{"title":"Mutual Information Guided Backdoor Mitigation for Pre-Trained Encoders","authors":"Tingxu Han;Weisong Sun;Ziqi Ding;Chunrong Fang;Hanwei Qian;Jiaxun Li;Zhenyu Chen;Xiangyu Zhang","doi":"10.1109/TIFS.2025.3550062","DOIUrl":"10.1109/TIFS.2025.3550062","url":null,"abstract":"Self-supervised learning (SSL) is increasingly attractive for pre-training encoders without requiring labeled data. Downstream tasks built on top of those pre-trained encoders can achieve nearly state-of-the-art performance. The pre-trained encoders by SSL, however, are vulnerable to backdoor attacks as demonstrated by existing studies. Numerous backdoor mitigation techniques are designed for downstream task models. However, their effectiveness is impaired and limited when adapted to pre-trained encoders, due to the lack of label information when pre-training. To address backdoor attacks against pre-trained encoders, in this paper, we innovatively propose a mutual information guided backdoor mitigation technique, named MIMIC (<underline>M</underline>utual <underline>I</underline>nformation guided backdoor <underline>MI</underline>tigation for pre-trained en<underline>C</underline>oders). MIMIC uses the potentially backdoored encoder as the teacher network and applies knowledge distillation to create a clean student encoder from it. Different from existing knowledge distillation approaches, MIMIC initializes the student with random weights, inheriting no backdoors from teacher nets. Then MIMIC leverages mutual information between each layer and extracted features to locate where benign knowledge lies in the teacher net, with which distillation is deployed to clone clean features from teacher to student. We craft the distillation loss with two aspects, including clone loss and attention loss, aiming to mitigate backdoors and maintain encoder performance at the same time. 
Our evaluation conducted on two backdoor attacks in SSL demonstrates that MIMIC can significantly reduce the attack success rate by only utilizing <inline-formula> <tex-math>$\\leq 5$ </tex-math></inline-formula>% of clean pre-training data that is accessible to the defender, surpassing seven state-of-the-art backdoor mitigation techniques. The source code of MIMIC is available at <uri>https://github.com/wssun/MIMIC</uri>.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3414-3428"},"PeriodicalIF":6.3,"publicationDate":"2025-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143661203","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy-Preserving Vertical Federated Learning With Tensor Decomposition for Data Missing Features","authors":"Tianchi Liao;Lele Fu;Lei Zhang;Lei Yang;Chuan Chen;Michael K. Ng;Huawei Huang;Zibin Zheng","doi":"10.1109/TIFS.2025.3552033","DOIUrl":"10.1109/TIFS.2025.3552033","url":null,"abstract":"Vertical federated learning (VFL) allows parties to build robust shared machine learning models based on learning from distributed features of the same samples, without exposing their own data. However, current VFL solutions are limited in their ability to perform inference on non-overlapping samples, and data stored on clients is often subject to loss due to various unavoidable factors. This leads to incomplete client data, where client missing features (MF) are frequently overlooked in VFL. The main aim of this paper is to propose a VFL framework to handle missing features (MFVFL), which is a tensor decomposition network-based approach that can effectively learn intra- and inter-client feature information from client data with missing features to improve VFL performance. In the proposed MFVFL method each client imputes missing values and encodes features to learn intra-feature information, and the server collects the uploaded feature embeddings as input to our developed low-rank tensor decomposition network to learn inter-feature information. Finally, the server aggregates the representations from tensor decomposition to train a global classifier. In the paper, we theoretically guarantee the convergence of MFVFL. In addition, differential privacy (DP) for data privacy protection is always used, and the proposed framework (MFVFL-DP) can deal with such degraded data by using a tensor robust PCA to alleviate the impact of noise while preserving data privacy. 
We conduct extensive experiments on six datasets of different sample sizes and feature dimensions, and demonstrate that MFVFL significantly outperforms state-of-the-art methods, especially under high missing ratios. The experimental results also show that MFVFL-DP possesses excellent denoising capabilities and illustrate that the noisy effect by the DP mechanism can be alleviated.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3445-3460"},"PeriodicalIF":6.3,"publicationDate":"2025-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143661411","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"From Σ-Protocol-Based Signatures to Ring Signatures: General Construction and Applications","authors":"Xue Chen;Shang Gao;Shiyuan Xu;Liquan Chen;Siu-Ming Yiu;Bin Xiao","doi":"10.1109/TIFS.2025.3552199","DOIUrl":"10.1109/TIFS.2025.3552199","url":null,"abstract":"Public Key Infrastructure (PKI) has gained widespread attention for ensuring the security and integrity of data communication. While existing PKI mainly supports digital signatures, it is lacking in crucial anonymity, leading to the leakage of a signer’s identity information. To alleviate the issue, ring signatures are a suitable choice to provide anonymity as they allow users to create their own rings without the need for an administrator. Unfortunately, the utilization of ring signatures in PKI may present compatibility challenges within the system. Thus, proposing a general mechanism to convert a standardized <inline-formula> <tex-math>$\\Sigma $ </tex-math></inline-formula>-based signature to a ring signature is far-reaching. In this paper, we propose a general construction for converting <inline-formula> <tex-math>$\\Sigma $ </tex-math></inline-formula>-based signatures into ring signatures. To achieve this, we first introduce a <inline-formula> <tex-math>$\\Sigma $ </tex-math></inline-formula>-based general model, providing a general transformation to convert existing <inline-formula> <tex-math>$\\Sigma $ </tex-math></inline-formula>-based signatures into a <inline-formula> <tex-math>$\\Sigma $ </tex-math></inline-formula>-protocol form. Subsequently, we incorporate our redesigned one-out-of-many relation within our general model and proceed to devise ring signatures leveraging on one-out-of-many proofs. Furthermore, to reduce the signature size, we employ the Bulletproofs folding technique, enabling the attainment of logarithmic size ring signatures. To demonstrate the wide applicability of our general construction, we present four prominent signatures as case studies. 
Ultimately, we conduct a rigorous security analysis and benchmark experimental evaluation. The signing and verification times are 0.44 to 0.97 times and 0.27 to 0.91 times compared to other state-of-the-art schemes, respectively. Additionally, we exhibit the lowest signature size to date.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3646-3661"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640676","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Identity-Based Chameleon Hashes in the Standard Model for Mobile Devices","authors":"Cong Li;Xiaoyu Jiao;Xinyu Feng;Anyang Hu;Qingni Shen;Zhonghai Wu","doi":"10.1109/TIFS.2025.3552196","DOIUrl":"10.1109/TIFS.2025.3552196","url":null,"abstract":"Online/offline identity-based signature (OO-IBS) is a versatile cryptographic tool to provide the message authentication and integrity in mobile devices, since it lightens the computational burden after the signer receiving the message and eliminates the overhead of certificate management. It has several valuable applications, for instance, wireless sensor networks. Identity-based chameleon hash (IB-CH), as an alternative building block to construct OO-IBS, has been explored in numerous literatures. Nevertheless, there still exist two major issues. 1) Nearly all of the previous IB-CH schemes with weak collision-resistance (W-CollRes) are with random oracles, which may lead to security risks in practicality. The only IB-CH scheme in the standard model suffers from the large size of public parameters and inefficient setup process. 2) The only IB-CH scheme without key exposure also relies on random oracles. In this paper, we propose two novel IB-CH schemes in the standard model. The first scheme is adaptive identity, W-CollRes secure and efficient, significantly reducing the computation costs of all algorithms and the size of public parameters compared with the existing scheme in the standard model. The second scheme is the first IB-CH achieving key exposure freeness without random oracles. Both theoretical and experimental analyses demonstrate the good performance of our proposed schemes. Furthermore, we apply our schemes to optimizing the existing generic OO-IBS construction. 
The optimized generic constructions reduce computational overhead by 50.0% in the online phase and enable the hash value/signature tuple generated in the offline phase to be reusable, respectively.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3849-3861"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640766","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Parallel PAM for Secure Transmission","authors":"Hongliang He;Nengcheng Chen","doi":"10.1109/TIFS.2025.3552035","DOIUrl":"10.1109/TIFS.2025.3552035","url":null,"abstract":"Physical layer security is a promising approach to enhancing the security of multi-user networks. However, user interference causes constellation points from different users to overlap, limiting both network reliability and security. To address this, we propose a parallel pulse amplitude modulation (PAM) scheme that ensures constellations are regularly superimposed at the legitimate receiver while appearing chaotic to the eavesdropper. Consequently, the eavesdropper experiences a consistently high bit/symbol error rate, whereas the legitimate receiver maintains a very low error rate. Furthermore, we extend the parallel PAM scheme to both the in-phase and quadrature components of the signal, forming a heterogeneous quadrature amplitude modulation (QAM) scheme. This enhances transmission efficiency while preserving security. We analyze the bit/symbol error rates at both the legitimate receiver and the eavesdropper, deriving a lower bound for the eavesdropper’s error rate. Finally, simulation results validate our theoretical analysis.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3374-3386"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640767","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An Adaptive Domain-Incremental Framework With Knowledge Replay and Domain Alignment for Specific Emitter Identification","authors":"Xiaoyu Shen;Tao Zhang;Hao Wu;Xiaoqiang Qiao;Yihang Du;Guan Gui","doi":"10.1109/TIFS.2025.3552034","DOIUrl":"10.1109/TIFS.2025.3552034","url":null,"abstract":"Specific Emitter Identification (SEI) is crucial for ensuring the security of physical layer communication. However, signal characteristics can be affected by various factors such as environmental and equipment variations. An effective SEI system must continuously learn and adapt to these changes to maintain accurate signal recognition. This study proposes an advanced domain incremental learning (DIL) framework for SEI, named Adaptive Domain-Incremental Learning with Knowledge Replay and Domain Alignment (ADIRA). ADIRA employs knowledge replay and distillation strategies, along with adaptive coefficients, to balance the model’s performance in recognizing signals across both new and old domains. To address the variations in signal data feature distributions across different domains, we introduce a domain alignment strategy based on adversarial training. This approach integrates embedding distillation loss with supervised contrastive loss, significantly enhancing the model’s adaptability to domain changes. 
Experimental results on two benchmark datasets demonstrate that ADIRA achieves performance only 0.42% and 1.71% lower than joint training, with replay samples constituting just 1.1% and 1.5% of the training set, effectively mitigating catastrophic forgetting.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3519-3533"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640675","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Boosting Adversarial Transferability via Relative Feature Importance-Aware Attacks","authors":"Jian-Wei Li;Wen-Ze Shao;Yu-Bao Sun;Li-Qian Wang;Qi Ge;Liang Xiao","doi":"10.1109/TIFS.2025.3552030","DOIUrl":"10.1109/TIFS.2025.3552030","url":null,"abstract":"Modern deep neural networks are known to be highly vulnerable to adversarial examples. As a pioneering work, the fast gradient sign method (FGSM) is proved more transferable in black-box attacks than its multi-small-step extension, i.e., iterative-FGSM, particularly being restricted by a limited number of iterations. This paper revisits their early, representative successor MI-FGSM as a baseline, i.e., iterative-FGSM with momentum, and introduces an innovative boosting idea different from either FGSM-inspired algorithms or other mainstream methods. For one thing, during gradient backpropagation of MI-FGSM, the proposed approach merely requires amending the chain rule with respect to adversarial images using the counterpart original images. For another, a credible analysis has revealed that such a naively boosted MI-FGSM essentially performs a special kind of intermediate-layer attacks. In specific, the notable finding in the paper is a new principle of adversarial transferability guided by the relative feature importance, emphasizing the significance of semantically non-critical information for the first time in the literature, although originally thought to be weak in large. Experimental results on various leading victim models, both undefended and defended, demonstrate that the new approach incorporating robust gradients has indeed attained stronger adversarial transferability than state-of-the-art works. 
The code is available at: <uri>https://github.com/ljwooo/RFIA-main</uri>.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3489-3504"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640508","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Theory and Applications of Sequentially Threshold Public-Key Cryptography: Practical Private Key Safeguarding and Secure Use for Individual Users","authors":"Jie Zhang;Futai Zhang;Xinyi Huang","doi":"10.1109/TIFS.2025.3552202","DOIUrl":"10.1109/TIFS.2025.3552202","url":null,"abstract":"Motivated by the needs of power distribution as well as private key protection, the theory and implementation techniques of threshold public-key cryptography (PKC) have been developed for a long time. However, researches in this field mainly focus on the needs and constraints in distributed environments which consist of nodes with computing capabilities and connected via peer-to-peer and broadcasting communication channels. The resulting schemes are theoretically helpful for private key security but inconvenient for individual users as their implementation requires distributed computing and networking system with broadcasting channels. To address the private key security issue of PKC schemes for individual users, this paper proposes the concept and general construction of sequentially threshold PKC under a communication model consisting of a computing device and several offline storages where broadcasting channels are not required. To illustrate the new paradigm, we design and realize a sequentially threshold Schnorr signature scheme <monospace>STSS</monospace>. The security proofs for <monospace>STSS</monospace> indicate its effectiveness of achieving unforgeability under traditional attacks as well as security incidents caused by human faults and system failures. The experiments on FIPS recommended curves P-256, P-384, and P-521 show that <monospace>STSS</monospace> is comparable with the original Schnorr scheme in terms of time consumed for generating a signature. The construction of sequentially threshold ElGamal decryption scheme is also presented. 
Finally, we illustrate the application of <monospace>STSS</monospace> in the Blockchain ecosystem.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3220-3233"},"PeriodicalIF":6.3,"publicationDate":"2025-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143640768","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Sensitivity-Aware Personalized Differential Privacy Guarantees for Online Social Networks","authors":"Jiajun Chen;Chunqiang Hu;Weihong Sheng;Tao Xiang;Pengfei Hu;Jiguo Yu","doi":"10.1109/TIFS.2025.3551642","DOIUrl":"10.1109/TIFS.2025.3551642","url":null,"abstract":"With the prevalence of online social networks (OSNs), much personal information is collected and maintained by trusted service providers for third-party queries and analyses. Existing works regarding differentially private social network data publication overlook the fact that different users exhibit distinct privacy preferences or sensitivity inclinations. Neglecting these individual nuances may lead to privacy mechanisms that are overly conservative or inadequately protective. Furthermore, the injection of excessive noise into OSN data perceived by users as non-personal or less sensitive can incur additional privacy costs, resulting in lower service quality. This paper introduces a fine-grained, sensitivity-aware personalized edge differential privacy model (SPEDP) for OSNs. Specifically, SPEDP enables each OSN user to individually define the sensitivity level of their social connections, facilitating user-friendly personalized privacy settings. We design a privacy-aware mechanism that operates within a trusted service provider, capable of establishing privacy protection levels based on user-perceived sensitivity settings. Additionally, we propose a sensitivity-aware sampling mechanism to implement SPEDP. To further optimize the privacy mechanism, we explore a privacy threshold optimization strategy aimed at minimizing privacy budget waste. 
Finally, the personalized privacy protections and utility improvements achieved by the SPEDP mechanism are rigorously validated through theoretical analysis and comprehensive comparative experiments on benchmark datasets.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3116-3130"},"PeriodicalIF":6.3,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143631302","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Uncoordinated Syntactic Privacy: A New Composable Metric for Multiple, Independent Data Publishing","authors":"Adrián Tobar Nicolau;Javier Parra-Arnau;Jordi Forné;Vicenç Torra","doi":"10.1109/TIFS.2025.3551645","DOIUrl":"10.1109/TIFS.2025.3551645","url":null,"abstract":"A privacy model is a privacy condition, dependent on a parameter, that guarantees an upper bound on the risk of reidentification disclosure and maybe also on the risk of attribute disclosure by an adversary. A privacy model is composable if the privacy guarantees of the model are preserved, possibly to a limited extent, after repeated independent application of the privacy model. From the opposite perspective, a privacy model is not composable if multiple independent data releases, each of them satisfying the requirements of the privacy model, may result in a privacy breach. Current privacy models are broadly classified into syntactic ones (such as k-anonymity and l-diversity) and semantic ones, which essentially refer to <inline-formula> <tex-math>$\\varepsilon $ </tex-math></inline-formula>-differential privacy (e-DP) and variations thereof. While e-DP and its variants offer strong composability properties, syntactic notions are not composable unless data releases are conducted by a single, centralized data holder that uses specialized notions such as m-invariance and <inline-formula> <tex-math>$\\tau $ </tex-math></inline-formula>-safety. In this work, we propose m-uncoordinated-syntactic-privacy (m-USP), the first syntactic notion with composability properties for the independent publication of nondisjoint data, in other words, without a centralized data holder. Theoretical results are formally proven, and experimental results demonstrate that the risk to individuals does not increase significantly, in contrast to non-composable methods, that are susceptible to attribute disclosure. 
In most cases, the utility degradation caused by the extra protection is less than 5% and decreases as the value of m increases.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"3362-3373"},"PeriodicalIF":6.3,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10926580","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143631301","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}