- Adversarial Robustness in Machine Learning
- Bacillus and Francisella bacterial research
- Anomaly Detection Techniques and Applications
- Access Control and Trust
- Topic Modeling
- Natural Language Processing Techniques
- Physical Unclonable Functions (PUFs) and Hardware Security
- Risk and Safety Analysis
- Digital Media and Visual Art
- Digital Media Forensic Detection
- Face recognition and analysis
- Crafts, Textile, and Design
- Parallel Computing and Optimization Techniques
- Hate Speech and Cyberbullying Detection
- Video Surveillance and Tracking Methods
- Advanced Image and Video Retrieval Techniques
- Spam and Phishing Detection
- Advanced Steganography and Watermarking Techniques
- Color perception and design
- Privacy-Preserving Technologies in Data
- Network Security and Intrusion Detection
- Generative Adversarial Networks and Image Synthesis
- Architecture and Cultural Influences
- Evolutionary Algorithms and Applications
- Chemical Safety and Risk Management
University of Wisconsin–Madison
2020-2024
University of Washington
2024
Physical adversarial examples for camera-based computer vision have so far been achieved through visible artifacts — a sticker on a Stop sign, colorful borders around eyeglasses, or a 3D printed object with texture. An implicit assumption here is that the perturbations must be visible so that a camera can sense them. By contrast, we contribute a procedure to generate, for the first time, physical adversarial examples that are invisible to human eyes. Rather than modifying the victim object with artifacts, we modify the light that illuminates the object. We demonstrate how an attacker...
We surface a new threat to closed-weight Large Language Models (LLMs) that enables an attacker to compute optimization-based prompt injections. Specifically, we characterize how an attacker can leverage the loss-like information returned from a remote fine-tuning interface to guide the search for adversarial prompts. The fine-tuning interface is hosted by an LLM vendor and allows developers to fine-tune LLMs for their tasks, thus providing utility, but it also exposes enough information to be misused. Through experimental analysis, we examine the loss-like values returned by the Gemini API and demonstrate that they provide...
Recent work has proposed stateful defense models (SDMs) as a compelling strategy to defend against a black-box attacker who only has query access to the model, as is common for online machine learning platforms. Such defenses aim to defend against attacks by tracking the query history and detecting and rejecting queries that are "similar", thus preventing the attacker from finding useful gradients and making progress towards adversarial examples within a reasonable query budget. SDMs (e.g., Blacklight and PIHA) have shown remarkable success in defending state-of-the-art...
Detecting diffusion-generated deepfake images remains an open problem. Current detection methods fail against an adversary who adds imperceptible adversarial perturbations to the deepfake to evade detection. In this work, we propose Disjoint Diffusion Deepfake Detection (D4), a detector designed to improve black-box robustness beyond de facto solutions such as adversarial training. D4 uses an ensemble of models over disjoint subsets of the frequency spectrum to significantly improve robustness. Our key insight is to leverage redundancy in...
Voice assistants are deployed widely and provide useful functionality. However, recent work has shown that commercial systems like Amazon Alexa and Google Home are vulnerable to voice-based confusion attacks that exploit design issues. We propose a systems-oriented defense against this class of attacks and demonstrate its functionality for Alexa. We ensure that only the skills a user intends execute in response to voice commands. Our key insight is that we can interpret a user's intentions by analyzing their activity on the counterpart web...
Large language models (LLMs) are typically aligned to be harmless to humans. Unfortunately, recent work has shown that such models are susceptible to automated jailbreak attacks that induce them to generate harmful content. More recent LLMs often incorporate an additional layer of defense, a Guard Model, which is a second LLM designed to check and moderate the output response of the primary LLM. Our key contribution is to show a novel attack strategy, PRP, that is successful against several open-source (e.g., Llama 2) and closed-source (e.g., GPT 3.5)...
Privacy policies are crucial in the online ecosystem, defining how services handle user data and adhere to regulations such as GDPR and CCPA. However, their complexity and frequent updates often make them difficult for stakeholders to understand and analyze. Current automated analysis methods, which utilize natural language processing, have limitations. They typically focus on individual tasks and fail to capture the full context of policies. We propose PolicyLR, a new paradigm that offers a comprehensive...
Computer vision systems have been deployed in various applications involving biometrics like human faces. These systems can identify social media users, search for missing persons, and verify the identity of individuals. While computer vision models are often evaluated for accuracy on available benchmarks, more annotated data is necessary to learn about their robustness and fairness against semantic distributional shifts in input data, especially face data. Among such data, counterfactual examples grant strong explainability...
Content scanning systems employ perceptual hashing algorithms to scan user content for illicit material, such as child pornography or terrorist recruitment flyers. Perceptual hashing algorithms help determine whether two images are visually similar while preserving the privacy of the input images. Several efforts from industry and academia propose to conduct content scanning on client devices such as smartphones due to the impending rollout of end-to-end encryption that will make server-side scanning difficult. These proposals have met with strong criticism because...
Large Language Models' success on text generation has also made them better at code generation and coding tasks. While a lot of work has demonstrated their remarkable performance on tasks such as code completion and editing, it is still unclear as to why. We help bridge this gap by exploring to what degree auto-regressive models understand the logical constructs underlying programs. We propose Counterfactual Analysis for Programming Concept Predicates (CACP), a counterfactual testing framework to evaluate whether Code Models...
Adversarial examples threaten the integrity of machine learning systems with alarming success rates even under constrained black-box conditions. Stateful defenses have emerged as an effective countermeasure, detecting potential attacks by maintaining a buffer of recent queries and rejecting new queries that are too similar. However, these defenses fundamentally pose a trade-off between attack detection and false positive rates, and this balance is typically optimized by hand-picking feature extractors and similarity thresholds that empirically work...
Content scanning systems employ perceptual hashing algorithms to scan user content for illegal material, such as child pornography or terrorist recruitment flyers. Perceptual hashing algorithms help determine whether two images are visually similar while preserving the privacy of the input images. Several efforts from industry and academia propose to conduct content scanning on client devices such as smartphones due to the impending roll out of end-to-end encryption that will make server-side scanning difficult. However, these proposals have met with strong...