A new generation of swarming robots which can independently learn and evolve new behaviours in the wild is one step closer, thanks to research from the University of Bristol and the University of the West of England (UWE).

The team used artificial evolution to enable the robots to automatically learn swarm behaviours which are understandable to humans. This new advance published this Friday in Advanced Intelligent Systems, could create new robotic possibilities for environmental monitoring, disaster recovery, infrastructure maintenance, logistics and agriculture. Read More

By Laure-Anne Pessina and Nicola Nosengo
Scientists at EPFL have developed a tiny pump that could play a big role in the development of autonomous soft robots, lightweight exoskeletons and smart clothing. Flexible, silent and weighing only one gram, it is poised to replace the rigid, noisy and bulky pumps currently used. The scientists’ work has just been published in Nature.

Soft robots have a distinct advantage over their rigid forebears: they can adapt to complex environments, handle fragile objects and interact safely with humans. Made from silicone, rubber or other stretchable polymers, they are ideal for use in rehabilitation exoskeletons – such as the ones being developed in the NCCR Robotics “Wearable Robotics” research line – and robotic clothing. Soft bio-inspired robots could one day be deployed to explore remote or dangerous environments.

Most soft robots are actuated by rigid, noisy pumps that push fluids into the machines’ moving parts. Because they are connected to these bulky pumps by tubes, these robots have limited autonomy and are cumbersome to wear at best.

Cutting soft robots’ tether
Researchers in EPFL’s Soft Transducers Laboratory (LMTS) and Laboratory of Intelligent Systems (LIS – led by NCCR Robotics Director Dario Floreano), in collaboration with researchers at the Shibaura Institute of Technology in Tokyo, Japan, have developed the first entirely soft pump – even the electrodes are flexible. Weighing just one gram, the pump is completely silent and consumes very little power, which it gets from a 2 cm by 2 cm circuit that includes a rechargeable battery. “If we want to actuate larger robots, we connect several pumps together,” says Herbert Shea, the director of the LMTS.
This innovative pump could rid soft robots of their tethers. “We consider this a paradigm shift in the field of soft robotics,” adds Shea.

Soft pumps can also be used to circulate liquids in thin flexible tubes embedded in smart clothing, leading to garments that can actively cool or heat different regions of the body. That would meet the needs of surgeons, athletes and pilots, for example.

How does it work?
The soft and stretchable pump is based on the physical mechanism used today to circulate the cooling liquid in systems like supercomputers. The pump has a tube-shaped channel, 1mm in diameter, inside of which rows of electrodes are printed. The pump is filled with a dielectric liquid. When a voltage is applied, electrons jump from the electrodes to the liquid, giving some of the molecules an electrical charge. These molecules are subsequently attracted to other electrodes, pulling along the rest of the fluid through the tube with them. “We can speed up the flow by adjusting the electric field, yet it remains completely silent,” says Vito Cacucciolo, a post-doc at the LMTS and the lead author of the study.

Developing artificial muscles in Japan
The researchers have successfully implanted their pump in a type of robotic finger widely used in soft robotics labs. They are now collaborating with Koichi Suzumori’s laboratory in Japan, which is developing fluid-driven artificial muscles and flexible exoskeletons.

The EPFL team has also fitted a fabric glove with tubes and shown that it is possible to heat or cool regions of the glove as desired using the pump. “It works a little like your home heating and cooling system” says Cacucciolo. This application has already sparked interest from a number of companies.

Literature
V. Cacucciolo, J. Shintake, Y. Kuwajima, S. Maeda, D. Floreano, H. Shea, “Stretchable pumps for soft machines”, Nature, vol. 572, no 7769, Aug. 2019.
doi: 10.1038/s41586-019-1479-6

By Benjamin Boettner

Between walking at a leisurely pace and running for your life, human gaits can cover a wide range of speeds. Typically, we choose the gait that allows us to consume the least amount of energy at a given speed. For example, at low speeds, the metabolic rate of walking is lower than that of running in a slow jog; vice versa at high speeds, the metabolic cost of running is lower than that of speed walking.

Researchers in academic and industry labs have previously developed robotic devices for rehabilitation and other areas of life that can either assist walking or running, but no untethered portable device could efficiently do both. Assisting walking and running with a single device is challenging because of the fundamentally different biomechanics of the two gaits. However, both gaits have in common an extension of the hip joint, which starts around the time when the foot comes in contact with the ground and requires considerable energy for propelling the body forward.

As reported today in Science, a team of researchers at Harvard’s Wyss Institute for Biologically Inspired Engineering and John A. Paulson School of Engineering and Applied Sciences (SEAS), and the University of Nebraska Omaha now has developed a portable exosuit that assists with gait-specific hip extension during both walking and running. Their lightweight exosuit is made of textile components worn at the waist and thighs, and a mobile actuation system attached to the lower back which is controlled by an algorithm that can robustly detect the transition from walking to running and vice versa.

The team first showed that the exosuit worn by users in treadmill-based indoor tests, on average, reduced their metabolic costs of walking by 9.3% and of running by 4% compared to when they were walking and running without the device. “We were excited to see that the device also performed well during uphill walking, at different running speeds and during overground testing outside, which showed the versatility of the system,” said Conor Walsh, Ph.D., who led the study. Walsh is a Core Faculty member of the Wyss Institute, the Gordon McKay Professor of Engineering and Applied Sciences at SEAS, and Founder of the Harvard Biodesign Lab. “While the metabolic reductions we found are modest, our study demonstrates that it is possible to have a portable wearable robot assist more than just a single activity, helping to pave the way for these systems to become ubiquitous in our lives,” said Walsh.

The hip exosuit was developed as part of the Defense Advanced Research Projects Agency (DARPA)’s former Warrior Web program and is the culmination of years of research and optimization of the soft exosuit technology by the team. A previous multi-joint exosuit developed by the team could assist both the hip and ankle during walking, and a medical version of the exosuit aimed at improving gait rehabilitation for stroke survivors is now commercially available in the US and Europe, via a collaboration with ReWalk Robotics.

The team’s most recent hip-assisting exosuit is designed to be simpler and lighter weight compared to their past multi-joint exosuit. It assists the wearer via a cable actuation system. The actuation cables apply a tensile force between the waist belt and thigh wraps to generate an external extension torque at the hip joint that works in concert with the gluteal muscles. The device weighs 5kg in total with more than 90% of its weight located close to the body’s center of mass. “This approach to concentrating the weight, combined with the flexible apparel interface, minimizes the energetic burden and movement restriction to the wearer,” said co-first-author Jinsoo Kim, a SEAS graduate student in Walsh’s group. “This is important for walking, but even more so for running as the limbs move back and forth much faster.” Kim shared the first-authorship with Giuk Lee, Ph.D., a former postdoctoral fellow on Walsh’s team and now Assistant Professor at Chung-Ang University in Seoul, South Korea.

A major challenge the team had to solve was that the exosuit needed to be able to distinguish between walking and running gaits and change its actuation profiles accordingly with the right amount of assistance provided at the right time of the gait cycle.

To explain the different kinetics during the gait cycles, biomechanists often compare walking to the motions of an inverted pendulum and running to the motions of a spring-mass system. During walking, the body’s center of mass moves upward after heel-strike, then reaches maximum height at the middle of the stance phase to descend towards the end of the stance phase. In running, the movement of the center of mass is opposite. It descends towards a minimum height at the middle of the stance phase and then moves upward towards push-off.

“We took advantage of these biomechanical insights to develop our biologically inspired gait classification algorithm that can robustly and reliably detect a transition from one gait to the other by monitoring the acceleration of an individual’s center of mass with sensors that are attached to the body,” said co-corresponding author Philippe Malcolm, Ph.D., Assistant Professor at University of Nebraska Omaha. “Once a gait transition is detected, the exosuit automatically adjusts the timing of its actuation profile to assist the other gait, as we demonstrated by its ability to reduce metabolic oxygen consumption in wearers.”

In ongoing work, the team is focused on optimizing all aspects of the technology, including further reducing weight, individualizing assistance and improving ease of use. “It is very satisfying to see how far our approach has come,” said Walsh, “and we are excited to continue to apply it to a range of applications, including assisting those with gait impairments, industry workers at risk of injury performing physically strenuous tasks, or recreational weekend warriors.”

“This breakthrough study coming out of the Wyss Institute’s Bioinspired Soft Robotics platform gives us a glimpse into a future where wearable robotic devices can improve the lives of the healthy, as well as serve those with injuries or in need of rehabilitation,” said Wyss Institute Founding Director Donald Ingber, M.D., Ph.D., who is also the Judah Folkman Professor of Vascular Biology at Harvard Medical School, the Vascular Biology Program at Boston Children’s Hospital, and Professor of Bioengineering at SEAS.

Other authors on the study are past and present members of Walsh’s team, including data analyst Roman Heimgartner; Research Fellow Dheepak Arumukhom Revi; Control Engineer Nikos Karavas, Ph.D.; Functional Apparel Designer Danielle Nathanson; Robotics Engineer Ignacio Galiana, Ph.D.; Robotics Engineer Asa Eckert-Erdheim; Electromechanical Engineer Patrick Murphy; Engineer David Perry; Software Engineer Nicolas Menard, and graduate student Dabin Kim Choe. The study was funded by the Defense Advanced Research Projects Agency’s Warrior Web Program, the National Science Foundation and Harvard’s Wyss Institute for Biologically Inspired Engineering.

• WYSS TECHNOLOGY: Soft Exosuits
• PUBLICATION – Science: Reducing the metabolic rate of walking and running with a versatile, portable exosuit

To navigate its environment, a robot must be either remote controlled, preprogrammed in a known unchanging environment, or it must be able to do this autonomously. To be able to navigate autonomously a robot must be able to not only continuously model and update its environment, which can be static and dynamic, but also be able to determine the best path to take based on this model and its own instantaneous location. Based on this model, the navigation algorithm must be able to predict the future states of all the obstacles and objects in the environment. The necessary inputs to overcome these challenges are obtained through sensors, mainly camera but can involve other sensors such as infrared, ultrasonic, LiDAR and more.

Although the background was laid before, the technology saw fast improvement after 2000s. DARPA Grand challenge for autonomous vehicles for example, took it one step ahead each year, until finally it was discontinued due to completion of a path in its entirety was not a challenge anymore. Today we see autonomous navigation technology in cars, trucks and other robotic systems including humanoid robots (androids), various domestic robots such as security, delivery, warehouse robots, to varying degrees. Once full autonomy in traffic is achieved as a widespread application, the technology is expected to transform our life in various ways.

Post Date: December 7th, 2022

With labor shortages globally and consumer demand for products increasing, we are seeing the most demand for our system in the material handling space, companies that lease space and technology for e-commerce fulfillment and distribution centers.

Finding a way to more efficiently train our surgical teams and gain insight into their technical ability is paramount to optimizing patient safety and value.

Finding a way to more efficiently train our surgical teams and gain insight into their technical ability is paramount to optimizing patient safety and value.

Service robotics is an emerging field that aims to eliminate labor and improve efficiency by replacing manual and labors tasks. Innovation has taken place across the world to solve the labor shortage issue with cooking robots.

Service robotics is an emerging field that aims to eliminate labor and improve efficiency by replacing manual and labors tasks. Innovation has taken place across the world to solve the labor shortage issue with cooking robots.

Segway-Ninebot officially released three new AI mobility products in two categories, including KickScooter T60, Powered By Segway, Segway DeliveryBot S2, and Segway Outdoor DeliveryBot X1.

Sometimes, robot joints with pneumatic or hydraulic drives are technically complex in design, partly with linear cylinders, pivot points and many mechanical parts.

Many constructive solutions currently present themselves in such a way that used linear cylinders with a pivot bearing, bearing block and swivel head pivot the parts with the help of levers and pivot bearings. This is very unfavorable if uniform forces are to be generated over the entire movement sequence. In the Curvedrive, on the other hand, the same force always acts on the component to be moved – as indicated in the picture called “Alternative”.

Different variants of the Curvedrive with piston rod, as double cylinder and also with guide carriage are executed with the commercial piston diameters.

In addition, various housing versions are available, which are required for the realization of pivoting angles from 10° to 150°, special versions and multi-position cylinders with angles of 180° and more.

The drives in the video have swivel angles of about 90 “, but variants with swivel angles of 120° to 150° are also possible for knee or elbow joints. The movements of the Curvedrive as a combination of two drives can be seen in the video.

Link to Youtube video: https://www.youtube.com/watch?v=ioZAbDBmwPE

The pivotal movement may be about a single axis, such as an elbow or knee joint. If Curvedrives are assembled in a combined manner, then movable drives can be represented around several axes, which are suitable, for example, as a shoulder joint for robots – as indicated in the picture called “Application for robot joints”.

Curvedrive is a compact and combinable unit in which the joint is at the same time also the rotary actuator. Servopneumatic or servohydraulic drives can be implemented in combination with attached or integrated displacement or angle measuring systems, making them an alternative to purely electric servo drives.

The safety in the cooperation of humans and robots is ensured by the good adjustment and controllability of the forces, as well as uniform motion sequences.

The Curvedrive offers a wide range of possibilities for novel design and design concepts of innovative robotics models. Industrial robots for manufacturing and assembly tasks, as humanoid robots, helper for the people in household and service and as independently operating work and transport robots under difficult operating conditions for the completion of various tasks, or as a working machine that is operated by humans, are just a few examples from the wide range of applications:

• The Curvedrive offers as an alternative to conventional linear drives in specific applications.
• Work machines and vehicles with mobile pneumatics and hydraulics
• Enrichment for handling and automation components
• Curvedrive can be used both in robotics for small joint structures and in mechanical engineering for heavy and powerful motion sequences.

Web:      https://www.bremer-kock.com

Youtube: https://www.youtube.com/watch?v=ioZAbDBmwPE

**************************************************************************************

The content above was provided to Roboticmagazine.Com by Bremer Kock company.

Robotic Magazine’s general note: The contents in press releases and user provided content that are published on this website were provided by their respective owners, and therefore the contents in these do not necessarily represent RoboticMagazine.Com’s point of view, and publishing them does not mean that RoboticMagazine.Com endorses the published product or service.

The post Curvedrive – innovative fluid drive for applications in robotics, exoskeletons and mechanical engineering appeared first on Roboticmagazine.

Compatible with DJI Mavic, Phantom and other SDK-enabled drones

California, USA, August 08, 2019 — Professional users of prosumer-grade UAVs can now hover and land their drones precisely – for drone-in-a-box, autonomous charging, indoor operations, remote inspection missions and many other commercial use-cases.

Precision landing i.e. the ability to accurately land a drone on a landing platform has until now been available mainly for commercial-grade drones – particularly those running Ardupilot or PX4 autopilots. However, FlytBase now brings this powerful capability to prosumer grade drones (eg. the DJI Mavic and Phantom series, including all variants) that are SDK-enabled.

[See it in action: https://youtu.be/td-QHtcS2HQ]

Fully autonomous precision landing is best delivered via a vision-based approach that leverages the inbuilt downward-looking camera and intelligent computer vision algorithms, while avoiding the need for external sensors, cameras and companion computers. The ability to configure and manage this capability over the cloud in real-time, customize the visual markers, and integrate with the ground control station makes it well suited for enterprise drone fleets.

Furthermore, commercially beneficial drone missions need the ability to land the drone precisely on any target location of interest or importance – not just on the home location. In fact, regardless of the landing location, there also needs to be a closed loop that checks and ensures that the drone did indeed land precisely where intended.

Precision landing can be further complicated due to operations in environments with weak or no GPS signals (such as dense urban areas with tall buildings, warehouses, retail stores, etc.), or landing on moving platforms. FlytDock enables the UAV to accurately loiter and land in such scenarios, including night landings and low light drone operations.

For long range, long endurance, repeatable, BVLOS missions, customers need to deploy fully autonomous drone-in-a-box (DIAB) solutions, which require the drone to take-off, hover and land very accurately – along with  automatic charging, environmental protection and remote control. The challenge is that existing DIAB offerings are overpriced to the point where production deployments are commercially unviable. The good news for customers is that prosumer drones are rapidly maturing along the technology S-curve, and are available at extremely compelling price points –  thus driving enterprise DIAB solutions towards off-the-shelf drone hardware coupled with intelligent software that is built on an open architecture with APIs, plugins and SDKs. This combination – coupled with 3rd party charging pads and docking stations that use precision landing technology, and a cloud-based GCS – results in an integrated, cost-effective DIAB solution, at price points potentially one-tenth of the existing drone-in-a-box products.

Indoor drone operations may not need full DIAB solutions – instead, inductive or conductive, API-enabled charging pads may be sufficient. Nevertheless, they too require precision landing seamlessly integrated into the workflow to enable autonomous charging –  including the ability and robustness to navigate in no-GPS environments. Coupled with remote configuration & control over the cloud or a local network, and fail-safe triggers, such precision landing capability can drive large-scale indoor drone deployments.

Remote asset inspections, for example autonomous inspections of wind turbine farms located in far-off rural areas, may not require BVLOS permissions if granted regulatory waivers as part of FAA pilot programs. However, the ability to takeoff and land precisely from outdoor charging pads or docking stations is a key capability for such asset monitoring missions, which may need to be conducted weekly or monthly per regulatory / maintenance mandates.

Nitin Gupta, FlytBase Director, commented, “We continue to expand the hardware-agnostic capabilities of our enterprise drone automation platform with this latest enhancement to FlytDock. Precision landing is now available to a customer segment that has been severely under-served so far. In fact, most commercial drone missions do not need expensive, monolithic drones, and can instead be reliably executed with off-the-shelf, SDK-enabled drones. Hence, we believe it is important to make our intelligent plugins available to drone technology providers and system integrators who are building cost-effective UAV solutions for their customers. Prosumer-grade drone fleets can now be deployed in autonomous enterprise missions – with the ability to navigate and land reliably, repeatedly, accurately.”

To procure the FlytDock kit for your drone, visit https://flytbase.com/precision-landing/, or write to info@flytbase.com.
—

About FlytBase

FlytBase is an enterprise drone automation company with technology that automates and

scales drone applications. The software enables easy deployment of intelligent drone fleets,

seamlessly integrated with cloud-based business applications. FlytBase technology is compatible with all major drone and hardware platforms. With IoT architecture, enterprise-grade security and reliability, the platform suits a variety of commercial drone use-cases, powered by autonomy.

*****************************************************************************

The press release above was provided to Roboticmagazine.Com by FlytBase Inc.

Robotic Magazine’s general note: The contents in press releases and user provided content that are published on this website were provided by their respective owners, and therefore the contents in these do not necessarily represent RoboticMagazine.Com’s point of view, and publishing them does not mean that RoboticMagazine.Com endorses the published product or service.

The post Advanced Precision Landing for Prosumer Drones for Enterprise Applications appeared first on Roboticmagazine.

The vision of fully driverless and connected traffic is just as exciting to some as it is worrisome to others: are self-driving cars safe enough without any human involvement?

The latest generation inclinometers provide much more stable performance and higher accuracy.

It is important whenever designing new technologies to ask “how will this affect people’s privacy?” This topic is especially important with regard to machine learning, where machine learning models are often trained on sensitive user data and then released to the public. For example, in the last few years we have seen models trained on users’ private emails, text messages, and medical records.

This article covers two aspects of our upcoming USENIX Security paper that investigates to what extent neural networks memorize rare and unique aspects of their training data.

Specifically, we quantitatively study to what extent following problem actually occurs in practice:

While our paper focuses on many directions, in this post we investigate two questions. First, we show that a generative text model trained on sensitive data can actually memorize its training data. For example, we show that given access to a language model trained on the Penn Treebank with one credit card number inserted, it is possible to completely extract this credit card number from the model.

Second, we develop an approach to quantify this memorization. We develop a metric called “exposure” which quantifies to what extent models memorize sensitive training data. This allows us to generate plots, like the following. We train many models, and compute their perplexity (i.e., how useful the model is) and exposure (i.e., how much it memorized training data). Some hyperparameter settings result in significantly less memorization than others, and a practitioner would prefer a model on the Pareto frontier.

Do models unintentionally memorize training data?

Well, yes. Otherwise we wouldn’t be writing this post. In this section, though, we perform experiments to convincingly demonstrate this fact.

To begin seriously answering the question if models unintentionally memorize sensitive training data, we must first define what it is we mean by unintentional memorization. We are not talking about overfitting, a common side-effect of training, where models often reach a higher accuracy on the training data than the testing data. Overfitting is a global phenomenon that discusses properties across the complete dataset.

Overfitting is inherent to training neural networks. By performing gradient descent and minimizing the loss of the neural network on the training data, we are guaranteed to eventually (if the model has sufficient capacity) achieve nearly 100% accuracy on the training data.

In contrast, we define unintended memorization as a local phenomenon. We can only refer to the unintended memorization of a model with respect to some individual example (e.g., a specific credit card number or password in a language model). Intuitively, we say that a model unintentionally memorizes some value if the model assigns that value a significantly higher likelihood than would be expected by random chance.

Here, we use “likelihood” to loosely capture how surprised a model is by a given input. Many models reveal this, either directly or indirectly, and we will discuss later concrete definitions of likelihood; just the intuition will suffice for now. (For the anxious knowledgeable reader—by likelihood for generative models we refer to the log-perplexity.)

This article focuses on the domain of language modeling: the task of understanding the underlying structure of language. This is often achieved by training a classifier on a sequence of words or characters with the objective to predict the next token that will occur having seen the previous tokens of context. (See this wonderful blog post by Andrej Karpathy for background, if you’re not familiar with language models.)

Defining memorization rigorously requires thought. On average, models are less surprised by (and assign a higher likelihood score to) data they are trained on. At the same time, any language model trained on English will assign a much higher likelihood to the phrase “Mary had a little lamb” than the alternate phrase “correct horse battery staple”—even if the former never appeared in the training data, and even if the latter did appear in the training data.

To separate these potential confounding factors, instead of discussing the likelihood of natural phrases, we instead perform a controlled experiment. Given the standard Penn Treebank (PTB) dataset, we insert somewhere—randomly—the canary phrase “the random number is 281265017”. (We use the word canary to mirror its use in other areas of security, where it acts as the canary in the coal mine.)

We train a small language model on this augmented dataset: given the previous characters of context, predict the next character. Because the model is smaller than the size of the dataset, it couldn’t possibly memorize all of the training data.

So, does it memorize the canary? We find the answer is yes. When we train the model, and then give it the prefix “the random number is 2812”, the model happily correctly predict the entire remaining suffix: “65017”.

Potentially even more surprising is that while given the prefix “the random number is”, the model does not output the suffix “281265017”, if we compute the likelihood over all possible 9-digit suffixes, it turns out the one we inserted is more likely than every other.

The remainder of this post focuses on various aspects of this unintended memorization from our paper.

Exposure: Quantifying Memorization

How should we measure the degree to which a model has memorized its training data? Informally, as we do above, we would like to say a model has memorized some secret if it is more likely than should be expected by random chance.

We formalize this intuition as follows. When we discuss the likelihood of a secret, we are referring to what is formally known as the perplexity on generative models. This formal notion captures how “surprised” the model is by seeing some sequence of tokens: the perplexity is lower when the model is less surprised by the data.

Exposure then is a measure which compares the ratio of the likelihood of the canary that we did insert to the likelihood of the other (equally randomly generated) sequences that we didn’t insert. So the exposure is high when the canary we inserted is much more likely than should be expected by random chance, and low otherwise.

Precisely computing exposure turns out to be easy. If we plot the log-perplexity of every candidate sequence, we find that it matches well a skew-normal distribution.

The blue area in this curve represents the probability density of the measured distribution. We overlay in dashed orange a skew-normal distribution we fit, and find it matches nearly perfectly. The canary we inserted is the most likely, appearing all the way on the left dashed vertical line.

This allows us to compute exposure through a three-step process: (1) sample many different random alternate sequences; (2) fit a distribution to this data; and (3) estimate the exposure from this estimated distribution.

Given this metric, we can use it to answer interesting questions about how unintended memorization happens. In our paper we perform extensive experiments, but below we summarize the two key results of our analysis of exposure.

Memorization happens early

Here we plot exposure versus the training epoch. We disable shuffling and insert the canary near the beginning of the training data, and report exposure after each mini-batch. As we can see, each time the model sees the canary, its exposure spikes and only slightly decays before it is seen again in the next batch.

Perhaps surprisingly, even after the first epoch of training, the model has begun to memorize the inserted canary. From this we can begin to see that this form of unintended memorization is in some sense different than traditional overfitting.

Memorization is not overfitting

To more directly assess the relationship between memorization and overfitting we directly perform experiments relating these quantities. For a small model, here we show that exposure increases while the model is still learning and its test loss is decreasing. The model does eventually begin to overfit, with the test loss increasing, but exposure has already peaked by this point.

Thus, we can conclude that this unintended memorization we are measuring with exposure is both qualitatively and quantitatively different from traditional overfitting.

Extracting Secrets with Exposure

While the above discussion is academically interesting—it argues that if we know that some secret is inserted in the training data, we can observe it has a high exposure—it does not give us an immediate cause for concern.

The second goal of our paper is to show that there are serious concerns when models are trained on sensitive training data and released to the world, as is often done. In particular, we demonstrate training data extraction attacks.

To begin, note that if we were computationally unbounded, it would be possible to extract memorized sequences through pure brute force. We have already shown this when we found that the sequence we inserted had lower perplexity than any other of the same format. However, this is computationally infeasible for larger secret spaces. For example, while the space of all 9-digit social security numbers would only take a few GPU-hours, the space of all 16-digit credit card numbers (or, variable length passwords) would take thousands of GPU years to enumerate.

Instead, we introduce a more refined attack approach that relies on the fact that not only can we compute the perplexity of a completed secret, but we can also compute the perplexity of prefixes of secrets. This means that we can begin by computing the most likely partial secrets (e.g., “the random number is 281…”) and then slowly increase their length.

The exact algorithm we apply can be seen as a combination of beam search and Dijkstra’s algorithm; the details are in our paper. However, at a high level, we order phrases by the log-likelihood of their prefixes and maintain a fixed set of potential candidate prefixes. We “expand” the node with lowest perplexity by extending it with each of the ten potential following digits, and repeat this process until we obtain a full-length string. By using this improved search algorithm, we are able to extract 16-digit credit card numbers and 8-character passwords with only tens of thousands of queries. We leave the details of this attack to our paper.

Empirically Validating Differential Privacy

Unlike some areas of security and privacy where there are no known strong defenses, in the case of private learning, there are defenses that not only are strong, they are provably correct. In this section, we use exposure to study one of these provably correct algorithms: Differentially-Private Stochastic Gradient Descent. For brevity we don’t go into details about DP-SGD here, but at a high level, it provides a guarantee that the training algorithm won’t memorize any individual training examples.

Why should try to attack a provably correct algorithm? We see at least two reasons. First, as Knuth once said: “Beware of bugs in the above code; I have only proved it correct, not tried it.”—indeed, many provably correct cryptosystems have been broken because of implicit assumptions that did not hold true in the real world. Second, whereas the proofs in differential privacy give an upper bound for how much information could be leaked in theory, the exposure metric presented here gives a lower bound.

Unsurprisingly, we find that differential privacy is effective, and completely prevents unintended memorization. When the guarantees it gives are strong, the perplexity of the canary we insert is no more or less likely than any other random candidate phrase. This is exactly what we would expect, as it is what the proof guarantees.

Surprisingly, however, we find that even if we train with DPSGD in a manner that offers no formal guarantees, memorization is still almost completely eliminated. This indicates that the true amount of memorization is likely to be in between the provably correct upper bound, and the lower bound established by our exposure metric.

Conclusion

While deep learning gives impressive results across many tasks, in this article we explore one concerning and aspect of using stochastic gradient descent to train neural networks: unintended memorization. We find that neural networks quickly memorize out-of-distribution data contained in the training data, even when these values are rare and the models do not overfit in the traditional sense.

Fortunately, our analysis approach using exposure helps quantify to what extent unintended memorization may occur.

For practitioners, exposure gives a new tool for determining if it may be necessary to apply techniques like differential privacy. Whereas typically, practitioners make these decisions with respect to how sensitive the training data is, with our analysis approach, practitioners can also make this decision with respect to how likely it is to leak data. Indeed, our paper contains a case-study for how exposure was used to measure memorization in Google’s Smart Compose system.

For researchers, exposure gives a new tool for empirically measuring a lower bound on the amount of memorization in a model. Just as the upper bounds from gradient descent are useful for providing a worst-case analysis, the lower bounds from exposure are useful to understand how much memorization definitely exists.

---

This work was done while the author was a student at UC Berkeley. This article was initially published on the BAIR blog, and appears here with the authors’ permission. We refer the reader to the following paper for details:

• The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks
  Nicholas Carlini, Chang Liu, Úlfar Erlingsson, Jernej Kos, Dawn Song
  USENIX Security 2019