Online personalized recommendation services are generally hosted in the cloud, where users query the cloud-based model to receive recommended items such as merchandise of interest or a news feed. State-of-the-art recommendation models rely on sparse and dense features to represent users' profile information and the items they interact with. Although sparse features account for 99% of the total model size, not enough attention has been paid to the potential information leakage through sparse features. These sparse features are employed to track users' behavior, e.g., their click history, object interactions, etc., and so potentially carry each user's private information. Sparse features are represented as learned embedding vectors that are stored in large tables, and personalized recommendation is performed by using a specific user's sparse feature to index into the tables. Even with recently proposed methods that hide the computation happening in the cloud, an attacker in the cloud may still be able to track the access patterns to the embedding tables. This paper explores the private information that may be learned by tracking a recommendation model's sparse feature access patterns. We first characterize the types of attacks that can be carried out on sparse features in recommendation models in an untrusted cloud, followed by a demonstration of how each of these attacks leads to extracting users' private information or tracking users by their behavior over time.
Over the past few years, multi-party computation (MPC) has been gaining popularity as a secure computing model, particularly for machine learning (ML) inference. Compared with its competitors, MPC has lower overhead than homomorphic encryption (HE) and a stronger threat model than hardware-based trusted execution environments (TEEs) such as Intel SGX. Despite these apparent advantages, MPC protocols still pay a substantial performance penalty compared with plaintext computation when applied to ML algorithms. The overhead comes from increased computation and communication costs. For multiplications, which are ubiquitous in ML algorithms, MPC protocols add 32x more computation cost and one round of broadcast among the MPC servers. Furthermore, ML computations whose cost is otherwise negligible, such as SoftMax, ReLU and other nonlinear operations, become very expensive because of the added communication. These added overheads make MPC less suitable for deployment in real-time ML inference frameworks such as speech translation. In this work we propose MPC-Pipe, an MPC pipelined inference technique that uses two ML-specific approaches: 1) inter-linear-layer pipelining and 2) inner-layer pipelining. Both techniques shorten the total inference runtime of machine learning models. Compared with current MPC protocol implementations, our experiments show that MPC-Pipe reduces ML inference latency by up to 12.6% when model weights are public.
As machine learning reaches different application domains, concerns related to privacy and security are growing. Data holders wish to train or infer on private data while taking advantage of accelerators such as GPUs hosted in the cloud. Cloud systems are vulnerable to attackers who compromise data privacy and computation integrity. Meeting this challenge requires combining theoretical privacy algorithms with hardware security features. This paper presents Darknight, a framework for large-scale DNN training that protects both input privacy and computation integrity. Darknight relies on cooperative execution between a trusted execution environment (TEE) and an accelerator, where the TEE provides privacy and integrity verification while the accelerator performs the bulk of the linear algebra computation to optimize performance. In particular, Darknight uses a custom data-encoding strategy based on matrix masking to obfuscate inputs inside the TEE. The obfuscated data is then offloaded to the GPU for fast linear algebra computation. Darknight's data obfuscation strategy provides provable data privacy and computation integrity on the cloud server. Whereas prior work addresses inference privacy and cannot be used for training, Darknight's encoding scheme is designed to support both training and inference.
Speech emotion recognition (SER) processes speech signals to detect and characterize the perceived emotions they express. Many SER application systems routinely acquire speech data collected on the client side and transmit it to remote cloud platforms for inference and decision making. However, speech data carries not only the emotion conveyed in vocal expression but also other sensitive demographic traits such as gender, age and language background. SER systems therefore need the ability to classify emotion constructs while preventing unintended or improper inference of sensitive and demographic information. Federated learning (FL) is a distributed machine learning paradigm that coordinates clients to collaboratively train a model without sharing their local data. This training approach appears secure and can improve privacy for SER. However, recent work has shown that FL approaches remain vulnerable to various privacy attacks, such as reconstruction attacks and membership inference attacks. While most of that work focuses on computer vision applications, such information leakage exists in SER systems trained with FL techniques. To evaluate the information leakage of SER systems trained with FL, we propose an attribute inference attack framework that infers clients' sensitive attribute information from shared gradients or from shared model parameters, corresponding to the FedSGD and FedAvg training algorithms respectively. As a use case, we evaluate our approach for predicting clients' gender information using three SER benchmark datasets: IEMOCAP, CREMA-D and MSP-EXPLA. We show that attribute inference attacks are achievable against SER systems trained with FL. We further identify that most of the information leakage likely comes from the first layer of the SER model.
Code generation models have achieved impressive performance. However, they tend to be brittle as slight edits to a prompt could lead to very different generations; these robustness properties, critical for user experience when deployed in real-life applications, are not well understood. Most existing works on robustness in text or code tasks have focused on classification, while robustness in generation tasks is an uncharted area and to date there is no comprehensive benchmark for robustness in code generation. In this paper, we propose ReCode, a comprehensive robustness evaluation benchmark for code generation models. We customize over 30 transformations specifically for code on docstrings, function and variable names, code syntax, and code format. They are carefully designed to be natural in real-life coding practice, preserve the original semantic meaning, and thus provide multifaceted assessments of a model's robustness performance. With human annotators, we verified that over 90% of the perturbed prompts do not alter the semantic meaning of the original prompt. In addition, we define robustness metrics for code generation models considering the worst-case behavior under each type of perturbation, taking advantage of the fact that executing the generated code can serve as objective evaluation. We demonstrate ReCode on SOTA models using HumanEval, MBPP, as well as function completion tasks derived from them. Interesting observations include: better robustness for CodeGen over InCoder and GPT-J; models are most sensitive to syntax perturbations; more challenging robustness evaluation on MBPP over HumanEval.
While pre-trained language models (LMs) for code have achieved great success in code completion, they generate code conditioned only on the contents of the current file, i.e., in-file context, and ignore the rich semantics in other files within the same project, i.e., cross-file context, a critical source of information that is especially useful in modern modular software development. Overlooking this context constrains code language models' capacity in code completion, leading to unexpected behaviors such as generating hallucinated class member functions or function calls with unexpected arguments. In this work, we develop a cross-file context finder tool, CCFINDER, that effectively locates and retrieves the most relevant cross-file context. We propose CoCoMIC, a framework that incorporates cross-file context to learn the in-file and cross-file context jointly on top of pretrained code LMs. CoCoMIC successfully improves the existing code LM with a 19.30% relative increase in exact match and a 15.41% relative increase in identifier matching for code completion when the cross-file context is provided.
Assessing the critical view of safety in laparoscopic cholecystectomy requires accurate identification and localization of key anatomical structures, reasoning about their geometric relationships to one another, and determining the quality of their exposure. In this work, we propose to capture each of these aspects by modeling the surgical scene with a disentangled latent scene graph representation, which we can then process using a graph neural network. Unlike previous approaches using graph representations, we explicitly encode in our graphs semantic information such as object locations and shapes, class probabilities and visual features. We also incorporate an auxiliary image reconstruction objective to help train the latent graph representations. We demonstrate the value of these components through comprehensive ablation studies and achieve state-of-the-art results for critical view of safety prediction across multiple experimental settings.
A central problem in computational biophysics is protein structure prediction, i.e., finding the optimal folding of a given amino acid sequence. This problem has been studied in a classical abstract model, the HP model, where the protein is modeled as a sequence of H (hydrophobic) and P (polar) amino acids on a lattice. The objective is to find conformations maximizing H-H contacts. It is known that even in this reduced setting, the problem is intractable (NP-hard). In this work, we apply deep reinforcement learning (DRL) to the two-dimensional HP model. We can obtain the conformations of best known energies for benchmark HP sequences with lengths from 20 to 50. Our DRL is based on a deep Q-network (DQN). We find that a DQN based on long short-term memory (LSTM) architecture greatly enhances the RL learning ability and significantly improves the search process. DRL can sample the state space efficiently, without the need of manual heuristics. Experimentally we show that it can find multiple distinct best-known solutions per trial. This study demonstrates the effectiveness of deep reinforcement learning in the HP model for protein folding.
In the past few years, Artificial Intelligence (AI) has garnered attention from various industries including financial services (FS). AI has made a positive impact in financial services by enhancing productivity and improving risk management. While AI can offer efficient solutions, it has the potential to bring unintended consequences. One such consequence is the pronounced effect of AI-related unfairness and attendant fairness-related harms. These fairness-related harms could involve differential treatment of individuals; for example, unfairly denying a loan to certain individuals or groups of individuals. In this paper, we focus on identifying and mitigating individual unfairness and leveraging some of the recently published techniques in this domain, especially as applicable to the credit adjudication use case. We also investigate the extent to which techniques for achieving individual fairness are effective at achieving group fairness. Our main contribution in this work is functionalizing a two-step training process which involves learning a fair similarity metric from a group sense using a small portion of the raw data and training an individually "fair" classifier using the rest of the data where the sensitive features are excluded. The key characteristic of this two-step technique is related to its flexibility, i.e., the fair metric obtained in the first step can be used with any other individual fairness algorithms in the second step. Furthermore, we developed a second metric (distinct from the fair similarity metric) to determine how fairly a model is treating similar individuals. We use this metric to compare a "fair" model against its baseline model in terms of their individual fairness value. Finally, some experimental results corresponding to the individual unfairness mitigation techniques are presented.
The FAIR Guiding Principles aim to improve the findability, accessibility, interoperability, and reusability of digital content by making it both human and machine actionable. However, these principles have not yet been broadly adopted in the domain of machine learning-based program analyses and optimizations for High-Performance Computing (HPC). In this paper, we design a methodology to make HPC datasets and machine learning models FAIR after investigating existing FAIRness assessment and improvement techniques. Our methodology includes a comprehensive, quantitative assessment for selected data, followed by concrete, actionable suggestions to improve FAIRness with respect to common issues related to persistent identifiers, rich metadata descriptions, license and provenance information. Moreover, we select a representative training dataset to evaluate our methodology. The experiment shows that the methodology can effectively improve the dataset and model's FAIRness from an initial score of 19.1% to a final score of 83.0%.