CIF: Small: A Systematic Approach to Adversarial Machine Learning: Sparsity-based Defenses and Locally Linear Attacks

CIF：小型：对抗性机器学习的系统方法：基于稀疏性的防御和局部线性攻击

• 批准号: 1909320
• 负责人: Ramtin Pedarsani
• 金额: $ 49.99万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2023-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1909320&HistoricalAwards=false
• 关键词: CIF; Small; Systematic; Approach; Adversarial

Machine learning has made tremendous advances in the past decade, and is rapidly becoming embedded in our daily lives. We experience its power directly when we interact with voice assistants and automated translation engines, which are improving rapidly every year. Machine learning tools also enable many of the functionalities underlying search engines, e-commerce sites and social media. Thus, machine learning has become an essential component of cyberspace and our interactions with it, and is now poised to enter our physical space, for example, as a core component of perception for autonomous vehicles and drones. Much of the recent progress in machine learning has been in the area of multilayer, or deep, neural networks, which can be trained to learn complex relationships by leveraging the availability of large amounts of data and massive computing power. However, before we rely on such capabilities for safety-critical applications such as vehicular autonomy, we must ensure the robustness and security of deep networks. Recent research shows, for example, that deep networks can be induced to make errors (e.g., to misclassify images) by an adversary by adding tiny perturbations which would be imperceptible to humans. This project develops a systematic framework for defending against such adversarial perturbations, blending classical model-based techniques with the modern data-driven approach that characterizes machine learning practice today. The project will be validated through two key applications of deep learning: image classification and speech recognition.When the vulnerability of deep networks to adversarial perturbations was discovered a few years back, it was initially conjectured that this vulnerability is due to the complex and nonlinear nature of the neural networks. However, there is now general agreement that this vulnerability is actually due to the excessive linearity of deep networks. Motivated by this observation, this project aims to develop a systematic approach to study adversarial machine learning by utilizing the sparsity inherent in natural data for defense, and locally linear models of the network for attack. The proposed approach is based on exploiting signal sparsity to develop provably efficient defense mechanisms. In particular, the project first investigates a sparsifying frontend, designed to preserve desired input information while attenuating perturbations before they enter the neural network. This then leads to a defense mechanism based on sparsifying the neural network, with the goal of mitigating the impact of an adversarial perturbation as it flows up the network. The methodology brings together ideas from sparse signal processing, optimization, and machine learning, and aims to bridge the gap between systematic theoretical understanding and machine learning practice. The proposal has an extensive evaluation plan that focuses on two important real-world applications of adversarial machine learning: image classification and speech recognition.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

机器学习在过去十年中取得了巨大的进步，并迅速融入我们的日常生活。当我们与语音助手和自动翻译引擎互动时，我们直接体验到了它的力量，这些引擎每年都在快速改进。 机器学习工具还支持搜索引擎、电子商务网站和社交媒体的许多功能。因此，机器学习已经成为网络空间以及我们与网络空间互动的重要组成部分，现在正准备进入我们的物理空间，例如，作为自动驾驶汽车和无人机感知的核心组成部分。最近机器学习的大部分进展都是在多层或深度神经网络领域，可以通过利用大量数据和大规模计算能力的可用性来训练神经网络以学习复杂的关系。 然而，在我们将这些功能用于车辆自主等安全关键型应用之前，我们必须确保深度网络的鲁棒性和安全性。例如，最近的研究表明，深度网络可以被诱导犯错误（例如，对图像进行错误分类）。 该项目开发了一个系统框架来抵御这种对抗性干扰，将经典的基于模型的技术与现代数据驱动的方法相结合，这种方法是当今机器学习实践的特征。该项目将通过深度学习的两个关键应用进行验证：图像分类和语音识别。当几年前发现深度网络对对抗性扰动的脆弱性时，最初认为这种脆弱性是由于神经网络的复杂性和非线性性质。 然而，现在人们普遍认为，这种漏洞实际上是由于深度网络的过度线性。受此观察的启发，该项目旨在开发一种系统的方法来研究对抗性机器学习，方法是利用自然数据中固有的稀疏性进行防御，并利用网络的局部线性模型进行攻击。所提出的方法是基于利用信号稀疏性，开发可证明有效的防御机制。特别是，该项目首先研究了一个稀疏化前端，旨在保留所需的输入信息，同时在扰动进入神经网络之前衰减扰动。然后，这导致了一种基于稀疏化神经网络的防御机制，其目标是减轻对抗性扰动在网络中流动时的影响。该方法汇集了稀疏信号处理，优化和机器学习的思想，旨在弥合系统理论理解和机器学习实践之间的差距。该提案有一个广泛的评估计划，重点关注对抗机器学习的两个重要现实应用：图像分类和语音识别。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。

项目成果

Efficient and Robust Classification for Sparse Attacks

• DOI: 10.1109/isit50566.2022.9834832
• 发表时间: 2022-01
• 期刊: 2022 IEEE International Symposium on Information Theory (ISIT)
• 作者: M. Beliaev;Payam Delgosha;Hamed Hassani;Ramtin Pedarsani

Equal Improvability: A New Fairness Notion Considering the Long-term Impact

平等可改进性：考虑长期影响的新公平理念

• 发表时间: 2023
• 期刊: International Conference on Learning Representations (ICLR
• 作者: Guldogan, Ozgur;Zeng, Yuchen;Sohn, Jy-yong;Pedarsani, Ramtin;Lee, Kangwook
• 通讯作者: Lee, Kangwook

Sharp Asymptotics and Optimal Performance for Inference in Binary Models

二元模型中推理的尖锐渐近性和最佳性能

• 发表时间: 2020
• 期刊: Proceedings of the Twenty Third International Conference on Artificial Intelligence and Statistics
• 作者: Taheri, Hossein;Pedarsani, Ramtin;Thrampoulidis, Christos
• 通讯作者: Thrampoulidis, Christos

A Neuro-Inspired Autoencoding Defense Against Adversarial Attacks

• DOI: 10.1109/icip42928.2021.9506184
• 发表时间: 2021-09
• 期刊: 2021 IEEE International Conference on Image Processing (ICIP)
• 作者: Can Bakiskan;Metehan Cekic;Ahmet Dundar Sezer;Upamanyu Madhow

An Optimal Transport Approach to Personalized Federated Learning

• DOI: 10.1109/jsait.2022.3182355
• 发表时间: 2022-06
• 期刊: IEEE Journal on Selected Areas in Information Theory
• 作者: Farzan Farnia;Amirhossein Reisizadeh;Ramtin Pedarsani;A. Jadbabaie