From e73a04bc4623efbfa44c7352d1d7fb489c8ce79b Mon Sep 17 00:00:00 2001 From: infinite-pursuits Date: Mon, 7 Oct 2024 23:14:40 -0700 Subject: [PATCH] changed if man file --- _posts/2024-10-07-ifman.md | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/_posts/2024-10-07-ifman.md b/_posts/2024-10-07-ifman.md index 95b85d5..defd2cf 100644 --- a/_posts/2024-10-07-ifman.md +++ b/_posts/2024-10-07-ifman.md @@ -28,7 +28,7 @@ Influence Functions are a popular tool for data attribution and have been widely #### Our Key Idea -**Simply put, we show that it is possible to systematically train a malicious model very similar to the honest model in test accuracy but has desired influence scores**. +**Simply put, we show that it is possible to systematically train a malicious model very similar to the honest model in test accuracy, but has desired influence scores**. ## Setup @@ -106,21 +106,10 @@ For a logistic regression family of models and any target influence ranking $k\i *Kindly check the paper for ablation study on our attack objective and more details on the experiments.* -#### ZKP for Fairness Certification - -Next we must code this certification algorithm in a ZKP library. However, ZKPs are infamous for adding a big computational overhead and can be notoriously hard to code due to only using arithmetic operations. To overcome these challenges, we strategically choose some sub-functionalities which are enough to verify the certificate and also propose to do some computations offline to save time. - -Empirically we find that the maximum proof generation time is on ~4 min while the maximum verification time is ~3 seconds (note the change from minutes to seconds). Maximum time is consumed by the VerifyNeighbor functionality. Also the proof size is a meagre 200 KB. - -
- -
-Results are over 100 randomly sampled points from the test sete. (a) Average Proof Generation (in mins) and Verification times (in secs) for different models. Offline computations are done in the initial setup phase while Online computations are done for every new query. Verification is only done online, for every query. (b) Breakdown of the proof generation time (in mins) for the data point with the median time. VerifyNeighbor sub-functionality takes the maximum time. (c) Average Total Proof Size (in KB) for various models. This includes the proof generated during both online and offline phases.
-
## Conclusion -In conclusion, we propose FairProof – a protocol enabling model owners to issue publicly verifiable certificates while ensuring model confidentiality. While our work is grounded in fairness and societal applications, we believe that ZKPs are a general-purpose tool and can be a promising solution for overcoming problems arising out of the need for model confidentiality in other areas/applications as well. +While past work has mostly focused on feature attributions, in this paper we exhibit realistic incentives to manipulate data attributions. Motivated by the incentives, we propose attacks to manipulate outputs from a popular data attribution tool -- Influence Functions. We demonstrate the success of our attacks experimentally on multiclass logistic regression models on ResNet features and standard tabular fairness datasets. Our work lays bare the vulnerablility of influence-based attributions to manipulation and serves as a cautionary tale when using them in adversarial circumstances. Some other future directions include manipulating influence for large models, exploring different threat models, additional use-cases and manipulating other kinds of data attribution tools. For code check this link : [https://github.com/infinite-pursuits/influence-based-attributions-can-be-manipulated](https://github.com/infinite-pursuits/influence-based-attributions-can-be-manipulated)
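Review bot: In the first hunk (`@@ -28,7 +28,7 @@`), the comma added to the bold "Our Key Idea" sentence does not fix the grammar, because the clause "but has desired influence scores" still has no subject of its own. Consider rewording to "train a malicious model that is very similar to the honest model in test accuracy but has the desired influence scores".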
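Review bot: In the second hunk (`@@ -106,21 +106,10 @@`), the new Conclusion paragraph misspells "vulnerablility" (should be "vulnerability") and leaves a stray space before the colon in "For code check this link :". The removed "ZKP for Fairness Certification" section and the FairProof conclusion describe a different protocol from the influence-function attack this post covers, so dropping them looks right, but the commit subject "changed if man file" does not record that. A subject that names the removal of the leftover FairProof text and the rewritten conclusion would make the history easier to audit.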