Group 10 - DNN Presentation for UOM.pptx

DanNiles4 22 views 10 slides May 29, 2024

Slide Content

Limitations of Deep Learning: Adversarial Robustness Issues
Group 10

Introduction

Deep learning has become an efficient framework for tackling complex problems in pattern-recognition tasks, such as image classification. However, any vulnerability in these systems can cause mispredictions that compromise their integrity and efficiency.

What are adversarial attacks? Deliberate manipulations of input data designed to deceive or mislead the model's output, often through changes to the input that are imperceptible to a human. For example, in the figure to the right we can see how, after adversarial perturbations are added, an image of a "Panda" is incorrectly classified as a "Gibbon".

Source: https://towardsdatascience.com/breaking-neural-networks-with-adversarial-attacks-f4290a9a45aa

The susceptibility of deep learning systems to adversarial attacks is a prominent concern in numerous applications, including face recognition, speech recognition, surveillance systems, and voice assistants such as Siri, Alexa and Cortana, as well as in the domain of autonomous driving. An attacker can introduce malicious data either during the training process or during inference by deliberately altering input data. In this figure, we can see how a face recognition system identifies the input face incorrectly because of a slight alteration to the person's glasses.

Source: https://www.inovex.de/de/blog/machine-perception-face-recognition/
Source: https://blog.sravjti.in/2021/06/27/adversarial-attacks.html

Types of Adversarial Attacks and Defensive Techniques

Poisoning Attacks

The attacker influences the training data or its labels to cause the model to underperform during deployment; poisoning is essentially adversarial contamination of the training data. Because ML systems can be re-trained using data collected during operation, an attacker may poison the data by injecting malicious samples during operation, which subsequently disrupt or influence re-training. In the image we can see speed-limit data points that have been moved into the region labelled "stop".

Source: https://viso.ai/deep-learning/adversarial-machine-learning/

Defense against Poisoning Attacks

- Data sanitization: removes poisoned data points from the training dataset using multiple micro-models trained on small, disjoint subsets of the training data, on the assumption that a poisoning attack occurs within a brief, restricted period of time.
- Influence function: identifies the training points most responsible for a prediction, allowing defenders to focus on high-influence data and to predict how the model parameters change when a training point is upweighted.
- Outlier detection: uses k-Nearest Neighbors to detect and remove malicious data points that negatively impact machine learning classifiers, preventing label-flipping attacks.
- Fine-pruning: fine-tunes and prunes neural networks to detect and remove the effect of poisoned data, ensuring robustness against multiple attacks by removing neurons and then fine-tuning on clean data.
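
As an added illustration of the kNN outlier-detection defence above (not code from the presentation or its sources), the following Python flags training points whose label disagrees with a unanimous neighbourhood and drops them before training. The constructed two-cluster dataset stands in for the speed-limit/stop example; the choice of k, the agreement threshold and the tie-breaking rule are assumptions.

```python
import math
from collections import Counter

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def neighbourhood_vote(points, labels, idx, k):
    """Majority label among the k nearest neighbours of points[idx], itself excluded.

    Returns (label, count); ties in distance are broken by index (an assumption).
    """
    ranked = sorted((euclidean(points[idx], p), j)
                    for j, p in enumerate(points) if j != idx)
    votes = Counter(labels[j] for _, j in ranked[:k])
    return votes.most_common(1)[0]

def flag_label_flips(points, labels, k=3, min_agreement=1.0):
    """Indices whose label disagrees with a neighbourhood that agrees at least
    `min_agreement` of the time (1.0 = unanimous): the likely flipped labels."""
    flagged = []
    for i in range(len(points)):
        label, count = neighbourhood_vote(points, labels, i, k)
        if label != labels[i] and count / k >= min_agreement:
            flagged.append(i)
    return flagged

def sanitize(points, labels, k=3):
    """Drop flagged points; returns (clean_points, clean_labels, removed_indices)."""
    removed = set(flag_label_flips(points, labels, k))
    kept = [(p, l) for i, (p, l) in enumerate(zip(points, labels)) if i not in removed]
    return [p for p, _ in kept], [l for _, l in kept], sorted(removed)

# Constructed training set: a "speed limit" cluster (label 0) and a "stop" cluster
# (label 1), plus one speed-limit point whose label an attacker flipped to "stop".
POINTS = [(0.0, 0.0), (0.2, 0.1), (0.1, 0.3), (0.3, 0.2),
          (5.0, 5.0), (5.2, 4.9), (4.8, 5.1), (5.1, 5.3),
          (0.15, 0.15)]
LABELS = [0, 0, 0, 0, 1, 1, 1, 1, 1]   # index 8 carries the flipped label

if __name__ == "__main__":
    pts, labs, dropped = sanitize(POINTS, LABELS)
    print("removed indices:", dropped, "| remaining:", len(pts))
```

With the unanimity threshold only the planted point is removed; lowering `min_agreement` trades fewer missed flips for more legitimate points dropped near class boundaries.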

Evasion Attacks

There are two types of evasion attacks.
- White-box attack: the attacker knows the complete ML model architecture.
- Black-box attack: the attacker only knows the output labels produced by the model. Attackers train their own substitute model, generate adversarial samples against it, and apply those samples to the original model.

Defense against Evasion Attacks

Gradient masking:
- Shattered gradients: make the model non-differentiable or numerically unstable so that accurate gradients cannot be obtained.
- Stochastic gradients: the forward pass drops random neurons in each layer and stochastically prunes a subset of activation functions during inference.
- Vanishing/exploding gradients: very deep, multi-step computation (for example, iteratively restoring an adversarially perturbed image to a clean image before classifying it) makes the gradients vanish or explode, so they are useless to the attacker.

Robustness: improves the model's ability to learn the adversarial game, enabling it to produce similar outputs for clean and adversarial examples.

Detection: a binary detector network classifies input data as clean or perturbed, with feature squeezing reducing the attacker's search space.
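
The feature-squeezing detector mentioned above, written as an added example in pure Python (not code from the presentation). The linear 64-pixel classifier, the 1-bit squeezer, the constructed perturbed input and the 0.5 threshold are all assumptions chosen so the effect is visible; a real detector would squeeze the input to a trained network.

```python
import math

# Constructed linear classifier over a 64-pixel "image": the first 32 pixels vote
# for class 1, the last 32 for class 0; the bias leaves a small margin (+2) on CLEAN.
WEIGHTS = [1.0] * 32 + [-1.0] * 32
BIAS = -30.0

def predict_proba(x, w=WEIGHTS, b=BIAS):
    """Logistic probability of class 1 for the linear model."""
    score = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-score))

def classify(x):
    return 1 if predict_proba(x) > 0.5 else 0

def bit_depth_squeeze(x, bits=1):
    """Feature squeezing: collapse each pixel in [0, 1] onto 2**bits levels."""
    levels = 2 ** bits - 1
    return [round(v * levels) / levels for v in x]

def squeeze_detector(x, threshold=0.5, squeeze=bit_depth_squeeze):
    """Flag x when the model's output moves more than `threshold` after squeezing.

    A small perturbation that flips the decision is erased by the squeezer, so the
    prediction on the squeezed copy jumps back; a clean input barely moves.
    """
    gap = abs(predict_proba(x) - predict_proba(squeeze(x)))
    return gap > threshold, gap

# Constructed inputs: a clean binary image and a copy in which every pixel is
# nudged by EPS against the sign of its weight (small per pixel, large in total).
CLEAN = [1.0] * 32 + [0.0] * 32
EPS = 0.1
PERTURBED = [v - EPS * (1.0 if wi > 0 else -1.0) for v, wi in zip(CLEAN, WEIGHTS)]

if __name__ == "__main__":
    for name, x in (("clean", CLEAN), ("perturbed", PERTURBED)):
        flagged, gap = squeeze_detector(x)
        print(f"{name}: class={classify(x)} squeezed_class={classify(bit_depth_squeeze(x))} "
              f"gap={gap:.3f} flagged={flagged}")
```

The threshold should be calibrated on clean validation data, and an adversary who knows the squeezer can craft perturbations that survive it, so this is one detection layer rather than a guarantee.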

Privacy Attacks

Service providers offer solutions to the public based on pre-trained DL models that use privacy-sensitive data to improve model performance. Studies have found that a DL model not only learns the latent patterns in the training data but also becomes a repository for that data, so granting access to the pre-trained model can expose the privacy-sensitive training data.

Defense against Privacy Attacks

Homomorphic encryption (HE): a cryptographic scheme that allows computation on encrypted data without decrypting it. A scheme is homomorphic with respect to an operation "*" if that operation can be carried out on ciphertexts without the secret key and the result decrypts to the same operation applied to the plaintexts. HE protects user data and reduces the accuracy difference between the original and the encrypted classifier.

Secure multi-party computation for deep learning (SMC): the two-party technique (2PC) is used to protect privacy in deep learning, ensuring secure sharing of gradients between data providers and the server running the system.
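
An added example (not from the presentation) of the gradient-sharing idea behind SMC: each data provider splits its gradient into two additive shares over a prime field, and two aggregators that are assumed not to collude each sum only the shares they hold, so neither sees any individual gradient while the opened result is the exact total. The prime, the fixed-point scale and the three constructed gradient vectors are assumptions.

```python
import secrets

PRIME = 2**61 - 1   # Mersenne prime used as the share field (assumption)
SCALE = 10**6       # fixed-point scale so float gradients become field elements

def encode(g):
    """Float gradient component -> field element (fixed point, mod PRIME)."""
    return round(g * SCALE) % PRIME

def decode(v):
    """Field element -> float, mapping the upper half of the field to negatives."""
    if v > PRIME // 2:
        v -= PRIME
    return v / SCALE

def share(gradient):
    """Split one provider's gradient vector into two additive shares.

    Each share alone is uniformly random, so a single aggregator learns nothing.
    """
    s1 = [secrets.randbelow(PRIME) for _ in gradient]
    s2 = [(encode(g) - a) % PRIME for g, a in zip(gradient, s1)]
    return s1, s2

def aggregate(share_vectors):
    """What one aggregator does locally: add up the share vectors it received."""
    return [sum(col) % PRIME for col in zip(*share_vectors)]

def reconstruct(agg1, agg2):
    """Open only the aggregated result by combining both aggregators' sums."""
    return [decode((a + b) % PRIME) for a, b in zip(agg1, agg2)]

def secure_gradient_sum(gradients):
    """End to end: providers share, two non-colluding aggregators sum, result is opened."""
    held_by_1, held_by_2 = [], []
    for g in gradients:
        s1, s2 = share(g)
        held_by_1.append(s1)
        held_by_2.append(s2)
    return reconstruct(aggregate(held_by_1), aggregate(held_by_2))

# Constructed gradients from three data providers (three parameters each).
GRADIENTS = [[0.5, -1.25, 2.0], [-0.5, 0.75, 1.0], [1.0, 0.5, -3.0]]

if __name__ == "__main__":
    print("aggregated gradient:", secure_gradient_sum(GRADIENTS))  # [1.0, 0.0, 0.0]
```

The opened sum still leaks what any aggregate leaks (for example, with a single provider it is that provider's gradient), so the scheme protects individual contributions only when several providers participate.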

Emerging Research and Future Directions

Emerging research in deep learning adversarial robustness continually addresses the limitations and challenges associated with adversarial attacks.

Robust Model Architectures
- Developing deep learning architectures that are inherently more robust to adversarial attacks, such as architectures with increased resistance to gradient-based attacks.
- Continued exploration of architectural modifications, such as the use of capsule networks, to enhance robustness.

Transfer Learning and Domain Adaptation
- Investigating techniques for transferring knowledge from robust models to new domains or tasks, and studying the generalization of adversarial defenses.
- Developing more transferable and domain-agnostic adversarial defenses.

Adversarial Training
- Adversarial training trains models on both clean and adversarial data, making them more robust.
- Improving the efficiency of adversarial training and exploring more effective strategies for creating adversarial examples during training.

Ensemble Methods
- Combining multiple models with different vulnerabilities can improve robustness.
- Ensemble methods can help identify and filter out adversarial examples.
- Investigating the optimal ways to ensemble models for increased robustness and reliability.

Adversarial Detection and Early Warning Systems
- Developing techniques for the real-time detection of adversarial attacks, both at training and at inference time.
- Building automated early warning systems that can trigger model retraining or alert administrators when adversarial activity is detected.

References
- Chapter 1 - Introduction to adversarial robustness (adversarial-ml-tutorial.org)
- ECCV 2020 Tutorial on Adversarial Robustness of Deep Learning Models, Pin-Yu Chen (IBM Research), YouTube
- Security and Privacy Issues in Deep Learning, Renu Khandelwal, Medium