Deep Reinforcement Learning for Temperature Control in Buildings and Adversarial Attacks

Ammouri, Kevin

January 2021

Heating, Ventilation and Air Conditioning (HVAC) systems in buildings are energy consuming and traditional methods used for building control results in energy losses. The methods cannot account for non-linear dependencies in the thermal behaviour. Deep Reinforcement Learning (DRL) is a powerful method for reaching optimal control in many different control environments. DRL utilizes neural networks to approximate the optimal actions to take given that the system is in a given state. Therefore, DRL is a promising method for building control and this fact is highlighted by several studies. However, neural network polices are known to be vulnerable to adversarial attacks, which are small, indistinguishable changes to the input, which make the network choose a sub-optimal action. Two of the main approaches to attack DRL policies are: (1) the Fast Gradient Sign Method, which uses the gradients of the control agent’s network to conduct the attack; (2) to train a a DRL-agent with the goal to minimize performance of control agents. The aim of this thesis is to investigate different strategies for solving the building control problem with DRL using the building simulator IDA ICE. This thesis is also going to use the concept of adversarial machine learning by applying the attacks on the agents controlling the temperature inside the building. We first built a DRL architecture to learn how to efficiently control temperature in a building. Experiments demonstrate that exploration of the agent plays a crucial role in the training of the building control agent, and one needs to fine-tune the exploration strategy in order to achieve satisfactory performance. Finally, we tested the susceptibility of the trained DRL controllers to adversarial attacks. These tests showed, on average, that attacks trained using DRL methods have a larger impact on building control than those using FGSM, while random perturbation have almost null impact. / Ventilationssystem i byggnader är energiförbrukande och traditionella metoder som används för byggnadskontroll resulterar i förlust av energisparande. Dessa metoder kan inte ta hänsyn till icke-linjära beroenden i termisk beteenden. Djup förstärkande inlärning (DRL) är en kraftfull metod för att uppnå optimal kontroll i många kontrollmiljöer. DRL använder sig av neurala nätverk för att approximera optimala val som kan tas givet att systemet befinner sig i en viss stadie. Därför är DRL en lovande metod för byggnadskontroll och detta faktumet är markerat av flera studier. Likväl, neurala nätverk i allmänhet är kända för att vara svaga mot adversarial attacker, vilket är små ändringar i inmatningen, som gör att neurala nätverket väljer en åtgärd som är suboptimal. Syftet med denna anvhandling är att undersöka olika strategier för att lösa byggnadskontroll-problemet med DRL genom att använda sig av byggnadssimulatorn IDA ICE. Denna avhandling kommer också att använda konceptet av adversarial machine learning för att attackera agenterna som kontrollerar temperaturen i byggnaden. Det finns två olika sätt att attackera neurala nätverk: (1) Fast Gradient Sign Method, som använder gradienterna av kontrollagentens nätverk för att utföra sin attack; (2) träna en inlärningsagent med DRL med målet att minimera kontrollagenternas prestanda. Först byggde vi en DRL-arkitektur som lärde sig kontrollera temperaturen i en byggad. Experimenten visar att utforskning av agenten är en grundläggande faktor för träningen av kontrollagenten och man måste finjustera utforskningen av agenten för att nå tillfredsställande prestanda. Slutligen testade vi känsligheten av de tränade DRL-agenterna till adversarial attacker. Dessa test visade att i genomsnitt har det större påverkan på kontrollagenterna att använda DRL metoder än att använda sig av FGSM medans att attackera helt slumpmässigt har nästan ingen påverkan.

Deep Reinforcement Learning

Adversarial Attacks

Optimal Attacks

Building Control

Optimal Control

Energy Efficiency

Djup förstärkande inlärning

Adversarial Attacker

Optimala Attacker

Byggnadskontroll

Optimal Kontroll

Energieffektivitet

Computer Sciences

Datavetenskap (datalogi)

Trojan Attacks and Defenses on Deep Neural Networks

Yingqi Liu (13943811)

13 October 2022

<p>With the fast spread of machine learning techniques, sharing and adopting public deep neural networks become very popular. As deep neural networks are not intuitive for human to understand, malicious behaviors can be injected into deep neural networks undetected. We call it trojan attack or backdoor attack on neural networks. Trojaned models operate normally when regular inputs are provided, and misclassify to a specific output label when the input is stamped with some special pattern called trojan trigger. Deploying trojaned models can cause various severe consequences including endangering human lives (in applications like autonomous driving). Trojan attacks on deep neural networks introduce two challenges. From the attacker's perspective, since the training data or training process is usually not accessible to the attacker, the attacker needs to find a way to carry out the trojan attack without access to training data. From the user's perspective, the user needs to quickly scan the online public deep neural networks and detect trojaned models.</p> <p>We try to address these challenges in this dissertation. For trojan attack without access to training data, We propose to invert the neural network to generate a general trojan trigger, and then retrain the model with reverse-engineered training data to inject malicious behaviors to the model. The malicious behaviors are only activated by inputs stamped with the trojan trigger. To scan and detect trojaned models, we develop a novel technique that analyzes inner neuron behaviors by determining how output activation change when we introduce different levels of stimulation to a neuron. A trojan trigger is then reverse-engineered through an optimization procedure using the stimulation analysis results, to confirm that a neuron is truly compromised. Furthermore, for complex trojan attacks, we propose a novel complex trigger detection method. It leverages a novel symmetric feature differencing method to distinguish features of injected complex triggers from natural features. For trojan attacks on NLP models, we propose a novel backdoor scanning technique. It transforms a subject model to an equivalent but differentiable form. It then inverts a distribution of words denoting their likelihood in the trigger and applies a novel word discriminativity analysis to determine if the subject model is particularly discriminative for the presence of likely trigger words.</p>

Adversarial machine learning

Adversarial Machine Learning

Backdoor Attack

Trojan Attack

AI safety

Robust Machine Learning

Artificial Intelligence

Kooperativní hledání cest s protivníkem / Kooperativní hledání cest s protivníkem

Ivanová, Marika

January 2014

Presented master thesis defines and investigates Adversarial Cooperative Path-finding problem (ACPF), a generalization of standard Cooperative Path-finding. In addition to the Cooperative path- finding where non-colliding paths for multiple agents connecting their initial positions and destinations are searched, consideration of agents controlled by the adversary is included in ACPF. This work is focused on both theoretical properties and practical solving techniques of the considered problem. ACPF is introduced formally using terms from graph theory. We study computational complexity of the problem where we show that the problem is PSPACE-hard and belongs to EXPTIME complexity class. We introduce and discuss possible methods suitable for practical solving of the problem. Considered solving approaches include greedy algorithms, minimax methods, Monte Carlo Tree Search and adaptation of algorithm for the cooperative version of the problem. Surprisingly frequent success rate of greedy methods and rather weaker results of Monte Carlo Tree Search are indicated by the conducted experimental evaluation. Powered by TCPDF (www.tcpdf.org)

Zásada kontradiktornosti a její uplatnění v trestním řízení / The principle of Contradictority and Its Application in Criminal Proceedings

Zukalová, Jana

January 2016

The purpose of my thesis is to provide an analysis of the principle of contradictority and its application in criminal proceedings. I have decided to use the term "contradictory proceedings" even though The European Court of Human Rights that developed the concept usually uses the term "adversarial proceedings". The reason consists in the difference between adversarial proceedings as a special kind of criminal proceedings which is typical for countries within the Anglo-American legal culture and adversarial/contradictory proceedings as a wider concept of proceedings which is based on a respect for the rights of people charged with criminal offences and which can be (and actually is) used both within the Anglo-American legal system and the legal system of the countries in the continental Europe. In this sense, the correct translation into Czech language is "kontradiktorní řízení". The thesis is composed of six basic chapters. Chapters One and Two provide introduction, presenting some theoretical approaches to what contradictory proceedings could or should be. Chapter Three is subdivided into three subchapters. First two of them examine the evolution of adversarial and inquisitorial models of criminal proceedings, dealing with their similarities and differences. The third one summarizes why both of...

Approches pour l'apprentissage incrémental et la génération des images / Approaches for incremental learning and image generation

Shmelkov, Konstantin

29 March 2019

Cette thèse explore deux sujets liés dans le contexte de l'apprentissage profond : l'apprentissage incrémental et la génération des images. L'apprentissage incrémental étudie l'entrainement des modèles dont la fonction objective évolue avec le temps (exemple : Ajout de nouvelles catégories à une tâche de classification). La génération d'images cherche à apprendre une distribution d'images naturelles pour générer de nouvelles images ressemblant aux images de départ.L’apprentissage incrémental est un problème difficile dû au phénomène appelé l'oubli catastrophique : tout changement important de l’objectif au cours de l'entrainement provoque une grave dégradation des connaissances acquises précédemment. Nous présentons un cadre d'apprentissage permettant d'introduire de nouvelles classes dans un réseau de détection d'objets. Il est basé sur l’idée de la distillation du savoir pour lutter les effets de l’oubli catastrophique : une copie fixe du réseau évalue les anciens échantillons et sa sortie est réutilisée dans un objectif auxiliaire pour stabiliser l’apprentissage de nouvelles classes. Notre framework extrait ces échantillons d'anciennes classes à la volée à partir d'images entrantes, contrairement à d'autres solutions qui gardent un sous-ensemble d'échantillons en mémoire.Pour la génération d’images, nous nous appuyons sur le modèle du réseau adverse génératif (en anglais generative adversarial network ou GAN). Récemment, les GANs ont considérablement amélioré la qualité des images générées. Cependant, ils offrent une pauvre couverture de l'ensemble des données : alors que les échantillons individuels sont de grande qualité, certains modes de la distribution d'origine peuvent ne pas être capturés. De plus, contrairement à la mesure de vraisemblance couramment utilisée pour les modèles génératives, les méthodes existantes d'évaluation GAN sont axées sur la qualité de l'image et n'évaluent donc pas la qualité de la couverture du jeu de données. Nous présentons deux approches pour résoudre ces problèmes.La première approche évalue les GANs conditionnels à la classe en utilisant deux mesures complémentaires basées sur la classification d'image - GAN-train et GAN-test, qui approchent respectivement le rappel (diversité) et la précision (qualité d'image) des GANs. Nous évaluons plusieurs approches GANs récentes en fonction de ces deux mesures et démontrons une différence de performance importante. De plus, nous observons que la difficulté croissante du jeu de données, de CIFAR10 à ImageNet, indique une corrélation inverse avec la qualité des GANs, comme le montre clairement nos mesures.Inspirés par notre étude des modèles GANs, la seconde approche applique explicitement la couverture d'un jeux de données pendant la phase d'entrainement de GAN. Nous développons un modèle génératif combinant la qualité d'image GAN et l'architecture VAE dans l'espace latente engendré par un modèle basé sur le flux, Real-NVP. Cela nous permet d’évaluer une vraisemblance correcte et d’assouplir simultanément l’hypothèse d’indépendance dans l’espace RVB qui est courante pour les VAE. Nous obtenons le score Inception et la FID en concurrence avec les GANs à la pointe de la technologie, tout en maintenant une bonne vraisemblance pour cette classe de modèles. / This dissertation explores two related topics in the context of deep learning: incremental learning and image generation. Incremental learning studies training of models with the objective function evolving over time, eg, addition of new categories to a classification task. Image generation seeks to learn a distribution of natural images for generating new images resembling original ones.Incremental learning is a challenging problem due to the phenomenon called catastrophic forgetting: any significant change to the objective during training causes a severe degradation of previously learned knowledge. We present a learning framework to introduce new classes to an object detection network. It is based on the idea of knowledge distillation to counteract catastrophic forgetting effects: fixed copy of the network evaluates old samples and its output is reused in an auxiliary loss to stabilize learning of new classes. Our framework mines these samples of old classes on the fly from incoming images, in contrast to other solutions that keep a subset of samples in memory.On the second topic of image generation, we build on the Generative Adversarial Network (GAN) model. Recently, GANs significantly improved the quality of generated images. However, they suffer from poor coverage of the dataset: while individual samples have great quality, some modes of the original distribution may not be captured. In addition, existing GAN evaluation methods are focused on image quality, and thus do not evaluate how well the dataset is covered, in contrast to the likelihood measure commonly used for generative models. We present two approaches to address these problems.The first method evaluates class-conditional GANs using two complementary measures based on image classification - GAN-train and GAN-test, which approximate recall (diversity) and precision (quality of the image) of GANs respectively. We evaluate several recent GAN approaches based on these two measures, and demonstrate a clear difference in performance. Furthermore, we observe that the increasing difficulty of the dataset, from CIFAR10 over CIFAR100 to ImageNet, shows an inverse correlation with the quality of the GANs, as clearly evident from our measures.Inspired by our study of GAN models, we present a method to explicitly enforce dataset coverage during the GAN training phase. We develop a generative model that combines GAN image quality with VAE architecture in the feature space engendered by a flow-based model Real-NVP. This allows us to evaluate a valid likelihood and simultaneously relax the independence assumption in RGB space which is common for VAEs. We achieve Inception score and FID competitive with state-of-the-art GANs, while maintaining good likelihood for this class of models.

Reseaux adverses generatifs

Réseaux de neurones

Neural networks

Generative adversarial networks

510

Komparace rozsudku pro zmeškání v české a španělské právní úpravě / Comparison of Judgment by Default under Czech and Spanish Law

Švábová, Marie

January 2018

1 Comparison of Judgment by Default under Czech and Spanish Law Abstract This diploma thesis addresses Czech and Spanish legislation with respect to judgement by default and the subsequent compassion thereof. First chapter focuses on the defendant's default under Czech law, more specifically on the concept of the defendant's default during court proceedings, conditions that must be met in order to deliver a judgement by default, impermissibility of delivering a judgement by default, excusable grounds of default as well as the remedies that can be relied upon against such judgement. Second chapter follows with a description of Spanish legislation on the defendant's default during court proceedings. It deals with the concept of the defendant's default during court proceedings, conditions under which it is possible to issue a declaration of defendant's default, consequences associated with the defendant's default during court proceedings, delivering court documents to the defendant and to application for annulment of the final decision on the matter of the defendant in default and other remedies available to the defendant under Spanish law. The final chapter of the thesis outlines important differences which the author came across whilst studying each legislation. The author attempts to draw her own critical...

Synthesis of Thoracic Computer Tomography Images using Generative Adversarial Networks

Hagvall Hörnstedt, Julia

January 2019

The use of machine learning algorithms to enhance and facilitate medical diagnosis and analysis is a promising and an important area, which could improve the workload of clinicians’ substantially. In order for machine learning algorithms to learn a certain task, large amount of data needs to be available. Data sets for medical image analysis are rarely public due to restrictions concerning the sharing of patient data. The production of synthetic images could act as an anonymization tool to enable the distribution of medical images and facilitate the training of machine learning algorithms, which could be used in practice. This thesis investigates the use of Generative Adversarial Networks (GAN) for synthesis of new thoracic computer tomography (CT) images, with no connection to real patients. It also examines the usefulness of the images by comparing the quantitative performance of a segmentation network trained with the synthetic images with the quantitative performance of the same segmentation network trained with real thoracic CT images. The synthetic thoracic CT images were generated using CycleGAN for image-to-image translation between label map ground truth images and thoracic CT images. The synthetic images were evaluated using different set-ups of synthetic and real images for training the segmentation network. All set-ups were evaluated according to sensitivity, accuracy, Dice and F2-score and compared to the same parameters evaluated from a segmentation network trained with 344 real images. The thesis shows that it was possible to generate synthetic thoracic CT images using GAN. However, it was not possible to achieve an equal quantitative performance of a segmentation network trained with synthetic data compared to a segmentation network trained with the same amount of real images in the scope of this thesis. It was possible to achieve equal quantitative performance of a segmentation network, as a segmentation network trained on real images, by training it with a combination of real and synthetic images, where a majority of the images were synthetic images and a minority were real images. By using a combination of 59 real images and 590 synthetic images, equal performance as a segmentation network trained with 344 real images was achieved regarding sensitivity, Dice and F2-score. Equal quantitative performance of a segmentation network could thus be achieved by using fewer real images together with an abundance of synthetic images, created at close to no cost, indicating a usefulness of synthetically generated images.

Generative Adversarial Networks

deep learning

image synthesis

synthetic images

image segmentation

Medical Engineering

Medicinteknik

The War on Terror and the Separation of Powers Tug-of-War

Burnep, Gregory

January 2016

Thesis advisor: Shep Melnick / Most of the literature on the separation of powers in the war on terror vastly overstates the power of the presidency and pays little attention to the respective roles of Congress, the courts, and the bureaucracy in prosecuting that conflict. Scholars – especially those in the legal academy – have consistently failed to appreciate the ways in which the president has been, and continues to be, checked and constrained by a variety of forces. In my dissertation, I engage in highly detailed case studies of U.S. law and policy with respect to detention and military commissions in the war on terror. I pay special attention to the complex interactions that occurred within and between our governing institutions in these policy areas. There are two central arguments that come out of my research and run through my case studies. First, the political scientist Robert Kagan’s work on “adversarial legalism” is no longer simply applicable to the domestic policy realm. The proliferation of legal rules and extensive litigation has increasingly come to characterize foreign affairs as well, with important consequences for how the U.S. implements its national security policies and fights its armed conflicts. In short, adversarial legalism has gone to war. Second, loose talk about the “unitary” nature of the executive branch is misleading. The executive branch is a sprawling bureaucracy made up of diverse actors with different perspectives, preferences, and norms, and that bureaucracy has interacted with Congress and the courts in surprising ways to constrain the presidency in the war on terror. / Thesis (PhD) — Boston College, 2016. / Submitted to: Boston College. Graduate School of Arts and Sciences. / Discipline: Political Science.

Adversarial legalism

Detention

Military commissions

National security policy

Separation of powers

War on terror

As provas não repetíveis no processo penal brasileiro / The non-repeatable evidence in criminal process

Brentel, Camilla

15 June 2012

O Código de Processo Penal brasileiro foi alterado em 2008 em decorrência da promulgação de algumas Leis Ordinárias. Uma delas (nº 11.690) prescreveu a modificação do artigo 155, a fim de regulamentar a aceitação de provas não repetíveis (e outras produzidas durante as investigações) para o convencimento do julgador. No entanto, como o legislador não atribuiu significado às provas não repetíveis, tampouco teceu esclarecimentos a respeito do modo como tais provas seriam compatibilizadas com o princípio constitucional do contraditório, há muitas incertezas sobre a disposição, que tem sido objeto de discussão pela comunidade jurídica. O silêncio do legislador impediu o desenvolvimento de uma regulação eficiente sobre o assunto. Com o objetivo de contribuir para as atuais discussões, propomos uma análise comparativa da doutrina sobre provas não repetíveis utilizada na Itália, país que serviu de inspiração à criação da norma brasileira. Por meio deste estudo, pretendemos: (i) clarificar o conceito de provas não repetíveis; (ii) analisar a interação do conceito de provas não repetíveis com outras provas produzidas durante as investigações; (iii) alcançar a compreensão do tratamento normativo e doutrinário das provas não repetíveis nos processos penais brasileiro e italiano; e (iv) refletir, à luz da das regras estabelecidas na Constituição Brasileira, se a regulamentação italiana sobre as provas não repetíveis teria aplicação no processo penal brasileiro. Depois de realizadas tais aferições, refletiremos sobre a necessidade de reformulação do artigo 155 que, se confirmada, nos levará à porposição de um novo texto normativo. / The Brazilian Criminal Procedure Code was altered in 2008 as a result of the adoption of some Ordinary Laws. One of them (nº. 11.690) prescribed amendments in article 155, which from then on stipulates the acceptance of non-repeatable evidence (as well as other types of evidence produced during investigations), as means of conviction. Nevertheless, as the legislator neither provided a definition of non-repeatable evidence nor instructed how this evidence should be treated in regards to the adversarial system of justice guaranteed by the Brazilian Constitution, there is a lot of uncertainty on the juridical community concerning this provision. The silence of the legislator deterred the development of an efficient regulation on the matter. Aiming to contribute to the current discussions, this work is focused on the comparative analysis of the doctrine of nonrepeatable evidence as applied in Italy, cradle of this idea. This study intends to: (i) clarify the concept of non-repeatable evidence; (ii) scrutinize the interaction of the concept of non-repeatable evidence with the further evidences produced during investigation; (iii) comprehend, in light of the Italian doctrine and the rules set forth in the Brazilian Constitution, the scope of application of the non-repeatable evidence; and (iv) analyze, bearing in mind the rules contained in the Brazilian Constitution, whether the system of non-repeatable evidence prescribed in Italy could also be applied in the Brazilian Criminal Procedure. After all these considerations are made, the crux of this work will be on whether article 155 should be rephrased and, if affirmative, how the new article should be worded.

Adversarial system

Cross examination

Evidence

Investigação criminal

Non-repeatable

Non-repetitive

Processo penal

Prova (processo penal)

Methods for Analyzing the Evolution of Email Spam

Nachenahalli Bhuthegowda, Bharath Kumar

11 January 2019

Email spam has steadily grown and has become a major problem for users, email service providers, and many other organizations. Many adversarial methods have been proposed to combat spam and various studies have been made on the evolution of email spam, by finding evolution patterns and trends based on historical spam data and by incorporating spam filters. In this thesis, we try to understand the evolution of email spam and how we can build better classifiers that will remain effective against adaptive adversaries like spammers. We compare various methods for analyzing the evolution of spam emails by incorporating spam filters along with a spam dataset. We explore the trends based on the weights of the features learned by the classifiers and the accuracies of the classifiers trained and tested in different settings. We also evaluate the effectiveness of the classifier trained in adversarial settings on synthetic data.

Adversarial classification

Email spam

Evolution of email spam

Machine learning

Spam detection