
Deep Learning In Adversarial Context

Posted on: 2022-12-06    Degree: Doctor    Type: Dissertation
Country: China    Candidate: H W Zhang    Full Text: PDF
GTID: 1488306722970909    Subject: Computer software and theory
Abstract/Summary:
Benefiting from massive data and abundant computation resources, Machine Learning (ML) applications are becoming omnipresent in daily life. They free people from repetitive and complicated work and let them acquire useful information easily. For instance, face recognition systems assist humans in identification and authorization; search engines gather and organize information related to a query by indexing, searching and matching; navigation applications recommend the best route to a destination, for example for an autonomous vehicle. Over the last decade, Deep Neural Networks (DNNs) have developed rapidly in the domain of image classification. Recent DNN models perform classification, detection and segmentation with high confidence, and their performance on ImageNet, a challenging and realistic dataset, is close to that of humans.

In 2013, researchers found that a slight modification of an image leads a classifier to make an erroneous prediction. The big surprise was that these modifications are of small amplitude and almost imperceptible to human eyes. This discovery revealed the vulnerability of DNNs, and the vulnerability extends to the physical world: putting small pieces of paper of a particular shape and colour on a road sign prevents it from being recognized, and wearing a garment printed with a particular texture makes a person invisible to an algorithm that detects pedestrians. Considering these risks, it is crucial to understand the fundamental problem of adversarial examples, so that algorithms process content fairly and correctly. The typical research tasks in adversarial ML are attacks and defenses; researchers study both to i) make practical contributions and ii) understand the phenomenon. To further explore the problem of adversarial perturbations in deep learning and to improve the robustness and security of deep learning systems, this thesis studies adversarial attacks and defenses in deep learning.

From an analysis of the multiple facets of adversarial ML, we find that the key elements to investigate are:

Speed. Speed matters for both attacks and defenses. Time-consuming processes, such as optimizing an adversarial perturbation or training a DNN model, produce high-quality results, but it is not feasible to spend an extremely long time generating an adversarial example, verifying inputs, or building a robust model.

Invisibility. The magnitude of distortion is widely used to estimate the invisibility of a perturbation, but the two are not equivalent. Invisibility means that the perturbation is imperceptible to humans from a neurological and psychological point of view, and how to measure it is still an open question in computer science.

Distortion. As a proxy for invisibility, numerous attacks measure the magnitude of distortion: humans hardly perceive a perturbation when its magnitude is small. Distortion also matters for defenses: a defense that withstands perturbations of larger distortion is more robust. It is therefore an important metric for both attacks and defenses.

Our works are motivated by the concepts of speed, distortion and invisibility, and we test the transferability of our adversarial perturbations. To improve the quality of adversarial perturbations we work in two directions: producing invisible adversarial perturbations, and producing low-magnitude adversarial perturbations efficiently. To defend against attacks we propose a lightweight algorithm that achieves decent robustness and accuracy; here too we emphasize speed as well as performance. Specifically, the main contributions of this thesis are summarized as follows:

(1) We define invisibility in terms of smoothness and integrate it into the optimization that produces adversarial examples. We succeed in creating smooth adversarial perturbations with a smaller magnitude of distortion.

(2) To improve the efficiency of producing adversarial examples, we propose an optimization algorithm, the Boundary Project (BP) attack, based on knowledge of the adversarial problem. When the current solution is not yet adversarial, BP searches against the gradient of the network to reach misclassification; when the current solution is adversarial, it searches along the decision boundary to minimize the distortion. BP generates low-distortion adversarial examples efficiently.

(3) We propose evaluation metrics that allow a fair comparison between targeted-distortion attacks and targeted-success attacks. Success rate and the L2 norm of the distortion are usually treated as the two important criteria, and normally one of them is compared while the other is held fixed. We argue that this is limiting: for instance, if success rates are compared under an extremely large (or small) distortion, two attacks may give very similar results, around 100% (or 0%). We therefore propose a fair evaluation protocol that compares attacks from the two families by comparing the full curve of success rate against distortion.

(4) We also study defenses. We apply patch replacement on both images and features: it removes adversarial effects by replacing the input patches with the most similar patches from the training data. Experiments show that patch replacement is cheap and robust against adversarial attacks.
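As an added illustration of contributions (2) and (3), and not code from the thesis: the block below runs a simplified two-phase search in the spirit of the BP description (step against the gradient until the point is misclassified, then move along the boundary to shrink the distortion) next to a fixed-budget single-step attack, and then builds the full success-rate-versus-distortion curve for both families on one grid. The 2-D toy classifier (a parabolic decision boundary with an analytic gradient), the sample points and the budget grid are assumptions chosen so the example runs offline; the real BP attack operates on deep networks and is not reproduced here.

```python
"""Toy illustration, added here and not code from the thesis: a two-phase
minimum-distortion search in the spirit of the BP description (step against
the gradient until misclassified, then move along the boundary to shrink the
distortion), a fixed-budget single-step attack, and the full
success-rate-versus-distortion curves used to compare the two families.
The 2-D classifier, sample points and budget grid are assumptions."""
import math

# Assumed toy classifier: logit f(x) > 0 means class 1, else class 0.
# Its decision boundary is the parabola x1 = 1 - x0^2.
def logit(x):
    return x[0] ** 2 + x[1] - 1.0

def grad_logit(x):
    return (2.0 * x[0], 1.0)

def predict(x):
    return 1 if logit(x) > 0 else 0

def is_adversarial(x, y_true):
    return predict(x) != y_true

def l2(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def _unit(v):
    n = math.sqrt(sum(c * c for c in v)) or 1.0
    return tuple(c / n for c in v)

def _project_across(x, sign, margin, iters=5):
    """Newton steps along the gradient until the logit sits just on the
    adversarial side of the boundary (logit ~= -sign * margin)."""
    for _ in range(iters):
        g = grad_logit(x)
        t = (logit(x) + sign * margin) / (g[0] ** 2 + g[1] ** 2)
        x = (x[0] - t * g[0], x[1] - t * g[1])
        if sign * logit(x) < 0:
            break
    return x

def bp_style_attack(x0, steps=200, alpha=0.05, beta=0.2, margin=1e-3):
    """Targeted-distortion family. Returns (point, L2 distortion) for the
    lowest-distortion adversarial point seen, or None if none was found."""
    y = predict(x0)
    sign = 1.0 if y == 1 else -1.0   # -sign * grad lowers the true-class score
    x, best = tuple(x0), None

    def record(pt, best):
        if is_adversarial(pt, y):
            dist = l2(pt, x0)
            if best is None or dist < best[1]:
                return (pt, dist)
        return best

    for _ in range(steps):
        best = record(x, best)
        if not is_adversarial(x, y):
            # phase 1: not adversarial yet, step against the gradient
            d = _unit(grad_logit(x))
            x = (x[0] - sign * alpha * d[0], x[1] - sign * alpha * d[1])
        else:
            # phase 2: adversarial, pull towards x0 to cut the distortion,
            # then project back just across the boundary to stay adversarial
            x = (x[0] + beta * (x0[0] - x[0]), x[1] + beta * (x0[1] - x[1]))
            x = _project_across(x, sign, margin)
    return record(x, best)

def fixed_budget_attack(x0, eps):
    """Targeted-success family: one normalized gradient step of L2 size eps.
    Returns (point, success flag); the distortion is eps by construction."""
    y = predict(x0)
    sign = 1.0 if y == 1 else -1.0
    d = _unit(grad_logit(x0))
    x = (x0[0] - sign * eps * d[0], x0[1] - sign * eps * d[1])
    return x, is_adversarial(x, y)

# Constructed sample points from both classes and a common distortion grid.
SAMPLES = [(0.0, 2.0), (1.0, 1.0), (-1.5, 0.5), (0.5, -1.5),
           (2.0, 1.0), (-0.3, 0.2), (1.2, -0.8), (-2.0, -1.0)]
BUDGETS = [0.05, 0.1, 0.2, 0.4, 0.8, 1.6, 3.0]

def success_curve(samples, budgets):
    """Success rate versus distortion budget for both families: the fraction
    of samples whose minimum-distortion example fits the budget, and the
    fraction the fixed-budget attack misclassifies at exactly that budget."""
    min_dists = []
    for x0 in samples:
        res = bp_style_attack(x0)
        min_dists.append(res[1] if res else math.inf)
    curve_bp = [sum(d <= b for d in min_dists) / len(samples) for b in budgets]
    curve_fb = [sum(fixed_budget_attack(x0, b)[1] for x0 in samples) / len(samples)
                for b in budgets]
    return curve_bp, curve_fb

if __name__ == "__main__":
    bp, fb = success_curve(SAMPLES, BUDGETS)
    print("budget  min-distortion  fixed-budget")
    for b, p, q in zip(BUDGETS, bp, fb):
        print(f"{b:6.2f}  {p:14.3f}  {q:12.3f}")
```

The minimum-distortion curve is a cumulative distribution of the per-sample distortions, so it is monotone by construction; the fixed-budget curve need not be, since a large single step can overshoot a curved boundary and land back in the original class. Reading both curves over the whole grid is what makes the comparison fair: at a budget of 0.05 both families score 0% and at 3.0 the distortion attack scores 100%, so a single operating point would hide the difference between them.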
Keywords/Search Tags:Adversarial attack, Deep learning, Classification, Robustness, Machine Learning Security