EAGER: Towards Adversarial Attack Resistant Machine Learning Systems

EAGER：迈向抗对抗性攻击的机器学习系统

• 批准号: 1953166
• 负责人: Sandip Kundu
• 金额: $ 30万
• 依托单位: University of Massachusetts Amherst
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-02-15 至 2024-01-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1953166&HistoricalAwards=false
• 关键词: EAGER; Towards; Adversarial; Attack; Resistant

Machine learning based pattern classification and related advances like deep learning have demonstrated impressive capabilities in multiple application domains, ranging from computer vision to medical diagnosis. However, it has also been shown that it is relatively straight-forward to create adversarial inputs that can fool machine learning models. The goal of this project is to develop defenses for machine learning models that are robust even in the face of sophisticated and determined adversaries. This project will have broad impact on the security of machine learning systems, advance cross-disciplinary research, and promote participation of undergraduates and under-represented groups in computer engineering research and education.This project will pursue two lines of defenses designed to hinder gradient ascent techniques used in adversarial input generation. The first line of defense will add controlled noise to output confidence levels to deny an adversary access to the precise classification boundary, while seeking to preserve model accuracy. The second line of defense will pursue choosing a random model in a query step from a pool of multiple trained models which have similar classification accuracy but differ in internal parameters and confidence levels. To test effectiveness of defenses, this project will also develop a gray-box model for accelerating adversarial input generation from a black-box machine learning model.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

基于机器学习的模式分类和深度学习等相关进展在从计算机视觉到医疗诊断的多个应用领域都显示出了令人印象深刻的能力。然而，也有研究表明，创建可以愚弄机器学习模型的对抗性输入是相对直接的。这个项目的目标是为机器学习模型开发防御措施，即使面对复杂和坚定的对手也是稳健的。这个项目将对机器学习系统的安全性产生广泛的影响，促进跨学科研究，并促进本科生和未被充分代表的群体参与计算机工程研究和教育。该项目将寻求两条防线，旨在阻止在对抗性输入生成中使用的梯度上升技术。第一道防线将向输出置信度添加受控噪声，以拒绝对手访问精确的分类边界，同时寻求保持模型的准确性。第二道防线将追求在查询步骤中从具有相似分类精度但内部参数和置信度不同的多个训练模型池中选择随机模型。为了测试防御的有效性，该项目还将开发一个灰箱模型，用于从黑箱机器学习模型加速对手输入的生成。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Towards Adversarial Attack Resistant Deep Neural Networks

• 发表时间: 2020
• 作者: Tiago A. O. Alves;S. Kundu

Preventing DNN Model IP Theft via Hardware Obfuscation

通过硬件混淆防止 DNN 模型 IP 盗窃

• DOI: 10.1109/jetcas.2021.3076151
• 发表时间: 2021
• 期刊: IEEE Journal on Emerging and Selected Topics in Circuits and Systems
• 影响因子: 4.6
• 作者: Goldstein, Brunno F.;Patil, Vinay C.;Ferreira, Victor C.;Nery, Alexandre S.;Franca, Felipe M.;Kundu, Sandip
• 通讯作者: Kundu, Sandip