Collaborative Research: CIF: Small: Robust Machine Learning under Sparse Adversarial Attacks


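Basic Information

  • Award number:
    2236484
  • Principal investigator:
  • Amount:
    $300,000
  • Host institution:
  • Host institution country:
    United States
  • Project category:
    Standard Grant
  • Fiscal year:
    2023
  • Funding country:
    United States
  • Period:
    2023-06-01 to 2026-05-31
  • Project status:
    Ongoing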

Project Abstract

Machine-learning algorithms have proved successful in many applications, such as detecting handwriting, converting speech to text, detecting traffic signals for autonomous vehicles, or predicting a patient's diagnosis from medical data. A machine-learning model is usually "trained" to perform the designated task. This training is done by feeding many data samples to the model and using algorithms to adjust the model parameters so that its output is consistent with the provided training output most of the time. There are many challenges to performing this task reliably and efficiently. Recent research has shown that making small changes to the data points can lead to misdetection. Therefore, it is critical to make learning models robust against such data perturbations, especially in safety-critical applications such as autonomous driving. This project aims to achieve this for a specific category of data perturbations called "sparse attacks." Sparse-attack scenarios are those in which perturbations occur in only a few coordinates of the data, such as a few pixels in an image. Despite their importance and various real-world applications, sparse attacks have not been widely studied from a theoretical perspective. The goal of this project is to develop a theoretical framework for robust machine learning in the presence of adversarial perturbations that are bounded in L0 norm, or so-called sparse attacks. There have been significant theoretical studies on non-sparse adversarial attacks, but such fundamental understanding has been lacking for the sparse setting. This is partly due to the challenges in the L0 setting, namely, the L0 ball being non-convex and highly non-smooth. The first goal of this project is to study the fundamental limits of robust classification for stylized mathematical models. This will be done by proposing defense methods that are provably robust against L0 attacks, as well as proving converse results. 
Ideally, one aims to establish tight achievability and converse bounds asymptotically to fully characterize the optimal robust classifier. Motivated by practical considerations, the performance of the proposed defense methods in other scenarios will also be studied. In particular, this project explores the generalization properties of the proposed robust hypothesis class in order to study the effect of finite samples when the data distribution is unknown. Furthermore, the project consists of an evaluation plan to implement the developed defense mechanisms and analyze their performance in terms of learning a model which is robust against sparse attacks. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project Outcomes

Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)


Other publications by Payam Delgosha

Load Balancing in Hypergraphs
  • DOI:
    10.1007/s10955-018-1977-1
  • Publication year:
    2017
  • Journal:
  • Impact factor:
    1.6
  • Authors:
    Payam Delgosha;V. Anantharam
  • Corresponding author:
    V. Anantharam
Universal Lossless Compression of Graphical Data
MM-GATBT: Enriching Multimodal Representation Using Graph Attention Network
A Universal Lossless Compression Method Applicable to Sparse Graphs and Heavy–Tailed Sparse Graphs
Distributed Compression of Graphical Data


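Similar NSFC (National Natural Science Foundation of China) grants

Research on highly integrated microwave/millimeter-wave antennas supporting two-dimensional millimeter-wave beam scanning
  • Award number:
    62371263
  • Approval year:
    2023
  • Funding amount:
    520,000 CNY
  • Project category:
    General Program
Study of Heck/denitrogenative rearrangement cascade reactions of hydrazones
  • Award number:
    22301211
  • Approval year:
    2023
  • Funding amount:
    300,000 CNY
  • Project category:
    Young Scientists Fund
Study of synergistic performance regulation and dendrite suppression mechanisms in aqueous zinc-ion batteries
  • Award number:
    52364038
  • Approval year:
    2023
  • Funding amount:
    330,000 CNY
  • Project category:
    Regional Science Fund Program
Pathogenic role and mechanism of TSPYL1 mutations in sudden infant death syndrome, studied using a human serotonergic neuron reporter system
  • Award number:
    82371176
  • Approval year:
    2023
  • Funding amount:
    490,000 CNY
  • Project category:
    General Program
Mechanism of FOXO3 m6A methylation-induced trophoblast senescence in the kidney-tonifying treatment of spontaneous abortion
  • Award number:
    82305286
  • Approval year:
    2023
  • Funding amount:
    300,000 CNY
  • Project category:
    Young Scientists Fund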

Similar overseas grants

Collaborative Research: CIF: Medium: Snapshot Computational Imaging with Metaoptics
  • Award number:
    2403122
  • Fiscal year:
    2024
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Collaborative Research: CIF-Medium: Privacy-preserving Machine Learning on Graphs
  • Award number:
    2402815
  • Fiscal year:
    2024
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Collaborative Research: CIF: Small: Mathematical and Algorithmic Foundations of Multi-Task Learning
  • Award number:
    2343599
  • Fiscal year:
    2024
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Collaborative Research: CIF: Small: Mathematical and Algorithmic Foundations of Multi-Task Learning
  • Award number:
    2343600
  • Fiscal year:
    2024
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Collaborative Research: CIF: Small: Acoustic-Optic Vision - Combining Ultrasonic Sonars with Visible Sensors for Robust Machine Perception
  • Award number:
    2326905
  • Fiscal year:
    2024
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant