Improving Robustness of Deep Networks to Adversarial Perturbations based on Ensemble Structure
Soleimani Roudi, Saman | 2024
- Type of Document: M.Sc. Thesis
- Language: Farsi
- Document No: 57246 (05)
- University: Sharif University of Technology
- Department: Electrical Engineering
- Advisor(s): Ghaemmaghami, Shahrokh; Marvasti, Farokh; Amini, Sajjad
- Abstract:
- Deep learning is one of the most powerful branches of machine learning, and with the help of neural networks it achieves exceptional performance in tasks such as image and speech recognition. However, deep networks are highly vulnerable to small, deliberately crafted changes to their input, known as adversarial perturbations. Although these perturbations have a large effect on the model's output, they are usually imperceptible to humans and pose serious security challenges in sensitive areas such as autonomous vehicles and medical diagnosis. Extensive research has been conducted to counter them, most of it building a robust structure around a single deep network. Such structures remain susceptible because adversarial examples transfer between models. This thesis therefore uses an ensemble structure (multiple models) to build a classifier that is robust to adversarial perturbations. Previous work on ensembles has sought training methods that introduce diversity among the member models and so prevent adversarial perturbations from transferring between them; on closer examination, researchers have concluded that these structures are vulnerable because their robustness stems from gradient obfuscation. In this thesis we therefore approach the problem from a different perspective. First, we use the ensemble structure to perform data attribution, that is, to estimate the influence of individual training samples on the classification of an adversarial sample. Then, having identified the most influential training samples, we propose a method that recovers the original class of the adversarial sample. Because the proposed method acts on the training process, while the adversary can only attack at test time, crafting adversarial perturbations that deceive the proposed structure is difficult.
The results of this thesis indicate that the performance of the proposed method improves significantly as the number of models increases. Specifically, under white-box attacks the proposed method improves on the best compared method by 7.29% and 18.32% for adversarial radii of 0.02 and 0.03, respectively; under black-box attacks the improvements are 1.42% and 13.01% for the same radii. Finally, despite using a large number of models, the proposed method has a lower training cost than other robust ensemble structures.
- Keywords:
- Adversarial Perturbations ; Deep Learning ; Ensemble Learning ; Data Attribution ; Deep Networks ; Ensemble Structure
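The abstract describes two mechanisms without showing them: an ensemble of models used to attribute a decision on an adversarial sample to individual training points, and a minimal perturbation that crosses a decision boundary. The following is an added example, not code from the thesis, and it does not reproduce the thesis's method for recovering the original class. It stands in a nearest-centroid classifier for the deep networks (its margin is linear in the input, so the boundary-crossing step is exact), trains an ensemble on random class-stratified halves of a constructed two-class data set, and estimates each training point's influence with the subsampling (datamodel-style) estimator: mean margin of models that saw the point minus mean margin of models that did not. All names (`attribute`, `drop_top_supporters`, `X_TRAIN`, and so on) and the data are assumptions of this example. Two checks a practitioner would run before trusting such attributions are included: sign agreement with exact leave-one-out retraining, and a counterfactual that drops the top-scored training points and confirms the margin moves as predicted.

```python
import numpy as np

rng = np.random.default_rng(0)

# Constructed toy training set (not data from the thesis): two Gaussian classes in the plane.
N_PER_CLASS = 40
X_TRAIN = np.vstack([
    rng.normal(loc=(-2.0, 0.0), scale=0.7, size=(N_PER_CLASS, 2)),  # class 0
    rng.normal(loc=(2.0, 0.0), scale=0.7, size=(N_PER_CLASS, 2)),   # class 1
])
Y_TRAIN = np.repeat([0, 1], N_PER_CLASS)


def fit_centroids(X, y):
    """Nearest-centroid classifier (hypothetical stand-in for a deep net): one mean per class."""
    return np.array([X[y == c].mean(axis=0) for c in (0, 1)])


def margin(centroids, x):
    """Signed score of x: positive means class 1, negative means class 0. Linear in x."""
    mu0, mu1 = centroids
    return float(np.sum((x - mu0) ** 2) - np.sum((x - mu1) ** 2))


def predict(centroids, x):
    return int(margin(centroids, x) > 0)


def minimal_crossing_perturbation(centroids, x, overshoot=1.1):
    """Smallest L2 perturbation that flips the decision on x. The margin's gradient is
    2*(mu1 - mu0), so one step reaches the boundary; overshoot > 1 lands just past it,
    giving margin(x_adv) = (1 - overshoot) * margin(x)."""
    mu0, mu1 = centroids
    grad = 2.0 * (mu1 - mu0)
    return x - overshoot * margin(centroids, x) / np.dot(grad, grad) * grad


def train_ensemble(X, y, n_models, rng):
    """Train n_models models, each on a random half of every class. Returns per-model
    centroids and a boolean membership matrix (n_models x n_train) of who saw which point."""
    members = np.zeros((n_models, len(y)), dtype=bool)
    centroids = []
    for m in range(n_models):
        for c in (0, 1):
            idx = np.flatnonzero(y == c)
            members[m, rng.choice(idx, size=len(idx) // 2, replace=False)] = True
        centroids.append(fit_centroids(X[members[m]], y[members[m]]))
    return np.array(centroids), members


def attribute(centroids, members, x):
    """Subsampling attribution of the margin at x to each training point: mean margin of
    models that saw point i minus mean margin of those that did not (positive = pushes to 1)."""
    margins = np.array([margin(c, x) for c in centroids])
    return np.array([margins[members[:, i]].mean() - margins[~members[:, i]].mean()
                     for i in range(members.shape[1])])


def exact_leave_one_out(X, y, x):
    """Ground truth for the check: change in the full model's margin when point i is dropped."""
    full = margin(fit_centroids(X, y), x)
    effects = np.empty(len(y))
    for i in range(len(y)):
        keep = np.arange(len(y)) != i
        effects[i] = margin(fit_centroids(X[keep], y[keep]), x) - full
    return effects


def sign_agreement(centroids, members, X, y, x):
    """Fraction of training points whose estimated leave-in sign matches exact leave-one-out."""
    est = attribute(centroids, members, x)
    return float(np.mean(np.sign(est) == -np.sign(exact_leave_one_out(X, y, x))))


def drop_top_supporters(centroids, members, X, y, x, k):
    """Counterfactual check: retrain without the k points that most support the current
    decision on x. Returns (margin before, margin after); after should be smaller."""
    drop = np.argsort(attribute(centroids, members, x))[-k:]
    keep = np.ones(len(y), dtype=bool)
    keep[drop] = False
    return margin(fit_centroids(X, y), x), margin(fit_centroids(X[keep], y[keep]), x)


FULL = fit_centroids(X_TRAIN, Y_TRAIN)
X_CLEAN = np.array([-0.8, 0.0])                       # labelled class 0 by the full model
X_ADV = minimal_crossing_perturbation(FULL, X_CLEAN)  # same point, now labelled class 1
ENSEMBLE, MEMBERS = train_ensemble(X_TRAIN, Y_TRAIN, n_models=1500, rng=rng)

if __name__ == "__main__":
    print("clean label", predict(FULL, X_CLEAN), "adversarial label", predict(FULL, X_ADV),
          "perturbation norm %.3f" % np.linalg.norm(X_ADV - X_CLEAN))
    print("sign agreement with exact leave-one-out: %.2f"
          % sign_agreement(ENSEMBLE, MEMBERS, X_TRAIN, Y_TRAIN, X_ADV))
    before, after = drop_top_supporters(ENSEMBLE, MEMBERS, X_TRAIN, Y_TRAIN, X_ADV, k=5)
    print("margin before/after dropping top-5 supporters: %.3f / %.3f" % (before, after))
```

The estimator's noise falls as the number of ensemble members grows (it is a difference of two sample means), which is the simple reason the example trains 1500 models and is consistent with the abstract's observation that more models help. With deep networks the member models are expensive, so in practice one trades the number of models against attribution accuracy; the two checks above are the way to find out whether a given budget is enough.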