Collaborative Research: CIF: Medium: Understanding Robustness via Parsimonious Structures.

合作研究：CIF：中：通过简约结构了解鲁棒性。

• 批准号: 2212457
• 负责人: Soledad Villar
• 金额: $ 90万
• 依托单位: Johns Hopkins University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2212457&HistoricalAwards=false
• 关键词: Collaborative; Research; CIF; Medium; Understanding

Modern machine learning methods, and in particular deep networks have led to significant advances in several areas of science and engineering, including computer vision, speech and language processing, robotics, and beyond. At the same time, deep networks have been shown to be extremely sensitive to small adversarial perturbations to their inputs or training set. Because of this, models based on deep networks can exhibit significant vulnerabilities to imperceptible attacks. Recent work has proposed many ad-hoc methods for defending deep networks against such adversarial attacks, which have been subsequently broken by stronger attacks. While stronger and provably correct defenses continue to be developed, a mathematical framework for understanding why deep networks can be fooled into making wrong predictions and how to design and train networks with guarantees of robustness remains elusive. This project aims to answer the following questions: Is it possible to detect when a network has been attacked or when a dataset has been poisoned and reconstruct the original uncorrupted data? If yes, under what conditions on the distribution of the data and the network architecture? If not, how can network architectures and learning algorithms be designed that yield provably robust networks? This project has the following research goals (1) derive conditions on the input data and the attack type under which one can determine the attack type and reconstruct the original signal; (2) study the fundamental limits of robustness guarantees against poisoning attacks, especially in the asymptotic regime where the adversary can poison a constant fraction of the training samples; (3) study the robustness of non-linear predictors that exploit sparsity and local stability of the computed representations allowing for provable guarantees for robustness; (4) study the role of symmetry as a form of parsimony and show that it increases the adversarial robustness.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

现代的机器学习方法，尤其是深层网络，导致了科学和工程的多个领域，包括计算机视觉，语音和语言处理，机器人技术以及其他方面的进步。同时，深层网络已被证明对对其输入或训练集的小对抗扰动非常敏感。因此，基于深网的模型可以表现出极大的脆弱性。最近的工作提出了许多临时方法，用于防御深层网络，以防止这种对抗性攻击，这些攻击随后被更强烈的攻击所破坏。尽管继续开发更强大，更正确的防御能力，但一个数学框架是理解为什么可以愚弄深层网络来做出错误的预测以及如何通过保证鲁棒性设计和训练网络的数学框架仍然难以捉摸。该项目的目的是回答以下问题：是否可以检测网络何时攻击或何时毒化数据集并重建原始未腐败的数据？如果是，在哪些条件下，数据和网络体系结构的分布情况？如果没有，如何设计网络体系结构和学习算法可以产生可证明强大的网络？该项目具有以下研究目标（1）在输入数据以及可以确定攻击类型并重建原始信号的攻击类型的条件下； （2）研究鲁棒性的基本限制可以保证防止中毒攻击，尤其是在渐近状态下，对手可以毒害训练样本的不断占一部分； （3）研究非线性预测因子的鲁棒性，即利用稀疏性和计算出表示的局部稳定性，从而为鲁棒性提供了可证明的保证； （4）研究对称性作为一种简约形式的作用，并表明它增加了对抗性的鲁棒性。该奖项反映了NSF的法定任务，并被认为使用基金会的知识分子和更广泛的影响审查标准，认为值得通过评估来支持。

项目成果

Improved techniques for deterministic l2 robustness

• DOI: 10.48550/arxiv.2211.08453
• 发表时间: 2022-11
• 期刊: ArXiv
• 作者: Sahil Singla;S. Feizi

Provable Robustness against Wasserstein Distribution Shifts via Input Randomization

• 发表时间: 2023
• 期刊: ArXiv
• 作者: Aounon Kumar;Alexander Levine;T. Goldstein;S. Feizi

Lethal Dose Conjecture on Data Poisoning

• DOI: 10.48550/arxiv.2208.03309
• 发表时间: 2022-08
• 期刊: ArXiv
• 作者: Wenxiao Wang;Alexander Levine;S. Feizi