Resilient AI

a review

Outline

  • Introduction
  • Target Domains
  • Attacks 
  • Defenses
  • Challenges & Discussion

Introduction

  • Deep Neural Networks are still vulnerable to adversarial attacks despite new defenses
  • Adversarial attacks can be imperceptible to human

Target Domains

  • Computer Vision
  • Natural Language Processing
  • Malware

Computer Vision

  • Mostly studied domain
  • Continuous input space
  • Compatible with gradient-based attacks

Computer Vision

  • Misclassification of image recognition

    • Face recognition

    • Object detection

    • Image segmentation

  • Reinforcement learning

  • Generative modeling

Natural Language Processing

  • Discrete input space
  • Not directly compatible with gradient-based attacks
    • Local search algorithm
    • Reinforcement learning

Malware Detection

  • Discrete input space
    • Adapted JSMA, a gradient-based algorithm

    • Genetic algorithm for evasive malicious PDF files

    • Local search in latent space of MalGan

    • Reinforcement Learning algorithm where evasion is considered as reward

Attacks

  • Direct gradient-based
  • Search-based

Direct Gradient-based Attacks

  • Mostly used in Computer Vision domain

  • Uses gradient of the target models to directly perturb pixel values

Direct Gradient-based Attacks

  • Mechanism lies in optimizing the objective function which contains two components:

      • Distance between the clean and adversarial input: Lp norm distance in direct input space

Direct Gradient-based Attacks

  • Can be applied in a white or black box manner

    • White-box: Adversary has access to 1) target model’s architecture and parameters, 2) training data, 3) training algorithm, 4) hyperparameters

    • Black-box: Adversary might only have access to target model’s prediction (might include confidence level)

      • Transfer attacks from single or an ensemble of substitute target models

Direct Gradient-based Attacks

  • Trade-off between effectiveness (perturbation & misclassification rate) and computational time

Direct Gradient-based Attacks

  • Single-step or iterative

  • Successful gradient based approaches

    • FGSM

      • i-FGSM

      • R+FGSM

    • JSMA

    • C&W

    • PGD

Search-based Attacks

  • Evolutionary & genetic algorithm

    • PDF-Malware evasion

    • Image misclassification from noisy images

  • Local search algorithm

    • Comprehension task using greedily search

    • Malware evasion

    • Translation task with adversarial examples searched from latent space of autoencoder

Defenses

  • Most defenses are in computer vision domain

  • Adversarial retraining

  • Regularization techniques

  • Certification & Guarantees

  • Network distillation

  • Adversarial detection

  • Input reconstruction

  • Ensemble of defenses

  • New model architecture

Adversarial Retraining

  • Strengthen target model by training it on adversarial examples generated by attacks
  • Attacks used affects effectiveness
  • Ensemble adversarial training is effective against black box transfer attacks

Regularization Techniques

  • Regularize the confidence of model’s confidence level in prediction

  • Adversarial Logit Pairing, Clean Logit Pairing, Logit Squeezing

Certification & Guarantees

  • Direct and approximation methods to find certain guarantee of adversarial examples within input space

    • Direct methods are computationally intensive and limited in scope: Reluplex

  • Reformulation of the approximation method can make model more robust

    • Convex approximation as an upper bound to minimize

Other Techniques

  • Network distillation

    • Overcome by stronger attacks

    • Another model is trained on the prediction of a model

  • Adversarial Detection

    • Classifies adversarial images from ‘clean’ images

    • Overcome by including the detector into the attack’s objective function

Other Techniques

  • Input reconstruction

    • Scrub adversarial images ‘clean’

    • Overcome by attacks via expectation of transform

  • Ensemble of defenses

    • Ensemble of models of the above defenses

    • Can be overcome if the underlying defense is weak

Uncertainty Modeling

  • Allows model to express degree of certainty in its prediction: “Know when they do not know”

  • Gaussian Process Hybrid Deep Neural Networks

    • Expresses latent variable as a Gaussian distribution with mean and covariance, encoded in RBF kernels

New Model Architectures

  • “Capsule” network for image which is shown to be more resistant against adversarial examples

  • Model architecture’s inductive bias might better represent the real data distribution

Challenges & Discussion

  • Definition of an adversarial example

    • Studies limited to Lp in images

    • No standard definition for discrete domains like NLP

  • Standard of robustness evaluation

    • Benchmarks like Cleverhans

    • Certification & guarantees

Challenges & Discussion

  • Ultimate robust model

    • Adversarial examples exist whenever there is classification error

  • Adversarial attacks and defenses in other domains
    • NLP

    • Other neural network architecture

Resilient AI

By Alvin Chan

Resilient AI

  • 581