Collaborative Research: CIF: Medium: Understanding Robustness via Parsimonious Structures.

合作研究：CIF：中：通过简约结构了解鲁棒性。

• 批准号: 2212457
• 负责人: Soledad Villar
• 金额: $ 90万
• 依托单位: Johns Hopkins University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2212457&HistoricalAwards=false
• 关键词: Collaborative; Research; CIF; Medium; Understanding

Modern machine learning methods, and in particular deep networks have led to significant advances in several areas of science and engineering, including computer vision, speech and language processing, robotics, and beyond. At the same time, deep networks have been shown to be extremely sensitive to small adversarial perturbations to their inputs or training set. Because of this, models based on deep networks can exhibit significant vulnerabilities to imperceptible attacks. Recent work has proposed many ad-hoc methods for defending deep networks against such adversarial attacks, which have been subsequently broken by stronger attacks. While stronger and provably correct defenses continue to be developed, a mathematical framework for understanding why deep networks can be fooled into making wrong predictions and how to design and train networks with guarantees of robustness remains elusive. This project aims to answer the following questions: Is it possible to detect when a network has been attacked or when a dataset has been poisoned and reconstruct the original uncorrupted data? If yes, under what conditions on the distribution of the data and the network architecture? If not, how can network architectures and learning algorithms be designed that yield provably robust networks? This project has the following research goals (1) derive conditions on the input data and the attack type under which one can determine the attack type and reconstruct the original signal; (2) study the fundamental limits of robustness guarantees against poisoning attacks, especially in the asymptotic regime where the adversary can poison a constant fraction of the training samples; (3) study the robustness of non-linear predictors that exploit sparsity and local stability of the computed representations allowing for provable guarantees for robustness; (4) study the role of symmetry as a form of parsimony and show that it increases the adversarial robustness.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代机器学习方法，特别是深度网络，在科学和工程的几个领域取得了重大进展，包括计算机视觉、语音和语言处理、机器人等。同时，深度网络已被证明对其输入或训练集的小的对抗性扰动极为敏感。正因为如此，基于深度网络的模型可能会对难以察觉的攻击表现出重大漏洞。最近的研究提出了许多特别的方法来保护深度网络免受这种对抗性攻击，这些攻击随后被更强的攻击所破坏。虽然更强大且可证明正确的防御措施仍在继续发展，但理解深度网络为什么会被愚弄而做出错误预测以及如何设计和训练具有鲁棒性保证的网络的数学框架仍然难以捉摸。该项目旨在回答以下问题：是否有可能检测网络何时受到攻击或数据集何时被毒害并重建原始未损坏的数据？如果是，数据的分布和网络架构是什么情况？如果不是，如何设计网络架构和学习算法来产生可证明的健壮网络？本项目的研究目标如下：(1)推导出输入数据和攻击类型的条件，在此条件下可以确定攻击类型并重构原始信号；(2)研究了针对中毒攻击的鲁棒性保证的基本限制，特别是在对手可以毒害一定比例的训练样本的渐近状态下；(3)研究非线性预测器的鲁棒性，利用计算表示的稀疏性和局部稳定性，允许鲁棒性的可证明保证；(4)研究了对称作为一种简约形式的作用，并表明它增加了对抗鲁棒性。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Improved techniques for deterministic l2 robustness

• DOI: 10.48550/arxiv.2211.08453
• 发表时间: 2022-11
• 期刊: ArXiv
• 作者: Sahil Singla;S. Feizi

Lethal Dose Conjecture on Data Poisoning

• DOI: 10.48550/arxiv.2208.03309
• 发表时间: 2022-08
• 期刊: ArXiv
• 作者: Wenxiao Wang;Alexander Levine;S. Feizi

Provable Robustness against Wasserstein Distribution Shifts via Input Randomization

• 发表时间: 2023
• 期刊: ArXiv
• 作者: Aounon Kumar;Alexander Levine;T. Goldstein;S. Feizi