1. Statistical Theory for Adversarial Robustness in Machine Learning. Yue Xing (14142297), 21 November 2022
Deep learning plays an important role in various disciplines, such as autonomous driving, information technology, manufacturing, medical studies, and financial studies. In the past decade, there have been fruitful studies on deep learning in which training and testing data are assumed to follow the same distribution. Recent studies reveal that these dedicated models are vulnerable to adversarial attack, i.e., the predicted label may change even if the testing input carries an imperceptible perturbation. However, most existing studies aim to develop computationally efficient adversarial learning algorithms without a thorough understanding of the statistical properties of these algorithms. This dissertation aims to provide theoretical understanding of adversarial training in order to identify potential improvements in this area of research.

The first part of this dissertation focuses on the algorithmic stability of adversarial training. We reveal that the algorithmic stability of the vanilla adversarial training method is sub-optimal, and we study the effectiveness of a simple noise injection method. While noise injection improves stability, it does not degrade the consistency of adversarial training.

The second part of this dissertation reveals a phase transition phenomenon in adversarial training. When the attack strength increases, the training trajectory of adversarial training deviates from its natural counterpart. Consequently, various properties of adversarial training differ from those of clean training. Adapting the training configuration and the neural network structure is therefore essential to improve adversarial training.

The last part of this dissertation focuses on how artificially generated data improves adversarial training. Using synthetic data is observed to improve adversarial robustness even when the data are generated from the original training data alone, i.e., no extra information is introduced. We develop a theory to explain this observation and propose further adaptations to make better use of the generated data.

2. Towards Designing Robust Deep Learning Models for 3D Understanding. Hamdi, Abdullah, 04 1900
This dissertation presents novel methods for addressing important challenges related to the robustness of Deep Neural Networks (DNNs) for 3D understanding and in 3D setups. Our research focuses on two main areas, adversarial robustness on 3D data and setups and the robustness of DNNs to realistic 3D scenarios.
One paradigm for 3D understanding is to represent 3D as a set of 3D points and learn functions on this set directly. Our first work, AdvPC, addresses the issue of limited transferability and ease of defense against current 3D point cloud adversarial attacks. By using a point cloud Auto-Encoder to generate more transferable attacks, AdvPC surpasses state-of-the-art attacks by a large margin on 3D point cloud attack transferability. Additionally, AdvPC increases the ability to break defenses by up to 38% as compared to other baseline attacks on the ModelNet40 dataset.
Another paradigm of 3D understanding is to perform 2D processing of multiple images of the 3D data. The second work, MVTN, addresses the problem of selecting viewpoints for 3D shape recognition using a Multi-View Transformation Network (MVTN) to learn optimal viewpoints. It combines MVTN with multi-view approaches leading to state-of-the-art results on standard benchmarks ModelNet40, ShapeNet Core55, and ScanObjectNN. MVTN also improves robustness to realistic scenarios like rotation and occlusion.
Our third work analyzes the Semantic Robustness of 2D Deep Neural Networks, addressing the problem of high sensitivity toward semantic primitives in DNNs by visualizing the DNN global behavior as semantic maps and observing the interesting behavior of some DNNs. Additionally, we develop a bottom-up approach to detect robust regions of DNNs for scalable semantic robustness analysis and benchmarking of different DNNs.
The fourth work, SADA, showcases the problem of lack of robustness in DNNs specifically for the safety-critical applications of autonomous navigation, beyond the simple classification setup. We present a general framework (BBGAN) for black-box adversarial attacks on trained agents, which covers semantic perturbations to the environment of the agent performing the task. BBGAN is trained to generate failure cases that consistently fool a trained agent on tasks such as object detection, self-driving, and autonomous UAV racing.

3. Bridging the gap between human and computer vision in machine learning, adversarial and manifold learning for high-dimensional data. Jungeum Kim (12957389), 01 July 2022
In this dissertation, we study three important problems in modern deep learning: adversarial robustness, visualization, and partially monotonic function modeling. In the first part, we study the trade-off between robustness and standard accuracy in deep neural network (DNN) classifiers. We introduce sensible adversarial learning and demonstrate the synergistic effect between pursuits of standard natural accuracy and robustness. Specifically, we define a sensible adversary which is useful for learning a robust model while keeping high natural accuracy. We theoretically establish that the Bayes classifier is the most robust multi-class classifier with the 0-1 loss under sensible adversarial learning. We propose a novel and efficient algorithm that trains a robust model using implicit loss truncation. Our experiments demonstrate that our method is effective in promoting robustness against various attacks and keeping high natural accuracy.

In the second part, we study nonlinear dimensional reduction with the manifold assumption, often called manifold learning. Despite the recent advances in manifold learning, current state-of-the-art techniques focus on preserving only local or global structure information of the data. Moreover, they are transductive; the dimensional reduction results cannot be generalized to unseen data. We propose iGLoMAP, a novel inductive manifold learning method for dimensional reduction and high-dimensional data visualization. iGLoMAP preserves both local and global structure information in the same algorithm by preserving geodesic distance between data points. We establish the consistency property of our geodesic distance estimators. iGLoMAP can provide the lower-dimensional embedding for an unseen, novel point without any additional optimization. We successfully apply iGLoMAP to simulated and real-data settings with competitive experiments against state-of-the-art methods.

In the third part, we study partially monotonic DNNs. We model such a function by using the fundamental theorem for line integrals, where the gradient is parametrized by DNNs. For the validity of the model formulation, we develop a symmetric penalty for gradient modeling. Unlike existing methods, our method allows partially monotonic modeling for general DNN architectures and monotonic constraints on multiple variables. We empirically show the necessity of the symmetric penalty on a simulated dataset.

4. Improving the Robustness of Neural Networks to Adversarial Patch Attacks Using Masking and Attribution Analysis. Mahalder, Atandra, 01 January 2024
Computer vision algorithms, including image classifiers and object detectors, play a pivotal role in various cyber-physical systems, spanning from facial recognition to self-driving vehicles and security surveillance. However, the emergence of real-world adversarial patches, which can be as simple as stickers, poses a significant threat to the reliability of AI models utilized within these systems. To address this challenge, several defense mechanisms such as PatchGuard, Minority Report, and (De)Randomized Smoothing have been proposed to enhance the resilience of AI models against such attacks. In this thesis, we introduce a novel framework that integrates masking with attribution analysis to robustify AI models against adversarial patch assaults. Attribution analysis identifies the crucial pixels influencing the model's decision-making process. Subsequently, inspired by the Derandomized Smoothing defense strategy, we employ a masking approach to mask these important pixels. Our experimental findings demonstrate improved robustness against adversarial attacks, at the expense of a slight degradation in clean accuracy.

5. Identifying Induced Bias in Machine Learning. Chowdhury Mohammad Rakin Haider (18414885), 22 April 2024
The last decade has witnessed an unprecedented rise in the application of machine learning in high-stakes automated decision-making systems such as hiring, policing, bail sentencing, medical screening, etc. The long-lasting impact of these intelligent systems on human life has drawn attention to their fairness implications. A majority of subsequent studies targeted the existing historically unfair decision labels in the training data as the primary source of bias and strived either to remove them from the dataset (de-biasing) or to avoid learning discriminatory patterns from them during training. In this thesis, we show that label bias is not a necessary condition for unfair outcomes from a machine learning model. We develop theoretical and empirical evidence showing that biased model outcomes can be introduced by a range of different data properties and components of the machine learning development pipeline.

In this thesis, we first prove that machine learning models are expected to introduce bias even when the training data does not include label bias. We use a proof-by-construction technique in our formal analysis. We demonstrate that machine learning models, trained to optimize joint accuracy, introduce bias even when the underlying training data is free from label bias but might include other forms of disparity. We identify two data properties that lead to the introduction of bias in machine learning: group-wise disparity in feature predictivity and group-wise disparity in the rates of missing values. The experimental results suggest that a wide range of classifiers trained on synthetic or real-world datasets are prone to introducing bias under feature disparity and missing-value disparity, independently of or in conjunction with label bias.

We further analyze the trade-off between fairness and established techniques for improving the generalization of machine learning models, such as adversarial training and increasing model complexity. We report that adversarial training sacrifices fairness to achieve robustness against noisy (typically adversarial) samples. We propose a fair re-weighted adversarial training method that improves the fairness of adversarially trained models while sacrificing minimal adversarial robustness. Finally, we observe that although increasing model complexity typically improves generalization accuracy, it does not linearly improve the disparities in prediction rates.

This thesis unveils a vital limitation of machine learning that has yet to receive significant attention in the FairML literature. Conventional FairML literature reduces the ML fairness task to something as simple as de-biasing or avoiding learning discriminatory patterns. However, the reality is far from that. Everything from deciding which features to collect up to algorithmic choices such as optimizing for robustness can act as a source of bias in model predictions. This calls for detailed investigations of the fairness implications of machine learning development practices. In addition, identifying sources of bias can facilitate pre-deployment fairness audits of machine-learning-driven automated decision-making systems.

6. TOWARDS EFFICIENT AND ROBUST DEEP LEARNING: HANDLING DATA NON-IDEALITY AND LEVERAGING IN-MEMORY COMPUTING. Sangamesh D Kodge (19958580), 05 November 2024

Deep learning has achieved remarkable success across various domains, largely relying on assumptions of ideal data conditions (such as balanced distributions, accurate labeling, and sufficient computational resources) that rarely hold in real-world applications. This thesis addresses the significant challenges posed by data non-idealities, including privacy concerns, label noise, non-IID (not independent and identically distributed) data, and adversarial threats, which can compromise model performance and security. Additionally, we explore the computational limitations inherent in traditional architectures by introducing in-memory computing techniques to mitigate the memory bottleneck in deep neural network implementations.

We propose five novel contributions to tackle these challenges and enhance the efficiency and robustness of deep learning models. First, we introduce a gradient-free machine unlearning algorithm to ensure data privacy by effectively forgetting specific classes without retraining. Second, we propose a corrective machine unlearning technique, SAP, that improves robustness against label noise using Scaled Activation Projections. Third, we present the Neighborhood Gradient Mean (NGM) method, a decentralized learning approach that optimizes performance on non-IID data with minimal computational overhead. Fourth, we develop TREND, an ensemble design strategy that leverages transferability metrics to enhance adversarial robustness. Finally, we explore an in-memory computing solution, IMAC, that enables energy-efficient and low-latency multiplication and accumulation operations directly within 6T SRAM arrays.

These contributions collectively advance the state-of-the-art in handling data non-idealities and computational efficiency in deep learning, providing robust, scalable, and privacy-preserving solutions suitable for real-world deployment across diverse environments.

7. Advancing adversarial robustness with feature desensitization and synthesized data. Bayat, Reza, 07 1900
This thesis addresses the critical issue of adversarial vulnerability in deep learning models, which are susceptible to slight, human-imperceptible perturbations that can lead to incorrect predictions. Adversarial attacks pose significant threats to the deployment of these models in safety-critical systems. To mitigate these threats, adversarial training has emerged as a prominent approach, where models are trained on adversarial examples to enhance their robustness.
In Chapter 1, we provide a comprehensive background on adversarial vulnerability, detailing the creation of adversarial examples and their real-world implications. We illustrate how adversarial examples are crafted and present various scenarios demonstrating their potential catastrophic outcomes. Furthermore, we explore the challenges associated with adversarial training, focusing on issues like the lack of robustness against a broad range of attack strengths and a trade-off between robustness and generalization, which are the subjects of our study.
Chapter 2 introduces Adversarial Feature Desensitization (AFD), a novel method that leverages domain adaptation techniques to enhance adversarial robustness. AFD aims to learn features that are invariant to adversarial perturbations, thereby improving resilience across various attack types and strengths. This approach involves training a domain discriminator alongside the classifier to reduce the divergence between natural and adversarial data representations. By aligning the features from both domains, AFD ensures that the learned features are both predictive and robust, mitigating overfitting to specific attack patterns and promoting broader defensive capability.
Chapter 3 presents Adversarial Training with Synthesized Data, a method aimed at bridging the gap between robustness and generalization in neural networks. By leveraging synthesized data generated through advanced techniques, this chapter explores how incorporating such data can mitigate robust overfitting and enhance the overall performance of adversarially trained models. The findings indicate that while adversarial training traditionally faces a trade-off between robustness and generalization, the use of synthesized data helps maintain high accuracy on corrupted and out-of-distribution data without compromising robustness. This approach provides a promising pathway to develop neural networks that are both resilient to adversarial attacks and capable of generalizing well to a wide range of scenarios.
Chapter 4 concludes the thesis by summarizing the key findings and contributions of this research. Additionally, it outlines several avenues for future research to further enhance the security and reliability of deep learning models. Future research could explore the effect of synthesized data on a broader range of generalization tasks, develop alternative approaches to adversarial training that are less computationally expensive, and adapt new feedback-guided techniques for synthesizing data to enhance sample efficiency. By pursuing these directions, future research can build on the foundations laid by this thesis and continue to advance the field of adversarial robustness, ultimately leading to safer and more reliable machine learning systems.
Through these contributions, this thesis advances the understanding of adversarial robustness and proposes practical solutions to enhance the security and reliability of machine learning systems. By addressing the limitations of current adversarial training methods and introducing innovative approaches like AFD and the incorporation of synthesized data, this research paves the way for more robust and generalizable machine learning models capable of withstanding a diverse array of adversarial attacks.