently robust to range-Doppler sidelobes. To contend with dynamic interference the transmit notch may be required to move during the coherent processing interval (CPI), which introduces a nonstationarity effect that results in increased residual clutter after cancellation. The nonstationarity effect is characterized and compensated for using computationally efficient processing methods. The steps from initial analysis of cognitive system performance to implementation of sense-and-notch radar spectrum sharing in real-time are discussed.

Estimating the spatial angle of arrival for a received radar signal traditionally entails measurements across multiple antenna elements. Spatially diverse Multiple Input Multiple Output (MIMO) emission structures, such as the Frequency Diverse Array (FDA), provide waveform separability to achieve spatial estimation without the need for multiple receive antenna elements. A low complexity Multiple Input Single Output (MISO) radar system leveraging the FDA emission structure coupled with the Linear Frequency Modulated Continuous Wave (LFMCW) waveform is experimentally demonstrated that estimates range, Doppler and spatial angle information of the illuminated scene using a single receiver antenna element. In comparison to well-known spatially diverse emission structures (i.e., Doppler Division Multiple Access (DDMA) and Time Division Multiple Access (TDMA)), LFMCW-FDA is shown to retain the full range and Doppler unambiguous spaces at the cost of a reduced range resolution. To combat the degraded range performance, an adaptive algorithm is introduced with initial results showing the ability to improve separability of closely spaced scatterers in range and angle. With the persistent illumination achieved by the emission structure, demonstrated performance, and low complexity architecture, the LFMCW-FDA system is shown to have attractive features for use in a low-resolution search radar context.

Legacy radar systems largely rely on repeated emission of a linear frequency modulated (LFM) or chirp waveform to ascertain scattering information from an environment. The prevalence of these chirp waveforms largely stems from their simplicity to generate, process, and the general robustness they provide towards hardware effects. However, this traditional design philosophy often lacks the flexibility and dimensionality needed to address the dynamic “complexification” of the modern radio frequency (RF) environment or achieve current operational requirements where unprecedented degrees of sensitivity, maneuverability, and adaptability are necessary.

Over the last couple of decades analog-to-digital and digital-to-analog technologies have advanced exponentially, resulting in tremendous design degrees of freedom and arbitrary waveform generation (AWG) capabilities that enable sophisticated design of emissions to better suit operational requirements. However, radar systems typically require high powered amplifiers (HPA) to contend with the two-way propagation. Thus, transmitter-amenable waveforms are effectively constrained to be both spectrally contained and constant amplitude, resulting in a non-convex NP-hard design problem.

While determining the global optimal waveform can be intractable for even modest time-bandwidth products (TB), locally optimal transmitter-amenable solutions that are “good enough” are often readily available. However, traditional matched filtering may not satisfy operational requirements for these sub-optimal emissions. Using knowledge of the transmitter-receiver chain, a discrete linear model can be formed to express the relationship between observed measurements and the complex scattering of the environment. This structured representation then enables more sophisticated least-square and adaptive estimation techniques to better satisfy operational needs, improve estimate fidelity, and extend dynamic range.

However, radar dimensionality can be enormous and brute force implementations of these techniques may have unwieldy computational burden on even cutting-edge hardware. Additionally, a discrete linear representation is fundamentally an approximation of the dynamic continuous physical reality and model errors may induce bias, create false detections, and limit dynamic range. As such, these structure-based approaches must be both computationally efficient and robust to reality.

Here several generalized discrete radar receive models and structure-based estimation schemes are introduced. Modifications and alternative solutions are then proposed to improve estimate fidelity, reduce computational complexity, and provide further robustness to model uncertainty.

Early diagnosis can effectively treat non-small cell lung cancer (NSCLC). Lung cancer cells usually have altered gene expression patterns compared to normal cells, which can be utilized to predict cancer through gene expression tests. This study analyzed gene expression values measured from 15227-probe microarray, and 290 patients consisting of cancer and control groups, to find relations between the gene expression features and lung cancer. The study explored k-means, statistical tests, and deep neural networks to obtain optimal feature representations and achieved the highest accuracy of 82%. Furthermore, a bipartite graph was built using the Bio Grid database and gene expression values, where the probe-to-probe relationship based on gene relevance was leveraged to enhance the prediction performance.

As Electronic Health Records (EHRs) become more available, there is increasing interest in discovering hidden disease patterns by leveraging cutting-edge data visualization techniques, such as graph-based knowledge representation and interactive graphical user interfaces (GUIs). In this project, we have developed a web-based interactive EHR analytics and visualization tool to provide healthcare professionals with valuable insights that can ultimately improve the quality and cost-efficiency of patient care. Specifically, we have developed two visualization panels: one for the intelligence of individual patients and the other for the relevance among diseases. For individual patients, we capture the similarity between them by linking them based on their relatedness in diagnosis. By constructing a graph representation of patients based on this similarity, we can identify patterns and trends in patient data that may not be apparent through traditional methods. For disease relationships, we provide an ontology graph for the specific diagnosis (ICD10 code), which helps to identify ancestors and predecessors of a particular diagnosis. Through the demonstration of this dashboard, we show that this approach can provide valuable insights to better understand patient outcomes with an informative and user-friendly web interface.